sync with OpenBSD -current

bin/pax/ar_subs.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ar_subs.c,v 1.51 2023/07/10 16:28:33 jeremy Exp $	*/
+/*	$OpenBSD: ar_subs.c,v 1.52 2024/05/18 05:21:38 guenther Exp $	*/
 /*	$NetBSD: ar_subs.c,v 1.5 1995/03/21 09:07:06 cgd Exp $	*/
 
 /*-
@@ -146,23 +146,60 @@ list(void)
 }
 
 static int
-cmp_file_times(int mtime_flag, int ctime_flag, ARCHD *arcn, struct stat *sbp)
+cmp_file_times(int mtime_flag, int ctime_flag, ARCHD *arcn, const char *path)
 {
 	struct stat sb;
+	long res;
 
-	if (sbp == NULL) {
+	if (path == NULL)
-		if (lstat(arcn->name, &sb) != 0)
+		path = arcn->name;
+	if (lstat(path, &sb) != 0)
 		return (0);
-		sbp = &sb;
-	}
 
-	if (ctime_flag && mtime_flag)
+	/*
-		return (timespeccmp(&arcn->sb.st_mtim, &sbp->st_mtim, <=) &&
+	 * The target (sb) mtime might be rounded down due to the limitations
-		        timespeccmp(&arcn->sb.st_ctim, &sbp->st_ctim, <=));
+	 * of the FS it's on.  If it's strictly greater or we don't care about
-	else if (ctime_flag)
+	 * mtime, then precision doesn't matter, so check those cases first.
-		return (timespeccmp(&arcn->sb.st_ctim, &sbp->st_ctim, <=));
+	 */
-	else
+	if (ctime_flag && mtime_flag) {
-		return (timespeccmp(&arcn->sb.st_mtim, &sbp->st_mtim, <=));
+		if (timespeccmp(&arcn->sb.st_mtim, &sb.st_mtim, <=))
+			return timespeccmp(&arcn->sb.st_ctim, &sb.st_ctim, <=);
+		if (!timespeccmp(&arcn->sb.st_ctim, &sb.st_ctim, <=))
+			return 0;
+		/* <= ctim, but >= mtim */
+	} else if (ctime_flag)
+		return timespeccmp(&arcn->sb.st_ctim, &sb.st_ctim, <=);
+	else if (timespeccmp(&arcn->sb.st_mtim, &sb.st_mtim, <=))
+		return 1;
+
+	/* 
+	 * If we got here then the target arcn > sb for mtime *and* that's
+	 * the deciding factor.  Check whether they're equal after rounding
+	 * down the arcn mtime to the precision of the target path.
+	 */
+	res = pathconfat(AT_FDCWD, path, _PC_TIMESTAMP_RESOLUTION,
+	    AT_SYMLINK_NOFOLLOW);
+	if (res == -1)
+		return 0;
+
+	/* nanosecond resolution?  previous comparisons were accurate */
+	if (res == 1)
+		return 0;
+
+	/* common case: second accuracy */
+	if (res == 1000000000)
+		return arcn->sb.st_mtime <= sb.st_mtime;
+
+	if (res < 1000000000) {
+		struct timespec ts = arcn->sb.st_mtim;
+		ts.tv_nsec = (ts.tv_nsec / res) * res;
+		return timespeccmp(&ts, &sb.st_mtim, <=);
+	} else {
+		/* not a POSIX compliant FS */
+		res /= 1000000000;
+		return ((arcn->sb.st_mtime / res) * res) <= sb.st_mtime;
+		return arcn->sb.st_mtime <= ((sb.st_mtime / res) * res);
+	}
 }
 
 /*
@@ -842,14 +879,12 @@ copy(void)
 			/*
 			 * if existing file is same age or newer skip
 			 */
-			res = lstat(dirbuf, &sb);
+			if (cmp_file_times(uflag, Dflag, arcn, dirbuf)) {
 				*dest_pt = '\0';
-
-			if (res == 0) {
 				ftree_skipped_newer(arcn);
-				if (cmp_file_times(uflag, Dflag, arcn, &sb))
 				continue;
 			}
+			*dest_pt = '\0';
 		}
 
 		/*

bin/ps/ps.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ps.c,v 1.80 2023/11/10 09:17:02 kn Exp $	*/
+/*	$OpenBSD: ps.c,v 1.81 2024/05/18 13:08:09 sobrado Exp $	*/
 /*	$NetBSD: ps.c,v 1.15 1995/05/18 20:33:25 mycroft Exp $	*/
 
 /*-
@@ -623,9 +623,9 @@ forest_sort(struct pinfo *ki, int items)
 static void
 usage(void)
 {
-	fprintf(stderr, "usage: %s [-AacefHhjkLlmrSTuvwx] [-M core] [-N system]"
+	fprintf(stderr, "usage: %s [[-]AacefHhjkLlmrSTuvwx] [-M core]"
-	    " [-O fmt] [-o fmt] [-p pid]\n", __progname);
+	    " [-N system] [-O fmt] [-o fmt]\n", __progname);
-	fprintf(stderr, "%-*s[-t tty] [-U user] [-W swap]\n",
+	fprintf(stderr, "%-*s[-p pid] [-t tty] [-U user] [-W swap]\n",
 	    (int)strlen(__progname) + 8, "");
 	exit(1);
 }

distrib/sets/lists/base/mi

@@ -727,7 +727,7 @@
 ./usr/lib/crtendS.o
 ./usr/lib/gcrt0.o
 ./usr/lib/libagentx.so.1.1
-./usr/lib/libc.so.100.0
+./usr/lib/libc.so.100.1
 ./usr/lib/libcbor.so.2.0
 ./usr/lib/libcrypto.so.54.0
 ./usr/lib/libcurses.so.15.0
@@ -2528,6 +2528,7 @@
 ./usr/libexec/ssh-keysign
 ./usr/libexec/ssh-pkcs11-helper
 ./usr/libexec/ssh-sk-helper
+./usr/libexec/sshd-session
 ./usr/libexec/tradcpp
 ./usr/libexec/vi.recover
 ./usr/local
@@ -2972,10 +2973,12 @@
 ./usr/share/relink/usr/bin/ssh-agent
 ./usr/share/relink/usr/bin/ssh-agent/ssh-agent.tar
 ./usr/share/relink/usr/lib
-./usr/share/relink/usr/lib/libc.so.100.0.a
+./usr/share/relink/usr/lib/libc.so.100.1.a
 ./usr/share/relink/usr/lib/libcrypto.so.54.0.a
 ./usr/share/relink/usr/libexec
 ./usr/share/relink/usr/libexec/ld.so.a
+./usr/share/relink/usr/libexec/sshd-session
+./usr/share/relink/usr/libexec/sshd-session/sshd-session.tar
 ./usr/share/relink/usr/sbin
 ./usr/share/relink/usr/sbin/sshd
 ./usr/share/relink/usr/sbin/sshd/sshd.tar

etc/daily

@@ -1,5 +1,5 @@
 #
-#	$OpenBSD: daily,v 1.97 2023/03/03 16:22:57 bluhm Exp $
+#	$OpenBSD: daily,v 1.98 2024/05/16 11:33:59 solene Exp $
 #	From: @(#)daily	8.2 (Berkeley) 1/25/94
 #
 # For local additions, create the file /etc/daily.local.
@@ -136,6 +136,9 @@ done
 next_part "Services that should be running but aren't:"
 rcctl ls failed
 
+next_part "Services that are running but shouldn't:"
+rcctl ls rogue
+
 next_part "Filesystems which need to be dumped:"
 dump w | grep -vB1 ^Dump
 

etc/rc

@@ -1,4 +1,4 @@
-#	$OpenBSD: rc,v 1.574 2024/04/02 08:21:04 deraadt Exp $
+#	$OpenBSD: rc,v 1.575 2024/05/17 00:33:43 deraadt Exp $
 
 # System startup script run by init on autoboot or after single-user.
 # Output and error are redirected to console by init, and the console is the
@@ -241,7 +241,8 @@ reorder_libs() {
 		) || { _error=true; break; }
 	done
 
-	for _bin in $_relink/usr/sbin/sshd $_relink/usr/bin/ssh-agent ; do
+	for _bin in $_relink/usr/sbin/sshd $_relink/usr/libexec/sshd-session \
+	    $_relink/usr/bin/ssh-agent ; do
 		_tmpdir=$(mktemp -dq $_relink/_rebuild.XXXXXXXXXXXX) &&
 		(
 		set -o errexit

gnu/usr.bin/perl/README.secbsd

@@ -1,3 +1,5 @@
+# vim: syntax=pod
+
 If you read this file _as_is_, just ignore the funny characters you
 see.  It is written in the POD format (see pod/perlpod.pod) which is
 specifically designed to be readable as is.

gnu/usr.bin/perl/locale.c

@@ -2858,7 +2858,7 @@ Perl_setlocale(const int category, const char * locale)
 
     /* If the new locale is the same as the current one, nothing is actually
      * being changed, so do nothing. */
-    if (      strEQ(retval, locale)
+    if (      retval != NULL && strEQ(retval, locale)
         && (   ! affects_LC_NUMERIC(category)
 
 #  ifdef USE_LOCALE_NUMERIC

include/unistd.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: unistd.h,v 1.108 2023/12/12 15:30:55 deraadt Exp $ */
+/*	$OpenBSD: unistd.h,v 1.109 2024/05/18 05:20:22 guenther Exp $ */
 /*	$NetBSD: unistd.h,v 1.26.4.1 1996/05/28 02:31:51 mrg Exp $	*/
 
 /*-
@@ -357,6 +357,9 @@ int	 isatty(int);
 int	 link(const char *, const char *);
 off_t	 lseek(int, off_t, int);
 long	 pathconf(const char *, int);
+#if __BSD_VISIBLE
+long	 pathconfat(int, const char *, int, int);
+#endif
 int	 pause(void);
 int	 pipe(int *);
 ssize_t	 read(int, void *, size_t)

lib/libc/Symbols.list

@@ -157,6 +157,7 @@ _thread_sys_nfssvc
 _thread_sys_open
 _thread_sys_openat
 _thread_sys_pathconf
+_thread_sys_pathconfat
 _thread_sys_pipe
 _thread_sys_pipe2
 _thread_sys_pledge
@@ -359,6 +360,7 @@ nfssvc
 open
 openat
 pathconf
+pathconfat
 pipe
 pipe2
 pledge

lib/libc/hidden/unistd.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: unistd.h,v 1.13 2023/12/12 15:30:55 deraadt Exp $	*/
+/*	$OpenBSD: unistd.h,v 1.14 2024/05/18 05:20:22 guenther Exp $	*/
 /*
  * Copyright (c) 2015 Philip Guenther <guenther@openbsd.org>
  *
@@ -110,6 +110,7 @@ PROTO_NORMAL(mkstemp);
 PROTO_NORMAL(nfssvc);
 PROTO_DEPRECATED(nice);
 PROTO_NORMAL(pathconf);
+PROTO_NORMAL(pathconfat);
 /*PROTO_CANCEL(pause);*/
 PROTO_NORMAL(pipe);
 PROTO_NORMAL(pipe2);

lib/libc/shlib_version

@@ -1,4 +1,4 @@
 major=100
-minor=0
+minor=1
 # note: If changes were made to include/thread_private.h or if system calls
 # were added/changed then librthread/shlib_version must also be updated.

lib/libc/sys/Makefile.inc

@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile.inc,v 1.178 2024/03/29 06:48:04 deraadt Exp $
+#	$OpenBSD: Makefile.inc,v 1.179 2024/05/18 05:20:22 guenther Exp $
 #	$NetBSD: Makefile.inc,v 1.35 1995/10/16 23:49:07 jtc Exp $
 #	@(#)Makefile.inc	8.1 (Berkeley) 6/17/93
 
@@ -62,7 +62,7 @@ ASM=	__semctl.o __thrsigdivert.o \
 	mknod.o mknodat.o mlock.o mlockall.o mmap.o mount.o mprotect.o \
 	mquery.o msgctl.o msgget.o munlock.o munlockall.o munmap.o \
 	nfssvc.o \
-	pathconf.o pipe.o pipe2.o pledge.o profil.o \
+	pathconf.o pathconfat.o pipe.o pipe2.o pledge.o profil.o \
 	quotactl.o \
 	readlink.o readlinkat.o reboot.o \
 	rename.o renameat.o revoke.o rmdir.o \

lib/libc/sys/pathconf.2

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: pathconf.2,v 1.25 2018/06/21 20:30:36 jmc Exp $
+.\"	$OpenBSD: pathconf.2,v 1.26 2024/05/18 05:20:22 guenther Exp $
 .\"	$NetBSD: pathconf.2,v 1.2 1995/02/27 12:35:22 cgd Exp $
 .\"
 .\" Copyright (c) 1993
@@ -30,11 +30,12 @@
 .\"
 .\"	@(#)pathconf.2	8.1 (Berkeley) 6/4/93
 .\"
-.Dd $Mdocdate: June 21 2018 $
+.Dd $Mdocdate: May 18 2024 $
 .Dt PATHCONF 2
 .Os
 .Sh NAME
 .Nm pathconf ,
+.Nm pathconfat ,
 .Nm fpathconf
 .Nd get configurable pathname variables
 .Sh SYNOPSIS
@@ -43,9 +44,13 @@
 .Fn pathconf "const char *path" "int name"
 .Ft long
 .Fn fpathconf "int fd" "int name"
+.In fcntl.h
+.Ft long
+.Fn pathconfat "int fd" "const char *path" "int name" "int flag"
 .Sh DESCRIPTION
 The
-.Fn pathconf
+.Fn pathconf ,
+.Fn pathconfat ,
 and
 .Fn fpathconf
 functions provide a method for applications to determine the current
@@ -132,9 +137,48 @@ Returns 1 if synchronized I/O is supported, otherwise 0.
 .It Dv _PC_TIMESTAMP_RESOLUTION
 The resolution in nanoseconds of file timestamps.
 .El
+.Pp
+The
+.Fn pathconfat
+function is equivalent to
+.Fn pathconf
+except in the case where
+.Fa path
+specifies a relative path.
+In this case the file to be changed is determined relative to the directory
+associated with the file descriptor
+.Fa fd
+instead of the current working directory.
+.Pp
+If
+.Fn pathconfat
+is passed the special value
+.Dv AT_FDCWD
+(defined in
+.In fcntl.h )
+in the
+.Fa fd
+parameter, the current working directory is used.
+If
+.Fa flag
+is also zero, the behavior is identical to a call to
+.Fn pathconf .
+.Pp
+The
+.Fa flag
+argument is the bitwise OR of zero or more of the following values:
+.Pp
+.Bl -tag -width AT_SYMLINK_NOFOLLOW -offset indent -compact
+.It Dv AT_SYMLINK_NOFOLLOW
+If
+.Fa path
+names a symbolic link, then the system variable for the symbolic
+link is queried.
+.El
 .Sh RETURN VALUES
 If the call to
-.Fn pathconf
+.Fn pathconf ,
+.Fn pathconfat ,
 or
 .Fn fpathconf
 is not successful, \-1 is returned and
@@ -147,7 +191,8 @@ is not modified.
 Otherwise, the current variable value is returned.
 .Sh ERRORS
 If any of the following conditions occur, the
-.Fn pathconf
+.Fn pathconf ,
+.Fn pathconfat ,
 and
 .Fn fpathconf
 functions shall return \-1 and set
@@ -166,6 +211,8 @@ An I/O error occurred while reading from the file system.
 .El
 .Pp
 .Fn pathconf
+and
+.Fn pathconfat
 will fail if:
 .Bl -tag -width Er
 .It Bq Er ENOTDIR
@@ -190,6 +237,38 @@ Too many symbolic links were encountered in translating the pathname.
 points outside the process's allocated address space.
 .El
 .Pp
+Additionally, the
+.Fn pathconfat
+function will fail if:
+.Bl -tag -width Er
+.It Bq Er EINVAL
+The value of the
+.Fa flag
+argument was neither zero nor
+.Dv AT_SYMLINK_NOFOLLOW .
+.It Bq Er EBADF
+The
+.Fa path
+argument specifies a relative path and the
+.Fa fd
+argument is neither
+.Dv AT_FDCWD
+nor a valid file descriptor.
+.It Bq Er ENOTDIR
+The
+.Fa path
+argument specifies a relative path and the
+.Fa fd
+argument is a valid file descriptor but it does not reference a directory.
+.It Bq Er EACCES
+The
+.Fa path
+argument specifies a relative path but search permission is denied
+for the directory which the
+.Fa fd
+file descriptor references.
+.El
+.Pp
 .Fn fpathconf
 will fail if:
 .Bl -tag -width Er
@@ -214,3 +293,7 @@ and
 .Fn fpathconf
 functions first appeared in
 .Bx 4.4 .
+The
+.Fn pathconfat
+function first appeared in
+.Ox 7.6 .

lib/libcrypto/asn1/asn1_gen.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1_gen.c,v 1.21 2023/07/05 21:23:36 beck Exp $ */
+/* $OpenBSD: asn1_gen.c,v 1.22 2024/05/17 02:57:26 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2002.
  */
@@ -533,7 +533,8 @@ static int
 asn1_str2tag(const char *tagstr, int len)
 {
 	unsigned int i;
-	static const struct tag_name_st *tntmp, tnst [] = {
+	const struct tag_name_st *tntmp;
+	static const struct tag_name_st tnst[] = {
 		ASN1_GEN_STR("BOOL", V_ASN1_BOOLEAN),
 		ASN1_GEN_STR("BOOLEAN", V_ASN1_BOOLEAN),
 		ASN1_GEN_STR("NULL", V_ASN1_NULL),

lib/libcrypto/asn1/x_bignum.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x_bignum.c,v 1.13 2022/11/26 16:08:50 tb Exp $ */
+/* $OpenBSD: x_bignum.c,v 1.14 2024/05/17 02:47:21 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -79,7 +79,7 @@ static int bn_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
 static int bn_print(BIO *out, ASN1_VALUE **pval, const ASN1_ITEM *it,
     int indent, const ASN1_PCTX *pctx);
 
-static ASN1_PRIMITIVE_FUNCS bignum_pf = {
+static const ASN1_PRIMITIVE_FUNCS bignum_pf = {
 	.app_data = NULL,
 	.flags = 0,
 	.prim_new = bn_new,

lib/libcrypto/asn1/x_long.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x_long.c,v 1.19 2022/11/26 16:08:50 tb Exp $ */
+/* $OpenBSD: x_long.c,v 1.20 2024/05/17 02:49:21 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -81,7 +81,7 @@ static int long_c2i(ASN1_VALUE **pval, const unsigned char *content, int len,
 static int long_print(BIO *out, ASN1_VALUE **pval, const ASN1_ITEM *it,
     int indent, const ASN1_PCTX *pctx);
 
-static ASN1_PRIMITIVE_FUNCS long_pf = {
+static const ASN1_PRIMITIVE_FUNCS long_pf = {
 	.app_data = NULL,
 	.flags = 0,
 	.prim_new = long_new,

lib/libcrypto/man/X509V3_get_d2i.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509V3_get_d2i.3,v 1.22 2024/05/12 17:44:11 tb Exp $
+.\" $OpenBSD: X509V3_get_d2i.3,v 1.23 2024/05/15 21:15:28 tb Exp $
 .\" full merge up to: OpenSSL ff7fbfd5 Nov 2 11:52:01 2015 +0000
 .\" selective merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 12 2024 $
+.Dd $Mdocdate: May 15 2024 $
 .Dt X509V3_GET_D2I 3
 .Os
 .Sh NAME
@@ -155,8 +155,8 @@
 .Ft void
 .Fo X509_get0_uids
 .Fa "const X509 *x"
-.Fa "const ASN1_BIT_STRING **piuid"
+.Fa "const ASN1_BIT_STRING **issuerUID"
-.Fa "const ASN1_BIT_STRING **psuid"
+.Fa "const ASN1_BIT_STRING **subjectUID"
 .Fc
 .Sh DESCRIPTION
 .Fn X509V3_get_d2i
@@ -312,14 +312,22 @@ It is possible to determine the precise reason by checking the value of
 .Pf * Fa crit .
 .Pp
 .Fn X509_get0_uids
-sets
+returns the issuer and subject unique identifiers of the certificate
-.Fa *piuid
-and
-.Fa *psuid
-to the issuer and subject unique identifiers of certificate
 .Fa x
-or NULL if the fields are not present.
+in
-These fields are rarely used.
+.Pf * Fa issuerUID
+and
+.Pf * Fa subjectUID .
+If a unique identifier field is not present in
+.Fa x ,
+.Dv NULL
+is returned.
+Either one of
+.Fa issuerUID
+and
+.Fa subjectUID
+can be
+.Dv NULL .
 .Sh SUPPORTED EXTENSIONS
 The following sections contain a list of all supported extensions
 including their name and NID.

lib/libcrypto/x509/x509_v3.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_v3.c,v 1.21 2023/02/16 08:38:17 tb Exp $ */
+/* $OpenBSD: x509_v3.c,v 1.22 2024/05/16 13:19:09 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -72,8 +72,8 @@ int
 X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x)
 {
 	if (x == NULL)
-		return (0);
+		return 0;
-	return (sk_X509_EXTENSION_num(x));
+	return sk_X509_EXTENSION_num(x);
 }
 LCRYPTO_ALIAS(X509v3_get_ext_count);
 
@@ -84,8 +84,8 @@ X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid, int lastpos)
 
 	obj = OBJ_nid2obj(nid);
 	if (obj == NULL)
-		return (-2);
+		return -2;
-	return (X509v3_get_ext_by_OBJ(x, obj, lastpos));
+	return X509v3_get_ext_by_OBJ(x, obj, lastpos);
 }
 LCRYPTO_ALIAS(X509v3_get_ext_by_NID);
 
@@ -97,7 +97,7 @@ X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk,
 	X509_EXTENSION *ex;
 
 	if (sk == NULL)
-		return (-1);
+		return -1;
 	lastpos++;
 	if (lastpos < 0)
 		lastpos = 0;
@@ -105,9 +105,9 @@ X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk,
 	for (; lastpos < n; lastpos++) {
 		ex = sk_X509_EXTENSION_value(sk, lastpos);
 		if (OBJ_cmp(ex->object, obj) == 0)
-			return (lastpos);
+			return lastpos;
 	}
-	return (-1);
+	return -1;
 }
 LCRYPTO_ALIAS(X509v3_get_ext_by_OBJ);
 
@@ -119,18 +119,18 @@ X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit,
 	X509_EXTENSION *ex;
 
 	if (sk == NULL)
-		return (-1);
+		return -1;
 	lastpos++;
 	if (lastpos < 0)
 		lastpos = 0;
 	n = sk_X509_EXTENSION_num(sk);
 	for (; lastpos < n; lastpos++) {
 		ex = sk_X509_EXTENSION_value(sk, lastpos);
-		if (((ex->critical > 0) && crit) ||
+		if ((ex->critical > 0 && crit) ||
-		    ((ex->critical <= 0) && !crit))
+		    (ex->critical <= 0 && !crit))
-			return (lastpos);
+			return lastpos;
 	}
-	return (-1);
+	return -1;
 }
 LCRYPTO_ALIAS(X509v3_get_ext_by_critical);
 
@@ -150,9 +150,9 @@ X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc)
 	X509_EXTENSION *ret;
 
 	if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0)
-		return (NULL);
+		return NULL;
 	ret = sk_X509_EXTENSION_delete(x, loc);
-	return (ret);
+	return ret;
 }
 LCRYPTO_ALIAS(X509v3_delete_ext);
 
@@ -186,16 +186,16 @@ X509v3_add_ext(STACK_OF(X509_EXTENSION) **x, X509_EXTENSION *ex, int loc)
 		goto err;
 	if (*x == NULL)
 		*x = sk;
-	return (sk);
+	return sk;
 
 err:
 	X509error(ERR_R_MALLOC_FAILURE);
 err2:
 	if (new_ex != NULL)
 		X509_EXTENSION_free(new_ex);
-	if (sk != NULL && (x != NULL && sk != *x))
+	if (sk != NULL && x != NULL && sk != *x)
 		sk_X509_EXTENSION_free(sk);
-	return (NULL);
+	return NULL;
 }
 LCRYPTO_ALIAS(X509v3_add_ext);
 
@@ -209,12 +209,12 @@ X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid, int crit,
 	obj = OBJ_nid2obj(nid);
 	if (obj == NULL) {
 		X509error(X509_R_UNKNOWN_NID);
-		return (NULL);
+		return NULL;
 	}
 	ret = X509_EXTENSION_create_by_OBJ(ex, obj, crit, data);
 	if (ret == NULL)
 		ASN1_OBJECT_free(obj);
-	return (ret);
+	return ret;
 }
 LCRYPTO_ALIAS(X509_EXTENSION_create_by_NID);
 
@@ -224,10 +224,10 @@ X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex, const ASN1_OBJECT *obj,
 {
 	X509_EXTENSION *ret;
 
-	if ((ex == NULL) || (*ex == NULL)) {
+	if (ex == NULL || *ex == NULL) {
 		if ((ret = X509_EXTENSION_new()) == NULL) {
 			X509error(ERR_R_MALLOC_FAILURE);
-			return (NULL);
+			return NULL;
 		}
 	} else
 		ret= *ex;
@@ -239,22 +239,22 @@ X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex, const ASN1_OBJECT *obj,
 	if (!X509_EXTENSION_set_data(ret, data))
 		goto err;
 
-	if ((ex != NULL) && (*ex == NULL))
+	if (ex != NULL && *ex == NULL)
 		*ex = ret;
-	return (ret);
+	return ret;
 
 err:
-	if ((ex == NULL) || (ret != *ex))
+	if (ex == NULL || ret != *ex)
 		X509_EXTENSION_free(ret);
-	return (NULL);
+	return NULL;
 }
 LCRYPTO_ALIAS(X509_EXTENSION_create_by_OBJ);
 
 int
 X509_EXTENSION_set_object(X509_EXTENSION *ex, const ASN1_OBJECT *obj)
 {
-	if ((ex == NULL) || (obj == NULL))
+	if (ex == NULL || obj == NULL)
-		return (0);
+		return 0;
 	ASN1_OBJECT_free(ex->object);
 	ex->object = OBJ_dup(obj);
 	return ex->object != NULL;
@@ -265,9 +265,9 @@ int
 X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit)
 {
 	if (ex == NULL)
-		return (0);
+		return 0;
-	ex->critical = (crit) ? 0xFF : -1;
+	ex->critical = crit ? 0xFF : -1;
-	return (1);
+	return 1;
 }
 LCRYPTO_ALIAS(X509_EXTENSION_set_critical);
 
@@ -277,11 +277,11 @@ X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data)
 	int i;
 
 	if (ex == NULL)
-		return (0);
+		return 0;
 	i = ASN1_STRING_set(ex->value, data->data, data->length);
 	if (!i)
-		return (0);
+		return 0;
-	return (1);
+	return 1;
 }
 LCRYPTO_ALIAS(X509_EXTENSION_set_data);
 
@@ -289,8 +289,8 @@ ASN1_OBJECT *
 X509_EXTENSION_get_object(X509_EXTENSION *ex)
 {
 	if (ex == NULL)
-		return (NULL);
+		return NULL;
-	return (ex->object);
+	return ex->object;
 }
 LCRYPTO_ALIAS(X509_EXTENSION_get_object);
 
@@ -298,8 +298,8 @@ ASN1_OCTET_STRING *
 X509_EXTENSION_get_data(X509_EXTENSION *ex)
 {
 	if (ex == NULL)
-		return (NULL);
+		return NULL;
-	return (ex->value);
+	return ex->value;
 }
 LCRYPTO_ALIAS(X509_EXTENSION_get_data);
 
@@ -307,7 +307,7 @@ int
 X509_EXTENSION_get_critical(const X509_EXTENSION *ex)
 {
 	if (ex == NULL)
-		return (0);
+		return 0;
 	if (ex->critical > 0)
 		return 1;
 	return 0;

lib/libssl/man/SSL_CTX_set_keylog_callback.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_keylog_callback.3,v 1.2 2021/10/23 13:17:03 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_keylog_callback.3,v 1.3 2024/05/16 08:39:30 tb Exp $
 .\" OpenSSL pod checked up to: 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
 .\" Copyright (c) 2021 Bob Beck <beck@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 23 2021 $
+.Dd $Mdocdate: May 16 2024 $
 .Dt SSL_CTX_SET_KEYLOG_CALLBACK 3
 .Os
 .Sh NAME
@@ -38,7 +38,7 @@
 sets the TLS key logging callback.
 This callback is never called in LibreSSL.
 .Pp
-.Fn SSL_CTX_set_keylog_callback
+.Fn SSL_CTX_get_keylog_callback
 retrieves the previously set TLS key logging callback.
 .Pp
 These functions are provided only for compatibility with OpenSSL.

libexec/ld.so/util.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: util.h,v 1.40 2023/12/08 12:58:27 deraadt Exp $	*/
+/*	$OpenBSD: util.h,v 1.41 2024/05/17 06:11:54 deraadt Exp $	*/
 
 /*
  * Copyright (c) 1998 Todd C. Miller <millert@openbsd.org>
@@ -32,6 +32,7 @@
 #define __DL_UTIL_H__
 
 #include <sys/utsname.h>
+#include <sys/signal.h>
 #include <stdarg.h>
 #include <stddef.h>		/* for NULL */
 
@@ -72,7 +73,7 @@ long _dl_strtol(const char *nptr, char **endptr, int base);
 
 __dead void _dl_oom(void);
 __dead void _dl_die(const char *, ...) __attribute__((format (printf, 1, 2)));
-#define _dl_diedie()	_dl_thrkill(0, 9, NULL)
+#define _dl_diedie()	_dl_thrkill(0, SIGKILL, NULL)
 __END_HIDDEN_DECLS
 
 #define	_dl_round_page(x) \

regress/usr.bin/mandoc/char/unicode/ascii.in

@@ -1,10 +1,11 @@
-.\" $OpenBSD: ascii.in,v 1.4 2017/07/04 14:53:23 schwarze Exp $
+.\" $OpenBSD: ascii.in,v 1.5 2024/05/16 18:49:00 schwarze Exp $
-.TH CHAR-UNICODE-ASCII 1 "October 27, 2014"
+.TH CHAR-UNICODE-ASCII 1 "May 16, 2024"
 .SH NAME
 char-unicode-ascii \- Unicode characters in the ASCII range
 .SH DESCRIPTION
 .nf
 BEGINTEST
+\[u0020]\N'32' 	SPACE
 \[u0022]\N'34'\(dq	QUOTATION MARK
 \[u0023]\N'35'\(sh	NUMBER SIGN
 \[u0024]\N'36'\(Do	DOLLAR SIGN

regress/usr.bin/mandoc/char/unicode/ascii.out_ascii

@@ -5,6 +5,7 @@ NNAAMMEE
 
 DDEESSCCRRIIPPTTIIOONN
      BEGINTEST
+          SPACE
      """  QUOTATION MARK
      ###  NUMBER SIGN
      $$$  DOLLAR SIGN
@@ -27,4 +28,4 @@ DDEESSCCRRIIPPTTIIOONN
      ~~~~ TILDE
      ENDTEST
 
-OpenBSD                        October 27, 2014          CHAR-UNICODE-ASCII(1)
+OpenBSD                          May 16, 2024            CHAR-UNICODE-ASCII(1)

regress/usr.bin/mandoc/char/unicode/ascii.out_html

@@ -1,3 +1,4 @@
+   	SPACE
 """	QUOTATION MARK
 ###	NUMBER SIGN
 $$$	DOLLAR SIGN

regress/usr.bin/mandoc/char/unicode/ascii.out_utf8

@@ -5,6 +5,7 @@ NNAAMMEE
 
 DDEESSCCRRIIPPTTIIOONN
      BEGINTEST
+          SPACE
      """  QUOTATION MARK
      ###  NUMBER SIGN
      $$$  DOLLAR SIGN
@@ -27,4 +28,4 @@ DDEESSCCRRIIPPTTIIOONN
      ~~~~ TILDE
      ENDTEST
 
-OpenBSD                        October 27, 2014          CHAR-UNICODE-ASCII(1)
+OpenBSD                          May 16, 2024            CHAR-UNICODE-ASCII(1)

regress/usr.bin/mandoc/char/unicode/input.out_ascii

@@ -31,12 +31,17 @@ DDEESSCCRRIIPPTTIIOONN
      U+1000   0xe18080   <?><?>   begin of second start byte
      U+CFFF   0xecbfbf   <?><?>   end of last normal start byte
      U+D000   0xed8080   <?><?>   begin of last start byte
+     U+D7FB   0xed9fbb   <?><?>   highest valid public three-byte
      U+D7FF   0xed9fbf   <?><?>   highest public three-byte
      U+D800   0xeda080   ???      lowest surrogate
      U+DFFF   0xedbfbf   ???      highest surrogate
      U+E000   0xee8080   <?><?>   lowest private use
      U+F8FF   0xefa3bf   <?><?>   highest private use
      U+F900   0xefa480   <?><?>   lowest post-private
+     U+FEFF   0xefbbbf   <?><?>   byte-order mark
+     U+FFFC   0xefbfbc   <?><?>   object replacement character
+     U+FFFD   0xefbfbd   <?><?>   replacement character
+     U+FFFE   0xefbfbe   <?><?>   reversed byte-order mark
      U+FFFF   0xefbfbf   <?><?>   highest three-byte
 
    FFoouurr--bbyyttee rraannggee
@@ -60,4 +65,4 @@ DDEESSCCRRIIPPTTIIOONN
      U+1FFFFF   0xf7bfbfbf     ????     highest invalid four-byte
      U+200000   0xf888808080   ?????    lowest five-byte
 
-OpenBSD                          June 2, 2021            CHAR-UNICODE-INPUT(1)
+OpenBSD                          May 16, 2024            CHAR-UNICODE-INPUT(1)

regress/usr.bin/mandoc/char/unicode/input.out_lint

@@ -21,61 +21,63 @@ mandoc: input.in:34:19: ERROR: skipping bad character: 0x80
 mandoc: input.in:35:17: ERROR: skipping bad character: 0xe0
 mandoc: input.in:35:18: ERROR: skipping bad character: 0x9f
 mandoc: input.in:35:19: ERROR: skipping bad character: 0xbf
-mandoc: input.in:42:25: ERROR: skipping bad character: 0xed
+mandoc: input.in:43:33: ERROR: skipping bad character: 0xed
-mandoc: input.in:42:26: ERROR: skipping bad character: 0xa0
+mandoc: input.in:43:34: ERROR: skipping bad character: 0xa0
-mandoc: input.in:42:27: ERROR: skipping bad character: 0x80
+mandoc: input.in:43:35: ERROR: skipping bad character: 0x80
-mandoc: input.in:42:17: ERROR: invalid special character: \[uD800]
+mandoc: input.in:43:17: ERROR: invalid special character: \[uD800]
-mandoc: input.in:43:25: ERROR: skipping bad character: 0xed
+mandoc: input.in:43:25: ERROR: invalid special character: \[ud800]
-mandoc: input.in:43:26: ERROR: skipping bad character: 0xbf
+mandoc: input.in:44:33: ERROR: skipping bad character: 0xed
-mandoc: input.in:43:27: ERROR: skipping bad character: 0xbf
+mandoc: input.in:44:34: ERROR: skipping bad character: 0xbf
-mandoc: input.in:43:17: ERROR: invalid special character: \[uDFFF]
+mandoc: input.in:44:35: ERROR: skipping bad character: 0xbf
-mandoc: input.in:53:19: ERROR: skipping bad character: 0xf0
+mandoc: input.in:44:17: ERROR: invalid special character: \[uDFFF]
-mandoc: input.in:53:20: ERROR: skipping bad character: 0x80
+mandoc: input.in:44:25: ERROR: invalid special character: \[udfff]
-mandoc: input.in:53:21: ERROR: skipping bad character: 0x80
-mandoc: input.in:53:22: ERROR: skipping bad character: 0x80
-mandoc: input.in:54:19: ERROR: skipping bad character: 0xf0
-mandoc: input.in:54:20: ERROR: skipping bad character: 0x80
-mandoc: input.in:54:21: ERROR: skipping bad character: 0x81
-mandoc: input.in:54:22: ERROR: skipping bad character: 0xbf
-mandoc: input.in:55:19: ERROR: skipping bad character: 0xf0
-mandoc: input.in:55:20: ERROR: skipping bad character: 0x80
-mandoc: input.in:55:21: ERROR: skipping bad character: 0x82
-mandoc: input.in:55:22: ERROR: skipping bad character: 0x80
-mandoc: input.in:56:19: ERROR: skipping bad character: 0xf0
-mandoc: input.in:56:20: ERROR: skipping bad character: 0x80
-mandoc: input.in:56:21: ERROR: skipping bad character: 0x9f
-mandoc: input.in:56:22: ERROR: skipping bad character: 0xbf
-mandoc: input.in:57:19: ERROR: skipping bad character: 0xf0
-mandoc: input.in:57:20: ERROR: skipping bad character: 0x80
-mandoc: input.in:57:21: ERROR: skipping bad character: 0xa0
-mandoc: input.in:57:22: ERROR: skipping bad character: 0x80
 mandoc: input.in:58:19: ERROR: skipping bad character: 0xf0
-mandoc: input.in:58:20: ERROR: skipping bad character: 0x8f
+mandoc: input.in:58:20: ERROR: skipping bad character: 0x80
-mandoc: input.in:58:21: ERROR: skipping bad character: 0xbf
+mandoc: input.in:58:21: ERROR: skipping bad character: 0x80
-mandoc: input.in:58:22: ERROR: skipping bad character: 0xbf
+mandoc: input.in:58:22: ERROR: skipping bad character: 0x80
-mandoc: input.in:67:31: ERROR: skipping bad character: 0xf4
+mandoc: input.in:59:19: ERROR: skipping bad character: 0xf0
-mandoc: input.in:67:32: ERROR: skipping bad character: 0x90
+mandoc: input.in:59:20: ERROR: skipping bad character: 0x80
-mandoc: input.in:67:33: ERROR: skipping bad character: 0x80
+mandoc: input.in:59:21: ERROR: skipping bad character: 0x81
-mandoc: input.in:67:34: ERROR: skipping bad character: 0x80
+mandoc: input.in:59:22: ERROR: skipping bad character: 0xbf
-mandoc: input.in:67:21: ERROR: invalid special character: \[u110000]
+mandoc: input.in:60:19: ERROR: skipping bad character: 0xf0
-mandoc: input.in:68:31: ERROR: skipping bad character: 0xf4
+mandoc: input.in:60:20: ERROR: skipping bad character: 0x80
-mandoc: input.in:68:32: ERROR: skipping bad character: 0xbf
+mandoc: input.in:60:21: ERROR: skipping bad character: 0x82
-mandoc: input.in:68:33: ERROR: skipping bad character: 0xbf
+mandoc: input.in:60:22: ERROR: skipping bad character: 0x80
-mandoc: input.in:68:34: ERROR: skipping bad character: 0xbf
+mandoc: input.in:61:19: ERROR: skipping bad character: 0xf0
-mandoc: input.in:68:21: ERROR: invalid special character: \[u13FFFF]
+mandoc: input.in:61:20: ERROR: skipping bad character: 0x80
-mandoc: input.in:69:31: ERROR: skipping bad character: 0xf5
+mandoc: input.in:61:21: ERROR: skipping bad character: 0x9f
-mandoc: input.in:69:32: ERROR: skipping bad character: 0x80
+mandoc: input.in:61:22: ERROR: skipping bad character: 0xbf
-mandoc: input.in:69:33: ERROR: skipping bad character: 0x80
+mandoc: input.in:62:19: ERROR: skipping bad character: 0xf0
-mandoc: input.in:69:34: ERROR: skipping bad character: 0x80
+mandoc: input.in:62:20: ERROR: skipping bad character: 0x80
-mandoc: input.in:69:21: ERROR: invalid special character: \[u140000]
+mandoc: input.in:62:21: ERROR: skipping bad character: 0xa0
-mandoc: input.in:70:31: ERROR: skipping bad character: 0xf7
+mandoc: input.in:62:22: ERROR: skipping bad character: 0x80
-mandoc: input.in:70:32: ERROR: skipping bad character: 0xbf
+mandoc: input.in:63:19: ERROR: skipping bad character: 0xf0
-mandoc: input.in:70:33: ERROR: skipping bad character: 0xbf
+mandoc: input.in:63:20: ERROR: skipping bad character: 0x8f
-mandoc: input.in:70:34: ERROR: skipping bad character: 0xbf
+mandoc: input.in:63:21: ERROR: skipping bad character: 0xbf
-mandoc: input.in:70:21: ERROR: invalid special character: \[u1FFFFF]
+mandoc: input.in:63:22: ERROR: skipping bad character: 0xbf
-mandoc: input.in:71:33: ERROR: skipping bad character: 0xf8
+mandoc: input.in:72:31: ERROR: skipping bad character: 0xf4
-mandoc: input.in:71:34: ERROR: skipping bad character: 0x88
+mandoc: input.in:72:32: ERROR: skipping bad character: 0x90
-mandoc: input.in:71:35: ERROR: skipping bad character: 0x80
+mandoc: input.in:72:33: ERROR: skipping bad character: 0x80
-mandoc: input.in:71:36: ERROR: skipping bad character: 0x80
+mandoc: input.in:72:34: ERROR: skipping bad character: 0x80
-mandoc: input.in:71:37: ERROR: skipping bad character: 0x80
+mandoc: input.in:72:21: ERROR: invalid special character: \[u110000]
-mandoc: input.in:71:23: ERROR: invalid special character: \[u200000]
+mandoc: input.in:73:31: ERROR: skipping bad character: 0xf4
+mandoc: input.in:73:32: ERROR: skipping bad character: 0xbf
+mandoc: input.in:73:33: ERROR: skipping bad character: 0xbf
+mandoc: input.in:73:34: ERROR: skipping bad character: 0xbf
+mandoc: input.in:73:21: ERROR: invalid special character: \[u13FFFF]
+mandoc: input.in:74:31: ERROR: skipping bad character: 0xf5
+mandoc: input.in:74:32: ERROR: skipping bad character: 0x80
+mandoc: input.in:74:33: ERROR: skipping bad character: 0x80
+mandoc: input.in:74:34: ERROR: skipping bad character: 0x80
+mandoc: input.in:74:21: ERROR: invalid special character: \[u140000]
+mandoc: input.in:75:31: ERROR: skipping bad character: 0xf7
+mandoc: input.in:75:32: ERROR: skipping bad character: 0xbf
+mandoc: input.in:75:33: ERROR: skipping bad character: 0xbf
+mandoc: input.in:75:34: ERROR: skipping bad character: 0xbf
+mandoc: input.in:75:21: ERROR: invalid special character: \[u1FFFFF]
+mandoc: input.in:76:33: ERROR: skipping bad character: 0xf8
+mandoc: input.in:76:34: ERROR: skipping bad character: 0x88
+mandoc: input.in:76:35: ERROR: skipping bad character: 0x80
+mandoc: input.in:76:36: ERROR: skipping bad character: 0x80
+mandoc: input.in:76:37: ERROR: skipping bad character: 0x80
+mandoc: input.in:76:23: ERROR: invalid special character: \[u200000]

regress/usr.bin/mandoc/char/unicode/input.out_utf8

@@ -31,12 +31,17 @@ DDEESSCCRRIIPPTTIIOONN
      U+1000   0xe18080   ကက     begin of second start byte
      U+CFFF   0xecbfbf   쿿쿿   end of last normal start byte
      U+D000   0xed8080   퀀퀀   begin of last start byte
+     U+D7FB   0xed9fbb   ퟻퟻ   highest valid public three-byte
      U+D7FF   0xed9fbf   ퟿퟿       highest public three-byte
      U+D800   0xeda080   ???    lowest surrogate
      U+DFFF   0xedbfbf   ???    highest surrogate
      U+E000   0xee8080        lowest private use
      U+F8FF   0xefa3bf        highest private use
      U+F900   0xefa480   豈豈   lowest post-private
+     U+FEFF   0xefbbbf          byte-order mark
+     U+FFFC   0xefbfbc        object replacement character
+     U+FFFD   0xefbfbd   <20><>     replacement character
+     U+FFFE   0xefbfbe   ￾￾       reversed byte-order mark
      U+FFFF   0xefbfbf   ￿￿       highest three-byte
 
    FFoouurr--bbyyttee rraannggee
@@ -60,4 +65,4 @@ DDEESSCCRRIIPPTTIIOONN
      U+1FFFFF   0xf7bfbfbf     ????    highest invalid four-byte
      U+200000   0xf888808080   ?????   lowest five-byte
 
-OpenBSD                          June 2, 2021            CHAR-UNICODE-INPUT(1)
+OpenBSD                          May 16, 2024            CHAR-UNICODE-INPUT(1)

regress/usr.bin/mandoc/char/unicode/nogroff.in

@@ -1,5 +1,5 @@
-.\" $OpenBSD: nogroff.in,v 1.6 2021/06/02 17:36:59 schwarze Exp $
+.\" $OpenBSD: nogroff.in,v 1.8 2024/05/16 18:49:00 schwarze Exp $
-.TH CHAR-UNICODE-NOGROFF 1 "June 2, 2021"
+.TH CHAR-UNICODE-NOGROFF 1 "May 16, 2024"
 .SH NAME
 char-unicode-nogroff \- characters handled differently by groff
 .SH DESCRIPTION
@@ -7,6 +7,11 @@ char-unicode-nogroff \- characters handled differently by groff
 BEGINTEST
 \[u0000]\N'0'	<control> NULL
 \[u0001]\N'1'	<control> START OF HEADING
+\[u0002]\N'2'	<control> START OF TEXT
+\[u0003]\N'3'	<control> END OF TEXT
+\[u0004]\N'4'	<control> END OF TRANSMISSION
+\[u0005]\N'5'	<control> ENQUIRY
+\[u0006]\N'6'	<control> ACKNOWLEDGE
 \[u0007]\N'7'	<control> BELL
 \[u0008]\N'8'	<control> BACKSPACE
 \[u0009]\N'9'	<control> CHARACTER TABULATION
@@ -14,12 +19,76 @@ BEGINTEST
 \[u000B]\N'11'	<control> LINE TABULATION
 \[u000C]\N'12'	<control> FORM FEED
 \[u000D]\N'13'	<control> CARRIAGE RETURN
+\[u000E]\N'14'	<control> SHIFT OUT
+\[u000F]\N'15'	<control> SHIFT IN
+\[u0010]\N'16'	<control> DATA LINK ESCAPE
+\[u0011]\N'17'	<control> DEVICE CONTROL ONE
+\[u0012]\N'18'	<control> DEVICE CONTROL TWO
+\[u0013]\N'19'	<control> DEVICE CONTROL THREE
+\[u0014]\N'20'	<control> DEVICE CONTROL FOUR
+\[u0015]\N'21'	<control> NEGATIVE ACKNOWLEDGE
+\[u0016]\N'22'	<control> SYNCHRONOUS IDLE
+\[u0017]\N'23'	<control> END OF TRANSMISSION BLOCK
+\[u0018]\N'24'	<control> CANCEL
+\[u0019]\N'25'	<control> END OF MEDIUM
+\[u001A]\N'26'	<control> SUBSTITUTE
 \[u001B]\N'27'	<control> ESCAPE
+\[u001C]\N'28'	<control> INFORMATION SEPARATOR FOUR
+\[u001D]\N'29'	<control> INFORMATION SEPARATOR THREE
+\[u001E]\N'30'	<control> INFORMATION SEPARATOR TWO
+\[u001F]\N'31'	<control> INFORMATION SEPARATOR INE
+\[u0021]\N'33'	EXCLAMATION MARK
+\[u0025]\N'37'	PERCENT SIGN
+\[u0026]\N'38'	AMPERSAND
+\[u0028]\N'40'	LEFT PARENTHESIS
+\[u0029]\N'41'	RIGHT PARENTHESIS
+\[u002A]\N'42'	ASTERISK
+\[u002C]\N'44'	COMMA
+\[u002D]\N'45'	HYPHEN-MINUS
+\[u002E]\N'46'	FULL STOP
+\[u0030]\N'48'	DIGIT ZERO
+\[u0031]\N'49'	DIGIT ONE
+\[u0039]\N'57'	DIGIT NINE
+\[u003A]\N'58'	COLON
+\[u003B]\N'59'	SEMICOLON
+\[u003C]\N'60'	LESS-THAN SIGN
+\[u003E]\N'62'	GREATER-THAN SIGN
+\[u003F]\N'63'	QUESTION MARK
+\[u0041]\N'65'	LATIN CAPITAL LETTER A
+\[u005A]\N'90'	LATIN CAPITAL LETTER Z
+\[u0061]\N'97'	LATIN SMALL LETTER A
+\[u007A]\N'122'	LATIN SMALL LETTER Z
 \[u007F]\N'127'	<control> DELETE
 \[u0080]\N'128'	<control> 0x80
 \[u0081]\N'129'	<control> 0x81
 \[u0082]\N'130'	<control> BREAK PERMITTED HERE
 \[u0083]\N'131'	<control> NO BREAK HERE
+\[u0084]\N'132'	<control> 0x84
+\[u0085]\N'133'	<control> NEXT LINE (NEL)
+\[u0086]\N'134'	<control> START OF SELECTED AREA
+\[u0087]\N'135'	<control> END OF SELECTED AREA
+\[u0088]\N'136'	<control> CHARACTER TABULATION SET
+\[u0089]\N'137'	<control> CHARACTER TABULATION WITH JUSTIFICATION
+\[u008A]\N'138'	<control> LINE TABULATION SET
+\[u008B]\N'139'	<control> PARTIAL LINE FORWARD
+\[u008C]\N'140'	<control> PARTIAL LINE BACKWARD
+\[u008D]\N'141'	<control> REVERSE LINE FEED
+\[u008E]\N'142'	<control> SINGLE SHIFT TWO
+\[u008F]\N'143'	<control> SINGLE SHIFT THREE
+\[u0090]\N'144'	<control> DEVICE CONTROL STRING
+\[u0091]\N'145'	<control> PRIVATE USE ONE
+\[u0092]\N'146'	<control> PRIVATE USE TWO
+\[u0093]\N'147'	<control> SET TRANSMIT STATE
+\[u0094]\N'148'	<control> CANCEL CHARACTER
+\[u0095]\N'149'	<control> MESSAGE WAITING
+\[u0096]\N'150'	<control> START OF GUARDED AREA
+\[u0097]\N'151'	<control> END OF GUARDED AREA
+\[u0098]\N'152'	<control> START OF STRING
+\[u0099]\N'153'	<control> 0x99
+\[u009A]\N'154'	<control> SINGLE CHARACTER INTRODUCER
+\[u009B]\N'155'	<control> CONTROL SEQUENCE INTRODUCER
+\[u009C]\N'156'	<control> STRING TERMINATOR
+\[u009D]\N'157'	<control> OPERATING SYSTEM COMMAND
 \[u009E]\N'158'	<control> PRIVACY MESSAGE
 \[u009F]\N'159'	<control> APPLICATION PROGRAM COMMAND
 \[u226A]\(<<	MUCH LESS-THAN

regress/usr.bin/mandoc/char/unicode/nogroff.out_ascii

@@ -7,6 +7,11 @@ DDEESSCCRRIIPPTTIIOONN
      BEGINTEST
      <NUL><NUL>     <control> NULL
      <SOH><SOH>     <control> START OF HEADING
+     <STX><STX>     <control> START OF TEXT
+     <ETX><ETX>     <control> END OF TEXT
+     <EOT><EOT>     <control> END OF TRANSMISSION
+     <ENQ><ENQ>     <control> ENQUIRY
+     <ACK><ACK>     <control> ACKNOWLEDGE
      <BEL><BEL>     <control> BELL
      <BS><BS>  <control> BACKSPACE
                     <control> CHARACTER TABULATION
@@ -14,12 +19,76 @@ DDEESSCCRRIIPPTTIIOONN
      <VT><VT>  <control> LINE TABULATION
      <FF><FF>  <control> FORM FEED
      <CR><CR>  <control> CARRIAGE RETURN
+     <SO><SO>  <control> SHIFT OUT
+     <SI><SI>  <control> SHIFT IN
+     <DLE><DLE>     <control> DATA LINK ESCAPE
+     <DC1><DC1>     <control> DEVICE CONTROL ONE
+     <DC2><DC2>     <control> DEVICE CONTROL TWO
+     <DC3><DC3>     <control> DEVICE CONTROL THREE
+     <DC4><DC4>     <control> DEVICE CONTROL FOUR
+     <NAK><NAK>     <control> NEGATIVE ACKNOWLEDGE
+     <SYN><SYN>     <control> SYNCHRONOUS IDLE
+     <ETB><ETB>     <control> END OF TRANSMISSION BLOCK
+     <CAN><CAN>     <control> CANCEL
+     <EM><EM>  <control> END OF MEDIUM
+     <SUB><SUB>     <control> SUBSTITUTE
      <ESC><ESC>     <control> ESCAPE
+     <FS><FS>  <control> INFORMATION SEPARATOR FOUR
+     <GS><GS>  <control> INFORMATION SEPARATOR THREE
+     <RS><RS>  <control> INFORMATION SEPARATOR TWO
+     <US><US>  <control> INFORMATION SEPARATOR INE
+     !!   EXCLAMATION MARK
+     %%   PERCENT SIGN
+     &&   AMPERSAND
+     ((   LEFT PARENTHESIS
+     ))   RIGHT PARENTHESIS
+     **   ASTERISK
+     ,,   COMMA
+     --   HYPHEN-MINUS
+     ..   FULL STOP
+     00   DIGIT ZERO
+     11   DIGIT ONE
+     99   DIGIT NINE
+     ::   COLON
+     ;;   SEMICOLON
+     <<   LESS-THAN SIGN
+     >>   GREATER-THAN SIGN
+     ??   QUESTION MARK
+     AA   LATIN CAPITAL LETTER A
+     ZZ   LATIN CAPITAL LETTER Z
+     aa   LATIN SMALL LETTER A
+     zz   LATIN SMALL LETTER Z
      <DEL><DEL>     <control> DELETE
      <80><80>  <control> 0x80
      <81><81>  <control> 0x81
      <82><82>  <control> BREAK PERMITTED HERE
      <83><83>  <control> NO BREAK HERE
+     <84><84>  <control> 0x84
+     <85><85>  <control> NEXT LINE (NEL)
+     <86><86>  <control> START OF SELECTED AREA
+     <87><87>  <control> END OF SELECTED AREA
+     <88><88>  <control> CHARACTER TABULATION SET
+     <89><89>  <control> CHARACTER TABULATION WITH JUSTIFICATION
+     <8A><8A>  <control> LINE TABULATION SET
+     <8B><8B>  <control> PARTIAL LINE FORWARD
+     <8C><8C>  <control> PARTIAL LINE BACKWARD
+     <8D><8D>  <control> REVERSE LINE FEED
+     <8E><8E>  <control> SINGLE SHIFT TWO
+     <8F><8F>  <control> SINGLE SHIFT THREE
+     <90><90>  <control> DEVICE CONTROL STRING
+     <91><91>  <control> PRIVATE USE ONE
+     <92><92>  <control> PRIVATE USE TWO
+     <93><93>  <control> SET TRANSMIT STATE
+     <94><94>  <control> CANCEL CHARACTER
+     <95><95>  <control> MESSAGE WAITING
+     <96><96>  <control> START OF GUARDED AREA
+     <97><97>  <control> END OF GUARDED AREA
+     <98><98>  <control> START OF STRING
+     <99><99>  <control> 0x99
+     <9A><9A>  <control> SINGLE CHARACTER INTRODUCER
+     <9B><9B>  <control> CONTROL SEQUENCE INTRODUCER
+     <9C><9C>  <control> STRING TERMINATOR
+     <9D><9D>  <control> OPERATING SYSTEM COMMAND
      <9E><9E>  <control> PRIVACY MESSAGE
      <9F><9F>  <control> APPLICATION PROGRAM COMMAND
      <<<< MUCH LESS-THAN
@@ -50,4 +119,4 @@ DDEESSCCRRIIPPTTIIOONN
      <?>  <undefined>
      ENDTEST
 
-OpenBSD                          June 2, 2021          CHAR-UNICODE-NOGROFF(1)
+OpenBSD                          May 16, 2024          CHAR-UNICODE-NOGROFF(1)

regress/usr.bin/mandoc/char/unicode/nogroff.out_html

@@ -1,5 +1,10 @@
 ��	<control> NULL
 ��	<control> START OF HEADING
+��	<control> START OF TEXT
+��	<control> END OF TEXT
+��	<control> END OF TRANSMISSION
+��	<control> ENQUIRY
+��	<control> ACKNOWLEDGE
 ��	<control> BELL
 ��	<control> BACKSPACE
 			<control> CHARACTER TABULATION
@@ -7,12 +12,76 @@
 ��	<control> LINE TABULATION
 ��	<control> FORM FEED
 ��	<control> CARRIAGE RETURN
+��	<control> SHIFT OUT
+��	<control> SHIFT IN
+��	<control> DATA LINK ESCAPE
+��	<control> DEVICE CONTROL ONE
+��	<control> DEVICE CONTROL TWO
+��	<control> DEVICE CONTROL THREE
+��	<control> DEVICE CONTROL FOUR
+��	<control> NEGATIVE ACKNOWLEDGE
+��	<control> SYNCHRONOUS IDLE
+��	<control> END OF TRANSMISSION BLOCK
+��	<control> CANCEL
+��	<control> END OF MEDIUM
+��	<control> SUBSTITUTE
 ��	<control> ESCAPE
+��	<control> INFORMATION SEPARATOR FOUR
+��	<control> INFORMATION SEPARATOR THREE
+��	<control> INFORMATION SEPARATOR TWO
+��	<control> INFORMATION SEPARATOR INE
+!!	EXCLAMATION MARK
+%%	PERCENT SIGN
+&&	AMPERSAND
+((	LEFT PARENTHESIS
+))	RIGHT PARENTHESIS
+**	ASTERISK
+,,	COMMA
+--	HYPHEN-MINUS
+..	FULL STOP
+00	DIGIT ZERO
+11	DIGIT ONE
+99	DIGIT NINE
+::	COLON
+;;	SEMICOLON
+<<	LESS-THAN SIGN
+>>	GREATER-THAN SIGN
+??	QUESTION MARK
+AA	LATIN CAPITAL LETTER A
+ZZ	LATIN CAPITAL LETTER Z
+aa	LATIN SMALL LETTER A
+zz	LATIN SMALL LETTER Z
 ��	<control> DELETE
 ��	<control> 0x80
 ��	<control> 0x81
 ��	<control> BREAK PERMITTED HERE
 ��	<control> NO BREAK HERE
+��	<control> 0x84
+��	<control> NEXT LINE (NEL)
+��	<control> START OF SELECTED AREA
+��	<control> END OF SELECTED AREA
+��	<control> CHARACTER TABULATION SET
+��	<control> CHARACTER TABULATION WITH JUSTIFICATION
+��	<control> LINE TABULATION SET
+��	<control> PARTIAL LINE FORWARD
+��	<control> PARTIAL LINE BACKWARD
+��	<control> REVERSE LINE FEED
+��	<control> SINGLE SHIFT TWO
+��	<control> SINGLE SHIFT THREE
+��	<control> DEVICE CONTROL STRING
+��	<control> PRIVATE USE ONE
+��	<control> PRIVATE USE TWO
+��	<control> SET TRANSMIT STATE
+��	<control> CANCEL CHARACTER
+��	<control> MESSAGE WAITING
+��	<control> START OF GUARDED AREA
+��	<control> END OF GUARDED AREA
+��	<control> START OF STRING
+��	<control> 0x99
+��	<control> SINGLE CHARACTER INTRODUCER
+��	<control> CONTROL SEQUENCE INTRODUCER
+��	<control> STRING TERMINATOR
+��	<control> OPERATING SYSTEM COMMAND
 ��	<control> PRIVACY MESSAGE
 ��	<control> APPLICATION PROGRAM COMMAND
 ≪≪	MUCH LESS-THAN

regress/usr.bin/mandoc/char/unicode/nogroff.out_utf8

@@ -7,6 +7,11 @@ DDEESSCCRRIIPPTTIIOONN
      BEGINTEST
      <20><>   <control> NULL
      <20><>   <control> START OF HEADING
+     <20><>   <control> START OF TEXT
+     <20><>   <control> END OF TEXT
+     <20><>   <control> END OF TRANSMISSION
+     <20><>   <control> ENQUIRY
+     <20><>   <control> ACKNOWLEDGE
      <20><>   <control> BELL
      <20><>   <control> BACKSPACE
                     <control> CHARACTER TABULATION
@@ -14,12 +19,76 @@ DDEESSCCRRIIPPTTIIOONN
      <20><>   <control> LINE TABULATION
      <20><>   <control> FORM FEED
      <20><>   <control> CARRIAGE RETURN
+     <20><>   <control> SHIFT OUT
+     <20><>   <control> SHIFT IN
+     <20><>   <control> DATA LINK ESCAPE
+     <20><>   <control> DEVICE CONTROL ONE
+     <20><>   <control> DEVICE CONTROL TWO
+     <20><>   <control> DEVICE CONTROL THREE
+     <20><>   <control> DEVICE CONTROL FOUR
+     <20><>   <control> NEGATIVE ACKNOWLEDGE
+     <20><>   <control> SYNCHRONOUS IDLE
+     <20><>   <control> END OF TRANSMISSION BLOCK
+     <20><>   <control> CANCEL
+     <20><>   <control> END OF MEDIUM
+     <20><>   <control> SUBSTITUTE
      <20><>   <control> ESCAPE
+     <20><>   <control> INFORMATION SEPARATOR FOUR
+     <20><>   <control> INFORMATION SEPARATOR THREE
+     <20><>   <control> INFORMATION SEPARATOR TWO
+     <20><>   <control> INFORMATION SEPARATOR INE
+     !!   EXCLAMATION MARK
+     %%   PERCENT SIGN
+     &&   AMPERSAND
+     ((   LEFT PARENTHESIS
+     ))   RIGHT PARENTHESIS
+     **   ASTERISK
+     ,,   COMMA
+     --   HYPHEN-MINUS
+     ..   FULL STOP
+     00   DIGIT ZERO
+     11   DIGIT ONE
+     99   DIGIT NINE
+     ::   COLON
+     ;;   SEMICOLON
+     <<   LESS-THAN SIGN
+     >>   GREATER-THAN SIGN
+     ??   QUESTION MARK
+     AA   LATIN CAPITAL LETTER A
+     ZZ   LATIN CAPITAL LETTER Z
+     aa   LATIN SMALL LETTER A
+     zz   LATIN SMALL LETTER Z
      <20><>   <control> DELETE
      <20><>   <control> 0x80
      <20><>   <control> 0x81
      <20><>   <control> BREAK PERMITTED HERE
      <20><>   <control> NO BREAK HERE
+     <20><>   <control> 0x84
+     <20><>   <control> NEXT LINE (NEL)
+     <20><>   <control> START OF SELECTED AREA
+     <20><>   <control> END OF SELECTED AREA
+     <20><>   <control> CHARACTER TABULATION SET
+     <20><>   <control> CHARACTER TABULATION WITH JUSTIFICATION
+     <20><>   <control> LINE TABULATION SET
+     <20><>   <control> PARTIAL LINE FORWARD
+     <20><>   <control> PARTIAL LINE BACKWARD
+     <20><>   <control> REVERSE LINE FEED
+     <20><>   <control> SINGLE SHIFT TWO
+     <20><>   <control> SINGLE SHIFT THREE
+     <20><>   <control> DEVICE CONTROL STRING
+     <20><>   <control> PRIVATE USE ONE
+     <20><>   <control> PRIVATE USE TWO
+     <20><>   <control> SET TRANSMIT STATE
+     <20><>   <control> CANCEL CHARACTER
+     <20><>   <control> MESSAGE WAITING
+     <20><>   <control> START OF GUARDED AREA
+     <20><>   <control> END OF GUARDED AREA
+     <20><>   <control> START OF STRING
+     <20><>   <control> 0x99
+     <20><>   <control> SINGLE CHARACTER INTRODUCER
+     <20><>   <control> CONTROL SEQUENCE INTRODUCER
+     <20><>   <control> STRING TERMINATOR
+     <20><>   <control> OPERATING SYSTEM COMMAND
      <20><>   <control> PRIVACY MESSAGE
      <20><>   <control> APPLICATION PROGRAM COMMAND
      ≪≪   MUCH LESS-THAN
@@ -50,4 +119,4 @@ DDEESSCCRRIIPPTTIIOONN
      􏿿     <undefined>
      ENDTEST
 
-OpenBSD                          June 2, 2021          CHAR-UNICODE-NOGROFF(1)
+OpenBSD                          May 16, 2024          CHAR-UNICODE-NOGROFF(1)

regress/usr.bin/ssh/test-exec.sh

@@ -1,4 +1,4 @@
-#	$OpenBSD: test-exec.sh,v 1.110 2024/04/03 06:01:11 anton Exp $
+#	$OpenBSD: test-exec.sh,v 1.111 2024/05/17 01:45:22 djm Exp $
 #	Placed in the Public Domain.
 
 #SUDO=sudo
@@ -52,6 +52,7 @@ SSHKEYGEN=ssh-keygen
 SSHKEYSCAN=ssh-keyscan
 SFTP=sftp
 SFTPSERVER=/usr/libexec/sftp-server
+SSHD_SESSION=/usr/libexec/sshd-session
 SCP=scp
 
 # Interop testing
@@ -73,6 +74,9 @@ OPENSSL_BIN="${OPENSSL_BIN:-openssl}"
 if [ "x$TEST_SSH_SSH" != "x" ]; then
 	SSH="${TEST_SSH_SSH}"
 fi
+if [ "x$TEST_SSH_SSHD_SESSION" != "x" ]; then
+	SSHD_SESSION="${TEST_SSH_SSHD_SESSION}"
+fi
 if [ "x$TEST_SSH_SSHD" != "x" ]; then
 	SSHD="${TEST_SSH_SSHD}"
 fi
@@ -422,6 +426,7 @@ cat << EOF > $OBJ/sshd_config
 	AcceptEnv		_XXX_TEST_*
 	AcceptEnv		_XXX_TEST
 	Subsystem	sftp	$SFTPSERVER
+	SshdSessionPath		$SSHD_SESSION
 EOF
 
 # This may be necessary if /usr/src and/or /usr/obj are group-writable,

sbin/ifconfig/ifconfig.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ifconfig.c,v 1.471 2024/04/23 13:34:50 jsg Exp $	*/
+/*	$OpenBSD: ifconfig.c,v 1.472 2024/05/18 02:44:22 jsg Exp $	*/
 /*	$NetBSD: ifconfig.c,v 1.40 1997/10/01 02:19:43 enami Exp $	*/
 
 /*
@@ -711,8 +711,6 @@ void	process_join_commands(void);
 
 void	process_wg_commands(void);
 
-unsigned long get_ts_map(int, int, int);
-
 void	in_status(int);
 void	in_getaddr(const char *, int);
 void	in_getprefix(const char *, int);

share/man/man5/bsd.port.arch.mk.5

@@ -1,4 +1,4 @@
-.\" $OpenBSD: bsd.port.arch.mk.5,v 1.13 2019/12/08 12:54:36 espie Exp $
+.\" $OpenBSD: bsd.port.arch.mk.5,v 1.14 2024/05/16 09:52:58 sthen Exp $
 .\"
 .\" Copyright (c) 2011 Marc Espie
 .\"
@@ -24,7 +24,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 8 2019 $
+.Dd $Mdocdate: May 16 2024 $
 .Dt BSD.PORT.ARCH.MK 5
 .Os
 .Sh NAME
@@ -96,6 +96,7 @@ It will set up the following variables for use in the rest of the
 .It Ev LLD_EMUL
 .It Ev LLVM_ARCHS
 .It Ev LP64_ARCHS
+.It Ev LUAJIT_ARCHS
 .It Ev MONO_ARCHS
 .It Ev OCAML_NATIVE_ARCHS
 .It Ev OCAML_NATIVE_DYNLINK_ARCHS

share/man/man8/bulk.8

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: bulk.8,v 1.8 2024/05/15 11:27:36 sthen Exp $
+.\"	$OpenBSD: bulk.8,v 1.10 2024/05/16 10:31:55 sthen Exp $
 .\"
 .\"	Copyright (c) 2016 Marc Espie <espie@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.Dd $Mdocdate: May 15 2024 $
+.Dd $Mdocdate: May 16 2024 $
 .Dt BULK 8
 .Os
 .Sh NAME
@@ -42,7 +42,7 @@ Setup a master machine with enough room for a chroot, say
 Assuming you are using a cluster of machines,
 this chroot should contain NFS exportable partitions for distfiles,
 plists, and packages (one single partition can be used for simplicity).
-A full setup currently requires in the order of 100GB for distfiles
+A full setup currently requires in the order of 120GB for distfiles
 and 70GB for packages.
 Expect these numbers to grow.
 150GB for each should last a few years.
@@ -59,11 +59,14 @@ for instance
 .Pp
 Reserve one "scratch" partition under the chroot for WRKOBJDIR
 (for instance, mfs, async, or SSD).
-This partition should be roughly 40GB if you want to be able to
-build all ports using multiple CPU cores.
 This can often double as
 .Pa /tmp
 under the chroot.
+The largest ports can take in excess of 20GB each (more for a debug
+build) and you may have several of these built at the same time.
+50GB is probably a reasonable minimum on an architecture which can build
+chromium, though 100GB would not be overkill, especially if you have
+many cores.
 .Pp
 Alternately, you can setup your whole chroot as a scratch partition,
 and reserve one more permanent space under it for distfiles,

share/man/man8/daily.8

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: daily.8,v 1.29 2020/10/20 22:42:29 danj Exp $
+.\"	$OpenBSD: daily.8,v 1.30 2024/05/16 11:33:59 solene Exp $
 .\"
 .\" Copyright (c) 2003 Jason McIntyre <jmc@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 20 2020 $
+.Dd $Mdocdate: May 16 2024 $
 .Dt DAILY 8
 .Os
 .Sh NAME
@@ -112,7 +112,7 @@ for the mount options, e.g.
 Checks daemon status.
 Lists any daemons which are enabled in
 .Xr rc.conf.local 8
-but which are not actually running.
+but which are not actually running (and vice versa).
 .It
 Reports on which file systems need to be dumped via
 .Xr dump 8 .

sys/dev/fdt/ociic.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ociic.c,v 1.3 2022/04/06 18:59:28 naddy Exp $	*/
+/*	$OpenBSD: ociic.c,v 1.4 2024/05/15 22:54:03 kettenis Exp $	*/
 /*
  * Copyright (c) 2021 Mark Kettenis <kettenis@openbsd.org>
  *
@@ -53,6 +53,13 @@
 #define  I2C_SR_TIP	(1 << 1)
 #define  I2C_SR_IF	(1 << 0)
 
+/*
+ * OpenSBI on the SiFive HiFive Unmatched board implements reboot and
+ * powerdown functionality through the Dialog DA9063 Power Management
+ * IC over I2C.  The code expects the I2C controller to be enabled so
+ * we have to make sure we leave it in that state.
+ */
+
 struct ociic_softc {
 	struct device		sc_dev;
 	bus_space_tag_t		sc_iot;
@@ -156,6 +163,8 @@ ociic_attach(struct device *parent, struct device *self, void *aux)
 		ociic_write(sc, I2C_PRER_HI, div >> 8);
 	}
 
+	ociic_set(sc, I2C_CTR, I2C_CTR_EN);
+
 	sc->sc_ic.ic_cookie = sc;
 	sc->sc_ic.ic_acquire_bus = ociic_acquire_bus;
 	sc->sc_ic.ic_release_bus = ociic_release_bus;
@@ -174,18 +183,12 @@ ociic_attach(struct device *parent, struct device *self, void *aux)
 int
 ociic_acquire_bus(void *cookie, int flags)
 {
-	struct ociic_softc *sc = cookie;
-
-	ociic_set(sc, I2C_CTR, I2C_CTR_EN);
 	return 0;
 }
 
 void
 ociic_release_bus(void *cookie, int flags)
 {
-	struct ociic_softc *sc = cookie;
-
-	ociic_clr(sc, I2C_CTR, I2C_CTR_EN);
 }
 
 int

sys/dev/fdt/virtio_mmio.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: virtio_mmio.c,v 1.12 2024/01/15 02:35:23 dv Exp $	*/
+/*	$OpenBSD: virtio_mmio.c,v 1.13 2024/05/17 16:37:10 sf Exp $	*/
 /*	$NetBSD: virtio.c,v 1.3 2011/11/02 23:05:52 njoly Exp $	*/
 
 /*
@@ -97,6 +97,7 @@ void		virtio_mmio_write_device_config_4(struct virtio_softc *, int, uint32_t);
 void		virtio_mmio_write_device_config_8(struct virtio_softc *, int, uint64_t);
 uint16_t	virtio_mmio_read_queue_size(struct virtio_softc *, uint16_t);
 void		virtio_mmio_setup_queue(struct virtio_softc *, struct virtqueue *, uint64_t);
+int		virtio_mmio_get_status(struct virtio_softc *);
 void		virtio_mmio_set_status(struct virtio_softc *, int);
 int		virtio_mmio_negotiate_features(struct virtio_softc *,
     const struct virtio_feature_name *);
@@ -144,6 +145,7 @@ struct virtio_ops virtio_mmio_ops = {
 	virtio_mmio_write_device_config_8,
 	virtio_mmio_read_queue_size,
 	virtio_mmio_setup_queue,
+	virtio_mmio_get_status,
 	virtio_mmio_set_status,
 	virtio_mmio_negotiate_features,
 	virtio_mmio_intr,
@@ -194,6 +196,15 @@ virtio_mmio_setup_queue(struct virtio_softc *vsc, struct virtqueue *vq,
 	}
 }
 
+int
+virtio_mmio_get_status(struct virtio_softc *vsc)
+{
+	struct virtio_mmio_softc *sc = (struct virtio_mmio_softc *)vsc;
+
+	return bus_space_read_4(sc->sc_iot, sc->sc_ioh,
+	    VIRTIO_MMIO_STATUS);
+}
+
 void
 virtio_mmio_set_status(struct virtio_softc *vsc, int status)
 {

sys/dev/ic/ufshci.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ufshci.c,v 1.22 2024/05/15 18:01:10 mglocker Exp $ */
+/*	$OpenBSD: ufshci.c,v 1.24 2024/05/16 10:52:11 mglocker Exp $ */
 
 /*
  * Copyright (c) 2022 Marcus Glocker <mglocker@openbsd.org>
@@ -186,9 +186,6 @@ ufshci_attach(struct ufshci_softc *sc)
 	DPRINTF(1, " BI=0x%04x\n", UFSHCI_REG_HCMID_BI(sc->sc_hcmid));
 	DPRINTF(1, " MIC=0x%04x\n", UFSHCI_REG_HCMID_MIC(sc->sc_hcmid));
 
-	/* XXX: Using more than one slot currently causes OCS errors */
-	sc->sc_nutrs = 1;
-
 	if (sc->sc_nutrs > 32) {
 		printf("%s: NUTRS can't be >32 (is %d)!\n",
 		    sc->sc_dev.dv_xname, sc->sc_nutrs);
@@ -513,7 +510,7 @@ ufshci_utr_cmd_nop(struct ufshci_softc *sc, struct ufshci_ccb *ccb,
 	ucd->cmd.hdr.tc = UPIU_TC_I2T_NOP_OUT;
 	ucd->cmd.hdr.flags = 0;
 	ucd->cmd.hdr.lun = 0;
-	ucd->cmd.hdr.taskid = 0;
+	ucd->cmd.hdr.task_tag = slot;
 	ucd->cmd.hdr.cmd_set_type = 0; /* SCSI command */
 	ucd->cmd.hdr.query = 0;
 	ucd->cmd.hdr.response = 0;
@@ -603,7 +600,7 @@ ufshci_utr_cmd_lun(struct ufshci_softc *sc, struct ufshci_ccb *ccb,
 	ucd->cmd.hdr.tc = UPIU_TC_I2T_COMMAND;
 	ucd->cmd.hdr.flags = (1 << 6); /* Bit-5 = Write, Bit-6 = Read */
 	ucd->cmd.hdr.lun = 0;
-	ucd->cmd.hdr.taskid = 0;
+	ucd->cmd.hdr.task_tag = slot;
 	ucd->cmd.hdr.cmd_set_type = 0; /* SCSI command */
 	ucd->cmd.hdr.query = 0;
 	ucd->cmd.hdr.response = 0;
@@ -710,7 +707,7 @@ ufshci_utr_cmd_inquiry(struct ufshci_softc *sc, struct ufshci_ccb *ccb,
 	ucd->cmd.hdr.tc = UPIU_TC_I2T_COMMAND;
 	ucd->cmd.hdr.flags = (1 << 6); /* Bit-5 = Write, Bit-6 = Read */
 	ucd->cmd.hdr.lun = 0;
-	ucd->cmd.hdr.taskid = 0;
+	ucd->cmd.hdr.task_tag = slot;
 	ucd->cmd.hdr.cmd_set_type = 0; /* SCSI command */
 	ucd->cmd.hdr.query = 0;
 	ucd->cmd.hdr.response = 0;
@@ -815,7 +812,7 @@ ufshci_utr_cmd_capacity16(struct ufshci_softc *sc, struct ufshci_ccb *ccb,
 	ucd->cmd.hdr.tc = UPIU_TC_I2T_COMMAND;
 	ucd->cmd.hdr.flags = (1 << 6); /* Bit-5 = Write, Bit-6 = Read */
 	ucd->cmd.hdr.lun = 0;
-	ucd->cmd.hdr.taskid = 0;
+	ucd->cmd.hdr.task_tag = slot;
 	ucd->cmd.hdr.cmd_set_type = 0; /* SCSI command */
 	ucd->cmd.hdr.query = 0;
 	ucd->cmd.hdr.response = 0;
@@ -924,7 +921,7 @@ ufshci_utr_cmd_capacity(struct ufshci_softc *sc, struct ufshci_ccb *ccb,
 	ucd->cmd.hdr.tc = UPIU_TC_I2T_COMMAND;
 	ucd->cmd.hdr.flags = (1 << 6); /* Bit-5 = Write, Bit-6 = Read */
 	ucd->cmd.hdr.lun = 0;
-	ucd->cmd.hdr.taskid = 0;
+	ucd->cmd.hdr.task_tag = slot;
 	ucd->cmd.hdr.cmd_set_type = 0; /* SCSI command */
 	ucd->cmd.hdr.query = 0;
 	ucd->cmd.hdr.response = 0;
@@ -1003,6 +1000,8 @@ ufshci_utr_cmd_io(struct ufshci_softc *sc, struct ufshci_ccb *ccb,
 	struct ufshci_utrd *utrd;
 	struct ufshci_ucd *ucd;
 	bus_dmamap_t dmap = ccb->ccb_dmamap;
+	uint32_t blocks;
+	uint64_t lba;
 
 	/* 7.2.1 Basic Steps when Building a UTP Transfer Request: 1) */
 	slot = ccb->ccb_slot;
@@ -1038,7 +1037,7 @@ ufshci_utr_cmd_io(struct ufshci_softc *sc, struct ufshci_ccb *ccb,
 	else
 		ucd->cmd.hdr.flags = (1 << 5); /* Bit-5 = Write */
 	ucd->cmd.hdr.lun = 0;
-	ucd->cmd.hdr.taskid = 0;
+	ucd->cmd.hdr.task_tag = slot;
 	ucd->cmd.hdr.cmd_set_type = 0; /* SCSI command */
 	ucd->cmd.hdr.query = 0;
 	ucd->cmd.hdr.response = 0;
@@ -1047,7 +1046,16 @@ ufshci_utr_cmd_io(struct ufshci_softc *sc, struct ufshci_ccb *ccb,
 	ucd->cmd.hdr.device_info = 0;
 	ucd->cmd.hdr.ds_len = 0;
 
-	ucd->cmd.expected_xfer_len = htobe32(xs->datalen);
+	/*
+	 * JESD220C-2_1.pdf, page 88, d) Expected Data Transfer Length:
+	 * "When the COMMAND UPIU encodes a SCSI WRITE or SCSI READ command
+	 * (specifically WRITE (6), READ (6), WRITE (10), READ (10),
+	 * WRITE (16), or READ (16)), the value of this field shall be the
+	 * product of the Logical Block Size (bLogicalBlockSize) and the
+	 * TRANSFER LENGTH field of the CDB."
+	 */
+	scsi_cmd_rw_decode(&xs->cmd, &lba, &blocks);
+	ucd->cmd.expected_xfer_len = htobe32(UFSHCI_LBS * blocks);
 
 	memcpy(ucd->cmd.cdb, &xs->cmd, sizeof(ucd->cmd.cdb));
 
@@ -1140,7 +1148,7 @@ ufshci_utr_cmd_sync(struct ufshci_softc *sc, struct ufshci_ccb *ccb,
 	ucd->cmd.hdr.tc = UPIU_TC_I2T_COMMAND;
 	ucd->cmd.hdr.flags = 0; /* No data transfer */
 	ucd->cmd.hdr.lun = 0;
-	ucd->cmd.hdr.taskid = 0;
+	ucd->cmd.hdr.task_tag = slot;
 	ucd->cmd.hdr.cmd_set_type = 0; /* SCSI command */
 	ucd->cmd.hdr.query = 0;
 	ucd->cmd.hdr.response = 0;
@@ -1207,16 +1215,19 @@ ufshci_xfer_complete(struct ufshci_softc *sc)
 {
 	struct ufshci_ccb *ccb;
 	uint32_t reg;
-	int i;
+	int i, timeout;
 
 	mtx_enter(&sc->sc_cmd_mtx);
 
 	/* Wait for all commands to complete. */
-	while ((reg = ufshci_doorbell_read(sc))) {
+	for (timeout = 5000; timeout != 0; timeout--) {
-		DPRINTF(3, "%s: doorbell reg=0x%x\n", __func__, reg);
+		reg = ufshci_doorbell_read(sc);
 		if (reg == 0)
 			break;
+		delay(10);
 	}
+	if (timeout == 0)
+		printf("%s: timeout (reg=0x%x)\n", __func__, reg);
 
 	for (i = 0; i < sc->sc_nutrs; i++) {
 		ccb = &sc->sc_ccbs[i];

sys/dev/ic/ufshcireg.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ufshcireg.h,v 1.7 2024/05/09 08:20:22 mglocker Exp $ */
+/*	$OpenBSD: ufshcireg.h,v 1.9 2024/05/16 10:52:11 mglocker Exp $ */
 
 /*
  * Copyright (c) 2022 Marcus Glocker <mglocker@openbsd.org>
@@ -21,8 +21,11 @@
  */
 #define UFSHCI_UCD_PRDT_MAX_SEGS	64
 #define UFSHCI_UCD_PRDT_MAX_XFER	(UFSHCI_UCD_PRDT_MAX_SEGS * PAGE_SIZE)
-#define UFSHCI_INTR_AGGR_TIMEOUT	0x64 /* 4ms */
+#define UFSHCI_INTR_AGGR_TIMEOUT	0x08 /* 320us (1 unit = 40us) */
 #define UFSHCI_MAX_UNITS		32
+#define UFSHCI_LBS			4096 /* UFS Logical Block Size:
+						For UFS minimum size shall be
+					        4096 bytes */
 
 /*
  * Controller Capabilities Registers
@@ -335,7 +338,7 @@ struct upiu_hdr {
 	uint8_t tc;			/* Transaction Code */
 	uint8_t flags;
 	uint8_t lun;
-	uint8_t taskid;
+	uint8_t task_tag;
 	uint8_t cmd_set_type;
 	uint8_t query;
 	uint8_t response;

sys/dev/ic/ufshcivar.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ufshcivar.h,v 1.4 2024/05/09 08:06:42 mglocker Exp $ */
+/*	$OpenBSD: ufshcivar.h,v 1.5 2024/05/15 20:15:33 mglocker Exp $ */
 
 /*
  * Copyright (c) 2022 Marcus Glocker <mglocker@openbsd.org>
@@ -68,7 +68,6 @@ struct ufshci_softc {
 	uint8_t			 sc_nutmrs;
 	uint8_t			 sc_rtt;
 	uint8_t			 sc_nutrs;
-	uint8_t			 sc_taskid;
 
 	struct ufshci_dmamem	*sc_dmamem_utmrd;
 	struct ufshci_dmamem	*sc_dmamem_utrd;

sys/dev/pci/azalia.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: azalia.c,v 1.286 2024/03/06 00:11:25 jsg Exp $	*/
+/*	$OpenBSD: azalia.c,v 1.287 2024/05/17 19:43:45 kettenis Exp $	*/
 /*	$NetBSD: azalia.c,v 1.20 2006/05/07 08:31:44 kent Exp $	*/
 
 /*-
@@ -176,6 +176,7 @@ typedef struct azalia_t {
 	int nistreams, nostreams, nbstreams;
 	stream_t pstream;
 	stream_t rstream;
+	uint32_t intctl;
 } azalia_t;
 #define XNAME(sc)		((sc)->dev.dv_xname)
 #define AZ_READ_1(z, r)		bus_space_read_1((z)->iot, (z)->ioh, HDA_##r)
@@ -556,16 +557,6 @@ azalia_pci_attach(struct device *parent, struct device *self, void *aux)
 		azalia_pci_write(sc->pc, sc->tag, ICH_PCI_MMC, reg);
 	}
 
-	/* disable MSI for AMD Summit Ridge/Raven Ridge HD Audio */
-	if (PCI_VENDOR(sc->pciid) == PCI_VENDOR_AMD) {
-		switch (PCI_PRODUCT(sc->pciid)) {
-		case PCI_PRODUCT_AMD_17_HDA:
-		case PCI_PRODUCT_AMD_17_1X_HDA:
-		case PCI_PRODUCT_AMD_HUDSON2_HDA:
-			pa->pa_flags &= ~PCI_FLAGS_MSI_ENABLED;
-		}
-	}
-
 	/* interrupt */
 	if (pci_intr_map_msi(pa, &ih) && pci_intr_map(pa, &ih)) {
 		printf(": can't map interrupt\n");
@@ -684,7 +675,6 @@ azalia_pci_detach(struct device *self, int flags)
 		AZ_WRITE_4(az, INTCTL, 0);
 
 		DPRINTF(("%s: clear interrupts\n", __func__));
-		AZ_WRITE_4(az, INTSTS, HDA_INTSTS_CIS | HDA_INTSTS_GIS);
 		AZ_WRITE_2(az, STATESTS, HDA_STATESTS_SDIWAKE);
 		AZ_WRITE_1(az, RIRBSTS, HDA_RIRBSTS_RINTFL | HDA_RIRBSTS_RIRBOIS);
 	}
@@ -711,13 +701,10 @@ azalia_intr(void *v)
 	int ret = 0;
 
 	mtx_enter(&audio_lock);
+	for (;;) {
 		intsts = AZ_READ_4(az, INTSTS);
-	if (intsts == 0 || intsts == 0xffffffff) {
+		if ((intsts & az->intctl) == 0 || intsts == 0xffffffff)
-		mtx_leave(&audio_lock);
+			break;
-		return (ret);
-	}
-
-	AZ_WRITE_4(az, INTSTS, intsts);
 
 		if (intsts & az->pstream.intr_bit) {
 			azalia_stream_intr(&az->pstream);
@@ -735,6 +722,7 @@ azalia_intr(void *v)
 			azalia_rirb_intr(az);
 			ret = 1;
 		}
+	}
 	mtx_leave(&audio_lock);
 	return (ret);
 }
@@ -918,7 +906,6 @@ azalia_init(azalia_t *az, int resuming)
 	/* clear interrupt status */
 	AZ_WRITE_2(az, STATESTS, HDA_STATESTS_SDIWAKE);
 	AZ_WRITE_1(az, RIRBSTS, HDA_RIRBSTS_RINTFL | HDA_RIRBSTS_RIRBOIS);
-	AZ_WRITE_4(az, INTSTS, HDA_INTSTS_CIS | HDA_INTSTS_GIS);
 	AZ_WRITE_4(az, DPLBASE, 0);
 	AZ_WRITE_4(az, DPUBASE, 0);
 
@@ -932,8 +919,8 @@ azalia_init(azalia_t *az, int resuming)
 	if (err)
 		return(err);
 
-	AZ_WRITE_4(az, INTCTL,
+	az->intctl = HDA_INTCTL_CIE | HDA_INTCTL_GIE;
-	    AZ_READ_4(az, INTCTL) | HDA_INTCTL_CIE | HDA_INTCTL_GIE);
+	AZ_WRITE_4(az, INTCTL, az->intctl);
 
 	return(0);
 }
@@ -1421,7 +1408,6 @@ azalia_suspend(azalia_t *az)
 
 	/* stop interrupts and clear status registers */
 	AZ_WRITE_4(az, INTCTL, 0);
-	AZ_WRITE_4(az, INTSTS, HDA_INTSTS_CIS | HDA_INTSTS_GIS);
 	AZ_WRITE_2(az, STATESTS, HDA_STATESTS_SDIWAKE);
 	AZ_WRITE_1(az, RIRBSTS, HDA_RIRBSTS_RINTFL | HDA_RIRBSTS_RIRBOIS);
 
@@ -3723,7 +3709,6 @@ azalia_stream_start(stream_t *this)
 	bdlist_entry_t *bdlist;
 	bus_addr_t dmaaddr, dmaend;
 	int err, index;
-	uint32_t intctl;
 	uint8_t ctl2;
 
 	err = azalia_stream_reset(this);
@@ -3768,9 +3753,8 @@ azalia_stream_start(stream_t *this)
 	if (err)
 		return EINVAL;
 
-	intctl = AZ_READ_4(this->az, INTCTL);
+	this->az->intctl |= this->intr_bit;
-	intctl |= this->intr_bit;
+	AZ_WRITE_4(this->az, INTCTL, this->az->intctl);
-	AZ_WRITE_4(this->az, INTCTL, intctl);
 
 	STR_WRITE_1(this, CTL, STR_READ_1(this, CTL) |
 	    HDA_SD_CTL_DEIE | HDA_SD_CTL_FEIE | HDA_SD_CTL_IOCE |
@@ -3786,8 +3770,8 @@ azalia_stream_halt(stream_t *this)
 	ctl = STR_READ_2(this, CTL);
 	ctl &= ~(HDA_SD_CTL_DEIE | HDA_SD_CTL_FEIE | HDA_SD_CTL_IOCE | HDA_SD_CTL_RUN);
 	STR_WRITE_2(this, CTL, ctl);
-	AZ_WRITE_4(this->az, INTCTL,
+	this->az->intctl &= ~this->intr_bit;
-	    AZ_READ_4(this->az, INTCTL) & ~this->intr_bit);
+	AZ_WRITE_4(this->az, INTCTL, this->az->intctl);
 	azalia_codec_disconnect_stream(this);
 
 	return (0);

sys/dev/pci/virtio_pci.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: virtio_pci.c,v 1.36 2024/01/15 02:35:23 dv Exp $	*/
+/*	$OpenBSD: virtio_pci.c,v 1.37 2024/05/17 16:37:10 sf Exp $	*/
 /*	$NetBSD: virtio.c,v 1.3 2011/11/02 23:05:52 njoly Exp $	*/
 
 /*
@@ -72,6 +72,7 @@ void		virtio_pci_write_device_config_4(struct virtio_softc *, int, uint32_t);
 void		virtio_pci_write_device_config_8(struct virtio_softc *, int, uint64_t);
 uint16_t	virtio_pci_read_queue_size(struct virtio_softc *, uint16_t);
 void		virtio_pci_setup_queue(struct virtio_softc *, struct virtqueue *, uint64_t);
+int		virtio_pci_get_status(struct virtio_softc *);
 void		virtio_pci_set_status(struct virtio_softc *, int);
 int		virtio_pci_negotiate_features(struct virtio_softc *, const struct virtio_feature_name *);
 int		virtio_pci_negotiate_features_10(struct virtio_softc *, const struct virtio_feature_name *);
@@ -155,6 +156,7 @@ struct virtio_ops virtio_pci_ops = {
 	virtio_pci_write_device_config_8,
 	virtio_pci_read_queue_size,
 	virtio_pci_setup_queue,
+	virtio_pci_get_status,
 	virtio_pci_set_status,
 	virtio_pci_negotiate_features,
 	virtio_pci_poll_intr,
@@ -275,6 +277,18 @@ virtio_pci_setup_queue(struct virtio_softc *vsc, struct virtqueue *vq,
 	}
 }
 
+int
+virtio_pci_get_status(struct virtio_softc *vsc)
+{
+	struct virtio_pci_softc *sc = (struct virtio_pci_softc *)vsc;
+
+	if (sc->sc_sc.sc_version_1)
+		return CREAD(sc, device_status);
+	else
+		return bus_space_read_1(sc->sc_iot, sc->sc_ioh,
+		    VIRTIO_CONFIG_DEVICE_STATUS);
+}
+
 void
 virtio_pci_set_status(struct virtio_softc *vsc, int status)
 {

sys/dev/pv/if_vio.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: if_vio.c,v 1.33 2024/05/07 18:35:23 jan Exp $	*/
+/*	$OpenBSD: if_vio.c,v 1.34 2024/05/17 16:37:10 sf Exp $	*/
 
 /*
  * Copyright (c) 2012 Stefan Fritsch, Alexander Fiveg.
@@ -252,6 +252,7 @@ struct vio_softc {
 #define VIRTIO_NET_TX_MAXNSEGS		16 /* for larger chains, defrag */
 #define VIRTIO_NET_CTRL_MAC_MC_ENTRIES	64 /* for more entries, use ALLMULTI */
 #define VIRTIO_NET_CTRL_MAC_UC_ENTRIES	 1 /* one entry for own unicast addr */
+#define VIRTIO_NET_CTRL_TIMEOUT		(5*1000*1000*1000ULL) /* 5 seconds */
 
 #define VIO_CTRL_MAC_INFO_SIZE					\
 	(2*sizeof(struct virtio_net_ctrl_mac_tbl) +		\
@@ -512,6 +513,17 @@ vio_put_lladdr(struct arpcom *ac, struct virtio_softc *vsc)
 	}
 }
 
+static int vio_needs_reset(struct vio_softc *sc)
+{
+	if (virtio_get_status(sc->sc_virtio) &
+	    VIRTIO_CONFIG_DEVICE_STATUS_DEVICE_NEEDS_RESET) {
+		printf("%s: device needs reset", sc->sc_dev.dv_xname);
+		vio_ctrl_wakeup(sc, RESET);
+		return 1;
+	}
+	return 0;
+}
+
 void
 vio_attach(struct device *parent, struct device *self, void *aux)
 {
@@ -649,6 +661,7 @@ vio_config_change(struct virtio_softc *vsc)
 {
 	struct vio_softc *sc = (struct vio_softc *)vsc->sc_child;
 	vio_link_state(&sc->sc_ac.ac_if);
+	vio_needs_reset(sc);
 	return 1;
 }
 
@@ -703,7 +716,7 @@ vio_stop(struct ifnet *ifp, int disable)
 	virtio_reset(vsc);
 	vio_rxeof(sc);
 	if (vsc->sc_nvqs >= 3)
-		vio_ctrleof(&sc->sc_vq[VQCTL]);
+		vio_ctrl_wakeup(sc, RESET);
 	vio_tx_drain(sc);
 	if (disable)
 		vio_rx_drain(sc);
@@ -714,11 +727,8 @@ vio_stop(struct ifnet *ifp, int disable)
 	if (vsc->sc_nvqs >= 3)
 		virtio_start_vq_intr(vsc, &sc->sc_vq[VQCTL]);
 	virtio_reinit_end(vsc);
-	if (vsc->sc_nvqs >= 3) {
+	if (vsc->sc_nvqs >= 3)
-		if (sc->sc_ctrl_inuse != FREE)
+		vio_ctrl_wakeup(sc, FREE);
-			sc->sc_ctrl_inuse = RESET;
-		wakeup(&sc->sc_ctrl_inuse);
-	}
 }
 
 static inline uint16_t
@@ -1230,6 +1240,9 @@ vio_txeof(struct virtqueue *vq)
 	int r = 0;
 	int slot, len;
 
+	if (!ISSET(ifp->if_flags, IFF_RUNNING))
+		return 0;
+
 	while (virtio_dequeue(vsc, vq, &slot, &len) == 0) {
 		struct virtio_net_hdr *hdr = &sc->sc_tx_hdrs[slot];
 		r++;
@@ -1363,32 +1376,15 @@ out:
 	return r;
 }
 
-/*
- * XXXSMP As long as some per-ifp ioctl(2)s are executed with the
- * NET_LOCK() deadlocks are possible.  So release it here.
- */
-static inline int
-vio_sleep(struct vio_softc *sc, const char *wmesg)
-{
-	int status = rw_status(&netlock);
-
-	if (status != RW_WRITE && status != RW_READ)
-		return tsleep_nsec(&sc->sc_ctrl_inuse, PRIBIO|PCATCH, wmesg,
-		    INFSLP);
-
-	return rwsleep_nsec(&sc->sc_ctrl_inuse, &netlock, PRIBIO|PCATCH, wmesg,
-	    INFSLP);
-}
-
 int
 vio_wait_ctrl(struct vio_softc *sc)
 {
 	int r = 0;
 
 	while (sc->sc_ctrl_inuse != FREE) {
-		r = vio_sleep(sc, "viowait");
+		if (sc->sc_ctrl_inuse == RESET || vio_needs_reset(sc))
-		if (r == EINTR)
+			return ENXIO;
-			return r;
+		r = tsleep_nsec(&sc->sc_ctrl_inuse, PRIBIO, "viowait", INFSLP);
 	}
 	sc->sc_ctrl_inuse = INUSE;
 
@@ -1400,14 +1396,16 @@ vio_wait_ctrl_done(struct vio_softc *sc)
 {
 	int r = 0;
 
-	while (sc->sc_ctrl_inuse != DONE && sc->sc_ctrl_inuse != RESET) {
+	while (sc->sc_ctrl_inuse != DONE) {
-		if (sc->sc_ctrl_inuse == RESET) {
+		if (sc->sc_ctrl_inuse == RESET || vio_needs_reset(sc))
-			r = 1;
+			return ENXIO;
-			break;
+		r = tsleep_nsec(&sc->sc_ctrl_inuse, PRIBIO, "viodone",
+		    VIRTIO_NET_CTRL_TIMEOUT);
+		if (r == EWOULDBLOCK) {
+			printf("%s: ctrl queue timeout", sc->sc_dev.dv_xname);
+			vio_ctrl_wakeup(sc, RESET);
+			return ENXIO;
 		}
-		r = vio_sleep(sc, "viodone");
-		if (r == EINTR)
-			break;
 	}
 	return r;
 }

sys/dev/pv/virtiovar.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: virtiovar.h,v 1.17 2024/05/13 01:15:51 jsg Exp $	*/
+/*	$OpenBSD: virtiovar.h,v 1.18 2024/05/17 16:37:10 sf Exp $	*/
 /*	$NetBSD: virtiovar.h,v 1.1 2011/10/30 12:12:21 hannken Exp $	*/
 
 /*
@@ -154,6 +154,7 @@ struct virtio_ops {
 	void		(*write_dev_cfg_8)(struct virtio_softc *, int, uint64_t);
 	uint16_t	(*read_queue_size)(struct virtio_softc *, uint16_t);
 	void		(*setup_queue)(struct virtio_softc *, struct virtqueue *, uint64_t);
+	int		(*get_status)(struct virtio_softc *);
 	void		(*set_status)(struct virtio_softc *, int);
 	int		(*neg_features)(struct virtio_softc *, const struct virtio_feature_name *);
 	int		(*poll_intr)(void *);
@@ -197,9 +198,10 @@ struct virtio_softc {
 #define	virtio_setup_queue(sc, i, v)		(sc)->sc_ops->setup_queue(sc, i, v)
 #define	virtio_negotiate_features(sc, n)	(sc)->sc_ops->neg_features(sc, n)
 #define	virtio_poll_intr(sc)			(sc)->sc_ops->poll_intr(sc)
+#define	virtio_get_status(sc)			(sc)->sc_ops->get_status(sc)
+#define	virtio_set_status(sc, i)		(sc)->sc_ops->set_status(sc, i)
 
 /* only for transport drivers */
-#define	virtio_set_status(sc, i)		(sc)->sc_ops->set_status(sc, i)
 #define	virtio_device_reset(sc)			virtio_set_status((sc), 0)
 
 static inline int

sys/dev/sbus/esp_sbus.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: esp_sbus.c,v 1.26 2022/03/13 13:34:54 mpi Exp $	*/
+/*	$OpenBSD: esp_sbus.c,v 1.27 2024/05/17 20:03:13 miod Exp $	*/
 /*	$NetBSD: esp_sbus.c,v 1.14 2001/04/25 17:53:37 bouyer Exp $	*/
 
 /*-
@@ -262,18 +262,14 @@ espattach_sbus(struct device *parent, struct device *self, void *aux)
 
 	/*
 	 * Find the DMA by poking around the dma device structures
-	 *
 	 * What happens here is that if the dma driver has not been
-	 * configured, then this returns a NULL pointer. Then when the
+	 * configured, then this returns a NULL pointer.
-	 * dma actually gets configured, it does the opposing test, and
-	 * if the sc->sc_esp field in its softc is NULL, then tries to
-	 * find the matching esp driver.
 	 */
 	esc->sc_dma = (struct lsi64854_softc *)
 	    getdevunit("dma", sc->sc_dev.dv_unit - esp_unit_offset);
 
 	/*
-	 * and a back pointer to us, for DMA
+	 * add a back pointer to us, for DMA
 	 */
 	if (esc->sc_dma)
 		esc->sc_dma->sc_client = sc;

sys/dev/wscons/wsmouse.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: wsmouse.c,v 1.71 2024/03/25 13:01:49 mvs Exp $ */
+/* $OpenBSD: wsmouse.c,v 1.72 2024/05/17 20:11:58 miod Exp $ */
 /* $NetBSD: wsmouse.c,v 1.35 2005/02/27 00:27:52 perry Exp $ */
 
 /*
@@ -1255,6 +1255,7 @@ wsmouse_matching(int *matrix, int m, int n, int *buffer)
 	for (; p < mc; *p++ = 0) {}
 	for (col = 0; col < n; col++) {
 		delta = INT_MAX;
+		row = 0;
 		for (i = 0, p = matrix + col; i < m; i++, p += n) {
 			d = *p - red[i];
 			if (d < delta || (d == delta && r2c[i] < 0)) {

sys/kern/init_sysent.c

@@ -1,10 +1,10 @@
-/*	$OpenBSD: init_sysent.c,v 1.280 2024/05/10 09:21:41 claudio Exp $	*/
+/*	$OpenBSD: init_sysent.c,v 1.281 2024/05/18 05:21:02 guenther Exp $	*/
 
 /*
  * System call switch table.
  *
  * DO NOT EDIT-- this file is automatically generated.
- * created from;	OpenBSD: syscalls.master,v 1.263 2024/05/10 09:21:01 claudio Exp 
+ * created from;	OpenBSD: syscalls.master,v 1.264 2024/05/18 05:20:22 guenther Exp 
  */
 
 #include <sys/param.h>
@@ -417,8 +417,8 @@ const struct sysent sysent[] = {
 	    sys_nosys },			/* 188 = obsolete stat35 */
 	{ 0, 0, 0,
 	    sys_nosys },			/* 189 = obsolete fstat35 */
-	{ 0, 0, 0,
+	{ 4, s(struct sys_pathconfat_args), 0,
-	    sys_nosys },			/* 190 = obsolete lstat35 */
+	    sys_pathconfat },			/* 190 = pathconfat */
 	{ 2, s(struct sys_pathconf_args), 0,
 	    sys_pathconf },			/* 191 = pathconf */
 	{ 2, s(struct sys_fpathconf_args), 0,

sys/kern/kern_pledge.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: kern_pledge.c,v 1.313 2024/04/05 13:55:26 deraadt Exp $	*/
+/*	$OpenBSD: kern_pledge.c,v 1.314 2024/05/18 05:20:22 guenther Exp $	*/
 
 /*
  * Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
@@ -340,6 +340,7 @@ const uint64_t pledge_syscalls[SYS_MAXSYSCALL] = {
 	[SYS_statfs] = PLEDGE_RPATH,
 	[SYS_fstatfs] = PLEDGE_RPATH,
 	[SYS_pathconf] = PLEDGE_RPATH,
+	[SYS_pathconfat] = PLEDGE_RPATH,
 
 	[SYS_utimes] = PLEDGE_FATTR,
 	[SYS_futimes] = PLEDGE_FATTR,

sys/kern/syscalls.c

@@ -1,10 +1,10 @@
-/*	$OpenBSD: syscalls.c,v 1.278 2024/05/10 09:21:41 claudio Exp $	*/
+/*	$OpenBSD: syscalls.c,v 1.279 2024/05/18 05:21:02 guenther Exp $	*/
 
 /*
  * System call names.
  *
  * DO NOT EDIT-- this file is automatically generated.
- * created from;	OpenBSD: syscalls.master,v 1.263 2024/05/10 09:21:01 claudio Exp 
+ * created from;	OpenBSD: syscalls.master,v 1.264 2024/05/18 05:20:22 guenther Exp 
  */
 
 const char *const syscallnames[] = {
@@ -214,7 +214,7 @@ const char *const syscallnames[] = {
 	"#187 (obsolete lfs_segwait)",		/* 187 = obsolete lfs_segwait */
 	"#188 (obsolete stat35)",		/* 188 = obsolete stat35 */
 	"#189 (obsolete fstat35)",		/* 189 = obsolete fstat35 */
-	"#190 (obsolete lstat35)",		/* 190 = obsolete lstat35 */
+	"pathconfat",			/* 190 = pathconfat */
 	"pathconf",			/* 191 = pathconf */
 	"fpathconf",			/* 192 = fpathconf */
 	"swapctl",			/* 193 = swapctl */

sys/kern/syscalls.master

@@ -1,4 +1,4 @@
-;	$OpenBSD: syscalls.master,v 1.263 2024/05/10 09:21:01 claudio Exp $
+;	$OpenBSD: syscalls.master,v 1.264 2024/05/18 05:20:22 guenther Exp $
 ;	$NetBSD: syscalls.master,v 1.32 1996/04/23 10:24:21 mycroft Exp $
 
 ;	@(#)syscalls.master	8.2 (Berkeley) 1/13/94
@@ -346,7 +346,8 @@
 187	OBSOL		lfs_segwait
 188	OBSOL		stat35
 189	OBSOL		fstat35
-190	OBSOL		lstat35
+190	STD		{ long sys_pathconfat(int fd, const char *path, \
+			    int name, int flag); }
 191	STD		{ long sys_pathconf(const char *path, int name); }
 192	STD		{ long sys_fpathconf(int fd, int name); }
 193	STD		{ int sys_swapctl(int cmd, const void *arg, int misc); }

sys/kern/uipc_socket.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: uipc_socket.c,v 1.333 2024/05/03 17:43:09 mvs Exp $	*/
+/*	$OpenBSD: uipc_socket.c,v 1.335 2024/05/17 19:11:14 mvs Exp $	*/
 /*	$NetBSD: uipc_socket.c,v 1.21 1996/02/04 02:17:52 christos Exp $	*/
 
 /*
@@ -66,7 +66,6 @@ void	soreaper(void *);
 void	soput(void *);
 int	somove(struct socket *, int);
 void	sorflush(struct socket *);
-void	sorflush_locked(struct socket *);
 
 void	filt_sordetach(struct knote *kn);
 int	filt_soread(struct knote *kn, long hint);
@@ -166,6 +165,7 @@ soalloc(const struct protosw *prp, int wait)
 			break;
 		}
 		break;
+	case AF_KEY:
 	case AF_UNIX:
 		so->so_snd.sb_flags |= SB_MTXLOCK;
 		so->so_rcv.sb_flags |= SB_MTXLOCK;
@@ -606,11 +606,11 @@ sosend(struct socket *so, struct mbuf *addr, struct uio *uio, struct mbuf *top,
 
 #define	snderr(errno)	{ error = errno; goto release; }
 
+restart:
+	if ((error = sblock(&so->so_snd, SBLOCKWAIT(flags))) != 0)
+		goto out;
 	if (dosolock)
 		solock_shared(so);
-restart:
-	if ((error = sblock(so, &so->so_snd, SBLOCKWAIT(flags))) != 0)
-		goto out;
 	sb_mtx_lock(&so->so_snd);
 	so->so_snd.sb_state |= SS_ISSENDING;
 	do {
@@ -643,15 +643,12 @@ restart:
 		    (atomic || space < so->so_snd.sb_lowat))) {
 			if (flags & MSG_DONTWAIT)
 				snderr(EWOULDBLOCK);
-			sbunlock(so, &so->so_snd);
+			sbunlock(&so->so_snd);
-
-			if (so->so_snd.sb_flags & SB_MTXLOCK)
-				error = sbwait_locked(so, &so->so_snd);
-			else
 			error = sbwait(so, &so->so_snd);
-
 			so->so_snd.sb_state &= ~SS_ISSENDING;
 			sb_mtx_unlock(&so->so_snd);
+			if (dosolock)
+				sounlock_shared(so);
 			if (error)
 				goto out;
 			goto restart;
@@ -705,10 +702,10 @@ restart:
 release:
 	so->so_snd.sb_state &= ~SS_ISSENDING;
 	sb_mtx_unlock(&so->so_snd);
-	sbunlock(so, &so->so_snd);
-out:
 	if (dosolock)
 		sounlock_shared(so);
+	sbunlock(&so->so_snd);
+out:
 	m_freem(top);
 	m_freem(control);
 	return (error);
@@ -875,11 +872,11 @@ bad:
 	if (mp)
 		*mp = NULL;
 
+restart:
+	if ((error = sblock(&so->so_rcv, SBLOCKWAIT(flags))) != 0)
+		return (error);
 	if (dosolock)
 		solock_shared(so);
-restart:
-	if ((error = sblock(so, &so->so_rcv, SBLOCKWAIT(flags))) != 0)
-		goto out;
 	sb_mtx_lock(&so->so_rcv);
 
 	m = so->so_rcv.sb_mb;
@@ -944,25 +941,13 @@ restart:
 		SBLASTRECORDCHK(&so->so_rcv, "soreceive sbwait 1");
 		SBLASTMBUFCHK(&so->so_rcv, "soreceive sbwait 1");
 
-		if (so->so_rcv.sb_flags & SB_MTXLOCK) {
+		sbunlock(&so->so_rcv);
-			sbunlock_locked(so, &so->so_rcv);
+		error = sbwait(so, &so->so_rcv);
+		sb_mtx_unlock(&so->so_rcv);
 		if (dosolock)
 			sounlock_shared(so);
-			error = sbwait_locked(so, &so->so_rcv);
-			sb_mtx_unlock(&so->so_rcv);
 		if (error)
 			return (error);
-			if (dosolock)
-				solock_shared(so);
-		} else {
-			sb_mtx_unlock(&so->so_rcv);
-			sbunlock(so, &so->so_rcv);
-			error = sbwait(so, &so->so_rcv);
-			if (error) {
-				sounlock_shared(so);
-				return (error);
-			}
-		}
 		goto restart;
 	}
 dontblock:
@@ -1202,22 +1187,13 @@ dontblock:
 				break;
 			SBLASTRECORDCHK(&so->so_rcv, "soreceive sbwait 2");
 			SBLASTMBUFCHK(&so->so_rcv, "soreceive sbwait 2");
-			if (dosolock) {
+			if (sbwait(so, &so->so_rcv)) {
 				sb_mtx_unlock(&so->so_rcv);
-				error = sbwait(so, &so->so_rcv);
+				if (dosolock)
-				if (error) {
-					sbunlock(so, &so->so_rcv);
 					sounlock_shared(so);
+				sbunlock(&so->so_rcv);
 				return (0);
 			}
-				sb_mtx_lock(&so->so_rcv);
-			} else {
-				if (sbwait_locked(so, &so->so_rcv)) {
-					sb_mtx_unlock(&so->so_rcv);
-					sbunlock(so, &so->so_rcv);
-					return (0);
-				}
-			}
 			if ((m = so->so_rcv.sb_mb) != NULL)
 				nextrecord = m->m_nextpkt;
 		}
@@ -1258,7 +1234,7 @@ dontblock:
 	    (flags & MSG_EOR) == 0 &&
 	    (so->so_rcv.sb_state & SS_CANTRCVMORE) == 0) {
 		sb_mtx_unlock(&so->so_rcv);
-		sbunlock(so, &so->so_rcv);
+		sbunlock(&so->so_rcv);
 		goto restart;
 	}
 
@@ -1269,10 +1245,9 @@ dontblock:
 		*flagsp |= flags;
 release:
 	sb_mtx_unlock(&so->so_rcv);
-	sbunlock(so, &so->so_rcv);
-out:
 	if (dosolock)
 		sounlock_shared(so);
+	sbunlock(&so->so_rcv);
 	return (error);
 }
 
@@ -1302,48 +1277,33 @@ soshutdown(struct socket *so, int how)
 }
 
 void
-sorflush_locked(struct socket *so)
+sorflush(struct socket *so)
 {
 	struct sockbuf *sb = &so->so_rcv;
 	struct mbuf *m;
 	const struct protosw *pr = so->so_proto;
 	int error;
 
-	if ((sb->sb_flags & SB_MTXLOCK) == 0)
+	error = sblock(sb, SBL_WAIT | SBL_NOINTR);
-		soassertlocked(so);
-
-	error = sblock(so, sb, SBL_WAIT | SBL_NOINTR);
 	/* with SBL_WAIT and SLB_NOINTR sblock() must not fail */
 	KASSERT(error == 0);
 
-	if (sb->sb_flags & SB_MTXLOCK)
+	solock_shared(so);
-		solock(so);
 	socantrcvmore(so);
-	if (sb->sb_flags & SB_MTXLOCK)
-		sounlock(so);
-
 	mtx_enter(&sb->sb_mtx);
 	m = sb->sb_mb;
 	memset(&sb->sb_startzero, 0,
 	     (caddr_t)&sb->sb_endzero - (caddr_t)&sb->sb_startzero);
 	sb->sb_timeo_nsecs = INFSLP;
 	mtx_leave(&sb->sb_mtx);
-	sbunlock(so, sb);
+	sounlock_shared(so);
+	sbunlock(sb);
+
 	if (pr->pr_flags & PR_RIGHTS && pr->pr_domain->dom_dispose)
 		(*pr->pr_domain->dom_dispose)(m);
 	m_purge(m);
 }
 
-void
-sorflush(struct socket *so)
-{
-	if ((so->so_rcv.sb_flags & SB_MTXLOCK) == 0)
-		solock_shared(so);
-	sorflush_locked(so);
-	if ((so->so_rcv.sb_flags & SB_MTXLOCK) == 0)
-		sounlock_shared(so);
-}
-
 #ifdef SOCKET_SPLICE
 
 #define so_splicelen	so_sp->ssp_len
@@ -1355,7 +1315,7 @@ sorflush(struct socket *so)
 int
 sosplice(struct socket *so, int fd, off_t max, struct timeval *tv)
 {
-	struct file	*fp = NULL;
+	struct file	*fp;
 	struct socket	*sosp;
 	struct taskq	*tq;
 	int		 error = 0;
@@ -1367,6 +1327,29 @@ sosplice(struct socket *so, int fd, off_t max, struct timeval *tv)
 	if (tv && (tv->tv_sec < 0 || !timerisvalid(tv)))
 		return (EINVAL);
 
+	/* If no fd is given, unsplice by removing existing link. */
+	if (fd < 0) {
+		if ((error = sblock(&so->so_rcv, SBL_WAIT)) != 0)
+			return (error);
+		solock(so);
+		if (so->so_options & SO_ACCEPTCONN) {
+			error = EOPNOTSUPP;
+			goto out;
+		}
+		if ((so->so_state & (SS_ISCONNECTED|SS_ISCONNECTING)) == 0 &&
+		    (so->so_proto->pr_flags & PR_CONNREQUIRED)) {
+			error = ENOTCONN;
+			goto out;
+		}
+
+		if (so->so_sp && so->so_sp->ssp_socket)
+			sounsplice(so, so->so_sp->ssp_socket, 0);
+ out:
+		sounlock(so);
+		sbunlock(&so->so_rcv);
+		return (error);
+	}
+
 	if (sosplice_taskq == NULL) {
 		rw_enter_write(&sosplice_lock);
 		if (sosplice_taskq == NULL) {
@@ -1386,65 +1369,47 @@ sosplice(struct socket *so, int fd, off_t max, struct timeval *tv)
 		membar_consumer();
 	}
 
-	if (so->so_rcv.sb_flags & SB_MTXLOCK) {
+	/* Find sosp, the drain socket where data will be spliced into. */
-		if ((error = sblock(so, &so->so_rcv, SBL_WAIT)) != 0)
+	if ((error = getsock(curproc, fd, &fp)) != 0)
 		return (error);
-		solock(so);
+	sosp = fp->f_data;
-	} else {
+
-		solock(so);
+	if (sosp->so_proto->pr_usrreqs->pru_send !=
-		if ((error = sblock(so, &so->so_rcv, SBL_WAIT)) != 0) {
+	    so->so_proto->pr_usrreqs->pru_send) {
-			sounlock(so);
+		error = EPROTONOSUPPORT;
-			return (error);
+		goto frele;
-		}
 	}
 
-	if (so->so_options & SO_ACCEPTCONN) {
+	if ((error = sblock(&so->so_rcv, SBL_WAIT)) != 0)
+		goto frele;
+	if ((error = sblock(&sosp->so_snd, SBL_WAIT)) != 0) {
+		sbunlock(&so->so_rcv);
+		goto frele;
+	}
+	solock(so);
+
+	if ((so->so_options & SO_ACCEPTCONN) ||
+	    (sosp->so_options & SO_ACCEPTCONN)) {
 		error = EOPNOTSUPP;
-		goto out;
+		goto release;
 	}
 	if ((so->so_state & (SS_ISCONNECTED|SS_ISCONNECTING)) == 0 &&
 	    (so->so_proto->pr_flags & PR_CONNREQUIRED)) {
 		error = ENOTCONN;
-		goto out;
-	}
-	if (so->so_sp == NULL)
-		so->so_sp = pool_get(&sosplice_pool, PR_WAITOK | PR_ZERO);
-
-	/* If no fd is given, unsplice by removing existing link. */
-	if (fd < 0) {
-		if (so->so_sp->ssp_socket)
-			sounsplice(so, so->so_sp->ssp_socket, 0);
-		goto out;
-	}
-
-	/* Find sosp, the drain socket where data will be spliced into. */
-	if ((error = getsock(curproc, fd, &fp)) != 0)
-		goto out;
-	sosp = fp->f_data;
-	if (sosp->so_proto->pr_usrreqs->pru_send !=
-	    so->so_proto->pr_usrreqs->pru_send) {
-		error = EPROTONOSUPPORT;
-		goto out;
-	}
-	if (sosp->so_sp == NULL)
-		sosp->so_sp = pool_get(&sosplice_pool, PR_WAITOK | PR_ZERO);
-
-	if ((error = sblock(sosp, &sosp->so_snd, SBL_WAIT)) != 0) {
-		goto out;
-	}
-
-	if (so->so_sp->ssp_socket || sosp->so_sp->ssp_soback) {
-		error = EBUSY;
-		goto release;
-	}
-	if (sosp->so_options & SO_ACCEPTCONN) {
-		error = EOPNOTSUPP;
 		goto release;
 	}
 	if ((sosp->so_state & (SS_ISCONNECTED|SS_ISCONNECTING)) == 0) {
 		error = ENOTCONN;
 		goto release;
 	}
+	if (so->so_sp == NULL)
+		so->so_sp = pool_get(&sosplice_pool, PR_WAITOK | PR_ZERO);
+	if (sosp->so_sp == NULL)
+		sosp->so_sp = pool_get(&sosplice_pool, PR_WAITOK | PR_ZERO);
+	if (so->so_sp->ssp_socket || sosp->so_sp->ssp_soback) {
+		error = EBUSY;
+		goto release;
+	}
 
 	/* Splice so and sosp together. */
 	mtx_enter(&so->so_rcv.sb_mtx);
@@ -1472,17 +1437,10 @@ sosplice(struct socket *so, int fd, off_t max, struct timeval *tv)
 	}
 
  release:
-	sbunlock(sosp, &sosp->so_snd);
- out:
-	if (so->so_rcv.sb_flags & SB_MTXLOCK) {
 	sounlock(so);
-		sbunlock(so, &so->so_rcv);
+	sbunlock(&sosp->so_snd);
-	} else {
+	sbunlock(&so->so_rcv);
-		sbunlock(so, &so->so_rcv);
+ frele:
-		sounlock(so);
-	}
-
-	if (fp)
 	FRELE(fp, curproc);
 
 	return (error);

sys/kern/uipc_socket2.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: uipc_socket2.c,v 1.154 2024/05/07 15:54:23 claudio Exp $	*/
+/*	$OpenBSD: uipc_socket2.c,v 1.155 2024/05/17 19:11:14 mvs Exp $	*/
 /*	$NetBSD: uipc_socket2.c,v 1.11 1996/02/04 02:17:55 christos Exp $	*/
 
 /*
@@ -512,10 +512,12 @@ sbmtxassertlocked(struct socket *so, struct sockbuf *sb)
  * Wait for data to arrive at/drain from a socket buffer.
  */
 int
-sbwait_locked(struct socket *so, struct sockbuf *sb)
+sbwait(struct socket *so, struct sockbuf *sb)
 {
+	uint64_t timeo_nsecs;
 	int prio = (sb->sb_flags & SB_NOINTR) ? PSOCK : PSOCK | PCATCH;
 
+	if (sb->sb_flags & SB_MTXLOCK) {
 		MUTEX_ASSERT_LOCKED(&sb->sb_mtx);
 
 		sb->sb_flags |= SB_WAIT;
@@ -523,12 +525,6 @@ sbwait_locked(struct socket *so, struct sockbuf *sb)
 		    sb->sb_timeo_nsecs);
 	}
 
-int
-sbwait(struct socket *so, struct sockbuf *sb)
-{
-	uint64_t timeo_nsecs;
-	int prio = (sb->sb_flags & SB_NOINTR) ? PSOCK : PSOCK | PCATCH;
-
 	soassertlocked(so);
 
 	mtx_enter(&sb->sb_mtx);
@@ -540,12 +536,9 @@ sbwait(struct socket *so, struct sockbuf *sb)
 }
 
 int
-sblock(struct socket *so, struct sockbuf *sb, int flags)
+sblock(struct sockbuf *sb, int flags)
 {
-	int error = 0, prio = PSOCK;
+	int rwflags = RW_WRITE, error;
-
-	if (sb->sb_flags & SB_MTXLOCK) {
-		int rwflags = RW_WRITE;
 
 	if (!(flags & SBL_NOINTR || sb->sb_flags & SB_NOINTR))
 		rwflags |= RW_INTR;
@@ -555,66 +548,14 @@ sblock(struct socket *so, struct sockbuf *sb, int flags)
 	error = rw_enter(&sb->sb_lock, rwflags);
 	if (error == EBUSY)
 		error = EWOULDBLOCK;
+
 	return error;
 }
 
-	soassertlocked(so);
-
-	mtx_enter(&sb->sb_mtx);
-	if ((sb->sb_flags & SB_LOCK) == 0) {
-		sb->sb_flags |= SB_LOCK;
-		goto out;
-	}
-	if ((flags & SBL_WAIT) == 0) {
-		error = EWOULDBLOCK;
-		goto out;
-	}
-	if (!(flags & SBL_NOINTR || sb->sb_flags & SB_NOINTR))
-		prio |= PCATCH;
-
-	while (sb->sb_flags & SB_LOCK) {
-		sb->sb_flags |= SB_WANT;
-		mtx_leave(&sb->sb_mtx);
-		error = sosleep_nsec(so, &sb->sb_flags, prio, "sblock", INFSLP);
-		if (error)
-			return (error);
-		mtx_enter(&sb->sb_mtx);
-	}
-	sb->sb_flags |= SB_LOCK;
-out:
-	mtx_leave(&sb->sb_mtx);
-
-	return (error);
-}
-
 void
-sbunlock_locked(struct socket *so, struct sockbuf *sb)
+sbunlock(struct sockbuf *sb)
 {
-	if (sb->sb_flags & SB_MTXLOCK) {
 	rw_exit(&sb->sb_lock);
-		return;
-	}
-
-	MUTEX_ASSERT_LOCKED(&sb->sb_mtx);
-
-	sb->sb_flags &= ~SB_LOCK;
-	if (sb->sb_flags & SB_WANT) {
-		sb->sb_flags &= ~SB_WANT;
-		wakeup(&sb->sb_flags);
-	}
-}
-
-void
-sbunlock(struct socket *so, struct sockbuf *sb)
-{
-	if (sb->sb_flags & SB_MTXLOCK) {
-		rw_exit(&sb->sb_lock);
-		return;
-	}
-
-	mtx_enter(&sb->sb_mtx);
-	sbunlock_locked(so, sb);
-	mtx_leave(&sb->sb_mtx);
 }
 
 /*
@@ -1128,7 +1069,7 @@ void
 sbflush(struct socket *so, struct sockbuf *sb)
 {
 	KASSERT(sb == &so->so_rcv || sb == &so->so_snd);
-	KASSERT((sb->sb_flags & SB_LOCK) == 0);
+	rw_assert_unlocked(&sb->sb_lock);
 
 	while (sb->sb_mbcnt)
 		sbdrop(so, sb, (int)sb->sb_cc);

sys/kern/vfs_syscalls.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: vfs_syscalls.c,v 1.364 2024/03/25 17:57:07 guenther Exp $	*/
+/*	$OpenBSD: vfs_syscalls.c,v 1.365 2024/05/18 05:20:22 guenther Exp $	*/
 /*	$NetBSD: vfs_syscalls.c,v 1.71 1996/04/23 10:29:02 mycroft Exp $	*/
 
 /*
@@ -76,6 +76,7 @@ int dosymlinkat(struct proc *, const char *, int, const char *);
 int dounlinkat(struct proc *, int, const char *, int);
 int dofaccessat(struct proc *, int, const char *, int, int);
 int dofstatat(struct proc *, int, const char *, struct stat *, int);
+int dopathconfat(struct proc *, int, const char *, int, int, register_t *);
 int doreadlinkat(struct proc *, int, const char *, char *, size_t,
     register_t *);
 int dochflagsat(struct proc *, int, const char *, u_int, int);
@@ -2112,16 +2113,42 @@ sys_pathconf(struct proc *p, void *v, register_t *retval)
 		syscallarg(const char *) path;
 		syscallarg(int) name;
 	} */ *uap = v;
-	int error;
+
+	return dopathconfat(p, AT_FDCWD, SCARG(uap, path), SCARG(uap, name),
+	    0, retval);
+}
+
+int
+sys_pathconfat(struct proc *p, void *v, register_t *retval)
+{
+	struct sys_pathconfat_args /* {
+		syscallarg(int) fd;
+		syscallarg(const char *) path;
+		syscallarg(int) name;
+		syscallarg(int) flag;
+	} */ *uap = v;
+
+	return dopathconfat(p, SCARG(uap, fd), SCARG(uap, path),
+	    SCARG(uap, name), SCARG(uap, flag), retval);
+}
+
+int
+dopathconfat(struct proc *p, int fd, const char *path, int name, int flag,
+    register_t *retval)
+{
+	int follow, error;
 	struct nameidata nd;
 
-	NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE,
+	if (flag & ~AT_SYMLINK_NOFOLLOW)
-	    SCARG(uap, path), p);
+		return EINVAL;
+
+	follow = (flag & AT_SYMLINK_NOFOLLOW) ? NOFOLLOW : FOLLOW;
+	NDINITAT(&nd, LOOKUP, follow | LOCKLEAF, UIO_USERSPACE, fd, path, p);
 	nd.ni_pledge = PLEDGE_RPATH;
 	nd.ni_unveil = UNVEIL_READ;
 	if ((error = namei(&nd)) != 0)
 		return (error);
-	error = VOP_PATHCONF(nd.ni_vp, SCARG(uap, name), retval);
+	error = VOP_PATHCONF(nd.ni_vp, name, retval);
 	vput(nd.ni_vp);
 	return (error);
 }

sys/net/pfkeyv2.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2.c,v 1.260 2024/01/11 14:15:11 bluhm Exp $ */
+/* $OpenBSD: pfkeyv2.c,v 1.262 2024/05/17 19:02:04 mvs Exp $ */
 
 /*
  *	@(#)COPYRIGHT	1.1 (NRL) 17 January 1995
@@ -443,8 +443,7 @@ pfkey_sendup(struct pkpcb *kp, struct mbuf *m0, int more)
 {
 	struct socket *so = kp->kcb_socket;
 	struct mbuf *m;
-
+	int ret;
-	soassertlocked(so);
 
 	if (more) {
 		if (!(m = m_dup_pkt(m0, 0, M_DONTWAIT)))
@@ -452,7 +451,11 @@ pfkey_sendup(struct pkpcb *kp, struct mbuf *m0, int more)
 	} else
 		m = m0;
 
-	if (!sbappendaddr(so, &so->so_rcv, &pfkey_addr, m, NULL)) {
+	mtx_enter(&so->so_rcv.sb_mtx);
+	ret = sbappendaddr(so, &so->so_rcv, &pfkey_addr, m, NULL);
+	mtx_leave(&so->so_rcv.sb_mtx);
+
+	if (ret == 0) {
 		m_freem(m);
 		return (ENOBUFS);
 	}
@@ -515,9 +518,7 @@ pfkeyv2_sendmessage(void **headers, int mode, struct socket *so,
 		 * Send message to the specified socket, plus all
 		 * promiscuous listeners.
 		 */
-		solock(so);
 		pfkey_sendup(sotokeycb(so), packet, 0);
-		sounlock(so);
 
 		/*
 		 * Promiscuous messages contain the original message
@@ -544,10 +545,8 @@ pfkeyv2_sendmessage(void **headers, int mode, struct socket *so,
 			if (kp->kcb_socket == so || kp->kcb_rdomain != rdomain)
 				continue;
 
-			keylock(kp);
 			if (kp->kcb_flags & PFKEYV2_SOCKETFLAGS_PROMISC)
 				pfkey_sendup(kp, packet, 1);
-			keyunlock(kp);
 		}
 		SRPL_LEAVE(&sr);
 		m_freem(packet);
@@ -562,19 +561,19 @@ pfkeyv2_sendmessage(void **headers, int mode, struct socket *so,
 			if (kp->kcb_rdomain != rdomain)
 				continue;
 
-			keylock(kp);
 			if (kp->kcb_flags & PFKEYV2_SOCKETFLAGS_REGISTERED) {
 				if (!satype) {
 					/* Just send to everyone registered */
 					pfkey_sendup(kp, packet, 1);
 				} else {
+					keylock(kp);
 					/* Check for specified satype */
 					if ((1 << satype) & kp->kcb_reg)
 						pfkey_sendup(kp, packet, 1);
-				}
-			}
 					keyunlock(kp);
 				}
+			}
+		}
 		SRPL_LEAVE(&sr);
 		/* Free last/original copy of the packet */
 		m_freem(packet);
@@ -595,14 +594,14 @@ pfkeyv2_sendmessage(void **headers, int mode, struct socket *so,
 
 		/* Send to all registered promiscuous listeners */
 		SRPL_FOREACH(kp, &sr, &pkptable.pkp_list, kcb_list) {
+			int flags = READ_ONCE(kp->kcb_flags);
+
 			if (kp->kcb_rdomain != rdomain)
 				continue;
 
-			keylock(kp);
+			if ((flags & PFKEYV2_SOCKETFLAGS_PROMISC) &&
-			if ((kp->kcb_flags & PFKEYV2_SOCKETFLAGS_PROMISC) &&
+			    !(flags & PFKEYV2_SOCKETFLAGS_REGISTERED))
-			    !(kp->kcb_flags & PFKEYV2_SOCKETFLAGS_REGISTERED))
 				pfkey_sendup(kp, packet, 1);
-			keyunlock(kp);
 		}
 		SRPL_LEAVE(&sr);
 		m_freem(packet);
@@ -614,9 +613,7 @@ pfkeyv2_sendmessage(void **headers, int mode, struct socket *so,
 			if (kp->kcb_rdomain != rdomain)
 				continue;
 
-			keylock(kp);
 			pfkey_sendup(kp, packet, 1);
-			keyunlock(kp);
 		}
 		SRPL_LEAVE(&sr);
 		m_freem(packet);
@@ -1196,10 +1193,8 @@ pfkeyv2_dosend(struct socket *so, void *message, int len)
 			if (bkp->kcb_rdomain != kp->kcb_rdomain)
 				continue;
 
-			keylock(bkp);
 			if (bkp->kcb_flags & PFKEYV2_SOCKETFLAGS_PROMISC)
 				pfkey_sendup(bkp, packet, 1);
-			keyunlock(bkp);
 		}
 		SRPL_LEAVE(&sr);
 
@@ -2049,14 +2044,13 @@ pfkeyv2_dosend(struct socket *so, void *message, int len)
 				goto ret;
 
 			SRPL_FOREACH(bkp, &sr, &pkptable.pkp_list, kcb_list) {
-				if (bkp == kp || bkp->kcb_rdomain != kp->kcb_rdomain)
+				if (bkp == kp ||
+				    bkp->kcb_rdomain != kp->kcb_rdomain)
 					continue;
 
 				if (!smsg->sadb_msg_seq ||
 				    (smsg->sadb_msg_seq == kp->kcb_pid)) {
-					keylock(bkp);
 					pfkey_sendup(bkp, packet, 1);
-					keyunlock(bkp);
 				}
 			}
 			SRPL_LEAVE(&sr);
@@ -2705,7 +2699,10 @@ pfkeyv2_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp,
 	if (namelen < 1)
 		return (EINVAL);
 	w.w_op = name[0];
+	if (namelen >= 2)
 		w.w_satype = name[1];
+	else
+		w.w_satype = SADB_SATYPE_UNSPEC;
 	w.w_where = oldp;
 	w.w_len = oldp ? *oldlenp : 0;
 

sys/netinet/ip_ipip.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip_ipip.c,v 1.101 2024/02/11 01:27:45 bluhm Exp $ */
+/*	$OpenBSD: ip_ipip.c,v 1.102 2024/05/17 20:44:36 bluhm Exp $ */
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -481,7 +481,7 @@ ipip_output(struct mbuf **mp, struct tdb *tdb)
 		ip6o->ip6_vfc &= ~IPV6_VERSION_MASK;
 		ip6o->ip6_vfc |= IPV6_VERSION;
 		ip6o->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6o));
-		ip6o->ip6_hlim = ip_defttl;
+		ip6o->ip6_hlim = ip6_defhlim;
 		in6_embedscope(&ip6o->ip6_src, &tdb->tdb_src.sin6, NULL, NULL);
 		in6_embedscope(&ip6o->ip6_dst, &tdb->tdb_dst.sin6, NULL, NULL);
 

sys/netinet/ip_output.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip_output.c,v 1.398 2024/04/17 20:48:51 bluhm Exp $	*/
+/*	$OpenBSD: ip_output.c,v 1.399 2024/05/16 13:01:04 bluhm Exp $	*/
 /*	$NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $	*/
 
 /*
@@ -428,8 +428,9 @@ sendit:
 #endif
 
 #ifdef IPSEC
-	if (ipsec_in_use && (flags & IP_FORWARDING) && (ipforwarding == 2) &&
+	if ((flags & IP_FORWARDING) && ipforwarding == 2 &&
-	    (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) == NULL)) {
+	    (!ipsec_in_use ||
+	    m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) == NULL)) {
 		error = EHOSTUNREACH;
 		goto bad;
 	}

sys/sys/mutex.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: mutex.h,v 1.21 2024/03/26 18:18:30 bluhm Exp $	*/
+/*	$OpenBSD: mutex.h,v 1.22 2024/05/16 09:30:03 kettenis Exp $	*/
 
 /*
  * Copyright (c) 2004 Artur Grabowski <art@openbsd.org>
@@ -33,6 +33,20 @@
  * "mtx_enter(foo); mtx_enter(bar); mtx_leave(foo); mtx_leave(bar);"
  */
 
+/*
+ * To prevent lock ordering problems with the kernel lock, we need to
+ * make sure we block all interrupts that can grab the kernel lock.
+ * The simplest way to achieve this is to make sure mutexes always
+ * raise the interrupt priority level to the highest level that has
+ * interrupts that grab the kernel lock.
+ */
+#ifdef MULTIPROCESSOR
+#define __MUTEX_IPL(ipl) \
+	(((ipl) < IPL_MPFLOOR) ? IPL_MPFLOOR : (ipl))
+#else
+#define __MUTEX_IPL(ipl) (ipl)
+#endif
+
 #include <machine/mutex.h>
 
 #ifdef __USE_MI_MUTEX
@@ -48,20 +62,6 @@ struct mutex {
 #endif
 };
 
-/*
- * To prevent lock ordering problems with the kernel lock, we need to
- * make sure we block all interrupts that can grab the kernel lock.
- * The simplest way to achieve this is to make sure mutexes always
- * raise the interrupt priority level to the highest level that has
- * interrupts that grab the kernel lock.
- */
-#ifdef MULTIPROCESSOR
-#define __MUTEX_IPL(ipl) \
-    (((ipl) > IPL_NONE && (ipl) < IPL_MPFLOOR) ? IPL_MPFLOOR : (ipl))
-#else
-#define __MUTEX_IPL(ipl) (ipl)
-#endif
-
 #ifdef WITNESS
 #define MUTEX_INITIALIZER_FLAGS(ipl, name, flags) \
 	{ NULL, __MUTEX_IPL((ipl)), IPL_NONE, MTX_LO_INITIALIZER(name, flags) }

sys/sys/socketvar.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: socketvar.h,v 1.130 2024/05/03 17:43:09 mvs Exp $	*/
+/*	$OpenBSD: socketvar.h,v 1.131 2024/05/17 19:11:14 mvs Exp $	*/
 /*	$NetBSD: socketvar.h,v 1.18 1996/02/09 18:25:38 christos Exp $	*/
 
 /*-
@@ -128,13 +128,11 @@ struct socket {
 		struct klist sb_klist;	/* process selecting read/write */
 	} so_rcv, so_snd;
 #define SB_MAX		(2*1024*1024)	/* default for max chars in sockbuf */
-#define SB_LOCK		0x0001		/* lock on data queue */
+#define SB_WAIT		0x0001		/* someone is waiting for data/space */
-#define SB_WANT		0x0002		/* someone is waiting to lock */
+#define SB_ASYNC	0x0002		/* ASYNC I/O, need signals */
-#define SB_WAIT		0x0004		/* someone is waiting for data/space */
+#define SB_SPLICE	0x0004		/* buffer is splice source or drain */
-#define SB_ASYNC	0x0010		/* ASYNC I/O, need signals */
+#define SB_NOINTR	0x0008		/* operations not interruptible */
-#define SB_SPLICE	0x0020		/* buffer is splice source or drain */
+#define SB_MTXLOCK	0x0010		/* sblock() doesn't need solock() */
-#define SB_NOINTR	0x0040		/* operations not interruptible */
-#define SB_MTXLOCK	0x0080		/* sblock() doesn't need solock() */
 
 	void	(*so_upcall)(struct socket *so, caddr_t arg, int waitf);
 	caddr_t	so_upcallarg;		/* Arg for above */
@@ -315,11 +313,10 @@ sbfree(struct socket *so, struct sockbuf *sb, struct mbuf *m)
  * sleep is interruptible. Returns error without lock if
  * sleep is interrupted.
  */
-int sblock(struct socket *, struct sockbuf *, int);
+int sblock(struct sockbuf *, int);
 
 /* release lock on sockbuf sb */
-void sbunlock(struct socket *, struct sockbuf *);
+void sbunlock(struct sockbuf *);
-void sbunlock_locked(struct socket *, struct sockbuf *);
 
 #define	SB_EMPTY_FIXUP(sb) do {						\
 	if ((sb)->sb_mb == NULL) {					\
@@ -367,7 +364,6 @@ int	sbcheckreserve(u_long, u_long);
 int	sbchecklowmem(void);
 int	sbreserve(struct socket *, struct sockbuf *, u_long);
 int	sbwait(struct socket *, struct sockbuf *);
-int	sbwait_locked(struct socket *, struct sockbuf *);
 void	soinit(void);
 void	soabort(struct socket *);
 int	soaccept(struct socket *, struct mbuf *);

sys/sys/syscall.h

@@ -1,10 +1,10 @@
-/*	$OpenBSD: syscall.h,v 1.277 2024/05/10 09:21:41 claudio Exp $	*/
+/*	$OpenBSD: syscall.h,v 1.278 2024/05/18 05:21:02 guenther Exp $	*/
 
 /*
  * System call numbers.
  *
  * DO NOT EDIT-- this file is automatically generated.
- * created from;	OpenBSD: syscalls.master,v 1.263 2024/05/10 09:21:01 claudio Exp 
+ * created from;	OpenBSD: syscalls.master,v 1.264 2024/05/18 05:20:22 guenther Exp 
  */
 
 /* syscall: "exit" ret: "void" args: "int" */
@@ -497,7 +497,9 @@
 				/* 187 is obsolete lfs_segwait */
 				/* 188 is obsolete stat35 */
 				/* 189 is obsolete fstat35 */
-				/* 190 is obsolete lstat35 */
+/* syscall: "pathconfat" ret: "long" args: "int" "const char *" "int" "int" */
+#define	SYS_pathconfat	190
+
 /* syscall: "pathconf" ret: "long" args: "const char *" "int" */
 #define	SYS_pathconf	191
 

sys/sys/syscallargs.h

@@ -1,10 +1,10 @@
-/*	$OpenBSD: syscallargs.h,v 1.280 2024/05/10 09:21:41 claudio Exp $	*/
+/*	$OpenBSD: syscallargs.h,v 1.281 2024/05/18 05:21:02 guenther Exp $	*/
 
 /*
  * System call argument lists.
  *
  * DO NOT EDIT-- this file is automatically generated.
- * created from;	OpenBSD: syscalls.master,v 1.263 2024/05/10 09:21:01 claudio Exp 
+ * created from;	OpenBSD: syscalls.master,v 1.264 2024/05/18 05:20:22 guenther Exp 
  */
 
 #ifdef	syscallarg
@@ -828,6 +828,13 @@ struct sys_seteuid_args {
 	syscallarg(uid_t) euid;
 };
 
+struct sys_pathconfat_args {
+	syscallarg(int) fd;
+	syscallarg(const char *) path;
+	syscallarg(int) name;
+	syscallarg(int) flag;
+};
+
 struct sys_pathconf_args {
 	syscallarg(const char *) path;
 	syscallarg(int) name;
@@ -1320,6 +1327,7 @@ int	sys_pwritev(struct proc *, void *, register_t *);
 int	sys_setgid(struct proc *, void *, register_t *);
 int	sys_setegid(struct proc *, void *, register_t *);
 int	sys_seteuid(struct proc *, void *, register_t *);
+int	sys_pathconfat(struct proc *, void *, register_t *);
 int	sys_pathconf(struct proc *, void *, register_t *);
 int	sys_fpathconf(struct proc *, void *, register_t *);
 int	sys_swapctl(struct proc *, void *, register_t *);

usr.bin/dig/dig.h

@@ -288,9 +288,6 @@ start_lookup(void);
 void
 onrun_callback(isc_task_t *task, isc_event_t *event);
 
-int
-dhmain(int argc, char **argv);
-
 void
 setup_libs(void);
 

usr.bin/dig/lib/dns/dst_internal.h

@@ -31,7 +31,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst_internal.h,v 1.12 2020/09/15 08:15:59 deraadt Exp $ */
+/* $Id: dst_internal.h,v 1.13 2024/05/17 23:56:19 jsg Exp $ */
 
 #ifndef DST_DST_INTERNAL_H
 #define DST_DST_INTERNAL_H 1
@@ -133,7 +133,6 @@ isc_result_t dst__hmacsha384_init(struct dst_func **funcp);
 isc_result_t dst__hmacsha512_init(struct dst_func **funcp);
 isc_result_t dst__opensslrsa_init(struct dst_func **funcp,
 				  unsigned char algorithm);
-isc_result_t dst__opensslecdsa_init(struct dst_func **funcp);
 
 /*%
  * Destructors

usr.bin/dig/lib/dns/include/dns/compress.h

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: compress.h,v 1.5 2020/09/14 08:40:43 florian Exp $ */
+/* $Id: compress.h,v 1.6 2024/05/17 23:56:19 jsg Exp $ */
 
 #ifndef DNS_COMPRESS_H
 #define DNS_COMPRESS_H 1
@@ -173,16 +173,6 @@ dns_decompress_init(dns_decompress_t *dctx, int edns,
  *\li		'dctx' to be a valid pointer.
  */
 
-void
-dns_decompress_invalidate(dns_decompress_t *dctx);
-
-/*%<
- *	Invalidates 'dctx'.
- *
- *	Requires:
- *\li		'dctx' to be initialized
- */
-
 void
 dns_decompress_setmethods(dns_decompress_t *dctx, unsigned int allowed);
 
@@ -193,14 +183,4 @@ dns_decompress_setmethods(dns_decompress_t *dctx, unsigned int allowed);
  *\li		'dctx' to be initialized
  */
 
-dns_decompresstype_t
-dns_decompress_type(dns_decompress_t *dctx);
-
-/*%<
- *	Returns 'dctx->type'
- *
- *	Requires:
- *\li		'dctx' to be initialized
- */
-
 #endif /* DNS_COMPRESS_H */

usr.bin/dig/lib/dns/include/dns/message.h

@@ -985,27 +985,6 @@ dns_message_takebuffer(dns_message_t *msg, isc_buffer_t **buffer);
  *	dynamically allocated via isc_buffer_allocate().
  */
 
-isc_result_t
-dns_message_rechecksig(dns_message_t *msg, dns_view_t *view);
-/*%<
- * Reset the signature state and then if the message was signed,
- * verify the message.
- *
- * Requires:
- *
- *\li	msg is a valid parsed message.
- *\li	view is a valid view or NULL
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS		- the message was unsigned, or the message
- *				  was signed correctly.
- *
- *\li	#DNS_R_EXPECTEDTSIG	- A TSIG was expected, but not seen
- *\li	#DNS_R_UNEXPECTEDTSIG	- A TSIG was seen but not expected
- *\li	#DNS_R_TSIGVERIFYFAILURE - The TSIG failed to verify
- */
-
 isc_result_t
 dns_message_buildopt(dns_message_t *msg, dns_rdataset_t **opt,
 		     unsigned int version, uint16_t udpsize,

usr.bin/dig/lib/dns/rdataset.c

@@ -198,7 +198,7 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	isc_region_t r;
 	isc_result_t result;
-	unsigned int i, count = 0, added;
+	unsigned int i, count = 0;
 	isc_buffer_t savedbuffer, rdlen;
 	unsigned int headlen;
 	int question = 0;
@@ -287,7 +287,6 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
 
 	savedbuffer = *target;
 	i = 0;
-	added = 0;
 
 	do {
 		/*
@@ -335,7 +334,6 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
 			isc_buffer_putuint16(&rdlen,
 					     (uint16_t)(target->used -
 							    rdlen.used - 2));
-			added++;
 		}
 
 		if (shuffle) {

usr.bin/dig/lib/isc/include/isc/log.h

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.h,v 1.8 2020/09/14 08:40:44 florian Exp $ */
+/* $Id: log.h,v 1.9 2024/05/17 23:56:19 jsg Exp $ */
 
 #ifndef ISC_LOG_H
 #define ISC_LOG_H 1
@@ -551,28 +551,6 @@ isc_log_wouldlog(isc_log_t *lctx, int level);
  * isc_log_write() calls and possible message preformatting.
  */
 
-void
-isc_log_closefilelogs(isc_log_t *lctx);
-/*%<
- * Close all open files used by #ISC_LOG_TOFILE channels.
- *
- * Notes:
- *\li	This function is provided for programs that want to use their own
- *	log rolling mechanism rather than the one provided internally.
- *	For example, a program that wanted to keep daily logs would define
- *	a channel which used #ISC_LOG_ROLLNEVER, then once a day would
- *	rename the log file and call isc_log_closefilelogs().
- *
- *\li	#ISC_LOG_TOFILEDESC channels are unaffected.
- *
- * Requires:
- *\li	lctx is a valid context.
- *
- * Ensures:
- *\li	The open files are closed and will be reopened when they are
- *	next needed.
- */
-
 void
 isc_log_setcontext(isc_log_t *lctx);
 /*%<

usr.bin/dig/lib/isc/sha2.c

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sha2.c,v 1.4 2020/02/24 13:49:38 jsg Exp $ */
+/* $Id: sha2.c,v 1.5 2024/05/17 09:36:48 tb Exp $ */
 
 /*	$FreeBSD: src/sys/crypto/sha2/sha2.c,v 1.2.2.2 2002/03/05 08:36:47 ume Exp $	*/
 /*	$KAME: sha2.c,v 1.8 2001/11/08 01:07:52 itojun Exp $	*/
@@ -87,7 +87,7 @@ isc_sha224_update(isc_sha224_t *context, const uint8_t* data, size_t len) {
 }
 
 void
-isc_sha224_final(uint8_t digest[], isc_sha224_t *context) {
+isc_sha224_final(uint8_t digest[ISC_SHA224_DIGESTLENGTH], isc_sha224_t *context) {
 	/* Sanity check: */
 	REQUIRE(context != (isc_sha224_t *)0);
 	REQUIRE(context->ctx != (EVP_MD_CTX *)0);
@@ -129,7 +129,7 @@ isc_sha256_update(isc_sha256_t *context, const uint8_t *data, size_t len) {
 }
 
 void
-isc_sha256_final(uint8_t digest[], isc_sha256_t *context) {
+isc_sha256_final(uint8_t digest[ISC_SHA256_DIGESTLENGTH], isc_sha256_t *context) {
 	/* Sanity check: */
 	REQUIRE(context != (isc_sha256_t *)0);
 	REQUIRE(context->ctx != (EVP_MD_CTX *)0);
@@ -169,7 +169,7 @@ void isc_sha512_update(isc_sha512_t *context, const uint8_t *data, size_t len) {
 				       (const void *) data, len) == 1);
 }
 
-void isc_sha512_final(uint8_t digest[], isc_sha512_t *context) {
+void isc_sha512_final(uint8_t digest[ISC_SHA512_DIGESTLENGTH], isc_sha512_t *context) {
 	/* Sanity check: */
 	REQUIRE(context != (isc_sha512_t *)0);
 	REQUIRE(context->ctx != (EVP_MD_CTX *)0);
@@ -211,7 +211,7 @@ isc_sha384_update(isc_sha384_t *context, const uint8_t* data, size_t len) {
 }
 
 void
-isc_sha384_final(uint8_t digest[], isc_sha384_t *context) {
+isc_sha384_final(uint8_t digest[ISC_SHA384_DIGESTLENGTH], isc_sha384_t *context) {
 	/* Sanity check: */
 	REQUIRE(context != (isc_sha384_t *)0);
 	REQUIRE(context->ctx != (EVP_MD_CTX *)0);

usr.bin/kdump/kdump.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: kdump.c,v 1.162 2024/03/29 07:53:32 deraadt Exp $	*/
+/*	$OpenBSD: kdump.c,v 1.163 2024/05/18 05:20:22 guenther Exp $	*/
 
 /*-
  * Copyright (c) 1988, 1993
@@ -866,6 +866,7 @@ static const formatter scargs[][8] = {
     [SYS_setgid]	= { Gidname },
     [SYS_setegid]	= { Gidname },
     [SYS_seteuid]	= { Uidname },
+    [SYS_pathconfat]	= { Atfd, Ppath, Pathconfname, Atflagsname },
     [SYS_pathconf]	= { Ppath, Pathconfname },
     [SYS_fpathconf]	= { Pfd, Pathconfname },
     [SYS_swapctl]	= { Swapctlname, Pptr, Pdecint },

usr.bin/less/forwback.c

@@ -29,8 +29,6 @@ extern int plusoption;
 extern int forw_scroll;
 extern int back_scroll;
 extern int ignore_eoi;
-extern int clear_bg;
-extern int final_attr;
 extern int oldbot;
 extern char *tagoption;
 

usr.bin/mandoc/roff_escape.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: roff_escape.c,v 1.14 2022/06/08 13:08:00 schwarze Exp $ */
+/* $OpenBSD: roff_escape.c,v 1.15 2024/05/16 21:21:08 schwarze Exp $ */
 /*
  * Copyright (c) 2011, 2012, 2013, 2014, 2015, 2017, 2018, 2020, 2022
  *               Ingo Schwarze <schwarze@openbsd.org>
@@ -467,13 +467,12 @@ roff_escape(const char *buf, const int ln, const int aesc,
 		/*
 		 * Unicode escapes are defined in groff as \[u0000]
 		 * to \[u10FFFF], where the contained value must be
-		 * a valid Unicode codepoint.  Here, however, only
+		 * a valid Unicode codepoint.
-		 * check the length and range.
 		 */
 
 		if (buf[iarg] != 'u' || argl < 5 || argl > 7)
 			break;
-		if (argl == 7 &&
+		if (argl == 7 &&  /* beyond the Unicode range */
 		    (buf[iarg + 1] != '1' || buf[iarg + 2] != '0')) {
 			err = MANDOCERR_ESC_BADCHAR;
 			break;
@@ -482,8 +481,9 @@ roff_escape(const char *buf, const int ln, const int aesc,
 			err = MANDOCERR_ESC_BADCHAR;
 			break;
 		}
-		if (argl == 5 && buf[iarg + 1] == 'D' &&
+		if (argl == 5 &&  /* UTF-16 surrogate */
-		    strchr("89ABCDEF", buf[iarg + 2]) != NULL) {
+		    toupper((unsigned char)buf[iarg + 1]) == 'D' &&
+		    strchr("89ABCDEFabcdef", buf[iarg + 2]) != NULL) {
 			err = MANDOCERR_ESC_BADCHAR;
 			break;
 		}

usr.bin/netstat/netstat.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: netstat.h,v 1.77 2022/09/08 13:18:47 kn Exp $	*/
+/*	$OpenBSD: netstat.h,v 1.78 2024/05/18 07:10:16 jsg Exp $	*/
 /*	$NetBSD: netstat.h,v 1.6 1996/05/07 02:55:05 thorpej Exp $	*/
 
 /*
@@ -90,7 +90,6 @@ void	ip_stats(char *);
 void	div_stats(char *);
 void	icmp_stats(char *);
 void	igmp_stats(char *);
-void	pim_stats(char *);
 void	ah_stats(char *);
 void	ipsec_stats(char *);
 void	esp_stats(char *);
@@ -105,19 +104,14 @@ void	net80211_ifstats(char *);
 
 void	mbpr(void);
 
-void	hostpr(u_long, u_long);
-void	impstats(u_long, u_long);
-
 void	rt_stats(void);
 void	pr_rthdr(int, int);
-void	pr_encaphdr(void);
 void	pr_family(int);
 
 void	rdomainpr(void);
 
 void	ip6_stats(char *);
 void	icmp6_stats(char *);
-void	pim6_stats(char *);
 void	div6_stats(char *);
 void	rip6_stats(char *);
 void	mroute6pr(void);
@@ -142,8 +136,6 @@ char	*netname4(in_addr_t, in_addr_t);
 char	*mpls_op(u_int32_t);
 void	routepr(u_long, u_long, u_long, u_int);
 
-void	nsprotopr(u_long, char *);
-
 #define	IF_SHOW_FAIL	0
 #define	IF_SHOW_ERRS	1
 #define	IF_SHOW_DROP	2

usr.bin/openssl/apps.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: apps.h,v 1.34 2023/06/11 13:02:10 jsg Exp $ */
+/* $OpenBSD: apps.h,v 1.36 2024/05/18 08:48:31 jsg Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -127,7 +127,6 @@
 #endif
 
 #include <unistd.h>
-extern int single_execution;
 
 extern CONF *config;
 extern char *default_config_file;
@@ -151,7 +150,6 @@ int ui_write(UI *ui, UI_STRING *uis);
 int ui_close(UI *ui);
 
 int should_retry(int i);
-int args_from_file(char *file, int *argc, char **argv[]);
 int str2fmt(char *s);
 void program_name(char *in, char *out, int size);
 #ifdef HEADER_X509_H

usr.bin/openssl/progs.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: progs.h,v 1.9 2019/11/04 15:25:54 jsing Exp $ */
+/* $OpenBSD: progs.h,v 1.10 2024/05/18 08:47:13 jsg Exp $ */
 /* Public domain */
 
 int asn1parse_main(int argc, char **argv);
@@ -21,7 +21,6 @@ int gendh_main(int argc, char **argv);
 int gendsa_main(int argc, char **argv);
 int genpkey_main(int argc, char **argv);
 int genrsa_main(int argc, char **argv);
-int nseq_main(int argc, char **argv);
 int ocsp_main(int argc, char **argv);
 int passwd_main(int argc, char **argv);
 int pkcs7_main(int argc, char **argv);

usr.bin/openssl/s_apps.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: s_apps.h,v 1.7 2021/12/06 11:06:58 tb Exp $ */
+/* $OpenBSD: s_apps.h,v 1.8 2024/05/18 08:47:13 jsg Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -130,7 +130,6 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
 #endif
 int ssl_print_tmp_key(BIO *out, SSL *s);
 int init_client(int *sock, char *server, char *port, int type, int af);
-int should_retry(int i);
 int extract_port(char *str, short *port_ptr);
 int extract_host_port(char *str, char **host_ptr, unsigned char *ip, char **p);
 

usr.bin/ssh/Makefile

@@ -1,8 +1,9 @@
-#	$OpenBSD: Makefile,v 1.17 2019/10/31 21:22:01 djm Exp $
+#	$OpenBSD: Makefile,v 1.18 2024/05/17 00:30:23 djm Exp $
 
 .include <bsd.own.mk>
 
-SUBDIR=	ssh sshd ssh-add ssh-keygen ssh-agent scp sftp-server \
+SUBDIR=	ssh sshd sshd-session \
+	ssh-add ssh-keygen ssh-agent scp sftp-server \
 	ssh-keysign ssh-keyscan sftp ssh-pkcs11-helper ssh-sk-helper
 
 distribution:

usr.bin/ssh/Makefile.inc

@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile.inc,v 1.89 2024/01/11 01:45:36 djm Exp $
+#	$OpenBSD: Makefile.inc,v 1.90 2024/05/17 00:30:23 djm Exp $
 
 .include <bsd.own.mk>
 
@@ -25,7 +25,7 @@ CDIAGFLAGS+=	-Wstrict-aliasing=2
 CDIAGFLAGS+=	-Wold-style-definition
 .endif
 
-#CDIAGFLAGS+=	-Werror
+CDIAGFLAGS+=	-Werror
 #CDIAGFLAGS+=	-fno-common
 #DEBUG=-g
 #INSTALL_STRIP=
@@ -111,14 +111,17 @@ SRCS_KEYP+=	atomicio.c
 SRCS_KRL+=	bitmap.c
 SRCS_KRL+=	krl.c
 
+SRCS_MAC+=	mac.c
+SRCS_MAC+=	hmac.c
+SRCS_MAC+=	umac.c
+SRCS_MAC+=	umac128.c
+
 SRCS_PKT+=	canohost.c
 SRCS_PKT+=	dispatch.c
-SRCS_PKT+=	hmac.c
 SRCS_PKT+=	kex.c
-SRCS_PKT+=	mac.c
+SRCS_PKT+=	kex-names.c
 SRCS_PKT+=	packet.c
-SRCS_PKT+=	umac.c
+SRCS_PKT+=	${SRCS_MAC}
-SRCS_PKT+=	umac128.c
 
 SRCS_PROT+=	channels.c
 SRCS_PROT+=	monitor_fdpass.c

usr.bin/ssh/auth-rhosts.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-rhosts.c,v 1.57 2022/12/09 00:17:40 dtucker Exp $ */
+/* $OpenBSD: auth-rhosts.c,v 1.58 2024/05/17 00:30:23 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -42,7 +42,6 @@
 
 /* import */
 extern ServerOptions options;
-extern int use_privsep;
 
 /*
  * This function processes an rhosts-style file (.rhosts, .shosts, or

usr.bin/ssh/auth.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.160 2023/03/05 05:34:09 dtucker Exp $ */
+/* $OpenBSD: auth.c,v 1.161 2024/05/17 00:30:23 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -67,7 +67,6 @@
 /* import */
 extern ServerOptions options;
 extern struct include_list includes;
-extern int use_privsep;
 extern struct sshauthopt *auth_opts;
 
 /* Debugging messages */
@@ -246,7 +245,7 @@ auth_log(struct ssh *ssh, int authenticated, int partial,
 	const char *authmsg;
 	char *extra = NULL;
 
-	if (use_privsep && !mm_is_monitor() && !authctxt->postponed)
+	if (!mm_is_monitor() && !authctxt->postponed)
 		return;
 
 	/* Raise logging level */
@@ -420,14 +419,14 @@ getpwnamallow(struct ssh *ssh, const char *user)
 	struct connection_info *ci;
 	u_int i;
 
-	ci = get_connection_info(ssh, 1, options.use_dns);
+	ci = server_get_connection_info(ssh, 1, options.use_dns);
 	ci->user = user;
 	parse_server_match_config(&options, &includes, ci);
 	log_change_level(options.log_level);
 	log_verbose_reset();
 	for (i = 0; i < options.num_log_verbose; i++)
 		log_verbose_add(options.log_verbose[i]);
-	process_permitopen(ssh, &options);
+	server_process_permitopen(ssh);
 
 	pw = getpwnam(user);
 	if (pw == NULL) {
@@ -562,93 +561,6 @@ fakepw(void)
 	return (&fake);
 }
 
-/*
- * Returns the remote DNS hostname as a string. The returned string must not
- * be freed. NB. this will usually trigger a DNS query the first time it is
- * called.
- * This function does additional checks on the hostname to mitigate some
- * attacks on based on conflation of hostnames and IP addresses.
- */
-
-static char *
-remote_hostname(struct ssh *ssh)
-{
-	struct sockaddr_storage from;
-	socklen_t fromlen;
-	struct addrinfo hints, *ai, *aitop;
-	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
-	const char *ntop = ssh_remote_ipaddr(ssh);
-
-	/* Get IP address of client. */
-	fromlen = sizeof(from);
-	memset(&from, 0, sizeof(from));
-	if (getpeername(ssh_packet_get_connection_in(ssh),
-	    (struct sockaddr *)&from, &fromlen) == -1) {
-		debug("getpeername failed: %.100s", strerror(errno));
-		return xstrdup(ntop);
-	}
-
-	debug3("Trying to reverse map address %.100s.", ntop);
-	/* Map the IP address to a host name. */
-	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-	    NULL, 0, NI_NAMEREQD) != 0) {
-		/* Host name not found.  Use ip address. */
-		return xstrdup(ntop);
-	}
-
-	/*
-	 * if reverse lookup result looks like a numeric hostname,
-	 * someone is trying to trick us by PTR record like following:
-	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
-	 */
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
-	hints.ai_flags = AI_NUMERICHOST;
-	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
-		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-		    name, ntop);
-		freeaddrinfo(ai);
-		return xstrdup(ntop);
-	}
-
-	/* Names are stored in lowercase. */
-	lowercase(name);
-
-	/*
-	 * Map it back to an IP address and check that the given
-	 * address actually is an address of this host.  This is
-	 * necessary because anyone with access to a name server can
-	 * define arbitrary names for an IP address. Mapping from
-	 * name to IP address can be trusted better (but can still be
-	 * fooled if the intruder has access to the name server of
-	 * the domain).
-	 */
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_family = from.ss_family;
-	hints.ai_socktype = SOCK_STREAM;
-	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-		logit("reverse mapping checking getaddrinfo for %.700s "
-		    "[%s] failed.", name, ntop);
-		return xstrdup(ntop);
-	}
-	/* Look for the address from the list of addresses. */
-	for (ai = aitop; ai; ai = ai->ai_next) {
-		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-		    (strcmp(ntop, ntop2) == 0))
-				break;
-	}
-	freeaddrinfo(aitop);
-	/* If we reached the end of the list, the address was not there. */
-	if (ai == NULL) {
-		/* Address not found for the host name. */
-		logit("Address %.100s maps to %.600s, but this does not "
-		    "map back to the address.", ntop, name);
-		return xstrdup(ntop);
-	}
-	return xstrdup(name);
-}
-
 /*
  * Return the canonical name of the host in the other side of the current
  * connection.  The host name is cached, so it is efficient to call this
@@ -662,13 +574,11 @@ auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
 
 	if (!use_dns)
 		return ssh_remote_ipaddr(ssh);
-	else if (dnsname != NULL)
+	if (dnsname != NULL)
 		return dnsname;
-	else {
+	dnsname = ssh_remote_hostname(ssh);
-		dnsname = remote_hostname(ssh);
 	return dnsname;
 }
-}
 
 /* These functions link key/cert options to the auth framework */
 

usr.bin/ssh/auth.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.h,v 1.106 2022/06/15 16:08:25 djm Exp $ */
+/* $OpenBSD: auth.h,v 1.108 2024/05/17 06:42:04 jsg Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -95,13 +95,17 @@ struct Authctxt {
  * the client.
  */
 
-struct Authmethod {
+struct authmethod_cfg {
-	char	*name;
+	const char *name;
-	char	*synonym;
+	const char *synonym;
-	int	(*userauth)(struct ssh *, const char *);
 	int *enabled;
 };
 
+struct Authmethod {
+	struct authmethod_cfg *cfg;
+	int	(*userauth)(struct ssh *, const char *);
+};
+
 /*
  * Keyboard interactive device:
  * init_ctx	returns: non NULL upon success
@@ -142,8 +146,6 @@ void	 auth2_record_info(Authctxt *authctxt, const char *, ...)
 void	 auth2_update_session_info(Authctxt *, const char *, const char *);
 
 #ifdef KRB5
-int	auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
-int	auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
 int	auth_krb5_password(Authctxt *authctxt, const char *password);
 void	krb5_cleanup_proc(Authctxt *authctxt);
 #endif /* KRB5 */
@@ -192,7 +194,6 @@ int	 sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *,
     u_char **, size_t *, const u_char *, size_t, const char *);
 
 /* Key / cert options linkage to auth layer */
-const struct sshauthopt *auth_options(struct ssh *);
 int	 auth_activate_options(struct ssh *, struct sshauthopt *);
 void	 auth_restrict_session(struct ssh *);
 void	 auth_log_authopts(const char *, const struct sshauthopt *, int);

usr.bin/ssh/auth2-gss.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-gss.c,v 1.34 2023/03/31 04:22:27 djm Exp $ */
+/* $OpenBSD: auth2-gss.c,v 1.36 2024/05/17 04:42:13 djm Exp $ */
 
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -46,6 +46,7 @@
 #define SSH_GSSAPI_MAX_MECHS	2048
 
 extern ServerOptions options;
+extern struct authmethod_cfg methodcfg_gssapi;
 
 static int input_gssapi_token(int type, u_int32_t plen, struct ssh *ssh);
 static int input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh);
@@ -111,7 +112,7 @@ userauth_gssapi(struct ssh *ssh, const char *method)
 		return (0);
 	}
 
-	if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
+	if (GSS_ERROR(mm_ssh_gssapi_server_ctx(&ctxt, &goid))) {
 		if (ctxt != NULL)
 			ssh_gssapi_delete_ctx(&ctxt);
 		free(doid);
@@ -148,7 +149,7 @@ input_gssapi_token(int type, u_int32_t plen, struct ssh *ssh)
 	size_t len;
 	int r;
 
-	if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
+	if (authctxt == NULL)
 		fatal("No authentication or GSSAPI context");
 
 	gssctxt = authctxt->methoddata;
@@ -158,8 +159,8 @@ input_gssapi_token(int type, u_int32_t plen, struct ssh *ssh)
 
 	recv_tok.value = p;
 	recv_tok.length = len;
-	maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
+	maj_status = mm_ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
-	    &send_tok, &flags));
+	    &send_tok, &flags);
 
 	free(p);
 
@@ -212,7 +213,7 @@ input_gssapi_errtok(int type, u_int32_t plen, struct ssh *ssh)
 	u_char *p;
 	size_t len;
 
-	if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
+	if (authctxt == NULL)
 		fatal("No authentication or GSSAPI context");
 
 	gssctxt = authctxt->methoddata;
@@ -223,8 +224,8 @@ input_gssapi_errtok(int type, u_int32_t plen, struct ssh *ssh)
 	recv_tok.length = len;
 
 	/* Push the error token into GSSAPI to see what it says */
-	maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
+	maj_status = mm_ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
-	    &send_tok, NULL));
+	    &send_tok, NULL);
 
 	free(recv_tok.value);
 
@@ -249,9 +250,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
 {
 	Authctxt *authctxt = ssh->authctxt;
 	int r, authenticated;
-	const char *displayname;
 
-	if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
+	if (authctxt == NULL)
 		fatal("No authentication or GSSAPI context");
 
 	/*
@@ -262,11 +262,7 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
 	if ((r = sshpkt_get_end(ssh)) != 0)
 		fatal_fr(r, "parse packet");
 
-	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
+	authenticated = mm_ssh_gssapi_userok(authctxt->user);
-
-	if ((!use_privsep || mm_is_monitor()) &&
-	    (displayname = ssh_gssapi_displayname()) != NULL)
-		auth2_record_info(authctxt, "%s", displayname);
 
 	authctxt->postponed = 0;
 	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
@@ -285,11 +281,10 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
 	int r, authenticated = 0;
 	struct sshbuf *b;
 	gss_buffer_desc mic, gssbuf;
-	const char *displayname;
 	u_char *p;
 	size_t len;
 
-	if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
+	if (authctxt == NULL)
 		fatal("No authentication or GSSAPI context");
 
 	gssctxt = authctxt->methoddata;
@@ -307,18 +302,14 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
 		fatal_f("sshbuf_mutable_ptr failed");
 	gssbuf.length = sshbuf_len(b);
 
-	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
+	if (!GSS_ERROR(mm_ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))
-		authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
+		authenticated = mm_ssh_gssapi_userok(authctxt->user);
 	else
 		logit("GSSAPI MIC check failed");
 
 	sshbuf_free(b);
 	free(mic.value);
 
-	if ((!use_privsep || mm_is_monitor()) &&
-	    (displayname = ssh_gssapi_displayname()) != NULL)
-		auth2_record_info(authctxt, "%s", displayname);
-
 	authctxt->postponed = 0;
 	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
 	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
@@ -329,9 +320,7 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
 }
 
 Authmethod method_gssapi = {
-	"gssapi-with-mic",
+	&methodcfg_gssapi,
-	NULL,
 	userauth_gssapi,
-	&options.gss_authentication
 };
 #endif

usr.bin/ssh/auth2-hostbased.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-hostbased.c,v 1.52 2023/03/05 05:34:09 dtucker Exp $ */
+/* $OpenBSD: auth2-hostbased.c,v 1.53 2024/05/17 00:30:23 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -53,6 +53,7 @@
 
 /* import */
 extern ServerOptions options;
+extern struct authmethod_cfg methodcfg_hostbased;
 
 static int
 userauth_hostbased(struct ssh *ssh, const char *method)
@@ -144,10 +145,10 @@ userauth_hostbased(struct ssh *ssh, const char *method)
 
 	/* test for allowed key and correct signature */
 	authenticated = 0;
-	if (PRIVSEP(hostbased_key_allowed(ssh, authctxt->pw, cuser,
+	if (mm_hostbased_key_allowed(ssh, authctxt->pw, cuser,
-	    chost, key)) &&
+	    chost, key) &&
-	    PRIVSEP(sshkey_verify(key, sig, slen,
+	    mm_sshkey_verify(key, sig, slen,
-	    sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat, NULL)) == 0)
+	    sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat, NULL) == 0)
 		authenticated = 1;
 
 	auth2_record_key(authctxt, authenticated, key);
@@ -251,8 +252,6 @@ hostbased_key_allowed(struct ssh *ssh, struct passwd *pw,
 }
 
 Authmethod method_hostbased = {
-	"hostbased",
+	&methodcfg_hostbased,
-	NULL,
 	userauth_hostbased,
-	&options.hostbased_authentication
 };

usr.bin/ssh/auth2-kbdint.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-kbdint.c,v 1.14 2021/12/19 22:12:07 djm Exp $ */
+/* $OpenBSD: auth2-kbdint.c,v 1.15 2024/05/17 00:30:23 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -40,6 +40,7 @@
 
 /* import */
 extern ServerOptions options;
+extern struct authmethod_cfg methodcfg_kbdint;
 
 static int
 userauth_kbdint(struct ssh *ssh, const char *method)
@@ -63,8 +64,6 @@ userauth_kbdint(struct ssh *ssh, const char *method)
 }
 
 Authmethod method_kbdint = {
-	"keyboard-interactive",
+	&methodcfg_kbdint,
-	NULL,
 	userauth_kbdint,
-	&options.kbd_interactive_authentication
 };

usr.bin/ssh/auth2-methods.c

@@ -0,0 +1,133 @@
+/*
+ * Copyright (c) 2012,2023 Damien Miller <djm@mindrot.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/types.h>
+#include <sys/queue.h>
+
+#include <stdlib.h>
+#include <string.h>
+
+#include "log.h"
+#include "misc.h"
+#include "servconf.h"
+#include "xmalloc.h"
+#include "hostfile.h"
+#include "auth.h"
+
+extern ServerOptions options;
+
+/*
+ * Configuration of enabled authentication methods. Separate to the rest of
+ * auth2-*.c because we want to query it during server configuration validity
+ * checking in the sshd listener process without pulling all the auth code in
+ * too.
+ */
+
+/* "none" is allowed only one time and it cleared by userauth_none() later */
+int none_enabled = 1;
+struct authmethod_cfg methodcfg_none = {
+	"none",
+	NULL,
+	&none_enabled
+};
+struct authmethod_cfg methodcfg_pubkey = {
+	"publickey",
+	"publickey-hostbound-v00@openssh.com",
+	&options.pubkey_authentication
+};
+#ifdef GSSAPI
+struct authmethod_cfg methodcfg_gssapi = {
+	"gssapi-with-mic",
+	NULL,
+	&options.gss_authentication
+};
+#endif
+struct authmethod_cfg methodcfg_passwd = {
+	"password",
+	NULL,
+	&options.password_authentication
+};
+struct authmethod_cfg methodcfg_kbdint = {
+	"keyboard-interactive",
+	NULL,
+	&options.kbd_interactive_authentication
+};
+struct authmethod_cfg methodcfg_hostbased = {
+	"hostbased",
+	NULL,
+	&options.hostbased_authentication
+};
+
+static struct authmethod_cfg *authmethod_cfgs[] = {
+	&methodcfg_none,
+	&methodcfg_pubkey,
+#ifdef GSSAPI
+	&methodcfg_gssapi,
+#endif
+	&methodcfg_passwd,
+	&methodcfg_kbdint,
+	&methodcfg_hostbased,
+	NULL
+};
+
+/*
+ * Check a comma-separated list of methods for validity. Is need_enable is
+ * non-zero, then also require that the methods are enabled.
+ * Returns 0 on success or -1 if the methods list is invalid.
+ */
+int
+auth2_methods_valid(const char *_methods, int need_enable)
+{
+	char *methods, *omethods, *method, *p;
+	u_int i, found;
+	int ret = -1;
+	const struct authmethod_cfg *cfg;
+
+	if (*_methods == '\0') {
+		error("empty authentication method list");
+		return -1;
+	}
+	omethods = methods = xstrdup(_methods);
+	while ((method = strsep(&methods, ",")) != NULL) {
+		for (found = i = 0; !found && authmethod_cfgs[i] != NULL; i++) {
+			cfg = authmethod_cfgs[i];
+			if ((p = strchr(method, ':')) != NULL)
+				*p = '\0';
+			if (strcmp(method, cfg->name) != 0)
+				continue;
+			if (need_enable) {
+				if (cfg->enabled == NULL ||
+				    *(cfg->enabled) == 0) {
+					error("Disabled method \"%s\" in "
+					    "AuthenticationMethods list \"%s\"",
+					    method, _methods);
+					goto out;
+				}
+			}
+			found = 1;
+			break;
+		}
+		if (!found) {
+			error("Unknown authentication method \"%s\" in list",
+			    method);
+			goto out;
+		}
+	}
+	ret = 0;
+ out:
+	free(omethods);
+	return ret;
+}

usr.bin/ssh/auth2-none.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-none.c,v 1.25 2023/03/05 05:34:09 dtucker Exp $ */
+/* $OpenBSD: auth2-none.c,v 1.26 2024/05/17 00:30:23 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -44,9 +44,9 @@
 
 /* import */
 extern ServerOptions options;
+extern struct authmethod_cfg methodcfg_none;
 
-/* "none" is allowed only one time */
+extern int none_enabled;
-static int none_enabled = 1;
 
 static int
 userauth_none(struct ssh *ssh, const char *method)
@@ -57,13 +57,11 @@ userauth_none(struct ssh *ssh, const char *method)
 	if ((r = sshpkt_get_end(ssh)) != 0)
 		fatal_fr(r, "parse packet");
 	if (options.permit_empty_passwd && options.password_authentication)
-		return (PRIVSEP(auth_password(ssh, "")));
+		return mm_auth_password(ssh, "");
 	return (0);
 }
 
 Authmethod method_none = {
-	"none",
+	&methodcfg_none,
-	NULL,
 	userauth_none,
-	&none_enabled
 };

usr.bin/ssh/auth2-passwd.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-passwd.c,v 1.21 2022/05/27 04:29:40 dtucker Exp $ */
+/* $OpenBSD: auth2-passwd.c,v 1.22 2024/05/17 00:30:23 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -45,6 +45,7 @@
 
 /* import */
 extern ServerOptions options;
+extern struct authmethod_cfg methodcfg_passwd;
 
 static int
 userauth_passwd(struct ssh *ssh, const char *method)
@@ -64,15 +65,13 @@ userauth_passwd(struct ssh *ssh, const char *method)
 
 	if (change)
 		logit("password change not supported");
-	else if (PRIVSEP(auth_password(ssh, password)) == 1)
+	else if (mm_auth_password(ssh, password) == 1)
 		authenticated = 1;
 	freezero(password, len);
 	return authenticated;
 }
 
 Authmethod method_passwd = {
-	"password",
+	&methodcfg_passwd,
-	NULL,
 	userauth_passwd,
-	&options.password_authentication
 };

usr.bin/ssh/auth2-pubkey.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.119 2023/07/27 22:25:17 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.120 2024/05/17 00:30:23 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2010 Damien Miller.  All rights reserved.
@@ -69,6 +69,7 @@
 
 /* import */
 extern ServerOptions options;
+extern struct authmethod_cfg methodcfg_pubkey;
 
 static char *
 format_key(const struct sshkey *key)
@@ -216,11 +217,11 @@ userauth_pubkey(struct ssh *ssh, const char *method)
 #endif
 		/* test for correct signature */
 		authenticated = 0;
-		if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) &&
+		if (mm_user_key_allowed(ssh, pw, key, 1, &authopts) &&
-		    PRIVSEP(sshkey_verify(key, sig, slen,
+		    mm_sshkey_verify(key, sig, slen,
 		    sshbuf_ptr(b), sshbuf_len(b),
 		    (ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL,
-		    ssh->compat, &sig_details)) == 0) {
+		    ssh->compat, &sig_details) == 0) {
 			authenticated = 1;
 		}
 		if (authenticated == 1 && sig_details != NULL) {
@@ -278,7 +279,7 @@ userauth_pubkey(struct ssh *ssh, const char *method)
 		 * if a user is not allowed to login. is this an
 		 * issue? -markus
 		 */
-		if (PRIVSEP(user_key_allowed(ssh, pw, key, 0, NULL))) {
+		if (mm_user_key_allowed(ssh, pw, key, 0, NULL)) {
 			if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_PK_OK))
 			    != 0 ||
 			    (r = sshpkt_put_cstring(ssh, pkalg)) != 0 ||
@@ -810,8 +811,6 @@ user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
 }
 
 Authmethod method_pubkey = {
-	"publickey",
+	&methodcfg_pubkey,
-	"publickey-hostbound-v00@openssh.com",
 	userauth_pubkey,
-	&options.pubkey_authentication
 };

usr.bin/ssh/auth2.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.168 2023/12/18 14:45:49 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.169 2024/05/17 00:30:23 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -141,7 +141,7 @@ userauth_banner(struct ssh *ssh)
 	if (options.banner == NULL)
 		return;
 
-	if ((banner = PRIVSEP(auth2_read_banner())) == NULL)
+	if ((banner = mm_auth2_read_banner()) == NULL)
 		goto done;
 
 	if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_BANNER)) != 0 ||
@@ -281,7 +281,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
 		auth_maxtries_exceeded(ssh);
 	if (authctxt->attempt++ == 0) {
 		/* setup auth context */
-		authctxt->pw = PRIVSEP(getpwnamallow(ssh, user));
+		authctxt->pw = mm_getpwnamallow(ssh, user);
 		if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
 			authctxt->valid = 1;
 			debug2_f("setting up authctxt for %s", user);
@@ -292,12 +292,10 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
 		}
 		ssh_packet_set_log_preamble(ssh, "%suser %s",
 		    authctxt->valid ? "authenticating " : "invalid ", user);
-		setproctitle("%s%s", authctxt->valid ? user : "unknown",
+		setproctitle("%s [net]", authctxt->valid ? user : "unknown");
-		    use_privsep ? " [net]" : "");
 		authctxt->user = xstrdup(user);
 		authctxt->service = xstrdup(service);
 		authctxt->style = style ? xstrdup(style) : NULL;
-		if (use_privsep)
 		mm_inform_authserv(service, style);
 		userauth_banner(ssh);
 		if ((r = kex_server_update_ext_info(ssh)) != 0)
@@ -362,7 +360,7 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *packet_method,
 		/* prefer primary authmethod name to possible synonym */
 		if ((m = authmethod_byname(method)) == NULL)
 			fatal("INTERNAL ERROR: bad method %s", method);
-		method = m->name;
+		method = m->cfg->name;
 	}
 
 	/* Special handling for root */
@@ -453,16 +451,16 @@ authmethods_get(Authctxt *authctxt)
 	if ((b = sshbuf_new()) == NULL)
 		fatal_f("sshbuf_new failed");
 	for (i = 0; authmethods[i] != NULL; i++) {
-		if (strcmp(authmethods[i]->name, "none") == 0)
+		if (strcmp(authmethods[i]->cfg->name, "none") == 0)
 			continue;
-		if (authmethods[i]->enabled == NULL ||
+		if (authmethods[i]->cfg->enabled == NULL ||
-		    *(authmethods[i]->enabled) == 0)
+		    *(authmethods[i]->cfg->enabled) == 0)
 			continue;
-		if (!auth2_method_allowed(authctxt, authmethods[i]->name,
+		if (!auth2_method_allowed(authctxt, authmethods[i]->cfg->name,
 		    NULL))
 			continue;
 		if ((r = sshbuf_putf(b, "%s%s", sshbuf_len(b) ? "," : "",
-		    authmethods[i]->name)) != 0)
+		    authmethods[i]->cfg->name)) != 0)
 			fatal_fr(r, "buffer error");
 	}
 	if ((list = sshbuf_dup_string(b)) == NULL)
@@ -479,9 +477,9 @@ authmethod_byname(const char *name)
 	if (name == NULL)
 		fatal_f("NULL authentication method name");
 	for (i = 0; authmethods[i] != NULL; i++) {
-		if (strcmp(name, authmethods[i]->name) == 0 ||
+		if (strcmp(name, authmethods[i]->cfg->name) == 0 ||
-		    (authmethods[i]->synonym != NULL &&
+		    (authmethods[i]->cfg->synonym != NULL &&
-		    strcmp(name, authmethods[i]->synonym) == 0))
+		    strcmp(name, authmethods[i]->cfg->synonym) == 0))
 			return authmethods[i];
 	}
 	debug_f("unrecognized authentication method name: %s", name);
@@ -496,11 +494,11 @@ authmethod_lookup(Authctxt *authctxt, const char *name)
 	if ((method = authmethod_byname(name)) == NULL)
 		return NULL;
 
-	if (method->enabled == NULL || *(method->enabled) == 0) {
+	if (method->cfg->enabled == NULL || *(method->cfg->enabled) == 0) {
 		debug3_f("method %s not enabled", name);
 		return NULL;
 	}
-	if (!auth2_method_allowed(authctxt, method->name, NULL)) {
+	if (!auth2_method_allowed(authctxt, method->cfg->name, NULL)) {
 		debug3_f("method %s not allowed "
 		    "by AuthenticationMethods", name);
 		return NULL;
@@ -508,53 +506,6 @@ authmethod_lookup(Authctxt *authctxt, const char *name)
 	return method;
 }
 
-/*
- * Check a comma-separated list of methods for validity. Is need_enable is
- * non-zero, then also require that the methods are enabled.
- * Returns 0 on success or -1 if the methods list is invalid.
- */
-int
-auth2_methods_valid(const char *_methods, int need_enable)
-{
-	char *methods, *omethods, *method, *p;
-	u_int i, found;
-	int ret = -1;
-
-	if (*_methods == '\0') {
-		error("empty authentication method list");
-		return -1;
-	}
-	omethods = methods = xstrdup(_methods);
-	while ((method = strsep(&methods, ",")) != NULL) {
-		for (found = i = 0; !found && authmethods[i] != NULL; i++) {
-			if ((p = strchr(method, ':')) != NULL)
-				*p = '\0';
-			if (strcmp(method, authmethods[i]->name) != 0)
-				continue;
-			if (need_enable) {
-				if (authmethods[i]->enabled == NULL ||
-				    *(authmethods[i]->enabled) == 0) {
-					error("Disabled method \"%s\" in "
-					    "AuthenticationMethods list \"%s\"",
-					    method, _methods);
-					goto out;
-				}
-			}
-			found = 1;
-			break;
-		}
-		if (!found) {
-			error("Unknown authentication method \"%s\" in list",
-			    method);
-			goto out;
-		}
-	}
-	ret = 0;
- out:
-	free(omethods);
-	return ret;
-}
-
 /*
  * Prune the AuthenticationMethods supplied in the configuration, removing
  * any methods lists that include disabled methods. Note that this might

usr.bin/ssh/channels.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.437 2024/03/06 02:59:59 djm Exp $ */
+/* $OpenBSD: channels.c,v 1.438 2024/05/17 00:30:23 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -85,13 +85,6 @@
 /* -- agent forwarding */
 #define	NUM_SOCKS	10
 
-/* -- tcp forwarding */
-/* special-case port number meaning allow any port */
-#define FWD_PERMIT_ANY_PORT	0
-
-/* special-case wildcard meaning allow any host */
-#define FWD_PERMIT_ANY_HOST	"*"
-
 /* -- X11 forwarding */
 /* Maximum number of fake X11 displays to try. */
 #define MAX_DISPLAYS  1000
@@ -4530,19 +4523,6 @@ channel_update_permission(struct ssh *ssh, int idx, int newport)
 	}
 }
 
-/* returns port number, FWD_PERMIT_ANY_PORT or -1 on error */
-int
-permitopen_port(const char *p)
-{
-	int port;
-
-	if (strcmp(p, "*") == 0)
-		return FWD_PERMIT_ANY_PORT;
-	if ((port = a2port(p)) > 0)
-		return port;
-	return -1;
-}
-
 /* Try to start non-blocking connect to next host in cctx list */
 static int
 connect_next(struct channel_connect *cctx)

usr.bin/ssh/channels.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.h,v 1.154 2023/12/18 14:47:20 djm Exp $ */
+/* $OpenBSD: channels.h,v 1.155 2024/05/17 06:42:04 jsg Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -322,7 +322,6 @@ int	 channel_input_ieof(int, u_int32_t, struct ssh *);
 int	 channel_input_oclose(int, u_int32_t, struct ssh *);
 int	 channel_input_open_confirmation(int, u_int32_t, struct ssh *);
 int	 channel_input_open_failure(int, u_int32_t, struct ssh *);
-int	 channel_input_port_open(int, u_int32_t, struct ssh *);
 int	 channel_input_window_adjust(int, u_int32_t, struct ssh *);
 int	 channel_input_status_confirm(int, u_int32_t, struct ssh *);
 

usr.bin/ssh/cipher.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: cipher.c,v 1.120 2023/10/10 06:49:54 tb Exp $ */
+/* $OpenBSD: cipher.c,v 1.121 2024/05/17 02:39:11 jsg Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -366,7 +366,7 @@ cipher_crypt(struct sshcipher_ctx *cc, u_int seqnr, u_char *dest,
 		if (!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_IV_GEN,
 		    1, lastiv))
 			return SSH_ERR_LIBCRYPTO_ERROR;
-		/* set tag on decyption */
+		/* set tag on decryption */
 		if (!cc->encrypt &&
 		    !EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_SET_TAG,
 		    authlen, (u_char *)src + aadlen + len))

usr.bin/ssh/clientloop.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.406 2024/05/09 09:46:47 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.407 2024/05/17 06:42:04 jsg Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -184,7 +184,6 @@ TAILQ_HEAD(global_confirms, global_confirm);
 static struct global_confirms global_confirms =
     TAILQ_HEAD_INITIALIZER(global_confirms);
 
-void ssh_process_session2_setup(int, int, int, struct sshbuf *);
 static void quit_message(const char *fmt, ...)
     __attribute__((__format__ (printf, 1, 2)));
 

usr.bin/ssh/clientloop.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.h,v 1.37 2020/04/03 02:40:32 djm Exp $ */
+/* $OpenBSD: clientloop.h,v 1.38 2024/05/17 06:42:04 jsg Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -43,7 +43,6 @@ struct ssh;
 int	 client_loop(struct ssh *, int, int, int);
 int	 client_x11_get_proto(struct ssh *, const char *, const char *,
 	    u_int, u_int, char **, char **);
-void	 client_global_request_reply_fwd(int, u_int32_t, void *);
 void	 client_session2_setup(struct ssh *, int, int, int,
 	    const char *, struct termios *, int, struct sshbuf *, char **);
 char	 *client_request_tun_fwd(struct ssh *, int, int, int,

usr.bin/ssh/ed25519.sh

@@ -1,5 +1,5 @@
 #!/bin/sh
-#       $OpenBSD: ed25519.sh,v 1.1 2023/01/15 23:05:32 djm Exp $
+#       $OpenBSD: ed25519.sh,v 1.2 2024/05/17 02:39:11 jsg Exp $
 #       Placed in the Public Domain.
 #
 AUTHOR="supercop-20221122/crypto_sign/ed25519/ref/implementors"
@@ -74,7 +74,7 @@ for i in $FILES; do
 	    sed -e "s/crypto_sign_open/crypto_sign_ed25519_open/g"
 	    ;;
 	*/crypto_sign/ed25519/ref/fe25519.*)
-	    # avoid a couple of name collions with other files
+	    # avoid a couple of name collisions with other files
 	    sed -e "s/reduce_add_sub/fe25519_reduce_add_sub/g" \
 	        -e "s/ equal[(]/ fe25519_equal(/g" \
 	        -e "s/^int /static int /g"

usr.bin/ssh/kex-names.c

@@ -0,0 +1,319 @@
+/* $OpenBSD: kex-names.c,v 1.1 2024/05/17 00:32:32 djm Exp $ */
+/*
+ * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <signal.h>
+
+#ifdef WITH_OPENSSL
+#include <openssl/crypto.h>
+#include <openssl/evp.h>
+#endif
+
+#include "kex.h"
+#include "log.h"
+#include "match.h"
+#include "digest.h"
+#include "misc.h"
+
+#include "ssherr.h"
+#include "xmalloc.h"
+
+struct kexalg {
+	char *name;
+	u_int type;
+	int ec_nid;
+	int hash_alg;
+};
+static const struct kexalg kexalgs[] = {
+#ifdef WITH_OPENSSL
+	{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
+	{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
+	{ KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
+	{ KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
+	{ KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 },
+	{ KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
+	{ KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
+	{ KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
+	    NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
+	{ KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1,
+	    SSH_DIGEST_SHA384 },
+	{ KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
+	    SSH_DIGEST_SHA512 },
+#endif
+	{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
+	{ KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
+	{ KEX_SNTRUP761X25519_SHA512, KEX_KEM_SNTRUP761X25519_SHA512, 0,
+	    SSH_DIGEST_SHA512 },
+	{ NULL, 0, -1, -1},
+};
+
+char *
+kex_alg_list(char sep)
+{
+	char *ret = NULL, *tmp;
+	size_t nlen, rlen = 0;
+	const struct kexalg *k;
+
+	for (k = kexalgs; k->name != NULL; k++) {
+		if (ret != NULL)
+			ret[rlen++] = sep;
+		nlen = strlen(k->name);
+		if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
+			free(ret);
+			return NULL;
+		}
+		ret = tmp;
+		memcpy(ret + rlen, k->name, nlen + 1);
+		rlen += nlen;
+	}
+	return ret;
+}
+
+static const struct kexalg *
+kex_alg_by_name(const char *name)
+{
+	const struct kexalg *k;
+
+	for (k = kexalgs; k->name != NULL; k++) {
+		if (strcmp(k->name, name) == 0)
+			return k;
+	}
+	return NULL;
+}
+
+int
+kex_name_valid(const char *name)
+{
+	return kex_alg_by_name(name) != NULL;
+}
+
+u_int
+kex_type_from_name(const char *name)
+{
+	const struct kexalg *k;
+
+	if ((k = kex_alg_by_name(name)) == NULL)
+		return 0;
+	return k->type;
+}
+
+int
+kex_hash_from_name(const char *name)
+{
+	const struct kexalg *k;
+
+	if ((k = kex_alg_by_name(name)) == NULL)
+		return -1;
+	return k->hash_alg;
+}
+
+int
+kex_nid_from_name(const char *name)
+{
+	const struct kexalg *k;
+
+	if ((k = kex_alg_by_name(name)) == NULL)
+		return -1;
+	return k->ec_nid;
+}
+
+/* Validate KEX method name list */
+int
+kex_names_valid(const char *names)
+{
+	char *s, *cp, *p;
+
+	if (names == NULL || strcmp(names, "") == 0)
+		return 0;
+	if ((s = cp = strdup(names)) == NULL)
+		return 0;
+	for ((p = strsep(&cp, ",")); p && *p != '\0';
+	    (p = strsep(&cp, ","))) {
+		if (kex_alg_by_name(p) == NULL) {
+			error("Unsupported KEX algorithm \"%.100s\"", p);
+			free(s);
+			return 0;
+		}
+	}
+	debug3("kex names ok: [%s]", names);
+	free(s);
+	return 1;
+}
+
+/* returns non-zero if proposal contains any algorithm from algs */
+int
+kex_has_any_alg(const char *proposal, const char *algs)
+{
+	char *cp;
+
+	if ((cp = match_list(proposal, algs, NULL)) == NULL)
+		return 0;
+	free(cp);
+	return 1;
+}
+
+/*
+ * Concatenate algorithm names, avoiding duplicates in the process.
+ * Caller must free returned string.
+ */
+char *
+kex_names_cat(const char *a, const char *b)
+{
+	char *ret = NULL, *tmp = NULL, *cp, *p;
+	size_t len;
+
+	if (a == NULL || *a == '\0')
+		return strdup(b);
+	if (b == NULL || *b == '\0')
+		return strdup(a);
+	if (strlen(b) > 1024*1024)
+		return NULL;
+	len = strlen(a) + strlen(b) + 2;
+	if ((tmp = cp = strdup(b)) == NULL ||
+	    (ret = calloc(1, len)) == NULL) {
+		free(tmp);
+		return NULL;
+	}
+	strlcpy(ret, a, len);
+	for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
+		if (kex_has_any_alg(ret, p))
+			continue; /* Algorithm already present */
+		if (strlcat(ret, ",", len) >= len ||
+		    strlcat(ret, p, len) >= len) {
+			free(tmp);
+			free(ret);
+			return NULL; /* Shouldn't happen */
+		}
+	}
+	free(tmp);
+	return ret;
+}
+
+/*
+ * Assemble a list of algorithms from a default list and a string from a
+ * configuration file. The user-provided string may begin with '+' to
+ * indicate that it should be appended to the default, '-' that the
+ * specified names should be removed, or '^' that they should be placed
+ * at the head.
+ */
+int
+kex_assemble_names(char **listp, const char *def, const char *all)
+{
+	char *cp, *tmp, *patterns;
+	char *list = NULL, *ret = NULL, *matching = NULL, *opatterns = NULL;
+	int r = SSH_ERR_INTERNAL_ERROR;
+
+	if (listp == NULL || def == NULL || all == NULL)
+		return SSH_ERR_INVALID_ARGUMENT;
+
+	if (*listp == NULL || **listp == '\0') {
+		if ((*listp = strdup(def)) == NULL)
+			return SSH_ERR_ALLOC_FAIL;
+		return 0;
+	}
+
+	list = *listp;
+	*listp = NULL;
+	if (*list == '+') {
+		/* Append names to default list */
+		if ((tmp = kex_names_cat(def, list + 1)) == NULL) {
+			r = SSH_ERR_ALLOC_FAIL;
+			goto fail;
+		}
+		free(list);
+		list = tmp;
+	} else if (*list == '-') {
+		/* Remove names from default list */
+		if ((*listp = match_filter_denylist(def, list + 1)) == NULL) {
+			r = SSH_ERR_ALLOC_FAIL;
+			goto fail;
+		}
+		free(list);
+		/* filtering has already been done */
+		return 0;
+	} else if (*list == '^') {
+		/* Place names at head of default list */
+		if ((tmp = kex_names_cat(list + 1, def)) == NULL) {
+			r = SSH_ERR_ALLOC_FAIL;
+			goto fail;
+		}
+		free(list);
+		list = tmp;
+	} else {
+		/* Explicit list, overrides default - just use "list" as is */
+	}
+
+	/*
+	 * The supplied names may be a pattern-list. For the -list case,
+	 * the patterns are applied above. For the +list and explicit list
+	 * cases we need to do it now.
+	 */
+	ret = NULL;
+	if ((patterns = opatterns = strdup(list)) == NULL) {
+		r = SSH_ERR_ALLOC_FAIL;
+		goto fail;
+	}
+	/* Apply positive (i.e. non-negated) patterns from the list */
+	while ((cp = strsep(&patterns, ",")) != NULL) {
+		if (*cp == '!') {
+			/* negated matches are not supported here */
+			r = SSH_ERR_INVALID_ARGUMENT;
+			goto fail;
+		}
+		free(matching);
+		if ((matching = match_filter_allowlist(all, cp)) == NULL) {
+			r = SSH_ERR_ALLOC_FAIL;
+			goto fail;
+		}
+		if ((tmp = kex_names_cat(ret, matching)) == NULL) {
+			r = SSH_ERR_ALLOC_FAIL;
+			goto fail;
+		}
+		free(ret);
+		ret = tmp;
+	}
+	if (ret == NULL || *ret == '\0') {
+		/* An empty name-list is an error */
+		/* XXX better error code? */
+		r = SSH_ERR_INVALID_ARGUMENT;
+		goto fail;
+	}
+
+	/* success */
+	*listp = ret;
+	ret = NULL;
+	r = 0;
+
+ fail:
+	free(matching);
+	free(opatterns);
+	free(list);
+	free(ret);
+	return r;
+}

usr.bin/ssh/kex.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.185 2024/01/08 00:34:33 djm Exp $ */
+/* $OpenBSD: kex.c,v 1.186 2024/05/17 00:30:23 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
  *
@@ -76,244 +76,6 @@ static const char * const proposal_names[PROPOSAL_MAX] = {
 	"languages stoc",
 };
 
-struct kexalg {
-	char *name;
-	u_int type;
-	int ec_nid;
-	int hash_alg;
-};
-static const struct kexalg kexalgs[] = {
-#ifdef WITH_OPENSSL
-	{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
-	{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
-	{ KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
-	{ KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
-	{ KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 },
-	{ KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
-	{ KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
-	{ KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
-	    NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
-	{ KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1,
-	    SSH_DIGEST_SHA384 },
-	{ KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
-	    SSH_DIGEST_SHA512 },
-#endif
-	{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
-	{ KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
-	{ KEX_SNTRUP761X25519_SHA512, KEX_KEM_SNTRUP761X25519_SHA512, 0,
-	    SSH_DIGEST_SHA512 },
-	{ NULL, 0, -1, -1},
-};
-
-char *
-kex_alg_list(char sep)
-{
-	char *ret = NULL, *tmp;
-	size_t nlen, rlen = 0;
-	const struct kexalg *k;
-
-	for (k = kexalgs; k->name != NULL; k++) {
-		if (ret != NULL)
-			ret[rlen++] = sep;
-		nlen = strlen(k->name);
-		if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
-			free(ret);
-			return NULL;
-		}
-		ret = tmp;
-		memcpy(ret + rlen, k->name, nlen + 1);
-		rlen += nlen;
-	}
-	return ret;
-}
-
-static const struct kexalg *
-kex_alg_by_name(const char *name)
-{
-	const struct kexalg *k;
-
-	for (k = kexalgs; k->name != NULL; k++) {
-		if (strcmp(k->name, name) == 0)
-			return k;
-	}
-	return NULL;
-}
-
-/* Validate KEX method name list */
-int
-kex_names_valid(const char *names)
-{
-	char *s, *cp, *p;
-
-	if (names == NULL || strcmp(names, "") == 0)
-		return 0;
-	if ((s = cp = strdup(names)) == NULL)
-		return 0;
-	for ((p = strsep(&cp, ",")); p && *p != '\0';
-	    (p = strsep(&cp, ","))) {
-		if (kex_alg_by_name(p) == NULL) {
-			error("Unsupported KEX algorithm \"%.100s\"", p);
-			free(s);
-			return 0;
-		}
-	}
-	debug3("kex names ok: [%s]", names);
-	free(s);
-	return 1;
-}
-
-/* returns non-zero if proposal contains any algorithm from algs */
-static int
-has_any_alg(const char *proposal, const char *algs)
-{
-	char *cp;
-
-	if ((cp = match_list(proposal, algs, NULL)) == NULL)
-		return 0;
-	free(cp);
-	return 1;
-}
-
-/*
- * Concatenate algorithm names, avoiding duplicates in the process.
- * Caller must free returned string.
- */
-char *
-kex_names_cat(const char *a, const char *b)
-{
-	char *ret = NULL, *tmp = NULL, *cp, *p;
-	size_t len;
-
-	if (a == NULL || *a == '\0')
-		return strdup(b);
-	if (b == NULL || *b == '\0')
-		return strdup(a);
-	if (strlen(b) > 1024*1024)
-		return NULL;
-	len = strlen(a) + strlen(b) + 2;
-	if ((tmp = cp = strdup(b)) == NULL ||
-	    (ret = calloc(1, len)) == NULL) {
-		free(tmp);
-		return NULL;
-	}
-	strlcpy(ret, a, len);
-	for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
-		if (has_any_alg(ret, p))
-			continue; /* Algorithm already present */
-		if (strlcat(ret, ",", len) >= len ||
-		    strlcat(ret, p, len) >= len) {
-			free(tmp);
-			free(ret);
-			return NULL; /* Shouldn't happen */
-		}
-	}
-	free(tmp);
-	return ret;
-}
-
-/*
- * Assemble a list of algorithms from a default list and a string from a
- * configuration file. The user-provided string may begin with '+' to
- * indicate that it should be appended to the default, '-' that the
- * specified names should be removed, or '^' that they should be placed
- * at the head.
- */
-int
-kex_assemble_names(char **listp, const char *def, const char *all)
-{
-	char *cp, *tmp, *patterns;
-	char *list = NULL, *ret = NULL, *matching = NULL, *opatterns = NULL;
-	int r = SSH_ERR_INTERNAL_ERROR;
-
-	if (listp == NULL || def == NULL || all == NULL)
-		return SSH_ERR_INVALID_ARGUMENT;
-
-	if (*listp == NULL || **listp == '\0') {
-		if ((*listp = strdup(def)) == NULL)
-			return SSH_ERR_ALLOC_FAIL;
-		return 0;
-	}
-
-	list = *listp;
-	*listp = NULL;
-	if (*list == '+') {
-		/* Append names to default list */
-		if ((tmp = kex_names_cat(def, list + 1)) == NULL) {
-			r = SSH_ERR_ALLOC_FAIL;
-			goto fail;
-		}
-		free(list);
-		list = tmp;
-	} else if (*list == '-') {
-		/* Remove names from default list */
-		if ((*listp = match_filter_denylist(def, list + 1)) == NULL) {
-			r = SSH_ERR_ALLOC_FAIL;
-			goto fail;
-		}
-		free(list);
-		/* filtering has already been done */
-		return 0;
-	} else if (*list == '^') {
-		/* Place names at head of default list */
-		if ((tmp = kex_names_cat(list + 1, def)) == NULL) {
-			r = SSH_ERR_ALLOC_FAIL;
-			goto fail;
-		}
-		free(list);
-		list = tmp;
-	} else {
-		/* Explicit list, overrides default - just use "list" as is */
-	}
-
-	/*
-	 * The supplied names may be a pattern-list. For the -list case,
-	 * the patterns are applied above. For the +list and explicit list
-	 * cases we need to do it now.
-	 */
-	ret = NULL;
-	if ((patterns = opatterns = strdup(list)) == NULL) {
-		r = SSH_ERR_ALLOC_FAIL;
-		goto fail;
-	}
-	/* Apply positive (i.e. non-negated) patterns from the list */
-	while ((cp = strsep(&patterns, ",")) != NULL) {
-		if (*cp == '!') {
-			/* negated matches are not supported here */
-			r = SSH_ERR_INVALID_ARGUMENT;
-			goto fail;
-		}
-		free(matching);
-		if ((matching = match_filter_allowlist(all, cp)) == NULL) {
-			r = SSH_ERR_ALLOC_FAIL;
-			goto fail;
-		}
-		if ((tmp = kex_names_cat(ret, matching)) == NULL) {
-			r = SSH_ERR_ALLOC_FAIL;
-			goto fail;
-		}
-		free(ret);
-		ret = tmp;
-	}
-	if (ret == NULL || *ret == '\0') {
-		/* An empty name-list is an error */
-		/* XXX better error code? */
-		r = SSH_ERR_INVALID_ARGUMENT;
-		goto fail;
-	}
-
-	/* success */
-	*listp = ret;
-	ret = NULL;
-	r = 0;
-
- fail:
-	free(matching);
-	free(opatterns);
-	free(list);
-	free(ret);
-	return r;
-}
-
 /*
  * Fill out a proposal array with dynamically allocated values, which may
  * be modified as required for compatibility reasons.
@@ -512,11 +274,11 @@ kex_set_server_sig_algs(struct ssh *ssh, const char *allowed_algs)
 	    (alg = strsep(&algs, ","))) {
 		if ((sigalg = sshkey_sigalg_by_name(alg)) == NULL)
 			continue;
-		if (!has_any_alg(sigalg, sigalgs))
+		if (!kex_has_any_alg(sigalg, sigalgs))
 			continue;
 		/* Don't add an algorithm twice. */
 		if (ssh->kex->server_sig_algs != NULL &&
-		    has_any_alg(sigalg, ssh->kex->server_sig_algs))
+		    kex_has_any_alg(sigalg, ssh->kex->server_sig_algs))
 			continue;
 		xextendf(&ssh->kex->server_sig_algs, ",", "%s", sigalg);
 	}
@@ -1091,20 +853,18 @@ choose_comp(struct sshcomp *comp, char *client, char *server)
 static int
 choose_kex(struct kex *k, char *client, char *server)
 {
-	const struct kexalg *kexalg;
-
 	k->name = match_list(client, server, NULL);
 
 	debug("kex: algorithm: %s", k->name ? k->name : "(no match)");
 	if (k->name == NULL)
 		return SSH_ERR_NO_KEX_ALG_MATCH;
-	if ((kexalg = kex_alg_by_name(k->name)) == NULL) {
+	if (!kex_name_valid(k->name)) {
 		error_f("unsupported KEX method %s", k->name);
 		return SSH_ERR_INTERNAL_ERROR;
 	}
-	k->kex_type = kexalg->type;
+	k->kex_type = kex_type_from_name(k->name);
-	k->hash_alg = kexalg->hash_alg;
+	k->hash_alg = kex_hash_from_name(k->name);
-	k->ec_nid = kexalg->ec_nid;
+	k->ec_nid = kex_nid_from_name(k->name);
 	return 0;
 }
 
@@ -1154,7 +914,7 @@ proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX])
 static int
 kexalgs_contains(char **peer, const char *ext)
 {
-	return has_any_alg(peer[PROPOSAL_KEX_ALGS], ext);
+	return kex_has_any_alg(peer[PROPOSAL_KEX_ALGS], ext);
 }
 
 static int
@@ -1205,10 +965,10 @@ kex_choose_conf(struct ssh *ssh, uint32_t seq)
 
 	/* Check whether client supports rsa-sha2 algorithms */
 	if (kex->server && (kex->flags & KEX_INITIAL)) {
-		if (has_any_alg(peer[PROPOSAL_SERVER_HOST_KEY_ALGS],
+		if (kex_has_any_alg(peer[PROPOSAL_SERVER_HOST_KEY_ALGS],
 		    "rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com"))
 			kex->flags |= KEX_RSA_SHA2_256_SUPPORTED;
-		if (has_any_alg(peer[PROPOSAL_SERVER_HOST_KEY_ALGS],
+		if (kex_has_any_alg(peer[PROPOSAL_SERVER_HOST_KEY_ALGS],
 		    "rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com"))
 			kex->flags |= KEX_RSA_SHA2_512_SUPPORTED;
 	}

usr.bin/ssh/kex.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.h,v 1.122 2024/02/02 00:13:34 djm Exp $ */
+/* $OpenBSD: kex.h,v 1.123 2024/05/17 00:30:23 djm Exp $ */
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@@ -85,7 +85,7 @@ enum kex_modes {
 };
 
 enum kex_exchange {
-	KEX_DH_GRP1_SHA1,
+	KEX_DH_GRP1_SHA1 = 1,
 	KEX_DH_GRP14_SHA1,
 	KEX_DH_GRP14_SHA256,
 	KEX_DH_GRP16_SHA512,
@@ -176,9 +176,14 @@ struct kex {
 	struct sshbuf *client_pub;
 };
 
+int	 kex_name_valid(const char *);
+u_int	 kex_type_from_name(const char *);
+int	 kex_hash_from_name(const char *);
+int	 kex_nid_from_name(const char *);
 int	 kex_names_valid(const char *);
 char	*kex_alg_list(char);
 char	*kex_names_cat(const char *, const char *);
+int	 kex_has_any_alg(const char *, const char *);
 int	 kex_assemble_names(char **, const char *, const char *);
 void	 kex_proposal_populate_entries(struct ssh *, char *prop[PROPOSAL_MAX],
     const char *, const char *, const char *, const char *, const char *);

usr.bin/ssh/kexgexs.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: kexgexs.c,v 1.46 2023/03/29 01:07:48 dtucker Exp $ */
+/* $OpenBSD: kexgexs.c,v 1.47 2024/05/17 00:30:23 djm Exp $ */
 /*
  * Copyright (c) 2000 Niels Provos.  All rights reserved.
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
@@ -91,7 +91,7 @@ input_kex_dh_gex_request(int type, u_int32_t seq, struct ssh *ssh)
 	}
 
 	/* Contact privileged parent */
-	kex->dh = PRIVSEP(choose_dh(min, nbits, max));
+	kex->dh = mm_choose_dh(min, nbits, max);
 	if (kex->dh == NULL) {
 		(void)sshpkt_disconnect(ssh, "no matching DH grp found");
 		r = SSH_ERR_ALLOC_FAIL;

usr.bin/ssh/misc.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.193 2024/04/02 10:02:08 deraadt Exp $ */
+/* $OpenBSD: misc.c,v 1.195 2024/05/17 06:11:17 deraadt Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2005-2020 Damien Miller.  All rights reserved.
@@ -544,7 +544,7 @@ int
 convtime(const char *s)
 {
 	int secs, total = 0, multiplier;
-	char *p, *os, *np, c;
+	char *p, *os, *np, c = 0;
 	const char *errstr;
 
 	if (s == NULL || *s == '\0')
@@ -1909,6 +1909,19 @@ forward_equals(const struct Forward *a, const struct Forward *b)
 	return 1;
 }
 
+/* returns port number, FWD_PERMIT_ANY_PORT or -1 on error */
+int
+permitopen_port(const char *p)
+{
+	int port;
+
+	if (strcmp(p, "*") == 0)
+		return FWD_PERMIT_ANY_PORT;
+	if ((port = a2port(p)) > 0)
+		return port;
+	return -1;
+}
+
 /* returns 1 if process is already daemonized, 0 otherwise */
 int
 daemonized(void)