sync code with last improvements from OpenBSD

distrib/miniroot/install.sub

@@ -1,5 +1,5 @@
 #!/bin/ksh
-#	$OpenBSD: install.sub,v 1.1253 2023/08/10 17:09:34 kn Exp $
+#	$OpenBSD: install.sub,v 1.1255 2023/08/21 14:33:55 kn Exp $
 #
 # Copyright (c) 1997-2015 Todd Miller, Theo de Raadt, Ken Westerback
 # Copyright (c) 2015, Robert Peichaer <rpe@openbsd.org>
@@ -3078,7 +3078,7 @@ do_autoinstall() {
 }
 
 encrypt_root() {
-	local _chunk _tries=0
+	local _chunk=$ROOTDISK
 
 	[[ $MDBOOTSR == y ]] || return
 
@@ -3093,17 +3093,11 @@ encrypt_root() {
 
 	ask_yn 'Encrypt the root disk with a passphrase?' || return
 
-	_chunk=$ROOTDISK
 	echo "\nConfiguring the crypto chunk $_chunk...\n"
-
-	make_dev $_chunk
 	md_prep_fdisk $_chunk
 	echo 'RAID *' | disklabel -w -A -T- $_chunk
 
-	until bioctl -Cforce -cC -l${_chunk}a softraid0 >/dev/null; do
-		# Most likely botched passphrases, silently retry twice.
-		((++_tries < 3)) || exit
-	done
+	bioctl -Cforce -cC -l${_chunk}a softraid0 >/dev/null
 
 	# No volumes existed before asking, but we just created one.
 	ROOTDISK=$(get_softraid_volumes)

lib/libcrypto/ec/ec_ameth.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_ameth.c,v 1.42 2023/08/12 08:07:35 tb Exp $ */
+/* $OpenBSD: ec_ameth.c,v 1.43 2023/08/21 09:52:30 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -75,6 +75,17 @@ static int ecdh_cms_decrypt(CMS_RecipientInfo *ri);
 static int ecdh_cms_encrypt(CMS_RecipientInfo *ri);
 #endif
 
+static void
+eckey_param_free(int ptype, void *pval)
+{
+	if (pval == NULL)
+		return;
+	if (ptype == V_ASN1_OBJECT)
+		ASN1_OBJECT_free(pval);		/* XXX - really necessary? */
+	else
+		ASN1_STRING_free(pval);
+}
+
 static int
 eckey_param2type(int *pptype, void **ppval, EC_KEY *ec_key)
 {
@@ -110,36 +121,37 @@ eckey_param2type(int *pptype, void **ppval, EC_KEY *ec_key)
 static int
 eckey_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
 {
-	EC_KEY *ec_key = pkey->pkey.ec;
+	EC_KEY *eckey = pkey->pkey.ec;
+	int ptype = V_ASN1_UNDEF;
 	void *pval = NULL;
-	int ptype;
-	unsigned char *penc = NULL, *p;
-	int penclen;
+	ASN1_OBJECT *aobj;
+	unsigned char *key = NULL;
+	int key_len = 0;
+	int ret = 0;
 
-	if (!eckey_param2type(&ptype, &pval, ec_key)) {
+	if (!eckey_param2type(&ptype, &pval, eckey)) {
 		ECerror(ERR_R_EC_LIB);
-		return 0;
+		goto err;
 	}
-	penclen = i2o_ECPublicKey(ec_key, NULL);
-	if (penclen <= 0)
+	if ((key_len = i2o_ECPublicKey(eckey, &key)) <= 0) {
+		key_len = 0;
 		goto err;
-	penc = malloc(penclen);
-	if (!penc)
+	}
+	if ((aobj = OBJ_nid2obj(EVP_PKEY_EC)) == NULL)
 		goto err;
-	p = penc;
-	penclen = i2o_ECPublicKey(ec_key, &p);
-	if (penclen <= 0)
+	if (!X509_PUBKEY_set0_param(pk, aobj, ptype, pval, key, key_len))
 		goto err;
-	if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_EC),
-		ptype, pval, penc, penclen))
-		return 1;
+	pval = NULL;
+	key = NULL;
+	key_len = 0;
+
+	ret = 1;
+
  err:
-	if (ptype == V_ASN1_OBJECT)
-		ASN1_OBJECT_free(pval);
-	else
-		ASN1_STRING_free(pval);
-	free(penc);
-	return 0;
+	eckey_param_free(ptype, pval);
+	freezero(key, key_len);
+
+	return ret;
 }
 
 static EC_KEY *
@@ -308,54 +320,47 @@ eckey_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
 static int
 eckey_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
 {
-	EC_KEY *ec_key;
-	unsigned char *ep, *p;
-	int eplen, ptype;
-	void *pval;
-	unsigned int tmp_flags, old_flags;
+	EC_KEY *eckey = pkey->pkey.ec;
+	void *pval = NULL;
+	int ptype = V_ASN1_UNDEF;
+	ASN1_OBJECT *aobj;
+	unsigned char *key = NULL;
+	int key_len = 0;
+	unsigned int flags;
+	int ret = 0;
 
-	ec_key = pkey->pkey.ec;
+	flags = EC_KEY_get_enc_flags(eckey);
 
-	if (!eckey_param2type(&ptype, &pval, ec_key)) {
+	if (!eckey_param2type(&ptype, &pval, eckey)) {
 		ECerror(EC_R_DECODE_ERROR);
-		return 0;
+		goto err;
 	}
-	/* set the private key */
 
-	/*
-	 * do not include the parameters in the SEC1 private key see PKCS#11
-	 * 12.11
-	 */
-	old_flags = EC_KEY_get_enc_flags(ec_key);
-	tmp_flags = old_flags | EC_PKEY_NO_PARAMETERS;
-	EC_KEY_set_enc_flags(ec_key, tmp_flags);
-	eplen = i2d_ECPrivateKey(ec_key, NULL);
-	if (!eplen) {
-		EC_KEY_set_enc_flags(ec_key, old_flags);
+	/* PKCS#11 12.11: don't include parameters in the SEC1 private key. */
+	EC_KEY_set_enc_flags(eckey, flags | EC_PKEY_NO_PARAMETERS);
+
+	if ((key_len = i2d_ECPrivateKey(eckey, &key)) <= 0) {
 		ECerror(ERR_R_EC_LIB);
-		return 0;
+		key_len = 0;
+		goto err;
 	}
-	ep = malloc(eplen);
-	if (!ep) {
-		EC_KEY_set_enc_flags(ec_key, old_flags);
-		ECerror(ERR_R_MALLOC_FAILURE);
-		return 0;
-	}
-	p = ep;
-	if (!i2d_ECPrivateKey(ec_key, &p)) {
-		EC_KEY_set_enc_flags(ec_key, old_flags);
-		free(ep);
-		ECerror(ERR_R_EC_LIB);
-		return 0;
-	}
-	/* restore old encoding flags */
-	EC_KEY_set_enc_flags(ec_key, old_flags);
+	if ((aobj = OBJ_nid2obj(NID_X9_62_id_ecPublicKey)) == NULL)
+		goto err;
+	if (!PKCS8_pkey_set0(p8, aobj, 0, ptype, pval, key, key_len))
+		goto err;
+	pval = NULL;
+	key = NULL;
+	key_len = 0;
 
-	if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_X9_62_id_ecPublicKey), 0,
-		ptype, pval, ep, eplen))
-		return 0;
+	ret = 1;
 
-	return 1;
+ err:
+	eckey_param_free(ptype, pval);
+	freezero(key, key_len);
+
+	EC_KEY_set_enc_flags(eckey, flags);
+
+	return ret;
 }
 
 static int

lib/libcrypto/man/EVP_chacha20.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_chacha20.3,v 1.2 2023/08/16 13:47:18 schwarze Exp $
+.\" $OpenBSD: EVP_chacha20.3,v 1.3 2023/08/21 03:26:42 jsg Exp $
 .\" full merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 16 2023 $
+.Dd $Mdocdate: August 21 2023 $
 .Dt EVP_CHACHA20 3
 .Os
 .Sh NAME
@@ -157,7 +157,7 @@ It is strongly recommended to specify
 .Fa arg
 as exactly 16.
 Otherwise, only the initial part of the tag may be compared
-and mismatches near the end of the tag may get silently irgnored.
+and mismatches near the end of the tag may get silently ignored.
 This control operation fails if the
 .Fa ctx
 is configured for encryption or if
@@ -204,7 +204,7 @@ is less than 1 or greater than 16.
 .It Dv EVP_CTRL_INIT
 Set the length of the initialization vector to the default value
 of 12 bytes and clear the Poly1305 internal state.
-The application program usually does not need to invoke this contol
+The application program usually does not need to invoke this control
 operation manually because it is automatically called internally by
 .Xr EVP_EncryptInit_ex 3 ,
 .Xr EVP_DecryptInit_ex 3 ,

regress/sbin/bioctl/Makefile

@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.1 2023/08/20 23:19:00 kn Exp $
+#	$OpenBSD: Makefile,v 1.2 2023/08/21 05:10:25 anton Exp $
 
 BIOCTL ?=		/sbin/bioctl
 
@@ -9,17 +9,17 @@ VOLDEVFILE =		vol.txt
 OLDPW =			oldsecret
 NEWPW =			securenew
 
-
 REGRESS_SETUP_ONCE =	create-chunk
 
 create-chunk:
-	dd if=/dev/zero  of=${CHUNKFILE} bs=512k count=0 seek=1 status=none
+	dd if=/dev/zero of=${CHUNKFILE} bs=512k count=0 seek=1 status=none
 	${SUDO} vnconfig -- ${CHUNKFILE} 1>${CHUNKDEVFILE}
 	echo 'RAID *' | ${SUDO} disklabel -wAT- -- "$$(<${CHUNKDEVFILE})"
 
 
 REGRESS_TARGETS =		scripted-create-volume \
 				scripted-change-passphrase
+REGRESS_ROOT_TARGETS =		${REGRESS_TARGETS}
 
 scripted-create-volume:
 	printf '%s\n' '${OLDPW}' | \

regress/usr.sbin/installboot/Makefile

@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.39 2023/08/20 22:38:49 kn Exp $
+#	$OpenBSD: Makefile,v 1.40 2023/08/21 14:25:22 kn Exp $
 
 INSTALLBOOT ?=		/usr/sbin/installboot
 DRY_RUN =		${INSTALLBOOT} -n
@@ -103,11 +103,13 @@ REGRESS_TARGETS =	prepare
 prepare:
 	${SUDO} ${REAL_RUN} -p -- "$$(<${ROOTDEVFILE})"
 
-REGRESS_TARGETS +=	dry-prepare \
+SUCCESS_TESTS +=	dry-prepare \
 			dry-default \
 			dry-root \
 			root \
 			root-stages
+REGRESS_TARGETS +=	${SUCCESS_TESTS}
+REGRESS_ROOT_TARGETS +=	${SUCCESS_TESTS}
 
 dry-prepare:
 	${SUDO} ${DRY_RUN} -p -- "$$(<${ROOTDEVFILE})"
@@ -122,12 +124,14 @@ root-stages:
 	${SUDO} ${REAL_RUN} -- "$$(<${ROOTDEVFILE})" ${STAGEFILES}
 
 
-REGRESS_EXPECTED_FAILURES =	dry-prepare-root \
+FAILURE_TESTS =			dry-prepare-root \
 				dry-prepare-stages \
 				dry-nodisk-stages \
 				dry-toofew \
 				dry-toomany
-REGRESS_TARGETS +=		${REGRESS_EXPECTED_FAILURES}
+REGRESS_EXPECTED_FAILURES +=	${FAILURE_TESTS}
+REGRESS_TARGETS +=		${FAILURE_TESTS}
+REGRESS_ROOT_TARGETS +=		dry-nodisk-stages
 
 dry-prepare-root:
 	${DRY_RUN} -p -r/ -- "$$(<${ROOTDEVFILE})" 2>/dev/null

sbin/bioctl/bioctl.8

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: bioctl.8,v 1.112 2023/08/18 14:09:19 kn Exp $
+.\"	$OpenBSD: bioctl.8,v 1.113 2023/08/21 08:33:11 kn Exp $
 .\"
 .\" Copyright (c) 2004, 2005 Marco Peereboom
 .\"
@@ -23,7 +23,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 18 2023 $
+.Dd $Mdocdate: August 21 2023 $
 .Dt BIOCTL 8
 .Os
 .Sh NAME
@@ -288,10 +288,11 @@ is specified as "auto", the number of rounds will be automatically determined
 based on system performance.
 Otherwise the minimum is 4 rounds and the default is 16.
 .It Fl s
-Omit prompts and read passphrases without confirmation from
+Read passphrases from
 .Pa /dev/stdin
 rather than
-.Pa /dev/tty .
+.Pa /dev/tty ,
+without prompts, confirmation or retry on mismatch.
 .El
 .Sh EXAMPLES
 Configure a new

sbin/bioctl/bioctl.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: bioctl.c,v 1.152 2023/08/18 14:09:19 kn Exp $ */
+/* $OpenBSD: bioctl.c,v 1.154 2023/08/21 08:33:11 kn Exp $ */
 
 /*
  * Copyright (c) 2004, 2005 Marco Peereboom
@@ -376,7 +376,8 @@ bio_status(struct bio_status *bs)
 		prefix = __progname;
 
 	for (i = 0; i < bs->bs_msg_count; i++)
-		printf("%s: %s\n", prefix, bs->bs_msgs[i].bm_msg);
+		fprintf(bs->bs_msgs[i].bm_type == BIO_MSG_INFO ?
+		    stdout : stderr, "%s: %s\n", prefix, bs->bs_msgs[i].bm_msg);
 
 	if (bs->bs_status == BIO_STATUS_ERROR) {
 		if (bs->bs_msg_count == 0)
@@ -1354,6 +1355,7 @@ derive_key(u_int32_t type, int rounds, u_int8_t *key, size_t keysz,
 	} else {
 		rpp_flag |= interactive ? RPP_REQUIRE_TTY : RPP_STDIN;
 
+ retry:
 		if (readpassphrase(prompt, passphrase, sizeof(passphrase),
 		    rpp_flag) == NULL)
 			err(1, "unable to read passphrase");
@@ -1370,6 +1372,10 @@ derive_key(u_int32_t type, int rounds, u_int8_t *key, size_t keysz,
 		    (strcmp(passphrase, verifybuf) != 0)) {
 			explicit_bzero(passphrase, sizeof(passphrase));
 			explicit_bzero(verifybuf, sizeof(verifybuf));
+			if (interactive) {
+				warnx("Passphrases did not match, try again");
+				goto retry;
+			}
 			errx(1, "Passphrases did not match");
 		}
 		/* forget the re-typed one */

share/man/man5/bsd.port.mk.5

@@ -1,4 +1,4 @@
-.\" $OpenBSD: bsd.port.mk.5,v 1.579 2023/08/08 12:46:56 espie Exp $
+.\" $OpenBSD: bsd.port.mk.5,v 1.581 2023/08/21 12:54:04 espie Exp $
 .\"
 .\" Copyright (c) 2000-2008 Marc Espie
 .\"
@@ -24,7 +24,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 8 2023 $
+.Dd $Mdocdate: August 21 2023 $
 .Dt BSD.PORT.MK 5
 .Os
 .Sh NAME
@@ -153,7 +153,7 @@ Check that patches would apply cleanly, but do not modify anything.
 Compute a
 .Xr sha256 1
 digest
-of ${CHECKSUMFILES} (files listed in DISTFILES and PATCHFILES) and
+of ${CHECKSUMFILES} (files listed in DISTFILES* and PATCHFILES*) and
 check it against ${CHECKSUM_FILE}, normally
 .Pa distinfo .
 In case of a mismatch, running
@@ -286,12 +286,12 @@ See
 .Cm print-package-args .
 .It Cm fetch
 Fetch the list of files in
-.Ev DISTFILES
+.Ev DISTFILES*
 and
-.Ev PATCHFILES
+.Ev PATCHFILES*
 using ${FETCH_CMD}.
 Files are normally retrieved from the list of sites in
-.Ev MASTER_SITES .
+.Ev MASTER_SITES* .
 .Pp
 Appending
 .Sq :0
@@ -303,6 +303,19 @@ ${FETCH_CMD} retrieve from
 to
 .Ev MASTER_SITES9
 instead.
+.Pp
+Preferably, adding a suffix to
+.Ev DISTFILES ,
+.Ev PATCHFILES ,
+.Ev SUPDISTFILES
+will switch the site entry to the corresponding
+.Ev MASTER_SITES
+variable, e.g.,
+.Bd -literal -offset indent
+DISTFILES.go = ...
+MASTER_SITES.go = ...
+.Ed
+.Pp
 If the rest of the entry parses as
 .Sq Ar filename Ns { Ns Ar url Ns } Ns Ar sufx
 ${FETCH_CMD} will fetch
@@ -332,24 +345,23 @@ hooks is forbidden, as this would make mirroring of distfiles very complicated.
 See
 .Ev CHECKSUMFILES ,
 .Ev DISTDIR ,
-.Ev DISTFILES ,
+.Ev DISTFILES* ,
 .Ev DIST_SUBDIR ,
 .Ev FETCH_CMD ,
 .Ev FETCH_MANUALLY ,
-.Ev FETCH_SYMLINK_DISTFILES ,
 .Ev FULLDISTDIR ,
 .Ev MAKESUMFILES ,
-.Ev MASTER_SITES ,
+.Ev MASTER_SITES* ,
 .Ev MASTER_SITES0 , ... ,
 .Ev MASTER_SITES9 ,
-.Ev PATCHFILES ,
-.Ev SUPDISTFILES ,
+.Ev PATCHFILES* ,
+.Ev SUPDISTFILES* ,
 .Ev REFETCH .
 .It Cm fetch-all
 Like
 .Cm fetch ,
 but also fetches
-.Ev SUPDISTFILES ,
+.Ev SUPDISTFILES* ,
 for use with e.g.,
 .Cm makesum .
 .It Cm fix-permissions
@@ -458,7 +470,7 @@ for details.
 Run
 .Xr sha256 1
 on ${MAKESUMFILES}
-that is, files listed in ${DISTFILES}, ${SUPDISTFILES} and ${PATCHFILES},
+that is, files listed in ${DISTFILES*}, ${SUPDISTFILES*} and ${PATCHFILES*},
 and store the result in ${CHECKSUM_FILE}, normally
 .Pa distinfo .
 Also store the lengths of all files for a quick check during
@@ -1547,10 +1559,10 @@ Always use
 to refer to ports' distribution files location, as it takes an eventual
 .Ev DIST_SUBDIR
 into account.
-.It Ev DISTFILES
+.It Ev DISTFILES*
 The main port's distribution files (the actual software source, except
 for binary-only ports).
-Will be retrieved from the MASTER_SITES (see
+Will be retrieved from the corresponding MASTER_SITES* (see
 .Cm fetch ) ,
 checksummed and extracted (see
 .Cm checksum ,
@@ -1563,6 +1575,16 @@ to
 appended to select a different
 .Ev MASTER_SITES .
 .Pp
+Preferably, adding a suffix to
+.Ev DISTFILES ,
+will switch the site entry to the corresponding
+.Ev MASTER_SITES
+variable, e.g.,
+.Bd -literal -offset indent
+DISTFILES.go = ...
+MASTER_SITES.go = ...
+.Ed
+.Pp
 Each entry may optionally be of the form
 .Sq Ar filename Ns { Ns Ar url Ns } Ns Ar sufx
 to deal with sites that only offer archives as weird urls, doing the transfer
@@ -1582,17 +1604,17 @@ will retrieve from url
 into
 .Sq minetest-${V}${EXTRACT_SUFX} .
 .Pp
-If ${DISTFILES} varies depending on
+If ${DISTFILES*} varies depending on
 .Ev FLAVORS
 or architecture, use
-.Ev SUPDISTFILES
+.Ev SUPDISTFILES*
 to ensure distfiles mirroring and
 .Cm makesum
 proper operation.
 .It Ev DISTNAME
 Name used to identify the port.
 See
-.Ev DISTFILES
+.Ev DISTFILES*
 and
 .Ev PKGNAME .
 .It Ev DISTORIG
@@ -1748,6 +1770,12 @@ Used to set DISTFILES default value to ${DISTNAME}${EXTRACT_SUFX}.
 The decompression tool needed will be automatically added as
 .Ev BUILD_DEPENDS .
 Default value is .tar.gz.
+.Pp
+Note that
+.Ev DISTFILES
+will only be set in the absence of
+.Ev DISTFILES.sufx
+as well.
 .It Ev EXTRACT_FILES
 Set to the list of files to actually extract from distfiles.
 Its content is subject to shell evaluation as part of
@@ -1912,8 +1940,8 @@ the
 target will also update installed packages even when the signature
 did not change.
 .It Ev FULLDISTDIR
-Complete path to directory where ${DISTFILES} and ${PATCHFILES} will be
-located, to be used in hand-crafted extraction targets.
+Complete path to directory where ${DISTFILES*} ${SUPDISTFILES*} and
+${PATCHFILES*} will be located, to be used in hand-crafted extraction targets.
 Read-only.
 .It Ev FULLPKGNAME
 Full name of the created package, taking flavors into account.
@@ -1944,7 +1972,7 @@ Set by
 .Nm
 to the generated name of the distribution file.
 This can be useful for ports listing multiple
-.Ev DISTFILES .
+.Ev DISTFILES* .
 .It Ev GH_PROJECT
 Name of the project on GitHub.
 .It Ev GH_TAGNAME
@@ -2205,6 +2233,16 @@ see
 See
 .Xr ports 7
 for user configuration.
+.It Ev MASTER_SITES*
+List of alternate locations from which ${DISTFILES*}, ${PATCHFILES*},
+${SUPDISTFILES*} are retrieved.
+See
+.Cm fetch
+for details.
+Suffix should start with
+.Sq \&.
+for consistency.
+.Pp
 .It Ev MASTER_SITES0 , ... , MASTER_SITES9
 Supplementary locations from which distribution files and patchfiles are
 retrieved.
@@ -2416,7 +2454,7 @@ to re-generate
 by looking for files using this suffix.
 Defaults to
 .Pa .orig.port .
-In the unlikely event that one of the ${DISTFILES} already contains
+In the unlikely event that one of the ${DISTFILES*} already contains
 .Pa .orig.port
 files, set this to something else, such as
 .Pa .orig.obsdport .
@@ -2427,7 +2465,7 @@ See also
 In the normal
 .Cm distpatch
 stage (when
-.Ev PATCHFILES
+.Ev PATCHFILES*
 is not empty), this is the contents of a case statement, used to apply
 distribution patches.
 Fragments are automatically appended to handle gzip'ed, bzip'ed and lzip'ed
@@ -2456,15 +2494,15 @@ Location for patches applied by the
 target.
 Default:
 .Pa patches .
-.It Ev PATCHFILES
+.It Ev PATCHFILES*
 Files to fetch from the master sites like
-.Ev DISTFILES ,
+.Ev DISTFILES* ,
 but serving a different purpose, as they hold distribution patches that
 will be applied at the
 .Cm patch
 stage.
 See also
-.Ev SUPDISTFILES .
+.Ev SUPDISTFILES* .
 .It Ev PATCH_ARGS
 Full list of options used while applying port's patches.
 .It Ev PATCH_CHECK_ONLY
@@ -3150,23 +3188,25 @@ in
 .Xr mk.conf 5 ,
 the ports tree will only invoke root's privileges for the parts that
 really require it.
-.It Ev SUPDISTFILES
+.It Ev SUPDISTFILES*
 Supplementary files that need to be retrieved under some specific
 circumstances.
 For instance, a port might need architecture-specific files.
-.Ev SUPDISTFILES
+.Ev SUPDISTFILES*
 should hold a list of all distribution files and patchfiles that are not
 always needed, so that a mirror will be able to grab all files, or that
 .Cm makesum
 will work.
 Having an overlap between
-.Ev SUPDISTFILES
+.Ev SUPDISTFILES*
 and
-.Ev DISTFILES ,
-.Ev PATCHFILES
+.Ev DISTFILES* ,
+.Ev PATCHFILES*
 is admissible, and in fact, expected, as it is much simpler to build
 an error-free list of files to retrieve in that way.
-See the xanim port for an example.
+See the
+.Pa devel/jdk/1.8
+port for an example.
 .It Ev SYSCONFDIR
 Location for this port's configuration files, should always be derived
 from
@@ -4084,7 +4124,7 @@ Holds the output of
 .Xr cksum 1 ,
 using
 .Xr sha256 1
-for the port's ${DISTFILES} and ${PATCHFILES},
+for the port's ${DISTFILES*}, ${SUPDISFILES*} and ${PATCHFILES*},
 as well as the sizes of these files.
 .It Pa ${DISTDIR}/${CHECKSUMFILES}
 Cache of normal distribution files for a given port.
@@ -4245,7 +4285,7 @@ resulting in a double inclusion.
 This would lead to weird results, such as
 .Ev PKG_ARGS
 being defined twice.
-.It "Fatal: MASTER_SITESn is not defined but referenced by <file> in <DISTFILES/PATCHFILES/SUPDISTFILES>"
+.It "Fatal: MASTER_SITES* is not defined but referenced by <file> in <DISTFILES*/PATCHFILES*/SUPDISTFILES*>"
 Pretty much self-explanatory.
 .It "Fatal: SUBPACKAGES should always begin with -: <offending list>"
 That is the only way to differentiate between

usr.bin/ssh/serverloop.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.236 2023/03/08 04:43:12 guenther Exp $ */
+/* $OpenBSD: serverloop.c,v 1.237 2023/08/21 04:59:54 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -247,7 +247,7 @@ wait_until_can_do_something(struct ssh *ssh,
 	/* ClientAliveInterval probing */
 	if (client_alive_scheduled) {
 		if (ret == 0 &&
-		    now > last_client_time + options.client_alive_interval) {
+		    now >= last_client_time + options.client_alive_interval) {
 			/* ppoll timed out and we're due to probe */
 			client_alive_check(ssh);
 			last_client_time = now;

usr.bin/ssh/sshkey.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.137 2023/07/27 22:23:05 djm Exp $ */
+/* $OpenBSD: sshkey.c,v 1.138 2023/08/21 04:36:46 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Alexander von Gernler.  All rights reserved.
@@ -38,6 +38,7 @@
 
 #include <errno.h>
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 #include <util.h>
 #include <limits.h>

usr.bin/whois/whois.1

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: whois.1,v 1.37 2022/02/18 10:24:33 jsg Exp $
+.\"	$OpenBSD: whois.1,v 1.38 2023/08/21 11:12:28 jsg Exp $
 .\"	$NetBSD: whois.1,v 1.5 1995/08/31 21:51:32 jtc Exp $
 .\"
 .\" Copyright (c) 1985, 1990, 1993
@@ -30,7 +30,7 @@
 .\"
 .\"     @(#)whois.1	8.2 (Berkeley) 6/20/94
 .\"
-.Dd $Mdocdate: February 18 2022 $
+.Dd $Mdocdate: August 21 2023 $
 .Dt WHOIS 1
 .Os
 .Sh NAME
@@ -309,4 +309,4 @@ on port
 The
 .Nm
 command appeared in
-.Bx 4.3 .
+.Bx 4.1c .