From efaa6fdefbabfbc20013e41e408457015d5476ee Mon Sep 17 00:00:00 2001 From: purplerain Date: Wed, 19 Jun 2024 19:56:02 +0000 Subject: [PATCH] sync with OpenBSD -current --- bin/test/test.1 | 13 +-- bin/test/test.c | 4 +- lib/libcrypto/x509/x509_bitst.c | 6 +- lib/libcrypto/x509/x509_conf.c | 107 +++++++++--------- lib/libcrypto/x509/x509_utl.c | 4 +- lib/libcrypto/x509/x_all.c | 42 ++++--- regress/usr.bin/ssh/dropbear-ciphers.sh | 16 ++- regress/usr.bin/ssh/dropbear-kex.sh | 14 +-- regress/usr.bin/ssh/test-exec.sh | 24 +++- sbin/dhcp6leased/engine.c | 26 +---- sbin/dhcp6leased/frontend.c | 70 +----------- sbin/iked/ca.c | 20 ++-- sys/arch/amd64/amd64/hibernate_machdep.c | 3 +- sys/arch/i386/i386/hibernate_machdep.c | 3 +- sys/arch/i386/include/cpu.h | 3 +- sys/arch/i386/include/pmap.h | 3 +- sys/dev/ata/ata_wdc.c | 22 +--- sys/dev/ic/wdcvar.h | 5 +- .../drm/amd/pm/swsmu/smu13/smu_v13_0_6_ppt.c | 2 +- sys/uvm/uvm_map.h | 6 +- usr.sbin/acme-client/main.c | 5 +- usr.sbin/acme-client/util.c | 25 +--- usr.sbin/sysupgrade/sysupgrade.sh | 15 ++- 23 files changed, 168 insertions(+), 270 deletions(-) diff --git a/bin/test/test.1 b/bin/test/test.1 index 2371acdda..46c182b0f 100644 --- a/bin/test/test.1 +++ b/bin/test/test.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: test.1,v 1.34 2023/06/10 07:19:39 op Exp $ +.\" $OpenBSD: test.1,v 1.35 2024/06/18 16:41:39 schwarze Exp $ .\" $NetBSD: test.1,v 1.6 1995/03/21 07:04:03 cgd Exp $ .\" .\" Copyright (c) 1991, 1993 @@ -33,7 +33,7 @@ .\" .\" @(#)test.1 8.1 (Berkeley) 5/31/93 .\" -.Dd $Mdocdate: June 10 2023 $ +.Dd $Mdocdate: June 18 2024 $ .Dt TEST 1 .Os .Sh NAME @@ -110,6 +110,8 @@ is set. True if .Ar file exists and is a symbolic link. +Identical to +.Fl L . .It Fl k Ar file True if .Ar file 
@@ -118,11 +120,8 @@ exists and its sticky bit is set. True if .Ar file exists and is a symbolic link. -This operator is for compatibility purposes. -Do not rely on its existence; -use -.Fl h -instead. +Identical to +.Fl h . .It Fl n Ar string True if the length of .Ar string diff --git a/bin/test/test.c b/bin/test/test.c index bb49356ec..575664557 100644 --- a/bin/test/test.c +++ b/bin/test/test.c @@ -1,4 +1,4 @@ -/* $OpenBSD: test.c,v 1.20 2022/10/11 13:40:38 jsg Exp $ */ +/* $OpenBSD: test.c,v 1.21 2024/06/18 16:41:39 schwarze Exp $ */ /* $NetBSD: test.c,v 1.15 1995/03/21 07:04:06 cgd Exp $ */ /* @@ -110,7 +110,7 @@ struct t_op { {"-t", FILTT, UNOP}, {"-z", STREZ, UNOP}, {"-n", STRNZ, UNOP}, - {"-h", FILSYM, UNOP}, /* for backwards compat */ + {"-h", FILSYM, UNOP}, {"-O", FILUID, UNOP}, {"-G", FILGID, UNOP}, {"-L", FILSYM, UNOP}, diff --git a/lib/libcrypto/x509/x509_bitst.c b/lib/libcrypto/x509/x509_bitst.c index 97c630d8b..4c36d31b0 100644 --- a/lib/libcrypto/x509/x509_bitst.c +++ b/lib/libcrypto/x509/x509_bitst.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_bitst.c,v 1.4 2023/04/21 06:11:56 tb Exp $ */ +/* $OpenBSD: x509_bitst.c,v 1.5 2024/06/18 08:29:40 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -157,7 +157,7 @@ STACK_OF(CONF_VALUE) * i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, ASN1_BIT_STRING *bits, STACK_OF(CONF_VALUE) *ret) { - BIT_STRING_BITNAME *bnam; + const BIT_STRING_BITNAME *bnam; STACK_OF(CONF_VALUE) *free_ret = NULL; if (ret == NULL) { @@ -188,7 +188,7 @@ v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, CONF_VALUE *val; ASN1_BIT_STRING *bs; int i; - BIT_STRING_BITNAME *bnam; + const BIT_STRING_BITNAME *bnam; if (!(bs = ASN1_BIT_STRING_new())) { X509V3error(ERR_R_MALLOC_FAILURE); diff --git a/lib/libcrypto/x509/x509_conf.c b/lib/libcrypto/x509/x509_conf.c index 189bf6440..a9e5076dc 100644 --- a/lib/libcrypto/x509/x509_conf.c +++ b/lib/libcrypto/x509/x509_conf.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: x509_conf.c,v 1.5 2023/02/16 08:38:17 tb Exp $ */ +/* $OpenBSD: x509_conf.c,v 1.17 2024/06/18 09:47:03 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -70,7 +70,7 @@ static int v3_check_critical(const char **value); static int v3_check_generic(const char **value); -static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid, +static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int nid, int crit, const char *value); static X509_EXTENSION *v3_generic_extension(const char *ext, const char *value, int crit, int type, X509V3_CTX *ctx); @@ -78,8 +78,8 @@ static char *conf_lhash_get_string(void *db, const char *section, const char *value); static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, const char *section); -static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid, - int crit, void *ext_struc); +static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int nid, + int crit, void *ext_struct); static unsigned char *generic_asn1(const char *value, X509V3_CTX *ctx, long *ext_len); @@ -109,7 +109,7 @@ LCRYPTO_ALIAS(X509V3_EXT_nconf); /* CONF *conf: Config file */ /* char *value: Value */ X509_EXTENSION * -X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid, +X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int nid, const char *value) { int crit; 
@@ -117,27 +117,27 @@ X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid, crit = v3_check_critical(&value); if ((ext_type = v3_check_generic(&value))) - return v3_generic_extension(OBJ_nid2sn(ext_nid), + return v3_generic_extension(OBJ_nid2sn(nid), value, crit, ext_type, ctx); - return do_ext_nconf(conf, ctx, ext_nid, crit, value); + return do_ext_nconf(conf, ctx, nid, crit, value); } LCRYPTO_ALIAS(X509V3_EXT_nconf_nid); /* CONF *conf: Config file */ /* char *value: Value */ static X509_EXTENSION * -do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid, int crit, +do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int nid, int crit, const char *value) { const X509V3_EXT_METHOD *method; X509_EXTENSION *ext; - void *ext_struc; + void *ext_struct; - if (ext_nid == NID_undef) { + if (nid == NID_undef) { X509V3error(X509V3_R_UNKNOWN_EXTENSION_NAME); return NULL; } - if (!(method = X509V3_EXT_get_nid(ext_nid))) { + if (!(method = X509V3_EXT_get_nid(nid))) { X509V3error(X509V3_R_UNKNOWN_EXTENSION); return NULL; } 
@@ -152,93 +152,97 @@ do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid, int crit, if (sk_CONF_VALUE_num(nval) <= 0) { X509V3error(X509V3_R_INVALID_EXTENSION_STRING); ERR_asprintf_error_data("name=%s,section=%s", - OBJ_nid2sn(ext_nid), value); + OBJ_nid2sn(nid), value); if (*value != '@') sk_CONF_VALUE_pop_free(nval, X509V3_conf_free); return NULL; } - ext_struc = method->v2i(method, ctx, nval); + ext_struct = method->v2i(method, ctx, nval); if (*value != '@') sk_CONF_VALUE_pop_free(nval, X509V3_conf_free); } else if (method->s2i) { - ext_struc = method->s2i(method, ctx, value); + ext_struct = method->s2i(method, ctx, value); } else if (method->r2i) { if (!ctx->db || !ctx->db_meth) { X509V3error(X509V3_R_NO_CONFIG_DATABASE); return NULL; } - ext_struc = method->r2i(method, ctx, value); + ext_struct = method->r2i(method, ctx, value); } else { X509V3error(X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED); - ERR_asprintf_error_data("name=%s", OBJ_nid2sn(ext_nid)); + ERR_asprintf_error_data("name=%s", OBJ_nid2sn(nid)); return NULL; } - if (ext_struc == NULL) + if (ext_struct == NULL) return NULL; - ext = do_ext_i2d(method, ext_nid, crit, ext_struc); + ext = do_ext_i2d(method, nid, crit, ext_struct); if (method->it) - ASN1_item_free(ext_struc, method->it); + ASN1_item_free(ext_struct, method->it); else - method->ext_free(ext_struc); + method->ext_free(ext_struct); return ext; } static X509_EXTENSION * -do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid, int crit, - void *ext_struc) +do_ext_i2d(const X509V3_EXT_METHOD *method, int nid, int crit, + void *ext_struct) { - unsigned char *ext_der; + unsigned char *ext_der = NULL; int ext_len; ASN1_OCTET_STRING *ext_oct = NULL; X509_EXTENSION *ext; /* Convert internal representation to DER */ - if (method->it) { + if (method->it != NULL) { ext_der = NULL; - ext_len = ASN1_item_i2d(ext_struc, &ext_der, - method->it); + ext_len = ASN1_item_i2d(ext_struct, &ext_der, method->it); if (ext_len < 0) goto merr; } else { unsigned char 
*p; - ext_len = method->i2d(ext_struc, NULL); - if (!(ext_der = malloc(ext_len))) + + if ((ext_len = method->i2d(ext_struct, NULL)) <= 0) + goto merr; + if ((ext_der = calloc(1, ext_len)) == NULL) goto merr; p = ext_der; - method->i2d(ext_struc, &p); + if (method->i2d(ext_struct, &p) != ext_len) + goto merr; } - if (!(ext_oct = ASN1_OCTET_STRING_new())) + if ((ext_oct = ASN1_OCTET_STRING_new()) == NULL) goto merr; - ext_oct->data = ext_der; - ext_oct->length = ext_len; + ASN1_STRING_set0(ext_oct, ext_der, ext_len); + ext_der = NULL; + ext_len = 0; - ext = X509_EXTENSION_create_by_NID(NULL, ext_nid, crit, ext_oct); - if (!ext) + ext = X509_EXTENSION_create_by_NID(NULL, nid, crit, ext_oct); + if (ext == NULL) goto merr; ASN1_OCTET_STRING_free(ext_oct); return ext; -merr: + merr: + free(ext_der); ASN1_OCTET_STRING_free(ext_oct); X509V3error(ERR_R_MALLOC_FAILURE); - return NULL; + return NULL; } /* Given an internal structure, nid and critical flag create an extension */ X509_EXTENSION * -X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc) +X509V3_EXT_i2d(int nid, int crit, void *ext_struct) { const X509V3_EXT_METHOD *method; - if (!(method = X509V3_EXT_get_nid(ext_nid))) { + if (!(method = X509V3_EXT_get_nid(nid))) { X509V3error(X509V3_R_UNKNOWN_EXTENSION); return NULL; } - return do_ext_i2d(method, ext_nid, crit, ext_struc); + return do_ext_i2d(method, nid, crit, ext_struct); } LCRYPTO_ALIAS(X509V3_EXT_i2d); 
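Review bot: In do_ext_i2d() the two encoding branches disagree on what counts as failure: the `method->i2d` path bails out on `<= 0`, while the `method->it` path only rejects `ext_len < 0`, so a zero return from ASN1_item_i2d() would still reach ASN1_STRING_set0() with an empty, possibly NULL, buffer. Using `if (ext_len <= 0)` in both branches would make the empty-encoding case fail the same way; whether ASN1_item_i2d() can return 0 here is not visible in the hunk, so treat this as a consistency fix. The `merr:` label now also receives encoding failures and the length mismatch from the second `method->i2d` call, yet it always raises `ERR_R_MALLOC_FAILURE`, which will misdirect anyone reading the error stack. The `ext_der = NULL;` inside the `method->it` branch is redundant now that the declaration initialises it.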
@@ -280,18 +284,18 @@ v3_check_generic(const char **value) /* Create a generic extension: for now just handle DER type */ static X509_EXTENSION * -v3_generic_extension(const char *ext, const char *value, int crit, int gen_type, +v3_generic_extension(const char *name, const char *value, int crit, int gen_type, X509V3_CTX *ctx) { unsigned char *ext_der = NULL; long ext_len = 0; ASN1_OBJECT *obj = NULL; ASN1_OCTET_STRING *oct = NULL; - X509_EXTENSION *extension = NULL; + X509_EXTENSION *ext = NULL; - if (!(obj = OBJ_txt2obj(ext, 0))) { + if ((obj = OBJ_txt2obj(name, 0)) == NULL) { X509V3error(X509V3_R_EXTENSION_NAME_ERROR); - ERR_asprintf_error_data("name=%s", ext); + ERR_asprintf_error_data("name=%s", name); goto err; } @@ -310,22 +314,23 @@ v3_generic_extension(const char *ext, const char *value, int crit, int gen_type, goto err; } - if (!(oct = ASN1_OCTET_STRING_new())) { + if ((oct = ASN1_OCTET_STRING_new()) == NULL) { X509V3error(ERR_R_MALLOC_FAILURE); goto err; } - oct->data = ext_der; - oct->length = ext_len; + ASN1_STRING_set0(oct, ext_der, ext_len); ext_der = NULL; + ext_len = 0; - extension = X509_EXTENSION_create_by_OBJ(NULL, obj, crit, oct); + ext = X509_EXTENSION_create_by_OBJ(NULL, obj, crit, oct); -err: + err: ASN1_OBJECT_free(obj); ASN1_OCTET_STRING_free(oct); free(ext_der); - return extension; + + return ext; } static unsigned char * @@ -516,13 +521,13 @@ LCRYPTO_ALIAS(X509V3_EXT_conf); /* LHASH *conf: Config file */ /* char *value: Value */ X509_EXTENSION * -X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, int ext_nid, +X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, int nid, const char *value) { CONF ctmp; CONF_set_nconf(&ctmp, conf); - return X509V3_EXT_nconf_nid(&ctmp, ctx, ext_nid, value); + return X509V3_EXT_nconf_nid(&ctmp, ctx, nid, value); } LCRYPTO_ALIAS(X509V3_EXT_conf_nid); diff --git a/lib/libcrypto/x509/x509_utl.c b/lib/libcrypto/x509/x509_utl.c index 14b43e8b6..e5e95bfac 100644 
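Review bot: In v3_generic_extension() `ext_len` is declared `long`, but the new `ASN1_STRING_set0(oct, ext_der, ext_len)` call in the hunk at -310 takes an `int` length, so the value is narrowed implicitly. The length is produced by code between the two hunks that is not shown, so an out-of-range value may be impossible in practice. A guard before the call such as `if (ext_len < 0 || ext_len > INT_MAX) goto err;` (with an error pushed first) would make the bound explicit instead of relying on the conversion.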
--- a/lib/libcrypto/x509/x509_utl.c +++ b/lib/libcrypto/x509/x509_utl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_utl.c,v 1.17 2023/05/12 19:02:10 tb Exp $ */ +/* $OpenBSD: x509_utl.c,v 1.18 2024/06/18 08:29:40 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -210,7 +210,7 @@ LCRYPTO_ALIAS(i2s_ASN1_ENUMERATED); char * i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *method, const ASN1_ENUMERATED *e) { - BIT_STRING_BITNAME *enam; + const BIT_STRING_BITNAME *enam; long strval; strval = ASN1_ENUMERATED_get(e); diff --git a/lib/libcrypto/x509/x_all.c b/lib/libcrypto/x509/x_all.c index 45c527b41..599771406 100644 --- a/lib/libcrypto/x509/x_all.c +++ b/lib/libcrypto/x509/x_all.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_all.c,v 1.31 2024/03/27 01:22:30 tb Exp $ */ +/* $OpenBSD: x_all.c,v 1.32 2024/06/19 08:00:53 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -401,24 +401,24 @@ X509_verify(X509 *a, EVP_PKEY *r) { if (X509_ALGOR_cmp(a->sig_alg, a->cert_info->signature)) return 0; - return (ASN1_item_verify(&X509_CINF_it, a->sig_alg, - a->signature, a->cert_info, r)); + return ASN1_item_verify(&X509_CINF_it, a->sig_alg, + a->signature, a->cert_info, r); } LCRYPTO_ALIAS(X509_verify); int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r) { - return (ASN1_item_verify(&X509_REQ_INFO_it, - a->sig_alg, a->signature, a->req_info, r)); + return ASN1_item_verify(&X509_REQ_INFO_it, + a->sig_alg, a->signature, a->req_info, r); } LCRYPTO_ALIAS(X509_REQ_verify); int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r) { - return (ASN1_item_verify(&NETSCAPE_SPKAC_it, - a->sig_algor, a->signature, a->spkac, r)); + return ASN1_item_verify(&NETSCAPE_SPKAC_it, + a->sig_algor, a->signature, a->spkac, r); } LCRYPTO_ALIAS(NETSCAPE_SPKI_verify); 
@@ -426,9 +426,9 @@ int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) { x->cert_info->enc.modified = 1; - return (ASN1_item_sign(&X509_CINF_it, + return ASN1_item_sign(&X509_CINF_it, x->cert_info->signature, x->sig_alg, x->signature, - x->cert_info, pkey, md)); + x->cert_info, pkey, md); } LCRYPTO_ALIAS(X509_sign); @@ -445,8 +445,8 @@ LCRYPTO_ALIAS(X509_sign_ctx); int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md) { - return (ASN1_item_sign(&X509_REQ_INFO_it, - x->sig_alg, NULL, x->signature, x->req_info, pkey, md)); + return ASN1_item_sign(&X509_REQ_INFO_it, + x->sig_alg, NULL, x->signature, x->req_info, pkey, md); } LCRYPTO_ALIAS(X509_REQ_sign); @@ -462,8 +462,8 @@ int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md) { x->crl->enc.modified = 1; - return(ASN1_item_sign(&X509_CRL_INFO_it, x->crl->sig_alg, - x->sig_alg, x->signature, x->crl, pkey, md)); + return ASN1_item_sign(&X509_CRL_INFO_it, x->crl->sig_alg, + x->sig_alg, x->signature, x->crl, pkey, md); } LCRYPTO_ALIAS(X509_CRL_sign); @@ -479,8 +479,8 @@ LCRYPTO_ALIAS(X509_CRL_sign_ctx); int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md) { - return (ASN1_item_sign(&NETSCAPE_SPKAC_it, - x->sig_algor, NULL, x->signature, x->spkac, pkey, md)); + return ASN1_item_sign(&NETSCAPE_SPKAC_it, + x->sig_algor, NULL, x->signature, x->spkac, pkey, md); } LCRYPTO_ALIAS(NETSCAPE_SPKI_sign); @@ -500,8 +500,7 @@ int X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md, unsigned int *len) { - return (ASN1_item_digest(&X509_it, type, (char *)data, - md, len)); + return ASN1_item_digest(&X509_it, type, (void *)data, md, len); } LCRYPTO_ALIAS(X509_digest); @@ -509,8 +508,7 @@ int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type, unsigned char *md, unsigned int *len) { - return (ASN1_item_digest(&X509_CRL_it, type, (char *)data, - md, len)); + return ASN1_item_digest(&X509_CRL_it, type, (void *)data, md, len); } LCRYPTO_ALIAS(X509_CRL_digest); 
@@ -518,8 +516,7 @@ int X509_REQ_digest(const X509_REQ *data, const EVP_MD *type, unsigned char *md, unsigned int *len) { - return (ASN1_item_digest(&X509_REQ_it, type, (char *)data, - md, len)); + return ASN1_item_digest(&X509_REQ_it, type, (void *)data, md, len); } LCRYPTO_ALIAS(X509_REQ_digest); @@ -527,8 +524,7 @@ int X509_NAME_digest(const X509_NAME *data, const EVP_MD *type, unsigned char *md, unsigned int *len) { - return (ASN1_item_digest(&X509_NAME_it, type, (char *)data, - md, len)); + return ASN1_item_digest(&X509_NAME_it, type, (void *)data, md, len); } LCRYPTO_ALIAS(X509_NAME_digest); diff --git a/regress/usr.bin/ssh/dropbear-ciphers.sh b/regress/usr.bin/ssh/dropbear-ciphers.sh index 2e0f9a1d3..7b0924ce7 100644 --- a/regress/usr.bin/ssh/dropbear-ciphers.sh +++ b/regress/usr.bin/ssh/dropbear-ciphers.sh @@ -1,4 +1,4 @@ -# $OpenBSD: dropbear-ciphers.sh,v 1.1 2023/10/20 06:56:45 dtucker Exp $ +# $OpenBSD: dropbear-ciphers.sh,v 1.2 2024/06/19 10:15:51 dtucker Exp $ # Placed in the Public Domain. tid="dropbear ciphers" @@ -7,13 +7,23 @@ if test "x$REGRESS_INTEROP_DROPBEAR" != "xyes" ; then skip "dropbear interop tests not enabled" fi +# Enable all support algorithms +algs=`$SSH -Q key-sig | tr '\n' ,` cat >>$OBJ/sshd_proxy <&1 | awk '/ ciphers: /{print $4}' | tr ',' ' '` +if [ -z "$ciphers" ]; then + trace dbclient query ciphers failed, making assumptions. + ciphers="chacha20-poly1305@openssh.com aes128-ctr aes256-ctr" +fi macs=`$DBCLIENT -m help 2>&1 | awk '/ MACs: /{print $4}' | tr ',' ' '` +if [ -z "$macs" ]; then + trace dbclient query macs failed, making assumptions. + macs="hmac-sha1 hmac-sha2-256" +fi keytype=`(cd $OBJ/.dropbear && ls id_*)` for c in $ciphers ; do diff --git a/regress/usr.bin/ssh/dropbear-kex.sh b/regress/usr.bin/ssh/dropbear-kex.sh index a25de3edd..d9f1b32c0 100644 --- a/regress/usr.bin/ssh/dropbear-kex.sh +++ b/regress/usr.bin/ssh/dropbear-kex.sh 
@@ -1,4 +1,4 @@ -# $OpenBSD: dropbear-kex.sh,v 1.1 2023/10/20 06:56:45 dtucker Exp $ +# $OpenBSD: dropbear-kex.sh,v 1.3 2024/06/19 10:10:46 dtucker Exp $ # Placed in the Public Domain. tid="dropbear kex" @@ -7,21 +7,19 @@ if test "x$REGRESS_INTEROP_DROPBEAR" != "xyes" ; then skip "dropbear interop tests not enabled" fi -cat >>$OBJ/sshd_proxy <$OBJ/sshd_proxy - env HOME=$OBJ dbclient -y -i $OBJ/.dropbear/id_rsa 2>$OBJ/dbclient.log \ + env HOME=$OBJ dbclient -y -i $OBJ/.dropbear/id_ed25519 2>$OBJ/dbclient.log \ -J "$OBJ/ssh_proxy.sh" somehost cat ${DATA} > ${COPY} if [ $? -ne 0 ]; then fail "ssh cat $DATA failed" diff --git a/regress/usr.bin/ssh/test-exec.sh b/regress/usr.bin/ssh/test-exec.sh index 7adf0889a..7f532850d 100644 --- a/regress/usr.bin/ssh/test-exec.sh +++ b/regress/usr.bin/ssh/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.115 2024/06/11 01:58:27 djm Exp $ +# $OpenBSD: test-exec.sh,v 1.118 2024/06/19 10:08:34 dtucker Exp $ # Placed in the Public Domain. #SUDO=sudo 
@@ -646,16 +646,28 @@ esac if test "$REGRESS_INTEROP_DROPBEAR" = "yes" ; then trace Create dropbear keys and add to authorized_keys + kt="ed25519" + if $SSH -Q key-plain | grep '^ssh-dss$' >/dev/null; then + kt="$kt dss" + fi + if $SSH -Q key-plain | grep '^ssh-rsa$' >/dev/null; then + kt="$kt rsa" + fi + if $SSH -Q key-plain | grep '^ecdsa-sha2' >/dev/null; then + kt="$kt ecdsa" + fi mkdir -p $OBJ/.dropbear - for i in rsa ecdsa ed25519 dss; do + for i in $kt; do if [ ! -f "$OBJ/.dropbear/id_$i" ]; then - ($DROPBEARKEY -t $i -f $OBJ/.dropbear/id_$i - $DROPBEARCONVERT dropbear openssh \ - $OBJ/.dropbear/id_$i $OBJ/.dropbear/ossh.id_$i - ) > /dev/null 2>&1 + verbose Create dropbear key type $i + $DROPBEARKEY -t $i -f $OBJ/.dropbear/id_$i \ + >/dev/null 2>&1 fi + $DROPBEARCONVERT dropbear openssh $OBJ/.dropbear/id_$i \ + $OBJ/.dropbear/ossh.id_$i >/dev/null 2>&1 $SSHKEYGEN -y -f $OBJ/.dropbear/ossh.id_$i \ >>$OBJ/authorized_keys_$USER + rm -f $OBJ/.dropbear/id_$i.pub $OBJ/.dropbear/ossh.id_$i done fi diff --git a/sbin/dhcp6leased/engine.c b/sbin/dhcp6leased/engine.c index 180847406..12663506c 100644 --- a/sbin/dhcp6leased/engine.c +++ b/sbin/dhcp6leased/engine.c @@ -1,4 +1,4 @@ -/* $OpenBSD: engine.c,v 1.13 2024/06/06 15:15:44 florian Exp $ */ +/* $OpenBSD: engine.c,v 1.14 2024/06/19 07:42:44 florian Exp $ */ /* * Copyright (c) 2017, 2021, 2024 Florian Obser 
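Review bot: The `$DROPBEARCONVERT` call now runs on every pass through the loop with its output sent to /dev/null and its exit status ignored, so a failed conversion only shows up indirectly when `$SSHKEYGEN -y` cannot read `ossh.id_$i`, and that key type is then missing from authorized_keys without any message. Checking the result where it happens, for example `... >/dev/null 2>&1 || fatal "dropbearconvert failed for $i"`, would make a broken setup obvious instead of surfacing later as an authentication failure. The same applies to the `$DROPBEARKEY` call above it. The `$OBJ` paths are unquoted throughout the hunk, which matters for the new `rm -f` if the object directory ever contains whitespace.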
@@ -1034,27 +1034,9 @@ state_transition(struct dhcp6leased_iface *iface, enum if_state new_state) switch (new_state) { case IF_DOWN: -#if 0 -XXXX - if (iface->requested_ip.s_addr == INADDR_ANY) { - /* nothing to do until iface comes up */ - iface->timo.tv_sec = -1; - break; - } - if (old_state == IF_DOWN) { - /* nameservers already withdrawn when if went down */ - deconfigure_interfaces(iface); - /* nothing more to do until iface comes back */ - iface->timo.tv_sec = -1; - } else { - clock_gettime(CLOCK_MONOTONIC, &now); - timespecsub(&now, &iface->request_time, &res); - iface->timo.tv_sec = iface->lease_time - res.tv_sec; - if (iface->timo.tv_sec < 0) - iface->timo.tv_sec = 0; /* deconfigure now */ - } -#endif - /* nothing to do until iface comes up */ + /* + * Nothing to do until iface comes up. IP addresses will expire. + */ iface->timo.tv_sec = -1; break; case IF_INIT: diff --git a/sbin/dhcp6leased/frontend.c b/sbin/dhcp6leased/frontend.c index b5e349cca..716ccfdb0 100644 --- a/sbin/dhcp6leased/frontend.c +++ b/sbin/dhcp6leased/frontend.c @@ -1,4 +1,4 @@ -/* $OpenBSD: frontend.c,v 1.11 2024/06/05 16:14:12 florian Exp $ */ +/* $OpenBSD: frontend.c,v 1.12 2024/06/19 07:42:44 florian Exp $ */ /* * Copyright (c) 2017, 2021, 2024 Florian Obser @@ -69,7 +69,6 @@ struct iface { __dead void frontend_shutdown(void); void frontend_sig_handler(int, short, void *); -void rtsock_update_iface(struct if_msghdr *, struct sockaddr_dl *); void frontend_startup(void); void update_iface(uint32_t); void route_receive(int, short, void *); 
@@ -595,64 +594,6 @@ update_iface(uint32_t if_index) sizeof(iface->ifinfo)); } -void -rtsock_update_iface(struct if_msghdr *ifm, struct sockaddr_dl *sdl) -{ -#if 0 -XXX - struct iface *iface; - struct imsg_ifinfo ifinfo; - uint32_t if_index; - int flags; - char ifnamebuf[IF_NAMESIZE], *if_name; - - if_index = ifm->ifm_index; - - flags = ifm->ifm_flags; - - iface = get_iface_by_id(if_index); - if_name = if_indextoname(if_index, ifnamebuf); - - if (if_name == NULL) { - if (iface != NULL) { - log_debug("interface with idx %d removed", if_index); - frontend_imsg_compose_engine(IMSG_REMOVE_IF, 0, 0, - &if_index, sizeof(if_index)); - remove_iface(if_index); - } - return; - } - - memset(&ifinfo, 0, sizeof(ifinfo)); - ifinfo.if_index = if_index; - ifinfo.link_state = ifm->ifm_data.ifi_link_state; - ifinfo.rdomain = ifm->ifm_tableid; - ifinfo.running = (flags & (IFF_UP | IFF_RUNNING)) == - (IFF_UP | IFF_RUNNING); - - if (iface == NULL) { - if ((iface = calloc(1, sizeof(*iface))) == NULL) - fatal("calloc"); - iface->udpsock = -1; - LIST_INSERT_HEAD(&interfaces, iface, entries); - frontend_imsg_compose_main(IMSG_OPEN_UDPSOCK, 0, - &if_index, sizeof(if_index)); - } else { - if (iface->ifinfo.rdomain != ifinfo.rdomain && - iface->udpsock != -1) { - close(iface->udpsock); - iface->udpsock = -1; - } - } - - if (memcmp(&iface->ifinfo, &ifinfo, sizeof(iface->ifinfo)) != 0) { - memcpy(&iface->ifinfo, &ifinfo, sizeof(iface->ifinfo)); - frontend_imsg_compose_main(IMSG_UPDATE_IF, 0, &iface->ifinfo, - sizeof(iface->ifinfo)); - } -#endif -} - void frontend_startup(void) { @@ -660,8 +601,6 @@ frontend_startup(void) fatalx("%s: did not receive a route socket from the main " "process", __func__); - if (pledge("stdio unix recvfd", NULL) == -1) - fatal("pledge"); event_add(&ev_route, NULL); } 
@@ -707,16 +646,13 @@ route_receive(int fd, short events, void *arg) void handle_route_message(struct rt_msghdr *rtm, struct sockaddr **rti_info) { - struct sockaddr_dl *sdl = NULL; struct if_announcemsghdr *ifan; uint32_t if_index; switch (rtm->rtm_type) { case RTM_IFINFO: - if (rtm->rtm_addrs & RTA_IFP && rti_info[RTAX_IFP]->sa_family - == AF_LINK) - sdl = (struct sockaddr_dl *)rti_info[RTAX_IFP]; - rtsock_update_iface((struct if_msghdr *)rtm, sdl); + if_index = ((struct if_msghdr *)rtm)->ifm_index; + update_iface(if_index); break; case RTM_IFANNOUNCE: ifan = (struct if_announcemsghdr *)rtm; diff --git a/sbin/iked/ca.c b/sbin/iked/ca.c index 3c4183440..042bce995 100644 --- a/sbin/iked/ca.c +++ b/sbin/iked/ca.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ca.c,v 1.101 2024/02/13 12:25:11 tobhe Exp $ */ +/* $OpenBSD: ca.c,v 1.102 2024/06/18 05:08:41 tb Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter @@ -1985,13 +1985,13 @@ ca_x509_subjectaltname_do(X509 *cert, int mode, const char *logmsg, GENERAL_NAME *entry; ASN1_STRING *cstr; char idstr[IKED_ID_SIZE]; - int idx, ret, i, type, len; + int crit, ret, i, type, len; const uint8_t *data; ret = -1; - idx = -1; - while ((stack = X509_get_ext_d2i(cert, NID_subject_alt_name, - NULL, &idx)) != NULL) { + crit = -1; + if ((stack = X509_get_ext_d2i(cert, NID_subject_alt_name, + &crit, NULL)) != NULL) { for (i = 0; i < sk_GENERAL_NAME_num(stack); i++) { entry = sk_GENERAL_NAME_value(stack, i); switch (entry->type) { @@ -2071,12 +2071,14 @@ ca_x509_subjectaltname_do(X509 *cert, int mode, const char *logmsg, } } sk_GENERAL_NAME_pop_free(stack, GENERAL_NAME_free); - if (ret != -1) - break; - } - if (idx == -1) + } else if (crit == -2) + log_info("%s: multiple subjectAltName extensions are invalid", + __func__); + else if (crit == -1) log_debug("%s: did not find subjectAltName in certificate", __func__); + else + log_debug("%s: failed to decode subjectAltName", __func__); return ret; } 
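Review bot: RTM_IFINFO in handle_route_message() now calls update_iface(), so the frontend queries interface state for its whole lifetime, and the same commit deletes the `pledge("stdio unix recvfd", NULL)` call from frontend_startup() without recording which promises remain in force. Any earlier pledge is outside the visible hunks, so the resulting privilege set cannot be checked from this patch. A comment in frontend_startup() such as `/* no narrower pledge here: update_iface() runs on every RTM_IFINFO; promises stay at <set made at process start> */` would document why the restriction was dropped. handle_route_message() continues past the end of the hunk.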
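Review bot: In ca_x509_subjectaltname_do() the variable `crit` is used only as an error indicator, and the `-1` and `-2` values tested in the new `else if` chain are bare magic numbers. A comment above the call, such as `/* with idx == NULL, crit is set to -1 if the extension is absent and -2 if it occurs more than once */`, would explain the three-way branch. The decode-failure branch logs at `log_debug` while the duplicate-extension branch uses `log_info`; a peer certificate whose subjectAltName cannot be parsed seems at least as noteworthy, so consider `log_info` there too. The function starts before the first hunk and the code between the two hunks is not shown.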
diff --git a/sys/arch/amd64/amd64/hibernate_machdep.c b/sys/arch/amd64/amd64/hibernate_machdep.c index db59d0866..98e3ff3e7 100644 --- a/sys/arch/amd64/amd64/hibernate_machdep.c +++ b/sys/arch/amd64/amd64/hibernate_machdep.c @@ -1,4 +1,4 @@ -/* $OpenBSD: hibernate_machdep.c,v 1.51 2024/06/05 04:58:05 mglocker Exp $ */ +/* $OpenBSD: hibernate_machdep.c,v 1.52 2024/06/19 13:27:26 jsg Exp $ */ /* * Copyright (c) 2012 Mike Larkin @@ -61,7 +61,6 @@ extern caddr_t start, end; extern int mem_cluster_cnt; extern phys_ram_seg_t mem_clusters[]; extern bios_memmap_t *bios_memmap; -extern struct hibernate_state *hibernate_state; /* * amd64 MD Hibernate functions diff --git a/sys/arch/i386/i386/hibernate_machdep.c b/sys/arch/i386/i386/hibernate_machdep.c index 2e1be1875..cccda268c 100644 --- a/sys/arch/i386/i386/hibernate_machdep.c +++ b/sys/arch/i386/i386/hibernate_machdep.c @@ -1,4 +1,4 @@ -/* $OpenBSD: hibernate_machdep.c,v 1.61 2023/01/30 10:49:05 jsg Exp $ */ +/* $OpenBSD: hibernate_machdep.c,v 1.62 2024/06/19 13:27:26 jsg Exp $ */ /* * Copyright (c) 2011 Mike Larkin @@ -52,7 +52,6 @@ extern caddr_t start, end; extern int ndumpmem; extern struct dumpmem dumpmem[]; extern bios_memmap_t *bios_memmap; -extern struct hibernate_state *hibernate_state; /* * Hibernate always uses non-PAE page tables during resume, so diff --git a/sys/arch/i386/include/cpu.h b/sys/arch/i386/include/cpu.h index 30f1aaf90..1b633aba4 100644 --- a/sys/arch/i386/include/cpu.h +++ b/sys/arch/i386/include/cpu.h @@ -1,4 +1,4 @@ -/* $OpenBSD: cpu.h,v 1.191 2024/06/09 21:15:29 jca Exp $ */ +/* $OpenBSD: cpu.h,v 1.192 2024/06/18 12:37:29 jsg Exp $ */ /* $NetBSD: cpu.h,v 1.35 1996/05/05 19:29:26 christos Exp $ */ /*- @@ -458,7 +458,6 @@ void k1x_setperf(int); #endif /* npx.c */ -void npxdrop(struct proc *); void npxsave_proc(struct proc *, int); void npxsave_cpu(struct cpu_info *, int); diff --git a/sys/arch/i386/include/pmap.h b/sys/arch/i386/include/pmap.h index e7e222bea..4433283cb 100644 
--- a/sys/arch/i386/include/pmap.h +++ b/sys/arch/i386/include/pmap.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pmap.h,v 1.94 2023/12/11 22:12:53 kettenis Exp $ */ +/* $OpenBSD: pmap.h,v 1.95 2024/06/18 12:37:29 jsg Exp $ */ /* $NetBSD: pmap.h,v 1.44 2000/04/24 17:18:18 thorpej Exp $ */ /* @@ -297,7 +297,6 @@ void pmap_pinit_pd_pae(pmap_t); void pmap_zero_phys_pae(paddr_t); int pmap_zero_page_uncached_pae(paddr_t); void pmap_copy_page_pae(struct vm_page *, struct vm_page *); -void pae_copy_phys(paddr_t, paddr_t, int, int); #define pmap_pte_set (*pmap_pte_set_p) #define pmap_pte_setbits (*pmap_pte_setbits_p) diff --git a/sys/dev/ata/ata_wdc.c b/sys/dev/ata/ata_wdc.c index f2731090b..10c3e29b7 100644 --- a/sys/dev/ata/ata_wdc.c +++ b/sys/dev/ata/ata_wdc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ata_wdc.c,v 1.53 2024/05/26 10:01:01 jsg Exp $ */ +/* $OpenBSD: ata_wdc.c,v 1.54 2024/06/18 09:08:02 jsg Exp $ */ /* $NetBSD: ata_wdc.c,v 1.21 1999/08/09 09:43:11 bouyer Exp $ */ /* @@ -808,23 +808,3 @@ wdc_ata_err(struct ata_drive_datas *drvp, struct ata_bio *ata_bio) ata_bio->flags |= ATA_CORR; return WDC_ATA_NOERR; } - -#if 0 -int -wdc_ata_addref(drvp) - struct ata_drive_datas *drvp; -{ - struct channel_softc *chp = drvp->chnl_softc; - - return (wdc_addref(chp)); -} - -void -wdc_ata_delref(drvp) - struct ata_drive_datas *drvp; -{ - struct channel_softc *chp = drvp->chnl_softc; - - wdc_delref(chp); -} -#endif diff --git a/sys/dev/ic/wdcvar.h b/sys/dev/ic/wdcvar.h index 8f4b08d80..cb3a9e8e9 100644 --- a/sys/dev/ic/wdcvar.h +++ b/sys/dev/ic/wdcvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: wdcvar.h,v 1.58 2024/05/29 00:48:15 jsg Exp $ */ +/* $OpenBSD: wdcvar.h,v 1.59 2024/06/18 12:37:29 jsg Exp $ */ /* $NetBSD: wdcvar.h,v 1.17 1999/04/11 20:50:29 bouyer Exp $ */ /*- 
@@ -287,9 +287,6 @@ void wdccommandshort(struct channel_softc *, int, int); void wdctimeout(void *arg); void wdc_do_reset(struct channel_softc *); -int wdc_addref(struct channel_softc *); -void wdc_delref(struct channel_softc *); - /* * ST506 spec says that if READY or SEEKCMPLT go off, then the read or write * command is aborted. diff --git a/sys/dev/pci/drm/amd/pm/swsmu/smu13/smu_v13_0_6_ppt.c b/sys/dev/pci/drm/amd/pm/swsmu/smu13/smu_v13_0_6_ppt.c index ca4b8f968..aee973f1f 100644 --- a/sys/dev/pci/drm/amd/pm/swsmu/smu13/smu_v13_0_6_ppt.c +++ b/sys/dev/pci/drm/amd/pm/swsmu/smu13/smu_v13_0_6_ppt.c @@ -2044,7 +2044,7 @@ static ssize_t smu_v13_0_6_get_gpu_metrics(struct smu_context *smu, void **table static void smu_v13_0_6_restore_pci_config(struct smu_context *smu) { STUB(); -#if notyet +#ifdef notyet struct amdgpu_device *adev = smu->adev; int i; diff --git a/sys/uvm/uvm_map.h b/sys/uvm/uvm_map.h index b88529374..ae331f933 100644 --- a/sys/uvm/uvm_map.h +++ b/sys/uvm/uvm_map.h @@ -1,4 +1,4 @@ -/* $OpenBSD: uvm_map.h,v 1.89 2024/04/02 08:39:17 deraadt Exp $ */ +/* $OpenBSD: uvm_map.h,v 1.90 2024/06/18 12:37:29 jsg Exp $ */ /* $NetBSD: uvm_map.h,v 1.24 2001/02/18 21:19:08 chs Exp $ */ /* @@ -363,10 +363,6 @@ void uvm_map_init(void); boolean_t uvm_map_lookup_entry(struct vm_map *, vaddr_t, vm_map_entry_t *); boolean_t uvm_map_is_stack_remappable(struct vm_map *, vaddr_t, vsize_t, int); int uvm_map_remap_as_stack(struct proc *, vaddr_t, vsize_t); -int uvm_map_replace(struct vm_map *, vaddr_t, vaddr_t, - vm_map_entry_t, int); -int uvm_map_reserve(struct vm_map *, vsize_t, vaddr_t, vsize_t, - vaddr_t *); void uvm_map_setup(struct vm_map *, pmap_t, vaddr_t, vaddr_t, int); int uvm_map_submap(struct vm_map *, vaddr_t, vaddr_t, struct vm_map *); diff --git a/usr.sbin/acme-client/main.c b/usr.sbin/acme-client/main.c index f739bad79..e4505ce86 100644 --- a/usr.sbin/acme-client/main.c +++ b/usr.sbin/acme-client/main.c 
@@ -1,4 +1,4 @@ -/* $Id: main.c,v 1.55 2022/05/05 19:51:35 florian Exp $ */ +/* $Id: main.c,v 1.56 2024/06/19 13:13:25 claudio Exp $ */ /* * Copyright (c) 2016 Kristaps Dzonsons * @@ -21,6 +21,7 @@ #include #include #include +#include #include #include #include @@ -202,6 +203,8 @@ main(int argc, char *argv[]) if (socketpair(AF_UNIX, SOCK_STREAM, 0, rvk_fds) == -1) err(EXIT_FAILURE, "socketpair"); + signal(SIGPIPE, SIG_IGN); + /* Start with the network-touching process. */ if ((pids[COMP_NET] = fork()) == -1) diff --git a/usr.sbin/acme-client/util.c b/usr.sbin/acme-client/util.c index cb53440d5..67710cd3c 100644 --- a/usr.sbin/acme-client/util.c +++ b/usr.sbin/acme-client/util.c @@ -1,4 +1,4 @@ -/* $Id: util.c,v 1.13 2022/12/28 21:30:15 jmc Exp $ */ +/* $Id: util.c,v 1.14 2024/06/19 13:13:25 claudio Exp $ */ /* * Copyright (c) 2016 Kristaps Dzonsons * @@ -21,7 +21,6 @@ #include #include #include -#include #include #include #include @@ -31,8 +30,6 @@ #include "extern.h" -static volatile sig_atomic_t sig; - static const char *const comps[COMP__MAX] = { "netproc", /* COMP_NET */ "keyproc", /* COMP_KEY */ @@ -71,14 +68,6 @@ static const char *const comms[COMM__MAX] = { "revoke-response", /* COMM_REVOKE_RESP */ }; -static void -sigpipe(int code) -{ - - (void)code; - sig = 1; -} - /* * This will read a long-sized operation. * Operations are usually enums, so this should be alright. @@ -169,21 +158,15 @@ readbuf(int fd, enum comm comm, size_t *sz) int writeop(int fd, enum comm comm, long op) { - void (*sigfp)(int); ssize_t ssz; int er; - sigfp = signal(SIGPIPE, sigpipe); - if ((ssz = write(fd, &op, sizeof(long))) == -1) { if ((er = errno) != EPIPE) warn("write: %s", comms[comm]); - signal(SIGPIPE, sigfp); return er == EPIPE ? 0 : -1; } - signal(SIGPIPE, sigfp); - if ((size_t)ssz != sizeof(long)) { warnx("short write: %s", comms[comm]); return -1; 
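Review bot: writeop() (and writebuf() in the hunks that follow) no longer installs its own SIGPIPE handler, so its EPIPE handling now depends entirely on the `signal(SIGPIPE, SIG_IGN)` added in main(), and nothing in util.c says so. A comment above writeop(), such as `/* relies on SIGPIPE being ignored process-wide (set in main() before fork) so that write(2) fails with EPIPE */`, would keep that coupling visible to anyone reusing these helpers. In main() the call sits before the first fork(), so every child inherits the ignored disposition, and an ignored signal also stays ignored across exec; a one-line comment there stating that this is intended would help.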
@@ -201,21 +184,16 @@ writebuf(int fd, enum comm comm, const void *v, size_t sz) { ssize_t ssz; int er, rc = -1; - void (*sigfp)(int); /* * First, try to write the length. * If the other end of the pipe has closed, we allow the short * write to propagate as a return value of zero. - * To detect this, catch SIGPIPE. */ - sigfp = signal(SIGPIPE, sigpipe); - if ((ssz = write(fd, &sz, sizeof(size_t))) == -1) { if ((er = errno) != EPIPE) warn("write: %s length", comms[comm]); - signal(SIGPIPE, sigfp); return er == EPIPE ? 0 : -1; } @@ -233,7 +211,6 @@ writebuf(int fd, enum comm comm, const void *v, size_t sz) else rc = 1; - signal(SIGPIPE, sigfp); return rc; } diff --git a/usr.sbin/sysupgrade/sysupgrade.sh b/usr.sbin/sysupgrade/sysupgrade.sh index 4b9fb053c..82d328244 100644 --- a/usr.sbin/sysupgrade/sysupgrade.sh +++ b/usr.sbin/sysupgrade/sysupgrade.sh @@ -1,6 +1,6 @@ #!/bin/ksh # -# $OpenBSD: sysupgrade.sh,v 1.50 2024/06/08 06:05:40 florian Exp $ +# $OpenBSD: sysupgrade.sh,v 1.52 2024/06/19 05:22:33 otto Exp $ # # Copyright (c) 1997-2015 Todd Miller, Theo de Raadt, Ken Westerback # Copyright (c) 2015 Robert Peichaer @@ -161,9 +161,9 @@ if cmp -s /var/db/installed.SHA256 SHA256 && ! $FORCE; then exit 0 fi -# INSTALL.*, bsd*, *.tgz +# BUILDINFO INSTALL.*, bsd*, *.tgz SETS=$(sed -n -e 's/^SHA256 (\(.*\)) .*/\1/' \ - -e '/^INSTALL\./p;/^bsd/p;/\.tgz$/p' SHA256) + -e '/^BUILDINFO$/p;/^INSTALL\./p;/^bsd/p;/\.tgz$/p' SHA256) OLD_FILES=$(ls) OLD_FILES=$(rmel SHA256 $OLD_FILES) @@ -187,6 +187,15 @@ if [[ -n ${DL} ]]; then unpriv cksum -qC SHA256 ${DL} fi +if [[ -e /var/db/installed.BUILDINFO && -e BUILDINFO ]]; then + installed_build_ts=$(cut -f3 -d' ' /var/db/installed.BUILDINFO) + build_ts=$(cut -f3 -d' ' BUILDINFO) + if (( $build_ts < $installed_build_ts )) && ! $FORCE; then + echo "Downloaded snapshot is older than installed snapshot. Use -f to force downgrade." + exit 1 + fi +fi + cat <<__EOT >/auto_upgrade.conf Location of sets = disk Pathname to the sets = ${SETSDIR}/
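Review bot: The new downgrade check in sysupgrade.sh passes the third field of both BUILDINFO files straight into `(( $build_ts < $installed_build_ts ))` without confirming that either value is a number. An empty or malformed field then becomes an arithmetic error, and the outcome depends on how ksh handles it rather than on an explicit decision. Rejecting non-numeric values first, e.g. `case $build_ts in ''|*[!0-9]*) echo "invalid BUILDINFO" >&2; exit 1;; esac` and the same for `$installed_build_ts`, would make the check fail closed. The check is also skipped whenever either file is absent, so a snapshot that ships no BUILDINFO appears to pass without any comparison; if that is intended for compatibility, a comment saying so would help.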