Commit: 13a66a32c73d7b51f13424a3dfa81495c174745b Parent: 9e1acc0a2e03c3853407fd1d0d16a48409d5c012 Author: Michael Forney Date: Wed, 20 May 2026 01:17:08 -0700 openbsd: Update to 7.9 Diffstat:
13 files changed, 285 insertions(+), 184 deletions(-)
diff --git a/pkg/openbsd/patch/0017-m4-Use-hand-written-lexer-to-avoid-cycle-in-bootstra.patch b/pkg/openbsd/patch/0017-m4-Use-hand-written-lexer-to-avoid-cycle-in-bootstra.patch @@ -1,4 +1,4 @@ -From edf250c633bef40e7e37dafc9fc393dd2ad9074f Mon Sep 17 00:00:00 2001 +From 6409a0c0efb552c6cbb8b8da17328bb65dd3473d Mon Sep 17 00:00:00 2001 From: Michael Forney <mforney@mforney.org> Date: Tue, 10 Apr 2018 13:37:14 -0700 Subject: [PATCH] m4: Use hand-written lexer to avoid cycle in bootstrap @@ -209,12 +209,12 @@ index 00000000000..fa19fc65035 +} diff --git a/usr.bin/m4/tokenizer.l b/usr.bin/m4/tokenizer.l deleted file mode 100644 -index 94f02fb6085..00000000000 +index 36f9b58853c..00000000000 --- a/usr.bin/m4/tokenizer.l +++ /dev/null @@ -1,109 +0,0 @@ -%{ --/* $OpenBSD: tokenizer.l,v 1.10 2017/06/17 01:55:16 bcallah Exp $ */ +-/* $OpenBSD: tokenizer.l,v 1.11 2025/11/05 17:10:45 tb Exp $ */ -/* - * Copyright (c) 2004 Marc Espie <espie@cvs.openbsd.org> - * @@ -276,7 +276,7 @@ index 94f02fb6085..00000000000 -%% - -int32_t --number() +-number(void) -{ - long l; - @@ -289,7 +289,7 @@ index 94f02fb6085..00000000000 -} - -int32_t --parse_radix() +-parse_radix(void) -{ - long base; - char *next; @@ -323,5 +323,5 @@ index 94f02fb6085..00000000000 -} - -- -2.17.0 +2.54.0 diff --git a/pkg/openbsd/patch/0026-nc-Portability-fixes-from-libressl-portable.patch b/pkg/openbsd/patch/0026-nc-Portability-fixes-from-libressl-portable.patch @@ -1,17 +1,28 @@ -From 941679ac1af45e3359fa28172cd9339727c08a17 Mon Sep 17 00:00:00 2001 +From 36bb1d71b1e6963feb61fdf13c3e2f1cd55b0f5c Mon Sep 17 00:00:00 2001 From: Michael Forney <mforney@mforney.org> Date: Mon, 2 Dec 2019 21:11:04 -0800 Subject: [PATCH] nc: Portability fixes from libressl-portable --- - usr.bin/nc/netcat.c | 55 +++++++++++++++++++++++++++++++++++++++------ - 1 file changed, 48 insertions(+), 7 deletions(-) + usr.bin/nc/netcat.c | 59 +++++++++++++++++++++++++++++++++++++++------ + 1 file changed, 52 insertions(+), 7 deletions(-) 
diff --git a/usr.bin/nc/netcat.c b/usr.bin/nc/netcat.c -index e3c9c939e24..9d182198089 100644 +index 9361ff50cd9..4fd399a6f89 100644 --- a/usr.bin/nc/netcat.c +++ b/usr.bin/nc/netcat.c -@@ -93,9 +93,13 @@ int zflag; /* Port Scan Flag */ +@@ -73,6 +73,10 @@ + #define TLS_CCERT (1 << 3) + #define TLS_MUSTSTAPLE (1 << 4) + ++#ifndef IPTOS_DSCP_VA ++#define IPTOS_DSCP_VA 0xb0 ++#endif ++ + /* Command Line Options */ + int dflag; /* detached, no stdin */ + int Fflag; /* fdpass sock to stdout */ +@@ -93,9 +97,13 @@ int zflag; /* Port Scan Flag */ int Dflag; /* sodebug */ int Iflag; /* TCP receive buffer size */ int Oflag; /* TCP send buffer size */ @@ -25,7 +36,7 @@ index e3c9c939e24..9d182198089 100644 int usetls; /* use TLS */ const char *Cflag; /* Public cert file */ -@@ -271,12 +275,14 @@ main(int argc, char *argv[]) +@@ -271,12 +279,14 @@ main(int argc, char *argv[]) case 'u': uflag = 1; break; @@ -40,7 +51,7 @@ index e3c9c939e24..9d182198089 100644 case 'v': vflag = 1; break; -@@ -323,9 +329,11 @@ main(int argc, char *argv[]) +@@ -323,9 +333,11 @@ main(int argc, char *argv[]) case 'o': oflag = optarg; break; @@ -52,7 +63,7 @@ index e3c9c939e24..9d182198089 100644 case 'T': errstr = NULL; errno = 0; -@@ -349,9 +357,11 @@ main(int argc, char *argv[]) +@@ -349,9 +361,11 @@ main(int argc, char *argv[]) argc -= optind; argv += optind; @@ -64,7 +75,7 @@ index e3c9c939e24..9d182198089 100644 /* Cruft to make sure options are clean, and used properly. */ if (argc == 1 && family == AF_UNIX) { -@@ -928,7 +938,10 @@ remote_connect(const char *host, const char *port, struct addrinfo hints, +@@ -930,7 +944,10 @@ remote_connect(const char *host, const char *port, struct addrinfo hints, char *ipaddr) { struct addrinfo *res, *res0; 
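Review bot: The `IPTOS_DSCP_VA` fallback in the @@ -73,6 +73,10 hunk gives the raw value `0xb0` with nothing a reader can check it against; I would put `/* DSCP 44 (Voice-Admit, RFC 5865) shifted into the ToS byte: 44 << 2 == 0xb0 */` above the `#define` so the constant can be verified without opening the host's netinet/ip.h. The `#ifndef` guard also only does its job if `<netinet/ip.h>` has already been included at this point in netcat.c, which the hunk does not show; if the include comes later and spells the macro differently the compiler will reject the redefinition, so the include order is worth confirming. The surrounding option-flag declarations continue outside the hunk.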
@@ -76,7 +87,7 @@ index e3c9c939e24..9d182198089 100644 if ((error = getaddrinfo(host, port, &hints, &res0))) errx(1, "getaddrinfo for host \"%s\" port %s: %s", host, -@@ -943,8 +956,10 @@ remote_connect(const char *host, const char *port, struct addrinfo hints, +@@ -945,8 +962,10 @@ remote_connect(const char *host, const char *port, struct addrinfo hints, if (sflag || pflag) { struct addrinfo ahints, *ares; @@ -87,7 +98,7 @@ index e3c9c939e24..9d182198089 100644 memset(&ahints, 0, sizeof(struct addrinfo)); ahints.ai_family = res->ai_family; ahints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM; -@@ -1036,8 +1051,11 @@ int +@@ -1038,8 +1057,11 @@ int local_listen(const char *host, const char *port, struct addrinfo hints) { struct addrinfo *res, *res0; @@ -100,7 +111,7 @@ index e3c9c939e24..9d182198089 100644 /* Allow nodename to be null. */ hints.ai_flags |= AI_PASSIVE; -@@ -1057,9 +1075,11 @@ local_listen(const char *host, const char *port, struct addrinfo hints) +@@ -1059,9 +1081,11 @@ local_listen(const char *host, const char *port, struct addrinfo hints) res->ai_protocol)) == -1) continue; @@ -112,7 +123,7 @@ index e3c9c939e24..9d182198089 100644 set_common_sockopts(s, res->ai_family); -@@ -1564,11 +1584,13 @@ set_common_sockopts(int s, int af) +@@ -1571,11 +1595,13 @@ set_common_sockopts(int s, int af) { int x = 1; @@ -126,7 +137,7 @@ index e3c9c939e24..9d182198089 100644 if (Dflag) { if (setsockopt(s, SOL_SOCKET, SO_DEBUG, &x, sizeof(x)) == -1) -@@ -1579,9 +1601,16 @@ set_common_sockopts(int s, int af) +@@ -1586,9 +1612,16 @@ set_common_sockopts(int s, int af) IP_TOS, &Tflag, sizeof(Tflag)) == -1) err(1, "set IP ToS"); @@ -143,7 +154,7 @@ index e3c9c939e24..9d182198089 100644 } if (Iflag) { if (setsockopt(s, SOL_SOCKET, SO_RCVBUF, -@@ -1605,13 +1634,17 @@ set_common_sockopts(int s, int af) +@@ -1612,13 +1645,17 @@ set_common_sockopts(int s, int af) } if (minttl != -1) { 
@@ -162,7 +173,7 @@ index e3c9c939e24..9d182198089 100644 } } -@@ -1841,14 +1874,22 @@ help(void) +@@ -1849,14 +1886,22 @@ help(void) \t-P proxyuser\tUsername for proxy authentication\n\ \t-p port\t Specify local port for remote connects\n\ \t-R CAfile CA bundle\n\ @@ -190,5 +201,5 @@ index e3c9c939e24..9d182198089 100644 \t-W recvlimit Terminate after receiving a number of packets\n\ \t-w timeout Timeout for connects and final net reads\n\ -- -2.49.0 +2.54.0 diff --git a/pkg/openbsd/patch/0028-acme-client-Fix-build-with-old-bison-versions.patch b/pkg/openbsd/patch/0028-acme-client-Fix-build-with-old-bison-versions.patch @@ -1,4 +1,4 @@ -From c3aab43559f17feb64a29f8b0d395532cb423e8b Mon Sep 17 00:00:00 2001 +From 9121d31f3ca0d49395846334752b6e820da66cf4 Mon Sep 17 00:00:00 2001 From: Michael Forney <mforney@mforney.org> Date: Wed, 15 Apr 2020 20:26:16 -0700 Subject: [PATCH] acme-client: Fix build with old bison versions @@ -8,10 +8,10 @@ Subject: [PATCH] acme-client: Fix build with old bison versions 1 file changed, 1 insertion(+) diff --git a/usr.sbin/acme-client/parse.y b/usr.sbin/acme-client/parse.y -index 20818328d92..f392e516b63 100644 +index 5b9795f948b..14a3cec8203 100644 --- a/usr.sbin/acme-client/parse.y +++ b/usr.sbin/acme-client/parse.y -@@ -97,6 +97,7 @@ typedef struct { +@@ -100,6 +100,7 @@ typedef struct { } v; int lineno; } YYSTYPE; @@ -20,5 +20,5 @@ index 20818328d92..f392e516b63 100644 %} -- -2.26.1 +2.54.0 diff --git a/pkg/openbsd/patch/0033-m4-Declare-dopaste-only-when-it-s-used.patch b/pkg/openbsd/patch/0033-m4-Declare-dopaste-only-when-it-s-used.patch @@ -1,4 +1,4 @@ -From 666a050e706230ba5b0316a316100d8c7e86c93c Mon Sep 17 00:00:00 2001 +From df8af384d7c22f6bfee93e6ff1f9bcf501549664 Mon Sep 17 00:00:00 2001 From: Michael Forney <mforney@mforney.org> Date: Thu, 4 Jun 2020 21:42:18 -0700 Subject: [PATCH] m4: Declare dopaste only when it's used 
@@ -8,19 +8,19 @@ Subject: [PATCH] m4: Declare dopaste only when it's used 1 file changed, 2 insertions(+) diff --git a/usr.bin/m4/eval.c b/usr.bin/m4/eval.c -index d226505cab3..fe9fbde3d9c 100644 +index 9ee73fcd3d6..ba828074a5a 100644 --- a/usr.bin/m4/eval.c +++ b/usr.bin/m4/eval.c -@@ -61,7 +61,9 @@ static void dodump(const char *[], int); +@@ -61,7 +61,9 @@ static void dodumpdef(const char *[], int); static void dotrace(const char *[], int, int); static void doifelse(const char *[], int); - static int doincl(const char *); + static int doinclude(const char *); +#ifdef EXTENDED static int dopaste(const char *); +#endif - static void dochq(const char *[], int); - static void dochc(const char *[], int); + static void dochangequote(const char *[], int); + static void dochangecom(const char *[], int); static void dom4wrap(const char *); -- -2.27.0 +2.54.0 diff --git a/pkg/openbsd/patch/0034-acme-client-Fix-signed-ness-of-base64buf_url-input.patch b/pkg/openbsd/patch/0034-acme-client-Fix-signed-ness-of-base64buf_url-input.patch @@ -1,4 +1,4 @@ -From d287356e4da2f2bc232df9bc13821738ffbe5299 Mon Sep 17 00:00:00 2001 +From 0f55823084233ab6980c6c1beb9a2fedadc7a5ee Mon Sep 17 00:00:00 2001 From: Michael Forney <mforney@mforney.org> Date: Fri, 23 Apr 2021 20:10:05 -0700 Subject: [PATCH] acme-client: Fix signed-ness of base64buf_url input @@ -9,8 +9,8 @@ This make most of the pointer casts unnecessary. usr.sbin/acme-client/base64.c | 2 +- usr.sbin/acme-client/extern.h | 2 +- usr.sbin/acme-client/keyproc.c | 5 +++-- - usr.sbin/acme-client/revokeproc.c | 6 ++++-- - 5 files changed, 18 insertions(+), 14 deletions(-) + usr.sbin/acme-client/revokeproc.c | 5 +++-- + 5 files changed, 17 insertions(+), 14 deletions(-) diff --git a/usr.sbin/acme-client/acctproc.c b/usr.sbin/acme-client/acctproc.c index da3d49107ae..9e97a8bb760 100644 @@ -96,10 +96,10 @@ index 2b6377f0d81..0d84ad4b458 100644 size_t i, sz; char *buf; 
diff --git a/usr.sbin/acme-client/extern.h b/usr.sbin/acme-client/extern.h -index 46a1387f5bc..37820e6cfb6 100644 +index 8b500561744..990c784f706 100644 --- a/usr.sbin/acme-client/extern.h +++ b/usr.sbin/acme-client/extern.h -@@ -244,7 +244,7 @@ int checkexit_ext(int *, pid_t, enum comp); +@@ -241,7 +241,7 @@ int checkexit_ext(int *, pid_t, enum comp); * Returns a buffer or NULL on allocation error. */ size_t base64len(size_t); @@ -109,20 +109,20 @@ index 46a1387f5bc..37820e6cfb6 100644 /* * JSON parsing routines. diff --git a/usr.sbin/acme-client/keyproc.c b/usr.sbin/acme-client/keyproc.c -index a3b6666c279..f0df9f292d4 100644 +index bab74c2b385..4360156b9c0 100644 --- a/usr.sbin/acme-client/keyproc.c +++ b/usr.sbin/acme-client/keyproc.c -@@ -77,7 +77,8 @@ int - keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz, - enum keytype keytype) +@@ -76,7 +76,8 @@ add_ext(STACK_OF(X509_EXTENSION) *sk, int nid, const char *value) + int + keyproc(int netsock, struct domain_c *domain) { - char *der64 = NULL, *der = NULL, *dercp; + char *der64 = NULL; + unsigned char *der = NULL, *dercp; char *sans = NULL, *san = NULL; FILE *f; - size_t i, sansz; -@@ -238,7 +239,7 @@ keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz, + size_t sansz; +@@ -234,7 +235,7 @@ keyproc(int netsock, struct domain_c *domain) } else if ((der = dercp = malloc(len)) == NULL) { warn("malloc"); goto out; @@ -132,21 +132,20 @@ index a3b6666c279..f0df9f292d4 100644 goto out; } else if ((der64 = base64buf_url(der, len)) == NULL) { diff --git a/usr.sbin/acme-client/revokeproc.c b/usr.sbin/acme-client/revokeproc.c -index 65170078226..493a9ea9752 100644 +index 6fe34043129..c0963a278fb 100644 --- a/usr.sbin/acme-client/revokeproc.c 
+++ b/usr.sbin/acme-client/revokeproc.c -@@ -77,7 +77,9 @@ revokeproc(int fd, const char *certfile, int force, - int revocate, const char *const *alts, size_t altsz) +@@ -79,7 +79,8 @@ revokeproc(int fd, const char *certfile, int force, + int revocate, struct domain_c *domain) { GENERAL_NAMES *sans = NULL; - char *der = NULL, *dercp, *der64 = NULL; + unsigned char *der = NULL, *dercp; + char *der64 = NULL; -+ char *san = NULL, *str, *tok; - int rc = 0, cc, i, len; - size_t *found = NULL; + int rc = 0, cc, sanidx, len, j, k; + int *found_altnames = NULL; FILE *f = NULL; -@@ -260,7 +262,7 @@ revokeproc(int fd, const char *certfile, int force, +@@ -320,7 +321,7 @@ revokeproc(int fd, const char *certfile, int force, } else if ((der = dercp = malloc(len)) == NULL) { warn("malloc"); goto out; @@ -156,5 +155,5 @@ index 65170078226..493a9ea9752 100644 goto out; } else if ((der64 = base64buf_url(der, len)) == NULL) { -- -2.49.0 +2.54.0 diff --git a/pkg/openbsd/patch/0035-acme-client-Port-to-BearSSL.patch b/pkg/openbsd/patch/0035-acme-client-Port-to-BearSSL.patch @@ -1,4 +1,4 @@ -From 6abdd6eef47b5ff9a34536acbec947d2c9a3cebc Mon Sep 17 00:00:00 2001 +From 4ad4ffcb7c731ae48c97b93760d7625724a991bc Mon Sep 17 00:00:00 2001 From: Michael Forney <mforney@mforney.org> Date: Fri, 23 Apr 2021 23:14:16 -0700 Subject: [PATCH] acme-client: Port to BearSSL @@ -8,9 +8,9 @@ Subject: [PATCH] acme-client: Port to BearSSL usr.sbin/acme-client/certproc.c | 5 - usr.sbin/acme-client/key.c | 329 ++++++++++++++++++++++++------ usr.sbin/acme-client/key.h | 22 +- - usr.sbin/acme-client/keyproc.c | 198 ++++++------------ - usr.sbin/acme-client/revokeproc.c | 260 +++++++++++------------ - 6 files changed, 566 insertions(+), 546 deletions(-) + usr.sbin/acme-client/keyproc.c | 192 ++++++----------- + usr.sbin/acme-client/revokeproc.c | 319 +++++++++++------------------ + 6 files changed, 568 insertions(+), 597 deletions(-) 
diff --git a/usr.sbin/acme-client/acctproc.c b/usr.sbin/acme-client/acctproc.c index 9e97a8bb760..8d66dac49d9 100644 @@ -951,7 +951,7 @@ index 272d36eb09a..12abdec813c 100644 #endif /* ! KEY_H */ diff --git a/usr.sbin/acme-client/keyproc.c b/usr.sbin/acme-client/keyproc.c -index f0df9f292d4..fc7de74b616 100644 +index 4360156b9c0..19b8077a8fb 100644 --- a/usr.sbin/acme-client/keyproc.c +++ b/usr.sbin/acme-client/keyproc.c @@ -18,55 +18,18 @@ 
@@ -1013,40 +1013,41 @@ index f0df9f292d4..fc7de74b616 100644 /* * Create an X509 certificate from the private key we have on file. * To do this, we first open the key file, then jail ourselves. -@@ -77,18 +40,20 @@ int - keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz, - enum keytype keytype) +@@ -76,19 +39,20 @@ add_ext(STACK_OF(X509_EXTENSION) *sk, int nid, const char *value) + int + keyproc(int netsock, struct domain_c *domain) { - char *der64 = NULL; - unsigned char *der = NULL, *dercp; - char *sans = NULL, *san = NULL; - FILE *f; -- size_t i, sansz; +- size_t sansz; - void *pp; - EVP_PKEY *pkey = NULL; - X509_REQ *x = NULL; -- X509_NAME *name = NULL; -- int len, rc = 0, cc, nid, newkey = 0; +- int len, rc = 0, cc, nid, newkey = 0, first; - mode_t prev; - STACK_OF(X509_EXTENSION) *exts = NULL; +- struct altname_c *ac; +- const char *keyfile = domain->key; + char *der64 = NULL; + unsigned char *der = NULL; + FILE *f; -+ size_t i; + struct key *pkey = NULL; + struct x509cert_req req; + struct x509cert_skey skey; + struct x509cert_dn dn; -+ struct x509cert_rdn rdn; + struct x509cert_item item; -+ int len, rc = 0, newkey = 0; ++ int len, rc = 0, newkey = 0, i; + mode_t prev; ++ struct altname_c *ac; ++ const char *keyfile = domain->key; + + req.alts = NULL; /* * First, open our private key file read-only or write-only if -@@ -110,8 +75,6 @@ keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz, +@@ -110,8 +74,6 @@ keyproc(int netsock, struct domain_c *domain) /* File-system, user, and sandbox jail. */ @@ -1055,7 +1056,7 @@ index f0df9f292d4..fc7de74b616 100644 if (pledge("stdio", NULL) == -1) { warn("pledge"); goto out; -@@ -145,102 +108,61 @@ keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz, +@@ -145,98 +107,65 @@ keyproc(int netsock, struct domain_c *domain) * Then set it as the X509 requester's key. */ 
@@ -1081,29 +1082,6 @@ index f0df9f292d4..fc7de74b616 100644 + break; } - /* Now specify the common name that we'll request. */ - -- if ((name = X509_NAME_new()) == NULL) { -- warnx("X509_NAME_new"); -- goto out; -- } else if (!X509_NAME_add_entry_by_txt(name, "CN", -- MBSTRING_ASC, (u_char *)alts[0], -1, -1, 0)) { -- warnx("X509_NAME_add_entry_by_txt: CN=%s", alts[0]); -- goto out; -- } else if (!X509_REQ_set_subject_name(x, name)) { -- warnx("X509_req_set_issuer_name"); -- goto out; -- } -+ rdn.oid = x509cert_oid_CN; -+ rdn.val.tag = X509CERT_ASN1_UTF8STRING; -+ rdn.val.val = alts[0]; -+ rdn.val.len = strlen(alts[0]); -+ rdn.val.enc = NULL; -+ dn.rdn = &rdn; -+ dn.rdn_len = 1; -+ req.subject.enc = x509cert_dn_encoder; -+ req.subject.val = &dn; - - /* - * Now add the SAN extensions. - * This was lifted more or less directly from demos/x509/mkreq.c @@ -1111,22 +1089,29 @@ index f0df9f292d4..fc7de74b616 100644 - * (The zeroth altname is the domain name.) - * TODO: is this the best way of doing this? - */ -+ /* Now add the SAN extension. */ ++ /* Use an empty subject. */ - nid = NID_subject_alt_name; - if ((exts = sk_X509_EXTENSION_new_null()) == NULL) { - warnx("sk_X509_EXTENSION_new_null"); -+ req.alts_len = altsz; -+ req.alts = calloc(altsz, sizeof(req.alts[0])); +- goto out; +- } +- /* Initialise to empty string. */ +- if ((sans = strdup("")) == NULL) { +- warn("strdup"); ++ dn.rdn = NULL; ++ dn.rdn_len = 0; ++ req.subject.enc = x509cert_dn_encoder; ++ req.subject.val = &dn; ++ ++ /* Now add the SAN extension. */ ++ ++ req.alts_len = domain->altname_count; ++ req.alts = calloc(domain->altname_count, sizeof(req.alts[0])); + if (req.alts == NULL) { + warn("calloc"); goto out; } -- /* Initialise to empty string. */ -- if ((sans = strdup("")) == NULL) { -- warn("strdup"); -- goto out; -- } - sansz = strlen(sans) + 1; - /* 
@@ -1136,9 +1121,23 @@ index f0df9f292d4..fc7de74b616 100644 - */ + /* Add a dNSName SAN entry for each alternate name. */ - for (i = 0; i < altsz; i++) { -- cc = asprintf(&san, "%sDNS:%s", -- i ? "," : "", alts[i]); +- first = 1; ++ i = 0; + TAILQ_FOREACH(ac, &domain->altname_list, entry) { + switch (ac->idtype) { + case ID_DNS: +- cc = asprintf(&san, "%sDNS:%s", first ? "" : ",", +- ac->domain); ++ req.alts[i].tag = X509CERT_SAN_DNSNAME; ++ req.alts[i].val = ac->domain; ++ req.alts[i].len = strlen(ac->domain); + break; + case ID_IP: +- cc = asprintf(&san, "%sIP:%s", first ? "" : ",", +- ac->domain); +- break; +- } +- first = 0; - if (cc == -1) { - warn("asprintf"); - goto out; @@ -1146,8 +1145,9 @@ index f0df9f292d4..fc7de74b616 100644 - pp = recallocarray(sans, sansz, sansz + strlen(san), 1); - if (pp == NULL) { - warn("recallocarray"); -- goto out; -- } ++ warnx("ID_IP is not supported"); + goto out; + } - sans = pp; - sansz += strlen(san); - strlcat(sans, san, sansz); @@ -1169,9 +1169,7 @@ index f0df9f292d4..fc7de74b616 100644 - if (!X509_REQ_sign(x, pkey, EVP_sha256())) { - warnx("X509_sign"); - goto out; -+ req.alts[i].tag = X509CERT_SAN_DNSNAME; -+ req.alts[i].val = alts[i]; -+ req.alts[i].len = strlen(alts[i]); ++ i++; } - /* Now, serialise to DER, then base64. */ @@ -1196,14 +1194,13 @@ index f0df9f292d4..fc7de74b616 100644 goto out; } else if ((der64 = base64buf_url(der, len)) == NULL) { warnx("base64buf_url"); -@@ -265,12 +187,8 @@ out: +@@ -261,11 +190,8 @@ out: fclose(f); free(der); free(der64); - free(sans); - free(san); - X509_REQ_free(x); -- X509_NAME_free(name); - EVP_PKEY_free(pkey); - ERR_print_errors_fp(stderr); - ERR_free_strings(); @@ -1213,10 +1210,19 @@ index f0df9f292d4..fc7de74b616 100644 return rc; } diff --git a/usr.sbin/acme-client/revokeproc.c b/usr.sbin/acme-client/revokeproc.c -index 493a9ea9752..82e31792f3b 100644 +index c0963a278fb..2109d7a8799 100644 --- a/usr.sbin/acme-client/revokeproc.c 
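Review bot: In the altname loop of the @@ -1136 and @@ -1169 hunks, `req.alts[i]` is written and `i` advanced for every `ID_DNS` entry with no check against `req.alts_len`, so correctness rests on `domain->altname_count` matching the length of `domain->altname_list` exactly; if those ever diverge this becomes an out-of-bounds write into the calloc'd array. A guard at the top of the loop body, `if (i >= req.alts_len) { warnx("altname count mismatch"); goto out; }`, makes that invariant explicit and cheap to keep. The `/* Use an empty subject. */` comment in the @@ -1111 hunk says what but not why; I would extend it to `/* Empty subject: ACME CAs take the identifiers from the SAN extension (RFC 8555 7.4), so no CN is needed. */`. The `ID_IP` branch in the @@ -1146 hunk now aborts keyproc with `ID_IP is not supported`, where the replaced code emitted an `IP:` entry, so the patch description should state that IP identifiers are unsupported in the BearSSL build. keyproc's body begins and ends outside these hunks.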
+++ b/usr.sbin/acme-client/revokeproc.c -@@ -22,73 +22,53 @@ +@@ -15,8 +15,6 @@ + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +-#include <sys/socket.h> +-#include <arpa/inet.h> + #include <assert.h> + #include <ctype.h> + #include <err.h> +@@ -24,71 +22,54 @@ #include <stdio.h> #include <stdlib.h> #include <string.h> @@ -1291,18 +1297,17 @@ index 493a9ea9752..82e31792f3b 100644 int revokeproc(int fd, const char *certfile, int force, - int revocate, const char *const *alts, size_t altsz) + int revocate, struct domain_c *domain) { - GENERAL_NAMES *sans = NULL; - unsigned char *der = NULL, *dercp; - char *der64 = NULL; -- char *san = NULL, *str, *tok; -- int rc = 0, cc, i, len; -- size_t *found = NULL; +- int rc = 0, cc, sanidx, len, j, k; +- int *found_altnames = NULL; + static const unsigned char dnsname[] = {0, 2}; + char buf[8192], *pos, *sans = NULL, *der64 = NULL; -+ int rc = 0, cc, state, err; -+ size_t i, j, n, len = 0, altlen, altmax, eltsz; ++ int rc = 0, cc, i, eltsz, state, err; ++ size_t n, len = 0, altlen, altmax; FILE *f = NULL; - X509 *x = NULL; + br_pem_decoder_context pc; @@ -1315,11 +1320,11 @@ index 493a9ea9752..82e31792f3b 100644 enum revokeop op, rop; time_t notafter, notbefore, cert_validity; time_t remaining_validity, renew_allow; -- size_t j; ++ struct altname_c *ac; /* * First try to open the certificate before we drop privileges -@@ -103,8 +83,6 @@ revokeproc(int fd, const char *certfile, int force, +@@ -103,8 +84,6 @@ revokeproc(int fd, const char *certfile, int force, /* File-system and sandbox jailing. */ @@ -1328,7 +1333,7 @@ index 493a9ea9752..82e31792f3b 100644 if (pledge("stdio", NULL) == -1) { warn("pledge"); goto out; -@@ -128,44 +106,88 @@ revokeproc(int fd, const char *certfile, int force, +@@ -128,45 +107,89 @@ revokeproc(int fd, const char *certfile, int force, goto out; } 
@@ -1397,12 +1402,13 @@ index 493a9ea9752..82e31792f3b 100644 + br_x509_decoder_get_notbefore(&xd, &days, &secs); + notbefore = 86400ll * (days - 719528) + 86400; + -+ for (i = 0, altmax = 0; i < altsz; ++i) { -+ altlen = strlen(alts[i]) + 1; ++ altmax = 0; ++ TAILQ_FOREACH(ac, &domain->altname_list, entry) { ++ altlen = strlen(ac->domain) + 1; + if (altlen > altmax) + altmax = altlen; + } -+ eltsz = altsz + 1; ++ eltsz = domain->altname_count + 1; + if ((elts = calloc(eltsz, sizeof(elts[0]))) == NULL || + (sans = calloc(eltsz, altmax)) == NULL) { + warn("calloc"); @@ -1426,7 +1432,8 @@ index 493a9ea9752..82e31792f3b 100644 - /* An array of buckets: the number of entries found. */ + /* Extract list of SAN entries from the certificate. */ -- if ((found = calloc(altsz, sizeof(size_t))) == NULL) { +- if ((found_altnames = (int *)calloc(domain->altname_count, +- sizeof(int))) == NULL) { - warn("calloc"); + br_x509_minimal_init(&xc, &br_sha256_vtable, NULL, 0); + br_x509_minimal_set_hash(&xc, br_sha256_ID, &br_sha256_vtable); 
@@ -1443,90 +1450,147 @@ index 493a9ea9752..82e31792f3b 100644 goto out; } -@@ -174,63 +196,37 @@ revokeproc(int fd, const char *certfile, int force, +@@ -175,121 +198,37 @@ revokeproc(int fd, const char *certfile, int force, * configuration file and that all domains are represented only once. */ -- for (i = 0; i < sk_GENERAL_NAME_num(sans); i++) { +- for (sanidx = 0; sanidx < sk_GENERAL_NAME_num(sans); sanidx++) { - GENERAL_NAME *gen_name; -- const ASN1_IA5STRING *name; -- const unsigned char *name_buf; +- char *name_buf = NULL; - int name_len; -- int name_type; +- struct altname_c *ac; - -- gen_name = sk_GENERAL_NAME_value(sans, i); +- gen_name = sk_GENERAL_NAME_value(sans, sanidx); - assert(gen_name != NULL); - -- name = GENERAL_NAME_get0_value(gen_name, &name_type); -- if (name_type != GEN_DNS) +- if (gen_name->type == GEN_IPADD) { +- char ip_buf[INET6_ADDRSTRLEN]; +- const char *ip; +- +- name_len = ASN1_STRING_length(gen_name->d.iPAddress); +- switch (name_len) { +- case 4: +- ip = inet_ntop(AF_INET, +- ASN1_STRING_get0_data(gen_name->d.iPAddress), +- ip_buf, INET6_ADDRSTRLEN); +- break; +- case 16: +- ip = inet_ntop(AF_INET6, +- ASN1_STRING_get0_data(gen_name->d.iPAddress), +- ip_buf, INET6_ADDRSTRLEN); +- break; +- default: +- ip = NULL; ++ TAILQ_FOREACH(ac, &domain->altname_list, entry) { ++ for (i = 0; i < eltsz; i++) { ++ if (elts[i].status == 1 && ++ strcmp(ac->domain, elts[i].buf) == 0) { ++ elts[i].status = 0; + break; + } +- if (ip == NULL) { +- warnx("invalid IP address"); +- continue; +- } +- name_len = asprintf(&name_buf, "%s", ip); +- } else if (gen_name->type == GEN_DNS) { +- name_len = ASN1_STRING_length(gen_name->d.dNSName); +- name_len = asprintf(&name_buf, "%.*s", +- name_len, +- ASN1_STRING_get0_data(gen_name->d.dNSName)); +- } else - continue; - -- /* name_buf isn't a C string and could contain embedded NULs. 
*/ -- name_buf = ASN1_STRING_get0_data(name); -- name_len = ASN1_STRING_length(name); +- if (name_len == -1) { +- warn("asprintf"); +- continue; + } - -- for (j = 0; j < altsz; j++) { -- if ((size_t)name_len != strlen(alts[j])) -- continue; -- if (memcmp(name_buf, alts[j], name_len) == 0) -+ for (i = 0; i < altsz; i++) { -+ for (j = 0; j < eltsz; j++) { -+ if (elts[j].status == 1 && -+ strcmp(alts[i], elts[j].buf) == 0) { -+ elts[j].status = 0; - break; +- j = 0; +- TAILQ_FOREACH(ac, &domain->altname_list, entry) { +- if (strcmp(name_buf, ac->domain) == 0) { +- found_altnames[j]++; +- break; +- } +- /* increment if didn't match */ +- j++; - } -- if (j == altsz) { +- if (j >= domain->altname_count) { +- /* we haven't matched any */ - if (revocate) { - char *visbuf; - - visbuf = calloc(4, name_len + 1); - if (visbuf == NULL) { -- warn("%s: unexpected SAN", certfile); +- warn("%s: unexpected SAN in " +- "certificate", certfile); +- free(name_buf); - goto out; - } - strvisx(visbuf, name_buf, name_len, VIS_SAFE); -- warnx("%s: unexpected SAN entry: %s", -- certfile, visbuf); +- warnx("%s: unexpected SAN entry in " +- "certificate: %s", certfile, visbuf); - free(visbuf); +- free(name_buf); - goto out; - } +- } - force = 2; - continue; - } -- if (found[j]++) { -+ if (j == eltsz) { +- } +- /* should not reach here if j is out of bounds */ +- if (found_altnames[j] > 1) { ++ if (i == eltsz) { if (revocate) { -- warnx("%s: duplicate SAN entry: %.*s", -- certfile, name_len, name_buf); -+ warnx("%s: domain not listed: %s", certfile, alts[i]); +- char *visbuf; +- visbuf = calloc(4, name_len + 1); +- if (visbuf == NULL) { +- warn("%s: duplicate SAN in " +- "certificate", certfile); +- free(name_buf); +- goto out; +- } +- warnx("%s: duplicate SAN entry in " +- "certificate: %s", certfile, visbuf); +- free(name_buf); +- free(visbuf); ++ warnx("%s: domain not listed: %s", certfile, ac->domain); goto out; } force = 2; } +- +- free(name_buf); } -- for (j = 0; j < altsz; j++) { -- if 
(found[j]) +- for (j = 0; j < domain->altname_count; j++) { +- struct altname_c *ac; +- +- if (found_altnames[j]) + for (i = 0; i < eltsz; i++) { + if (elts[i].status == 0) continue; if (revocate) { -- warnx("%s: domain not listed: %s", certfile, alts[j]); +- k = 0; +- TAILQ_FOREACH(ac, &domain->altname_list, entry) { +- if (j == k) +- break; +- k++; + char *visbuf; + + if (elts[i].status != 1 || + stravis(&visbuf, elts[i].buf, VIS_SAFE) < 0) { + warnx("%s: unexpected SAN", certfile); + goto out; -+ } + } +- warnx("%s: domain not listed: %s", certfile, +- ac->domain); + warnx("%s: unexpected SAN entry: %s", + certfile, visbuf); + free(visbuf); goto out; } force = 2; -@@ -256,16 +252,7 @@ revokeproc(int fd, const char *certfile, int force, +@@ -315,16 +254,7 @@ revokeproc(int fd, const char *certfile, int force, if (cc <= 0) goto out; @@ -1544,14 +1608,14 @@ index 493a9ea9752..82e31792f3b 100644 warnx("base64buf_url"); goto out; } else if (writestr(fd, COMM_CSR, der64) >= 0) -@@ -339,12 +326,9 @@ out: +@@ -398,12 +328,9 @@ out: close(fd); if (f != NULL) fclose(f); - X509_free(x); - GENERAL_NAMES_free(sans); - free(der); -- free(found); +- free(found_altnames); + free(cert.data); + free(sans); + free(elts); @@ -1561,5 +1625,5 @@ index 493a9ea9752..82e31792f3b 100644 return rc; } -- -2.49.0 +2.54.0 diff --git a/pkg/openbsd/patch/0038-nc-Add-option-to-disable-certificate-time-checking.patch b/pkg/openbsd/patch/0038-nc-Add-option-to-disable-certificate-time-checking.patch @@ -1,4 +1,4 @@ -From 0b4249dea4ec148875be7a7fedc8ec0873043c71 Mon Sep 17 00:00:00 2001 +From e3267bbd5f0e3f8ea9caf07c92f58b046100901a Mon Sep 17 00:00:00 2001 From: Michael Forney <mforney@mforney.org> Date: Thu, 20 May 2021 13:44:35 -0700 Subject: [PATCH] nc: Add option to disable certificate time checking @@ -22,7 +22,7 @@ index 2ffdcd1ea60..ecff109e395 100644 which requires a client certificate on incoming connections; or .Cm muststaple , 
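Review bot: In the matching loops of the @@ -175 hunk, a duplicated SAN in the certificate no longer produces the `duplicate SAN entry` message the removed code had: the first `TAILQ_FOREACH` clears only the first `status == 1` element that matches an altname, so the second copy stays set and is then reported by the following loop as `unexpected SAN entry`, which is correct but easy to mistake for a dropped check. A comment above the second `for (i = 0; i < eltsz; i++)` loop would save the next reader that analysis, e.g. `/* Anything still set here is a SAN with no altname, a second copy of an already-matched name, or (status != 1) an entry the decoder could not store whole. */` — the exact meaning of a non-1 status depends on the name-element setup earlier in the function and should be confirmed there. In the non-`revocate` path both kinds of mismatch only set `force = 2`, so a certificate whose SANs disagree with the configuration is silently scheduled for renewal; that matches the old behaviour, but the magic value still deserves a name or a one-line comment. revokeproc's body begins and ends outside this hunk.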
diff --git a/usr.bin/nc/netcat.c b/usr.bin/nc/netcat.c -index 9d182198089..74d18595309 100644 +index 4fd399a6f89..982b65592fe 100644 --- a/usr.bin/nc/netcat.c +++ b/usr.bin/nc/netcat.c @@ -70,8 +70,9 @@ @@ -35,9 +35,9 @@ index 9d182198089..74d18595309 100644 +#define TLS_CCERT (1 << 4) +#define TLS_MUSTSTAPLE (1 << 5) - /* Command Line Options */ - int dflag; /* detached, no stdin */ -@@ -551,6 +552,8 @@ main(int argc, char *argv[]) + #ifndef IPTOS_DSCP_VA + #define IPTOS_DSCP_VA 0xb0 +@@ -557,6 +558,8 @@ main(int argc, char *argv[]) errx(1, "clientcert is only valid with -l"); if (TLSopt & TLS_NONAME) tls_config_insecure_noverifyname(tls_cfg); @@ -46,7 +46,7 @@ index 9d182198089..74d18595309 100644 if (TLSopt & TLS_NOVERIFY) { if (tls_expecthash != NULL) errx(1, "-H and -T noverify may not be used " -@@ -1712,6 +1715,7 @@ process_tls_opt(char *s, int *flags) +@@ -1724,6 +1727,7 @@ process_tls_opt(char *s, int *flags) { "clientcert", TLS_CCERT, NULL }, { "muststaple", TLS_MUSTSTAPLE, NULL }, { "noname", TLS_NONAME, NULL }, @@ -55,5 +55,5 @@ index 9d182198089..74d18595309 100644 { "protocols", -1, &tls_protocols }, { NULL, -1, NULL }, -- -2.49.0 +2.54.0 diff --git a/pkg/openbsd/patch/0040-acme-client-Fix-enum-int-mismatch-in-declaration-of-.patch b/pkg/openbsd/patch/0040-acme-client-Fix-enum-int-mismatch-in-declaration-of-.patch @@ -1,4 +1,4 @@ -From 87c6da40a600a00d331d1d7f8968fd4ee933377a Mon Sep 17 00:00:00 2001 +From ef9e08a9597e02425f9da0f43486e0cdfa1a4a1e Mon Sep 17 00:00:00 2001 From: Michael Forney <mforney@mforney.org> Date: Wed, 4 Mar 2026 15:27:54 -0800 Subject: [PATCH] acme-client: Fix enum/int mismatch in declaration of @@ -9,10 +9,10 @@ Subject: [PATCH] acme-client: Fix enum/int mismatch in declaration of 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr.sbin/acme-client/extern.h b/usr.sbin/acme-client/extern.h -index 37820e6cfb6..3c780ebf777 100644 +index 990c784f706..32127182548 100644 --- a/usr.sbin/acme-client/extern.h 
+++ b/usr.sbin/acme-client/extern.h -@@ -252,7 +252,7 @@ char *base64buf_url(const unsigned char *, size_t); +@@ -249,7 +249,7 @@ char *base64buf_url(const unsigned char *, size_t); */ struct jsmnn *json_parse(const char *, size_t); void json_free(struct jsmnn *); @@ -22,5 +22,5 @@ index 37820e6cfb6..3c780ebf777 100644 int json_parse_challenge(struct jsmnn *, struct chng *); void json_free_order(struct order *); -- -2.49.0 +2.54.0 diff --git a/pkg/openbsd/patch/0043-nc-Use-explicit-cast-for-pointer-sign-conversion.patch b/pkg/openbsd/patch/0043-nc-Use-explicit-cast-for-pointer-sign-conversion.patch @@ -1,4 +1,4 @@ -From 4da7b308eb6d8c7947d3ea0106a49c8ab6e3481a Mon Sep 17 00:00:00 2001 +From bcaddae8de94a8d2d448a287b42a75a7306999b7 Mon Sep 17 00:00:00 2001 From: Michael Forney <mforney@mforney.org> Date: Sun, 17 May 2026 01:40:40 -0700 Subject: [PATCH] nc: Use explicit cast for pointer sign conversion @@ -8,10 +8,10 @@ Subject: [PATCH] nc: Use explicit cast for pointer sign conversion 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr.bin/nc/netcat.c b/usr.bin/nc/netcat.c -index 74d18595309..bb170967d8e 100644 +index 982b65592fe..82f1686fa6f 100644 --- a/usr.bin/nc/netcat.c +++ b/usr.bin/nc/netcat.c -@@ -1751,7 +1751,7 @@ save_peer_cert(struct tls *tls_ctx, FILE *fp) +@@ -1763,7 +1763,7 @@ save_peer_cert(struct tls *tls_ctx, FILE *fp) const char *pem; size_t plen; diff --git a/pkg/openbsd/patch/0044-Add-fallback-define-for-__pledge_open.patch b/pkg/openbsd/patch/0044-Add-fallback-define-for-__pledge_open.patch 
@@ -0,0 +1,27 @@
+From 62369cc52d95e6998078951d9fcb633b2c013954 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Wed, 20 May 2026 01:56:37 -0700
+Subject: [PATCH] Add fallback define for __pledge_open
+
+---
+ lib/libc/gen/readpassphrase.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/lib/libc/gen/readpassphrase.c b/lib/libc/gen/readpassphrase.c
+index c3bf85fb3eb..47f9c5707b5 100644
+--- a/lib/libc/gen/readpassphrase.c
++++ b/lib/libc/gen/readpassphrase.c
+@@ -36,6 +36,10 @@
+ #define TCSASOFT 0
+ #endif
+
++#ifndef __OpenBSD__
++#define __pledge_open open
++#endif
++
+ static volatile sig_atomic_t signo[_NSIG];
+
+ static void handler(int);
+--
+2.54.0
+
diff --git a/pkg/openbsd/sha256 b/pkg/openbsd/sha256
@@ -1,2 +1,2 @@
-1f20cc61f3b5bc9be69be131f9c897635ca6c3b4eba3a69e938a68e74139f48a src.tar.gz
-e24904caaee40e8774816b20f30983626f4a5434e04b4768a9ef451dc4bc39eb sys.tar.gz
+fb305c553059b48e8ee64539f392b783cb38a67865823f6f6a94f3b220a1268b src.tar.gz
+c9ef294021ef7aafd5f18ffe8ebfed63394e5a86d65d7436d6db78551f9d57f1 sys.tar.gz
diff --git a/pkg/openbsd/url b/pkg/openbsd/url
@@ -1,5 +1,5 @@
 remote-name
-url = "https://cloudflare.cdn.openbsd.org/pub/OpenBSD/7.8/src.tar.gz"
+url = "https://cloudflare.cdn.openbsd.org/pub/OpenBSD/7.9/src.tar.gz"
 remote-name
-url = "https://cloudflare.cdn.openbsd.org/pub/OpenBSD/7.8/sys.tar.gz"
+url = "https://cloudflare.cdn.openbsd.org/pub/OpenBSD/7.9/sys.tar.gz"
diff --git a/pkg/openbsd/ver b/pkg/openbsd/ver
@@ -1 +1 @@
-7.8 r3
+7.9
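Review bot: The new fallback in 0044 maps `__pledge_open` to `open` for every non-OpenBSD target without saying what `__pledge_open` is, so the only way to judge whether the substitution is safe is to read the rest of readpassphrase.c, which the hunk does not show. Presumably it is an OpenBSD-libc-internal, pledge-aware alias of open(2), and on hosts without pledge(2) a plain open is the intended equivalent; a comment next to the `#define`, e.g. `/* OpenBSD-internal alias of open(2) used under pledge; plain open elsewhere */`, would record that assumption where the next porter will look for it. The call site that uses the macro is outside the hunk.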