Build date: 1775253603 - Fri Apr 3 22:00:03 UTC 2026 Build cvs date: 1775238272 - Fri Apr 3 17:44:32 UTC 2026 Build id: 2026-04-04.1 Build tags: amd64-regress ports sysupgrade Applied the following diff(s): /home/anton/tmp/robsd/src-sys-em.diff /home/anton/tmp/robsd/src-sys-uhidev-sispm.diff /home/anton/tmp/robsd/src-sysupgrade.diff P lib/libssl/Makefile P lib/libssl/ssl.h P lib/libssl/ssl_both.c P lib/libssl/ssl_clnt.c P lib/libssl/ssl_local.h P lib/libssl/ssl_methods.c cvs server: lib/libssl/ssl_packet.c is no longer in the repository P lib/libssl/ssl_pkt.c P lib/libssl/ssl_srvr.c P lib/libssl/t1_enc.c P lib/libssl/tls13_legacy.c cvs server: lib/libssl/test/CAss.cnf is no longer in the repository cvs server: lib/libssl/test/CAssdh.cnf is no longer in the repository cvs server: lib/libssl/test/CAssdsa.cnf is no longer in the repository cvs server: lib/libssl/test/CAssrsa.cnf is no longer in the repository cvs server: lib/libssl/test/CAtsa.cnf is no longer in the repository cvs server: lib/libssl/test/P1ss.cnf is no longer in the repository cvs server: lib/libssl/test/P2ss.cnf is no longer in the repository cvs server: lib/libssl/test/Sssdsa.cnf is no longer in the repository cvs server: lib/libssl/test/Sssrsa.cnf is no longer in the repository cvs server: lib/libssl/test/Uss.cnf is no longer in the repository cvs server: lib/libssl/test/VMSca-response.1 is no longer in the repository cvs server: lib/libssl/test/VMSca-response.2 is no longer in the repository cvs server: lib/libssl/test/bctest is no longer in the repository cvs server: lib/libssl/test/cms-examples.pl is no longer in the repository cvs server: lib/libssl/test/cms-test.pl is no longer in the repository cvs server: lib/libssl/test/pkcs7-1.pem is no longer in the repository cvs server: lib/libssl/test/pkcs7.pem is no longer in the repository cvs server: lib/libssl/test/pkits-test.pl is no longer in the repository cvs server: lib/libssl/test/smcont.txt is no longer in the repository cvs server: lib/libssl/test/tcrl is no longer in the repository cvs server: lib/libssl/test/test.cnf is no longer in the repository cvs server: lib/libssl/test/test_aesni is no longer in the repository cvs server: lib/libssl/test/test_padlock is no longer in the repository cvs server: lib/libssl/test/testca is no longer in the repository cvs server: lib/libssl/test/testcrl.pem is no longer in the repository cvs server: lib/libssl/test/testenc is no longer in the repository cvs server: lib/libssl/test/testgen is no longer in the repository cvs server: lib/libssl/test/testp7.pem is no longer in the repository cvs server: lib/libssl/test/testreq2.pem is no longer in the repository cvs server: lib/libssl/test/testrsa.pem is no longer in the repository cvs server: lib/libssl/test/testsid.pem is no longer in the repository cvs server: lib/libssl/test/testss is no longer in the repository cvs server: lib/libssl/test/testssl is no longer in the repository cvs server: lib/libssl/test/testsslproxy is no longer in the repository cvs server: lib/libssl/test/testtsa is no longer in the repository cvs server: lib/libssl/test/testx509.pem is no longer in the repository cvs server: lib/libssl/test/times is no longer in the repository cvs server: lib/libssl/test/tpkcs7 is no longer in the repository cvs server: lib/libssl/test/tpkcs7d is no longer in the repository cvs server: lib/libssl/test/treq is no longer in the repository cvs server: lib/libssl/test/trsa is no longer in the repository cvs server: lib/libssl/test/tsid is no longer in the repository cvs server: lib/libssl/test/tx509 is no longer in the repository cvs server: lib/libssl/test/v3-cert1.pem is no longer in the repository cvs server: lib/libssl/test/v3-cert2.pem is no longer in the repository cvs server: lib/libssl/test/smime-certs/smdsa1.pem is no longer in the repository cvs server: lib/libssl/test/smime-certs/smdsa2.pem is no longer in the repository cvs server: lib/libssl/test/smime-certs/smdsa3.pem is no longer in the repository cvs server: lib/libssl/test/smime-certs/smdsap.pem is no longer in the repository cvs server: lib/libssl/test/smime-certs/smroot.pem is no longer in the repository cvs server: lib/libssl/test/smime-certs/smrsa1.pem is no longer in the repository cvs server: lib/libssl/test/smime-certs/smrsa2.pem is no longer in the repository cvs server: lib/libssl/test/smime-certs/smrsa3.pem is no longer in the repository P regress/lib/libssl/tlsext/tlsexttest.c P regress/lib/libssl/unit/ssl_versions.c P sys/arch/amd64/amd64/machdep.c P sys/arch/arm64/arm64/cpu.c P sys/arch/arm64/arm64/machdep.c P sys/arch/arm64/dev/acpicpu.c P sys/arch/arm64/include/cpu.h P sys/arch/riscv64/conf/GENERIC P sys/arch/riscv64/conf/RAMDISK P sys/arch/riscv64/conf/files.riscv64 U sys/arch/riscv64/dev/smtgpio.c P sys/arch/riscv64/riscv64/cpu.c M sys/dev/usb/uhidev.c P usr.bin/patch/patch.c P usr.bin/tmux/format-draw.c P usr.bin/tmux/format.c P usr.bin/tmux/input.c P usr.bin/tmux/screen-redraw.c P usr.bin/tmux/screen.c P usr.bin/tmux/server-client.c P usr.bin/tmux/status.c P usr.bin/tmux/style.c P usr.bin/tmux/tmux.1 P usr.bin/tmux/tmux.h P usr.bin/tmux/tty-keys.c P usr.bin/tmux/window.c M usr.sbin/bgpd/session.c P usr.sbin/npppd/npppd/parse.y P usr.sbin/relayd/config.c P usr.sbin/rpki-client/cert.c P usr.sbin/rpki-client/print.c P usr.sbin/smtpd/mda_variables.c P usr.sbin/smtpd/smtpd.conf.5 commit vQNebbVP0zRikxbp Author: kettenis Date: 2026/04/03 17:44:32 Stop printing the riscv,isa string; our code to do so is broken and the string is now deprecated. Instead change hw.model to be the CPU core name for cpu0 like we do on other architectures. We'll revisit printing CPU features for riscv64 in the future. ok jca@, mlarkin@ sys/arch/riscv64/riscv64/cpu.c commit gvRbW9gObDionyjj Author: kettenis Date: 2026/04/03 14:20:23 Add hw.blockcpu support for arm64. Here we classify CPU cores based on their "capacity". This a concept borrowed from the device tree standard that indicates the nominal performance of a CPU core. For ACPI machines we use similar information from ACPI's Collaborative Processor Performance Control (CPPC). If performance is less than 30% of the fastest cores in the same we classify them as L. Between 30% and 80% we classify them as E. And above 80% we classify them as P. The CPU capacity is communicated to userland though kstat(4). ok deraadt@, jca@ sys/arch/amd64/amd64/machdep.c sys/arch/arm64/arm64/cpu.c sys/arch/arm64/arm64/machdep.c sys/arch/arm64/dev/acpicpu.c sys/arch/arm64/include/cpu.h commit 8K1mN0G68AG5s5tP Author: op Date: 2026/04/03 13:21:00 fix memory leak in config_purge() when dealing CONFIG_PROTOS original diff from CypherFox (openbsd at cypher-fox com), thanks! slightly rearranged to be a bit smaller by me, but still equivalent. usr.sbin/relayd/config.c commit SQimshUxIV8H7OVL Author: jsing Date: 2026/04/03 13:11:00 Remove workaround for SSL 3.0/TLS 1.0 CBC vulnerability. We no longer support TLSv1.0 and definitely do not support SSLv3 - remove the empty fragments workaround for the CBC vulnerability in these protocols. ok kenjiro@ tb@ lib/libssl/ssl.h lib/libssl/ssl_both.c lib/libssl/ssl_local.h lib/libssl/ssl_pkt.c lib/libssl/t1_enc.c commit PE4P17l8GFxp9bCE Author: kirill Date: 2026/04/03 12:58:40 usr.bin/patch: fix fd leak From Renaud Allard OK: op@ usr.bin/patch/patch.c commit 5WeMUnKOd26i0j2D Author: jsing Date: 2026/04/03 12:58:19 Ensure that we cannot negotiate TLSv1.1 or lower. TLS versions prior to TLSv1.2 were disabled a while ago, however this was done in the version handling code. Remove TLSv1.1 and earlier from ssl_get_method() and add an explicit min version check in the legacy client and server, to provide a stronger guarantee. ok kenjiro@ tb@ lib/libssl/ssl_clnt.c lib/libssl/ssl_methods.c lib/libssl/ssl_srvr.c commit gXl4e7NgNo62c6NV Author: kettenis Date: 2026/04/03 12:47:06 Add smtgpio(4), a driver for the GPIO controller found on SpacemiT K1 SoCs. ok jca@ sys/arch/riscv64/conf/GENERIC sys/arch/riscv64/conf/RAMDISK sys/arch/riscv64/conf/files.riscv64 sys/arch/riscv64/dev/smtgpio.c commit pMk7jwTmALYjUmOy Author: jtt Date: 2026/04/03 10:18:58 smtpd: fix using modifiers with partial expansion in format specifiers Nits on the manpage and ok op@ usr.sbin/smtpd/mda_variables.c usr.sbin/smtpd/smtpd.conf.5 commit Yy5wo4aspTr4zszo Author: nicm Date: 2026/04/03 10:13:20 Add some new mouse ranges called "control0" to "control9", will be used for controls on floating panes, from Dane Jensen, with some bits from Michael Grant. usr.bin/tmux/format-draw.c usr.bin/tmux/format.c usr.bin/tmux/screen-redraw.c usr.bin/tmux/server-client.c usr.bin/tmux/status.c usr.bin/tmux/style.c usr.bin/tmux/tmux.h usr.bin/tmux/window.c commit GVHFlKSTeQo9jFtH Author: op Date: 2026/04/03 09:36:21 remove dup block that tries to close tls client ca fd it's already closed and fd set to -1 a few lines above. diff from Marc Jorge (openbsd [at] cypher-fox com), thanks! usr.sbin/relayd/config.c commit dUg3vUIOry6VxJV0 Author: nicm Date: 2026/04/03 09:18:24 Missed a line from previous. usr.bin/tmux/screen.c commit wSvYeXonScfZIiJh Author: nicm Date: 2026/04/03 09:14:27 Handle OSC 9;4 progress bar sequence and store in format variables, from Eric Dorland in GitHub issue 4954. usr.bin/tmux/format.c usr.bin/tmux/input.c usr.bin/tmux/screen.c usr.bin/tmux/tmux.1 usr.bin/tmux/tmux.h commit rUyeNv5FxpQSq762 Author: nicm Date: 2026/04/03 08:23:10 Increase b64_pton buffer to allow for Base64 without padding, from Michal Majchrowicz. usr.bin/tmux/input.c usr.bin/tmux/tty-keys.c commit 38ScMztyXdl6Wv8n Author: jsing Date: 2026/04/03 07:40:14 Fix min vs max in failure output. regress/lib/libssl/unit/ssl_versions.c commit mWkQmKUaCPYJPQId Author: jsing Date: 2026/04/03 07:37:52 Use DTLS_client_method() instead of DTLSv1_client_method(). regress/lib/libssl/tlsext/tlsexttest.c commit X98nI3fqoyqP3vhr Author: jsing Date: 2026/04/03 07:26:20 Remove ssl_server_legacy_first_packet() This has not been reachable since we made the TLSv1.3 stack the default entry point - tls13_record_layer_read_record() will send a protocol version alert and raise an error, which means we never transition into the legacy stack. ok kenjiro@ lib/libssl/Makefile lib/libssl/ssl_pkt.c commit fIO6rvAhPBVG9Ue5 Author: jsing Date: 2026/04/03 07:17:36 Mop up mac_packet. This is a left over from when we accepted SSLv2 ClientHello messages. ok kenjiro@ lib/libssl/ssl_both.c lib/libssl/ssl_local.h lib/libssl/ssl_pkt.c lib/libssl/tls13_legacy.c commit ZehpXhF8K8FE1IFd Author: tb Date: 2026/04/03 02:41:03 rpki-client: stop aligning variables in cert_parse_extensions() While it looks a bit tidier if the variables are aligned with a tab in the declarations, this is also a source of churn, so give up on this in this function. usr.sbin/rpki-client/cert.c commit JENufHqm2K3tmkbU Author: tb Date: 2026/04/03 02:36:38 rpki-client: const for ext and OID in cert_parse_extensions() This is the last step of sprinkling const for OpenSSL 4. Move the extension retrieved via X509_get_ext() to a const. The extension is first passed to the simple X509_EXTENSION_get_object() getter and in the extension parsers to X509V3_EXT_d2i(). The OID is passed to the const correct OBJ_obj2nid() and OBJ_obj2text(). discussed with claudio usr.sbin/rpki-client/cert.c commit skkn81YOxGliiSaQ Author: tb Date: 2026/04/03 02:33:21 rpki-client: cast extension passed to X509_EXTENSION_get_object() Again this is currently a noop which is needed since this simple getter isn't const correct in OpenSSL < 4 and LibreSSL and because OpenSSL 4 fixed this. discussed with claudio usr.sbin/rpki-client/cert.c commit R9gtbJbwg6Y9rHSM Author: tb Date: 2026/04/03 02:23:33 rpki-client: const correct cert extension handlers The only reason the extension passed in wasn't const was X509V3_EXT_d2i(), for which we now cast away const. discussed with claudio usr.sbin/rpki-client/cert.c commit d9HcppvtJHQMwBEw Author: tb Date: 2026/04/03 02:20:03 rpki-client: cast extension passed to X509V3_EXT_d2i() This function has never modified the extensions. It only uses the extension's object (OID) to retrieve the X509_EXT_METHOD and then calls the appropriate d2i handler on the extension's value. OpenSSL 4 correctly added a const qualifier to this function. The cast is a noop right now, but once we switch the extension handlers' signatures to take a const, this will generate a warning due to passing a const pointer to a non-const function for OpensSL < 4 and LibreSSL. Annotate the cast for our future selves. discussed with claudio usr.sbin/rpki-client/cert.c commit OCsCQAfGNVVujowm Author: tb Date: 2026/04/03 02:11:43 rpki-client: rename certificate_policies() into cert_policies() This is slightly more consistent with the remainder of the file. All other extension handlers except those for ipAddrBlocks and autonomousSysIds, which start with sbgp_ for historical reasons, have a cert_ prefix. discussed with claudio usr.sbin/rpki-client/cert.c commit fqj3JWIuyV4yT4MG Author: tb Date: 2026/04/03 02:10:10 rpki-client: cast away const for X509_get_X509_PUBKEY() In cert_check_spki() the pubkey is a libcrypto-internal pointer hanging off cert->x509, which is then passed to the very const-incorrect getter X509_PUBKEY_get0_param(): that's a piece of art which hands back pointers to things deeper down in the x509 - some of them const, some non-const. OpenSSL 3 made its X509_PUBKEY argument const, but their X509_ALGOR ** still isn't. I don't believe they thought about this in #11894 as they had a more important _cmp() vs _eq() bikeshed to sort out. discussed with claudio usr.sbin/rpki-client/cert.c commit w55PhNPnrKFHHbqA Author: tb Date: 2026/04/03 02:07:15 rpki-client: make the X509_NAME *xissuer const X509_get_issuer_name() isn't const correct in LibreSSL and OpenSSL < 4 and it returns a modifiable X509_NAME *. The xissuer is only passed to X509_NAME_oneline() which takes a const X509_NAME, so it can be const. discussed with claudio usr.sbin/rpki-client/print.c commit 8BtvI1RuLaTLxbId Author: yasuoka Date: 2026/04/03 00:09:24 Fix a memory leak in handling radius configuration. Diff from iij. usr.sbin/npppd/npppd/parse.y