Fix relayd reload race crash Instead of terminating with fatalx() when a private key hash cannot be found, log a warning and send an error back to the relay worker. This prevents a race condition during "reload" where a request might reach the CA process while keys are being repopulated. Reported by Nick Owens; thanks! OK tb@

relayd: replace unneeded engine.h with needed x509.h Adjust a comment. Being non-existent, the OpenSSL engine layer cannot be responsible for whatever unholy hacks this code requires.

Set User-Agent for HTTP healthchecks Joel Carnat (Thanks) notice that GoToSocial does not like it when we sent no User-Agent and returns an HTTP/418. Lloyd pointed to use RELAYD_SERVERNAME instead hardcoded "relayd" OK sthen, claudio (diff without RELAYD_SERVERNAME)

relayd/log.h: missed cvs add

Standardize logging with bgpd OK claudio@

imsg_composev() / imsgbuf_flush() handle return values OK claudio@

fix memory leak in rsae_send_imsg If the cookie doesn't match, we bail with a continue and totally forget to free the imsg. OK claudio@

usr.sbin/relayd: add support for PROXY protocol in TCP relays patch from Christoph Liebender OK: rsadowski@

Slightly iprove a confusing wording in the parse.y manuals: The things that need quoting are not necessarily "argument names", and not even necessarily "names" at all, so just talk about "arguments". "I guess?" florian@ and no objection from otto@, both back in July 2025. Actually, the quoting rules are more complicated than the text makes believe, but i do not know how to better describe them. It may not be easy because some suspect the implementation may be somewhat adhoc rather than based on cleary defined lexical rules.

fix scan-build dead stores findings OK stsp

fix missing initialisation It is possible that "request_method" is checked without having been initialised in line 439. OK kirill@ stsp@

relayd: fix dead store and unindent carp_demote_init Found by scan-build: carp.c:64:7: warning: Although the value stored to 'c' is used in the enclosing expression, the value is never actually read from 'c' [deadcode.DeadSt ores] 64 | if ((c = carp_group_find(group)) == NULL) Feedback from Crystal Kolipe and tb@, OK tb@

relayd: fix relay_http_time() to emit GMT times again The HTTP standard RFC 9110 requires GMT, in HTTP-date. We used to do this until a recent modification to localtime.c changed GMT to UTC. sync from httpd

For IMSG_BINDANY, bnd.bnd_proc wasn't range checked to ensure it is positive. As a result IF the other side of the privsep was succesfully exploited, it could then send such a flawed message and cause a cause an array bounds violation over the privsep boundary. Reported by S. Ai, H. Lefeuvre, Systopia team ok claudio

Make internal hyperlinking work by moving custom sections from .Sh to .Ss and the titles from all caps to sentence case such that they match the table of contents, and switch from .Sy to .Sx as needed. OK florian@

In the manual pages for configuration files based on parse.y, describe the syntax of both defining and using macros, rather than exclusively relying on examples, which some of the pages do not even provide. In those pages containing tables of content, also clarify that the "Macros" section contains *definitions* of variables. Both changes were already committed to vm.conf(5) earlier. In those few pages that referenced cpp(1) and m4(1), stop doing that because the macro definition syntax and the macro dereferencing syntax of both languages is totally different from the parse.y syntax. OK florian@, and deraadt also requests keeping these manuals in sync.

Ensure that string buffers are '\0' terminated when handling them in the privileged parent. Again code does not expect strings that are not terminated and by default nothing sends such strings but lets fix this bug anyway. Reported by S. Ai, H. Lefeuvre, Systopia team OK tb@ benno@

unveil the agentx socket path. This was probably broken with adding unix sockets to unveil. reported by pascal@ OK sthen@ benno@

Convert various reyk proc.c daemons over to new imsgbuf_init and imsgbuf_allow_fdpass. OK tb@

Convert the common imsgbuf_read calls to the post EAGAIN world. OK tb@

Use imsgbuf_queuelen() instead of accessing the w.queue member. OK tb@

Use imsgbuf_clear() where appropriate instead of msgbuf_clear(). OK tb@

Rename imsg_init, imsg_clear, imsg_read, imsg_write and imsg_flush to imsgbuf_init, imsgbuf_clear, imsgbuf_read, imsgbuf_write and imsgbuf_flush. This separates the imsgbuf API from the per-imsg API. OK tb@

Convert imsg_write() callers to the new simplified return logic. OK tb@

Introduce imsg_write() and use it instead of msgbuf_write(). imsg_write() is just a thin wrapper around msgbuf_write(). So this is mostly search and replace. OK tb@