OpenBSD Journal

Omar Polo (op@) has announced the release of version 7.4.0p1 of OpenSMTPD.

It is a bugfix release.

In a long series of commits, Robert Nagy (robert@) updated clang(1)/llvm in -current to version 16:

CVSROOT: /cvs Module name: src Changes by: robert@cvs.openbsd.org 2023/11/11 11:01:31 Log message: import of llvm from LLVM 16.0.6 Status: Vendor Tag: LLVM Release Tags: LLVM_16_0_6 U src/gnu/llvm/llvm/.clang-format U src/gnu/llvm/llvm/.clang-tidy U src/gnu/llvm/llvm/.gitattributes […] U src/gnu/llvm/llvm/utils/vscode/llvm/syntaxes/ll.tmLanguage.yaml U src/gnu/llvm/llvm/utils/yaml-bench/CMakeLists.txt U src/gnu/llvm/llvm/utils/yaml-bench/YAMLBench.cpp 67 conflicts created by this import. Use the following command to help the merge: cvs checkout -jLLVM:yesterday -jLLVM src/gnu/llvm/llvm

Naturally, this has involved supporting work elsewhere in base, and in ports.

A new stable release of LibreSSL is out, and should be arriving on a mirror near you shortly.

Brent Cook (bcook@)'s announcement reads:

We have released LibreSSL 3.8.2, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon. This is the first stable release for the 3.8.x branch, also available with OpenBSD 7.4

Read more…

Theo de Raadt (deraadt@) posted to tech@ a message entitled disruptive amd64 snapshot coming. It reads:

There is a pretty disruptive amd64 snapshot coming, so anyone who is using snapshots for critical stuff should take a pause. (This warning about a development step is unusual, I won't make it common practice).

Of course, on non-critical amd64 systems running snapshots, this is a good opportunity to test (and report any problems).

Hot on the heels of the release of OpenBSD 7.4, Omar Polo (op@) has announced the release of OpenSMTPD 7.4.0p0. The announcement reads,

Subject: OpenSMTPD 7.4.0p0 Released From: Omar Polo <op () openbsd ! org> Date: 2023-10-25 7:33:43 OpenSMTPD is a FREE implementation of the SMTP protocol with some common extensions. It allows ordinary machines to exchange e-mails with systems speaking the SMTP protocol. It implements a fairly large part of RFC5321 and can already cover a large range of use-cases. It runs on OpenBSD, NetBSD, FreeBSD, DragonFlyBSD, Linux and OSX. The archives are now available from the main site at www.OpenSMTPD.org

Read more…

As announced on the misc@ mailing list, Otto Moerbeek (otto@), the author of OpenBSD's malloc(3) implementation [a.k.a. "otto malloc"], has written a tutorial on the new malloc(3) leak detection available in OpenBSD 7.4

Read it at: OpenBSD's built-in memory leak detection

Since the publication of that write-up, Otto has committed further enhancements:

CVSROOT: /cvs Module name: src Changes by: otto@cvs.openbsd.org 2023/10/22 06:19:26 Modified files: lib/libc/stdlib: malloc.3 malloc.c Log message: When option D is active, store callers for all chunks; this avoids the 0x0 call sites for leak reports. Also display more info on detected write of free chunks: print the info about where the chunk was allocated, and for the preceding chunk as well. ok asou@

The OpenBSD project has announced the release of OpenBSD 7.4, the 55th release of the OpenBSD operating system.

The new release contains a number of innovations and improvements across a number of areas, including

• Mandatory enforcement of indirect branch targets [See earlier report].
• viogpu(4), a VirtIO GPU driver [See earlier report].
• vmd(8) has moved to a multi-process model for virtio(4) block and network devices [See earlier report].
• Virtual machine owners can now override the boot kernel [See earlier report].
• malloc(3) now has built-in leak detection [See earlier report]. Chunk sizes are now fine-grained, and all chunks in the delayed free list are checked for write-after-free.
• In LibreSSL 3.8.2, TLSv1.0 and TLSv 1.1 are disabled in libssl. Ed25519 certificates are now supported in openssl(1) ca and req.
• In OpenSSH 9.5, ssh-kengen(1) generates Ed25519 keys by default. Keystroke timing obfuscation has been added to ssh(1) [See earlier report]. The fingerprint of a newly generated host key is printed on first boot [See commit].
• cron(8) now supports random ranges with steps [See earlier report].
• shutdown(8)/reboot(8) now require membership of group _shutdown [See earlier report].
• sec(4) for Route Based IPSec VPNs [See earlier reports].
• Soft updates (softdep) have been disabled for future VFS work [See earlier report].
• There has been a major rewrite of pfsync(4) [See earlier report].
• AMD processor microcode update is now supported [See earlier report].
• ifconfig(8) has a new wgdescr[iption] option which allows labelling peers.

as well as the general churn of optimizations and fixes across the system.

Package counts (packages prebuilt for this release) for the more popular architectures are
i386: 10603,
amd64: 11845,
aarch64: 11508,
sparc64: 8469,
powerpc64: NNNNN,
--> with more to follow as bulk builds complete.

As always, the release is available for download from mirror sites all over the world; be sure to pick one that is near you, network-wise! Those upgrading from the 7.3 release (or earlier) should consult the Upgrade Guide.

Thanks again to the developers for the dedicated effort that went into producing this new release!

The release of version 8.3 of OpenBGPD has been announced.

This version contains a few fixes.

Rafael Sadowski (rsadowski@) blogged about his participation in p2k23.

Perhaps most notable is his work in porting KDE Plasma.

Read all about it at https://rsadowski.de/posts/2023-10-09-p2k23-dublin-openbsd-hackathon/.

There is some further discussion of the work in a thread titled NEW: KDE Plasma (x11/kde-plasma) on the ports@ mailing list.

Version 8.6 of rpki-client, the FREE, easy-to-use implementation of the Resource Public Key Infrastructure (RPKI) for Relying Parties (RP), has been released.

This version includes new compliance checks, random shuffling of processing of Manifest entries, and [non-random!] code shuffling.

See the announcement for more details.

This is another hint that a new OpenBSD release is about to happen, and soon.

Jay Eptinxa has published a detailed write-up, entitled E-mail Filters In C, of his work creating a spamd(8)-like greylisting smtpd(8) filter.

Thanks to Crystal Kolipe for letting us know!

OpenSSH 9.5 has been released.

This releases features the keystroke timing obfuscation on which we reported earlier.

With a message from Claudio Jeker (claudio@), the OpenBSD project today announced the release of the OpenBSD BGP (Border Gateway Protocol) daemon OpenBGPD, version 8.2.

The announcement reads, From: Claudio Jeker <claudio () openbsd ! org> Date: Mon, 02 Oct 2023 10:22:39 +0000 To: openbsd-announce Subject: OpenBGPD 8.2 released We have released OpenBGPD 8.2, which will be arriving in the OpenBGPD directory of your local OpenBSD mirror soon.

Read more…

Many OpenBSD sysadmins find the sysclean(8) port useful for removing obsolete files following upgrades.

Sebastien Marie (semarie@), the author of sysclean(8), has written a piece giving an under-the-hood look at the operation of this handy utility. It's well worth reading for those interested in understanding how it works!

With the following commit, Theo de Raadt (deraadt@) moved -current to version 7.4:

CVSROOT: /cvs Module name: src Changes by: deraadt@cvs.openbsd.org 2023/09/26 07:27:32 Modified files: sys/conf : newvers.sh Log message: we are heading out of -beta

For those unfamiliar with the process: this is not the 7.4 release, but is part of the standard build-up to the release.

Remember: It's time to start using "-D snap" with pkg_add (and pkg_info).

(Regular readers will know what comes next…)
This serves as an excellent reminder to upgrade snapshots frequently, test both base and ports, and report problems [plus, of course, donate!].

Theo de Raadt (deraadt@) posted to tech@ a detailed message explaining the past and (potential) future of anti-ROP measures in OpenBSD.

It's well worth reading its entirety. Highlights include:

Years later, Todd Mortimer and I developed RETGUARD. At the start of that initiative he proposed we protect all functions, to try to guard all the RET instructions, and therefore achieve a state we call "ROP-free". I felt this was impossible, but after a couple hurdles the RETGUARD performance was vastly better than the stack protector and we were able to protect all functions and get to ROP-free (on fixed-sized instruction architecures). Performance was acceptable to trade against improved security. […] We were able to enable RETGUARD on all functions because it was fast. […] On the other hand the RETGUARD approach uses an illegal instruction (of some sort), which is a speculation barrier. That prevents the cpu from heading off into an alternative set of weeds. It will go decode more instructions along the post-RET execution path. I filed that idea as interesting but did nothing with it. Until now.

Like we said earlier, it is worth reading the whole thing! This points forward to some remarkable improvements on several architectures, and those changes could be a clear benefit for other systems too.

Frederic Cambus (fcambus@) wrote a blogpost about running OpenBSD on the arm64-based cloudservers provided by Hetzner. For now, only -current will work, because the new viogpu(4) driver [on which we reported earlier] is needed.

Head on over to Frederic's blog for the full story!

EuroBSDCon 2023 has now ended, and slides for many of the OpenBSD developer presentations are now available in the usual place.

Video of the presentations can be expected somewhat later.

Slides from the tutorial "Network Management with the OpenBSD Packet Filter Toolset" are also available.

Version 0.93 of Game of Trees has been released (and the port updated).

Read more…

With the following commit(s), Theo de Raadt (deraadt@) moved -current to version 7.4-beta:

CVSROOT: /cvs Module name: src Changes by: deraadt@cvs.openbsd.org 2023/09/18 07:16:13 Modified files: share/mk : sys.mk etc/root : root.mail sys/conf : newvers.sh sys/arch/macppc/stand/tbxidata: bsd.tbxi usr.bin/signify: signify.1 Log message: crank to 7.4-beta

Snapshots are (already) available for several platforms. At the time of writing, there are a mixture of 7.3 and 7.4 files on at least some mirrors, so readers are advised that problems may occur.

(Regular readers will know what comes next…)

This serves as an excellent reminder to upgrade snapshots frequently, test both base and ports, and report problems [plus, of course, donate!].