OpenBSD Journal

Game of Trees 0.111 released

2 months 2 weeks ago

Version 0.111 of Game of Trees has been released (and the port updated, with additional useful information in the commit message):

  • introduce gotsysd: configure gotd servers by committing to gotsys.git repo
  • make gotd run 'gotsys check' on gotsys.conf commits before accepting them
  • make gotd run 'gotsys apply' when the gotsys.git repo receives changes
  • add a missing malloc failure check to gotd's repo_write process
  • make got clone/fetch work against Git servers which do not speak English
  • stop processing more messages upon error in gotd repo_write process
  • close file descriptors passed to gotd_imsg_compose_event() on failure
  • potential fix for use-after-free in lib/repository.c's match_packed_object()
  • make gotd return an informative error when the connection limit is exceeded
  • in gotctl info, display the time when a client connection was created
  • add reload support to gotd, triggered via 'gotctl reload', not via SIGHUP!
  • test S_ISREG in parse_ref_file() explicitly rather than via getline(3)
  • release ref-file lock when fstat fails in parse_ref_file()
  • do not treat unhandled signals as a fatal error in gotwebd
  • fix an edge case of tog spinning when 'B' is pressed in log view
  • stop using got_repo_map_path() in gotwebd to fix spurious realpath(3) errors
  • avoid creation of pack_fds array when not needed, saving file descriptors
  • gotwebd now runs as the _gotwebd user by default, rather than "www"
  • gotwebd can now serve repositories outside the /var/www chroot directory
  • the gotwebd.conf repos_path directive is no longer relative to the chroot
  • get rid of the gotwebd-specific libexec helpers in /var/www/bin/gotwebd
  • improve gotwebd behaviour when sending data to already disconnected clients
  • plug some memory leaks in got-send-pack and got-fetch-pack
  • fix got-fetch-http performance when server sends chunked HTTP responses

Graphed and measured: running TCP input in parallel

2 months 2 weeks ago
Over on tech@, Alexander Bluhm (bluhm@) is airing a patch to improve parallel TCP input, and is looking for testers:

List: openbsd-tech
Subject: running TCP input in parallel
From: Alexander Bluhm <bluhm () openbsd ! org>
Date: 2025-04-17 16:53:19

Hi,

To run tcp_input() in parallel efficiently, we have to lock the socket in a smart way. I have measured multiple variants.

http://bluhm.genua.de/perform/results/2025-04-16T09:33:58Z/perform.html

The relevant TCP graph is here.

http://bluhm.genua.de/perform/results/2025-04-16T09:33:58Z/gnuplot/tcp.html
http://bluhm.genua.de/perform/results/2025-04-16T09:33:58Z/gnuplot/tcp6.html

First column (left) is no locking at all, just exclusive net lock.

Read more…

rpki-client 9.5 released

2 months 3 weeks ago

The OpenBSD project has announced the release of version 9.5 of rpki-client:

rpki-client 9.5 has just been released and will be available in the rpki-client directory of any OpenBSD mirror soon.

It is recommended that all users upgrade to this version for improved reliability.

rpki-client is a FREE, easy-to-use implementation of the Resource Public Key Infrastructure (RPKI) for Relying Parties to facilitate validation of BGP announcements. The program queries the global RPKI repository system and validates untrusted network inputs. The program outputs validated ROA payloads, BGPsec Router keys, and ASPA payloads in configuration formats suitable for OpenBGPD and BIRD, and supports emitting CSV and JSON for consumption by other routing stacks.

See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix Origin Validation help secure the global Internet routing system.

rpki-client was primarily developed by Kristaps Dzonsons, Claudio Jeker, Job Snijders, Theo Buehler, Theo de Raadt and Sebastian Benoit as part of the OpenBSD Project.

This release includes the following changes to the previous release:

- rpki-client now includes arin.tal which is no longer legally encumbered. See https://www.arin.net/announcements/20250116-tal/
- rpki-client reports Certification Authorities that do not meaningfully participate in the RPKI as non-functional CAs. By definition, a CA is non-functional if there is no currently valid Manifest. The number of such CAs is printed at the end of each run and more detailed information is available in the JSON (-j) and OpenMetrics (-m) output.
- OpenBSD reliability errata 014: Incorrect internal RRDP state handling in rpki-client can lead to a denial of service. Affected are rpki-client versions 7.5 - 9.4.
- Termination of rsync child processes with SIGTERM is no longer treated as an error if rpki-client has sent this signal. This only affects openrsync.
- Do not exit filemode with an error if a .gbr or a .tak object contains control characters in its UTF-8 strings. Instead, only warn and emit a sanitized version in JSON output.

Upcoming breaking change:

- Starting with release 9.6, rpki-client will emit all key identifiers (AKI and SKI) encoded in JSON as bare hex strings without colons.

Read more…

OpenIKED 7.4 Released

2 months 3 weeks ago

The OpenBSD project has announced the release of OpenIKED 7.4:

We have released OpenIKED 7.4, which will be arriving in the OpenIKED directory of your local OpenBSD mirror soon.

This release includes the following changes to the previous release:

* Fixed a double free bug in ECDH
* Added a natt config option that forces negotiation of nat-t (and udpencap) for a policy
* Made config file verification not require root permissions
* Fixed a bug where iked was retransmitting fragments too eagerly
* Tightened apparmor sandboxing on Linux
* Various other bug fixes, compatibility fixes and documentation improvements

Read more…

OpenSSH 10.0 Released

2 months 4 weeks ago
The OpenSSH project has announced their latest release, OpenSSH 10.0.

The announcement and release notes read:

OpenSSH 10.0/10.0p1 (2025-04-09)

OpenSSH 10.0 was released on 2025-04-09. It is available from the mirrors listed at https://www.openssh.com/.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html

Potentially-incompatible changes
--------------------------------

* This release removes support for the weak DSA signature algorithm, completing the deprecation process that began in 2015 (when DSA was disabled by default) and repeatedly warned over the last 12 months.

Read more…

New sysctl(8) -f option supports reading entire settings file in one go

3 months ago
If you have ever been irked by having to enter a sequence of sysctl(8) commands to achieve things like enabling forwarding for IPv4 and IPv6 both, help is at hand.

In a recent commit, Klemens Nanni (kn@) added functionality to have the classic command read multiple settings from a file:

Subject: CVS: cvs.openbsd.org: src
From: Klemens Nanni <kn () cvs ! openbsd ! org>
Date: 2025-04-05 14:09:06
Message-ID: f3c322a675a4cd33 () cvs ! openbsd ! org

CVSROOT: /cvs
Module name: src
Changes by: kn@cvs.openbsd.org 2025/04/05 08:09:06

Modified files:
	sbin/sysctl : sysctl.8 sysctl.c

Log message:
Add [-f file] to apply sysctl.conf in one go

Read more…

rsync replaced with openrsync on macOS Sequoia

3 months ago
We (undeadly.org editors) had not noticed ourselves, but Will Backman wrote in about the news that some OpenBSD code -- openrsync -- had been made available to a wider audience, courtesy of Apple:

"While Apple has been updating the rsync 2.6.9 command line tool it shipped with macOS as needed in response to security issues and other problems, the fact remains that Apple’s version of rsync up until macOS Sequoia was almost twenty years old and did not include any of the new features introduced in rsync versions which came after version 2.6.9."

"Now with macOS Sequoia, Apple has replaced rsync 2.6.9 with openrsync, an implementation of rsync which is not using any version of the GPL open source license."

You can read more at https://derflounder.wordpress.com/2025/04/06/rsync-replaced-with-openrsync-on-macos-sequoia/

The editors can confirm that on a fully updated Mac, man rsync will reveal that rsync is indeed the OpenBSD openrsync.

OpenBSD -current has moved to version 7.7

3 months 1 week ago

The OpenBSD 7.7 release cycle is entering its final phases…

With the following commit, Theo de Raadt (deraadt@) moved -current to version 7.7 (dropping the "-beta"):

CVSROOT: /cvs
Module name: src
Changes by: deraadt@cvs.openbsd.org 2025/03/30 14:43:36

Modified files:
	sys/conf : newvers.sh

Log message:
head out of -beta to 7.7

For those unfamiliar with the process: this is not the 7.7 release, but is part of the standard build-up to the release.

Remember: It's time to start using "-D snap" with pkg_add(1) (and pkg_info(1)).

(Regular readers will know what comes next…)
This serves as an excellent reminder to upgrade snapshots frequently, test both base and ports, and report problems [plus, of course, donate!].

fw_update(8) gains support for arbitrary dmesg files

3 months 2 weeks ago

Hitherto, fw_update(8) has gathered system information largely from /var/run/dmesg.boot (on the host on which it is invoked).

Andrew Hewus Fresh (afresh1@) has committed a change which allows specifying an arbitrary dmesg file. The commit message explains the rationale:

CVSROOT: /cvs
Module name: src
Changes by: afresh1@cvs.openbsd.org 2025/03/21 18:33:34

Modified files:
	usr.sbin/fw_update: fw_update.8 fw_update.sh

Log message:
Allow using a different dmesg for driver detection

This also solves an issue that jmc@ was having with installing downloaded firmware. (thanks for reporting)

It also adjusts detecting the OpenBSD version from the dmesg instead of from sysctl while still allowing sysupgrade to override.

I see two main uses for this, the first being downloading firmware to be used on a machine that doesn't have access to download for itself. The other would be for testing detection of devices in a dmesg for a machine you don't have or that is hard to test such as from the installer.

This is a very welcome change indeed!

At least one of the editors (and we suspect several of our readers) would have saved quite a bit of time while installing our favourite operating system on hardware that requires firmware that for some reason is not included in the install media, such as some recent-ish laptops.

OpenBSD -current moves to 7.7-beta

4 months ago

It's that time of the year again. With the following commit, Theo de Raadt (deraadt@) changed the version of the OpenBSD development branch to 7.7-beta:

CVSROOT: /cvs
Module name: src
Changes by: deraadt@cvs.openbsd.org 2025/03/01 12:44:07

Modified files:
	sys/sys : param.h
	distrib/sets/lists/base: md.alpha md.hppa md.landisk md.luna88k md.sparc64
	distrib/sets/lists/comp: gcc.alpha gcc.hppa gcc.landisk gcc.luna88k gcc.sparc64
	etc/root : root.mail
	share/mk : sys.mk
	sys/arch/macppc/stand/tbxidata: bsd.tbxi
	sys/conf : newvers.sh
	usr.bin/signify: signify.1

Log message:
move to 7.7-beta

7.7-beta snapshots can be expected on the OpenBSD mirrors soon.

As always, this change should encourage testing and donation!

Game of Trees 0.109 released

4 months 3 weeks ago

Version 0.109 of Game of Trees has been released (and the port updated):

  • fix gotd failing to protect references when the client sends an empty pack
  • during pack generation, fix exclusion of commits via an ancestor commit
  • fix a bogus "received unexpected privsep message" error from gotsh
  • fix diffstat path order bug in field width computation
  • gotwebd: preserve 'folder=' parameter when following More links

OpenBGPD 8.8 released

5 months ago
The OpenBGPD project (essentially a subproject of the OpenBSD project) has released its latest work, OpenBGPD 8.8.

The release announcement reads,

Subject: OpenBGPD 8.8 released
From: Claudio Jeker <claudio () openbsd ! org>
Date: 2025-02-06 19:59:43

We have released OpenBGPD 8.8, which will be arriving in the OpenBGPD directory of your local OpenBSD mirror soon.

This release includes the following changes to the previous release:

* Improve default multiproto capability announcement selection. The default MP capability is only set if no other capability is configured on the neighbor.
* The `reject as-set` configuration option now defaults to yes. Route announcements with AS_SET segments in the AS_PATH Attribute will be rejected. See draft-ietf-idr-deprecate-as-set-confed-set for more information.

Read more…

Game of Trees 0.108 released

5 months 2 weeks ago

Version 0.108 of Game of Trees has been released (and the port updated):

  • add ssh -i identity-file support to commands which use the network
  • make 'got import' output independent of readdir(3) entry order
  • avoid full file content comparisons in 'got status' for speed
  • tog: fix NULL deref when log view T keymap is used on worktree entry
  • tog: fix a deadlock (hang) in the log view implementation
  • tog: plug a memory leak
  • tog: do not exit if a tag pointing at a non-commit is selected in ref view
  • tog: do not mark an incorrect base commit in nested log views
  • tog: fix NULL deref when scrolling small tree views down
  • tog: avoid showing a negative log view entry index
  • tog: do not apply a pointless count modifier to the H, &, p keymaps
  • tog: do not make users wait for the worktree diff to quit out of tog
  • gotwebd: make parent process drop root privileges
  • gotwebd: drop read access to /var/www from parent process
  • gotwebd: rename "socket" processes to "server"
  • gotadmin cleanup: pack the repository before removing objects
  • gotadmin cleanup: do not delete directly referenced trees and blobs
  • gotadmin cleanup: do not delete objects reachable via nested tags
  • regress: skip test memleak_send_basic in sha256 mode; expected to fail
  • regress: make seq(1) invocations portable to fix test failures on linux
  • regress/gotwebd: implement paginated commits test

There's also a toot which mentions some ongoing work.

Game of Trees 0.107 released

6 months 1 week ago

Version 0.107 of Game of Trees has been released (and the port updated):

  • gotwebd.css styling tweaks
  • hide ssh debug output during fetch/send -v, keep showing it at -vv and -vvv
  • discern mixed-commit worktree diffs with commit ID headers
  • gotwebd: avoid printf("%s", NULL) when path parameter is not in query
  • implement a regression test harness for gotwebd
  • fix free() called with bogus pointer in 'got fetch'; regression from 0.106
  • ensure config privsep children get collected upon error to prevent zombies
  • fix some fprintf(3) failure checks
  • gotwebd: replace strftime(3) with asctime_r(3) for the sake of consistency
  • tweak gotwebd log message levels, and log requests in verbose (-v) mode
  • prevent out-of-bounds read during gotwebd fcgi record debugging
  • implement tog work tree diff support via log view and CLI
  • improve error reporting when 'got patch' encounters malformed patches
  • improve got_opentemp_named_fd error reporting by showing the path template
  • add ssh -J jumphost support to got and cvg commands which use the network
  • add regression tests checking for memory leaks with Otto malloc and ktrace
  • got tag: change -s signer to -S signer
  • got tag: provide one-line output mode via new -s option
  • tog: use wtimeout(3) instead of nodelay(3) to honour our display refresh rate
  • switch got_pathlist data store from TAILQ to RB-tree
  • plug many memory leaks, some of which affected gotwebd in particular

rpki-client stricter aging policy for Trust Anchor certificates committed to -current

6 months 2 weeks ago
There has long been some concern in the networking communities, particularly the routing security part, about the use of very long lived Trust Anchor (TA) certificates in routing infrastructure.

Today Job Snijders (job@) committed code to rpki-client(8) to implement a gradual phase-in of a stricter policy on TA certificate lifetimes.

The commit message reads,

Subject: CVS: cvs.openbsd.org: src
From: Job Snijders <job () cvs ! openbsd ! org>
Date: 2024-12-18 16:38:40

CVSROOT: /cvs
Module name: src
Changes by: job@cvs.openbsd.org 2024/12/18 09:38:40

Modified files:
	usr.sbin/rpki-client: cert.c

Log message:
Schedule future rejection of ultra long-lived TA certificates

The RPKI ecosystem suffers from a partially unmitigated risk related to long-lived Trust Anchor certificate issuances.

Read more…

FRAME sockets added to OpenBSD

6 months 2 weeks ago

Thanks to work by David Gwynne (dlg@), OpenBSD -current now has a new "AF_FRAME" socket domain:

CVSROOT: /cvs
Module name: src
Changes by: dlg@cvs.openbsd.org 2024/12/15 04:00:05

Modified files:
	sys/conf : files
	sys/kern : uipc_domain.c uipc_socket.c
	sys/net : if_ethersubr.c
	sys/sys : socket.h
Added files:
	sys/net : af_frame.c frame.h

Log message:
add an AF_FRAME socket domain and an IFT_ETHER protocol family under it.

this allows userland to use sockets to send and receive Ethernet frames.

as per the upcoming frame.4 man page:

frame protocol family sockets are designed as an alternative to bpf(4) for handling low data and packet rate communication protocols. Rather than filtering every frame entering the system before the network stack like bpf(4), the frame protocol family processing avoids this overhead by running after the built-in protocol handlers in the kernel. For this reason, it is not possible to handle IPv4 or IPv6 packets with frame protocol sockets because the kernel network stack consumes them before the receive handling for frame sockets is run.

if you've used udp sockets then these should feel much the same.

my main motivation is to implement an lldp agent in userland, but without having to have bpf look at every packet when lldp happens every minute or two.

the only feedback i had was positive, so i'm putting it in

ok claudio@

There's been a related change to aggr(4).

OpenBGPD 8.7 released

6 months 3 weeks ago

Claudio Jeker (claudio@) announced the release of version 8.7 of OpenBGPD, the OpenBSD project's Border Gateway Protocol (BGP) daemon:

We have released OpenBGPD 8.7, which will be arriving in the OpenBGPD directory of your local OpenBSD mirror soon.

This release includes the following changes to the previous release:

* Cache the Adj-RIB-Out for sessions that have not been down for more than 1h. This significantly improves synchronisation time of peers that flap.
* Implement RFC 8538: Notification Message Support for BGP Graceful Restart.
* Add support for RFC 8654, extended messages.
* In bgplgd add additional endpoints to query the Adj-RIB-In and Adj-RIB-Out.
* Bump internal message size limit to 128k and handle up to 10 000 ASPA SPAS entries as suggested in draft-ietf-sidrops-aspa-profile.
* Various improvements to the ibuf API including a new reader API which is used to make all message parsing in bgpd memory safe.
* Added support for IPsec and TCP MD5 to RTR sessions.

OpenBGPD-portable is known to compile and run on FreeBSD, NetBSD and the Linux distributions Alpine, Debian, CentOS/RHEL/Rocky, Fedora, openSUSE/SLE, and Ubuntu. It is our hope that packagers take interest and help adapt OpenBGPD-portable to more distributions.

We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible.