OpenBSD Journal

OpenBGPD 8.7 released

6 months 3 weeks ago

Claudio Jeker (claudio@) announced the release of version 8.7 of OpenBGPD, the OpenBSD project's Border Gateway Protocol (BGP) daemon:

We have released OpenBGPD 8.7, which will be arriving in the OpenBGPD directory of your local OpenBSD mirror soon.

This release includes the following changes to the previous release:

* Cache the Adj-RIB-Out for sessions that have not been down for more than 1h. This significantly improves synchronisation time of peers that flap.
* Implement RFC 8538: Notification Message Support for BGP Graceful Restart.
* Add support for RFC 8654, extended messages.
* In bgplgd add additional endpoints to query the Adj-RIB-In and Adj-RIB-Out.
* Bump internal message size limit to 128k and handle up to 10 000 ASPA SPAS entries as suggested in draft-ietf-sidrops-aspa-profile.
* Various improvements to the ibuf API including a new reader API which is used to make all message parsing in bgpd memory safe.
* Added support for IPsec and TCP MD5 to RTR sessions.

OpenBGPD-portable is known to compile and run on FreeBSD, NetBSD and the Linux distributions Alpine, Debian, CentOS/RHEL/Rocky, Fedora, openSUSE/SLE, and Ubuntu. It is our hope that packagers take interest and help adapt OpenBGPD-portable to more distributions.

We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible.

Initial list of 21 EuroBSDcon 2024 videos released

7 months 1 week ago

Rafael Sadowski on dpb(1)

7 months 1 week ago

(As noted in his toot,) Rafael Sadowski (radowski@) has written a blog entry entitled dpb - distributed ports builder, which describes his dpb(1) setup.
It is likely to be of interest to those getting started with porting software to OpenBSD.

The article sets out its purpose as,

"The goal is to provide an overview of how to configure a single instance for port building with minimal effort. Whether you’re trying dpb(1) for the first time or looking for a straightforward guide, I hope this documentation will be useful both for beginners and for myself, as a reference for future setups since I don’t have an Ansible playbook for it ;)."

So maybe an Ansible playbook is up next? Anyway, a good read for prospective and current porters. Enjoy!

-current now has more flexible performance policy

7 months 1 week ago

Jeremie Courreges-Anglas (jca@) committed a change which is likely to be welcomed by laptop users:

CVSROOT: /cvs
Module name: src
Changes by: jca@cvs.openbsd.org 2024/11/21 04:58:45

Modified files:
    sys/kern : sched_bsd.c
    lib/libc/sys : sysctl.2

Log message:
Let the user provide an alternative perfpolicy when on battery

The current behavior of "auto", which implies running at full speed when on AC power, does not fit all the hardware and use cases. For some people it results in more power consumption, more heat, more noise, etc. Extend the semantics of hw.perfpolicy and provide two buttons to specify the desired behavior:

    sysctl hw.perfpolicy=<policy while on ac>[,<policy while on battery>]

Keep the default behavior of "high,auto". People can opt for "auto,auto" or simply "auto" instead.

No objection from deraadt@, input and ok sobrado@ sthen@

This is now in snapshots, so please test if you run those!

Game of Trees 0.104 released

8 months 2 weeks ago

Version 0.104 of Game of Trees has been released (and the port updated).

* got 0.104; 2024-10-22
  see git repository history for per-change authorship information
- gotd.conf: document the macro syntax
- tog: prevent a segfault upon unexpected object type in ref list view
- fix pack file creation in the presence of tagged tag objects
- plugged some memory leaks
- fix a crash when unstaging a file which has been removed from disk
- gotwebd: fix out of bounds access while handling the configuration

LibreSSL 4.0.0 Released

8 months 4 weeks ago
The LibreSSL project, a closely associated subproject of the OpenBSD project, has announced the availability of their new stable release, LibreSSL 4.0.0, which comes with a number of improvements and a sprinkling of fixes.

The release announcement reads,

Subject: LibreSSL 4.0.0 Released
From: Brent Cook <busterb () gmail ! com>

We have released LibreSSL 4.0.0, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon. This is the first stable release for the 4.0.x branch, also available with OpenBSD 7.6

It includes the following change from LibreSSL 3.9.2:

* Portable changes
  - Added initial Emscripten support in CMake builds.
  - Removed timegm() compatibility layer since all uses were replaced with OPENSSL_timegm(). Cleaned up the corresponding test harness.
  - The mips32 platform is no longer actively supported.
  - Fixed Windows support for dates beyond 2038.

sshd(8) splitting continues

8 months 4 weeks ago

The work of improving ssh security by segregating functionality into separate binaries continues, this time by introducing sshd-auth as a separate binary.

The commit message summarizes why this makes sense,

Splitting this code into a separate binary ensures that the crucial pre-authentication attack surface has an entirely disjoint address space from the code used for the rest of the connection. It also yields a small runtime memory saving as the authentication code will be unloaded after the authentication phase completes.

The code is in snapshots as we type.

OpenSMTPD 7.6.0p0 Released

8 months 4 weeks ago

Omar Polo (op@) has announced the release of version 7.6.0p0 of OpenSMTPD.

The changes (including the table protocol change on which we reported earlier) are:

- Introduced a new K_AUTH service to allow offloading the credentials to a proc table for non-crypt(3) authentication. Helps with use cases like LDAP or custom auth.
- Implement report responses for proc-filters too.
- Changed the table protocol to a simpler text-based one. Existing proc tables need to be updated since old ones won't work. The new protocol is documented in smtpd-tables(7).
- Fixed the parsing of IPv6 addresses in file-backed table(5)
- Document expected MDA behavior and the environment set by OpenSMTPD.
- Set ORIGINAL_RECIPIENT in the environment of MDA scripts for compatibility with postfix.
- Updated the bundled libtls.

See the release announcement for full details.

OpenBSD 7.6 Released

9 months ago

The OpenBSD project has announced OpenBSD 7.6, its 57th release.

The new release contains a number of significant improvements, including but not limited to:

  • There is initial support for Qualcomm Snapdragon X Elite [arm64] laptops.
  • Initial support for Suspend-to-Idle has been added on amd64 and i386, enabling suspend on machines which do not support S3.
  • UDP parallel input has been enabled. [See earlier report]
  • Libva's VA-API (Video Acceleration API) was imported into xenocara. [See earlier report]
  • The default write format for tar(1) has changed to "pax". [See earlier report]
  • pfctl(8) and systat(1) now display fragment reassembly statistics. [See earlier report]
  • A configurable passphrase timeout for disk decryption at boot (a potential battery lifesaver) has been added. [See earlier report]
  • Local-to-anchor tables are now available in pf(4) rules. [See earlier report]
  • rport(4), a driver providing point-to-point interfaces for layer 3 connectivity between rdomain(4) instances, has been added.
  • dhcp6leased(8), a DHCPv6 client daemon for IPv6 PD has been added. [See earlier report]
  • dhclient(8) has been removed (now that dhcpleased(8) is well established). [See earlier report]
  • OpenSSH 9.9, featuring:

and of course there is the full changelog which details the changes made over this latest six month development cycle.

The Installation Guide details how to get the system up and running with a fresh install, while those who already run earlier releases should follow the Upgrade Guide, in most cases using sysupgrade(8) to upgrade their systems.

Now please dive in and enjoy the new release, and while the installer runs, please do donate to the project to support further development and more future goodies for us all!

Major change to sysupgrade(8) behaviour

9 months 2 weeks ago

There has been a significant change to the behaviour of sysupgrade(8):

CVSROOT: /cvs
Module name: src
Changes by: florian@cvs.openbsd.org 2024/09/24 01:33:35

Modified files:
    usr.sbin/sysupgrade: sysupgrade.8 sysupgrade.sh

Log message:
Remove -r toggle and generally be less smart.

The default is to install the next release. Snapshots are only installed when invoked with -s.

OpenBSD now enforcing no invalid NUL characters in shell scripts

9 months 2 weeks ago

Our favorite operating system is now changing the default shell (ksh) to reject invalid NUL characters in input that will be parsed as part of a script.

The commit message reads,

List: openbsd-cvs
Subject: CVS: cvs.openbsd.org: src
From: Theo de Raadt <deraadt () cvs ! openbsd ! org>
Date: 2024-09-23 21:18:33

CVSROOT: /cvs
Module name: src
Changes by: deraadt@cvs.openbsd.org 2024/09/23 15:18:33

Modified files:
    bin/ksh : shf.c

Log message:
If during parsing lines in the script, ksh finds a NUL byte on the line, it should abort ("syntax error: NUL byte unexpected").

There appears to be one piece of software which is misinterpreting guidance of this, and trying to depend upon embedded NUL. During research, every shell we tested has one or more cases where a NUL byte in the input or inside variable contents will create divergent behaviour from other shells. (ie. gets converted to a space, is silently skipped, or aborts script parsing or later execution). All the shells are written in C, and majority of them use C strings for everything, which means they cannot embed a NUL, so this is not surprising. It is quite unbelievable there are people trying to rewrite history on a lark, and expecting the world to follow alone.

EuroBSDCon 2024 presentations

9 months 2 weeks ago

EuroBSDCon 2024 [in Dublin, Ireland] has now ended, and slides for many of the OpenBSD developer presentations are now available in the usual place.

Video of the individual presentations can be expected somewhat later. In the meantime, OpenBSD-related presentations [including those from non-developers] can be found in the recordings of the "Foyer B" streams.

In addition, there was a full day PF tutorial with some updates to the publicly available slides.

OpenSSH 9.9 released!

9 months 3 weeks ago

In a fediverse post, Damien Miller (djm@) announced the availability of the new OpenSSH version 9.9:

OpenSSH 9.9 has just been released. New features include support for hybrid ML-KEM X25519 post-quantum key exchange (using a formally-verified ML-KEM implementation), improved controls to drop and penalise unwanted connections, faster NTRUPrime key exchange code and more.

OpenBSD -current has moved to version 7.6

9 months 3 weeks ago

The OpenBSD 7.6 release cycle is entering its final phases…

With the following commit, Theo de Raadt (deraadt@) moved -current to version 7.6:

CVSROOT: /cvs
Module name: src
Changes by: deraadt@cvs.openbsd.org 2024/09/17 07:39:17

Modified files:
    sys/conf : newvers.sh

Log message:
head into release

For those unfamiliar with the process: this is not the 7.6 release, but is part of the standard build-up to the release.

Remember: It's time to start using "-D snap" with pkg_add(1) (and pkg_info(1)).

(Regular readers will know what comes next…)
This serves as an excellent reminder to upgrade snapshots frequently, test both base and ports, and report problems [plus, of course, donate!].
