OpenBSD Journal

OpenIKED 7.4 Released

4 months 2 weeks ago

The OpenBSD project has announced the release of OpenIKED 7.4:

We have released OpenIKED 7.4, which will be arriving in the OpenIKED directory of your local OpenBSD mirror soon. This release includes the following changes to the previous release:

* Fixed a double free bug in ECDH
* Added a natt config option that forces negotiation of nat-t (and udpencap) for a policy
* Made config file verification not require root permissions
* Fixed a bug where iked was retransmitting fragments too eagerly
* Tightened apparmor sandboxing on Linux
* Various other bug fixes, compatibility fixes and documentation improvements

Read more…

OpenSSH 10.0 Released

4 months 2 weeks ago
The OpenSSH project has announced its latest release, OpenSSH 10.0.

The announcement and release notes read:

OpenSSH 10.0/10.0p1 (2025-04-09)

OpenSSH 10.0 was released on 2025-04-09. It is available from the mirrors listed at https://www.openssh.com/.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html

Potentially-incompatible changes
--------------------------------

* This release removes support for the weak DSA signature algorithm, completing the deprecation process that began in 2015 (when DSA was disabled by default) and repeatedly warned over the last 12 months.

Read more…
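Before upgrading a fleet to OpenSSH 10.0 it is worth knowing which authorized_keys entries will stop working. The following is an added Python example, not code from the OpenSSH project or from the release notes, that scans authorized_keys-style text for ssh-dss entries. The sample lines are constructed; their key blobs carry only the key type string plus padding, not real key material, and the set of recognised key types is an assumption that you would extend for any certificate types in use.

```python
"""Added example, not OpenSSH code: find DSA (ssh-dss) keys in an authorized_keys
file before upgrading to OpenSSH 10.0, which no longer accepts them.

The sample lines are constructed; their key blobs carry only the type string and
padding, not real key material."""
import base64
import struct

# Key types a line may start with (assumed list; extend for certificate types you
# deploy). A line whose first token is not one of these is taken to start with options.
KEY_TYPES = {
    "ssh-dss", "ssh-rsa", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}
REMOVED_IN_10_0 = {"ssh-dss"}


def _split_options(line):
    """Split the leading options field from the rest. Options such as
    command="rrsync /backup" contain quoted whitespace, so a plain split() fails."""
    i, quoted = 0, False
    while i < len(line):
        c = line[i]
        if quoted and c == "\\":
            i += 2                      # skip an escaped character inside quotes
            continue
        if c == '"':
            quoted = not quoted
        elif c in " \t" and not quoted:
            break
        i += 1
    return line[:i], line[i:].lstrip()


def parse_authorized_key(line):
    """Parse one line into {options, type, embedded_type, comment};
    None for blank and comment lines; ValueError if it is not a key line."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if line.split(None, 1)[0] not in KEY_TYPES:
        options, line = _split_options(line)
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("missing key type or key blob")
    keytype, blob = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    raw = base64.b64decode(blob, validate=True)
    if len(raw) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", raw[:4])  # a public key blob starts with string(type)
    embedded = raw[4:4 + n].decode("ascii", "replace")
    return {"options": options, "type": keytype, "embedded_type": embedded, "comment": comment}


def find_dsa_keys(text):
    """Return [(line_no, comment, reason)] for keys OpenSSH 10.0 refuses.
    Both the declared type and the type string inside the blob are checked,
    so a relabelled DSA blob is still flagged."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        try:
            key = parse_authorized_key(line)
        except ValueError as e:          # binascii.Error is a ValueError subclass
            hits.append((no, "", "unparseable: %s" % e))
            continue
        if key is None:
            continue
        if key["type"] in REMOVED_IN_10_0 or key["embedded_type"] in REMOVED_IN_10_0:
            hits.append((no, key["comment"], "ssh-dss key, removed in OpenSSH 10.0"))
    return hits


def _fake_blob(keytype):
    """Constructed stand-in for a public key blob: string(type) + zero padding."""
    t = keytype.encode()
    return base64.b64encode(struct.pack(">I", len(t)) + t + b"\x00" * 8).decode()


# Constructed sample file, not real keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not real keys",
    "ssh-ed25519 %s alice@laptop" % _fake_blob("ssh-ed25519"),
    'command="/usr/bin/rrsync /backup",no-pty ssh-dss %s backup@legacy-nas' % _fake_blob("ssh-dss"),
    "ssh-rsa %s bob@desk" % _fake_blob("ssh-rsa"),
])

if __name__ == "__main__":
    for no, comment, reason in find_dsa_keys(SAMPLE_AUTHORIZED_KEYS):
        print("line %d (%s): %s" % (no, comment, reason))
```

Run against a real file with `find_dsa_keys(open(path).read())`; the backup host's restricted key on line 3 of the sample is the kind of forgotten automation credential that breaks silently after the upgrade.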

New sysctl(8) -f option supports reading entire settings file in one go

4 months 2 weeks ago
If you have ever been irked by having to enter a sequence of sysctl(8) commands to achieve things like enabling forwarding for both IPv4 and IPv6, help is at hand.

In a recent commit, Klemens Nanni (kn@) added functionality to have the classic command read multiple settings from a file:

Subject: CVS: cvs.openbsd.org: src
From: Klemens Nanni <kn () cvs ! openbsd ! org>
Date: 2025-04-05 14:09:06
Message-ID: f3c322a675a4cd33 () cvs ! openbsd ! org

CVSROOT: /cvs
Module name: src
Changes by: kn@cvs.openbsd.org 2025/04/05 08:09:06

Modified files:
	sbin/sysctl : sysctl.8 sysctl.c

Log message:
Add [-f file] to apply sysctl.conf in one go

Read more…

rsync replaced with openrsync on macOS Sequoia

4 months 3 weeks ago
We (the undeadly.org editors) had not noticed it ourselves, but Will Backman wrote in about the news that some OpenBSD code -- openrsync -- had been made available to a wider audience, courtesy of Apple:

"While Apple has been updating the rsync 2.6.9 command line tool it shipped with macOS as needed in response to security issues and other problems, the fact remains that Apple’s version of rsync up until macOS Sequoia was almost twenty years old and did not include any of the new features introduced in rsync versions which came after version 2.6.9."

"Now with macOS Sequoia, Apple has replaced rsync 2.6.9 with openrsync, an implementation of rsync which is not using any version of the GPL open source license."

You can read more at https://derflounder.wordpress.com/2025/04/06/rsync-replaced-with-openrsync-on-macos-sequoia/

The editors can confirm that on a fully updated Mac, man rsync will reveal that rsync is indeed the OpenBSD openrsync.

OpenBSD -current has moved to version 7.7

4 months 4 weeks ago

The OpenBSD 7.7 release cycle is entering its final phases…

With the following commit, Theo de Raadt (deraadt@) moved -current to version 7.7 (dropping the "-beta"):

CVSROOT: /cvs
Module name: src
Changes by: deraadt@cvs.openbsd.org 2025/03/30 14:43:36

Modified files:
	sys/conf : newvers.sh

Log message:
head out of -beta to 7.7

For those unfamiliar with the process: this is not the 7.7 release, but is part of the standard build-up to the release.

Remember: It's time to start using "-D snap" with pkg_add(1) (and pkg_info(1)).

(Regular readers will know what comes next…)
This serves as an excellent reminder to upgrade snapshots frequently, test both base and ports, and report problems [plus, of course, donate!].

fw_update(8) gains support for arbitrary dmesg files

5 months 1 week ago

Hitherto, fw_update(8) has gathered system information largely from /var/run/dmesg.boot (on the host on which it is invoked).

Andrew Hewus Fresh (afresh1@) has committed a change which allows specifying an arbitrary dmesg file. The commit message explains the rationale:

CVSROOT: /cvs
Module name: src
Changes by: afresh1@cvs.openbsd.org 2025/03/21 18:33:34

Modified files:
	usr.sbin/fw_update: fw_update.8 fw_update.sh

Log message:
Allow using a different dmesg for driver detection

This also solves an issue that jmc@ was having with installing downloaded firmware. (thanks for reporting)

It also adjusts detecting the OpenBSD version from the dmesg instead of from sysctl while still allowing sysupgrade to override.

I see two main uses for this, the first being downloading firmware to be used on a machine that doesn't have access to download for itself. The other would be for testing detection of devices in a dmesg for a machine you don't have or that is hard to test such as from the installer.

This is a very welcome change indeed!

At least one of the editors (and we suspect several of our readers) would have saved quite a bit of time while installing our favourite operating system on hardware that requires firmware that for some reason is not included in the install media, such as some recent-ish laptops.

OpenBSD -current moves to 7.7-beta

5 months 3 weeks ago

It's that time of the year again. With the following commit, Theo de Raadt (deraadt@) changed the version of the OpenBSD development branch to 7.7-beta:

CVSROOT: /cvs
Module name: src
Changes by: deraadt@cvs.openbsd.org 2025/03/01 12:44:07

Modified files:
	sys/sys : param.h
	distrib/sets/lists/base: md.alpha md.hppa md.landisk md.luna88k md.sparc64
	distrib/sets/lists/comp: gcc.alpha gcc.hppa gcc.landisk gcc.luna88k gcc.sparc64
	etc/root : root.mail
	share/mk : sys.mk
	sys/arch/macppc/stand/tbxidata: bsd.tbxi
	sys/conf : newvers.sh
	usr.bin/signify: signify.1

Log message:
move to 7.7-beta

7.7-beta snapshots can be expected on the OpenBSD mirrors soon.

As always, this change should encourage testing and donation!

Game of Trees 0.109 released

6 months 2 weeks ago

Version 0.109 of Game of Trees has been released (and the port updated):

  • fix gotd failing to protect references when the client sends an empty pack
  • during pack generation, fix exclusion of commits via an ancestor commit
  • fix a bogus "received unexpected privsep message" error from gotsh
  • fix diffstat path order bug in field width computation
  • gotwebd: preserve 'folder=' parameter when following More links

OpenBGPD 8.8 released

6 months 3 weeks ago
The OpenBGPD project (essentially a subproject of the OpenBSD project) has released its latest work, OpenBGPD 8.8.

The release announcement reads,

Subject: OpenBGPD 8.8 released
From: Claudio Jeker <claudio () openbsd ! org>
Date: 2025-02-06 19:59:43

We have released OpenBGPD 8.8, which will be arriving in the OpenBGPD directory of your local OpenBSD mirror soon. This release includes the following changes to the previous release:

* Improve default multiproto capability announcement selection. The default MP capability is only set if no other capability is configured on the neighbor.
* The `reject as-set` configuration option now defaults to yes. Route announcements with AS_SET segments in the AS_PATH Attribute will be rejected. See draft-ietf-idr-deprecate-as-set-confed-set for more information.

Read more…
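To make the `reject as-set` rule concrete, here is an added Python example (not OpenBGPD code) that parses an AS_PATH attribute value into its segments and flags any path carrying an AS_SET or AS_CONFED_SET segment, the two segment types named in the referenced draft. The sample paths are constructed, not captured traffic, and 4-octet AS encoding is assumed as if the 4-octet AS capability had been negotiated; the 2-octet form is supported via a flag.

```python
"""Added example, not OpenBGPD code: the check behind `reject as-set yes`.

AS_PATH wire format (RFC 4271 4.3, with RFC 6793 for 4-octet ASNs): a run of
segments, each <type:1 byte><count:1 byte><count ASNs of 2 or 4 bytes>.
Sample paths below are constructed, not captured traffic."""
import struct

AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET = 1, 2, 3, 4
SEGMENT_NAMES = {1: "AS_SET", 2: "AS_SEQUENCE", 3: "AS_CONFED_SEQUENCE", 4: "AS_CONFED_SET"}


def parse_as_path(attr, four_octet=True):
    """Return [(segment_type, [asn, ...]), ...] from an AS_PATH attribute value.
    four_octet selects 4-byte ASNs (capability negotiated) or 2-byte ones.
    Raises ValueError on anything malformed rather than guessing."""
    width, fmt = (4, ">I") if four_octet else (2, ">H")
    segments, i = [], 0
    while i < len(attr):
        if len(attr) - i < 2:
            raise ValueError("truncated segment header at offset %d" % i)
        seg_type, count = attr[i], attr[i + 1]
        i += 2
        if seg_type not in SEGMENT_NAMES:
            raise ValueError("unknown segment type %d" % seg_type)
        if count == 0:
            raise ValueError("segment with no AS numbers")   # treated as malformed here
        need = count * width
        if len(attr) - i < need:
            raise ValueError("truncated segment body at offset %d" % i)
        asns = [struct.unpack_from(fmt, attr, i + k * width)[0] for k in range(count)]
        i += need
        segments.append((seg_type, asns))
    return segments


def reject_as_set(attr, four_octet=True):
    """True if the route must be dropped under the draft's rule: any AS_SET or
    AS_CONFED_SET segment in the path (aggregation that hides the real path)."""
    return any(t in (AS_SET, AS_CONFED_SET) for t, _ in parse_as_path(attr, four_octet))


def encode_as_path(segments, four_octet=True):
    """Inverse of parse_as_path; only used here to build the constructed samples."""
    fmt = ">I" if four_octet else ">H"
    out = bytearray()
    for seg_type, asns in segments:
        out += bytes([seg_type, len(asns)])
        for asn in asns:
            out += struct.pack(fmt, asn)
    return bytes(out)


# Constructed samples using documentation ASNs (RFC 5398 ranges).
PLAIN_PATH = encode_as_path([(AS_SEQUENCE, [64496, 64497, 65550])])
AGGREGATED_PATH = encode_as_path([(AS_SEQUENCE, [64496]), (AS_SET, [64498, 64499])])

if __name__ == "__main__":
    for name, path in (("plain", PLAIN_PATH), ("aggregated", AGGREGATED_PATH)):
        segs = [(SEGMENT_NAMES[t], a) for t, a in parse_as_path(path)]
        print(name, segs, "reject" if reject_as_set(path) else "accept")
```

The parser refuses truncated or unknown segments instead of skipping them, which is the behaviour you want in front of any policy decision: a path you could not fully decode is not one you can safely judge.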

Game of Trees 0.108 released

7 months ago

Version 0.108 of Game of Trees has been released (and the port updated):

  • add ssh -i identity-file support to commands which use the network
  • make 'got import' output independent of readdir(3) entry order
  • avoid full file content comparisons in 'got status' for speed
  • tog: fix NULL deref when log view T keymap is used on worktree entry
  • tog: fix a deadlock (hang) in the log view implementation
  • tog: plug a memory leak
  • tog: do not exit if a tag pointing at a non-commit is selected in ref view
  • tog: do not mark an incorrect base commit in nested log views
  • tog: fix NULL deref when scrolling small tree views down
  • tog: avoid showing a negative log view entry index
  • tog: do not apply a pointless count modifier to the H, &, p keymaps
  • tog: do not make users wait for the worktree diff to quit out of tog
  • gotwebd: make parent process drop root privileges
  • gotwebd: drop read access to /var/www from parent process
  • gotwebd: rename "socket" processes to "server"
  • gotadmin cleanup: pack the repository before removing objects
  • gotadmin cleanup: do not delete directly referenced trees and blobs
  • gotadmin cleanup: do not delete objects reachable via nested tags
  • regress: skip test memleak_send_basic in sha256 mode; expected to fail
  • regress: make seq(1) invocations portable to fix test failures on linux
  • regress/gotwebd: implement paginated commits test

There's also a toot which mentions some ongoing work.

Game of Trees 0.107 released

7 months 4 weeks ago

Version 0.107 of Game of Trees has been released (and the port updated):

  • gotwebd.css styling tweaks
  • hide ssh debug output during fetch/send -v, keep showing it at -vv and -vvv
  • discern mixed-commit worktree diffs with commit ID headers
  • gotwebd: avoid printf("%s", NULL) when path parameter is not in query
  • implement a regression test harness for gotwebd
  • fix free() called with bogus pointer in 'got fetch'; regression from 0.106
  • ensure config privsep children get collected upon error to prevent zombies
  • fix some fprintf(3) failure checks
  • gotwebd: replace strftime(3) with asctime_r(3) for the sake of consistency
  • tweak gotwebd log message levels, and log requests in verbose (-v) mode
  • prevent out-of-bounds read during gotwebd fcgi record debugging
  • implement tog work tree diff support via log view and CLI
  • improve error reporting when 'got patch' encounters malformed patches
  • improve got_opentemp_named_fd error reporting by showing the path template
  • add ssh -J jumphost support to got and cvg commands which use the network
  • add regression tests checking for memory leaks with Otto malloc and ktrace
  • got tag: change -s signer to -S signer
  • got tag: provide one-line output mode via new -s option
  • tog: use wtimeout(3) instead of nodelay(3) to honour our display refresh rate
  • switch got_pathlist data store from TAILQ to RB-tree
  • plug many memory leaks, some of which affected gotwebd in particular

rpki-client: stricter aging policy for Trust Anchor certificates committed to -current

8 months 1 week ago
There has long been concern in the networking community, particularly among those working on routing security, about the use of very long-lived Trust Anchor (TA) certificates in routing infrastructure.

Today Job Snijders (job@) committed code to rpki-client(8) to implement a gradual phase-in of a stricter policy on TA certificate lifetimes.

The commit message reads,

Subject: CVS: cvs.openbsd.org: src
From: Job Snijders <job () cvs ! openbsd ! org>
Date: 2024-12-18 16:38:40

CVSROOT: /cvs
Module name: src
Changes by: job@cvs.openbsd.org 2024/12/18 09:38:40

Modified files:
	usr.sbin/rpki-client: cert.c

Log message:
Schedule future rejection of ultra long-lived TA certificates

The RPKI ecosystem suffers from a partially unmitigated risk related to long-lived Trust Anchor certificate issuances.

Read more…
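As an added illustration (not rpki-client's code), the following Python extracts the validity period from a DER-encoded certificate and applies a phased policy of the shape the commit describes: a certificate whose validity span exceeds a cap only produces a warning until a cutover date and is rejected from then on. The cap, the cutover date and the sample certificate are all hypothetical placeholders; the real thresholds live in rpki-client's cert.c and are not reproduced here. The sample certificate is a hand-built DER skeleton with the correct field order and dummy key and signature contents, enough to exercise the parser and nothing more.

```python
"""Added example, not rpki-client code: read notBefore/notAfter out of a DER
certificate and apply a phased lifetime policy of the kind the commit describes.

Assumptions: MAX_TA_LIFETIME and REJECT_FROM are hypothetical placeholders, not
the values in rpki-client's cert.c; the sample certificate is a constructed
skeleton with the right field order and dummy contents, not a real TA."""
import datetime as dt

UTC = dt.timezone.utc

def utc(year, month, day):
    return dt.datetime(year, month, day, tzinfo=UTC)

def _tlv(data, i):
    """Decode the DER element at offset i -> (tag, value_start, value_end)."""
    tag, length = data[i], data[i + 1]
    i += 2
    if length & 0x80:                     # long form: 0x8n then n length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(data[i:i + n], "big")
        i += n
    if i + length > len(data):
        raise ValueError("truncated DER element")
    return tag, i, i + length

def _time(tag, raw):
    """UTCTime (0x17, YYMMDDhhmmssZ) or GeneralizedTime (0x18, YYYYMMDDhhmmssZ)."""
    s = raw.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])                   # RFC 5280 4.1.2.5.1: 50..99 -> 19xx, 00..49 -> 20xx
        s = "%d%s" % (1900 + yy if yy >= 50 else 2000 + yy, s[2:])
    elif tag != 0x18:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def certificate_validity(der):
    """(notBefore, notAfter) by walking Certificate -> tbsCertificate ->
    [version] serialNumber signature issuer validity (RFC 5280 4.1)."""
    tag, i, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, i, _ = _tlv(der, i)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, end = _tlv(der, i)
    if tag == 0xA0:                       # optional EXPLICIT [0] version
        i = end
    for _ in range(3):                    # skip serialNumber, signature, issuer
        _, _, i = _tlv(der, i)
    tag, i, val_end = _tlv(der, i)
    if tag != 0x30:
        raise ValueError("validity is not a SEQUENCE")
    t1, s1, e1 = _tlv(der, i)
    t2, s2, e2 = _tlv(der, e1)
    if e2 != val_end:
        raise ValueError("trailing data in validity")
    return _time(t1, der[s1:e1]), _time(t2, der[s2:e2])

# Hypothetical schedule (assumption for illustration only): a validity span over
# MAX_TA_LIFETIME produces a warning until REJECT_FROM and a rejection afterwards.
MAX_TA_LIFETIME = dt.timedelta(days=25 * 365)
REJECT_FROM = utc(2026, 1, 1)

def evaluate_ta(der, now):
    """'ok', 'warn' or 'reject' for a TA certificate evaluated at time `now`."""
    not_before, not_after = certificate_validity(der)
    if not_after <= not_before:
        raise ValueError("notAfter does not follow notBefore")
    if not_after - not_before <= MAX_TA_LIFETIME:
        return "ok"
    return "reject" if now >= REJECT_FROM else "warn"

def _der(tag, value):
    """Minimal definite-length DER encoder, used only to build the sample."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def make_sample_cert(not_before, not_after):
    """Constructed certificate skeleton: correct field order, dummy key and signature."""
    def asn1_time(t):                     # RFC 5280: UTCTime through 2049, GeneralizedTime after
        if t.year < 2050:
            return _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
        return _der(0x18, t.strftime("%Y%m%d%H%M%SZ").encode())
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSA
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes([0x55, 0x04, 0x03])) + _der(0x0C, b"example TA"))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name
           + _der(0x30, asn1_time(not_before) + asn1_time(not_after)) + name
           + _der(0x30, alg + _der(0x03, b"\x00")))
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00"))

LONG_LIVED_TA = make_sample_cert(utc(2010, 1, 1), utc(2110, 1, 1))   # 100-year validity
SHORT_LIVED_TA = make_sample_cert(utc(2024, 1, 1), utc(2034, 1, 1))  # 10-year validity
```

The point of the two-stage schedule is operational: relying parties can surface the offending TA to operators (who need to reissue) well before validation actually starts failing. Note that the parser is deliberately minimal and only trusts what it can fully decode; a real validator would of course verify the signature and the rest of the profile before looking at lifetimes at all.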

FRAME sockets added to OpenBSD

8 months 1 week ago

Thanks to work by David Gwynne (dlg@), OpenBSD -current now has a new "AF_FRAME" socket domain:

CVSROOT: /cvs
Module name: src
Changes by: dlg@cvs.openbsd.org 2024/12/15 04:00:05

Modified files:
	sys/conf : files
	sys/kern : uipc_domain.c uipc_socket.c
	sys/net : if_ethersubr.c
	sys/sys : socket.h
Added files:
	sys/net : af_frame.c frame.h

Log message:
add an AF_FRAME socket domain and an IFT_ETHER protocol family under it.

this allows userland to use sockets to send and receive Ethernet frames.

as per the upcoming frame.4 man page:

	frame protocol family sockets are designed as an alternative to bpf(4) for handling low data and packet rate communication protocols. Rather than filtering every frame entering the system before the network stack like bpf(4), the frame protocol family processing avoids this overhead by running after the built in protocol handlers in the kernel. For this reason, it is not possible to handle IPv4 or IPv6 packets with frame protocol sockets because the kernel network stack consumes them before the receive handling for frame sockets is run.

if you've used udp sockets then these should feel much the same.

my main motivation is to implement an lldp agent in userland, but without having to have bpf look at every packet when lldp happens every minute or two.

the only feedback i had was positive, so i'm putting it in

ok claudio@

There's been a related change to aggr(4).

OpenBGPD 8.7 released

8 months 1 week ago

Claudio Jeker (claudio@) announced the release of version 8.7 of OpenBGPD, the OpenBSD project's Border Gateway Protocol (BGP) daemon:

We have released OpenBGPD 8.7, which will be arriving in the OpenBGPD directory of your local OpenBSD mirror soon. This release includes the following changes to the previous release:

* Cache the Adj-RIB-Out for sessions that have not been down for more than 1h. This significantly improves synchronisation time of peers that flap.
* Implement RFC 8538: Notification Message Support for BGP Graceful Restart.
* Add support for RFC 8654, extended messages.
* In bgplgd add additional endpoints to query the Adj-RIB-In and Adj-RIB-Out.
* Bump internal message size limit to 128k and handle up to 10 000 ASPA SPAS entries as suggested in draft-ietf-sidrops-aspa-profile.
* Various improvements to the ibuf API including a new reader API which is used to make all message parsing in bgpd memory safe.
* Added support for IPsec and TCP MD5 to RTR sessions.

OpenBGPD-portable is known to compile and run on FreeBSD, NetBSD and the Linux distributions Alpine, Debian, CentOS/RHEL/Rocky, Fedora, openSUSE/SLE, and Ubuntu. It is our hope that packagers take interest and help adapt OpenBGPD-portable to more distributions. We welcome feedback and improvements from the broader community.

Thanks to all of the contributors who helped make this release possible.

Initial list of 21 EuroBSDcon 2024 videos released

8 months 4 weeks ago

Rafael Sadowski on dpb(1)

8 months 4 weeks ago

(As noted in his toot,) Rafael Sadowski (rsadowski@) has written a blog entry entitled dpb - distributed ports builder, which describes his dpb(1) setup.
It is likely to be of interest to those getting started with porting software to OpenBSD.

The article sets out its purpose as: "The goal is to provide an overview of how to configure a single instance for port building with minimal effort. Whether you're trying dpb(1) for the first time or looking for a straightforward guide, I hope this documentation will be useful both for beginners and for myself, as a reference for future setups since I don't have an Ansible playbook for it ;)."

So maybe an Ansible playbook is up next? Anyway, a good read for prospective and current porters. Enjoy!

-current now has more flexible performance policy

9 months ago

Jeremie Courreges-Anglas (jca@) committed a change which is likely to be welcomed by laptop users:

CVSROOT: /cvs
Module name: src
Changes by: jca@cvs.openbsd.org 2024/11/21 04:58:45

Modified files:
	sys/kern : sched_bsd.c
	lib/libc/sys : sysctl.2

Log message:
Let the user provide an alternative perfpolicy when on battery

The current behavior of "auto", which implies running at full speed when on AC power, does not fit all the hardware and use cases. For some people it results in more power consumption, more heat, more noise, etc.

Extend the semantics of hw.perfpolicy and provide two buttons to specify the desired behavior:

	sysctl hw.perfpolicy=<policy while on ac>[,<policy while on battery>]

Keep the default behavior of "high,auto". People can opt for "auto,auto" or simply "auto" instead.

No objection from deraadt@, input and ok sobrado@ sthen@

This is now in snapshots, so please test if you run those!
