Feed openbsd-journal OpenBSD Journal


Link http://undeadly.org/
Feed http://undeadly.org/cgi?action=rss
Updated 2026-06-08 02:01
Random relinking at boot comes to httpd(8) and smtpd(8)
Random order relinking of critical components is an OpenBSD feature specifically designed to make it harder to exploit bugs in the resulting binary. sshd(8) was the first of the network-facing daemons to get the random treatment (see this previous report). Now, in a series of commits that split one daemon (smtpd(8)) into six separate binaries, Theo de Raadt (deraadt@) is bringing httpd(8) and smtpd(8), both common in network-facing configurations, into the random relink at boot fold. httpd(8) was the first of the two:
llvm/clang(1)/lld(1) updated to version 22.1.6
In -current, Robert Nagy (robert@) updated clang(1), llvm, and lld(1) to version 22.1.6:
LibreSSL 4.3.2 released
The LibreSSL project has announced the release of version 4.3.2 of the software.
Game of Trees 0.126 released
Version 0.126 of Game of Trees has been released (and the port updated). Complete release notes are as follows:
OpenBSD 7.9 Released
The OpenBSD project has announced OpenBSD 7.9, its 60th release. The new release contains a number of significant improvements, including but certainly not limited to:
Migrating mail servers from exim to OpenSMTPD (smtpd) is fun and useful
Like (we suspect) quite a few of our readers, undeadly.org co-editor Peter Hansteen runs a mail service and settled on exim as the reasonable alternative to the classic sendmail way back when. However, that software has had its share of security issues over the years, and during the preparations for the OpenBSD 7.9 release, the ports maintainers decided that
Automatic expiry at timeout for pf(4) overload tables
Network-oriented readers will be familiar with the concept of overload tables, commonly used with state tracking options to create adaptive rulesets for such things as punishing password-guessing botnets. A downside to tables that tend to fill up indefinitely is that at some point they will be quite full, and the administrator would need to either manually run pfctl expire or set up a crontab entry to weed out old entries at intervals. Now Alexandr Nedvedicky (sashan@) is airing a patch on tech@ that would add a timeout option to table declarations, doing away with the need to set up crontab entries to run pfctl expire. The patch and the explanation can be found in the thread pf(4) add timeout option to ip address tables, with followup discussion where several developers and users pitch in. The message reads,
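For readers who have not set one up, here is an added example of the overload-table arrangement the article describes, together with the cron-based workaround it says the patch would replace. It is illustrative pf.conf(5) written for this summary, not part of sashan@'s diff; the proposed timeout syntax is not shown because the teaser does not quote it. The table name, the port and the rate thresholds are assumptions.

```pf
# /etc/pf.conf excerpt (added example, not from the patch on tech@)
# Addresses are added to <bruteforce> by the overload option below;
# "persist" keeps the table around even while it is empty.
table <bruteforce> persist

# Anything already in the table is dropped before state lookup.
block drop in quick from <bruteforce>

# More than 5 new connections in 30 seconds, or more than 10 open
# connections, from one source address puts that address in the table
# and flushes all of its existing states ("flush global").
pass in on egress proto tcp to port ssh \
    keep state (max-src-conn 10, max-src-conn-rate 5/30, \
    overload <bruteforce> flush global)
```

Without the patch, nothing ever removes entries, so the table only grows. The usual remedy is a crontab(5) line such as `0 * * * * /sbin/pfctl -t bruteforce -T expire 86400`, which every hour deletes entries that were added (or last had their statistics cleared) more than 86400 seconds ago. A timeout in the table declaration itself would make that line, and the chance of forgetting it on a new host, unnecessary.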
Let's find out how to get predictable IPv6 addresses assigned to OpenBSD VMs
Florian Obser (florian@) recently gave a BSD-NL talk entitled "Let's find out how to get predictable IPv6 addresses assigned to OpenBSD VMs". Florian takes us on a guided tour of how inet6 autoconf actually works, with enlightening and entertaining peeks into selected pieces of OpenBSD source. At the end, we are asked to "now, draw the rest of the owl". Slides are available in the usual place, and video is also available.
Game of Trees 0.125 released
Version 0.125 of Game of Trees has been released (and the port updated). Note the security fixes:
Recent downtime
Due to hardware failure, the machine hosting undeadly went down last week. Thanks to the kind and swift help from OpenBSD.amsterdam, we're now back online. We will source new hardware for the original machine and hopefully move back again soon.
LibreSSL 4.3.1 released
The LibreSSL project has announced the release of version 4.3.1 of the software:
OpenBSD -current is now "7.9-current"
Jonathan Gray (jsg@) updated the version of OpenBSD -current from "7.9" to "7.9-current". Those running the latest-and-greatest [via a sufficiently new snapshot or built from source] no longer need to use "-D snap" with pkg_add(1) (and pkg_info(1)).
rpki-client 9.8 released
Routing security matters to all of us (even those of us who seldom give the subject any thought), and the rpki-client project announced the release of a new version of their Resource Public Key Infrastructure (RPKI) client, with a number of improvements. The announcement reads,
Selectively block cores from the scheduler with sysctl hw.blockcpu
We're a little late reporting it but... The familiar safeguard sysctl hw.smt is now deprecated, having been replaced by a more flexible mechanism which allows discriminating between different varieties of core type. First, Theo de Raadt (deraadt@) enabled the mechanism for OpenBSD/amd64 in this commit:
OpenBSD -current has moved to version 7.9
The OpenBSD 7.9 release cycle is entering its final phases... With the following commit, Theo de Raadt (deraadt@) moved -current to version 7.9 (dropping the "-beta"):
OpenBGPD 9.1 released
Every spring and autumn, the routing world can expect a new OpenBGPD release, and this time is no exception. The OpenBGPD project have announced the availability of their newest release, version 9.1, with the following announcement:
Game of Trees 0.124 released
Version 0.124 of Game of Trees has been released (and the port updated):
pfsync(4) Packet Header Field Renamed to Avoid AI Bug Report Noise
Bogus security bug reports generated by large language model (LLM) tool use are a well known irritant and time sink for open source projects. As a consequence of one such report, Theo de Raadt (deraadt@) committed a change to pfsync(4) to rename an otherwise unused field in the pfsync(4) packet header. The commit message reads,
OpenSSH 10.3/10.3p1 released!
As we approach the 60th OpenBSD release: 7.9, the OpenSSH project has released OpenSSH 10.3.
The story of OpenBSD on Motorola 88000 series processors
Regular readers will be aware that Miod Vallat (miod@) is documenting the adventures of porting OpenBSD to various architectures in his OpenBSD Stories collection. The latest addition is OpenBSD on Motorola 88000 processors, where the first two of a planned total of nine chapters have been published. The first chapter, The Forsaken RISC Architecture, takes us through some background and pre-history of the architecture. The second chapter, A New Hope, gives insight into the early porting efforts. We very much look forward to seeing the further chapters of the OpenBSD on Motorola 88000 processors saga.
Pledge changes in 7.9-beta
David Leadbeater (dgl@) posted to ports@ a message, entitled Pledge changes in 7.9-beta, which explains the consequences for porters of the recent pledge(2)/unveil(2) changes in -current (and, to some extent, 7.8). Whilst targeted at porters, it provides a good overview for anyone interested in the changes. The message reads:
PF queues break the 4 Gbps barrier
OpenBSD's PF packet filter has long supported HFSC traffic shaping with the queue rules in pf.conf(5). However, an internal 32-bit limitation in the HFSC service curve structure (struct hfsc_sc) meant that bandwidth values were silently capped at approximately 4.29 Gbps, "the maximum value of a u_int". With 10G, 25G, and 100G network interfaces now commonplace, OpenBSD developers making huge progress unlocking the kernel for SMP, and adding drivers for cards supporting some of these speeds, this limitation started to get in the way. Configuring bandwidth 10G on a queue would silently wrap around, producing incorrect and unpredictable scheduling behaviour. A new patch widens the bandwidth fields in the kernel's HFSC scheduler from 32-bit to 64-bit integers, removing this bottleneck entirely. The diff also fixes a pre-existing display bug in pftop(1) where bandwidth values above 4 Gbps would be shown incorrectly.
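To make the "silent wrap" concrete, here is an added C example written for this summary. It is not OpenBSD's HFSC or pfctl code: it parses pf.conf-style bandwidth strings into 64-bit bits-per-second, shows what a 32-bit field makes of them, and adds the range check a 32-bit consumer should have had. Assumptions: the K/M/G suffixes are decimal (1000-based) as pfctl treats them, and the 32-bit limit modelled is UINT32_MAX, the u_int maximum the article quotes.

```c
/*
 * Added example, not OpenBSD source: pf.conf-style bandwidth parsing
 * and the 32-bit truncation the HFSC patch removes.
 * Assumption: K/M/G are decimal multipliers (1000, 1e6, 1e9).
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse "10G", "500M", "9600" into bits per second; 0 on any error. */
uint64_t parse_bandwidth(const char *s)
{
	char *end;
	unsigned long long v;
	uint64_t mult = 1;

	if (s == NULL || *s == '-')	/* strtoull would accept "-5G" */
		return 0;
	errno = 0;
	v = strtoull(s, &end, 10);
	if (end == s || errno != 0)
		return 0;
	switch (*end) {
	case '\0':
		break;
	case 'K': case 'k':
		mult = 1000ULL; end++; break;
	case 'M': case 'm':
		mult = 1000ULL * 1000; end++; break;
	case 'G': case 'g':
		mult = 1000ULL * 1000 * 1000; end++; break;
	default:
		return 0;		/* unknown suffix */
	}
	if (*end != '\0')
		return 0;		/* trailing garbage */
	if (v > UINT64_MAX / mult)
		return 0;		/* would overflow even 64 bits */
	return (uint64_t)v * mult;
}

/* The old behaviour: a 32-bit field quietly keeps the low 32 bits. */
uint32_t old_hfsc_store(uint64_t bps)
{
	return (uint32_t)bps;		/* 10G becomes 1410065408 */
}

/* The check that was missing: 1 if the value fits the given field width
 * (UINT32_MAX for the old struct, UINT64_MAX after the patch), else 0. */
int bandwidth_fits(const char *s, uint64_t limit)
{
	uint64_t bps = parse_bandwidth(s);

	return bps != 0 && bps <= limit;
}

int main(void)
{
	const char *cfgs[] = { "4G", "10G", "25G", "100G" };
	size_t i;

	for (i = 0; i < sizeof(cfgs) / sizeof(cfgs[0]); i++) {
		uint64_t bps = parse_bandwidth(cfgs[i]);
		printf("%-5s = %llu bps; u_int field sees %u; "
		    "32-bit check: %s\n", cfgs[i], (unsigned long long)bps,
		    (unsigned)old_hfsc_store(bps),
		    bandwidth_fits(cfgs[i], UINT32_MAX) ? "ok" : "rejected");
	}
	return 0;
}
```

Run it and the 10G line shows the wrapped value 1410065408, roughly 1.4 Gbps, which is the "incorrect and unpredictable scheduling" the article refers to: the queue is shaped, just not to the number in pf.conf. With the 64-bit fields the same check passes, and parsing into a 64-bit type with an explicit limit is the pattern to keep in mind whenever a user-supplied quantity lands in a narrower kernel field.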
Delayed hibernation comes to OpenBSD/amd64 laptops
In a move that would have gone unnoticed by most but will be appreciated by OpenBSD/amd64 laptop users, Mark Kettenis (kettenis@) committed support for delayed hibernation with the new machdep.hibernatedelay sysctl. The commit message reads,
OpenBSD -current moves to 7.9-beta
It's that time of the year again. With the following commit, Theo de Raadt (deraadt@) changed the version of the OpenBSD development branch to 7.9-beta:
Major update to drm(4) code in OpenBSD-current (to linux 6.18.16)
In an unusually extensive commit, Jonathan Gray (jsg@) has upgraded the drm(4) (Direct Rendering Manager) subsystem in OpenBSD-current. Coming at this point in the development cycle, this foreshadows what will be in the upcoming OpenBSD 7.9 release (yes, we're aware that link does not work yet). Also worth noting is Jonathan's note in the commit message,
The Book of PF, 4th Edition Spotted in the Wild
You may have heard already that a fourth edition of The Book of PF was on the way. It is now shipping, and when author and undeadly.org co-editor Peter Hansteen finally got his author copies, he wrote a blog post titled The Book of PF, 4th Edition: It's Here, It's Real. Like Peter says in the article, we would like to encourage readers who can afford it to support the OpenBSD project. And there are pictures, of the book and the resident philosopher.
OpenBSD on SGI: a rollercoaster story, as told by miod@
Some readers will be aware that Miod Vallat (miod@) has been chronicling some of the more challenging parts of OpenBSD development in his OpenBSD stories collection for a while now. The latest entry is the full OpenBSD on SGI: a rollercoaster story, which is also available in six parts, A missed opportunity, 1988-1998
tmppath promise removed from pledge(2) in -current
A long standing and somewhat odd conflict between two OpenBSD security mechanisms, pledge(2) and unveil(2), has been resolved by eliminating the tmppath promise from what pledge(2) offers. The commit by Theo de Raadt (deraadt@) comes with an explanation in the commit message, which reads
Another subprocess for vmd(8)
Dave Voutila (dv@) has continued his work on moving vmd(8) to a multi-process model. (Undeadly first reported on this in 2023.) This time the virtio scsi device has been converted to a subprocess:
Game of Trees 0.123 released
Version 0.123 of Game of Trees has been released (and the port updated):
bsd.rd breakdown
Game of Trees 0.122 released
Version 0.122 of Game of Trees has been released (and the port updated):
Game of Trees 0.121 released
Version 0.121 of Game of Trees has been released (and the port updated):
(Open) Widevine support added to the chromium port
In a move likely to be welcomed by users of streaming video services, Robert Nagy (robert@) has added a port for OpenWV (a free and open-source reimplementation of Google's Widevine CDM), and enabled its use with the chromium port:
pf: make af-to less magical
Seasoned networkers will tell you that legacy IPv4 and modern IPv6 are, in fact, not directly compatible, and shipping traffic between IPv4 and IPv6 networks requires address family translation. On our favorite operating system and its siblings, that special case has been handled via the af-to option and special-case rules since back in the OpenBSD 5.1 days. But that special case has always felt a bit awkward to some, and now David Gwynne (dlg@) is airing a patch on tech@ with a view to making af-to "less magical". In the message titled pf: make af-to less magical, David explains the motivation,
OpenBSD-current now runs as guest under Apple Hypervisor
Following a recent series of commits by Helg Bredow (helg@) and Stefan Fritsch (sf@), OpenBSD/arm64 now works as a guest operating system under the Apple Hypervisor.The commits read
MAXCPUS on OpenBSD/amd64-current is now 255
With these two commits, Mike Larkin (mlarkin@) set the stage for, and next up, bumped the maximum number of processors supported on OpenBSD/amd64 from 64 to 255.The first commit message reads,
rpki-client 9.7 released
The rpki-client project has made a new release, rpki-client 9.7, available with important new features and bug fixes. The announcement reads,
LACP mode removed from trunk(4)
David Gwynne (dlg@) has removed LACP mode from the trunk(4) network driver. The commit message explains the reasoning:
Miod talks about HP/PA boot blocks
Veteran OpenBSD developer Miod Vallat (miod@) has written another deep dive article on porting our favorite operating system to a new platform and maintaining the code, this time the OpenBSD/hppa platform.The piece titled The scariest boot loader code certainly lives up to the title!If you're the right type of person, you will know to set aside a goodly chunk of time for this piece.
OpenBGPD 9.0 released
The OpenBGPD project have announced their new release, OpenBGPD 9.0. The announcement reads,
fw_update(8) now checks dmesg(8) output in addition to dmesg.boot
Thanks to a commit by Andrew Hewus Fresh (afresh1@), fw_update(8) now checks the output of [runtime] dmesg(8) in addition to the [boot-time] file /var/run/dmesg.boot. The commit message explains the rationale:
The story of Propolice, the OpenBSD stack protector
In a fascinating retrospective titled The story of Propolice, longtime OpenBSD developer Miod Vallat (miod@) tells the story of the early stack protection work on OpenBSD. This is also part of the early history of OpenBSD development, when Miod relates that the project
The rpki-client project needs financial support
OpenBSD developer Job Snijders (job@) has updated the rpki-client website to indicate the OpenBSD-associated project needs to raise [a total of] 300,000 before the start of 2026 to continue work. If your company uses rpki-client, please consider working to arrange a donation!
Transition to support for 52 partitions
In -current, Theo de Raadt (deraadt@) has started the transition to support for 52 disk partitions (on a subset of hardware architectures):
Source and state limiters introduced in pf
David Gwynne (dlg@) has introduced source and state limiters, which provide a massive increase in the flexibility of pf traffic limiting:
Big news for small /usr partitions
Several recent commits have improved sysupgrade(8) handling of low free disk space in /usr: Firstly, Stuart Henderson (sthen@) modified the installer to increase free space prior to installing: