OpenBSD Journal

A fairly critical component of routing security infrastructure, rpki-client, has a new release out, version 7.9.The announcement leads in,

Theo de Raadt (deraadt@)committedthe change:

The first r2k22 hackathon report is in, from Job Snijders (job@), who writes:

Courtney Allen has published a blog post about how to run a website and blog almost exclusively on things that are in the OpenBSD base system already, only adding AsciiDoc to the mix.The lead in reads,

Christian Ludwig "wrote a tool to statically analyze spl(9) kernel locking in OpenBSD. It even found some bugs."His write up is here: https://medium.com/@chrissicool/analyze-openbsds-kernel-with-domain-specific-knowledge-ca665d92eebbHis code for the Lock Balancing Checker referenced in the write up is available under an ISC license and can be obtained here: https://github.com/chrissicool/lbc

Here are a few recent OpenBSD news items that we almost missed ourselves:

Frederic Cambus (fcambus@)has written ablog entryregarding the significant differences between the versions ofLLVM inbase andports.

We wouldn't blame you if you it slipped under yourRADAR thatOpenBGPD 7.4 was released,since it doesn't appear to have been mentioned on the OpenBGPD website yet.However, the release notes may be found inthis mailing list postfrom June 14th, 2022:

Peter Hansteen, Massimiliano Stucchi and Tom Smyth gave a presentation on pf at BSDCan 2022. While a video recording from the event has yet to appear, the slides from their presentation may be viewed here:

OpenIKED 7.1 was released on May 23rd, 2022.The complete release notes may be read here:

LibreSSL 3.5.3 was released on May 18th, 2022.The release notes may be found here:

Crystal Kolipe writes in about her work on the framebuffer console, and provides an article on

Following much development and testing,parallel IP forwarding has been enabled in -current.The most recent of the relevant commitsare:

In -current, the performance ofpkg_add(1)has been greatly enhanced by theenabling of caching by default:

syspatch71-001_wifi was somewhatbroken(in terms of the housekeeping rather thanthe functionality of the patch).On those systems to which the faulty patch was applied,some manual intervention is required.Instructions for thisare now on theerrata page.

Hot on the heels of OpenBSD 7.1's release,LibreSSLhas been updated to 3.5.2!The complete release notes may be read here:https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.5.2-relnotes.txt

The long spring (or fall) wait is over, the OpenBSD project today formally released OpenBSD 7.1, the 52nd release of our favorite open source operating system.As usual, the release page lists the main highlights of the new release, which include

Claudio Jeker (claudio@) has just announced the release of OpenBGPD 7.3. He writes:

Version 9.0ofOpenSSHhas been released.Notable changes include:

In amessage to tech@(and arm64@),Mark Kettenis (kettenis@) wrote:

Hrvoje Popovski writes in with some result from his performance tests, like he did a few years ago:

For undeadly readers, our Errata column on the right side of the web site automatically updates and as of March 15th, 2022 some of you may have already noticed that there is a new security fix related to LibreSSL. Salient excerpt from the release notes as follows:

Following a request-for-testingthreadon tech@,Stefan Sperling (stsp@)hascommittedsomeIEEE 802.11acsupport toiwx(4):

James Hastings (hastings@) hascommittedmtw(4),a driver forMediaTek MT7601UUSBWi-Fi devices:

As of February 24th, 2022, LibreSSL's development branch has been updated to version 3.5.0.

On February 23rd, 2022 OpenSSH was updated to version 8.9.

With the followingcommit,Theo de Raadt (deraadt@) moved -currentto version 7.1-beta:

Recent things of interest include:

Crystal Kolipe writes in, saying

Crystal Kolipe has donea four partmulti-part write upabout getting OpenBSD running on aPinePhone here:

A long list of recent LibreSSLcommits by Theo Buehler (tb@)culminated inbumps to library versions:

Johathan Gray (jsg@) hasupdatedDRMto Linux 5.15.14 (with support for several additional chips):

Damien Miller (djm@) justnoted on social media that he has committed(starting here)changes which allow control overssh-agent(1)key-forwarding based on destination host and forwarding path.A detailed description isavailableon theOpenSSH site.

After much preparatory work in base and ports,clang(1)has been upgraded to version 13.0.0 (on the relevant platforms).Patrick Wildt (patrick@) made thecommits.

Interesting developments (in -current) sinceOpenBSD 7.0 include:

The OpenBSD projecthas releasedOpenBSD 7.0,the project's 51 release.As usual, the release pageoffers highlights, installation and upgrade instructions, as well as links toother resources such as thedetailed changelog.Notable improvements include, but are not limited to:

In the run-up to the OpenBSD 7.0 release, we note several recent interestingthings previously unreported:

As a result of a licence change byRealtek,that company's wireless firmware images are now included in the tree.The followingcommitby Kevin Lo (kevlo@)explains the details:Read more…

Did you just runsyspatch(8)and see it fail?Here's the reason: one of the two root certificatesbehind the (excellent)Let's EncryptCA service has expired.A bug in (the "legacy" verifier of)LibreSSLalso contributed.The syspatches (for OpenBSD 6.8,032, for OpenBSD 6.9,018) mitigate the unfortunate situation.However, your syspatch may fail if your local mirror uses aLet's Encrypt certificate.Patch-22!In that case, the best advice may be to try a mirror that does notuse a Let's Encrypt certificate just to get past this speed bump.Read more…

EuroBSDCon 2021was held [virtually] earlier this month.Videos of the presentation arenow available.Amongst the OpenBSD-related presentations is that byMarc Espie (espie@) -Debug Packages in OpenBSD(slides,video).

Thanks to acommitby Damien Miller (djm@),scp(1) (in -current)now defaults to using theSFTP protocol:

In a recentmessageto tech@ Martin Pieuchot (mpi@) wrote aboutanalysis of kernel lock contention.We reproduce the message(s) here, reformatted with his permission.

Florian Obser (florian@)has committeda significant speed boost fortraceroute(8):

With the followingcommit,Matthieu Herrb (matthieu@)gavexterm(1)someunveil(2)goodness:

With the followingcommit,Tobias Heider (tobhe@)added client-side support for DNS configurationto iked(8):

Job Snijders (job@)importedthetimeout(1)utility from NetBSD:

OpenBSD Journal co-editor Solène Rapenne (solene@) writes,

Theo de Raadt (deraadt@)committeda change which significantly reduceshibernatetime on machines with larger amounts of RAM:

In amessage to tech@Damien Miller (djm@)explained the consequences of his recentcommit:

Claudio Jeker (claudio@) hascommittedsupport for simple include and exclude casesin (open)rsync: