On December 1st, 2022 the OpenIKED project announced a new stable version, OpenIKED 7.2.

The OpenBSD Foundation, which is central to funding the OpenBSD project, needs your help to reach its 2022 Fundraising Goal of $300,000.

At the time of writing, the amount raised in 2022 stands at a little over 50% of the stated goal.

The Foundation needs your help to sustainably fund the project. Please head over to the Foundation's donations page, and make sure you drag your employer over there too!

With about 30 days left in 2022, we know we can do it!

It started with a thread on misc@ with the subject "Locking network card configuration" where the problem description is, when two or more network interfaces are attached to the same USB bus, their numbering may not be entirely predictable. The question is, what workarounds are possible?

The thread, where several developers offered their insights, and which soon migrated to tech@ with the subject switched to "lladdr support for netstart/hostname.if (was: Re: Locking network card configuration)" and later "lladdr support for netstart/hostname.if" turned up several suggestions, with several patches, and potential support for link level address (MAC address) tied configuration via a new hostname.MAC(5) file to supplement the more familiar hostname.if(5) config file, complete with corresponding ifconfig(8) options.

Please read the messages and patches, and if you have useful input for the developers on this, please chime in via tech@ or in comments here if you prefer.

Once again, an interesting feature that may materialize for testing in snapshots in the near future.

In a recent message to the tech mailing list, Theo de Raadt (deraadt@) summarized the state of the new memory protections work. The thread also includes a followup from Otto Moerbeek (otto@) on consequent changes to the memory allocation mechanisms.

Theo writes,

From: "Theo de Raadt" <deraadt () openbsd ! org>
Date: Fri, 18 Nov 2022 03:10:05 +0000
To: openbsd-tech
Subject: More on mimmutable

[LONG]

I am getting close to having the big final step of mimmutable in the tree.
Here's a refresher on the how it works, what's already done, and the next
bit to land.

DESCRIPTION
     The mimmutable() system call changes currently mapped pages in the region
     to be marked immutable, which means their protection or mapping may not
     be changed in the future.  mmap(2), mprotect(2), and munmap(2) to pages
     marked immutable will return with error EPERM.

Tobias Heider (tobhe@) posted to tech@ asking people with access to the relevant hardware to test updates to the arm64 bootloader code:

From: Tobias Heider <tobhe () openbsd ! org>
Date: Fri, 18 Nov 2022 16:57:12 +0000
To: openbsd-tech
Subject: Help testing Apple M1/M2 bootloader update

Hi all,

we are working on automated bootloader and device-tree updates for Apple
Silicon machines.  This is necessary because both drivers and device trees
are moving targets and without a way to update both we end up in situations
where drivers suddenly stop working.

Version 0.79 of Game of Trees has been released (and the port updated):

* got 0.79; 2022-11-08
- repair build on OpenBSD/sparc64 (patch by Ted Bullock)
- fix crash in gotd if client gets disconnected on error (reported by Mikhail)
- fix crash in got-send-pack when server does not announce any capabilities
- make gotd work as intended on an empty repository
- prevent freeing of bogus pointers in got_inflate_end() and got_deflate_end()
- reduce delta cache size to avoid running out of memory on large pack files
- add missing free of delta buffers in several error paths
- make 'got clone -b' work for repositories which lack a valid HEAD reference
- use sub-second precision when checking for objects/pack/ modification
- fix capabilities announced by gotsh when no references exist in repository

Martin Pieuchot (mpi@) has committed a change unlocking the mmap(2), munmap(2), and mprotect(2) system calls:

CVSROOT:	/cvs
Module name:	src
Changes by:	mpi@cvs.openbsd.org	2022/11/08 04:05:57

Modified files:
	sys/kern       : syscalls.master 

Log message:
Mark mmap(2), munmap(2) and mprotect(2) as NOLOCK.

Accesses to data structures used by these syscalls are serialized by the
VM map lock with the exception of file mappings which are still protected
by the KERNEL_LOCK().

Unlocking this set of syscalls improves most of userland workloads.

Tested by many including robert@ (since 2 years), mlarkin@, kn@, sdk@,
jca@, aoyama@, naddy@, Scott Bennett and others. Thanks to all!

Joint work with kn@.

ok robert@, aja@, kettenis@, kn@, deraadt@, beck@

The improvement in workload performance can be quite marked. Following Martin's request for testing, Mike Larkin (mlarkin@) reported build performance improvement of over 12%!

Version 0.78 of Game of Trees has been released (and the port updated):

* got 0.78; 2022-11-03
- gotsh.1: Use Sx for referencing EXAMPLES (patch by Josiah Frentsos)
- change got_pack_parse_offset_delta tslen argument to size_t (op)
- fix regression test failures with Git 2.30.5 / 2.38.1 or later installed
- fix gotd(8) usage() string (patch by Josiah Frentsos)
- regress/rebase.sh: remove accidentally included absolute path to "got" (naddy)
- fix off_t type mismatches in printf format string arguments (naddy, op)
- fix spelling of "FastCGI" (patch by Josiah Frentsos)
- add missing `goto done;' on error path of read_raw_delta_data() (op)
- add bounds check when reading a delta offset from a packed object (op)
- check size before calling mmap(2) (op)
- sort getopt() option lists and switch statements (patch by Josiah Frentsos)
- make got.conf(5) warn about remotes configured in locally-shared repositories
- add missing check for errors from got_gotconfig_read() in open_worktree()
- plug a memory leak on error in got_gotconfig_read()
- convert pack filesize variables to off_t for large packs on 32-bit arch (op)
- remove sendfd pledge promise from gotd repo_read and repo_write processes
- add gotctl(8); initially supported commands are 'info' and 'stop'
- respect umask when creating or changing files and directories (op)
- fix typo which caused a double-free in gotd repo_write_shutdown()
- got-fetch-pack: fix wrong memmove length leading to dubious checksum failures
- avoid incomplete writes of pack file data in gotsh and got-send-pack
- add a test suite for gotd(8); check basic clone and send functionality
- require space between commit author name and email, for Git compatibility
- gotwebd: avoid 500 error code if erroring out in plaintext mode (landry)
- gotwebd: add respect_exportok flag, defaulting to off (landry)
- respect open files resource limit when sizing pack cache; regression from 0.71
- provide a diff of changes in a temp file while editing a commit log message
- fix memory and file descriptor leak for raw objects (regression from 0.77)
- remove casts which made older gcc versions unhappy
- fix free of wrong address on error in gotweb's parse.y

This release sees the introduction of gotctl(8), a utility for controlling gotd(8).

Brent Cook (bcook@) has announced the release of LibreSSL verion 3.6.1:

We have released LibreSSL 3.6.1, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon. This is the first
stable portable LibreSSL release from the OpenBSD 7.2 branch.

It includes the following fixes from LibreSSL 3.6.0:

 - Custom verification callbacks could cause the X.509 verifier to
   fail to store errors resulting from leaf certificate verification.
     Reported by Ilya Shipitsin.
 - Unbreak ASN.1 indefinite length encoding.
     Reported by Niklas Hallqvist.
 - Fix endian detection on macOS
     Reported by jiegec on Github

For the changes from LibreSSL 3.5.x, see the 3.6.0 release notes here:
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.0-relnotes.txt

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.