OpenBSD Journal

OpenBSD Journal

sshd(8) split into multiple binaries

Contributed by rueda on from the puffy-does-the-splits dept.

With the following commit, Damien Miller (djm@) commenced the process of splitting sshd(8) into multiple binaries:

CVSROOT:	/cvs
Module name:	src
Changes by:	djm@cvs.openbsd.org	2024/05/16 18:30:24

Modified files:
	usr.bin/ssh    : Makefile Makefile.inc auth-rhosts.c auth.c 
	                 auth.h auth2-gss.c auth2-hostbased.c 
	                 auth2-kbdint.c auth2-none.c auth2-passwd.c 
	                 auth2-pubkey.c auth2.c channels.c kex.c kex.h 
	                 kexgexs.c misc.c misc.h monitor.c monitor.h 
	                 monitor_wrap.c monitor_wrap.h msg.c packet.c 
	                 packet.h pathnames.h servconf.c servconf.h 
	                 serverloop.c session.c ssh_api.c sshd.c 
	usr.bin/ssh/sshd: Makefile 
Added files:
	usr.bin/ssh    : sshd-session.c 
	usr.bin/ssh/sshd-session: Makefile 

Log message:
Start the process of splitting sshd into separate binaries. This step
splits sshd into a listener and a session binary. More splits are
planned.

Read more…

Demise of Nagle's algorithm (RFC 896 - Congestion Control) predicted via sysctl

Contributed by Peter N. M. Hansteen on from the hammering the Nagle dept.

Is the classical TCP congestion control mechanism known as Nagle's algorithm (RFC 896 - Congestion Control) headed for the scrap heap of history?

A recent post on tech@ titled Add sysctl to disable Nagle's algorithm (RFC 896 - Congestion Control) from Job Snijders (job@) with a patch to implement the disabling sysctl indicates that some at least think that deprecation is in order.

The message leads in,

List:       openbsd-tech
Subject:    Add sysctl to disable Nagle's algorithm (RFC 896 - Congestion Control)
From:       Job Snijders <job () openbsd ! org>
Date:       2024-05-13 18:41:55

Dear all,

Back in the early 1980s, a suggestion was put forward how to improve TCP
congestion control, also known as "Nagle's algorithm". See RFC 896.

Nagle's algorithm can cause consecutive small packets from userland
applications to be coalesced into a single TCP packet. This happens at
the cost of an increase in latency: the sender is locally queuing up
data until it either receives an acknowledgement from the remote side or
sufficient additional data piled up to send a full-sized segment.

Read more…

LibreSSL version 3.9.2 released

Contributed by rueda on from the splat dept.

The LibreSSL project has announced the release of [bugfix] version 3.9.2 of the software:

We have released LibreSSL 3.9.2, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.

It includes the following change from LibreSSL 3.9.1:

 * Bugfixes
   - OpenBSD 7.5 errata 003. A missing bounds check could lead to a crash
     due to dereferencing a zero-sized allocation.

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.

Game of Trees 0.99 released

Contributed by rueda on from the again-and-again-and dept.

Version 0.99 of Game of Trees has been released (and the port updated).

* got 0.99; 2024-05-05
  see git repository history for per-change authorship information
- make 'got fetch' work with URLs which refer to $HOME via a tilde: ~user
- replace strftime %G-%m-%d with %F to prevent 2024-12-30 -> 2025-12-30
- fix spurious errors from got-fetch-http when server has no more data to send
- prevent gotd notification process from exiting due to EPIPE
- fix I/O hangs with TLS in got-notify-http
- document http and https protocol support in got.conf(5), too
- fix an fd leak in gotd's notify process causing endless CPU spin
- back out got stage -R option addition; deemed too inconvenient in practice
- fix got-fetch-http GET request URL; add leading slash and avoid double slashes
- allow custom GOT_TEST_HTTP_PORT when running regression tests
- gotwebd: add magic ".git" handling; try foo.git if repository foo is not found
- expose authenticated gotd user account in HTTP notifications
- gotd.conf(5) HTTP/JSON documentation fixes
- fix endless loop upon Ctrl-D (EOF) input during got stage/unstage/revert -p
- make gotd notifications work when 'git push' is used instead of 'got send'
- make got stage -p behave the same way in interactive and -F modes for 'q'
- fix lingering gotd processes from clients closing connections early
- regress: prevent spurious failure of gotd test_clone_basic_access_denied
- fix an issue where 'git fetch' would error or hang against gotd
- use polling read in got_pkt_readn() to avoid endless hangs in gotsh

And we, too, are curious what the next version number will be :)

OpenSMTPD table protocol changes, now with the backstory

Contributed by Peter N. M. Hansteen on from the tables, we deliver dept.

Regular readers will be aware that OpenBSD ships with its own mail server implementation, OpenSMTPD, in its base system.

In a recent message to the tech@ mailing list, Omar Polo (op@) asked for comments or oks for a patches implementing a change of table protocols. A little later, Gilles Chehade (gilles@) posted to the misc@opensmtpd.org mailing list with the backstory for this change.

The message follows in full below (apparently the otherwise fine marc.info archive site no longer archives the list):

Date: Fri, 03 May 2024 08:22:03 +0000
From: gilles@poolp.org
To: misc@opensmtpd.org
Subject: smtpd: change the table protocol

Hello,

This is a copy of a mail I sent to OpenBSD hackers a few days ago so you are aware of work
being done on OpenSMTPD by Omar Polo.

~~~

TL;DR: proposal to change table backends wire protocol to one that's closer to filters, it
       has proven to work for years now, comes with many benefits and it is a very trivial
       change that we can pull in a handful of hours:
       https://tmp.omarpolo.com/smtpd-tables.7.html

Read more…

Passphrase timeout for disk decryption at boot added (potential battery lifesaver)

Contributed by Peter N. M. Hansteen on from the bag heater no more dept.

Have you had your laptop accidentally un-hibernate while you weren't looking, leaving you with a totally drained battery?

Now OpenBSD-current has a fix for that, thanks to this commit by Klemens Nanni (kn@). The commit message reads,

List:       openbsd-cvs
Subject:    CVS: cvs.openbsd.org: src
From:       Klemens Nanni <kn () cvs ! openbsd ! org>
Date:       2024-04-25 18:31:49

CVSROOT:	/cvs
Module name:	src
Changes by:	kn@cvs.openbsd.org	2024/04/25 12:31:49

Modified files:
	sys/lib/libsa  : softraid.c 
	sys/arch/amd64/stand/boot: boot.8 
	sys/arch/amd64/stand/efiboot: Makefile.common cmd_i386.c conf.c 
	                              efiboot.c efiboot.h 

Log message:
Add boot.conf(8) 'mach idle [secs]' to halt at idle passphrase prompts

Read more…

Game of Trees 0.98 released

Contributed by Peter N. M. Hansteen on from the are these all trees dept.

The version control system gameoftrees 0.98 has been released and should soon show up in OpenBSD -current packages. An update for the -portable version will follow as well.

The main improvements in the new release are listed in the release notes as

- speed up got tag -l by caching timestamps in got_ref_cmp_tags()
- provide a macro for vi(1) path for use by -portable at compile time
- avoid a rename/stat race when gotd installs a new pack and then uses it
- make 'got ref -l' output consistent when packed references exist
- make 'got ref -l' work consistently when a reference argument is given
- add initial support for notifications to gotd(8), via email and http/json

Read more…

pfctl(8) and systat(8) to display fragment reassembly statistics

Contributed by Peter N. M. Hansteen on from the assembling, not dissembling my fragments dept.

The OpenBSD toolbox for network debugging just got better. In a recent thread on tech@ titled pfctl show fragment info, Alexander Bluhm (bluhm@) posted a patch to enable packet reassembly statistics in pfctl(8).

Several other developers joined in, and Claudio Jeker (claudio@) suggested that systat(8) should too be enhanced to display packet reassembly data in pf(4) related views.

This suggestion was well received, and the resulting code has now been committed,

Read more…

Coming soon to a -current system near you: parallel raw IP input

Contributed by Peter N. M. Hansteen on from the all the packets all at once dept.

The work to improve the capabilities of the network stack is about to take a noticeable step forward. In a message to tech@ titled parallel raw IP input, Alexander Bluhm (bluhm@) posted a patch that he describes as

List:       openbsd-tech
Subject:    parallel raw IP input
From:       Alexander Bluhm <bluhm () openbsd ! org>
Date:       2024-04-11 20:24:39

Hi,

As mvs@ mentioned, running raw IP in parallel is easier as it is
less complex than UDP.  Especially there is no socket splicing.

So I fixed one race in rip_input() and reused my shared net lock
ip_deliver() loop.

Read more…

Donate!

Donate to OpenBSD

Features

We are constantly on the lookout for stories of how you put OpenBSD to work. Please submit any informative articles on how OpenBSD is helping your company.

OpenBSD Errata

OpenBSD 7.5

0032024-05-10 RELIABILITY A missing bounds check could lead to a crash in libcrypto.
0022024-04-11 RELIABILITY Install media for alpha architecture was broken due to strip(1) bug.
0012024-04-08 SECURITY Fix multiple heap buffer overread and data leakage in the X11 server Xi extension and use after free in the Render extension. CVE-2024-31080 CVE-2024-31081 CVE-2024-31083

Unofficial RSS feed of OpenBSD errata

OpenBSD 7.4

0162024-04-08 SECURITY Fix multiple heap buffer overread and data leakage in the X11 server Xi extension and use after free in the Render extension. CVE-2024-31080 CVE-2024-31081 CVE-2024-31083
0152024-03-18 SECURITY In libexpat fix billion laughs attack vulnerability CVE-2024-28757.
0142024-02-29 SECURITY vmm(4) did not restore GDTR limits properly on Intel (VMX) CPUs.
0132024-02-13 SECURITY DNSSEC protocol vulnerabilities have been discovered that render various DNSSEC validators victims of Denial Of Service while trying to validate specially crafted DNSSEC responses. Fix CVE-2023-50387 and CVE-2023-50868 in unwind(8) and unbound(8).
0122024-01-16 SECURITY Fix multiple xserver heap buffer overflows, out of bounds memory accesses and memory corruption. CVE-2023-6816 CVE-2024-0229 CVE-2024-21885 CVE-2024-21886 CVE-2024-0408 CVE-2024-0409
0112023-12-18 SECURITY An SSH protocol weakness (the Terrapin Attack) exists that allows an on-path adversary to disable keystroke timing obfuscation.

Unofficial RSS feed of OpenBSD errata

XML/RSS/RDF

Users wishing RSS/RDF summary files of OpenBSD Journal can retrieve: RSS feed

Options are available.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]