OpenBSD 3.4

Released Nov 1, 2003
Copyright 1997-2003, Theo de Raadt.
ISBN 0-9731791-2-0
3.4 Song: "The Legend of Puffy Hood"

• Order a CDROM from our ordering system.
• See the information on The FTP page for a list of mirror machines.
• Go to the pub/OpenBSD/3.4/ directory on one of the mirror sites.
• Briefly read the rest of this document.
• Have a look at The 3.4 Errata page for a list of bugs and workarounds.
• See a detailed log of changes between the 3.3 and 3.4 releases.

All applicable copyrights and credits can be found in the applicable file sources found in the files src.tar.gz, sys.tar.gz, xenocara.tar.gz, or in the files fetched via ports.tar.gz. The distribution files used to build packages from the ports.tar.gz file are not included on the CDROM because of lack of space.

What's New

This is a partial list of new features and systems included in OpenBSD 3.4. For a comprehensive list, see the changelog leading to 3.4.

• The i386 architecture has been switched to the ELF executable format.

• Further W^X improvements, including support for the i386 architecture. Native i386 binaries have their executable segments rearranged to support isolating code from data, and the CPU CS limit is used to impose a best effort limit on code execution.

• ld.so(1) on ELF platforms now loads libraries in a random order for greater resistance to attacks. The i386 architecture also maps libraries into somewhat randomized addresses. Together with W^X and ProPolice, these changes increase the difficulty of successfully exploiting an application error, such as a buffer overflow.

• A static bounds checker has been added to the compiler to perform basic checks on functions which accept buffers and sizes. The checker aims to find common mistakes in the use of library functions such as strlcpy(3) or sscanf(3) without emitting any false positives. Running it over the source and ports trees revealed over a hundred real bugs, which were fixed and submitted back to the original authors where possible.

• Privilege separation has been implemented for the syslogd(8) daemon, making it much more robust against future errors. The child which listens to network traffic now runs as a normal user and chroots itself, while the parent process tracks the state of the child and performs privileged operations on its behalf.

• Many unsafe string functions have been removed from the kernel and userland utilities. This audit is one of the most comprehensive OpenBSD has ever done, with thousands of occurrences of strcpy(3), strcat(3), sprintf(3), and vsprintf(3) being replaced with safer, bounded alternatives such as strlcpy(3), strlcat(3), snprintf(3), vsnprintf(3), and asprintf(3).

• Many improvements to and bugs fixed in the ProPolice stack protector. Several other code generation bugs for RISC architectures fixed.

• ProPolice stack protection has been enabled in the kernel as well.

• Privilege separation has been implemented in the X server. The privileged child process is responsible for the operations that can't be done after the main process has switched to a non-privileged user. This greatly reduces the potential damage that could be caused by malicious X clients, in case of bugs in the X server.

• Emulation support for binary compatibility is now controlled via sysctl(8). Emulation is now disabled by default to limit exposure to malicious binaries, and can be enabled in sysctl.conf(5).

• Manual pages have been greatly cleaned up and improved.

• The ports tree now supports building programs under systrace(1), preventing the possibility of applications harming the system at compile-time via trojaned configuration scripts or otherwise.

• Symbol caching in ld.so(1) reduces the startup time of large applications.

• More license fixes, including the removal of the advertising clause for large parts of the source tree.

• Replacement of GNU diff(1), diff3(1), grep(1), egrep(1), fgrep(1), zgrep(1), zegrep(1), zfgrep(1), gzip(1), zcat(1), gunzip(1), gzcat(1), zcmp(1), zmore(1), zdiff(1), zforce(1), gzexe(1), and znew(1) commands with BSD licensed equivalents.

• Addition of read-only support for NTFS file systems.

• Reliability improvements to layered file systems, enabling NULLFS to work again.

• Import of growfs(8) utility, allowing expansion of existing file systems.

• Improvements to linux emulation enabling more applications to run.

• Significant improvements to the pthreads(3) library.

• Replace many static fd_set uses, to instead use poll(2) or dynamic allocation.

• ANSIfication and stricter prototypes for a large portion of the source tree.

• Legacy KerberosIV support has been removed, and the remaining KerberosV codebase has been restructured for easier management.

• Over 2400 ports, 2200 pre-built packages.

• A large number of bug fixes, changes, and optimizations to our packet filter pf(4) including:
  • packet tagging (e.g. filter on tags added by bridge based on MAC address)
  • stateful TCP normalization (prevent uptime calculation and NAT detection)
  • passive OS detection (filter or redirect connections based on source OS)
  • SYN proxy (protect servers against SYN flood attacks)
  • adaptive state timeouts (prevent state table overflows under attack)

• Improved hardware support, including:
  • Kauai ATA controllers (Apple ATA100 wdc) kauaiata(4) enabling support for Powerbook 12" and 17" models.
  • Support for controlling LongRun registers on Transmeta CPUs.
  • Many fixes to aac(4), ahc(4), osiop(4), and siop(4) SCSI drivers.
  • New it(4), lm(4), and viaenv(4) hardware monitor drivers.
  • New safe(4) driver for SafeNet crypto accelerators.
  • New mtd(4) driver for Myson Technologies network cards.
  • More ethernet cards supported by sk(4), wi(4), fxp(4), and dc(4).
  • Massive overhaul and sync with NetBSD of the entire usb(4) support system.
  • New and better support for various controllers in pciide(4), including experimental support for Serial ATA.
  • New drivers to support mgx(4) and pninek(4) SPARC framebuffers. The vigra(4) driver also supports more models.
  • pcmcia(4) support for Tadpole SPARCBooks and SPARCs with pcmcia-sbus bridges.
  • Watchdog support for elansc(4) and geodesc(4) as used on Soekris boards.

• The system includes the following major components from outside suppliers:
  • XFree86 4.3.0 (+ patches, and i386 contains 3.3.X servers also, thus providing support for all chipsets)
  • Gcc 2.95.3 (+ patches)
  • Perl 5.8.0 (+ patches)
  • Apache 1.3.28, mod_ssl 2.8.15, DSO support (+ patches)
  • OpenSSL 0.9.7b (+ patches)
  • Groff 1.15
  • Sendmail 8.12.9 (+ parse8.359.2.8 security patch)
  • Bind 9.2.2 (+ patches)
  • Lynx 2.8.4rel.1 with HTTPS and IPv6 support (+ patches)
  • Sudo 1.6.7p5
  • Ncurses 5.2
  • Latest KAME IPv6
  • Heimdal 0.6rc1 (+ patches)
  • Arla-current
  • OpenSSH 3.7.1 (now with GSSAPI support)

• Many improvements for security and reliability (look for the red print in the complete changelog).

• and much more.

How to install

Following this are the instructions which you would have on a piece of paper if you had purchased a CDROM set instead of doing an alternate form of install. The instructions for doing an ftp (or other style of) install are very similar; the CDROM instructions are left intact so that you can see how much easier it would have been if you had purchased a CDROM instead.

• CD1:3.4/i386/INSTALL.i386

• CD2:3.4/macppc/INSTALL.macppc
• CD2:3.4/vax/INSTALL.vax

• CD3:3.4/sparc/INSTALL.sparc
• CD3:3.4/sparc64/INSTALL.sparc64

• FTP:.../OpenBSD/3.4/alpha/INSTALL.alpha
• FTP:.../OpenBSD/3.4/hp300/INSTALL.hp300
• FTP:.../OpenBSD/3.4/hppa/INSTALL.hppa
• FTP:.../OpenBSD/3.4/mac68k/INSTALL.mac68k
• FTP:.../OpenBSD/3.4/mvme68k/INSTALL.mvme68k

Quick installer information for people familiar with OpenBSD, and the use of the "disklabel -E" command. If you are at all confused when installing OpenBSD, read the relevant INSTALL.* file as listed above!

OpenBSD/i386:

Play with your BIOS options to enable booting from a CD. The OpenBSD/i386 release is on CD1. If your BIOS does not support booting from CD, you will need to create a boot floppy to install from. To create a boot floppy write CD1:3.4/i386/floppy34.fs to a floppy and boot via the floppy drive.

Use CD1:3.4/i386/floppyB34.fs instead for greater scsi controller support, or CD1:3.4/i386/floppyC34.fs for better laptop support.

If you are planning on dual booting OpenBSD with another OS, you will need to read the included INSTALL.i386 document.

To make a boot floppy under MS-DOS, use the "rawrite" utility located at CD:/3.4/tools/rawrite.exe. To make the boot floppy under a Unix OS, use the dd(1) utility. The following is an example usage of dd(1) , where the device could be "floppy", "rfd0c", or "rfd0a".

# dd if=<file> of=/dev/<device> bs=32k

Make sure you use properly formatted perfect floppies with NO BAD BLOCKS or your install will most likely fail. For more information on creating a boot floppy and installing OpenBSD/i386 please refer to FAQ4.1.

OpenBSD/macppc:

Put the CD2 in your CDROM drive and poweron your machine while holding down the C key until the display turns on and shows OpenBSD/macppc boot.

Alternatively, at the Open Firmware prompt, enter boot cd:,ofwboot /3.4/macppc/bsd.rd

OpenBSD/vax:

Boot over the network via mopbooting as described in INSTALL.vax.

OpenBSD/sparc:

The 3.4 release of OpenBSD/sparc is located on CD3. To boot off of this CD you can use one of the two commands listed below, depending on the version of your ROM.

> boot cdrom 3.4/sparc/bsd.rd
or
> b sd(0,6,0)3.4/sparc/bsd.rd

If your sparc does not have a CD drive, you can alternatively boot from floppy. To do so you need to write "CD3:3.4/sparc/floppy34.fs" to a floppy. For more information see FAQ4.1. To boot from the floppy use one of the two commands listed below, depending on the version of your ROM.

> boot floppy
or
> boot fd()

Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.

If your sparc doesn't have a floppy drive nor a CD drive, you can either setup a bootable tape, or install via network, as told in the INSTALL.sparc file.

OpenBSD/sparc64:

Put the CD3 in your CDROM drive and type boot cdrom.

If this doesn't work, or if you don't have a CDROM drive, you can write CD3:3.4/sparc64/floppy34.fs to a floppy and boot it with boot floppy.
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.

You can also write CD3:3.4/sparc64/miniroot34.fs to the swap partition on the disk and boot with boot disk:b.

If nothing works, you can boot over the network as described in INSTALL.sparc64

OpenBSD/alpha:

Write FTP:3.4/alpha/floppy34.fs or FTP:3.4/alpha/floppyB34.fs (depending on your machine) to a diskette and enter boot dva0. Refer to INSTALL.alpha for more details.

Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.

OpenBSD/hp300:

Boot over the network by following the instructions in INSTALL.hp300.

OpenBSD/hppa:

Boot over the network by following the instructions in INSTALL.hppa or the hppa platform page.

OpenBSD/mac68k:

Boot MacOS as normal and partition your disk with the appropriate A/UX configurations. Then, extract the Macside utilities from FTP:3.4/mac68k/utils onto your hard disk. Run Mkfs to create your filesystems on the A/UX partitions you just made. Then, use the "BSD/Mac68k Installer" to copy all the sets in FTP:3.4/mac68k/ onto your partitions. Finally, you will be ready to configure the "BSD/Mac68k Booter" with the location of your kernel and boot the system.

OpenBSD/mvme68k:

You can create a bootable installation tape or boot over the network.
The network boot requires a MVME68K BUG version that supports the NIOT and NBO debugger commands. Follow the instructions in INSTALL.mvme68k for more details.

Notes about the source code:

src.tar.gz contains a source archive starting at /usr/src. This file contains everything you need except for the kernel sources, which are in a separate archive. To extract:

# mkdir -p /usr/src
# cd /usr/src
# tar xvfz /tmp/src.tar.gz

sys.tar.gz contains a source archive starting at /usr/src/sys. This file contains all the kernel sources you need to rebuild kernels. To extract:

# mkdir -p /usr/src/sys
# cd /usr/src
# tar xvfz /tmp/sys.tar.gz

Both of these trees are a regular CVS checkout. Using these trees it is possible to get a head-start on using the anoncvs servers as described here. Using these files results in a much faster initial CVS update than you could expect from a fresh checkout of the full OpenBSD source tree.

Ports Tree

A ports tree archive is also provided. To extract:

# cd /usr
# tar xvfz /tmp/ports.tar.gz
# cd ports

The ports/ subdirectory is a checkout of the OpenBSD ports tree. Go read the ports page if you know nothing about ports at this point. This text is not a manual of how to use ports. Rather, it is a set of notes meant to kickstart the user on the OpenBSD ports system.

The ports/ directory represents a CVS (see the manpage for cvs(1) if you aren't familiar with CVS) checkout of our ports. As with our complete source tree, our ports tree is available via anoncvs. So, in order to keep current with it, you must make the ports/ tree available on a read-write medium and update the tree with a command like:

# cd [portsdir]/; cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_3_4

[Of course, you must replace the local directory and server name here with the location of your ports collection and a nearby anoncvs server.]

Note that most ports are available as packages through ftp. Updated packages for the 3.4 release will be made available if problems arise.

If you're interested in seeing a port added, would like to help out, or just would like to know more, the mailing list ports@openbsd.org is a good place to know.