OpenBSD 3.5

Released May 1, 2004
Copyright 1997-2004, Theo de Raadt.
ISBN 0-9731791-3-9
3.5 Song: "CARP License" and "Redundancy must be free"

• Order a CDROM from our ordering system.
• See the information on The FTP page for a list of mirror machines.
• Go to the pub/OpenBSD/3.5/ directory on one of the mirror sites.
• Briefly read the rest of this document.
• Have a look at The 3.5 Errata page for a list of bugs and workarounds.
• See a detailed log of changes between the 3.4 and 3.5 releases.

All applicable copyrights and credits can be found in the applicable file sources found in the files src.tar.gz, sys.tar.gz, xenocara.tar.gz, or in the files fetched via ports.tar.gz. The distribution files used to build packages from the ports.tar.gz file are not included on the CDROM because of lack of space.

What's New

This is a partial list of new features and systems included in OpenBSD 3.5. For a comprehensive list, see the changelog leading to 3.5.

• New platforms:
  • OpenBSD/amd64
    Supporting the AMD64 architecture natively, with full 64-bit support, 8 extra registers in the architecture to significantly increase performance, and a memory management Non-Executable bit that permits full W^X support.
    (Note: The upcoming Intel "ia32e" AMD64-compatible CPUs have also been tested, and work, even though they lack the NX bit).
  • OpenBSD/cats
    Our first entry in the ARM-CPU landscape. We intend to use this as a development platform for something else we plan for the future...
  • OpenBSD/mvme88k
    Supporting an older, but very cool CPU architecture, perhaps the most pure RISC CPU ever.

• Replacement of the GNU bc(1), dc(1), nm(1) and size(1) commands with BSD licensed equivalents.

• A large number of bug fixes, changes, and optimizations to our packet filter pf(4) including:
  • Atomic commits of ruleset changes (reduce the chance of ending up in an inconsistent state).
  • A 30% reduction in the size of state table entries.
  • Source-tracking (limit number of clients and states per client).
  • Sticky-address (the flexibility of round-robin with the benefits of source-hash).
  • Invert the socket match order when redirecting to localhost (prevents the potential security problem of remote connections being identified as local).
  • Significant improvements to interface handling.

• New tools for filtering gateway failover:
  • CARP (the Common Address Redundancy Protocol) carp(4) allows multiple machines to share responsibility for a given IP address or addresses. If the owner of the address fails, another member of the group will take over for it. A discussion of the history of CARP can be found here.
  • Additions to the pfsync(4) interface allow it to synchronise state table entries between two or more firewalls which are operating in parallel, allowing stateful connections to cross any of the firewalls regardless of where the state was initially created.

• New functionality:
  • pty(4) devices are now allocated on demand, up to a configurable limit.
  • New ptm device (see pty(4)) that allows non-privileged processes to allocate a properly-permissioned pty.
    As a result any process can now open a pty easily, meaning xterm(1) and xconsole(1) are no longer setuid root. (In 3.4 they were setuid root, but privilege revoking).
  • The closefrom(2) system call has been added.
  • TCP MD5 signatures (used by nc(1) and bgpd(8)).
  • Network boot support for i386 and amd64, using pxeboot(8).
  • The i386 8GB boot loader limitation has been removed.
  • spamd(8) gains greylisting support. This allows greylisting (a very powerful spam reduction technique) to be done on a firewall for many mail hosts, no matter what MTA is being used.
  • Interface 'cloning', accessed by ifconfig(8) commands create and destroy. E.g. `ifconfig vlan100 create'.
  • ifconfig(8) can now be used with a generic interface name, for listing all such configured interfaces. E.g. `ifconfig carp'.
  • The MAKEDEV(8) manual pages are now generated, and hence, accurate.
  • Complete rewrite of package tools in perl.
  • syslogd(8) now supports logging to memory buffers, to be read using syslogc(8). This is useful for diskless or flash-based computers.
  • IPsec ESP in UDP encapsulation.
  • malloc(3) chunk randomization and guard pages. This helps to detect out-of-bounds reads and writes.
  • authpf(8) now tags traffic in pflog(4) so that users may be associated with traffic through a NAT setup.
  • hw.setperf sysctl allows controlling the speed of many new i386 CPUs, great for prolonged battery life.
  • XFS has been added to the GENERIC kernels so that afsd(8) may be started easily, eliminating the need to recompile the kernel to use AFS.
    AFS can now be used anonymously by enabling it in rc.conf(8) with no further configuration.
  • The ps, top and w utilities no longer break when changes are made in kernel structures.
  • A poll interface has been added to the rpc routines in the standard C library. Use of poll over select can result in better performance for programs with a large number of open file descriptors.
  • dhclient(8) now detects when the interface it configured is modified and gracefully exits. e.g. repeatedly running it against the same interface leaves only the last instance active.

• Privilege separation added to allow complex operations to occur in an untrusted, unprivileged process, resulting in much greater security for the following processes:
  • isakmpd(8)
  • named(8) (Previously privilege revoking, but this had a small breakage).
  • pflogd(8)
  • tcpdump(8)

• New tools:
  • sensorsd(8), monitoring hardware sensors.
  • procmap(1), to examine a process' memory map.
  • bgpd(8), implementing the BGP-4 routing protocol.
  • pkill(1) and pgrep(1), finding or signalling processes by name.

• Performance improvements:
  • Improved connection/socket lookup - about 100 times faster at 10000 sockets than 3.4.
  • TCP SYN cache. Greatly reduces the memory cost of half-open TCP connections.
  • Implemented TCP adjustments recommended by RFC3390, controllable via sysctl.
  • OpenSSL speedup on i386, up to 100% improvement for md5, sha1, blowfish, des, 3des, rsa, dsa and bn.
  • OpenSSL now directly uses the new AES instructions some VIA C3 processors provide, increasing AES to 780MBytes/second (so you get to see a fan-less CPU performing AES more than 10x faster than the fastest CPU currently sold).
  • Directory hashing makes lookups in large directories much faster.
  • Zeroing pages with SSE. Faster operation, and avoids clobbering the cache.

• SCSI(4) improvements:
  • Bus probe made faster by skipping non-existent LUNs.
  • Bus probe made saner by elimination of spurious commands.
  • Bus probe made safer by having INQUIRY commands ask only for available data.
  • Eliminated a race that, e.g., caused problems burning CDs at high speeds.
  • SCSIDEBUG output can now be restricted to specified buses.
  • ASC/ASCQ diagnostic messages updated to SCSI-3 standards.
  • Better error handling.

• Improved hardware support, including:
  • The hppa architecture gets support for many PCI based machines w/ addition of dino(4) GSC-PCI bridge.
  • New oosiop(4) driver for NCR 53C700 SCSI host adapters.
  • Major improvements to ahc(4), bringing support for many new models.
  • New bce(4) driver, supporting the Broadcom BCM4401 FastEthernet chipset.
  • New mpt(4) driver for LSI Fusion-MPT SCSI and FibreChannel host adapters.
  • New snapper(4) audio driver for recent iBook (since May 02) and PowerBook (since Apr 02) models.
  • Improved stability of the wi(4) driver as well as support for USB-based adapters and software WEP.
  • wi(4) in HostAP mode now supports SSID hiding and newer prism firmware revisions.
  • Fixed several firmware incompatibility issues in an(4).
  • Improved ATA and SATA support.
  • Support for i835 AGP GART in vga(4).
  • Improved Gigabit Ethernet support for em(4), sk(4) & bge(4).
  • Several fixes for apm(4).
  • Support for Intel 852/855/865 AGP chipsets.
  • Many more USB Flash and other umass(4) devices work as a result of SCSI improvements.

• This release ships with Firefox for all major architectures.

• Major improvements in pthreads(3).

• Over 2500 ports, 2300 pre-built packages.

• Many improvements for security and reliability (look for the red print in the complete changelog).

• Many improvements in manual pages and other documentation.

• Gcc 3.3.2, including local additions like ProPolice support, for the OpenBSD/amd64, OpenBSD/cats and OpenBSD/sparc64 platforms. Other architectures still use gcc 2.95.3 with the same local additions.

• OpenSSH 3.8.1:
  • sshd(8) now supports forced changes of expired passwords via passwd(1).
  • ssh(1) now uses untrusted cookies for X11-Forwarding. Some X11 applications might need full access to the X11 server, see ForwardX11Trusted in ssh_config(5) and xauth(1).
  • ssh(1) now supports sending application layer keep-alive messages to the server. See ServerAliveInterval in ssh_config(5).
  • Improved sftp(1) batch file support.
  • New KerberosGetAFSToken option for sshd(8).
  • Updated /etc/moduli file and improved performance for protocol version 2.
  • Support for host keys in DNS.
  • The experimental "gssapi" support has been replaced with the "gssapi-with-mic" to fix possible MITM attacks. The two versions are not compatible.

• The system includes the following major components from outside suppliers:
  • XFree86 4.4.0 unencumbered (+ patches, and i386 contains 3.3.X servers also, thus providing support for all chipsets)
  • Gcc 2.95.3 (+ patches) and 3.3.2 (+ patches)
  • Perl 5.8.2 (+ patches)
  • Apache 1.3.29, mod_ssl 2.8.16, DSO support (+ patches)
  • OpenSSL 0.9.7c (+ patches)
  • Groff 1.15
  • Sendmail 8.12.11
  • Bind 9.2.3 (+ patches)
  • Lynx 2.8.4rel.1 with HTTPS and IPv6 support (+ patches)
  • Sudo 1.6.7p5
  • Ncurses 5.2
  • Latest KAME IPv6
  • Heimdal 0.6rc1 (+ patches)
  • Arla-current

How to install

Following this are the instructions which you would have on a piece of paper if you had purchased a CDROM set instead of doing an alternate form of install. The instructions for doing an ftp (or other style of) install are very similar; the CDROM instructions are left intact so that you can see how much easier it would have been if you had purchased a CDROM instead.

• CD1:3.5/i386/INSTALL.i386
• CD1:3.5/vax/INSTALL.vax

• CD2:3.5/amd64/INSTALL.amd64
• CD2:3.5/macppc/INSTALL.macppc

• CD3:3.5/sparc/INSTALL.sparc
• CD3:3.5/sparc64/INSTALL.sparc64

• FTP:.../OpenBSD/3.5/alpha/INSTALL.alpha
• FTP:.../OpenBSD/3.5/cats/INSTALL.cats
• FTP:.../OpenBSD/3.5/hp300/INSTALL.hp300
• FTP:.../OpenBSD/3.5/hppa/INSTALL.hppa
• FTP:.../OpenBSD/3.5/mac68k/INSTALL.mac68k
• FTP:.../OpenBSD/3.5/mvme68k/INSTALL.mvme68k
• FTP:.../OpenBSD/3.5/mvme88k/INSTALL.mvme88k

Quick installer information for people familiar with OpenBSD, and the use of the "disklabel -E" command. If you are at all confused when installing OpenBSD, read the relevant INSTALL.* file as listed above!

OpenBSD/i386:

Play with your BIOS options to enable booting from a CD. The OpenBSD/i386 release is on CD1. If your BIOS does not support booting from CD, you will need to create a boot floppy to install from. To create a boot floppy write CD1:3.5/i386/floppy35.fs to a floppy and boot via the floppy drive.

Use CD1:3.5/i386/floppyB35.fs instead for greater scsi controller support, or CD1:3.5/i386/floppyC35.fs for better laptop support.

If you can't boot from a CD or a floppy disk, you can install across the network using PXE as described in the included INSTALL.i386 document.

If you are planning on dual booting OpenBSD with another OS, you will need to read INSTALL.i386.

To make a boot floppy under MS-DOS, use the "rawrite" utility located at CD1:3.5/tools/rawrite.exe. To make the boot floppy under a Unix OS, use the dd(1) utility. The following is an example usage of dd(1) , where the device could be "floppy", "rfd0c", or "rfd0a".

# dd if=<file> of=/dev/<device> bs=32k

Make sure you use properly formatted perfect floppies with NO BAD BLOCKS or your install will most likely fail. For more information on creating a boot floppy and installing OpenBSD/i386 please refer to FAQ4.1.

OpenBSD/vax:

Boot over the network via mopbooting as described in INSTALL.vax.

OpenBSD/amd64:

The 3.5 release of OpenBSD/amd64 is located on CD2. Boot from the CD to begin the install - you may need to adjust your BIOS options first. If you can't boot from the CD, you can create a boot floppy to install from. To do this, write CD2:3.5/amd64/floppy35.fs to a floppy, then boot from the floppy drive.

If you can't boot from a CD or a floppy disk, you can install across the network using PXE as described in the included INSTALL.amd64 document.

If you are planning to dual boot OpenBSD with another OS, you will need to read INSTALL.amd64.

OpenBSD/macppc:

Put the CD2 in your CDROM drive and poweron your machine while holding down the C key until the display turns on and shows OpenBSD/macppc boot.

Alternatively, at the Open Firmware prompt, enter boot cd:,ofwboot /3.5/macppc/bsd.rd

OpenBSD/sparc:

The 3.5 release of OpenBSD/sparc is located on CD3. To boot off of this CD you can use one of the two commands listed below, depending on the version of your ROM.

ok boot cdrom 3.5/sparc/bsd.rd
or
> b sd(0,6,0)3.5/sparc/bsd.rd

If your sparc does not have a CD drive, you can alternatively boot from floppy. To do so you need to write CD3:3.5/sparc/floppy35.fs to a floppy. For more information see FAQ4.1. To boot from the floppy use one of the two commands listed below, depending on the version of your ROM.

ok boot floppy
or
> boot fd()

Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.

If your sparc doesn't have a floppy drive nor a CD drive, you can either setup a bootable tape, or install via network, as told in the INSTALL.sparc file.

OpenBSD/sparc64:

Put the CD3 in your CDROM drive and type boot cdrom.

If this doesn't work, or if you don't have a CDROM drive, you can write CD3:3.5/sparc64/floppy35.fs to a floppy and boot it with boot floppy.
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.

You can also write CD3:3.5/sparc64/miniroot35.fs to the swap partition on the disk and boot with boot disk:b.

If nothing works, you can boot over the network as described in INSTALL.sparc64

OpenBSD/alpha:

Write FTP:3.5/alpha/floppy35.fs or FTP:3.5/alpha/floppyB35.fs (depending on your machine) to a diskette and enter boot dva0. Refer to INSTALL.alpha for more details.

Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.

OpenBSD/cats:

After updating the firmware to at least ABLE 1.95 if necessary, boot FTP:3.5/cats/bsd.rd from an ABLE-supported device (such as a CD-ROM or an existing FFS or EXT2FS partition).

OpenBSD/hp300:

Boot over the network by following the instructions in INSTALL.hp300.

OpenBSD/hppa:

Boot over the network by following the instructions in INSTALL.hppa or the hppa platform page.

OpenBSD/mac68k:

Boot MacOS as normal and partition your disk with the appropriate A/UX configurations. Then, extract the Macside utilities from FTP:3.5/mac68k/utils onto your hard disk. Run Mkfs to create your filesystems on the A/UX partitions you just made. Then, use the "BSD/Mac68k Installer" to copy all the sets in FTP:3.5/mac68k/ onto your partitions. Finally, you will be ready to configure the "BSD/Mac68k Booter" with the location of your kernel and boot the system.

OpenBSD/mvme68k:

You can create a bootable installation tape or boot over the network.
The network boot requires a MVME68K BUG version that supports the NIOT and NBO debugger commands. Follow the instructions in INSTALL.mvme68k for more details.

OpenBSD/mvme88k:

You can create a bootable installation tape or boot over the network.
The network boot requires a MVME88K BUG version that supports the NIOT and NBO debugger commands. Follow the instructions in INSTALL.mvme88k for more details.

Notes about the source code:

src.tar.gz contains a source archive starting at /usr/src. This file contains everything you need except for the kernel sources, which are in a separate archive. To extract:

# mkdir -p /usr/src
# cd /usr/src
# tar xvfz /tmp/src.tar.gz

sys.tar.gz contains a source archive starting at /usr/src/sys. This file contains all the kernel sources you need to rebuild kernels. To extract:

# mkdir -p /usr/src/sys
# cd /usr/src
# tar xvfz /tmp/sys.tar.gz

Both of these trees are a regular CVS checkout. Using these trees it is possible to get a head-start on using the anoncvs servers as described here. Using these files results in a much faster initial CVS update than you could expect from a fresh checkout of the full OpenBSD source tree.

Ports Tree

A ports tree archive is also provided. To extract:

# cd /usr
# tar xvfz /tmp/ports.tar.gz
# cd ports

The ports/ subdirectory is a checkout of the OpenBSD ports tree. Go read the ports page if you know nothing about ports at this point. This text is not a manual of how to use ports. Rather, it is a set of notes meant to kickstart the user on the OpenBSD ports system.

The ports/ directory represents a CVS (see the manpage for cvs(1) if you aren't familiar with CVS) checkout of our ports. As with our complete source tree, our ports tree is available via anoncvs. So, in order to keep current with it, you must make the ports/ tree available on a read-write medium and update the tree with a command like:

# cd [portsdir]/; cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_3_5

[Of course, you must replace the local directory and server name here with the location of your ports collection and a nearby anoncvs server.]

Note that most ports are available as packages through ftp. Updated packages for the 3.5 release will be made available if problems arise.

If you're interested in seeing a port added, would like to help out, or just would like to know more, the mailing list ports@openbsd.org is a good place to know.