bit-tech.net

OpenSSL forked into LibreSSL

The Heartbleed vulnerability has shone a light on the OpenSSL project, and OpenBSD developers have discovered enough flaws in its code to justify the creation of a fixed fork dubbed LibreSSL.

The OpenBSD project has announced the inevitable outcome of its recent deep-dive into the OpenSSL source code: a full fork of the project, dubbed LibreSSL, with a significantly cleaned-up codebase.

The OpenSSL cryptographic library made unfortunate headlines earlier this month due to the Heartbleed vulnerability (CVE-2014-0160, affecting OpenSSL 1.0.1 through 1.0.1f), a bug in its handling of the TLS heartbeat extension: the code trusted the payload length claimed in an incoming heartbeat request without checking it against the length of the record actually received, so a single malformed request could make the server echo back up to 64KB of whatever happened to sit next to that record in process memory - including, but not limited to, usernames, passwords, session cookies and, in the worst case, the server's private key. With an estimated two-thirds of all webservers using OpenSSL for encryption, that's a significant target base - and because the malicious request is otherwise valid TLS traffic, the attack leaves no trace in ordinary server logs, so a site cannot tell whether it was exploited before the bug became public.
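
The shape of the bug, and of the fix, as an added example in C. This is model code written for this page, not OpenSSL's own source: the six-byte heartbeat request and the 'secret' that follows it in the constructed arena stand in for a real server's heap, where whatever was allocated next to the record buffer would be what leaks. The vulnerable function copies as many bytes as the attacker's header claims; the fixed function applies the check OpenSSL 1.0.1g added, that the header, the declared payload and the 16 bytes of mandatory padding all fit inside the record that was really received. The 16 random padding bytes a real response carries are omitted here.

```c
/* Added example, not OpenSSL code: a minimal model of the Heartbleed bug
 * class (CVE-2014-0160). The arena below is constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER_LEN   3    /* 1 byte message type + 2 byte payload_length */
#define HB_MIN_PADDING 16    /* RFC 6520: a heartbeat carries >= 16 bytes of padding */
#define HB_REQUEST   0x01
#define HB_RESPONSE  0x02

/* Constructed process memory: a 6-byte heartbeat request whose header claims
 * a 64-byte payload, followed by data that must never leave the process. */
static const unsigned char arena[] =
    "\x01"              /* HeartbeatMessageType: request                    */
    "\x00\x40"          /* payload_length = 64, but only 3 payload bytes follow */
    "HEY"               /* the payload actually sent                        */
    "password=hunter2;session=abc123;-----BEGIN RSA PRIVATE KEY-----";
static const size_t received_len = 6;  /* what the record layer really delivered */

static uint16_t read_payload_len(const unsigned char *rec)
{
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Vulnerable shape: trusts the peer-supplied payload_length and copies that
 * many bytes out of the record, however long the record actually was.
 * Returns the reply length, or 0 if the reply would not fit in out. */
size_t heartbeat_reply_vulnerable(const unsigned char *rec, size_t rec_len,
                                  unsigned char *out, size_t out_cap)
{
    (void)rec_len;                          /* never consulted: this is the bug */
    size_t payload_len = read_payload_len(rec);
    if (HB_HEADER_LEN + payload_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len); /* over-read */
    return HB_HEADER_LEN + payload_len;
}

/* Fixed shape, mirroring the check added in OpenSSL 1.0.1g: header, declared
 * payload and minimum padding must all fit inside the record that was really
 * received; otherwise the message is silently discarded. */
size_t heartbeat_reply_fixed(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return 0;                           /* too short to even be a heartbeat */
    size_t payload_len = read_payload_len(rec);
    if (HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len)
        return 0;                           /* header lies about the length: drop */
    if (HB_HEADER_LEN + payload_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len);
    return HB_HEADER_LEN + payload_len;
}

int main(void)
{
    unsigned char reply[256];
    size_t n = heartbeat_reply_vulnerable(arena, received_len, reply, sizeof reply);
    printf("vulnerable reply: %zu bytes, payload = \"%.*s\"\n",
           n, (int)(n - HB_HEADER_LEN), (const char *)(reply + HB_HEADER_LEN));
    n = heartbeat_reply_fixed(arena, received_len, reply, sizeof reply);
    printf("fixed reply: %zu bytes (0 means the request was dropped)\n", n);
    return 0;
}
```

Built with `cc -Wall heartbeat.c && ./a.out`, the vulnerable path returns a 67-byte reply whose payload runs straight through the credentials and into the private key marker that sits after the 3 bytes the client really sent; the fixed path rejects the same record before touching memory. The check is deliberately expressed against `rec_len`, the length supplied by the record layer, because that is the only length the peer does not control.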

OpenSSL is an open source project, meaning anyone can download, examine and modify the source code that drives it. In theory, advocates of the open methodology claim, this leads to improved code quality and security - the 'many eyes' theory. In practice, it appears, the eyes have to actually look: when an open source project reaches a certain size, individual contributors can become the sole owners of particular sub-sections, with the result that their code goes unreviewed by their peers. The Heartbleed bug itself arrived in a single commit at the end of 2011 and sat unnoticed in released code for over two years.

OpenBSD is, as the name suggests, an open-source operating system of the BSD family, developed with security as its first priority. The project shipped the affected OpenSSL releases and was hit by the Heartbleed bug like everyone else, and its developers vowed to examine the OpenSSL source code far more closely in future. The result has been the exposure of numerous terrifying kludges and bugs in the code - which, it must be remembered, still drives two-thirds of the web - in a commit spree that has been dubbed the OpenSSL Valhalla Rampage. The developers found everything from 'temporary' compatibility code reaching back more than a decade to a kludge which feeds the server's private key into the random number generator as entropy - which, since OpenSSL allows the RNG to be replaced by a plug-in engine, potentially hands the entire private key to whatever RNG module is loaded on the system, a major security hole. Their conclusion: OpenSSL, as it stands, can't be trusted.

The result: LibreSSL, a fork of OpenSSL which benefits from the changes made by the OpenBSD project. Announced on a particularly spartan website - 'donate now to stop the Comic Sans and Blink Tags,' its creators exhort visitors - the LibreSSL project will become the default cryptographic library for the OpenBSD 5.6 release. Initially, that will be the only supported operating system; once the codebase has been cleaned of known bugs and rewritten for maintainability, and once a source of funding has been secured, LibreSSL will be extended to additional operating systems.

Whether LibreSSL will improve security overall or simply divert resources that could be better used improving the cross-platform OpenSSL directly remains to be seen.

18 Comments

Flibblebot 23rd April 2014, 12:15
I read on Gizmodo this morning that the team has removed 90,000 lines of unused code in the last week - if that's true, then OpenSSL has been appallingly managed for something which so much of the Internet relies on for security.
faugusztin 23rd April 2014, 12:42
Well, that is Gizmodo for you. They removed support for any platform other than OpenBSD, plus of course they removed some older tech (SSLv2 etc). Sure, if you take some library and cut out 90% of the other platform support, you can easily cut out tons of code :).
r3loaded 23rd April 2014, 13:27
Maybe if the billion-dollar companies who rely on such a critical library for free contributed back some cash, code fixes or just some advice, we wouldn't have had this situation in the first place.
faugusztin 23rd April 2014, 13:36
"Last year, the foundation took in less than $1 million from donations and consulting contracts." While I know the big companies should have given more, cash is clearly not the problem here.
Corky42 23rd April 2014, 15:14
Quote:
Originally Posted by faugusztin
"Last year, the foundation took in less than $1 million from donations and consulting contracts." While I know the big companies should have given more, cash is clearly not the problem here.

Would you happen to have details on their income ?
I ask because from what I read it seems the president of the OpenSSL Foundation, Steve Marquess, claims they take in less than $2000 a year in outright donations and sell commercial software support contracts.
In fact he goes onto say, 'The media have noted that in the five years since it was created OSF has never taken in over $1 million in gross revenues annually.'

He then goes on to say (http://veridicalsystems.com/blog/of-money-responsibility-and-pride/):
Quote:
Originally Posted by Steve Marquess
it is nowhere near enough to properly sustain the manpower levels needed to support such a complex and critical software product. While OpenSSL does "belong to the people" it is neither realistic nor appropriate to expect that a few hundred, or even a few thousand, individuals provide all the financial support. The ones who should be contributing real resources are the commercial companies and governments who use OpenSSL extensively and take it for granted
faugusztin 23rd April 2014, 16:16
http://online.wsj.com/news/articles/SB10001424052702303873604579491350251315132

And no offense, but if you have $1m in revenues from support contracts, don't tell me you don't have the money to spend it on actual developers.
Phil Rhodes 23rd April 2014, 16:16
I hate to pander to popular prejudice here, but what this does do is poke some very big holes in the utopian dream of open source software.

Whatever the reasons for underfunding and poor engineering, crap management is absolutely endemic in open source software. Mob rule and anarchy don't work very well, as this incident shows.

I've been banging on for years that bad management, or more to the point just no real management at all, is the single biggest problem facing open source software, for dozens of reasons, and nobody gets it.

P
faugusztin 23rd April 2014, 16:27
Actually, the biggest problem with OpenSSL is that they are pretty much suffering from "NIH syndrome".

Or read what Theo de Raadt from OpenBSD has to say about Heartbleed:
http://article.gmane.org/gmane.os.openbsd.misc/211963
Corky42 23rd April 2014, 16:32
Quote:
Originally Posted by faugusztin
http://online.wsj.com/news/articles/SB10001424052702303873604579491350251315132

And no offense, but if you have $1m in revenues from support contracts, don't tell me you don't have the money to spend it on actual developers.
Hmm, who to believe.
Matthew Green, an encryption expert at Johns Hopkins University, or Steve Marquess the president of the OpenSSL Foundation.
RTT 23rd April 2014, 16:48
Quote:
Originally Posted by Flibblebot
I read on Gizmodo this morning that the team has removed 90,000 lines of unused code in the last week - if that's true, then OpenSSL has been appallingly managed for something which so much of the Internet relies on for security.

90k lines of code is nothing in such a project, I wouldn't read too much into that. For example, Google dropped 9M lines of code out of Chrome/Webkit once they forked it to Blink by dropping code for archs that Webkit supported but which Chrome didn't need to - so they could just be removing code for other architectures, seeing as OpenSSL is compilable on almost anything.

edit: that's exactly what it was :D
Guinevere 23rd April 2014, 20:47
90k less lines is still 90k less lines. If those 90k lines of code were truly not needed by ANY platform that they claim to support they should have been removed.

Leaving in legacy code because 'well you know - busy' doesn't cut it when you're charging commercial clients for the code or to support the code.

But...

This wouldn't have solved Heartbleed, and I feel very uneasy about another fork. I don't trust their reasoning to split against working on the same codebase and their website is simply a joke.

They are trying to instil more trust in SSL code and failing at it so far. IMHO.
faugusztin 23rd April 2014, 21:28
It is not 90k lines not needed for OpenSSL in general. Most of it is not needed for LibreSSL running ONLY on OpenBSD. OpenSSL runs on Linux. LibreSSL doesn't. OpenSSL runs on Windows. LibreSSL doesn't. Removing 90k lines to strip the code base of Linux or Windows compatibility is not a source code optimization, nor has it anything to do with security whatsoever.
Corky42 24th April 2014, 08:04
Quote:
Originally Posted by Guinevere
Leaving in legacy code because 'well you know - busy' doesn't cut it when you're charging commercial clients for the code or to support the code.

Charging for open source code, since when did that happen?
Charging to support the code, I think that may be a grey area.

Yes, they offer support contracts, but the money from those all goes to the people directly providing the technical support services and to current active OpenSSL team members.

IMO the OpenSSL Software Foundation has been severely underfunded. Whether that is down to bad management when it came to acquiring funding, or the lack of support from the larger community, is difficult to know. Although looking on the OpenSSL web site at who has helped fund the project shows a very small list of just four companies, I personally would have expected that list to be filled with some notable names.
jb0 24th April 2014, 11:48
*talk about removing lines by removing platform support*

Let's not forget that one of the supported platforms OpenBSD removed was big-endian x86.

Note: the x86 family is little-endian.
Note: it's not actually POSSIBLE to make a processor that is both big-endian and x86-compatible.

It takes a certain kind of special to implement support for an imaginary mirror-universe version of one of the most ubiquitous processor architectures in the world and insist there's actually a reason for this to exist.
Whatever their programmers were smoking, I want some of it.
faugusztin 24th April 2014, 13:18
Quote:
Originally Posted by jb0
Let's not forget that one of the supported platforms OpenBSD removed was big-endian x86.

They removed everything but OpenBSD.
Flibblebot 24th April 2014, 13:28
What's the issue with only supporting OpenBSD at the moment? On their website, they state:
Quote:
Originally Posted by libressl.org
Multi OS support will happen once we have:
  • Flensed, refactored, rewritten, and fixed enough of the code so we have stable baseline that we trust and can be maintained/improved.
  • The right Portability team in place.
  • A Stable Commitment of Funding to support an increased development and porting effort.

Surely it's better to strip back to one system, make sure that's as stable and bug-free as possible, then extend to other systems? LibreSSL is, after all, part of the OpenBSD project, so it makes sense that they would support that first.

Unless, of course, you're worried about further forks by other teams to support their own preferred OS, leading to a whole different mish-mash of OpenSSL interpretations?
Thawn 25th April 2014, 19:58
What surprises me is that giant companies like Google and Facebook that apparently use OpenSSL to secure their services weren't doing their own audits. If you are that big and well resourced, and are relying for critical security functionality on an external project, shouldn't you be putting some effort into ascertaining that the external project is actually providing you with security?

Ideally the big guns would collaborate on this, or perhaps put the resources into ensuring the OpenSSL foundation was up to the job, but in lieu of either of those things surely they should at least be doing some rigorous internal testing and code audits?
dinoscothern 26th April 2014, 19:01
A distribution contains a lot of packages. That's a lot of lines of code. One of the perceived 'benefits' of open source is that an organisation/individual can take advantage of that prior work (they don't have to reinvent the wheel) and reduce their costs. As more machines use that software, the consequence of mistakes/poor design decisions in building that software has a greater effect. The fact that this problem was discovered (even after two years is better than none) shows that companies are (gradually) realising that they have responsibilities to contribute/maintain that body of code (or pay someone else to do so).