After months of code cleanup and rewriting, the OpenBSD Foundation this weekend sent LibreSSL out the door.
The slimmed-down OpenSSL fork works on a number of platforms beyond OpenBSD, including several Linux flavors, Solaris, Mac OS X and FreeBSD.
“I firmly believe that LibreSSL is in a better situation than OpenSSL is now,” said Bob Beck of OpenBSD. “Having said that, is there more clean-up to do? Absolutely. But if I had a choice between this or OpenSSL, I’d pick this.”
LibreSSL came out of the shadows in April, shortly after the Heartbleed OpenSSL vulnerability surfaced, though Beck said at the time that Heartbleed was neither the impetus for LibreSSL nor the final straw. Beck told Threatpost that the decision to fork OpenSSL began with the implementation of a LIFO (Last In, First Out) memory cache that broke compatibility with tools such as Coverity and Valgrind, which are used for memory debugging and leak detection and help sniff out critical bugs in code.
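As an added illustration of why such a cache blinds memory-debugging tools (constructed toy code, not OpenSSL's or LibreSSL's): a LIFO free list keeps freed blocks away from the system allocator, so a tool that hooks malloc/free still regards the block as live and stays silent on a read through the dangling pointer, while the same read against plain malloc/free is reported.

```c
#include <stdlib.h>
#include <stddef.h>
#include <string.h>

/* Constructed toy LIFO free-list cache layered over malloc, in the spirit of
 * the cache the article describes (not OpenSSL's or LibreSSL's code). Freed
 * blocks are pushed on a stack and recycled by the next allocation, so the
 * system allocator, and any tool hooking it, never sees the free. */
#define BLOCK_SIZE 64
struct block { struct block *next; unsigned char data[BLOCK_SIZE]; };
static struct block *freelist;

static void *cache_alloc(void)
{
    struct block *b = freelist;
    if (b != NULL) {            /* recycle: to Valgrind this block was never freed */
        freelist = b->next;
        return b->data;
    }
    b = malloc(sizeof *b);
    return b ? b->data : NULL;
}

static void cache_free(void *p)
{
    struct block *b = (struct block *)((unsigned char *)p - offsetof(struct block, data));
    b->next = freelist;         /* LIFO push; data[] is left untouched */
    freelist = b;
}

/* 1 if a freed block is handed straight back still carrying its old bytes.
 * The read through the dangling pointer is a use-after-free, but the cache
 * hides it from malloc-hooking tools; with plain malloc/free it is reported. */
int stale_bytes_survive_cache(void)
{
    unsigned char *secret = cache_alloc();
    if (secret == NULL) return 0;
    memset(secret, 0x41, BLOCK_SIZE);
    cache_free(secret);                     /* secret now dangles */
    unsigned char *reused = cache_alloc();  /* LIFO hands the same block back */
    int stale = reused == secret && reused[0] == 0x41 && reused[BLOCK_SIZE - 1] == 0x41;
    cache_free(reused);
    return stale;
}

/* 1 if the most recently freed block is the first one handed out again. */
int cache_is_lifo(void)
{
    unsigned char *a = cache_alloc(), *b = cache_alloc(), *c;
    if (a == NULL || b == NULL) return 0;
    cache_free(a); cache_free(b);
    c = cache_alloc();
    cache_free(c);
    return c == b;
}
```

Running the same program with `cache_alloc`/`cache_free` replaced by `malloc`/`free` under Valgrind's memcheck turns the silent stale read into a reported invalid read, which is the detection capability the article says the cache took away.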
Beck said the OpenBSD team has been cleaning up OpenSSL’s bloated code base for months, carefully considering what to delete and rewrite, usually with portability in mind. OpenSSL, meanwhile, remains a popular cryptographic library used in a large number of applications, but it has suffered for too long as an under-funded, under-staffed initiative. That neglect led to a lifeline from the Core Infrastructure Initiative, which pledged enough funding to hire two full-time developers and pay for an audit of the OpenSSL code, similar to the TrueCrypt audit by the Open Crypto Audit Project (OCAP).
“A lot of it is pretty ugly and continues to be,” Beck said of OpenSSL. “It’s a code base that has suffered for a long time from people wanting to add features and not getting a guiding hand to say the new feature is not up to quality, or that you can add stuff, but you have to get rid of stuff too.”
Gentoo Linux developer Johannes Bock said that he was able to swap out OpenSSL for LibreSSL on his systems and successfully rebuild all of his packages. He cautions that this is a first run, something Beck said as well; the OpenBSD team wants to hear feedback and suggestions about potential problem areas or further improvements.
“We are happy to see the Linux community work with it and see what it takes to integrate it,” Beck said. “That means as they continue to work with the library and fix things, they can see the process happen and hopefully we get the benefits from them as well.
“Our goal is to produce something that if integrated with an OS and quickly recompiled, the software will work the same and there will be no serious issues,” Beck said.
Beck said in April that 90,000 lines of C code had already been deleted and the code had been converted to modern C programming practices, including modern memory allocation practices and integer overflow avoidance, just to name two. The LibreSSL developers had also found 20-year-old chunks of unmaintained code in OpenSSL, “abandonware,” as Beck put it, code that was added for FIPS certification and never attended to again.
“A lot of effort has been put into this cleanup, but it’s a process not an event,” Beck said. “Just because it’s out there, that doesn’t mean the problem is solved. So LibreSSL is out there and we think it’s better, but we’re going to continue to improve it over the months and years to come.”