[Cryptography] LibreSSL rewrite of OpenSSL status and funding request

Gary Mulder flyingkiwiguy at gmail.com
Sun May 18 09:59:38 EDT 2014


All,

As most probably know, the OpenBSD guys are developing a fork of OpenSSL
1.0.1g called LibreSSL:

   - OpenSSL 1.0.1g was a 388,00 line code base.
   - About 90,000 lines of C source code deleted, about 150,000 lines of
   files.
   - Approximately a 500,000 line unidiff from 1.0.1g at this point.
   - Many bugs fixed
   - The cleaning continues, but we have now started adding new features
   (ciphers)
   - The code has become more readable - portions still remain scary.

(http://www.openbsd.org/papers/bsdcan14-libressl/mgp00026.html)

Notably for this forum:

OpenSSL's attempt to be a random subsystem resulted in all sorts of horrors:


   - EGD considered harmful - really, userland has no business in this.
   - Library can decide "Oh Noes, We need something random..." and then:
   - Your RSA Private key is pretty random

char seed[] = "String to Give the Random Number Generator Randomness";

getpid();

gettimeofday();


   - Since many of these were always "there" - these become an attack
   target - modify the word to enable them and you have predictable key
   generation


(http://www.openbsd.org/papers/bsdcan14-libressl/mgp00017.html)

They are naturally focusing on OpenBSD compatibility, which will
necessarily delay any ports back to Linux and other OSes:

We are looking for funding commitment to:


   - Sponsor several developers to re-write some key pieces of the codebase
   - Sponsor some efforts of the portability/ports people to track the
   effects of changes through the ports tree and push changes upstream.
   - In a nutshell, a significant funding commitment for a couple of years.
   We would like to speed the rewrite of this library but not at the expense
   of our usual resources to maintain OpenBSD, OpenSSH and related projects.
   - Yes we have asked the Linux Foundation. They have not yet committed to
   support us.

(http://www.openbsd.org/papers/bsdcan14-libressl/mgp00033.html)

Regards,
Gary
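
An added example, not part of the original message or of the OpenSSL/LibreSSL code: it contrasts the fallback seeding pattern quoted from the slide (fixed string, getpid(), gettimeofday()) with taking seed bytes from the kernel only. The FNV-1a mixer, the function names, the 32768-entry pid space, the one-second window and the use of /dev/urandom are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
#include <sys/types.h>

/* FNV-1a is a stand-in mixer (assumption); the point is the inputs. */
static uint64_t mix(uint64_t h, const void *p, size_t n) {
    const unsigned char *b = p;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Weak pattern from the slide: fixed string + getpid() + gettimeofday().
 * The result is a pure function of values an observer can bound. */
uint64_t weak_seed(pid_t pid, struct timeval tv) {
    static const char seed[] = "String to Give the Random Number Generator Randomness";
    uint64_t h = 0xcbf29ce484222325ULL;
    h = mix(h, seed, sizeof seed);
    h = mix(h, &pid, sizeof pid);
    h = mix(h, &tv.tv_sec, sizeof tv.tv_sec);
    return mix(h, &tv.tv_usec, sizeof tv.tv_usec);
}

/* Upper bound, in bits, on what is unknown in weak_seed():
 * ceil(log2(pid_space * window_usec)). */
unsigned weak_seed_bits(uint64_t pid_space, uint64_t window_usec) {
    uint64_t n = pid_space * window_usec;
    unsigned bits = 0;
    while (bits < 64 && (1ULL << bits) < n) bits++;
    return bits;
}

/* Hardened form: seed bytes come from the kernel only; fail closed. */
int kernel_seed(unsigned char *out, size_t n) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t got = fread(out, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

int main(void) {
    struct timeval tv = { 1400421578, 123456 };  /* constructed sample */
    unsigned char k[32];
    printf("weak seed %016llx, at most %u unknown bits\n",
           (unsigned long long)weak_seed(1234, tv), weak_seed_bits(32768, 1000000));
    return kernel_seed(k, sizeof k) == 0 ? 0 : 1;
}
```

Under these assumptions the fallback inputs bound the seed to a few tens of bits, whatever the size of the key generated from it.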