[Cryptography] LibreSSL rewrite of OpenSSL status and funding request
Gary Mulder
flyingkiwiguy at gmail.com
Sun May 18 09:59:38 EDT 2014
All,
As most probably know the OpenBSD guys are developing a fork of OpenSSL
1.0.1g called LibreSSL:
- OpenSSL 1.0.1g was a 388,00 line code base.
- About 90,000 lines of C source code deleted, about 150,000 lines of
files.
- Approximately at 500,000 line unifigg from 1.0.1g at this point.
- Many bugs fixed
- The cleaning continues, but we have now started adding new features
(ciphers)
- The code has become more readable - portions still remain scary.
(http://www.openbsd.org/papers/bsdcan14-libressl/mgp00026.html)
Notably for this forum:
OpenSSL's attempt to be a random subsystem resulted in all sorts of horrors:
- EGD considered harmful - really, userland has no business in this.
- Library can decide "Oh Noes, We need something random..." and then:
- Your RSA Private key is pretty random
char seed[] = "String to Give the Random Number Generator Randomness";
gitpid();
gettimeofday();
- Since many of these were always "there" - these become an attack
target - modify the word to enable them and you have predictable key
generation
(http://www.openbsd.org/papers/bsdcan14-libressl/mgp00017.html)
They are naturally focusing on OpenBSD compatibility, which will
necessarily delay any ports back to Linux and other OSes:
We are looking for funding commitment to:
- Sponsor several developers to re-write some key pieces of the codebase
- Sponsor some efforts of the portability/ports people to track the
effects of changes through the ports tree and push changes upstream.
- In a nutshell, a significant funding commitment for a couple of years.
We would like to speed the rewrite of this library but not at the expense
of our usual resources to maintain OpenBSD, OpenSSH and related projects.
- Yes we have asked the Linux Foundation. They have not yet committed to
support us.
(http://www.openbsd.org/papers/bsdcan14-libressl/mgp00033.html)
Regards,
Gary
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140518/e6cb326d/attachment.html>
More information about the cryptography
mailing list