OpenBSD Journal
OpenBSD has started a massive strip-down and cleanup of OpenSSL
Contributed by phessler on Tue Apr 15 09:29:08 2014 (GMT)
from the how-i-learned-to-stop-worrying-and-shine-the-turd dept.

The denizens of lobste.rs (and no doubt you, eagle-eyed reader!) have made note of the ongoing rototilling of the OpenSSL code in OpenBSD, and Joshua Stein (jcs@) has chimed in with a quick breakdown of the action thus far:

Changes so far to OpenSSL 1.0.1g since the 11th include:

  • Splitting up libcrypto and libssl build directories
  • Fixing a use-after-free bug
  • Removal of ancient MacOS, Netware, OS/2, VMS and Windows build junk
  • Removal of “bugs” directory, benchmarks, INSTALL files, and shared library goo for lame platforms
  • Removal of most (all?) backend engines, some of which didn’t even have appropriate licensing
  • Ripping out some windows-specific cruft
  • Removal of various wrappers for things like sockets, snprintf, opendir, etc. to actually expose real return values
  • KNF of most C files
  • Removal of weak entropy additions
  • Removal of all heartbeat functionality which resulted in Heartbleed

To clarify, not all of the cryptographic engines were removed; the padlock and aesni engines are still in place.

As always, it's heartening to see a concentrated effort on such a critical software component.



  Re: OpenBSD has started a massive strip-down and cleanup of OpenSSL (mod 12/46)
by jdv (216.16.224.222) (jdv@clevermonkey.org) on Tue Apr 15 14:02:42 2014 (GMT)
http://clvrmnky.org/
  Oh thanks be to Crom. As someone who has had to integrate OpenSSL into two different product build trees, this is long overdue. Hopefully, they take the diffs upstream, but my guess is that this is going to be the OpenBSD fork of OpenSSL 1.0.1c (I think?).

Messy, but necessary.

  Re: OpenBSD has started a massive strip-down and cleanup of OpenSSL (mod 1/35)
by Anonymous Coward (107.197.28.197) on Tue Apr 15 19:42:20 2014 (GMT)
  Is this just because OpenSSL is just so widely used? Otherwise, axTLS or TropicSSL seem like more logical starting points (to flesh out rather than prune), unless the license is not a consideration here.

  Re: OpenBSD has started a massive strip-down and cleanup of OpenSSL (mod -4/42)
by Anonymous Coward (23.242.254.17) on Wed Apr 16 00:13:16 2014 (GMT)
  Can we please rename the forked project to something such as SecureSSL?

OpenSSL is not maintained by responsible people. Even if OpenBSD cleans this up, and even if the OpenBSD code is absorbed upstream, this irresponsible group might screw things up again.

If it is renamed to SecureSSL then it might be ported and adopted by major distributions and we can all sail off into the sunset.

  Privilege Separation (mod -1/37)
by Chas (147.154.235.102) on Wed Apr 16 16:23:26 2014 (GMT)
 

I'm not competent to code such things, but is it possible for calls to the OpenSSL library to automatically fork off a process with reduced privilege when appropriate?

Transparent privilege separation could have prevented heartbleed.


  Re: OpenBSD has started a massive strip-down and cleanup of OpenSSL (mod -2/36)
by Anonymous Coward (9.98.35.50) on Thu Apr 17 05:17:53 2014 (GMT)
  Why not polarssl or other forks?

  Re: OpenBSD has started a massive strip-down and cleanup of OpenSSL (mod 6/40)
by chronicdiscord (70.31.53.212) on Thu Apr 17 16:54:40 2014 (GMT)
  Does this mean we'll be getting a Meatloaf-style song for the next release talking about how Puff would do anything for software, but he won't do that?

Instead of a motorcycle engine revving up, they could use the sound of a damaged fan chugging along.

  Re: OpenBSD has started a massive strip-down and cleanup of OpenSSL (mod -2/38)
by Anonymous Coward (65.110.26.253) on Fri Apr 18 05:13:48 2014 (GMT)
  Removing the RSA key creates a timing attack https://twitter.com/matthew_d_green/status/456960435845996544


  Re: OpenBSD has started a massive strip-down and cleanup of OpenSSL (mod -3/39)
by JoeUser (184.56.20.112) (ju@gmail.com) on Sat Apr 19 14:07:55 2014 (GMT)
  Too little, too late, imho.

Theo et al. rant and rave about "the most secure operating system on the planet" and yet the fixes to OpenSSL were left to be fixed AFTER the sky fell.

So what DO you spend your money on Mr. DeRat? :) Those Hackathons really work, huh?

Frikkn' morons.
      Code quality (-3/27) by Rich on Tue Apr 22 07:56:50 2014 (GMT)
