LibreSSL

Puffy, the mascot of OpenBSD, made to resemble Che Guevara
Original author(s): The OpenSSL Project
Developer(s): The OpenBSD Project
Initial release: 2.0.0 / 11 July 2014 (2014-07-11)
Development status: Active
Written in: C and assembly
Operating system: OpenBSD, FreeBSD, NetBSD, Linux, HP-UX, Solaris, OS X, Windows and others[1]
Type: Security library
License: Apache license 1.0, 4-clause BSD License, ISC license, and some are public domain
Website: www.libressl.org

LibreSSL is an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. It was forked from the OpenSSL cryptographic software library in April 2014 as a response by OpenBSD developers to the Heartbleed security vulnerability in OpenSSL,[2][3][4][5] with the aim of refactoring the OpenSSL code so as to provide a more secure implementation.[6]

LibreSSL was forked from the OpenSSL library starting with the 1.0.1g branch and will follow the security guidelines used elsewhere in the OpenBSD project.[7]

Contents

  • 1 History
    • 1.1 Adoption
  • 2 Changes
    • 2.1 Memory-related
    • 2.2 Proactive measures
    • 2.3 Cryptographic
    • 2.4 Added features
    • 2.5 Old insecure features
    • 2.6 Code removal
    • 2.7 Bug backlog
  • 3 Security and vulnerabilities
    • 3.1 13 July 2014
    • 3.2 6 August 2014
    • 3.3 15 October 2014
    • 3.4 8 January 2015
    • 3.5 19 March 2015
    • 3.6 11 June 2015
    • 3.7 09 July 2015
    • 3.8 15 October 2015
  • 4 See also
  • 5 Notes
  • 6 References
  • 7 External links

History

After the Heartbleed bug in OpenSSL, the OpenBSD team audited the code afresh, and quickly realised they would need to maintain a fork themselves.[2] The libressl.org domain was registered on 11 April 2014; the project announced the name on 22 April 2014.

In the first week of code pruning, more than 90,000 lines of C code were removed.[6][8] Older or unused code has been removed, along with support for some older or now-rare operating systems. LibreSSL is initially being developed as an intended replacement for OpenSSL in OpenBSD 5.6, and it is then expected to be ported back to other platforms once a stripped-down version of the library is stable.[9][10] As of April 2014, the project was seeking a "stable commitment" of external funding.[8]

On 17 May 2014, Bob Beck presented "LibreSSL: The first 30 days, and what the Future Holds" during the 2014 BSDCan conference, in which he described the progress made in the first month, the issues encountered, and the changes implemented.[11]

On 5 June 2014, several OpenSSL bugs became public. While several projects were notified in advance,[12] LibreSSL was not; Theo de Raadt accused the OpenSSL developers of intentionally withholding this information from OpenBSD and LibreSSL.[13]

On 20 June 2014, Google created another fork of OpenSSL called BoringSSL, and promised to exchange fixes with LibreSSL.[14][15] Google has already relicensed some of its contributions under the ISC license, as requested by the LibreSSL developers.[14][16] On 21 June, Theo de Raadt welcomed BoringSSL and outlined the plans for LibreSSL-portable.[17] Starting on 8 July, code porting for OS X and Solaris began,[18] while initial porting to Linux began on 20 June.[19]

On 11 July 2014, the first portable version of LibreSSL was released as version 2.0.0.[20][21] The first release was quickly followed by 2.0.1[22] on 13 July, 2.0.2[23] on 16 July, 2.0.3[24] on 22 July, 2.0.4[25] on 3 August and 2.0.5[26] on 5 August 2014. Many issues with the first portable release were fixed in the 2.0 series.

On 28 September 2014, Ted Unangst presented "LibreSSL: More Than 30 Days Later", in which he described the progress, issues and changes in the months since Bob Beck's BSDCan talk.[11][27]

With version 2.1.0,[28] released on 12 October 2014, the rate of changes in LibreSSL became considerably lower and LibreSSL became a usable alternative to OpenSSL. Most of the changes in the 2.1.x versions were related to security vulnerabilities found in OpenSSL.

Adoption

LibreSSL has been the default provider of TLS for:

  1. OpenBSD since version 5.6[29]
  2. Void Linux since August 6, 2014[30]
  3. the packages of PC-BSD since version 10.1.2[31]
  4. OPNsense (as an option) since version 15.7[32]
  5. OpenELEC since version 6.0 beta 2[33]
  6. OS X since version 10.11 El Capitan[34]

Changes

Memory-related

Some of the more notable changes thus far include the replacement of custom memory calls with ones from a standard library (for example, strlcpy, calloc, asprintf, reallocarray, etc.).[35][36] This process may help later on to catch buffer overflow errors with more advanced memory analysis tools or by simply observing program crashes (via ASLR, use of the NX bit, stack canaries, etc.).

Fixes for potential double-free scenarios have also been cited in the CVS commit logs (including explicit assignments of NULL pointer values).[37] The commit logs also cite extra sanity checks on length arguments, unsigned-to-signed variable assignments, pointer values, and method returns.

Proactive measures

In order to maintain good programming practice, a number of compiler options and flags designed for safety have been enabled by default to help in spotting potential issues so they can be fixed earlier (-Wall, -Werror, -Wextra, -Wuninitialized). There have also been code readability updates which help future contributors in verifying program correctness (KNF, white-space, line-wrapping, etc.). Modification or removal of unneeded method wrappers and macros also helps with code readability and auditing (Error and I/O abstraction library references).

Changes were made to ensure that LibreSSL will be year 2038 compatible along with maintaining portability for other similar platforms. In addition, explicit_bzero and bn_clear calls were added so that the compiler cannot optimize the memory clearing away, which prevents attackers from reading previously allocated memory.
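The three memory-handling patterns named under "Memory-related" and in the paragraph above (overflow-checked array allocation in the style of reallocarray, assigning NULL after free, and clearing that the compiler cannot drop) are sketched here as an added example; it is not LibreSSL source code, and the helper names checked_reallocarray, wipe_and_free and demo are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper names; these are not LibreSSL functions. */

/* sqrt(SIZE_MAX + 1): if both factors are below this, nmemb * size cannot wrap. */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

/* reallocarray-style allocation: refuse nmemb * size when the product wraps. */
void *checked_reallocarray(void *ptr, size_t nmemb, size_t size)
{
    if ((nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) &&
        nmemb > 0 && SIZE_MAX / nmemb < size) {
        errno = ENOMEM;
        return NULL;               /* ptr is left untouched for the caller */
    }
    return realloc(ptr, nmemb * size);
}

/* Calling memset through a volatile pointer stops the compiler from proving
 * the store is dead and deleting it (the problem explicit_bzero addresses). */
static void *(*const volatile memset_ptr)(void *, int, size_t) = memset;

/* Wipe, free, then NULL the caller's pointer so a repeated call is a no-op. */
void wipe_and_free(void **pp, size_t len)
{
    if (pp == NULL || *pp == NULL)
        return;
    memset_ptr(*pp, 0, len);
    free(*pp);
    *pp = NULL;
}

/* Constructed scenario: returns 0 when every property holds. */
int demo(void)
{
    /* (SIZE_MAX / 2 + 1) elements of 4 bytes wraps to 0 if multiplied naively. */
    size_t huge = SIZE_MAX / 2 + 1;
    errno = 0;
    if (checked_reallocarray(NULL, huge, 4) != NULL || errno != ENOMEM)
        return 1;

    void *key = checked_reallocarray(NULL, 32, sizeof(unsigned char));
    if (key == NULL)
        return 2;
    memset(key, 0xA5, 32);         /* constructed stand-in for key material */
    wipe_and_free(&key, 32);
    if (key != NULL)
        return 3;
    wipe_and_free(&key, 32);       /* second release is guarded: no double free */
    return 0;
}
```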

Cryptographic

There were changes to help ensure proper seeding of random number generator-based methods via replacements of insecure seeding practices (taking advantage of features offered by the kernel itself natively).[38][39] In terms of notable additions made, OpenBSD has added support for newer and more reputable algorithms (ChaCha stream cipher and Poly1305 message authentication code) along with a safer set of elliptic curves (brainpool curves from RFC 5639, up to 512 bits in strength).

Added features

The initial release of LibreSSL added a number of features: the ChaCha and Poly1305 algorithms, the Brainpool and ANSSI elliptic curves, and the AES-GCM and ChaCha20-Poly1305 AEAD modes.

Later versions added the following:[40]

  • 2.1.0: Automatic ephemeral EC keys[28]
  • 2.1.2: Built-in arc4random implementation on OS X and FreeBSD[41]
  • 2.1.2: Reworked GOST cipher suite support
  • 2.1.3: ALPN support[42]
  • 2.1.3: SHA-256 Camellia cipher suites
  • 2.1.4: TLS_FALLBACK_SCSV server-side support[43]
  • 2.1.4: certhash as a replacement of the c_rehash script
  • 2.1.4: X509_STORE_load_mem API for loading certificates from memory (enhance chroot support)
  • 2.1.4: Experimental Windows binaries
  • 2.1.5: Minor update mainly for improving Windows support, first working 32- and 64-bit binaries[44]
  • 2.1.6: libtls declared stable and enabled by default[45]
  • 2.2.0: AIX and Cygwin support[46]
  • 2.2.1: Addition of EC_curve_nid2nist and EC_curve_nist2nid[47] from OpenSSL, initial Windows XP/2003 support
  • 2.2.2: Defines LIBRESSL_VERSION_NUMBER,[48] added TLS_*method calls as a replacement for the SSLv23_*method calls, cmake build support.

Old insecure features

The initial release of LibreSSL disabled a number of features by default.[29] Some of the code for these features was later removed, including Kerberos, US-Export ciphers, TLS compression, DTLS heartbeat, and SSL v2.

Later versions disabled more features:

  • 2.1.1: Following the discovery of the POODLE vulnerability in the legacy SSL 3.0 protocol, LibreSSL now disables the use of SSL 3.0 by default.[49]
  • 2.1.3: GOST R 34.10-94 signature authentication[40][42]
  • 2.2.1: Removal of Dynamic Engine and MDC-2DES support[47]
  • 2.2.2: Removal of SSLv3 from the openssl binary, removal of Internet Explorer 6 workarounds, RSAX engine.[48]
  • 2.3.0: Complete removal of SSLv3, SHA-0 and DTLS1_BAD_VER

Code removal

The initial release of LibreSSL has removed a number of features that were deemed insecure, unnecessary or deprecated as part of OpenBSD 5.6:[29]

  • In response to Heartbleed, the heartbeat functionality[50] was one of the first features to be removed
  • Unneeded platforms (Classic Mac OS, NetWare, OS/2, VMS, 16-bit Windows, etc.)
  • Support for old compilers
  • The IBM 4758, Broadcom ubsec, Sureware, Nuron, GOST, GMP, CSwift, CHIL, CAPI, Atalla and AEP engines were removed due to irrelevance of hardware or dependency on non-free libraries
  • The OpenSSL PRNG was removed (and replaced with arc4random)
  • Preprocessor macros that have been deemed unnecessary or insecure or were already deprecated in OpenSSL for a long time (e.g. des_old.h)
  • Older unneeded files for assembly language, C, and Perl (e.g. EGD)
  • MD2, SEED functionality
  • SSLv3, SHA-0, DTLS1_BAD_VER

The Dual_EC_DRBG algorithm, which is suspected of having a back door,[51] was cut along with support for the FIPS 140-2 standard that required it. Unused protocols and insecure algorithms have also been removed, including the support for FIPS 140-2,[52] MD4/MD5,[40] J-PAKE,[29] and SRP.[25]

Bug backlog

One of the complaints about OpenSSL was the number of open bugs reported in the bug tracker that had gone unfixed for years. Older bugs are now being fixed in LibreSSL.[53]

Security and vulnerabilities

LibreSSL has proven not to be vulnerable to many of the issues discovered after it was forked from the OpenSSL project. Notably, none of the vulnerabilities found in OpenSSL and rated "High" were applicable to LibreSSL.

| Severity | LibreSSL | OpenSSL |
|---|---|---|
| High | 0 | 5 |
| Medium | 15 | 28 |
| Low | 7 | 10 |
| Total | 22 | 43 |

13 July 2014

Shortly after the first portable release, LibreSSL's PRNG was found to not always reseed the PRNG when forking new processes, and to have low entropy for the seed when /dev/urandom was not available as might happen in a chroot jail.[54] LibreSSL refers to this as the 'Linux forking and PID wrap issue'. This was fixed in LibreSSL 2.0.2.[23]

This vulnerability does not apply to OpenSSL and is a result of the refactoring of the PRNG code in LibreSSL.

| CVE reference | Description | Severity | Comment |
|---|---|---|---|
| - | Linux forking and PID wrap issue | Low[1] | |
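Why a PID comparison alone cannot detect every fork is shown in the following added example, a toy model that is not LibreSSL's PRNG code. The struct, the function names, the PIDs and the seed values are all constructed, and the fork-generation counter is an assumed stand-in for whatever fork notification a real implementation uses.

```c
#include <stdint.h>

/* Toy model (not LibreSSL's arc4random): PRNG state as copied by fork(). */
struct toy_rng {
    uint64_t state;     /* stands in for the generator's secret state */
    long     seed_pid;  /* PID recorded when the state was last seeded */
    unsigned seed_gen;  /* fork generation recorded when last seeded */
};

static void toy_seed(struct toy_rng *r, uint64_t entropy, long pid, unsigned gen)
{
    r->state = entropy;
    r->seed_pid = pid;
    r->seed_gen = gen;
}

/* xorshift64: output is a deterministic function of the current state. */
static uint64_t toy_step(struct toy_rng *r)
{
    r->state ^= r->state << 13;
    r->state ^= r->state >> 7;
    r->state ^= r->state << 17;
    return r->state;
}

/* Draw one value, reseeding first if a fork is detected.
 * use_gen == 0: compare PIDs only (the check that the PID wrap defeats).
 * use_gen == 1: compare a fork generation; here it is passed in, a real
 * implementation would have to be told about each fork (assumption). */
static uint64_t draw(struct toy_rng *r, long pid, unsigned gen,
                     int use_gen, uint64_t fresh_entropy)
{
    int forked = use_gen ? (gen != r->seed_gen) : (pid != r->seed_pid);
    if (forked)
        toy_seed(r, fresh_entropy, pid, gen);
    return toy_step(r);
}

/* Returns 1 if grandparent and grandchild emit the same "random" value. */
int outputs_collide(int use_gen)
{
    struct toy_rng grandparent, child, grandchild;

    toy_seed(&grandparent, 0x1234abcdULL, 1000, 0);  /* PID 1000 seeds */
    child = grandparent;       /* fork 1: child (PID 1001) never draws */
    grandchild = child;        /* fork 2: PIDs have wrapped, PID 1000 again */

    uint64_t a = draw(&grandparent, 1000, 0, use_gen, 0x1111ULL);
    uint64_t b = draw(&grandchild, 1000, 2, use_gen, 0x9e3779b97f4a7c15ULL);
    return a == b;
}
```

With the PID-only check the grandchild sees its own PID in the inherited state and keeps using it, so both processes produce the same output; the generation check forces a reseed.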

6 August 2014

OpenSSL published 9 vulnerabilities.[55]

| CVE reference | Description | Severity | Comment |
|---|---|---|---|
| CVE-2014-3510 | Flaw handling DTLS anonymous EC(DH) ciphersuites | medium | |
| CVE-2014-3508 | Information leak in pretty printing functions | medium | partially vulnerable |
| CVE-2014-3509 | Race condition in ssl_parse_serverhello_tlsext | medium | |
| CVE-2014-3505 | Double Free when processing DTLS packets | medium | |
| CVE-2014-3506 | DTLS memory exhaustion | medium | |
| CVE-2014-3507 | DTLS memory leak from zero-length fragments | medium | |
| CVE-2014-3511 | OpenSSL TLS protocol downgrade attack | medium | |
| CVE-2014-5139 | Crash with SRP ciphersuite in Server Hello message | medium | Not vulnerable |
| CVE-2014-3512 | SRP buffer overrun | high | Not vulnerable |

Severity taken from the NIST National Vulnerability Database

15 October 2014

OpenSSL responds to the POODLE attack and publishes 4 vulnerabilities[56]

NB: As of this advisory, OpenSSL includes severity ratings for vulnerabilities.

| CVE reference | Description | Severity | Comment |
|---|---|---|---|
| | SSL 3.0 Fallback protection | medium | LibreSSL disables SSLv3;[57] adds TLS_FALLBACK_SCSV in 2.1.4 |
| CVE-2014-3568 | Build option no-ssl3 is incomplete | low | |
| CVE-2014-3513 | SRTP Memory Leak | high | Not vulnerable |
| CVE-2014-3567 | Session Ticket Memory Leak | medium | Not vulnerable |

8 January 2015

OpenSSL publishes 8 vulnerabilities[58] discovered by the OpenSSL code review.

| CVE reference | Description | Severity | Comment |
|---|---|---|---|
| CVE-2014-8275 | Certificate fingerprints can be modified | low | Fixed in 2.1.4 |
| CVE-2014-3572 | ECDHE silently downgrades to ECDH [Client] | low | Fixed in 2.1.4 |
| CVE-2014-3570 | Bignum squaring may produce incorrect results | low | Fixed in 2.1.4 |
| CVE-2015-0205 | DH client certificates accepted without verification [Server] | low | Fixed in 2.1.4 |
| CVE-2015-0206 | DTLS memory leak in dtls1_buffer_record | moderate | Fixed in earlier release |
| CVE-2014-3571 | DTLS segmentation fault in dtls1_get_record | moderate | Not vulnerable |
| CVE-2014-3569 | no-ssl3 configuration sets method to NULL | low | Not vulnerable |
| CVE-2015-0204 | RSA silently downgrades to EXPORT_RSA [Client] | low | Not vulnerable |

19 March 2015

OpenSSL publishes 14 vulnerabilities[59] discovered by the OpenSSL code review. LibreSSL confirms that 5 of these vulnerabilities apply to LibreSSL as well,[60] notably not CVE-2015-0291, which has the highest possible impact rating for OpenSSL. LibreSSL released 2.1.6[45] to fix these security issues.

| CVE reference | Description | Severity | Comment |
|---|---|---|---|
| CVE-2015-0286 | Segmentation fault in ASN1_TYPE_cmp | moderate | Fixed in 2.1.6 |
| CVE-2015-0287 | ASN.1 structure reuse memory corruption | moderate | Fixed in 2.1.6 |
| CVE-2015-0288 | X509_to_X509_REQ NULL pointer deref | moderate | Fixed in 2.1.6 |
| CVE-2015-0289 | PKCS7 NULL pointer dereferences | moderate | Fixed in 2.1.6 |
| CVE-2015-0209 | Use After Free following d2i_ECPrivatekey error | low | Fixed in 2.1.6 |
| CVE-2015-0291 | ClientHello sigalgs DoS | high | Affected code is not present |
| CVE-2015-0204 | RSA silently downgrades to EXPORT_RSA [Client] | high | Fixed in LibreSSL 2.1.2 - reclassified from low to high |
| CVE-2015-0207 | Segmentation fault in DTLSv1_listen | moderate | LibreSSL is not vulnerable, but the fix was safe to merge |
| CVE-2015-0208 | Segmentation fault for invalid PSS parameters | moderate | Affected code is not present |
| CVE-2015-0290 | Multiblock corrupted pointer | moderate | Affected code is not present |
| CVE-2015-0292 | Base64 decode | moderate | Fixed in LibreSSL 2.0.0 |
| CVE-2015-0293 | DoS via reachable assert in SSLv2 servers | moderate | Affected code is not present |
| CVE-2015-0285 | Handshake with unseeded PRNG | low | Cannot happen by the design of the LibreSSL PRNG |
| CVE-2015-1787 | Empty CKE with client auth and DHE | moderate | Fixed in LibreSSL 2.0.1 |

11 June 2015

OpenSSL publishes seven vulnerabilities.[61] LibreSSL confirms that three of these vulnerabilities apply to LibreSSL as well and one is still under review.[46]

| CVE reference | Description | Severity | Comment |
|---|---|---|---|
| CVE-2015-4000 | DHE man-in-the-middle protection (Logjam) | medium | Not vulnerable |
| CVE-2015-1788 | Malformed ECParameters causes infinite loop | medium | Fixed in 2.1.7/2.2.0 |
| CVE-2015-1789 | Exploitable out-of-bounds read in X509_cmp_time | medium | Fixed in 2.1.7/2.2.0 |
| CVE-2015-1790 | PKCS7 crash with missing EnvelopedContent | medium | Not vulnerable |
| CVE-2015-1792 | CMS verify infinite loop with unknown hash function | medium | Fixed in 2.1.7/2.2.0 |
| CVE-2015-1791 | Race condition handling NewSessionTicket | low | In review |
| CVE-2014-8176 | Invalid free in DTLS | medium | Not vulnerable |

09 July 2015

OpenSSL publishes a single vulnerability[62] in the most recent versions of 1.0.1 and 1.0.2. Bob Beck announces[63] that this vulnerability does not apply to LibreSSL.

| CVE reference | Description | Severity | Comment |
|---|---|---|---|
| CVE-2015-1793 | Alternative chains certificate forgery | high | Not vulnerable |

15 October 2015

Qualys publishes a memory leak and buffer overflow vulnerability[64] in all versions prior to 2.2.4. Ted Unangst announces[65] release 2.2.4 of LibreSSL fixing the vulnerabilities.

| CVE reference | Description | Severity | Comment |
|---|---|---|---|
| CVE-2015-5333 | Memory leak in OBJ_obj2txt() | n.a. | Not in OpenSSL |
| CVE-2015-5334 | Buffer overflow in OBJ_obj2txt() | n.a. | Not in OpenSSL |

Notes

  1. ^ No official rating for this vulnerability is available, however another PRNG seeding issue, CVE-2015-0285 "Handshake with unseeded PRNG", has been rated as low.

External links

  • Official website
  • LibreSSL source code (OpenGrok)
  • OpenSSL Valhalla Rampage (blog of highlights of the code cleanup)
  • LibreSSL status on FreeBSD
  • LibreSSL ebuilds testing repo on Gentoo

