SoylentNews
SoylentNews is people
https://soylentnews.org/

Title    Bob Beck gives a 30-day status update on LibreSSL
Date    Sunday May 18 2014, @05:44AM
Author    martyb
from the got-your-acronyms-here dept.
https://soylentnews.org/article.pl?sid=14/05/18/0254237

cnst writes:

Bob Beck, who is an OpenBSD, OpenSSH, and LibreSSL developer as well as the director of the Alberta-based non-profit OpenBSD Foundation, gave a talk earlier today at BSDCan 2014 in Ottawa, discussing and illustrating the OpenSSL problems that led to the creation of a large fork of OpenSSL. The fork remains API-compatible with the original, providing a drop-in replacement, but without the #ifdef spaghetti and without OpenSSL's own "OpenSSL C" dialect.

Bob claims that the Maryland-incorporated OpenSSL Foundation is nothing but a for-profit front for FIPS consulting gigs, and that no one at OpenSSL is actually interested in maintaining OpenSSL, merely in adding more and more features, with existing bugs rotting in bug-tracking for a staggering 4 years (CVE-2010-5298 was independently re-discovered by the OpenBSD team after having been quietly reported in OpenSSL's RT some 4 years prior).

Bob reports that the bug-tracking system abandoned by OpenSSL has actually been very useful to the OpenBSD developers in finding and fixing even more OpenSSL bugs in the downstream LibreSSL, bugs which still remain unfixed in upstream OpenSSL.

A lot of crude cleaning has already been completed, and the process is still ongoing, but some new ciphers have already been added to LibreSSL: RFC 5639 EC Brainpool, ChaCha20, Poly1305, FRP256v1, and derivatives based on the above, such as the ChaCha20-Poly1305 AEAD EVP from Adam Langley's Chromium OpenSSL patchset.

To conclude, Bob warns against portable LibreSSL knockoffs and asks the community for a funding commitment: the Linux Foundation is turning a blind eye to LibreSSL and is instead committed only to funding OpenSSL directly, despite the apparent lack of security-oriented direction within the upstream OpenSSL project. Funding can be directed to the OpenBSD Foundation.

Links

  1. "cnst" - http://cnst.su/
  2. "LibreSSL" - http://www.libressl.org/
  3. "OpenBSD Foundation" - http://www.openbsdfoundation.org/
  4. "a talk earlier today at BSDCan 2014 in Ottawa" - http://www.bsdcan.org/2014/schedule/events/520.en.html
  5. "drop-in replacement" - http://www.openbsd.org/papers/bsdcan14-libressl/mgp00010.html
  6. "the #ifdef spaghetti" - http://www.openbsd.org/papers/bsdcan14-libressl/mgp00012.html
  7. "is nothing but a for-profit front" - http://www.openbsd.org/papers/bsdcan14-libressl/mgp00008.html
  8. "rotting in bug-tracking for a staggering 4 years" - http://www.openbsd.org/papers/bsdcan14-libressl/mgp00009.html
  9. "CVE-2010-5298" - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298
  10. "has actually been very useful" - http://www.openbsd.org/papers/bsdcan14-libressl/mgp00020.html
  11. "a lot of crude cleaning has already been completed" - http://www.openbsd.org/papers/bsdcan14-libressl/mgp00026.html
  12. "new ciphers" - http://www.openbsd.org/papers/bsdcan14-libressl/mgp00027.html
  13. "RFC 5639 EC Brainpool" - http://bxr.su/OpenBSD/lib/libssl/src/crypto/ec/ec_curve.c#_EC_brainpoolP160r1
  14. "ChaCha20" - http://bxr.su/OpenBSD/lib/libssl/src/crypto/chacha/chacha.c
  15. "Poly1305" - http://bxr.su/OpenBSD/lib/libssl/src/crypto/poly1305/poly1305.c
  16. "ChaCha20-Poly1305 AEAD EVP" - http://bxr.su/OpenBSD/lib/libssl/src/crypto/evp/e_chacha20poly1305.c
  17. "warns against portable LibreSSL knockoffs" - http://www.openbsd.org/papers/bsdcan14-libressl/mgp00030.html
  18. "asks the community for Funding Commitment" - http://www.openbsd.org/papers/bsdcan14-libressl/mgp00033.html

© Copyright 2024 - SoylentNews, All Rights Reserved