LibreSSL
Developer(s) | The OpenBSD Project |
---|---|
Stable release | 2.1.6 (March 19, 2015[1]) |
Written in | C, assembly |
Operating system | OpenBSD, FreeBSD, NetBSD, Linux, HP-UX, Solaris, Mac OS X, Windows and others[2] |
Type | Security library |
License | Apache License 1.0, 4-clause BSD License, ISC License, and some are public domain |
Website | http://www.libressl.org |
LibreSSL is an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. It was forked from the OpenSSL cryptographic software library in April 2014 as a response by OpenBSD developers to the Heartbleed security vulnerability in OpenSSL,[3][4][5][6][7] with the aim of refactoring the OpenSSL code so as to provide a more secure implementation.[8]
LibreSSL was forked from the OpenSSL library starting with the 1.0.1g branch and will follow the security guidelines used elsewhere in the OpenBSD project.[9]
History
After the Heartbleed bug in OpenSSL, the OpenBSD team audited the code afresh, and quickly realised they would need to maintain a fork themselves.[3] The libressl.org domain was registered on 11 April, 2014; the project announced the name on 22 April, 2014.
In the first week of code pruning, more than 90,000 lines of C code were removed.[8][10] Older or unused code has been removed, along with support for some older or now-rare operating systems. LibreSSL is initially being developed as an intended replacement for OpenSSL in OpenBSD 5.6, and it is then expected to be ported back to other platforms once a stripped-down version of the library is stable.[11][12] As of April 2014, the project was seeking a "stable commitment" of external funding.[10]
On 5 June 2014, several OpenSSL bugs became public. While several projects were notified in advance,[13] LibreSSL was not; Theo de Raadt accused the OpenSSL developers of intentionally withholding this information from OpenBSD and LibreSSL.[14]
On 20 June 2014, Google created another fork of OpenSSL called BoringSSL, and promised to exchange fixes with LibreSSL.[15][16] Google has already relicensed some of its contributions under the ISC license, as requested by the LibreSSL developers.[15][17] On 21 June, Theo de Raadt welcomed BoringSSL and outlined the plans for LibreSSL-portable.[18] Starting on 8 July, code porting for OS X and Solaris began,[19] while initial porting to Linux began on 20 June.[20]
On 11 July 2014, the first portable version of LibreSSL was released as version 2.0.0.[21][22] The first release was quickly followed by 2.0.1[23] on 13 July, 2.0.2[24] on 16 July, 2.0.3[25] on 22 July, 2.0.4[26] on 3 Aug and 2.0.5[27] on 5 August 2014. Many issues with the first portable release were fixed in the 2.0 series.
With version 2.1.0,[28] released on 12 October 2014, the rate of change in LibreSSL became considerably lower and LibreSSL became a usable alternative to OpenSSL. Most of the changes in the 2.1 versions were related to security vulnerabilities found in OpenSSL.
Changes
Memory-related
In more detail, some of the more notable and important changes thus far include replacement of custom memory calls with ones in a standard library (for example, strlcpy, calloc, asprintf, reallocarray, etc.).[29][30] This process may help later on to catch buffer overflow errors with more advanced memory analysis tools or by simply observing program crashes (via ASLR, use of the NX bit, stack canaries, etc.).
Fixes for potential double free scenarios have also been cited in the CVS commit logs (including explicit assignments of NULL pointer values).[31] There have been extra sanity checks also cited in the commit logs related to ensuring length arguments, unsigned-to-signed variable assignments, pointer values, and method returns.
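The two habits described above, overflow-checked array allocation in the manner of reallocarray and assigning NULL after free, are shown here as an added example; it is not code from LibreSSL. The names checked_reallocarray, table_resize, table_free and wrapped_size are hypothetical, and the oversized count is a constructed value.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper with the contract of reallocarray(): refuse any
 * nmemb * size that does not fit in size_t instead of letting it wrap. */
void *checked_reallocarray(void *ptr, size_t nmemb, size_t size) {
    if (size != 0 && nmemb > SIZE_MAX / size) {
        errno = ENOMEM;
        return NULL;
    }
    return realloc(ptr, nmemb * size);
}

struct record { uint32_t id; uint8_t payload[12]; };
struct table  { struct record *rows; size_t count; };

/* Release and clear the pointer, so a second call is free(NULL): a no-op. */
void table_free(struct table *t) {
    free(t->rows);
    t->rows = NULL;
    t->count = 0;
}

/* Resize to `want` rows. On failure the old rows stay valid and owned. */
int table_resize(struct table *t, size_t want) {
    if (want == 0) { table_free(t); return 0; }  /* avoid realloc(p, 0) */
    struct record *p = checked_reallocarray(t->rows, want, sizeof(*p));
    if (p == NULL)
        return -1;
    if (want > t->count)                         /* zero only the new tail */
        memset(p + t->count, 0, (want - t->count) * sizeof(*p));
    t->rows = p;
    t->count = want;
    return 0;
}

/* What an unchecked malloc(nmemb * size) would actually have requested. */
size_t wrapped_size(size_t nmemb, size_t size) { return nmemb * size; }

int main(void) {
    struct table t = {0};
    /* Constructed oversized count, e.g. taken from an untrusted length field. */
    size_t hostile = SIZE_MAX / sizeof(struct record) + 2;
    printf("unchecked request: %zu bytes\n",
           wrapped_size(hostile, sizeof(struct record)));
    printf("checked resize:    %d\n", table_resize(&t, hostile));
    table_free(&t);
    table_free(&t);   /* harmless: rows is already NULL */
    return 0;
}
```

The unchecked product wraps to the size of a single record, which is how a huge element count turns into a tiny allocation followed by out-of-bounds writes.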
Proactive measures
In order to maintain good programming practice, a number of compiler options and flags designed for safety have been enabled by default to help in spotting potential issues so they can be fixed earlier (-Wall, -Werror, -Wextra, -Wuninitialized). There have also been code readability updates which help future contributors in verifying program correctness (KNF, white-space, line-wrapping, etc.). Modification or removal of unneeded method wrappers and macros also helps with code readability and auditing (Error and I/O abstraction library references).
Changes were made to ensure that LibreSSL will be year 2038 compatible along with maintaining portability for other similar platforms. In addition, explicit_bzero and bn_clear calls were added so that the compiler cannot optimize the zeroing away, preventing attackers from reading previously allocated memory.
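Why a dedicated zeroing call is needed, as an added example that is not taken from LibreSSL: a wipe routed through a volatile function pointer, a common portable stand-in for explicit_bzero. The names secure_wipe, session_set_key, session_clear and all_zero are hypothetical, and the key is a constructed sample.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* memset reached through a volatile function pointer: the pointer has to be
 * loaded at run time, so the compiler cannot treat the call as a dead store
 * and delete it. secure_wipe is a made-up name standing in for
 * explicit_bzero() on platforms that lack it. */
static void *(*const volatile memset_ptr)(void *, int, size_t) = memset;

void secure_wipe(void *buf, size_t len) {
    memset_ptr(buf, 0, len);
}

struct session {
    unsigned char key[32];
    size_t        key_len;
};

/* Copy key material in; refuses keys that do not fit. */
int session_set_key(struct session *s, const unsigned char *k, size_t len) {
    if (len > sizeof(s->key))
        return -1;
    memcpy(s->key, k, len);
    s->key_len = len;
    return 0;
}

/* Tear-down. With a plain memset() here, a caller that frees or abandons
 * the struct right afterwards lets the optimizer drop the zeroing, which
 * would leave the key readable in memory. */
void session_clear(struct session *s) {
    secure_wipe(s, sizeof(*s));
}

/* Returns 1 if every byte of buf is zero. */
int all_zero(const void *buf, size_t len) {
    const unsigned char *p = buf;
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= p[i];
    return acc == 0;
}

int main(void) {
    const unsigned char k[16] = "constructed-key";   /* sample value */
    struct session s;
    session_set_key(&s, k, sizeof(k));
    session_clear(&s);
    printf("wiped: %d\n", all_zero(&s, sizeof(s)));
    return 0;
}
```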
Cryptographic
There were changes to help ensure proper seeding of random number generator-based methods via replacements of insecure seeding practices (taking advantage of features offered by the kernel itself natively).[32][33] In terms of notable additions made, OpenBSD has added support for newer and more reputable algorithms (ChaCha stream cipher and Poly1305 message authentication code) along with a safer set of elliptic curves (brainpool curves from RFC 5639, up to 512 bits in strength).
Added features
The initial release of LibreSSL added a number of features: the ChaCha and Poly1305 algorithms, the Brainpool and ANSSI elliptic curves, and the AES-GCM and ChaCha20-Poly1305 AEAD modes.
Later versions added the following:[34]
- 2.1.0:[28] Automatic ephemeral EC keys
- 2.1.2:[35] Built-in arc4random implementation on OS X and FreeBSD
- 2.1.2: Reworked GOST cipher suite support
- 2.1.3:[36] ALPN support
- 2.1.3: SHA256 Camellia cipher suites
- 2.1.4:[37] TLS_FALLBACK_SCSV server-side support
- 2.1.4: certhash as a replacement of the c_rehash script
- 2.1.4: X509_STORE_load_mem API for loading certificates from memory (enhance chroot support)
- 2.1.4: Experimental Windows binaries
- 2.1.5:[38] Minor update mainly for improving Windows support, first working 32- and 64-bit binaries
- 2.1.6:[39] libtls declared stable and enabled by default
Old insecure features
The initial release of LibreSSL disabled a number of features by default.[40] Some of the code for these features was later removed, including Kerberos, US-Export ciphers, TLS compression, DTLS heartbeat, and SSL v2.
Later versions disabled more features:
- 2.1.1:[41] Following the discovery of the POODLE vulnerability in the legacy SSL 3.0 protocol, LibreSSL now disables the use of SSL 3.0 by default.
- 2.1.3:[36] GOST R 34.10-94 signature authentication[34]
Code removal
On 18 April 2014, Bob Beck reported[42] having removed 82000 lines of C code and 140000 lines in total from the OpenSSL 1.0.1g code.
The initial release of LibreSSL has removed a number of features that were deemed insecure, unnecessary or deprecated as part of OpenBSD 5.6:[40]
- In response to Heartbleed, the heartbeat functionality[43] was one of the first features to be removed
- Unneeded platforms (Classic Mac OS, NetWare, OS/2, VMS, 16-bit Windows, etc.)
- Support for old compilers
- The IBM 4758, Broadcom ubsec, Sureware, Nuron, GOST, GMP, CSwift, CHIL, CAPI, Atalla and AEP engines were removed due to irrelevance of hardware or dependency on non-free libraries
- The OpenSSL PRNG was removed (and replaced with arc4random)
- Preprocessor macros that have been deemed unnecessary or insecure or were already deprecated in OpenSSL for a long time (e.g. des_old.h)
- Older unneeded files for assembly language, C, and Perl (e.g. EGD)
- MD2, SEED functionality
The Dual_EC_DRBG algorithm, which is suspected of having a back door,[44] was cut along with support for the FIPS 140-2 standard that required it. Unused protocols and insecure algorithms have also been removed, including the support for FIPS 140-2,[45] MD4/MD5,[34] J-PAKE,[40] and SRP.[26]
Bug backlog
One of the complaints about OpenSSL was the number of open bugs reported in the bug tracker that had gone unfixed for years. Older bugs are now being fixed in LibreSSL.[46]
Security and vulnerabilities
LibreSSL has proven not to be vulnerable to many of the issues discovered after it was forked from the OpenSSL project. Notably, none of the vulnerabilities rated "High" were applicable to LibreSSL.
Severity | LibreSSL | OpenSSL |
---|---|---|
High | 0 | 4 |
Medium | 12 | 22 |
Low | 7 | 9 |
Total | 19 | 35 |
13 July 2014
Shortly after the first portable release, LibreSSL's PRNG was found to not always reseed the PRNG when forking new processes, and to have low entropy for the seed when /dev/urandom was not available as might happen in a chroot jail.[47] LibreSSL refers to this as the 'Linux forking and PID wrap issue'.
This was fixed in LibreSSL 2.0.2.[24]
This vulnerability does not apply to OpenSSL and is a result of the refactoring of the PRNG code in LibreSSL.
CVE reference | Description | Severity | Comment |
---|---|---|---|
- | Linux forking and PID wrap issue | low[note 1] | |

Note 1: No official rating for this vulnerability is available; however, another PRNG seeding issue, CVE-2015-0285 "Handshake with unseeded PRNG", has been rated as low.
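A simplified model of the forking and PID wrap issue described above, as an added example; it is not LibreSSL's PRNG code. A struct copy stands in for fork(), the PIDs and the entropy source are constructed, and the fork generation counter is an assumed mitigation (one that could be incremented in the child from a pthread_atfork handler), shown beside a check that compares PIDs only.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy generator state. fork() copies it byte for byte into the child. */
struct rng {
    uint64_t state;
    int      seed_pid;   /* PID recorded at the last reseed */
    unsigned seed_gen;   /* fork generation recorded at the last reseed */
};

/* Constructed stand-in for kernel entropy: every call returns a new value. */
static uint64_t fresh_entropy(void) {
    static uint64_t ctr = 0x9e3779b97f4a7c15ULL;
    return ctr += 0x632be59bd9b4e019ULL;
}

static void reseed(struct rng *r, int pid, unsigned gen) {
    r->state = fresh_entropy();
    r->seed_pid = pid; r->seed_gen = gen;
}

/* xorshift64 step: adequate for a model, not a cryptographic generator. */
static uint64_t step(struct rng *r) {
    r->state ^= r->state << 13;
    r->state ^= r->state >> 7;
    r->state ^= r->state << 17;
    return r->state;
}

/* use_gen == 0: reseed only when the PID differs (defeated by PID reuse).
 * use_gen == 1: reseed when the fork generation differs. */
static uint64_t draw(struct rng *r, int pid, unsigned gen, int use_gen) {
    int forked = use_gen ? (r->seed_gen != gen) : (r->seed_pid != pid);
    if (forked)
        reseed(r, pid, gen);
    return step(r);
}

/* Returns 1 if the grandchild repeats the grandparent's output. */
int grandchild_repeats(int use_gen) {
    struct rng gp, child, gc;
    reseed(&gp, 1000, 0);         /* grandparent: PID 1000, generation 0 */
    child = gp;                   /* fork: PID 1001, gen 1, never draws */
    uint64_t gp_out = draw(&gp, 1000, 0, use_gen);
    gc = child;                   /* fork after gp exits; PID wraps to 1000 */
    uint64_t gc_out = draw(&gc, 1000, 2, use_gen);
    return gp_out == gc_out;
}

int main(void) {
    printf("PID check only:  repeat=%d\n", grandchild_repeats(0));
    printf("fork generation: repeat=%d\n", grandchild_repeats(1));
    return 0;
}
```

In the PID-only case the grandchild inherits a state stamped with PID 1000 and is itself PID 1000, so the check sees no fork and the two processes emit the same value.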
6 August 2014
OpenSSL published 9 vulnerabilities.[48]
CVE reference | Description | Severity | Comment |
---|---|---|---|
CVE-2014-3510 | Flaw handling DTLS anonymous EC(DH) ciphersuites | medium | |
CVE-2014-3508 | Information leak in pretty printing functions | medium | partially vulnerable |
CVE-2014-3509 | Race condition in ssl_parse_serverhello_tlsext | medium | |
CVE-2014-3505 | Double Free when processing DTLS packets | medium | |
CVE-2014-3506 | DTLS memory exhaustion | medium | |
CVE-2014-3507 | DTLS memory leak from zero-length fragments | medium | |
CVE-2014-3511 | OpenSSL TLS protocol downgrade attack | medium | |
CVE-2014-5139 | Crash with SRP ciphersuite in Server Hello message | medium | Not vulnerable |
CVE-2014-3512 | SRP buffer overrun | high | Not vulnerable |
Severity taken from the NIST National Vulnerability Database.
15 October 2014
OpenSSL responds to the POODLE attack and publishes 4 vulnerabilities.[49]
NB: As of this advisory, OpenSSL includes severity ratings for vulnerabilities.
CVE reference | Description | Severity | Comment |
---|---|---|---|
- | SSL 3.0 Fallback protection | medium | LibreSSL disables SSLv3;[50] adds TLS_FALLBACK_SCSV in 2.1.4 |
CVE-2014-3568 | Build option no-ssl3 is incomplete | low | |
CVE-2014-3513 | SRTP Memory Leak | high | Not vulnerable |
CVE-2014-3567 | Session Ticket Memory Leak | medium | Not vulnerable |
8 January 2015
OpenSSL publishes 8 vulnerabilities[51] discovered by the OpenSSL code review.
CVE reference | Description | Severity | Comment |
---|---|---|---|
CVE-2014-8275 | Certificate fingerprints can be modified | low | Fixed in 2.1.4 |
CVE-2014-3572 | ECDHE silently downgrades to ECDH [Client] | low | Fixed in 2.1.4 |
CVE-2014-3570 | Bignum squaring may produce incorrect results | low | Fixed in 2.1.4 |
CVE-2015-0205 | DH client certificates accepted without verification [Server] | low | Fixed in 2.1.4 |
CVE-2015-0206 | DTLS memory leak in dtls1_buffer_record | moderate | Fixed in earlier release |
CVE-2014-3571 | DTLS segmentation fault in dtls1_get_record | moderate | Not vulnerable |
CVE-2014-3569 | no-ssl3 configuration sets method to NULL | low | Not vulnerable |
CVE-2015-0204 | RSA silently downgrades to EXPORT_RSA [Client] | low | Not vulnerable |
19 March 2015
OpenSSL publishes 14 vulnerabilities[52] discovered by the OpenSSL code review. LibreSSL confirms that 5 of these vulnerabilities apply to LibreSSL as well,[53] notably not CVE-2015-0291, which has the highest possible impact rating for OpenSSL. LibreSSL released 2.1.6[39] to fix these security issues.
CVE reference | Description | Severity | Comment |
---|---|---|---|
CVE-2015-0286 | Segmentation fault in ASN1_TYPE_cmp | moderate | Fixed in 2.1.6 |
CVE-2015-0287 | ASN.1 structure reuse memory corruption | moderate | Fixed in 2.1.6 |
CVE-2015-0288 | X509_to_X509_REQ NULL pointer deref | moderate | Fixed in 2.1.6 |
CVE-2015-0289 | PKCS7 NULL pointer dereferences | moderate | Fixed in 2.1.6 |
CVE-2015-0209 | Use After Free following d2i_ECPrivatekey error | low | Fixed in 2.1.6 |
CVE-2015-0291 | ClientHello sigalgs DoS | high | Affected code is not present |
CVE-2015-0204 | RSA silently downgrades to EXPORT_RSA [Client] | high | Fixed in LibreSSL 2.1.2 - reclassified from low to high |
CVE-2015-0207 | Segmentation fault in DTLSv1_listen | moderate | LibreSSL is not vulnerable, but the fix was safe to merge |
CVE-2015-0208 | Segmentation fault for invalid PSS parameters | moderate | Affected code is not present |
CVE-2015-0290 | Multiblock corrupted pointer | moderate | Affected code is not present |
CVE-2015-0292 | Base64 decode | moderate | Fixed in LibreSSL 2.0.0 |
CVE-2015-0293 | DoS via reachable assert in SSLv2 servers | moderate | Affected code is not present |
CVE-2015-0285 | Handshake with unseeded PRNG | low | Cannot happen by the design of the LibreSSL PRNG |
CVE-2015-1787 | Empty CKE with client auth and DHE | moderate | Fixed in LibreSSL 2.0.1 |
References
1. "LibreSSL 2.1.6 released". 2015-03-19. Retrieved 2015-03-22.
2. "LibreSSL Releases".
3. Unangst, Ted (22 April 2014). "Origins of libressl". flak. Retrieved 24 April 2014.
4. Kerner, Sean Michael (22 April 2014). "After Heartbleed, OpenSSL Is Forked Into LibreSSL". eWeek. Retrieved 24 April 2014.
5. "Not Just a Cleanup Any More: LibreSSL Project Announced". Slashdot. 22 April 2014. Retrieved 24 April 2014.
6. Beck, Bob (17 May 2014). "LibreSSL: The first 30 days, and what the Future Holds Slides". Retrieved 17 May 2014.
7. M, Constantine (17 May 2014). Soulskill, ed. "30-Day Status Update On LibreSSL". Slashdot.
8. Seltzer, Larry (21 April 2014). "OpenBSD forks, prunes, fixes OpenSSL". Zero Day. ZDNet. Retrieved 21 April 2014.
9. Hessler, Peter (15 April 2014). "OpenBSD has started a massive strip-down and cleanup of OpenSSL". OpenBSD Journal. Retrieved 24 April 2014.
10. Brodkin, Jon (22 April 2014). "OpenSSL code beyond repair, claims creator of "LibreSSL" fork". Ars Technica. Retrieved 24 April 2014.
11. McCallion, Jane (22 April 2014). "Heartbleed: LibreSSL scrubs "irresponsible" OpenSSL code". PC Pro. Retrieved 23 April 2014.
12. Larabel, Michael (9 May 2014). "OpenBSD Affirms That LibreSSL Will Be Portable". Phoronix. Retrieved 30 May 2014.
13. "oss-sec: Re: OpenSSL seven security fixes". Seclists.org. Retrieved 2014-06-09.
14. "'Re: new OpenSSL flaws' - MARC". Marc.info. 2014-06-05. Retrieved 2014-06-09.
15. Langley, Adam (20 June 2014). "BoringSSL (20 Jun 2014)". ImperialViolet. Retrieved 2014-06-21.
16. Goodin, Dan (20 June 2014). "Google unveils independent "fork" of OpenSSL called "BoringSSL"". Ars Technica. Retrieved 21 June 2014.
17. Sing, Joel (21 June 2014). "OpenBSD — lib/libssl/src/crypto/evp evp_aead.c e_chacha20poly1305.c". Retrieved 21 June 2014.
18. Raadt, Theo de (21 June 2014). "Boringssl and such" (Mailing list).
19. Beck, Bob (8 July 2014). "OpenBSD - lib/libcrypto/crypto getentropy_osx.c getentropy_solaris.c".
20. Beck, Bob (20 June 2014). "OpenBSD — lib/libcrypto/crypto getentropy_linux.c".
21. "Index of /pub/OpenBSD/LibreSSL". 11 July 2014. Retrieved 11 July 2014.
22. Beck, Bob (11 July 2014). "First release of LibreSSL portable is available". Marc.info. Retrieved 11 July 2014.
23. Beck, Bob (13 July 2014). "LibreSSL 2.0.1 released".
24. Beck, Bob (16 July 2014). "LibreSSL portable 2.0.2 released".
25. Beck, Bob (22 July 2014). "LibreSSL 2.0.3 released".
26. Beck, Bob (3 August 2014). "LibreSSL 2.0.4 released".
27. Cook, Brent (8 August 2014). "LibreSSL 2.0.5 released".
28. Beck, Bob (12 October 2014). "LibreSSL 2.1.0 released".
29. Orr, William (23 April 2014). "A quick recap over the last week". OpenSSL Valhalla Rampage. Retrieved 30 April 2014.
30. "OpenBSD LibreSSL CVS Calloc Commits".
31. "OpenBSD LibreSSL CVS Double Free Commits".
32. "OpenBSD LibreSSL CVS Insecure Seeding".
33. "OpenBSD LibreSSL CVS Kernel Seeding".
34. "LibreSSL-portable ChangeLog". LibreSSL.
35. Beck, Bob (9 December 2014). "LibreSSL 2.1.2 released".
36. Cook, Brent (22 January 2015). "LibreSSL 2.1.3 released".
37. Cook, Brent (4 March 2015). "LibreSSL 2.1.4 released".
38. Cook, Brent (17 March 2015). "LibreSSL 2.1.5 released".
39. Cook, Brent (19 March 2015). "LibreSSL 2.1.6 released".
40. Antoine Jacoutot. "OpenBSD 5.6 Released". OpenBSD.
41. Beck, Bob (16 October 2014). "LibreSSL 2.1.1 released".
42. Beck, Bob (2014-04-18). "Bob Beck on Twitter".
43. "OpenBSD LibreSSL CVS OPENSSL_NO_HEARTBEAT".
44. Perlroth, Nicole (10 September 2013). "Government Announces Steps to Restore Confidence on Encryption Standards". The New York Times. Retrieved 9 May 2014.
45. "The future (or lack thereof) of LibreSSL’s FIPS Object Module".
46. "OpenBSD LibreSSL CVS Buffer Release (#2167 bugfix) Commit". 10 April 2014. Retrieved 1 May 2014.
47. Ayer, Andrew (13 July 2014). "LibreSSL's PRNG is Unsafe on Linux".
48. "OpenSSL Security Advisory [6 Aug 2014]". 6 August 2014.
49. "OpenSSL Security Advisory [15 Oct 2014]". 15 October 2014.
50. "Disable SSLv3 by default.". 15 October 2015.
51. "OpenSSL Security Advisory [08 Jan 2015]". 8 January 2015.
52. "OpenSSL Security Advisory [19 Mar 2015]". 19 March 2015.
53. Beck, Bob (19 March 2015). "Official word outbound: Of the 13 CVE's only 5 affect #LibreSSL".
External links
- Official website
- LibreSSL source code (OpenGrok)
- OpenSSL Valhalla Rampage (blog of highlights of the code cleanup)
- LibreSSL status on FreeBSD
- LibreSSL ebuilds testing repo on Gentoo