Feeds

LibreSSL crypto library leaps from OpenBSD to Linux, OS X, more

First cross-platform version of cleaned-up OpenSSL fork

Using blade systems to cut costs and sharpen efficiencies

The OpenBSD project has released the first portable version of LibreSSL, the team's OpenSSL fork – meaning it can be built for operating systems other than OpenBSD.

The LibreSSL project, which aims to clean up the buggy and inscrutable OpenSSL code, was founded about two months ago by a group of OpenBSD developers, so it only makes sense that getting it running on that OS would be their priority.

With the release of LibreSSL 2.0.0 on Friday, however, many of the dependencies on OpenBSD have been removed and the library can now be built for various flavors of Linux, Solaris, OS X, and FreeBSD.

Note that this is still considerably fewer platforms that the original OpenSSL library supported. But OpenSSL's portability approach had become one of extreme overkill, with the code incorporating numerous hacks and workarounds to make it run on such outdated platforms as VMS, OS/2, NetWare, 16-bit Windows, and even DOS.

By comparison, LibreSSL is focusing on Unix-like operating systems for now, although a Windows port may appear in the future.

In a presentation given in May, LibreSSL developer Bob Beck explained that much of the initial work on LibreSSL involved deleting code that only existed to provide support for oddball systems. Between that effort and removing redundant and unused code, the LibreSSL group was able to shrink the size of the OpenSSL codebase by about 23 per cent.

The LibreSSL developers have also worked to get OpenSSL's unorthodox and inconsistent source code into "kernel normal form" (KNF), a standard C coding style used by the OpenBSD project.

In addition, although the goal of the LibreSSL project is to create a secure, drop-in replacement for OpenSSL, the developers have also tried to undo some of the OpenSSL developers' more ill-advised design decisions.

For example, the OpenSSL library relies on a quirky custom memory-management layer that behaves in strange ways, which makes it impossible to audit the code with tools designed to flag memory management problems. The LibreSSL team has been replacing this code with new routines that use memory allocation routines from the standard C library, making it far easier to spot bugs.

The portable version of LibrSSL 2.0.0 is available now from the LibreSSL directory of the various OpenBSD mirror sites around the globe.

Meanwhile, work continues on a parallel effort to clean up the original OpenSSL code base, a project that has been sponsored by the Linux Foundation, among others. The LibreSSL project, on the other hand, says it has yet to receive a stable commitment of funding. ®

Boost IT visibility and business value

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.