Heartbleed’s Aftermath: OpenBSD Developers Start Purifying OpenSSL
Update (April 23, 2014): The fork of OpenSSL has a name, LibreSSL. The team announced that they are targeting an initial production release for OpenBSD 5.6 (scheduled for November 2014). A portable version of OpenSSL is dependent on donations from the community at-large.
The recent news of the Heartbleed flaw has caused the entire OpenSSL project to face heightened scrutiny—everywhere from the technical community to the mainstream news media. Building increased awareness around the problems facing the library is the first step to improving security. The OpenBSD development team is taking the next step by undertaking a massive audit and clean-up of OpenSSL’s entire codebase. (Despite the similar project names, it should be noted that OpenBSD is wholly distinct from OpenSSL, and until now the OpenBSD developers had no involvement with the project's code.)
The OpenBSD development team follows a design philosophy that adheres to “portability, standardization, correctness, proactive security and integrated cryptography.” Prioritizing a secure and intelligent design above all other considerations has periodically drawn stern criticism from other open source projects. Perhaps most notably, Linux creator Linus Torvalds referred to the OpenBSD team as “… a bunch of masturbating monkeys” back in 2008. Given the level of disrepair in the OpenSSL library, it would seem that OpenBSD’s “black-and-white” thinking may be just what is needed to regain some measure of trust in the library.
The reports and code commits arising from this clean-up are both insightful and entertaining. The website OpenSSL Valhalla Rampage and its accompanying Twitter feed have sprung up to highlight particularly memorable changes. References to the rapper Coolio, HAL 9000, and Cthulhu(?) are being made in the source commits. OpenBSD developer Bob Beck noted that over 82,000 lines of C code have been removed so far. A high-level overview of the changes made to the code through April 11th is available courtesy of developer Joshua Stein.
At the time of this article, a name for OpenBSD’s revised version of OpenSSL has not been given, nor has a formal release date been set. It is also undecided whether a portable version will be made available for non-OpenBSD systems, similar to the way OpenSSH is delivered. Regardless of the ultimate path this revised version takes, the massive amount of work the team is doing will be available to all projects, as the code is publicly available throughout the development process.
Martin Thompson, Jul 27, 2014