LibreSSL

After the Heartbleed security vulnerability was discovered in OpenSSL, the OpenBSD team audited the codebase and decided it was necessary to fork OpenSSL to remove dangerous code. The libressl.org domain was registered on 11 April 2014; the project announced the name on 22 April 2014. In the first week of development, more than 90,000 lines of C code were removed.{{cite web |url=https://arstechnica.com/information-technology/2014/04/openssl-code-beyond-repair-claims-creator-of-libressl-fork/ |title=OpenSSL code beyond repair, claims creator of "LibreSSL" fork |first=Jon |last=Brodkin |work=Ars Technica |date=22 April 2014 |access-date=24 April 2014}} Unused code was removed, and support for obsolete operating systems (Classic Mac OS, NetWare, OS/2, 16-bit Windows) and some older operating systems (OpenVMS) was removed.{{cite mailing list |url=https://marc.info/?l=openbsd-announce&m=141486254309079 |title=OpenBSD 5.6 Released |date=1 November 2014 |access-date=28 October 2015 |mailing-list=openbsd-announce |last=Jacoutot |first=Antoine }}

LibreSSL was initially developed as an intended replacement for OpenSSL in OpenBSD 5.6, and was ported to other platforms once a stripped-down version of the library was stable.{{cite web |url=http://www.pcpro.co.uk/news/security/388309/heartbleed-libressl-scrubs-irresponsible-openssl-code |title=Heartbleed: LibreSSL scrubs "irresponsible" OpenSSL code |first=Jane |last=McCallion |work=PC Pro |date=22 April 2014 |access-date=23 April 2014 |archive-url=https://web.archive.org/web/20140626092314/http://www.pcpro.co.uk/news/security/388309/heartbleed-libressl-scrubs-irresponsible-openssl-code |archive-date=26 June 2014 |url-status=dead }} {{As of|2014|04}}, the project was seeking a "stable commitment" of external funding. On 17 May 2014, Bob Beck presented "LibreSSL: The First 30 Days, and What The Future Holds" during the 2014 BSDCan conference, in which he described the progress made in the first month.{{cite web|first=Bob|last=Beck|title=LibreSSL: The first 30 days, and what the Future Holds Slides|access-date=17 May 2014|date=17 May 2014|url=http://www.openbsd.org/papers/bsdcan14-libressl/mgp00003.html}} On 5 June 2014, several OpenSSL bugs became public. While several projects were notified in advance,{{cite mailing list |url=http://seclists.org/oss-sec/2014/q2/466 |title=Re: OpenSSL seven security fixes |date=5 June 2014 |access-date=9 June 2014 |mailing-list=oss-sec}} LibreSSL was not; Theo de Raadt accused the OpenSSL developers of intentionally withholding this information from OpenBSD and LibreSSL.{{cite mailing list |url=https://marc.info/?l=openbsd-misc&m=140199662922801&w=2 |title=Re: new OpenSSL flaws |date=5 June 2014 |access-date=9 June 2014 |mailing-list=openbsd-misc |last=de Raadt |first=Theo |author-link=Theo de Raadt }}

On 20 June 2014, Google created another fork of OpenSSL called BoringSSL, and promised to exchange fixes with LibreSSL.{{cite web|url=https://www.imperialviolet.org/2014/06/20/boringssl.html|title=BoringSSL (20 Jun 2014)|last=Langley|first=Adam|date=20 June 2014|website=Imperialviolet.org|access-date=21 June 2014}}{{cite web|url=https://arstechnica.com/security/2014/06/google-unveils-independent-fork-of-openssl-called-boringssl/|title=Google unveils independent "fork" of OpenSSL called "BoringSSL"|last=Goodin|first=Dan|date=20 June 2014|access-date=21 June 2014|work=Ars Technica}} Google has already relicensed some of its contributions under the ISC license, as it was requested by the LibreSSL developers.{{cite web|url=https://secure.freshbsd.org/commit/openbsd/ef62f9c8a51b8fb8ce21e1486986f8f3dc7f50a3|title=OpenBSD — lib/libssl/src/crypto/evp evp_aead.c e_chacha20poly1305.c|last=Sing|first=Joel|date=21 June 2014|access-date=21 June 2014|archive-url=https://archive.today/20140622060845/https://secure.freshbsd.org/commit/openbsd/ef62f9c8a51b8fb8ce21e1486986f8f3dc7f50a3|archive-date=22 June 2014|url-status=dead}} On 21 June 2014, Theo de Raadt welcomed BoringSSL and outlined the plans for LibreSSL-portable.{{cite mailing list|url=https://marc.info/?l=openbsd-tech&m=140332790726752&w=2 |title=Boringssl and such |date=21 June 2014 |access-date=28 October 2015 |mailing-list=openbsd-tech |last=de Raadt|first=Theo |author-link=Theo de Raadt}} Starting on 8 July, code porting for macOS and Solaris began,{{cite web|url=https://secure.freshbsd.org/commit/openbsd/bb95c69c5dea2b7ae53fb1036904c27c038bd2b0|title=OpenBSD - lib/libcrypto/crypto getentropy_osx.c getentropy_solaris.c|date=8 July 2014|last=Beck|first=Bob|access-date=8 July 2014|archive-url=https://web.archive.org/web/20140722094048/https://secure.freshbsd.org/commit/openbsd/bb95c69c5dea2b7ae53fb1036904c27c038bd2b0|archive-date=22 July 2014|url-status=dead}} while the initial porting to Linux began on 20 June.{{cite web|url=https://secure.freshbsd.org/commit/openbsd/1d7eab2186ba0e70b976372401977c2c784ef30a|archive-url=https://archive.today/20140709185108/https://secure.freshbsd.org/commit/openbsd/1d7eab2186ba0e70b976372401977c2c784ef30a|url-status=dead|archive-date=9 July 2014|title=OpenBSD — lib/libcrypto/crypto getentropy_linux.c|date=20 June 2014|last=Beck|first=Bob}}

As of 2021, OpenBSD uses LibreSSL as the primary TLS library. Alpine Linux supported LibreSSL as its primary TLS library for three years, until release 3.9.0 in January 2019. Gentoo supported LibreSSL until February 2021.{{Cite web|title=LibreSSL languishes on Linux [LWN.net]|url=https://lwn.net/SubscriberLink/841664/0ba4265680b9dadf/|access-date=2021-01-06|website=lwn.net}} Python 3.10 dropped LibreSSL{{Cite web|url=https://www.python.org/dev/peps/pep-0644/#libressl-support|title = PEP 644 -- Require OpenSSL 1.1.1 or newer}} after being supported since Python 3.4.3 (2015).{{Cite web|url=https://docs.python.org/3.4/whatsnew/changelog.html#python-3-4-3-final|title = Changelog — Python 3.4.10 documentation}}

LibreSSL is the default provider of TLS for:

• Dragonfly BSD{{Cite web |title=[Beta] Switch base to use private LibreSSL libraries |url=https://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/304ca408000cd34559ef5319b4b5a6766d6eb35b |first=John |last=Marino|access-date= 9 November 2018}}
• OpenBSD
• Hyperbola GNU/Linux-libre{{cite web | url = https://www.hyperbola.info/news/milky-way-v03-release/ | title = Milky Way v0.3 release | access-date = 23 September 2019 | publisher = Hyperbola Project | date = 23 September 2019}}
• [https://github.com/powershell/Win32-OpenSSH OpenSSH on Windows]

LibreSSL is the default provider of TLS for these now-discontinued systems:

• OpenELEC{{cite web|url=http://openelec.tv/news/22-releases/165-beta-openelec-6-0-beta-2-released|title=OpenELEC Mediacenter - [Beta] OpenELEC 6.0 Beta 2 released|first=Stephan|last=Raue|website=Openelec.tv|access-date=20 August 2015|archive-url=https://web.archive.org/web/20151126061521/http://openelec.tv/news/22-releases/165-beta-openelec-6-0-beta-2-released|archive-date=26 November 2015|url-status=dead}}
• TrueOS packages{{Cite web |title=PC-BSD Evolves into TrueOS |url=https://www.trueos.org/2016/09/01/pc-bsd-evolves-into-trueos/ |access-date=16 September 2016 |archive-url=https://web.archive.org/web/20160916041238/https://www.trueos.org/2016/09/01/pc-bsd-evolves-into-trueos/ |archive-date=16 September 2016 |url-status=dead }}{{Cite web |title=PC-BSD 10.1.2: an Interview with Kris Moore |url=http://blog.pcbsd.org/2015/05/pc-bsd-10-1-2-an-interview-with-kris-moore/ |first=Mark |last=VonFange |publisher=Official PC-BSD Blog |access-date= 15 October 2015}}

LibreSSL is a selectable provider of TLS for:

• FreeBSD packages{{Cite web |title=Add DEFAULT_VERSIONS=ssl=XXX|url=https://svnweb.freebsd.org/ports?view=revision&revision=416965|website=Svnweb.freebsd.org}}
• Gentoo packages{{Cite web|title= Project:LibreSSL - Gentoo|url=https://wiki.gentoo.org/wiki/Project:LibreSSL|website=Wiki.gentoo.org}} (support dropped as of February 2021{{Cite web |url=https://www.gentoo.org/support/news-items/2021-01-05-libressl-support-discontinued.html|first=Michał|last=Górny|date=2021-01-05|access-date =2021-03-30|title=LibreSSL support discontinued|website=www.gentoo.org}}{{Cite web |url=https://bugs.gentoo.org/762847|first=Michał|last=Górny|date=2020-12-31|access-date =2021-03-30|title=Bug 762847 - dev-libs/libressl: Removal|website=bugs.gentoo.org}}{{Cite web |url=https://archives.gentoo.org/gentoo-dev/message/9a92320c599e63c8c18b2ed29050f22f|first=Michał|last=Górny|date=28 Dec 2020|access-date=2021-03-30|title=[gentoo-dev] [RFC] Discontinuing LibreSSL support?|website=archives.gentoo.org}})
• OPNsense packages {{Cite web |title=OPNsense version 15.7 Released |url=https://opnsense.org/opnsense-version-15-7-released/ |publisher=OPNsense |access-date=15 October 2015}} (will be dropped after 22.7{{Cite web |title=OPNsense version 22.7 Released |url=https://forum.opnsense.org/index.php?topic=29507.0 |publisher=OPNsense |access-date=2022-08-05}})
• macOS

Changes include replacement of custom memory calls to ones in a standard library (for example, strlcpy, calloc, asprintf, reallocarray, etc.).{{cite web|url=http://opensslrampage.org/post/83631316689/a-quick-recap-over-the-last-week|work=OpenSSL Valhalla Rampage|title=A quick recap over the last week|date=23 April 2014|access-date=30 April 2014|last=Orr|first=William}}{{self-published inline|date=May 2014}}{{cite web|url=https://secure.freshbsd.org/search?project=openbsd&q=libssl+calloc|title=OpenBSD LibreSSL CVS Calloc Commits|website=Secure.freshbsd.org}} This process may help later on to catch buffer overflow errors with more advanced memory analysis tools or by observing program crashes (via ASLR, use of the NX bit, stack canaries, etc.).

Fixes for potential double free scenarios have also been cited in the VCS commit logs (including explicit assignments of null pointer values).{{cite web|url=https://secure.freshbsd.org/search?project=openbsd&q=libssl+double+free|title=OpenBSD LibreSSL CVS Double Free Commits|website=Secure.freshbsd.org}} There have been extra sanity checks also cited in the commit logs related to ensuring length arguments, unsigned-to-signed variable assignments, pointer values, and method returns.

In order to maintain good programming practice, a number of compiler options and flags designed for safety have been enabled by default to help in spotting potential issues so they can be fixed earlier (-Wall, -Werror, -Wextra, -Wuninitialized). There have also been code readability updates which help future contributors in verifying program correctness (KNF, white-space, line-wrapping, etc.). Modification or removal of unneeded method wrappers and macros also help with code readability and auditing (Error and I/O abstraction library references).

Changes were made to ensure that LibreSSL will be year 2038 compatible along with maintaining portability for other similar platforms. In addition, explicit_bzero and bn_clear calls were added to prevent the compiler from optimizing them out and prevent attackers from reading previously allocated memory.

There were changes to help ensure proper seeding of random number generator-based methods via replacements of insecure seeding practices (taking advantage of features offered by the kernel itself natively).{{cite web|url=http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/crypto/rsa/rsa_crpt.c.diff?r1=1.2&r2=1.3|title=OpenBSD LibreSSL CVS insecure seeding|website=Secure.freshbsd.org}}{{cite web|url=https://secure.freshbsd.org/commit/openbsd/58777eed1cff7c5b34cbc026278f730176a6dbc2|archive-url=https://archive.today/20140916151049/https://secure.freshbsd.org/commit/openbsd/58777eed1cff7c5b34cbc026278f730176a6dbc2|url-status=dead|archive-date=2014-09-16|title=OpenBSD LibreSSL CVS Kernel Seeding|website=Secure.freshbsd.org}} In terms of notable additions made, OpenBSD has added support for newer and more reputable algorithms (ChaCha stream cipher and Poly1305 message authentication code) along with a safer set of elliptic curves (brainpool curves from RFC 5639, up to 512 bits in strength).

The initial release of LibreSSL added a number of features: the ChaCha and Poly1305 algorithm, the [https://tools.ietf.org/html/rfc7027 Brainpool] and [http://www.ssi.gouv.fr/agence/publication/publication-dun-parametrage-de-courbe-elliptique-visant-des-applications-de-passeport-electronique-et-de-ladministration-electronique-francaise/ ANSSI] elliptic curves, and the AES-GCM and ChaCha20-Poly1305 AEAD modes.

Later versions added the following:

• 2.1.0: Automatic ephemeral EC keys.{{cite mailing list |url=http://marc.info/?l=openbsd-announce&m=141314415604790 |title=LibreSSL 2.1.0 released |date=12 October 2014 |access-date=28 October 2015 |mailing-list=openbsd-announce |last=Beck |first=Bob }}
• 2.1.2: Built-in arc4random implementation on macOS and FreeBSD.{{cite mailing list |url=http://marc.info/?l=openbsd-announce&m=141809396501638 |title=LibreSSL 2.1.2 released |date=9 December 2014 |access-date=28 October 2015 |mailing-list=openbsd-announce |last=Beck |first=Bob }}
• 2.1.2: Reworked GOST cipher suite support.
• 2.1.3: ALPN support.{{cite mailing list |url=http://marc.info/?l=openbsd-announce&m=142193407304782 |title=LibreSSL 2.1.3 released |date=22 January 2015 |access-date=28 October 2015 |mailing-list=openbsd-announce |last=Cook |first=Brent }}
• 2.1.3: Support for SHA-256 and Camellia cipher suites.
• 2.1.4: TLS_FALLBACK_SCSV server-side support.{{cite mailing list |url=http://marc.info/?l=openbsd-announce&m=142543818707898 |title=LibreSSL 2.1.4 released |date=4 March 2015 |access-date=28 October 2015 |mailing-list=openbsd-announce |last=Cook |first=Brent }}
• 2.1.4: certhash as a replacement of the c_rehash script.
• 2.1.4: X509_STORE_load_mem API for loading certificates from memory (enhance chroot support).
• 2.1.4: Experimental Windows binaries.
• 2.1.5: Minor update mainly for improving Windows support, first working 32- and 64-bit binaries.{{cite mailing list |url=http://marc.info/?l=openbsd-announce&m=142656309518707 |title=LibreSSL 2.1.5 released |date=17 March 2015 |access-date=28 October 2015 |mailing-list=openbsd-announce |last=Cook |first=Brent }}
• 2.1.6: {{not a typo|libtls}} declared stable and enabled by default.{{cite mailing list |url=http://marc.info/?l=openbsd-announce&m=142678407219391 |title=LibreSSL 2.1.6 released |date=19 March 2015 |access-date=28 October 2015 |mailing-list=openbsd-announce |last=Cook |first=Brent }}
• 2.2.0: AIX and Cygwin support.{{cite mailing list |url=https://marc.info/?l=openbsd-announce&m=143404058913441 |title=LibreSSL 2.1.7 and 2.2.0 released |date=11 June 2015 |access-date=28 October 2015 |mailing-list=openbsd-announce |last=Cook |first=Brent }}
• 2.2.1: Addition of EC_curve_nid2nist and EC_curve_nist2nid{{cite mailing list |url=http://marc.info/?l=openbsd-announce&m=143635991232240 |title=LibreSSL 2.2.1 released |date=9 July 2015 |access-date=28 October 2015 |mailing-list=openbsd-announce |last=Cook |first=Brent }} from OpenSSL, initial Windows XP/2003 support.
• 2.2.2: Defines LIBRESSL_VERSION_NUMBER,{{cite mailing list |url=http://marc.info/?l=openbsd-announce&m=143882451401333 |title=LibreSSL 2.2.2 released |date=6 August 2015 |access-date=28 October 2015 |mailing-list=openbsd-announce |last=Cook |first=Brent }} added TLS_*methods as a replacement for the SSLv23_*method calls, cmake build support.

The initial release of LibreSSL disabled a number of features by default. Some of the code for these features was later removed, including Kerberos, US-Export ciphers, TLS compression, DTLS heartbeat, SSL v2 and SSL v3.

Later versions disabled more features:

• 2.1.1: Following the discovery of the POODLE vulnerability in the legacy SSL 3.0 protocol, LibreSSL now disables the use of SSL 3.0 by default.{{cite mailing list|first= Bob|last= Beck|url= http://marc.info/?l=openbsd-tech&m=141346535617562|title= LibreSSL 2.1.1 released|date= 16 October 2014|mailing-list= openbsd-tech}}
• 2.1.3: GOST R 34.10-94 signature authentication.{{cite web | url=https://github.com/libressl-portable/portable/blob/master/ChangeLog | title=LibreSSL-portable ChangeLog | date=15 October 2021 | publisher=LibreSSL}}
• 2.2.1: Removal of Dynamic Engine and MDC-2DES support
• 2.2.2: Removal of SSL 3.0 from the openssl binary, removal of Internet Explorer 6 workarounds, RSAX engine.
• 2.3.0: Complete removal of SSL 3.0, SHA-0 and DTLS1_BAD_VER.

The initial release of LibreSSL has removed a number of features that were deemed insecure, unnecessary or deprecated as part of OpenBSD 5.6.

• In response to Heartbleed, the heartbeat functionality{{cite web|url=http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/ssl/d1_both.c.diff?r1=1.6&r2=1.7|title=OpenBSD LibreSSL CVS OPENSSL_NO_HEARTBEATS}} was one of the first features to be removed.
• Support for obsolete platforms (Classic Mac OS, NetWare, OS/2, 16-bit Windows) were removed.
• Support for some older platforms (OpenVMS) was removed.
• Support for platforms that do not exist, such as big-endian i386 and amd64.{{cite mailing list|url=https://marc.info/?l=openbsd-cvs&m=139776884925793&w=2|title=Remove support for big-endian i386 and amd64|author=Miod Vallat|mailing-list=openbsd-cvs}}
• Support for old compilers.
• The IBM 4758, Broadcom ubsec, Sureware, Nuron, GOST, GMP, CSwift, CHIL, CAPI, Atalla and AEP engines were removed due to irrelevance of hardware or dependency on non-free libraries.
• The OpenSSL PRNG was removed (and replaced with ChaCha20-based implementation of arc4random).
• Preprocessor macros that have been deemed unnecessary or insecure or had already been deprecated in OpenSSL for a long time (e.g. des_old.h).
• Older unneeded files for assembly language, C, and Perl (e.g. Entropy Gathering Daemon).
• MD2, SEED functionality.
• SSL 3.0, SHA-0, DTLS1_BAD_VER

The Dual EC DRBG algorithm, which is suspected of having a back door,{{cite news|first=Nicole |last=Perlroth |title=Government Announces Steps to Restore Confidence on Encryption Standards|url=http://bits.blogs.nytimes.com/2013/09/10/government-announces-steps-to-restore-confidence-on-encryption-standards/|access-date=9 May 2014|newspaper=The New York Times|date=10 September 2013}} was cut along with support for the FIPS 140-2 standard that required{{Citation needed|date=December 2021}} it. Unused protocols and insecure algorithms have also been removed, including the support for FIPS 140-2,{{cite web | url=http://opensslrampage.org/post/83555615721/the-future-or-lack-thereof-of-libressls-fips | title=The future (or lack thereof) of LibreSSL's FIPS Object Module}} MD4/MD5 J-PAKE, and SRP.{{cite mailing list |url=https://marc.info/?l=openbsd-announce&m=140711256104278 |title=LibreSSL 2.0.4 released |date=3 August 2014 |access-date=28 October 2015 |mailing-list=openbsd-announce |last=Beck |first=Bob }}

One of the complaints of OpenSSL was the number of open bugs reported in the bug tracker that had gone unfixed for years. Older bugs are now being fixed in LibreSSL.{{cite mailing list |url=https://marc.info/?l=openbsd-cvs&m=139715677231774 |title=Re: CVS: cvs.openbsd.org: src |date=10 November 2014 |access-date=28 October 2015 |mailing-list=openbsd-cvs |last=Vallat |first=Miod }}

{{Portal|Free Software}}

• Comparison of TLS implementations
• Comparison of cryptography libraries
• OpenSSH
• wolfSSH

{{Reflist}}

• {{Official website|//www.libressl.org/}}
• [http://BXR.SU/OpenBSD/lib/libssl/ LibreSSL] and [http://bxr.su/o/lib/libtls/ {{not a typo|libtls}} source code (OpenGrok)]
• {{github|libressl-portable|LibreSSL Portable}}

{{OpenBSD}}

{{Cryptographic software}}

{{SSL/TLS}}

Category:2014 software

Category:C (programming language) libraries

Category:Cryptographic software

Category:Free security software

Category:Free software programmed in C

Category:OpenBSD

Category:Software forks

Category:Transport Layer Security implementation