Is RetroShare vulnerable to the new OpenSSL flaws?

RetroShare Development discussion

Postby Benni12345 » Fri Jun 06, 2014 11:31 pm

Hello,
As I learned in connection with Heartbleed, the Windows version of RetroShare comes bundled with its own OpenSSL. So every time a severe OpenSSL flaw gets discovered, a new installer should be made available for RetroShare.

On 05.06.2014, seven security fixes were announced by the OpenSSL team:

https://www.openssl.org/news/secadv_20140605.txt

Is RetroShare vulnerable to these flaws? In any case, perhaps you should update the RetroShare installer.

I have looked a bit at the OpenSSL code myself and find it extremely scary. It has thousands of #ifdefs and wrappers around standard functions that deliberately make the code unreadable.

For example, as discovered by OpenBSD developers, the OpenSSL API contains an undocumented function that allows one to jump to an arbitrary address in the library:

http://goo.gl/TFjQNl

One should expect that more and more security flaws will be discovered in the OpenSSL software.

Perhaps when LibreSSL (http://www.libressl.org/) from the OpenBSD team arrives in 6 months and is made ready for several platforms, RetroShare should consider switching to that library instead of OpenSSL.

Re: Is RetroShare vulnerable to the new OpenSSL flaws?

Postby Benni12345 » Sat Jul 12, 2014 4:00 pm

The first portable release of LibreSSL is out:
https://marc.info/?l=openbsd-tech&m=140510291304119&w=2

For now it only supports OpenBSD, Linux and Mac, but they have fixed tons of bugs. Perhaps the RetroShare team could link the OpenBSD, Linux and Mac versions of RetroShare against LibreSSL?
