OpenBSD devs comments documenting progress with cleaning of OpenSSL codebase (opens in new tab)

(freshbsd.org)

19 pointszytek11y ago4 comments

4 comments

zytekOP11y ago

Some of it:

    todo: do not leave 15 year old todo lists in the tree.


    This code is the reason perl has a name as a write only language.


    Remove oh-so-important-from-a-security-pov OpenSSL_rtdsc() function.

    Do not feed RSA private key information to the random subsystem as entropy.  
    It might be fed to a pluggable random subsystem.... What were they thinking?!

    <RANT> Whoever thought that RAND_screen(), feeding the PRNG with the contents 
    of the local workstation's display, under Win32, was a smart idea, 
    ought to be banned from security programming. </RANT>

Edit: just noticed, there's a BLOG with it.. http://opensslrampage.org/

LaSombra11y ago

    - Why do we hide from the OpenSSL police, dad?
    - Because they're not like us, son. They use macros to wrap stdio routines,
      for an undocumented (OPENSSL_USE_APPLINK) use case, which only serves to
      obfuscate the code.

cratermoon11y ago

What is the "UPLINK" interface spoken of in the OPENSSL_USE_APPLINK changes?

Freaky11y ago

A more accurate link: http://freshbsd.org/search?project=openbsd&q=file.name%3Alib...

j / k navigate · click thread line to collapse