[cryptography] Just how bad is OpenSSL ?

Jeffrey Walton noloader at gmail.com
Tue Jan 6 13:30:24 EST 2015


> The source code is mostly written to the OpenSSL coding standards, which
> are seriously different from any other coding standard I've seen (it's
> not Linux/K&R, nor GNU, nor Microsoft, nor Sun/Oracle).  Nonconformance
> with the coding standards in later patches is very common, so it's a
> mishmash of indentation standards on top of that ...

Sorry to dig up an old thread. This seems newsworthy for anyone who
has spent time staring at the sources.

"[openssl-users] OpenSSL source reformat",
http://openssl.6102.n7.nabble.com/openssl-users-OpenSSL-source-reformat-td55691.html.

On Fri, Oct 26, 2012 at 3:38 PM, Andy Isaacson <adi at hexapodia.org> wrote:
> On Fri, Oct 26, 2012 at 06:29:47PM +0000, John Case wrote:
>> So, given what is in the stanford report and then reading this rant
>> about openssl, I am wondering just how bad openssl is?  I've never
>> had to implement it or code with it, so I really have no idea.
>>
>> How long has it been "understood" that it's a mess (if it is indeed
>> a mess)?  How dangerous is it ?
>>
>> It looks like the rant was published in 2009 ....
>
> "Bad" is such a subjective measurement.
>
> OpenSSL is very very hard for a non-expert to code against.  It's hard
> to figure out what interfaces you should use, what interfaces are well
> tested, what interfaces are known to be unsafe, and what interfaces are
> buggy but can be used safely with careful coding.  It's fairly easy to
> accidentally disable security critical codepaths in the process of
> iterative "hmm that doesn't quite work, the docs are unclear, maybe this
> is a bug in my code or maybe a bug in OpenSSL?" that is a normal part of
> software development, if you need to implement anything even slightly
> different from what was expected by the authors.
>
> The source code is mostly written to the OpenSSL coding standards, which
> are seriously different from any other coding standard I've seen (it's
> not Linux/K&R, nor GNU, nor Microsoft, nor Sun/Oracle).  Nonconformance
> with the coding standards in later patches is very common, so it's a
> mishmash of indentation standards on top of that.  Naming conventions
> sometimes indicate that functions are strictly internal and should not
> be used by applications, but sometimes you have to use an internal API
> to get a necessary result and other times there are clearly internal
> APIs in the public namespace.  I could go on.
>
> Overall, I would say that yes, OpenSSL is a huge mess for application
> developers.  In that sense, it's very bad.  On the other hand, it's the
> most thoroughly reviewed open source crypto implementation, and hasn't
> had very many security bugs found in the library per se.  Its
> performance is fairly good.  In that sense it's still the best option
> for some use cases.
>

