OpenSSL Rampage

Published: 2014-04-21. Last Updated: 2014-04-21 13:19:47 UTC
by Daniel Wesemann (Version: 1)
2 comment(s)

OpenSSL, in spite of its name, isn't really a part of the OpenBSD project. But as one of the more positive results of the recent Heartbleed fiasco, the OpenBSD developers, who are known for their focus on readable and secure code, have now started a full-scale review and cleanup of the OpenSSL codebase.

If you are interested in writing secure code in C (not necessarily a contradiction in terms), I recommend you take a look at http://opensslrampage.org/archive/2014/4, where the OpenBSD-OpenSSL diffs and code changes are coming in fast, and are often accompanied by cynical but instructive comments. As one poster put it, "I don't know if I should laugh or cry". The good news though definitely is that the OpenSSL code is being looked at, carefully and expertly, and everyone will be better off for it.

2 comment(s)

Comments

While probably well intentioned, they may not understand the full ramifications of their changes. One response to one of their changes is at

http://blog.ngas.ch/archives/2014/04/17/what_is_this_private_key_doing_in_my_random_pool/index.html
That site is not official, and in fact there is no real project site other than the codebase. But there is a full-out fork going on (although there's a lot more knife than fork involved).
http://www.zdnet.com/openbsd-forks-prunes-fixes-openssl-7000028613/

Diary Archives