[Cryptography] bounded pointers in C

Nemo nemo at self-evident.org
Sun Apr 20 12:54:15 EDT 2014


Jon Callas <jon at callas.org> writes:

>> Good workmen never quarrel with their tools.
>
> Yeah, that's most often said by people who make crap tools.

Perhaps. But in the case of OpenSSL, the problem quite unambiguously
lies in the authors, not the language.

The OpenBSD folks -- who, unlike OpenSSL, actually know what they are
doing -- are taking a scalpel to the code base. Well, more like a
chainsaw. You can follow the most egregious / hilarious bits here:

  http://opensslrampage.org/

This is really not complicated. OpenSSL is buggy and insecure because
the code is garbage, plain and simple. Anyone for whom this is not
completely obvious should do everyone a favor and not attempt to write
cryptographic code.

 - Nemo
   https://self-evident.org/

