Some of it:<p><pre><code> todo: do not leave 15 year old todo lists in the tree.
This code is the reason perl has a name as a write only language.
Remove oh-so-important-from-a-security-pov OpenSSL_rtdsc() function.
Do not feed RSA private key information to the random subsystem as entropy.
It might be fed to a pluggable random subsystem.... What were they thinking?!
<RANT> Whoever thought that RAND_screen(), feeding the PRNG with the contents
of the local workstation's display, under Win32, was a smart idea,
ought to be banned from security programming. </RANT>
</code></pre>
Edit: just noticed, there's a blog with it: <a href="http://opensslrampage.org/" rel="nofollow">http://opensslrampage.org/</a>
<p><pre><code> - Why do we hide from the OpenSSL police, dad?
- Because they're not like us, son. They use macros to wrap stdio routines,
for an undocumented (OPENSSL_USE_APPLINK) use case, which only serves to
obfuscate the code.</code></pre>
A more accurate link: <a href="http://freshbsd.org/search?project=openbsd&q=file.name%3Alibssl" rel="nofollow">http://freshbsd.org/search?project=openbsd&q=file.name%3Alib...</a>