Hi, fos...@posteo.de wrote on Thu, Aug 07, 2025 at 08:05:13PM +0000:
> What I wish to review in writing are tips on finding security flaws > in writing and auditing cryptographic code. In the past I have > read Mark Dowd's "The Art of Software Security Assessment" Not a bad book, that one. If you have already learnt (in part or in full) what that book teaches, then just find and report some bugs. We all hope that the bug density in OpenBSD is lower than in some other systems, but there still are enough bugs in OpenBSD that searching for them is *not* a waste of time. > However, of course, I am looking for books to familiarize myself > with the modern OpenBSD cryptographic codebase. I'm usually not the right person to suggest books, and i'm not sure any books have been written on libcrypto, OpenSSL or LibreSSL (i may be wrong, though). But the OpenBSD = LibreSSL manuals are significantly better than the OpenSSL manuals most (but not all) of them were originally based on - over the years, i spent many months making them better, and tb@ also did significant work on several of them. Start from crypto(3). From there, follow SEE ALSO sections and .Xr links that interest you. I personally made sure that *every* LibreSSL manual page can be reached by following .Xr links from crypto(3), but the tree is multiple levels deep and currently contains 425 distinct manual pages documenting about 3000 functions grand total. You can also see the complete collection in /usr/src/lib/libcrypto/man/. When you find a bug, report it and include: * A precise and concise description of what is wrong. When doing what, what happens, and what should happen instead? * Ideally, a minimal reproducer. At the minimum, precise instructions how to reproduce the bug. * Ideally, a patch fixing it (even if that patch turns out to not be perfect, it is not unusual that suboptimal patches that at least point into the right direction trigger better ones). If you don't have a patch yet, but a suspicion where approximately the bug might reside, mention that, and why you guess so. If you have no idea, that's not a show-stopper. Be warned that cryptography is not the easiest field to understand, and libcrypto not the easiest code to understand, so being a bit frustration-tolerant will come in handy. But in particular on the fringes of libcrypto, there is definitly no shortage of bugs that wait for being hunted down. Happy hunting, Ingo
