libcrypto includes the OpenSSL ASN.1 code, which is worrying as all hell, e.g.: https://git.openssl.org/?p=openssl.git;a=blob;f=crypto/asn1/...

Or any file in that directory.

Oh man, that code is just horrible. No comments on some of the functions, no comments on the input parameters and return values pretty much throughout.

I really thought OpenSSL was in a much better shape.

Code that implements standards should be read with the standard open next to it. This code: https://git.openssl.org/?p=openssl.git;a=blob;f=crypto/md5/m... looks like awful garbage, until you compare it to https://www.ietf.org/rfc/rfc1321.txt , and then you realize you don't really want comments or anything else cluttering up the implementation.

> I really thought OpenSSL was in a much better shape.

Why?

I overlooked that, I was thinking of the crypto primitives there.

They aren't?

Depends who "they" are. Bugs in the crypto code will compromise the cryptographic strength of the connection, revealing data or keys. Bugs in the protocol code will compromise the host which is running it.

Both are bad, but I'd say that "remote root" trumps "side channel attack".