The only other codebase I've seen that's remotely as hairy as OpenSSL is GCC's gnarly mess. (I've heard it's improved since I looked a few years ago.) And that's notoriously engineered to be as difficult as possible to contribute without giving back; I can't imagine what OpenSSL's excuse is. Any sane programmer would have cold sweats even if they understood the implementation because it's so difficult to figure out and verify what the fuck is going on internally with any speed.
Documentation would help, but a good cleanup would make provided documentation much less necessary. Crypto may be difficult to understand, but clean coding practices and formal verification (even on an audit workflow level) would be a much better investment, IMHO.