The reason is that there are subtle attacks on the implementation, such as timing attacks, which can leak information.
I'm not advocating everyone and their mother implement their own crypto. But some software diversity is a good thing. These algorithms aren't quite as scary or fickle as the documentation and existing implementations make them seem. Especially if you stick to good software like DJB's stuff.
For instance, using montgomery/edwards curves instead of weierstrass curves eliminates a lot of the difficulty in writing a constant-time implementation of ECC. And the 25519 implementation comes with a fast, constant-time implementation of a prime field type.
Yet even DJB's stuff can be simplified. You can knock off a good 80% of the scary code at a cost of a mere 10% of performance. To Google or Facebook, that may be unacceptable. But to me, that's entirely worth it. Now you have a tiny library that is easy to understand, and easy to audit.
Wouldn't you say DJB (et al) did that themselves? https://tweetnacl.cr.yp.to/
Compare theirs: https://tweetnacl.cr.yp.to/20140427/tweetnacl.c
To mine:
https://gitlab.com/higan/higan/blob/master/nall/elliptic-cur...
https://gitlab.com/higan/higan/blob/master/nall/elliptic-cur...
https://gitlab.com/higan/higan/blob/master/nall/cipher/chach...
https://gitlab.com/higan/higan/blob/master/nall/mac/poly1305...
https://gitlab.com/higan/higan/blob/master/nall/hash/sha256....
Please note that like BearSSL, my implementations are alpha-quality. Further, I'm not suggesting anyone use these in production. If I do so myself and it blows up in my face, it'll only have harmed me, and I'll only have myself to blame.
(Also, I'm really bad when it comes to source code comments, sorry. The why really needs you to read the research papers; the how is mostly self-evident. The remaining one-letter variable names were used to match the papers, and because I couldn't think of more descriptive terms.)
they have all code running in constant time from the alpha version.
Next comes making sure there are no buffer overflows. the code is stable and compatible.
If everyone leaves it to someone else who does it exactly?
Obviously not ready for use in production until its been audited.
Remind me again where i can download an audited ssl implimentation?
Not sure I'd agree with that. OpenSSL is very far from perfect and obviously contains many many security bugs, but it also has a very long history of fixes, knowledge, etc. and has a large number of eyes on it. It's more of a known quantity than something new.
There is not a single malloc() call in all the library. In fact, the whole of BearSSL requires only memcpy(), memmove(), memcmp() and strlen() from the underlying C library. This makes it utterly portable even in the most special, OS-less situations. (On “big” systems, BearSSL will automatically use a couple more system calls to access the OS-provided clock and random number generator.)
On big desktop and server OS, this feature still offers an interesting characteristic: immunity to memory leaks and memory-based DoS attacks. Outsiders cannot make BearSSL allocate megabytes of RAM since BearSSL does not actually know how to allocate RAM at all.
