[Cryptography] Testing crypto protocol implementations

Patrick Chkoreff patrick at rayservers.net
Mon Mar 3 13:01:04 EST 2014

Viktor Dukhovni wrote, On 03/02/2014 03:21 PM:

> Lack of a reasonably comprehensive test-bed almost assures that
> flawed implementations will continue to be produced, and users will
> continue to use them unaware of their defects.

Right.  At the very least, the people who maintain the
SSLVerifySignedServerKeyExchange function could add a test case just to
prevent this one specific problem from happening again.

The task would be to write a piece of test code which calls this function:

  static OSStatus
  SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa,
  SSLBuffer signedParams, uint8_t *signature, UInt16 signatureLen);

The test code should pass in values for ctx, isRsa, signedParams,
signature, and signatureLen in a way that causes the function to call

It wouldn't require a big budget, or massive refactoring, or the
insertion of dangerous code into the main line of the library.

-- Patrick

More information about the cryptography mailing list