[Cryptography] Testing crypto protocol implementations
Patrick Chkoreff
patrick at rayservers.net
Mon Mar 3 13:01:04 EST 2014
Viktor Dukhovni wrote, On 03/02/2014 03:21 PM:
> Lack of a reasonably comprehensive test-bed almost assures that
> flawed implementations will continue to be produced, and users will
> continue to use them unaware of their defects.
Right. At the very least, the people who maintain the
SSLVerifySignedServerKeyExchange function could add a test case just to
prevent this one specific problem from happening again.
The task would be to write a piece of test code which calls this function:
static OSStatus
SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa,
SSLBuffer signedParams, uint8_t *signature, UInt16 signatureLen);
The test code should pass in values for ctx, isRsa, signedParams,
signature, and signatureLen in a way that causes the function to call
sslRawVerify.
It wouldn't require a big budget, or massive refactoring, or the
insertion of dangerous code into the main line of the library.
-- Patrick
More information about the cryptography
mailing list