[openssl.org #1348] X509_REQ uses CRYPTO_LOCK_X509_INFO

2006-06-25 Thread via RT

crypto/asn1/x_req.c, line 105:
ASN1_SEQUENCE_ref(X509_REQ, 0, CRYPTO_LOCK_X509_INFO)

I think CRYPTO_LOCK_X509_INFO should be replaced with
CRYPTO_LOCK_X509_REQ so that the lock naming is consistent with X509 and
X509_CRL. This avoids confusion (and potential bugs) when using
CRYPTO_add to increment the reference counter of an X509_REQ object.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]


SSL protocol state machine, IO layer, app layer regression testing framework

2006-06-25 Thread Darryl Miles


Hello,

Over the past few days I have managed to put together a regression
testing framework for OpenSSL that allows test cases to be created to
synthetically set up a specific application, OpenSSL and networking layer
interaction scenario (and validate for expected error returns, or ensure
an application lockup doesn't occur).  I have done this as I have found
some API behaviors which don't conform to documentation and some areas
of the API that are not as well thought out as they might otherwise be.
There appears to be nothing distributed with OpenSSL to allow a 'make
test' to be performed on the SSL protocol engine and achieve the level
of situation coverage I hope to achieve with this framework.


My drive behind this approach is that it feels like the best first step
to take to be able to prove what the current situation is to others.
With this framework I hope to prove something isn't as documented; from
there any follow-up patches can be proven to address a problem and also
provide a mechanism to test they don't break anything else in the process.


The program sets up two non-blocking pipes and fork()s a child process.
The two processes then communicate with each other down those pipes with
packetized control data.  The master process reads an instruction sheet
(which is the specific test case).  Those instructions may be to invoke
an OpenSSL high-level API call, alter BIO layer return values to mimic
network IO situations, mimic when network data can flow between or a
number of other useful situations.  Each process has the ability to
set up SSL endpoints with each other, under instruction from the
testcase.  I have written a special purpose BIO layer that can mimic any
kernel level IO situation for read or/and write (buffer full, buffer
empty, end-of-file, EPIPE, partial read/write).  Currently non-blocking
IO situations can be synthetically created, however by using pthreads I
could further develop the BIO layer to synthetically mimic blocking IO
situations as well.


I would like to enlist interested parties on proving my regression
testing framework and possibly setting up a few test cases of their
own.  I would like for this application to be a useful tool for
validating the design and APIs of the SSL protocol engine against the
written specification (and expected behavior) so that any future code
modifications can be audited with a high degree of confidence.


I also seek guidance on how best to make this tool available.  OpenSSL
is a security project and while it is hoped that any test cases that are
created won't show up any serious defects within OpenSSL, that
possibility can't be ruled out.  So I'm thinking posting a patch to the
openssl-dev list might not be the best first step to take.


Request for comments,

Darryl L. Miles

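
The write side of the scripted I/O layer described in the message above, as an added example that is not Darryl Miles's framework and does not use OpenSSL's BIO API: a plain C stand-in whose names (`fault_io`, `fault_write`, `send_all`, `run_case`) and payload are constructed for illustration. A per-call script injects buffer-full, partial-write and EPIPE results, and a call budget turns a would-be lockup into a reportable failure.

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>

enum fault { IO_OK, IO_WOULDBLOCK, IO_PARTIAL, IO_EPIPE }; /* per-write outcome */

struct fault_io {
    const enum fault *script;   /* replayed in order, then IO_OK */
    size_t nscript, pos, wlen;
    char wire[256];             /* bytes the peer would have received */
};

/* Stand-in for the transport write callback: the script decides the result. */
ssize_t fault_write(struct fault_io *f, const char *buf, size_t n)
{
    enum fault o = f->pos < f->nscript ? f->script[f->pos++] : IO_OK;
    if (o == IO_WOULDBLOCK) { errno = EAGAIN; return -1; }  /* buffer full */
    if (o == IO_EPIPE)      { errno = EPIPE;  return -1; }  /* peer closed */
    if (o == IO_PARTIAL && n > 1) n /= 2;                   /* short write */
    if (n > sizeof f->wire - f->wlen) n = sizeof f->wire - f->wlen;
    memcpy(f->wire + f->wlen, buf, n);
    f->wlen += n;
    return (ssize_t)n;
}

/* Code under test: 0 = all sent, -1 = hard error, -2 = call budget spent. */
int send_all(struct fault_io *f, const char *buf, size_t n, int max_calls)
{
    size_t off = 0;
    while (off < n) {
        if (max_calls-- <= 0) return -2;        /* report instead of spinning */
        ssize_t r = fault_write(f, buf + off, n - off);
        if (r > 0) off += (size_t)r;
        else if (r < 0 && errno != EAGAIN) return -1;
    }
    return 0;
}

/* Run one scripted case (constructed 11-byte payload, budget of 8 calls). */
int run_case(const enum fault *script, size_t nscript, struct fault_io *f)
{
    memset(f, 0, sizeof *f);
    f->script = script; f->nscript = nscript;
    return send_all(f, "ClientHello", 11, 8);
}

int main(void) {
    struct fault_io f; const enum fault s[] = { IO_WOULDBLOCK, IO_PARTIAL };
    return run_case(s, 2, &f);   /* exits 0 when the payload gets through */
}
```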