Hello,

Over the past few days I have managed to put together a regression testing framework for OpenSSL that allows test cases to be created to synthetically set up a specific application, OpenSSL and networking layer interaction scenario (and validate for expected error returns, or ensure an application lockup doesn't occur). I have done this as I have found some API behaviors which don't conform to documentation and some areas of the API that are not as well thought out as they might otherwise be. There appears to be nothing distributed with OpenSSL to allow a 'make test' to be performed on the SSL protocol engine and achieve the level of situation coverage I hope to achieve with this framework.

My drive behind this approach is that it feels like the best first step to take to be able to prove what the current situation is to others. With this framework I hope to prove something isn't as documented; from there any follow-up patches can be proven to address a problem and also provide a mechanism to test they don't break anything else in the process.

The program sets up two non-blocking pipes and fork()s a child process. The two processes then communicate with each other down those pipes with packetized control data. The master process reads an instruction sheet (which is the specific test case). Those instructions may be to invoke an OpenSSL high-level API call, alter BIO layer return values to mimic network IO situations, mimic when network data can flow between or a number of other useful situations. Each process has the ability to set up SSL endpoints with each other, under instruction from the testcase. I have written a special purpose BIO layer that can mimic any kernel level IO situation for read and/or write (buffer full, buffer empty, end-of-file, EPIPE, partial read/write). Currently non-blocking IO situations can be synthetically created, however by using pthreads I could further develop the BIO layer to synthetically mimic blocking IO situations as well.

I would like to enlist interested parties on proving my regression testing framework and possibly setting up a few test cases of their own. I would like for this application to be a useful tool for validating the design and APIs of the SSL protocol engine against the written specification (and expected behavior) so that any future code modifications can be audited with a high degree of confidence.

I also seek guidance on how best to make this tool available. OpenSSL is a security project and while it is hoped that any test cases that are created won't show up any serious defects within OpenSSL, that possibility can't be ruled out. So I'm thinking posting a patch to the openssl-dev list might not be the best first step to take.

Request for comments,

Darryl L. Miles

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
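
The scripted I/O layer described in the message above, reduced to plain C as an added example (it is not the author's framework and makes no OpenSSL BIO calls): a fake write replays a scripted sequence of outcomes (partial write, buffer full, EPIPE) and a bounded retry loop stands in for the code under test. All names here (`fake_io`, `fake_write`, `send_all`, `run_case`) are hypothetical.

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>

/* Scripted outcome of one write call; an array of these is the test case. */
enum io_step { IO_OK, IO_PARTIAL, IO_BUFFER_FULL, IO_EPIPE };

struct fake_io {
    const enum io_step *script;   /* outcomes to replay, in order */
    size_t nsteps, pos, sunk;     /* script length, cursor, bytes received */
    char sink[64];                /* bytes the "peer" received */
};

/* Stand-in for write(2): does what the script says, not what a kernel would. */
static ssize_t fake_write(struct fake_io *io, const char *buf, size_t len) {
    enum io_step s = io->pos < io->nsteps ? io->script[io->pos++] : IO_OK;
    if (s == IO_BUFFER_FULL) { errno = EAGAIN; return -1; }
    if (s == IO_EPIPE) { errno = EPIPE; return -1; }
    if (s == IO_PARTIAL && len > 3) len = 3;          /* short write */
    if (len > sizeof io->sink - io->sunk) len = sizeof io->sink - io->sunk;
    memcpy(io->sink + io->sunk, buf, len);
    io->sunk += len;
    return (ssize_t)len;
}

/* Code under test. Returns len on success, -1 on a hard error, and -2 when
   max_tries runs out (the bounded form of "the application locked up"). */
static ssize_t send_all(struct fake_io *io, const char *buf, size_t len, int max_tries) {
    size_t off = 0;
    while (off < len && max_tries-- > 0) {
        ssize_t n = fake_write(io, buf + off, len - off);
        if (n >= 0) off += (size_t)n;
        else if (errno != EAGAIN) return -1;
    }
    return off == len ? (ssize_t)len : -2;
}

/* Replay one script against send_all with a fixed 11-byte message. */
static ssize_t run_case(const enum io_step *script, size_t n, struct fake_io *io) {
    memset(io, 0, sizeof *io);
    io->script = script; io->nsteps = n;
    return send_all(io, "hello world", 11, 16);
}

int main(void) {
    const enum io_step s[] = { IO_PARTIAL, IO_BUFFER_FULL, IO_OK };
    struct fake_io io;
    return run_case(s, 3, &io) == 11 ? 0 : 1;
}
```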
