
On Sun, Jan 20, 2013 at 08:27:07PM +0100, Alexander Kjeldaas wrote:
> Regarding testing, it looks like the Tests directory hasn't been updated to cover this bug. What would really give confidence is a set of tests encoding fixed security vulnerabilities in OpenSSL (and similar libraries). That should also give you a lot of confidence in your library.
>
> But anyways, this is fantastic work you're doing. Keep it up!

Thanks,

Regarding tests, a good test suite is a hard and long job. Some security properties are just insanely hard to codify, and some others need a lot of tests. My time being very limited, it's hard to pull off, but I have a plan to add some tests for the certificate validation functions. Especially since I want to harden some functions a bit more, and it will come in handy to verify I'm not breaking anything :-)

--
Vincent