[Swan-dev] test vector code, compile/check time or runtime?

[Paul Wouters]

Hi,

We're working on adding crypto test vectors into the code to confirm
proper crypto functioning for IKE (not ESP/kernel). Currently, all
our IKE ciphers are CBC only, and we will be adding CTR and GCM/CCM,
so it important that we test our implementation for correctness when
making these changes.

We use NSS for our crypto, and it has its own initialization tests in
the runtime. So we should already find out if there is a problem with
the raw cipher when we try to use it (but not before)

However, we do have some parameter handling such as counters (in CTR)
and padding (in CBC) and other things we do in our code before handing
it of to NSS. RFC's for IKE often specify those test vectors and we want
to run those.

We could run those as part of "make check" as our own handling code does
not change during runtime.

We could also run these as part of our initialisation/registration of
the ciphers at runtime.

Or we could have a configuration option or a compile time option for one
of the above.

I'm interested to know what other people think is the best place for
these tests.

Paul