Mike Bland

Heartbleed

I've written a complete proof-of-concept unit and regression test for the Heartbleed bug, and am pretty happy with it

- Boston
Tags: Heartbleed, programming, technical

I’ve taken my best stab at writing a complete unit/regression test for the Heartbleed bug and I’m fairly happy with the results. You can grab it here: heartbleed_test.c

It exercises all of the code paths introduced in the fix for the Heartbleed bug, and it tests both the positive and negative cases. The test cases that fail for OpenSSL 1.0.1-beta1 pass for OpenSSL 1.0.1g. It’s small, it’s fast, and it didn’t require that much setup once I figured out all the parts I needed.
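To make concrete what "positive and negative cases" means for this fix, here is an added example; it is neither the author's heartbleed_test.c nor OpenSSL's code. It is a simplified model of the TLS heartbeat handler with the two length checks that the OpenSSL 1.0.1g patch added, exercised against constructed records. The message layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding) and the `1 + 2 + payload + 16` arithmetic follow RFC 6520 and the OpenSSL fix; the struct, function and constant names, and the sample records, are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of OpenSSL's tls1_process_heartbeat after the 1.0.1g
 * fix. Not OpenSSL's code: names and the record struct are this example's. */
#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16     /* minimum padding OpenSSL adds to a response */
#define HB_MAX_RECORD    16384

/* A TLS record body as the heartbeat handler sees it. */
typedef struct {
    const unsigned char *data;
    size_t length;              /* what s->s3->rrec.length holds in OpenSSL */
} hb_record;

/* How many bytes the pre-fix code would have read past the end of the record
 * for this request: it trusted the declared payload length and copied that
 * many bytes from the 3rd byte onward. Returns 0 when the payload fits, and
 * for records too short to carry a header. Computed, not performed. */
size_t heartbleed_overread(const hb_record *rec) {
    if (rec->length < 3) return 0;
    size_t declared  = ((size_t)rec->data[1] << 8) | rec->data[2];
    size_t available = rec->length - 3;
    return declared > available ? declared - available : 0;
}

/* Fixed handler. Writes a heartbeat response into out and returns its length,
 * or returns 0 when the request must be silently discarded (RFC 6520 sec. 4).
 * Only requests are modelled; responses to our own requests are dropped. */
size_t process_heartbeat_fixed(const hb_record *rec, unsigned char *out, size_t out_cap) {
    /* Check 1 (added in the fix): room for type, length and minimum padding. */
    if (1 + 2 + HB_PADDING > rec->length) return 0;

    unsigned char hbtype = rec->data[0];
    size_t payload = ((size_t)rec->data[1] << 8) | rec->data[2];
    const unsigned char *pl = rec->data + 3;

    /* Check 2 (added in the fix): the declared payload plus padding must fit
     * inside the record. Its absence was Heartbleed (CVE-2014-0160). */
    if (1 + 2 + payload + HB_PADDING > rec->length) return 0;

    if (hbtype != TLS1_HB_REQUEST) return 0;

    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return 0;

    out[0] = TLS1_HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, pl, payload);              /* echo exactly what was sent */
    memset(out + 3 + payload, 0, HB_PADDING);  /* OpenSSL uses random padding; zeros here */
    return resp_len;
}

/* Constructed sample records (not captured traffic). Unlisted bytes are the
 * zero padding; each array is 22 bytes = 1 + 2 + 3 + 16. */
static const unsigned char HB_VALID[22]     = { 0x01, 0x00, 0x03, 'a', 'b', 'c' };
static const unsigned char HB_OVERSIZED[22] = { 0x01, 0xFF, 0xFF, 'a', 'b', 'c' };
static const unsigned char HB_SHORT[5]      = { 0x01, 0x00, 0x00 };

static const hb_record HB_VALID_REC     = { HB_VALID,     sizeof HB_VALID };
static const hb_record HB_OVERSIZED_REC = { HB_OVERSIZED, sizeof HB_OVERSIZED };
static const hb_record HB_SHORT_REC     = { HB_SHORT,     sizeof HB_SHORT };

unsigned char hb_resp[HB_MAX_RECORD];

int main(void) {
    /* Positive case: a well-formed request is echoed back as a response. */
    size_t n = process_heartbeat_fixed(&HB_VALID_REC, hb_resp, sizeof hb_resp);
    printf("valid request   -> response of %zu bytes, type %u, payload '%.3s'\n",
           n, hb_resp[0], hb_resp + 3);

    /* Negative case: declared payload 65535 in a 22-byte record is dropped. */
    n = process_heartbeat_fixed(&HB_OVERSIZED_REC, hb_resp, sizeof hb_resp);
    printf("oversized       -> response of %zu bytes; pre-fix over-read would be %zu bytes\n",
           n, heartbleed_overread(&HB_OVERSIZED_REC));

    /* Negative case: record too short even for header plus padding. */
    n = process_heartbeat_fixed(&HB_SHORT_REC, hb_resp, sizeof hb_resp);
    printf("short record    -> response of %zu bytes\n", n);
    return 0;
}
```

A regression test against the real library would feed the same three records through `tls1_process_heartbeat` on an `SSL` object and inspect what gets queued for writing; the model above only shows which inputs the two new checks accept and reject, and how far past the record the pre-fix code would have read for the rejected one.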

The complete instructions on how to build it and a description of the output is contained in the header comments. I built it on my OS X 10.9.2 system using Xcode/Apple LLVM version 5.1 (clang-503.0.40). Feel free to let me know if it doesn’t work on Linux or other platforms. Other constructive comments are, of course, always welcome.

I wish I could say I did this completely out of the goodness of my heart. But the truth is, I’m a vain, bitter, petty man, and I’ve got a bone to pick. While I’m grateful to my friend for submitting yesterday’s AutoTest Central-syndicated Heartbleed post to Reddit, the fact that it got downvoted out of existence and inspired the following useless and harmful commentary really got under my skin:

ruinercollector: So many Monday morning quarterbacks.
Synackaon: I hate them too

Hollow posturing that contributes no social value whatsoever such as this is exactly why I’m so skeptical of low-/no-barrier public forums like Reddit, and why I prefer forums where there are no shadows in which anonymous cowards can hide. However, were I the troll-feeding type, maybe I’d say something like:

Monday morning quarterback? Try retired Super Bowl Champion!

or:

So many jackass cowboys who’d rather excuse and dismiss catastrophic failures than help solve the problem of making sure they don’t happen to the extent humanly possible.

Guess I’ve always been a bit thin-skinned and grumpy. Luckily that doesn’t ever seem to stop me! And what’s more, there’s nothing quite like having working code in your pocket to come back at everyone who says unit testing for bugs like this and the Apple SSL bug can’t be done. In other words:

QED, bitch!