Doesn't everybody ...
... arrange for 'make test' to whine if some module's output does not match known good output for a set of test vectors?
So the new plan is to use untested code to connect to a spoofed server, get some test vectors, run the untested crypto algorithm on them and rely on a reply from that spoofed server to valid the code that authenticated the wrong server in the first place?