
On Tue, Dec 10, 2024 at 12:07 PM Christopher Kormanyos via Boost < boost@lists.boost.org> wrote:
What I'd like to see short-term:

* Handle enhanced compiler warnings.
* Include a subset of NIST testing.
* Fuzzing run(s) on some hashes in CI.
* I think SHA-3 is worthy of inclusion.

I was wondering what kind of NIST testing you're alluding to.

We do have some copy-pasted test vectors for myriad PDFs but for a good portion of the algorithms, we're using the test vectors outlined here:

https://github.com/pdimov/hash2/blob/7a25f8518692b657e9272884519519fbaca2ec5...
https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Se...

Towards the bottom there under Test Vectors, one can download a .zip folder full of .rsp files which were used to verify the output of the applicable algorithms.

I tried to avoid relying on those too much during testing because I wanted something quasi-human readable and understandable so if there was an applicable PDF, I preferred that.

I did think about a scenario where we would've committed the .rsp files to the repo and run them during CI or some such as part of a much more extensive test suite.

Which hashes would you like to see fuzzed, assuming "all of them" is off the table? And how long should we fuzz as well? I'm not sure if we can exhaustively fuzz the algorithms as part of a normal CI infrastructure.

- Christian
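
The .rsp files mentioned in the message above use a plain `Len` / `Msg` / `MD` layout. As an added example (not part of the original e-mail and not Boost.Hash2 code), here is a small Python runner for byte-oriented files that could sit in a CI job. Assumptions: `hashlib.sha256` stands in for the implementation under test, and the two sample vectors are constructed inline in the CAVP layout rather than copied from a NIST file.

```python
import hashlib

# Constructed sample in the CAVP SHAVS .rsp layout (not copied from a NIST file).
SAMPLE_RSP = """\
#  "SHA-256 ShortMsg" style sample, constructed for this example
[L = 32]

Len = 0
Msg = 00
MD = e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Len = 24
Msg = 616263
MD = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
"""

def parse_rsp(text):
    """Yield (bit_len, message_bytes, expected_digest_hex) per test case."""
    digest_len, case = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):                  # header such as [L = 32]
            digest_len = int(line.strip("[]").split("=")[1])
            continue
        key, _, value = line.partition("=")
        case[key.strip()] = value.strip()
        if key.strip() == "MD":                   # MD closes a test case
            bits = int(case["Len"])
            if bits % 8:
                raise ValueError("bit-oriented vectors are not handled here")
            # Len = 0 is written as "Msg = 00"; truncating to Len bits gives b"".
            msg = bytes.fromhex(case["Msg"])[: bits // 8]
            md = case["MD"].lower()
            if digest_len is not None and len(md) != 2 * digest_len:
                raise ValueError(f"MD length mismatch for Len = {bits}")
            yield bits, msg, md
            case = {}

def run_vectors(text, hash_fn):
    """Return the Len values of every case whose digest does not match."""
    return [bits for bits, msg, md in parse_rsp(text) if hash_fn(msg).hex() != md]

def sha256(msg):
    # Stand-in for the hash implementation under test (assumption).
    return hashlib.sha256(msg).digest()

if __name__ == "__main__":
    print("failed cases:", run_vectors(SAMPLE_RSP, sha256))
```

The `Len = 0` case is the one that usually trips naive parsers: the file carries a placeholder `Msg = 00`, so the message has to be truncated to `Len` bits before hashing.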