
Which hashes would you like to see fuzzed, assuming "all of them" is off the table? And how long should we fuzz as well?
I think one of them, your pick, like SHA2-512 maybe for 5 minutes in CI would add robustness. Maybe limit the fuzzed messages to 2 < len < 1024 bytes? This is not required in any way, although I think this would increase robustness.
You could link up with OpenSSL to obtain control values for the dynamically selected, fuzzed message(s).
Christopher
On Wednesday, December 11, 2024 at 07:13:42 AM GMT+1, Christopher Kormanyos
* Include a subset of NIST testing.
I did think about a scenario where we would've committed the .rsp files to the repo and run them during CI or some such as part of a much more extensive test suite.
Thanks for responding, Christian. I think including and running the short test vectors might be a good compromise for your CI. They run rather quickly and I don't think that'll slow down CI too much.
* Fuzzing run(s) on some hashes in CI.
Which hashes would you like to see fuzzed, assuming "all of them" is off the table? And how long should we fuzz as well?
I think one of them, your pick, like SHA2-512 maybe for 5 minutes in CI would add robustness. Maybe limit the fuzzed messages to 2 < len < 1024 bytes? This is not required in any way, although I think this would increase robustness.
Christopher.
On Wednesday, December 11, 2024 at 12:26:07 AM GMT+1, Christian Mazakas via Boost
What I'd like to see short-term:
* Handle enhanced compiler warnings.
* Include a subset of NIST testing.
* Fuzzing run(s) on some hashes in CI.
* I think SHA-3 is worthy of inclusion.
I was wondering what kind of NIST testing you're alluding to. We do have some copy-pasted test vectors for myriad PDFs but for a good portion of the algorithms, we're using the test vectors outlined here:

https://github.com/pdimov/hash2/blob/7a25f8518692b657e9272884519519fbaca2ec5...
https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Se...

Towards the bottom there under Test Vectors, one can download a .zip folder full of .rsp files which were used to verify the output of the applicable algorithms. I tried to avoid relying on those too much during testing because I wanted something quasi-human readable and understandable so if there was an applicable PDF, I preferred that.

I did think about a scenario where we would've committed the .rsp files to the repo and run them during CI or some such as part of a much more extensive test suite.

Which hashes would you like to see fuzzed, assuming "all of them" is off the table? And how long should we fuzz as well? I'm not sure if we can exhaustively fuzz the algorithms as part of a normal CI infrastructure.

- Christian
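The two checks discussed in this thread (running short .rsp vectors, and a bounded random run against OpenSSL control values) can be sketched as follows. This is an added example, not code from the thread or from hash2; `digest_fn` is a hypothetical stand-in for the implementation under test, the .rsp sample is constructed, and the control values come from CPython's `hashlib`, which normally uses OpenSSL.

```python
import hashlib
import random

# Constructed sample in the CAVP ShortMsg .rsp layout (Len in bits, Msg/MD in hex).
SAMPLE_RSP = """\
#  SHA-512 short-message sample (constructed for this example)
[L = 64]

Len = 0
Msg = 00
MD = cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Len = 24
Msg = 616263
MD = ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f
"""

def parse_rsp(text):
    """Yield (message_bytes, expected_digest_hex) for each Len/Msg/MD record."""
    rec = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        rec[key.strip()] = value.strip()
        if key.strip() == "MD":
            nbytes = int(rec["Len"]) // 8
            # Len = 0 records still carry "Msg = 00"; slice so the message is empty.
            yield bytes.fromhex(rec["Msg"])[:nbytes], rec["MD"].lower()
            rec = {}

def check_vectors(digest_fn, text):
    """Return the messages whose digest differs from the .rsp file."""
    return [m for m, md in parse_rsp(text) if digest_fn(m).hex() != md]

def differential_run(digest_fn, rounds=200, seed=1):
    """Random messages with 2 < len < 1024 bytes, compared to hashlib's SHA-512."""
    rng = random.Random(seed)  # fixed seed so a CI failure is reproducible
    for _ in range(rounds):
        n = rng.randint(3, 1023)
        msg = bytes(rng.getrandbits(8) for _ in range(n))
        if digest_fn(msg) != hashlib.sha512(msg).digest():
            return msg  # first mismatching input, for the bug report
    return None
```

A candidate that mishandles only multi-block input passes both short vectors above and is caught only by the random run, which is the gap the bounded fuzzing is meant to cover.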