Boost :

From: Christopher Kormanyos (e_float_at_[hidden])
Date: 2024-12-11 06:13:42

• Next message: Christopher Kormanyos: "Re: [hash2] Formal Review Begins"
• Previous message: Tom Kent: "Re: [hash2] Formal Review Begins"
• In reply to: Christian Mazakas: "Re: [hash2] Formal Review Begins"
• Next in thread: Christopher Kormanyos: "Re: [hash2] Formal Review Begins"
• Reply: Christopher Kormanyos: "Re: [hash2] Formal Review Begins"

>>  * Include a subset of NIST testing.

> I did think about a scenario where we
> would've committed the .rsp files to
> the repo and run them during CI or some
> such as part of a much more extensive
> test suite.

Thanks for responding, Christian.

I think including and running the short
test vectors might be a good compromise
for your CI. They run rather quickly
and I don't think that'll slow down CI
too much.

>>  * Fuzzing run(s) on some hashes in CI.

> Which hashes would you like to see fuzzed,
> assuming "all of them" is off the table?
> And how long should we fuzz as well?

I think one of them, your pick, like SHA2-512
maybe for 5 minutes in CI would add robustness.
Maybe limit the fuzzed messages to 2 < len < 1024
bytes? This is not required in any way,
although I think this would increase robustness.

Christopher.

    On Wednesday, December 11, 2024 at 12:26:07 AM GMT+1, Christian Mazakas via Boost <boost_at_[hidden]> wrote:
 
 On Tue, Dec 10, 2024 at 12:07 PM Christopher Kormanyos via Boost <
boost_at_[hidden]> wrote:

> What I'd like to see short-term:
>  * Handle enhanced compiler warnings.
>  * Include a subset of NIST testing.
>  * Fuzzing run(s) on some hashes in CI.
>  * I think SHA-3 is worthy of inclusion.
>

I was wondering what kind of NIST testing you're alluding to.

We do have some copy-pasted test vectors for myriad PDFs but for a good
portion of the algorithms, we're using the test vectors outlined here:
https://github.com/pdimov/hash2/blob/7a25f8518692b657e9272884519519fbaca2ec54/test/sha2.cpp#L282
https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Secure-Hashing

Towards the bottom there under Test Vectors, one can download a .zip folder
full of .rsp files which were used to verify the output of the applicable
algorithms.

I tried to avoid relying on those too much during testing because I wanted
something quasi-human readable and understandable so if there was an
applicable PDF, I preferred that.

I did think about a scenario where we would've committed the .rsp files to
the repo and run them during CI or some such as part of a much more
extensive test suite.

Which hashes would you like to see fuzzed, assuming "all of them" is off
the table? And how long should we fuzz as well? I'm not sure if we can
exhaustively fuzz the algorithms as part of a normal CI infrastructure.

- Christian

_______________________________________________
Unsubscribe & other changes: http://lists.boost.org/mailman/listinfo.cgi/boost
  

• Next message: Christopher Kormanyos: "Re: [hash2] Formal Review Begins"
• Previous message: Tom Kent: "Re: [hash2] Formal Review Begins"
• In reply to: Christian Mazakas: "Re: [hash2] Formal Review Begins"
• Next in thread: Christopher Kormanyos: "Re: [hash2] Formal Review Begins"
• Reply: Christopher Kormanyos: "Re: [hash2] Formal Review Begins"

Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk