|
Boost : |
From: Christopher Kormanyos (e_float_at_[hidden])
Date: 2024-12-11 06:39:41
>> Which hashes would you like to see fuzzed,
>> assuming "all of them" is off the table?
>> And how long should we fuzz as well?
> I think one of them, your pick, like SHA2-512
> maybe for 5 minutes in CI would add robustness.
> Maybe limit the fuzzed messages to 2 < len < 1024
> bytes? This is not required in any way,
> although I think this would increase robustness.
You could link up with OpenSSL to obtain
control values for the dynamically selected,
fuzzed message(s).
Christopher
On Wednesday, December 11, 2024 at 07:13:42 AM GMT+1, Christopher Kormanyos <e_float_at_[hidden]> wrote:
>>Â * Include a subset of NIST testing.
> I did think about a scenario where we
> would've committed the .rsp files to
> the repo and run them during CI or some
> such as part of a much more extensive
> test suite.
Thanks for responding, Christian.
I think including and running the short
test vectors might be a good compromise
for your CI. They run rather quickly
and I don't think that'll slow down CI
too much.
>>Â * Fuzzing run(s) on some hashes in CI.
> Which hashes would you like to see fuzzed,
> assuming "all of them" is off the table?
> And how long should we fuzz as well?
I think one of them, your pick, like SHA2-512
maybe for 5 minutes in CI would add robustness.
Maybe limit the fuzzed messages to 2 < len < 1024
bytes? This is not required in any way,
although I think this would increase robustness.
Christopher.
On Wednesday, December 11, 2024 at 12:26:07 AM GMT+1, Christian Mazakas via Boost <boost_at_[hidden]> wrote:
On Tue, Dec 10, 2024 at 12:07â¯PM Christopher Kormanyos via Boost <
boost_at_[hidden]> wrote:
> What I'd like to see short-term:
>Â * Handle enhanced compiler warnings.
>Â * Include a subset of NIST testing.
>Â * Fuzzing run(s) on some hashes in CI.
>Â * I think SHA-3 is worthy of inclusion.
>
I was wondering what kind of NIST testing you're alluding to.
We do have some copy-pasted test vectors for myriad PDFs but for a good
portion of the algorithms, we're using the test vectors outlined here:
https://github.com/pdimov/hash2/blob/7a25f8518692b657e9272884519519fbaca2ec54/test/sha2.cpp#L282
https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Secure-Hashing
Towards the bottom there under Test Vectors, one can download a .zip folder
full of .rsp files which were used to verify the output of the applicable
algorithms.
I tried to avoid relying on those too much during testing because I wanted
something quasi-human readable and understandable so if there was an
applicable PDF, I preferred that.
I did think about a scenario where we would've committed the .rsp files to
the repo and run them during CI or some such as part of a much more
extensive test suite.
Which hashes would you like to see fuzzed, assuming "all of them" is off
the table? And how long should we fuzz as well? I'm not sure if we can
exhaustively fuzz the algorithms as part of a normal CI infrastructure.
- Christian
_______________________________________________
Unsubscribe & other changes: http://lists.boost.org/mailman/listinfo.cgi/boost
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk