Hi Pádraig,

Collin Funk <[email protected]> writes:

>> It would be good to verify that we don't have the following bug
>> from the reference implementations:
>> https://mouha.be/sha-3-buffer-overflow/
>
> Ah, so there is a well-maintained Keccak package. Not sure how I did not
> see that earlier.
>
> I'll have a look at adding that test case.

I have added a test to tests/test-sha3-224-buffer.c locally. But I am
inclined to remove it because the test takes 30 seconds (in total for
the 2 mentioned CVEs) to run on my system:

    $ grep ^'model name' /proc/cpuinfo | head -n 1
    model name : AMD Ryzen 7 3700X 8-Core Processor

My understanding is that we would want this test for the other digest
sizes as well. 2 minutes seems too long for every run of 'make check'.

Maybe we can add it as a separate file with the 'longrunning-test'
module tag? That would let maintainers and/or CI use the following:

    $ gnulib-tool --with-longrunning-tests ...

To test it but leave it off by default so people building Coreutils, for
example, don't need to wait 2 minutes or longer for 'make check'.

WDYT?

Collin
