On 31/08/2025 20:12, Collin Funk wrote:
> Hi Pádraig,
>
> Collin Funk <[email protected]> writes:
>
>>> It would be good to verify that we don't have the following bug
>>> from the reference implementations:
>>> https://mouha.be/sha-3-buffer-overflow/
>>
>> Ah, so there is a well-maintained Keccak package. Not sure how I did not
>> see that earlier.
>>
>> I'll have a look at adding that test case.
>
> I have added a test to tests/test-sha3-224-buffer.c locally. But I am
> inclined to remove it because the test takes 30 seconds (in total for
> the 2 mentioned CVEs) to run on my system:
>
>     $ grep ^'model name' /proc/cpuinfo | head -n 1
>     model name : AMD Ryzen 7 3700X 8-Core Processor
>
> My understanding is that we would want this test for the other digest
> sizes as well. 2 minutes seems too long for every run of 'make check'.
>
> Maybe we can add it as a separate file with the 'longrunning-test'
> module tag? That would let maintainers and/or CI use the following:
>
>     $ gnulib-tool --with-longrunning-tests ...
>
> To test it but leave it off by default so people building Coreutils, for
> example, don't need to wait 2 minutes or longer for 'make check'.
>
> WDYT?

Well the main thing is that it passes the test now, so thanks for checking that.
If we were to keep it, then it would have to be tagged/separated as a
longrunning test.
I would think that testing a single size is fine, as the fix was to generic
routines:
https://github.com/XKCP/XKCP/commit/fdc6fef0
So a single longrunning-test seems appropriate IMHO.
thanks!
Padraig