What a surprise when a colleague of mine discovered that it fails to compute any of its hash functions (SHA-1, SHA-256, SHA-512) for data larger than 256 MB. We are building use cases for our cloud encryption service Enigma Bridge, and it took us more than a day to figure out that the problem was neither on our side nor in the way we used the library. The problem was in the library itself, and the reason was quite interesting from a technical point of view – see below.
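As a hedged aside on why 256 MB in particular could be a magic boundary (an assumption on my part, not the author's analysis): 256 MB is exactly 2^31 bits, and JavaScript's bitwise operators coerce numbers to signed 32-bit integers, so a bit-length counter manipulated with bitwise arithmetic wraps to a negative value at precisely that size.

```javascript
// Illustration only (assumption): why 2^31 bits is a natural failure point
// for a JavaScript hash implementation that tracks message length in bits.
var bytes = 256 * 1024 * 1024;   // 256 MB
var bits = bytes * 8;            // 2147483648 = 2^31, still exact as a double

console.log(bits);               // prints 2147483648
// Any bitwise operation coerces the value to a signed 32-bit integer,
// where 2^31 wraps around to the most negative representable value.
console.log(bits | 0);           // prints -2147483648
```

A length that silently turns negative inside the padding step would corrupt the final block and every digest computed from it.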
What strikes me more, though, is how this kind of error could remain hidden since the inception of the SJCL library. What kind of testing was done to verify the correctness of the implementation? After all, the standards describing these functions (a) specify the algorithm and provide test vectors, and (b) define constraints on all external inputs – including the maximum length of data the function is able to process.
Also, as I said – this is a low-level library doing just one well-defined task: it computes several cryptographic algorithms according to their specifications. There is no user interface, no business logic, no databases to store data. It's just a stateless, re-entrant mathematical library. Still, it fails.
Since we started using continuous integration and rich sets of test cases internally, I have been looking for similar tests in other projects, especially on GitHub. There aren't many, and I wonder whether it's safe to rely on something only because it's been around for a long time.