libgcrypt integration into OSS-Fuzz differential cryptography fuzzer

Guido Vranken guidovranken at gmail.com
Wed May 8 15:31:45 CEST 2019


Hi,

I've been building a differential cryptography fuzzer that has been finding
some nice bugs in major cryptographic libraries:
https://github.com/guidovranken/cryptofuzz#hall-of-fame
It's very effective as it can find the Whirlpool bug (before 1.60.0) and
the recent Stribog bug instantly.

It finds errors in message digests like RipeMD160 in the current master
branch that are not present in 1.8.4. I still have to research the cause.
I can post demonstration code later.

It's running 24/7 on Google's OSS-Fuzz. Are the libgcrypt maintainers
interested in participating in the OSS-Fuzz project? This entails that
results for message digests, HMACs, CMACs and symmetric ciphers are
compared to other libraries, and if there is a mismatch, everyone gets an
e-mail. At that point we have to find out which library is emitting the
wrong result, and the bug has to be fixed.

For this I need one or more e-mail addresses linked to a Google account.

Read more about OSS-Fuzz here: https://github.com/google/oss-fuzz

Guido
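
The comparison described in the message above, reduced to HMAC, as an added example that is not part of the original post and is not cryptofuzz code. It assumes Python's hmac module as one implementation and a hand-written RFC 2104 construction as the other; all function names are hypothetical, and hmac_faulty is a constructed defect included so the harness has something to find.

```python
import hashlib
import hmac
import random

ALGS = ["sha1", "sha256", "sha512"]

def hmac_stdlib(alg, key, chunks):
    """Implementation A: Python's hmac module, one-shot over the whole message."""
    return hmac.new(key, b"".join(chunks), alg).digest()

def hmac_manual(alg, key, chunks, hash_long_key=True):
    """Implementation B: RFC 2104 written out by hand, message fed chunk by chunk."""
    block = hashlib.new(alg).block_size
    if hash_long_key and len(key) > block:
        key = hashlib.new(alg, key).digest()  # over-long keys are hashed first
    key = key.ljust(block, b"\x00")
    inner = hashlib.new(alg, bytes(b ^ 0x36 for b in key))
    for chunk in chunks:
        inner.update(chunk)
    outer = hashlib.new(alg, bytes(b ^ 0x5C for b in key))
    outer.update(inner.digest())
    return outer.digest()

def hmac_faulty(alg, key, chunks):
    """Constructed defect for the demo: forgets to hash keys longer than a block."""
    return hmac_manual(alg, key, chunks, hash_long_key=False)

def split(msg, rng):
    """Cut msg at random offsets so update() boundaries differ between runs."""
    cuts = sorted(rng.randrange(len(msg) + 1) for _ in range(rng.randrange(4)))
    return [msg[a:b] for a, b in zip([0] + cuts, cuts + [len(msg)])]

def differential(candidate, rounds=300, seed=1):
    """Run candidate against hmac_stdlib; return (alg, key_len, msg_len) per mismatch."""
    rng = random.Random(seed)
    mismatches = []
    for _ in range(rounds):
        alg = rng.choice(ALGS)
        key = bytes(rng.getrandbits(8) for _ in range(rng.randrange(200)))
        msg = bytes(rng.getrandbits(8) for _ in range(rng.randrange(300)))
        chunks = split(msg, rng)
        if candidate(alg, key, chunks) != hmac_stdlib(alg, key, chunks):
            mismatches.append((alg, len(key), len(msg)))
    return mismatches

if __name__ == "__main__":
    print("manual:", len(differential(hmac_manual)), "mismatches")
    print("faulty:", differential(hmac_faulty)[:5])
```

A mismatch only says that the two implementations disagree; the recorded algorithm and input lengths are the starting point for working out which one is wrong.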

More information about the Gcrypt-devel mailing list