libgcrypt integration into OSS-Fuzz differential cryptography fuzzer

Jussi Kivilinna jussi.kivilinna at iki.fi
Wed May 8 21:48:56 CEST 2019


Hello,

On 8.5.2019 16.31, Guido Vranken wrote:
> Hi,
> 
> I've been building a differential cryptography fuzzer that has been finding some nice bugs in major cryptographic libraries: https://github.com/guidovranken/cryptofuzz#hall-of-fame
> It's very effective as it can find the Whirlpool bug (before 1.60.0) and the recent Stribog bug instantly.
> 
> It finds errors in message digests like RipeMD160 in the current master branch that are not present in 1.8.4. I still have to research the cause.. I can post demonstration code later.

Thanks! It looks like culprit commit is 46d7dbbc293fdc1e04656798b3e6f58873fee110 which breaks md4, md5 and rmd160. Quickly looking at code, this happens when input size is '64*nblks + 56..63'. Bug is at md4.c/md5.c/rmd160.c new code path "/* need one extra block */" and when writing bit count to buffer. Buffer offsets there should be "hd->bctx.buf + 56 + 64" and "hd->bctx.buf + 60 + 64". Other message digests modified in that commit appear to get this right. 

Bigger issue here is that there is quite big cap in testing coverage for digest finalization functions.. fuzzing against different libraries would definitely help.

> 
> It's running 24/7 on Google's OSS-Fuzz. Are the libgcrypt maintainers interested in participating in the OSS-Fuzz project? This entails that results for message digests, HMACs, CMACs and symmetric ciphers are compared to other libraries, and if there is a mismatch, everyone gets an e-mail. At that point we have to find out which library is emitting the wrong result, and the bug has to be fixed.
> 

I'd be interested getting emails of such mismatches.

What do others think? Werner? Niibe?


-Jussi



More information about the Gcrypt-devel mailing list