libgcrypt integration into OSS-Fuzz differential cryptography fuzzer

Guido Vranken guidovranken at gmail.com
Fri May 10 20:23:22 CEST 2019


I hadn't noticed Veracrypt deliberately disabled the carry overflow check.
Thanks for the suggestion; I've modified the Veracrypt code and there are
no differences anymore.

Can people who are interested in receiving messages from OSS-Fuzz send
their Google account-linked address to guidovranken at gmail.com? Thanks

Dimitry/others: was the carry overflow bug in Stribog in libgcrypt found
because I notified LibreSSL about the same bug (
https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/gost/streebog.c?rev=1.6&content-type=text/x-cvsweb-markup)?
Would it be fair to say, then, that my fuzzer found the libgcrypt Stribog
bug? If so I'll add it to my HoF.

Thanks

On Fri, May 10, 2019 at 8:45 AM NIIBE Yutaka <gniibe at fsij.org> wrote:

> Hello,
>
> Jussi Kivilinna <jussi.kivilinna at iki.fi> wrote:
> >> It's running 24/7 on Google's OSS-Fuzz. Are the libgcrypt maintainers
> >> interested in participating in the OSS-Fuzz project? This entails that
> >> results for message digests, HMACs, CMACs and symmetric ciphers are
> >> compared to other libraries, and if there is a mismatch, everyone gets an
> >> e-mail. At that point we have to find out which library is emitting the
> >> wrong result, and the bug has to be fixed.
> >>
> >
> > I'd be interested in getting emails of such mismatches.
> >
> > What do others think? Werner? Niibe?
>
> Getting email report is fine for me.
>
> If Google account is required, I have old one (not in use currently).
> (It was created when I joined Google SoC as a mentor org admin in 2005.
> And it was used until 2009.)
> --
>