<div dir="ltr">Ah, thanks! Sorry for the false positive everyone.<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, May 18, 2019 at 5:46 AM Jussi Kivilinna <<a href="mailto:jussi.kivilinna@iki.fi">jussi.kivilinna@iki.fi</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello,<br>
<br>
On 17.5.2019 19.00, Guido Vranken wrote:<br>
> OSS-Fuzz recently found a new bug. Cryptofuzz always abort()s at the same place if it detects mismatching results, and this confuses OSS-Fuzz, thinking that multiple distinct bugs are the same bug. This is why nobody got an e-mail about it.<br>
> <br>
> But about the bug:<br>
> <br>
> <a href="https://oss-fuzz.com/testcase-detail/5651343798173696" rel="noreferrer" target="_blank">https://oss-fuzz.com/testcase-detail/5651343798173696</a><br>
> <br>
> <br>
> Operation:<br>
> operation name: Digest<br>
> digest: GOST-R-34.11-94<br>
> cleartext: {}<br>
> <br>
> Module OpenSSL result:<br>
> <br>
> {0x98, 0x1e, 0x5f, 0x3c, 0xa3, 0x0c, 0x84, 0x14, 0x87, 0x83, 0x0f, 0x84, 0xfb, 0x43, 0x3e, 0x13,<br>
> 0xac, 0x11, 0x01, 0x56, 0x9b, 0x9c, 0x13, 0x58, 0x4a, 0xc4, 0x83, 0x23, 0x4c, 0xd6, 0x56, 0xc0} (32 bytes)<br>
> <br>
> Module libgcrypt result:<br>
> <br>
> {0xce, 0x85, 0xb9, 0x9c, 0xc4, 0x67, 0x52, 0xff, 0xfe, 0xe3, 0x5c, 0xab, 0x9a, 0x7b, 0x02, 0x78,<br>
> 0xab, 0xb4, 0xc2, 0xd2, 0x05, 0x5c, 0xff, 0x68, 0x5a, 0xf4, 0x91, 0x2c, 0x49, 0x49, 0x0f, 0x8d} (32 bytes)<br>
> <br>
> <br>
> In LibreSSL I use EVP_gostr341194(), and in libgcrypt I use GCRY_MD_GOSTR3411_94.<br>
> <br>
<br>
Libgcrypt digest GCRY_MD_GOSTR3411_CP gives same output as EVP_gostr341194(). Output from gchash:<br>
<br>
$ tests/gchash GOSTR3411_CP /dev/null<br>
981e5f3ca30c841487830f84fb433e13ac1101569b9c13584ac483234cd656c0 /dev/null<br>
<br>
CP in the digest name means CryptoPro parameters and appears those parameters are used by EVP_gostr341194(). <br>
<br>
-Jussi<br>
</blockquote></div>