Cryptofuzz - Differential cryptography fuzzing
Documentation
For building Cryptofuzz, please refer to docs/building.md.
For instructions on how to run Cryptofuzz, please see docs/running.md.
Bugs found by Cryptofuzz
- OpenSSL: ARIA GCM ciphers memory leak after EVP_CTRL_AEAD_SET_IVLEN
- OpenSSL: HMAC with SHAKE128 via EVP interface crashes on EVP_DigestSignUpdate
- OpenSSL: BLAKE2b_Update can pass NULL to memcpy (undefined behavior)
- LibreSSL: EVP_aes_128_cbc_hmac_sha1, EVP_aes_256_cbc_hmac_sha1 decrypt OOB read/crash/invalid result
- OpenSSL: CHACHA20_POLY1305 different results for chunked/non-chunked updating
- OpenSSL: OpenSSL 1.0.2: BIO_read + *_WRAP ciphers copy to uninitialized pointer
- BoringSSL: AEAD AES GCM SIV NULL pointer dereference/OOB read
- LibreSSL: BIO_read can report more bytes written than buffer can hold
- LibreSSL: Use-after-free/bad free after EVP_CIPHER_CTX_copy
- BoringSSL: Use-after-free/bad free after EVP_CIPHER_CTX_copy
- LibreSSL: GOST HMAC uses and outputs uninitialized memory
- OpenSSL: Overlong tag buffer leaves memory uninitialized in CCM mode
- OpenSSL: Buffer write overflow when passing large RC5 key
- OpenSSL: Hang after particular sequence of operations
- LibreSSL: Overlong tag buffer leaves memory uninitialized in CCM mode
- LibreSSL: AES GCM context copy crash
- LibreSSL: Streebog wrong output
- OpenSSL: EVP_EncryptUpdate, EVP_EncryptFinal_ex branching on uninitialized memory
- libgcrypt: Invalid output of MD4, MD5, RIPEMD160
- OpenSSL: RC5 signed integer overflow, TBA
- LibreSSL: AES CCM context copy crash
- LibreSSL: DES EDE3 CFB1 leaves output uninitialized
- Crypto++: Scrypt crash with blocksize 0
- EverCrypt: Illegal instruction exception on non-AVX CPUs
- OpenSSL: OpenSSL 1.0.2: RC4 OOB read
- OpenSSL: OpenSSL 1.0.2: Branch on uninitialized memory in EVP_CIPHER_CTX_copy
- Crypto++: PBKDF1 OOB read
- NSS: MD2 invalid output
- Botan: CAST5_CBC invalid output
- Botan: Streebog invalid output
- Botan: PBKDF2 hang (very long loop) if iterations == 0
- NSS: HKDF SHA1 stack buffer overflow, CVE-2019-11759
- NSS: RC2 CBC OOB read with undersized IV
- NSS: SEED_CBC encryption out-of-bounds write
- NSS: CKM_AES_GCM succeeds with invalid tag sizes, risk of memory corruption
- NSS: PBKDF2 memory leak if key size > 256
- NSS: DES IV buffer overread if IV is undersized
- wolfCrypt: RC4 may dereference empty key
- wolfCrypt: SCRYPT leaves output buffer uninitialized
- wolfCrypt: wc_HKDF + BLAKE2B leaves output buffer uninitialized
- wolfCrypt: PKCS12 PBKDF + SHA3 buffer overflow
- NSS: mp_toradix buffer overflow (write) TBA
- BLAKE3: memcpy undefined behavior in C impl
- sjcl: scrypt wrong result with certain parameters
- sjcl: RIPEMD160 HMAC wrong result
- sjcl: bignum subtraction incorrect result
- NSS: SEED ECB leaves output buffer uninitialized when encrypting more than 1 block
- libgcrypt: gcry_mpi_invm indicates multiplicative inverse exists when it does not
- wolfCrypt: AES GCM allows IV of size 0
- wolfCrypt: AES CCM allows invalid tag sizes
- LibreSSL: AES GCM allows IV of size 0
- OpenSSL: CAST5 invalid output
- Crypto++: SPECK64 different output if input is passed in chunks
- Crypto++: Undersized SipHash key leads to buffer out-of-bounds read
- libkcapi: PBKDF2 with iteration count = 0 zeroes output buffer
- wolfCrypt: HKDF allows key sizes > 255 * digest size TBA
- Botan: HKDF clamps output to 255 * requested key size
- SymCrypt: Signed overshift and other undefined behavior
- NSS: ChaCha20, ChaCha20/Poly1305 OOB read, OOB write, incorrect output with multi-part updating or small AEAD tag, CVE-2020-12403
- OpenSSL: AES key wrap ciphers out-of-bounds write
- LibreSSL: AES key wrap ciphers use-after-free
- OpenSSL: AES key wrap ciphers use-after-free
- Crypto++: AES GCM encryption with large tag size results in incorrect output, out-of-bounds reads
- mbed TLS: mbedtls_md_setup memory leak if allocation fails
- OpenSSL: EVP_CIPHER_CTX re-initialisation bugs
- OpenSSL: KBKDF NULL ptr dereference
- Botan: PointGFp_Multi_Point_Precompute gives wrong result when an infinity point occurs in the precomputation (credit to @andrewkozlik)
- Botan: ECDSA hash truncation discrepancy
- mbed TLS: mbedtls_cipher_auth_encrypt with AES key wrap OOB write
- bignumber.js: squareRoot() produces incorrect result
- elliptic: Curves p384 and p521 produce incorrect results
- Nettle: Blowfish signed integer overshift
- Golang: crypto/ecdsa: signature verification succeeds when it should fail
- SymCrypt: Elliptic curve private-to-public incorrect result on Linux 32 bit
- libtomcrypt: PBKDF1 hang if iterations is 0
- libtomcrypt: TEA cipher incorrect result
- SymCrypt: NULL pointer access in struct offset resolution
- BearSSL: Carry propagation bug in ECC code. Commit: b2ec2030e40acf5e9e4cd0f2669aacb27eadb540
- Trezor firmware: ECDSA verification fails if hash is curve order
- Botan: ECDSA verification succeeds with invalid public key
- Botan: KDF + BLAKE incorrect result
- Crypto++: ECDSA verification succeeds with invalid signature
- micro-ecc: ECDSA verification fails when it should succeed
- Parity libsecp256k1: RFC6979 signature discrepancy if input is curve order
- LibreSSL: ECDSA verification succeeds with invalid public key
- SymCrypt: Uninitialized memory used as array index in ECDSA verification if hash is 0
- TBA: TBA
- NSS/ecckiila: ECDSA verification fails for all-zero hash
- mbed TLS: mbedtls_mpi_sub_abs memory corruption
- relic: Out-of-bounds read via bn_sqr_basic
- relic: Wrong square root computation
- relic: ECDSA verification discrepancies
- relic: bn_write_str buffer overflow
- Nettle: ECDSA verification fails for all-zero hash
- relic: Buffer overflow via bn_mxp_slide
- relic: bn_mxp_monty incorrect result
- relic: Several other memory and correctness bugs
- libgcrypt: ECDSA verification succeeds with invalid public key
- libgcrypt: Out-of-bounds read in SHA256
- SymCrypt: Invalid ECDSA signature and public key for private key that is curve order
- SymCrypt: ECDSA signing branches on uninitialized memory
- blst: Modular inverse incorrect result
- blst: Inverse modulo hangs on i386 if input is 0 or multiple of modulo
- blst: Using non-standard 'dst' parameter branches on uninitialized memory
- Botan: Incorrect comparison of negative values
- blst: NULL pointer dereference if msg is empty and aug is non-empty
- Nettle: Crash, potential incorrect verification in ECDSA verification
- relic: Modular exponentiation returns 1 if exponent is 0 and modulo is 1
- Chia bls-signatures: TBA
- relic: BLAKE2S160, BLAKE2S256 functions leave output buffer uninitialized if input is empty
- Botan: BigInt right-shifting can cause std::vector to throw std::length_error
- mbed TLS: ECDSA signing of 0 produces unverifiable signature
- mbed TLS: PKCS12 KDF + MD2 incorrect result
- libgcrypt: CMAC + SERPENT/IDEA/RC2 buffer overflow/crash with oversized key
- Parity libsecp256k1: Verifies signatures whose R,S > curve order
- Botan: ECDSA pubkey recovery succeeds with invalid parameters
- mbed TLS: CHACHA20-POLY1305 succeeds with invalid IV size
- SymCrypt: ECDSA signing produces invalid signature
- BLAKE reference implementation: Updating with empty buffer resets internal counter
- Herumi mcl: Incorrect results with dst larger than 255 bytes
- LibreSSL: EC_POINT_point2oct / EC_POINT_oct2point asymmetry
- noble-secp256k1: Several ECDSA verification bugs: 1 2 3
- blst: NULL pointer dereference if point multiplier is zero-stripped
- libecc: Use of uninitialized memory in ECGDSA signing
- noble-ed25519: Accepts overlong private keys
- relic: Elliptic curve point multiplication incorrect result if input X = 0
- relic: Incorrect point validation
- Chia/relic: Allows loading invalid point 1 2
- blst: Branching on uninitialized memory
- num-bigint: Panic on multiplication
- Botan: Produces invalid ECDSA signatures
- libgcrypt: gcry_mpi_sub_ui result is positive when it should be negative
- Decred uint256: Incorrect decimal string formatting
- Botan: Undefined behavior upon instantiating DL_Group
- libtommath: mp_is_square says 0 is not a square
- OpenSSL: HMAC use-after-free after copying ctx
- Golang: CVE-2022-23806: crypto/elliptic: IsOnCurve returns true for invalid field elements
- mbed TLS: mbedtls_ecp_muladd hangs with oversized point coordinates
- BoringSSL: EVP_AEAD_CTX_free NULL pointer dereference if pointer is NULL
- blst: blst_fr_eucl_inverse incorrect result
- circl: Inadequate scalar reduction in p384 leads to panic
- Herumi mcl: map-to-curve incorrect result if both inputs are equivalent
- OpenSSL: BN_mod_exp2_mont NULL pointer dereference if modulus is 0
- relic: bn_mod_pmers hangs if modulus is 0
- relic: bn_mod_barrt out-of-bounds write and hang
- relic: bn_gcd_ext_stein returns different Bezout coefficients
- Zig: std.math.big.int panics (divFloor, gcd, bitAnd)
- NSS: mp_xgcd produces incorrect Bezout coefficients
- Nettle: TBA
- libgcrypt: Argon2 incorrect result and division by zero
- Herumi mcl: Incorrect result for G1 multiplication by Fp
- libgcrypt: gcry_mpi_invm incorrect result
- OpenSSL, LibreSSL: Incorrect NIST curve math
- relic: bn_lcm incorrect result with negative zero input
- relic: bn_gcd_lehme hangs with negative input
- relic: Modulo functions hang with negative inputs
- blst: blst_fp_is_square incorrect result on ARM
- OpenSSL, BoringSSL: BN_mod_exp_mont_consttime returns modulus when it should return 0
- libgcrypt: Allows invalid HKDF output sizes
- libgmp mini-gmp: mpz_powm incorrect result
- mbed TLS: mbedtls_mpi_mod_int produces incorrect results
- Zig: HKDF rejects maximum key size
- Zig: HMAC + SHA3 incorrect output
- Nim bigints: Division causes assert failure
- D: std.bigint powmod incorrect result on Ubuntu 20.04
- Golang: CVE-2023-24532: Specific unreduced P-256 scalars produce incorrect results
- OpenSSL, LibreSSL, BoringSSL: DSA signing hangs with invalid parameters
- Zig: Streaming SHA3 incorrect output
- Zig: Argon2 outputs uninitialized memory with keysize > 64
- Boost multiprecision: Loading cpp_int by std::string branches on uninitialized memory
- Zig: secp256k1 scalar multiplication panics
- kilic-bls12-381: Fr FromBytes does not reduce value if value is modulus
- OpenSSL, LibreSSL, BoringSSL: BN_mod_inverse incorrect result when parameters are aliased
- libgcrypt: Modular add/sub/mul incorrect result if result and modulus pointer are equal
- libecc: nn_modinv_2exp incorrect result if exponent is 0
- libecc: Modular addition incorrect result if result and modulus pointer are equal
- NEAR modexp precompile: Panic if exponent is 0
- arkworks-algebra: multi_scalar_mul incorrect result if scalar exceeds curve order
- Golang: crypto/ecdsa: P521 ecdsa.Verify panics with malformed message
- Golang: crypto/elliptic: P256 ScalarBaseMult with order-34 yields point at infinity
- Zig: Elliptic curve point addition incorrect result
- Botan: BigInt::random_integer hangs
- Constantine: Incorrect reduction of BigInt
- Constantine: Modular exponentiation incorrect result with power-of-2 modulus
- Constantine: Slow repeated modular exponentiation
- Constantine: BLS12-381 HashToCurve G1 incorrect result
- Constantine: Modular exponentiation crash
- libtommath: mp_exptmod incorrect result
- Botan: Undefined behavior in AlignmentBuffer::fill_up_with_zeros
- Constantine: Modular exponentiation incorrect result due to uninitialized memory
- Zig: std.math.big.int sqrt panics
- Botan: blinded_var_point_multiply incorrect result with curves with cofactor > 1
- OpenSSL: HKDF + BLAKE2S256 outputs uninitialized memory
- libgmp mini-gmp: mpz_gcdext Bézout coefficients do not match documentation
- relic: bn_gcd_ext_binar returns different Bezout coefficients
- LibreSSL: BN_bn2mpi out-of-bounds read
- Constantine: inv_vartime incorrect result