Cryptofuzz - Differential cryptography fuzzing

Documentation

For building Cryptofuzz, please refer to docs/building.md.

For instructions on how to run Cryptofuzz, please see docs/running.md.

Bugs found by Cryptofuzz

• OpenSSL: ARIA GCM ciphers memory leak after EVP_CTRL_AEAD_SET_IVLEN
• OpenSSL: HMAC with SHAKE128 via EVP interface crashes on EVP_DigestSignUpdate
• OpenSSL: BLAKE2b_Update can pass NULL to memcpy (undefined behavior)
• LibreSSL: EVP_aes_128_cbc_hmac_sha1, EVP_aes_256_cbc_hmac_sha1 decrypt OOB read/crash/invalid result
• OpenSSL: CHACHA20_POLY1305 different results for chunked/non-chunked updating
• OpenSSL: OpenSSL 1.0.2: BIO_read + *_WRAP ciphers copy to uninitialized pointer
• BoringSSL: AEAD AES GCM SIV NULL pointer dereference/OOB read
• LibreSSL: BIO_read can report more bytes written than buffer can hold
• LibreSSL: Use-after-free/bad free after EVP_CIPHER_CTX_copy
• BoringSSL: Use-after-free/bad free after EVP_CIPHER_CTX_copy
• LibreSSL: GOST HMAC uses and outputs uninitialized memory
• OpenSSL: Overlong tag buffer leaves memory uninitialized in CCM mode
• OpenSSL: Buffer write overflow when passing large RC5 key
• OpenSSL: Hang after particular sequence of operations
• LibreSSL: Overlong tag buffer leaves memory uninitialized in CCM mode
• LibreSSL: AES GCM context copy crash
• LibreSSL: Streebog wrong output
• OpenSSL: EVP_EncryptUpdate, EVP_EncryptFinal_ex branching on uninitialized memory
• libgcrypt: Invalid output of MD4, MD5, RIPEMD160
• OpenSSL: RC5 signed integer overflow, TBA
• LibreSSL: AES CCM context copy crash
• LibreSSL: DES EDE3 CFB1 leaves output uninitialized
• Crypto++: Scrypt crash with blocksize 0
• EverCrypt: Illegal instruction exception on non-AVX CPUs
• OpenSSL: OpenSSL 1.0.2: RC4 OOB read
• OpenSSL: OpenSSL 1.0.2: Branch on uninitialized memory in EVP_CIPHER_CTX_copy
• Crypto++: PBKDF1 OOB read
• NSS: MD2 invalid output
• Botan: CAST5_CBC invalid output
• Botan: Streebog invalid output
• Botan: PBKDF2 hang (very long loop) if iterations == 0
• NSS: HKDF SHA1 stack buffer overflow, CVE-2019-11759
• NSS: RC2 CBC OOB read with undersized IV
• NSS: SEED_CBC encryption out-of-bounds write
• NSS: CKM_AES_GCM succeeds with invalid tag sizes, risk of memory corruption
• NSS: PBKDF2 memory leak if key size > 256
• NSS: DES IV buffer overread if IV is undersized
• wolfCrypt: RC4 may dereference empty key
• wolfCrypt: SCRYPT leaves output buffer uninitialized
• wolfCrypt: wc_HKDF + BLAKE2B leaves output buffer uninitialized
• wolfCrypt: PKCS12 PBKDF + SHA3 buffer overflow
• NSS: mp_toradix buffer overflow (write) TBA
• BLAKE3: memcpy undefined behavior in C impl
• sjcl: scrypt wrong result with certain parameters
• sjcl: RIPEMD160 HMAC wrong result
• sjcl: bignum subtraction incorrect result
• NSS: SEEK ECB leaves output buffer uninitialized when encrypting more than 1 block
• libgcrypt: gcry_mpi_invm indicates multiplicative inverse exists when it does not
• wolfCrypt: AES GCM allows IV of size 0
• wolfCrypt: AES CCM allows invalid tag sizes
• LibreSSL: AES GCM allows IV of size 0
• OpenSSL: CAST5 invalid output
• Crypto++: SPECK64 different output if input is passed in chunks
• Crypto++: Undersized SipHash key leads to buffer out-of-bounds read
• libkcapi: PBKDF2 with iteration count = 0 zeroes output buffer
• wolfCrypt: HKDF allows key sizes > 255 * digest size TBA
• Botan: HKDF clamps output to 255 * requested key size
• SymCrypt: Signed overshift and other undefined behavior
• NSS: ChaCha20, ChaCha20/Poly1305 OOB read, OOB write, incorrect output with multi-part updating or small AEAD tag, CVE-2020-12403
• OpenSSL: AES key wrap ciphers out-of-bounds write
• LibreSSL: AES key wrap ciphers use-after-free
• OpenSSL: AES key wrap ciphers use-after-free
• Crypto++: AES GCM encryption with large tag size results in incorrect output, out-of-bounds reads
• mbed TLS: mbedtls_md_setup memory leak if allocation fails
• OpenSSL: EVP_CIPHER_CTX re-initialisation bugs
• OpenSSL: KBKDF NULL ptr dereference
• Botan: PointGFp_Multi_Point_Precompute gives wrong result when an infinity point occurs in the precomputation (credit to @andrewkozlik)
• Botan: ECDSA hash truncation discrepancy
• mbed TLS: mbedtls_cipher_auth_encrypt with AES key wrap OOB write
• bignumber.js: squareRoot() produces incorrect result
• elliptic: Curves p384 and p521 produce incorrect results
• Nettle: Blowfish signed integer overshift
• Golang: crypto/ecdsa: signature verification succeeds when it should fail
• SymCrypt: Elliptic curve private-to-public incorrect result on Linux 32 bit
• libtomcrypt: PKBDF1 hang if iterations is 0
• libtomcrypt: TEA cipher incorrect result
• SymCrypt: NULL pointer access in struct offset resolution
• BearSSL: Carry propagation bug in ECC code. Commit: b2ec2030e40acf5e9e4cd0f2669aacb27eadb540
• Trezor firmware: ECDSA verification fails if hash is curve order
• Botan: ECDSA verification succeeds with invalid public key
• Botan: KDF + BLAKE incorrect result
• Crypto++: ECDSA verification succeeds with invalid signature
• micro-ecc: ECDSA verification fails when it should succeed
• Parity libsecp256k1: RFC6979 signature discrepancy if input is curve order
• LibreSSL: ECDSA verification succeeds with invalid public key
• SymCrypt: Uninitialized memory used as array index in ECDSA verification if hash is 0
• TBA: TBA
• NSS/ecckiila: ECDSA verification fails for all-zero hash
• mbed TLS: mbedtls_mpi_sub_abs memory corruption
• relic: Out-of-bounds read via bn_sqr_basic
• relic: Wrong square root computation
• relic: ECDSA verification discrepancies
• relic: bn_write_str buffer overflow
• Nettle: ECDSA verification fails for all-zero hash
• relic: Buffer overflow via bn_mxp_slide
• relic: bn_mxp_monty incorrect result
• relic: Several other memory and correctness bugs
• libgcrypt: ECDSA verification succeeds with invalid public key
• libgcrypt: Out-of-bounds read in SHA256
• SymCrypt: Invalid ECDSA signature and public key for private key that is curve order
• SymCrypt: ECDSA signing branches on uninitialized memory
• blst: Modular inverse incorrect result
• blst: Inverse modulo hangs on i386 if input is 0 or multiple of modulo
• blst Using non-standard 'dst' parameter branches on uninitialized memory
• Botan: Incorrect comparison of negative values
• blst: NULL pointer dereference if msg is empty and aug is non-empty
• Nettle: Crash, potential incorrect verification in ECDSA verification
• relic: Modular exponentiation returns 1 if exponent is 0 and modulo is 1
• Chia bls-signatures: TBA
• relic: BLAKE2S160, BLAKE2S256 functions leave output buffer uninitialized if input is empty
• Botan: BigInt right-shifting can cause std::vector to throw std::length_error
• mbed TLS: ECDSA signing of 0 produces unverifiable signature
• mbed TLS: PKCS12 KDF + MD2 incorrect result
• libgcrypt CMAC + SERPENT/IDEA/RC2 buffer overflow/crash with oversized key
• Parity libsecp256k1: Verifies signatures whose R,S > curve order
• Botan: ECDSA pubkey recovery succeeds with invalid parameters
• mbed TLS: CHACHA20-POLY1305 succeeds with invalid IV size
• SymCrypt: ECDSA signing produces invalid signature
• BLAKE reference implementation: Updating with empty buffer resets internal counter
• Herumi mcl: Incorrect results with dst larger than 255 bytes
• LibreSSL: EC_POINT_point2oct / EC_POINT_oct2point asymmetry
• noble-secp256k1: Several ECDSA verification bugs: 1 2 3
• blst: NULL pointer dereference if point multiplier is zero-stripped
• libecc: Use of uninitialized memory in ECGDSA signing
• noble-ed25519: Accepts overlong private keys
• relic: Elliptic curve point multiplication incorrect result if input X = 0
• relic: Incorrect point validation
• Chia/relic: Allows loading invalid point 1 2
• blst: Branching on uninitialize memory
• num-bigint: Panic on multiplication
• Botan: Produces invalid ECDSA signatures
• libgcrypt: gcry_mpi_sub_ui result is positive when it should be negative
• Decred uint256: Incorrect decimal string formatting
• Botan: Undefined behavior upon instantiating DL_Group
• libtommath: mp_is_square says 0 is not a square
• OpenSSL: HMAC use-after-free after copying ctx
• Golang: CVE-2022-23806: crypto/elliptic: IsOnCurve returns true for invalid field elements
• mbed TLS: mbedtls_ecp_muladd hangs with oversized point coordinates
• BoringSSL: EVP_AEAD_CTX_free NULL pointer dereference if pointer is NULL
• blst: blst_fr_eucl_inverse incorrect result
• circl: Inadequate scalar reduction in p384 leads to panic
• Herumi mcl: map-to-curve incorrect result if both inputs are equivalent
• OpenSSL: BN_mod_exp2_mont NULL pointer dereference if modulus is 0
• relic: bn_mod_pmers hangs if modulus is 0
• relic: bn_mod_barrt out-of-bounds write and hang
• relic: bn_gcd_ext_stein returns different Bezout coefficients
• Zig: std.math.big.int panics (divFloor, gcd, bitAnd)
• NSS: mp_xgcd produces incorrect Bezout coefficients
• Nettle: TBA
• libgcrypt: Argon2 incorrect result and division by zero
• Herumi mcl: Incorrect result for G1 multiplication by Fp
• libgcrypt: gcry_mpi_invm incorrect result
• OpenSSL, LibreSSL: Incorrect NIST curve math
• relic: bn_lcm incorrect result with negative zero input
• relic: bn_gcd_lehme hangs with negative input
• relic: Modulo functions hang with negative inputs
• blst: blst_fp_is_square incorrect result on ARM
• OpenSSL, BoringSSL: BN_mod_exp_mont_consttime returns modulus when it should return 0
• libgcrypt: Allows invalid HKDF output sizes
• libgmp mini-gmp: mpz_powm incorrect result
• mbed TLS: mbedtls_mpi_mod_int produces incorrect results
• Zig: HKDF rejects maximum key size
• Zig: HMAC + SHA3 incorrect output
• Nim bigints: Division causes assert failure
• D: std.bigint powmod incorrect result on Ubuntu 20.04
• Golang: CVE-2023-24532: Specific unreduced P-256 scalars produce incorrect results
• OpenSSL, LibreSSL, BoringSSL: DSA signing hangs with invalid parameters
• Zig: Streaming SHA3 incorrect output
• Zig: Argon2 outputs uninitialized memory with keysize > 64
• Boost multiprecision: Loading cpp_int by std::string branches on uninitialized memory
• mbed TLS: AES key wrap ciphertext cannot be decrypted
• Zig: secp256k1 scalar multiplication panics
• kilic-bls12-381: Fr FromBytes does not reduce value if value is modulus
• OpenSSL, LibreSSL, BoringSSL: BN_mod_inverse incorrect result when parameters are aliased
• libgcrypt: Modular add/sub/mul incorrect result if result and modulus pointer are equal
• libecc: nn_modinv_2exp incorrect result if exponent is 0
• libecc: Modular addition incorrect result if result and modulus pointer are equal
• NEAR modexp precompile: Panic if exponent is 0
• arkworks-algebra: multi_scalar_mul incorrect result if scalar exceeds curve order
• Golang: crypto/ecdsa: P521 ecdsa.Verify panics with malformed message
• Golang: crypto/elliptic: P256 ScalarBaseMult with order-34 yields point at infinity
• Zig: Elliptic curve point addition incorrect result