For building Cryptofuzz, please refer to docs/building.md.

For instructions on how to run Cryptofuzz, please see docs/running.md.
- OpenSSL: ARIA GCM ciphers memory leak after EVP_CTRL_AEAD_SET_IVLEN
- OpenSSL: HMAC with SHAKE128 via EVP interface crashes on EVP_DigestSignUpdate
- OpenSSL: BLAKE2b_Update can pass NULL to memcpy (undefined behavior)
- LibreSSL: EVP_aes_128_cbc_hmac_sha1, EVP_aes_256_cbc_hmac_sha1 decrypt OOB read/crash/invalid result
- OpenSSL: CHACHA20_POLY1305 different results for chunked/non-chunked updating
- OpenSSL: OpenSSL 1.0.2: BIO_read + *_WRAP ciphers copy to uninitialized pointer
- BoringSSL: AEAD AES GCM SIV NULL pointer dereference/OOB read
- LibreSSL: BIO_read can report more bytes written than buffer can hold
- LibreSSL: Use-after-free/bad free after EVP_CIPHER_CTX_copy
- BoringSSL: Use-after-free/bad free after EVP_CIPHER_CTX_copy
- LibreSSL: GOST HMAC uses and outputs uninitialized memory
- OpenSSL: Overlong tag buffer leaves memory uninitialized in CCM mode
- OpenSSL: Buffer write overflow when passing large RC5 key
- OpenSSL: Hang after particular sequence of operations
- LibreSSL: Overlong tag buffer leaves memory uninitialized in CCM mode
- LibreSSL: AES GCM context copy crash
- LibreSSL: Streebog wrong output
- OpenSSL: EVP_EncryptUpdate, EVP_EncryptFinal_ex branching on uninitialized memory
- libgcrypt: Invalid output of MD4, MD5, RIPEMD160
- OpenSSL: RC5 signed integer overflow, TBA
- LibreSSL: AES CCM context copy crash
- LibreSSL: DES EDE3 CFB1 leaves output uninitialized
- Crypto++: Scrypt crash with blocksize 0
- EverCrypt: Illegal instruction exception on non-AVX CPUs
- OpenSSL: OpenSSL 1.0.2: RC4 OOB read
- OpenSSL: OpenSSL 1.0.2: Branch on uninitialized memory in EVP_CIPHER_CTX_copy
- Crypto++: PBKDF1 OOB read
- NSS: MD2 invalid output
- Botan: CAST5_CBC invalid output
- Botan: Streebog invalid output
- Botan: PBKDF2 hang (very long loop) if iterations == 0
- NSS: HKDF SHA1 stack buffer overflow, CVE-2019-11759
- NSS: RC2 CBC OOB read with undersized IV
- NSS: SEED_CBC encryption out-of-bounds write
- NSS: CKM_AES_GCM succeeds with invalid tag sizes, risk of memory corruption
- NSS: PBKDF2 memory leak if key size > 256
- NSS: DES IV buffer overread if IV is undersized
- wolfCrypt: RC4 may dereference empty key
- wolfCrypt: SCRYPT leaves output buffer uninitialized
- wolfCrypt: wc_HKDF + BLAKE2B leaves output buffer uninitialized
- wolfCrypt: PKCS12 PBKDF + SHA3 buffer overflow
- NSS: mp_toradix buffer overflow (write) TBA
- BLAKE3: memcpy undefined behavior in C impl
- sjcl: scrypt wrong result with certain parameters
- sjcl: RIPEMD160 HMAC wrong result
- sjcl: bignum subtraction incorrect result
- NSS: SEED ECB leaves output buffer uninitialized when encrypting more than 1 block
- libgcrypt: gcry_mpi_invm indicates multiplicative inverse exists when it does not
- wolfCrypt: AES GCM allows IV of size 0
- wolfCrypt: AES CCM allows invalid tag sizes
- LibreSSL: AES GCM allows IV of size 0
- OpenSSL: CAST5 invalid output
- Crypto++: SPECK64 different output if input is passed in chunks
- Crypto++: Undersized SipHash key leads to buffer out-of-bounds read
- libkcapi: PBKDF2 with iteration count = 0 zeroes output buffer
- wolfCrypt: HKDF allows key sizes > 255 * digest size TBA
- Botan: HKDF clamps output to 255 * requested key size
- SymCrypt: Signed overshift and other undefined behavior
- NSS: ChaCha20, ChaCha20/Poly1305 OOB read, OOB write, incorrect output with multi-part updating or small AEAD tag, CVE-2020-12403
- OpenSSL: AES key wrap ciphers out-of-bounds write
- LibreSSL: AES key wrap ciphers use-after-free
- OpenSSL: AES key wrap ciphers use-after-free
- Crypto++: AES GCM encryption with large tag size results in incorrect output, out-of-bounds reads
- mbed TLS: mbedtls_md_setup memory leak if allocation fails
- OpenSSL: EVP_CIPHER_CTX re-initialisation bugs
- OpenSSL: KBKDF NULL ptr dereference
- Botan: PointGFp_Multi_Point_Precompute gives wrong result when an infinity point occurs in the precomputation (credit to @andrewkozlik)
- Botan: ECDSA hash truncation discrepancy
- mbed TLS: mbedtls_cipher_auth_encrypt with AES key wrap OOB write
- bignumber.js: squareRoot() produces incorrect result
- elliptic: Curves p384 and p521 produce incorrect results
- Nettle: Blowfish signed integer overshift
- Golang: crypto/ecdsa: signature verification succeeds when it should fail
- SymCrypt: Elliptic curve private-to-public incorrect result on Linux 32 bit
- libtomcrypt: PBKDF1 hang if iterations is 0
- libtomcrypt: TEA cipher incorrect result
- SymCrypt: NULL pointer access in struct offset resolution
- BearSSL: Carry propagation bug in ECC code. Commit: b2ec2030e40acf5e9e4cd0f2669aacb27eadb540
- Trezor firmware: ECDSA verification fails if hash is curve order
- Botan: ECDSA verification succeeds with invalid public key
- Botan: KDF + BLAKE incorrect result
- Crypto++: ECDSA verification succeeds with invalid signature
- micro-ecc: ECDSA verification fails when it should succeed
- Parity libsecp256k1: RFC6979 signature discrepancy if input is curve order
- LibreSSL: ECDSA verification succeeds with invalid public key
- SymCrypt: Uninitialized memory used as array index in ECDSA verification if hash is 0
- TBA: TBA
- NSS/ecckiila: ECDSA verification fails for all-zero hash
- mbed TLS: mbedtls_mpi_sub_abs memory corruption
- relic: Out-of-bounds read via bn_sqr_basic
- relic: Wrong square root computation
- relic: ECDSA verification discrepancies
- relic: bn_write_str buffer overflow
- Nettle: ECDSA verification fails for all-zero hash
- relic: Buffer overflow via bn_mxp_slide
- relic: bn_mxp_monty incorrect result
- NSS: TBA