Repository files navigation

Cryptofuzz was created and maintained byGuido Vranken and credit for its design, development and impact should be attributed to Guido. FollowingGuido's decision to withdraw from the open-source community, this fork was created to keep the code available and support community contributions.

For building Cryptofuzz, please refer todocs/building.md.

For instructions on how to run Cryptofuzz, please seedocs/running.md.

• OpenSSL:ARIA GCM ciphers memory leak after EVP_CTRL_AEAD_SET_IVLEN
• OpenSSL:HMAC with SHAKE128 via EVP interface crashes on EVP_DigestSignUpdate
• OpenSSL:BLAKE2b_Update can pass NULL to memcpy (undefined behavior)
• LibreSSL:EVP_aes_128_cbc_hmac_sha1, EVP_aes_256_cbc_hmac_sha1 decrypt OOB read/crash/invalid result
• OpenSSL:CHACHA20_POLY1305 different results for chunked/non-chunked updating
• OpenSSL:OpenSSL 1.0.2: BIO_read + *_WRAP ciphers copy to uninitialized pointer
• BoringSSL:AEAD AES GCM SIV NULL pointer dereference/OOB read
• LibreSSL:BIO_read can report more bytes written than buffer can hold
• LibreSSL:Use-after-free/bad free after EVP_CIPHER_CTX_copy
• BoringSSL:Use-after-free/bad free after EVP_CIPHER_CTX_copy
• LibreSSL:GOST HMAC uses and outputs uninitialized memory
• OpenSSL:Overlong tag buffer leaves memory uninitialized in CCM mode
• OpenSSL:Buffer write overflow when passing large RC5 key
• OpenSSL:Hang after particular sequence of operations
• LibreSSL:Overlong tag buffer leaves memory uninitialized in CCM mode
• LibreSSL:AES GCM context copy crash
• LibreSSL:Streebog wrong output
• OpenSSL:EVP_EncryptUpdate, EVP_EncryptFinal_ex branching on uninitialized memory
• libgcrypt:Invalid output of MD4, MD5, RIPEMD160
• OpenSSL: RC5 signed integer overflow, TBA
• LibreSSL:AES CCM context copy crash
• LibreSSL:DES EDE3 CFB1 leaves output uninitialized
• Crypto++:Scrypt crash with blocksize 0
• EverCrypt: Illegal instruction exception on non-AVX CPUs
• OpenSSL:OpenSSL 1.0.2: RC4 OOB read
• OpenSSL:OpenSSL 1.0.2: Branch on uninitialized memory in EVP_CIPHER_CTX_copy
• Crypto++:PBKDF1 OOB read
• NSS:MD2 invalid output
• Botan:CAST5_CBC invalid output
• Botan:Streebog invalid output
• Botan:PBKDF2 hang (very long loop) if iterations == 0
• NSS:HKDF SHA1 stack buffer overflow, CVE-2019-11759
• NSS:RC2 CBC OOB read with undersized IV
• NSS:SEED_CBC encryption out-of-bounds write
• NSS:CKM_AES_GCM succeeds with invalid tag sizes, risk of memory corruption
• NSS:PBKDF2 memory leak if key size > 256
• NSS:DES IV buffer overread if IV is undersized
• wolfCrypt:RC4 may dereference empty key
• wolfCrypt:SCRYPT leaves output buffer uninitialized
• wolfCrypt: wc_HKDF + BLAKE2B leaves output buffer uninitialized
• wolfCrypt:PKCS12 PBKDF + SHA3 buffer overflow
• NSS: mp_toradix buffer overflow (write) TBA
• BLAKE3:memcpy undefined behavior in C impl
• sjcl:scrypt wrong result with certain parameters
• sjcl:RIPEMD160 HMAC wrong result
• sjcl:bignum subtraction incorrect result
• NSS:SEEK ECB leaves output buffer uninitialized when encrypting more than 1 block
• libgcrypt:gcry_mpi_invm indicates multiplicative inverse exists when it does not
• wolfCrypt:AES GCM allows IV of size 0
• wolfCrypt:AES CCM allows invalid tag sizes
• LibreSSL:AES GCM allows IV of size 0
• OpenSSL:CAST5 invalid output
• Crypto++:SPECK64 different output if input is passed in chunks
• Crypto++:Undersized SipHash key leads to buffer out-of-bounds read
• libkcapi:PBKDF2 with iteration count = 0 zeroes output buffer
• wolfCrypt:HKDF allows key sizes > 255 * digest size TBA
• Botan:HKDF clamps output to 255 * requested key size
• SymCrypt:Signed overshift and other undefined behavior
• NSS:ChaCha20, ChaCha20/Poly1305 OOB read, OOB write, incorrect output with multi-part updating or small AEAD tag, CVE-2020-12403
• OpenSSL:AES key wrap ciphers out-of-bounds write
• LibreSSL:AES key wrap ciphers use-after-free
• OpenSSL:AES key wrap ciphers use-after-free
• Crypto++:AES GCM encryption with large tag size results in incorrect output, out-of-bounds reads
• mbed TLS:mbedtls_md_setup memory leak if allocation fails
• OpenSSL:EVP_CIPHER_CTX re-initialisation bugs
• OpenSSL:KBKDF NULL ptr dereference
• Botan:PointGFp_Multi_Point_Precompute gives wrong result when an infinity point occurs in the precomputation (credit to @andrewkozlik)
• Botan:ECDSA hash truncation discrepancy
• mbed TLS:mbedtls_cipher_auth_encrypt with AES key wrap OOB write
• bignumber.js:squareRoot() produces incorrect result
• elliptic:Curves p384 and p521 produce incorrect results
• Nettle:Blowfish signed integer overshift
• Golang:crypto/ecdsa: signature verification succeeds when it should fail
• SymCrypt:Elliptic curve private-to-public incorrect result on Linux 32 bit
• libtomcrypt:PKBDF1 hang if iterations is 0
• libtomcrypt:TEA cipher incorrect result
• SymCrypt:NULL pointer access in struct offset resolution
• BearSSL: Carry propagation bug in ECC code. Commit: b2ec2030e40acf5e9e4cd0f2669aacb27eadb540
• Trezor firmware:ECDSA verification fails if hash is curve order
• Botan:ECDSA verification succeeds with invalid public key
• Botan:KDF + BLAKE incorrect result
• Crypto++:ECDSA verification succeeds with invalid signature
• micro-ecc:ECDSA verification fails when it should succeed
• Parity libsecp256k1:RFC6979 signature discrepancy if input is curve order
• LibreSSL:ECDSA verification succeeds with invalid public key
• SymCrypt:Uninitialized memory used as array index in ECDSA verification if hash is 0
• TBA: TBA
• NSS/ecckiila:ECDSA verification fails for all-zero hash
• mbed TLS:mbedtls_mpi_sub_abs memory corruption
• relic:Out-of-bounds read via bn_sqr_basic
• relic:Wrong square root computation
• relic:ECDSA verification discrepancies
• relic:bn_write_str buffer overflow
• Nettle:ECDSA verification fails for all-zero hash
• relic:Buffer overflow via bn_mxp_slide
• relic:bn_mxp_monty incorrect result
• relic: Several other memory and correctness bugs
• libgcrypt:ECDSA verification succeeds with invalid public key
• libgcrypt:Out-of-bounds read in SHA256
• SymCrypt:Invalid ECDSA signature and public key for private key that is curve order
• SymCrypt:ECDSA signing branches on uninitialized memory
• blst:Modular inverse incorrect result
• blst:Inverse modulo hangs on i386 if input is 0 or multiple of modulo
• blstUsing non-standard 'dst' parameter branches on uninitialized memory
• Botan:Incorrect comparison of negative values
• blst:NULL pointer dereference if msg is empty and aug is non-empty
• Nettle:Crash, potential incorrect verification in ECDSA verification
• relic:Modular exponentiation returns 1 if exponent is 0 and modulo is 1
• Chia bls-signatures: TBA
• relic:BLAKE2S160, BLAKE2S256 functions leave output buffer uninitialized if input is empty
• Botan:BigInt right-shifting can cause std::vector to throw std::length_error
• mbed TLS:ECDSA signing of 0 produces unverifiable signature
• mbed TLS:PKCS12 KDF + MD2 incorrect result
• libgcryptCMAC + SERPENT/IDEA/RC2 buffer overflow/crash with oversized key
• Parity libsecp256k1:Verifies signatures whose R,S > curve order
• Botan:ECDSA pubkey recovery succeeds with invalid parameters
• mbed TLS:CHACHA20-POLY1305 succeeds with invalid IV size
• SymCrypt:ECDSA signing produces invalid signature
• BLAKE reference implementation:Updating with empty buffer resets internal counter
• Herumi mcl:Incorrect results with dst larger than 255 bytes
• LibreSSL:EC_POINT_point2oct / EC_POINT_oct2point asymmetry
• noble-secp256k1: Several ECDSA verification bugs:123
• blst:NULL pointer dereference if point multiplier is zero-stripped
• libecc:Use of uninitialized memory in ECGDSA signing
• noble-ed25519:Accepts overlong private keys
• relic:Elliptic curve point multiplication incorrect result if input X = 0
• relic:Incorrect point validation
• Chia/relic: Allows loading invalid point12
• blst:Branching on uninitialize memory
• num-bigint:Panic on multiplication
• Botan:Produces invalid ECDSA signatures
• libgcrypt:gcry_mpi_sub_ui result is positive when it should be negative
• Decred uint256:Incorrect decimal string formatting
• Botan:Undefined behavior upon instantiating DL_Group
• libtommath:mp_is_square says 0 is not a square
• OpenSSL:HMAC use-after-free after copying ctx
• Golang:CVE-2022-23806: crypto/elliptic: IsOnCurve returns true for invalid field elements
• mbed TLS:mbedtls_ecp_muladd hangs with oversized point coordinates
• BoringSSL:EVP_AEAD_CTX_free NULL pointer dereference if pointer is NULL
• blst:blst_fr_eucl_inverse incorrect result
• circl:Inadequate scalar reduction in p384 leads to panic
• Herumi mcl:map-to-curve incorrect result if both inputs are equivalent
• OpenSSL:BN_mod_exp2_mont NULL pointer dereference if modulus is 0
• relic:bn_mod_pmers hangs if modulus is 0
• relic:bn_mod_barrt out-of-bounds write and hang
• relic:bn_gcd_ext_stein returns different Bezout coefficients
• Zig:std.math.big.int panics (divFloor, gcd, bitAnd)
• NSS:mp_xgcd produces incorrect Bezout coefficients
• Nettle: TBA
• libgcrypt:Argon2 incorrect result and division by zero
• Herumi mcl:Incorrect result for G1 multiplication by Fp
• libgcrypt:gcry_mpi_invm incorrect result
• OpenSSL, LibreSSL:Incorrect NIST curve math
• relic:bn_lcm incorrect result with negative zero input
• relic:bn_gcd_lehme hangs with negative input
• relic:Modulo functions hang with negative inputs
• blst:blst_fp_is_square incorrect result on ARM
• OpenSSL, BoringSSL:BN_mod_exp_mont_consttime returns modulus when it should return 0
• libgcrypt:Allows invalid HKDF output sizes
• libgmp mini-gmp:mpz_powm incorrect result
• mbed TLS:mbedtls_mpi_mod_int produces incorrect results
• Zig:HKDF rejects maximum key size
• Zig:HMAC + SHA3 incorrect output
• Nim bigints:Division causes assert failure
• D:std.bigint powmod incorrect result on Ubuntu 20.04
• Golang:CVE-2023-24532: Specific unreduced P-256 scalars produce incorrect results
• OpenSSL, LibreSSL, BoringSSL:DSA signing hangs with invalid parameters
• Zig:Streaming SHA3 incorrect output
• Zig:Argon2 outputs uninitialized memory with keysize > 64
• Boost multiprecision:Loading cpp_int by std::string branches on uninitialized memory
• Zig:secp256k1 scalar multiplication panics
• kilic-bls12-381:Fr FromBytes does not reduce value if value is modulus
• OpenSSL, LibreSSL, BoringSSL:BN_mod_inverse incorrect result when parameters are aliased
• libgcrypt:Modular add/sub/mul incorrect result if result and modulus pointer are equal
• libecc:nn_modinv_2exp incorrect result if exponent is 0
• libecc:Modular addition incorrect result if result and modulus pointer are equal
• NEAR modexp precompile:Panic if exponent is 0
• arkworks-algebra:multi_scalar_mul incorrect result if scalar exceeds curve order
• Golang:crypto/ecdsa: P521 ecdsa.Verify panics with malformed message
• Golang:crypto/elliptic: P256 ScalarBaseMult with order-34 yields point at infinity
• Zig:Elliptic curve point addition incorrect result
• Botan:BigInt::random_integer hangs
• Constantine:Incorrect reduction of BigInt
• Constantine:Modular exponentiation incorrect result with power-of-2 modulus
• Constantine:Slow repeated modular exponentiation
• Constantine:BLS12-381 HashToCurve G1 incorrect result
• Constantine:Modular exponentiation crash
• libtommath:mp_exptmod incorrect result
• Botan:Undefined behavior in AlignmentBuffer::fill_up_with_zeros
• Constantine:Modular exponentiation incorrect result due to uninitialized memory
• Zig:std.math.big.int sqrt panics
• Botan:blinded_var_point_multiply incorrect result with curves with cofactor > 1
• OpenSSL:HKDF + BLAKE2S256 outputs uninitialized memory
• libgmp mini-gmp:mpz_gcdext Bézout coefficients do not match documentation
• relic:bn_gcd_ext_binar returns different Bezout coefficients
• LibreSSL:BN_bn2mpi out-of-bounds read
• Constantine:inv_vartime incorrect result