-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OSS-Fuzz integration #833
Comments
Sorry about the late reply @guidovranken,
I started looking into OSS-Fuzz several months ago, but nothing came of it. I have not had time to loop back to it. I don't have spare cycles at the moment. If you add Crypto++ and find some bugs, then please share them. I embrace bug hunting. I don't search for excuses why they are not our problem. I simply fix them and move on. Crypto++ will not be the weak link in the chain.
I send similar reports to https://groups.google.com/forum/#!forum/cryptopp-build . You can send chatty messages, like test started and test complete, to cryptopp-build for record keeping. If you manage to break things, then please email me noloader, gmail account. Or send a note to the mailing list at https://groups.google.com/forum/#!forum/cryptopp-users . Please keep the messages on-point. |
Hello @noloader, Crypto++ fuzzing has been operational (as a part of my crypto fuzzing framework) on OSS-Fuzz for a few days. Crypto++ is one of the most stable/secure projects I've tested so far. There's only a potential wrong output for RC2 (it differs with OpenSSL/LibreSSL, but it could also be a bug in those libraries, or a bug of my own). I will report it to you or the list some time soon (I also have limited time and this is a volunteering effort). |
You may as well open a bug report here. I can verify the Crypto++ results, and document things for you, like the implementation and test vectors we use. Usually when these types of questions arise I cross-validate Crypto++ with Jack Lloyd's Botan. |
Wei Dai deserves all the credit. He designed the library, and made it easy to use safely. Wei is no longer involved in the day-today operations. He turned the library over to the community several years ago. I think we have found less about three or five non-trivial bugs in his code. |
|
I've build a cryptography implementation differential fuzzer that has been running on OSS-Fuzz for a few weeks and has found some nice bugs.
I will be integrating Crypto++ support for my fuzzer into OSS-Fuzz shortly. Would any of the maintainers like to be notified of automated bug reports? If so, please give me one or more e-mail addresses linked to a Google account.
I noticed that someone had commenced OSS-Fuzz integration, did anything come of this?
I'm also running a bignum differential fuzzer on OSS-Fuzz. Would you be interested in writing Crypto++ support for this fuzzer?
The text was updated successfully, but these errors were encountered: