OSS-Fuzz integration

[guidovranken]

My project https://github.com/guidovranken/cryptofuzz uses fuzzing to find bugs in cryptographic libraries and is very effective at that: https://github.com/guidovranken/cryptofuzz#bugs-found-by-cryptofuzz

For relic I've already implemented a large portion of the bignum functions: https://github.com/guidovranken/cryptofuzz/commit/1e9dc133f368071cc6c7b5e067e79f476b1bc71a

Is there interest in running a fuzzer for Relic using Cryptofuzz at OSS-Fuzz (https://github.com/google/oss-fuzz)? The only condition for integration is that the library (relic) must be maintained, so any bugs found by the fuzzer must be fixed. A Google account is required.

[dfaranha]

Nice project, thanks for the offer! There is certainly interest from my part, but I've been a little busy to respond quickly to bug reports.

How fast are the bugs expected to be fixed? :)

[guidovranken]

Thanks for the quick response. Every bug will be automatically disclosed after 90 days. I think fixing them after 90 days is OK too, as long as they are getting fixed at some point.

[dfaranha]

Sounds like a good deal! Where do I sign up? :)

[guidovranken]

1. I need to have your e-mail address that is connected to a Google account (doesn't necessarily have to be a gmail addresses) and that of any other maintainers
2. Is there a way to disable relic stdout/stderr output completely? It is the nature of fuzzing to do things that are not necessary normal (like dividing by zero). I try/catch all errors, but the error handler fprintf's a message to the screen. This causes a great slowdown. How can we disable those messages?
3. Is ALLOC=DYNAMIC supported and working as intended? I get a lot of memory bugs when running random operations with random inputs in DYNAMIC mode.
4. Do you have any suggestions as to the build configuration of relic for our purpose?

[dfaranha]

1. dfaranha at gmail dot com
2. You can build with QUIET=on. The error checking can be disabled entirely with CHECK=off, but I'm not sure that's what you want.
3. It is not the default, so it rarely gets properly tested. I tried to remove it several times in the past, but could not because users found applications for it. Nowadays I mostly use it as a canary for memory safety. I would not be surprised that many bugs arise when it is turned on.
4. Can we start with the default configuration and see how it goes?

[guidovranken]

With QUIET=on I still get a lot of messages like

ERROR in bn_div_rem() at /src/relic/src/bn/relic_bn_div.c,142: invalid value passed as input.

ERROR in bn_grow() at /src/relic/src/bn/relic_bn_mem.c,124: insufficient precision.

ERROR in bn_div() at /src/relic/src/bn/relic_bn_div.c,135: invalid value passed as input.
	CAUGHT in bn_lcm() at /src/relic/src/bn/relic_bn_lcm.c,60.

Is there any way to turn it off completely?

[dfaranha]

I just updated QUIET=on to be really quiet, let's see how it goes.