[openssl-dev] Fuzzer Patch(es)
Benjamin Kaduk
bkaduk at akamai.com
Fri Aug 26 16:33:52 UTC 2016
On 08/25/2016 04:33 PM, Tom Ritter wrote:
> NCC Group has prepared (or begun preparing) a patch that integrates
> fuzzing of OpenSSL.
Exciting stuff, most of which I will ignore for now and ask a targeted
question.
> - Because ossltest cooks MD5 to output a constant value, OpenSSL's RNG
> becomes constant.
Is it specifically MD5 and not SHA1? That would be worrisome, as I
thought rand_lcl.h would be setting up for USE_SHA1_RAND by default, not
md5.
-Ben
> This causes an error in ssl/ssl_sess.c:generate_session_id() because
> it always generates a colliding Session ID. This breaks renegotiation
> in the test harness. I haven't thought of an elegant way to resolve this.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160826/5f387274/attachment.html>
More information about the openssl-dev
mailing list