1 /* $OpenBSD: test_parser_fuzz.c,v 1.8 2022/12/04 00:23:03 tobhe Exp $ */
2 /*
3 * Fuzz tests for payload parsing
4 *
5 * Placed in the public domain
6 */
7
8 #include <sys/socket.h>
9 #include <sys/queue.h>
10 #include <sys/uio.h>
11
12 #include <endian.h>
13 #include <event.h>
14 #include <imsg.h>
15 #include <string.h>
16 #include <syslog.h>
17
18 #include "iked.h"
19 #include "ikev2.h"
20 #include "test_helper.h"
21
22 extern int ikev2_pld_payloads(struct iked *, struct iked_message *,
23 size_t, size_t, u_int);
24
25 void parser_fuzz_tests(void);
26
/*
 * First 16 bytes of every seed message: the two 8-byte IKE SPIs
 * ("cookies").  The responder cookie is all zero.
 */
uint8_t cookies[] = {
	0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0x00, 0x01, /* initiator cookie */
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 /* responder cookie */
};
31
/*
 * Remaining 12 bytes of the fixed IKEv2 header, appended after cookies[].
 * Next payload is 0 (none), version byte 0x20, exchange type 0x22
 * (IKE_SA_INIT in RFC 7296), flags 0x08 (initiator bit).
 * The total-length field is left zero here; set_length() patches it once
 * the seed message is assembled.
 */
uint8_t genhdr[] = {
	0x00, 0x20, 0x22, 0x08, /* next, major/minor, exchange type, flags */
	0x00, 0x00, 0x00, 0x00, /* message ID */
	0x00, 0x00, 0x00, 0x00 /* total length */
};
37
/*
 * Minimal SA payload: 4-byte generic payload header (next 0, length 0x000c)
 * followed by one 8-byte proposal (proposal #1, protocol 1, SPI size 0,
 * zero transforms).
 */
uint8_t sa_pld[] = {
	0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x08, 0x01, 0x01, 0x00, 0x00
};
41
/*
 * SA payload with transforms: generic header (length 0x0040), then one
 * proposal of length 0x003c (proposal #1, protocol 1, SPI size 0) that
 * announces 6 transforms.  Each transform starts with a "more" byte
 * (0x03 = another follows, 0x00 = last) and a 16-bit length; the second
 * one carries a 4-byte attribute (0x800e, value 0x00c0).
 */
uint8_t saxform_pld[] = {
	0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x3c,
	0x01, 0x01, 0x00, 0x06, 0x03, 0x00, 0x00, 0x08,
	0x03, 0x00, 0x00, 0x0c, 0x03, 0x00, 0x00, 0x0c,
	0x01, 0x00, 0x00, 0x0c, 0x80, 0x0e, 0x00, 0xc0,
	0x03, 0x00, 0x00, 0x08, 0x04, 0x00, 0x00, 0x0e,
	0x03, 0x00, 0x00, 0x08, 0x02, 0x00, 0x00, 0x05,
	0x03, 0x00, 0x00, 0x08, 0x02, 0x00, 0x00, 0x02,
	0x00, 0x00, 0x00, 0x08, 0x02, 0x00, 0x00, 0x01
};
52
/*
 * Key Exchange payload: generic header (length 0x0108 = 264), DH group
 * number 0x000e, two reserved bytes, then 256 bytes of key exchange data.
 */
uint8_t ke_pld[] = {
	0x00, 0x00, 0x01, 0x08, 0x00, 0x0e, 0x00, 0x00, 0x16, 0xcb,
	0x68, 0xaf, 0x63, 0xfe, 0xb0, 0x58, 0x49, 0x0e, 0x7f, 0x85,
	0x60, 0x53, 0x80, 0xae, 0x3f, 0x82, 0xf3, 0x35, 0x21, 0xd5,
	0xae, 0x09, 0x1c, 0xfa, 0x68, 0xc2, 0xfb, 0x4b, 0xb3, 0x84,
	0xda, 0xaf, 0x6e, 0xe2, 0x5e, 0xc5, 0xb6, 0x8c, 0x35, 0x3c,
	0xec, 0x58, 0x7f, 0xa9, 0xf8, 0xa4, 0x24, 0xf3, 0xf8, 0xf4,
	0x65, 0x59, 0x8c, 0x15, 0x4d, 0x2c, 0xf1, 0x5d, 0xeb, 0x57,
	0x68, 0xfe, 0x75, 0x61, 0x5a, 0x80, 0x96, 0xa4, 0x0a, 0xad,
	0x75, 0x71, 0xd8, 0xe0, 0x06, 0xbc, 0xde, 0x16, 0x6d, 0x1e,
	0xd9, 0x5d, 0x2c, 0x00, 0x66, 0x43, 0x82, 0xe4, 0x6f, 0x5f,
	0x95, 0xe7, 0x9b, 0xfd, 0xf2, 0xe2, 0xcb, 0xc5, 0xf1, 0x52,
	0xdd, 0x3b, 0xed, 0x88, 0xd4, 0xa9, 0x13, 0x4e, 0x42, 0xe8,
	0x60, 0x2d, 0x3c, 0xf6, 0xc8, 0xf0, 0x70, 0x42, 0xfa, 0x33,
	0x7f, 0x28, 0xdf, 0x6b, 0x79, 0x2c, 0x79, 0x8f, 0xc0, 0x5d,
	0x81, 0x7a, 0x62, 0xdb, 0xd4, 0x44, 0x3a, 0x3c, 0x21, 0xbf,
	0x85, 0xc8, 0x0b, 0x8c, 0x77, 0x72, 0xe9, 0xfb, 0x50, 0x5c,
	0x03, 0xa6, 0xb2, 0x3f, 0x17, 0x4a, 0xd1, 0xb3, 0x01, 0x30,
	0xad, 0xe4, 0xfa, 0xe2, 0xba, 0x6f, 0x22, 0x83, 0xf4, 0xde,
	0x38, 0x43, 0xe8, 0x27, 0x00, 0xb8, 0x95, 0xbe, 0x03, 0x8f,
	0xcd, 0xd3, 0x72, 0xed, 0xa5, 0xed, 0x8d, 0xf4, 0x68, 0x98,
	0xef, 0x59, 0xcc, 0xfb, 0x54, 0x89, 0xde, 0xa9, 0xd4, 0x88,
	0xcd, 0xb9, 0xca, 0x09, 0xd3, 0xd5, 0x25, 0xb1, 0x8c, 0x58,
	0x12, 0x9c, 0x69, 0x03, 0x72, 0x00, 0xc9, 0xca, 0x95, 0x8a,
	0xce, 0x0d, 0xd2, 0xc8, 0x25, 0xe7, 0x7c, 0xed, 0x5e, 0xee,
	0x35, 0x01, 0xfc, 0x00, 0x56, 0xed, 0xf3, 0x8d, 0x81, 0x6c,
	0x3e, 0x86, 0x6a, 0x40, 0xac, 0xc7, 0x9c, 0x7a, 0xbf, 0x9f,
	0x8e, 0x1f, 0xd8, 0x60
};
82
/*
 * Nonce payload: generic header (length 0x0024 = 36) followed by 32 bytes
 * of nonce data.
 */
uint8_t nonce_pld[] = {
	0x00, 0x00, 0x00, 0x24, 0x5f, 0x61, 0x42, 0x72, 0x7d, 0xb2,
	0xa8, 0xc1, 0xfe, 0xb1, 0x38, 0x2e, 0xb8, 0x75, 0xa7, 0xc1,
	0x1d, 0x8a, 0xa7, 0xb7, 0x9b, 0x92, 0xe2, 0x0e, 0x3a, 0x18,
	0x20, 0xb6, 0x16, 0xf3, 0x35, 0x67,
};
89
/*
 * Two back-to-back Notify payloads of 0x001c (28) bytes each: protocol 0,
 * SPI size 0, notify types 0x4004 and 0x4005 (NAT_DETECTION_SOURCE_IP and
 * NAT_DETECTION_DESTINATION_IP in RFC 7296), each with 20 bytes of data.
 * Both generic headers carry next-payload 0, unlike the copy embedded in
 * valid_packet[] where the first one chains to the second.
 */
uint8_t notify_pld[] = {
	0x00, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x04, 0xc7, 0xa0,
	0x68, 0x68, 0x09, 0x0a, 0x7f, 0x12, 0x0b, 0x13, 0xd3, 0x2f,
	0xde, 0x64, 0x8b, 0xf1, 0xc3, 0x3c, 0x79, 0x8f, 0x00, 0x00,
	0x00, 0x1c, 0x00, 0x00, 0x40, 0x05, 0x9f, 0xbc, 0x8c, 0xd0,
	0x91, 0x5e, 0xa0, 0x87, 0x81, 0xab, 0x4f, 0xa1, 0x8a, 0xa7,
	0xa8, 0xf9, 0xeb, 0xdf, 0x9f, 0x2c
};
98
/*
 * Identification payload: generic header (length 0x000c), ID type 1
 * (ID_IPV4_ADDR in RFC 7296), three reserved bytes, then the address
 * 172.18.125.1.
 */
uint8_t id_pld[] = {
	0x00, 0x00, 0x00, 0x0c, 0x01, 0x00, 0x00, 0x00,
	0xac, 0x12, 0x7d, 0x01
};
103
/*
 * Certificate payload: generic header declaring length 0x0110 (272),
 * encoding byte 0x0b (Raw RSA Key in RFC 7296), then the certificate data.
 * NOTE(review): by count the array holds 280 bytes, i.e. 8 more than the
 * declared payload length -- confirm whether the trailing bytes are
 * intentional.
 */
uint8_t cert_pld[] = {
	0x00, 0x00, 0x01, 0x10, 0x0b, 0x00, 0x00, 0x00,
	0x30, 0x82, 0x01, 0x0c, 0x02, 0x82, 0x01, 0x01, 0x00, 0x8a,
	0x26, 0xf8, 0x9e, 0xe8, 0x09, 0x11, 0x6b, 0x3d, 0x00, 0xd3,
	0x25, 0xf8, 0x9f, 0xe8, 0x09, 0x11, 0x6b, 0x3d, 0x10, 0xd3,
	0x0b, 0x9a, 0xb0, 0xb7, 0xe4, 0x3e, 0x40, 0x59, 0xd7, 0x51,
	0x03, 0xaf, 0x09, 0x79, 0x1b, 0x0d, 0x63, 0x66, 0x28, 0xaa,
	0x97, 0xc8, 0x20, 0x4b, 0x28, 0x9b, 0x5e, 0x8c, 0xa9, 0x8f,
	0x73, 0x81, 0xb4, 0xfa, 0xf4, 0xdd, 0x05, 0x69, 0x0b, 0x71,
	0x72, 0xd8, 0xbb, 0xac, 0x4b, 0x6d, 0x67, 0x5a, 0xa2, 0x63,
	0x5d, 0x6d, 0x27, 0xc5, 0xf4, 0xe6, 0x0a, 0xbd, 0x2b, 0x0a,
	0x64, 0xb2, 0xcf, 0x59, 0x63, 0x9b, 0x5c, 0x4f, 0x26, 0x36,
	0xe3, 0x10, 0x70, 0x3c, 0x39, 0x77, 0x55, 0x07, 0x1c, 0x12,
	0xde, 0x60, 0x53, 0xa1, 0x70, 0xf4, 0xda, 0xfc, 0xcc, 0xec,
	0xad, 0x6d, 0x34, 0xad, 0xe2, 0x36, 0x10, 0x93, 0x59, 0x0c,
	0x81, 0x8d, 0x22, 0x7e, 0x57, 0xeb, 0x89, 0x26, 0xdb, 0x6e,
	0x99, 0x9a, 0xde, 0xbe, 0xad, 0xef, 0xca, 0xaf, 0xfe, 0xfe,
	0x99, 0x9a, 0xde, 0xbe, 0xad, 0xef, 0xca, 0xaf, 0xfe, 0xfe,
	0x6f, 0xd4, 0xe4, 0x63, 0x6c, 0x3e, 0x83, 0x09, 0xf4, 0x32,
	0x78, 0x3b, 0x71, 0xe9, 0x36, 0xb6, 0x92, 0xf6, 0xa8, 0x31,
	0x4d, 0x7c, 0xd0, 0xa1, 0x30, 0x55, 0xb6, 0x6b, 0x9e, 0xb7,
	0x41, 0xa8, 0x77, 0x6c, 0x96, 0xb8, 0xa2, 0x0c, 0x7d, 0x70,
	0xca, 0x51, 0xb9, 0xad, 0xc5, 0x75, 0xa7, 0xf1, 0x1e, 0x0e,
	0xca, 0x51, 0xb9, 0xad, 0xc5, 0x75, 0xa7, 0xf1, 0x1e, 0x0e,
	0xf2, 0xcf, 0x69, 0xbf, 0x20, 0xe9, 0x97, 0x05, 0xdd, 0xf3,
	0xf2, 0xcf, 0x69, 0xbf, 0x20, 0xe9, 0x97, 0x05, 0xdd, 0xf3,
	0x32, 0x58, 0x37, 0x8c, 0x5d, 0x02, 0x05, 0x00, 0xd1, 0x76,
	0x67, 0x01, 0x67, 0x75, 0x3b, 0xba, 0x45, 0xc2, 0xa2, 0x77,
	0x3b, 0x7e, 0xb4, 0x03, 0x88, 0x08, 0x93, 0xfe, 0x07, 0x51,
	0x8e, 0xcf
};
135
/*
 * Certificate Request payload with no certification-authority data:
 * generic header (length 0x0005) plus the encoding byte 0x0b.
 */
uint8_t certreq_pld[] = {
	0x00, 0x00, 0x00, 0x05, 0x0b
};
139
/*
 * Authentication payload: generic header (length 0x0108 = 264), auth
 * method 1 (RSA Digital Signature in RFC 7296), three reserved bytes,
 * then 256 bytes of authentication data.
 */
uint8_t auth_pld[] = {
	0x00, 0x00, 0x01, 0x08, 0x01, 0x00, 0x00, 0x00,
	0x2a, 0x34, 0x80, 0x52, 0x3c, 0x86, 0x1c, 0xfa, 0x9a, 0x2b,
	0x8b, 0xff, 0xbb, 0xb5, 0x0d, 0x6b, 0xa1, 0x62, 0x58, 0xd8,
	0x16, 0xaa, 0x15, 0xe4, 0x34, 0x24, 0xca, 0xc3, 0x09, 0x08,
	0x51, 0x69, 0x69, 0xef, 0xbd, 0xb7, 0xd4, 0xc5, 0x4f, 0x6c,
	0x12, 0xd5, 0xd0, 0x0b, 0xc7, 0x66, 0x0d, 0xcb, 0x6d, 0x01,
	0x7b, 0x8c, 0xec, 0x3d, 0x98, 0xe5, 0x2a, 0xac, 0x11, 0xde,
	0x88, 0x2e, 0xf2, 0x22, 0x98, 0x13, 0x73, 0xa3, 0x38, 0xd0,
	0x43, 0xf4, 0xc6, 0xf0, 0xc1, 0x24, 0x1a, 0x7a, 0x9f, 0xba,
	0x03, 0x25, 0x49, 0xe5, 0x8e, 0xb7, 0x5d, 0x79, 0x76, 0xfd,
	0x22, 0x5c, 0xba, 0x82, 0xb8, 0x75, 0x81, 0xc6, 0x79, 0xb3,
	0x56, 0x44, 0x82, 0x80, 0x5a, 0x3c, 0xe8, 0x21, 0xe4, 0xdb,
	0xfd, 0x1c, 0xd3, 0x18, 0xbd, 0x74, 0x22, 0x25, 0x44, 0xde,
	0x0b, 0x7e, 0x6e, 0xdb, 0xe3, 0x3b, 0x17, 0xc1, 0x4d, 0x5e,
	0x51, 0x87, 0xb0, 0x5a, 0xce, 0x5f, 0x23, 0xce, 0x18, 0x61,
	0x03, 0x02, 0x7e, 0x4b, 0x36, 0xb0, 0x7c, 0x90, 0xcf, 0xac,
	0x81, 0xc4, 0x45, 0xa3, 0x50, 0x01, 0x2e, 0x0a, 0xce, 0x62,
	0x7a, 0xe0, 0xa7, 0xc0, 0x45, 0x5e, 0x90, 0xe2, 0x2e, 0xc6,
	0x90, 0xe9, 0xbe, 0x8f, 0xe9, 0x31, 0xa9, 0xc9, 0x44, 0x62,
	0x31, 0xb6, 0x13, 0xaf, 0xd5, 0x9a, 0x55, 0x9b, 0x14, 0xf9,
	0x80, 0xcc, 0x73, 0xe3, 0x51, 0xdf, 0x2a, 0x04, 0x79, 0x0d,
	0x04, 0xee, 0x4c, 0xa8, 0x9d, 0xaa, 0x67, 0x2f, 0x77, 0x87,
	0x5e, 0x2d, 0x05, 0x95, 0xbe, 0x53, 0x45, 0x96, 0x8b, 0x89,
	0x79, 0x5b, 0x48, 0xe2, 0x6f, 0x3a, 0xc9, 0xef, 0x83, 0x81,
	0xcc, 0x4c, 0xfe, 0xb7, 0x40, 0x2d, 0xa5, 0xa5, 0x51, 0xb7,
	0xad, 0x2f, 0x29, 0xd8, 0xc8, 0x02, 0xbe, 0x18, 0x09, 0xd0,
	0xba, 0x71, 0x77, 0xfe, 0x2c, 0x6d
};
169
/*
 * Two chained Delete payloads of 0x0010 (16) bytes each.  The first has
 * next-payload 0x2a (Delete), protocol 1, SPI size 8 and one SPI; the
 * second ends the chain (next 0) with protocol 3, SPI size 4 and two SPIs.
 */
uint8_t delete_pld[] = {
	0x2a, 0x00, 0x00, 0x10, 0x01, 0x08, 0x00, 0x01, /* IKE SA */
	0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0xaf, 0xfe,
	0x00, 0x00, 0x00, 0x10, 0x03, 0x04, 0x00, 0x02, /* ESP SA */
	0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00, 0x11
};
176
/*
 * Vendor ID payload: generic header (length 0x0008) plus a 4-byte
 * vendor ID value.
 */
uint8_t vendor_pld[] = {
	0x00, 0x00, 0x00, 0x08, 0x11, 0x22, 0x33, 0x44
};
180
/*
 * Traffic Selector payload, used for both the TSi and TSr test cases:
 * generic header (length 0x0018), one selector, three reserved bytes,
 * then a selector of type 7 (TS_IPV4_ADDR_RANGE in RFC 7296), protocol 0,
 * selector length 0x0010, ports 0-65535, addresses
 * 172.40.125.0-172.40.125.255.
 */
uint8_t ts_pld[] = {
	0x00, 0x00, 0x00, 0x18, 0x01, 0x00, 0x00, 0x00,
	0x07, 0x00, 0x00, 0x10, 0x00, 0x00, 0xff, 0xff,
	0xac, 0x28, 0x7d, 0x00, 0xac, 0x28, 0x7d, 0xff
};
186
/*
 * Encrypted Fragment (SKF) payload: generic header with next-payload 0x21
 * and length 0x0198 (408), fragment number 0x0001, total fragments 0x0001,
 * then 400 bytes of opaque data.  Apart from the 4-byte fragment counters
 * the bytes match sk_pld[].
 */
uint8_t skf_1of1_pld[] = {
	0x21, 0x00, 0x01, 0x98, 0x00, 0x01, 0x00, 0x01, 0x14, 0x77,
	0x25, 0x7b, 0x82, 0xc0, 0xdb, 0x0b, 0x24, 0x36, 0x36, 0x13,
	0x36, 0xe4, 0x99, 0xad, 0xf5, 0xaf, 0x26, 0x6f, 0x47, 0xd2,
	0x0d, 0x65, 0xe1, 0xa8, 0xcb, 0x35, 0x1e, 0x53, 0xce, 0x6d,
	0x8e, 0xf9, 0xe4, 0x51, 0xe3, 0x27, 0x10, 0x43, 0x38, 0x84,
	0x54, 0x1d, 0x7a, 0x1a, 0x89, 0x34, 0x06, 0xb3, 0x62, 0x86,
	0x98, 0x3b, 0x39, 0x91, 0x6e, 0xe8, 0x65, 0x3e, 0x31, 0xa8,
	0x08, 0xfe, 0x83, 0x56, 0x30, 0xd3, 0xe0, 0xfd, 0x73, 0x92,
	0x85, 0x2d, 0xae, 0x1d, 0x7d, 0xdb, 0x47, 0x05, 0x57, 0xe7,
	0x8e, 0xc5, 0xa5, 0x1b, 0x0e, 0x85, 0x1f, 0x12, 0x6d, 0xe6,
	0xdb, 0x3a, 0x3e, 0x99, 0xd1, 0x23, 0x41, 0xa4, 0x1c, 0x46,
	0x38, 0xd1, 0xa8, 0x84, 0x96, 0x13, 0xdb, 0x2a, 0x1d, 0x3b,
	0xb8, 0xd2, 0x04, 0xb3, 0x0d, 0xb4, 0x71, 0x90, 0xdb, 0xf6,
	0x2d, 0x60, 0x01, 0xc2, 0xb2, 0x89, 0xbd, 0xe9, 0x95, 0x7b,
	0x53, 0xa4, 0x94, 0x7e, 0x12, 0xe9, 0x5f, 0xfc, 0x51, 0x17,
	0x94, 0x3e, 0xba, 0xc2, 0xa5, 0x4d, 0x3a, 0x4d, 0x4b, 0x95,
	0x6d, 0x91, 0xc2, 0xb0, 0x2d, 0xb7, 0x24, 0xe8, 0x3b, 0xbd,
	0xe0, 0xcc, 0x09, 0x50, 0x11, 0x83, 0xc0, 0xcd, 0x29, 0x33,
	0xd5, 0x8f, 0x8a, 0xd1, 0xe3, 0xe8, 0x4f, 0x6a, 0x10, 0x4a,
	0x64, 0x97, 0x0f, 0x38, 0x58, 0x8d, 0x7f, 0x5d, 0xb4, 0x6b,
	0xa0, 0x42, 0x5e, 0x95, 0xe6, 0x08, 0x3e, 0x01, 0xf8, 0x82,
	0x90, 0x81, 0xd4, 0x70, 0xb5, 0xb2, 0x8c, 0x64, 0xa9, 0x56,
	0xdd, 0xc2, 0xda, 0xe1, 0xd3, 0xad, 0xf8, 0x5b, 0x99, 0x0b,
	0x19, 0x5e, 0x88, 0x0d, 0x81, 0x04, 0x4d, 0xc1, 0x43, 0x41,
	0xf1, 0xd3, 0x45, 0x65, 0x62, 0x70, 0x2f, 0xfa, 0x62, 0xbe,
	0x7d, 0xf4, 0x94, 0x91, 0xe0, 0xbb, 0xb1, 0xbc, 0xe5, 0x27,
	0xc8, 0x15, 0xd4, 0xcb, 0x82, 0x97, 0x15, 0x46, 0x82, 0xbb,
	0x48, 0xbb, 0x16, 0x25, 0xbe, 0x82, 0xe4, 0x27, 0x80, 0xf3,
	0xc2, 0x92, 0x3b, 0xd6, 0xc3, 0x65, 0x20, 0xec, 0x50, 0xdb,
	0x6a, 0xcb, 0x47, 0x73, 0xf7, 0x98, 0xf1, 0x66, 0x5e, 0xc4,
	0xe9, 0x87, 0xf8, 0xcb, 0x1e, 0x06, 0xa7, 0x67, 0xf5, 0xec,
	0x73, 0xe5, 0xc7, 0x4d, 0xc2, 0x90, 0xe4, 0xdf, 0x9d, 0x1f,
	0x05, 0x67, 0x99, 0xd6, 0xf0, 0xc4, 0x20, 0xbc, 0xf8, 0xf5,
	0x3e, 0x19, 0xe9, 0x3a, 0x12, 0xe1, 0xcc, 0x9f, 0x81, 0x55,
	0x1e, 0xad, 0xc8, 0xa3, 0xe5, 0x98, 0xbe, 0xe0, 0x4d, 0xb7,
	0x6b, 0xd5, 0xbe, 0x6a, 0x3d, 0x76, 0xb6, 0xe2, 0xa5, 0xa7,
	0x96, 0x68, 0xeb, 0x91, 0xee, 0x02, 0xfc, 0xe4, 0x01, 0xc3,
	0x24, 0xda, 0x4c, 0xff, 0x10, 0x27, 0x78, 0xb0, 0x0b, 0x55,
	0x5c, 0xce, 0x62, 0x7d, 0x33, 0x2b, 0x25, 0x99, 0xaa, 0x99,
	0xea, 0xa3, 0x1d, 0xd8, 0x2b, 0x57, 0xb5, 0xe4, 0x04, 0x21,
	0x75, 0xd9, 0xc4, 0xd0, 0x3d, 0xa1, 0xa5, 0x8f
};
230
/*
 * Encrypted (SK) payload: generic header with next-payload 0x21 and
 * length 0x0194 (404), then 400 bytes of opaque data.
 * NOTE(review): no test case in parser_fuzz_tests() references this
 * array, so the plain SK payload path is not seeded by this file --
 * confirm whether a case was intended.
 */
uint8_t sk_pld[] = {
	0x21, 0x00, 0x01, 0x94, 0x14, 0x77, 0x25, 0x7b, 0x82, 0xc0,
	0xdb, 0x0b, 0x24, 0x36, 0x36, 0x13, 0x36, 0xe4, 0x99, 0xad,
	0xf5, 0xaf, 0x26, 0x6f, 0x47, 0xd2, 0x0d, 0x65, 0xe1, 0xa8,
	0xcb, 0x35, 0x1e, 0x53, 0xce, 0x6d, 0x8e, 0xf9, 0xe4, 0x51,
	0xe3, 0x27, 0x10, 0x43, 0x38, 0x84, 0x54, 0x1d, 0x7a, 0x1a,
	0x89, 0x34, 0x06, 0xb3, 0x62, 0x86, 0x98, 0x3b, 0x39, 0x91,
	0x6e, 0xe8, 0x65, 0x3e, 0x31, 0xa8, 0x08, 0xfe, 0x83, 0x56,
	0x30, 0xd3, 0xe0, 0xfd, 0x73, 0x92, 0x85, 0x2d, 0xae, 0x1d,
	0x7d, 0xdb, 0x47, 0x05, 0x57, 0xe7, 0x8e, 0xc5, 0xa5, 0x1b,
	0x0e, 0x85, 0x1f, 0x12, 0x6d, 0xe6, 0xdb, 0x3a, 0x3e, 0x99,
	0xd1, 0x23, 0x41, 0xa4, 0x1c, 0x46, 0x38, 0xd1, 0xa8, 0x84,
	0x96, 0x13, 0xdb, 0x2a, 0x1d, 0x3b, 0xb8, 0xd2, 0x04, 0xb3,
	0x0d, 0xb4, 0x71, 0x90, 0xdb, 0xf6, 0x2d, 0x60, 0x01, 0xc2,
	0xb2, 0x89, 0xbd, 0xe9, 0x95, 0x7b, 0x53, 0xa4, 0x94, 0x7e,
	0x12, 0xe9, 0x5f, 0xfc, 0x51, 0x17, 0x94, 0x3e, 0xba, 0xc2,
	0xa5, 0x4d, 0x3a, 0x4d, 0x4b, 0x95, 0x6d, 0x91, 0xc2, 0xb0,
	0x2d, 0xb7, 0x24, 0xe8, 0x3b, 0xbd, 0xe0, 0xcc, 0x09, 0x50,
	0x11, 0x83, 0xc0, 0xcd, 0x29, 0x33, 0xd5, 0x8f, 0x8a, 0xd1,
	0xe3, 0xe8, 0x4f, 0x6a, 0x10, 0x4a, 0x64, 0x97, 0x0f, 0x38,
	0x58, 0x8d, 0x7f, 0x5d, 0xb4, 0x6b, 0xa0, 0x42, 0x5e, 0x95,
	0xe6, 0x08, 0x3e, 0x01, 0xf8, 0x82, 0x90, 0x81, 0xd4, 0x70,
	0xb5, 0xb2, 0x8c, 0x64, 0xa9, 0x56, 0xdd, 0xc2, 0xda, 0xe1,
	0xd3, 0xad, 0xf8, 0x5b, 0x99, 0x0b, 0x19, 0x5e, 0x88, 0x0d,
	0x81, 0x04, 0x4d, 0xc1, 0x43, 0x41, 0xf1, 0xd3, 0x45, 0x65,
	0x62, 0x70, 0x2f, 0xfa, 0x62, 0xbe, 0x7d, 0xf4, 0x94, 0x91,
	0xe0, 0xbb, 0xb1, 0xbc, 0xe5, 0x27, 0xc8, 0x15, 0xd4, 0xcb,
	0x82, 0x97, 0x15, 0x46, 0x82, 0xbb, 0x48, 0xbb, 0x16, 0x25,
	0xbe, 0x82, 0xe4, 0x27, 0x80, 0xf3, 0xc2, 0x92, 0x3b, 0xd6,
	0xc3, 0x65, 0x20, 0xec, 0x50, 0xdb, 0x6a, 0xcb, 0x47, 0x73,
	0xf7, 0x98, 0xf1, 0x66, 0x5e, 0xc4, 0xe9, 0x87, 0xf8, 0xcb,
	0x1e, 0x06, 0xa7, 0x67, 0xf5, 0xec, 0x73, 0xe5, 0xc7, 0x4d,
	0xc2, 0x90, 0xe4, 0xdf, 0x9d, 0x1f, 0x05, 0x67, 0x99, 0xd6,
	0xf0, 0xc4, 0x20, 0xbc, 0xf8, 0xf5, 0x3e, 0x19, 0xe9, 0x3a,
	0x12, 0xe1, 0xcc, 0x9f, 0x81, 0x55, 0x1e, 0xad, 0xc8, 0xa3,
	0xe5, 0x98, 0xbe, 0xe0, 0x4d, 0xb7, 0x6b, 0xd5, 0xbe, 0x6a,
	0x3d, 0x76, 0xb6, 0xe2, 0xa5, 0xa7, 0x96, 0x68, 0xeb, 0x91,
	0xee, 0x02, 0xfc, 0xe4, 0x01, 0xc3, 0x24, 0xda, 0x4c, 0xff,
	0x10, 0x27, 0x78, 0xb0, 0x0b, 0x55, 0x5c, 0xce, 0x62, 0x7d,
	0x33, 0x2b, 0x25, 0x99, 0xaa, 0x99, 0xea, 0xa3, 0x1d, 0xd8,
	0x2b, 0x57, 0xb5, 0xe4, 0x04, 0x21, 0x75, 0xd9, 0xc4, 0xd0,
	0x3d, 0xa1, 0xa5, 0x8f
};
274
/*
 * Five chained Configuration payloads (next-payload 0x2f on all but the
 * last).  Each starts with a 4-byte generic header, then the CFG type and
 * three reserved bytes, then zero or more attributes encoded as a 16-bit
 * type, a 16-bit length and the value.  The INTERNAL_IP6_ADDRESS attribute
 * in the fourth payload declares a zero-length value.
 */
uint8_t cp_pld[] = {
	0x2f, 0x00, 0x00, 0x0c,
	0x01, 0x00, 0x00, 0x00, /* REQUEST */
	0x00, 0x01, 0x00, 0x00, /* INTERNAL_IP4_ADDRESS */
	0x2f, 0x00, 0x00, 0x10,
	0x02, 0x00, 0x00, 0x00, /* REPLY */
	0x00, 0x01, 0x00, 0x04, /* INTERNAL_IP4_ADDRESS */
	0xaa, 0xbb, 0xcc, 0xdd, /* 170.187.204.221 */
	0x2f, 0x00, 0x00, 0x08,
	0x03, 0x00, 0x00, 0x00, /* SET (empty) */
	0x2f, 0x00, 0x00, 0x24,
	0x02, 0x00, 0x00, 0x00, /* REPLY */
	0x00, 0x01, 0x00, 0x04, /* INTERNAL_IP4_ADDRESS */
	0xaa, 0xaa, 0xaa, 0xaa, /* 170.170.170.170 */
	0x00, 0x02, 0x00, 0x04, /* INTERNAL_IP4_NETMASK */
	0xbb, 0xbb, 0xbb, 0xbb, /* 187.187.187.187 */
	0x00, 0x03, 0x00, 0x04, /* INTERNAL_IP4_DNS */
	0xcc, 0xcc, 0xcc, 0xcc, /* 204.204.204.204 */
	0x00, 0x08, 0x00, 0x00, /* INTERNAL_IP6_ADDRESS */
	0x00, 0x00, 0x00, 0x08,
	0x04, 0x00, 0x00, 0x00, /* ACK (empty) */
};
297
/*
 * Four chained EAP payloads (next-payload 0x30 on all but the last).
 * After each 4-byte generic header comes an EAP message: code, identifier
 * and 16-bit length, plus a type byte for codes 1 and 2.  The codes used
 * are 1-4 (Request, Response, Success, Failure in RFC 3748).  The second
 * payload carries three bytes beyond the EAP length field's value of 5.
 */
uint8_t eap_pld[] = {
	0x30, 0x00, 0x00, 0x09,
	0x01, 0x00, 0x00, 0x05, 0x01,
	0x30, 0x00, 0x00, 0x0c,
	0x02, 0x00, 0x00, 0x05, 0x01, 0xfa, 0xfb, 0xfc,
	0x30, 0x00, 0x00, 0x08,
	0x03, 0x00, 0x00, 0x04,
	0x00, 0x00, 0x00, 0x08,
	0x04, 0x00, 0x00, 0x04
};
308
/*
 * Valid initiator packet.
 *
 * A complete 448-byte message: the same cookies as cookies[], a header
 * with next-payload 0x21, version 0x20, exchange type 0x22, flags 0x08
 * and total length 0x000001c0, followed by the SA (with transforms), KE,
 * Nonce and two Notify payloads chained through their next-payload bytes.
 */
uint8_t valid_packet[] = {
	0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0x00, 0x01, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x21, 0x20, 0x22, 0x08,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xc0, 0x22, 0x00,
	0x00, 0x40, 0x00, 0x00, 0x00, 0x3c, 0x01, 0x01, 0x00, 0x06,
	0x03, 0x00, 0x00, 0x08, 0x03, 0x00, 0x00, 0x0c, 0x03, 0x00,
	0x00, 0x0c, 0x01, 0x00, 0x00, 0x0c, 0x80, 0x0e, 0x00, 0xc0,
	0x03, 0x00, 0x00, 0x08, 0x04, 0x00, 0x00, 0x0e, 0x03, 0x00,
	0x00, 0x08, 0x02, 0x00, 0x00, 0x05, 0x03, 0x00, 0x00, 0x08,
	0x02, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x08, 0x02, 0x00,
	0x00, 0x01, 0x28, 0x00, 0x01, 0x08, 0x00, 0x0e, 0x00, 0x00,
	0x16, 0xcb, 0x68, 0xaf, 0x63, 0xfe, 0xb0, 0x58, 0x49, 0x0e,
	0x7f, 0x85, 0x60, 0x53, 0x80, 0xae, 0x3f, 0x82, 0xf3, 0x35,
	0x21, 0xd5, 0xae, 0x09, 0x1c, 0xfa, 0x68, 0xc2, 0xfb, 0x4b,
	0xb3, 0x84, 0xda, 0xaf, 0x6e, 0xe2, 0x5e, 0xc5, 0xb6, 0x8c,
	0x35, 0x3c, 0xec, 0x58, 0x7f, 0xa9, 0xf8, 0xa4, 0x24, 0xf3,
	0xf8, 0xf4, 0x65, 0x59, 0x8c, 0x15, 0x4d, 0x2c, 0xf1, 0x5d,
	0xeb, 0x57, 0x68, 0xfe, 0x75, 0x61, 0x5a, 0x80, 0x96, 0xa4,
	0x0a, 0xad, 0x75, 0x71, 0xd8, 0xe0, 0x06, 0xbc, 0xde, 0x16,
	0x6d, 0x1e, 0xd9, 0x5d, 0x2c, 0x00, 0x66, 0x43, 0x82, 0xe4,
	0x6f, 0x5f, 0x95, 0xe7, 0x9b, 0xfd, 0xf2, 0xe2, 0xcb, 0xc5,
	0xf1, 0x52, 0xdd, 0x3b, 0xed, 0x88, 0xd4, 0xa9, 0x13, 0x4e,
	0x42, 0xe8, 0x60, 0x2d, 0x3c, 0xf6, 0xc8, 0xf0, 0x70, 0x42,
	0xfa, 0x33, 0x7f, 0x28, 0xdf, 0x6b, 0x79, 0x2c, 0x79, 0x8f,
	0xc0, 0x5d, 0x81, 0x7a, 0x62, 0xdb, 0xd4, 0x44, 0x3a, 0x3c,
	0x21, 0xbf, 0x85, 0xc8, 0x0b, 0x8c, 0x77, 0x72, 0xe9, 0xfb,
	0x50, 0x5c, 0x03, 0xa6, 0xb2, 0x3f, 0x17, 0x4a, 0xd1, 0xb3,
	0x01, 0x30, 0xad, 0xe4, 0xfa, 0xe2, 0xba, 0x6f, 0x22, 0x83,
	0xf4, 0xde, 0x38, 0x43, 0xe8, 0x27, 0x00, 0xb8, 0x95, 0xbe,
	0x03, 0x8f, 0xcd, 0xd3, 0x72, 0xed, 0xa5, 0xed, 0x8d, 0xf4,
	0x68, 0x98, 0xef, 0x59, 0xcc, 0xfb, 0x54, 0x89, 0xde, 0xa9,
	0xd4, 0x88, 0xcd, 0xb9, 0xca, 0x09, 0xd3, 0xd5, 0x25, 0xb1,
	0x8c, 0x58, 0x12, 0x9c, 0x69, 0x03, 0x72, 0x00, 0xc9, 0xca,
	0x95, 0x8a, 0xce, 0x0d, 0xd2, 0xc8, 0x25, 0xe7, 0x7c, 0xed,
	0x5e, 0xee, 0x35, 0x01, 0xfc, 0x00, 0x56, 0xed, 0xf3, 0x8d,
	0x81, 0x6c, 0x3e, 0x86, 0x6a, 0x40, 0xac, 0xc7, 0x9c, 0x7a,
	0xbf, 0x9f, 0x8e, 0x1f, 0xd8, 0x60, 0x29, 0x00, 0x00, 0x24,
	0x5f, 0x61, 0x42, 0x72, 0x7d, 0xb2, 0xa8, 0xc1, 0xfe, 0xb1,
	0x38, 0x2e, 0xb8, 0x75, 0xa7, 0xc1, 0x1d, 0x8a, 0xa7, 0xb7,
	0x9b, 0x92, 0xe2, 0x0e, 0x3a, 0x18, 0x20, 0xb6, 0x16, 0xf3,
	0x35, 0x67, 0x29, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x04,
	0xc7, 0xa0, 0x68, 0x68, 0x09, 0x0a, 0x7f, 0x12, 0x0b, 0x13,
	0xd3, 0x2f, 0xde, 0x64, 0x8b, 0xf1, 0xc3, 0x3c, 0x79, 0x8f,
	0x00, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x05, 0x9f, 0xbc,
	0x8c, 0xd0, 0x91, 0x5e, 0xa0, 0x87, 0x81, 0xab, 0x4f, 0xa1,
	0x8a, 0xa7, 0xa8, 0xf9, 0xeb, 0xdf, 0x9f, 0x2c
};
357
/*
 * Byte offsets of the fixed header fields inside a seed message.
 * The cookie offsets are literal; the remaining ones are expressed
 * relative to sizeof(cookies), i.e. as positions inside genhdr[].
 * None of the accessors below checks the buffer length, so callers must
 * make sure at least sizeof(cookies) + sizeof(genhdr) bytes are present.
 */
#define OFFSET_ICOOKIE		0
#define OFFSET_RCOOKIE		8
#define OFFSET_NEXTPAYLOAD	(0 + sizeof(cookies))
#define OFFSET_VERSION		(1 + sizeof(cookies))
#define OFFSET_EXCHANGE		(2 + sizeof(cookies))
#define OFFSET_LENGTH		(8 + sizeof(cookies))
364
/*
 * Return a pointer to the initiator cookie inside a raw message.
 * No bounds check is made; data must cover the fixed header.
 */
static uint8_t *
get_icookie(uint8_t *data)
{
	return data + OFFSET_ICOOKIE;
}
370
/*
 * Return a pointer to the responder cookie inside a raw message.
 * No bounds check is made; data must cover the fixed header.
 */
static uint8_t *
get_rcookie(uint8_t *data)
{
	return data + OFFSET_RCOOKIE;
}
376
/*
 * Read the next-payload byte of the fixed header.
 * No bounds check is made; data must cover the fixed header.
 */
static uint8_t
get_nextpayload(uint8_t *data)
{
	const uint8_t	*field = data + OFFSET_NEXTPAYLOAD;

	return *field;
}
382
/*
 * Read the version byte (major/minor nibbles) of the fixed header.
 * No bounds check is made; data must cover the fixed header.
 */
static uint8_t
get_version(uint8_t *data)
{
	const uint8_t	*field = data + OFFSET_VERSION;

	return *field;
}
388
/*
 * Read the exchange-type byte of the fixed header.
 * No bounds check is made; data must cover the fixed header.
 */
static uint8_t
get_exchange(uint8_t *data)
{
	const uint8_t	*field = data + OFFSET_EXCHANGE;

	return *field;
}
394
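/*
 * Read the 32-bit total-length field of the fixed header.
 *
 * The four bytes are returned exactly as they sit in the buffer, i.e. in
 * wire (big-endian) order; no byte swap is applied.  prepare_header()
 * stores the value unchanged in hdr->ike_length.
 *
 * The field is copied out with memcpy() instead of being read through a
 * cast uint32_t pointer, so the access stays defined even if data is not
 * 4-byte aligned and does not depend on aliasing a byte buffer as a
 * uint32_t.  No bounds check is made; data must cover the fixed header.
 */
static uint32_t
get_length(uint8_t *data)
{
	uint32_t	 wire;

	memcpy(&wire, &data[OFFSET_LENGTH], sizeof(wire));
	return wire;
}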
400
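/*
 * Store length into the total-length field of the fixed header, converted
 * to big-endian with htobe32().
 *
 * The value is written with memcpy() instead of through a cast uint32_t
 * pointer, so the store stays defined even if data is not 4-byte aligned.
 * No bounds check is made; data must cover the fixed header.
 */
static void
set_length(uint8_t *data, uint32_t length)
{
	uint32_t	 wire;

	wire = htobe32(length);
	memcpy(&data[OFFSET_LENGTH], &wire, sizeof(wire));
}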
409
/*
 * Overwrite the next-payload byte of the fixed header with next.
 * No bounds check is made; data must cover the fixed header.
 */
static void
set_nextpayload(uint8_t *data, uint8_t next)
{
	uint8_t	*field = data + OFFSET_NEXTPAYLOAD;

	*field = next;
}
415
/*
 * Fill *hdr from the raw bytes held in data.
 *
 * hdr is cleared first, then the SPIs, next-payload, version, exchange
 * type and length are copied from their fixed offsets.  The length is
 * taken over in wire byte order because get_length() does not swap it.
 * The buffer size is not checked here; the caller has to guarantee that
 * data holds at least sizeof(cookies) + sizeof(genhdr) bytes.
 */
static void
prepare_header(struct ike_header *hdr, struct ibuf *data)
{
	uint8_t	*raw = ibuf_data(data);

	memset(hdr, 0, sizeof(*hdr));
	memcpy(&hdr->ike_ispi, get_icookie(raw), sizeof(hdr->ike_ispi));
	memcpy(&hdr->ike_rspi, get_rcookie(raw), sizeof(hdr->ike_rspi));
	hdr->ike_nextpayload = get_nextpayload(raw);
	hdr->ike_version = get_version(raw);
	hdr->ike_exchange = get_exchange(raw);
	hdr->ike_length = get_length(raw);
}
429
/*
 * Reset *msg and point it at data so it can be handed to the parser.
 *
 * The SA the message refers to is a single function-static object that
 * is zeroed on every call, so all messages prepared here share it and a
 * previously prepared message must not be used afterwards.
 * msg_e is set to 1 -- presumably so the parser treats the payloads as
 * already decrypted; confirm against ikev2_pld_parse().
 *
 * NOTE(review): *msg is cleared without releasing anything a previous
 * parse may have attached to it; if the parser allocates per-message
 * state, that state is dropped here -- confirm.
 */
static void
prepare_message(struct iked_message *msg, struct ibuf *data)
{
	static struct iked_sa	 shared_sa;

	memset(msg, 0, sizeof(*msg));
	memset(&shared_sa, 0, sizeof(shared_sa));

	msg->msg_parent = msg;
	msg->msg_e = 1;
	msg->msg_data = data;
	msg->msg_sa = &shared_sa;
}
443
/*
 * Run the parser over every mutation produced by fuzz.
 *
 * Each mutated blob is copied into a fresh ibuf and dumped with
 * print_hex().  Blobs shorter than the fixed header
 * (sizeof(cookies) + sizeof(genhdr)) are skipped, because
 * prepare_header() reads that many bytes without checking.  The result of
 * ikev2_pld_parse() is deliberately not examined: a mutated message may
 * be accepted or rejected, the test only requires that parsing returns.
 *
 * NOTE(review): nothing in this file releases the fuzz context after the
 * loop, so each test case leaves it allocated -- confirm whether
 * test_helper offers a cleanup routine that should be called.
 */
static void
perform_test(struct fuzz *fuzz)
{
	const size_t		 min_len = sizeof(cookies) + sizeof(genhdr);
	struct iked_message	 msg;
	struct ike_header	 hdr;
	struct ibuf		*fuzzed;

	memset(&msg, 0, sizeof(msg));
	memset(&hdr, 0, sizeof(hdr));

	for (; !fuzz_done(fuzz); fuzz_next(fuzz)) {
		ASSERT_PTR_NE(fuzzed = ibuf_new(fuzz_ptr(fuzz), fuzz_len(fuzz)),
		    NULL);
		print_hex(ibuf_data(fuzzed), 0, ibuf_size(fuzzed));

		/* We need at least cookies and generic header. */
		if (ibuf_size(fuzzed) >= min_len) {
			prepare_header(&hdr, fuzzed);
			prepare_message(&msg, fuzzed);

			ikev2_pld_parse(NULL, &hdr, &msg, 0);
		}

		ibuf_free(fuzzed);
	}
}
473
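/* One seed message made of cookies[] + genhdr[] + an optional payload. */
struct parser_case {
	const char	*name;		/* label passed to TEST_START() */
	uint8_t		*pld;		/* payload appended after genhdr, or NULL */
	size_t		 pldlen;	/* number of bytes at pld */
	uint8_t		 next;		/* payload type written into the header */
};

/*
 * Seeds built from a single payload, in the order they are run.
 * NOTE(review): sk_pld[] is defined in this file but has no entry here.
 */
static const struct parser_case payload_cases[] = {
	{ "fuzz generic header", NULL, 0, 0 },
	{ "fuzz skf_1of1 payload", skf_1of1_pld, sizeof(skf_1of1_pld),
	    IKEV2_PAYLOAD_SKF },
	{ "fuzz sa payload", sa_pld, sizeof(sa_pld), IKEV2_PAYLOAD_SA },
	{ "fuzz sa and xform payload", saxform_pld, sizeof(saxform_pld),
	    IKEV2_PAYLOAD_SA },
	{ "fuzz ke payload", ke_pld, sizeof(ke_pld), IKEV2_PAYLOAD_KE },
	{ "fuzz nonce payload", nonce_pld, sizeof(nonce_pld),
	    IKEV2_PAYLOAD_NONCE },
	{ "fuzz notify payload", notify_pld, sizeof(notify_pld),
	    IKEV2_PAYLOAD_NOTIFY },
	{ "fuzz id payload", id_pld, sizeof(id_pld), IKEV2_PAYLOAD_IDi },
	{ "fuzz cert payload", cert_pld, sizeof(cert_pld),
	    IKEV2_PAYLOAD_CERT },
	{ "fuzz certreq payload", certreq_pld, sizeof(certreq_pld),
	    IKEV2_PAYLOAD_CERTREQ },
	{ "fuzz auth payload", auth_pld, sizeof(auth_pld),
	    IKEV2_PAYLOAD_AUTH },
	{ "fuzz delete notify payload", delete_pld, sizeof(delete_pld),
	    IKEV2_PAYLOAD_DELETE },
	{ "fuzz vendor id payload", vendor_pld, sizeof(vendor_pld),
	    IKEV2_PAYLOAD_VENDOR },
	{ "fuzz traffic selector initiator payload", ts_pld, sizeof(ts_pld),
	    IKEV2_PAYLOAD_TSi },
	{ "fuzz traffic selector responder payload", ts_pld, sizeof(ts_pld),
	    IKEV2_PAYLOAD_TSr },
	{ "fuzz configuration payload", cp_pld, sizeof(cp_pld),
	    IKEV2_PAYLOAD_CP },
	{ "fuzz eap payload", eap_pld, sizeof(eap_pld), IKEV2_PAYLOAD_EAP },
};

/*
 * Finish an assembled seed message and fuzz it.
 *
 * Patches the header length to the real buffer size, checks that the
 * unmodified seed parses successfully (so every mutation starts from a
 * message the parser accepts), then hands the bytes to fuzz_begin() and
 * runs all mutations through perform_test().  Takes ownership of data and
 * frees it.
 *
 * data is freed before perform_test() runs, which relies on fuzz_begin()
 * keeping its own copy of the seed bytes -- NOTE(review): confirm against
 * test_helper; if it only stored the pointer this would be a
 * use-after-free.
 * NOTE(review): the fuzz context is not released afterwards; nothing in
 * this file does so.
 */
static void
fuzz_from_seed(struct ibuf *data)
{
	struct iked_message	 msg;
	struct ike_header	 hdr;
	struct fuzz		*fuzz;

	set_length(ibuf_data(data), ibuf_size(data));
	print_hex(ibuf_data(data), 0, ibuf_size(data));
	prepare_header(&hdr, data);
	prepare_message(&msg, data);
	ASSERT_INT_EQ(ikev2_pld_parse(NULL, &hdr, &msg, 0), 0);
	fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | FUZZ_2_BIT_FLIP |
	    FUZZ_1_BYTE_FLIP | FUZZ_2_BYTE_FLIP |
	    FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END |
	    FUZZ_BASE64,
	    ibuf_data(data), ibuf_size(data));
	ibuf_free(data);
	perform_test(fuzz);
}

/*
 * Entry point of the parser fuzz tests.
 *
 * Runs one test case per entry of payload_cases[] (fixed header plus a
 * single payload type) and finally one case seeded with the complete
 * valid_packet[].  The cases, their names and their order are the same as
 * in the former hand-unrolled version; the per-case setup now lives in one
 * place so all cases are guaranteed to go through the identical sequence.
 * A failing assertion is attributed to its case by the TEST_START() name.
 */
void
parser_fuzz_tests(void)
{
	const struct parser_case	*c;
	struct ibuf			*data;
	size_t				 i;

	log_init(1, LOG_DAEMON);
	log_setverbose(0);

	for (i = 0; i < sizeof(payload_cases) / sizeof(payload_cases[0]);
	    i++) {
		c = &payload_cases[i];

		TEST_START(c->name);
		ASSERT_PTR_NE(data = ibuf_new(cookies, sizeof(cookies)), NULL);
		ASSERT_INT_EQ(ibuf_add(data, genhdr, sizeof(genhdr)), 0);
		/* The header-only case keeps genhdr's next-payload of 0. */
		if (c->pld != NULL) {
			ASSERT_INT_EQ(ibuf_add(data, c->pld, c->pldlen), 0);
			set_nextpayload(ibuf_data(data), c->next);
		}
		fuzz_from_seed(data);
		TEST_DONE();
	}

	TEST_START("fuzz full valid packet");
	ASSERT_PTR_NE(data = ibuf_new(valid_packet, sizeof(valid_packet)),
	    NULL);
	fuzz_from_seed(data);
	TEST_DONE();
}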
823