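/*	$OpenBSD: test_parser_fuzz.c,v 1.4 2020/09/21 20:10:14 tobhe Exp $ */
/*
 * Fuzz tests for payload parsing
 *
 * Each test builds a known-good IKEv2 message, checks that
 * ikev2_pld_parse() accepts it, and then replays mutated copies of the
 * same bytes through the parser.  Mutated input is allowed to be
 * rejected; the parser only has to survive it.
 *
 * Placed in the public domain
 */

#include <sys/socket.h>
#include <sys/param.h>
#include <sys/queue.h>
#include <sys/uio.h>

#include <event.h>
#include <imsg.h>
#include <string.h>

#include "iked.h"
#include "ikev2.h"
#include "test_helper.h"

/* NOTE(review): declared here but not called anywhere in this file. */
extern int	ikev2_pld_payloads(struct iked *, struct iked_message *,
		    size_t, size_t, u_int);

void		parser_fuzz_tests(void);

/*
 * Seed data.
 *
 * A test message is cookies[] + genhdr[] followed by at most one of the
 * payload arrays below; the next-payload and total-length fields of the
 * header are patched in afterwards by set_nextpayload() and set_length().
 */
u_int8_t cookies[] = {
	0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0x00, 0x01,	/* initiator cookie */
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00	/* responder cookie */
};

u_int8_t genhdr[] = {
	0x00, 0x20, 0x22, 0x08,	/* next, major/minor, exchange type, flags */
	0x00, 0x00, 0x00, 0x00,	/* message ID */
	0x00, 0x00, 0x00, 0x00	/* total length */
};

u_int8_t sa_pld[] = {
	0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x08, 0x01, 0x01, 0x00, 0x00
};

u_int8_t saxform_pld[] = {
	0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x3c,
	0x01, 0x01, 0x00, 0x06, 0x03, 0x00, 0x00, 0x08,
	0x03, 0x00, 0x00, 0x0c, 0x03, 0x00, 0x00, 0x0c,
	0x01, 0x00, 0x00, 0x0c, 0x80, 0x0e, 0x00, 0xc0,
	0x03, 0x00, 0x00, 0x08, 0x04, 0x00, 0x00, 0x0e,
	0x03, 0x00, 0x00, 0x08, 0x02, 0x00, 0x00, 0x05,
	0x03, 0x00, 0x00, 0x08, 0x02, 0x00, 0x00, 0x02,
	0x00, 0x00, 0x00, 0x08, 0x02, 0x00, 0x00, 0x01
};

u_int8_t ke_pld[] = {
	0x00, 0x00, 0x01, 0x08, 0x00, 0x0e, 0x00, 0x00, 0x16, 0xcb,
	0x68, 0xaf, 0x63, 0xfe, 0xb0, 0x58, 0x49, 0x0e, 0x7f, 0x85,
	0x60, 0x53, 0x80, 0xae, 0x3f, 0x82, 0xf3, 0x35, 0x21, 0xd5,
	0xae, 0x09, 0x1c, 0xfa, 0x68, 0xc2, 0xfb, 0x4b, 0xb3, 0x84,
	0xda, 0xaf, 0x6e, 0xe2, 0x5e, 0xc5, 0xb6, 0x8c, 0x35, 0x3c,
	0xec, 0x58, 0x7f, 0xa9, 0xf8, 0xa4, 0x24, 0xf3, 0xf8, 0xf4,
	0x65, 0x59, 0x8c, 0x15, 0x4d, 0x2c, 0xf1, 0x5d, 0xeb, 0x57,
	0x68, 0xfe, 0x75, 0x61, 0x5a, 0x80, 0x96, 0xa4, 0x0a, 0xad,
	0x75, 0x71, 0xd8, 0xe0, 0x06, 0xbc, 0xde, 0x16, 0x6d, 0x1e,
	0xd9, 0x5d, 0x2c, 0x00, 0x66, 0x43, 0x82, 0xe4, 0x6f, 0x5f,
	0x95, 0xe7, 0x9b, 0xfd, 0xf2, 0xe2, 0xcb, 0xc5, 0xf1, 0x52,
	0xdd, 0x3b, 0xed, 0x88, 0xd4, 0xa9, 0x13, 0x4e, 0x42, 0xe8,
	0x60, 0x2d, 0x3c, 0xf6, 0xc8, 0xf0, 0x70, 0x42, 0xfa, 0x33,
	0x7f, 0x28, 0xdf, 0x6b, 0x79, 0x2c, 0x79, 0x8f, 0xc0, 0x5d,
	0x81, 0x7a, 0x62, 0xdb, 0xd4, 0x44, 0x3a, 0x3c, 0x21, 0xbf,
	0x85, 0xc8, 0x0b, 0x8c, 0x77, 0x72, 0xe9, 0xfb, 0x50, 0x5c,
	0x03, 0xa6, 0xb2, 0x3f, 0x17, 0x4a, 0xd1, 0xb3, 0x01, 0x30,
	0xad, 0xe4, 0xfa, 0xe2, 0xba, 0x6f, 0x22, 0x83, 0xf4, 0xde,
	0x38, 0x43, 0xe8, 0x27, 0x00, 0xb8, 0x95, 0xbe, 0x03, 0x8f,
	0xcd, 0xd3, 0x72, 0xed, 0xa5, 0xed, 0x8d, 0xf4, 0x68, 0x98,
	0xef, 0x59, 0xcc, 0xfb, 0x54, 0x89, 0xde, 0xa9, 0xd4, 0x88,
	0xcd, 0xb9, 0xca, 0x09, 0xd3, 0xd5, 0x25, 0xb1, 0x8c, 0x58,
	0x12, 0x9c, 0x69, 0x03, 0x72, 0x00, 0xc9, 0xca, 0x95, 0x8a,
	0xce, 0x0d, 0xd2, 0xc8, 0x25, 0xe7, 0x7c, 0xed, 0x5e, 0xee,
	0x35, 0x01, 0xfc, 0x00, 0x56, 0xed, 0xf3, 0x8d, 0x81, 0x6c,
	0x3e, 0x86, 0x6a, 0x40, 0xac, 0xc7, 0x9c, 0x7a, 0xbf, 0x9f,
	0x8e, 0x1f, 0xd8, 0x60
};

u_int8_t nonce_pld[] = {
	0x00, 0x00, 0x00, 0x24, 0x5f, 0x61, 0x42, 0x72, 0x7d, 0xb2,
	0xa8, 0xc1, 0xfe, 0xb1, 0x38, 0x2e, 0xb8, 0x75, 0xa7, 0xc1,
	0x1d, 0x8a, 0xa7, 0xb7, 0x9b, 0x92, 0xe2, 0x0e, 0x3a, 0x18,
	0x20, 0xb6, 0x16, 0xf3, 0x35, 0x67,
};

u_int8_t notify_pld[] = {
	0x00, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x04, 0xc7, 0xa0,
	0x68, 0x68, 0x09, 0x0a, 0x7f, 0x12, 0x0b, 0x13, 0xd3, 0x2f,
	0xde, 0x64, 0x8b, 0xf1, 0xc3, 0x3c, 0x79, 0x8f, 0x00, 0x00,
	0x00, 0x1c, 0x00, 0x00, 0x40, 0x05, 0x9f, 0xbc, 0x8c, 0xd0,
	0x91, 0x5e, 0xa0, 0x87, 0x81, 0xab, 0x4f, 0xa1, 0x8a, 0xa7,
	0xa8, 0xf9, 0xeb, 0xdf, 0x9f, 0x2c
};

u_int8_t id_pld[] = {
	0x00, 0x00, 0x00, 0x0c, 0x01, 0x00, 0x00, 0x00,
	0xac, 0x12, 0x7d, 0x01
};

u_int8_t cert_pld[] = {
	0x00, 0x00, 0x01, 0x10, 0x0b, 0x00, 0x00, 0x00,
	0x30, 0x82, 0x01, 0x0c, 0x02, 0x82, 0x01, 0x01, 0x00, 0x8a,
	0x26, 0xf8, 0x9e, 0xe8, 0x09, 0x11, 0x6b, 0x3d, 0x00, 0xd3,
	0x25, 0xf8, 0x9f, 0xe8, 0x09, 0x11, 0x6b, 0x3d, 0x10, 0xd3,
	0x0b, 0x9a, 0xb0, 0xb7, 0xe4, 0x3e, 0x40, 0x59, 0xd7, 0x51,
	0x03, 0xaf, 0x09, 0x79, 0x1b, 0x0d, 0x63, 0x66, 0x28, 0xaa,
	0x97, 0xc8, 0x20, 0x4b, 0x28, 0x9b, 0x5e, 0x8c, 0xa9, 0x8f,
	0x73, 0x81, 0xb4, 0xfa, 0xf4, 0xdd, 0x05, 0x69, 0x0b, 0x71,
	0x72, 0xd8, 0xbb, 0xac, 0x4b, 0x6d, 0x67, 0x5a, 0xa2, 0x63,
	0x5d, 0x6d, 0x27, 0xc5, 0xf4, 0xe6, 0x0a, 0xbd, 0x2b, 0x0a,
	0x64, 0xb2, 0xcf, 0x59, 0x63, 0x9b, 0x5c, 0x4f, 0x26, 0x36,
	0xe3, 0x10, 0x70, 0x3c, 0x39, 0x77, 0x55, 0x07, 0x1c, 0x12,
	0xde, 0x60, 0x53, 0xa1, 0x70, 0xf4, 0xda, 0xfc, 0xcc, 0xec,
	0xad, 0x6d, 0x34, 0xad, 0xe2, 0x36, 0x10, 0x93, 0x59, 0x0c,
	0x81, 0x8d, 0x22, 0x7e, 0x57, 0xeb, 0x89, 0x26, 0xdb, 0x6e,
	0x99, 0x9a, 0xde, 0xbe, 0xad, 0xef, 0xca, 0xaf, 0xfe, 0xfe,
	0x99, 0x9a, 0xde, 0xbe, 0xad, 0xef, 0xca, 0xaf, 0xfe, 0xfe,
	0x6f, 0xd4, 0xe4, 0x63, 0x6c, 0x3e, 0x83, 0x09, 0xf4, 0x32,
	0x78, 0x3b, 0x71, 0xe9, 0x36, 0xb6, 0x92, 0xf6, 0xa8, 0x31,
	0x4d, 0x7c, 0xd0, 0xa1, 0x30, 0x55, 0xb6, 0x6b, 0x9e, 0xb7,
	0x41, 0xa8, 0x77, 0x6c, 0x96, 0xb8, 0xa2, 0x0c, 0x7d, 0x70,
	0xca, 0x51, 0xb9, 0xad, 0xc5, 0x75, 0xa7, 0xf1, 0x1e, 0x0e,
	0xca, 0x51, 0xb9, 0xad, 0xc5, 0x75, 0xa7, 0xf1, 0x1e, 0x0e,
	0xf2, 0xcf, 0x69, 0xbf, 0x20, 0xe9, 0x97, 0x05, 0xdd, 0xf3,
	0xf2, 0xcf, 0x69, 0xbf, 0x20, 0xe9, 0x97, 0x05, 0xdd, 0xf3,
	0x32, 0x58, 0x37, 0x8c, 0x5d, 0x02, 0x05, 0x00, 0xd1, 0x76,
	0x67, 0x01, 0x67, 0x75, 0x3b, 0xba, 0x45, 0xc2, 0xa2, 0x77,
	0x3b, 0x7e, 0xb4, 0x03, 0x88, 0x08, 0x93, 0xfe, 0x07, 0x51,
	0x8e, 0xcf
};

u_int8_t certreq_pld[] = {
	0x00, 0x00, 0x00, 0x05, 0x0b
};

u_int8_t auth_pld[] = {
	0x00, 0x00, 0x01, 0x08, 0x01, 0x00, 0x00, 0x00,
	0x2a, 0x34, 0x80, 0x52, 0x3c, 0x86, 0x1c, 0xfa, 0x9a, 0x2b,
	0x8b, 0xff, 0xbb, 0xb5, 0x0d, 0x6b, 0xa1, 0x62, 0x58, 0xd8,
	0x16, 0xaa, 0x15, 0xe4, 0x34, 0x24, 0xca, 0xc3, 0x09, 0x08,
	0x51, 0x69, 0x69, 0xef, 0xbd, 0xb7, 0xd4, 0xc5, 0x4f, 0x6c,
	0x12, 0xd5, 0xd0, 0x0b, 0xc7, 0x66, 0x0d, 0xcb, 0x6d, 0x01,
	0x7b, 0x8c, 0xec, 0x3d, 0x98, 0xe5, 0x2a, 0xac, 0x11, 0xde,
	0x88, 0x2e, 0xf2, 0x22, 0x98, 0x13, 0x73, 0xa3, 0x38, 0xd0,
	0x43, 0xf4, 0xc6, 0xf0, 0xc1, 0x24, 0x1a, 0x7a, 0x9f, 0xba,
	0x03, 0x25, 0x49, 0xe5, 0x8e, 0xb7, 0x5d, 0x79, 0x76, 0xfd,
	0x22, 0x5c, 0xba, 0x82, 0xb8, 0x75, 0x81, 0xc6, 0x79, 0xb3,
	0x56, 0x44, 0x82, 0x80, 0x5a, 0x3c, 0xe8, 0x21, 0xe4, 0xdb,
	0xfd, 0x1c, 0xd3, 0x18, 0xbd, 0x74, 0x22, 0x25, 0x44, 0xde,
	0x0b, 0x7e, 0x6e, 0xdb, 0xe3, 0x3b, 0x17, 0xc1, 0x4d, 0x5e,
	0x51, 0x87, 0xb0, 0x5a, 0xce, 0x5f, 0x23, 0xce, 0x18, 0x61,
	0x03, 0x02, 0x7e, 0x4b, 0x36, 0xb0, 0x7c, 0x90, 0xcf, 0xac,
	0x81, 0xc4, 0x45, 0xa3, 0x50, 0x01, 0x2e, 0x0a, 0xce, 0x62,
	0x7a, 0xe0, 0xa7, 0xc0, 0x45, 0x5e, 0x90, 0xe2, 0x2e, 0xc6,
	0x90, 0xe9, 0xbe, 0x8f, 0xe9, 0x31, 0xa9, 0xc9, 0x44, 0x62,
	0x31, 0xb6, 0x13, 0xaf, 0xd5, 0x9a, 0x55, 0x9b, 0x14, 0xf9,
	0x80, 0xcc, 0x73, 0xe3, 0x51, 0xdf, 0x2a, 0x04, 0x79, 0x0d,
	0x04, 0xee, 0x4c, 0xa8, 0x9d, 0xaa, 0x67, 0x2f, 0x77, 0x87,
	0x5e, 0x2d, 0x05, 0x95, 0xbe, 0x53, 0x45, 0x96, 0x8b, 0x89,
	0x79, 0x5b, 0x48, 0xe2, 0x6f, 0x3a, 0xc9, 0xef, 0x83, 0x81,
	0xcc, 0x4c, 0xfe, 0xb7, 0x40, 0x2d, 0xa5, 0xa5, 0x51, 0xb7,
	0xad, 0x2f, 0x29, 0xd8, 0xc8, 0x02, 0xbe, 0x18, 0x09, 0xd0,
	0xba, 0x71, 0x77, 0xfe, 0x2c, 0x6d
};

u_int8_t delete_pld[] = {
	0x2a, 0x00, 0x00, 0x10, 0x01, 0x08, 0x00, 0x01,	/* IKE SA */
	0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0xaf, 0xfe,
	0x00, 0x00, 0x00, 0x10, 0x03, 0x04, 0x00, 0x02,	/* ESP SA */
	0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00, 0x11
};

u_int8_t vendor_pld[] = {
	0x00, 0x00, 0x00, 0x08, 0x11, 0x22, 0x33, 0x44
};

u_int8_t ts_pld[] = {
	0x00, 0x00, 0x00, 0x18, 0x01, 0x00, 0x00, 0x00,
	0x07, 0x00, 0x00, 0x10, 0x00, 0x00, 0xff, 0xff,
	0xac, 0x28, 0x7d, 0x00, 0xac, 0x28, 0x7d, 0xff
};

u_int8_t skf_1of1_pld[] = {
	0x21, 0x00, 0x01, 0x98, 0x00, 0x01, 0x00, 0x01, 0x14, 0x77,
	0x25, 0x7b, 0x82, 0xc0, 0xdb, 0x0b, 0x24, 0x36, 0x36, 0x13,
	0x36, 0xe4, 0x99, 0xad, 0xf5, 0xaf, 0x26, 0x6f, 0x47, 0xd2,
	0x0d, 0x65, 0xe1, 0xa8, 0xcb, 0x35, 0x1e, 0x53, 0xce, 0x6d,
	0x8e, 0xf9, 0xe4, 0x51, 0xe3, 0x27, 0x10, 0x43, 0x38, 0x84,
	0x54, 0x1d, 0x7a, 0x1a, 0x89, 0x34, 0x06, 0xb3, 0x62, 0x86,
	0x98, 0x3b, 0x39, 0x91, 0x6e, 0xe8, 0x65, 0x3e, 0x31, 0xa8,
	0x08, 0xfe, 0x83, 0x56, 0x30, 0xd3, 0xe0, 0xfd, 0x73, 0x92,
	0x85, 0x2d, 0xae, 0x1d, 0x7d, 0xdb, 0x47, 0x05, 0x57, 0xe7,
	0x8e, 0xc5, 0xa5, 0x1b, 0x0e, 0x85, 0x1f, 0x12, 0x6d, 0xe6,
	0xdb, 0x3a, 0x3e, 0x99, 0xd1, 0x23, 0x41, 0xa4, 0x1c, 0x46,
	0x38, 0xd1, 0xa8, 0x84, 0x96, 0x13, 0xdb, 0x2a, 0x1d, 0x3b,
	0xb8, 0xd2, 0x04, 0xb3, 0x0d, 0xb4, 0x71, 0x90, 0xdb, 0xf6,
	0x2d, 0x60, 0x01, 0xc2, 0xb2, 0x89, 0xbd, 0xe9, 0x95, 0x7b,
	0x53, 0xa4, 0x94, 0x7e, 0x12, 0xe9, 0x5f, 0xfc, 0x51, 0x17,
	0x94, 0x3e, 0xba, 0xc2, 0xa5, 0x4d, 0x3a, 0x4d, 0x4b, 0x95,
	0x6d, 0x91, 0xc2, 0xb0, 0x2d, 0xb7, 0x24, 0xe8, 0x3b, 0xbd,
	0xe0, 0xcc, 0x09, 0x50, 0x11, 0x83, 0xc0, 0xcd, 0x29, 0x33,
	0xd5, 0x8f, 0x8a, 0xd1, 0xe3, 0xe8, 0x4f, 0x6a, 0x10, 0x4a,
	0x64, 0x97, 0x0f, 0x38, 0x58, 0x8d, 0x7f, 0x5d, 0xb4, 0x6b,
	0xa0, 0x42, 0x5e, 0x95, 0xe6, 0x08, 0x3e, 0x01, 0xf8, 0x82,
	0x90, 0x81, 0xd4, 0x70, 0xb5, 0xb2, 0x8c, 0x64, 0xa9, 0x56,
	0xdd, 0xc2, 0xda, 0xe1, 0xd3, 0xad, 0xf8, 0x5b, 0x99, 0x0b,
	0x19, 0x5e, 0x88, 0x0d, 0x81, 0x04, 0x4d, 0xc1, 0x43, 0x41,
	0xf1, 0xd3, 0x45, 0x65, 0x62, 0x70, 0x2f, 0xfa, 0x62, 0xbe,
	0x7d, 0xf4, 0x94, 0x91, 0xe0, 0xbb, 0xb1, 0xbc, 0xe5, 0x27,
	0xc8, 0x15, 0xd4, 0xcb, 0x82, 0x97, 0x15, 0x46, 0x82, 0xbb,
	0x48, 0xbb, 0x16, 0x25, 0xbe, 0x82, 0xe4, 0x27, 0x80, 0xf3,
	0xc2, 0x92, 0x3b, 0xd6, 0xc3, 0x65, 0x20, 0xec, 0x50, 0xdb,
	0x6a, 0xcb, 0x47, 0x73, 0xf7, 0x98, 0xf1, 0x66, 0x5e, 0xc4,
	0xe9, 0x87, 0xf8, 0xcb, 0x1e, 0x06, 0xa7, 0x67, 0xf5, 0xec,
	0x73, 0xe5, 0xc7, 0x4d, 0xc2, 0x90, 0xe4, 0xdf, 0x9d, 0x1f,
	0x05, 0x67, 0x99, 0xd6, 0xf0, 0xc4, 0x20, 0xbc, 0xf8, 0xf5,
	0x3e, 0x19, 0xe9, 0x3a, 0x12, 0xe1, 0xcc, 0x9f, 0x81, 0x55,
	0x1e, 0xad, 0xc8, 0xa3, 0xe5, 0x98, 0xbe, 0xe0, 0x4d, 0xb7,
	0x6b, 0xd5, 0xbe, 0x6a, 0x3d, 0x76, 0xb6, 0xe2, 0xa5, 0xa7,
	0x96, 0x68, 0xeb, 0x91, 0xee, 0x02, 0xfc, 0xe4, 0x01, 0xc3,
	0x24, 0xda, 0x4c, 0xff, 0x10, 0x27, 0x78, 0xb0, 0x0b, 0x55,
	0x5c, 0xce, 0x62, 0x7d, 0x33, 0x2b, 0x25, 0x99, 0xaa, 0x99,
	0xea, 0xa3, 0x1d, 0xd8, 0x2b, 0x57, 0xb5, 0xe4, 0x04, 0x21,
	0x75, 0xd9, 0xc4, 0xd0, 0x3d, 0xa1, 0xa5, 0x8f
};

/* NOTE(review): sk_pld is defined but not referenced by any test in this file. */
u_int8_t sk_pld[] = {
	0x21, 0x00, 0x01, 0x94, 0x14, 0x77, 0x25, 0x7b, 0x82, 0xc0,
	0xdb, 0x0b, 0x24, 0x36, 0x36, 0x13, 0x36, 0xe4, 0x99, 0xad,
	0xf5, 0xaf, 0x26, 0x6f, 0x47, 0xd2, 0x0d, 0x65, 0xe1, 0xa8,
	0xcb, 0x35, 0x1e, 0x53, 0xce, 0x6d, 0x8e, 0xf9, 0xe4, 0x51,
	0xe3, 0x27, 0x10, 0x43, 0x38, 0x84, 0x54, 0x1d, 0x7a, 0x1a,
	0x89, 0x34, 0x06, 0xb3, 0x62, 0x86, 0x98, 0x3b, 0x39, 0x91,
	0x6e, 0xe8, 0x65, 0x3e, 0x31, 0xa8, 0x08, 0xfe, 0x83, 0x56,
	0x30, 0xd3, 0xe0, 0xfd, 0x73, 0x92, 0x85, 0x2d, 0xae, 0x1d,
	0x7d, 0xdb, 0x47, 0x05, 0x57, 0xe7, 0x8e, 0xc5, 0xa5, 0x1b,
	0x0e, 0x85, 0x1f, 0x12, 0x6d, 0xe6, 0xdb, 0x3a, 0x3e, 0x99,
	0xd1, 0x23, 0x41, 0xa4, 0x1c, 0x46, 0x38, 0xd1, 0xa8, 0x84,
	0x96, 0x13, 0xdb, 0x2a, 0x1d, 0x3b, 0xb8, 0xd2, 0x04, 0xb3,
	0x0d, 0xb4, 0x71, 0x90, 0xdb, 0xf6, 0x2d, 0x60, 0x01, 0xc2,
	0xb2, 0x89, 0xbd, 0xe9, 0x95, 0x7b, 0x53, 0xa4, 0x94, 0x7e,
	0x12, 0xe9, 0x5f, 0xfc, 0x51, 0x17, 0x94, 0x3e, 0xba, 0xc2,
	0xa5, 0x4d, 0x3a, 0x4d, 0x4b, 0x95, 0x6d, 0x91, 0xc2, 0xb0,
	0x2d, 0xb7, 0x24, 0xe8, 0x3b, 0xbd, 0xe0, 0xcc, 0x09, 0x50,
	0x11, 0x83, 0xc0, 0xcd, 0x29, 0x33, 0xd5, 0x8f, 0x8a, 0xd1,
	0xe3, 0xe8, 0x4f, 0x6a, 0x10, 0x4a, 0x64, 0x97, 0x0f, 0x38,
	0x58, 0x8d, 0x7f, 0x5d, 0xb4, 0x6b, 0xa0, 0x42, 0x5e, 0x95,
	0xe6, 0x08, 0x3e, 0x01, 0xf8, 0x82, 0x90, 0x81, 0xd4, 0x70,
	0xb5, 0xb2, 0x8c, 0x64, 0xa9, 0x56, 0xdd, 0xc2, 0xda, 0xe1,
	0xd3, 0xad, 0xf8, 0x5b, 0x99, 0x0b, 0x19, 0x5e, 0x88, 0x0d,
	0x81, 0x04, 0x4d, 0xc1, 0x43, 0x41, 0xf1, 0xd3, 0x45, 0x65,
	0x62, 0x70, 0x2f, 0xfa, 0x62, 0xbe, 0x7d, 0xf4, 0x94, 0x91,
	0xe0, 0xbb, 0xb1, 0xbc, 0xe5, 0x27, 0xc8, 0x15, 0xd4, 0xcb,
	0x82, 0x97, 0x15, 0x46, 0x82, 0xbb, 0x48, 0xbb, 0x16, 0x25,
	0xbe, 0x82, 0xe4, 0x27, 0x80, 0xf3, 0xc2, 0x92, 0x3b, 0xd6,
	0xc3, 0x65, 0x20, 0xec, 0x50, 0xdb, 0x6a, 0xcb, 0x47, 0x73,
	0xf7, 0x98, 0xf1, 0x66, 0x5e, 0xc4, 0xe9, 0x87, 0xf8, 0xcb,
	0x1e, 0x06, 0xa7, 0x67, 0xf5, 0xec, 0x73, 0xe5, 0xc7, 0x4d,
	0xc2, 0x90, 0xe4, 0xdf, 0x9d, 0x1f, 0x05, 0x67, 0x99, 0xd6,
	0xf0, 0xc4, 0x20, 0xbc, 0xf8, 0xf5, 0x3e, 0x19, 0xe9, 0x3a,
	0x12, 0xe1, 0xcc, 0x9f, 0x81, 0x55, 0x1e, 0xad, 0xc8, 0xa3,
	0xe5, 0x98, 0xbe, 0xe0, 0x4d, 0xb7, 0x6b, 0xd5, 0xbe, 0x6a,
	0x3d, 0x76, 0xb6, 0xe2, 0xa5, 0xa7, 0x96, 0x68, 0xeb, 0x91,
	0xee, 0x02, 0xfc, 0xe4, 0x01, 0xc3, 0x24, 0xda, 0x4c, 0xff,
	0x10, 0x27, 0x78, 0xb0, 0x0b, 0x55, 0x5c, 0xce, 0x62, 0x7d,
	0x33, 0x2b, 0x25, 0x99, 0xaa, 0x99, 0xea, 0xa3, 0x1d, 0xd8,
	0x2b, 0x57, 0xb5, 0xe4, 0x04, 0x21, 0x75, 0xd9, 0xc4, 0xd0,
	0x3d, 0xa1, 0xa5, 0x8f
};

u_int8_t cp_pld[] = {
	0x2f, 0x00, 0x00, 0x0c,
	0x01, 0x00, 0x00, 0x00,	/* REQUEST */
	0x00, 0x01, 0x00, 0x00,	/* INTERNAL_IP4_ADDRESS */
	0x2f, 0x00, 0x00, 0x10,
	0x02, 0x00, 0x00, 0x00,	/* REPLY */
	0x00, 0x01, 0x00, 0x04,	/* INTERNAL_IP4_ADDRESS */
	0xaa, 0xbb, 0xcc, 0xdd,	/* 170.187.204.221 */
	0x2f, 0x00, 0x00, 0x08,
	0x03, 0x00, 0x00, 0x00,	/* SET (empty) */
	0x2f, 0x00, 0x00, 0x24,
	0x02, 0x00, 0x00, 0x00,	/* REPLY */
	0x00, 0x01, 0x00, 0x04,	/* INTERNAL_IP4_ADDRESS */
	0xaa, 0xaa, 0xaa, 0xaa,	/* 170.170.170.170 */
	0x00, 0x02, 0x00, 0x04,	/* INTERNAL_IP4_NETMASK */
	0xbb, 0xbb, 0xbb, 0xbb,	/* 187.187.187.187 */
	0x00, 0x03, 0x00, 0x04,	/* INTERNAL_IP4_DNS */
	0xcc, 0xcc, 0xcc, 0xcc,	/* 204.204.204.204 */
	0x00, 0x08, 0x00, 0x00,	/* INTERNAL_IP6_ADDRESS */
	0x00, 0x00, 0x00, 0x08,
	0x04, 0x00, 0x00, 0x00,	/* ACK (empty) */
};

u_int8_t eap_pld[] = {
	0x30, 0x00, 0x00, 0x09,
	0x01, 0x00, 0x00, 0x05, 0x01,
	0x30, 0x00, 0x00, 0x0c,
	0x02, 0x00, 0x00, 0x05, 0x01, 0xfa, 0xfb, 0xfc,
	0x30, 0x00, 0x00, 0x08,
	0x03, 0x00, 0x00, 0x04,
	0x00, 0x00, 0x00, 0x08,
	0x04, 0x00, 0x00, 0x04
};

/* Valid initiator packet */
u_int8_t valid_packet[] = {
	0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0x00, 0x01, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x21, 0x20, 0x22, 0x08,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xc0, 0x22, 0x00,
	0x00, 0x40, 0x00, 0x00, 0x00, 0x3c, 0x01, 0x01, 0x00, 0x06,
	0x03, 0x00, 0x00, 0x08, 0x03, 0x00, 0x00, 0x0c, 0x03, 0x00,
	0x00, 0x0c, 0x01, 0x00, 0x00, 0x0c, 0x80, 0x0e, 0x00, 0xc0,
	0x03, 0x00, 0x00, 0x08, 0x04, 0x00, 0x00, 0x0e, 0x03, 0x00,
	0x00, 0x08, 0x02, 0x00, 0x00, 0x05, 0x03, 0x00, 0x00, 0x08,
	0x02, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x08, 0x02, 0x00,
	0x00, 0x01, 0x28, 0x00, 0x01, 0x08, 0x00, 0x0e, 0x00, 0x00,
	0x16, 0xcb, 0x68, 0xaf, 0x63, 0xfe, 0xb0, 0x58, 0x49, 0x0e,
	0x7f, 0x85, 0x60, 0x53, 0x80, 0xae, 0x3f, 0x82, 0xf3, 0x35,
	0x21, 0xd5, 0xae, 0x09, 0x1c, 0xfa, 0x68, 0xc2, 0xfb, 0x4b,
	0xb3, 0x84, 0xda, 0xaf, 0x6e, 0xe2, 0x5e, 0xc5, 0xb6, 0x8c,
	0x35, 0x3c, 0xec, 0x58, 0x7f, 0xa9, 0xf8, 0xa4, 0x24, 0xf3,
	0xf8, 0xf4, 0x65, 0x59, 0x8c, 0x15, 0x4d, 0x2c, 0xf1, 0x5d,
	0xeb, 0x57, 0x68, 0xfe, 0x75, 0x61, 0x5a, 0x80, 0x96, 0xa4,
	0x0a, 0xad, 0x75, 0x71, 0xd8, 0xe0, 0x06, 0xbc, 0xde, 0x16,
	0x6d, 0x1e, 0xd9, 0x5d, 0x2c, 0x00, 0x66, 0x43, 0x82, 0xe4,
	0x6f, 0x5f, 0x95, 0xe7, 0x9b, 0xfd, 0xf2, 0xe2, 0xcb, 0xc5,
	0xf1, 0x52, 0xdd, 0x3b, 0xed, 0x88, 0xd4, 0xa9, 0x13, 0x4e,
	0x42, 0xe8, 0x60, 0x2d, 0x3c, 0xf6, 0xc8, 0xf0, 0x70, 0x42,
	0xfa, 0x33, 0x7f, 0x28, 0xdf, 0x6b, 0x79, 0x2c, 0x79, 0x8f,
	0xc0, 0x5d, 0x81, 0x7a, 0x62, 0xdb, 0xd4, 0x44, 0x3a, 0x3c,
	0x21, 0xbf, 0x85, 0xc8, 0x0b, 0x8c, 0x77, 0x72, 0xe9, 0xfb,
	0x50, 0x5c, 0x03, 0xa6, 0xb2, 0x3f, 0x17, 0x4a, 0xd1, 0xb3,
	0x01, 0x30, 0xad, 0xe4, 0xfa, 0xe2, 0xba, 0x6f, 0x22, 0x83,
	0xf4, 0xde, 0x38, 0x43, 0xe8, 0x27, 0x00, 0xb8, 0x95, 0xbe,
	0x03, 0x8f, 0xcd, 0xd3, 0x72, 0xed, 0xa5, 0xed, 0x8d, 0xf4,
	0x68, 0x98, 0xef, 0x59, 0xcc, 0xfb, 0x54, 0x89, 0xde, 0xa9,
	0xd4, 0x88, 0xcd, 0xb9, 0xca, 0x09, 0xd3, 0xd5, 0x25, 0xb1,
	0x8c, 0x58, 0x12, 0x9c, 0x69, 0x03, 0x72, 0x00, 0xc9, 0xca,
	0x95, 0x8a, 0xce, 0x0d, 0xd2, 0xc8, 0x25, 0xe7, 0x7c, 0xed,
	0x5e, 0xee, 0x35, 0x01, 0xfc, 0x00, 0x56, 0xed, 0xf3, 0x8d,
	0x81, 0x6c, 0x3e, 0x86, 0x6a, 0x40, 0xac, 0xc7, 0x9c, 0x7a,
	0xbf, 0x9f, 0x8e, 0x1f, 0xd8, 0x60, 0x29, 0x00, 0x00, 0x24,
	0x5f, 0x61, 0x42, 0x72, 0x7d, 0xb2, 0xa8, 0xc1, 0xfe, 0xb1,
	0x38, 0x2e, 0xb8, 0x75, 0xa7, 0xc1, 0x1d, 0x8a, 0xa7, 0xb7,
	0x9b, 0x92, 0xe2, 0x0e, 0x3a, 0x18, 0x20, 0xb6, 0x16, 0xf3,
	0x35, 0x67, 0x29, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x04,
	0xc7, 0xa0, 0x68, 0x68, 0x09, 0x0a, 0x7f, 0x12, 0x0b, 0x13,
	0xd3, 0x2f, 0xde, 0x64, 0x8b, 0xf1, 0xc3, 0x3c, 0x79, 0x8f,
	0x00, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x05, 0x9f, 0xbc,
	0x8c, 0xd0, 0x91, 0x5e, 0xa0, 0x87, 0x81, 0xab, 0x4f, 0xa1,
	0x8a, 0xa7, 0xa8, 0xf9, 0xeb, 0xdf, 0x9f, 0x2c
};

/*
 * Byte offsets of the header fields inside a raw message.  The generic
 * header starts right after the two cookies, so everything past the
 * cookies is expressed relative to sizeof(cookies).
 */
#define OFFSET_ICOOKIE		0
#define OFFSET_RCOOKIE		8
#define OFFSET_NEXTPAYLOAD	(0 + sizeof(cookies))
#define OFFSET_VERSION		(1 + sizeof(cookies))
#define OFFSET_EXCHANGE		(2 + sizeof(cookies))
#define OFFSET_LENGTH		(8 + sizeof(cookies))

/* Mutation strategies applied to every seed message. */
#define PARSER_FUZZ_MODES						\
	(FUZZ_1_BIT_FLIP | FUZZ_2_BIT_FLIP |				\
	FUZZ_1_BYTE_FLIP | FUZZ_2_BYTE_FLIP |				\
	FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END |			\
	FUZZ_BASE64)

/*
 * Raw header accessors.  None of them checks bounds: the caller must
 * make sure `data' holds at least sizeof(cookies) + sizeof(genhdr) bytes.
 */

/* Pointer to the initiator cookie inside the raw message. */
static u_int8_t *
get_icookie(u_int8_t *data)
{
	return &data[OFFSET_ICOOKIE];
}

/* Pointer to the responder cookie inside the raw message. */
static u_int8_t *
get_rcookie(u_int8_t *data)
{
	return &data[OFFSET_RCOOKIE];
}

/* Next-payload byte of the header. */
static u_int8_t
get_nextpayload(u_int8_t *data)
{
	return data[OFFSET_NEXTPAYLOAD];
}

/* Version byte of the header. */
static u_int8_t
get_version(u_int8_t *data)
{
	return data[OFFSET_VERSION];
}

/* Exchange-type byte of the header. */
static u_int8_t
get_exchange(u_int8_t *data)
{
	return data[OFFSET_EXCHANGE];
}

/*
 * Total-length field, returned exactly as stored in the buffer (no byte
 * swap; set_length() stores it big-endian).  memcpy() is used instead of
 * a cast so the read does not depend on the buffer's alignment.
 */
static u_int32_t
get_length(u_int8_t *data)
{
	u_int32_t	 length;

	memcpy(&length, &data[OFFSET_LENGTH], sizeof(length));
	return length;
}

/* Store `length' (host order) big-endian into the total-length field. */
static void
set_length(u_int8_t *data, u_int32_t length)
{
	u_int32_t	 belen = htobe32(length);

	memcpy(&data[OFFSET_LENGTH], &belen, sizeof(belen));
}

/* Overwrite the next-payload byte of the header. */
static void
set_nextpayload(u_int8_t *data, u_int8_t next)
{
	data[OFFSET_NEXTPAYLOAD] = next;
}

/*
 * Fill `hdr' from the raw bytes in `data'.
 *
 * Reads fixed offsets up to OFFSET_LENGTH + 4 without checking
 * ibuf_size(data); callers guarantee the minimum size.  The length is
 * copied as found in the buffer, i.e. for fuzzed input it is whatever
 * the mutation left there and may disagree with the real buffer size.
 */
static void
prepare_header(struct ike_header *hdr, struct ibuf *data)
{
	u_int8_t	*raw = ibuf_data(data);

	bzero(hdr, sizeof(*hdr));
	bcopy(get_icookie(raw), &hdr->ike_ispi, sizeof(hdr->ike_ispi));
	bcopy(get_rcookie(raw), &hdr->ike_rspi, sizeof(hdr->ike_rspi));
	hdr->ike_nextpayload = get_nextpayload(raw);
	hdr->ike_version = get_version(raw);
	hdr->ike_exchange = get_exchange(raw);
	hdr->ike_length = get_length(raw);
}

/*
 * Reset `msg' and point it at `data'.
 *
 * All messages share one function-static SA, which is zeroed on every
 * call, so no SA state carries over from one fuzz iteration to the next.
 */
static void
prepare_message(struct iked_message *msg, struct ibuf *data)
{
	static struct iked_sa	sa;

	bzero(&sa, sizeof(sa));
	bzero(msg, sizeof(*msg));

	msg->msg_sa = &sa;
	msg->msg_data = data;
	/* NOTE(review): msg_e presumably marks the message as already
	 * decrypted - confirm against iked.h. */
	msg->msg_e = 1;
	msg->msg_parent = msg;
}

/*
 * Feed every mutation produced by `fuzz' to ikev2_pld_parse().
 *
 * The parser's return value is ignored on purpose: a mutated message may
 * be accepted or rejected.  The run only fails if the parser crashes or
 * trips an abort, so running this under a memory-error detector is what
 * turns silent out-of-bounds accesses into visible failures.
 *
 * The header length field is not re-synced after mutation, so the parser
 * sees declared lengths that disagree with the actual buffer size and
 * has to bound its reads by the buffer, not by the header.
 *
 * NOTE(review): the context returned by fuzz_begin() is never released
 * here; if test_helper.h offers a cleanup routine it should be called
 * after the loop.
 */
static void
perform_test(struct fuzz *fuzz)
{
	struct ibuf		*fuzzed;
	struct ike_header	 hdr;
	struct iked_message	 msg;

	bzero(&hdr, sizeof(hdr));
	bzero(&msg, sizeof(msg));

	for (; !fuzz_done(fuzz); fuzz_next(fuzz)) {
		ASSERT_PTR_NE(fuzzed = ibuf_new(fuzz_ptr(fuzz), fuzz_len(fuzz)),
		    NULL);
		print_hex(ibuf_data(fuzzed), 0, ibuf_size(fuzzed));

		/*
		 * We need at least cookies and generic header:
		 * prepare_header() reads them at fixed offsets without
		 * any bounds check of its own.
		 */
		if (ibuf_size(fuzzed) < sizeof(cookies) + sizeof(genhdr)) {
			ibuf_free(fuzzed);
			continue;
		}

		prepare_header(&hdr, fuzzed);
		prepare_message(&msg, fuzzed);

		ikev2_pld_parse(NULL, &hdr, &msg, 0);

		ibuf_free(fuzzed);
	}
}

/*
 * Check that the unmodified seed in `data' parses cleanly, then fuzz it.
 * Takes ownership of `data' and frees it; fuzz_begin() is handed the
 * bytes before the buffer is released.
 */
static void
fuzz_seed(struct ibuf *data)
{
	struct fuzz		*fuzz;
	struct ike_header	 hdr;
	struct iked_message	 msg;

	print_hex(ibuf_data(data), 0, ibuf_size(data));
	prepare_header(&hdr, data);
	prepare_message(&msg, data);
	/* A seed the parser rejects would make the fuzz run meaningless. */
	ASSERT_INT_EQ(ikev2_pld_parse(NULL, &hdr, &msg, 0), 0);
	fuzz = fuzz_begin(PARSER_FUZZ_MODES, ibuf_data(data), ibuf_size(data));
	ibuf_free(data);
	perform_test(fuzz);
}

/*
 * Run one test on cookies + generic header + optional payload.
 * With pld == NULL only the bare header is fuzzed and the next-payload
 * byte keeps the value from genhdr[].
 */
static void
fuzz_payload(const char *name, u_int8_t nextpayload, const void *pld,
    size_t pldlen)
{
	struct ibuf	*data;

	TEST_START(name);
	ASSERT_PTR_NE(data = ibuf_new(cookies, sizeof(cookies)), NULL);
	ASSERT_INT_EQ(ibuf_add(data, genhdr, sizeof(genhdr)), 0);
	if (pld != NULL) {
		ASSERT_INT_EQ(ibuf_add(data, pld, pldlen), 0);
	}
	set_length(ibuf_data(data), ibuf_size(data));
	if (pld != NULL)
		set_nextpayload(ibuf_data(data), nextpayload);
	fuzz_seed(data);
	TEST_DONE();
}

/* Seeds built from the shared header, in the order they are run. */
static const struct fuzz_case {
	const char	*name;
	u_int8_t	 nextpayload;
	const void	*pld;
	size_t		 pldlen;
} fuzz_cases[] = {
	{ "fuzz generic header", 0, NULL, 0 },
	{ "fuzz skf_1of1 payload", IKEV2_PAYLOAD_SKF,
	    skf_1of1_pld, sizeof(skf_1of1_pld) },
	{ "fuzz sa payload", IKEV2_PAYLOAD_SA,
	    sa_pld, sizeof(sa_pld) },
	{ "fuzz sa and xform payload", IKEV2_PAYLOAD_SA,
	    saxform_pld, sizeof(saxform_pld) },
	{ "fuzz ke payload", IKEV2_PAYLOAD_KE,
	    ke_pld, sizeof(ke_pld) },
	{ "fuzz nonce payload", IKEV2_PAYLOAD_NONCE,
	    nonce_pld, sizeof(nonce_pld) },
	{ "fuzz notify payload", IKEV2_PAYLOAD_NOTIFY,
	    notify_pld, sizeof(notify_pld) },
	{ "fuzz id payload", IKEV2_PAYLOAD_IDi,
	    id_pld, sizeof(id_pld) },
	{ "fuzz cert payload", IKEV2_PAYLOAD_CERT,
	    cert_pld, sizeof(cert_pld) },
	{ "fuzz certreq payload", IKEV2_PAYLOAD_CERTREQ,
	    certreq_pld, sizeof(certreq_pld) },
	{ "fuzz auth payload", IKEV2_PAYLOAD_AUTH,
	    auth_pld, sizeof(auth_pld) },
	{ "fuzz delete notify payload", IKEV2_PAYLOAD_DELETE,
	    delete_pld, sizeof(delete_pld) },
	{ "fuzz vendor id payload", IKEV2_PAYLOAD_VENDOR,
	    vendor_pld, sizeof(vendor_pld) },
	{ "fuzz traffic selector initiator payload", IKEV2_PAYLOAD_TSi,
	    ts_pld, sizeof(ts_pld) },
	{ "fuzz traffic selector responder payload", IKEV2_PAYLOAD_TSr,
	    ts_pld, sizeof(ts_pld) },
	{ "fuzz configuration payload", IKEV2_PAYLOAD_CP,
	    cp_pld, sizeof(cp_pld) },
	{ "fuzz eap payload", IKEV2_PAYLOAD_EAP,
	    eap_pld, sizeof(eap_pld) }
};

/*
 * Entry point: fuzz the bare header, each single-payload message and
 * finally the complete captured packet.
 */
void
parser_fuzz_tests(void)
{
	struct ibuf	*data;
	size_t		 i;

#if 0
	log_init(3);
#endif

	for (i = 0; i < sizeof(fuzz_cases) / sizeof(fuzz_cases[0]); i++)
		fuzz_payload(fuzz_cases[i].name, fuzz_cases[i].nextpayload,
		    fuzz_cases[i].pld, fuzz_cases[i].pldlen);

	/* The full packet already carries its own cookies and header. */
	TEST_START("fuzz full valid packet");
	ASSERT_PTR_NE(data = ibuf_new(valid_packet, sizeof(valid_packet)),
	    NULL);
	set_length(ibuf_data(data), ibuf_size(data));
	fuzz_seed(data);
	TEST_DONE();
}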