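/*	$OpenBSD: test_parser_fuzz.c,v 1.2 2018/03/22 21:11:49 patrick Exp $ */
/*
 * Fuzz tests for payload parsing
 *
 * Placed in the public domain
 */

#include <sys/socket.h>
#include <sys/param.h>
#include <sys/queue.h>
#include <sys/uio.h>

#include <event.h>
#include <imsg.h>
#include <string.h>

#include "iked.h"
#include "ikev2.h"
#include "test_helper.h"

/*
 * NOTE(review): declared here but not called anywhere in the code shown;
 * the tests drive ikev2_pld_parse() instead.
 */
extern int	ikev2_pld_payloads(struct iked *, struct iked_message *,
		    size_t, size_t, u_int);

void		parser_fuzz_tests(void);

/*
 * Seed data.  Every test message is assembled as cookies + genhdr +
 * one payload array; set_length() and set_nextpayload() then patch the
 * header in the assembled buffer, never these arrays.
 */
u_int8_t cookies[] = {
	0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0x00, 0x01,	/* initiator cookie */
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00	/* responder cookie */
};

u_int8_t genhdr[] = {
	0x00, 0x20, 0x22, 0x08,	/* next, major/minor, exchange type, flags */
	0x00, 0x00, 0x00, 0x00,	/* message ID */
	0x00, 0x00, 0x00, 0x00	/* total length */
};

u_int8_t sa_pld[] = {
	0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x08, 0x01, 0x01, 0x00, 0x00
};

u_int8_t saxform_pld[] = {
	0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x3c,
	0x01, 0x01, 0x00, 0x06, 0x03, 0x00, 0x00, 0x08,
	0x03, 0x00, 0x00, 0x0c, 0x03, 0x00, 0x00, 0x0c,
	0x01, 0x00, 0x00, 0x0c, 0x80, 0x0e, 0x00, 0xc0,
	0x03, 0x00, 0x00, 0x08, 0x04, 0x00, 0x00, 0x0e,
	0x03, 0x00, 0x00, 0x08, 0x02, 0x00, 0x00, 0x05,
	0x03, 0x00, 0x00, 0x08, 0x02, 0x00, 0x00, 0x02,
	0x00, 0x00, 0x00, 0x08, 0x02, 0x00, 0x00, 0x01
};

u_int8_t ke_pld[] = {
	0x00, 0x00, 0x01, 0x08, 0x00, 0x0e, 0x00, 0x00, 0x16, 0xcb,
	0x68, 0xaf, 0x63, 0xfe, 0xb0, 0x58, 0x49, 0x0e, 0x7f, 0x85,
	0x60, 0x53, 0x80, 0xae, 0x3f, 0x82, 0xf3, 0x35, 0x21, 0xd5,
	0xae, 0x09, 0x1c, 0xfa, 0x68, 0xc2, 0xfb, 0x4b, 0xb3, 0x84,
	0xda, 0xaf, 0x6e, 0xe2, 0x5e, 0xc5, 0xb6, 0x8c, 0x35, 0x3c,
	0xec, 0x58, 0x7f, 0xa9, 0xf8, 0xa4, 0x24, 0xf3, 0xf8, 0xf4,
	0x65, 0x59, 0x8c, 0x15, 0x4d, 0x2c, 0xf1, 0x5d, 0xeb, 0x57,
	0x68, 0xfe, 0x75, 0x61, 0x5a, 0x80, 0x96, 0xa4, 0x0a, 0xad,
	0x75, 0x71, 0xd8, 0xe0, 0x06, 0xbc, 0xde, 0x16, 0x6d, 0x1e,
	0xd9, 0x5d, 0x2c, 0x00, 0x66, 0x43, 0x82, 0xe4, 0x6f, 0x5f,
	0x95, 0xe7, 0x9b, 0xfd, 0xf2, 0xe2, 0xcb, 0xc5, 0xf1, 0x52,
	0xdd, 0x3b, 0xed, 0x88, 0xd4, 0xa9, 0x13, 0x4e, 0x42, 0xe8,
	0x60, 0x2d, 0x3c, 0xf6, 0xc8, 0xf0, 0x70, 0x42, 0xfa, 0x33,
	0x7f, 0x28, 0xdf, 0x6b, 0x79, 0x2c, 0x79, 0x8f, 0xc0, 0x5d,
	0x81, 0x7a, 0x62, 0xdb, 0xd4, 0x44, 0x3a, 0x3c, 0x21, 0xbf,
	0x85, 0xc8, 0x0b, 0x8c, 0x77, 0x72, 0xe9, 0xfb, 0x50, 0x5c,
	0x03, 0xa6, 0xb2, 0x3f, 0x17, 0x4a, 0xd1, 0xb3, 0x01, 0x30,
	0xad, 0xe4, 0xfa, 0xe2, 0xba, 0x6f, 0x22, 0x83, 0xf4, 0xde,
	0x38, 0x43, 0xe8, 0x27, 0x00, 0xb8, 0x95, 0xbe, 0x03, 0x8f,
	0xcd, 0xd3, 0x72, 0xed, 0xa5, 0xed, 0x8d, 0xf4, 0x68, 0x98,
	0xef, 0x59, 0xcc, 0xfb, 0x54, 0x89, 0xde, 0xa9, 0xd4, 0x88,
	0xcd, 0xb9, 0xca, 0x09, 0xd3, 0xd5, 0x25, 0xb1, 0x8c, 0x58,
	0x12, 0x9c, 0x69, 0x03, 0x72, 0x00, 0xc9, 0xca, 0x95, 0x8a,
	0xce, 0x0d, 0xd2, 0xc8, 0x25, 0xe7, 0x7c, 0xed, 0x5e, 0xee,
	0x35, 0x01, 0xfc, 0x00, 0x56, 0xed, 0xf3, 0x8d, 0x81, 0x6c,
	0x3e, 0x86, 0x6a, 0x40, 0xac, 0xc7, 0x9c, 0x7a, 0xbf, 0x9f,
	0x8e, 0x1f, 0xd8, 0x60
};

u_int8_t nonce_pld[] = {
	0x00, 0x00, 0x00, 0x24, 0x5f, 0x61, 0x42, 0x72, 0x7d, 0xb2,
	0xa8, 0xc1, 0xfe, 0xb1, 0x38, 0x2e, 0xb8, 0x75, 0xa7, 0xc1,
	0x1d, 0x8a, 0xa7, 0xb7, 0x9b, 0x92, 0xe2, 0x0e, 0x3a, 0x18,
	0x20, 0xb6, 0x16, 0xf3, 0x35, 0x67,
};

u_int8_t notify_pld[] = {
	0x00, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x04, 0xc7, 0xa0,
	0x68, 0x68, 0x09, 0x0a, 0x7f, 0x12, 0x0b, 0x13, 0xd3, 0x2f,
	0xde, 0x64, 0x8b, 0xf1, 0xc3, 0x3c, 0x79, 0x8f, 0x00, 0x00,
	0x00, 0x1c, 0x00, 0x00, 0x40, 0x05, 0x9f, 0xbc, 0x8c, 0xd0,
	0x91, 0x5e, 0xa0, 0x87, 0x81, 0xab, 0x4f, 0xa1, 0x8a, 0xa7,
	0xa8, 0xf9, 0xeb, 0xdf, 0x9f, 0x2c
};

u_int8_t id_pld[] = {
	0x00, 0x00, 0x00, 0x0c, 0x01, 0x00, 0x00, 0x00,
	0xac, 0x12, 0x7d, 0x01
};

u_int8_t cert_pld[] = {
	0x00, 0x00, 0x01, 0x10, 0x0b, 0x00, 0x00, 0x00,
	0x30, 0x82, 0x01, 0x0c, 0x02, 0x82, 0x01, 0x01, 0x00, 0x8a,
	0x26, 0xf8, 0x9e, 0xe8, 0x09, 0x11, 0x6b, 0x3d, 0x00, 0xd3,
	0x25, 0xf8, 0x9f, 0xe8, 0x09, 0x11, 0x6b, 0x3d, 0x10, 0xd3,
	0x0b, 0x9a, 0xb0, 0xb7, 0xe4, 0x3e, 0x40, 0x59, 0xd7, 0x51,
	0x03, 0xaf, 0x09, 0x79, 0x1b, 0x0d, 0x63, 0x66, 0x28, 0xaa,
	0x97, 0xc8, 0x20, 0x4b, 0x28, 0x9b, 0x5e, 0x8c, 0xa9, 0x8f,
	0x73, 0x81, 0xb4, 0xfa, 0xf4, 0xdd, 0x05, 0x69, 0x0b, 0x71,
	0x72, 0xd8, 0xbb, 0xac, 0x4b, 0x6d, 0x67, 0x5a, 0xa2, 0x63,
	0x5d, 0x6d, 0x27, 0xc5, 0xf4, 0xe6, 0x0a, 0xbd, 0x2b, 0x0a,
	0x64, 0xb2, 0xcf, 0x59, 0x63, 0x9b, 0x5c, 0x4f, 0x26, 0x36,
	0xe3, 0x10, 0x70, 0x3c, 0x39, 0x77, 0x55, 0x07, 0x1c, 0x12,
	0xde, 0x60, 0x53, 0xa1, 0x70, 0xf4, 0xda, 0xfc, 0xcc, 0xec,
	0xad, 0x6d, 0x34, 0xad, 0xe2, 0x36, 0x10, 0x93, 0x59, 0x0c,
	0x81, 0x8d, 0x22, 0x7e, 0x57, 0xeb, 0x89, 0x26, 0xdb, 0x6e,
	0x99, 0x9a, 0xde, 0xbe, 0xad, 0xef, 0xca, 0xaf, 0xfe, 0xfe,
	0x99, 0x9a, 0xde, 0xbe, 0xad, 0xef, 0xca, 0xaf, 0xfe, 0xfe,
	0x6f, 0xd4, 0xe4, 0x63, 0x6c, 0x3e, 0x83, 0x09, 0xf4, 0x32,
	0x78, 0x3b, 0x71, 0xe9, 0x36, 0xb6, 0x92, 0xf6, 0xa8, 0x31,
	0x4d, 0x7c, 0xd0, 0xa1, 0x30, 0x55, 0xb6, 0x6b, 0x9e, 0xb7,
	0x41, 0xa8, 0x77, 0x6c, 0x96, 0xb8, 0xa2, 0x0c, 0x7d, 0x70,
	0xca, 0x51, 0xb9, 0xad, 0xc5, 0x75, 0xa7, 0xf1, 0x1e, 0x0e,
	0xca, 0x51, 0xb9, 0xad, 0xc5, 0x75, 0xa7, 0xf1, 0x1e, 0x0e,
	0xf2, 0xcf, 0x69, 0xbf, 0x20, 0xe9, 0x97, 0x05, 0xdd, 0xf3,
	0xf2, 0xcf, 0x69, 0xbf, 0x20, 0xe9, 0x97, 0x05, 0xdd, 0xf3,
	0x32, 0x58, 0x37, 0x8c, 0x5d, 0x02, 0x05, 0x00, 0xd1, 0x76,
	0x67, 0x01, 0x67, 0x75, 0x3b, 0xba, 0x45, 0xc2, 0xa2, 0x77,
	0x3b, 0x7e, 0xb4, 0x03, 0x88, 0x08, 0x93, 0xfe, 0x07, 0x51,
	0x8e, 0xcf
};

u_int8_t certreq_pld[] = {
	0x00, 0x00, 0x00, 0x05, 0x0b
};

u_int8_t auth_pld[] = {
	0x00, 0x00, 0x01, 0x08, 0x01, 0x00, 0x00, 0x00,
	0x2a, 0x34, 0x80, 0x52, 0x3c, 0x86, 0x1c, 0xfa, 0x9a, 0x2b,
	0x8b, 0xff, 0xbb, 0xb5, 0x0d, 0x6b, 0xa1, 0x62, 0x58, 0xd8,
	0x16, 0xaa, 0x15, 0xe4, 0x34, 0x24, 0xca, 0xc3, 0x09, 0x08,
	0x51, 0x69, 0x69, 0xef, 0xbd, 0xb7, 0xd4, 0xc5, 0x4f, 0x6c,
	0x12, 0xd5, 0xd0, 0x0b, 0xc7, 0x66, 0x0d, 0xcb, 0x6d, 0x01,
	0x7b, 0x8c, 0xec, 0x3d, 0x98, 0xe5, 0x2a, 0xac, 0x11, 0xde,
	0x88, 0x2e, 0xf2, 0x22, 0x98, 0x13, 0x73, 0xa3, 0x38, 0xd0,
	0x43, 0xf4, 0xc6, 0xf0, 0xc1, 0x24, 0x1a, 0x7a, 0x9f, 0xba,
	0x03, 0x25, 0x49, 0xe5, 0x8e, 0xb7, 0x5d, 0x79, 0x76, 0xfd,
	0x22, 0x5c, 0xba, 0x82, 0xb8, 0x75, 0x81, 0xc6, 0x79, 0xb3,
	0x56, 0x44, 0x82, 0x80, 0x5a, 0x3c, 0xe8, 0x21, 0xe4, 0xdb,
	0xfd, 0x1c, 0xd3, 0x18, 0xbd, 0x74, 0x22, 0x25, 0x44, 0xde,
	0x0b, 0x7e, 0x6e, 0xdb, 0xe3, 0x3b, 0x17, 0xc1, 0x4d, 0x5e,
	0x51, 0x87, 0xb0, 0x5a, 0xce, 0x5f, 0x23, 0xce, 0x18, 0x61,
	0x03, 0x02, 0x7e, 0x4b, 0x36, 0xb0, 0x7c, 0x90, 0xcf, 0xac,
	0x81, 0xc4, 0x45, 0xa3, 0x50, 0x01, 0x2e, 0x0a, 0xce, 0x62,
	0x7a, 0xe0, 0xa7, 0xc0, 0x45, 0x5e, 0x90, 0xe2, 0x2e, 0xc6,
	0x90, 0xe9, 0xbe, 0x8f, 0xe9, 0x31, 0xa9, 0xc9, 0x44, 0x62,
	0x31, 0xb6, 0x13, 0xaf, 0xd5, 0x9a, 0x55, 0x9b, 0x14, 0xf9,
	0x80, 0xcc, 0x73, 0xe3, 0x51, 0xdf, 0x2a, 0x04, 0x79, 0x0d,
	0x04, 0xee, 0x4c, 0xa8, 0x9d, 0xaa, 0x67, 0x2f, 0x77, 0x87,
	0x5e, 0x2d, 0x05, 0x95, 0xbe, 0x53, 0x45, 0x96, 0x8b, 0x89,
	0x79, 0x5b, 0x48, 0xe2, 0x6f, 0x3a, 0xc9, 0xef, 0x83, 0x81,
	0xcc, 0x4c, 0xfe, 0xb7, 0x40, 0x2d, 0xa5, 0xa5, 0x51, 0xb7,
	0xad, 0x2f, 0x29, 0xd8, 0xc8, 0x02, 0xbe, 0x18, 0x09, 0xd0,
	0xba, 0x71, 0x77, 0xfe, 0x2c, 0x6d
};

u_int8_t delete_pld[] = {
	0x2a, 0x00, 0x00, 0x10, 0x01, 0x08, 0x00, 0x01,	/* IKE SA */
	0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0xaf, 0xfe,
	0x00, 0x00, 0x00, 0x10, 0x03, 0x04, 0x00, 0x02,	/* ESP SA */
	0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00, 0x11
};

u_int8_t vendor_pld[] = {
	0x00, 0x00, 0x00, 0x08, 0x11, 0x22, 0x33, 0x44
};

u_int8_t ts_pld[] = {
	0x00, 0x00, 0x00, 0x18, 0x01, 0x00, 0x00, 0x00,
	0x07, 0x00, 0x00, 0x10, 0x00, 0x00, 0xff, 0xff,
	0xac, 0x28, 0x7d, 0x00, 0xac, 0x28, 0x7d, 0xff
};

/*
 * NOTE(review): sk_pld is not used by any test case in the code shown,
 * so this payload type gets no fuzz coverage here.
 */
u_int8_t sk_pld[] = {
	0x21, 0x00, 0x01, 0x94, 0x14, 0x77, 0x25, 0x7b, 0x82, 0xc0,
	0xdb, 0x0b, 0x24, 0x36, 0x36, 0x13, 0x36, 0xe4, 0x99, 0xad,
	0xf5, 0xaf, 0x26, 0x6f, 0x47, 0xd2, 0x0d, 0x65, 0xe1, 0xa8,
	0xcb, 0x35, 0x1e, 0x53, 0xce, 0x6d, 0x8e, 0xf9, 0xe4, 0x51,
	0xe3, 0x27, 0x10, 0x43, 0x38, 0x84, 0x54, 0x1d, 0x7a, 0x1a,
	0x89, 0x34, 0x06, 0xb3, 0x62, 0x86, 0x98, 0x3b, 0x39, 0x91,
	0x6e, 0xe8, 0x65, 0x3e, 0x31, 0xa8, 0x08, 0xfe, 0x83, 0x56,
	0x30, 0xd3, 0xe0, 0xfd, 0x73, 0x92, 0x85, 0x2d, 0xae, 0x1d,
	0x7d, 0xdb, 0x47, 0x05, 0x57, 0xe7, 0x8e, 0xc5, 0xa5, 0x1b,
	0x0e, 0x85, 0x1f, 0x12, 0x6d, 0xe6, 0xdb, 0x3a, 0x3e, 0x99,
	0xd1, 0x23, 0x41, 0xa4, 0x1c, 0x46, 0x38, 0xd1, 0xa8, 0x84,
	0x96, 0x13, 0xdb, 0x2a, 0x1d, 0x3b, 0xb8, 0xd2, 0x04, 0xb3,
	0x0d, 0xb4, 0x71, 0x90, 0xdb, 0xf6, 0x2d, 0x60, 0x01, 0xc2,
	0xb2, 0x89, 0xbd, 0xe9, 0x95, 0x7b, 0x53, 0xa4, 0x94, 0x7e,
	0x12, 0xe9, 0x5f, 0xfc, 0x51, 0x17, 0x94, 0x3e, 0xba, 0xc2,
	0xa5, 0x4d, 0x3a, 0x4d, 0x4b, 0x95, 0x6d, 0x91, 0xc2, 0xb0,
	0x2d, 0xb7, 0x24, 0xe8, 0x3b, 0xbd, 0xe0, 0xcc, 0x09, 0x50,
	0x11, 0x83, 0xc0, 0xcd, 0x29, 0x33, 0xd5, 0x8f, 0x8a, 0xd1,
	0xe3, 0xe8, 0x4f, 0x6a, 0x10, 0x4a, 0x64, 0x97, 0x0f, 0x38,
	0x58, 0x8d, 0x7f, 0x5d, 0xb4, 0x6b, 0xa0, 0x42, 0x5e, 0x95,
	0xe6, 0x08, 0x3e, 0x01, 0xf8, 0x82, 0x90, 0x81, 0xd4, 0x70,
	0xb5, 0xb2, 0x8c, 0x64, 0xa9, 0x56, 0xdd, 0xc2, 0xda, 0xe1,
	0xd3, 0xad, 0xf8, 0x5b, 0x99, 0x0b, 0x19, 0x5e, 0x88, 0x0d,
	0x81, 0x04, 0x4d, 0xc1, 0x43, 0x41, 0xf1, 0xd3, 0x45, 0x65,
	0x62, 0x70, 0x2f, 0xfa, 0x62, 0xbe, 0x7d, 0xf4, 0x94, 0x91,
	0xe0, 0xbb, 0xb1, 0xbc, 0xe5, 0x27, 0xc8, 0x15, 0xd4, 0xcb,
	0x82, 0x97, 0x15, 0x46, 0x82, 0xbb, 0x48, 0xbb, 0x16, 0x25,
	0xbe, 0x82, 0xe4, 0x27, 0x80, 0xf3, 0xc2, 0x92, 0x3b, 0xd6,
	0xc3, 0x65, 0x20, 0xec, 0x50, 0xdb, 0x6a, 0xcb, 0x47, 0x73,
	0xf7, 0x98, 0xf1, 0x66, 0x5e, 0xc4, 0xe9, 0x87, 0xf8, 0xcb,
	0x1e, 0x06, 0xa7, 0x67, 0xf5, 0xec, 0x73, 0xe5, 0xc7, 0x4d,
	0xc2, 0x90, 0xe4, 0xdf, 0x9d, 0x1f, 0x05, 0x67, 0x99, 0xd6,
	0xf0, 0xc4, 0x20, 0xbc, 0xf8, 0xf5, 0x3e, 0x19, 0xe9, 0x3a,
	0x12, 0xe1, 0xcc, 0x9f, 0x81, 0x55, 0x1e, 0xad, 0xc8, 0xa3,
	0xe5, 0x98, 0xbe, 0xe0, 0x4d, 0xb7, 0x6b, 0xd5, 0xbe, 0x6a,
	0x3d, 0x76, 0xb6, 0xe2, 0xa5, 0xa7, 0x96, 0x68, 0xeb, 0x91,
	0xee, 0x02, 0xfc, 0xe4, 0x01, 0xc3, 0x24, 0xda, 0x4c, 0xff,
	0x10, 0x27, 0x78, 0xb0, 0x0b, 0x55, 0x5c, 0xce, 0x62, 0x7d,
	0x33, 0x2b, 0x25, 0x99, 0xaa, 0x99, 0xea, 0xa3, 0x1d, 0xd8,
	0x2b, 0x57, 0xb5, 0xe4, 0x04, 0x21, 0x75, 0xd9, 0xc4, 0xd0,
	0x3d, 0xa1, 0xa5, 0x8f
};

u_int8_t cp_pld[] = {
	0x2f, 0x00, 0x00, 0x0c,
	0x01, 0x00, 0x00, 0x00,	/* REQUEST */
	0x00, 0x01, 0x00, 0x00,	/* INTERNAL_IP4_ADDRESS */
	0x2f, 0x00, 0x00, 0x10,
	0x02, 0x00, 0x00, 0x00,	/* REPLY */
	0x00, 0x01, 0x00, 0x04,	/* INTERNAL_IP4_ADDRESS */
	0xaa, 0xbb, 0xcc, 0xdd,	/* 170.187.204.221 */
	0x2f, 0x00, 0x00, 0x08,
	0x03, 0x00, 0x00, 0x00,	/* SET (empty) */
	0x2f, 0x00, 0x00, 0x24,
	0x02, 0x00, 0x00, 0x00,	/* REPLY */
	0x00, 0x01, 0x00, 0x04,	/* INTERNAL_IP4_ADDRESS */
	0xaa, 0xaa, 0xaa, 0xaa,	/* 170.170.170.170 */
	0x00, 0x02, 0x00, 0x04,	/* INTERNAL_IP4_NETMASK */
	0xbb, 0xbb, 0xbb, 0xbb,	/* 187.187.187.187 */
	0x00, 0x03, 0x00, 0x04,	/* INTERNAL_IP4_DNS */
	0xcc, 0xcc, 0xcc, 0xcc,	/* 204.204.204.204 */
	0x00, 0x08, 0x00, 0x00,	/* INTERNAL_IP6_ADDRESS */
	0x00, 0x00, 0x00, 0x08,
	0x04, 0x00, 0x00, 0x00,	/* ACK (empty) */
};

u_int8_t eap_pld[] = {
	0x30, 0x00, 0x00, 0x09,
	0x01, 0x00, 0x00, 0x05, 0x01,
	0x30, 0x00, 0x00, 0x0c,
	0x02, 0x00, 0x00, 0x05, 0x01, 0xfa, 0xfb, 0xfc,
	0x30, 0x00, 0x00, 0x08,
	0x03, 0x00, 0x00, 0x04,
	0x00, 0x00, 0x00, 0x08,
	0x04, 0x00, 0x00, 0x04
};

/* Valid initiator packet */
u_int8_t valid_packet[] = {
	0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0x00, 0x01, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x21, 0x20, 0x22, 0x08,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xc0, 0x22, 0x00,
	0x00, 0x40, 0x00, 0x00, 0x00, 0x3c, 0x01, 0x01, 0x00, 0x06,
	0x03, 0x00, 0x00, 0x08, 0x03, 0x00, 0x00, 0x0c, 0x03, 0x00,
	0x00, 0x0c, 0x01, 0x00, 0x00, 0x0c, 0x80, 0x0e, 0x00, 0xc0,
	0x03, 0x00, 0x00, 0x08, 0x04, 0x00, 0x00, 0x0e, 0x03, 0x00,
	0x00, 0x08, 0x02, 0x00, 0x00, 0x05, 0x03, 0x00, 0x00, 0x08,
	0x02, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x08, 0x02, 0x00,
	0x00, 0x01, 0x28, 0x00, 0x01, 0x08, 0x00, 0x0e, 0x00, 0x00,
	0x16, 0xcb, 0x68, 0xaf, 0x63, 0xfe, 0xb0, 0x58, 0x49, 0x0e,
	0x7f, 0x85, 0x60, 0x53, 0x80, 0xae, 0x3f, 0x82, 0xf3, 0x35,
	0x21, 0xd5, 0xae, 0x09, 0x1c, 0xfa, 0x68, 0xc2, 0xfb, 0x4b,
	0xb3, 0x84, 0xda, 0xaf, 0x6e, 0xe2, 0x5e, 0xc5, 0xb6, 0x8c,
	0x35, 0x3c, 0xec, 0x58, 0x7f, 0xa9, 0xf8, 0xa4, 0x24, 0xf3,
	0xf8, 0xf4, 0x65, 0x59, 0x8c, 0x15, 0x4d, 0x2c, 0xf1, 0x5d,
	0xeb, 0x57, 0x68, 0xfe, 0x75, 0x61, 0x5a, 0x80, 0x96, 0xa4,
	0x0a, 0xad, 0x75, 0x71, 0xd8, 0xe0, 0x06, 0xbc, 0xde, 0x16,
	0x6d, 0x1e, 0xd9, 0x5d, 0x2c, 0x00, 0x66, 0x43, 0x82, 0xe4,
	0x6f, 0x5f, 0x95, 0xe7, 0x9b, 0xfd, 0xf2, 0xe2, 0xcb, 0xc5,
	0xf1, 0x52, 0xdd, 0x3b, 0xed, 0x88, 0xd4, 0xa9, 0x13, 0x4e,
	0x42, 0xe8, 0x60, 0x2d, 0x3c, 0xf6, 0xc8, 0xf0, 0x70, 0x42,
	0xfa, 0x33, 0x7f, 0x28, 0xdf, 0x6b, 0x79, 0x2c, 0x79, 0x8f,
	0xc0, 0x5d, 0x81, 0x7a, 0x62, 0xdb, 0xd4, 0x44, 0x3a, 0x3c,
	0x21, 0xbf, 0x85, 0xc8, 0x0b, 0x8c, 0x77, 0x72, 0xe9, 0xfb,
	0x50, 0x5c, 0x03, 0xa6, 0xb2, 0x3f, 0x17, 0x4a, 0xd1, 0xb3,
	0x01, 0x30, 0xad, 0xe4, 0xfa, 0xe2, 0xba, 0x6f, 0x22, 0x83,
	0xf4, 0xde, 0x38, 0x43, 0xe8, 0x27, 0x00, 0xb8, 0x95, 0xbe,
	0x03, 0x8f, 0xcd, 0xd3, 0x72, 0xed, 0xa5, 0xed, 0x8d, 0xf4,
	0x68, 0x98, 0xef, 0x59, 0xcc, 0xfb, 0x54, 0x89, 0xde, 0xa9,
	0xd4, 0x88, 0xcd, 0xb9, 0xca, 0x09, 0xd3, 0xd5, 0x25, 0xb1,
	0x8c, 0x58, 0x12, 0x9c, 0x69, 0x03, 0x72, 0x00, 0xc9, 0xca,
	0x95, 0x8a, 0xce, 0x0d, 0xd2, 0xc8, 0x25, 0xe7, 0x7c, 0xed,
	0x5e, 0xee, 0x35, 0x01, 0xfc, 0x00, 0x56, 0xed, 0xf3, 0x8d,
	0x81, 0x6c, 0x3e, 0x86, 0x6a, 0x40, 0xac, 0xc7, 0x9c, 0x7a,
	0xbf, 0x9f, 0x8e, 0x1f, 0xd8, 0x60, 0x29, 0x00, 0x00, 0x24,
	0x5f, 0x61, 0x42, 0x72, 0x7d, 0xb2, 0xa8, 0xc1, 0xfe, 0xb1,
	0x38, 0x2e, 0xb8, 0x75, 0xa7, 0xc1, 0x1d, 0x8a, 0xa7, 0xb7,
	0x9b, 0x92, 0xe2, 0x0e, 0x3a, 0x18, 0x20, 0xb6, 0x16, 0xf3,
	0x35, 0x67, 0x29, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x04,
	0xc7, 0xa0, 0x68, 0x68, 0x09, 0x0a, 0x7f, 0x12, 0x0b, 0x13,
	0xd3, 0x2f, 0xde, 0x64, 0x8b, 0xf1, 0xc3, 0x3c, 0x79, 0x8f,
	0x00, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x05, 0x9f, 0xbc,
	0x8c, 0xd0, 0x91, 0x5e, 0xa0, 0x87, 0x81, 0xab, 0x4f, 0xa1,
	0x8a, 0xa7, 0xa8, 0xf9, 0xeb, 0xdf, 0x9f, 0x2c
};

/*
 * Byte offsets of header fields within an assembled message.  The
 * fields after the cookies are expressed relative to sizeof(cookies).
 */
#define OFFSET_ICOOKIE		0
#define OFFSET_RCOOKIE		8
#define OFFSET_NEXTPAYLOAD	(0 + sizeof(cookies))
#define OFFSET_VERSION		(1 + sizeof(cookies))
#define OFFSET_EXCHANGE		(2 + sizeof(cookies))
#define OFFSET_LENGTH		(8 + sizeof(cookies))

/*
 * Field accessors.  None of them checks a length: the caller has to
 * guarantee that the buffer covers cookies plus generic header, which
 * matters because they are also applied to truncated fuzz inputs.
 */

/* Pointer to the initiator cookie inside the message. */
static u_int8_t *
get_icookie(u_int8_t *data)
{
	return &data[OFFSET_ICOOKIE];
}

/* Pointer to the responder cookie inside the message. */
static u_int8_t *
get_rcookie(u_int8_t *data)
{
	return &data[OFFSET_RCOOKIE];
}

/* The "next payload" byte of the header. */
static u_int8_t
get_nextpayload(u_int8_t *data)
{
	return data[OFFSET_NEXTPAYLOAD];
}

/* The version byte of the header. */
static u_int8_t
get_version(u_int8_t *data)
{
	return data[OFFSET_VERSION];
}

/* The exchange type byte of the header. */
static u_int8_t
get_exchange(u_int8_t *data)
{
	return data[OFFSET_EXCHANGE];
}

/*
 * The 32-bit total length field, returned exactly as it sits in the
 * buffer (set_length() stores it big-endian); no byte-order conversion
 * happens here.  Read with memcpy() rather than through a cast pointer
 * so the load does not depend on the alignment of the byte buffer.
 */
static u_int32_t
get_length(u_int8_t *data)
{
	u_int32_t	 len;

	memcpy(&len, &data[OFFSET_LENGTH], sizeof(len));
	return len;
}

/*
 * Store length into the total length field in big-endian byte order.
 * Written with memcpy() for the same alignment reason as get_length().
 */
static void
set_length(u_int8_t *data, u_int32_t length)
{
	u_int32_t	 be;

	be = htobe32(length);
	memcpy(&data[OFFSET_LENGTH], &be, sizeof(be));
}
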
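/* Overwrite the "next payload" byte of the header in place. */
static void
set_nextpayload(u_int8_t *data, u_int8_t next)
{
	data[OFFSET_NEXTPAYLOAD] = next;
}

/*
 * Fill *hdr from the leading bytes of the message buffer.
 *
 * Only the two SPIs, next payload, version, exchange type and length
 * are copied; every other member stays zero.  The length is taken over
 * unconverted, i.e. in the byte order found in the buffer.
 *
 * Nothing here checks the buffer size: the caller must make sure the
 * buffer holds at least sizeof(cookies) + sizeof(genhdr) bytes.
 */
static void
prepare_header(struct ike_header *hdr, struct ibuf *data)
{
	u_int8_t	*raw = ibuf_data(data);

	bzero(hdr, sizeof(*hdr));
	bcopy(get_icookie(raw), &hdr->ike_ispi, sizeof(hdr->ike_ispi));
	bcopy(get_rcookie(raw), &hdr->ike_rspi, sizeof(hdr->ike_rspi));
	hdr->ike_nextpayload = get_nextpayload(raw);
	hdr->ike_version = get_version(raw);
	hdr->ike_exchange = get_exchange(raw);
	hdr->ike_length = get_length(raw);
}

/*
 * Reset *msg and attach the message buffer to it.
 *
 * All messages share one function-static, freshly zeroed SA, so state
 * left in it by a previous parse does not carry over.
 */
static void
prepare_message(struct iked_message *msg, struct ibuf *data)
{
	static struct iked_sa	 sa;

	bzero(&sa, sizeof(sa));
	bzero(msg, sizeof(*msg));

	msg->msg_sa = &sa;
	msg->msg_data = data;
	/* NOTE(review): presumably marks the message as decrypted - confirm. */
	msg->msg_e = 1;
}

/*
 * Run the parser over every mutation the fuzz context produces.
 *
 * The parser's return value is deliberately ignored: a mutated message
 * may legitimately be rejected, so the loop only exercises the parser
 * on each input.
 *
 * NOTE(review): the fuzz context is never released in the code shown.
 * If test_helper.h offers a cleanup routine, call it after the loop.
 */
static void
perform_test(struct fuzz *fuzz)
{
	struct ibuf		*fuzzed;
	struct ike_header	 hdr;
	struct iked_message	 msg;

	bzero(&hdr, sizeof(hdr));
	bzero(&msg, sizeof(msg));

	for (; !fuzz_done(fuzz); fuzz_next(fuzz)) {
		ASSERT_PTR_NE(fuzzed = ibuf_new(fuzz_ptr(fuzz), fuzz_len(fuzz)),
		    NULL);
		print_hex(ibuf_data(fuzzed), 0, ibuf_size(fuzzed));

		/*
		 * We need at least cookies and generic header:
		 * prepare_header() reads those bytes unchecked.
		 */
		if (ibuf_size(fuzzed) < sizeof(cookies) + sizeof(genhdr)) {
			ibuf_free(fuzzed);
			continue;
		}

		prepare_header(&hdr, fuzzed);
		prepare_message(&msg, fuzzed);

		ikev2_pld_parse(NULL, &hdr, &msg, 0);

		ibuf_free(fuzzed);
	}
}

/* Allocate a seed message holding only cookies and generic header. */
static struct ibuf *
new_header_seed(void)
{
	struct ibuf	*data;

	ASSERT_PTR_NE(data = ibuf_new(cookies, sizeof(cookies)), NULL);
	ASSERT_INT_EQ(ibuf_add(data, genhdr, sizeof(genhdr)), 0);
	return data;
}

/*
 * Finish a seed message, require that it parses cleanly, then fuzz it.
 * Takes ownership of data and frees it.
 *
 * NOTE(review): the seed is freed before the fuzz loop runs, so this
 * relies on fuzz_begin() keeping its own copy of the bytes - confirm
 * against test_helper.
 */
static void
run_seed(struct ibuf *data)
{
	struct fuzz		*fuzz;
	struct ike_header	 hdr;
	struct iked_message	 msg;

	/* The header length must match what was actually assembled. */
	set_length(ibuf_data(data), ibuf_size(data));
	print_hex(ibuf_data(data), 0, ibuf_size(data));
	prepare_header(&hdr, data);
	prepare_message(&msg, data);
	/* An unmodified seed has to be accepted, or the mutations prove little. */
	ASSERT_INT_EQ(ikev2_pld_parse(NULL, &hdr, &msg, 0), 0);
	fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | FUZZ_2_BIT_FLIP |
	    FUZZ_1_BYTE_FLIP | FUZZ_2_BYTE_FLIP |
	    FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END |
	    FUZZ_BASE64,
	    ibuf_data(data), ibuf_size(data));
	ibuf_free(data);
	perform_test(fuzz);
}

/*
 * Fuzz a message made of cookies, generic header and one payload array,
 * with the header's "next payload" byte set to the payload's type.
 */
static void
run_payload(u_int8_t *pld, size_t pldlen, u_int8_t next)
{
	struct ibuf	*data;

	data = new_header_seed();
	ASSERT_INT_EQ(ibuf_add(data, pld, pldlen), 0);
	set_nextpayload(ibuf_data(data), next);
	run_seed(data);
}

/*
 * Entry point: one test case per seed message.  Every case checks that
 * the seed parses and then feeds all its mutations to the parser.
 */
void
parser_fuzz_tests(void)
{
	struct ibuf	*data;

#if 0
	log_init(3);
#endif

	/* Header only; "next payload" keeps the value from genhdr. */
	TEST_START("fuzz generic header");
	run_seed(new_header_seed());
	TEST_DONE();

	TEST_START("fuzz sa payload");
	run_payload(sa_pld, sizeof(sa_pld), IKEV2_PAYLOAD_SA);
	TEST_DONE();

	TEST_START("fuzz sa and xform payload");
	run_payload(saxform_pld, sizeof(saxform_pld), IKEV2_PAYLOAD_SA);
	TEST_DONE();

	TEST_START("fuzz ke payload");
	run_payload(ke_pld, sizeof(ke_pld), IKEV2_PAYLOAD_KE);
	TEST_DONE();

	TEST_START("fuzz nonce payload");
	run_payload(nonce_pld, sizeof(nonce_pld), IKEV2_PAYLOAD_NONCE);
	TEST_DONE();

	TEST_START("fuzz notify payload");
	run_payload(notify_pld, sizeof(notify_pld), IKEV2_PAYLOAD_NOTIFY);
	TEST_DONE();

	TEST_START("fuzz id payload");
	run_payload(id_pld, sizeof(id_pld), IKEV2_PAYLOAD_IDi);
	TEST_DONE();

	TEST_START("fuzz cert payload");
	run_payload(cert_pld, sizeof(cert_pld), IKEV2_PAYLOAD_CERT);
	TEST_DONE();

	TEST_START("fuzz certreq payload");
	run_payload(certreq_pld, sizeof(certreq_pld), IKEV2_PAYLOAD_CERTREQ);
	TEST_DONE();

	TEST_START("fuzz auth payload");
	run_payload(auth_pld, sizeof(auth_pld), IKEV2_PAYLOAD_AUTH);
	TEST_DONE();

	TEST_START("fuzz delete notify payload");
	run_payload(delete_pld, sizeof(delete_pld), IKEV2_PAYLOAD_DELETE);
	TEST_DONE();

	TEST_START("fuzz vendor id payload");
	run_payload(vendor_pld, sizeof(vendor_pld), IKEV2_PAYLOAD_VENDOR);
	TEST_DONE();

	/* The same traffic selector bytes serve as TSi and as TSr. */
	TEST_START("fuzz traffic selector initiator payload");
	run_payload(ts_pld, sizeof(ts_pld), IKEV2_PAYLOAD_TSi);
	TEST_DONE();

	TEST_START("fuzz traffic selector responder payload");
	run_payload(ts_pld, sizeof(ts_pld), IKEV2_PAYLOAD_TSr);
	TEST_DONE();

	TEST_START("fuzz configuration payload");
	run_payload(cp_pld, sizeof(cp_pld), IKEV2_PAYLOAD_CP);
	TEST_DONE();

	TEST_START("fuzz eap payload");
	run_payload(eap_pld, sizeof(eap_pld), IKEV2_PAYLOAD_EAP);
	TEST_DONE();

	/* Complete packet, used as is apart from the length refresh. */
	TEST_START("fuzz full valid packet");
	ASSERT_PTR_NE(data = ibuf_new(valid_packet, sizeof(valid_packet)),
	    NULL);
	run_seed(data);
	TEST_DONE();
}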