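/*	$OpenBSD: test_parser_fuzz.c,v 1.1 2017/05/29 20:59:28 markus Exp $ */
/*
 * Fuzz tests for payload parsing
 *
 * Placed in the public domain
 */

/*
 * Mutation-based regression harness for the IKEv2 payload parser.
 *
 * Each test builds a well-formed seed message (16 bytes of SPIs, the
 * 12-byte generic header, optionally one payload), asserts that the
 * unmodified seed parses cleanly, and then replays every mutation that
 * the test_helper fuzzer derives from it through ikev2_pld_parse().
 *
 * Coverage notes for reviewers:
 *  - The parser's verdict on mutated input is ignored, so the harness
 *    only reports failures that abort the process (a crash or a failed
 *    assertion).  An out-of-bounds read that does not fault passes
 *    silently unless the regress binary is built with a memory-error
 *    detector.
 *  - sk_pld (encrypted payload) is defined below but no test references
 *    it, so that parsing path is not exercised by this file.
 */

#include <sys/socket.h>
#include <sys/param.h>
#include <sys/queue.h>
#include <sys/uio.h>

#include <event.h>
#include <imsg.h>
#include <string.h>

#include "iked.h"
#include "ikev2.h"
#include "test_helper.h"

/*
 * NOTE(review): declared here but never called in this file; every test
 * goes through ikev2_pld_parse() instead.
 */
extern int	ikev2_pld_payloads(struct iked *, struct iked_message *,
		    size_t, size_t, u_int);

void		parser_fuzz_tests(void);

u_int8_t cookies[] = {
	0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0x00, 0x01,	/* initiator cookie */
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00	/* responder cookie */
};

u_int8_t genhdr[] = {
	0x00, 0x20, 0x22, 0x08,	/* next, major/minor, exchange type, flags */
	0x00, 0x00, 0x00, 0x00,	/* message ID */
	0x00, 0x00, 0x00, 0x00	/* total length */
};

u_int8_t sa_pld[] = {
	0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x08, 0x01, 0x01, 0x00, 0x00
};

u_int8_t saxform_pld[] = {
	0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x3c,
	0x01, 0x01, 0x00, 0x06, 0x03, 0x00, 0x00, 0x08,
	0x03, 0x00, 0x00, 0x0c, 0x03, 0x00, 0x00, 0x0c,
	0x01, 0x00, 0x00, 0x0c, 0x80, 0x0e, 0x00, 0xc0,
	0x03, 0x00, 0x00, 0x08, 0x04, 0x00, 0x00, 0x0e,
	0x03, 0x00, 0x00, 0x08, 0x02, 0x00, 0x00, 0x05,
	0x03, 0x00, 0x00, 0x08, 0x02, 0x00, 0x00, 0x02,
	0x00, 0x00, 0x00, 0x08, 0x02, 0x00, 0x00, 0x01
};

u_int8_t ke_pld[] = {
	0x00, 0x00, 0x01, 0x08, 0x00, 0x0e, 0x00, 0x00, 0x16, 0xcb,
	0x68, 0xaf, 0x63, 0xfe, 0xb0, 0x58, 0x49, 0x0e, 0x7f, 0x85,
	0x60, 0x53, 0x80, 0xae, 0x3f, 0x82, 0xf3, 0x35, 0x21, 0xd5,
	0xae, 0x09, 0x1c, 0xfa, 0x68, 0xc2, 0xfb, 0x4b, 0xb3, 0x84,
	0xda, 0xaf, 0x6e, 0xe2, 0x5e, 0xc5, 0xb6, 0x8c, 0x35, 0x3c,
	0xec, 0x58, 0x7f, 0xa9, 0xf8, 0xa4, 0x24, 0xf3, 0xf8, 0xf4,
	0x65, 0x59, 0x8c, 0x15, 0x4d, 0x2c, 0xf1, 0x5d, 0xeb, 0x57,
	0x68, 0xfe, 0x75, 0x61, 0x5a, 0x80, 0x96, 0xa4, 0x0a, 0xad,
	0x75, 0x71, 0xd8, 0xe0, 0x06, 0xbc, 0xde, 0x16, 0x6d, 0x1e,
	0xd9, 0x5d, 0x2c, 0x00, 0x66, 0x43, 0x82, 0xe4, 0x6f, 0x5f,
	0x95, 0xe7, 0x9b, 0xfd, 0xf2, 0xe2, 0xcb, 0xc5, 0xf1, 0x52,
	0xdd, 0x3b, 0xed, 0x88, 0xd4, 0xa9, 0x13, 0x4e, 0x42, 0xe8,
	0x60, 0x2d, 0x3c, 0xf6, 0xc8, 0xf0, 0x70, 0x42, 0xfa, 0x33,
	0x7f, 0x28, 0xdf, 0x6b, 0x79, 0x2c, 0x79, 0x8f, 0xc0, 0x5d,
	0x81, 0x7a, 0x62, 0xdb, 0xd4, 0x44, 0x3a, 0x3c, 0x21, 0xbf,
	0x85, 0xc8, 0x0b, 0x8c, 0x77, 0x72, 0xe9, 0xfb, 0x50, 0x5c,
	0x03, 0xa6, 0xb2, 0x3f, 0x17, 0x4a, 0xd1, 0xb3, 0x01, 0x30,
	0xad, 0xe4, 0xfa, 0xe2, 0xba, 0x6f, 0x22, 0x83, 0xf4, 0xde,
	0x38, 0x43, 0xe8, 0x27, 0x00, 0xb8, 0x95, 0xbe, 0x03, 0x8f,
	0xcd, 0xd3, 0x72, 0xed, 0xa5, 0xed, 0x8d, 0xf4, 0x68, 0x98,
	0xef, 0x59, 0xcc, 0xfb, 0x54, 0x89, 0xde, 0xa9, 0xd4, 0x88,
	0xcd, 0xb9, 0xca, 0x09, 0xd3, 0xd5, 0x25, 0xb1, 0x8c, 0x58,
	0x12, 0x9c, 0x69, 0x03, 0x72, 0x00, 0xc9, 0xca, 0x95, 0x8a,
	0xce, 0x0d, 0xd2, 0xc8, 0x25, 0xe7, 0x7c, 0xed, 0x5e, 0xee,
	0x35, 0x01, 0xfc, 0x00, 0x56, 0xed, 0xf3, 0x8d, 0x81, 0x6c,
	0x3e, 0x86, 0x6a, 0x40, 0xac, 0xc7, 0x9c, 0x7a, 0xbf, 0x9f,
	0x8e, 0x1f, 0xd8, 0x60
};

u_int8_t nonce_pld[] = {
	0x00, 0x00, 0x00, 0x24, 0x5f, 0x61, 0x42, 0x72, 0x7d, 0xb2,
	0xa8, 0xc1, 0xfe, 0xb1, 0x38, 0x2e, 0xb8, 0x75, 0xa7, 0xc1,
	0x1d, 0x8a, 0xa7, 0xb7, 0x9b, 0x92, 0xe2, 0x0e, 0x3a, 0x18,
	0x20, 0xb6, 0x16, 0xf3, 0x35, 0x67,
};

u_int8_t notify_pld[] = {
	0x00, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x04, 0xc7, 0xa0,
	0x68, 0x68, 0x09, 0x0a, 0x7f, 0x12, 0x0b, 0x13, 0xd3, 0x2f,
	0xde, 0x64, 0x8b, 0xf1, 0xc3, 0x3c, 0x79, 0x8f, 0x00, 0x00,
	0x00, 0x1c, 0x00, 0x00, 0x40, 0x05, 0x9f, 0xbc, 0x8c, 0xd0,
	0x91, 0x5e, 0xa0, 0x87, 0x81, 0xab, 0x4f, 0xa1, 0x8a, 0xa7,
	0xa8, 0xf9, 0xeb, 0xdf, 0x9f, 0x2c
};

u_int8_t id_pld[] = {
	0x00, 0x00, 0x00, 0x0c, 0x01, 0x00, 0x00, 0x00,
	0xac, 0x12, 0x7d, 0x01
};

u_int8_t cert_pld[] = {
	0x00, 0x00, 0x01, 0x10, 0x0b, 0x00, 0x00, 0x00,
	0x30, 0x82, 0x01, 0x0c, 0x02, 0x82, 0x01, 0x01, 0x00, 0x8a,
	0x26, 0xf8, 0x9e, 0xe8, 0x09, 0x11, 0x6b, 0x3d, 0x00, 0xd3,
	0x25, 0xf8, 0x9f, 0xe8, 0x09, 0x11, 0x6b, 0x3d, 0x10, 0xd3,
	0x0b, 0x9a, 0xb0, 0xb7, 0xe4, 0x3e, 0x40, 0x59, 0xd7, 0x51,
	0x03, 0xaf, 0x09, 0x79, 0x1b, 0x0d, 0x63, 0x66, 0x28, 0xaa,
	0x97, 0xc8, 0x20, 0x4b, 0x28, 0x9b, 0x5e, 0x8c, 0xa9, 0x8f,
	0x73, 0x81, 0xb4, 0xfa, 0xf4, 0xdd, 0x05, 0x69, 0x0b, 0x71,
	0x72, 0xd8, 0xbb, 0xac, 0x4b, 0x6d, 0x67, 0x5a, 0xa2, 0x63,
	0x5d, 0x6d, 0x27, 0xc5, 0xf4, 0xe6, 0x0a, 0xbd, 0x2b, 0x0a,
	0x64, 0xb2, 0xcf, 0x59, 0x63, 0x9b, 0x5c, 0x4f, 0x26, 0x36,
	0xe3, 0x10, 0x70, 0x3c, 0x39, 0x77, 0x55, 0x07, 0x1c, 0x12,
	0xde, 0x60, 0x53, 0xa1, 0x70, 0xf4, 0xda, 0xfc, 0xcc, 0xec,
	0xad, 0x6d, 0x34, 0xad, 0xe2, 0x36, 0x10, 0x93, 0x59, 0x0c,
	0x81, 0x8d, 0x22, 0x7e, 0x57, 0xeb, 0x89, 0x26, 0xdb, 0x6e,
	0x99, 0x9a, 0xde, 0xbe, 0xad, 0xef, 0xca, 0xaf, 0xfe, 0xfe,
	0x99, 0x9a, 0xde, 0xbe, 0xad, 0xef, 0xca, 0xaf, 0xfe, 0xfe,
	0x6f, 0xd4, 0xe4, 0x63, 0x6c, 0x3e, 0x83, 0x09, 0xf4, 0x32,
	0x78, 0x3b, 0x71, 0xe9, 0x36, 0xb6, 0x92, 0xf6, 0xa8, 0x31,
	0x4d, 0x7c, 0xd0, 0xa1, 0x30, 0x55, 0xb6, 0x6b, 0x9e, 0xb7,
	0x41, 0xa8, 0x77, 0x6c, 0x96, 0xb8, 0xa2, 0x0c, 0x7d, 0x70,
	0xca, 0x51, 0xb9, 0xad, 0xc5, 0x75, 0xa7, 0xf1, 0x1e, 0x0e,
	0xca, 0x51, 0xb9, 0xad, 0xc5, 0x75, 0xa7, 0xf1, 0x1e, 0x0e,
	0xf2, 0xcf, 0x69, 0xbf, 0x20, 0xe9, 0x97, 0x05, 0xdd, 0xf3,
	0xf2, 0xcf, 0x69, 0xbf, 0x20, 0xe9, 0x97, 0x05, 0xdd, 0xf3,
	0x32, 0x58, 0x37, 0x8c, 0x5d, 0x02, 0x05, 0x00, 0xd1, 0x76,
	0x67, 0x01, 0x67, 0x75, 0x3b, 0xba, 0x45, 0xc2, 0xa2, 0x77,
	0x3b, 0x7e, 0xb4, 0x03, 0x88, 0x08, 0x93, 0xfe, 0x07, 0x51,
	0x8e, 0xcf
};

u_int8_t certreq_pld[] = {
	0x00, 0x00, 0x00, 0x05, 0x0b
};

u_int8_t auth_pld[] = {
	0x00, 0x00, 0x01, 0x08, 0x01, 0x00, 0x00, 0x00,
	0x2a, 0x34, 0x80, 0x52, 0x3c, 0x86, 0x1c, 0xfa, 0x9a, 0x2b,
	0x8b, 0xff, 0xbb, 0xb5, 0x0d, 0x6b, 0xa1, 0x62, 0x58, 0xd8,
	0x16, 0xaa, 0x15, 0xe4, 0x34, 0x24, 0xca, 0xc3, 0x09, 0x08,
	0x51, 0x69, 0x69, 0xef, 0xbd, 0xb7, 0xd4, 0xc5, 0x4f, 0x6c,
	0x12, 0xd5, 0xd0, 0x0b, 0xc7, 0x66, 0x0d, 0xcb, 0x6d, 0x01,
	0x7b, 0x8c, 0xec, 0x3d, 0x98, 0xe5, 0x2a, 0xac, 0x11, 0xde,
	0x88, 0x2e, 0xf2, 0x22, 0x98, 0x13, 0x73, 0xa3, 0x38, 0xd0,
	0x43, 0xf4, 0xc6, 0xf0, 0xc1, 0x24, 0x1a, 0x7a, 0x9f, 0xba,
	0x03, 0x25, 0x49, 0xe5, 0x8e, 0xb7, 0x5d, 0x79, 0x76, 0xfd,
	0x22, 0x5c, 0xba, 0x82, 0xb8, 0x75, 0x81, 0xc6, 0x79, 0xb3,
	0x56, 0x44, 0x82, 0x80, 0x5a, 0x3c, 0xe8, 0x21, 0xe4, 0xdb,
	0xfd, 0x1c, 0xd3, 0x18, 0xbd, 0x74, 0x22, 0x25, 0x44, 0xde,
	0x0b, 0x7e, 0x6e, 0xdb, 0xe3, 0x3b, 0x17, 0xc1, 0x4d, 0x5e,
	0x51, 0x87, 0xb0, 0x5a, 0xce, 0x5f, 0x23, 0xce, 0x18, 0x61,
	0x03, 0x02, 0x7e, 0x4b, 0x36, 0xb0, 0x7c, 0x90, 0xcf, 0xac,
	0x81, 0xc4, 0x45, 0xa3, 0x50, 0x01, 0x2e, 0x0a, 0xce, 0x62,
	0x7a, 0xe0, 0xa7, 0xc0, 0x45, 0x5e, 0x90, 0xe2, 0x2e, 0xc6,
	0x90, 0xe9, 0xbe, 0x8f, 0xe9, 0x31, 0xa9, 0xc9, 0x44, 0x62,
	0x31, 0xb6, 0x13, 0xaf, 0xd5, 0x9a, 0x55, 0x9b, 0x14, 0xf9,
	0x80, 0xcc, 0x73, 0xe3, 0x51, 0xdf, 0x2a, 0x04, 0x79, 0x0d,
	0x04, 0xee, 0x4c, 0xa8, 0x9d, 0xaa, 0x67, 0x2f, 0x77, 0x87,
	0x5e, 0x2d, 0x05, 0x95, 0xbe, 0x53, 0x45, 0x96, 0x8b, 0x89,
	0x79, 0x5b, 0x48, 0xe2, 0x6f, 0x3a, 0xc9, 0xef, 0x83, 0x81,
	0xcc, 0x4c, 0xfe, 0xb7, 0x40, 0x2d, 0xa5, 0xa5, 0x51, 0xb7,
	0xad, 0x2f, 0x29, 0xd8, 0xc8, 0x02, 0xbe, 0x18, 0x09, 0xd0,
	0xba, 0x71, 0x77, 0xfe, 0x2c, 0x6d
};

u_int8_t delete_pld[] = {
	0x2a, 0x00, 0x00, 0x10, 0x01, 0x08, 0x00, 0x01,	/* IKE SA */
	0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0xaf, 0xfe,
	0x00, 0x00, 0x00, 0x10, 0x03, 0x04, 0x00, 0x02,	/* ESP SA */
	0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00, 0x11
};

u_int8_t vendor_pld[] = {
	0x00, 0x00, 0x00, 0x08, 0x11, 0x22, 0x33, 0x44
};

u_int8_t ts_pld[] = {
	0x00, 0x00, 0x00, 0x18, 0x01, 0x00, 0x00, 0x00,
	0x07, 0x00, 0x00, 0x10, 0x00, 0x00, 0xff, 0xff,
	0xac, 0x28, 0x7d, 0x00, 0xac, 0x28, 0x7d, 0xff
};

/* Not referenced by any test in this file. */
u_int8_t sk_pld[] = {
	0x21, 0x00, 0x01, 0x94, 0x14, 0x77, 0x25, 0x7b, 0x82, 0xc0,
	0xdb, 0x0b, 0x24, 0x36, 0x36, 0x13, 0x36, 0xe4, 0x99, 0xad,
	0xf5, 0xaf, 0x26, 0x6f, 0x47, 0xd2, 0x0d, 0x65, 0xe1, 0xa8,
	0xcb, 0x35, 0x1e, 0x53, 0xce, 0x6d, 0x8e, 0xf9, 0xe4, 0x51,
	0xe3, 0x27, 0x10, 0x43, 0x38, 0x84, 0x54, 0x1d, 0x7a, 0x1a,
	0x89, 0x34, 0x06, 0xb3, 0x62, 0x86, 0x98, 0x3b, 0x39, 0x91,
	0x6e, 0xe8, 0x65, 0x3e, 0x31, 0xa8, 0x08, 0xfe, 0x83, 0x56,
	0x30, 0xd3, 0xe0, 0xfd, 0x73, 0x92, 0x85, 0x2d, 0xae, 0x1d,
	0x7d, 0xdb, 0x47, 0x05, 0x57, 0xe7, 0x8e, 0xc5, 0xa5, 0x1b,
	0x0e, 0x85, 0x1f, 0x12, 0x6d, 0xe6, 0xdb, 0x3a, 0x3e, 0x99,
	0xd1, 0x23, 0x41, 0xa4, 0x1c, 0x46, 0x38, 0xd1, 0xa8, 0x84,
	0x96, 0x13, 0xdb, 0x2a, 0x1d, 0x3b, 0xb8, 0xd2, 0x04, 0xb3,
	0x0d, 0xb4, 0x71, 0x90, 0xdb, 0xf6, 0x2d, 0x60, 0x01, 0xc2,
	0xb2, 0x89, 0xbd, 0xe9, 0x95, 0x7b, 0x53, 0xa4, 0x94, 0x7e,
	0x12, 0xe9, 0x5f, 0xfc, 0x51, 0x17, 0x94, 0x3e, 0xba, 0xc2,
	0xa5, 0x4d, 0x3a, 0x4d, 0x4b, 0x95, 0x6d, 0x91, 0xc2, 0xb0,
	0x2d, 0xb7, 0x24, 0xe8, 0x3b, 0xbd, 0xe0, 0xcc, 0x09, 0x50,
	0x11, 0x83, 0xc0, 0xcd, 0x29, 0x33, 0xd5, 0x8f, 0x8a, 0xd1,
	0xe3, 0xe8, 0x4f, 0x6a, 0x10, 0x4a, 0x64, 0x97, 0x0f, 0x38,
	0x58, 0x8d, 0x7f, 0x5d, 0xb4, 0x6b, 0xa0, 0x42, 0x5e, 0x95,
	0xe6, 0x08, 0x3e, 0x01, 0xf8, 0x82, 0x90, 0x81, 0xd4, 0x70,
	0xb5, 0xb2, 0x8c, 0x64, 0xa9, 0x56, 0xdd, 0xc2, 0xda, 0xe1,
	0xd3, 0xad, 0xf8, 0x5b, 0x99, 0x0b, 0x19, 0x5e, 0x88, 0x0d,
	0x81, 0x04, 0x4d, 0xc1, 0x43, 0x41, 0xf1, 0xd3, 0x45, 0x65,
	0x62, 0x70, 0x2f, 0xfa, 0x62, 0xbe, 0x7d, 0xf4, 0x94, 0x91,
	0xe0, 0xbb, 0xb1, 0xbc, 0xe5, 0x27, 0xc8, 0x15, 0xd4, 0xcb,
	0x82, 0x97, 0x15, 0x46, 0x82, 0xbb, 0x48, 0xbb, 0x16, 0x25,
	0xbe, 0x82, 0xe4, 0x27, 0x80, 0xf3, 0xc2, 0x92, 0x3b, 0xd6,
	0xc3, 0x65, 0x20, 0xec, 0x50, 0xdb, 0x6a, 0xcb, 0x47, 0x73,
	0xf7, 0x98, 0xf1, 0x66, 0x5e, 0xc4, 0xe9, 0x87, 0xf8, 0xcb,
	0x1e, 0x06, 0xa7, 0x67, 0xf5, 0xec, 0x73, 0xe5, 0xc7, 0x4d,
	0xc2, 0x90, 0xe4, 0xdf, 0x9d, 0x1f, 0x05, 0x67, 0x99, 0xd6,
	0xf0, 0xc4, 0x20, 0xbc, 0xf8, 0xf5, 0x3e, 0x19, 0xe9, 0x3a,
	0x12, 0xe1, 0xcc, 0x9f, 0x81, 0x55, 0x1e, 0xad, 0xc8, 0xa3,
	0xe5, 0x98, 0xbe, 0xe0, 0x4d, 0xb7, 0x6b, 0xd5, 0xbe, 0x6a,
	0x3d, 0x76, 0xb6, 0xe2, 0xa5, 0xa7, 0x96, 0x68, 0xeb, 0x91,
	0xee, 0x02, 0xfc, 0xe4, 0x01, 0xc3, 0x24, 0xda, 0x4c, 0xff,
	0x10, 0x27, 0x78, 0xb0, 0x0b, 0x55, 0x5c, 0xce, 0x62, 0x7d,
	0x33, 0x2b, 0x25, 0x99, 0xaa, 0x99, 0xea, 0xa3, 0x1d, 0xd8,
	0x2b, 0x57, 0xb5, 0xe4, 0x04, 0x21, 0x75, 0xd9, 0xc4, 0xd0,
	0x3d, 0xa1, 0xa5, 0x8f
};

u_int8_t cp_pld[] = {
	0x2f, 0x00, 0x00, 0x0c,
	0x01, 0x00, 0x00, 0x00,
	0x00, 0x01, 0x00, 0x00,
	0x2f, 0x00, 0x00, 0x10,
	0x02, 0x00, 0x00, 0x00,
	0x00, 0x01, 0x00, 0x04,
	0xaa, 0xbb, 0xcc, 0xdd,
	0x2f, 0x00, 0x00, 0x08,
	0x03, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x08,
	0x04, 0x00, 0x00, 0x00,
};

u_int8_t eap_pld[] = {
	0x30, 0x00, 0x00, 0x09,
	0x01, 0x00, 0x00, 0x05, 0x01,
	0x30, 0x00, 0x00, 0x0c,
	0x02, 0x00, 0x00, 0x05, 0x01, 0xfa, 0xfb, 0xfc,
	0x30, 0x00, 0x00, 0x08,
	0x03, 0x00, 0x00, 0x04,
	0x00, 0x00, 0x00, 0x08,
	0x04, 0x00, 0x00, 0x04
};

/* Valid initiator packet */
u_int8_t valid_packet[] = {
	0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0x00, 0x01, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x21, 0x20, 0x22, 0x08,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xc0, 0x22, 0x00,
	0x00, 0x40, 0x00, 0x00, 0x00, 0x3c, 0x01, 0x01, 0x00, 0x06,
	0x03, 0x00, 0x00, 0x08, 0x03, 0x00, 0x00, 0x0c, 0x03, 0x00,
	0x00, 0x0c, 0x01, 0x00, 0x00, 0x0c, 0x80, 0x0e, 0x00, 0xc0,
	0x03, 0x00, 0x00, 0x08, 0x04, 0x00, 0x00, 0x0e, 0x03, 0x00,
	0x00, 0x08, 0x02, 0x00, 0x00, 0x05, 0x03, 0x00, 0x00, 0x08,
	0x02, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x08, 0x02, 0x00,
	0x00, 0x01, 0x28, 0x00, 0x01, 0x08, 0x00, 0x0e, 0x00, 0x00,
	0x16, 0xcb, 0x68, 0xaf, 0x63, 0xfe, 0xb0, 0x58, 0x49, 0x0e,
	0x7f, 0x85, 0x60, 0x53, 0x80, 0xae, 0x3f, 0x82, 0xf3, 0x35,
	0x21, 0xd5, 0xae, 0x09, 0x1c, 0xfa, 0x68, 0xc2, 0xfb, 0x4b,
	0xb3, 0x84, 0xda, 0xaf, 0x6e, 0xe2, 0x5e, 0xc5, 0xb6, 0x8c,
	0x35, 0x3c, 0xec, 0x58, 0x7f, 0xa9, 0xf8, 0xa4, 0x24, 0xf3,
	0xf8, 0xf4, 0x65, 0x59, 0x8c, 0x15, 0x4d, 0x2c, 0xf1, 0x5d,
	0xeb, 0x57, 0x68, 0xfe, 0x75, 0x61, 0x5a, 0x80, 0x96, 0xa4,
	0x0a, 0xad, 0x75, 0x71, 0xd8, 0xe0, 0x06, 0xbc, 0xde, 0x16,
	0x6d, 0x1e, 0xd9, 0x5d, 0x2c, 0x00, 0x66, 0x43, 0x82, 0xe4,
	0x6f, 0x5f, 0x95, 0xe7, 0x9b, 0xfd, 0xf2, 0xe2, 0xcb, 0xc5,
	0xf1, 0x52, 0xdd, 0x3b, 0xed, 0x88, 0xd4, 0xa9, 0x13, 0x4e,
	0x42, 0xe8, 0x60, 0x2d, 0x3c, 0xf6, 0xc8, 0xf0, 0x70, 0x42,
	0xfa, 0x33, 0x7f, 0x28, 0xdf, 0x6b, 0x79, 0x2c, 0x79, 0x8f,
	0xc0, 0x5d, 0x81, 0x7a, 0x62, 0xdb, 0xd4, 0x44, 0x3a, 0x3c,
	0x21, 0xbf, 0x85, 0xc8, 0x0b, 0x8c, 0x77, 0x72, 0xe9, 0xfb,
	0x50, 0x5c, 0x03, 0xa6, 0xb2, 0x3f, 0x17, 0x4a, 0xd1, 0xb3,
	0x01, 0x30, 0xad, 0xe4, 0xfa, 0xe2, 0xba, 0x6f, 0x22, 0x83,
	0xf4, 0xde, 0x38, 0x43, 0xe8, 0x27, 0x00, 0xb8, 0x95, 0xbe,
	0x03, 0x8f, 0xcd, 0xd3, 0x72, 0xed, 0xa5, 0xed, 0x8d, 0xf4,
	0x68, 0x98, 0xef, 0x59, 0xcc, 0xfb, 0x54, 0x89, 0xde, 0xa9,
	0xd4, 0x88, 0xcd, 0xb9, 0xca, 0x09, 0xd3, 0xd5, 0x25, 0xb1,
	0x8c, 0x58, 0x12, 0x9c, 0x69, 0x03, 0x72, 0x00, 0xc9, 0xca,
	0x95, 0x8a, 0xce, 0x0d, 0xd2, 0xc8, 0x25, 0xe7, 0x7c, 0xed,
	0x5e, 0xee, 0x35, 0x01, 0xfc, 0x00, 0x56, 0xed, 0xf3, 0x8d,
	0x81, 0x6c, 0x3e, 0x86, 0x6a, 0x40, 0xac, 0xc7, 0x9c, 0x7a,
	0xbf, 0x9f, 0x8e, 0x1f, 0xd8, 0x60, 0x29, 0x00, 0x00, 0x24,
	0x5f, 0x61, 0x42, 0x72, 0x7d, 0xb2, 0xa8, 0xc1, 0xfe, 0xb1,
	0x38, 0x2e, 0xb8, 0x75, 0xa7, 0xc1, 0x1d, 0x8a, 0xa7, 0xb7,
	0x9b, 0x92, 0xe2, 0x0e, 0x3a, 0x18, 0x20, 0xb6, 0x16, 0xf3,
	0x35, 0x67, 0x29, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x04,
	0xc7, 0xa0, 0x68, 0x68, 0x09, 0x0a, 0x7f, 0x12, 0x0b, 0x13,
	0xd3, 0x2f, 0xde, 0x64, 0x8b, 0xf1, 0xc3, 0x3c, 0x79, 0x8f,
	0x00, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x05, 0x9f, 0xbc,
	0x8c, 0xd0, 0x91, 0x5e, 0xa0, 0x87, 0x81, 0xab, 0x4f, 0xa1,
	0x8a, 0xa7, 0xa8, 0xf9, 0xeb, 0xdf, 0x9f, 0x2c
};

/* Byte offsets of the header fields inside a raw message buffer. */
#define OFFSET_ICOOKIE		0
#define OFFSET_RCOOKIE		8
#define OFFSET_NEXTPAYLOAD	(0 + sizeof(cookies))
#define OFFSET_VERSION		(1 + sizeof(cookies))
#define OFFSET_EXCHANGE		(2 + sizeof(cookies))
#define OFFSET_LENGTH		(8 + sizeof(cookies))

/* Mutation strategies applied to every seed message. */
#define FUZZ_STRATEGIES							\
	(FUZZ_1_BIT_FLIP | FUZZ_2_BIT_FLIP |				\
	FUZZ_1_BYTE_FLIP | FUZZ_2_BYTE_FLIP |				\
	FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END |			\
	FUZZ_BASE64)

/*
 * Field accessors.  None of them checks the buffer size; callers must
 * guarantee at least sizeof(cookies) + sizeof(genhdr) bytes.
 */

static u_int8_t *
get_icookie(u_int8_t *data)
{
	return &data[OFFSET_ICOOKIE];
}

static u_int8_t *
get_rcookie(u_int8_t *data)
{
	return &data[OFFSET_RCOOKIE];
}

static u_int8_t
get_nextpayload(u_int8_t *data)
{
	return data[OFFSET_NEXTPAYLOAD];
}

static u_int8_t
get_version(u_int8_t *data)
{
	return data[OFFSET_VERSION];
}

static u_int8_t
get_exchange(u_int8_t *data)
{
	return data[OFFSET_EXCHANGE];
}

/*
 * Return the 32-bit length field exactly as stored in the buffer; no
 * byte-order conversion is done here (set_length() stores it big-endian).
 * NOTE(review): presumably struct ike_header keeps ike_length in wire
 * order and the parser converts it; confirm against ikev2_pld_parse().
 */
static u_int32_t
get_length(u_int8_t *data)
{
	u_int32_t len;

	/* memcpy instead of a u_int32_t cast: no alignment/aliasing issue. */
	memcpy(&len, &data[OFFSET_LENGTH], sizeof(len));
	return len;
}

/* Store length into the header's length field in big-endian order. */
static void
set_length(u_int8_t *data, u_int32_t length)
{
	u_int32_t belen = htobe32(length);

	/* memcpy instead of a u_int32_t cast: no alignment/aliasing issue. */
	memcpy(&data[OFFSET_LENGTH], &belen, sizeof(belen));
}

/* Overwrite the header's "next payload" byte. */
static void
set_nextpayload(u_int8_t *data, u_int8_t next)
{
	data[OFFSET_NEXTPAYLOAD] = next;
}

/*
 * Fill hdr from the raw bytes in data.  The SPIs and the length are copied
 * verbatim; message ID and flags stay zero from the bzero().
 */
static void
prepare_header(struct ike_header *hdr, struct ibuf *data)
{
	u_int8_t *raw = ibuf_data(data);

	bzero(hdr, sizeof(*hdr));
	bcopy(get_icookie(raw), &hdr->ike_ispi, sizeof(hdr->ike_ispi));
	bcopy(get_rcookie(raw), &hdr->ike_rspi, sizeof(hdr->ike_rspi));
	hdr->ike_nextpayload = get_nextpayload(raw);
	hdr->ike_version = get_version(raw);
	hdr->ike_exchange = get_exchange(raw);
	hdr->ike_length = get_length(raw);
}

/*
 * Reset msg and attach data plus a zeroed SA.  The SA is one static
 * object shared by all calls, so a message prepared earlier is reset
 * along with it.
 */
static void
prepare_message(struct iked_message *msg, struct ibuf *data)
{
	static struct iked_sa sa;

	bzero(&sa, sizeof(sa));
	bzero(msg, sizeof(*msg));

	msg->msg_sa = &sa;
	msg->msg_data = data;
}

/*
 * Feed every mutation produced by fuzz to ikev2_pld_parse().
 *
 * The parser's return value is deliberately ignored: mutated input is
 * expected to be rejected, so only a crash or a failed assertion shows up
 * as a test failure.
 */
static void
perform_test(struct fuzz *fuzz)
{
	struct ibuf *fuzzed;
	struct ike_header hdr;
	struct iked_message msg;

	bzero(&hdr, sizeof(hdr));
	bzero(&msg, sizeof(msg));

	for (; !fuzz_done(fuzz); fuzz_next(fuzz)) {
		ASSERT_PTR_NE(fuzzed = ibuf_new(fuzz_ptr(fuzz), fuzz_len(fuzz)),
		    NULL);
		print_hex(ibuf_data(fuzzed), 0, ibuf_size(fuzzed));

		/*
		 * We need at least cookies and generic header:
		 * prepare_header() reads fixed offsets without checking
		 * the buffer size.
		 */
		if (ibuf_size(fuzzed) < sizeof(cookies) + sizeof(genhdr)) {
			ibuf_free(fuzzed);
			continue;
		}

		prepare_header(&hdr, fuzzed);
		prepare_message(&msg, fuzzed);

		ikev2_pld_parse(NULL, &hdr, &msg, 0);

		ibuf_free(fuzzed);
	}
}

/*
 * Build a seed message: cookies, generic header and, when pld is not
 * NULL, one payload whose type is written to the header's next-payload
 * byte.  The header length field is set to the final buffer size.
 * The caller owns the returned buffer.
 */
static struct ibuf *
build_message(u_int8_t *pld, size_t pldlen, u_int8_t next)
{
	struct ibuf *data;

	data = ibuf_new(cookies, sizeof(cookies));
	ASSERT_PTR_NE(data, NULL);
	ASSERT_INT_EQ(ibuf_add(data, genhdr, sizeof(genhdr)), 0);
	if (pld != NULL) {
		ASSERT_INT_EQ(ibuf_add(data, pld, pldlen), 0);
		set_nextpayload(ibuf_data(data), next);
	}
	set_length(ibuf_data(data), ibuf_size(data));

	return data;
}

/*
 * Check that the seed in data parses cleanly, then fuzz it.  Frees data.
 *
 * NOTE(review): data is freed before the fuzz run, so this relies on
 * fuzz_begin() keeping its own copy of the seed; confirm in test_helper.
 * NOTE(review): the context returned by fuzz_begin() is never released in
 * this file; check whether test_helper.h offers a cleanup call.
 */
static void
fuzz_message(struct ibuf *data)
{
	struct fuzz *fuzz;
	struct ike_header hdr;
	struct iked_message msg;

	print_hex(ibuf_data(data), 0, ibuf_size(data));
	prepare_header(&hdr, data);
	prepare_message(&msg, data);

	/* A seed the parser rejects would make the mutation run pointless. */
	ASSERT_INT_EQ(ikev2_pld_parse(NULL, &hdr, &msg, 0), 0);

	fuzz = fuzz_begin(FUZZ_STRATEGIES, ibuf_data(data), ibuf_size(data));
	ibuf_free(data);
	perform_test(fuzz);
}

/* One entry per single-payload test; pld == NULL means header only. */
static const struct fuzz_case {
	const char	*name;
	u_int8_t	*pld;
	size_t		 pldlen;
	u_int8_t	 next;
} fuzz_cases[] = {
	{ "fuzz generic header", NULL, 0, 0 },
	{ "fuzz sa payload", sa_pld, sizeof(sa_pld), IKEV2_PAYLOAD_SA },
	{ "fuzz sa and xform payload", saxform_pld, sizeof(saxform_pld),
	    IKEV2_PAYLOAD_SA },
	{ "fuzz ke payload", ke_pld, sizeof(ke_pld), IKEV2_PAYLOAD_KE },
	{ "fuzz nonce payload", nonce_pld, sizeof(nonce_pld),
	    IKEV2_PAYLOAD_NONCE },
	{ "fuzz notify payload", notify_pld, sizeof(notify_pld),
	    IKEV2_PAYLOAD_NOTIFY },
	{ "fuzz id payload", id_pld, sizeof(id_pld), IKEV2_PAYLOAD_IDi },
	{ "fuzz cert payload", cert_pld, sizeof(cert_pld),
	    IKEV2_PAYLOAD_CERT },
	{ "fuzz certreq payload", certreq_pld, sizeof(certreq_pld),
	    IKEV2_PAYLOAD_CERTREQ },
	{ "fuzz auth payload", auth_pld, sizeof(auth_pld),
	    IKEV2_PAYLOAD_AUTH },
	{ "fuzz delete notify payload", delete_pld, sizeof(delete_pld),
	    IKEV2_PAYLOAD_DELETE },
	{ "fuzz vendor id payload", vendor_pld, sizeof(vendor_pld),
	    IKEV2_PAYLOAD_VENDOR },
	{ "fuzz traffic selector initiator payload", ts_pld, sizeof(ts_pld),
	    IKEV2_PAYLOAD_TSi },
	{ "fuzz traffic selector responder payload", ts_pld, sizeof(ts_pld),
	    IKEV2_PAYLOAD_TSr },
	{ "fuzz configuration payload", cp_pld, sizeof(cp_pld),
	    IKEV2_PAYLOAD_CP },
	{ "fuzz eap payload", eap_pld, sizeof(eap_pld), IKEV2_PAYLOAD_EAP },
};

/*
 * Entry point: run the header-only test, one test per payload type and
 * finally the complete initiator packet, in that order.
 */
void
parser_fuzz_tests(void)
{
	struct ibuf *data;
	size_t i;

#if 0
	log_init(3);
#endif

	for (i = 0; i < sizeof(fuzz_cases) / sizeof(fuzz_cases[0]); i++) {
		TEST_START(fuzz_cases[i].name);
		data = build_message(fuzz_cases[i].pld, fuzz_cases[i].pldlen,
		    fuzz_cases[i].next);
		fuzz_message(data);
		TEST_DONE();
	}

	/* The full packet already carries its own header; only fix length. */
	TEST_START("fuzz full valid packet");
	data = ibuf_new(valid_packet, sizeof(valid_packet));
	ASSERT_PTR_NE(data, NULL);
	set_length(ibuf_data(data), ibuf_size(data));
	fuzz_message(data);
	TEST_DONE();
}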