1 /* 	$OpenBSD: test_sshbuf_getput_fuzz.c,v 1.2 2014/05/02 02:54:00 djm Exp $ */
2 /*
3  * Regress test for sshbuf.h buffer API
4  *
5  * Placed in the public domain
6  */
7 
8 #include <sys/types.h>
9 #include <sys/param.h>
10 #include <stdio.h>
11 #include <stdint.h>
12 #include <stdlib.h>
13 #include <string.h>
14 
15 #include <openssl/bn.h>
16 #include <openssl/ec.h>
17 #include <openssl/objects.h>
18 
19 #include "test_helper.h"
20 #include "ssherr.h"
21 #include "sshbuf.h"
22 
23 void sshbuf_getput_fuzz_tests(void);
24 
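/*
 * Feed one (possibly fuzzed) blob through the sshbuf getters in the same
 * order the seed blob is laid out: u8, u16, u32, u64, string, bignum1,
 * bignum2, EC point.  Parse failures are expected on corrupted input and are
 * deliberately ignored; what is being tested is that no getter crashes,
 * leaks or misbehaves.  Allocation failures, by contrast, are test errors,
 * so every OpenSSL object we create is asserted non-NULL (the original only
 * checked the EC_KEY, not the two BIGNUMs).
 */
static void
attempt_parse_blob(u_char *blob, size_t len)
{
	struct sshbuf *buf = sshbuf_new();
	u_int8_t v8;
	u_int16_t v16;
	u_int32_t v32;
	u_int64_t v64;
	u_char *str;
	size_t slen;
	BIGNUM *num;
	EC_KEY *key;

	ASSERT_PTR_NE(buf, NULL);
	ASSERT_INT_EQ(sshbuf_put(buf, blob, len), 0);

	/* Fixed-width integers; results and return codes are irrelevant here. */
	(void)sshbuf_get_u8(buf, &v8);
	(void)sshbuf_get_u16(buf, &v16);
	(void)sshbuf_get_u32(buf, &v32);
	(void)sshbuf_get_u64(buf, &v64);

	/* Length-prefixed string: on success the getter hands us an allocation. */
	if (sshbuf_get_string(buf, &str, &slen) == 0) {
		bzero(str, slen);
		free(str);
	}

	/* bignum1 and bignum2 encodings, each decoded into a fresh BIGNUM. */
	num = BN_new();
	ASSERT_PTR_NE(num, NULL);
	(void)sshbuf_get_bignum1(buf, num);
	BN_clear_free(num);

	num = BN_new();
	ASSERT_PTR_NE(num, NULL);
	(void)sshbuf_get_bignum2(buf, num);
	BN_clear_free(num);

	/* EC point on NIST P-256. */
	key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
	ASSERT_PTR_NE(key, NULL);
	(void)sshbuf_get_eckey(buf, key);
	EC_KEY_free(key);

	sshbuf_free(buf);
}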
61 
62 
/*
 * TEST_ONERROR hook: when an assertion fails during the fuzz loop, print a
 * banner and hand the active fuzz state to fuzz_dump() so the failing
 * mutation is visible in the test output.
 */
static void
onerror(void *fuzz)
{
	struct fuzz *state = fuzz;

	fputs("Failed during fuzz:\n", stderr);
	fuzz_dump(state);
}
69 
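/*
 * Fuzz the sshbuf getters.  The seed blob below contains one well-formed
 * instance of each encoding attempt_parse_blob() understands; the fuzzer
 * then derives bit-flipped, byte-flipped and truncated variants of it and
 * each variant is parsed in turn.
 */
void
sshbuf_getput_fuzz_tests(void)
{
	u_char blob[] = {
		/* u8 */
		0xd0,
		/* u16 */
		0xc0, 0xde,
		/* u32 */
		0xfa, 0xce, 0xde, 0xad,
		/* u64 */
		0xfe, 0xed, 0xac, 0x1d, 0x1f, 0x1c, 0xbe, 0xef,
		/* string */
		0x00, 0x00, 0x00, 0x09,
		'O', ' ', 'G', 'o', 'r', 'g', 'o', 'n', '!',
		/* bignum1 */
		0x79,
		0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
		0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
		/* bignum2 */
		0x00, 0x00, 0x00, 0x14,
		0x00,
		0xf0, 0xe0, 0xd0, 0xc0, 0xb0, 0xa0, 0x90, 0x80,
		0x70, 0x60, 0x50, 0x40, 0x30, 0x20, 0x10, 0x00,
		0x7f, 0xff, 0x11,
		/* EC point (NIST-256 curve) */
		0x00, 0x00, 0x00, 0x41,
		0x04,
		0x0c, 0x82, 0x80, 0x04, 0x83, 0x9d, 0x01, 0x06,
		0xaa, 0x59, 0x57, 0x52, 0x16, 0x19, 0x13, 0x57,
		0x34, 0xb4, 0x51, 0x45, 0x9d, 0xad, 0xb5, 0x86,
		0x67, 0x7e, 0xf9, 0xdf, 0x55, 0x78, 0x49, 0x99,
		0x4d, 0x19, 0x6b, 0x50, 0xf0, 0xb4, 0xe9, 0x4b,
		0x3c, 0x73, 0xe3, 0xa9, 0xd4, 0xcd, 0x9d, 0xf2,
		0xc8, 0xf9, 0xa3, 0x5e, 0x42, 0xbd, 0xd0, 0x47,
		0x55, 0x0f, 0x69, 0xd8, 0x0e, 0xc2, 0x3c, 0xd4,
	};
	struct fuzz *fuzz;

	TEST_START("fuzz blob parsing");
	fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | FUZZ_2_BIT_FLIP |
	    FUZZ_1_BYTE_FLIP | FUZZ_2_BYTE_FLIP |
	    FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END, blob, sizeof(blob));
	TEST_ONERROR(onerror, fuzz);
	/*
	 * Parse the fuzzer's current mutated case, which it exposes through
	 * fuzz_ptr()/fuzz_len(), rather than the original seed.  blob is only
	 * the seed handed to fuzz_begin(); re-parsing blob/sizeof(blob) on
	 * every iteration would never feed corrupted data to the getters, and
	 * sizeof(blob) is wrong anyway for the FUZZ_TRUNCATE_* strategies,
	 * which change the length of the case under test.
	 */
	for (; !fuzz_done(fuzz); fuzz_next(fuzz))
		attempt_parse_blob(fuzz_ptr(fuzz), fuzz_len(fuzz));
	fuzz_cleanup(fuzz);
	TEST_DONE();
	TEST_ONERROR(NULL, NULL);
}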