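/* $OpenBSD: test_sshbuf_getput_fuzz.c,v 1.3 2018/10/17 23:28:05 djm Exp $ */
/*
 * Regress test for sshbuf.h buffer API
 *
 * Placed in the public domain
 */

#include <sys/types.h>
#include <sys/param.h>
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#include <openssl/bn.h>
#include <openssl/ec.h>
#include <openssl/objects.h>

#include "test_helper.h"
#include "ssherr.h"
#include "sshbuf.h"

void sshbuf_getput_fuzz_tests(void);

/*
 * Load a (possibly mutated) blob into a fresh sshbuf and run every
 * getter the blob layout exercises: u8/u16/u32/u64, string, bignum1,
 * bignum2 and an EC point.  The getters' return values are deliberately
 * ignored: a fuzzed blob is expected to fail to parse at some point, and
 * the property under test is that the parser fails cleanly (no crash,
 * no invalid memory access) rather than that it succeeds.
 *
 * blob/len: the bytes to parse; not modified.
 */
static void
attempt_parse_blob(const u_char *blob, size_t len)
{
	struct sshbuf *p1;
	BIGNUM *bn;
	EC_KEY *eck;
	u_char *s;
	size_t l;
	u_int8_t u8;
	u_int16_t u16;
	u_int32_t u32;
	u_int64_t u64;

	p1 = sshbuf_new();
	ASSERT_PTR_NE(p1, NULL);
	/* Copying the blob in must succeed; only the parsing may fail. */
	ASSERT_INT_EQ(sshbuf_put(p1, blob, len), 0);
	sshbuf_get_u8(p1, &u8);
	sshbuf_get_u16(p1, &u16);
	sshbuf_get_u32(p1, &u32);
	sshbuf_get_u64(p1, &u64);
	if (sshbuf_get_string(p1, &s, &l) == 0) {
		/*
		 * Touch every byte the getter claims it returned;
		 * presumably so that a returned length larger than the
		 * allocation shows up under a memory checker -- confirm.
		 */
		bzero(s, l);
		free(s);
	}
	/* Check allocations the same way as for eck below. */
	bn = BN_new();
	ASSERT_PTR_NE(bn, NULL);
	sshbuf_get_bignum1(p1, bn);
	BN_clear_free(bn);
	bn = BN_new();
	ASSERT_PTR_NE(bn, NULL);
	sshbuf_get_bignum2(p1, bn);
	BN_clear_free(bn);
	eck = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
	ASSERT_PTR_NE(eck, NULL);
	sshbuf_get_eckey(p1, eck);
	EC_KEY_free(eck);
	sshbuf_free(p1);
}

/*
 * TEST_ONERROR callback: report which fuzz case was being parsed when an
 * assertion fired, so the failure is reproducible.
 *
 * fuzz: the struct fuzz * registered via TEST_ONERROR, passed as void *.
 */
static void
onerror(void *fuzz)
{
	fprintf(stderr, "Failed during fuzz:\n");
	fuzz_dump((struct fuzz *)fuzz);
}

/*
 * Fuzz the sshbuf getters with mutations of a blob that is well-formed
 * for attempt_parse_blob()'s sequence of reads.  The blob layout mirrors
 * that sequence (see the inline comments below).
 */
void
sshbuf_getput_fuzz_tests(void)
{
	u_char blob[] = {
		/* u8 */
		0xd0,
		/* u16 */
		0xc0, 0xde,
		/* u32 */
		0xfa, 0xce, 0xde, 0xad,
		/* u64 */
		0xfe, 0xed, 0xac, 0x1d, 0x1f, 0x1c, 0xbe, 0xef,
		/* string */
		0x00, 0x00, 0x00, 0x09,
		'O', ' ', 'G', 'o', 'r', 'g', 'o', 'n', '!',
		/* bignum1 */
		0x79,
		0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
		0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
		/* bignum2 */
		0x00, 0x00, 0x00, 0x14,
		0x00,
		0xf0, 0xe0, 0xd0, 0xc0, 0xb0, 0xa0, 0x90, 0x80,
		0x70, 0x60, 0x50, 0x40, 0x30, 0x20, 0x10, 0x00,
		0x7f, 0xff, 0x11,
		/* EC point (NIST-256 curve) */
		0x00, 0x00, 0x00, 0x41,
		0x04,
		0x0c, 0x82, 0x80, 0x04, 0x83, 0x9d, 0x01, 0x06,
		0xaa, 0x59, 0x57, 0x52, 0x16, 0x19, 0x13, 0x57,
		0x34, 0xb4, 0x51, 0x45, 0x9d, 0xad, 0xb5, 0x86,
		0x67, 0x7e, 0xf9, 0xdf, 0x55, 0x78, 0x49, 0x99,
		0x4d, 0x19, 0x6b, 0x50, 0xf0, 0xb4, 0xe9, 0x4b,
		0x3c, 0x73, 0xe3, 0xa9, 0xd4, 0xcd, 0x9d, 0xf2,
		0xc8, 0xf9, 0xa3, 0x5e, 0x42, 0xbd, 0xd0, 0x47,
		0x55, 0x0f, 0x69, 0xd8, 0x0e, 0xc2, 0x3c, 0xd4,
	};
	struct fuzz *fuzz;
	u_int fuzzers = FUZZ_1_BIT_FLIP | FUZZ_2_BIT_FLIP |
	    FUZZ_1_BYTE_FLIP | FUZZ_2_BYTE_FLIP |
	    FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END;

	/* The two-position strategies are quadratic in blob size; skip them in fast mode. */
	if (test_is_fast())
		fuzzers &= ~(FUZZ_2_BYTE_FLIP|FUZZ_2_BIT_FLIP);

	TEST_START("fuzz blob parsing");
	fuzz = fuzz_begin(fuzzers, blob, sizeof(blob));
	ASSERT_PTR_NE(fuzz, NULL);
	TEST_ONERROR(onerror, fuzz);
	/* fuzz_next() mutates blob in place; each iteration parses the current mutation. */
	for (; !fuzz_done(fuzz); fuzz_next(fuzz))
		attempt_parse_blob(blob, sizeof(blob));
	fuzz_cleanup(fuzz);
	TEST_DONE();
	TEST_ONERROR(NULL, NULL);
}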