xref: /freebsd/crypto/openssh/regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c (revision 963f5dc7a30624e95d72fb7f87b8892651164e46) 
1 /* 	$OpenBSD: test_sshbuf_getput_fuzz.c,v 1.4 2019/01/21 12:29:35 djm Exp $ */
2 /*
3  * Regress test for sshbuf.h buffer API
4  *
5  * Placed in the public domain
6  */
7 
8 #include "includes.h"
9 
10 #include <sys/types.h>
11 #include <sys/param.h>
12 #include <stdio.h>
13 #ifdef HAVE_STDINT_H
14 # include <stdint.h>
15 #endif
16 #include <stdlib.h>
17 #include <string.h>
18 
19 #include <openssl/bn.h>
20 #include <openssl/objects.h>
21 #ifdef OPENSSL_HAS_NISTP256
22 # include <openssl/ec.h>
23 #endif
24 
25 #include "../test_helper/test_helper.h"
26 #include "ssherr.h"
27 #include "sshbuf.h"
28 
29 void sshbuf_getput_fuzz_tests(void);
30 
31 static void
32 attempt_parse_blob(u_char *blob, size_t len)
33 {
34 	struct sshbuf *p1;
35 #ifdef WITH_OPENSSL
36 	BIGNUM *bn;
37 #if defined(OPENSSL_HAS_ECC) && defined(OPENSSL_HAS_NISTP256)
38 	EC_KEY *eck;
39 #endif /* defined(OPENSSL_HAS_ECC) && defined(OPENSSL_HAS_NISTP256) */
40 #endif /* WITH_OPENSSL */
41 	u_char *s;
42 	size_t l;
43 	u_int8_t u8;
44 	u_int16_t u16;
45 	u_int32_t u32;
46 	u_int64_t u64;
47 
48 	p1 = sshbuf_new();
49 	ASSERT_PTR_NE(p1, NULL);
50 	ASSERT_INT_EQ(sshbuf_put(p1, blob, len), 0);
51 	sshbuf_get_u8(p1, &u8);
52 	sshbuf_get_u16(p1, &u16);
53 	sshbuf_get_u32(p1, &u32);
54 	sshbuf_get_u64(p1, &u64);
55 	if (sshbuf_get_string(p1, &s, &l) == 0) {
56 		bzero(s, l);
57 		free(s);
58 	}
59 #ifdef WITH_OPENSSL
60 	bn = NULL;
61 	sshbuf_get_bignum2(p1, &bn);
62 	BN_clear_free(bn);
63 #if defined(OPENSSL_HAS_ECC) && defined(OPENSSL_HAS_NISTP256)
64 	eck = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
65 	ASSERT_PTR_NE(eck, NULL);
66 	sshbuf_get_eckey(p1, eck);
67 	EC_KEY_free(eck);
68 #endif /* defined(OPENSSL_HAS_ECC) && defined(OPENSSL_HAS_NISTP256) */
69 #endif /* WITH_OPENSSL */
70 	sshbuf_free(p1);
71 }
72 
73 
74 static void
75 onerror(void *fuzz)
76 {
77 	fprintf(stderr, "Failed during fuzz:\n");
78 	fuzz_dump((struct fuzz *)fuzz);
79 }
80 
81 void
82 sshbuf_getput_fuzz_tests(void)
83 {
84 	u_char blob[] = {
85 		/* u8 */
86 		0xd0,
87 		/* u16 */
88 		0xc0, 0xde,
89 		/* u32 */
90 		0xfa, 0xce, 0xde, 0xad,
91 		/* u64 */
92 		0xfe, 0xed, 0xac, 0x1d, 0x1f, 0x1c, 0xbe, 0xef,
93 		/* string */
94 		0x00, 0x00, 0x00, 0x09,
95 		'O', ' ', 'G', 'o', 'r', 'g', 'o', 'n', '!',
96 		/* bignum2 */
97 		0x00, 0x00, 0x00, 0x14,
98 		0x00,
99 		0xf0, 0xe0, 0xd0, 0xc0, 0xb0, 0xa0, 0x90, 0x80,
100 		0x70, 0x60, 0x50, 0x40, 0x30, 0x20, 0x10, 0x00,
101 		0x7f, 0xff, 0x11,
102 		/* EC point (NIST-256 curve) */
103 		0x00, 0x00, 0x00, 0x41,
104 		0x04,
105 		0x0c, 0x82, 0x80, 0x04, 0x83, 0x9d, 0x01, 0x06,
106 		0xaa, 0x59, 0x57, 0x52, 0x16, 0x19, 0x13, 0x57,
107 		0x34, 0xb4, 0x51, 0x45, 0x9d, 0xad, 0xb5, 0x86,
108 		0x67, 0x7e, 0xf9, 0xdf, 0x55, 0x78, 0x49, 0x99,
109 		0x4d, 0x19, 0x6b, 0x50, 0xf0, 0xb4, 0xe9, 0x4b,
110 		0x3c, 0x73, 0xe3, 0xa9, 0xd4, 0xcd, 0x9d, 0xf2,
111 		0xc8, 0xf9, 0xa3, 0x5e, 0x42, 0xbd, 0xd0, 0x47,
112 		0x55, 0x0f, 0x69, 0xd8, 0x0e, 0xc2, 0x3c, 0xd4,
113 	};
114 	struct fuzz *fuzz;
115 	u_int fuzzers = FUZZ_1_BIT_FLIP | FUZZ_2_BIT_FLIP |
116 	    FUZZ_1_BYTE_FLIP | FUZZ_2_BYTE_FLIP |
117 	    FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END;
118 
119 	if (test_is_fast())
120 		fuzzers &= ~(FUZZ_2_BYTE_FLIP|FUZZ_2_BIT_FLIP);
121 
122 	TEST_START("fuzz blob parsing");
123 	fuzz = fuzz_begin(fuzzers, blob, sizeof(blob));
124 	TEST_ONERROR(onerror, fuzz);
125 	for(; !fuzz_done(fuzz); fuzz_next(fuzz))
126 		attempt_parse_blob(blob, sizeof(blob));
127 	fuzz_cleanup(fuzz);
128 	TEST_DONE();
129 	TEST_ONERROR(NULL, NULL);
130 }
131 
132