3 files changed, 76 insertions, 4 deletions
diff --git a/regress/misc/fuzz-harness/Makefile b/regress/misc/fuzz-harness/Makefile
index a2aa4441f..85179ac4e 100644
--- a/regress/misc/fuzz-harness/Makefile
+++ b/regress/misc/fuzz-harness/Makefile
@@ -1,13 +1,15 @@
 # NB. libssh and libopenbsd-compat should be built with the same sanitizer opts.
-CXX=clang++-3.9
+CXX=clang++-6.0
-FUZZ_FLAGS=-fsanitize=address,undefined -fsanitize-coverage=edge
+FUZZ_FLAGS=-fsanitize=address,undefined -fsanitize-coverage=edge,trace-pc
 FUZZ_LIBS=-lFuzzer
 CXXFLAGS=-O2 -g -Wall -Wextra -I ../../.. $(FUZZ_FLAGS)
 LDFLAGS=-L ../../.. -L ../../../openbsd-compat -g $(FUZZ_FLAGS)
 LIBS=-lssh -lopenbsd-compat -lcrypto $(FUZZ_LIBS)
-all: pubkey_fuzz sig_fuzz authopt_fuzz
+TARGETS=pubkey_fuzz sig_fuzz authopt_fuzz sshsig_fuzz sshsigopt_fuzz
+all: $(TARGETS)
 .cc.o:
        $(CXX) $(CXXFLAGS) -c $< -o $@
@@ -21,5 +23,11 @@ sig_fuzz: sig_fuzz.o
 authopt_fuzz: authopt_fuzz.o
        $(CXX) -o $@ authopt_fuzz.o ../../../auth-options.o $(LDFLAGS) $(LIBS)
+sshsig_fuzz: sshsig_fuzz.o
+        $(CXX) -o $@ sshsig_fuzz.o ../../../sshsig.o $(LDFLAGS) $(LIBS)
+sshsigopt_fuzz: sshsigopt_fuzz.o
+        $(CXX) -o $@ sshsigopt_fuzz.o ../../../sshsig.o $(LDFLAGS) $(LIBS)
 clean:
-        -rm -f *.o pubkey_fuzz sig_fuzz authopt_fuzz
+        -rm -f *.o $(TARGETS)
diff --git a/regress/misc/fuzz-harness/sshsig_fuzz.cc b/regress/misc/fuzz-harness/sshsig_fuzz.cc
new file mode 100644
index 000000000..fe09ccb87
--- /dev/null
+++ b/regress/misc/fuzz-harness/sshsig_fuzz.cc
@@ -0,0 +1,35 @@
+// cc_fuzz_target test for sshsig verification.
+#include <stddef.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+extern "C" {
+#include "includes.h"
+#include "sshkey.h"
+#include "ssherr.h"
+#include "sshbuf.h"
+#include "sshsig.h"
+#include "log.h"
+int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen)
+{
+  static const char *data = "If everyone started announcing his nose had "
+      "run away, I don’t know how it would all end";
+  struct sshbuf *signature = sshbuf_from(sig, slen);
+  struct sshbuf *message = sshbuf_from(data, strlen(data));
+  struct sshkey *k = NULL;
+  extern char *__progname;
+  log_init(__progname, SYSLOG_LEVEL_QUIET, SYSLOG_FACILITY_USER, 1);
+  sshsig_verifyb(signature, message, "castle", &k);
+  sshkey_free(k);
+  sshbuf_free(signature);
+  sshbuf_free(message);
+  return 0;
+}
+} // extern
diff --git a/regress/misc/fuzz-harness/sshsigopt_fuzz.cc b/regress/misc/fuzz-harness/sshsigopt_fuzz.cc
new file mode 100644
index 000000000..7424fcbe3
--- /dev/null
+++ b/regress/misc/fuzz-harness/sshsigopt_fuzz.cc
@@ -0,0 +1,29 @@
+#include <stddef.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <string.h>
+#include <stdlib.h>
+extern "C" {
+#include "sshsig.h"
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+{
+        char *cp = (char *)malloc(size + 1);
+        struct sshsigopt *opts = NULL;
+        if (cp == NULL)
+                goto out;
+        memcpy(cp, data, size);
+        cp[size] = '\0';
+        if ((opts = sshsigopt_parse(cp, "libfuzzer", 0, NULL)) == NULL)
+                goto out;
+ out:
+        free(cp);
+        sshsigopt_free(opts);
+        return 0;
+}
+} // extern "C"

diff --git a/regress/misc/fuzz-harness/Makefile b/regress/misc/fuzz-harness/Makefile index a2aa4441f..85179ac4e 100644 --- a/regress/misc/fuzz-harness/Makefile +++ b/regress/misc/fuzz-harness/Makefile
@@ -1,13 +1,15 @@
1	# NB. libssh and libopenbsd-compat should be built with the same sanitizer opts.	1	# NB. libssh and libopenbsd-compat should be built with the same sanitizer opts.
2	CXX=clang++-3.9	2	CXX=clang++-6.0
3	FUZZ_FLAGS=-fsanitize=address,undefined -fsanitize-coverage=edge	3	FUZZ_FLAGS=-fsanitize=address,undefined -fsanitize-coverage=edge,trace-pc
4	FUZZ_LIBS=-lFuzzer	4	FUZZ_LIBS=-lFuzzer
5		5
6	CXXFLAGS=-O2 -g -Wall -Wextra -I ../../.. $(FUZZ_FLAGS)	6	CXXFLAGS=-O2 -g -Wall -Wextra -I ../../.. $(FUZZ_FLAGS)
7	LDFLAGS=-L ../../.. -L ../../../openbsd-compat -g $(FUZZ_FLAGS)	7	LDFLAGS=-L ../../.. -L ../../../openbsd-compat -g $(FUZZ_FLAGS)
8	LIBS=-lssh -lopenbsd-compat -lcrypto $(FUZZ_LIBS)	8	LIBS=-lssh -lopenbsd-compat -lcrypto $(FUZZ_LIBS)
9		9
10	all: pubkey_fuzz sig_fuzz authopt_fuzz	10	TARGETS=pubkey_fuzz sig_fuzz authopt_fuzz sshsig_fuzz sshsigopt_fuzz
		11
		12	all: $(TARGETS)
11		13
12	.cc.o:	14	.cc.o:
13	$(CXX) $(CXXFLAGS) -c $< -o $@	15	$(CXX) $(CXXFLAGS) -c $< -o $@
@@ -21,5 +23,11 @@ sig_fuzz: sig_fuzz.o
21	authopt_fuzz: authopt_fuzz.o	23	authopt_fuzz: authopt_fuzz.o
22	$(CXX) -o $@ authopt_fuzz.o ../../../auth-options.o $(LDFLAGS) $(LIBS)	24	$(CXX) -o $@ authopt_fuzz.o ../../../auth-options.o $(LDFLAGS) $(LIBS)
23		25
		26	sshsig_fuzz: sshsig_fuzz.o
		27	$(CXX) -o $@ sshsig_fuzz.o ../../../sshsig.o $(LDFLAGS) $(LIBS)
		28
		29	sshsigopt_fuzz: sshsigopt_fuzz.o
		30	$(CXX) -o $@ sshsigopt_fuzz.o ../../../sshsig.o $(LDFLAGS) $(LIBS)
		31
24	clean:	32	clean:
25	-rm -f *.o pubkey_fuzz sig_fuzz authopt_fuzz	33	-rm -f *.o $(TARGETS)


diff --git a/regress/misc/fuzz-harness/sshsig_fuzz.cc b/regress/misc/fuzz-harness/sshsig_fuzz.cc new file mode 100644 index 000000000..fe09ccb87 --- /dev/null +++ b/regress/misc/fuzz-harness/sshsig_fuzz.cc
@@ -0,0 +1,35 @@
		1	// cc_fuzz_target test for sshsig verification.
		2
		3	#include <stddef.h>
		4	#include <stdio.h>
		5	#include <stdint.h>
		6	#include <stdlib.h>
		7	#include <string.h>
		8
		9	extern "C" {
		10
		11	#include "includes.h"
		12	#include "sshkey.h"
		13	#include "ssherr.h"
		14	#include "sshbuf.h"
		15	#include "sshsig.h"
		16	#include "log.h"
		17
		18	int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen)
		19	{
		20	static const char *data = "If everyone started announcing his nose had "
		21	"run away, I don’t know how it would all end";
		22	struct sshbuf *signature = sshbuf_from(sig, slen);
		23	struct sshbuf *message = sshbuf_from(data, strlen(data));
		24	struct sshkey *k = NULL;
		25	extern char *__progname;
		26
		27	log_init(__progname, SYSLOG_LEVEL_QUIET, SYSLOG_FACILITY_USER, 1);
		28	sshsig_verifyb(signature, message, "castle", &k);
		29	sshkey_free(k);
		30	sshbuf_free(signature);
		31	sshbuf_free(message);
		32	return 0;
		33	}
		34
		35	} // extern


diff --git a/regress/misc/fuzz-harness/sshsigopt_fuzz.cc b/regress/misc/fuzz-harness/sshsigopt_fuzz.cc new file mode 100644 index 000000000..7424fcbe3 --- /dev/null +++ b/regress/misc/fuzz-harness/sshsigopt_fuzz.cc
@@ -0,0 +1,29 @@
		1	#include <stddef.h>
		2	#include <stdio.h>
		3	#include <stdint.h>
		4	#include <string.h>
		5	#include <stdlib.h>
		6
		7	extern "C" {
		8
		9	#include "sshsig.h"
		10
		11	int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
		12	{
		13	char cp = (char )malloc(size + 1);
		14	struct sshsigopt *opts = NULL;
		15
		16	if (cp == NULL)
		17	goto out;
		18	memcpy(cp, data, size);
		19	cp[size] = '\0';
		20	if ((opts = sshsigopt_parse(cp, "libfuzzer", 0, NULL)) == NULL)
		21	goto out;
		22
		23	out:
		24	free(cp);
		25	sshsigopt_free(opts);
		26	return 0;
		27	}
		28
		29	} // extern "C"