Diffstat (limited to 'regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c')
-rw-r--r-- | regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c | 120 |
1 files changed, 120 insertions, 0 deletions
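--- /dev/null
+++ b/regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c
@@ -0,0 +1,120 @@
+/* $OpenBSD: test_sshbuf_getput_fuzz.c,v 1.2 2014/05/02 02:54:00 djm Exp $ */
+/*
+* Regress test for sshbuf.h buffer API
+*
+* Placed in the public domain
+*/
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/bn.h>
+#include <openssl/ec.h>
+#include <openssl/objects.h>
+
+#include "test_helper.h"
+#include "ssherr.h"
+#include "sshbuf.h"
+
+void sshbuf_getput_fuzz_tests(void);
+
+static void
+attempt_parse_blob(u_char *blob, size_t len)
+{
+struct sshbuf *p1;
+BIGNUM *bn;
+EC_KEY *eck;
+u_char *s;
+size_t l;
+u_int8_t u8;
+u_int16_t u16;
+u_int32_t u32;
+u_int64_t u64;
+
+p1 = sshbuf_new();
+ASSERT_PTR_NE(p1, NULL);
+ASSERT_INT_EQ(sshbuf_put(p1, blob, len), 0);
+sshbuf_get_u8(p1, &u8);
+sshbuf_get_u16(p1, &u16);
+sshbuf_get_u32(p1, &u32);
+sshbuf_get_u64(p1, &u64);
+if (sshbuf_get_string(p1, &s, &l) == 0) {
+bzero(s, l);
+free(s);
+}
+bn = BN_new();
+sshbuf_get_bignum1(p1, bn);
+BN_clear_free(bn);
+bn = BN_new();
+sshbuf_get_bignum2(p1, bn);
+BN_clear_free(bn);
+eck = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+ASSERT_PTR_NE(eck, NULL);
+sshbuf_get_eckey(p1, eck);
+EC_KEY_free(eck);
+sshbuf_free(p1);
+}
+
+
+static void
+onerror(void *fuzz)
+{
+fprintf(stderr, "Failed during fuzz:\n");
+fuzz_dump((struct fuzz *)fuzz);
+}
+
+void
+sshbuf_getput_fuzz_tests(void)
+{
+u_char blob[] = {
+/* u8 */
+0xd0,
+/* u16 */
+0xc0, 0xde,
+/* u32 */
+0xfa, 0xce, 0xde, 0xad,
+/* u64 */
+0xfe, 0xed, 0xac, 0x1d, 0x1f, 0x1c, 0xbe, 0xef,
+/* string */
+0x00, 0x00, 0x00, 0x09,
+'O', ' ', 'G', 'o', 'r', 'g', 'o', 'n', '!',
+/* bignum1 */
+0x79,
+0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
+/* bignum2 */
+0x00, 0x00, 0x00, 0x14,
+0x00,
+0xf0, 0xe0, 0xd0, 0xc0, 0xb0, 0xa0, 0x90, 0x80,
+0x70, 0x60, 0x50, 0x40, 0x30, 0x20, 0x10, 0x00,
+0x7f, 0xff, 0x11,
+/* EC point (NIST-256 curve) */
+0x00, 0x00, 0x00, 0x41,
+0x04,
+0x0c, 0x82, 0x80, 0x04, 0x83, 0x9d, 0x01, 0x06,
+0xaa, 0x59, 0x57, 0x52, 0x16, 0x19, 0x13, 0x57,
+0x34, 0xb4, 0x51, 0x45, 0x9d, 0xad, 0xb5, 0x86,
+0x67, 0x7e, 0xf9, 0xdf, 0x55, 0x78, 0x49, 0x99,
+0x4d, 0x19, 0x6b, 0x50, 0xf0, 0xb4, 0xe9, 0x4b,
+0x3c, 0x73, 0xe3, 0xa9, 0xd4, 0xcd, 0x9d, 0xf2,
+0xc8, 0xf9, 0xa3, 0x5e, 0x42, 0xbd, 0xd0, 0x47,
+0x55, 0x0f, 0x69, 0xd8, 0x0e, 0xc2, 0x3c, 0xd4,
+};
+struct fuzz *fuzz;
+
+TEST_START("fuzz blob parsing");
+fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | FUZZ_2_BIT_FLIP |
+FUZZ_1_BYTE_FLIP | FUZZ_2_BYTE_FLIP |
+FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END, blob, sizeof(blob));
+TEST_ONERROR(onerror, fuzz);
+for(; !fuzz_done(fuzz); fuzz_next(fuzz))
+attempt_parse_blob(blob, sizeof(blob));
+fuzz_cleanup(fuzz);
+TEST_DONE();
+TEST_ONERROR(NULL, NULL);
+}
+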
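Review bot: The loop in sshbuf_getput_fuzz_tests calls `attempt_parse_blob(blob, sizeof(blob))` on every iteration, so unless fuzz_begin() mutates the seed array in place (not visible in this file), the sshbuf getters only ever see the pristine blob. The fixed `sizeof(blob)` length also cannot represent a FUZZ_TRUNCATE_START or FUZZ_TRUNCATE_END case, which suggests the mutated input lives in the helper's own buffer. If so, the call should read `attempt_parse_blob(fuzz_ptr(fuzz), fuzz_len(fuzz));`, otherwise the test passes without exercising any malformed input. Separately, both `BN_new()` results in attempt_parse_blob go to the bignum getters unchecked while the EC_KEY allocation is asserted. Adding `ASSERT_PTR_NE(bn, NULL);` after each would keep an allocation failure from surfacing as an apparent parser crash.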