Diffstat (limited to 'regress/unittests/sshkey/test_fuzz.c')
-rw-r--r--regress/unittests/sshkey/test_fuzz.c406
1 files changed, 406 insertions, 0 deletions
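diff --git a/regress/unittests/sshkey/test_fuzz.c b/regress/unittests/sshkey/test_fuzz.c
new file mode 100644
index 000000000..a3f61a6df
--- /dev/null
+++ b/regress/unittests/sshkey/test_fuzz.c
@@ -0,0 +1,406 @@
+/* $OpenBSD: test_fuzz.c,v 1.1 2014/06/24 01:14:18 djm Exp $ */
+/*
+ * Fuzz tests for key parsing
+ *
+ * Placed in the public domain
+ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <stdio.h>
+#ifdef HAVE_STDINT_H
+#include <stdint.h>
+#endif
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+#include <openssl/objects.h>
+#ifdef OPENSSL_HAS_NISTP256
+# include <openssl/ec.h>
+#endif
+
+#include "../test_helper/test_helper.h"
+
+#include "ssherr.h"
+#include "authfile.h"
+#include "sshkey.h"
+#include "sshbuf.h"
+
+#include "common.h"
+
+void sshkey_fuzz_tests(void);
+
+static void
+onerror(void *fuzz)
+{
+ fprintf(stderr, "Failed during fuzz:\n");
+ fuzz_dump((struct fuzz *)fuzz);
+}
+
+static void
+public_fuzz(struct sshkey *k)
+{
+ struct sshkey *k1;
+ struct sshbuf *buf;
+ struct fuzz *fuzz;
+
+ ASSERT_PTR_NE(buf = sshbuf_new(), NULL);
+ ASSERT_INT_EQ(sshkey_to_blob_buf(k, buf), 0);
+ /* XXX need a way to run the tests in "slow, but complete" mode */
+ fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | /* XXX too slow FUZZ_2_BIT_FLIP | */
+ FUZZ_1_BYTE_FLIP | /* XXX too slow FUZZ_2_BYTE_FLIP | */
+ FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END,
+ sshbuf_mutable_ptr(buf), sshbuf_len(buf));
+ ASSERT_INT_EQ(sshkey_from_blob(sshbuf_ptr(buf), sshbuf_len(buf),
+ &k1), 0);
+ sshkey_free(k1);
+ sshbuf_free(buf);
+ TEST_ONERROR(onerror, fuzz);
+ for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
+ if (sshkey_from_blob(fuzz_ptr(fuzz), fuzz_len(fuzz), &k1) == 0)
+ sshkey_free(k1);
+ }
+ fuzz_cleanup(fuzz);
+}
+
+static void
+sig_fuzz(struct sshkey *k)
+{
+ struct fuzz *fuzz;
+ u_char *sig, c[] = "some junk to be signed";
+ size_t l;
+
+ ASSERT_INT_EQ(sshkey_sign(k, &sig, &l, c, sizeof(c), 0), 0);
+ ASSERT_SIZE_T_GT(l, 0);
+ fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | /* too slow FUZZ_2_BIT_FLIP | */
+ FUZZ_1_BYTE_FLIP | FUZZ_2_BYTE_FLIP |
+ FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END, sig, l);
+ ASSERT_INT_EQ(sshkey_verify(k, sig, l, c, sizeof(c), 0), 0);
+ free(sig);
+ TEST_ONERROR(onerror, fuzz);
+ for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
+ sshkey_verify(k, fuzz_ptr(fuzz), fuzz_len(fuzz),
+ c, sizeof(c), 0);
+ }
+ fuzz_cleanup(fuzz);
+}
+
+void
+sshkey_fuzz_tests(void)
+{
+ struct sshkey *k1;
+ struct sshbuf *buf, *fuzzed;
+ struct fuzz *fuzz;
+ int r;
+
+ TEST_START("fuzz RSA1 private");
+ buf = load_file("rsa1_1");
+ fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | FUZZ_1_BYTE_FLIP |
+ FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END,
+ sshbuf_mutable_ptr(buf), sshbuf_len(buf));
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
+ &k1, NULL), 0);
+ sshkey_free(k1);
+ sshbuf_free(buf);
+ ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
+ TEST_ONERROR(onerror, fuzz);
+ for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
+ r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
+ ASSERT_INT_EQ(r, 0);
+ if (sshkey_parse_private_fileblob(fuzzed, "", "key",
+ &k1, NULL) == 0)
+ sshkey_free(k1);
+ sshbuf_reset(fuzzed);
+ }
+ sshbuf_free(fuzzed);
+ fuzz_cleanup(fuzz);
+ TEST_DONE();
+
+ TEST_START("fuzz RSA1 public");
+ buf = load_file("rsa1_1_pw");
+ fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | FUZZ_1_BYTE_FLIP |
+ FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END,
+ sshbuf_mutable_ptr(buf), sshbuf_len(buf));
+ ASSERT_INT_EQ(sshkey_parse_public_rsa1_fileblob(buf, &k1, NULL), 0);
+ sshkey_free(k1);
+ sshbuf_free(buf);
+ ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
+ TEST_ONERROR(onerror, fuzz);
+ for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
+ r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
+ ASSERT_INT_EQ(r, 0);
+ if (sshkey_parse_public_rsa1_fileblob(fuzzed, &k1, NULL) == 0)
+ sshkey_free(k1);
+ sshbuf_reset(fuzzed);
+ }
+ sshbuf_free(fuzzed);
+ fuzz_cleanup(fuzz);
+ TEST_DONE();
+
+ TEST_START("fuzz RSA private");
+ buf = load_file("rsa_1");
+ fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
+ sshbuf_len(buf));
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
+ &k1, NULL), 0);
+ sshkey_free(k1);
+ sshbuf_free(buf);
+ ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
+ TEST_ONERROR(onerror, fuzz);
+ for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
+ r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
+ ASSERT_INT_EQ(r, 0);
+ if (sshkey_parse_private_fileblob(fuzzed, "", "key",
+ &k1, NULL) == 0)
+ sshkey_free(k1);
+ sshbuf_reset(fuzzed);
+ }
+ sshbuf_free(fuzzed);
+ fuzz_cleanup(fuzz);
+ TEST_DONE();
+
+ TEST_START("fuzz RSA new-format private");
+ buf = load_file("rsa_n");
+ fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
+ sshbuf_len(buf));
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
+ &k1, NULL), 0);
+ sshkey_free(k1);
+ sshbuf_free(buf);
+ ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
+ TEST_ONERROR(onerror, fuzz);
+ for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
+ r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
+ ASSERT_INT_EQ(r, 0);
+ if (sshkey_parse_private_fileblob(fuzzed, "", "key",
+ &k1, NULL) == 0)
+ sshkey_free(k1);
+ sshbuf_reset(fuzzed);
+ }
+ sshbuf_free(fuzzed);
+ fuzz_cleanup(fuzz);
+ TEST_DONE();
+
+ TEST_START("fuzz DSA private");
+ buf = load_file("dsa_1");
+ fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
+ sshbuf_len(buf));
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
+ &k1, NULL), 0);
+ sshkey_free(k1);
+ sshbuf_free(buf);
+ ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
+ TEST_ONERROR(onerror, fuzz);
+ for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
+ r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
+ ASSERT_INT_EQ(r, 0);
+ if (sshkey_parse_private_fileblob(fuzzed, "", "key",
+ &k1, NULL) == 0)
+ sshkey_free(k1);
+ sshbuf_reset(fuzzed);
+ }
+ sshbuf_free(fuzzed);
+ fuzz_cleanup(fuzz);
+ TEST_DONE();
+
+ TEST_START("fuzz DSA new-format private");
+ buf = load_file("dsa_n");
+ fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
+ sshbuf_len(buf));
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
+ &k1, NULL), 0);
+ sshkey_free(k1);
+ sshbuf_free(buf);
+ ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
+ TEST_ONERROR(onerror, fuzz);
+ for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
+ r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
+ ASSERT_INT_EQ(r, 0);
+ if (sshkey_parse_private_fileblob(fuzzed, "", "key",
+ &k1, NULL) == 0)
+ sshkey_free(k1);
+ sshbuf_reset(fuzzed);
+ }
+ sshbuf_free(fuzzed);
+ fuzz_cleanup(fuzz);
+ TEST_DONE();
+
+#ifdef OPENSSL_HAS_ECC
+ TEST_START("fuzz ECDSA private");
+ buf = load_file("ecdsa_1");
+ fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
+ sshbuf_len(buf));
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
+ &k1, NULL), 0);
+ sshkey_free(k1);
+ sshbuf_free(buf);
+ ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
+ TEST_ONERROR(onerror, fuzz);
+ for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
+ r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
+ ASSERT_INT_EQ(r, 0);
+ if (sshkey_parse_private_fileblob(fuzzed, "", "key",
+ &k1, NULL) == 0)
+ sshkey_free(k1);
+ sshbuf_reset(fuzzed);
+ }
+ sshbuf_free(fuzzed);
+ fuzz_cleanup(fuzz);
+ TEST_DONE();
+
+ TEST_START("fuzz ECDSA new-format private");
+ buf = load_file("ecdsa_n");
+ fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
+ sshbuf_len(buf));
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
+ &k1, NULL), 0);
+ sshkey_free(k1);
+ sshbuf_free(buf);
+ ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
+ TEST_ONERROR(onerror, fuzz);
+ for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
+ r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
+ ASSERT_INT_EQ(r, 0);
+ if (sshkey_parse_private_fileblob(fuzzed, "", "key",
+ &k1, NULL) == 0)
+ sshkey_free(k1);
+ sshbuf_reset(fuzzed);
+ }
+ sshbuf_free(fuzzed);
+ fuzz_cleanup(fuzz);
+ TEST_DONE();
+#endif
+
+ TEST_START("fuzz Ed25519 private");
+ buf = load_file("ed25519_1");
+ fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
+ sshbuf_len(buf));
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
+ &k1, NULL), 0);
+ sshkey_free(k1);
+ sshbuf_free(buf);
+ ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
+ TEST_ONERROR(onerror, fuzz);
+ for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
+ r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
+ ASSERT_INT_EQ(r, 0);
+ if (sshkey_parse_private_fileblob(fuzzed, "", "key",
+ &k1, NULL) == 0)
+ sshkey_free(k1);
+ sshbuf_reset(fuzzed);
+ }
+ sshbuf_free(fuzzed);
+ fuzz_cleanup(fuzz);
+ TEST_DONE();
+
+ TEST_START("fuzz RSA public");
+ buf = load_file("rsa_1");
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
+ &k1, NULL), 0);
+ sshbuf_free(buf);
+ public_fuzz(k1);
+ sshkey_free(k1);
+ TEST_DONE();
+
+ TEST_START("fuzz RSA cert");
+ ASSERT_INT_EQ(sshkey_load_cert(test_data_file("rsa_1"), &k1), 0);
+ public_fuzz(k1);
+ sshkey_free(k1);
+ TEST_DONE();
+
+ TEST_START("fuzz DSA public");
+ buf = load_file("dsa_1");
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
+ &k1, NULL), 0);
+ sshbuf_free(buf);
+ public_fuzz(k1);
+ sshkey_free(k1);
+ TEST_DONE();
+
+ TEST_START("fuzz DSA cert");
+ ASSERT_INT_EQ(sshkey_load_cert(test_data_file("dsa_1"), &k1), 0);
+ public_fuzz(k1);
+ sshkey_free(k1);
+ TEST_DONE();
+
+#ifdef OPENSSL_HAS_ECC
+ TEST_START("fuzz ECDSA public");
+ buf = load_file("ecdsa_1");
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
+ &k1, NULL), 0);
+ sshbuf_free(buf);
+ public_fuzz(k1);
+ sshkey_free(k1);
+ TEST_DONE();
+
+ TEST_START("fuzz ECDSA cert");
+ ASSERT_INT_EQ(sshkey_load_cert(test_data_file("ecdsa_1"), &k1), 0);
+ public_fuzz(k1);
+ sshkey_free(k1);
+ TEST_DONE();
+#endif
+
+ TEST_START("fuzz Ed25519 public");
+ buf = load_file("ed25519_1");
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
+ &k1, NULL), 0);
+ sshbuf_free(buf);
+ public_fuzz(k1);
+ sshkey_free(k1);
+ TEST_DONE();
+
+ TEST_START("fuzz Ed25519 cert");
+ ASSERT_INT_EQ(sshkey_load_cert(test_data_file("ed25519_1"), &k1), 0);
+ public_fuzz(k1);
+ sshkey_free(k1);
+ TEST_DONE();
+
+ TEST_START("fuzz RSA sig");
+ buf = load_file("rsa_1");
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
+ &k1, NULL), 0);
+ sshbuf_free(buf);
+ sig_fuzz(k1);
+ sshkey_free(k1);
+ TEST_DONE();
+
+ TEST_START("fuzz DSA sig");
+ buf = load_file("dsa_1");
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
+ &k1, NULL), 0);
+ sshbuf_free(buf);
+ sig_fuzz(k1);
+ sshkey_free(k1);
+ TEST_DONE();
+
+#ifdef OPENSSL_HAS_ECC
+ TEST_START("fuzz ECDSA sig");
+ buf = load_file("ecdsa_1");
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
+ &k1, NULL), 0);
+ sshbuf_free(buf);
+ sig_fuzz(k1);
+ sshkey_free(k1);
+ TEST_DONE();
+#endif
+
+ TEST_START("fuzz Ed25519 sig");
+ buf = load_file("ed25519_1");
+ ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
+ &k1, NULL), 0);
+ sshbuf_free(buf);
+ sig_fuzz(k1);
+ sshkey_free(k1);
+ TEST_DONE();
+
+/* XXX fuzz decoded new-format blobs too */
+
+}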
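Review bot: The loop in `sig_fuzz` discards the result of `sshkey_verify()` for every mutated signature, so the test only catches crashes; a corrupted or truncated signature that verified successfully would pass unnoticed. The key and the message `c` stay fixed, so every mutated input that differs from the original should be rejected, and the loop body could assert that: `ASSERT_INT_NE(sshkey_verify(k, fuzz_ptr(fuzz), fuzz_len(fuzz), c, sizeof(c), 0), 0);`. This assumes the fuzz helper never yields the unmodified signature (for example at a zero-length truncation), which cannot be confirmed from this file; if it can, that case has to be skipped first. Separately, `sig` and `buf` are freed before the fuzz loops run, so a short comment such as `/* fuzz_begin() keeps its own copy of the input */` above `free(sig)` and the `sshbuf_free(buf)` calls would record the assumption those frees rely on.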