summaryrefslogtreecommitdiff
path: root/regress/unittests/sshkey/test_fuzz.c
diff options
context:
space:
mode:
Diffstat (limited to 'regress/unittests/sshkey/test_fuzz.c')
-rw-r--r--regress/unittests/sshkey/test_fuzz.c396
1 files changed, 396 insertions, 0 deletions
diff --git a/regress/unittests/sshkey/test_fuzz.c b/regress/unittests/sshkey/test_fuzz.c
new file mode 100644
index 000000000..be309f5d8
--- /dev/null
+++ b/regress/unittests/sshkey/test_fuzz.c
@@ -0,0 +1,396 @@
1/* $OpenBSD: test_fuzz.c,v 1.1 2014/06/24 01:14:18 djm Exp $ */
2/*
3 * Fuzz tests for key parsing
4 *
5 * Placed in the public domain
6 */
7
8#include "includes.h"
9
10#include <sys/types.h>
11#include <sys/param.h>
12#include <sys/stat.h>
13#include <fcntl.h>
14#include <stdio.h>
15#include <stdint.h>
16#include <stdlib.h>
17#include <string.h>
18#include <unistd.h>
19
20#include <openssl/bn.h>
21#include <openssl/ec.h>
22#include <openssl/rsa.h>
23#include <openssl/dsa.h>
24#include <openssl/objects.h>
25
26#include "../test_helper/test_helper.h"
27
28#include "ssherr.h"
29#include "authfile.h"
30#include "sshkey.h"
31#include "sshbuf.h"
32
33#include "common.h"
34
35void sshkey_fuzz_tests(void);
36
37static void
38onerror(void *fuzz)
39{
40 fprintf(stderr, "Failed during fuzz:\n");
41 fuzz_dump((struct fuzz *)fuzz);
42}
43
44static void
45public_fuzz(struct sshkey *k)
46{
47 struct sshkey *k1;
48 struct sshbuf *buf;
49 struct fuzz *fuzz;
50
51 ASSERT_PTR_NE(buf = sshbuf_new(), NULL);
52 ASSERT_INT_EQ(sshkey_to_blob_buf(k, buf), 0);
53 /* XXX need a way to run the tests in "slow, but complete" mode */
54 fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | /* XXX too slow FUZZ_2_BIT_FLIP | */
55 FUZZ_1_BYTE_FLIP | /* XXX too slow FUZZ_2_BYTE_FLIP | */
56 FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END,
57 sshbuf_mutable_ptr(buf), sshbuf_len(buf));
58 ASSERT_INT_EQ(sshkey_from_blob(sshbuf_ptr(buf), sshbuf_len(buf),
59 &k1), 0);
60 sshkey_free(k1);
61 sshbuf_free(buf);
62 TEST_ONERROR(onerror, fuzz);
63 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
64 if (sshkey_from_blob(fuzz_ptr(fuzz), fuzz_len(fuzz), &k1) == 0)
65 sshkey_free(k1);
66 }
67 fuzz_cleanup(fuzz);
68}
69
70static void
71sig_fuzz(struct sshkey *k)
72{
73 struct fuzz *fuzz;
74 u_char *sig, c[] = "some junk to be signed";
75 size_t l;
76
77 ASSERT_INT_EQ(sshkey_sign(k, &sig, &l, c, sizeof(c), 0), 0);
78 ASSERT_SIZE_T_GT(l, 0);
79 fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | /* too slow FUZZ_2_BIT_FLIP | */
80 FUZZ_1_BYTE_FLIP | FUZZ_2_BYTE_FLIP |
81 FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END, sig, l);
82 ASSERT_INT_EQ(sshkey_verify(k, sig, l, c, sizeof(c), 0), 0);
83 free(sig);
84 TEST_ONERROR(onerror, fuzz);
85 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
86 sshkey_verify(k, fuzz_ptr(fuzz), fuzz_len(fuzz),
87 c, sizeof(c), 0);
88 }
89 fuzz_cleanup(fuzz);
90}
91
92void
93sshkey_fuzz_tests(void)
94{
95 struct sshkey *k1;
96 struct sshbuf *buf, *fuzzed;
97 struct fuzz *fuzz;
98 int r;
99
100 TEST_START("fuzz RSA1 private");
101 buf = load_file("rsa1_1");
102 fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | FUZZ_1_BYTE_FLIP |
103 FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END,
104 sshbuf_mutable_ptr(buf), sshbuf_len(buf));
105 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
106 &k1, NULL), 0);
107 sshkey_free(k1);
108 sshbuf_free(buf);
109 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
110 TEST_ONERROR(onerror, fuzz);
111 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
112 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
113 ASSERT_INT_EQ(r, 0);
114 if (sshkey_parse_private_fileblob(fuzzed, "", "key",
115 &k1, NULL) == 0)
116 sshkey_free(k1);
117 sshbuf_reset(fuzzed);
118 }
119 sshbuf_free(fuzzed);
120 fuzz_cleanup(fuzz);
121 TEST_DONE();
122
123 TEST_START("fuzz RSA1 public");
124 buf = load_file("rsa1_1_pw");
125 fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | FUZZ_1_BYTE_FLIP |
126 FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END,
127 sshbuf_mutable_ptr(buf), sshbuf_len(buf));
128 ASSERT_INT_EQ(sshkey_parse_public_rsa1_fileblob(buf, &k1, NULL), 0);
129 sshkey_free(k1);
130 sshbuf_free(buf);
131 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
132 TEST_ONERROR(onerror, fuzz);
133 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
134 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
135 ASSERT_INT_EQ(r, 0);
136 if (sshkey_parse_public_rsa1_fileblob(fuzzed, &k1, NULL) == 0)
137 sshkey_free(k1);
138 sshbuf_reset(fuzzed);
139 }
140 sshbuf_free(fuzzed);
141 fuzz_cleanup(fuzz);
142 TEST_DONE();
143
144 TEST_START("fuzz RSA private");
145 buf = load_file("rsa_1");
146 fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
147 sshbuf_len(buf));
148 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
149 &k1, NULL), 0);
150 sshkey_free(k1);
151 sshbuf_free(buf);
152 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
153 TEST_ONERROR(onerror, fuzz);
154 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
155 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
156 ASSERT_INT_EQ(r, 0);
157 if (sshkey_parse_private_fileblob(fuzzed, "", "key",
158 &k1, NULL) == 0)
159 sshkey_free(k1);
160 sshbuf_reset(fuzzed);
161 }
162 sshbuf_free(fuzzed);
163 fuzz_cleanup(fuzz);
164 TEST_DONE();
165
166 TEST_START("fuzz RSA new-format private");
167 buf = load_file("rsa_n");
168 fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
169 sshbuf_len(buf));
170 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
171 &k1, NULL), 0);
172 sshkey_free(k1);
173 sshbuf_free(buf);
174 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
175 TEST_ONERROR(onerror, fuzz);
176 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
177 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
178 ASSERT_INT_EQ(r, 0);
179 if (sshkey_parse_private_fileblob(fuzzed, "", "key",
180 &k1, NULL) == 0)
181 sshkey_free(k1);
182 sshbuf_reset(fuzzed);
183 }
184 sshbuf_free(fuzzed);
185 fuzz_cleanup(fuzz);
186 TEST_DONE();
187
188 TEST_START("fuzz DSA private");
189 buf = load_file("dsa_1");
190 fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
191 sshbuf_len(buf));
192 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
193 &k1, NULL), 0);
194 sshkey_free(k1);
195 sshbuf_free(buf);
196 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
197 TEST_ONERROR(onerror, fuzz);
198 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
199 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
200 ASSERT_INT_EQ(r, 0);
201 if (sshkey_parse_private_fileblob(fuzzed, "", "key",
202 &k1, NULL) == 0)
203 sshkey_free(k1);
204 sshbuf_reset(fuzzed);
205 }
206 sshbuf_free(fuzzed);
207 fuzz_cleanup(fuzz);
208 TEST_DONE();
209
210 TEST_START("fuzz DSA new-format private");
211 buf = load_file("dsa_n");
212 fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
213 sshbuf_len(buf));
214 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
215 &k1, NULL), 0);
216 sshkey_free(k1);
217 sshbuf_free(buf);
218 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
219 TEST_ONERROR(onerror, fuzz);
220 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
221 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
222 ASSERT_INT_EQ(r, 0);
223 if (sshkey_parse_private_fileblob(fuzzed, "", "key",
224 &k1, NULL) == 0)
225 sshkey_free(k1);
226 sshbuf_reset(fuzzed);
227 }
228 sshbuf_free(fuzzed);
229 fuzz_cleanup(fuzz);
230 TEST_DONE();
231
232 TEST_START("fuzz ECDSA private");
233 buf = load_file("ecdsa_1");
234 fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
235 sshbuf_len(buf));
236 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
237 &k1, NULL), 0);
238 sshkey_free(k1);
239 sshbuf_free(buf);
240 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
241 TEST_ONERROR(onerror, fuzz);
242 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
243 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
244 ASSERT_INT_EQ(r, 0);
245 if (sshkey_parse_private_fileblob(fuzzed, "", "key",
246 &k1, NULL) == 0)
247 sshkey_free(k1);
248 sshbuf_reset(fuzzed);
249 }
250 sshbuf_free(fuzzed);
251 fuzz_cleanup(fuzz);
252 TEST_DONE();
253
254 TEST_START("fuzz ECDSA new-format private");
255 buf = load_file("ecdsa_n");
256 fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
257 sshbuf_len(buf));
258 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
259 &k1, NULL), 0);
260 sshkey_free(k1);
261 sshbuf_free(buf);
262 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
263 TEST_ONERROR(onerror, fuzz);
264 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
265 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
266 ASSERT_INT_EQ(r, 0);
267 if (sshkey_parse_private_fileblob(fuzzed, "", "key",
268 &k1, NULL) == 0)
269 sshkey_free(k1);
270 sshbuf_reset(fuzzed);
271 }
272 sshbuf_free(fuzzed);
273 fuzz_cleanup(fuzz);
274 TEST_DONE();
275
276 TEST_START("fuzz Ed25519 private");
277 buf = load_file("ed25519_1");
278 fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
279 sshbuf_len(buf));
280 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
281 &k1, NULL), 0);
282 sshkey_free(k1);
283 sshbuf_free(buf);
284 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
285 TEST_ONERROR(onerror, fuzz);
286 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
287 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
288 ASSERT_INT_EQ(r, 0);
289 if (sshkey_parse_private_fileblob(fuzzed, "", "key",
290 &k1, NULL) == 0)
291 sshkey_free(k1);
292 sshbuf_reset(fuzzed);
293 }
294 sshbuf_free(fuzzed);
295 fuzz_cleanup(fuzz);
296 TEST_DONE();
297
298 TEST_START("fuzz RSA public");
299 buf = load_file("rsa_1");
300 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
301 &k1, NULL), 0);
302 sshbuf_free(buf);
303 public_fuzz(k1);
304 sshkey_free(k1);
305 TEST_DONE();
306
307 TEST_START("fuzz RSA cert");
308 ASSERT_INT_EQ(sshkey_load_cert(test_data_file("rsa_1"), &k1), 0);
309 public_fuzz(k1);
310 sshkey_free(k1);
311 TEST_DONE();
312
313 TEST_START("fuzz DSA public");
314 buf = load_file("dsa_1");
315 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
316 &k1, NULL), 0);
317 sshbuf_free(buf);
318 public_fuzz(k1);
319 sshkey_free(k1);
320 TEST_DONE();
321
322 TEST_START("fuzz DSA cert");
323 ASSERT_INT_EQ(sshkey_load_cert(test_data_file("dsa_1"), &k1), 0);
324 public_fuzz(k1);
325 sshkey_free(k1);
326 TEST_DONE();
327
328 TEST_START("fuzz ECDSA public");
329 buf = load_file("ecdsa_1");
330 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
331 &k1, NULL), 0);
332 sshbuf_free(buf);
333 public_fuzz(k1);
334 sshkey_free(k1);
335 TEST_DONE();
336
337 TEST_START("fuzz ECDSA cert");
338 ASSERT_INT_EQ(sshkey_load_cert(test_data_file("ecdsa_1"), &k1), 0);
339 public_fuzz(k1);
340 sshkey_free(k1);
341 TEST_DONE();
342
343 TEST_START("fuzz Ed25519 public");
344 buf = load_file("ed25519_1");
345 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
346 &k1, NULL), 0);
347 sshbuf_free(buf);
348 public_fuzz(k1);
349 sshkey_free(k1);
350 TEST_DONE();
351
352 TEST_START("fuzz Ed25519 cert");
353 ASSERT_INT_EQ(sshkey_load_cert(test_data_file("ed25519_1"), &k1), 0);
354 public_fuzz(k1);
355 sshkey_free(k1);
356 TEST_DONE();
357
358 TEST_START("fuzz RSA sig");
359 buf = load_file("rsa_1");
360 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
361 &k1, NULL), 0);
362 sshbuf_free(buf);
363 sig_fuzz(k1);
364 sshkey_free(k1);
365 TEST_DONE();
366
367 TEST_START("fuzz DSA sig");
368 buf = load_file("dsa_1");
369 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
370 &k1, NULL), 0);
371 sshbuf_free(buf);
372 sig_fuzz(k1);
373 sshkey_free(k1);
374 TEST_DONE();
375
376 TEST_START("fuzz ECDSA sig");
377 buf = load_file("ecdsa_1");
378 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
379 &k1, NULL), 0);
380 sshbuf_free(buf);
381 sig_fuzz(k1);
382 sshkey_free(k1);
383 TEST_DONE();
384
385 TEST_START("fuzz Ed25519 sig");
386 buf = load_file("ed25519_1");
387 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
388 &k1, NULL), 0);
389 sshbuf_free(buf);
390 sig_fuzz(k1);
391 sshkey_free(k1);
392 TEST_DONE();
393
394/* XXX fuzz decoded new-format blobs too */
395
396}
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-01 04:19:40 +0000