From f4846dfc6a79f84bbc6356ae3184f142bacedc24 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 5 Sep 2019 11:09:28 +1000 Subject: Fuzzer harness for sshsig --- regress/misc/fuzz-harness/Makefile | 5 ++++- regress/misc/fuzz-harness/sshsig_fuzz.cc | 35 ++++++++++++++++++++++++++++++++ 2 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 regress/misc/fuzz-harness/sshsig_fuzz.cc (limited to 'regress/misc/fuzz-harness') diff --git a/regress/misc/fuzz-harness/Makefile b/regress/misc/fuzz-harness/Makefile index a2aa4441f..6ab7d7217 100644 --- a/regress/misc/fuzz-harness/Makefile +++ b/regress/misc/fuzz-harness/Makefile @@ -7,7 +7,7 @@ CXXFLAGS=-O2 -g -Wall -Wextra -I ../../.. $(FUZZ_FLAGS) LDFLAGS=-L ../../.. -L ../../../openbsd-compat -g $(FUZZ_FLAGS) LIBS=-lssh -lopenbsd-compat -lcrypto $(FUZZ_LIBS) -all: pubkey_fuzz sig_fuzz authopt_fuzz +all: pubkey_fuzz sig_fuzz authopt_fuzz sshsig_fuzz .cc.o: $(CXX) $(CXXFLAGS) -c $< -o $@ @@ -21,5 +21,8 @@ sig_fuzz: sig_fuzz.o authopt_fuzz: authopt_fuzz.o $(CXX) -o $@ authopt_fuzz.o ../../../auth-options.o $(LDFLAGS) $(LIBS) +sshsig_fuzz: sshsig_fuzz.o + $(CXX) -o $@ sshsig_fuzz.o ../../../sshsig.o $(LDFLAGS) $(LIBS) + clean: -rm -f *.o pubkey_fuzz sig_fuzz authopt_fuzz diff --git a/regress/misc/fuzz-harness/sshsig_fuzz.cc b/regress/misc/fuzz-harness/sshsig_fuzz.cc new file mode 100644 index 000000000..fe09ccb87 --- /dev/null +++ b/regress/misc/fuzz-harness/sshsig_fuzz.cc 
@@ -0,0 +1,35 @@ +// cc_fuzz_target test for sshsig verification. + +#include +#include +#include +#include +#include + +extern "C" { + +#include "includes.h" +#include "sshkey.h" +#include "ssherr.h" +#include "sshbuf.h" +#include "sshsig.h" +#include "log.h" + +int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen) +{ + static const char *data = "If everyone started announcing his nose had " + "run away, I don’t know how it would all end"; + struct sshbuf *signature = sshbuf_from(sig, slen); + struct sshbuf *message = sshbuf_from(data, strlen(data)); + struct sshkey *k = NULL; + extern char *__progname; + + log_init(__progname, SYSLOG_LEVEL_QUIET, SYSLOG_FACILITY_USER, 1); + sshsig_verifyb(signature, message, "castle", &k); + sshkey_free(k); + sshbuf_free(signature); + sshbuf_free(message); + return 0; +} + +} // extern -- cgit v1.2.3 From ae631ad77daf8fd39723d15a687cd4b1482cbae8 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 5 Sep 2019 15:45:32 +1000 Subject: fuzzer for sshsig allowed_signers option parsing --- regress/misc/fuzz-harness/Makefile | 9 +++++++-- regress/misc/fuzz-harness/sshsigopt_fuzz.cc | 29 +++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+), 2 deletions(-) create mode 100644 regress/misc/fuzz-harness/sshsigopt_fuzz.cc (limited to 'regress/misc/fuzz-harness') diff --git a/regress/misc/fuzz-harness/Makefile b/regress/misc/fuzz-harness/Makefile index 6ab7d7217..744c1f8b2 100644 --- a/regress/misc/fuzz-harness/Makefile +++ b/regress/misc/fuzz-harness/Makefile @@ -7,7 +7,9 @@ CXXFLAGS=-O2 -g -Wall -Wextra -I ../../.. $(FUZZ_FLAGS) LDFLAGS=-L ../../.. -L ../../../openbsd-compat -g $(FUZZ_FLAGS) LIBS=-lssh -lopenbsd-compat -lcrypto $(FUZZ_LIBS) -all: pubkey_fuzz sig_fuzz authopt_fuzz sshsig_fuzz +TARGETS=pubkey_fuzz sig_fuzz authopt_fuzz sshsig_fuzz sshsigopt_fuzz + +all: $(TARGETS) .cc.o: $(CXX) $(CXXFLAGS) -c $< -o $@ 
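Review bot: `sshbuf_from()` can return NULL (at least on allocation failure), yet `signature` and `message` are handed to `sshsig_verifyb()` unchecked, so a harness-side allocation failure would surface as a crash attributed to the code under test; since the `sshbuf_free()` calls already tolerate NULL, a guard `if (signature == NULL || message == NULL) goto out;` before the `sshsig_verifyb()` call, with an `out:` label on the cleanup, keeps the harness honest. Whether sshsig_verifyb itself copes with a NULL buffer is not visible in this hunk, so the guard is cheap insurance either way. The harness also depends on `sshbuf_from()` wrapping the fuzzer's `sig` buffer rather than copying it, which is only safe while nothing under test writes through that buffer; a one-line comment such as `// signature wraps the fuzzer input read-only; message is a fixed plaintext` would make that assumption explicit to the next maintainer.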
@@ -24,5 +26,8 @@ authopt_fuzz: authopt_fuzz.o sshsig_fuzz: sshsig_fuzz.o $(CXX) -o $@ sshsig_fuzz.o ../../../sshsig.o $(LDFLAGS) $(LIBS) +sshsigopt_fuzz: sshsigopt_fuzz.o + $(CXX) -o $@ sshsigopt_fuzz.o ../../../sshsig.o $(LDFLAGS) $(LIBS) + clean: - -rm -f *.o pubkey_fuzz sig_fuzz authopt_fuzz + -rm -f *.o $(TARGETS) diff --git a/regress/misc/fuzz-harness/sshsigopt_fuzz.cc b/regress/misc/fuzz-harness/sshsigopt_fuzz.cc new file mode 100644 index 000000000..7424fcbe3 --- /dev/null +++ b/regress/misc/fuzz-harness/sshsigopt_fuzz.cc @@ -0,0 +1,29 @@ +#include +#include +#include +#include +#include + +extern "C" { + +#include "sshsig.h" + +int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) +{ + char *cp = (char *)malloc(size + 1); + struct sshsigopt *opts = NULL; + + if (cp == NULL) + goto out; + memcpy(cp, data, size); + cp[size] = '\0'; + if ((opts = sshsigopt_parse(cp, "libfuzzer", 0, NULL)) == NULL) + goto out; + + out: + free(cp); + sshsigopt_free(opts); + return 0; +} + +} // extern "C" -- cgit v1.2.3 From 8b57337c1c1506df2bb9f039d0628a6de618566b Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 5 Sep 2019 15:46:39 +1000 Subject: update fuzzing makefile to more recent clang --- regress/misc/fuzz-harness/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'regress/misc/fuzz-harness') diff --git a/regress/misc/fuzz-harness/Makefile b/regress/misc/fuzz-harness/Makefile index 744c1f8b2..85179ac4e 100644 --- a/regress/misc/fuzz-harness/Makefile +++ b/regress/misc/fuzz-harness/Makefile @@ -1,6 +1,6 @@ # NB. libssh and libopenbsd-compat should be built with the same sanitizer opts. -CXX=clang++-3.9 -FUZZ_FLAGS=-fsanitize=address,undefined -fsanitize-coverage=edge +CXX=clang++-6.0 +FUZZ_FLAGS=-fsanitize=address,undefined -fsanitize-coverage=edge,trace-pc FUZZ_LIBS=-lFuzzer CXXFLAGS=-O2 -g -Wall -Wextra -I ../../.. $(FUZZ_FLAGS) -- cgit v1.2.3
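Review bot: The `if ((opts = sshsigopt_parse(cp, "libfuzzer", 0, NULL)) == NULL) goto out;` on the line immediately before the `out:` label jumps to exactly where control falls through anyway, so the comparison and goto are dead weight; `opts = sshsigopt_parse(cp, "libfuzzer", 0, NULL);` on its own reads more clearly and keeps the single cleanup path. The file also lacks the one-line header its sibling harness sshsig_fuzz.cc carries; `// cc_fuzz_target test for sshsig allowed_signers option parsing.` above the includes would match it. On both the malloc-failure and parse-failure paths `sshsigopt_free(opts)` is called with `opts` still NULL, which is only correct if sshsigopt_free() accepts NULL — that is not visible in this hunk and is worth confirming against sshsig.c. Because the input is copied into a NUL-terminated buffer, any fuzz input containing a NUL byte is silently truncated at the first one, which is inherent to the parser's C-string interface; a comment `// sshsigopt_parse() takes a C string, so the input is copied and NUL-terminated` would record why the copy exists.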