1276707Sdes/* $OpenBSD: test_sshbuf_getput_fuzz.c,v 1.2 2014/05/02 02:54:00 djm Exp $ */ 2276707Sdes/* 3276707Sdes * Regress test for sshbuf.h buffer API 4276707Sdes * 5276707Sdes * Placed in the public domain 6276707Sdes */ 7276707Sdes 8276707Sdes#include "includes.h" 9276707Sdes 10276707Sdes#include <sys/types.h> 11276707Sdes#include <sys/param.h> 12276707Sdes#include <stdio.h> 13276707Sdes#ifdef HAVE_STDINT_H 14276707Sdes# include <stdint.h> 15276707Sdes#endif 16276707Sdes#include <stdlib.h> 17276707Sdes#include <string.h> 18276707Sdes 19276707Sdes#include <openssl/bn.h> 20276707Sdes#include <openssl/objects.h> 21276707Sdes#ifdef OPENSSL_HAS_NISTP256 22276707Sdes# include <openssl/ec.h> 23276707Sdes#endif 24276707Sdes 25276707Sdes#include "../test_helper/test_helper.h" 26276707Sdes#include "ssherr.h" 27276707Sdes#include "sshbuf.h" 28276707Sdes 29276707Sdesvoid sshbuf_getput_fuzz_tests(void); 30276707Sdes 31276707Sdesstatic void 32276707Sdesattempt_parse_blob(u_char *blob, size_t len) 33276707Sdes{ 34276707Sdes struct sshbuf *p1; 35276707Sdes BIGNUM *bn; 36294332Sdes#if defined(OPENSSL_HAS_ECC) && defined(OPENSSL_HAS_NISTP256) 37276707Sdes EC_KEY *eck; 38276707Sdes#endif 39276707Sdes u_char *s; 40276707Sdes size_t l; 41276707Sdes u_int8_t u8; 42276707Sdes u_int16_t u16; 43276707Sdes u_int32_t u32; 44276707Sdes u_int64_t u64; 45276707Sdes 46276707Sdes p1 = sshbuf_new(); 47276707Sdes ASSERT_PTR_NE(p1, NULL); 48276707Sdes ASSERT_INT_EQ(sshbuf_put(p1, blob, len), 0); 49276707Sdes sshbuf_get_u8(p1, &u8); 50276707Sdes sshbuf_get_u16(p1, &u16); 51276707Sdes sshbuf_get_u32(p1, &u32); 52276707Sdes sshbuf_get_u64(p1, &u64); 53276707Sdes if (sshbuf_get_string(p1, &s, &l) == 0) { 54276707Sdes bzero(s, l); 55276707Sdes free(s); 56276707Sdes } 57276707Sdes bn = BN_new(); 58276707Sdes sshbuf_get_bignum1(p1, bn); 59276707Sdes BN_clear_free(bn); 60276707Sdes bn = BN_new(); 61276707Sdes sshbuf_get_bignum2(p1, bn); 62276707Sdes BN_clear_free(bn); 63294332Sdes#if defined(OPENSSL_HAS_ECC) && defined(OPENSSL_HAS_NISTP256) 64276707Sdes eck = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); 65276707Sdes ASSERT_PTR_NE(eck, NULL); 66276707Sdes sshbuf_get_eckey(p1, eck); 67276707Sdes EC_KEY_free(eck); 68276707Sdes#endif 69276707Sdes sshbuf_free(p1); 70276707Sdes} 71276707Sdes 72276707Sdes 73276707Sdesstatic void 74276707Sdesonerror(void *fuzz) 75276707Sdes{ 76276707Sdes fprintf(stderr, "Failed during fuzz:\n"); 77276707Sdes fuzz_dump((struct fuzz *)fuzz); 78276707Sdes} 79276707Sdes 80276707Sdesvoid 81276707Sdessshbuf_getput_fuzz_tests(void) 82276707Sdes{ 83276707Sdes u_char blob[] = { 84276707Sdes /* u8 */ 85276707Sdes 0xd0, 86276707Sdes /* u16 */ 87276707Sdes 0xc0, 0xde, 88276707Sdes /* u32 */ 89276707Sdes 0xfa, 0xce, 0xde, 0xad, 90276707Sdes /* u64 */ 91276707Sdes 0xfe, 0xed, 0xac, 0x1d, 0x1f, 0x1c, 0xbe, 0xef, 92276707Sdes /* string */ 93276707Sdes 0x00, 0x00, 0x00, 0x09, 94276707Sdes 'O', ' ', 'G', 'o', 'r', 'g', 'o', 'n', '!', 95276707Sdes /* bignum1 */ 96276707Sdes 0x79, 97276707Sdes 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 98276707Sdes 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 99276707Sdes /* bignum2 */ 100276707Sdes 0x00, 0x00, 0x00, 0x14, 101276707Sdes 0x00, 102276707Sdes 0xf0, 0xe0, 0xd0, 0xc0, 0xb0, 0xa0, 0x90, 0x80, 103276707Sdes 0x70, 0x60, 0x50, 0x40, 0x30, 0x20, 0x10, 0x00, 104276707Sdes 0x7f, 0xff, 0x11, 105276707Sdes /* EC point (NIST-256 curve) */ 106276707Sdes 0x00, 0x00, 0x00, 0x41, 107276707Sdes 0x04, 108276707Sdes 0x0c, 0x82, 0x80, 0x04, 0x83, 0x9d, 0x01, 0x06, 109276707Sdes 0xaa, 0x59, 0x57, 0x52, 0x16, 0x19, 0x13, 0x57, 110276707Sdes 0x34, 0xb4, 0x51, 0x45, 0x9d, 0xad, 0xb5, 0x86, 111276707Sdes 0x67, 0x7e, 0xf9, 0xdf, 0x55, 0x78, 0x49, 0x99, 112276707Sdes 0x4d, 0x19, 0x6b, 0x50, 0xf0, 0xb4, 0xe9, 0x4b, 113276707Sdes 0x3c, 0x73, 0xe3, 0xa9, 0xd4, 0xcd, 0x9d, 0xf2, 114276707Sdes 0xc8, 0xf9, 0xa3, 0x5e, 0x42, 0xbd, 0xd0, 0x47, 115276707Sdes 0x55, 0x0f, 0x69, 0xd8, 0x0e, 0xc2, 0x3c, 0xd4, 116276707Sdes }; 117276707Sdes struct fuzz *fuzz; 118276707Sdes 119276707Sdes TEST_START("fuzz blob parsing"); 120276707Sdes fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | FUZZ_2_BIT_FLIP | 121276707Sdes FUZZ_1_BYTE_FLIP | FUZZ_2_BYTE_FLIP | 122276707Sdes FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END, blob, sizeof(blob)); 123276707Sdes TEST_ONERROR(onerror, fuzz); 124276707Sdes for(; !fuzz_done(fuzz); fuzz_next(fuzz)) 125276707Sdes attempt_parse_blob(blob, sizeof(blob)); 126276707Sdes fuzz_cleanup(fuzz); 127276707Sdes TEST_DONE(); 128276707Sdes TEST_ONERROR(NULL, NULL); 129276707Sdes} 130276707Sdes 131