summaryrefslogtreecommitdiffstats
path: root/regress/misc/fuzz-harness
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 11:13:18 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 11:13:18 +0000
commit9e7e4ab6617fef1d1681fc2d3e02554264ccc954 (patch)
tree336445493163aa0370cb7830d97ebd8819b2e2c5 /regress/misc/fuzz-harness
parentInitial commit. (diff)
downloadopenssh-9e7e4ab6617fef1d1681fc2d3e02554264ccc954.tar.xz
openssh-9e7e4ab6617fef1d1681fc2d3e02554264ccc954.zip
Adding upstream version 1:8.4p1.upstream/1%8.4p1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'regress/misc/fuzz-harness')
-rw-r--r--regress/misc/fuzz-harness/Makefile38
-rw-r--r--regress/misc/fuzz-harness/README1
-rw-r--r--regress/misc/fuzz-harness/authopt_fuzz.cc33
-rw-r--r--regress/misc/fuzz-harness/privkey_fuzz.cc21
-rw-r--r--regress/misc/fuzz-harness/pubkey_fuzz.cc18
-rw-r--r--regress/misc/fuzz-harness/sig_fuzz.cc62
-rw-r--r--regress/misc/fuzz-harness/ssh-sk-null.cc51
-rw-r--r--regress/misc/fuzz-harness/sshsig_fuzz.cc37
-rw-r--r--regress/misc/fuzz-harness/sshsigopt_fuzz.cc29
9 files changed, 290 insertions, 0 deletions
diff --git a/regress/misc/fuzz-harness/Makefile b/regress/misc/fuzz-harness/Makefile
new file mode 100644
index 0000000..64fbdba
--- /dev/null
+++ b/regress/misc/fuzz-harness/Makefile
@@ -0,0 +1,38 @@
+# NB. libssh and libopenbsd-compat should be built with the same sanitizer opts.
+CXX=clang++-6.0
+FUZZ_FLAGS=-fsanitize=address,undefined -fsanitize-coverage=edge,trace-pc
+FUZZ_LIBS=-lFuzzer
+
+CXXFLAGS=-O2 -g -Wall -Wextra -Wno-unused-parameter -I ../../.. $(FUZZ_FLAGS)
+LDFLAGS=-L ../../.. -L ../../../openbsd-compat -g $(FUZZ_FLAGS)
+LIBS=-lssh -lopenbsd-compat -lcrypto -lfido2 -lcbor $(FUZZ_LIBS)
+COMMON_OBJS=ssh-sk-null.o
+
+TARGETS=pubkey_fuzz sig_fuzz authopt_fuzz sshsig_fuzz \
+ sshsigopt_fuzz privkey_fuzz
+
+all: $(TARGETS)
+
+.cc.o:
+ $(CXX) $(CXXFLAGS) -c $< -o $@
+
+pubkey_fuzz: pubkey_fuzz.o $(COMMON_OBJS)
+ $(CXX) -o $@ pubkey_fuzz.o $(COMMON_OBJS) $(LDFLAGS) $(LIBS)
+
+sig_fuzz: sig_fuzz.o $(COMMON_OBJS)
+ $(CXX) -o $@ sig_fuzz.o $(COMMON_OBJS) $(LDFLAGS) $(LIBS)
+
+authopt_fuzz: authopt_fuzz.o $(COMMON_OBJS)
+ $(CXX) -o $@ authopt_fuzz.o $(COMMON_OBJS) ../../../auth-options.o $(LDFLAGS) $(LIBS)
+
+sshsig_fuzz: sshsig_fuzz.o $(COMMON_OBJS)
+ $(CXX) -o $@ sshsig_fuzz.o $(COMMON_OBJS) ../../../sshsig.o $(LDFLAGS) $(LIBS)
+
+sshsigopt_fuzz: sshsigopt_fuzz.o $(COMMON_OBJS)
+ $(CXX) -o $@ sshsigopt_fuzz.o $(COMMON_OBJS) ../../../sshsig.o $(LDFLAGS) $(LIBS)
+
+privkey_fuzz: privkey_fuzz.o $(COMMON_OBJS)
+ $(CXX) -o $@ privkey_fuzz.o $(COMMON_OBJS) $(LDFLAGS) $(LIBS)
+
+clean:
+ -rm -f *.o $(TARGETS)
diff --git a/regress/misc/fuzz-harness/README b/regress/misc/fuzz-harness/README
new file mode 100644
index 0000000..ae6fbe7
--- /dev/null
+++ b/regress/misc/fuzz-harness/README
@@ -0,0 +1 @@
+This directory contains fuzzing harnesses for use with clang's libfuzzer.
diff --git a/regress/misc/fuzz-harness/authopt_fuzz.cc b/regress/misc/fuzz-harness/authopt_fuzz.cc
new file mode 100644
index 0000000..a76d5a3
--- /dev/null
+++ b/regress/misc/fuzz-harness/authopt_fuzz.cc
@@ -0,0 +1,33 @@
+#include <stddef.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <string.h>
+#include <stdlib.h>
+
+extern "C" {
+
+#include "auth-options.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+{
+ char *cp = (char *)malloc(size + 1);
+ struct sshauthopt *opts = NULL, *merge = NULL, *add = sshauthopt_new();
+
+ if (cp == NULL || add == NULL)
+ goto out;
+ memcpy(cp, data, size);
+ cp[size] = '\0';
+ if ((opts = sshauthopt_parse(cp, NULL)) == NULL)
+ goto out;
+ if ((merge = sshauthopt_merge(opts, add, NULL)) == NULL)
+ goto out;
+
+ out:
+ free(cp);
+ sshauthopt_free(add);
+ sshauthopt_free(opts);
+ sshauthopt_free(merge);
+ return 0;
+}
+
+} // extern "C"
diff --git a/regress/misc/fuzz-harness/privkey_fuzz.cc b/regress/misc/fuzz-harness/privkey_fuzz.cc
new file mode 100644
index 0000000..ff0b0f7
--- /dev/null
+++ b/regress/misc/fuzz-harness/privkey_fuzz.cc
@@ -0,0 +1,21 @@
+#include <stddef.h>
+#include <stdio.h>
+#include <stdint.h>
+
+extern "C" {
+
+#include "sshkey.h"
+#include "sshbuf.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+{
+ struct sshkey *k = NULL;
+ struct sshbuf *b = sshbuf_from(data, size);
+ int r = sshkey_private_deserialize(b, &k);
+ if (r == 0) sshkey_free(k);
+ sshbuf_free(b);
+ return 0;
+}
+
+} // extern
+
diff --git a/regress/misc/fuzz-harness/pubkey_fuzz.cc b/regress/misc/fuzz-harness/pubkey_fuzz.cc
new file mode 100644
index 0000000..8bbc110
--- /dev/null
+++ b/regress/misc/fuzz-harness/pubkey_fuzz.cc
@@ -0,0 +1,18 @@
+#include <stddef.h>
+#include <stdio.h>
+#include <stdint.h>
+
+extern "C" {
+
+#include "sshkey.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+{
+ struct sshkey *k = NULL;
+ int r = sshkey_from_blob(data, size, &k);
+ if (r == 0) sshkey_free(k);
+ return 0;
+}
+
+} // extern
+
diff --git a/regress/misc/fuzz-harness/sig_fuzz.cc b/regress/misc/fuzz-harness/sig_fuzz.cc
new file mode 100644
index 0000000..b32502b
--- /dev/null
+++ b/regress/misc/fuzz-harness/sig_fuzz.cc
@@ -0,0 +1,62 @@
+// cc_fuzz_target test for public key parsing.
+
+#include <stddef.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+extern "C" {
+
+#include "includes.h"
+#include "sshkey.h"
+#include "ssherr.h"
+
+static struct sshkey *generate_or_die(int type, unsigned bits) {
+ int r;
+ struct sshkey *ret;
+ if ((r = sshkey_generate(type, bits, &ret)) != 0) {
+ fprintf(stderr, "generate(%d, %u): %s", type, bits, ssh_err(r));
+ abort();
+ }
+ return ret;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen)
+{
+#ifdef WITH_OPENSSL
+ static struct sshkey *rsa = generate_or_die(KEY_RSA, 2048);
+ static struct sshkey *dsa = generate_or_die(KEY_DSA, 1024);
+ static struct sshkey *ecdsa256 = generate_or_die(KEY_ECDSA, 256);
+ static struct sshkey *ecdsa384 = generate_or_die(KEY_ECDSA, 384);
+ static struct sshkey *ecdsa521 = generate_or_die(KEY_ECDSA, 521);
+#endif
+ struct sshkey_sig_details *details = NULL;
+ static struct sshkey *ed25519 = generate_or_die(KEY_ED25519, 0);
+ static const char *data = "If everyone started announcing his nose had "
+ "run away, I don’t know how it would all end";
+ static const size_t dlen = strlen(data);
+
+#ifdef WITH_OPENSSL
+ sshkey_verify(rsa, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
+ sshkey_sig_details_free(details);
+ details = NULL;
+ sshkey_verify(dsa, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
+ sshkey_sig_details_free(details);
+ details = NULL;
+ sshkey_verify(ecdsa256, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
+ sshkey_sig_details_free(details);
+ details = NULL;
+ sshkey_verify(ecdsa384, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
+ sshkey_sig_details_free(details);
+ details = NULL;
+ sshkey_verify(ecdsa521, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
+ sshkey_sig_details_free(details);
+ details = NULL;
+#endif
+ sshkey_verify(ed25519, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
+ sshkey_sig_details_free(details);
+ return 0;
+}
+
+} // extern
diff --git a/regress/misc/fuzz-harness/ssh-sk-null.cc b/regress/misc/fuzz-harness/ssh-sk-null.cc
new file mode 100644
index 0000000..199af11
--- /dev/null
+++ b/regress/misc/fuzz-harness/ssh-sk-null.cc
@@ -0,0 +1,51 @@
+/* $OpenBSD$ */
+/*
+ * Copyright (c) 2019 Google LLC
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+extern "C" {
+
+#include "includes.h"
+
+#include <sys/types.h>
+
+#include "ssherr.h"
+#include "ssh-sk.h"
+
+int
+sshsk_enroll(int type, const char *provider_path, const char *device,
+ const char *application, const char *userid, uint8_t flags,
+ const char *pin, struct sshbuf *challenge_buf,
+ struct sshkey **keyp, struct sshbuf *attest)
+{
+ return SSH_ERR_FEATURE_UNSUPPORTED;
+}
+
+int
+sshsk_sign(const char *provider_path, struct sshkey *key,
+ u_char **sigp, size_t *lenp, const u_char *data, size_t datalen,
+ u_int compat, const char *pin)
+{
+ return SSH_ERR_FEATURE_UNSUPPORTED;
+}
+
+int
+sshsk_load_resident(const char *provider_path, const char *device,
+ const char *pin, struct sshkey ***keysp, size_t *nkeysp)
+{
+ return SSH_ERR_FEATURE_UNSUPPORTED;
+}
+
+};
diff --git a/regress/misc/fuzz-harness/sshsig_fuzz.cc b/regress/misc/fuzz-harness/sshsig_fuzz.cc
new file mode 100644
index 0000000..02211a0
--- /dev/null
+++ b/regress/misc/fuzz-harness/sshsig_fuzz.cc
@@ -0,0 +1,37 @@
+// cc_fuzz_target test for sshsig verification.
+
+#include <stddef.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+extern "C" {
+
+#include "includes.h"
+#include "sshkey.h"
+#include "ssherr.h"
+#include "sshbuf.h"
+#include "sshsig.h"
+#include "log.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen)
+{
+ static const char *data = "If everyone started announcing his nose had "
+ "run away, I don’t know how it would all end";
+ struct sshbuf *signature = sshbuf_from(sig, slen);
+ struct sshbuf *message = sshbuf_from(data, strlen(data));
+ struct sshkey *k = NULL;
+ struct sshkey_sig_details *details = NULL;
+ extern char *__progname;
+
+ log_init(__progname, SYSLOG_LEVEL_QUIET, SYSLOG_FACILITY_USER, 1);
+ sshsig_verifyb(signature, message, "castle", &k, &details);
+ sshkey_sig_details_free(details);
+ sshkey_free(k);
+ sshbuf_free(signature);
+ sshbuf_free(message);
+ return 0;
+}
+
+} // extern
diff --git a/regress/misc/fuzz-harness/sshsigopt_fuzz.cc b/regress/misc/fuzz-harness/sshsigopt_fuzz.cc
new file mode 100644
index 0000000..7424fcb
--- /dev/null
+++ b/regress/misc/fuzz-harness/sshsigopt_fuzz.cc
@@ -0,0 +1,29 @@
+#include <stddef.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <string.h>
+#include <stdlib.h>
+
+extern "C" {
+
+#include "sshsig.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+{
+ char *cp = (char *)malloc(size + 1);
+ struct sshsigopt *opts = NULL;
+
+ if (cp == NULL)
+ goto out;
+ memcpy(cp, data, size);
+ cp[size] = '\0';
+ if ((opts = sshsigopt_parse(cp, "libfuzzer", 0, NULL)) == NULL)
+ goto out;
+
+ out:
+ free(cp);
+ sshsigopt_free(opts);
+ return 0;
+}
+
+} // extern "C"