diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 11:13:18 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 11:13:18 +0000 |
commit | 9e7e4ab6617fef1d1681fc2d3e02554264ccc954 (patch) | |
tree | 336445493163aa0370cb7830d97ebd8819b2e2c5 /regress/misc/fuzz-harness | |
parent | Initial commit. (diff) | |
download | openssh-9e7e4ab6617fef1d1681fc2d3e02554264ccc954.tar.xz openssh-9e7e4ab6617fef1d1681fc2d3e02554264ccc954.zip |
Adding upstream version 1:8.4p1.upstream/1%8.4p1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'regress/misc/fuzz-harness')
-rw-r--r-- | regress/misc/fuzz-harness/Makefile | 38 | ||||
-rw-r--r-- | regress/misc/fuzz-harness/README | 1 | ||||
-rw-r--r-- | regress/misc/fuzz-harness/authopt_fuzz.cc | 33 | ||||
-rw-r--r-- | regress/misc/fuzz-harness/privkey_fuzz.cc | 21 | ||||
-rw-r--r-- | regress/misc/fuzz-harness/pubkey_fuzz.cc | 18 | ||||
-rw-r--r-- | regress/misc/fuzz-harness/sig_fuzz.cc | 62 | ||||
-rw-r--r-- | regress/misc/fuzz-harness/ssh-sk-null.cc | 51 | ||||
-rw-r--r-- | regress/misc/fuzz-harness/sshsig_fuzz.cc | 37 | ||||
-rw-r--r-- | regress/misc/fuzz-harness/sshsigopt_fuzz.cc | 29 |
9 files changed, 290 insertions, 0 deletions
diff --git a/regress/misc/fuzz-harness/Makefile b/regress/misc/fuzz-harness/Makefile new file mode 100644 index 0000000..64fbdba --- /dev/null +++ b/regress/misc/fuzz-harness/Makefile @@ -0,0 +1,38 @@ +# NB. libssh and libopenbsd-compat should be built with the same sanitizer opts. +CXX=clang++-6.0 +FUZZ_FLAGS=-fsanitize=address,undefined -fsanitize-coverage=edge,trace-pc +FUZZ_LIBS=-lFuzzer + +CXXFLAGS=-O2 -g -Wall -Wextra -Wno-unused-parameter -I ../../.. $(FUZZ_FLAGS) +LDFLAGS=-L ../../.. -L ../../../openbsd-compat -g $(FUZZ_FLAGS) +LIBS=-lssh -lopenbsd-compat -lcrypto -lfido2 -lcbor $(FUZZ_LIBS) +COMMON_OBJS=ssh-sk-null.o + +TARGETS=pubkey_fuzz sig_fuzz authopt_fuzz sshsig_fuzz \ + sshsigopt_fuzz privkey_fuzz + +all: $(TARGETS) + +.cc.o: + $(CXX) $(CXXFLAGS) -c $< -o $@ + +pubkey_fuzz: pubkey_fuzz.o $(COMMON_OBJS) + $(CXX) -o $@ pubkey_fuzz.o $(COMMON_OBJS) $(LDFLAGS) $(LIBS) + +sig_fuzz: sig_fuzz.o $(COMMON_OBJS) + $(CXX) -o $@ sig_fuzz.o $(COMMON_OBJS) $(LDFLAGS) $(LIBS) + +authopt_fuzz: authopt_fuzz.o $(COMMON_OBJS) + $(CXX) -o $@ authopt_fuzz.o $(COMMON_OBJS) ../../../auth-options.o $(LDFLAGS) $(LIBS) + +sshsig_fuzz: sshsig_fuzz.o $(COMMON_OBJS) + $(CXX) -o $@ sshsig_fuzz.o $(COMMON_OBJS) ../../../sshsig.o $(LDFLAGS) $(LIBS) + +sshsigopt_fuzz: sshsigopt_fuzz.o $(COMMON_OBJS) + $(CXX) -o $@ sshsigopt_fuzz.o $(COMMON_OBJS) ../../../sshsig.o $(LDFLAGS) $(LIBS) + +privkey_fuzz: privkey_fuzz.o $(COMMON_OBJS) + $(CXX) -o $@ privkey_fuzz.o $(COMMON_OBJS) $(LDFLAGS) $(LIBS) + +clean: + -rm -f *.o $(TARGETS) diff --git a/regress/misc/fuzz-harness/README b/regress/misc/fuzz-harness/README new file mode 100644 index 0000000..ae6fbe7 --- /dev/null +++ b/regress/misc/fuzz-harness/README @@ -0,0 +1 @@ +This directory contains fuzzing harnesses for use with clang's libfuzzer. diff --git a/regress/misc/fuzz-harness/authopt_fuzz.cc b/regress/misc/fuzz-harness/authopt_fuzz.cc new file mode 100644 index 0000000..a76d5a3 --- /dev/null +++ b/regress/misc/fuzz-harness/authopt_fuzz.cc @@ -0,0 +1,33 @@ +#include <stddef.h> +#include <stdio.h> +#include <stdint.h> +#include <string.h> +#include <stdlib.h> + +extern "C" { + +#include "auth-options.h" + +int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) +{ + char *cp = (char *)malloc(size + 1); + struct sshauthopt *opts = NULL, *merge = NULL, *add = sshauthopt_new(); + + if (cp == NULL || add == NULL) + goto out; + memcpy(cp, data, size); + cp[size] = '\0'; + if ((opts = sshauthopt_parse(cp, NULL)) == NULL) + goto out; + if ((merge = sshauthopt_merge(opts, add, NULL)) == NULL) + goto out; + + out: + free(cp); + sshauthopt_free(add); + sshauthopt_free(opts); + sshauthopt_free(merge); + return 0; +} + +} // extern "C" diff --git a/regress/misc/fuzz-harness/privkey_fuzz.cc b/regress/misc/fuzz-harness/privkey_fuzz.cc new file mode 100644 index 0000000..ff0b0f7 --- /dev/null +++ b/regress/misc/fuzz-harness/privkey_fuzz.cc @@ -0,0 +1,21 @@ +#include <stddef.h> +#include <stdio.h> +#include <stdint.h> + +extern "C" { + +#include "sshkey.h" +#include "sshbuf.h" + +int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) +{ + struct sshkey *k = NULL; + struct sshbuf *b = sshbuf_from(data, size); + int r = sshkey_private_deserialize(b, &k); + if (r == 0) sshkey_free(k); + sshbuf_free(b); + return 0; +} + +} // extern + diff --git a/regress/misc/fuzz-harness/pubkey_fuzz.cc b/regress/misc/fuzz-harness/pubkey_fuzz.cc new file mode 100644 index 0000000..8bbc110 --- /dev/null +++ b/regress/misc/fuzz-harness/pubkey_fuzz.cc @@ -0,0 +1,18 @@ +#include <stddef.h> +#include <stdio.h> +#include <stdint.h> + +extern "C" { + +#include "sshkey.h" + +int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) +{ + struct sshkey *k = NULL; + int r = sshkey_from_blob(data, size, &k); + if (r == 0) sshkey_free(k); + return 0; +} + +} // extern + diff --git a/regress/misc/fuzz-harness/sig_fuzz.cc b/regress/misc/fuzz-harness/sig_fuzz.cc new file mode 100644 index 0000000..b32502b --- /dev/null +++ b/regress/misc/fuzz-harness/sig_fuzz.cc @@ -0,0 +1,62 @@ +// cc_fuzz_target test for public key parsing. + +#include <stddef.h> +#include <stdio.h> +#include <stdint.h> +#include <stdlib.h> +#include <string.h> + +extern "C" { + +#include "includes.h" +#include "sshkey.h" +#include "ssherr.h" + +static struct sshkey *generate_or_die(int type, unsigned bits) { + int r; + struct sshkey *ret; + if ((r = sshkey_generate(type, bits, &ret)) != 0) { + fprintf(stderr, "generate(%d, %u): %s", type, bits, ssh_err(r)); + abort(); + } + return ret; +} + +int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen) +{ +#ifdef WITH_OPENSSL + static struct sshkey *rsa = generate_or_die(KEY_RSA, 2048); + static struct sshkey *dsa = generate_or_die(KEY_DSA, 1024); + static struct sshkey *ecdsa256 = generate_or_die(KEY_ECDSA, 256); + static struct sshkey *ecdsa384 = generate_or_die(KEY_ECDSA, 384); + static struct sshkey *ecdsa521 = generate_or_die(KEY_ECDSA, 521); +#endif + struct sshkey_sig_details *details = NULL; + static struct sshkey *ed25519 = generate_or_die(KEY_ED25519, 0); + static const char *data = "If everyone started announcing his nose had " + "run away, I don’t know how it would all end"; + static const size_t dlen = strlen(data); + +#ifdef WITH_OPENSSL + sshkey_verify(rsa, sig, slen, (const u_char *)data, dlen, NULL, 0, &details); + sshkey_sig_details_free(details); + details = NULL; + sshkey_verify(dsa, sig, slen, (const u_char *)data, dlen, NULL, 0, &details); + sshkey_sig_details_free(details); + details = NULL; + sshkey_verify(ecdsa256, sig, slen, (const u_char *)data, dlen, NULL, 0, &details); + sshkey_sig_details_free(details); + details = NULL; + sshkey_verify(ecdsa384, sig, slen, (const u_char *)data, dlen, NULL, 0, &details); + sshkey_sig_details_free(details); + details = NULL; + sshkey_verify(ecdsa521, sig, slen, (const u_char *)data, dlen, NULL, 0, &details); + sshkey_sig_details_free(details); + details = NULL; +#endif + sshkey_verify(ed25519, sig, slen, (const u_char *)data, dlen, NULL, 0, &details); + sshkey_sig_details_free(details); + return 0; +} + +} // extern diff --git a/regress/misc/fuzz-harness/ssh-sk-null.cc b/regress/misc/fuzz-harness/ssh-sk-null.cc new file mode 100644 index 0000000..199af11 --- /dev/null +++ b/regress/misc/fuzz-harness/ssh-sk-null.cc @@ -0,0 +1,51 @@ +/* $OpenBSD$ */ +/* + * Copyright (c) 2019 Google LLC + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +extern "C" { + +#include "includes.h" + +#include <sys/types.h> + +#include "ssherr.h" +#include "ssh-sk.h" + +int +sshsk_enroll(int type, const char *provider_path, const char *device, + const char *application, const char *userid, uint8_t flags, + const char *pin, struct sshbuf *challenge_buf, + struct sshkey **keyp, struct sshbuf *attest) +{ + return SSH_ERR_FEATURE_UNSUPPORTED; +} + +int +sshsk_sign(const char *provider_path, struct sshkey *key, + u_char **sigp, size_t *lenp, const u_char *data, size_t datalen, + u_int compat, const char *pin) +{ + return SSH_ERR_FEATURE_UNSUPPORTED; +} + +int +sshsk_load_resident(const char *provider_path, const char *device, + const char *pin, struct sshkey ***keysp, size_t *nkeysp) +{ + return SSH_ERR_FEATURE_UNSUPPORTED; +} + +}; diff --git a/regress/misc/fuzz-harness/sshsig_fuzz.cc b/regress/misc/fuzz-harness/sshsig_fuzz.cc new file mode 100644 index 0000000..02211a0 --- /dev/null +++ b/regress/misc/fuzz-harness/sshsig_fuzz.cc @@ -0,0 +1,37 @@ +// cc_fuzz_target test for sshsig verification. + +#include <stddef.h> +#include <stdio.h> +#include <stdint.h> +#include <stdlib.h> +#include <string.h> + +extern "C" { + +#include "includes.h" +#include "sshkey.h" +#include "ssherr.h" +#include "sshbuf.h" +#include "sshsig.h" +#include "log.h" + +int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen) +{ + static const char *data = "If everyone started announcing his nose had " + "run away, I don’t know how it would all end"; + struct sshbuf *signature = sshbuf_from(sig, slen); + struct sshbuf *message = sshbuf_from(data, strlen(data)); + struct sshkey *k = NULL; + struct sshkey_sig_details *details = NULL; + extern char *__progname; + + log_init(__progname, SYSLOG_LEVEL_QUIET, SYSLOG_FACILITY_USER, 1); + sshsig_verifyb(signature, message, "castle", &k, &details); + sshkey_sig_details_free(details); + sshkey_free(k); + sshbuf_free(signature); + sshbuf_free(message); + return 0; +} + +} // extern diff --git a/regress/misc/fuzz-harness/sshsigopt_fuzz.cc b/regress/misc/fuzz-harness/sshsigopt_fuzz.cc new file mode 100644 index 0000000..7424fcb --- /dev/null +++ b/regress/misc/fuzz-harness/sshsigopt_fuzz.cc @@ -0,0 +1,29 @@ +#include <stddef.h> +#include <stdio.h> +#include <stdint.h> +#include <string.h> +#include <stdlib.h> + +extern "C" { + +#include "sshsig.h" + +int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) +{ + char *cp = (char *)malloc(size + 1); + struct sshsigopt *opts = NULL; + + if (cp == NULL) + goto out; + memcpy(cp, data, size); + cp[size] = '\0'; + if ((opts = sshsigopt_parse(cp, "libfuzzer", 0, NULL)) == NULL) + goto out; + + out: + free(cp); + sshsigopt_free(opts); + return 0; +} + +} // extern "C" |