1 /* $OpenBSD: test_fuzz.c,v 1.4 2015/03/04 23:22:35 djm Exp $ */
3 * Fuzz tests for key parsing
5 * Placed in the public domain
10 #include <sys/types.h>
11 #include <sys/param.h>
22 #include <openssl/bn.h>
23 #include <openssl/rsa.h>
24 #include <openssl/dsa.h>
25 #include <openssl/objects.h>
26 #ifdef OPENSSL_HAS_NISTP256
27 # include <openssl/ec.h>
30 #include "../test_helper/test_helper.h"
39 void sshkey_fuzz_tests(void);
/*
 * Failure-reporting fragment; the enclosing function's signature is not part
 * of this listing (presumably the onerror callback passed to TEST_ONERROR
 * further down -- confirm). It prints a marker to stderr and dumps the fuzz
 * context it was given via fuzz_dump(), so the input that was active when an
 * assertion failed is recorded next to the failure.
 */
44 fprintf(stderr, "Failed during fuzz:\n");
45 fuzz_dump((struct fuzz *)fuzz);
/*
 * public_fuzz: serialise key k to its blob encoding and feed mutated copies
 * of that blob to sshkey_from_blob().
 * Only part of the function appears in this listing; declarations, braces
 * and some continuation lines are missing.
 */
49 public_fuzz(struct sshkey *k)
/* Serialise k into a fresh sshbuf; both steps must succeed before fuzzing. */
55 ASSERT_PTR_NE(buf = sshbuf_new(), NULL);
56 ASSERT_INT_EQ(sshkey_putb(k, buf), 0);
57 /* XXX need a way to run the tests in "slow, but complete" mode */
/*
 * Mutation set: single bit flips, single byte flips and truncation from
 * either end of the blob. The two-bit and two-byte variants are commented
 * out as too slow, so parser states that need two simultaneous changes to
 * reach are not exercised by this test.
 */
58 fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | /* XXX too slow FUZZ_2_BIT_FLIP | */
59 FUZZ_1_BYTE_FLIP | /* XXX too slow FUZZ_2_BYTE_FLIP | */
60 FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END,
61 sshbuf_mutable_ptr(buf), sshbuf_len(buf));
/*
 * Baseline: the unmodified blob is parsed first (the rest of this assertion
 * is on a line not shown here).
 */
62 ASSERT_INT_EQ(sshkey_from_blob(sshbuf_ptr(buf), sshbuf_len(buf),
/* Hand the fuzz context to onerror for the duration of the loop. */
66 TEST_ONERROR(onerror, fuzz);
/*
 * Every mutated blob is passed to sshkey_from_blob(). The visible code only
 * branches on success (== 0) and asserts nothing about the return value, so
 * both acceptance and rejection pass: what is being checked is that parsing
 * a malformed key blob does not crash. Memory errors that do not crash are
 * only caught if the test binary is built with a sanitizer or run under a
 * memory checker.
 * NOTE(review): the body of this if is not shown -- presumably it releases
 * the parsed key k1; confirm.
 */
67 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
68 if (sshkey_from_blob(fuzz_ptr(fuzz), fuzz_len(fuzz), &k1) == 0)
/*
 * sig_fuzz: sign a fixed message with key k, then check that mutated copies
 * of the signature are not accepted by sshkey_verify().
 * Only part of the function appears in this listing; declarations, braces
 * and some continuation lines are missing.
 */
75 sig_fuzz(struct sshkey *k)
/* c is a string literal array, so sizeof(c) below includes the trailing NUL. */
78 u_char *sig, c[] = "some junk to be signed";
/* Produce the reference signature and require it to be non-empty. */
81 ASSERT_INT_EQ(sshkey_sign(k, &sig, &l, c, sizeof(c), 0), 0);
82 ASSERT_SIZE_T_GT(l, 0);
/*
 * Mutation set over the signature bytes: single bit flips, one- and two-byte
 * flips, and truncation from either end. Two-bit flips are commented out as
 * too slow.
 */
83 fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | /* too slow FUZZ_2_BIT_FLIP | */
84 FUZZ_1_BYTE_FLIP | FUZZ_2_BYTE_FLIP |
85 FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END, sig, l);
/* Baseline: the untouched signature must verify over the same message. */
86 ASSERT_INT_EQ(sshkey_verify(k, sig, l, c, sizeof(c), 0), 0);
/* Hand the fuzz context to onerror for the duration of the loop. */
88 TEST_ONERROR(onerror, fuzz);
89 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
90 /* Ensure 1-bit difference at least */
/*
 * A mutation that reproduces the original bytes is a valid signature, so it
 * is excluded from the rejection check below (the statement this if guards
 * is on a line not shown -- presumably a continue).
 */
91 if (fuzz_matches_original(fuzz))
/*
 * Unlike the parser fuzzers in this file, this is a hard assertion on the
 * verifier's result. The value compared against is on a continuation line
 * not shown; presumably it is 0, i.e. every altered signature must fail
 * verification -- confirm.
 */
93 ASSERT_INT_NE(sshkey_verify(k, fuzz_ptr(fuzz), fuzz_len(fuzz),
/*
 * sshkey_fuzz_tests: test driver that fuzzes the key-file parsers, the
 * public-key blob parser and signature verification for each key type.
 * Only part of the function appears in this listing; declarations, braces,
 * #endif lines and some continuation lines are missing.
 *
 * The private-key sections all follow one pattern visible below: load a
 * fixture file, start a fuzzer over its bytes, assert that the unmodified
 * file parses, then for every mutation copy it into the scratch buffer
 * `fuzzed`, run the parser on it and reset the scratch buffer. In the loop
 * the parser call sits in a plain if with no assertion on its result in the
 * lines shown, so these sections check that malformed key files are handled
 * without crashing, not that they are rejected.
 */
100 sshkey_fuzz_tests(void)
103 struct sshbuf *buf, *fuzzed;
/*
 * RSA1 private key file: bit/byte flips and truncation over the file bytes.
 * The parser is called with "" and "key" as its second and third arguments
 * (presumably passphrase and key name -- confirm against sshkey.h).
 */
108 TEST_START("fuzz RSA1 private");
109 buf = load_file("rsa1_1");
110 fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | FUZZ_1_BYTE_FLIP |
111 FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END,
112 sshbuf_mutable_ptr(buf), sshbuf_len(buf));
113 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
117 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
118 TEST_ONERROR(onerror, fuzz);
119 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
/* r is assigned here; any check of it is on a line not shown. */
120 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
122 if (sshkey_parse_private_fileblob(fuzzed, "", "key",
125 sshbuf_reset(fuzzed);
/*
 * RSA1 public part: same mutation set, but the fixture is rsa1_1_pw and the
 * parser exercised is sshkey_parse_public_rsa1_fileblob().
 */
131 TEST_START("fuzz RSA1 public");
132 buf = load_file("rsa1_1_pw");
133 fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | FUZZ_1_BYTE_FLIP |
134 FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END,
135 sshbuf_mutable_ptr(buf), sshbuf_len(buf));
136 ASSERT_INT_EQ(sshkey_parse_public_rsa1_fileblob(buf, &k1, NULL), 0);
139 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
140 TEST_ONERROR(onerror, fuzz);
141 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
142 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
144 if (sshkey_parse_public_rsa1_fileblob(fuzzed, &k1, NULL) == 0)
146 sshbuf_reset(fuzzed);
/*
 * From here on the private-key files are fuzzed with FUZZ_BASE64 only, not
 * with bit/byte flips or truncation.
 * NOTE(review): presumably FUZZ_BASE64 substitutes characters from the
 * base64 alphabet so that mutations survive decoding and reach the inner
 * parser -- confirm in test_helper. The XXX note at the end of the function
 * records that the decoded new-format blobs are not fuzzed directly.
 */
153 TEST_START("fuzz RSA private");
154 buf = load_file("rsa_1");
155 fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
157 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
161 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
162 TEST_ONERROR(onerror, fuzz);
163 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
164 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
166 if (sshkey_parse_private_fileblob(fuzzed, "", "key",
169 sshbuf_reset(fuzzed);
175 TEST_START("fuzz RSA new-format private");
176 buf = load_file("rsa_n");
177 fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
179 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
183 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
184 TEST_ONERROR(onerror, fuzz);
185 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
186 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
188 if (sshkey_parse_private_fileblob(fuzzed, "", "key",
191 sshbuf_reset(fuzzed);
197 TEST_START("fuzz DSA private");
198 buf = load_file("dsa_1");
199 fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
201 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
205 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
206 TEST_ONERROR(onerror, fuzz);
207 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
208 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
210 if (sshkey_parse_private_fileblob(fuzzed, "", "key",
213 sshbuf_reset(fuzzed);
219 TEST_START("fuzz DSA new-format private");
220 buf = load_file("dsa_n");
221 fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
223 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
227 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
228 TEST_ONERROR(onerror, fuzz);
229 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
230 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
232 if (sshkey_parse_private_fileblob(fuzzed, "", "key",
235 sshbuf_reset(fuzzed);
/* ECDSA sections are compiled only when OPENSSL_HAS_ECC is defined. */
241 #ifdef OPENSSL_HAS_ECC
242 TEST_START("fuzz ECDSA private");
243 buf = load_file("ecdsa_1");
244 fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
246 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
250 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
251 TEST_ONERROR(onerror, fuzz);
252 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
253 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
255 if (sshkey_parse_private_fileblob(fuzzed, "", "key",
258 sshbuf_reset(fuzzed);
264 TEST_START("fuzz ECDSA new-format private");
265 buf = load_file("ecdsa_n");
266 fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
268 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
272 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
273 TEST_ONERROR(onerror, fuzz);
274 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
275 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
277 if (sshkey_parse_private_fileblob(fuzzed, "", "key",
280 sshbuf_reset(fuzzed);
287 TEST_START("fuzz Ed25519 private");
288 buf = load_file("ed25519_1");
289 fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
291 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
295 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
296 TEST_ONERROR(onerror, fuzz);
297 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
298 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
300 if (sshkey_parse_private_fileblob(fuzzed, "", "key",
303 sshbuf_reset(fuzzed);
/*
 * Public-key and certificate sections: each loads a key, either by parsing
 * the private key file or via sshkey_load_cert(), and asserts that the load
 * succeeds. The fuzzing call itself is on lines not shown -- presumably
 * public_fuzz(k1); confirm.
 */
309 TEST_START("fuzz RSA public");
310 buf = load_file("rsa_1");
311 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
318 TEST_START("fuzz RSA cert");
319 ASSERT_INT_EQ(sshkey_load_cert(test_data_file("rsa_1"), &k1), 0);
324 TEST_START("fuzz DSA public");
325 buf = load_file("dsa_1");
326 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
333 TEST_START("fuzz DSA cert");
334 ASSERT_INT_EQ(sshkey_load_cert(test_data_file("dsa_1"), &k1), 0);
339 #ifdef OPENSSL_HAS_ECC
340 TEST_START("fuzz ECDSA public");
341 buf = load_file("ecdsa_1");
342 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
349 TEST_START("fuzz ECDSA cert");
350 ASSERT_INT_EQ(sshkey_load_cert(test_data_file("ecdsa_1"), &k1), 0);
356 TEST_START("fuzz Ed25519 public");
357 buf = load_file("ed25519_1");
358 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
365 TEST_START("fuzz Ed25519 cert");
366 ASSERT_INT_EQ(sshkey_load_cert(test_data_file("ed25519_1"), &k1), 0);
/*
 * Signature sections: each parses a private key from its fixture file. The
 * fuzzing call itself is on lines not shown -- presumably sig_fuzz(k1);
 * confirm.
 */
371 TEST_START("fuzz RSA sig");
372 buf = load_file("rsa_1");
373 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
380 TEST_START("fuzz DSA sig");
381 buf = load_file("dsa_1");
382 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
389 #ifdef OPENSSL_HAS_ECC
390 TEST_START("fuzz ECDSA sig");
391 buf = load_file("ecdsa_1");
392 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
400 TEST_START("fuzz Ed25519 sig");
401 buf = load_file("ed25519_1");
402 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
409 /* XXX fuzz decoded new-format blobs too */