Add simple sshsig fuzzer

Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Sahana Prasad <sahana@redhat.com>
2025-07-31 00:03:07 +03:00 · 2025-07-21 21:11:47 +02:00
parent c17112f070
commit 1ea1782036
3 changed files with 79 additions and 0 deletions
--- a/tests/fuzz/CMakeLists.txt
+++ b/tests/fuzz/CMakeLists.txt
@ -32,6 +32,7 @@ fuzzer(ssh_client_config_fuzzer)
 fuzzer(ssh_known_hosts_fuzzer)
 fuzzer(ssh_privkey_fuzzer)
 fuzzer(ssh_pubkey_fuzzer)
+fuzzer(ssh_sshsig_fuzzer)
 if (WITH_SERVER)
    fuzzer(ssh_server_fuzzer)
    fuzzer(ssh_bind_config_fuzzer)
--- a/tests/fuzz/ssh_sshsig_fuzzer.c
+++ b/tests/fuzz/ssh_sshsig_fuzzer.c
@ -0,0 +1,64 @@
+/*
+ * Copyright 2025 Jakub Jelen <jjelen@redhat.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define LIBSSH_STATIC 1
+#include "libssh/libssh.h"
+
+static void _fuzz_finalize(void)
+{
+    ssh_finalize();
+}
+
+int LLVMFuzzerInitialize(int *argc, char ***argv)
+{
+    (void)argc;
+    (void)argv;
+
+    ssh_init();
+
+    atexit(_fuzz_finalize);
+
+    return 0;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    ssh_key pkey = NULL;
+    const char input[] = "badc0de";
+    const char namespace[] = "namespace";
+    char *signature = NULL;
+    int rc;
+
+    signature = (char *)malloc(size + 1);
+    if (signature == NULL) {
+        return 1;
+    }
+    strncpy(signature, (const char *)data, size);
+    signature[size] = '\0';
+
+    rc = sshsig_verify(input, sizeof(input), signature, namespace, &pkey);
+    free(signature);
+    if (rc != SSH_OK) {
+        return 1;
+    }
+    ssh_key_free(pkey);
+
+    return 0;
+}
--- a/tests/fuzz/ssh_sshsig_fuzzer_corups/5645ecda3771cd2737f0aff9b88eb26a36b10964
+++ b/tests/fuzz/ssh_sshsig_fuzzer_corups/5645ecda3771cd2737f0aff9b88eb26a36b10964
@ -0,0 +1,14 @@
+-----BEGIN SSH SIGNATURE-----
+U1NIU0lHAAAAAQAAARcAAAAHc3NoLXJzYQAAAAMBAAEAAAEBALP3yM/hsvPV41IV3mzatq
+7NStESRGVw233KH29dxEgyfX0m3fkZQlDOovn6BFVdt8VnWp3bNgZJ+9rRopyWnSIDllPp
+KMafoEZrSSxPzjYgCiUKkSt3jiTQR+gLfejTKieBsL+ehuFuvLj4A8FFUMFSHOhHOkcqYs
+wxPkvvoErwUCFVELe15D3Fzsjec7o+ag4WTOJelezoPS1o+P9iBeWnLyo3yDKXqpp6fc+
+gU2GULbkFOm9VbhGIV8rzOi5DMJ3bFRoeOpAyjJkUIcgPAOqrywJYjDKvPJOYEeAHiXk56
+g0f0NdtCOjzKmDZeky05PPyqJzjjw0f11xm94heu8AAAAJbmFtZXNwYWNlAAAAAAAAAAZz
+aGE1MTIAAAEUAAAADHJzYS1zaGEyLTUxMgAAAQApuWdMEHGcQgCagN8Tgcs72DEuLMBp/v
+DXbjHbSyGRrcWcusZEvLClWkEJaouuvf7Vpqs1SaJvwW9nIcK0Md9UgZMXFOFMbKGg8LzC
+YKp7O6Qud7skUgWclP4qyQrFWhYOfuijNY2rWajy+F42DI28j84CYx9bvHHWtqCEGihKdn
+KLJltw/D7T3GnoKOeknOUl1Kr4Ca3G+qxSLxNsu0sa6TtP7ZnH+75tSlHunhVhOKHKf/f4
+YpjMCjuPIOolMbFm+UFojZcGMVvyZKelV2m4dPQ7OMpGcl7KTRMAbzm7yfsQeHSc132pnn
+OwfsIiy75wDBtvudMSFOYftG1EeEzN
+-----END SSH SIGNATURE-----