/src/dropbear/fuzz/fuzzer-kexmlkem-srv.c
Line | Count | Source |
1 | | #include "fuzz.h" |
2 | | #include "session.h" |
3 | | #include "fuzz-wrapfd.h" |
4 | | #include "debug.h" |
5 | | #include "runopts.h" |
6 | | #include "algo.h" |
7 | | |
8 | | static struct key_context* keep_newkeys = NULL; |
9 | | |
10 | | static void setup() __attribute__((constructor)); |
11 | 2 | static void setup() { |
12 | 2 | fuzz_common_setup(); |
13 | 2 | fuzz_svr_setup(); |
14 | | |
15 | 2 | keep_newkeys = (struct key_context*)m_malloc(sizeof(struct key_context)); |
16 | 2 | keep_newkeys->algo_kex = fuzz_get_algo(sshkex, "mlkem768x25519-sha256"); |
17 | 2 | keep_newkeys->algo_hostkey = DROPBEAR_SIGNKEY_ED25519; |
18 | 2 | } |
19 | | |
20 | 757 | int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { |
21 | 757 | if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) { |
22 | 0 | return 0; |
23 | 0 | } |
24 | | |
25 | 757 | m_malloc_set_epoch(1); |
26 | | |
27 | 757 | if (setjmp(fuzz.jmp) == 0) { |
28 | 757 | ses.newkeys = keep_newkeys; |
29 | | |
30 | 757 | struct kex_pqhybrid_param *param = gen_kexpqhybrid_param(); |
31 | | |
32 | 757 | buffer * q_c = buf_getstringbuf(fuzz.input); |
33 | | |
34 | 757 | ses.kexhashbuf = buf_new(KEXHASHBUF_MAX_INTS); |
35 | 757 | kexpqhybrid_comb_key(param, q_c, svr_opts.hostkey); |
36 | | |
37 | 757 | free_kexpqhybrid_param(param); |
38 | | |
39 | 757 | buf_free(ses.dh_K_bytes); |
40 | 757 | buf_free(q_c); |
41 | | |
42 | 757 | buf_free(ses.hash); |
43 | 757 | buf_free(ses.session_id); |
44 | | /* kexhashbuf is freed in kexpqhybrid_comb_key */ |
45 | | |
46 | 757 | m_malloc_free_epoch(1, 0); |
47 | 757 | } else { |
48 | 0 | m_malloc_free_epoch(1, 1); |
49 | 0 | TRACE(("dropbear_exit longjmped")) |
50 | | /* dropbear_exit jumped here */ |
51 | 0 | } |
52 | | |
53 | 757 | return 0; |
54 | 757 | } |