Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Fuzzer details

Fuzzer: sshsigopt_fuzz

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 0 0.0%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 31 100.%
All colors 31 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
0 0 None 2 2 opt_flag call site: 00005 /src/hpn-ssh/misc.c:2564
0 0 None 0 3 sshsigopt_parse call site: 00028 /src/hpn-ssh/sshsig.c:715
0 0 None 0 0 opt_dequote call site: 00012 /src/hpn-ssh/misc.c:2588
0 0 None 0 0 sshsigopt_parse call site: 00002 /src/hpn-ssh/sshsig.c:643

Runtime coverage analysis

Covered functions
7
Functions that are reachable but not covered
9
Reachable functions
16
Percentage of reachable functions covered
43.75%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/sshsigopt_fuzz.cc 1
sshsig.c 2
misc.c 4

Fuzzer: pubkey_fuzz

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 42 37.8%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 69 62.1%
All colors 111 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
158 158 5 :

['strlcpy', 'getpid', 'do_log', 'strrchr', 'match_pattern_list']

158 158 sshlogv call site: 00013 /src/hpn-ssh/log.c:481
82 242 4 :

['sshkey_xmss_params', 'sshlog', 'malloc', 'xmss_sign_open']

82 455 ssh_xmss_verify call site: 00000 /src/hpn-ssh/ssh-xmss.c:314
50 50 3 :

['EC_KEY_get0_public_key', 'EC_KEY_get0_group', 'sshkey_ec_validate_public']

52 52 ssh_ecdsa_deserialize_public call site: 00000 /src/hpn-ssh/ssh-ecdsa.c:177
13 13 1 :

['rsa_hash_id_from_keyname']

21 703 ssh_rsa_verify call site: 00000 /src/hpn-ssh/ssh-rsa.c:508
4 4 1 :

['timingsafe_bcmp']

4 9 openssh_RSA_verify call site: 00000 /src/hpn-ssh/ssh-rsa.c:659
2 217 2 :

['EC_KEY_set_public_key', 'sshbuf_get_string_direct']

6 221 sshbuf_get_eckey call site: 00000 /src/hpn-ssh/sshbuf-getput-crypto.c:110
2 2 1 :

['BN_clear_free']

2 2 sshbuf_get_bignum2 call site: 00000 /src/hpn-ssh/sshbuf-getput-crypto.c:48
2 2 1 :

['explicit_bzero']

2 2 sshkey_xmss_free_state call site: 00000 /src/hpn-ssh/sshkey-xmss.c:144
0 233 1 :

['sshkey_deserialize_sk']

0 233 ssh_ecdsa_sk_deserialize_public call site: 00000 /src/hpn-ssh/ssh-ecdsa-sk.c:133
0 222 1 :

['cert_free']

0 222 cert_new call site: 00083 /src/hpn-ssh/sshkey.c:595
0 220 1 :

['sshkey_free']

0 220 sshkey_new call site: 00081 /src/hpn-ssh/sshkey.c:630
0 203 1 :

['sshbuf_free']

0 203 sshbuf_froms call site: 00000 /src/hpn-ssh/sshbuf-getput-basic.c:561

Runtime coverage analysis

Covered functions
137
Functions that are reachable but not covered
32
Reachable functions
77
Percentage of reachable functions covered
58.44%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/pubkey_fuzz.cc 1
sshkey.c 11
sshbuf.c 9
misc.c 1
log.c 3
match.c 2
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
openbsd-compat/freezero.c 1
sshbuf-getput-basic.c 3

Fuzzer: privkey_fuzz

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 45 34.6%
gold [1:9] 1 0.76%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 84 64.6%
All colors 130 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
158 158 5 :

['strlcpy', 'getpid', 'do_log', 'strrchr', 'match_pattern_list']

158 158 sshlogv call site: 00014 /src/hpn-ssh/log.c:481
82 242 4 :

['sshkey_xmss_params', 'sshlog', 'malloc', 'xmss_sign_open']

82 455 ssh_xmss_verify call site: 00000 /src/hpn-ssh/ssh-xmss.c:314
50 50 3 :

['EC_KEY_get0_public_key', 'EC_KEY_get0_group', 'sshkey_ec_validate_public']

52 52 ssh_ecdsa_deserialize_public call site: 00000 /src/hpn-ssh/ssh-ecdsa.c:177
13 13 1 :

['rsa_hash_id_from_keyname']

21 703 ssh_rsa_verify call site: 00000 /src/hpn-ssh/ssh-rsa.c:508
4 4 1 :

['timingsafe_bcmp']

4 9 openssh_RSA_verify call site: 00000 /src/hpn-ssh/ssh-rsa.c:659
2 217 2 :

['EC_KEY_set_public_key', 'sshbuf_get_string_direct']

6 221 sshbuf_get_eckey call site: 00000 /src/hpn-ssh/sshbuf-getput-crypto.c:110
2 2 1 :

['BN_clear_free']

2 2 sshbuf_get_bignum2 call site: 00000 /src/hpn-ssh/sshbuf-getput-crypto.c:48
0 233 1 :

['sshkey_deserialize_sk']

0 233 ssh_ecdsa_sk_deserialize_public call site: 00000 /src/hpn-ssh/ssh-ecdsa-sk.c:133
0 222 1 :

['cert_free']

0 222 cert_new call site: 00093 /src/hpn-ssh/sshkey.c:595
0 220 1 :

['sshkey_free']

0 220 sshkey_new call site: 00091 /src/hpn-ssh/sshkey.c:630
0 203 1 :

['sshbuf_free']

0 203 sshbuf_froms call site: 00066 /src/hpn-ssh/sshbuf-getput-basic.c:561
0 203 1 :

['sshbuf_free']

0 203 sshbuf_fromb call site: 00080 /src/hpn-ssh/sshbuf.c:177

Runtime coverage analysis

Covered functions
153
Functions that are reachable but not covered
33
Reachable functions
81
Percentage of reachable functions covered
59.26%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/privkey_fuzz.cc 1
sshbuf.c 9
sshkey.c 14
sshbuf-getput-basic.c 4
misc.c 1
log.c 3
match.c 2
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
openbsd-compat/freezero.c 1

Fuzzer: sig_fuzz

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 67 61.4%
gold [1:9] 8 7.33%
yellow [10:29] 1 0.91%
greenyellow [30:49] 1 0.91%
lawngreen 50+ 32 29.3%
All colors 109 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
453 453 2 :

['cert_new', 'sshkey_free']

453 453 sshkey_new call site: 00010 /src/hpn-ssh/sshkey.c:629
220 220 1 :

['sshkey_free']

220 220 sshkey_generate call site: 00007 /src/hpn-ssh/sshkey.c:1414
164 164 1 :

['_getentropy_fail']

168 229 _rs_stir call site: 00000 /src/hpn-ssh/openbsd-compat/arc4random.c:116
164 164 2 :

['ERR_get_error', 'sshfatal']

164 164 _ssh_compat_getentropy call site: 00000 /src/hpn-ssh/openbsd-compat/bsd-getentropy.c:45
158 158 5 :

['strlcpy', 'getpid', 'do_log', 'strrchr', 'match_pattern_list']

158 158 sshlogv call site: 00029 /src/hpn-ssh/log.c:481
73 73 2 :

['abort', 'ssh_err']

73 73 generate_or_die(int,unsignedint) call site: 00000 /src/hpn-ssh/regress/misc/fuzz-harness/sig_fuzz.cc:18
13 13 1 :

['rsa_hash_id_from_keyname']

21 703 ssh_rsa_verify call site: 00000 /src/hpn-ssh/ssh-rsa.c:508
4 4 1 :

['timingsafe_bcmp']

4 9 openssh_RSA_verify call site: 00000 /src/hpn-ssh/ssh-rsa.c:659
2 2 1 :

['_exit']

2 2 _rs_init call site: 00000 /src/hpn-ssh/openbsd-compat/arc4random.c:102
2 2 1 :

['memset']

2 2 _rs_forkdetect call site: 00000 /src/hpn-ssh/openbsd-compat/./arc4random.h:58
2 2 1 :

['munmap']

2 2 _rs_allocate call site: 00000 /src/hpn-ssh/openbsd-compat/./arc4random.h:71
2 2 1 :

['EC_KEY_free']

2 2 ssh_ecdsa_generate call site: 00000 /src/hpn-ssh/ssh-ecdsa.c:135

Runtime coverage analysis

Covered functions
106
Functions that are reachable but not covered
39
Reachable functions
56
Percentage of reachable functions covered
30.36%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/sig_fuzz.cc 2
sshkey.c 13
sshbuf.c 3
misc.c 1
log.c 3
match.c 2
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
openbsd-compat/freezero.c 1
ssherr.c 1

Fuzzer: authopt_fuzz

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 56 37.0%
gold [1:9] 3 1.98%
yellow [10:29] 0 0.0%
greenyellow [30:49] 2 1.32%
lawngreen 50+ 90 59.6%
All colors 151 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
168 765 4 :

['xstrdup', 'strchr', 'free', 'a2tun']

168 765 a2tun call site: 00082 /src/hpn-ssh/misc.c:559
2 2 1 :

['getpagesize']

8 8 recallocarray call site: 00051 /src/hpn-ssh/openbsd-compat/recallocarray.c:64
2 2 1 :

['ntohs']

2 2 a2port call site: 00075 /src/hpn-ssh/misc.c:547
0 11 1 :

['sshauthopt_free']

0 11 sshauthopt_merge call site: 00145 /src/hpn-ssh/auth-options.c:635
0 0 None 12 100 sshauthopt_merge call site: 00132 /src/hpn-ssh/auth-options.c:541
0 0 None 8 19 sshauthopt_merge call site: 00142 /src/hpn-ssh/auth-options.c:614
0 0 None 6 675 sshauthopt_parse call site: 00003 /src/hpn-ssh/auth-options.c:333
0 0 None 2 2 recallocarray call site: 00053 /src/hpn-ssh/openbsd-compat/recallocarray.c:77
0 0 None 2 2 strtonum call site: 00071 /src/hpn-ssh/openbsd-compat/strtonum.c:52
0 0 None 0 11 sshauthopt_parse call site: 00004 /src/hpn-ssh/auth-options.c:335
0 0 None 0 11 sshauthopt_parse call site: 00041 /src/hpn-ssh/auth-options.c:405
0 0 None 0 11 sshauthopt_parse call site: 00044 /src/hpn-ssh/auth-options.c:417

Runtime coverage analysis

Covered functions
19
Functions that are reachable but not covered
42
Reachable functions
61
Percentage of reachable functions covered
31.15%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/authopt_fuzz.cc 1
auth-options.c 7
misc.c 8
openbsd-compat/recallocarray.c 1
openbsd-compat/strtonum.c 1
xmalloc.c 2
fatal.c 1
log.c 2
match.c 2
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
cleanup.c 1
openbsd-compat/freezero.c 1

Fuzzer: agent_fuzz

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1155 64.5%
gold [1:9] 41 2.29%
yellow [10:29] 67 3.74%
greenyellow [30:49] 17 0.94%
lawngreen 50+ 510 28.4%
All colors 1790 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
3671 5572 17 :

['agent_decode_alg', 'lookup_identity', 'read_passphrase', 'sshbuf_len', 'sshkey_fingerprint', 'sshkey_sign', 'sshkey_type', 'buf_equal', 'sshkey_equal', 'notify_start', 'sshbuf_ptr', 'parse_userauth_request', 'identity_permitted', 'strncmp', 'check_websafe_message_contents', 'confirm_key', 'sshkey_is_sk']

4321 10792 process_sign_request2 call site: 00813 /src/hpn-ssh/regress/misc/fuzz-harness/../../../ssh-agent.c:855
2025 2797 14 :

['lookup_identity', 'sshkey_equal_public', '__errno_location', 'realpath', 'sshkey_is_cert', 'monotime', 'xstrdup', 'pkcs11_add_provider', 'pkcs11_make_cert', 'socket_is_remote', 'match_pattern_list', 'dump_dest_constraints', 'strerror', 'add_p11_identity']

2025 4440 process_add_smartcard_key call site: 01447 /src/hpn-ssh/regress/misc/fuzz-harness/../../../ssh-agent.c:1576
1578 3222 6 :

['sshlog', 'free', 'permitted_by_dest_constraints', 'sshkey_fingerprint', 'sshfatal', 'sshkey_type']

1578 3222 identity_permitted call site: 00916 /src/hpn-ssh/regress/misc/fuzz-harness/../../../ssh-agent.c:483
763 763 3 :

['free', 'process_ext_session_bind', 'strcmp']

763 1267 process_extension call site: 01742 /src/hpn-ssh/regress/misc/fuzz-harness/../../../ssh-agent.c:1776
747 747 1 :

['parse_dest_constraint']

747 2111 parse_key_constraint_extension call site: 01340 /src/hpn-ssh/regress/misc/fuzz-harness/../../../ssh-agent.c:1207
428 428 1 :

['sshkey_parse_private_pem_fileblob']

428 428 sshkey_parse_private_fileblob_type call site: 00561 /src/hpn-ssh/sshkey.c:3596
344 344 6 :

['kill', '__errno_location', 'ssh_signal', 'waitpid', 'sshfatal', 'strerror']

344 344 notify_complete call site: 01237 /src/hpn-ssh/readpass.c:319
286 286 2 :

['chachapoly_new_mt', 'chachapoly_new']

288 293 cipher_init call site: 00304 /src/hpn-ssh/cipher.c:345
268 268 2 :

['chachapoly_crypt_mt', 'chachapoly_crypt']

268 268 cipher_crypt call site: 00465 /src/hpn-ssh/cipher.c:480
202 202 2 :

['chachapoly_free', 'chachapoly_free_mt']

206 211 cipher_free call site: 00515 /src/hpn-ssh/cipher.c:570
202 202 1 :

['cert_compare']

202 221 sshkey_equal call site: 00548 /src/hpn-ssh/sshkey.c:721
164 164 1 :

['_getentropy_fail']

168 229 _rs_stir call site: 00279 /src/hpn-ssh/openbsd-compat/arc4random.c:116

Runtime coverage analysis

Covered functions
266
Functions that are reachable but not covered
335
Reachable functions
510
Percentage of reachable functions covered
34.31%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/agent_fuzz.cc 1
regress/misc/fuzz-harness/agent_fuzz_helper.c 10
log.c 5
match.c 2
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
xmalloc.c 6
fatal.c 1
regress/misc/fuzz-harness/../../../ssh-agent.c 40
ssh-pkcs11.c 30
sshkey.c 68
sshbuf.c 14
misc.c 6
openbsd-compat/freezero.c 1
sshbuf-getput-basic.c 17
openbsd-compat/recallocarray.c 1
sshbuf-misc.c 2
openbsd-compat/base64.c 2
cipher.c 8
openbsd-compat/bcrypt_pbkdf.c 2
hash.c 1
openbsd-compat/blowfish.c 6
openbsd-compat/arc4random.c 6
openbsd-compat/./arc4random.h 3
openbsd-compat/bsd-getentropy.c 1
openbsd-compat/./chacha_private.h 3
cipher-chachapoly-libcrypto-mt.c 10
cipher-chachapoly-libcrypto.c 3
cipher-ctr-mt.c 7
openbsd-compat/timingsafe_bcmp.c 1
poly1305.c 1
ssherr.c 1
digest-openssl.c 4
openbsd-compat/strlcat.c 1
readpass.c 6
openbsd-compat/readpassphrase.c 1
openbsd-compat/bsd-closefrom.c 2
ssh-sk.c 8
sshkey-xmss.c 1

Fuzzer: sshsig_fuzz

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 71 26.5%
gold [1:9] 3 1.12%
yellow [10:29] 1 0.37%
greenyellow [30:49] 8 2.99%
lawngreen 50+ 184 68.9%
All colors 267 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
166 166 1 :

['xstrdup']

166 166 tohex call site: 00118 /src/hpn-ssh/misc.c:1548
162 162 1 :

['sshfatal']

162 162 xcalloc call site: 00130 /src/hpn-ssh/xmalloc.c:56
122 158 5 :

['strlcpy', 'getpid', 'do_log', 'strrchr', 'match_pattern_list']

122 158 sshlogv call site: 00023 /src/hpn-ssh/log.c:481
82 242 4 :

['sshkey_xmss_params', 'sshlog', 'malloc', 'xmss_sign_open']

82 455 ssh_xmss_verify call site: 00000 /src/hpn-ssh/ssh-xmss.c:314
50 50 3 :

['EC_KEY_get0_public_key', 'EC_KEY_get0_group', 'sshkey_ec_validate_public']

52 52 ssh_ecdsa_deserialize_public call site: 00000 /src/hpn-ssh/ssh-ecdsa.c:177
13 13 1 :

['rsa_hash_id_from_keyname']

21 703 ssh_rsa_verify call site: 00000 /src/hpn-ssh/ssh-rsa.c:508
6 6 3 :

['exit', 'openlog', 'closelog']

6 6 log_init call site: 00008 /src/hpn-ssh/log.c:220
2 217 2 :

['EC_KEY_set_public_key', 'sshbuf_get_string_direct']

6 221 sshbuf_get_eckey call site: 00000 /src/hpn-ssh/sshbuf-getput-crypto.c:110
2 2 1 :

['strlen']

2 2 strlcat call site: 00133 /src/hpn-ssh/openbsd-compat/strlcat.c:48
2 2 1 :

['BN_clear_free']

2 2 sshbuf_get_bignum2 call site: 00000 /src/hpn-ssh/sshbuf-getput-crypto.c:48
0 233 1 :

['sshkey_deserialize_sk']

0 233 ssh_ecdsa_sk_deserialize_public call site: 00000 /src/hpn-ssh/ssh-ecdsa-sk.c:133
0 229 2 :

['sshlog', 'ssh_err']

2 434 hash_buffer call site: 00143 /src/hpn-ssh/sshsig.c:428

Runtime coverage analysis

Covered functions
158
Functions that are reachable but not covered
38
Reachable functions
109
Percentage of reachable functions covered
65.14%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/sshsig_fuzz.cc 1
sshbuf.c 13
log.c 5
sshsig.c 6
misc.c 2
match.c 2
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
openbsd-compat/freezero.c 1
sshbuf-misc.c 1
openbsd-compat/timingsafe_bcmp.c 1
sshbuf-getput-basic.c 10
ssherr.c 1
digest-openssl.c 5
xmalloc.c 3
fatal.c 1
cleanup.c 1
openbsd-compat/strlcat.c 1
openbsd-compat/recallocarray.c 1
sshkey.c 17

Fuzzer: kex_fuzz

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 888 55.3%
gold [1:9] 177 11.0%
yellow [10:29] 2 0.12%
greenyellow [30:49] 16 0.99%
lawngreen 50+ 520 32.4%
All colors 1603 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1637 4037 9 :

['ssh_packet_send2_wrapped', 'sshlog', 'memset', 'sshbuf_len', 'kex_start_rekex', 'monotime', 'sshbuf_free', 'free', 'ssh_packet_need_rekeying']

1637 4037 ssh_packet_send2 call site: 00929 /src/hpn-ssh/packet.c:1378
1461 1461 1 :

['ssh_packet_disconnect']

2314 2845 ssh_packet_send2_wrapped call site: 01073 /src/hpn-ssh/packet.c:1287
1461 1461 1 :

['ssh_packet_disconnect']

2054 5332 kex_choose_conf call site: 01289 /src/hpn-ssh/kex.c:1286
1461 1461 1 :

['ssh_packet_disconnect']

1912 8733 ssh_packet_read_poll2 call site: 01528 /src/hpn-ssh/packet.c:1698
790 790 4 :

['get_peer_port', 'get_peer_ipaddr', 'get_local_port', 'get_local_ipaddr']

790 790 ssh_remote_ipaddr call site: 00755 /src/hpn-ssh/packet.c:548
657 657 1 :

['ssh_set_newkeys']

657 657 ssh_packet_send2_wrapped call site: 01151 /src/hpn-ssh/packet.c:1306
604 920 4 :

['free', 'sshlog', 'sshfatal', 'match_filter_denylist']

604 920 compat_kex_proposal call site: 00813 /src/hpn-ssh/compat.c:176
593 2930 16 :

['sshlog', 'match_list', 'cipher_by_name', 'ssh_remote_ipaddr', 'xstrdup', 'free', 'choose_comp', 'cipher_authlen', 'cipher_seclen', 'choose_mac', 'choose_enc', 'proposals_match', 'calloc', 'ssh_remote_port', 'sshfatal', 'strcmp']

593 2938 kex_choose_conf call site: 01334 /src/hpn-ssh/kex.c:1369
548 755 7 :

['ssh_packet_have_data_to_write', 'ppoll', '__errno_location', 'monotime_tv', 'ms_to_timespec', 'ssh_packet_write_poll', 'ms_subtract_diff']

548 755 ssh_packet_write_wait call site: 01127 /src/hpn-ssh/packet.c:2142
469 847 2 :

['sshbuf_len', 'ssh_packet_stop_discard']

469 847 ssh_packet_start_discard call site: 01497 /src/hpn-ssh/packet.c:439
428 428 1 :

['sshkey_parse_private_pem_fileblob']

428 428 sshkey_parse_private_fileblob_type call site: 00531 /src/hpn-ssh/sshkey.c:3596
354 356 8 :

['EVP_CipherInit', 'EVP_CIPHER_CTX_ctrl', 'evp_aes_ctr_mt', 'strstr', 'EVP_CIPHER_CTX_set_key_length', 'EVP_CIPHER_CTX_new', 'cipher_authlen', 'EVP_CIPHER_CTX_key_length']

356 363 cipher_init call site: 00323 /src/hpn-ssh/cipher.c:361

Runtime coverage analysis

Covered functions
230
Functions that are reachable but not covered
312
Reachable functions
524
Percentage of reachable functions covered
40.46%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/kex_fuzz.cc 11
log.c 6
xmalloc.c 5
fatal.c 1
match.c 5
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
cleanup.c 1
sshbuf.c 18
sshkey.c 42
misc.c 11
sshbuf-getput-basic.c 15
openbsd-compat/recallocarray.c 1
sshbuf-misc.c 2
openbsd-compat/base64.c 1
openbsd-compat/freezero.c 1
cipher.c 14
openbsd-compat/bcrypt_pbkdf.c 2
hash.c 1
openbsd-compat/blowfish.c 6
openbsd-compat/arc4random.c 6
openbsd-compat/./arc4random.h 3
openbsd-compat/bsd-getentropy.c 1
openbsd-compat/./chacha_private.h 3
cipher-chachapoly-libcrypto-mt.c 11
cipher-chachapoly-libcrypto.c 4
cipher-ctr-mt.c 7
openbsd-compat/timingsafe_bcmp.c 1
poly1305.c 1
ssherr.c 1
ssh_api.c 11
entropy.c 1
openbsd-compat/openssl-compat.c 2
packet.c 50
kex.c 26
mac.c 6
umac.c 27
./umac.c 27
hmac.c 6
digest-openssl.c 9
canohost.c 7
openbsd-compat/strlcat.c 1
compat.c 2
dispatch.c 2
openbsd-compat/fmt_scaled.c 1

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination, yield a high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
sshkey_check_revoked /src/hpn-ssh/authfile.c 2 ['N/A', 'N/A'] 22 0 58 9 2 179 0 1405 650
kex_gen_client /src/hpn-ssh/kexgen.c 1 ['N/A'] 27 0 134 24 5 516 0 2553 583
ssh_xmss_sign /src/hpn-ssh/ssh-xmss.c 9 ['N/A', 'N/A', 'N/A', 'N/A', 'size_t', 'N/A', 'N/A', 'N/A', 'int'] 15 0 375 67 27 215 0 1138 339
xxxmain /src/hpn-ssh/regress/misc/fuzz-harness/../../../ssh-agent.c 2 ['int', 'N/A'] 19 0 848 142 33 505 0 2798 297
kexgex_server /src/hpn-ssh/kexgexs.c 1 ['N/A'] 28 0 17 3 2 441 0 2288 174
ssh_sk_sign /src/hpn-ssh/regress/misc/sk-dummy/sk-dummy.c 10 ['int', 'N/A', 'size_t', 'N/A', 'N/A', 'size_t', 'char', 'N/A', 'N/A', 'N/A'] 7 0 180 22 7 63 0 199 162
sshauthopt_from_cert /src/hpn-ssh/auth-options.c 1 ['N/A'] 7 0 108 19 9 73 0 490 129
sshkey_save_private /src/hpn-ssh/authfile.c 7 ['N/A', 'N/A', 'N/A', 'N/A', 'int', 'N/A', 'int'] 22 0 86 11 5 257 0 1351 127
ssh_krl_to_blob /src/hpn-ssh/krl.c 2 ['N/A', 'N/A'] 17 0 412 78 30 79 0 492 96
sshsig_find_principals /src/hpn-ssh/sshsig.c 4 ['N/A', 'N/A', 'size_t', 'N/A'] 13 0 143 16 7 124 0 868 84

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers
64.0%
847 / 1318
Cyclomatic complexity statically reachable by fuzzers
67.0%
6354 / 9452

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzz engine guidance

This sections provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

regress/misc/fuzz-harness/sshsigopt_fuzz.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


regress/misc/fuzz-harness/pubkey_fuzz.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['sshlog', 'sshbuf_fromb', 'sshbuf_set_parent', 'cert_new', 'sshkey_free']

regress/misc/fuzz-harness/privkey_fuzz.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['sshlog', 'sshbuf_ptr', 'sshkey_private_deserialize', 'sshbuf_set_parent', 'sshbuf_fromb', 'cert_new', 'sshkey_free']

regress/misc/fuzz-harness/sig_fuzz.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['sshlog', 'freezero', 'sshkey_is_cert', 'sshbuf_free']

regress/misc/fuzz-harness/authopt_fuzz.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['sshauthopt_parse', 'recallocarray', 'sshauthopt_merge', 'a2port', 'dup_strings']

regress/misc/fuzz-harness/agent_fuzz.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['process_add_smartcard_key', 'identity_permitted', 'cipher_init', 'sshkey_unshield_private', 'private2_decrypt', 'parse_key_constraint_extension', 'sshkey_fingerprint', 'sshkey_verify', 'sshkey_parse_private_fileblob_type']

regress/misc/fuzz-harness/sshsig_fuzz.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['match_pattern_list', 'hash_buffer', 'log_init', 'sshbuf_fromb', 'sshlog', 'ssh_digest_memory', 'tohex', 'sshbuf_allocate', 'sshbuf_put_stringb', 'sshsig_wrap_verify']

regress/misc/fuzz-harness/kex_fuzz.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['cipher_init', 'ssh_digest_bytes', 'ssh_packet_send2_wrapped', 'private2_decrypt', 'sshbuf_get_string', 'ssh_remote_ipaddr', 'ssh_packet_close_internal', 'choose_comp', 'sshkey_parse_private_fileblob_type', 'ssh_packet_next']

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
[] []
/src/hpn-ssh/platform-misc.c [] []
/src/hpn-ssh/openbsd-compat/readpassphrase.c ['agent_fuzz'] []
/src/hpn-ssh/hash.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz']
/src/hpn-ssh/openbsd-compat/arc4random.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/utf8.c [] []
/src/hpn-ssh/sntrup761.c [] []
/src/hpn-ssh/kexgexc.c [] []
/src/hpn-ssh/digest-openssl.c ['agent_fuzz', 'sshsig_fuzz', 'kex_fuzz'] ['agent_fuzz', 'sshsig_fuzz', 'kex_fuzz']
/src/hpn-ssh/sshbuf.c ['pubkey_fuzz', 'privkey_fuzz', 'sig_fuzz', 'agent_fuzz', 'sshsig_fuzz', 'kex_fuzz'] ['pubkey_fuzz', 'privkey_fuzz', 'sig_fuzz', 'agent_fuzz', 'sshsig_fuzz', 'kex_fuzz']
/src/hpn-ssh/openbsd-compat/freezero.c ['pubkey_fuzz', 'privkey_fuzz', 'sig_fuzz', 'authopt_fuzz', 'agent_fuzz', 'sshsig_fuzz', 'kex_fuzz'] ['pubkey_fuzz', 'privkey_fuzz', 'sig_fuzz', 'authopt_fuzz', 'agent_fuzz', 'sshsig_fuzz', 'kex_fuzz']
/src/hpn-ssh/umac.c ['kex_fuzz'] []
/src/hpn-ssh/sshkey.c ['pubkey_fuzz', 'privkey_fuzz', 'sig_fuzz', 'agent_fuzz', 'sshsig_fuzz', 'kex_fuzz'] ['pubkey_fuzz', 'privkey_fuzz', 'sig_fuzz', 'agent_fuzz', 'sshsig_fuzz', 'kex_fuzz']
/src/hpn-ssh/regress/misc/fuzz-harness/../../../ssh-agent.c ['agent_fuzz'] []
/src/hpn-ssh/xmalloc.c ['authopt_fuzz', 'agent_fuzz', 'sshsig_fuzz', 'kex_fuzz'] ['agent_fuzz', 'sshsig_fuzz', 'kex_fuzz']
/src/hpn-ssh/addrmatch.c [] []
/src/hpn-ssh/sshbuf-misc.c ['agent_fuzz', 'sshsig_fuzz', 'kex_fuzz'] ['agent_fuzz', 'sshsig_fuzz', 'kex_fuzz']
/src/hpn-ssh/regress/misc/fuzz-harness/kex_fuzz.cc ['kex_fuzz'] ['kex_fuzz']
/src/hpn-ssh/xmss_wots.c [] []
/src/hpn-ssh/openbsd-compat/./arc4random.h ['agent_fuzz', 'kex_fuzz'] []
/src/hpn-ssh/xmss_fast.c [] []
/src/hpn-ssh/openbsd-compat/vis.c ['pubkey_fuzz', 'privkey_fuzz', 'sig_fuzz', 'authopt_fuzz', 'agent_fuzz', 'sshsig_fuzz', 'kex_fuzz'] ['agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/regress/misc/fuzz-harness/authopt_fuzz.cc ['authopt_fuzz'] ['authopt_fuzz']
/src/hpn-ssh/openbsd-compat/bcrypt_pbkdf.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz']
/src/hpn-ssh/openbsd-compat/bsd-misc.c [] []
/src/hpn-ssh/kexgen.c [] []
/src/hpn-ssh/atomicio.c [] []
/src/hpn-ssh/addr.c [] []
/src/hpn-ssh/sshsig.c ['sshsigopt_fuzz', 'sshsig_fuzz'] ['sshsigopt_fuzz', 'sshsig_fuzz']
/src/hpn-ssh/sshbuf-getput-crypto.c [] []
/src/hpn-ssh/ssh-sk.c ['agent_fuzz'] []
/src/hpn-ssh/ssh-ecdsa-sk.c [] []
/src/hpn-ssh/./umac.c ['kex_fuzz'] []
/src/hpn-ssh/kexgexs.c [] []
/src/hpn-ssh/cipher-chachapoly-libcrypto-mt.c ['agent_fuzz', 'kex_fuzz'] []
/src/hpn-ssh/cipher.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/cleanup.c ['authopt_fuzz', 'sshsig_fuzz', 'kex_fuzz'] []
/src/hpn-ssh/mac.c ['kex_fuzz'] ['kex_fuzz']
/src/hpn-ssh/ed25519.c [] []
/src/hpn-ssh/sshkey-xmss.c ['agent_fuzz'] []
/src/hpn-ssh/sshbuf-io.c [] []
/src/hpn-ssh/misc.c ['sshsigopt_fuzz', 'pubkey_fuzz', 'privkey_fuzz', 'sig_fuzz', 'authopt_fuzz', 'agent_fuzz', 'sshsig_fuzz', 'kex_fuzz'] ['sshsigopt_fuzz', 'authopt_fuzz', 'agent_fuzz', 'sshsig_fuzz']
/src/hpn-ssh/dh.c [] []
/src/hpn-ssh/kex.c ['kex_fuzz'] ['kex_fuzz']
/src/hpn-ssh/hmac.c ['kex_fuzz'] ['kex_fuzz']
/src/hpn-ssh/ssh-pkcs11.c ['agent_fuzz'] []
/src/hpn-ssh/authfile.c [] []
/src/hpn-ssh/regress/misc/fuzz-harness/privkey_fuzz.cc ['privkey_fuzz'] ['privkey_fuzz']
/src/hpn-ssh/regress/misc/fuzz-harness/agent_fuzz_helper.c ['agent_fuzz'] ['agent_fuzz']
/src/hpn-ssh/openbsd-compat/strlcat.c ['agent_fuzz', 'sshsig_fuzz', 'kex_fuzz'] ['agent_fuzz', 'sshsig_fuzz', 'kex_fuzz']
/src/hpn-ssh/regress/misc/fuzz-harness/pubkey_fuzz.cc ['pubkey_fuzz'] ['pubkey_fuzz']
/src/hpn-ssh/xmss_hash.c [] []
/src/hpn-ssh/ssh_api.c ['kex_fuzz'] ['kex_fuzz']
/src/hpn-ssh/canohost.c ['kex_fuzz'] []
/src/hpn-ssh/ssh-ed25519-sk.c [] []
/src/hpn-ssh/openbsd-compat/./chacha_private.h ['agent_fuzz', 'kex_fuzz'] []
/src/hpn-ssh/openbsd-compat/strlcpy.c ['pubkey_fuzz', 'privkey_fuzz', 'sig_fuzz', 'authopt_fuzz', 'agent_fuzz', 'sshsig_fuzz', 'kex_fuzz'] ['agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/xmss_hash_address.c [] []
/src/hpn-ssh/regress/misc/fuzz-harness/agent_fuzz.cc ['agent_fuzz'] ['agent_fuzz']
/src/hpn-ssh/openbsd-compat/bsd-getpeereid.c [] []
/src/hpn-ssh/match.c ['pubkey_fuzz', 'privkey_fuzz', 'sig_fuzz', 'authopt_fuzz', 'agent_fuzz', 'sshsig_fuzz', 'kex_fuzz'] ['sshsig_fuzz', 'kex_fuzz']
/src/hpn-ssh/sshbuf-getput-basic.c ['pubkey_fuzz', 'privkey_fuzz', 'agent_fuzz', 'sshsig_fuzz', 'kex_fuzz'] ['pubkey_fuzz', 'privkey_fuzz', 'agent_fuzz', 'sshsig_fuzz', 'kex_fuzz']
/src/hpn-ssh/ssh-rsa.c [] []
/src/hpn-ssh/kexc25519.c [] []
/src/hpn-ssh/openbsd-compat/timingsafe_bcmp.c ['agent_fuzz', 'sshsig_fuzz', 'kex_fuzz'] ['agent_fuzz', 'sshsig_fuzz']
/src/hpn-ssh/ssh-xmss.c [] []
/src/hpn-ssh/ssh-ecdsa.c [] []
/src/hpn-ssh/poly1305.c ['agent_fuzz', 'kex_fuzz'] []
/src/hpn-ssh/regress/misc/fuzz-harness/sig_fuzz.cc ['sig_fuzz'] ['sig_fuzz']
/src/hpn-ssh/kexgex.c [] []
/src/hpn-ssh/regress/misc/fuzz-harness/ssh-sk-null.cc [] []
/src/hpn-ssh/openbsd-compat/bsd-getentropy.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/log.c ['pubkey_fuzz', 'privkey_fuzz', 'sig_fuzz', 'authopt_fuzz', 'agent_fuzz', 'sshsig_fuzz', 'kex_fuzz'] ['pubkey_fuzz', 'privkey_fuzz', 'sig_fuzz', 'agent_fuzz', 'sshsig_fuzz', 'kex_fuzz']
/src/hpn-ssh/ssh-ed25519.c [] []
/src/hpn-ssh/platform-tracing.c [] []
/src/hpn-ssh/packet.c ['kex_fuzz'] ['kex_fuzz']
/src/hpn-ssh/platform-pledge.c [] []
/src/hpn-ssh/kexecdh.c [] []
/src/hpn-ssh/openbsd-compat/libressl-api-compat.c [] []
/src/hpn-ssh/openbsd-compat/openssl-compat.c ['kex_fuzz'] ['kex_fuzz']
/src/hpn-ssh/compat.c ['kex_fuzz'] ['kex_fuzz']
/src/hpn-ssh/cipher-chachapoly-libcrypto.c ['agent_fuzz', 'kex_fuzz'] []
/src/hpn-ssh/openbsd-compat/base64.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/kexsntrup761x25519.c [] []
/src/hpn-ssh/readpass.c ['agent_fuzz'] ['agent_fuzz']
/src/hpn-ssh/bitmap.c [] []
/src/hpn-ssh/openbsd-compat/strtonum.c ['authopt_fuzz'] ['authopt_fuzz']
/src/hpn-ssh/fatal.c ['authopt_fuzz', 'agent_fuzz', 'sshsig_fuzz', 'kex_fuzz'] []
/src/hpn-ssh/regress/misc/fuzz-harness/sshsig_fuzz.cc ['sshsig_fuzz'] ['sshsig_fuzz']
/src/hpn-ssh/openbsd-compat/port-net.c [] []
/src/hpn-ssh/openbsd-compat/recallocarray.c ['authopt_fuzz', 'agent_fuzz', 'sshsig_fuzz', 'kex_fuzz'] ['authopt_fuzz', 'agent_fuzz', 'sshsig_fuzz', 'kex_fuzz']
/src/hpn-ssh/openbsd-compat/getopt_long.c [] []
/src/hpn-ssh/ssh-dss.c [] []
/src/hpn-ssh/entropy.c ['kex_fuzz'] ['kex_fuzz']
/src/hpn-ssh/krl.c [] []
/src/hpn-ssh/auth-options.c ['authopt_fuzz'] ['authopt_fuzz']
/src/hpn-ssh/openbsd-compat/fmt_scaled.c ['kex_fuzz'] []
/src/hpn-ssh/ssherr.c ['sig_fuzz', 'agent_fuzz', 'sshsig_fuzz', 'kex_fuzz'] ['agent_fuzz', 'sshsig_fuzz', 'kex_fuzz']
/src/hpn-ssh/smult_curve25519_ref.c [] []
/src/hpn-ssh/openbsd-compat/bsd-closefrom.c ['agent_fuzz'] []
/src/hpn-ssh/regress/misc/sk-dummy/sk-dummy.c [] []
/src/hpn-ssh/openbsd-compat/arc4random_uniform.c [] []
/src/hpn-ssh/cipher-ctr-mt.c ['agent_fuzz', 'kex_fuzz'] []
/src/hpn-ssh/kexdh.c [] []
/src/hpn-ssh/dispatch.c ['kex_fuzz'] ['kex_fuzz']
/src/hpn-ssh/regress/misc/fuzz-harness/sshsigopt_fuzz.cc ['sshsigopt_fuzz'] ['sshsigopt_fuzz']
/src/hpn-ssh/openbsd-compat/blowfish.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz']
/src/hpn-ssh/xmss_commons.c [] []

Directories in report

Directory
/src/hpn-ssh/regress/misc/fuzz-harness/../../../
/src/hpn-ssh/regress/misc/sk-dummy/
/src/hpn-ssh/./
/src/hpn-ssh/openbsd-compat/
/src/hpn-ssh/regress/misc/fuzz-harness/
/src/hpn-ssh/
/src/hpn-ssh/openbsd-compat/./