Fuzz introspector: pubkey_fuzz
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

| Unique non-covered Complexity | Unique Reachable Complexities | Unique Reachable Functions | All non-covered Complexity | All Reachable Complexity | Function Name | Function Callsite | Blocked Branch |
|---|---|---|---|---|---|---|---|
| 158 | 158 | 5: ['do_log', 'match_pattern_list', 'getpid', 'strlcpy', 'strrchr'] | 158 | 158 | sshlogv | call site: 00015 | /src/hpn-ssh/log.c:469 |
| 82 | 243 | 4: ['xmss_sign_open', 'malloc', 'sshkey_xmss_params', 'sshlog'] | 82 | 452 | ssh_xmss_verify | call site: 00000 | /src/hpn-ssh/ssh-xmss.c:314 |
| 49 | 49 | 5: ['EVP_PKEY_set1_EC_KEY', 'sshkey_ec_validate_public', 'EVP_PKEY_new', 'EC_KEY_get0_group', 'EC_KEY_get0_public_key'] | 55 | 55 | ssh_ecdsa_deserialize_public | call site: 00000 | /src/hpn-ssh/ssh-ecdsa.c:251 |
| 13 | 13 | 1: ['rsa_hash_id_from_keyname'] | 23 | 674 | ssh_rsa_verify | call site: 00000 | /src/hpn-ssh/ssh-rsa.c:504 |
| 2 | 219 | 2: ['EC_KEY_set_public_key', 'sshbuf_get_string_direct'] | 6 | 223 | sshbuf_get_eckey | call site: 00000 | /src/hpn-ssh/sshbuf-getput-crypto.c:110 |
| 2 | 2 | 1: ['BN_clear_free'] | 2 | 2 | sshbuf_get_bignum2 | call site: 00000 | /src/hpn-ssh/sshbuf-getput-crypto.c:48 |
| 2 | 2 | 1: ['explicit_bzero'] | 2 | 2 | sshkey_xmss_free_state | call site: 00000 | /src/hpn-ssh/sshkey-xmss.c:144 |
| 2 | 2 | 1: ['munmap'] | 2 | 2 | sshkey_prekey_free | call site: 00106 | /src/hpn-ssh/sshkey.c:781 |
| 0 | 235 | 1: ['sshkey_deserialize_sk'] | 0 | 235 | ssh_ecdsa_sk_deserialize_public | call site: 00000 | /src/hpn-ssh/ssh-ecdsa-sk.c:133 |
| 0 | 225 | 1: ['sshkey_free'] | 0 | 225 | sshkey_new | call site: 00087 | /src/hpn-ssh/sshkey.c:734 |
| 0 | 225 | 1: ['cert_free'] | 0 | 225 | cert_new | call site: 00089 | /src/hpn-ssh/sshkey.c:699 |
| 0 | 199 | 1: ['sshbuf_free'] | 0 | 199 | sshbuf_froms | call site: 00142 | /src/hpn-ssh/sshbuf-getput-basic.c:561 |

Fuzzer calltree

0 LLVMFuzzerTestOneInput [function] [call site] 00000
1 sshkey_from_blob [function] [call site] 00001
2 sshbuf_from [function] [call site] 00002
3 calloc [call site] 00003
2 sshkey_from_blob_internal [function] [call site] 00004
3 sshbuf_fromb [function] [call site] 00005
4 sshbuf_check_sanity [function] [call site] 00006
5 ssh_signal [function] [call site] 00007
6 memset [call site] 00008
6 sigfillset [call site] 00009
6 sigaction [call site] 00010
6 strsignal [call site] 00011
6 __errno_location [call site] 00012
6 strerror [call site] 00013
6 sshlog [function] [call site] 00014
7 sshlogv [function] [call site] 00015
8 strrchr [call site] 00016
8 getpid [call site] 00017
8 snprintf [call site] 00018
8 match_pattern_list [function] [call site] 00019
9 strlen [call site] 00020
9 __ctype_b_loc [call site] 00021
9 tolower [call site] 00022
9 match_pattern [function] [call site] 00023
10 match_pattern [function] [call site] 00024
11 match_pattern [function] [call site] 00025
8 snprintf [call site] 00026
8 snprintf [call site] 00027
8 do_log [function] [call site] 00029
9 __errno_location [call site] 00030
9 snprintf [call site] 00031
9 vsnprintf [call site] 00032
9 vsnprintf [call site] 00033
9 snprintf [call site] 00034
9 strnvis [function] [call site] 00036
10 __ctype_b_loc [call site] 00037
10 vis [function] [call site] 00038
11 __ctype_b_loc [call site] 00039
11 __ctype_b_loc [call site] 00040
9 snprintf [call site] 00042
9 strlen [call site] 00043
9 write [call site] 00044
9 openlog [call site] 00045
9 syslog [call site] 00046
9 closelog [call site] 00047
9 __errno_location [call site] 00048
5 raise [call site] 00049
4 sshbuf_ptr [function] [call site] 00050
5 sshbuf_check_sanity [function] [call site] 00051
4 sshbuf_len [function] [call site] 00052
5 sshbuf_check_sanity [function] [call site] 00053
4 sshbuf_from [function] [call site] 00054
4 sshbuf_set_parent [function] [call site] 00055
5 sshbuf_check_sanity [function] [call site] 00056
5 sshbuf_check_sanity [function] [call site] 00057
4 sshbuf_free [function] [call site] 00058
5 sshbuf_check_sanity [function] [call site] 00059
5 sshbuf_free [function] [call site] 00060
6 freezero [function] [call site] 00061
7 explicit_bzero [call site] 00062
3 sshbuf_get_cstring [function] [call site] 00064
4 sshbuf_peek_string_direct [function] [call site] 00065
5 sshbuf_ptr [function] [call site] 00066
5 sshbuf_len [function] [call site] 00067
5 sshbuf_len [function] [call site] 00068
4 memchr [call site] 00069
4 sshbuf_get_string_direct [function] [call site] 00070
5 sshbuf_peek_string_direct [function] [call site] 00071
5 sshbuf_consume [function] [call site] 00072
6 sshbuf_check_sanity [function] [call site] 00073
6 sshbuf_len [function] [call site] 00074
3 sshkey_type_from_name [function] [call site] 00075
4 type_from_name [function] [call site] 00076
5 strcmp [call site] 00077
5 strcasecmp [call site] 00078
3 sshkey_type_is_cert [function] [call site] 00079
4 sshkey_impl_from_type [function] [call site] 00080
3 sshkey_impl_from_type [function] [call site] 00081
3 sshkey_new [function] [call site] 00082
4 sshkey_impl_from_type [function] [call site] 00083
4 calloc [call site] 00084
4 sshkey_is_cert [function] [call site] 00085
5 sshkey_type_is_cert [function] [call site] 00086
4 cert_new [function] [call site] 00087
5 calloc [call site] 00088
5 sshbuf_new_label [function] [call site] 00089
6 calloc [call site] 00090
6 strncpy [call site] 00091
6 calloc [call site] 00092
5 sshbuf_new_label [function] [call site] 00093
5 sshbuf_new_label [function] [call site] 00094
5 cert_free [function] [call site] 00095
6 sshbuf_free [function] [call site] 00096
6 sshbuf_free [function] [call site] 00097
6 sshbuf_free [function] [call site] 00098
6 sshkey_free [function] [call site] 00099
7 sshkey_free_contents [function] [call site] 00100
8 sshkey_impl_from_type [function] [call site] 00101
8 sshkey_is_cert [function] [call site] 00102
8 sshkey_prekey_free [function] [call site] 00106
9 munmap [call site] 00107
4 sshkey_free [function] [call site] 00109
3 sshkey_type_is_cert [function] [call site] 00110
3 sshbuf_get_string_direct [function] [call site] 00111
3 sshkey_is_cert [function] [call site] 00112
3 cert_parse [function] [call site] 00113
4 sshbuf_putb [function] [call site] 00114
5 sshbuf_ptr [function] [call site] 00115
5 sshbuf_len [function] [call site] 00116
5 sshbuf_put [function] [call site] 00117
6 sshbuf_reserve [function] [call site] 00118
7 sshbuf_allocate [function] [call site] 00119
8 sshbuf_check_reserve [function] [call site] 00120
9 sshbuf_check_sanity [function] [call site] 00121
8 sshbuf_maybe_pack [function] [call site] 00122
8 recallocarray [function] [call site] 00123
9 calloc [call site] 00124
9 __errno_location [call site] 00125
9 __errno_location [call site] 00126
9 getpagesize [call site] 00127
9 memset [call site] 00128
9 memset [call site] 00129
9 explicit_bzero [call site] 00130
8 sshbuf_check_reserve [function] [call site] 00131
4 sshbuf_get_u64 [function] [call site] 00132
5 sshbuf_ptr [function] [call site] 00133
5 sshbuf_consume [function] [call site] 00134
4 sshbuf_get_u32 [function] [call site] 00135
5 sshbuf_ptr [function] [call site] 00136
5 sshbuf_consume [function] [call site] 00137
4 sshbuf_get_cstring [function] [call site] 00138
4 sshbuf_froms [function] [call site] 00139
5 sshbuf_peek_string_direct [function] [call site] 00140
5 sshbuf_from [function] [call site] 00141
5 sshbuf_consume [function] [call site] 00142
5 sshbuf_set_parent [function] [call site] 00143
5 sshbuf_free [function] [call site] 00144
4 sshbuf_get_u64 [function] [call site] 00145
4 sshbuf_get_u64 [function] [call site] 00146
4 sshbuf_froms [function] [call site] 00147
4 sshbuf_froms [function] [call site] 00148
4 sshbuf_get_string_direct [function] [call site] 00149
4 sshbuf_froms [function] [call site] 00150
4 sshbuf_len [function] [call site] 00151
4 sshbuf_get_string [function] [call site] 00152
5 sshbuf_get_string_direct [function] [call site] 00153
4 sshbuf_len [function] [call site] 00154
4 sshbuf_get_cstring [function] [call site] 00155
4 recallocarray [function] [call site] 00156
4 sshbuf_putb [function] [call site] 00157
4 sshbuf_putb [function] [call site] 00158
4 sshbuf_len [function] [call site] 00159
4 sshbuf_get_string_direct [function] [call site] 00160
4 sshbuf_get_string_direct [function] [call site] 00161
4 sshbuf_reset [function] [call site] 00162
5 sshbuf_check_sanity [function] [call site] 00163
5 recallocarray [function] [call site] 00164
5 explicit_bzero [call site] 00165
4 sshbuf_len [function] [call site] 00166
4 sshbuf_get_string_direct [function] [call site] 00167
4 sshbuf_get_string_direct [function] [call site] 00168
4 sshbuf_reset [function] [call site] 00169
4 sshkey_from_blob_internal [function] [call site] 00170
5 sshbuf_len [function] [call site] 00171
5 sshbuf_free [function] [call site] 00172
5 sshkey_free [function] [call site] 00173
4 sshkey_type_is_valid_ca [function] [call site] 00174
5 sshkey_impl_from_type [function] [call site] 00175
4 sshbuf_ptr [function] [call site] 00176
4 sshkey_verify [function] [call site] 00177
5 sshkey_impl_from_key [function] [call site] 00178
6 sshkey_impl_from_type_nid [function] [call site] 00179
4 sshkey_get_sigtype [function] [call site] 00180
5 sshbuf_from [function] [call site] 00181
5 sshbuf_get_cstring [function] [call site] 00182
5 sshbuf_free [function] [call site] 00183
4 sshbuf_free [function] [call site] 00184
4 sshbuf_free [function] [call site] 00185
4 sshbuf_free [function] [call site] 00186
4 sshbuf_free [function] [call site] 00187
2 sshbuf_free [function] [call site] 00188
1 sshkey_free [function] [call site] 00189