Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of the columns in the table below, please see the Glossary.

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzzer details

Fuzzer: authopt_fuzz

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 57 36.7%
gold [1:9] 3 1.93%
yellow [10:29] 0 0.0%
greenyellow [30:49] 2 1.29%
lawngreen 50+ 93 60.0%
All colors 155 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
45 84 sshauthopt_parse call site: 00084 a2tun
4 50 recallocarray call site: 00050 __errno_location
3 145 sshauthopt_merge call site: 00145 dup_strings
2 149 sshauthopt_merge call site: 00149 sshauthopt_free
1 77 a2port call site: 00077 ntohs
1 141 dup_strings call site: 00141 dup_strings
1 143 sshauthopt_merge call site: 00143 dup_strings

Runtime coverage analysis

Covered functions: 19
Functions that are reachable but not covered: 42
Reachable functions: 61
Percentage of reachable functions covered: 31.15%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/authopt_fuzz.cc 1
auth-options.c 7
misc.c 8
openbsd-compat/recallocarray.c 1
openbsd-compat/strtonum.c 1
xmalloc.c 2
fatal.c 1
log.c 2
match.c 2
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
cleanup.c 1
openbsd-compat/freezero.c 1

Fuzzer: sshsigopt_fuzz

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 0 0.0%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 32 100.%
All colors 32 100

Runtime coverage analysis

Covered functions: 7
Functions that are reachable but not covered: 9
Reachable functions: 16
Percentage of reachable functions covered: 43.75%
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/sshsigopt_fuzz.cc 1
sshsig.c 2
misc.c 4

Fuzzer: pubkey_fuzz

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 51 26.8%
gold [1:9] 4 2.10%
yellow [10:29] 0 0.0%
greenyellow [30:49] 2 1.05%
lawngreen 50+ 133 70.0%
All colors 190 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
34 15 sshlog call site: 00015 do_log
8 6 sshbuf_fromb call site: 00006 ssh_signal
2 124 recallocarray call site: 00124 __errno_location
1 57 sshbuf_set_parent call site: 00057 sshbuf_free
1 77 type_from_name call site: 00077 strcasecmp
1 94 cert_new call site: 00094 cert_free
1 106 sshkey_free_contents call site: 00106 munmap
1 108 sshkey_free call site: 00108 sshkey_free
1 127 recallocarray call site: 00127 memset
1 143 sshbuf_froms call site: 00143 sshbuf_free

Runtime coverage analysis

Covered functions: 135
Functions that are reachable but not covered: 33
Reachable functions: 80
Percentage of reachable functions covered: 58.75%
Warning: The number of covered functions is larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/pubkey_fuzz.cc 1
sshkey.c 19
sshbuf.c 14
misc.c 1
log.c 3
match.c 2
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
openbsd-compat/freezero.c 1
sshbuf-getput-basic.c 9
openbsd-compat/recallocarray.c 1

Fuzzer: sshsig_fuzz

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 79 24.3%
gold [1:9] 3 0.92%
yellow [10:29] 3 0.92%
greenyellow [30:49] 6 1.85%
lawngreen 50+ 233 71.9%
All colors 324 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
26 33 match_pattern_list call site: 00033 do_log
8 16 sshbuf_fromb call site: 00016 ssh_signal
8 125 hash_buffer call site: 00125 xstrdup
6 6 log_init call site: 00006 fprintf
4 25 sshlog call site: 00025 match_pattern_list
2 101 sshsig_peek_hashalg call site: 00101 __errno_location
2 120 ssh_digest_memory call site: 00120 sshlog
2 134 tohex call site: 00134 sshfatal
2 157 recallocarray call site: 00157 __errno_location
2 164 sshbuf_allocate call site: 00164 sshlog
2 187 sshbuf_put_stringb call site: 00187 sshlog
2 301 sshsig_wrap_verify call site: 00301 sshlog

Runtime coverage analysis

Covered functions: 156
Functions that are reachable but not covered: 39
Reachable functions: 112
Percentage of reachable functions covered: 65.18%
Warning: The number of covered functions is larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/sshsig_fuzz.cc 1
sshbuf.c 14
log.c 5
sshsig.c 6
misc.c 2
match.c 2
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
openbsd-compat/freezero.c 1
sshbuf-misc.c 1
openbsd-compat/timingsafe_bcmp.c 1
sshbuf-getput-basic.c 12
ssherr.c 1
digest-openssl.c 5
xmalloc.c 3
fatal.c 1
cleanup.c 1
openbsd-compat/strlcat.c 1
openbsd-compat/recallocarray.c 1
sshkey.c 21

Fuzzer: privkey_fuzz

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 53 25.9%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 2 0.98%
lawngreen 50+ 149 73.0%
All colors 204 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
34 16 sshlog call site: 00016 do_log
8 7 sshbuf_ptr call site: 00007 ssh_signal
2 134 recallocarray call site: 00134 __errno_location
1 62 type_from_name call site: 00062 strcasecmp
1 73 sshbuf_set_parent call site: 00073 sshbuf_free
1 86 sshbuf_fromb call site: 00086 sshbuf_free
1 104 cert_new call site: 00104 cert_free
1 116 sshkey_free_contents call site: 00116 munmap
1 118 sshkey_free call site: 00118 sshkey_free
1 137 recallocarray call site: 00137 memset
1 193 sshkey_froms call site: 00193 sshkey_ecdsa_nid_from_name
1 198 sshkey_private_deserialize call site: 00198 strcmp

Runtime coverage analysis

Covered functions: 162
Functions that are reachable but not covered: 34
Reachable functions: 84
Percentage of reachable functions covered: 59.52%
Warning: The number of covered functions is larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/privkey_fuzz.cc 1
sshbuf.c 14
sshkey.c 22
sshbuf-getput-basic.c 9
misc.c 1
log.c 3
match.c 2
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
openbsd-compat/freezero.c 1
openbsd-compat/recallocarray.c 1

Fuzzer: sig_fuzz

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 74 60.1%
gold [1:9] 7 5.69%
yellow [10:29] 1 0.81%
greenyellow [30:49] 1 0.81%
lawngreen 50+ 40 32.5%
All colors 123 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
34 31 sshlog call site: 00031 do_log
19 69 sshbuf_free call site: 00069 sshkey_free
10 11 sshkey_is_cert call site: 00011 cert_new
8 22 sshbuf_free call site: 00022 ssh_signal
1 7 sshkey_generate call site: 00007 sshkey_impl_from_type
1 66 sshbuf_free call site: 00066 freezero
1 115 LLVMFuzzerTestOneInput call site: 00115 sshkey_verify

Runtime coverage analysis

Covered functions: 101
Functions that are reachable but not covered: 41
Reachable functions: 58
Percentage of reachable functions covered: 29.31%
Warning: The number of covered functions is larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/sig_fuzz.cc 2
sshkey.c 14
sshbuf.c 3
misc.c 1
log.c 3
match.c 2
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
openbsd-compat/freezero.c 1
ssherr.c 1

Fuzzer: agent_fuzz

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1466 71.0%
gold [1:9] 71 3.43%
yellow [10:29] 27 1.30%
greenyellow [30:49] 45 2.18%
lawngreen 50+ 455 22.0%
All colors 2064 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
385 1045 identity_permitted call site: 01045 sshkey_sign
316 1673 process_add_smartcard_key call site: 01673 pkcs11_add_provider
185 371 cipher_init call site: 00371 evp_aes_ctr_mt
128 1523 process_add_identity call site: 01523 sshkey_shield_private
51 558 private2_decrypt call site: 00558 chachapoly_crypt_mt
41 1431 sshkey_ssh_name call site: 01431 sshkey_shield_private
41 2015 process_extension call site: 02015 process_ext_session_bind
29 1014 sshkey_fingerprint call site: 01014 parse_userauth_request
25 662 sshkey_parse_private_fileblob_type call site: 00662 sshkey_parse_private_pem_fileblob
21 992 fingerprint_b64 call site: 00992 fingerprint_randomart
19 52 xstrdup call site: 00052 pkcs11_terminate
19 688 sshkey_check_rsa_length call site: 00688 sshkey_new

Runtime coverage analysis

Covered functions: 246
Functions that are reachable but not covered: 351
Reachable functions: 518
Percentage of reachable functions covered: 32.24%
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/agent_fuzz.cc 1
regress/misc/fuzz-harness/agent_fuzz_helper.c 10
log.c 5
match.c 2
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
xmalloc.c 6
fatal.c 1
regress/misc/fuzz-harness/../../../ssh-agent.c 41
ssh-pkcs11.c 30
sshkey.c 75
sshbuf.c 14
misc.c 6
openbsd-compat/freezero.c 1
sshbuf-getput-basic.c 18
openbsd-compat/recallocarray.c 1
sshbuf-misc.c 2
openbsd-compat/base64.c 2
cipher.c 8
openbsd-compat/bcrypt_pbkdf.c 2
hash.c 1
openbsd-compat/blowfish.c 6
openbsd-compat/arc4random.c 6
openbsd-compat/./arc4random.h 3
openbsd-compat/bsd-getentropy.c 1
openbsd-compat/./chacha_private.h 3
cipher-chachapoly-libcrypto-mt.c 10
cipher-chachapoly-libcrypto.c 3
cipher-ctr-mt.c 7
openbsd-compat/timingsafe_bcmp.c 1
poly1305.c 1
ssh-ecdsa.c 1
ssherr.c 1
digest-openssl.c 4
openbsd-compat/strlcat.c 1
readpass.c 6
openbsd-compat/readpassphrase.c 1
openbsd-compat/bsd-closefrom.c 2
ssh-sk.c 8
sshkey-xmss.c 1

Fuzzer: kex_fuzz

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1040 57.7%
gold [1:9] 182 10.1%
yellow [10:29] 5 0.27%
greenyellow [30:49] 21 1.16%
lawngreen 50+ 553 30.7%
All colors 1801 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
187 334 cipher_init call site: 00334 evp_aes_ctr_mt
99 1107 ssh_digest_bytes call site: 01107 umac_final
91 1293 ssh_packet_send2_wrapped call site: 01293 kex_start_rekex
51 523 private2_decrypt call site: 00523 chachapoly_crypt_mt
44 874 ssh_remote_ipaddr call site: 00874 get_peer_ipaddr
36 263 private2_decrypt call site: 00263 bcrypt_pbkdf
32 1237 ssh_packet_close_internal call site: 01237 ssh_packet_clear_keys
25 627 sshkey_parse_private_fileblob_type call site: 00627 sshkey_parse_private_pem_fileblob
24 1658 ssh_packet_next call site: 01658 sshpkt_disconnect
23 1498 choose_comp call site: 01498 ssh_remote_port
19 653 sshkey_check_rsa_length call site: 00653 sshkey_new
18 1088 ssh_packet_send2_wrapped call site: 01088 sshbuf_ptr

Runtime coverage analysis

Covered functions: 230
Functions that are reachable but not covered: 315
Reachable functions: 533
Percentage of reachable functions covered: 40.9%
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/kex_fuzz.cc 11
log.c 6
xmalloc.c 5
fatal.c 1
match.c 5
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
cleanup.c 1
sshbuf.c 18
sshkey.c 48
misc.c 11
sshbuf-getput-basic.c 16
openbsd-compat/recallocarray.c 1
sshbuf-misc.c 2
openbsd-compat/base64.c 1
openbsd-compat/freezero.c 1
cipher.c 14
openbsd-compat/bcrypt_pbkdf.c 2
hash.c 1
openbsd-compat/blowfish.c 6
openbsd-compat/arc4random.c 6
openbsd-compat/./arc4random.h 3
openbsd-compat/bsd-getentropy.c 1
openbsd-compat/./chacha_private.h 3
cipher-chachapoly-libcrypto-mt.c 11
cipher-chachapoly-libcrypto.c 4
cipher-ctr-mt.c 7
openbsd-compat/timingsafe_bcmp.c 1
poly1305.c 1
ssh-ecdsa.c 1
ssherr.c 1
ssh_api.c 11
entropy.c 1
openbsd-compat/openssl-compat.c 2
packet.c 51
kex.c 23
mac.c 6
umac.c 27
./umac.c 27
hmac.c 6
digest-openssl.c 9
canohost.c 7
kex-names.c 7
openbsd-compat/strlcat.c 1
compat.c 2
dispatch.c 2
openbsd-compat/fmt_scaled.c 1

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that, in combination, yield high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
kex_gen_client /src/hpn-ssh/kexgen.c 1 ['N/A'] 27 0 138 25 5 856 0 3383 1413
sshkey_check_revoked /src/hpn-ssh/authfile.c 2 ['N/A', 'N/A'] 20 0 55 9 2 182 0 1417 637
ssh_xmss_sign /src/hpn-ssh/ssh-xmss.c 9 ['N/A', 'N/A', 'N/A', 'N/A', 'size_t', 'N/A', 'N/A', 'N/A', 'int'] 15 0 357 67 27 215 0 1140 339
xxxmain /src/hpn-ssh/regress/misc/fuzz-harness/../../../ssh-agent.c 2 ['int', 'N/A'] 22 0 1027 187 46 514 0 2840 319
kexgex_server /src/hpn-ssh/kexgexs.c 1 ['N/A'] 28 0 16 3 2 447 0 2305 173
ssh_sk_sign /src/hpn-ssh/regress/misc/sk-dummy/sk-dummy.c 10 ['int', 'N/A', 'size_t', 'N/A', 'N/A', 'size_t', 'char', 'N/A', 'N/A', 'N/A'] 7 0 165 22 7 63 0 199 162
sshauthopt_from_cert /src/hpn-ssh/auth-options.c 1 ['N/A'] 7 0 106 19 9 74 0 503 124

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers: 70.0% (1171 / 1673)
Cyclomatic complexity statically reachable by fuzzers: 67.0% (6950 / 10317)

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzz engine guidance

This section provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

regress/misc/fuzz-harness/authopt_fuzz.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['sshauthopt_parse', 'recallocarray', 'sshauthopt_merge', 'a2port', 'dup_strings']

regress/misc/fuzz-harness/sshsigopt_fuzz.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


regress/misc/fuzz-harness/pubkey_fuzz.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['sshlog', 'sshbuf_fromb', 'recallocarray', 'sshbuf_set_parent', 'type_from_name', 'cert_new', 'sshkey_free_contents', 'sshkey_free', 'sshbuf_froms']

regress/misc/fuzz-harness/sshsig_fuzz.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['match_pattern_list', 'sshbuf_fromb', 'hash_buffer', 'log_init', 'sshlog', 'sshsig_peek_hashalg', 'ssh_digest_memory', 'tohex', 'recallocarray', 'sshbuf_allocate']

regress/misc/fuzz-harness/privkey_fuzz.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['sshlog', 'sshbuf_ptr', 'recallocarray', 'type_from_name', 'sshbuf_set_parent', 'sshbuf_fromb', 'cert_new', 'sshkey_free_contents', 'sshkey_free']

regress/misc/fuzz-harness/sig_fuzz.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['sshlog', 'sshbuf_free', 'sshkey_is_cert', 'sshkey_generate', 'LLVMFuzzerTestOneInput']

regress/misc/fuzz-harness/agent_fuzz.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['identity_permitted', 'process_add_smartcard_key', 'cipher_init', 'process_add_identity', 'private2_decrypt', 'sshkey_ssh_name', 'process_extension', 'sshkey_fingerprint', 'sshkey_parse_private_fileblob_type', 'fingerprint_b64']

regress/misc/fuzz-harness/kex_fuzz.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['cipher_init', 'ssh_digest_bytes', 'ssh_packet_send2_wrapped', 'private2_decrypt', 'ssh_remote_ipaddr', 'ssh_packet_close_internal', 'sshkey_parse_private_fileblob_type', 'ssh_packet_next', 'choose_comp']

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is that fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third-party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
[] []
/src/hpn-ssh/sshsig.c ['sshsigopt_fuzz', 'sshsig_fuzz'] ['sshsigopt_fuzz', 'sshsig_fuzz']
/src/hpn-ssh/dispatch.c ['kex_fuzz'] ['kex_fuzz']
/src/hpn-ssh/openbsd-compat/bsd-getentropy.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/utf8.c [] []
/src/hpn-ssh/match.c ['authopt_fuzz', 'pubkey_fuzz', 'sshsig_fuzz', 'privkey_fuzz', 'sig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['sshsig_fuzz', 'kex_fuzz']
/src/hpn-ssh/regress/misc/fuzz-harness/authopt_fuzz.cc ['authopt_fuzz'] ['authopt_fuzz']
/src/hpn-ssh/authfile.c [] []
/src/hpn-ssh/mac.c ['kex_fuzz'] ['kex_fuzz']
/src/hpn-ssh/smult_curve25519_ref.c [] []
/src/hpn-ssh/openbsd-compat/readpassphrase.c ['agent_fuzz'] []
/src/hpn-ssh/regress/misc/fuzz-harness/kex_fuzz.cc ['kex_fuzz'] ['kex_fuzz']
/src/hpn-ssh/ssh-sk.c ['agent_fuzz'] []
/src/hpn-ssh/ssh-ed25519-sk.c [] []
/src/hpn-ssh/openbsd-compat/fmt_scaled.c ['kex_fuzz'] []
/src/hpn-ssh/ssh_api.c ['kex_fuzz'] ['kex_fuzz']
/src/hpn-ssh/sshbuf.c ['pubkey_fuzz', 'sshsig_fuzz', 'privkey_fuzz', 'sig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['pubkey_fuzz', 'sshsig_fuzz', 'privkey_fuzz', 'sig_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/kexsntrup761x25519.c [] []
/src/hpn-ssh/kexecdh.c [] []
/src/hpn-ssh/./libcrux_mlkem768_sha3.h [] []
/src/hpn-ssh/sshkey.c ['pubkey_fuzz', 'sshsig_fuzz', 'privkey_fuzz', 'sig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['pubkey_fuzz', 'sshsig_fuzz', 'privkey_fuzz', 'sig_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/platform-pledge.c [] []
/src/hpn-ssh/openbsd-compat/bcrypt_pbkdf.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz']
/src/hpn-ssh/openbsd-compat/recallocarray.c ['authopt_fuzz', 'pubkey_fuzz', 'sshsig_fuzz', 'privkey_fuzz', 'agent_fuzz', 'kex_fuzz'] ['authopt_fuzz', 'pubkey_fuzz', 'sshsig_fuzz', 'privkey_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/openbsd-compat/arc4random_uniform.c [] []
/src/hpn-ssh/cleanup.c ['authopt_fuzz', 'sshsig_fuzz', 'kex_fuzz'] []
/src/hpn-ssh/openbsd-compat/openssl-compat.c ['kex_fuzz'] ['kex_fuzz']
/src/hpn-ssh/dh.c [] []
/src/hpn-ssh/log.c ['authopt_fuzz', 'pubkey_fuzz', 'sshsig_fuzz', 'privkey_fuzz', 'sig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['pubkey_fuzz', 'sshsig_fuzz', 'privkey_fuzz', 'sig_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/./umac.c ['kex_fuzz'] []
/src/hpn-ssh/compat.c ['kex_fuzz'] ['kex_fuzz']
/src/hpn-ssh/sshbuf-misc.c ['sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['sshsig_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/fatal.c ['authopt_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] []
/src/hpn-ssh/sshbuf-getput-crypto.c [] []
/src/hpn-ssh/xmss_hash_address.c [] []
/src/hpn-ssh/addrmatch.c [] []
/src/hpn-ssh/openbsd-compat/arc4random.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/openbsd-compat/./chacha_private.h ['agent_fuzz', 'kex_fuzz'] []
/src/hpn-ssh/regress/misc/fuzz-harness/agent_fuzz_helper.c ['agent_fuzz'] ['agent_fuzz']
/src/hpn-ssh/regress/misc/fuzz-harness/sig_fuzz.cc ['sig_fuzz'] ['sig_fuzz']
/src/hpn-ssh/misc.c ['authopt_fuzz', 'sshsigopt_fuzz', 'pubkey_fuzz', 'sshsig_fuzz', 'privkey_fuzz', 'sig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['authopt_fuzz', 'sshsigopt_fuzz', 'sshsig_fuzz', 'agent_fuzz']
/src/hpn-ssh/regress/misc/sk-dummy/sk-dummy.c [] []
/src/hpn-ssh/ed25519.c [] []
/src/hpn-ssh/openbsd-compat/vis.c ['authopt_fuzz', 'pubkey_fuzz', 'sshsig_fuzz', 'privkey_fuzz', 'sig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/platform-tracing.c [] []
/src/hpn-ssh/poly1305.c ['agent_fuzz', 'kex_fuzz'] []
/src/hpn-ssh/ssh-ecdsa-sk.c [] []
/src/hpn-ssh/ssh-xmss.c [] []
/src/hpn-ssh/kexgen.c [] []
/src/hpn-ssh/ssh-pkcs11.c ['agent_fuzz'] []
/src/hpn-ssh/kexmlkem768x25519.c [] []
/src/hpn-ssh/packet.c ['kex_fuzz'] ['kex_fuzz']
/src/hpn-ssh/openbsd-compat/strlcat.c ['sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['sshsig_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/kexgexc.c [] []
/src/hpn-ssh/hmac.c ['kex_fuzz'] ['kex_fuzz']
/src/hpn-ssh/xmalloc.c ['authopt_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['sshsig_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/kexdh.c [] []
/src/hpn-ssh/entropy.c ['kex_fuzz'] ['kex_fuzz']
/src/hpn-ssh/bitmap.c [] []
/src/hpn-ssh/digest-openssl.c ['sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['sshsig_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/openbsd-compat/libressl-api-compat.c [] []
/src/hpn-ssh/openbsd-compat/base64.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/krl.c [] []
/src/hpn-ssh/canohost.c ['kex_fuzz'] []
/src/hpn-ssh/openbsd-compat/getopt_long.c [] []
/src/hpn-ssh/auth-options.c ['authopt_fuzz'] ['authopt_fuzz']
/src/hpn-ssh/regress/misc/fuzz-harness/pubkey_fuzz.cc ['pubkey_fuzz'] ['pubkey_fuzz']
/src/hpn-ssh/xmss_fast.c [] []
/src/hpn-ssh/kexc25519.c [] []
/src/hpn-ssh/xmss_wots.c [] []
/src/hpn-ssh/openbsd-compat/strtonum.c ['authopt_fuzz'] ['authopt_fuzz']
/src/hpn-ssh/openbsd-compat/timingsafe_bcmp.c ['sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['sshsig_fuzz', 'agent_fuzz']
/src/hpn-ssh/regress/misc/fuzz-harness/sshsigopt_fuzz.cc ['sshsigopt_fuzz'] ['sshsigopt_fuzz']
/src/hpn-ssh/sntrup761.c [] []
/src/hpn-ssh/kexgexs.c [] []
/src/hpn-ssh/umac.c ['kex_fuzz'] []
/src/hpn-ssh/xmss_hash.c [] []
/src/hpn-ssh/openbsd-compat/strlcpy.c ['authopt_fuzz', 'pubkey_fuzz', 'sshsig_fuzz', 'privkey_fuzz', 'sig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/kexgex.c [] []
/src/hpn-ssh/kex.c ['kex_fuzz'] ['kex_fuzz']
/src/hpn-ssh/openbsd-compat/bsd-closefrom.c ['agent_fuzz'] []
/src/hpn-ssh/sshbuf-getput-basic.c ['pubkey_fuzz', 'sshsig_fuzz', 'privkey_fuzz', 'agent_fuzz', 'kex_fuzz'] ['pubkey_fuzz', 'sshsig_fuzz', 'privkey_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/sshkey-xmss.c ['agent_fuzz'] []
/src/hpn-ssh/readpass.c ['agent_fuzz'] ['agent_fuzz']
/usr/include/x86_64-linux-gnu/bits/uintn-identity.h [] []
/src/hpn-ssh/cipher-chachapoly-libcrypto-mt.c ['agent_fuzz', 'kex_fuzz'] []
/src/hpn-ssh/cipher.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/cipher-ctr-mt.c ['agent_fuzz', 'kex_fuzz'] []
/src/hpn-ssh/regress/misc/fuzz-harness/agent_fuzz.cc ['agent_fuzz'] ['agent_fuzz']
/src/hpn-ssh/addr.c [] []
/src/hpn-ssh/openbsd-compat/bsd-misc.c [] []
/src/hpn-ssh/sshbuf-io.c [] []
/src/hpn-ssh/regress/misc/fuzz-harness/privkey_fuzz.cc ['privkey_fuzz'] ['privkey_fuzz']
/src/hpn-ssh/openbsd-compat/port-net.c [] []
/src/hpn-ssh/kex-names.c ['kex_fuzz'] ['kex_fuzz']
/src/hpn-ssh/regress/misc/fuzz-harness/ssh-sk-null.cc [] []
/src/hpn-ssh/regress/misc/fuzz-harness/sshsig_fuzz.cc ['sshsig_fuzz'] ['sshsig_fuzz']
/src/hpn-ssh/openbsd-compat/bsd-getpeereid.c [] []
/src/hpn-ssh/cipher-chachapoly-libcrypto.c ['agent_fuzz', 'kex_fuzz'] []
/src/hpn-ssh/openbsd-compat/blowfish.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz']
/src/hpn-ssh/ssherr.c ['sshsig_fuzz', 'sig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['sshsig_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/xmss_commons.c [] []
/src/hpn-ssh/openbsd-compat/freezero.c ['authopt_fuzz', 'pubkey_fuzz', 'sshsig_fuzz', 'privkey_fuzz', 'sig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['authopt_fuzz', 'pubkey_fuzz', 'sshsig_fuzz', 'privkey_fuzz', 'sig_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/atomicio.c [] []
/src/hpn-ssh/ssh-rsa.c [] []
/src/hpn-ssh/ssh-ecdsa.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/openbsd-compat/./arc4random.h ['agent_fuzz', 'kex_fuzz'] []
/src/hpn-ssh/hash.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz']
/src/hpn-ssh/regress/misc/fuzz-harness/../../../ssh-agent.c ['agent_fuzz'] []
/src/hpn-ssh/ssh-ed25519.c [] []
/src/hpn-ssh/platform-misc.c [] []

Directories in report

Directory
/usr/include/x86_64-linux-gnu/bits/
/src/hpn-ssh/regress/misc/fuzz-harness/
/src/hpn-ssh/regress/misc/sk-dummy/
/src/hpn-ssh/openbsd-compat/./
/src/hpn-ssh/
/src/hpn-ssh/openbsd-compat/
/src/hpn-ssh/./
/src/hpn-ssh/regress/misc/fuzz-harness/../../../