High level conclusions

Fuzzers reach 50.87% code coverage.

Fuzzers reach 59.23% of cyclomatic complexity.

Fuzzers reach 55.94% of all functions.

Fuzzer ssh_client_config_fuzzer is blocked:

The runtime code coverage of ssh_client_config_fuzzer covers 29.50% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer ssh_bind_config_fuzzer is blocked:

The runtime code coverage of ssh_bind_config_fuzzer covers 17.13% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer ssh_privkey_fuzzer is blocked:

The runtime code coverage of ssh_privkey_fuzzer covers 10.40% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Reachability and coverage overview

Functions statically reachable by fuzzers

541 / 967

Cyclomatic complexity statically reachable by fuzzers

4722 / 7972

Runtime code coverage of functions

492 / 967

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Runtime reached by Fuzzers	Combined reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

Fuzzer: ssh_privkey_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	494	92.8%
gold	[1:9]	18	3.38%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	20	3.75%
All colors	532	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
668	668	1 : View List ['ssh_pki_openssh_privkey_import']	668	668	ssh_pki_import_privkey_base64	call site: 00061	/src/libssh/src/pki.c:816
104	104	8 : View List ['EVP_PKEY_get0_EC_KEY', 'EVP_PKEY_free', 'ssh_key_type_to_char', 'ssh_key_new', 'ssh_key_free', 'pki_key_ecdsa_to_key_type', 'pki_key_ecdsa_to_nid', 'EVP_PKEY_base_id']	108	213	pki_private_key_from_base64	call site: 00497	/src/libssh/src/pki_crypto.c:1201
10	10	1 : View List ['ssh_dh_finalize']	10	10	ssh_dh_init	call site: 00046	/src/libssh/src/dh.c:260
4	39	3 : View List ['_ssh_log', 'OpenSSL_version_num', 'OpenSSL_version']	4	39	ssh_crypto_init	call site: 00013	/src/libssh/src/libcrypto.c:1349
2	2	1 : View List ['exit']	2	2	ssh_mutex_lock	call site: 00007	/src/libssh/src/threads/pthread.c:111
2	2	1 : View List ['exit']	2	2	ssh_mutex_unlock	call site: 00057	/src/libssh/src/threads/pthread.c:126
0	0	None	670	856	ssh_pki_import_privkey_base64	call site: 00059	/src/libssh/src/pki.c:806
0	0	None	116	256	pki_private_key_from_base64	call site: 00491	/src/libssh/src/pki_crypto.c:1186
0	0	None	116	256	pki_private_key_from_base64	call site: 00491	/src/libssh/src/pki_crypto.c:1187
0	0	None	10	10	ssh_dh_init	call site: 00037	/src/libssh/src/dh.c:239
0	0	None	10	10	ssh_dh_init	call site: 00038	/src/libssh/src/dh.c:243
0	0	None	10	10	ssh_dh_init	call site: 00040	/src/libssh/src/dh.c:248

Runtime coverage analysis

Covered functions

19

Functions that are reachable but not covered

155

Reachable functions

173

Percentage of reachable functions covered

10.4%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzz/ssh_privkey_fuzzer.c	1
src/base64.c	6
src/init.c	4
src/threads/pthread.c	3
src/threads.c	2
src/threads/libcrypto.c	2
src/libcrypto.c	3
src/log.c	9
src/dh.c	2
src/socket.c	2
src/poll.c	2
src/pki.c	11
src/pki_container_openssh.c	4
src/buffer.c	19
src/string.c	7
src/bignum.c	1
src/pki_crypto.c	13
src/external/bcrypt_pbkdf.c	2
src/md_crypto.c	3
src/external/blowfish.c	6
src/wrapper.c	1

Fuzzer: ssh_bind_config_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	609	74.6%
gold	[1:9]	36	4.41%
yellow	[10:29]	12	1.47%
greenyellow	[30:49]	10	1.22%
lawngreen	50+	149	18.2%
All colors	816	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
35	35	1 : View List ['_ssh_set_error_invalid']	35	35	ssh_bind_config_parse_line	call site: 00069	/src/libssh/src/bind_config.c:309
35	35	1 : View List ['_ssh_set_error_invalid']	35	35	ssh_bind_options_set	call site: 00611	/src/libssh/src/options.c:2343
35	35	1 : View List ['_ssh_set_error_invalid']	35	35	ssh_bind_options_set	call site: 00619	/src/libssh/src/options.c:2385
35	35	1 : View List ['_ssh_set_error_invalid']	35	35	ssh_bind_options_set	call site: 00630	/src/libssh/src/options.c:2428
35	35	1 : View List ['_ssh_set_error_invalid']	35	35	ssh_bind_options_set	call site: 00632	/src/libssh/src/options.c:2443
35	35	1 : View List ['_ssh_set_error_invalid']	35	35	ssh_bind_options_set	call site: 00707	/src/libssh/src/options.c:2458
35	35	1 : View List ['_ssh_set_error_invalid']	35	35	ssh_bind_options_set	call site: 00709	/src/libssh/src/options.c:2473
35	35	1 : View List ['_ssh_set_error_invalid']	35	35	ssh_bind_options_set	call site: 00711	/src/libssh/src/options.c:2488
35	35	1 : View List ['_ssh_set_error_invalid']	35	35	ssh_bind_options_set	call site: 00730	/src/libssh/src/options.c:2519
35	35	1 : View List ['_ssh_set_error_invalid']	35	35	ssh_bind_options_set	call site: 00732	/src/libssh/src/options.c:2534
21	21	4 : View List ['ssh_dh_finalize', 'ssh_socket_cleanup', 'ssh_threads_finalize', 'ssh_crypto_finalize']	21	33	_ssh_finalize	call site: 00806	/src/libssh/src/init.c:165
10	10	1 : View List ['ssh_dh_finalize']	10	10	ssh_dh_init	call site: 00045	/src/libssh/src/dh.c:260

Runtime coverage analysis

Covered functions

50

Functions that are reachable but not covered

237

Reachable functions

286

Percentage of reachable functions covered

17.13%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzz/ssh_bind_config_fuzzer.c	1
src/init.c	4
src/threads/pthread.c	3
src/threads.c	2
src/threads/libcrypto.c	2
src/libcrypto.c	3
src/log.c	10
src/dh.c	2
src/socket.c	2
src/poll.c	2
src/bind.c	2
src/bind_config.c	6
src/error.c	3
src/config_parser.c	2
src/options.c	5
src/pki.c	14
src/pki_container_openssh.c	4
src/base64.c	4
src/buffer.c	19
src/string.c	7
src/bignum.c	1
src/pki_crypto.c	15
src/external/bcrypt_pbkdf.c	2
src/md_crypto.c	3
src/external/blowfish.c	6
src/wrapper.c	1
src/misc.c	3
src/kex.c	6
src/token.c	7

Fuzzer: ssh_pubkey_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	400	60.5%
gold	[1:9]	56	8.47%
yellow	[10:29]	19	2.87%
greenyellow	[30:49]	13	1.96%
lawngreen	50+	173	26.1%
All colors	661	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
185	262	3 : View List ['ssh_key_free', '_ssh_log', 'ssh_pki_export_privkey_to_pubkey']	185	262	ssh_pki_import_pubkey_file	call site: 00518	/src/libssh/src/pki.c:1885
35	104	8 : View List ['EVP_PKEY_get0_EC_KEY', 'EVP_PKEY_free', 'ssh_key_type_to_char', 'ssh_key_new', 'ssh_key_free', 'pki_key_ecdsa_to_key_type', 'pki_key_ecdsa_to_nid', 'EVP_PKEY_base_id']	39	213	pki_private_key_from_base64	call site: 00525	/src/libssh/src/pki_crypto.c:1201
21	21	4 : View List ['ssh_dh_finalize', 'ssh_socket_cleanup', 'ssh_threads_finalize', 'ssh_crypto_finalize']	21	33	_ssh_finalize	call site: 00651	/src/libssh/src/init.c:165
10	10	1 : View List ['ssh_pki_key_ecdsa_name']	10	138	pki_import_pubkey_buffer	call site: 00282	/src/libssh/src/pki.c:1466
10	10	1 : View List ['ssh_dh_finalize']	10	10	ssh_dh_init	call site: 00044	/src/libssh/src/dh.c:260
7	7	2 : View List ['__errno_location', 'ssh_strerror']	7	42	ssh_pki_import_pubkey_file	call site: 00083	/src/libssh/src/pki.c:1858
6	6	1 : View List ['buffer_shift']	6	19	ssh_buffer_add_data	call site: 00117	/src/libssh/src/buffer.c:318
6	6	1 : View List ['buffer_shift']	6	19	ssh_buffer_allocate_size	call site: 00103	/src/libssh/src/buffer.c:347
4	39	3 : View List ['_ssh_log', 'OpenSSL_version_num', 'OpenSSL_version']	4	39	ssh_crypto_init	call site: 00011	/src/libssh/src/libcrypto.c:1349
4	39	3 : View List ['_ssh_log', 'ERR_get_error', 'ERR_error_string']	4	39	pki_pubkey_build_ed25519	call site: 00300	/src/libssh/src/pki_crypto.c:474
4	4	2 : View List ['EVP_PKEY_free', 'RSA_free']	4	4	pki_pubkey_build_rsa	call site: 00244	/src/libssh/src/pki_crypto.c:1491
2	2	1 : View List ['abort']	2	2	ssh_buffer_unpack_va	call site: 00169	/src/libssh/src/buffer.c:1295

Runtime coverage analysis

Covered functions

65

Functions that are reachable but not covered

131

Reachable functions

195

Percentage of reachable functions covered

32.82%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzz/ssh_pubkey_fuzzer.c	1
src/init.c	4
src/threads/pthread.c	3
src/threads.c	2
src/threads/libcrypto.c	2
src/libcrypto.c	3
src/log.c	9
src/dh.c	2
src/socket.c	2
src/poll.c	2
src/misc.c	2
src/pki.c	14
src/pki_container_openssh.c	4
src/base64.c	4
src/buffer.c	19
src/string.c	7
src/bignum.c	1
src/pki_crypto.c	14
src/external/bcrypt_pbkdf.c	2
src/md_crypto.c	3
src/external/blowfish.c	6
src/wrapper.c	1

Fuzzer: ssh_known_hosts_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	114	27.4%
gold	[1:9]	21	5.04%
yellow	[10:29]	3	0.72%
greenyellow	[30:49]	3	0.72%
lawngreen	50+	275	66.1%
All colors	416	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
21	21	4 : View List ['ssh_dh_finalize', 'ssh_socket_cleanup', 'ssh_threads_finalize', 'ssh_crypto_finalize']	21	33	_ssh_finalize	call site: 00405	/src/libssh/src/init.c:165
10	10	1 : View List ['ssh_pki_key_ecdsa_name']	10	138	pki_import_pubkey_buffer	call site: 00307	/src/libssh/src/pki.c:1466
10	10	1 : View List ['ssh_dh_finalize']	10	10	ssh_dh_init	call site: 00050	/src/libssh/src/dh.c:260
7	42	3 : View List ['__errno_location', '_ssh_log', 'ssh_strerror']	7	42	ssh_known_hosts_read_entries	call site: 00064	/src/libssh/src/knownhosts.c:236
6	6	1 : View List ['buffer_shift']	6	19	ssh_buffer_add_data	call site: 00106	/src/libssh/src/buffer.c:318
6	6	1 : View List ['buffer_shift']	6	19	ssh_buffer_allocate_size	call site: 00092	/src/libssh/src/buffer.c:347
6	6	2 : View List ['BN_cmp', 'EC_KEY_get0_private_key']	6	6	pki_key_compare	call site: 00386	/src/libssh/src/pki_crypto.c:1025
4	39	3 : View List ['_ssh_log', 'OpenSSL_version_num', 'OpenSSL_version']	4	39	ssh_crypto_init	call site: 00017	/src/libssh/src/libcrypto.c:1349
4	39	3 : View List ['_ssh_log', 'ERR_get_error', 'ERR_error_string']	4	39	pki_pubkey_build_ed25519	call site: 00325	/src/libssh/src/pki_crypto.c:474
4	4	1 : View List ['ssh_key_is_private']	8	92	ssh_key_cmp	call site: 00365	/src/libssh/src/pki.c:667
4	4	2 : View List ['EVP_PKEY_free', 'RSA_free']	4	4	pki_pubkey_build_rsa	call site: 00268	/src/libssh/src/pki_crypto.c:1491
2	12	3 : View List ['memcmp', 'ssh_buffer_get_len', 'ssh_buffer_get']	2	12	ssh_key_cmp	call site: 00371	/src/libssh/src/pki.c:683

Runtime coverage analysis

Covered functions

82

Functions that are reachable but not covered

96

Reachable functions

177

Percentage of reachable functions covered

45.76%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzz/ssh_known_hosts_fuzzer.c	1
src/init.c	4
src/threads/pthread.c	3
src/threads.c	2
src/threads/libcrypto.c	2
src/libcrypto.c	5
src/log.c	9
src/dh.c	2
src/socket.c	2
src/poll.c	2
src/knownhosts.c	7
src/misc.c	8
src/base64.c	4
src/buffer.c	19
src/match.c	3
src/pki.c	12
src/string.c	7
src/bignum.c	1
src/pki_crypto.c	7

Fuzzer: ssh_client_config_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	314	40.0%
gold	[1:9]	77	9.80%
yellow	[10:29]	38	4.84%
greenyellow	[30:49]	34	4.33%
lawngreen	50+	322	41.0%
All colors	785	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
133	1107	9 : View List ['ssh_config_match', '_ssh_log', 'match_cidr_address_list', 'ssh_match_exec', 'ssh_config_get_match_opcode', 'ssh_get_local_username', 'ssh_config_get_str_tok', 'ssh_match_localnetwork', 'ssh_config_get_token']	133	1338	ssh_config_parse_line	call site: 00527	/src/libssh/src/config.c:976
68	68	1 : View List ['ssh_message_free']	91	291	ssh_free	call site: 00176	/src/libssh/src/session.c:272
23	23	1 : View List ['ssh_poll_ctx_free']	114	767	ssh_free	call site: 00112	/src/libssh/src/session.c:245
21	21	1 : View List ['ssh_kbdint_free']	23	205	ssh_free	call site: 00184	/src/libssh/src/session.c:283
21	21	4 : View List ['ssh_dh_finalize', 'ssh_socket_cleanup', 'ssh_threads_finalize', 'ssh_crypto_finalize']	21	33	_ssh_finalize	call site: 00775	/src/libssh/src/init.c:165
16	16	1 : View List ['ssh_poll_free']	29	134	ssh_socket_close	call site: 00116	/src/libssh/src/socket.c:482
10	10	1 : View List ['ssh_dh_finalize']	10	10	ssh_dh_init	call site: 00045	/src/libssh/src/dh.c:260
6	6	1 : View List ['buffer_shift']	6	19	ssh_buffer_allocate_size	call site: 00068	/src/libssh/src/buffer.c:347
4	39	3 : View List ['_ssh_log', 'OpenSSL_version_num', 'OpenSSL_version']	4	39	ssh_crypto_init	call site: 00012	/src/libssh/src/libcrypto.c:1349
4	4	1 : View List ['strdup']	6	6	ssh_remove_from_default_algos	call site: 00372	/src/libssh/src/kex.c:1303
4	4	1 : View List ['explicit_bzero']	4	4	ssh_buffer_free	call site: 00077	/src/libssh/src/buffer.c:157
3	3	1 : View List ['ssh_pcap_context_free']	117	861	ssh_free	call site: 00110	/src/libssh/src/session.c:236

Runtime coverage analysis

Covered functions

96

Functions that are reachable but not covered

227

Reachable functions

322

Percentage of reachable functions covered

29.5%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzz/ssh_client_config_fuzzer.c	1
src/init.c	4
src/threads/pthread.c	3
src/threads.c	2
src/threads/libcrypto.c	2
src/libcrypto.c	2
src/log.c	12
src/dh.c	2
src/socket.c	6
src/poll.c	6
src/session.c	3
src/wrapper.c	4
src/error.c	3
src/buffer.c	5
src/misc.c	21
src/agent.c	3
src/channels.c	1
src/pcap.c	1
src/pki.c	2
src/pki_crypto.c	1
src/string.c	4
src/dh_crypto.c	1
src/gzip.c	1
src/messages.c	1
src/auth.c	2
src/callbacks.c	1
src/options.c	2
src/config_parser.c	6
src/kex.c	6
src/token.c	7
src/config.c	11
src/match.c	8

Fuzzer: ssh_server_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	1457	64.9%
gold	[1:9]	25	1.11%
yellow	[10:29]	21	0.93%
greenyellow	[30:49]	8	0.35%
lawngreen	50+	731	32.6%
All colors	2242	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2482	2482	1 : View List ['ssh_execute_message_callback']	2482	2482	ssh_message_queue	call site: 00000	/src/libssh/src/messages.c:505
2447	2548	4 : View List ['ssh_session_set_disconnect_message', 'ssh_message_free', 'ssh_send_disconnect', '_ssh_set_error']	2447	5188	ssh_packet_channel_open	call site: 00000	/src/libssh/src/messages.c:1342
2429	2524	10 : View List ['_ssh_log', 'strchr', 'dh_handshake', 'kex_select_kex_type', 'ssh_buffer_reinit', 'strlen', 'free', 'calloc', 'ssh_string_free', '_ssh_set_error_oom']	2429	2524	ssh_send_kex	call site: 02060	/src/libssh/src/kex.c:1136
2419	2489	2 : View List ['_ssh_log', 'ssh_send_rekex']	2419	2489	ssh_packet_socket_callback	call site: 00000	/src/libssh/src/packet.c:1494
1310	1310	1 : View List ['ssh_set_client_kex']	1318	1980	ssh_packet_kexinit	call site: 00000	/src/libssh/src/kex.c:414
764	764	1 : View List ['ssh_bind_import_keys']	776	1331	ssh_bind_accept_fd	call site: 00918	/src/libssh/src/bind.c:521
668	668	1 : View List ['ssh_pki_openssh_privkey_import']	668	668	ssh_pki_import_privkey_base64	call site: 00206	/src/libssh/src/pki.c:816
481	7539	15 : View List ['ssh_make_sessionid', '_ssh_log', 'ssh_buffer_add_data', 'ssh_get_key_params', 'ssh_buffer_add_u32', 'ssh_sntrup761x25519_build_k', 'ssh_buffer_add_ssh_string', 'ntohl', 'ssh_string_data', 'ssh_packet_send', 'ssh_buffer_add_u8', 'ssh_sntrup761x25519_init', 'ssh_dh_get_next_server_publickey_blob', 'ssh_srv_pki_do_sign_sessionid', '_ssh_set_error_oom']	481	7739	ssh_packet_server_sntrup761x25519_init	call site: 00000	/src/libssh/src/sntrup761.c:370
316	3085	6 : View List ['ssh_key_free', 'ssh_message_queue', 'strcmp', 'ssh_key_cmp', 'ssh_string_free', 'ssh_get_server_publickey']	316	3293	ssh_packet_userauth_request	call site: 00000	/src/libssh/src/messages.c:1039
263	263	2 : View List ['ssh_pcap_context_write', 'strlen']	263	263	ssh_send_banner	call site: 01041	/src/libssh/src/client.c:234
259	261	2 : View List ['ssh_pcap_context_write', 'ssh_buffer_get']	2809	10855	ssh_packet_socket_callback	call site: 00000	/src/libssh/src/packet.c:1363
259	259	1 : View List ['ssh_pcap_context_write']	259	1315	packet_send2	call site: 01705	/src/libssh/src/packet.c:1841

Runtime coverage analysis

Covered functions

344

Functions that are reachable but not covered

296

Reachable functions

510

Percentage of reachable functions covered

41.96%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzz/ssh_server_fuzzer.c	2
src/bind.c	4
src/session.c	7
src/wrapper.c	10
src/socket.c	16
src/error.c	3
src/buffer.c	31
src/misc.c	28
src/agent.c	3
src/channels.c	1
src/pcap.c	5
src/poll.c	20
src/log.c	12
src/pki.c	20
src/pki_crypto.c	19
src/string.c	9
src/dh_crypto.c	6
src/gzip.c	4
src/messages.c	1
src/auth.c	2
src/callbacks.c	2
src/options.c	7
src/pki_container_openssh.c	4
src/base64.c	4
src/bignum.c	4
src/libcrypto.c	7
src/external/bcrypt_pbkdf.c	2
src/md_crypto.c	20
src/external/blowfish.c	6
src/kex.c	18
src/token.c	7
src/server.c	4
src/client.c	3
src/getrandom_crypto.c	1
src/packet.c	10
src/knownhosts.c	10
src/config_parser.c	1
src/config.c	1
src/match.c	3
src/packet_crypt.c	1
src/dh.c	3
src/kdf.c	5
src/dh-gex.c	1
src/ecdh_crypto.c	3
src/curve25519.c	1
src/curve25519_crypto.c	1
src/sntrup761.c	4
src/external/sntrup761.c	24

Fuzzer: ssh_client_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	2456	73.5%
gold	[1:9]	52	1.55%
yellow	[10:29]	42	1.25%
greenyellow	[30:49]	58	1.73%
lawngreen	50+	732	21.9%
All colors	3340	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2628	2634	3 : View List ['ssh_channel_do_free', 'ssh_channel_close', 'ssh_list_free']	2628	2634	ssh_channel_free	call site: 03313	/src/libssh/src/channels.c:1278
2419	2489	2 : View List ['_ssh_log', 'ssh_send_rekex']	2419	2489	ssh_packet_socket_callback	call site: 00000	/src/libssh/src/packet.c:1494
796	809	10 : View List ['__ctype_b_loc', 'ssh_known_hosts_entries_compare', 'ssh_list_append', 'known_hosts_read_line', 'fclose', 'ssh_known_hosts_parse_line', 'ssh_list_get_iterator', 'ssh_knownhosts_entry_free', 'strcspn', 'ssh_list_new']	796	809	ssh_known_hosts_read_entries	call site: 01051	/src/libssh/src/knownhosts.c:236
263	263	2 : View List ['ssh_pcap_context_write', 'strlen']	263	263	ssh_send_banner	call site: 00000	/src/libssh/src/client.c:234
259	261	2 : View List ['ssh_pcap_context_write', 'ssh_buffer_get']	2809	10855	ssh_packet_socket_callback	call site: 00000	/src/libssh/src/packet.c:1363
259	259	1 : View List ['ssh_pcap_context_write']	259	1315	packet_send2	call site: 01629	/src/libssh/src/packet.c:1841
247	2761	6 : View List ['_ssh_log', 'ssh_sntrup761x25519_build_k', 'ssh_packet_send', 'ssh_string_data', 'ssh_buffer_add_u8', 'ssh_buffer_get_ssh_string']	247	2830	ssh_packet_client_sntrup761x25519_reply	call site: 00000	/src/libssh/src/sntrup761.c:270
245	245	1 : View List ['server_set_kex']	253	915	ssh_packet_kexinit	call site: 00000	/src/libssh/src/kex.c:414
216	252	9 : View List ['ssh_remove_duplicates', 'ssh_list_remove', 'ssh_list_count', 'ssh_list_get_iterator', 'ssh_known_host_sigs_from_hostkey_type', 'strlen', 'strncat', 'ssh_knownhosts_entry_free', 'ssh_list_free']	216	252	ssh_known_hosts_get_algorithms_names	call site: 01511	/src/libssh/src/knownhosts.c:571
123	170	6 : View List ['ssh_keep_fips_algos', 'free', 'FIPS_mode', 'ssh_find_all_matching', 'ssh_append_without_duplicates', '_ssh_set_error_oom']	123	310	ssh_client_select_hostkeys	call site: 01504	/src/libssh/src/kex.c:718
91	91	1 : View List ['ssh_add_to_default_algos']	145	228	ssh_options_set_algo	call site: 00339	/src/libssh/src/options.c:275
68	74	2 : View List ['ssh_message_free', '_ssh_list_pop_head']	68	86	ssh_disconnect	call site: 03236	/src/libssh/src/client.c:881

Runtime coverage analysis

Covered functions

333

Functions that are reachable but not covered

435

Reachable functions

704

Percentage of reachable functions covered

38.21%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzz/ssh_client_fuzzer.c	2
src/init.c	5
src/threads/pthread.c	3
src/threads.c	3
src/threads/libcrypto.c	2
src/libcrypto.c	8
src/log.c	13
src/dh.c	6
src/socket.c	25
src/poll.c	27
src/session.c	9
src/wrapper.c	10
src/error.c	4
src/buffer.c	31
src/misc.c	28
src/agent.c	11
src/channels.c	31
src/pcap.c	5
src/pki.c	40
src/pki_crypto.c	23
src/string.c	11
src/dh_crypto.c	6
src/gzip.c	4
src/messages.c	1
src/auth.c	13
src/callbacks.c	6
src/options.c	4
src/config_parser.c	6
src/kex.c	18
src/token.c	7
src/config.c	12
src/client.c	7
src/match.c	9
src/connect.c	4
src/knownhosts.c	14
src/base64.c	6
src/bignum.c	4
src/packet.c	10
src/getrandom_crypto.c	1
src/server.c	1
src/packet_crypt.c	1
src/md_crypto.c	20
src/kdf.c	5
src/dh-gex.c	1
src/ecdh_crypto.c	3
src/curve25519.c	1
src/curve25519_crypto.c	1
src/sntrup761.c	4
src/external/sntrup761.c	24
src/pki_container_openssh.c	5
src/external/bcrypt_pbkdf.c	2
src/external/blowfish.c	6
src/pki_ed25519_common.c	1
src/connector.c	17

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination, yield a high code coverage.

Func name	Functions filename	Arg count	Args	Function depth	hitcount	instr count	bb count	cyclomatic complexity	Reachable functions	Incoming references	total cyclomatic complexity	Unreached complexity
ssh_packet_userauth_request	/src/libssh/src/messages.c	4	['N/A', 'char', 'N/A', 'N/A']	34	0	920	187	54	451	0	3003	398
ssh_packet_socket_callback	/src/libssh/src/packet.c	3	['N/A', 'size_t', 'N/A']	26	0	1020	133	47	407	1	2669	240
ssh_channel_request_pty	/src/libssh/src/channels.c	1	['N/A']	25	0	16	3	2	429	0	2730	163
ssh_server_connection_callback	/src/libssh/src/server.c	1	['N/A']	28	0	494	85	25	415	0	2602	158
ssh_packet_server_sntrup761x25519_init	/src/libssh/src/sntrup761.c	4	['N/A', 'char', 'N/A', 'N/A']	27	0	410	64	24	452	0	2817	143
ssh_packet_server_dhgex_request	/src/libssh/src/dh-gex.c	4	['N/A', 'char', 'N/A', 'N/A']	17	0	296	51	18	400	0	2516	97
ssh_pki_export_privkey_file	/src/libssh/src/pki.c	5	['N/A', 'N/A', 'N/A', 'N/A', 'N/A']	12	0	32	3	2	121	0	553	85
channel_rcv_request	/src/libssh/src/channels.c	4	['N/A', 'char', 'N/A', 'N/A']	22	0	763	137	43	418	0	2714	69
ssh_channel_select	/src/libssh/src/channels.c	4	['N/A', 'N/A', 'N/A', 'N/A']	11	0	657	137	40	88	0	406	67
ssh_packet_kexinit	/src/libssh/src/kex.c	4	['N/A', 'char', 'N/A', 'N/A']	15	0	975	164	54	217	0	1438	67

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers

668 / 967

Cyclomatic complexity statically reachable by fuzzers

6108 / 7972

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Runtime reached by Fuzzers	Combined reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

This sections provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

tests/fuzz/ssh_privkey_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['ssh_pki_import_privkey_base64', 'pki_private_key_from_base64', '_ssh_log', 'ssh_dh_init', 'ssh_crypto_init', '_ssh_init', 'ssh_mutex_lock', 'ssh_mutex_unlock']

tests/fuzz/ssh_bind_config_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['ssh_bind_config_parse_line', 'ssh_bind_options_set', '_ssh_finalize', 'ssh_dh_init', 'ssh_crypto_init', 'ssh_log_function', 'current_timestring']

tests/fuzz/ssh_pubkey_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['ssh_pki_openssh_import', 'pki_private_key_from_base64', '_ssh_log', 'ssh_pki_import_pubkey_file', '_ssh_finalize', 'ssh_dh_init', 'ssh_buffer_unpack_va']

tests/fuzz/ssh_known_hosts_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['_ssh_log', 'ssh_buffer_unpack_va', '_ssh_finalize', 'ssh_dh_init', 'hmac_init', 'ssh_key_cmp', 'ssh_known_hosts_read_entries', 'ssh_crypto_init']

tests/fuzz/ssh_client_config_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['_ssh_log', 'ssh_socket_close', 'ssh_options_set', 'ssh_free', 'ssh_config_parse_line', 'match_cidr_address_list', 'crypto_free']

tests/fuzz/ssh_server_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['ssh_list_prepend', 'sha512_final', 'ssh_packet_send', 'ssh_curve25519_init', 'pki_key_dup', 'ssh_buffer_pack_va', 'ssh_bind_options_set', 'ssh_find_all_matching', 'ssh_pki_import_pubkey_blob', 'packet_send2']

tests/fuzz/ssh_client_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['ssh_pki_import_pubkey_blob', 'ssh_string_copy', 'ssh_userauth_get_response', 'ssh_path_expand_escape', 'ssh_lowercase', 'pki_import_cert_buffer', 'ssh_connect', 'ssh_client_sntrup761x25519_init', 'ssh_options_set', 'packet_send2']

This section shows analysis of runtime coverage data.

For futher technical details on how this section is generated, please see the Glossary .

Complex functions with low coverage

Func name	Function total lines	Lines covered at runtime	percentage covered	Reached by fuzzers
ssh_dh_init	36	19	52.77%	['ssh_known_hosts_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer']
pki_private_key_from_base64	78	40	51.28%	['ssh_pubkey_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer']
ssh_bind_options_set	352	173	49.14%	['ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer']
pki_pubkey_build_rsa	33	18	54.54%	['ssh_known_hosts_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_client_fuzzer']
hmac_init	38	17	44.73%	['ssh_known_hosts_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_key_cmp	39	18	46.15%	['ssh_known_hosts_fuzzer', 'ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_config_make_absolute	41	19	46.34%	['ssh_client_fuzzer', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer']
match_cidr_address_list	168	55	32.73%	['ssh_client_fuzzer', 'ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer']
ssh_options_set	690	341	49.42%	['ssh_client_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer']
ssh_socket_close	33	15	45.45%	['ssh_client_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer']
ssh_bind_accept_fd	109	40	36.69%	['ssh_server_fuzzer']
ssh_channel_new	44	22	50.0%	['ssh_client_fuzzer', 'ssh_server_fuzzer']
channel_default_bufferize	45	18	40.0%	['ssh_server_fuzzer']
ssh_curve25519_init	46	24	52.17%	['ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_retrieve_dhgroup	52	16	30.76%	['ssh_server_fuzzer']
sshkdf_derive_key	73	25	34.24%	['ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_mac_ctx_init	36	19	52.77%	['ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_send_kex	89	48	53.93%	['ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_hashbufout_add_cookie	31	17	54.83%	['ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_message_queue	35	18	51.42%	['ssh_server_fuzzer']
ssh_execute_server_request	230	80	34.78%	['ssh_server_fuzzer']
ssh_msg_userauth_build_digest	53	29	54.71%	['ssh_server_fuzzer']
ssh_packet_send	62	24	38.70%	['ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_packet_encrypt	90	37	41.11%	['ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_key_signature_to_char	33	16	48.48%	['ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_pki_import_privkey_file	63	27	42.85%	['ssh_client_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_bind_config_fuzzer']
ssh_pki_export_signature_blob	47	25	53.19%	['ssh_client_fuzzer', 'ssh_server_fuzzer']
pki_key_dup	257	66	25.68%	['ssh_client_fuzzer', 'ssh_server_fuzzer', 'ssh_pubkey_fuzzer']
pki_key_to_blob	324	124	38.27%	['ssh_client_fuzzer', 'ssh_server_fuzzer']
pki_sign_data	82	44	53.65%	['ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_get_key_params	44	20	45.45%	['ssh_server_fuzzer']
ssh_auth_reply_default	44	12	27.27%	['ssh_server_fuzzer']
ssh_packet_server_sntrup761x25519_init	120	29	24.16%	['ssh_server_fuzzer']
ssh_userauth_get_response	41	7	17.07%	['ssh_client_fuzzer']
ssh_channel_free	38	5	13.15%	['ssh_client_fuzzer']
ssh_connect	122	61	50.0%	['ssh_client_fuzzer']
ssh_client_select_hostkeys	70	27	38.57%	['ssh_client_fuzzer', 'ssh_server_fuzzer']
revert_kex_callbacks	35	5	14.28%	['ssh_client_fuzzer']
ssh_known_hosts_get_algorithms_names	75	25	33.33%	['ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_options_apply	119	53	44.53%	['ssh_client_fuzzer', 'ssh_server_fuzzer']
ssh_packet_client_sntrup761x25519_reply	64	35	54.68%	['ssh_client_fuzzer']

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file	Reached by	Covered by
	[]	[]
/src/libssh/src/log.c	['ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/pki.c	['ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/wrapper.c	['ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/tests/fuzz/ssh_client_fuzzer.c	['ssh_client_fuzzer']	['ssh_client_fuzzer']
/src/libssh/src/token.c	['ssh_bind_config_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_bind_config_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/tests/fuzz/ssh_known_hosts_fuzzer.c	['ssh_known_hosts_fuzzer']	['ssh_known_hosts_fuzzer']
/src/libssh/src/connector.c	['ssh_client_fuzzer']	[]
/src/libssh/tests/fuzz/ssh_server_fuzzer.c	['ssh_server_fuzzer']	['ssh_server_fuzzer']
/src/libssh/src/bignum.c	['ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/tests/fuzz/ssh_privkey_fuzzer.c	['ssh_privkey_fuzzer']	['ssh_privkey_fuzzer']
/src/libssh/src/config.c	['ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_client_config_fuzzer']
/src/libssh/src/poll.c	['ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/auth.c	['ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/sntrup761.c	['ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/error.c	['ssh_bind_config_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_bind_config_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/messages.c	['ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_server_fuzzer']
/src/libssh/src/bind.c	['ssh_bind_config_fuzzer', 'ssh_server_fuzzer']	['ssh_bind_config_fuzzer', 'ssh_server_fuzzer']
/src/libssh/src/options.c	['ssh_bind_config_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_bind_config_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/ecdh.c	[]	[]
/src/libssh/src/pki_container_openssh.c	['ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_pubkey_fuzzer']
/src/libssh/src/base64.c	['ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_privkey_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer']
/src/libssh/tests/fuzz/ssh_pubkey_fuzzer.c	['ssh_pubkey_fuzzer']	['ssh_pubkey_fuzzer']
/src/libssh/src/kdf.c	['ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/misc.c	['ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/threads/pthread.c	['ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer']	['ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/kex.c	['ssh_bind_config_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_bind_config_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/pki_ed25519_common.c	['ssh_client_fuzzer']	['ssh_client_fuzzer']
/src/libssh/src/buffer.c	['ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/gzip.c	['ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/ecdh_crypto.c	['ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/dh-gex.c	['ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/init.c	['ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer']	['ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/client.c	['ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/match.c	['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/callbacks.c	['ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/dh_crypto.c	['ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/threads.c	['ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer']	['ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/string.c	['ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/packet_cb.c	[]	[]
/src/libssh/src/packet_crypt.c	['ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/config_parser.c	['ssh_bind_config_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_bind_config_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/getrandom_crypto.c	['ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/external/blowfish.c	['ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	[]
/src/libssh/src/session.c	['ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/socket.c	['ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/threads/libcrypto.c	['ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer']	['ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/knownhosts.c	['ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_known_hosts_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/packet.c	['ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/curve25519_crypto.c	['ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/external/bcrypt_pbkdf.c	['ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	[]
/src/libssh/src/agent.c	['ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/pki_crypto.c	['ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_privkey_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/channels.c	['ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/server.c	['ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/md_crypto.c	['ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/curve25519.c	['ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/pcap.c	['ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	[]
/src/libssh/src/libcrypto.c	['ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/ttyopts.c	[]	[]
/src/libssh/src/crypto_common.c	[]	[]
/src/libssh/tests/fuzz/ssh_bind_config_fuzzer.c	['ssh_bind_config_fuzzer']	['ssh_bind_config_fuzzer']
/src/libssh/src/connect.c	['ssh_client_fuzzer']	[]
/src/libssh/src/bind_config.c	['ssh_bind_config_fuzzer']	['ssh_bind_config_fuzzer']
/src/libssh/src/external/sntrup761.c	['ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_client_fuzzer']
/src/libssh/src/dh.c	['ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']	['ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/tests/fuzz/ssh_client_config_fuzzer.c	['ssh_client_config_fuzzer']	['ssh_client_config_fuzzer']

Directories in report

Directory
/src/libssh/src/external/
/src/libssh/src/threads/
/src/libssh/src/
/src/libssh/tests/fuzz/