ssh_dh_init: 235| 1|{ 236| 1| unsigned long g_int = 2 ; /* G is defined as 2 by the ssh2 standards */ 237| 1| int rc; 238| 1| if (dh_crypto_initialized) { ------------------ | Branch (238:9): [True: 0, False: 1] ------------------ 239| 0| return SSH_OK; ------------------ | | 316| 0|#define SSH_OK 0 /* No error */ ------------------ 240| 0| } 241| 1| dh_crypto_initialized = 1; 242| | 243| 1| ssh_dh_generator = bignum_new(); ------------------ | | 70| 1|#define bignum_new() BN_new() ------------------ 244| 1| if (ssh_dh_generator == NULL) { ------------------ | Branch (244:9): [True: 0, False: 1] ------------------ 245| 0| goto error; 246| 0| } 247| 1| rc = bignum_set_word(ssh_dh_generator, g_int); ------------------ | | 77| 1|#define bignum_set_word(bn,n) BN_set_word(bn,n) ------------------ 248| 1| if (rc != 1) { ------------------ | Branch (248:9): [True: 0, False: 1] ------------------ 249| 0| goto error; 250| 0| } 251| | 252| 1| bignum_bin2bn(p_group1_value, P_GROUP1_LEN, &ssh_dh_group1); ------------------ | | 79| 1| do { \ | | 80| 1| (*dest) = BN_new(); \ | | 81| 1| if ((*dest) != NULL) { \ | | ------------------ | | | Branch (81:13): [True: 1, False: 0] | | ------------------ | | 82| 1| BN_bin2bn(data,datalen,(*dest)); \ | | 83| 1| } \ | | 84| 1| } while(0) | | ------------------ | | | Branch (84:13): [Folded, False: 1] | | ------------------ ------------------ 253| 1| if (ssh_dh_group1 == NULL) { ------------------ | Branch (253:9): [True: 0, False: 1] ------------------ 254| 0| goto error; 255| 0| } 256| 1| bignum_bin2bn(p_group14_value, P_GROUP14_LEN, &ssh_dh_group14); ------------------ | | 79| 1| do { \ | | 80| 1| (*dest) = BN_new(); \ | | 81| 1| if ((*dest) != NULL) { \ | | ------------------ | | | Branch (81:13): [True: 1, False: 0] | | ------------------ | | 82| 1| BN_bin2bn(data,datalen,(*dest)); \ | | 83| 1| } \ | | 84| 1| } while(0) | | ------------------ | | | Branch (84:13): [Folded, False: 1] | | ------------------ ------------------ 257| 1| if (ssh_dh_group14 == NULL) { ------------------ | Branch (257:9): [True: 0, False: 1] ------------------ 258| 0| goto error; 259| 0| } 260| 1| bignum_bin2bn(p_group16_value, P_GROUP16_LEN, &ssh_dh_group16); ------------------ | | 79| 1| do { \ | | 80| 1| (*dest) = BN_new(); \ | | 81| 1| if ((*dest) != NULL) { \ | | ------------------ | | | Branch (81:13): [True: 1, False: 0] | | ------------------ | | 82| 1| BN_bin2bn(data,datalen,(*dest)); \ | | 83| 1| } \ | | 84| 1| } while(0) | | ------------------ | | | Branch (84:13): [Folded, False: 1] | | ------------------ ------------------ 261| 1| if (ssh_dh_group16 == NULL) { ------------------ | Branch (261:9): [True: 0, False: 1] ------------------ 262| 0| goto error; 263| 0| } 264| 1| bignum_bin2bn(p_group18_value, P_GROUP18_LEN, &ssh_dh_group18); ------------------ | | 79| 1| do { \ | | 80| 1| (*dest) = BN_new(); \ | | 81| 1| if ((*dest) != NULL) { \ | | ------------------ | | | Branch (81:13): [True: 1, False: 0] | | ------------------ | | 82| 1| BN_bin2bn(data,datalen,(*dest)); \ | | 83| 1| } \ | | 84| 1| } while(0) | | ------------------ | | | Branch (84:13): [Folded, False: 1] | | ------------------ ------------------ 265| 1| if (ssh_dh_group18 == NULL) { ------------------ | Branch (265:9): [True: 0, False: 1] ------------------ 266| 0| goto error; 267| 0| } 268| | 269| 1| return 0; 270| 0|error: 271| 0| ssh_dh_finalize(); 272| 0| return SSH_ERROR; ------------------ | | 317| 0|#define SSH_ERROR -1 /* Error of some kind */ ------------------ 273| 1|} libssh_constructor: 114| 1|{ 115| | 116| 1| int rc; 117| | 118| 1| rc = _ssh_init(1); 119| | 120| 1| if (rc < 0) { ------------------ | Branch (120:9): [True: 0, False: 1] ------------------ 121| 0| fprintf(stderr, "Error in auto_init()\n"); 122| 0| } 123| | 124| 1| return; 125| 1|} ssh_init: 156| 1|int ssh_init(void) { 157| 1| return _ssh_init(0); 158| 1|} ssh_finalize: 241| 1|int ssh_finalize(void) { 242| 1| return _ssh_finalize(0); 243| 1|} init.c:_ssh_init: 62| 2|static int _ssh_init(unsigned constructor) { 63| | 64| 2| int rc = 0; 65| | 66| 2| if (!constructor) { ------------------ | Branch (66:9): [True: 1, False: 1] ------------------ 67| 1| ssh_mutex_lock(&ssh_init_mutex); 68| 1| } 69| | 70| 2| _ssh_initialized++; 71| | 72| 2| if (_ssh_initialized > 1) { ------------------ | Branch (72:9): [True: 1, False: 1] ------------------ 73| 1| rc = _ssh_init_ret; 74| 1| goto _ret; 75| 1| } 76| | 77| 1| rc = ssh_threads_init(); 78| 1| if (rc) { ------------------ | Branch (78:9): [True: 0, False: 1] ------------------ 79| 0| goto _ret; 80| 0| } 81| | 82| 1| rc = ssh_crypto_init(); 83| 1| if (rc) { ------------------ | Branch (83:9): [True: 0, False: 1] ------------------ 84| 0| goto _ret; 85| 0| } 86| | 87| 1| rc = ssh_dh_init(); 88| 1| if (rc) { ------------------ | Branch (88:9): [True: 0, False: 1] ------------------ 89| 0| goto _ret; 90| 0| } 91| | 92| 1| rc = ssh_socket_init(); 93| 1| if (rc) { ------------------ | Branch (93:9): [True: 0, False: 1] ------------------ 94| 0| goto _ret; 95| 0| } 96| | 97| 2|_ret: 98| 2| _ssh_init_ret = rc; 99| | 100| 2| if (!constructor) { ------------------ | Branch (100:9): [True: 1, False: 1] ------------------ 101| 1| ssh_mutex_unlock(&ssh_init_mutex); 102| 1| } 103| | 104| 2| return rc; 105| 1|} init.c:_ssh_finalize: 160| 1|static int _ssh_finalize(unsigned destructor) { 161| | 162| 1| if (!destructor) { ------------------ | Branch (162:9): [True: 1, False: 0] ------------------ 163| 1| ssh_mutex_lock(&ssh_init_mutex); 164| | 165| 1| if (_ssh_initialized > 1) { ------------------ | Branch (165:13): [True: 1, False: 0] ------------------ 166| 1| _ssh_initialized--; 167| 1| ssh_mutex_unlock(&ssh_init_mutex); 168| 1| return 0; 169| 1| } 170| | 171| 0| if (_ssh_initialized == 1) { ------------------ | Branch (171:13): [True: 0, False: 0] ------------------ 172| 0| if (_ssh_init_ret < 0) { ------------------ | Branch (172:17): [True: 0, False: 0] ------------------ 173| 0| ssh_mutex_unlock(&ssh_init_mutex); 174| 0| return 0; 175| 0| } 176| 0| } 177| 0| } 178| | 179| | /* If the counter reaches zero or it is the destructor calling, finalize */ 180| 0| ssh_dh_finalize(); 181| 0| ssh_crypto_finalize(); 182| 0| ssh_socket_cleanup(); 183| | /* It is important to finalize threading after CRYPTO because 184| | * it still depends on it */ 185| 0| ssh_threads_finalize(); 186| | 187| 0| _ssh_initialized = 0; 188| | 189| 0| if (!destructor) { ------------------ | Branch (189:9): [True: 0, False: 0] ------------------ 190| 0| ssh_mutex_unlock(&ssh_init_mutex); 191| 0| } 192| | 193| |#if (defined(_WIN32) && !defined(HAVE_PTHREAD)) 194| | if (ssh_init_mutex != NULL) { 195| | DeleteCriticalSection(ssh_init_mutex); 196| | SAFE_FREE(ssh_init_mutex); 197| | } 198| |#endif 199| | 200| 0| return 0; 201| 1|} ssh_crypto_init: 1391| 1|{ 1392| |#ifndef HAVE_OPENSSL_EVP_CHACHA20 1393| | size_t i; 1394| |#endif 1395| | 1396| 1| if (libcrypto_initialized) { ------------------ | Branch (1396:9): [True: 0, False: 1] ------------------ 1397| 0| return SSH_OK; ------------------ | | 316| 0|#define SSH_OK 0 /* No error */ ------------------ 1398| 0| } 1399| 1| if (OpenSSL_version_num() != OPENSSL_VERSION_NUMBER) { ------------------ | Branch (1399:9): [True: 0, False: 1] ------------------ 1400| 0| SSH_LOG(SSH_LOG_DEBUG, ------------------ | | 281| 0| _ssh_log(priority, __func__, __VA_ARGS__) ------------------ 1401| 0| "libssh compiled with %s " 1402| 0| "headers, currently running with %s.", 1403| 0| OPENSSL_VERSION_TEXT, 1404| 0| OpenSSL_version(OpenSSL_version_num())); 1405| 0| } 1406| |#ifdef CAN_DISABLE_AESNI 1407| | /* 1408| | * disable AES-NI when running within Valgrind, because they generate 1409| | * too many "uninitialized memory access" false positives 1410| | */ 1411| | if (RUNNING_ON_VALGRIND) { 1412| | SSH_LOG(SSH_LOG_INFO, "Running within Valgrind, disabling AES-NI"); 1413| | /* Bit #57 denotes AES-NI instruction set extension */ 1414| | OPENSSL_ia32cap &= ~(1LL << 57); 1415| | } 1416| |#endif /* CAN_DISABLE_AESNI */ 1417| | 1418| |#ifndef HAVE_OPENSSL_EVP_CHACHA20 1419| | for (i = 0; ssh_ciphertab[i].name != NULL; i++) { 1420| | int cmp; 1421| | 1422| | cmp = strcmp(ssh_ciphertab[i].name, "chacha20-poly1305@openssh.com"); 1423| | if (cmp == 0) { 1424| | memcpy(&ssh_ciphertab[i], 1425| | ssh_get_chacha20poly1305_cipher(), 1426| | sizeof(struct ssh_cipher_struct)); 1427| | break; 1428| | } 1429| | } 1430| |#endif /* HAVE_OPENSSL_EVP_CHACHA20 */ 1431| | 1432| 1| libcrypto_initialized = 1; 1433| | 1434| 1| return SSH_OK; ------------------ | | 316| 1|#define SSH_OK 0 /* No error */ ------------------ 1435| 1|} ssh_poll_init: 91| 1|{ 92| 1| return; 93| 1|} ssh_socket_init: 132| 1|{ 133| 1| if (sockets_initialized == 0) { ------------------ | Branch (133:9): [True: 1, False: 0] ------------------ 134| |#ifdef _WIN32 135| | struct WSAData wsaData; 136| | 137| | /* Initiates use of the Winsock DLL by a process. */ 138| | if (WSAStartup(MAKEWORD(2, 0), &wsaData) != 0) { 139| | return -1; 140| | } 141| |#endif 142| 1| ssh_poll_init(); 143| | 144| 1| sockets_initialized = 1; 145| 1| } 146| | 147| 1| return 0; 148| 1|} ssh_threads_init: 42| 1|{ 43| 1| static int threads_initialized = 0; 44| 1| int rc; 45| | 46| 1| if (threads_initialized) { ------------------ | Branch (46:9): [True: 0, False: 1] ------------------ 47| 0| return SSH_OK; ------------------ | | 316| 0|#define SSH_OK 0 /* No error */ ------------------ 48| 0| } 49| | 50| | /* first initialize the user_callbacks with our default handlers if not 51| | * already the case 52| | */ 53| 1| if (user_callbacks == NULL){ ------------------ | Branch (53:9): [True: 1, False: 0] ------------------ 54| 1| user_callbacks = ssh_threads_get_default(); 55| 1| } 56| | 57| | /* Then initialize the crypto libraries threading callbacks */ 58| 1| rc = crypto_thread_init(user_callbacks); 59| 1| if (rc == SSH_OK) { ------------------ | | 316| 1|#define SSH_OK 0 /* No error */ ------------------ | Branch (59:9): [True: 1, False: 0] ------------------ 60| 1| threads_initialized = 1; 61| 1| } 62| 1| return rc; 63| 1|} crypto_thread_init: 28| 1|{ 29| 1| (void) cb; 30| 1| return SSH_OK; ------------------ | | 316| 1|#define SSH_OK 0 /* No error */ ------------------ 31| 1|} ssh_mutex_lock: 102| 2|{ 103| 2| int rc; 104| | 105| 2| if (mutex == NULL) { ------------------ | Branch (105:9): [True: 0, False: 2] ------------------ 106| 0| exit(EINVAL); 107| 0| } 108| | 109| 2| rc = pthread_mutex_lock(mutex); 110| | 111| 2| if (rc) { ------------------ | Branch (111:9): [True: 0, False: 2] ------------------ 112| 0| exit(rc); 113| 0| } 114| 2|} ssh_mutex_unlock: 117| 2|{ 118| 2| int rc; 119| | 120| 2| if (mutex == NULL) { ------------------ | Branch (120:9): [True: 0, False: 2] ------------------ 121| 0| exit(EINVAL); 122| 0| } 123| | 124| 2| rc = pthread_mutex_unlock(mutex); 125| | 126| 2| if (rc) { ------------------ | Branch (126:9): [True: 0, False: 2] ------------------ 127| 0| exit(rc); 128| 0| } 129| 2|} ssh_threads_get_default: 132| 1|{ 133| 1| return &ssh_threads_pthread; 134| 1|} nalloc_init: 114| 1|{ 115| 1| if (nalloc_initialized) { ------------------ | Branch (115:9): [True: 0, False: 1] ------------------ 116| 0| return; 117| 0| } 118| 1| nalloc_initialized = true; 119| 1| char *bitmask = getenv("NALLOC_FREQ"); 120| 1| if (bitmask) { ------------------ | Branch (120:9): [True: 0, False: 1] ------------------ 121| 0| int shift = atoi(bitmask); 122| 0| if (shift > 0 && shift < 31) { ------------------ | Branch (122:13): [True: 0, False: 0] | Branch (122:26): [True: 0, False: 0] ------------------ 123| 0| nalloc_bitmask = 1 << shift; 124| 0| nalloc_random_bitmask = false; 125| 0| } else if (shift == 0) { ------------------ | Branch (125:20): [True: 0, False: 0] ------------------ 126| 0| nalloc_random_bitmask = false; 127| 0| nalloc_bitmask = 0; 128| 0| } 129| 1| } else if (prog == NULL || strstr(prog, "nalloc") == NULL) { ------------------ | Branch (129:16): [True: 0, False: 1] | Branch (129:32): [True: 1, False: 0] ------------------ 130| 1| nalloc_random_bitmask = false; 131| 1| nalloc_bitmask = 0; 132| 1| return; 133| 1| } 134| | 135| 0| char *verbose = getenv("NALLOC_VERBOSE"); 136| 0| if (verbose) { ------------------ | Branch (136:9): [True: 0, False: 0] ------------------ 137| | nalloc_verbose = true; 138| 0| } 139| 0|} calloc: 307| 2|{ 308| 2| if (nalloc_fail(size, "calloc")) { ------------------ | Branch (308:9): [True: 0, False: 2] ------------------ 309| 0| errno = ENOMEM; 310| 0| return NULL; 311| 0| } 312| 2| return nalloc_calloc(nmemb, size); ------------------ | | 259| 2|#define nalloc_calloc(s, n) __libc_calloc(s, n) ------------------ 313| 2|} malloc: 316| 51|{ 317| 51| if (nalloc_fail(size, "malloc")) { ------------------ | Branch (317:9): [True: 0, False: 51] ------------------ 318| 0| errno = ENOMEM; 319| 0| return NULL; 320| 0| } 321| 51| return nalloc_malloc(size); ------------------ | | 258| 51|#define nalloc_malloc(s) __libc_malloc(s) ------------------ 322| 51|} realloc: 325| 1|{ 326| 1| if (nalloc_fail(size, "realloc")) { ------------------ | Branch (326:9): [True: 0, False: 1] ------------------ 327| 0| errno = ENOMEM; 328| 0| return NULL; 329| 0| } 330| 1| return nalloc_realloc(ptr, size); ------------------ | | 260| 1|#define nalloc_realloc(p, s) __libc_realloc(p, s) ------------------ 331| 1|} ssh_client_config_fuzzer.c:nalloc_fail: 194| 54|{ 195| | // do not fail before thread init 196| 54| if (nalloc_runs == 0) { ------------------ | Branch (196:9): [True: 54, False: 0] ------------------ 197| 54| return false; 198| 54| } 199| 0| if (__sync_fetch_and_add(&nalloc_running, 1) != 1) { ------------------ | Branch (199:9): [True: 0, False: 0] ------------------ 200| | // do not fail allocations outside of fuzzer input 201| | // and do not fail inside of this function 202| 0| __sync_fetch_and_sub(&nalloc_running, 1); 203| 0| return false; 204| 0| } 205| 0| nalloc_random_update((uint8_t)size); 206| 0| if (size >= 0x100) { ------------------ | Branch (206:9): [True: 0, False: 0] ------------------ 207| 0| nalloc_random_update((uint8_t)(size >> 8)); 208| 0| if (size >= 0x10000) { ------------------ | Branch (208:13): [True: 0, False: 0] ------------------ 209| 0| nalloc_random_update((uint8_t)(size >> 16)); 210| | // bigger may already fail or oom 211| 0| } 212| 0| } 213| 0| if (((nalloc_random_state ^ nalloc_magic) & nalloc_bitmask) == 0) { ------------------ | Branch (213:9): [True: 0, False: 0] ------------------ 214| 0| if (nalloc_backtrace_exclude(size, op)) { ------------------ | Branch (214:13): [True: 0, False: 0] ------------------ 215| 0| __sync_fetch_and_sub(&nalloc_running, 1); 216| 0| return false; 217| 0| } 218| 0| __sync_fetch_and_sub(&nalloc_running, 1); 219| 0| return true; 220| 0| } 221| 0| __sync_fetch_and_sub(&nalloc_running, 1); 222| | return false; 223| 0|} LLVMFuzzerInitialize: 34| 1|{ 35| 1| (void)argc; 36| | 37| 1| nalloc_init(*argv[0]); 38| | 39| 1| ssh_init(); 40| | 41| 1| atexit(_fuzz_finalize); 42| | 43| 1| return 0; 44| 1|} ssh_client_config_fuzzer.c:_fuzz_finalize: 29| 1|{ 30| 1| ssh_finalize(); 31| 1|}