Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues
Project coverage
Per-fuzzer coverage

Table of contents

Project overview: openssh
High level conclusions
Reachability and coverage overview
Fuzzers overview
Project functions overview
Fuzzer details
Fuzzer: pubkey_fuzz
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: privkey_fuzz
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: sig_fuzz
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: authopt_fuzz
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: sshsigopt_fuzz
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: sshsig_fuzz
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: agent_fuzz
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: kex_fuzz
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Analyses and suggestions
Optimal target analysis
Remaining optimal interesting functions
All functions overview
Runtime coverage analysis
Complex functions with low coverage
Files and Directories in report
Files in report
Directories in report
Metadata section
Function call coverage
Function in each files in report
Report generation date: 2023-06-07

Project overview: openssh

High level conclusions

Reachability and coverage overview

Functions statically reachable by fuzzers
40.0%
518 / 1283
Cyclomatic complexity statically reachable by fuzzers
41.0%
3680 / 9052
Runtime code coverage of functions
49.0%
625 / 1283

Warning: The number of runtime covered functions are larger than the number of reachable functions. This means that Fuzz Introspector found there are more functions covered at runtime than what is considered reachable based on the static analysis. This is a limitation in the analysis as anything covered at runtime is by definition reachable by the fuzzers.
This is likely due to a limitation in the static analysis. In this case, the count of functions covered at runtime is the true value, which means this is what should be considered "achieved" by the fuzzer.

Use the project functions table below to query all functions that were not covered at runtime.

Fuzzers overview

Fuzzer Fuzzer filename Functions Reached Functions unreached Fuzzer depth Files reached Basic blocks reached Cyclomatic complexity Details
pubkey_fuzz regress/misc/fuzz-harness/pubkey_fuzz.cc 76 827 11 10 1038 472 pubkey_fuzz.cc
privkey_fuzz regress/misc/fuzz-harness/privkey_fuzz.cc 80 823 12 10 1106 507 privkey_fuzz.cc
sig_fuzz regress/misc/fuzz-harness/sig_fuzz.cc 55 855 14 10 686 350 sig_fuzz.cc
authopt_fuzz regress/misc/fuzz-harness/authopt_fuzz.cc 61 858 10 13 950 423 authopt_fuzz.cc
sshsigopt_fuzz regress/misc/fuzz-harness/sshsigopt_fuzz.cc 16 1017 3 3 163 84 sshsigopt_fuzz.cc
sshsig_fuzz regress/misc/fuzz-harness/sshsig_fuzz.cc 108 925 11 20 1428 697 sshsig_fuzz.cc
agent_fuzz regress/misc/fuzz-harness/agent_fuzz.cc 492 627 16 40 5763 2690 agent_fuzz.cc
kex_fuzz regress/misc/fuzz-harness/kex_fuzz.cc 448 850 17 43 5170 2450 kex_fuzz.cc

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name Functions filename Args Function call depth Reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzzer details

Fuzzer: pubkey_fuzz

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 36 32.7%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 74 67.2%
All colors 110 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
95 95 8 :

['strnvis', 'strlcpy', '__errno_location', 'syslog', 'openlog', 'strlen', 'write', 'closelog']

95 95 do_log call site: 00028 /src/openssh/log.c:351
13 13 1 :

['rsa_hash_id_from_keyname']

21 697 ssh_rsa_verify call site: 00000 /src/openssh/ssh-rsa.c:508
7 7 1 :

['strlcpy']

7 118 sshlogv call site: 00024 /src/openssh/log.c:484
4 4 1 :

['timingsafe_bcmp']

4 9 openssh_RSA_verify call site: 00000 /src/openssh/ssh-rsa.c:659
2 2 1 :

['BN_clear_free']

2 2 sshbuf_get_bignum2 call site: 00000 /src/openssh/sshbuf-getput-crypto.c:48
2 2 1 :

['explicit_bzero']

2 2 sshkey_xmss_free_state call site: 00000 /src/openssh/sshkey-xmss.c:144
2 2 1 :

['SHA512']

2 2 core_hash_SHA2 call site: 00000 /src/openssh/xmss_hash.c:55
0 220 1 :

['cert_free']

0 220 cert_new call site: 00083 /src/openssh/sshkey.c:587
0 218 1 :

['sshkey_free']

0 218 sshkey_new call site: 00081 /src/openssh/sshkey.c:622
0 201 1 :

['sshbuf_free']

0 201 sshbuf_froms call site: 00000 /src/openssh/sshbuf-getput-basic.c:561
0 201 1 :

['sshbuf_free']

0 201 sshbuf_fromb call site: 00049 /src/openssh/sshbuf.c:151
0 0 None 14 14 sshkey_ec_validate_public call site: 00000 /src/openssh/sshkey.c:2639

Runtime coverage analysis

Covered functions
163
Functions that are reachable but not covered
30
Reachable functions
76
Percentage of reachable functions covered
60.53%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/pubkey_fuzz.cc 1
sshkey.c 11
sshbuf.c 9
misc.c 1
log.c 3
match.c 2
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
openbsd-compat/freezero.c 1
sshbuf-getput-basic.c 3

Fuzzer: privkey_fuzz

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 39 30.2%
gold [1:9] 1 0.77%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 89 68.9%
All colors 129 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
95 95 8 :

['strnvis', 'strlcpy', '__errno_location', 'syslog', 'openlog', 'strlen', 'write', 'closelog']

95 95 do_log call site: 00029 /src/openssh/log.c:351
82 240 4 :

['xmss_sign_open', 'malloc', 'sshlog', 'sshkey_xmss_params']

82 451 ssh_xmss_verify call site: 00000 /src/openssh/ssh-xmss.c:312
13 13 1 :

['rsa_hash_id_from_keyname']

21 697 ssh_rsa_verify call site: 00000 /src/openssh/ssh-rsa.c:508
7 7 1 :

['strlcpy']

7 118 sshlogv call site: 00025 /src/openssh/log.c:484
2 2 1 :

['BN_clear_free']

2 2 sshbuf_get_bignum2 call site: 00000 /src/openssh/sshbuf-getput-crypto.c:48
0 705 1 :

['sshbuf_put_u8']

0 710 sshbuf_dtob64 call site: 00000 /src/openssh/sshbuf-misc.c:111
0 220 1 :

['cert_free']

0 220 cert_new call site: 00093 /src/openssh/sshkey.c:587
0 218 1 :

['sshkey_free']

0 218 sshkey_new call site: 00091 /src/openssh/sshkey.c:622
0 205 1 :

['ssh_digest_buffer']

0 607 webauthn_check_prepare_hash call site: 00000 /src/openssh/ssh-ecdsa-sk.c:217
0 201 1 :

['sshbuf_free']

0 201 sshbuf_froms call site: 00066 /src/openssh/sshbuf-getput-basic.c:561
0 201 1 :

['sshbuf_free']

0 201 sshbuf_fromb call site: 00080 /src/openssh/sshbuf.c:151
0 5 1 :

['freezero']

0 206 ssh_xmss_verify call site: 00000 /src/openssh/ssh-xmss.c:342

Runtime coverage analysis

Covered functions
169
Functions that are reachable but not covered
31
Reachable functions
80
Percentage of reachable functions covered
61.25%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/privkey_fuzz.cc 1
sshbuf.c 9
sshkey.c 14
sshbuf-getput-basic.c 4
misc.c 1
log.c 3
match.c 2
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
openbsd-compat/freezero.c 1

Fuzzer: sig_fuzz

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 60 55.5%
gold [1:9] 8 7.40%
yellow [10:29] 1 0.92%
greenyellow [30:49] 7 6.48%
lawngreen 50+ 32 29.6%
All colors 108 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
446 446 2 :

['sshkey_free', 'cert_new']

446 446 sshkey_new call site: 00010 /src/openssh/sshkey.c:621
218 218 1 :

['sshkey_free']

218 218 sshkey_generate call site: 00007 /src/openssh/sshkey.c:1406
162 162 1 :

['_getentropy_fail']

166 227 _rs_stir call site: 00000 /src/openssh/openbsd-compat/arc4random.c:116
162 162 2 :

['sshfatal', 'ERR_get_error']

162 162 _ssh_compat_getentropy call site: 00000 /src/openssh/openbsd-compat/bsd-getentropy.c:45
95 95 8 :

['strnvis', 'strlcpy', '__errno_location', 'syslog', 'openlog', 'strlen', 'write', 'closelog']

95 95 do_log call site: 00043 /src/openssh/log.c:351
73 73 2 :

['abort', 'ssh_err']

73 73 generate_or_die(int,unsignedint) call site: 00000 /src/openssh/regress/misc/fuzz-harness/sig_fuzz.cc:18
13 13 1 :

['rsa_hash_id_from_keyname']

21 697 ssh_rsa_verify call site: 00000 /src/openssh/ssh-rsa.c:508
7 7 1 :

['strlcpy']

7 118 sshlogv call site: 00039 /src/openssh/log.c:484
4 4 1 :

['timingsafe_bcmp']

4 9 openssh_RSA_verify call site: 00000 /src/openssh/ssh-rsa.c:659
2 2 1 :

['_exit']

2 2 _rs_init call site: 00000 /src/openssh/openbsd-compat/arc4random.c:102
2 2 1 :

['memset']

2 2 _rs_forkdetect call site: 00000 /src/openssh/openbsd-compat/./arc4random.h:58
2 2 1 :

['munmap']

2 2 _rs_allocate call site: 00000 /src/openssh/openbsd-compat/./arc4random.h:71

Runtime coverage analysis

Covered functions
107
Functions that are reachable but not covered
37
Reachable functions
55
Percentage of reachable functions covered
32.73%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/sig_fuzz.cc 2
sshkey.c 13
sshbuf.c 3
misc.c 1
log.c 3
match.c 2
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
openbsd-compat/freezero.c 1
ssherr.c 1

Fuzzer: authopt_fuzz

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 56 36.8%
gold [1:9] 3 1.97%
yellow [10:29] 1 0.65%
greenyellow [30:49] 1 0.65%
lawngreen 50+ 91 59.8%
All colors 152 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
166 757 4 :

['strchr', 'a2tun', 'xstrdup', 'free']

166 757 a2tun call site: 00082 /src/openssh/misc.c:510
2 2 1 :

['getpagesize']

8 8 recallocarray call site: 00051 /src/openssh/openbsd-compat/recallocarray.c:64
2 2 1 :

['ntohs']

2 2 a2port call site: 00075 /src/openssh/misc.c:498
0 11 1 :

['sshauthopt_free']

0 11 sshauthopt_merge call site: 00146 /src/openssh/auth-options.c:631
0 0 None 12 94 sshauthopt_merge call site: 00132 /src/openssh/auth-options.c:537
0 0 None 8 19 sshauthopt_merge call site: 00143 /src/openssh/auth-options.c:610
0 0 None 6 673 sshauthopt_parse call site: 00003 /src/openssh/auth-options.c:329
0 0 None 2 2 recallocarray call site: 00053 /src/openssh/openbsd-compat/recallocarray.c:77
0 0 None 2 2 strtonum call site: 00071 /src/openssh/openbsd-compat/strtonum.c:52
0 0 None 0 11 sshauthopt_parse call site: 00004 /src/openssh/auth-options.c:331
0 0 None 0 11 sshauthopt_parse call site: 00041 /src/openssh/auth-options.c:401
0 0 None 0 11 sshauthopt_parse call site: 00044 /src/openssh/auth-options.c:413

Runtime coverage analysis

Covered functions
19
Functions that are reachable but not covered
42
Reachable functions
61
Percentage of reachable functions covered
31.15%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/authopt_fuzz.cc 1
auth-options.c 7
misc.c 8
openbsd-compat/recallocarray.c 1
openbsd-compat/strtonum.c 1
xmalloc.c 2
fatal.c 1
log.c 2
match.c 2
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
cleanup.c 1
openbsd-compat/freezero.c 1

Fuzzer: sshsigopt_fuzz

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 0 0.0%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 31 100.%
All colors 31 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
0 0 None 2 2 opt_flag call site: 00005 /src/openssh/misc.c:2500
0 0 None 0 3 sshsigopt_parse call site: 00028 /src/openssh/sshsig.c:704
0 0 None 0 0 opt_dequote call site: 00012 /src/openssh/misc.c:2524
0 0 None 0 0 sshsigopt_parse call site: 00002 /src/openssh/sshsig.c:632

Runtime coverage analysis

Covered functions
7
Functions that are reachable but not covered
9
Reachable functions
16
Percentage of reachable functions covered
43.75%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/sshsigopt_fuzz.cc 1
sshsig.c 2
misc.c 4

Fuzzer: sshsig_fuzz

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 64 24.0%
gold [1:9] 3 1.12%
yellow [10:29] 1 0.37%
greenyellow [30:49] 7 2.63%
lawngreen 50+ 191 71.8%
All colors 266 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
164 164 1 :

['xstrdup']

164 164 tohex call site: 00119 /src/openssh/misc.c:1496
160 160 1 :

['sshfatal']

160 160 xcalloc call site: 00131 /src/openssh/xmalloc.c:56
88 95 8 :

['strnvis', 'strlcpy', '__errno_location', 'syslog', 'openlog', 'strlen', 'write', 'closelog']

88 95 do_log call site: 00038 /src/openssh/log.c:351
82 240 4 :

['xmss_sign_open', 'malloc', 'sshlog', 'sshkey_xmss_params']

82 451 ssh_xmss_verify call site: 00000 /src/openssh/ssh-xmss.c:312
50 50 3 :

['sshkey_ec_validate_public', 'EC_KEY_get0_group', 'EC_KEY_get0_public_key']

52 52 ssh_ecdsa_deserialize_public call site: 00000 /src/openssh/ssh-ecdsa.c:177
13 13 1 :

['rsa_hash_id_from_keyname']

21 697 ssh_rsa_verify call site: 00000 /src/openssh/ssh-rsa.c:508
6 6 3 :

['exit', 'openlog', 'closelog']

6 6 log_init call site: 00008 /src/openssh/log.c:213
2 215 2 :

['EC_KEY_set_public_key', 'sshbuf_get_string_direct']

6 219 sshbuf_get_eckey call site: 00000 /src/openssh/sshbuf-getput-crypto.c:110
2 2 1 :

['strlen']

2 2 strlcat call site: 00134 /src/openssh/openbsd-compat/strlcat.c:48
2 2 1 :

['BN_clear_free']

2 2 sshbuf_get_bignum2 call site: 00000 /src/openssh/sshbuf-getput-crypto.c:48
0 231 1 :

['sshkey_deserialize_sk']

0 231 ssh_ecdsa_sk_deserialize_public call site: 00000 /src/openssh/ssh-ecdsa-sk.c:133
0 227 2 :

['ssh_err', 'sshlog']

2 430 hash_buffer call site: 00142 /src/openssh/sshsig.c:417

Runtime coverage analysis

Covered functions
160
Functions that are reachable but not covered
35
Reachable functions
108
Percentage of reachable functions covered
67.59%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/sshsig_fuzz.cc 1
sshbuf.c 13
log.c 5
sshsig.c 6
misc.c 2
match.c 2
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
openbsd-compat/freezero.c 1
sshbuf-misc.c 1
openbsd-compat/timingsafe_bcmp.c 1
sshbuf-getput-basic.c 10
ssherr.c 1
digest-openssl.c 5
xmalloc.c 3
fatal.c 1
cleanup.c 1
openbsd-compat/strlcat.c 1
openbsd-compat/recallocarray.c 1
sshkey.c 17

Fuzzer: agent_fuzz

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1228 68.9%
gold [1:9] 58 3.25%
yellow [10:29] 47 2.63%
greenyellow [30:49] 11 0.61%
lawngreen 50+ 437 24.5%
All colors 1781 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
3900 5114 17 :

['sshkey_equal', 'sshkey_fingerprint', 'sshbuf_ptr', 'notify_start', 'agent_decode_alg', 'buf_equal', 'strncmp', 'parse_userauth_request', 'sshkey_is_sk', 'check_websafe_message_contents', 'sshkey_sign', 'read_passphrase', 'lookup_identity', 'confirm_key', 'sshkey_type', 'sshbuf_len', 'identity_permitted']

4542 10236 process_sign_request2 call site: 00637 /src/openssh/regress/misc/fuzz-harness/../../../ssh-agent.c:738
2603 3708 18 :

['realpath', 'match_pattern_list', 'monotime', 'parse_key_constraints', 'sshkey_fingerprint', 'sshbuf_reset', 'xcalloc', 'sshkey_shield_private', 'sshkey_ssh_name', 'sshkey_is_sk', 'sshfatal', '__errno_location', 'identity_permitted', 'strcasecmp', 'strerror', 'lookup_identity', 'sshkey_type', 'xstrdup']

2603 6077 process_add_identity call site: 01319 /src/openssh/regress/misc/fuzz-harness/../../../ssh-agent.c:1209
2338 2984 6 :

['permitted_by_dest_constraints', 'sshfatal', 'sshkey_fingerprint', 'free', 'sshkey_type', 'sshlog']

2338 2984 identity_permitted call site: 00739 /src/openssh/regress/misc/fuzz-harness/../../../ssh-agent.c:385
738 738 3 :

['free', 'strcmp', 'process_ext_session_bind']

738 1218 process_extension call site: 01737 /src/openssh/regress/misc/fuzz-harness/../../../ssh-agent.c:1576
423 423 1 :

['sshkey_parse_private_pem_fileblob']

423 423 sshkey_parse_private_fileblob_type call site: 00384 /src/openssh/sshkey.c:3537
396 1161 4 :

['sshfatal', 'lookup_identity', 'identity_permitted', 'free_identity']

396 1859 process_remove_identity call site: 01438 /src/openssh/regress/misc/fuzz-harness/../../../ssh-agent.c:883
340 340 6 :

['waitpid', 'kill', 'ssh_signal', 'sshfatal', '__errno_location', 'strerror']

340 340 notify_complete call site: 01262 /src/openssh/readpass.c:319
200 200 1 :

['cert_compare']

200 219 sshkey_equal call site: 00371 /src/openssh/sshkey.c:713
162 162 1 :

['_getentropy_fail']

166 227 _rs_stir call site: 00267 /src/openssh/openbsd-compat/arc4random.c:116
162 162 2 :

['sshfatal', 'ERR_get_error']

162 162 _ssh_compat_getentropy call site: 00268 /src/openssh/openbsd-compat/bsd-getentropy.c:45
160 231 2 :

['ssh_err', 'sshfatal']

160 231 no_identities call site: 00594 /src/openssh/regress/misc/fuzz-harness/../../../ssh-agent.c:1362
160 231 2 :

['ssh_err', 'sshfatal']

160 231 send_status call site: 00606 /src/openssh/regress/misc/fuzz-harness/../../../ssh-agent.c:502

Runtime coverage analysis

Covered functions
236
Functions that are reachable but not covered
317
Reachable functions
492
Percentage of reachable functions covered
35.57%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/agent_fuzz.cc 1
regress/misc/fuzz-harness/agent_fuzz_helper.c 9
log.c 5
match.c 2
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
xmalloc.c 6
fatal.c 1
regress/misc/fuzz-harness/../../../ssh-agent.c 35
sshkey.c 67
sshbuf.c 14
misc.c 5
openbsd-compat/freezero.c 1
sshbuf-getput-basic.c 17
openbsd-compat/recallocarray.c 1
sshbuf-misc.c 2
openbsd-compat/base64.c 2
cipher.c 8
openbsd-compat/bcrypt_pbkdf.c 2
hash.c 1
openbsd-compat/blowfish.c 6
openbsd-compat/arc4random.c 6
openbsd-compat/./arc4random.h 3
openbsd-compat/bsd-getentropy.c 1
openbsd-compat/./chacha_private.h 3
cipher-chachapoly-libcrypto.c 3
poly1305.c 1
openbsd-compat/timingsafe_bcmp.c 1
ssherr.c 1
digest-openssl.c 4
openbsd-compat/strlcat.c 1
readpass.c 6
openbsd-compat/readpassphrase.c 2
openbsd-compat/bsd-closefrom.c 2
ssh-sk.c 8
regress/misc/sk-dummy/sk-dummy.c 9
ed25519.c 34
openbsd-compat/sha2.c 5
sshkey-xmss.c 1
ssh-pkcs11.c 29

Fuzzer: kex_fuzz

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 489 35.4%
gold [1:9] 140 10.1%
yellow [10:29] 2 0.14%
greenyellow [30:49] 1 0.07%
lawngreen 50+ 748 54.2%
All colors 1380 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
941 941 1 :

['kex_send_ext_info']

941 1097 kex_send_newkeys call site: 00000 /src/openssh/kex.c:523
782 782 4 :

['get_local_ipaddr', 'get_peer_ipaddr', 'get_peer_port', 'get_local_port']

782 782 ssh_remote_ipaddr call site: 00579 /src/openssh/packet.c:521
721 731 8 :

['rewind', 'getline', 'BN_clear_free', 'free', 'arc4random_uniform', 'fclose', 'dh_new_group', 'parse_prime']

721 1411 choose_dh call site: 00000 /src/openssh/dh.c:167
542 747 7 :

['ssh_packet_have_data_to_write', 'ssh_packet_write_poll', '__errno_location', 'ppoll', 'monotime_tv', 'ms_subtract_diff', 'ms_to_timespec']

542 747 ssh_packet_write_wait call site: 01295 /src/openssh/packet.c:2012
423 423 1 :

['sshkey_parse_private_pem_fileblob']

423 423 sshkey_parse_private_fileblob_type call site: 00360 /src/openssh/sshkey.c:3537
283 505 3 :

['bcrypt_pbkdf', 'strlen', 'sshbuf_get_string']

287 3025 private2_decrypt call site: 00199 /src/openssh/sshkey.c:3017
279 279 1 :

['ssh_packet_read_poll2_mux']

279 279 ssh_packet_read_poll2 call site: 01224 /src/openssh/packet.c:1490
250 5317 12 :

['sshbuf_get_u8', 'sshbuf_ptr', 'sshbuf_reset', 'sshpkt_disconnect', 'ssh_packet_write_wait', 'uncompress_buffer', 'sshbuf_consume_end', 'sshbuf_consume', 'ssh_packet_log_type', 'ssh_packet_check_rekey', 'sshbuf_putb', 'ssh_packet_enable_delayed_compress']

250 5629 ssh_packet_read_poll2 call site: 01286 /src/openssh/packet.c:1612
250 921 3 :

['sshbuf_reset', 'sshbuf_putb', 'uncompress_buffer']

250 3544 ssh_packet_read_poll2 call site: 01314 /src/openssh/packet.c:1658
228 446 2 :

['sshkey_free', 'cert_new']

228 446 sshkey_new call site: 00159 /src/openssh/sshkey.c:621
220 220 1 :

['cert_free']

220 230 sshkey_free_contents call site: 00173 /src/openssh/sshkey.c:652
212 445 4 :

['sshbuf_get_string', 'sshkey_xmss_pklen', 'sshkey_is_cert', 'sshkey_xmss_deserialize_pk_info']

212 450 ssh_xmss_deserialize_public call site: 00000 /src/openssh/ssh-xmss.c:140

Runtime coverage analysis

Covered functions
492
Functions that are reachable but not covered
176
Reachable functions
448
Percentage of reachable functions covered
60.71%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/kex_fuzz.cc 11
log.c 5
xmalloc.c 4
fatal.c 1
match.c 3
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
cleanup.c 1
sshbuf.c 16
sshkey.c 49
misc.c 10
sshbuf-getput-basic.c 16
openbsd-compat/recallocarray.c 1
sshbuf-misc.c 2
openbsd-compat/base64.c 1
openbsd-compat/freezero.c 1
cipher.c 13
openbsd-compat/bcrypt_pbkdf.c 2
hash.c 1
openbsd-compat/blowfish.c 6
openbsd-compat/arc4random.c 6
openbsd-compat/./arc4random.h 3
openbsd-compat/bsd-getentropy.c 1
openbsd-compat/./chacha_private.h 3
cipher-chachapoly-libcrypto.c 4
poly1305.c 1
openbsd-compat/timingsafe_bcmp.c 1
ssherr.c 1
ssh_api.c 15
entropy.c 1
openbsd-compat/openssl-compat.c 2
packet.c 43
kex.c 21
mac.c 6
umac.c 26
./umac.c 26
hmac.c 6
digest-openssl.c 9
canohost.c 7
dispatch.c 2
regress/misc/fuzz-harness/ssh-sk-null.cc 1
compat.c 1
openbsd-compat/strlcat.c 1

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination, yield a high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
sshkey_check_revoked /src/openssh/authfile.c 2 ['struct.sshkey *', 'char *'] 8 0 58 9 2 174 0 1336 666
kex_gen_client /src/openssh/kexgen.c 1 ['struct.ssh.317 *'] 10 0 134 24 5 392 0 1943 517
ssh_xmss_sign /src/openssh/ssh-xmss.c 9 ['struct.sshkey.4 *', 'char **', 'size_t *', 'char *', 'size_t ', 'char *', 'char *', 'char *', 'int '] 6 0 377 67 27 140 0 824 335
xxxmain /src/openssh/regress/misc/fuzz-harness/../../../ssh-agent.c 2 ['int ', 'char **'] 11 0 816 137 32 492 0 2673 290
kexgex_server /src/openssh/kexgexs.c 1 ['struct.ssh.268 *'] 9 0 17 3 2 318 0 1685 174
sshauthopt_from_cert /src/openssh/auth-options.c 1 ['struct.sshkey *'] 9 0 108 19 9 73 0 488 129
sshkey_save_private /src/openssh/authfile.c 7 ['struct.sshkey *', 'char *', 'char *', 'char *', 'int ', 'char *', 'int '] 8 0 86 11 5 186 0 1048 122
ssh_krl_to_blob /src/openssh/krl.c 4 ['struct.ssh_krl *', 'struct.sshbuf *', 'struct.sshkey **', 'int '] 7 0 495 91 35 169 0 1004 101
subprocess /src/openssh/misc.c 9 ['char *', 'char *', 'int ', 'char **', 'struct._IO_FILE **', 'int ', 'struct.passwd *', 'func_type *', 'func_type *'] 3 0 709 108 31 69 0 324 87
ssh_dispatch_run_fatal /src/openssh/dispatch.c 3 ['struct.ssh.349 *', 'int ', 'int *'] 8 0 40 5 2 248 0 1336 85

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers
63.0%
810 / 1283
Cyclomatic complexity statically reachable by fuzzers
67.0%
6036 / 9052

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For futher technical details on how this section is generated, please see the Glossary .

Complex functions with low coverage

Func name Function total lines Lines covered at runtime percentage covered Reached by fuzzers
sshbuf_dtob64 33 18 54.54% []
sshauthopt_merge 94 51 54.25% ['authopt_fuzz']
log_init 61 8 13.11% ['sshsig_fuzz', 'agent_fuzz', 'kex_fuzz']
ssh_err 128 70 54.68% ['sig_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz']
cipher_init 69 24 34.78% ['agent_fuzz', 'kex_fuzz']
cipher_crypt 44 6 13.63% ['agent_fuzz', 'kex_fuzz']
strnvis 37 19 51.35% ['pubkey_fuzz', 'privkey_fuzz', 'sig_fuzz', 'authopt_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz']
process_sign_request2 130 38 29.23% ['agent_fuzz']
identity_permitted 64 12 18.75% ['agent_fuzz']
process_add_identity 96 25 26.04% ['agent_fuzz']
process_add_smartcard_key 69 24 34.78% ['agent_fuzz']
process_remove_smartcard_key 35 14 40.0% ['agent_fuzz']
private2_decrypt 120 65 54.16% ['agent_fuzz', 'kex_fuzz']
choose_dh 65 11 16.92% []
kex_send_kexinit 31 17 54.83% ['kex_fuzz']
ssh_packet_send2 54 20 37.03% ['kex_fuzz']
ssh_packet_write_wait 40 8 20.0% ['kex_fuzz']
sshkey_unshield_private 55 9 16.36% ['agent_fuzz', 'kex_fuzz']

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
[] []
/src/openssh/ssh-ecdsa.c [] []
/src/openssh/openbsd-compat/freezero.c ['pubkey_fuzz', 'privkey_fuzz', 'sig_fuzz', 'authopt_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['pubkey_fuzz', 'privkey_fuzz', 'sig_fuzz', 'authopt_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/openssh/openbsd-compat/bsd-closefrom.c ['agent_fuzz'] []
/src/openssh/xmalloc.c ['authopt_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['sshsig_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/openssh/openbsd-compat/base64.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz', 'kex_fuzz']
/src/openssh/match.c ['pubkey_fuzz', 'privkey_fuzz', 'sig_fuzz', 'authopt_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['sshsig_fuzz', 'kex_fuzz']
/src/openssh/kex.c ['kex_fuzz'] ['kex_fuzz']
/src/openssh/regress/misc/fuzz-harness/kex_fuzz.cc ['kex_fuzz'] ['kex_fuzz']
/src/openssh/cleanup.c ['authopt_fuzz', 'sshsig_fuzz', 'kex_fuzz'] []
/src/openssh/regress/misc/fuzz-harness/authopt_fuzz.cc ['authopt_fuzz'] ['authopt_fuzz']
/src/openssh/regress/misc/fuzz-harness/agent_fuzz.cc ['agent_fuzz'] ['agent_fuzz']
/src/openssh/utf8.c [] []
/src/openssh/entropy.c ['kex_fuzz'] ['kex_fuzz']
/src/openssh/openbsd-compat/recallocarray.c ['authopt_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['authopt_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/openssh/openbsd-compat/bsd-misc.c [] []
/src/openssh/platform-misc.c [] []
/src/openssh/openbsd-compat/readpassphrase.c ['agent_fuzz'] []
/src/openssh/authfile.c [] []
/src/openssh/openbsd-compat/strlcpy.c ['pubkey_fuzz', 'privkey_fuzz', 'sig_fuzz', 'authopt_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['sshsig_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/openssh/sntrup761.c [] []
/src/openssh/kexgen.c [] []
/src/openssh/ssh-rsa.c [] []
/src/openssh/kexgexc.c [] []
/src/openssh/log.c ['pubkey_fuzz', 'privkey_fuzz', 'sig_fuzz', 'authopt_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['pubkey_fuzz', 'privkey_fuzz', 'sig_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/openssh/openbsd-compat/./arc4random.h ['agent_fuzz', 'kex_fuzz'] []
/src/openssh/xmss_wots.c [] []
/src/openssh/openbsd-compat/libressl-api-compat.c [] []
/src/openssh/digest-openssl.c ['sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['sshsig_fuzz', 'kex_fuzz']
/src/openssh/openbsd-compat/port-net.c [] []
/src/openssh/xmss_fast.c [] []
/src/openssh/regress/misc/fuzz-harness/sshsigopt_fuzz.cc ['sshsigopt_fuzz'] ['sshsigopt_fuzz']
/src/openssh/ssh_api.c ['kex_fuzz'] ['kex_fuzz']
/src/openssh/krl.c [] []
/src/openssh/xmss_hash.c [] []
/src/openssh/auth-options.c ['authopt_fuzz'] ['authopt_fuzz']
/src/openssh/misc.c ['pubkey_fuzz', 'privkey_fuzz', 'sig_fuzz', 'authopt_fuzz', 'sshsigopt_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['authopt_fuzz', 'sshsigopt_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/openssh/regress/misc/fuzz-harness/ssh-sk-null.cc ['kex_fuzz'] []
/src/openssh/sshbuf-misc.c ['sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['sshsig_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/openssh/packet.c ['kex_fuzz'] ['kex_fuzz']
/src/openssh/openbsd-compat/vis.c ['pubkey_fuzz', 'privkey_fuzz', 'sig_fuzz', 'authopt_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['agent_fuzz', 'kex_fuzz']
/src/openssh/openbsd-compat/bcrypt_pbkdf.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz']
/src/openssh/ssh-pkcs11.c ['agent_fuzz'] []
/src/openssh/openbsd-compat/sha2.c ['agent_fuzz'] []
/src/openssh/kexecdh.c [] []
/src/openssh/openbsd-compat/strlcat.c ['sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['sshsig_fuzz', 'kex_fuzz']
/src/openssh/kexgexs.c [] []
/src/openssh/sshbuf.c ['pubkey_fuzz', 'privkey_fuzz', 'sig_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['pubkey_fuzz', 'privkey_fuzz', 'sig_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/openssh/./umac.c ['kex_fuzz'] ['kex_fuzz']
/src/openssh/sshkey.c ['pubkey_fuzz', 'privkey_fuzz', 'sig_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['pubkey_fuzz', 'privkey_fuzz', 'sig_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/openssh/openbsd-compat/./chacha_private.h ['agent_fuzz', 'kex_fuzz'] []
/src/openssh/ssh-ecdsa-sk.c [] []
/src/openssh/addr.c [] []
/src/openssh/sshbuf-getput-basic.c ['pubkey_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['pubkey_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/openssh/sshsig.c ['sshsigopt_fuzz', 'sshsig_fuzz'] ['sshsigopt_fuzz', 'sshsig_fuzz']
/src/openssh/ssh-ed25519.c [] []
/src/openssh/openbsd-compat/strtonum.c ['authopt_fuzz'] ['authopt_fuzz']
/src/openssh/addrmatch.c [] []
/src/openssh/openbsd-compat/bsd-getpeereid.c [] []
/src/openssh/regress/misc/sk-dummy/sk-dummy.c ['agent_fuzz'] []
/src/openssh/bitmap.c [] []
/src/openssh/kexdh.c [] []
/src/openssh/platform-tracing.c [] []
/src/openssh/fatal.c ['authopt_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] []
/src/openssh/xmss_hash_address.c [] []
/src/openssh/sshbuf-io.c [] []
/src/openssh/umac.c ['kex_fuzz'] ['kex_fuzz']
/src/openssh/openbsd-compat/getopt_long.c [] []
/src/openssh/openbsd-compat/timingsafe_bcmp.c ['sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['sshsig_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/openssh/ssh-dss.c [] []
/src/openssh/kexc25519.c [] []
/src/openssh/openbsd-compat/bsd-getentropy.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz', 'kex_fuzz']
/src/openssh/openbsd-compat/arc4random.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz', 'kex_fuzz']
/src/openssh/ed25519.c ['agent_fuzz'] ['agent_fuzz']
/src/openssh/regress/misc/fuzz-harness/sshsig_fuzz.cc ['sshsig_fuzz'] ['sshsig_fuzz']
/src/openssh/cipher-chachapoly-libcrypto.c ['agent_fuzz', 'kex_fuzz'] []
/src/openssh/platform-pledge.c [] []
/src/openssh/ssh-ed25519-sk.c [] []
/src/openssh/kexsntrup761x25519.c [] []
/src/openssh/canohost.c ['kex_fuzz'] []
/src/openssh/readpass.c ['agent_fuzz'] ['agent_fuzz']
/src/openssh/dispatch.c ['kex_fuzz'] ['kex_fuzz']
/src/openssh/dh.c [] []
/src/openssh/poly1305.c ['agent_fuzz', 'kex_fuzz'] []
/src/openssh/smult_curve25519_ref.c [] []
/src/openssh/openbsd-compat/blowfish.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz']
/src/openssh/sshkey-xmss.c ['agent_fuzz'] []
/src/openssh/openbsd-compat/arc4random_uniform.c [] []
/src/openssh/hash.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz', 'kex_fuzz']
/src/openssh/atomicio.c [] []
/src/openssh/ssh-sk.c ['agent_fuzz'] []
/src/openssh/hmac.c ['kex_fuzz'] ['kex_fuzz']
/src/openssh/ssherr.c ['sig_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['sshsig_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/openssh/kexgex.c [] []
/src/openssh/mac.c ['kex_fuzz'] ['kex_fuzz']
/src/openssh/sshbuf-getput-crypto.c [] []
/src/openssh/regress/misc/fuzz-harness/sig_fuzz.cc ['sig_fuzz'] ['sig_fuzz']
/src/openssh/cipher.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz', 'kex_fuzz']
/src/openssh/compat.c ['kex_fuzz'] ['kex_fuzz']
/src/openssh/ssh-xmss.c [] []
/src/openssh/regress/misc/fuzz-harness/agent_fuzz_helper.c ['agent_fuzz'] ['agent_fuzz']
/src/openssh/regress/misc/fuzz-harness/pubkey_fuzz.cc ['pubkey_fuzz'] ['pubkey_fuzz']
/src/openssh/regress/misc/fuzz-harness/privkey_fuzz.cc ['privkey_fuzz'] ['privkey_fuzz']
/src/openssh/xmss_commons.c [] []
/src/openssh/regress/misc/fuzz-harness/../../../ssh-agent.c ['agent_fuzz'] []
/src/openssh/openbsd-compat/openssl-compat.c ['kex_fuzz'] ['kex_fuzz']

Directories in report

Directory
/src/openssh/regress/misc/fuzz-harness/
/src/openssh/openbsd-compat/
/src/openssh/./
/src/openssh/
/src/openssh/regress/misc/fuzz-harness/../../../
/src/openssh/regress/misc/sk-dummy/
/src/openssh/openbsd-compat/./

Metadata section

This sections shows the raw data that is used to produce this report. This is mainly used for further processing and developer debugging.

Fuzzer Calltree file Program data file Coverage file
pubkey_fuzz fuzzerLogFile-0-9yh0fVzaTo.data fuzzerLogFile-0-9yh0fVzaTo.data.yaml pubkey_fuzz.covreport
privkey_fuzz fuzzerLogFile-0-luOcg3ik1x.data fuzzerLogFile-0-luOcg3ik1x.data.yaml privkey_fuzz.covreport
sig_fuzz fuzzerLogFile-0-073rHKMbbs.data fuzzerLogFile-0-073rHKMbbs.data.yaml sig_fuzz.covreport
authopt_fuzz fuzzerLogFile-0-dQlcOdCxgp.data fuzzerLogFile-0-dQlcOdCxgp.data.yaml authopt_fuzz.covreport
sshsigopt_fuzz fuzzerLogFile-0-hWiPJRHJ9W.data fuzzerLogFile-0-hWiPJRHJ9W.data.yaml sshsigopt_fuzz.covreport
sshsig_fuzz fuzzerLogFile-0-ZVlki2Yx31.data fuzzerLogFile-0-ZVlki2Yx31.data.yaml sshsig_fuzz.covreport
agent_fuzz fuzzerLogFile-0-nLPkMgFZu3.data fuzzerLogFile-0-nLPkMgFZu3.data.yaml agent_fuzz.covreport
kex_fuzz fuzzerLogFile-0-vYII3w8MpM.data fuzzerLogFile-0-vYII3w8MpM.data.yaml kex_fuzz.covreport