Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of the columns in the table below, please see the Glossary.

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzzer details

Fuzzer: sshsigopt_fuzz

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 0 0.0%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 32 100.0%
All colors 32 100

Runtime coverage analysis

Covered functions: 7
Functions that are reachable but not covered: 9
Reachable functions: 16
Percentage of reachable functions covered: 43.75%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/sshsigopt_fuzz.cc 1
sshsig.c 2
misc.c 4

Fuzzer: authkeys_fuzz

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 642 100.0%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 0 0.0%
All colors 642 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
641 0 EP call site: 00000 auth_check_authkey_line

Runtime coverage analysis

Covered functions: 0
Functions that are reachable but not covered: 202
Reachable functions: 202
Percentage of reachable functions covered: 0.0%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/authkeys_fuzz.cc 3
sshkey.c 40
sshbuf.c 14
misc.c 12
log.c 3
match.c 5
xmalloc.c 4
fatal.c 1
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
cleanup.c 1
openbsd-compat/freezero.c 1
ssh-pkcs11-client.c 3
sshbuf-getput-basic.c 11
openbsd-compat/recallocarray.c 1
ssherr.c 1
ssherr-libcrypto.c 1
sshbuf-misc.c 2
openbsd-compat/base64.c 2
auth2-pubkeyfile.c 3
authfile.c 1
auth-options.c 9
openbsd-compat/strtonum.c 1
openbsd-compat/timingsafe_bcmp.c 1
digest-openssl.c 4
openbsd-compat/strlcat.c 1
addrmatch.c 2
addr.c 13

Fuzzer: pubkey_fuzz

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 121 46.5%
gold [1:9] 4 1.53%
yellow [10:29] 0 0.0%
greenyellow [30:49] 2 0.76%
lawngreen 50+ 133 51.1%
All colors 260 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
45 15 sshlog call site: 00015 match_pattern_list
44 144 sshkey_ssh_name_from_type_nid call site: 00144 sshkey_putb
10 114 sshkey_impl_from_key call site: 00114 helper_by_key
8 6 sshbuf_fromb call site: 00006 ssh_signal
3 110 sshkey_free call site: 00110 pkcs11_key_free
2 134 recallocarray call site: 00134 __errno_location
2 141 sshbuf_allocate call site: 00141 sshkey_ssh_name_from_type_nid
1 68 sshbuf_set_parent call site: 00068 sshbuf_free
1 88 type_from_name call site: 00088 strcasecmp
1 104 cert_new call site: 00104 cert_free
1 137 recallocarray call site: 00137 memset
1 194 sshkey_free_contents call site: 00194 munmap

Runtime coverage analysis

Covered functions: 97
Functions that are reachable but not covered: 55
Reachable functions: 104
Percentage of reachable functions covered: 47.12%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/pubkey_fuzz.cc 1
sshkey.c 24
sshbuf.c 14
misc.c 1
log.c 3
match.c 3
xmalloc.c 2
fatal.c 1
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
cleanup.c 1
openbsd-compat/freezero.c 1
sshbuf-getput-basic.c 11
ssh-pkcs11-client.c 3
openbsd-compat/recallocarray.c 1
ssherr.c 1
ssherr-libcrypto.c 1
sshbuf-misc.c 1

Fuzzer: authopt_fuzz

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 64 39.5%
gold [1:9] 3 1.85%
yellow [10:29] 0 0.0%
greenyellow [30:49] 2 1.23%
lawngreen 50+ 93 57.4%
All colors 162 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
52 84 sshauthopt_parse call site: 00084 a2tun
4 50 recallocarray call site: 00050 __errno_location
3 152 sshauthopt_merge call site: 00152 dup_strings
2 156 sshauthopt_merge call site: 00156 sshauthopt_free
1 77 a2port call site: 00077 ntohs
1 148 dup_strings call site: 00148 dup_strings
1 150 sshauthopt_merge call site: 00150 dup_strings

Runtime coverage analysis

Covered functions: 19
Functions that are reachable but not covered: 44
Reachable functions: 63
Percentage of reachable functions covered: 30.16%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/authopt_fuzz.cc 1
auth-options.c 7
misc.c 8
openbsd-compat/recallocarray.c 1
openbsd-compat/strtonum.c 1
xmalloc.c 3
fatal.c 1
log.c 2
match.c 3
cleanup.c 1
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
openbsd-compat/freezero.c 1

Fuzzer: sig_fuzz

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 158 75.2%
gold [1:9] 7 3.33%
yellow [10:29] 1 0.47%
greenyellow [30:49] 1 0.47%
lawngreen 50+ 43 20.4%
All colors 210 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
57 119 sshkey_ssh_name_from_type_nid call site: 00119 cert_free
45 30 sshlog call site: 00030 match_pattern_list
18 100 sshbuf_ptr call site: 00100 sshbuf_put
9 11 sshkey_is_cert call site: 00011 cert_new
9 87 sshkey_impl_from_key call site: 00087 helper_by_key
8 21 sshbuf_free call site: 00021 ssh_signal
7 79 sshbuf_free call site: 00079 sshkey_free
2 97 sshbuf_len call site: 00097 sshbuf_putb
1 7 sshkey_generate call site: 00007 sshkey_impl_from_type
1 76 sshbuf_free call site: 00076 freezero
1 202 LLVMFuzzerTestOneInput call site: 00202 sshkey_verify

Runtime coverage analysis

Covered functions: 45
Functions that are reachable but not covered: 70
Reachable functions: 91
Percentage of reachable functions covered: 23.08%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/sig_fuzz.cc 2
sshkey.c 19
sshbuf.c 9
misc.c 1
log.c 3
match.c 3
xmalloc.c 2
fatal.c 1
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
cleanup.c 1
openbsd-compat/freezero.c 1
ssh-pkcs11-client.c 3
sshbuf-getput-basic.c 4
openbsd-compat/recallocarray.c 1
ssherr.c 1
ssherr-libcrypto.c 1
sshbuf-misc.c 1

Fuzzer: privkey_fuzz

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 123 44.8%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 2 0.72%
lawngreen 50+ 149 54.3%
All colors 274 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
45 16 sshlog call site: 00016 match_pattern_list
44 154 sshkey_ssh_name_from_type_nid call site: 00154 sshkey_putb
10 124 sshkey_impl_from_key call site: 00124 helper_by_key
8 7 sshbuf_ptr call site: 00007 ssh_signal
3 120 sshkey_free call site: 00120 pkcs11_key_free
2 144 recallocarray call site: 00144 __errno_location
2 151 sshbuf_allocate call site: 00151 sshkey_ssh_name_from_type_nid
1 73 type_from_name call site: 00073 strcasecmp
1 84 sshbuf_set_parent call site: 00084 sshbuf_free
1 97 sshbuf_fromb call site: 00097 sshbuf_free
1 114 cert_new call site: 00114 cert_free
1 147 recallocarray call site: 00147 memset

Runtime coverage analysis

Covered functions: 108
Functions that are reachable but not covered: 55
Reachable functions: 107
Percentage of reachable functions covered: 48.6%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions is larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/privkey_fuzz.cc 1
sshbuf.c 14
sshkey.c 27
sshbuf-getput-basic.c 11
misc.c 1
log.c 3
match.c 3
xmalloc.c 2
fatal.c 1
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
cleanup.c 1
openbsd-compat/freezero.c 1
ssh-pkcs11-client.c 3
openbsd-compat/recallocarray.c 1
ssherr.c 1
ssherr-libcrypto.c 1
sshbuf-misc.c 1

Fuzzer: sshsig_fuzz

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 129 33.7%
gold [1:9] 3 0.78%
yellow [10:29] 2 0.52%
greenyellow [30:49] 4 1.04%
lawngreen 50+ 244 63.8%
All colors 382 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
31 254 sshkey_ssh_name_from_type_nid call site: 00254 sshkey_putb
28 35 match_pattern call site: 00035 sshfatal
10 113 sshsig_peek_hashalg call site: 00113 ssherr_libcrypto
10 238 sshkey_impl_from_key call site: 00238 helper_by_key
8 16 sshbuf_fromb call site: 00016 ssh_signal
6 6 log_init call site: 00006 fprintf
4 25 sshlog call site: 00025 match_pattern_list
4 145 hash_buffer call site: 00145 xstrdup
3 234 sshkey_free call site: 00234 pkcs11_key_free
2 140 ssh_digest_memory call site: 00140 ssh_err
2 168 recallocarray call site: 00168 __errno_location
2 175 sshbuf_allocate call site: 00175 ssh_err

Runtime coverage analysis

Covered functions: 107
Functions that are reachable but not covered: 53
Reachable functions: 128
Percentage of reachable functions covered: 58.59%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/sshsig_fuzz.cc 1
sshbuf.c 14
log.c 5
sshsig.c 6
misc.c 2
match.c 3
xmalloc.c 4
fatal.c 1
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
cleanup.c 1
openbsd-compat/freezero.c 1
sshbuf-misc.c 2
openbsd-compat/timingsafe_bcmp.c 1
sshbuf-getput-basic.c 12
ssherr.c 1
ssherr-libcrypto.c 1
digest-openssl.c 5
openbsd-compat/strlcat.c 1
openbsd-compat/recallocarray.c 1
sshkey.c 25
ssh-pkcs11-client.c 3

Fuzzer: agent_fuzz

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1196 66.9%
gold [1:9] 68 3.80%
yellow [10:29] 26 1.45%
greenyellow [30:49] 56 3.13%
lawngreen 50+ 441 24.6%
All colors 1787 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
378 880 identity_permitted call site: 00880 sshkey_sign
131 1564 process_add_smartcard_key call site: 01564 parse_key_constraints
118 1424 process_add_identity call site: 01424 sshkey_shield_private
70 1262 sshkey_puts_opts_internal call site: 01262 sshkey_shield_private
41 1333 sshkey_ssh_name call site: 01333 sshkey_shield_private
39 1738 process_extension call site: 01738 process_ext_session_bind
32 144 sshbuf_put_string call site: 00144 sshkey_putb
29 849 sshkey_fingerprint call site: 00849 parse_userauth_request
25 520 sshkey_parse_private2 call site: 00520 sshkey_parse_private_pem_fileblob
22 424 cipher_init call site: 00424 chachapoly_new
22 448 private2_decrypt call site: 00448 chachapoly_crypt
21 827 fingerprint_b64 call site: 00827 fingerprint_randomart

Runtime coverage analysis

Covered functions: 213
Functions that are reachable but not covered: 237
Reachable functions: 406
Percentage of reachable functions covered: 41.63%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/agent_fuzz.cc 1
regress/misc/fuzz-harness/agent_fuzz_helper.c 9
log.c 6
match.c 3
xmalloc.c 6
fatal.c 1
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
regress/misc/fuzz-harness/./../../../ssh-agent.c 43
ssh-pkcs11-client.c 13
openbsd-compat/recallocarray.c 1
sshbuf.c 15
misc.c 6
openbsd-compat/freezero.c 1
sshkey.c 77
sshbuf-getput-basic.c 18
ssherr.c 1
ssherr-libcrypto.c 1
sshbuf-misc.c 3
openbsd-compat/base64.c 2
cipher.c 8
openbsd-compat/bcrypt_pbkdf.c 2
openbsd-compat/../crypto_api.h 1
openbsd-compat/blowfish.c 6
openbsd-compat/arc4random.c 6
openbsd-compat/./arc4random.h 3
openbsd-compat/bsd-getentropy.c 1
openbsd-compat/./chacha_private.h 3
cipher-chachapoly-libcrypto.c 3
poly1305.c 1
openbsd-compat/timingsafe_bcmp.c 1
ssh-ecdsa.c 1
digest-openssl.c 4
openbsd-compat/strlcat.c 1
readpass.c 6
openbsd-compat/readpassphrase.c 1
openbsd-compat/bsd-closefrom.c 2
ssh-sk.c 8
atomicio.c 2

Fuzzer: kex_fuzz

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1587 100.0%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 0 0.0%
All colors 1587 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
1586 0 EP call site: 00000 ssh_init

Runtime coverage analysis

Covered functions: 0
Functions that are reachable but not covered: 473
Reachable functions: 473
Percentage of reachable functions covered: 0.0%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/kex_fuzz.cc 11
log.c 6
xmalloc.c 4
fatal.c 1
match.c 6
cleanup.c 1
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
sshbuf.c 16
sshkey.c 51
misc.c 11
sshbuf-getput-basic.c 16
openbsd-compat/recallocarray.c 1
sshbuf-misc.c 3
openbsd-compat/base64.c 1
openbsd-compat/freezero.c 1
ssh-pkcs11-client.c 3
ssherr.c 1
ssherr-libcrypto.c 1
cipher.c 13
openbsd-compat/bcrypt_pbkdf.c 2
openbsd-compat/../crypto_api.h 1
openbsd-compat/blowfish.c 6
openbsd-compat/arc4random.c 6
openbsd-compat/./arc4random.h 3
openbsd-compat/bsd-getentropy.c 1
openbsd-compat/./chacha_private.h 3
cipher-chachapoly-libcrypto.c 4
poly1305.c 1
openbsd-compat/timingsafe_bcmp.c 1
ssh-ecdsa.c 1
ssh_api.c 11
entropy.c 1
openbsd-compat/openssl-compat.c 2
packet.c 51
kex.c 22
mac.c 6
umac.c 26
./umac.c 26
hmac.c 6
digest-openssl.c 9
canohost.c 7
kex-names.c 7
openbsd-compat/strlcat.c 1
compat.c 2
dispatch.c 2

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that, in combination, yield high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
kex_gen_client /src/openssh/kexgen.c 1 ['N/A'] 30 0 138 25 5 861 0 3174 1523
sshkey_check_revoked /src/openssh/authfile.c 2 ['N/A', 'N/A'] 22 0 55 9 2 198 0 1405 623
xxxmain /src/openssh/regress/misc/fuzz-harness/./../../../ssh-agent.c 2 ['int', 'N/A'] 28 0 1414 255 59 417 0 2407 442
kexgex_server /src/openssh/kexgexs.c 1 ['N/A'] 31 0 16 3 2 392 0 1978 160
sshkey_save_private /src/openssh/authfile.c 7 ['N/A', 'N/A', 'N/A', 'N/A', 'int', 'N/A', 'int'] 23 0 76 11 5 205 0 1115 118
ssh_krl_to_blob /src/openssh/krl.c 2 ['N/A', 'N/A'] 19 0 404 78 30 83 0 495 94
kex_gen_server /src/openssh/kexgen.c 1 ['N/A'] 30 0 16 3 2 769 0 2889 89
subprocess /src/openssh/misc.c 9 ['N/A', 'N/A', 'int', 'N/A', 'N/A', 'int', 'N/A', 'N/A', 'N/A'] 13 0 687 108 31 70 0 327 85
ssh_ecdsa_sk_verify /src/openssh/ssh-ecdsa-sk.c 8 ['N/A', 'N/A', 'size_t', 'N/A', 'size_t', 'N/A', 'int', 'N/A'] 17 0 597 104 43 90 0 530 84
ssh_packet_get_state /src/openssh/packet.c 2 ['N/A', 'N/A'] 16 0 314 50 23 59 0 364 77

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers: 74.0% (1180 / 1596)
Cyclomatic complexity statically reachable by fuzzers: 72.0% (6809 / 9488)

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzz engine guidance

This section provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

regress/misc/fuzz-harness/sshsigopt_fuzz.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


regress/misc/fuzz-harness/authkeys_fuzz.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


regress/misc/fuzz-harness/pubkey_fuzz.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libFuzzer with the flag: -focus_function name

-focus_function=['sshlog', 'sshkey_ssh_name_from_type_nid', 'sshkey_impl_from_key', 'sshbuf_fromb', 'sshkey_free', 'recallocarray', 'sshbuf_allocate', 'sshbuf_set_parent', 'type_from_name', 'cert_new']

regress/misc/fuzz-harness/authopt_fuzz.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libFuzzer with the flag: -focus_function name

-focus_function=['sshauthopt_parse', 'recallocarray', 'sshauthopt_merge', 'a2port', 'dup_strings']

regress/misc/fuzz-harness/sig_fuzz.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libFuzzer with the flag: -focus_function name

-focus_function=['sshkey_ssh_name_from_type_nid', 'sshlog', 'sshbuf_ptr', 'sshkey_is_cert', 'sshkey_impl_from_key', 'sshbuf_free', 'sshbuf_len', 'sshkey_generate']

regress/misc/fuzz-harness/privkey_fuzz.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libFuzzer with the flag: -focus_function name

-focus_function=['sshlog', 'sshkey_ssh_name_from_type_nid', 'sshkey_impl_from_key', 'sshbuf_ptr', 'sshkey_free', 'recallocarray', 'sshbuf_allocate', 'type_from_name', 'sshbuf_set_parent', 'sshbuf_fromb']

regress/misc/fuzz-harness/sshsig_fuzz.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libFuzzer with the flag: -focus_function name

-focus_function=['sshkey_ssh_name_from_type_nid', 'match_pattern', 'sshsig_peek_hashalg', 'sshkey_impl_from_key', 'sshbuf_fromb', 'log_init', 'sshlog', 'hash_buffer', 'sshkey_free', 'ssh_digest_memory']

regress/misc/fuzz-harness/agent_fuzz.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libFuzzer with the flag: -focus_function name

-focus_function=['identity_permitted', 'process_add_smartcard_key', 'process_add_identity', 'sshkey_puts_opts_internal', 'sshkey_ssh_name', 'process_extension', 'sshbuf_put_string', 'sshkey_fingerprint', 'sshkey_parse_private2', 'cipher_init']

regress/misc/fuzz-harness/kex_fuzz.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is that fuzz introspector may include more code in its reasoning than is desired. This section helps identify whether too many files or directories are included, e.g. third-party code, which may be irrelevant for the threat model. If too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
[] []
/src/openssh/openbsd-compat/../crypto_api.h ['agent_fuzz', 'kex_fuzz'] []
/src/openssh/log.c ['authkeys_fuzz', 'pubkey_fuzz', 'authopt_fuzz', 'sig_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['pubkey_fuzz', 'sig_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'agent_fuzz']
/src/openssh/./libcrux_mlkem768_sha3.h [] []
/src/openssh/utf8.c [] []
/src/openssh/openbsd-compat/arc4random.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz']
/src/openssh/ssh-ecdsa.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz']
/src/openssh/regress/misc/fuzz-harness/kex_fuzz.cc ['kex_fuzz'] []
/src/openssh/addrmatch.c ['authkeys_fuzz'] []
/src/openssh/ssh-ed25519.c [] []
/src/openssh/openbsd-compat/bsd-getpeereid.c [] []
/src/openssh/mac.c ['kex_fuzz'] []
/src/openssh/openbsd-compat/recallocarray.c ['authkeys_fuzz', 'pubkey_fuzz', 'authopt_fuzz', 'sig_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['pubkey_fuzz', 'authopt_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'agent_fuzz']
/src/openssh/auth2-pubkeyfile.c ['authkeys_fuzz'] []
/src/openssh/packet.c ['kex_fuzz'] []
/src/openssh/kexc25519.c [] []
/src/openssh/platform-misc.c [] []
/src/openssh/misc-agent.c [] []
/src/openssh/regress/misc/fuzz-harness/agent_fuzz.cc ['agent_fuzz'] ['agent_fuzz']
/src/openssh/cipher-chachapoly-libcrypto.c ['agent_fuzz', 'kex_fuzz'] []
/src/openssh/krl.c [] []
/src/openssh/openbsd-compat/fmt_scaled.c [] []
/src/openssh/kexdh.c [] []
/src/openssh/sshkey.c ['authkeys_fuzz', 'pubkey_fuzz', 'sig_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['pubkey_fuzz', 'sig_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'agent_fuzz']
/src/openssh/openbsd-compat/openssl-compat.c ['kex_fuzz'] []
/src/openssh/./umac.c ['kex_fuzz'] []
/src/openssh/ed25519-openssl.c [] []
/src/openssh/hmac.c ['kex_fuzz'] []
/src/openssh/sshbuf-getput-basic.c ['authkeys_fuzz', 'pubkey_fuzz', 'sig_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['pubkey_fuzz', 'sig_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'agent_fuzz']
/src/openssh/sshsig.c ['sshsigopt_fuzz', 'sshsig_fuzz'] ['sshsigopt_fuzz', 'sshsig_fuzz']
/src/openssh/regress/misc/fuzz-harness/authkeys_fuzz.cc ['authkeys_fuzz'] []
/src/openssh/openbsd-compat/strtonum.c ['authkeys_fuzz', 'authopt_fuzz'] ['authopt_fuzz']
/src/openssh/regress/misc/fuzz-harness/ssh-sk-null.cc [] []
/src/openssh/platform-pledge.c [] []
/src/openssh/digest-openssl.c ['authkeys_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['sshsig_fuzz', 'agent_fuzz']
/src/openssh/regress/misc/fuzz-harness/../sk-dummy/sk-dummy.c [] []
/src/openssh/platform-tracing.c [] []
/src/openssh/regress/misc/fuzz-harness/agent_fuzz_helper.c ['agent_fuzz'] ['agent_fuzz']
/src/openssh/openbsd-compat/port-net.c [] []
/src/openssh/sshbuf-misc.c ['authkeys_fuzz', 'pubkey_fuzz', 'sig_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['pubkey_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'agent_fuzz']
/src/openssh/openbsd-compat/getopt_long.c [] []
/src/openssh/authfile.c ['authkeys_fuzz'] []
/src/openssh/regress/misc/fuzz-harness/privkey_fuzz.cc ['privkey_fuzz'] ['privkey_fuzz']
/src/openssh/entropy.c ['kex_fuzz'] []
/src/openssh/match.c ['authkeys_fuzz', 'pubkey_fuzz', 'authopt_fuzz', 'sig_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['sshsig_fuzz']
/src/openssh/ssh-ed25519-sk.c [] []
/src/openssh/openbsd-compat/blowfish.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz']
/src/openssh/kexmlkem768x25519.c [] []
/src/openssh/openbsd-compat/./arc4random.h ['agent_fuzz', 'kex_fuzz'] []
/src/openssh/regress/misc/fuzz-harness/pubkey_fuzz.cc ['pubkey_fuzz'] ['pubkey_fuzz']
/src/openssh/ssherr.c ['authkeys_fuzz', 'pubkey_fuzz', 'sig_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['sshsig_fuzz', 'agent_fuzz']
/src/openssh/poly1305.c ['agent_fuzz', 'kex_fuzz'] []
/src/openssh/umac.c ['kex_fuzz'] []
/src/openssh/sntrup761.c [] []
/src/openssh/kexgexc.c [] []
/src/openssh/ssh-sk.c ['agent_fuzz'] []
/src/openssh/openbsd-compat/./chacha_private.h ['agent_fuzz', 'kex_fuzz'] []
/src/openssh/kexecdh.c [] []
/src/openssh/regress/misc/fuzz-harness/sshsig_fuzz.cc ['sshsig_fuzz'] ['sshsig_fuzz']
/src/openssh/kexsntrup761x25519.c [] []
/src/openssh/ssh-pkcs11-client.c ['authkeys_fuzz', 'pubkey_fuzz', 'sig_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] []
/src/openssh/openbsd-compat/strlcpy.c ['authkeys_fuzz', 'pubkey_fuzz', 'authopt_fuzz', 'sig_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['agent_fuzz']
/src/openssh/sshbuf.c ['authkeys_fuzz', 'pubkey_fuzz', 'sig_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['pubkey_fuzz', 'sig_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'agent_fuzz']
/src/openssh/regress/misc/fuzz-harness/sig_fuzz.cc ['sig_fuzz'] ['sig_fuzz']
/src/openssh/sshbuf-io.c [] []
/src/openssh/atomicio.c ['agent_fuzz'] []
/src/openssh/addr.c ['authkeys_fuzz'] []
/src/openssh/kexgexs.c [] []
/src/openssh/kexgen.c [] []
/src/openssh/openbsd-compat/arc4random_uniform.c [] []
/src/openssh/openbsd-compat/vis.c ['authkeys_fuzz', 'pubkey_fuzz', 'authopt_fuzz', 'sig_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['agent_fuzz']
/src/openssh/openbsd-compat/base64.c ['authkeys_fuzz', 'agent_fuzz', 'kex_fuzz'] ['agent_fuzz']
/src/openssh/regress/misc/fuzz-harness/sshsigopt_fuzz.cc ['sshsigopt_fuzz'] ['sshsigopt_fuzz']
/src/openssh/bitmap.c [] []
/src/openssh/misc.c ['sshsigopt_fuzz', 'authkeys_fuzz', 'pubkey_fuzz', 'authopt_fuzz', 'sig_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['sshsigopt_fuzz', 'authopt_fuzz', 'sshsig_fuzz', 'agent_fuzz']
/src/openssh/compat.c ['kex_fuzz'] []
/src/openssh/regress/misc/fuzz-harness/./../../../ssh-agent.c ['agent_fuzz'] []
/src/openssh/openbsd-compat/timingsafe_bcmp.c ['authkeys_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['sshsig_fuzz', 'agent_fuzz']
/src/openssh/ssh-rsa.c [] []
/src/openssh/dh.c [] []
/src/openssh/kex-names.c ['kex_fuzz'] []
/src/openssh/cleanup.c ['authkeys_fuzz', 'pubkey_fuzz', 'authopt_fuzz', 'sig_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'kex_fuzz'] []
/src/openssh/ssh-ecdsa-sk.c [] []
/src/openssh/readpass.c ['agent_fuzz'] ['agent_fuzz']
/src/openssh/fatal.c ['authkeys_fuzz', 'pubkey_fuzz', 'authopt_fuzz', 'sig_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] []
/src/openssh/openbsd-compat/bsd-closefrom.c ['agent_fuzz'] []
/src/openssh/openbsd-compat/freezero.c ['authkeys_fuzz', 'pubkey_fuzz', 'authopt_fuzz', 'sig_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['pubkey_fuzz', 'authopt_fuzz', 'sig_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'agent_fuzz']
/src/openssh/auth-options.c ['authkeys_fuzz', 'authopt_fuzz'] ['authopt_fuzz']
/src/openssh/ssh_api.c ['kex_fuzz'] []
/src/openssh/regress/misc/fuzz-harness/authopt_fuzz.cc ['authopt_fuzz'] ['authopt_fuzz']
/src/openssh/canohost.c ['kex_fuzz'] []
/src/openssh/sshbuf-getput-crypto.c [] []
/src/openssh/smult_curve25519_ref.c [] []
/src/openssh/kexgex.c [] []
/src/openssh/openbsd-compat/bsd-getentropy.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz']
/src/openssh/openbsd-compat/libressl-api-compat.c [] []
/src/openssh/dispatch.c ['kex_fuzz'] []
/src/openssh/ssherr-libcrypto.c ['authkeys_fuzz', 'pubkey_fuzz', 'sig_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] []
/src/openssh/openbsd-compat/bsd-misc.c [] []
/src/openssh/xmalloc.c ['authkeys_fuzz', 'pubkey_fuzz', 'authopt_fuzz', 'sig_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['sshsig_fuzz', 'agent_fuzz']
/src/openssh/openbsd-compat/readpassphrase.c ['agent_fuzz'] []
/src/openssh/openbsd-compat/strlcat.c ['authkeys_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['sshsig_fuzz', 'agent_fuzz']
/src/openssh/kex.c ['kex_fuzz'] []
/src/openssh/cipher.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz']
/src/openssh/openbsd-compat/bcrypt_pbkdf.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz']

Directories in report

Directory
/src/openssh/
/src/openssh/./
/src/openssh/openbsd-compat/./
/src/openssh/regress/misc/fuzz-harness/../sk-dummy/
/src/openssh/openbsd-compat/../
/src/openssh/regress/misc/fuzz-harness/
/src/openssh/openbsd-compat/
/src/openssh/regress/misc/fuzz-harness/./../../../