From cbd5be1b82c182d2e55656d29f19ae7f3ac91dea Mon Sep 17 00:00:00 2001
From: Matt Johnston <matt@ucc.asn.au>
Date: Fri, 26 May 2017 00:20:01 +0800
Subject: [PATCH] add fuzzer-verify

--HG--
branch : fuzz
---
 Makefile.in     |  5 ++++-
 fuzzer-verify.c | 44 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 fuzzer-verify.c

diff --git a/Makefile.in b/Makefile.in
index 94637eda..0ed124db 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -245,7 +245,7 @@ default_options.h: default_options.h.in
 ## Fuzzing targets
 
 # list of fuzz targets
-FUZZ_TARGETS=fuzzer-preauth fuzzer-pubkey
+FUZZ_TARGETS=fuzzer-preauth fuzzer-pubkey fuzzer-verify
 
 FUZZER_OPTIONS = $(addsuffix .options, $(FUZZ_TARGETS))
 
@@ -270,6 +270,9 @@ fuzzer-preauth: fuzzer-preauth.o $(HEADERS) $(LIBTOM_DEPS) Makefile $(svrfuzzobj
 fuzzer-pubkey: fuzzer-pubkey.o $(HEADERS) $(LIBTOM_DEPS) Makefile $(svrfuzzobjs)
 	$(CXX) $(CXXFLAGS) $@.o $(LDFLAGS) $(svrfuzzobjs) -o $@$(EXEEXT) $(LIBTOM_LIBS) $(LIBS) $(FUZZLIB) @CRYPTLIB@
 
+fuzzer-verify: fuzzer-verify.o $(HEADERS) $(LIBTOM_DEPS) Makefile $(svrfuzzobjs)
+	$(CXX) $(CXXFLAGS) $@.o $(LDFLAGS) $(svrfuzzobjs) -o $@$(EXEEXT) $(LIBTOM_LIBS) $(LIBS) $(FUZZLIB) @CRYPTLIB@
+
 fuzzer-%.options: Makefile
 	echo "[libfuzzer]"               > $@
 	echo "max_len = 50000"          >> $@
diff --git a/fuzzer-verify.c b/fuzzer-verify.c
new file mode 100644
index 00000000..7e23bc94
--- /dev/null
+++ b/fuzzer-verify.c
@@ -0,0 +1,44 @@
+#include "fuzz.h"
+#include "session.h"
+#include "fuzz-wrapfd.h"
+#include "debug.h"
+
+static void setup_fuzzer(void) {
+	common_setup_fuzzer();
+}
+
+static buffer *verifydata;
+
+/* Tests reading a public key and verifying a signature */
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+	static int once = 0;
+	if (!once) {
+		setup_fuzzer();
+		verifydata = buf_new(30);
+		buf_putstring(verifydata, "x", 1);
+		once = 1;
+	}
+
+	if (fuzzer_set_input(Data, Size) == DROPBEAR_FAILURE) {
+		return 0;
+	}
+
+	m_malloc_set_epoch(1);
+
+	if (setjmp(fuzz.jmp) == 0) {
+		sign_key *key = new_sign_key();
+		enum signkey_type type = DROPBEAR_SIGNKEY_ANY;
+		if (buf_get_pub_key(fuzz.input, key, &type) == DROPBEAR_SUCCESS) {
+			/* Don't expect random fuzz input to verify */
+			assert(buf_verify(fuzz.input, key, verifydata) == DROPBEAR_FAILURE);
+		}
+		sign_key_free(key);
+		m_malloc_free_epoch(1, 0);
+	} else {
+		m_malloc_free_epoch(1, 1);
+		TRACE(("dropbear_exit longjmped"))
+		// dropbear_exit jumped here
+	}
+
+	return 0;
+}
-- 
GitLab