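/* $OpenBSD: test_parser_fuzz.c,v 1.3 2019/05/11 16:30:23 patrick Exp $ */
/*
 * Fuzz tests for payload parsing
 *
 * Placed in the public domain
 */

#include <sys/socket.h>
#include <sys/param.h>
#include <sys/queue.h>
#include <sys/uio.h>

#include <event.h>
#include <imsg.h>
#include <string.h>

#include "iked.h"
#include "ikev2.h"
#include "test_helper.h"

/*
 * NOTE(review): declared here but not called anywhere in this file; the
 * tests below drive the parser through ikev2_pld_parse() instead.
 */
extern int	ikev2_pld_payloads(struct iked *, struct iked_message *,
		    size_t, size_t, u_int);

void	parser_fuzz_tests(void);

/*
 * Seed data.
 *
 * Every seed message is assembled as cookies + genhdr + one payload array
 * (valid_packet is the exception: it is a complete message on its own).
 * The arrays are fixed test vectors; the fuzzer mutates copies of them.
 */

/* The two 8-byte cookies that open every message. */
u_int8_t cookies[] = {
	0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0x00, 0x01,	/* initiator cookie */
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00	/* responder cookie */
};

/*
 * Remainder of the fixed header.  The total length is left at zero here;
 * the tests patch it with set_length() once the message is assembled.
 */
u_int8_t genhdr[] = {
	0x00, 0x20, 0x22, 0x08,	/* next, major/minor, exchange type, flags */
	0x00, 0x00, 0x00, 0x00,	/* message ID */
	0x00, 0x00, 0x00, 0x00	/* total length */
};

/* Seed for the "fuzz sa payload" test. */
u_int8_t sa_pld[] = {
	0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x08, 0x01, 0x01, 0x00, 0x00
};

/* Seed for the "fuzz sa and xform payload" test. */
u_int8_t saxform_pld[] = {
	0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x3c,
	0x01, 0x01, 0x00, 0x06, 0x03, 0x00, 0x00, 0x08,
	0x03, 0x00, 0x00, 0x0c, 0x03, 0x00, 0x00, 0x0c,
	0x01, 0x00, 0x00, 0x0c, 0x80, 0x0e, 0x00, 0xc0,
	0x03, 0x00, 0x00, 0x08, 0x04, 0x00, 0x00, 0x0e,
	0x03, 0x00, 0x00, 0x08, 0x02, 0x00, 0x00, 0x05,
	0x03, 0x00, 0x00, 0x08, 0x02, 0x00, 0x00, 0x02,
	0x00, 0x00, 0x00, 0x08, 0x02, 0x00, 0x00, 0x01
};

/* Seed for the "fuzz ke payload" test. */
u_int8_t ke_pld[] = {
	0x00, 0x00, 0x01, 0x08, 0x00, 0x0e, 0x00, 0x00, 0x16, 0xcb,
	0x68, 0xaf, 0x63, 0xfe, 0xb0, 0x58, 0x49, 0x0e, 0x7f, 0x85,
	0x60, 0x53, 0x80, 0xae, 0x3f, 0x82, 0xf3, 0x35, 0x21, 0xd5,
	0xae, 0x09, 0x1c, 0xfa, 0x68, 0xc2, 0xfb, 0x4b, 0xb3, 0x84,
	0xda, 0xaf, 0x6e, 0xe2, 0x5e, 0xc5, 0xb6, 0x8c, 0x35, 0x3c,
	0xec, 0x58, 0x7f, 0xa9, 0xf8, 0xa4, 0x24, 0xf3, 0xf8, 0xf4,
	0x65, 0x59, 0x8c, 0x15, 0x4d, 0x2c, 0xf1, 0x5d, 0xeb, 0x57,
	0x68, 0xfe, 0x75, 0x61, 0x5a, 0x80, 0x96, 0xa4, 0x0a, 0xad,
	0x75, 0x71, 0xd8, 0xe0, 0x06, 0xbc, 0xde, 0x16, 0x6d, 0x1e,
	0xd9, 0x5d, 0x2c, 0x00, 0x66, 0x43, 0x82, 0xe4, 0x6f, 0x5f,
	0x95, 0xe7, 0x9b, 0xfd, 0xf2, 0xe2, 0xcb, 0xc5, 0xf1, 0x52,
	0xdd, 0x3b, 0xed, 0x88, 0xd4, 0xa9, 0x13, 0x4e, 0x42, 0xe8,
	0x60, 0x2d, 0x3c, 0xf6, 0xc8, 0xf0, 0x70, 0x42, 0xfa, 0x33,
	0x7f, 0x28, 0xdf, 0x6b, 0x79, 0x2c, 0x79, 0x8f, 0xc0, 0x5d,
	0x81, 0x7a, 0x62, 0xdb, 0xd4, 0x44, 0x3a, 0x3c, 0x21, 0xbf,
	0x85, 0xc8, 0x0b, 0x8c, 0x77, 0x72, 0xe9, 0xfb, 0x50, 0x5c,
	0x03, 0xa6, 0xb2, 0x3f, 0x17, 0x4a, 0xd1, 0xb3, 0x01, 0x30,
	0xad, 0xe4, 0xfa, 0xe2, 0xba, 0x6f, 0x22, 0x83, 0xf4, 0xde,
	0x38, 0x43, 0xe8, 0x27, 0x00, 0xb8, 0x95, 0xbe, 0x03, 0x8f,
	0xcd, 0xd3, 0x72, 0xed, 0xa5, 0xed, 0x8d, 0xf4, 0x68, 0x98,
	0xef, 0x59, 0xcc, 0xfb, 0x54, 0x89, 0xde, 0xa9, 0xd4, 0x88,
	0xcd, 0xb9, 0xca, 0x09, 0xd3, 0xd5, 0x25, 0xb1, 0x8c, 0x58,
	0x12, 0x9c, 0x69, 0x03, 0x72, 0x00, 0xc9, 0xca, 0x95, 0x8a,
	0xce, 0x0d, 0xd2, 0xc8, 0x25, 0xe7, 0x7c, 0xed, 0x5e, 0xee,
	0x35, 0x01, 0xfc, 0x00, 0x56, 0xed, 0xf3, 0x8d, 0x81, 0x6c,
	0x3e, 0x86, 0x6a, 0x40, 0xac, 0xc7, 0x9c, 0x7a, 0xbf, 0x9f,
	0x8e, 0x1f, 0xd8, 0x60
};

/* Seed for the "fuzz nonce payload" test. */
u_int8_t nonce_pld[] = {
	0x00, 0x00, 0x00, 0x24, 0x5f, 0x61, 0x42, 0x72, 0x7d, 0xb2,
	0xa8, 0xc1, 0xfe, 0xb1, 0x38, 0x2e, 0xb8, 0x75, 0xa7, 0xc1,
	0x1d, 0x8a, 0xa7, 0xb7, 0x9b, 0x92, 0xe2, 0x0e, 0x3a, 0x18,
	0x20, 0xb6, 0x16, 0xf3, 0x35, 0x67,
};

/* Seed for the "fuzz notify payload" test. */
u_int8_t notify_pld[] = {
	0x00, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x04, 0xc7, 0xa0,
	0x68, 0x68, 0x09, 0x0a, 0x7f, 0x12, 0x0b, 0x13, 0xd3, 0x2f,
	0xde, 0x64, 0x8b, 0xf1, 0xc3, 0x3c, 0x79, 0x8f, 0x00, 0x00,
	0x00, 0x1c, 0x00, 0x00, 0x40, 0x05, 0x9f, 0xbc, 0x8c, 0xd0,
	0x91, 0x5e, 0xa0, 0x87, 0x81, 0xab, 0x4f, 0xa1, 0x8a, 0xa7,
	0xa8, 0xf9, 0xeb, 0xdf, 0x9f, 0x2c
};

/* Seed for the "fuzz id payload" test. */
u_int8_t id_pld[] = {
	0x00, 0x00, 0x00, 0x0c, 0x01, 0x00, 0x00, 0x00,
	0xac, 0x12, 0x7d, 0x01
};

/* Seed for the "fuzz cert payload" test. */
u_int8_t cert_pld[] = {
	0x00, 0x00, 0x01, 0x10, 0x0b, 0x00, 0x00, 0x00,
	0x30, 0x82, 0x01, 0x0c, 0x02, 0x82, 0x01, 0x01, 0x00, 0x8a,
	0x26, 0xf8, 0x9e, 0xe8, 0x09, 0x11, 0x6b, 0x3d, 0x00, 0xd3,
	0x25, 0xf8, 0x9f, 0xe8, 0x09, 0x11, 0x6b, 0x3d, 0x10, 0xd3,
	0x0b, 0x9a, 0xb0, 0xb7, 0xe4, 0x3e, 0x40, 0x59, 0xd7, 0x51,
	0x03, 0xaf, 0x09, 0x79, 0x1b, 0x0d, 0x63, 0x66, 0x28, 0xaa,
	0x97, 0xc8, 0x20, 0x4b, 0x28, 0x9b, 0x5e, 0x8c, 0xa9, 0x8f,
	0x73, 0x81, 0xb4, 0xfa, 0xf4, 0xdd, 0x05, 0x69, 0x0b, 0x71,
	0x72, 0xd8, 0xbb, 0xac, 0x4b, 0x6d, 0x67, 0x5a, 0xa2, 0x63,
	0x5d, 0x6d, 0x27, 0xc5, 0xf4, 0xe6, 0x0a, 0xbd, 0x2b, 0x0a,
	0x64, 0xb2, 0xcf, 0x59, 0x63, 0x9b, 0x5c, 0x4f, 0x26, 0x36,
	0xe3, 0x10, 0x70, 0x3c, 0x39, 0x77, 0x55, 0x07, 0x1c, 0x12,
	0xde, 0x60, 0x53, 0xa1, 0x70, 0xf4, 0xda, 0xfc, 0xcc, 0xec,
	0xad, 0x6d, 0x34, 0xad, 0xe2, 0x36, 0x10, 0x93, 0x59, 0x0c,
	0x81, 0x8d, 0x22, 0x7e, 0x57, 0xeb, 0x89, 0x26, 0xdb, 0x6e,
	0x99, 0x9a, 0xde, 0xbe, 0xad, 0xef, 0xca, 0xaf, 0xfe, 0xfe,
	0x99, 0x9a, 0xde, 0xbe, 0xad, 0xef, 0xca, 0xaf, 0xfe, 0xfe,
	0x6f, 0xd4, 0xe4, 0x63, 0x6c, 0x3e, 0x83, 0x09, 0xf4, 0x32,
	0x78, 0x3b, 0x71, 0xe9, 0x36, 0xb6, 0x92, 0xf6, 0xa8, 0x31,
	0x4d, 0x7c, 0xd0, 0xa1, 0x30, 0x55, 0xb6, 0x6b, 0x9e, 0xb7,
	0x41, 0xa8, 0x77, 0x6c, 0x96, 0xb8, 0xa2, 0x0c, 0x7d, 0x70,
	0xca, 0x51, 0xb9, 0xad, 0xc5, 0x75, 0xa7, 0xf1, 0x1e, 0x0e,
	0xca, 0x51, 0xb9, 0xad, 0xc5, 0x75, 0xa7, 0xf1, 0x1e, 0x0e,
	0xf2, 0xcf, 0x69, 0xbf, 0x20, 0xe9, 0x97, 0x05, 0xdd, 0xf3,
	0xf2, 0xcf, 0x69, 0xbf, 0x20, 0xe9, 0x97, 0x05, 0xdd, 0xf3,
	0x32, 0x58, 0x37, 0x8c, 0x5d, 0x02, 0x05, 0x00, 0xd1, 0x76,
	0x67, 0x01, 0x67, 0x75, 0x3b, 0xba, 0x45, 0xc2, 0xa2, 0x77,
	0x3b, 0x7e, 0xb4, 0x03, 0x88, 0x08, 0x93, 0xfe, 0x07, 0x51,
	0x8e, 0xcf
};

/* Seed for the "fuzz certreq payload" test. */
u_int8_t certreq_pld[] = {
	0x00, 0x00, 0x00, 0x05, 0x0b
};

/* Seed for the "fuzz auth payload" test. */
u_int8_t auth_pld[] = {
	0x00, 0x00, 0x01, 0x08, 0x01, 0x00, 0x00, 0x00,
	0x2a, 0x34, 0x80, 0x52, 0x3c, 0x86, 0x1c, 0xfa, 0x9a, 0x2b,
	0x8b, 0xff, 0xbb, 0xb5, 0x0d, 0x6b, 0xa1, 0x62, 0x58, 0xd8,
	0x16, 0xaa, 0x15, 0xe4, 0x34, 0x24, 0xca, 0xc3, 0x09, 0x08,
	0x51, 0x69, 0x69, 0xef, 0xbd, 0xb7, 0xd4, 0xc5, 0x4f, 0x6c,
	0x12, 0xd5, 0xd0, 0x0b, 0xc7, 0x66, 0x0d, 0xcb, 0x6d, 0x01,
	0x7b, 0x8c, 0xec, 0x3d, 0x98, 0xe5, 0x2a, 0xac, 0x11, 0xde,
	0x88, 0x2e, 0xf2, 0x22, 0x98, 0x13, 0x73, 0xa3, 0x38, 0xd0,
	0x43, 0xf4, 0xc6, 0xf0, 0xc1, 0x24, 0x1a, 0x7a, 0x9f, 0xba,
	0x03, 0x25, 0x49, 0xe5, 0x8e, 0xb7, 0x5d, 0x79, 0x76, 0xfd,
	0x22, 0x5c, 0xba, 0x82, 0xb8, 0x75, 0x81, 0xc6, 0x79, 0xb3,
	0x56, 0x44, 0x82, 0x80, 0x5a, 0x3c, 0xe8, 0x21, 0xe4, 0xdb,
	0xfd, 0x1c, 0xd3, 0x18, 0xbd, 0x74, 0x22, 0x25, 0x44, 0xde,
	0x0b, 0x7e, 0x6e, 0xdb, 0xe3, 0x3b, 0x17, 0xc1, 0x4d, 0x5e,
	0x51, 0x87, 0xb0, 0x5a, 0xce, 0x5f, 0x23, 0xce, 0x18, 0x61,
	0x03, 0x02, 0x7e, 0x4b, 0x36, 0xb0, 0x7c, 0x90, 0xcf, 0xac,
	0x81, 0xc4, 0x45, 0xa3, 0x50, 0x01, 0x2e, 0x0a, 0xce, 0x62,
	0x7a, 0xe0, 0xa7, 0xc0, 0x45, 0x5e, 0x90, 0xe2, 0x2e, 0xc6,
	0x90, 0xe9, 0xbe, 0x8f, 0xe9, 0x31, 0xa9, 0xc9, 0x44, 0x62,
	0x31, 0xb6, 0x13, 0xaf, 0xd5, 0x9a, 0x55, 0x9b, 0x14, 0xf9,
	0x80, 0xcc, 0x73, 0xe3, 0x51, 0xdf, 0x2a, 0x04, 0x79, 0x0d,
	0x04, 0xee, 0x4c, 0xa8, 0x9d, 0xaa, 0x67, 0x2f, 0x77, 0x87,
	0x5e, 0x2d, 0x05, 0x95, 0xbe, 0x53, 0x45, 0x96, 0x8b, 0x89,
	0x79, 0x5b, 0x48, 0xe2, 0x6f, 0x3a, 0xc9, 0xef, 0x83, 0x81,
	0xcc, 0x4c, 0xfe, 0xb7, 0x40, 0x2d, 0xa5, 0xa5, 0x51, 0xb7,
	0xad, 0x2f, 0x29, 0xd8, 0xc8, 0x02, 0xbe, 0x18, 0x09, 0xd0,
	0xba, 0x71, 0x77, 0xfe, 0x2c, 0x6d
};

/* Seed for the "fuzz delete notify payload" test. */
u_int8_t delete_pld[] = {
	0x2a, 0x00, 0x00, 0x10, 0x01, 0x08, 0x00, 0x01,	/* IKE SA */
	0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0xaf, 0xfe,
	0x00, 0x00, 0x00, 0x10, 0x03, 0x04, 0x00, 0x02,	/* ESP SA */
	0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00, 0x11
};

/* Seed for the "fuzz vendor id payload" test. */
u_int8_t vendor_pld[] = {
	0x00, 0x00, 0x00, 0x08, 0x11, 0x22, 0x33, 0x44
};

/* Seed shared by both traffic selector tests (initiator and responder). */
u_int8_t ts_pld[] = {
	0x00, 0x00, 0x00, 0x18, 0x01, 0x00, 0x00, 0x00,
	0x07, 0x00, 0x00, 0x10, 0x00, 0x00, 0xff, 0xff,
	0xac, 0x28, 0x7d, 0x00, 0xac, 0x28, 0x7d, 0xff
};

/*
 * Seed for the "fuzz skf_1of1 payload" test.  Declared with u_int8_t like
 * every other array in this file (the original spelled this one uint8_t).
 */
u_int8_t skf_1of1_pld[] = {
	0x21, 0x00, 0x01, 0x98, 0x00, 0x01, 0x00, 0x01, 0x14, 0x77,
	0x25, 0x7b, 0x82, 0xc0, 0xdb, 0x0b, 0x24, 0x36, 0x36, 0x13,
	0x36, 0xe4, 0x99, 0xad, 0xf5, 0xaf, 0x26, 0x6f, 0x47, 0xd2,
	0x0d, 0x65, 0xe1, 0xa8, 0xcb, 0x35, 0x1e, 0x53, 0xce, 0x6d,
	0x8e, 0xf9, 0xe4, 0x51, 0xe3, 0x27, 0x10, 0x43, 0x38, 0x84,
	0x54, 0x1d, 0x7a, 0x1a, 0x89, 0x34, 0x06, 0xb3, 0x62, 0x86,
	0x98, 0x3b, 0x39, 0x91, 0x6e, 0xe8, 0x65, 0x3e, 0x31, 0xa8,
	0x08, 0xfe, 0x83, 0x56, 0x30, 0xd3, 0xe0, 0xfd, 0x73, 0x92,
	0x85, 0x2d, 0xae, 0x1d, 0x7d, 0xdb, 0x47, 0x05, 0x57, 0xe7,
	0x8e, 0xc5, 0xa5, 0x1b, 0x0e, 0x85, 0x1f, 0x12, 0x6d, 0xe6,
	0xdb, 0x3a, 0x3e, 0x99, 0xd1, 0x23, 0x41, 0xa4, 0x1c, 0x46,
	0x38, 0xd1, 0xa8, 0x84, 0x96, 0x13, 0xdb, 0x2a, 0x1d, 0x3b,
	0xb8, 0xd2, 0x04, 0xb3, 0x0d, 0xb4, 0x71, 0x90, 0xdb, 0xf6,
	0x2d, 0x60, 0x01, 0xc2, 0xb2, 0x89, 0xbd, 0xe9, 0x95, 0x7b,
	0x53, 0xa4, 0x94, 0x7e, 0x12, 0xe9, 0x5f, 0xfc, 0x51, 0x17,
	0x94, 0x3e, 0xba, 0xc2, 0xa5, 0x4d, 0x3a, 0x4d, 0x4b, 0x95,
	0x6d, 0x91, 0xc2, 0xb0, 0x2d, 0xb7, 0x24, 0xe8, 0x3b, 0xbd,
	0xe0, 0xcc, 0x09, 0x50, 0x11, 0x83, 0xc0, 0xcd, 0x29, 0x33,
	0xd5, 0x8f, 0x8a, 0xd1, 0xe3, 0xe8, 0x4f, 0x6a, 0x10, 0x4a,
	0x64, 0x97, 0x0f, 0x38, 0x58, 0x8d, 0x7f, 0x5d, 0xb4, 0x6b,
	0xa0, 0x42, 0x5e, 0x95, 0xe6, 0x08, 0x3e, 0x01, 0xf8, 0x82,
	0x90, 0x81, 0xd4, 0x70, 0xb5, 0xb2, 0x8c, 0x64, 0xa9, 0x56,
	0xdd, 0xc2, 0xda, 0xe1, 0xd3, 0xad, 0xf8, 0x5b, 0x99, 0x0b,
	0x19, 0x5e, 0x88, 0x0d, 0x81, 0x04, 0x4d, 0xc1, 0x43, 0x41,
	0xf1, 0xd3, 0x45, 0x65, 0x62, 0x70, 0x2f, 0xfa, 0x62, 0xbe,
	0x7d, 0xf4, 0x94, 0x91, 0xe0, 0xbb, 0xb1, 0xbc, 0xe5, 0x27,
	0xc8, 0x15, 0xd4, 0xcb, 0x82, 0x97, 0x15, 0x46, 0x82, 0xbb,
	0x48, 0xbb, 0x16, 0x25, 0xbe, 0x82, 0xe4, 0x27, 0x80, 0xf3,
	0xc2, 0x92, 0x3b, 0xd6, 0xc3, 0x65, 0x20, 0xec, 0x50, 0xdb,
	0x6a, 0xcb, 0x47, 0x73, 0xf7, 0x98, 0xf1, 0x66, 0x5e, 0xc4,
	0xe9, 0x87, 0xf8, 0xcb, 0x1e, 0x06, 0xa7, 0x67, 0xf5, 0xec,
	0x73, 0xe5, 0xc7, 0x4d, 0xc2, 0x90, 0xe4, 0xdf, 0x9d, 0x1f,
	0x05, 0x67, 0x99, 0xd6, 0xf0, 0xc4, 0x20, 0xbc, 0xf8, 0xf5,
	0x3e, 0x19, 0xe9, 0x3a, 0x12, 0xe1, 0xcc, 0x9f, 0x81, 0x55,
	0x1e, 0xad, 0xc8, 0xa3, 0xe5, 0x98, 0xbe, 0xe0, 0x4d, 0xb7,
	0x6b, 0xd5, 0xbe, 0x6a, 0x3d, 0x76, 0xb6, 0xe2, 0xa5, 0xa7,
	0x96, 0x68, 0xeb, 0x91, 0xee, 0x02, 0xfc, 0xe4, 0x01, 0xc3,
	0x24, 0xda, 0x4c, 0xff, 0x10, 0x27, 0x78, 0xb0, 0x0b, 0x55,
	0x5c, 0xce, 0x62, 0x7d, 0x33, 0x2b, 0x25, 0x99, 0xaa, 0x99,
	0xea, 0xa3, 0x1d, 0xd8, 0x2b, 0x57, 0xb5, 0xe4, 0x04, 0x21,
	0x75, 0xd9, 0xc4, 0xd0, 0x3d, 0xa1, 0xa5, 0x8f
};

/* NOTE(review): not referenced by parser_fuzz_tests() in this file. */
u_int8_t sk_pld[] = {
	0x21, 0x00, 0x01, 0x94, 0x14, 0x77, 0x25, 0x7b, 0x82, 0xc0,
	0xdb, 0x0b, 0x24, 0x36, 0x36, 0x13, 0x36, 0xe4, 0x99, 0xad,
	0xf5, 0xaf, 0x26, 0x6f, 0x47, 0xd2, 0x0d, 0x65, 0xe1, 0xa8,
	0xcb, 0x35, 0x1e, 0x53, 0xce, 0x6d, 0x8e, 0xf9, 0xe4, 0x51,
	0xe3, 0x27, 0x10, 0x43, 0x38, 0x84, 0x54, 0x1d, 0x7a, 0x1a,
	0x89, 0x34, 0x06, 0xb3, 0x62, 0x86, 0x98, 0x3b, 0x39, 0x91,
	0x6e, 0xe8, 0x65, 0x3e, 0x31, 0xa8, 0x08, 0xfe, 0x83, 0x56,
	0x30, 0xd3, 0xe0, 0xfd, 0x73, 0x92, 0x85, 0x2d, 0xae, 0x1d,
	0x7d, 0xdb, 0x47, 0x05, 0x57, 0xe7, 0x8e, 0xc5, 0xa5, 0x1b,
	0x0e, 0x85, 0x1f, 0x12, 0x6d, 0xe6, 0xdb, 0x3a, 0x3e, 0x99,
	0xd1, 0x23, 0x41, 0xa4, 0x1c, 0x46, 0x38, 0xd1, 0xa8, 0x84,
	0x96, 0x13, 0xdb, 0x2a, 0x1d, 0x3b, 0xb8, 0xd2, 0x04, 0xb3,
	0x0d, 0xb4, 0x71, 0x90, 0xdb, 0xf6, 0x2d, 0x60, 0x01, 0xc2,
	0xb2, 0x89, 0xbd, 0xe9, 0x95, 0x7b, 0x53, 0xa4, 0x94, 0x7e,
	0x12, 0xe9, 0x5f, 0xfc, 0x51, 0x17, 0x94, 0x3e, 0xba, 0xc2,
	0xa5, 0x4d, 0x3a, 0x4d, 0x4b, 0x95, 0x6d, 0x91, 0xc2, 0xb0,
	0x2d, 0xb7, 0x24, 0xe8, 0x3b, 0xbd, 0xe0, 0xcc, 0x09, 0x50,
	0x11, 0x83, 0xc0, 0xcd, 0x29, 0x33, 0xd5, 0x8f, 0x8a, 0xd1,
	0xe3, 0xe8, 0x4f, 0x6a, 0x10, 0x4a, 0x64, 0x97, 0x0f, 0x38,
	0x58, 0x8d, 0x7f, 0x5d, 0xb4, 0x6b, 0xa0, 0x42, 0x5e, 0x95,
	0xe6, 0x08, 0x3e, 0x01, 0xf8, 0x82, 0x90, 0x81, 0xd4, 0x70,
	0xb5, 0xb2, 0x8c, 0x64, 0xa9, 0x56, 0xdd, 0xc2, 0xda, 0xe1,
	0xd3, 0xad, 0xf8, 0x5b, 0x99, 0x0b, 0x19, 0x5e, 0x88, 0x0d,
	0x81, 0x04, 0x4d, 0xc1, 0x43, 0x41, 0xf1, 0xd3, 0x45, 0x65,
	0x62, 0x70, 0x2f, 0xfa, 0x62, 0xbe, 0x7d, 0xf4, 0x94, 0x91,
	0xe0, 0xbb, 0xb1, 0xbc, 0xe5, 0x27, 0xc8, 0x15, 0xd4, 0xcb,
	0x82, 0x97, 0x15, 0x46, 0x82, 0xbb, 0x48, 0xbb, 0x16, 0x25,
	0xbe, 0x82, 0xe4, 0x27, 0x80, 0xf3, 0xc2, 0x92, 0x3b, 0xd6,
	0xc3, 0x65, 0x20, 0xec, 0x50, 0xdb, 0x6a, 0xcb, 0x47, 0x73,
	0xf7, 0x98, 0xf1, 0x66, 0x5e, 0xc4, 0xe9, 0x87, 0xf8, 0xcb,
	0x1e, 0x06, 0xa7, 0x67, 0xf5, 0xec, 0x73, 0xe5, 0xc7, 0x4d,
	0xc2, 0x90, 0xe4, 0xdf, 0x9d, 0x1f, 0x05, 0x67, 0x99, 0xd6,
	0xf0, 0xc4, 0x20, 0xbc, 0xf8, 0xf5, 0x3e, 0x19, 0xe9, 0x3a,
	0x12, 0xe1, 0xcc, 0x9f, 0x81, 0x55, 0x1e, 0xad, 0xc8, 0xa3,
	0xe5, 0x98, 0xbe, 0xe0, 0x4d, 0xb7, 0x6b, 0xd5, 0xbe, 0x6a,
	0x3d, 0x76, 0xb6, 0xe2, 0xa5, 0xa7, 0x96, 0x68, 0xeb, 0x91,
	0xee, 0x02, 0xfc, 0xe4, 0x01, 0xc3, 0x24, 0xda, 0x4c, 0xff,
	0x10, 0x27, 0x78, 0xb0, 0x0b, 0x55, 0x5c, 0xce, 0x62, 0x7d,
	0x33, 0x2b, 0x25, 0x99, 0xaa, 0x99, 0xea, 0xa3, 0x1d, 0xd8,
	0x2b, 0x57, 0xb5, 0xe4, 0x04, 0x21, 0x75, 0xd9, 0xc4, 0xd0,
	0x3d, 0xa1, 0xa5, 0x8f
};

/* Seed for the "fuzz configuration payload" test. */
u_int8_t cp_pld[] = {
	0x2f, 0x00, 0x00, 0x0c,
	0x01, 0x00, 0x00, 0x00,	/* REQUEST */
	0x00, 0x01, 0x00, 0x00,	/* INTERNAL_IP4_ADDRESS */
	0x2f, 0x00, 0x00, 0x10,
	0x02, 0x00, 0x00, 0x00,	/* REPLY */
	0x00, 0x01, 0x00, 0x04,	/* INTERNAL_IP4_ADDRESS */
	0xaa, 0xbb, 0xcc, 0xdd,	/* 170.187.204.221 */
	0x2f, 0x00, 0x00, 0x08,
	0x03, 0x00, 0x00, 0x00,	/* SET (empty) */
	0x2f, 0x00, 0x00, 0x24,
	0x02, 0x00, 0x00, 0x00,	/* REPLY */
	0x00, 0x01, 0x00, 0x04,	/* INTERNAL_IP4_ADDRESS */
	0xaa, 0xaa, 0xaa, 0xaa,	/* 170.170.170.170 */
	0x00, 0x02, 0x00, 0x04,	/* INTERNAL_IP4_NETMASK */
	0xbb, 0xbb, 0xbb, 0xbb,	/* 187.187.187.187 */
	0x00, 0x03, 0x00, 0x04,	/* INTERNAL_IP4_DNS */
	0xcc, 0xcc, 0xcc, 0xcc,	/* 204.204.204.204 */
	0x00, 0x08, 0x00, 0x00,	/* INTERNAL_IP6_ADDRESS */
	0x00, 0x00, 0x00, 0x08,
	0x04, 0x00, 0x00, 0x00,	/* ACK (empty) */
};

/* Seed for the "fuzz eap payload" test. */
u_int8_t eap_pld[] = {
	0x30, 0x00, 0x00, 0x09,
	0x01, 0x00, 0x00, 0x05, 0x01,
	0x30, 0x00, 0x00, 0x0c,
	0x02, 0x00, 0x00, 0x05, 0x01, 0xfa, 0xfb, 0xfc,
	0x30, 0x00, 0x00, 0x08,
	0x03, 0x00, 0x00, 0x04,
	0x00, 0x00, 0x00, 0x08,
	0x04, 0x00, 0x00, 0x04
};

/*
 * Valid initiator packet.  Unlike the arrays above this is a complete
 * message (cookies and header included), used as-is by the
 * "fuzz full valid packet" test.
 */
u_int8_t valid_packet[] = {
	0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0x00, 0x01, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x21, 0x20, 0x22, 0x08,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xc0, 0x22, 0x00,
	0x00, 0x40, 0x00, 0x00, 0x00, 0x3c, 0x01, 0x01, 0x00, 0x06,
	0x03, 0x00, 0x00, 0x08, 0x03, 0x00, 0x00, 0x0c, 0x03, 0x00,
	0x00, 0x0c, 0x01, 0x00, 0x00, 0x0c, 0x80, 0x0e, 0x00, 0xc0,
	0x03, 0x00, 0x00, 0x08, 0x04, 0x00, 0x00, 0x0e, 0x03, 0x00,
	0x00, 0x08, 0x02, 0x00, 0x00, 0x05, 0x03, 0x00, 0x00, 0x08,
	0x02, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x08, 0x02, 0x00,
	0x00, 0x01, 0x28, 0x00, 0x01, 0x08, 0x00, 0x0e, 0x00, 0x00,
	0x16, 0xcb, 0x68, 0xaf, 0x63, 0xfe, 0xb0, 0x58, 0x49, 0x0e,
	0x7f, 0x85, 0x60, 0x53, 0x80, 0xae, 0x3f, 0x82, 0xf3, 0x35,
	0x21, 0xd5, 0xae, 0x09, 0x1c, 0xfa, 0x68, 0xc2, 0xfb, 0x4b,
	0xb3, 0x84, 0xda, 0xaf, 0x6e, 0xe2, 0x5e, 0xc5, 0xb6, 0x8c,
	0x35, 0x3c, 0xec, 0x58, 0x7f, 0xa9, 0xf8, 0xa4, 0x24, 0xf3,
	0xf8, 0xf4, 0x65, 0x59, 0x8c, 0x15, 0x4d, 0x2c, 0xf1, 0x5d,
	0xeb, 0x57, 0x68, 0xfe, 0x75, 0x61, 0x5a, 0x80, 0x96, 0xa4,
	0x0a, 0xad, 0x75, 0x71, 0xd8, 0xe0, 0x06, 0xbc, 0xde, 0x16,
	0x6d, 0x1e, 0xd9, 0x5d, 0x2c, 0x00, 0x66, 0x43, 0x82, 0xe4,
	0x6f, 0x5f, 0x95, 0xe7, 0x9b, 0xfd, 0xf2, 0xe2, 0xcb, 0xc5,
	0xf1, 0x52, 0xdd, 0x3b, 0xed, 0x88, 0xd4, 0xa9, 0x13, 0x4e,
	0x42, 0xe8, 0x60, 0x2d, 0x3c, 0xf6, 0xc8, 0xf0, 0x70, 0x42,
	0xfa, 0x33, 0x7f, 0x28, 0xdf, 0x6b, 0x79, 0x2c, 0x79, 0x8f,
	0xc0, 0x5d, 0x81, 0x7a, 0x62, 0xdb, 0xd4, 0x44, 0x3a, 0x3c,
	0x21, 0xbf, 0x85, 0xc8, 0x0b, 0x8c, 0x77, 0x72, 0xe9, 0xfb,
	0x50, 0x5c, 0x03, 0xa6, 0xb2, 0x3f, 0x17, 0x4a, 0xd1, 0xb3,
	0x01, 0x30, 0xad, 0xe4, 0xfa, 0xe2, 0xba, 0x6f, 0x22, 0x83,
	0xf4, 0xde, 0x38, 0x43, 0xe8, 0x27, 0x00, 0xb8, 0x95, 0xbe,
	0x03, 0x8f, 0xcd, 0xd3, 0x72, 0xed, 0xa5, 0xed, 0x8d, 0xf4,
	0x68, 0x98, 0xef, 0x59, 0xcc, 0xfb, 0x54, 0x89, 0xde, 0xa9,
	0xd4, 0x88, 0xcd, 0xb9, 0xca, 0x09, 0xd3, 0xd5, 0x25, 0xb1,
	0x8c, 0x58, 0x12, 0x9c, 0x69, 0x03, 0x72, 0x00, 0xc9, 0xca,
	0x95, 0x8a, 0xce, 0x0d, 0xd2, 0xc8, 0x25, 0xe7, 0x7c, 0xed,
	0x5e, 0xee, 0x35, 0x01, 0xfc, 0x00, 0x56, 0xed, 0xf3, 0x8d,
	0x81, 0x6c, 0x3e, 0x86, 0x6a, 0x40, 0xac, 0xc7, 0x9c, 0x7a,
	0xbf, 0x9f, 0x8e, 0x1f, 0xd8, 0x60, 0x29, 0x00, 0x00, 0x24,
	0x5f, 0x61, 0x42, 0x72, 0x7d, 0xb2, 0xa8, 0xc1, 0xfe, 0xb1,
	0x38, 0x2e, 0xb8, 0x75, 0xa7, 0xc1, 0x1d, 0x8a, 0xa7, 0xb7,
	0x9b, 0x92, 0xe2, 0x0e, 0x3a, 0x18, 0x20, 0xb6, 0x16, 0xf3,
	0x35, 0x67, 0x29, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x04,
	0xc7, 0xa0, 0x68, 0x68, 0x09, 0x0a, 0x7f, 0x12, 0x0b, 0x13,
	0xd3, 0x2f, 0xde, 0x64, 0x8b, 0xf1, 0xc3, 0x3c, 0x79, 0x8f,
	0x00, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x05, 0x9f, 0xbc,
	0x8c, 0xd0, 0x91, 0x5e, 0xa0, 0x87, 0x81, 0xab, 0x4f, 0xa1,
	0x8a, 0xa7, 0xa8, 0xf9, 0xeb, 0xdf, 0x9f, 0x2c
};

/*
 * Byte offsets of the header fields inside a message buffer.  The fields
 * after the cookies are expressed relative to sizeof(cookies), so the
 * accessors below are only safe on buffers of at least
 * sizeof(cookies) + sizeof(genhdr) bytes.
 */
#define OFFSET_ICOOKIE		0
#define OFFSET_RCOOKIE		8
#define OFFSET_NEXTPAYLOAD	(0 + sizeof(cookies))
#define OFFSET_VERSION		(1 + sizeof(cookies))
#define OFFSET_EXCHANGE		(2 + sizeof(cookies))
#define OFFSET_LENGTH		(8 + sizeof(cookies))

/* Return a pointer to the initiator cookie at the start of the message. */
static u_int8_t *
get_icookie(u_int8_t *data)
{
	return &data[OFFSET_ICOOKIE];
}

/* Return a pointer to the responder cookie at OFFSET_RCOOKIE. */
static u_int8_t *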
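get_rcookie(u_int8_t *data)
{
	return &data[OFFSET_RCOOKIE];
}

/* Return the "next payload" byte of the fixed header. */
static u_int8_t
get_nextpayload(u_int8_t *data)
{
	return data[OFFSET_NEXTPAYLOAD];
}

/* Return the major/minor version byte of the fixed header. */
static u_int8_t
get_version(u_int8_t *data)
{
	return data[OFFSET_VERSION];
}

/* Return the exchange type byte of the fixed header. */
static u_int8_t
get_exchange(u_int8_t *data)
{
	return data[OFFSET_EXCHANGE];
}

/*
 * Return the 32-bit total length field exactly as it is stored in the
 * buffer; no byte-order conversion is applied (set_length() stores the
 * field big-endian).
 *
 * The field is copied out with memcpy() rather than read through a cast
 * u_int32_t pointer, so the load does not depend on the buffer's alignment
 * or on type-punning a byte array.
 */
static u_int32_t
get_length(u_int8_t *data)
{
	u_int32_t	 length;

	memcpy(&length, &data[OFFSET_LENGTH], sizeof(length));
	return length;
}

/*
 * Store length big-endian in the total length field.  Written with
 * memcpy() for the same alignment/aliasing reason as get_length().
 */
static void
set_length(u_int8_t *data, u_int32_t length)
{
	u_int32_t	 belength = htobe32(length);

	memcpy(&data[OFFSET_LENGTH], &belength, sizeof(belength));
}

/* Overwrite the "next payload" byte of the fixed header. */
static void
set_nextpayload(u_int8_t *data, u_int8_t next)
{
	data[OFFSET_NEXTPAYLOAD] = next;
}

/*
 * Fill *hdr from the raw bytes at the start of data.
 *
 * The caller must guarantee that data holds at least
 * sizeof(cookies) + sizeof(genhdr) bytes; nothing is checked here.
 * ike_length is copied as stored, so after fuzzing it may disagree with
 * the real size of the buffer.
 */
static void
prepare_header(struct ike_header *hdr, struct ibuf *data)
{
	u_int8_t	*buf = ibuf_data(data);

	memset(hdr, 0, sizeof(*hdr));
	memcpy(&hdr->ike_ispi, get_icookie(buf), sizeof(hdr->ike_ispi));
	memcpy(&hdr->ike_rspi, get_rcookie(buf), sizeof(hdr->ike_rspi));
	hdr->ike_nextpayload = get_nextpayload(buf);
	hdr->ike_version = get_version(buf);
	hdr->ike_exchange = get_exchange(buf);
	hdr->ike_length = get_length(buf);
}

/*
 * Reset *msg and point it at data and at a zeroed SA.
 *
 * The SA is a single function-local static shared by every call, so a
 * message prepared here is only valid until the next call.
 */
static void
prepare_message(struct iked_message *msg, struct ibuf *data)
{
	static struct iked_sa	 sa;

	memset(&sa, 0, sizeof(sa));
	memset(msg, 0, sizeof(*msg));

	msg->msg_sa = &sa;
	msg->msg_data = data;
	/* NOTE(review): meaning of msg_e is defined in iked.h -- confirm. */
	msg->msg_e = 1;
}

/*
 * Feed every mutation produced by fuzz to ikev2_pld_parse().
 *
 * The parser's return value is deliberately ignored: mutated input is
 * expected to be rejected, and the only failure this loop can reveal is a
 * crash or abort.  It is therefore most useful when the build has
 * memory-error detection enabled.
 *
 * Mutations shorter than the fixed header are skipped, so handling of
 * messages with a truncated header is not exercised here.
 *
 * NOTE(review): the fuzz context is never released, neither here nor by
 * the caller; if test_helper offers a cleanup routine it belongs after
 * the loop.
 */
static void
perform_test(struct fuzz *fuzz)
{
	struct ibuf		*fuzzed;
	struct ike_header	 hdr;
	struct iked_message	 msg;

	for (; !fuzz_done(fuzz); fuzz_next(fuzz)) {
		ASSERT_PTR_NE(fuzzed = ibuf_new(fuzz_ptr(fuzz), fuzz_len(fuzz)),
		    NULL);
		print_hex(ibuf_data(fuzzed), 0, ibuf_size(fuzzed));

		/*
		 * prepare_header() reads the cookies and the generic header
		 * unconditionally, so anything shorter must not reach it.
		 */
		if (ibuf_size(fuzzed) >= sizeof(cookies) + sizeof(genhdr)) {
			prepare_header(&hdr, fuzzed);
			prepare_message(&msg, fuzzed);

			ikev2_pld_parse(NULL, &hdr, &msg, 0);
		}

		ibuf_free(fuzzed);
	}
}

/* Mutation strategies applied to every seed message. */
#define FUZZ_STRATEGIES							\
	(FUZZ_1_BIT_FLIP | FUZZ_2_BIT_FLIP |				\
	FUZZ_1_BYTE_FLIP | FUZZ_2_BYTE_FLIP |				\
	FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END |			\
	FUZZ_BASE64)

/*
 * Check that the unmodified seed in data parses cleanly, then fuzz it.
 * Takes ownership of data and frees it.
 */
static void
run_seed(struct ibuf *data)
{
	struct fuzz		*fuzz;
	struct ike_header	 hdr;
	struct iked_message	 msg;

	print_hex(ibuf_data(data), 0, ibuf_size(data));
	prepare_header(&hdr, data);
	prepare_message(&msg, data);
	/* A seed the parser rejects would make the fuzz run meaningless. */
	ASSERT_INT_EQ(ikev2_pld_parse(NULL, &hdr, &msg, 0), 0);
	fuzz = fuzz_begin(FUZZ_STRATEGIES, ibuf_data(data), ibuf_size(data));
	/*
	 * The seed is freed before the mutations are generated, as in the
	 * original code; this relies on fuzz_begin() keeping its own copy
	 * of the bytes -- TODO confirm against test_helper.
	 */
	ibuf_free(data);
	perform_test(fuzz);
}

/*
 * Run one named test: build cookies + genhdr + pld, patch the length and
 * next-payload fields, and fuzz the result.  pld == NULL means "header
 * only"; the next-payload byte from genhdr is then left untouched.
 */
static void
fuzz_payload(const char *name, u_int8_t next, u_int8_t *pld, size_t len)
{
	struct ibuf	*data;

	TEST_START(name);
	ASSERT_PTR_NE(data = ibuf_new(cookies, sizeof(cookies)), NULL);
	ASSERT_INT_EQ(ibuf_add(data, genhdr, sizeof(genhdr)), 0);
	if (pld != NULL) {
		ASSERT_INT_EQ(ibuf_add(data, pld, len), 0);
	}
	set_length(ibuf_data(data), ibuf_size(data));
	if (pld != NULL) {
		set_nextpayload(ibuf_data(data), next);
	}
	run_seed(data);
	TEST_DONE();
}

/*
 * Entry point: fuzz the generic header alone, each payload type in turn,
 * and finally a complete valid packet.  The order of the tests is the same
 * as in the original unrolled version.
 */
void
parser_fuzz_tests(void)
{
#define SEED(n, t, p)	{ (n), (t), (p), sizeof(p) }
	static const struct {
		const char	*name;
		u_int8_t	 next;
		u_int8_t	*pld;
		size_t		 len;
	} seeds[] = {
		{ "fuzz generic header", 0, NULL, 0 },
		SEED("fuzz skf_1of1 payload", IKEV2_PAYLOAD_SKF, skf_1of1_pld),
		SEED("fuzz sa payload", IKEV2_PAYLOAD_SA, sa_pld),
		SEED("fuzz sa and xform payload", IKEV2_PAYLOAD_SA,
		    saxform_pld),
		SEED("fuzz ke payload", IKEV2_PAYLOAD_KE, ke_pld),
		SEED("fuzz nonce payload", IKEV2_PAYLOAD_NONCE, nonce_pld),
		SEED("fuzz notify payload", IKEV2_PAYLOAD_NOTIFY, notify_pld),
		SEED("fuzz id payload", IKEV2_PAYLOAD_IDi, id_pld),
		SEED("fuzz cert payload", IKEV2_PAYLOAD_CERT, cert_pld),
		SEED("fuzz certreq payload", IKEV2_PAYLOAD_CERTREQ,
		    certreq_pld),
		SEED("fuzz auth payload", IKEV2_PAYLOAD_AUTH, auth_pld),
		SEED("fuzz delete notify payload", IKEV2_PAYLOAD_DELETE,
		    delete_pld),
		SEED("fuzz vendor id payload", IKEV2_PAYLOAD_VENDOR,
		    vendor_pld),
		SEED("fuzz traffic selector initiator payload",
		    IKEV2_PAYLOAD_TSi, ts_pld),
		SEED("fuzz traffic selector responder payload",
		    IKEV2_PAYLOAD_TSr, ts_pld),
		SEED("fuzz configuration payload", IKEV2_PAYLOAD_CP, cp_pld),
		SEED("fuzz eap payload", IKEV2_PAYLOAD_EAP, eap_pld),
	};
#undef SEED
	struct ibuf	*data;
	size_t		 i;

#if 0
	log_init(3);
#endif

	for (i = 0; i < sizeof(seeds) / sizeof(seeds[0]); i++)
		fuzz_payload(seeds[i].name, seeds[i].next, seeds[i].pld,
		    seeds[i].len);

	/*
	 * valid_packet already carries its own cookies, header and
	 * next-payload byte; only the length field is rewritten.
	 */
	TEST_START("fuzz full valid packet");
	ASSERT_PTR_NE(data = ibuf_new(valid_packet, sizeof(valid_packet)),
	    NULL);
	set_length(ibuf_data(data), ibuf_size(data));
	run_seed(data);
	TEST_DONE();
}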