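/*	$OpenBSD: test_parser_fuzz.c,v 1.5 2021/12/13 16:56:49 deraadt Exp $ */
/*
 * Fuzz tests for payload parsing
 *
 * Placed in the public domain
 */

#include <sys/socket.h>
#include <sys/queue.h>
#include <sys/uio.h>

#include <event.h>
#include <imsg.h>
#include <string.h>

#include "iked.h"
#include "ikev2.h"
#include "test_helper.h"

/* Not called in this file; every test goes through ikev2_pld_parse(). */
extern int	ikev2_pld_payloads(struct iked *, struct iked_message *,
		    size_t, size_t, u_int);

void	parser_fuzz_tests(void);

/*
 * Seed data.  Each test builds a packet as cookies[] + genhdr[] + one
 * *_pld[] array, patches the total length and the "next payload" byte,
 * checks that the unmodified packet parses, and then mutates it.
 */
u_int8_t cookies[] = {
	0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0x00, 0x01,	/* initiator cookie */
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00	/* responder cookie */
};

u_int8_t genhdr[] = {
	0x00, 0x20, 0x22, 0x08,	/* next, major/minor, exchange type, flags */
	0x00, 0x00, 0x00, 0x00,	/* message ID */
	0x00, 0x00, 0x00, 0x00	/* total length */
};

u_int8_t sa_pld[] = {
	0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x08, 0x01, 0x01, 0x00, 0x00
};

u_int8_t saxform_pld[] = {
	0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x3c,
	0x01, 0x01, 0x00, 0x06, 0x03, 0x00, 0x00, 0x08,
	0x03, 0x00, 0x00, 0x0c, 0x03, 0x00, 0x00, 0x0c,
	0x01, 0x00, 0x00, 0x0c, 0x80, 0x0e, 0x00, 0xc0,
	0x03, 0x00, 0x00, 0x08, 0x04, 0x00, 0x00, 0x0e,
	0x03, 0x00, 0x00, 0x08, 0x02, 0x00, 0x00, 0x05,
	0x03, 0x00, 0x00, 0x08, 0x02, 0x00, 0x00, 0x02,
	0x00, 0x00, 0x00, 0x08, 0x02, 0x00, 0x00, 0x01
};

u_int8_t ke_pld[] = {
	0x00, 0x00, 0x01, 0x08, 0x00, 0x0e, 0x00, 0x00, 0x16, 0xcb,
	0x68, 0xaf, 0x63, 0xfe, 0xb0, 0x58, 0x49, 0x0e, 0x7f, 0x85,
	0x60, 0x53, 0x80, 0xae, 0x3f, 0x82, 0xf3, 0x35, 0x21, 0xd5,
	0xae, 0x09, 0x1c, 0xfa, 0x68, 0xc2, 0xfb, 0x4b, 0xb3, 0x84,
	0xda, 0xaf, 0x6e, 0xe2, 0x5e, 0xc5, 0xb6, 0x8c, 0x35, 0x3c,
	0xec, 0x58, 0x7f, 0xa9, 0xf8, 0xa4, 0x24, 0xf3, 0xf8, 0xf4,
	0x65, 0x59, 0x8c, 0x15, 0x4d, 0x2c, 0xf1, 0x5d, 0xeb, 0x57,
	0x68, 0xfe, 0x75, 0x61, 0x5a, 0x80, 0x96, 0xa4, 0x0a, 0xad,
	0x75, 0x71, 0xd8, 0xe0, 0x06, 0xbc, 0xde, 0x16, 0x6d, 0x1e,
	0xd9, 0x5d, 0x2c, 0x00, 0x66, 0x43, 0x82, 0xe4, 0x6f, 0x5f,
	0x95, 0xe7, 0x9b, 0xfd, 0xf2, 0xe2, 0xcb, 0xc5, 0xf1, 0x52,
	0xdd, 0x3b, 0xed, 0x88, 0xd4, 0xa9, 0x13, 0x4e, 0x42, 0xe8,
	0x60, 0x2d, 0x3c, 0xf6, 0xc8, 0xf0, 0x70, 0x42, 0xfa, 0x33,
	0x7f, 0x28, 0xdf, 0x6b, 0x79, 0x2c, 0x79, 0x8f, 0xc0, 0x5d,
	0x81, 0x7a, 0x62, 0xdb, 0xd4, 0x44, 0x3a, 0x3c, 0x21, 0xbf,
	0x85, 0xc8, 0x0b, 0x8c, 0x77, 0x72, 0xe9, 0xfb, 0x50, 0x5c,
	0x03, 0xa6, 0xb2, 0x3f, 0x17, 0x4a, 0xd1, 0xb3, 0x01, 0x30,
	0xad, 0xe4, 0xfa, 0xe2, 0xba, 0x6f, 0x22, 0x83, 0xf4, 0xde,
	0x38, 0x43, 0xe8, 0x27, 0x00, 0xb8, 0x95, 0xbe, 0x03, 0x8f,
	0xcd, 0xd3, 0x72, 0xed, 0xa5, 0xed, 0x8d, 0xf4, 0x68, 0x98,
	0xef, 0x59, 0xcc, 0xfb, 0x54, 0x89, 0xde, 0xa9, 0xd4, 0x88,
	0xcd, 0xb9, 0xca, 0x09, 0xd3, 0xd5, 0x25, 0xb1, 0x8c, 0x58,
	0x12, 0x9c, 0x69, 0x03, 0x72, 0x00, 0xc9, 0xca, 0x95, 0x8a,
	0xce, 0x0d, 0xd2, 0xc8, 0x25, 0xe7, 0x7c, 0xed, 0x5e, 0xee,
	0x35, 0x01, 0xfc, 0x00, 0x56, 0xed, 0xf3, 0x8d, 0x81, 0x6c,
	0x3e, 0x86, 0x6a, 0x40, 0xac, 0xc7, 0x9c, 0x7a, 0xbf, 0x9f,
	0x8e, 0x1f, 0xd8, 0x60
};

u_int8_t nonce_pld[] = {
	0x00, 0x00, 0x00, 0x24, 0x5f, 0x61, 0x42, 0x72, 0x7d, 0xb2,
	0xa8, 0xc1, 0xfe, 0xb1, 0x38, 0x2e, 0xb8, 0x75, 0xa7, 0xc1,
	0x1d, 0x8a, 0xa7, 0xb7, 0x9b, 0x92, 0xe2, 0x0e, 0x3a, 0x18,
	0x20, 0xb6, 0x16, 0xf3, 0x35, 0x67,
};

u_int8_t notify_pld[] = {
	0x00, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x04, 0xc7, 0xa0,
	0x68, 0x68, 0x09, 0x0a, 0x7f, 0x12, 0x0b, 0x13, 0xd3, 0x2f,
	0xde, 0x64, 0x8b, 0xf1, 0xc3, 0x3c, 0x79, 0x8f, 0x00, 0x00,
	0x00, 0x1c, 0x00, 0x00, 0x40, 0x05, 0x9f, 0xbc, 0x8c, 0xd0,
	0x91, 0x5e, 0xa0, 0x87, 0x81, 0xab, 0x4f, 0xa1, 0x8a, 0xa7,
	0xa8, 0xf9, 0xeb, 0xdf, 0x9f, 0x2c
};

u_int8_t id_pld[] = {
	0x00, 0x00, 0x00, 0x0c, 0x01, 0x00, 0x00, 0x00,
	0xac, 0x12, 0x7d, 0x01
};

u_int8_t cert_pld[] = {
	0x00, 0x00, 0x01, 0x10, 0x0b, 0x00, 0x00, 0x00,
	0x30, 0x82, 0x01, 0x0c, 0x02, 0x82, 0x01, 0x01, 0x00, 0x8a,
	0x26, 0xf8, 0x9e, 0xe8, 0x09, 0x11, 0x6b, 0x3d, 0x00, 0xd3,
	0x25, 0xf8, 0x9f, 0xe8, 0x09, 0x11, 0x6b, 0x3d, 0x10, 0xd3,
	0x0b, 0x9a, 0xb0, 0xb7, 0xe4, 0x3e, 0x40, 0x59, 0xd7, 0x51,
	0x03, 0xaf, 0x09, 0x79, 0x1b, 0x0d, 0x63, 0x66, 0x28, 0xaa,
	0x97, 0xc8, 0x20, 0x4b, 0x28, 0x9b, 0x5e, 0x8c, 0xa9, 0x8f,
	0x73, 0x81, 0xb4, 0xfa, 0xf4, 0xdd, 0x05, 0x69, 0x0b, 0x71,
	0x72, 0xd8, 0xbb, 0xac, 0x4b, 0x6d, 0x67, 0x5a, 0xa2, 0x63,
	0x5d, 0x6d, 0x27, 0xc5, 0xf4, 0xe6, 0x0a, 0xbd, 0x2b, 0x0a,
	0x64, 0xb2, 0xcf, 0x59, 0x63, 0x9b, 0x5c, 0x4f, 0x26, 0x36,
	0xe3, 0x10, 0x70, 0x3c, 0x39, 0x77, 0x55, 0x07, 0x1c, 0x12,
	0xde, 0x60, 0x53, 0xa1, 0x70, 0xf4, 0xda, 0xfc, 0xcc, 0xec,
	0xad, 0x6d, 0x34, 0xad, 0xe2, 0x36, 0x10, 0x93, 0x59, 0x0c,
	0x81, 0x8d, 0x22, 0x7e, 0x57, 0xeb, 0x89, 0x26, 0xdb, 0x6e,
	0x99, 0x9a, 0xde, 0xbe, 0xad, 0xef, 0xca, 0xaf, 0xfe, 0xfe,
	0x99, 0x9a, 0xde, 0xbe, 0xad, 0xef, 0xca, 0xaf, 0xfe, 0xfe,
	0x6f, 0xd4, 0xe4, 0x63, 0x6c, 0x3e, 0x83, 0x09, 0xf4, 0x32,
	0x78, 0x3b, 0x71, 0xe9, 0x36, 0xb6, 0x92, 0xf6, 0xa8, 0x31,
	0x4d, 0x7c, 0xd0, 0xa1, 0x30, 0x55, 0xb6, 0x6b, 0x9e, 0xb7,
	0x41, 0xa8, 0x77, 0x6c, 0x96, 0xb8, 0xa2, 0x0c, 0x7d, 0x70,
	0xca, 0x51, 0xb9, 0xad, 0xc5, 0x75, 0xa7, 0xf1, 0x1e, 0x0e,
	0xca, 0x51, 0xb9, 0xad, 0xc5, 0x75, 0xa7, 0xf1, 0x1e, 0x0e,
	0xf2, 0xcf, 0x69, 0xbf, 0x20, 0xe9, 0x97, 0x05, 0xdd, 0xf3,
	0xf2, 0xcf, 0x69, 0xbf, 0x20, 0xe9, 0x97, 0x05, 0xdd, 0xf3,
	0x32, 0x58, 0x37, 0x8c, 0x5d, 0x02, 0x05, 0x00, 0xd1, 0x76,
	0x67, 0x01, 0x67, 0x75, 0x3b, 0xba, 0x45, 0xc2, 0xa2, 0x77,
	0x3b, 0x7e, 0xb4, 0x03, 0x88, 0x08, 0x93, 0xfe, 0x07, 0x51,
	0x8e, 0xcf
};

u_int8_t certreq_pld[] = {
	0x00, 0x00, 0x00, 0x05, 0x0b
};

u_int8_t auth_pld[] = {
	0x00, 0x00, 0x01, 0x08, 0x01, 0x00, 0x00, 0x00,
	0x2a, 0x34, 0x80, 0x52, 0x3c, 0x86, 0x1c, 0xfa, 0x9a, 0x2b,
	0x8b, 0xff, 0xbb, 0xb5, 0x0d, 0x6b, 0xa1, 0x62, 0x58, 0xd8,
	0x16, 0xaa, 0x15, 0xe4, 0x34, 0x24, 0xca, 0xc3, 0x09, 0x08,
	0x51, 0x69, 0x69, 0xef, 0xbd, 0xb7, 0xd4, 0xc5, 0x4f, 0x6c,
	0x12, 0xd5, 0xd0, 0x0b, 0xc7, 0x66, 0x0d, 0xcb, 0x6d, 0x01,
	0x7b, 0x8c, 0xec, 0x3d, 0x98, 0xe5, 0x2a, 0xac, 0x11, 0xde,
	0x88, 0x2e, 0xf2, 0x22, 0x98, 0x13, 0x73, 0xa3, 0x38, 0xd0,
	0x43, 0xf4, 0xc6, 0xf0, 0xc1, 0x24, 0x1a, 0x7a, 0x9f, 0xba,
	0x03, 0x25, 0x49, 0xe5, 0x8e, 0xb7, 0x5d, 0x79, 0x76, 0xfd,
	0x22, 0x5c, 0xba, 0x82, 0xb8, 0x75, 0x81, 0xc6, 0x79, 0xb3,
	0x56, 0x44, 0x82, 0x80, 0x5a, 0x3c, 0xe8, 0x21, 0xe4, 0xdb,
	0xfd, 0x1c, 0xd3, 0x18, 0xbd, 0x74, 0x22, 0x25, 0x44, 0xde,
	0x0b, 0x7e, 0x6e, 0xdb, 0xe3, 0x3b, 0x17, 0xc1, 0x4d, 0x5e,
	0x51, 0x87, 0xb0, 0x5a, 0xce, 0x5f, 0x23, 0xce, 0x18, 0x61,
	0x03, 0x02, 0x7e, 0x4b, 0x36, 0xb0, 0x7c, 0x90, 0xcf, 0xac,
	0x81, 0xc4, 0x45, 0xa3, 0x50, 0x01, 0x2e, 0x0a, 0xce, 0x62,
	0x7a, 0xe0, 0xa7, 0xc0, 0x45, 0x5e, 0x90, 0xe2, 0x2e, 0xc6,
	0x90, 0xe9, 0xbe, 0x8f, 0xe9, 0x31, 0xa9, 0xc9, 0x44, 0x62,
	0x31, 0xb6, 0x13, 0xaf, 0xd5, 0x9a, 0x55, 0x9b, 0x14, 0xf9,
	0x80, 0xcc, 0x73, 0xe3, 0x51, 0xdf, 0x2a, 0x04, 0x79, 0x0d,
	0x04, 0xee, 0x4c, 0xa8, 0x9d, 0xaa, 0x67, 0x2f, 0x77, 0x87,
	0x5e, 0x2d, 0x05, 0x95, 0xbe, 0x53, 0x45, 0x96, 0x8b, 0x89,
	0x79, 0x5b, 0x48, 0xe2, 0x6f, 0x3a, 0xc9, 0xef, 0x83, 0x81,
	0xcc, 0x4c, 0xfe, 0xb7, 0x40, 0x2d, 0xa5, 0xa5, 0x51, 0xb7,
	0xad, 0x2f, 0x29, 0xd8, 0xc8, 0x02, 0xbe, 0x18, 0x09, 0xd0,
	0xba, 0x71, 0x77, 0xfe, 0x2c, 0x6d
};

u_int8_t delete_pld[] = {
	0x2a, 0x00, 0x00, 0x10, 0x01, 0x08, 0x00, 0x01,	/* IKE SA */
	0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0xaf, 0xfe,
	0x00, 0x00, 0x00, 0x10, 0x03, 0x04, 0x00, 0x02,	/* ESP SA */
	0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00, 0x11
};

u_int8_t vendor_pld[] = {
	0x00, 0x00, 0x00, 0x08, 0x11, 0x22, 0x33, 0x44
};

u_int8_t ts_pld[] = {
	0x00, 0x00, 0x00, 0x18, 0x01, 0x00, 0x00, 0x00,
	0x07, 0x00, 0x00, 0x10, 0x00, 0x00, 0xff, 0xff,
	0xac, 0x28, 0x7d, 0x00, 0xac, 0x28, 0x7d, 0xff
};

uint8_t skf_1of1_pld[] = {
	0x21, 0x00, 0x01, 0x98, 0x00, 0x01, 0x00, 0x01, 0x14, 0x77,
	0x25, 0x7b, 0x82, 0xc0, 0xdb, 0x0b, 0x24, 0x36, 0x36, 0x13,
	0x36, 0xe4, 0x99, 0xad, 0xf5, 0xaf, 0x26, 0x6f, 0x47, 0xd2,
	0x0d, 0x65, 0xe1, 0xa8, 0xcb, 0x35, 0x1e, 0x53, 0xce, 0x6d,
	0x8e, 0xf9, 0xe4, 0x51, 0xe3, 0x27, 0x10, 0x43, 0x38, 0x84,
	0x54, 0x1d, 0x7a, 0x1a, 0x89, 0x34, 0x06, 0xb3, 0x62, 0x86,
	0x98, 0x3b, 0x39, 0x91, 0x6e, 0xe8, 0x65, 0x3e, 0x31, 0xa8,
	0x08, 0xfe, 0x83, 0x56, 0x30, 0xd3, 0xe0, 0xfd, 0x73, 0x92,
	0x85, 0x2d, 0xae, 0x1d, 0x7d, 0xdb, 0x47, 0x05, 0x57, 0xe7,
	0x8e, 0xc5, 0xa5, 0x1b, 0x0e, 0x85, 0x1f, 0x12, 0x6d, 0xe6,
	0xdb, 0x3a, 0x3e, 0x99, 0xd1, 0x23, 0x41, 0xa4, 0x1c, 0x46,
	0x38, 0xd1, 0xa8, 0x84, 0x96, 0x13, 0xdb, 0x2a, 0x1d, 0x3b,
	0xb8, 0xd2, 0x04, 0xb3, 0x0d, 0xb4, 0x71, 0x90, 0xdb, 0xf6,
	0x2d, 0x60, 0x01, 0xc2, 0xb2, 0x89, 0xbd, 0xe9, 0x95, 0x7b,
	0x53, 0xa4, 0x94, 0x7e, 0x12, 0xe9, 0x5f, 0xfc, 0x51, 0x17,
	0x94, 0x3e, 0xba, 0xc2, 0xa5, 0x4d, 0x3a, 0x4d, 0x4b, 0x95,
	0x6d, 0x91, 0xc2, 0xb0, 0x2d, 0xb7, 0x24, 0xe8, 0x3b, 0xbd,
	0xe0, 0xcc, 0x09, 0x50, 0x11, 0x83, 0xc0, 0xcd, 0x29, 0x33,
	0xd5, 0x8f, 0x8a, 0xd1, 0xe3, 0xe8, 0x4f, 0x6a, 0x10, 0x4a,
	0x64, 0x97, 0x0f, 0x38, 0x58, 0x8d, 0x7f, 0x5d, 0xb4, 0x6b,
	0xa0, 0x42, 0x5e, 0x95, 0xe6, 0x08, 0x3e, 0x01, 0xf8, 0x82,
	0x90, 0x81, 0xd4, 0x70, 0xb5, 0xb2, 0x8c, 0x64, 0xa9, 0x56,
	0xdd, 0xc2, 0xda, 0xe1, 0xd3, 0xad, 0xf8, 0x5b, 0x99, 0x0b,
	0x19, 0x5e, 0x88, 0x0d, 0x81, 0x04, 0x4d, 0xc1, 0x43, 0x41,
	0xf1, 0xd3, 0x45, 0x65, 0x62, 0x70, 0x2f, 0xfa, 0x62, 0xbe,
	0x7d, 0xf4, 0x94, 0x91, 0xe0, 0xbb, 0xb1, 0xbc, 0xe5, 0x27,
	0xc8, 0x15, 0xd4, 0xcb, 0x82, 0x97, 0x15, 0x46, 0x82, 0xbb,
	0x48, 0xbb, 0x16, 0x25, 0xbe, 0x82, 0xe4, 0x27, 0x80, 0xf3,
	0xc2, 0x92, 0x3b, 0xd6, 0xc3, 0x65, 0x20, 0xec, 0x50, 0xdb,
	0x6a, 0xcb, 0x47, 0x73, 0xf7, 0x98, 0xf1, 0x66, 0x5e, 0xc4,
	0xe9, 0x87, 0xf8, 0xcb, 0x1e, 0x06, 0xa7, 0x67, 0xf5, 0xec,
	0x73, 0xe5, 0xc7, 0x4d, 0xc2, 0x90, 0xe4, 0xdf, 0x9d, 0x1f,
	0x05, 0x67, 0x99, 0xd6, 0xf0, 0xc4, 0x20, 0xbc, 0xf8, 0xf5,
	0x3e, 0x19, 0xe9, 0x3a, 0x12, 0xe1, 0xcc, 0x9f, 0x81, 0x55,
	0x1e, 0xad, 0xc8, 0xa3, 0xe5, 0x98, 0xbe, 0xe0, 0x4d, 0xb7,
	0x6b, 0xd5, 0xbe, 0x6a, 0x3d, 0x76, 0xb6, 0xe2, 0xa5, 0xa7,
	0x96, 0x68, 0xeb, 0x91, 0xee, 0x02, 0xfc, 0xe4, 0x01, 0xc3,
	0x24, 0xda, 0x4c, 0xff, 0x10, 0x27, 0x78, 0xb0, 0x0b, 0x55,
	0x5c, 0xce, 0x62, 0x7d, 0x33, 0x2b, 0x25, 0x99, 0xaa, 0x99,
	0xea, 0xa3, 0x1d, 0xd8, 0x2b, 0x57, 0xb5, 0xe4, 0x04, 0x21,
	0x75, 0xd9, 0xc4, 0xd0, 0x3d, 0xa1, 0xa5, 0x8f
};

/* NOTE(review): sk_pld is not referenced by any test below. */
u_int8_t sk_pld[] = {
	0x21, 0x00, 0x01, 0x94, 0x14, 0x77, 0x25, 0x7b, 0x82, 0xc0,
	0xdb, 0x0b, 0x24, 0x36, 0x36, 0x13, 0x36, 0xe4, 0x99, 0xad,
	0xf5, 0xaf, 0x26, 0x6f, 0x47, 0xd2, 0x0d, 0x65, 0xe1, 0xa8,
	0xcb, 0x35, 0x1e, 0x53, 0xce, 0x6d, 0x8e, 0xf9, 0xe4, 0x51,
	0xe3, 0x27, 0x10, 0x43, 0x38, 0x84, 0x54, 0x1d, 0x7a, 0x1a,
	0x89, 0x34, 0x06, 0xb3, 0x62, 0x86, 0x98, 0x3b, 0x39, 0x91,
	0x6e, 0xe8, 0x65, 0x3e, 0x31, 0xa8, 0x08, 0xfe, 0x83, 0x56,
	0x30, 0xd3, 0xe0, 0xfd, 0x73, 0x92, 0x85, 0x2d, 0xae, 0x1d,
	0x7d, 0xdb, 0x47, 0x05, 0x57, 0xe7, 0x8e, 0xc5, 0xa5, 0x1b,
	0x0e, 0x85, 0x1f, 0x12, 0x6d, 0xe6, 0xdb, 0x3a, 0x3e, 0x99,
	0xd1, 0x23, 0x41, 0xa4, 0x1c, 0x46, 0x38, 0xd1, 0xa8, 0x84,
	0x96, 0x13, 0xdb, 0x2a, 0x1d, 0x3b, 0xb8, 0xd2, 0x04, 0xb3,
	0x0d, 0xb4, 0x71, 0x90, 0xdb, 0xf6, 0x2d, 0x60, 0x01, 0xc2,
	0xb2, 0x89, 0xbd, 0xe9, 0x95, 0x7b, 0x53, 0xa4, 0x94, 0x7e,
	0x12, 0xe9, 0x5f, 0xfc, 0x51, 0x17, 0x94, 0x3e, 0xba, 0xc2,
	0xa5, 0x4d, 0x3a, 0x4d, 0x4b, 0x95, 0x6d, 0x91, 0xc2, 0xb0,
	0x2d, 0xb7, 0x24, 0xe8, 0x3b, 0xbd, 0xe0, 0xcc, 0x09, 0x50,
	0x11, 0x83, 0xc0, 0xcd, 0x29, 0x33, 0xd5, 0x8f, 0x8a, 0xd1,
	0xe3, 0xe8, 0x4f, 0x6a, 0x10, 0x4a, 0x64, 0x97, 0x0f, 0x38,
	0x58, 0x8d, 0x7f, 0x5d, 0xb4, 0x6b, 0xa0, 0x42, 0x5e, 0x95,
	0xe6, 0x08, 0x3e, 0x01, 0xf8, 0x82, 0x90, 0x81, 0xd4, 0x70,
	0xb5, 0xb2, 0x8c, 0x64, 0xa9, 0x56, 0xdd, 0xc2, 0xda, 0xe1,
	0xd3, 0xad, 0xf8, 0x5b, 0x99, 0x0b, 0x19, 0x5e, 0x88, 0x0d,
	0x81, 0x04, 0x4d, 0xc1, 0x43, 0x41, 0xf1, 0xd3, 0x45, 0x65,
	0x62, 0x70, 0x2f, 0xfa, 0x62, 0xbe, 0x7d, 0xf4, 0x94, 0x91,
	0xe0, 0xbb, 0xb1, 0xbc, 0xe5, 0x27, 0xc8, 0x15, 0xd4, 0xcb,
	0x82, 0x97, 0x15, 0x46, 0x82, 0xbb, 0x48, 0xbb, 0x16, 0x25,
	0xbe, 0x82, 0xe4, 0x27, 0x80, 0xf3, 0xc2, 0x92, 0x3b, 0xd6,
	0xc3, 0x65, 0x20, 0xec, 0x50, 0xdb, 0x6a, 0xcb, 0x47, 0x73,
	0xf7, 0x98, 0xf1, 0x66, 0x5e, 0xc4, 0xe9, 0x87, 0xf8, 0xcb,
	0x1e, 0x06, 0xa7, 0x67, 0xf5, 0xec, 0x73, 0xe5, 0xc7, 0x4d,
	0xc2, 0x90, 0xe4, 0xdf, 0x9d, 0x1f, 0x05, 0x67, 0x99, 0xd6,
	0xf0, 0xc4, 0x20, 0xbc, 0xf8, 0xf5, 0x3e, 0x19, 0xe9, 0x3a,
	0x12, 0xe1, 0xcc, 0x9f, 0x81, 0x55, 0x1e, 0xad, 0xc8, 0xa3,
	0xe5, 0x98, 0xbe, 0xe0, 0x4d, 0xb7, 0x6b, 0xd5, 0xbe, 0x6a,
	0x3d, 0x76, 0xb6, 0xe2, 0xa5, 0xa7, 0x96, 0x68, 0xeb, 0x91,
	0xee, 0x02, 0xfc, 0xe4, 0x01, 0xc3, 0x24, 0xda, 0x4c, 0xff,
	0x10, 0x27, 0x78, 0xb0, 0x0b, 0x55, 0x5c, 0xce, 0x62, 0x7d,
	0x33, 0x2b, 0x25, 0x99, 0xaa, 0x99, 0xea, 0xa3, 0x1d, 0xd8,
	0x2b, 0x57, 0xb5, 0xe4, 0x04, 0x21, 0x75, 0xd9, 0xc4, 0xd0,
	0x3d, 0xa1, 0xa5, 0x8f
};

u_int8_t cp_pld[] = {
	0x2f, 0x00, 0x00, 0x0c,
	0x01, 0x00, 0x00, 0x00,	/* REQUEST */
	0x00, 0x01, 0x00, 0x00,	/* INTERNAL_IP4_ADDRESS */
	0x2f, 0x00, 0x00, 0x10,
	0x02, 0x00, 0x00, 0x00,	/* REPLY */
	0x00, 0x01, 0x00, 0x04,	/* INTERNAL_IP4_ADDRESS */
	0xaa, 0xbb, 0xcc, 0xdd,	/* 170.187.204.221 */
	0x2f, 0x00, 0x00, 0x08,
	0x03, 0x00, 0x00, 0x00,	/* SET (empty) */
	0x2f, 0x00, 0x00, 0x24,
	0x02, 0x00, 0x00, 0x00,	/* REPLY */
	0x00, 0x01, 0x00, 0x04,	/* INTERNAL_IP4_ADDRESS */
	0xaa, 0xaa, 0xaa, 0xaa,	/* 170.170.170.170 */
	0x00, 0x02, 0x00, 0x04,	/* INTERNAL_IP4_NETMASK */
	0xbb, 0xbb, 0xbb, 0xbb,	/* 187.187.187.187 */
	0x00, 0x03, 0x00, 0x04,	/* INTERNAL_IP4_DNS */
	0xcc, 0xcc, 0xcc, 0xcc,	/* 204.204.204.204 */
	0x00, 0x08, 0x00, 0x00,	/* INTERNAL_IP6_ADDRESS */
	0x00, 0x00, 0x00, 0x08,
	0x04, 0x00, 0x00, 0x00,	/* ACK (empty) */
};

u_int8_t eap_pld[] = {
	0x30, 0x00, 0x00, 0x09,
	0x01, 0x00, 0x00, 0x05, 0x01,
	0x30, 0x00, 0x00, 0x0c,
	0x02, 0x00, 0x00, 0x05, 0x01, 0xfa, 0xfb, 0xfc,
	0x30, 0x00, 0x00, 0x08,
	0x03, 0x00, 0x00, 0x04,
	0x00, 0x00, 0x00, 0x08,
	0x04, 0x00, 0x00, 0x04
};

/* Valid initiator packet */
u_int8_t valid_packet[] = {
	0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0x00, 0x01, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x21, 0x20, 0x22, 0x08,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xc0, 0x22, 0x00,
	0x00, 0x40, 0x00, 0x00, 0x00, 0x3c, 0x01, 0x01, 0x00, 0x06,
	0x03, 0x00, 0x00, 0x08, 0x03, 0x00, 0x00, 0x0c, 0x03, 0x00,
	0x00, 0x0c, 0x01, 0x00, 0x00, 0x0c, 0x80, 0x0e, 0x00, 0xc0,
	0x03, 0x00, 0x00, 0x08, 0x04, 0x00, 0x00, 0x0e, 0x03, 0x00,
	0x00, 0x08, 0x02, 0x00, 0x00, 0x05, 0x03, 0x00, 0x00, 0x08,
	0x02, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x08, 0x02, 0x00,
	0x00, 0x01, 0x28, 0x00, 0x01, 0x08, 0x00, 0x0e, 0x00, 0x00,
	0x16, 0xcb, 0x68, 0xaf, 0x63, 0xfe, 0xb0, 0x58, 0x49, 0x0e,
	0x7f, 0x85, 0x60, 0x53, 0x80, 0xae, 0x3f, 0x82, 0xf3, 0x35,
	0x21, 0xd5, 0xae, 0x09, 0x1c, 0xfa, 0x68, 0xc2, 0xfb, 0x4b,
	0xb3, 0x84, 0xda, 0xaf, 0x6e, 0xe2, 0x5e, 0xc5, 0xb6, 0x8c,
	0x35, 0x3c, 0xec, 0x58, 0x7f, 0xa9, 0xf8, 0xa4, 0x24, 0xf3,
	0xf8, 0xf4, 0x65, 0x59, 0x8c, 0x15, 0x4d, 0x2c, 0xf1, 0x5d,
	0xeb, 0x57, 0x68, 0xfe, 0x75, 0x61, 0x5a, 0x80, 0x96, 0xa4,
	0x0a, 0xad, 0x75, 0x71, 0xd8, 0xe0, 0x06, 0xbc, 0xde, 0x16,
	0x6d, 0x1e, 0xd9, 0x5d, 0x2c, 0x00, 0x66, 0x43, 0x82, 0xe4,
	0x6f, 0x5f, 0x95, 0xe7, 0x9b, 0xfd, 0xf2, 0xe2, 0xcb, 0xc5,
	0xf1, 0x52, 0xdd, 0x3b, 0xed, 0x88, 0xd4, 0xa9, 0x13, 0x4e,
	0x42, 0xe8, 0x60, 0x2d, 0x3c, 0xf6, 0xc8, 0xf0, 0x70, 0x42,
	0xfa, 0x33, 0x7f, 0x28, 0xdf, 0x6b, 0x79, 0x2c, 0x79, 0x8f,
	0xc0, 0x5d, 0x81, 0x7a, 0x62, 0xdb, 0xd4, 0x44, 0x3a, 0x3c,
	0x21, 0xbf, 0x85, 0xc8, 0x0b, 0x8c, 0x77, 0x72, 0xe9, 0xfb,
	0x50, 0x5c, 0x03, 0xa6, 0xb2, 0x3f, 0x17, 0x4a, 0xd1, 0xb3,
	0x01, 0x30, 0xad, 0xe4, 0xfa, 0xe2, 0xba, 0x6f, 0x22, 0x83,
	0xf4, 0xde, 0x38, 0x43, 0xe8, 0x27, 0x00, 0xb8, 0x95, 0xbe,
	0x03, 0x8f, 0xcd, 0xd3, 0x72, 0xed, 0xa5, 0xed, 0x8d, 0xf4,
	0x68, 0x98, 0xef, 0x59, 0xcc, 0xfb, 0x54, 0x89, 0xde, 0xa9,
	0xd4, 0x88, 0xcd, 0xb9, 0xca, 0x09, 0xd3, 0xd5, 0x25, 0xb1,
	0x8c, 0x58, 0x12, 0x9c, 0x69, 0x03, 0x72, 0x00, 0xc9, 0xca,
	0x95, 0x8a, 0xce, 0x0d, 0xd2, 0xc8, 0x25, 0xe7, 0x7c, 0xed,
	0x5e, 0xee, 0x35, 0x01, 0xfc, 0x00, 0x56, 0xed, 0xf3, 0x8d,
	0x81, 0x6c, 0x3e, 0x86, 0x6a, 0x40, 0xac, 0xc7, 0x9c, 0x7a,
	0xbf, 0x9f, 0x8e, 0x1f, 0xd8, 0x60, 0x29, 0x00, 0x00, 0x24,
	0x5f, 0x61, 0x42, 0x72, 0x7d, 0xb2, 0xa8, 0xc1, 0xfe, 0xb1,
	0x38, 0x2e, 0xb8, 0x75, 0xa7, 0xc1, 0x1d, 0x8a, 0xa7, 0xb7,
	0x9b, 0x92, 0xe2, 0x0e, 0x3a, 0x18, 0x20, 0xb6, 0x16, 0xf3,
	0x35, 0x67, 0x29, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x04,
	0xc7, 0xa0, 0x68, 0x68, 0x09, 0x0a, 0x7f, 0x12, 0x0b, 0x13,
	0xd3, 0x2f, 0xde, 0x64, 0x8b, 0xf1, 0xc3, 0x3c, 0x79, 0x8f,
	0x00, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x05, 0x9f, 0xbc,
	0x8c, 0xd0, 0x91, 0x5e, 0xa0, 0x87, 0x81, 0xab, 0x4f, 0xa1,
	0x8a, 0xa7, 0xa8, 0xf9, 0xeb, 0xdf, 0x9f, 0x2c
};

/* Byte offsets into a packet laid out as cookies[] followed by genhdr[]. */
#define OFFSET_ICOOKIE		0
#define OFFSET_RCOOKIE		8
#define OFFSET_NEXTPAYLOAD	(0 + sizeof(cookies))
#define OFFSET_VERSION		(1 + sizeof(cookies))
#define OFFSET_EXCHANGE		(2 + sizeof(cookies))
#define OFFSET_LENGTH		(8 + sizeof(cookies))

/* Mutation strategies applied to every seed packet. */
#define FUZZ_STRATEGIES							\
	(FUZZ_1_BIT_FLIP | FUZZ_2_BIT_FLIP |				\
	 FUZZ_1_BYTE_FLIP | FUZZ_2_BYTE_FLIP |				\
	 FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END |			\
	 FUZZ_BASE64)

/* One seed: a test name plus the payload appended after the header. */
struct fuzz_case {
	const char	*name;		/* passed to TEST_START() */
	const void	*payload;	/* NULL: header only, next untouched */
	size_t		 len;		/* size of payload in bytes */
	u_int8_t	 next;		/* "next payload" value for the header */
};

/* Return a pointer to the initiator cookie inside the packet. */
static u_int8_t *
get_icookie(u_int8_t *data)
{
	return &data[OFFSET_ICOOKIE];
}

/* Return a pointer to the responder cookie inside the packet. */
static u_int8_t *
get_rcookie(u_int8_t *data)
{
	return &data[OFFSET_RCOOKIE];
}

/* Return the header's "next payload" byte. */
static u_int8_t
get_nextpayload(u_int8_t *data)
{
	return data[OFFSET_NEXTPAYLOAD];
}

/* Return the header's major/minor version byte. */
static u_int8_t
get_version(u_int8_t *data)
{
	return data[OFFSET_VERSION];
}

/* Return the header's exchange type byte. */
static u_int8_t
get_exchange(u_int8_t *data)
{
	return data[OFFSET_EXCHANGE];
}

/*
 * Return the four length bytes exactly as stored in the packet; no
 * byte-order conversion is done here (set_length() stores big-endian).
 * memcpy() is used instead of dereferencing a cast pointer so the read
 * does not depend on the buffer's alignment or on type punning.
 */
static u_int32_t
get_length(u_int8_t *data)
{
	u_int32_t	 length;

	memcpy(&length, &data[OFFSET_LENGTH], sizeof(length));
	return length;
}

/* Store length into the header's total length field, big-endian. */
static void
set_length(u_int8_t *data, u_int32_t length)
{
	u_int32_t	 be = htobe32(length);

	memcpy(&data[OFFSET_LENGTH], &be, sizeof(be));
}

/* Overwrite the header's "next payload" byte. */
static void
set_nextpayload(u_int8_t *data, u_int8_t next)
{
	data[OFFSET_NEXTPAYLOAD] = next;
}

/*
 * Fill hdr from the first bytes of data.  The caller must make sure data
 * holds at least sizeof(cookies) + sizeof(genhdr) bytes: the fields are
 * read at fixed offsets without any bounds check.
 */
static void
prepare_header(struct ike_header *hdr, struct ibuf *data)
{
	bzero(hdr, sizeof(*hdr));
	bcopy(get_icookie(ibuf_data(data)), &hdr->ike_ispi,
	    sizeof(hdr->ike_ispi));
	bcopy(get_rcookie(ibuf_data(data)), &hdr->ike_rspi,
	    sizeof(hdr->ike_rspi));
	hdr->ike_nextpayload = get_nextpayload(ibuf_data(data));
	hdr->ike_version = get_version(ibuf_data(data));
	hdr->ike_exchange = get_exchange(ibuf_data(data));
	/* Raw bytes from the packet, not converted to host order. */
	hdr->ike_length = get_length(ibuf_data(data));
}

/*
 * Reset msg and point it at data and at a zeroed SA.  The SA is static
 * because msg keeps a pointer to it after this function returns; it is
 * shared by, and cleared for, every call.
 */
static void
prepare_message(struct iked_message *msg, struct ibuf *data)
{
	static struct iked_sa	sa;

	bzero(&sa, sizeof(sa));
	bzero(msg, sizeof(*msg));

	msg->msg_sa = &sa;
	msg->msg_data = data;
	msg->msg_e = 1;
	msg->msg_parent = msg;
}

/*
 * Feed every mutation produced by fuzz to ikev2_pld_parse().  The return
 * value of the parser is not asserted here; presumably a rejected input is
 * fine and only a crash counts as a failure.  Each input is hex-dumped
 * before it is parsed, so the last dump identifies a crashing input.
 *
 * NOTE(review): the fuzz context from fuzz_begin() is never released in
 * this file; if test_helper offers a cleanup routine, call it after the
 * loop.
 */
static void
perform_test(struct fuzz *fuzz)
{
	struct ibuf		*fuzzed;
	struct ike_header	 hdr;
	struct iked_message	 msg;

	bzero(&hdr, sizeof(hdr));
	bzero(&msg, sizeof(msg));

	for (; !fuzz_done(fuzz); fuzz_next(fuzz)) {
		ASSERT_PTR_NE(fuzzed = ibuf_new(fuzz_ptr(fuzz), fuzz_len(fuzz)),
		    NULL);
		print_hex(ibuf_data(fuzzed), 0, ibuf_size(fuzzed));

		/*
		 * We need at least cookies and generic header: without
		 * this check prepare_header() would read past the end of
		 * a truncated input.
		 */
		if (ibuf_size(fuzzed) < sizeof(cookies) + sizeof(genhdr)) {
			ibuf_free(fuzzed);
			continue;
		}

		prepare_header(&hdr, fuzzed);
		prepare_message(&msg, fuzzed);

		ikev2_pld_parse(NULL, &hdr, &msg, 0);

		ibuf_free(fuzzed);
	}
}

/*
 * Check that the seed packet parses cleanly, then fuzz it.  Takes
 * ownership of data and frees it.
 */
static void
check_and_fuzz(struct ibuf *data)
{
	struct fuzz		*fuzz;
	struct ike_header	 hdr;
	struct iked_message	 msg;

	print_hex(ibuf_data(data), 0, ibuf_size(data));
	prepare_header(&hdr, data);
	prepare_message(&msg, data);
	/* A seed the parser rejects would make the mutations meaningless. */
	ASSERT_INT_EQ(ikev2_pld_parse(NULL, &hdr, &msg, 0), 0);
	fuzz = fuzz_begin(FUZZ_STRATEGIES, ibuf_data(data), ibuf_size(data));
	/* data is freed before the run; presumably fuzz_begin() copied it. */
	ibuf_free(data);
	perform_test(fuzz);
}

/* Build cookies + generic header + tc's payload and run one fuzz test. */
static void
fuzz_payload_case(const struct fuzz_case *tc)
{
	struct ibuf	*data;

	TEST_START(tc->name);
	data = ibuf_new(cookies, sizeof(cookies));
	ASSERT_PTR_NE(data, NULL);
	ASSERT_INT_EQ(ibuf_add(data, genhdr, sizeof(genhdr)), 0);
	if (tc->payload != NULL) {
		ASSERT_INT_EQ(ibuf_add(data, tc->payload, tc->len), 0);
	}
	set_length(ibuf_data(data), ibuf_size(data));
	if (tc->payload != NULL) {
		set_nextpayload(ibuf_data(data), tc->next);
	}
	check_and_fuzz(data);
	TEST_DONE();
}

/*
 * Entry point: fuzz the bare generic header, one packet per payload type,
 * and finally a complete valid packet.
 */
void
parser_fuzz_tests(void)
{
	static const struct fuzz_case cases[] = {
		{ "fuzz generic header", NULL, 0, 0 },
		{ "fuzz skf_1of1 payload",
		    skf_1of1_pld, sizeof(skf_1of1_pld), IKEV2_PAYLOAD_SKF },
		{ "fuzz sa payload",
		    sa_pld, sizeof(sa_pld), IKEV2_PAYLOAD_SA },
		{ "fuzz sa and xform payload",
		    saxform_pld, sizeof(saxform_pld), IKEV2_PAYLOAD_SA },
		{ "fuzz ke payload",
		    ke_pld, sizeof(ke_pld), IKEV2_PAYLOAD_KE },
		{ "fuzz nonce payload",
		    nonce_pld, sizeof(nonce_pld), IKEV2_PAYLOAD_NONCE },
		{ "fuzz notify payload",
		    notify_pld, sizeof(notify_pld), IKEV2_PAYLOAD_NOTIFY },
		{ "fuzz id payload",
		    id_pld, sizeof(id_pld), IKEV2_PAYLOAD_IDi },
		{ "fuzz cert payload",
		    cert_pld, sizeof(cert_pld), IKEV2_PAYLOAD_CERT },
		{ "fuzz certreq payload",
		    certreq_pld, sizeof(certreq_pld), IKEV2_PAYLOAD_CERTREQ },
		{ "fuzz auth payload",
		    auth_pld, sizeof(auth_pld), IKEV2_PAYLOAD_AUTH },
		{ "fuzz delete notify payload",
		    delete_pld, sizeof(delete_pld), IKEV2_PAYLOAD_DELETE },
		{ "fuzz vendor id payload",
		    vendor_pld, sizeof(vendor_pld), IKEV2_PAYLOAD_VENDOR },
		{ "fuzz traffic selector initiator payload",
		    ts_pld, sizeof(ts_pld), IKEV2_PAYLOAD_TSi },
		{ "fuzz traffic selector responder payload",
		    ts_pld, sizeof(ts_pld), IKEV2_PAYLOAD_TSr },
		{ "fuzz configuration payload",
		    cp_pld, sizeof(cp_pld), IKEV2_PAYLOAD_CP },
		{ "fuzz eap payload",
		    eap_pld, sizeof(eap_pld), IKEV2_PAYLOAD_EAP },
	};
	struct ibuf	*data;
	size_t		 i;

#if 0
	log_init(3);
#endif

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		fuzz_payload_case(&cases[i]);

	/* The full packet carries its own header, so none is prepended. */
	TEST_START("fuzz full valid packet");
	data = ibuf_new(valid_packet, sizeof(valid_packet));
	ASSERT_PTR_NE(data, NULL);
	set_length(ibuf_data(data), ibuf_size(data));
	check_and_fuzz(data);
	TEST_DONE();
}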