Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Fuzzer details

Fuzzer: ssh_client_config_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 765 97.5%
gold [1:9] 18 2.29%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 1 0.12%
All colors 784 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
39 39 3: ['_ssh_log', 'OpenSSL_version_num', 'OpenSSL_version'] 39 39 ssh_crypto_init call site: 00012 /src/libssh/src/libcrypto.c:1342
10 10 1: ['ssh_dh_finalize'] 10 10 ssh_dh_init call site: 00045 /src/libssh/src/dh.c:260
0 0 None 10 10 ssh_dh_init call site: 00036 /src/libssh/src/dh.c:239
0 0 None 10 10 ssh_dh_init call site: 00037 /src/libssh/src/dh.c:243
0 0 None 10 10 ssh_dh_init call site: 00039 /src/libssh/src/dh.c:248
0 0 None 10 10 ssh_dh_init call site: 00041 /src/libssh/src/dh.c:252
0 0 None 10 10 ssh_dh_init call site: 00043 /src/libssh/src/dh.c:256
0 0 None 6 92 _ssh_init call site: 00003 /src/libssh/src/init.c:66
0 0 None 6 6 _ssh_init call site: 00004 /src/libssh/src/init.c:72
0 0 None 6 6 _ssh_init call site: 00008 /src/libssh/src/init.c:78
0 0 None 6 6 _ssh_init call site: 00011 /src/libssh/src/init.c:83
0 0 None 6 6 _ssh_init call site: 00035 /src/libssh/src/init.c:88

Runtime coverage analysis

Covered functions
9
Functions that are reachable but not covered
315
Reachable functions
323
Percentage of reachable functions covered
2.48%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
tests/fuzz/ssh_client_config_fuzzer.c 1
src/init.c 4
src/threads/pthread.c 3
src/threads.c 2
src/threads/libcrypto.c 2
src/libcrypto.c 2
src/log.c 12
src/dh.c 2
src/socket.c 6
src/poll.c 6
src/session.c 3
src/wrapper.c 4
src/error.c 3
src/buffer.c 5
src/misc.c 21
src/agent.c 3
src/channels.c 1
src/pcap.c 1
src/pki.c 2
src/pki_crypto.c 1
src/string.c 4
src/dh_crypto.c 1
src/messages.c 1
src/auth.c 2
src/callbacks.c 1
src/options.c 2
src/config_parser.c 6
src/kex.c 6
src/token.c 7
src/config.c 11
src/match.c 8

Fuzzer: ssh_pubkey_fuzzer

Call tree


Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 383 59.8%
gold [1:9] 56 8.75%
yellow [10:29] 17 2.65%
greenyellow [30:49] 9 1.40%
lawngreen 50+ 175 27.3%
All colors 640 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
138 218 3: ['_ssh_log', 'ssh_pki_export_privkey_to_pubkey', 'ssh_key_free'] 138 218 ssh_pki_import_pubkey_file call site: 00505 /src/libssh/src/pki.c:1884
41 113 12: ['EVP_PKEY_free', 'EVP_PKEY_get_raw_public_key', 'malloc', 'pki_key_ecdsa_to_nid', 'ssh_key_free', 'EVP_PKEY_get_raw_private_key', 'EVP_PKEY_get0_EC_KEY', 'pki_key_ecdsa_to_key_type', 'ssh_key_type_to_char', 'EVP_PKEY_base_id', 'free', 'ssh_key_new'] 57 409 pki_private_key_from_base64 call site: 00512 /src/libssh/src/pki_crypto.c:1033
21 21 4: ['ssh_socket_cleanup', 'ssh_crypto_finalize', 'ssh_threads_finalize', 'ssh_dh_finalize'] 21 33 _ssh_finalize call site: 00630 /src/libssh/src/init.c:165
10 10 1: ['ssh_pki_key_ecdsa_name'] 10 141 pki_import_pubkey_buffer call site: 00282 /src/libssh/src/pki.c:1463
10 10 1: ['ssh_dh_finalize'] 10 10 ssh_dh_init call site: 00044 /src/libssh/src/dh.c:260
7 7 2: ['__errno_location', 'ssh_strerror'] 7 42 ssh_pki_import_pubkey_file call site: 00083 /src/libssh/src/pki.c:1857
6 6 1: ['buffer_shift'] 6 19 ssh_buffer_add_data call site: 00117 /src/libssh/src/buffer.c:318
6 6 1: ['buffer_shift'] 6 19 ssh_buffer_allocate_size call site: 00103 /src/libssh/src/buffer.c:347
4 39 3: ['_ssh_log', 'OpenSSL_version_num', 'OpenSSL_version'] 4 39 ssh_crypto_init call site: 00011 /src/libssh/src/libcrypto.c:1342
4 4 2: ['EVP_PKEY_free', 'RSA_free'] 4 4 pki_pubkey_build_rsa call site: 00244 /src/libssh/src/pki_crypto.c:1376
2 2 1: ['explicit_bzero'] 2 28 ssh_key_clean call site: 00303 /src/libssh/src/pki.c:146
2 2 1: ['abort'] 2 2 ssh_buffer_unpack_va call site: 00169 /src/libssh/src/buffer.c:1260

Runtime coverage analysis

Covered functions
64
Functions that are reachable but not covered
129
Reachable functions
192
Percentage of reachable functions covered
32.81%

Files reached

filename functions hit
tests/fuzz/ssh_pubkey_fuzzer.c 1
src/init.c 4
src/threads/pthread.c 3
src/threads.c 2
src/threads/libcrypto.c 2
src/libcrypto.c 3
src/log.c 9
src/dh.c 2
src/socket.c 2
src/poll.c 2
src/misc.c 2
src/pki.c 14
src/pki_container_openssh.c 4
src/base64.c 4
src/buffer.c 19
src/string.c 7
src/bignum.c 1
src/pki_crypto.c 12
src/external/bcrypt_pbkdf.c 2
src/md_crypto.c 3
src/external/blowfish.c 6
src/wrapper.c 1
src/pki_ed25519_common.c 2

Fuzzer: ssh_privkey_fuzzer

Call tree


Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 495 92.8%
gold [1:9] 18 3.37%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 20 3.75%
All colors 533 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
658 658 1: ['ssh_pki_openssh_privkey_import'] 658 658 ssh_pki_import_privkey_base64 call site: 00061 /src/libssh/src/pki.c:819
113 113 12: ['EVP_PKEY_free', 'EVP_PKEY_get_raw_public_key', 'malloc', 'pki_key_ecdsa_to_nid', 'ssh_key_free', 'EVP_PKEY_get_raw_private_key', 'EVP_PKEY_get0_EC_KEY', 'pki_key_ecdsa_to_key_type', 'ssh_key_type_to_char', 'EVP_PKEY_base_id', 'free', 'ssh_key_new'] 129 409 pki_private_key_from_base64 call site: 00484 /src/libssh/src/pki_crypto.c:1033
4 39 3: ['_ssh_log', 'OpenSSL_version_num', 'OpenSSL_version'] 4 39 ssh_crypto_init call site: 00013 /src/libssh/src/libcrypto.c:1342
2 2 1: ['exit'] 2 2 ssh_mutex_lock call site: 00007 /src/libssh/src/threads/pthread.c:111
2 2 1: ['exit'] 2 2 ssh_mutex_unlock call site: 00057 /src/libssh/src/threads/pthread.c:126
0 0 None 660 861 ssh_pki_import_privkey_base64 call site: 00059 /src/libssh/src/pki.c:809
0 0 None 137 452 pki_private_key_from_base64 call site: 00478 /src/libssh/src/pki_crypto.c:1018
0 0 None 137 452 pki_private_key_from_base64 call site: 00478 /src/libssh/src/pki_crypto.c:1019
0 0 None 10 10 ssh_dh_init call site: 00037 /src/libssh/src/dh.c:239
0 0 None 10 10 ssh_dh_init call site: 00038 /src/libssh/src/dh.c:243
0 0 None 10 10 ssh_dh_init call site: 00042 /src/libssh/src/dh.c:252
0 0 None 10 10 ssh_dh_init call site: 00044 /src/libssh/src/dh.c:256

Runtime coverage analysis

Covered functions
19
Functions that are reachable but not covered
153
Reachable functions
171
Percentage of reachable functions covered
10.53%

Files reached

filename functions hit
tests/fuzz/ssh_privkey_fuzzer.c 1
src/base64.c 6
src/init.c 4
src/threads/pthread.c 3
src/threads.c 2
src/threads/libcrypto.c 2
src/libcrypto.c 3
src/log.c 9
src/dh.c 2
src/socket.c 2
src/poll.c 2
src/pki.c 11
src/pki_container_openssh.c 4
src/buffer.c 19
src/string.c 7
src/bignum.c 1
src/pki_crypto.c 11
src/external/bcrypt_pbkdf.c 2
src/md_crypto.c 3
src/external/blowfish.c 6
src/wrapper.c 1
src/pki_ed25519_common.c 1

Fuzzer: ssh_bind_config_fuzzer

Call tree


Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 806 97.6%
gold [1:9] 18 2.18%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 1 0.12%
All colors 825 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
39 39 3: ['_ssh_log', 'OpenSSL_version_num', 'OpenSSL_version'] 39 39 ssh_crypto_init call site: 00012 /src/libssh/src/libcrypto.c:1342
10 10 1: ['ssh_dh_finalize'] 10 10 ssh_dh_init call site: 00045 /src/libssh/src/dh.c:260
0 0 None 10 10 ssh_dh_init call site: 00036 /src/libssh/src/dh.c:239
0 0 None 10 10 ssh_dh_init call site: 00037 /src/libssh/src/dh.c:243
0 0 None 10 10 ssh_dh_init call site: 00039 /src/libssh/src/dh.c:248
0 0 None 10 10 ssh_dh_init call site: 00041 /src/libssh/src/dh.c:252
0 0 None 10 10 ssh_dh_init call site: 00043 /src/libssh/src/dh.c:256
0 0 None 6 92 _ssh_init call site: 00003 /src/libssh/src/init.c:66
0 0 None 6 6 _ssh_init call site: 00004 /src/libssh/src/init.c:72
0 0 None 6 6 _ssh_init call site: 00008 /src/libssh/src/init.c:78
0 0 None 6 6 _ssh_init call site: 00011 /src/libssh/src/init.c:83
0 0 None 6 6 _ssh_init call site: 00035 /src/libssh/src/init.c:88

Runtime coverage analysis

Covered functions
9
Functions that are reachable but not covered
280
Reachable functions
288
Percentage of reachable functions covered
2.78%

Files reached

filename functions hit
tests/fuzz/ssh_bind_config_fuzzer.c 1
src/init.c 4
src/threads/pthread.c 3
src/threads.c 2
src/threads/libcrypto.c 2
src/libcrypto.c 3
src/log.c 10
src/dh.c 2
src/socket.c 2
src/poll.c 2
src/bind.c 2
src/bind_config.c 6
src/error.c 3
src/config_parser.c 2
src/options.c 5
src/pki.c 15
src/pki_container_openssh.c 4
src/base64.c 4
src/buffer.c 19
src/string.c 7
src/bignum.c 1
src/pki_crypto.c 13
src/external/bcrypt_pbkdf.c 2
src/md_crypto.c 3
src/external/blowfish.c 6
src/wrapper.c 1
src/pki_ed25519_common.c 1
src/misc.c 3
src/kex.c 6
src/token.c 7

Fuzzer: ssh_known_hosts_fuzzer

Call tree


Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 110 26.8%
gold [1:9] 21 5.13%
yellow [10:29] 3 0.73%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 275 67.2%
All colors 409 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
21 21 4: ['ssh_socket_cleanup', 'ssh_crypto_finalize', 'ssh_threads_finalize', 'ssh_dh_finalize'] 21 33 _ssh_finalize call site: 00398 /src/libssh/src/init.c:165
10 10 1: ['ssh_pki_key_ecdsa_name'] 10 141 pki_import_pubkey_buffer call site: 00307 /src/libssh/src/pki.c:1463
10 10 1: ['ssh_dh_finalize'] 10 10 ssh_dh_init call site: 00050 /src/libssh/src/dh.c:260
7 42 3: ['__errno_location', 'ssh_strerror', '_ssh_log'] 7 42 ssh_known_hosts_read_entries call site: 00064 /src/libssh/src/knownhosts.c:236
6 6 1: ['buffer_shift'] 6 19 ssh_buffer_add_data call site: 00106 /src/libssh/src/buffer.c:318
6 6 1: ['buffer_shift'] 6 19 ssh_buffer_allocate_size call site: 00092 /src/libssh/src/buffer.c:347
6 6 2: ['EC_KEY_get0_private_key', 'BN_cmp'] 6 6 pki_key_compare call site: 00381 /src/libssh/src/pki_crypto.c:858
4 39 3: ['_ssh_log', 'OpenSSL_version_num', 'OpenSSL_version'] 4 39 ssh_crypto_init call site: 00017 /src/libssh/src/libcrypto.c:1342
4 4 1: ['ssh_key_is_private'] 8 92 ssh_key_cmp call site: 00357 /src/libssh/src/pki.c:672
4 4 2: ['EVP_PKEY_free', 'RSA_free'] 4 4 pki_pubkey_build_rsa call site: 00268 /src/libssh/src/pki_crypto.c:1376
2 12 3: ['ssh_buffer_get_len', 'memcmp', 'ssh_buffer_get'] 2 12 ssh_key_cmp call site: 00363 /src/libssh/src/pki.c:688
2 2 1: ['explicit_bzero'] 2 28 ssh_key_clean call site: 00328 /src/libssh/src/pki.c:146

Runtime coverage analysis

Covered functions
82
Functions that are reachable but not covered
92
Reachable functions
173
Percentage of reachable functions covered
46.82%

Files reached

filename functions hit
tests/fuzz/ssh_known_hosts_fuzzer.c 1
src/init.c 4
src/threads/pthread.c 3
src/threads.c 2
src/threads/libcrypto.c 2
src/libcrypto.c 5
src/log.c 9
src/dh.c 2
src/socket.c 2
src/poll.c 2
src/knownhosts.c 7
src/misc.c 8
src/base64.c 4
src/buffer.c 19
src/match.c 3
src/pki.c 12
src/string.c 7
src/bignum.c 1
src/pki_crypto.c 6
src/pki_ed25519_common.c 1

Fuzzer: ssh_server_fuzzer

Call tree


Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1354 63.3%
gold [1:9] 19 0.88%
yellow [10:29] 4 0.18%
greenyellow [30:49] 6 0.28%
lawngreen 50+ 753 35.2%
All colors 2136 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
2516 8036 7: ['ssh_list_get_iterator', 'ssh_packet_send', 'ssh_message_handle_channel_request', 'strcmp', 'free', '_ssh_buffer_pack', '_ssh_buffer_unpack'] 2516 8386 channel_rcv_request call site: 00000 /src/libssh/src/channels.c:797
2381 2481 13: ['ssh_list_get_iterator', 'grow_window', 'ssh_buffer_get', '_ssh_set_error', 'ssh_buffer_get_ssh_string', 'ssh_buffer_pass_bytes', 'ssh_string_free', 'ssh_string_data', 'ssh_string_len', 'ssh_buffer_get_u32', 'ntohl', 'ssh_buffer_get_len', 'channel_default_bufferize'] 2381 2691 channel_rcv_data call site: 00000 /src/libssh/src/channels.c:592
2334 2334 1: ['ssh_execute_message_callback'] 2334 2334 ssh_message_queue call site: 00000 /src/libssh/src/messages.c:478
2309 2403 10: ['_ssh_log', 'ssh_buffer_reinit', '_ssh_set_error_oom', 'strlen', 'dh_handshake', 'calloc', 'strchr', 'ssh_string_free', 'free', 'kex_select_kex_type'] 2309 2403 ssh_send_kex call site: 02010 /src/libssh/src/kex.c:1101
2299 2332 3: ['ssh_send_disconnect', 'ssh_session_set_disconnect_message', '_ssh_set_error'] 2299 4889 ssh_packet_channel_open call site: 00000 /src/libssh/src/messages.c:1215
2280 2280 1: ['ssh_message_global_request_reply_success'] 2280 2350 ssh_packet_global_request call site: 00000 /src/libssh/src/messages.c:1679
2279 2349 2: ['ssh_send_rekex', '_ssh_log'] 2279 2349 ssh_packet_socket_callback call site: 00000 /src/libssh/src/packet.c:1404
2277 4613 3: ['ssh_message_reply_default', '_ssh_log', 'ssh_message_channel_request_open_reply_accept_channel'] 2277 4613 ssh_execute_server_request call site: 00000 /src/libssh/src/messages.c:191
1306 1306 1: ['ssh_set_client_kex'] 1314 1976 ssh_packet_kexinit call site: 00000 /src/libssh/src/kex.c:386
770 770 1: ['ssh_bind_import_keys'] 782 1196 ssh_bind_accept_fd call site: 00926 /src/libssh/src/bind.c:520
658 658 1: ['ssh_pki_openssh_privkey_import'] 658 658 ssh_pki_import_privkey_base64 call site: 00205 /src/libssh/src/pki.c:819
251 251 2: ['strlen', 'ssh_pcap_context_write'] 251 251 ssh_send_banner call site: 01029 /src/libssh/src/client.c:234

Runtime coverage analysis

Covered functions
325
Functions that are reachable but not covered
272
Reachable functions
482
Percentage of reachable functions covered
43.57%

Files reached

filename functions hit
tests/fuzz/ssh_server_fuzzer.c 2
src/bind.c 4
src/session.c 7
src/wrapper.c 10
src/socket.c 16
src/error.c 3
src/buffer.c 31
src/misc.c 28
src/agent.c 3
src/channels.c 1
src/pcap.c 5
src/poll.c 20
src/log.c 12
src/pki.c 20
src/pki_crypto.c 17
src/string.c 9
src/dh_crypto.c 6
src/messages.c 1
src/auth.c 2
src/callbacks.c 2
src/options.c 7
src/pki_container_openssh.c 4
src/base64.c 4
src/bignum.c 2
src/libcrypto.c 7
src/external/bcrypt_pbkdf.c 2
src/md_crypto.c 20
src/external/blowfish.c 6
src/pki_ed25519_common.c 5
src/kex.c 18
src/token.c 7
src/server.c 4
src/client.c 3
src/getrandom_crypto.c 1
src/packet.c 10
src/knownhosts.c 10
src/config_parser.c 1
src/config.c 1
src/match.c 3
src/gzip.c 3
src/packet_crypt.c 1
src/dh.c 3
src/kdf.c 5
src/dh-gex.c 1
src/ecdh_crypto.c 3
src/curve25519.c 2

Fuzzer: ssh_client_fuzzer

Call tree


Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 2363 73.2%
gold [1:9] 97 3.00%
yellow [10:29] 37 1.14%
greenyellow [30:49] 45 1.39%
lawngreen 50+ 682 21.1%
All colors 3224 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
2440 2440 1: ['ssh_channel_close'] 2440 2480 ssh_channel_free call site: 03198 /src/libssh/src/channels.c:1267
2381 2481 13: ['ssh_list_get_iterator', 'grow_window', 'ssh_buffer_get', '_ssh_set_error', 'ssh_buffer_get_ssh_string', 'ssh_buffer_pass_bytes', 'ssh_string_free', 'ssh_string_data', 'ssh_string_len', 'ssh_buffer_get_u32', 'ntohl', 'ssh_buffer_get_len', 'channel_default_bufferize'] 2381 2691 channel_rcv_data call site: 00000 /src/libssh/src/channels.c:592
2279 2349 2: ['ssh_send_rekex', '_ssh_log'] 2279 2349 ssh_packet_socket_callback call site: 00000 /src/libssh/src/packet.c:1404
791 804 10: ['ssh_list_get_iterator', 'fclose', 'known_hosts_read_line', '__ctype_b_loc', 'strcspn', 'ssh_knownhosts_entry_free', 'ssh_list_append', 'ssh_known_hosts_parse_line', 'ssh_list_new', 'ssh_known_hosts_entries_compare'] 791 804 ssh_known_hosts_read_entries call site: 01048 /src/libssh/src/knownhosts.c:236
251 251 2: ['strlen', 'ssh_pcap_context_write'] 251 251 ssh_send_banner call site: 00000 /src/libssh/src/client.c:234
247 249 2: ['ssh_buffer_get', 'ssh_pcap_context_write'] 2655 10284 ssh_packet_socket_callback call site: 00000 /src/libssh/src/packet.c:1273
247 247 1: ['ssh_pcap_context_write'] 247 1276 packet_send2 call site: 01613 /src/libssh/src/packet.c:1753
245 245 1: ['server_set_kex'] 253 915 ssh_packet_kexinit call site: 00000 /src/libssh/src/kex.c:386
222 258 9: ['ssh_list_get_iterator', 'strncat', 'ssh_list_free', 'ssh_knownhosts_entry_free', 'ssh_known_host_sigs_from_hostkey_type', 'strlen', 'ssh_list_remove', 'ssh_list_count', 'ssh_remove_duplicates'] 222 258 ssh_known_hosts_get_algorithms_names call site: 01497 /src/libssh/src/knownhosts.c:571
163 163 1: ['pki_ed25519_private_key_to_blob'] 163 338 pki_key_to_blob call site: 01746 /src/libssh/src/pki_crypto.c:1640
123 170 6: ['ssh_find_all_matching', 'ssh_append_without_duplicates', '_ssh_set_error_oom', 'ssh_keep_fips_algos', 'free', 'FIPS_mode'] 123 310 ssh_client_select_hostkeys call site: 01490 /src/libssh/src/kex.c:690
91 91 1: ['ssh_add_to_default_algos'] 145 228 ssh_options_set_algo call site: 00338 /src/libssh/src/options.c:275

Runtime coverage analysis

Covered functions
311
Functions that are reachable but not covered
427
Reachable functions
673
Percentage of reachable functions covered
36.55%

Files reached

filename functions hit
tests/fuzz/ssh_client_fuzzer.c 2
src/init.c 5
src/threads/pthread.c 3
src/threads.c 3
src/threads/libcrypto.c 2
src/libcrypto.c 8
src/log.c 13
src/dh.c 6
src/socket.c 25
src/poll.c 27
src/session.c 9
src/wrapper.c 10
src/error.c 4
src/buffer.c 31
src/misc.c 28
src/agent.c 11
src/channels.c 31
src/pcap.c 5
src/pki.c 40
src/pki_crypto.c 21
src/string.c 11
src/dh_crypto.c 6
src/messages.c 1
src/auth.c 11
src/callbacks.c 6
src/options.c 4
src/config_parser.c 6
src/kex.c 18
src/token.c 7
src/config.c 11
src/client.c 7
src/match.c 9
src/connect.c 4
src/knownhosts.c 14
src/base64.c 6
src/bignum.c 2
src/pki_ed25519_common.c 6
src/packet.c 10
src/getrandom_crypto.c 1
src/server.c 1
src/gzip.c 3
src/packet_crypt.c 1
src/md_crypto.c 20
src/kdf.c 5
src/dh-gex.c 1
src/ecdh_crypto.c 3
src/curve25519.c 2
src/pki_container_openssh.c 5
src/external/bcrypt_pbkdf.c 2
src/external/blowfish.c 6
src/connector.c 17

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table lists the functions that are optimal targets. Optimal targets are identified by finding the functions that, in combination, yield high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
ssh_packet_userauth_request /src/libssh/src/messages.c 4 ['N/A', 'char', 'N/A', 'N/A'] 33 0 714 143 41 416 0 2776 366
ssh_packet_socket_callback /src/libssh/src/packet.c 3 ['N/A', 'size_t', 'N/A'] 25 0 1020 133 47 376 1 2511 230
ssh_channel_request_pty /src/libssh/src/channels.c 1 ['N/A'] 24 0 16 3 2 398 0 2582 163
ssh_server_connection_callback /src/libssh/src/server.c 1 ['N/A'] 27 0 494 85 25 382 0 2449 153
ssh_packet_server_dhgex_request /src/libssh/src/dh-gex.c 4 ['N/A', 'char', 'N/A', 'N/A'] 16 0 296 51 18 369 0 2366 95
ssh_pki_export_privkey_file /src/libssh/src/pki.c 5 ['N/A', 'N/A', 'N/A', 'N/A', 'N/A'] 13 0 32 3 2 119 0 534 86
ssh_packet_server_dhgex_init /src/libssh/src/dh-gex.c 4 ['N/A', 'char', 'N/A', 'N/A'] 18 0 31 3 2 403 0 2599 69
channel_rcv_request /src/libssh/src/channels.c 4 ['N/A', 'char', 'N/A', 'N/A'] 21 0 763 137 43 387 0 2560 69
ssh_packet_kexinit /src/libssh/src/kex.c 4 ['N/A', 'char', 'N/A', 'N/A'] 13 0 975 164 54 214 0 1434 67
ssh_channel_select /src/libssh/src/channels.c 4 ['N/A', 'N/A', 'N/A', 'N/A'] 11 0 654 137 40 88 0 405 66

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers
68.0%
615 / 906
Cyclomatic complexity statically reachable by fuzzers
76.0%
5835 / 7653

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzz engine guidance

This section provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

tests/fuzz/ssh_client_config_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['ssh_socket_init', 'ssh_crypto_init', 'ssh_dh_init']

tests/fuzz/ssh_pubkey_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['ssh_pki_openssh_import', 'pki_private_key_from_base64', '_ssh_log', 'ssh_pki_import_pubkey_file', '_ssh_finalize', 'ssh_dh_init', 'ssh_buffer_unpack_va']

tests/fuzz/ssh_privkey_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['ssh_pki_import_privkey_base64', 'pki_private_key_from_base64', '_ssh_log', 'ssh_dh_init', 'ssh_crypto_init', '_ssh_init', 'ssh_mutex_lock', 'ssh_mutex_unlock']

tests/fuzz/ssh_bind_config_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['ssh_socket_init', 'ssh_crypto_init', 'ssh_dh_init']

tests/fuzz/ssh_known_hosts_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['_ssh_log', 'ssh_buffer_unpack_va', '_ssh_finalize', 'ssh_dh_init', 'hmac_init', 'ssh_key_cmp', 'ssh_known_hosts_read_entries', 'ssh_crypto_init']

tests/fuzz/ssh_server_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['ssh_packet_send', 'sha512_final', 'ssh_buffer_pack_va', 'ssh_bind_options_set', 'ssh_find_all_matching', 'ssh_pki_import_pubkey_blob', 'pki_private_key_from_base64', 'cipher_new', 'ssh_pki_import_privkey_base64', 'packet_send2']

tests/fuzz/ssh_client_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['ssh_pki_import_pubkey_blob', 'ssh_userauth_get_response', 'ssh_path_expand_escape', 'channel_open', 'ssh_lowercase', 'pki_import_cert_buffer', 'ssh_connect', 'ssh_client_curve25519_init', 'ssh_options_set', 'ssh_string_copy']

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For further technical details on how this section is generated, please see the Glossary.

Complex functions with low coverage

Func name Function total lines Lines covered at runtime percentage covered Reached by fuzzers
ssh_dh_init 36 19 52.77% ['ssh_client_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_fuzzer']
pki_private_key_from_base64 124 44 35.48% ['ssh_client_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
pki_pubkey_build_rsa 33 18 54.54% ['ssh_client_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
hmac_init 38 17 44.73% ['ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
ssh_key_cmp 43 22 51.16% ['ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
ssh_bind_accept_fd 109 40 36.69% ['ssh_server_fuzzer']
ssh_packet_channel_open_conf 51 20 39.21% []
ssh_packet_channel_open_fail 43 12 27.90% []
channel_rcv_change_window 35 18 51.42% []
channel_rcv_data 99 19 19.19% []
channel_rcv_close 33 10 30.30% []
channel_rcv_request 147 12 8.163% []
ssh_curve25519_init 47 25 53.19% ['ssh_server_fuzzer', 'ssh_client_fuzzer']
ssh_retrieve_dhgroup 52 16 30.76% []
sshkdf_derive_key 73 25 34.24% ['ssh_server_fuzzer', 'ssh_client_fuzzer']
ssh_mac_ctx_init 36 19 52.77% ['ssh_server_fuzzer', 'ssh_client_fuzzer']
ssh_send_kex 89 48 53.93% ['ssh_server_fuzzer', 'ssh_client_fuzzer']
ssh_hashbufout_add_cookie 31 17 54.83% ['ssh_server_fuzzer', 'ssh_client_fuzzer']
ssh_message_free 56 24 42.85% ['ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
ssh_packet_channel_open 94 46 48.93% []
ssh_packet_global_request 157 45 28.66% []
ssh_message_queue 35 18 51.42% []
ssh_execute_server_request 205 30 14.63% []
ssh_bind_options_set 352 104 29.54% ['ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_server_fuzzer']
ssh_packet_send 62 24 38.70% ['ssh_server_fuzzer', 'ssh_client_fuzzer']
ssh_packet_encrypt 90 37 41.11% ['ssh_server_fuzzer', 'ssh_client_fuzzer']
ssh_key_signature_to_char 33 16 48.48% ['ssh_client_fuzzer']
ssh_pki_import_privkey_file 63 27 42.85% ['ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
ssh_pki_export_signature_blob 47 25 53.19% ['ssh_client_fuzzer']
pki_key_dup 176 66 37.5% ['ssh_pubkey_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
pki_key_to_blob 251 130 51.79% ['ssh_server_fuzzer', 'ssh_client_fuzzer']
pki_sign_data 82 44 53.65% ['ssh_client_fuzzer']
ssh_get_key_params 44 20 45.45% []
ssh_auth_reply_default 44 12 27.27% []
ssh_socket_close 33 15 45.45% ['ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
ssh_userauth_get_response 41 15 36.58% ['ssh_client_fuzzer']
ssh_channel_new 44 22 50.0% ['ssh_client_fuzzer']
ssh_channel_free 34 13 38.23% ['ssh_client_fuzzer']
ssh_connect 122 61 50.0% ['ssh_client_fuzzer']
ssh_config_parse_uri 96 29 30.20% ['ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
ssh_client_select_hostkeys 70 27 38.57% ['ssh_server_fuzzer', 'ssh_client_fuzzer']
ssh_known_hosts_get_algorithms_names 75 25 33.33% ['ssh_server_fuzzer', 'ssh_client_fuzzer']
ssh_path_expand_escape 130 46 35.38% ['ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
ssh_options_set 690 121 17.53% ['ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
ssh_options_apply 119 53 44.53% ['ssh_server_fuzzer', 'ssh_client_fuzzer']

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is that Fuzz Introspector may include more code in its reasoning than is desired. This section helps identify whether too many files or directories are included, e.g. third-party code, which may be irrelevant for the threat model. If too much is included, Fuzz Introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
[] []
/src/libssh/src/pki_ed25519_common.c ['ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/kdf.c ['ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/buffer.c ['ssh_client_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/dh-gex.c ['ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/crypto_common.c [] []
/src/libssh/tests/fuzz/ssh_bind_config_fuzzer.c ['ssh_bind_config_fuzzer'] []
/src/libssh/tests/fuzz/ssh_known_hosts_fuzzer.c ['ssh_known_hosts_fuzzer'] ['ssh_known_hosts_fuzzer']
/src/libssh/src/kex.c ['ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/external/bcrypt_pbkdf.c ['ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] []
/src/libssh/src/config_parser.c ['ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_client_fuzzer']
/src/libssh/src/connect.c ['ssh_client_fuzzer'] []
/src/libssh/tests/fuzz/ssh_client_config_fuzzer.c ['ssh_client_config_fuzzer'] []
/src/libssh/src/options.c ['ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/knownhosts.c ['ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/packet_cb.c [] []
/src/libssh/src/session.c ['ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/messages.c ['ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_server_fuzzer']
/src/libssh/src/bignum.c ['ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/tests/fuzz/ssh_pubkey_fuzzer.c ['ssh_pubkey_fuzzer'] ['ssh_pubkey_fuzzer']
/src/libssh/src/threads/pthread.c ['ssh_client_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_fuzzer'] ['ssh_client_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/token.c ['ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/bind_config.c ['ssh_bind_config_fuzzer'] []
/src/libssh/src/socket.c ['ssh_client_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_client_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/external/blowfish.c ['ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] []
/src/libssh/src/channels.c ['ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/pcap.c ['ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] []
/src/libssh/src/client.c ['ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/ecdh.c [] []
/src/libssh/src/gzip.c ['ssh_server_fuzzer', 'ssh_client_fuzzer'] []
/src/libssh/src/getrandom_crypto.c ['ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/callbacks.c ['ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/error.c ['ssh_client_config_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/server.c ['ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/poll.c ['ssh_client_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_client_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/dh.c ['ssh_client_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_client_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/wrapper.c ['ssh_client_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/log.c ['ssh_client_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/match.c ['ssh_client_config_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/ttyopts.c [] []
/src/libssh/src/bind.c ['ssh_bind_config_fuzzer', 'ssh_server_fuzzer'] ['ssh_server_fuzzer']
/src/libssh/src/md_crypto.c ['ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/threads/libcrypto.c ['ssh_client_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_fuzzer'] ['ssh_client_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/agent.c ['ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/libcrypto.c ['ssh_client_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_client_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/threads.c ['ssh_client_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_fuzzer'] ['ssh_client_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/curve25519.c ['ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/init.c ['ssh_client_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_fuzzer'] ['ssh_client_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/packet.c ['ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/tests/fuzz/ssh_client_fuzzer.c ['ssh_client_fuzzer'] ['ssh_client_fuzzer']
/src/libssh/src/pki_container_openssh.c ['ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_pubkey_fuzzer']
/src/libssh/src/dh_crypto.c ['ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/string.c ['ssh_client_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/misc.c ['ssh_client_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_pubkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/pki.c ['ssh_client_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/pki_crypto.c ['ssh_client_config_fuzzer', 'ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/config.c ['ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] []
/src/libssh/src/auth.c ['ssh_client_config_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/packet_crypt.c ['ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/src/ecdh_crypto.c ['ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_server_fuzzer', 'ssh_client_fuzzer']
/src/libssh/tests/fuzz/ssh_privkey_fuzzer.c ['ssh_privkey_fuzzer'] ['ssh_privkey_fuzzer']
/src/libssh/src/base64.c ['ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_bind_config_fuzzer', 'ssh_known_hosts_fuzzer', 'ssh_server_fuzzer', 'ssh_client_fuzzer'] ['ssh_pubkey_fuzzer', 'ssh_privkey_fuzzer', 'ssh_known_hosts_fuzzer']
/src/libssh/tests/fuzz/ssh_server_fuzzer.c ['ssh_server_fuzzer'] ['ssh_server_fuzzer']
/src/libssh/src/connector.c ['ssh_client_fuzzer'] []

Directories in report

Directory
/src/libssh/src/
/src/libssh/tests/fuzz/
/src/libssh/src/threads/
/src/libssh/src/external/