annotate fuzzer-kexecdh.c @ 1629:258b57b208ae

Fix for issue: successful login of disabled user (#78). This commit introduces a fix for the following scenario: 1. Root login disabled on dropbear. 2. PAM authentication enabled. When logging in as the root user, after the password prompt the user is notified of a login failure, but after a second password prompt within the same session the login becomes successful. Signed-off-by: Pawel Rapkiewicz <[email protected]>
author vincentto13 <33652988+vincentto13@users.noreply.github.com>
date Wed, 20 Mar 2019 15:03:40 +0100
parents a57822db3eac
children
1 #include "fuzz.h"
2 #include "session.h"
3 #include "fuzz-wrapfd.h"
4 #include "debug.h"
5 #include "runopts.h"
6 #include "algo.h"
7 #include "bignum.h"
8
/* Number of server-side ECDH parameter sets generated up front. Each one is
 * a key generation, so the count is bounded by the fuzzer's timeout on the
 * first (setup) run. */
enum { KEXECDH_NUM_PARAMS = 80 };

/* State that must survive across fuzz iterations. ses is zeroed by
 * fuzz_set_input() on every run, so anything the harness needs to keep is
 * held here and re-attached to ses each time. */
static const struct dropbear_kex *kex_ecdh_algos[3]; /* nistp256, nistp384, nistp521 */
static struct key_context *persistent_newkeys = NULL;
static struct kex_ecdh_param *pregen_params[KEXECDH_NUM_PARAMS];
static int harness_ready = 0;

/* One-time harness setup: common/server fuzz state, curve lookup, and
 * pre-generation of the server's ECDH parameter sets. Runs before the
 * allocation epoch is set, so nothing here is released by the per-run
 * epoch free. */
static void kexecdh_fuzz_init(void) {
	fuzz_common_setup();
	fuzz_svr_setup();

	persistent_newkeys = m_malloc(sizeof(*persistent_newkeys));

	kex_ecdh_algos[0] = fuzz_get_algo(sshkex, "ecdh-sha2-nistp256");
	kex_ecdh_algos[1] = fuzz_get_algo(sshkex, "ecdh-sha2-nistp384");
	kex_ecdh_algos[2] = fuzz_get_algo(sshkex, "ecdh-sha2-nistp521");
	/* All three curves must be compiled in for this harness to make sense. */
	assert(kex_ecdh_algos[0]);
	assert(kex_ecdh_algos[1]);
	assert(kex_ecdh_algos[2]);

	persistent_newkeys->algo_hostkey = DROPBEAR_SIGNKEY_ECDSA_NISTP256;
	ses.newkeys = persistent_newkeys;

	/* Parameter i is generated for curve i % 3; gen_kexecdh_param() appears
	 * to take the curve from ses.newkeys->algo_kex, hence it is set first. */
	for (int idx = 0; idx < KEXECDH_NUM_PARAMS; idx++) {
		ses.newkeys->algo_kex = kex_ecdh_algos[idx % 3];
		pregen_params[idx] = gen_kexecdh_param();
	}
}

/* libFuzzer entry point: drives the server side of ECDH key exchange with an
 * attacker-controlled peer public value, mirroring
 * recv_msg_kexdh_init()/send_msg_kexdh_reply() for DROPBEAR_KEX_ECDH.
 *
 * Input layout consumed from fuzz.input, in order:
 *   byte    - selects the curve via (b % 3)
 *   uint32  - selects a pre-generated server param via (e % KEXECDH_NUM_PARAMS)
 *   string  - the peer's raw public value, handed to kexecdh_comb_key()
 * A short read or any dropbear_exit() inside the library longjmps to
 * fuzz.jmp; that path releases every epoch-1 allocation and returns.
 * Always returns 0, as libFuzzer requires. */
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
	if (!harness_ready) {
		kexecdh_fuzz_init();
		harness_ready = 1;
	}

	if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
		return 0;
	}

	/* Everything allocated from here on is tagged with epoch 1 so the
	 * error path can release it wholesale. */
	m_malloc_set_epoch(1);

	if (setjmp(fuzz.jmp) != 0) {
		/* dropbear_exit() landed here: drop all epoch-1 allocations. */
		m_malloc_free_epoch(1, 1);
		TRACE(("dropbear_exit longjmped"))
		return 0;
	}

	/* ses was zeroed by fuzz_set_input(); re-attach the persistent keys. */
	ses.newkeys = persistent_newkeys;

	unsigned char curve_sel = buf_getbyte(fuzz.input);
	ses.newkeys->algo_kex = kex_ecdh_algos[curve_sel % 3];

	unsigned int param_sel = buf_getint(fuzz.input);
	struct kex_ecdh_param *server_param = pregen_params[param_sel % KEXECDH_NUM_PARAMS];
	/* NOTE(review): pregen_params[i] was generated while algo_kex was
	 * kex_ecdh_algos[i % 3], but the curve chosen above comes from a separate
	 * input byte, so roughly two thirds of inputs pair a server param with a
	 * curve it was not generated for. A real server generates its param after
	 * negotiation, so that state is not reachable from the network; confirm
	 * that kexecdh_comb_key() rejects the mismatch (or that exercising it is
	 * intended) before treating such crashes as findings. */

	buffer *peer_pub = buf_getstringbuf(fuzz.input);

	ses.kexhashbuf = buf_new(KEXHASHBUF_MAX_INTS);
	kexecdh_comb_key(server_param, peer_pub, svr_opts.hostkey);

	/* Release per-run results. ses.kexhashbuf is freed inside the comb_key
	 * call (per the original harness note), so it is not freed here. */
	mp_clear(ses.dh_K);
	m_free(ses.dh_K);
	buf_free(peer_pub);
	buf_free(ses.hash);
	buf_free(ses.session_id);

	m_malloc_free_epoch(1, 0);
	return 0;
}