annotate fuzz/fuzz-common.c @ 1861:2b3a8026a6ce

Add re-exec for server

This allows ASLR to re-randomize the address space for every connection, preventing some vulnerabilities from being exploitable by repeated probing. Overhead (memory and time) is yet to be confirmed. At present this is only enabled on Linux. Other BSD platforms with fexecve() would probably also work, though they have not been tested.
author Matt Johnston <matt@ucc.asn.au>
date Sun, 30 Jan 2022 10:14:56 +0800
parents 19b28d2fbe30
children
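/* Opt this file out of the stderr and getpw*() replacements that fuzz.h
 * applies to the code under test; the harness itself wants the real ones. */
#define FUZZ_NO_REPLACE_STDERR
#define FUZZ_NO_REPLACE_GETPW

/* includes.h comes first; it was previously included twice, which is
 * harmless but redundant. */
#include "includes.h"
#include "dbutil.h"
#include "runopts.h"
#include "crypto_desc.h"
#include "session.h"
#include "dbrandom.h"
#include "bignum.h"
#include "atomicio.h"
#include "fuzz-wrapfd.h"
#include "fuzz.h"

/* Global harness state shared with the fuzz.h overrides and the fuzzer
 * entry points (flags, the input buffer, the stderr substitute). */
struct dropbear_fuzz_options fuzz;

/* Log callback installed into _dropbear_log by fuzz_common_setup(). */
static void fuzz_dropbear_log(int UNUSED(priority), const char* format, va_list param);
/* Server side: parse the compiled-in host keys into svr_opts.hostkey. */
static void load_fixed_hostkeys(void);
/* Client side: parse the compiled-in ed25519 key into cli_opts.privkeys. */
static void load_fixed_client_key(void);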
/* Runs automatically before main(), via the constructor attribute in fuzz.h.
 * Until fuzz_common_setup() decides otherwise, the stderr substitute is the
 * real stderr, so nothing that writes through fuzz.fake_stderr sees NULL. */
void fuzz_early_setup(void) {
	/* Set stderr to point to normal stderr by default */
	fuzz.fake_stderr = stderr;
}
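/* Shared initialisation for every fuzzer entry point (server and client).
 * Sets the harness flags in the global `fuzz` struct, routes dropbear's log
 * output through fuzz_dropbear_log, initialises crypto and the seeded PRNG,
 * and decides where the fuzz target's stderr goes. */
void fuzz_common_setup(void) {
	disallow_core();
	fuzz.fuzzing = 1;
	/* wrapfds: route fd I/O through the wrapfd layer (fuzz-wrapfd.h). */
	fuzz.wrapfds = 1;
	/* do_jmp: longjmp out of dropbear_exit instead of exiting the process. */
	fuzz.do_jmp = 1;
	/* Backing struct for the fuzz input; fuzz_set_input() points its data at
	 * the fuzzer-provided bytes on each run. */
	fuzz.input = m_malloc(sizeof(buffer));
	_dropbear_log = fuzz_dropbear_log;
	crypto_init();
	/* Fixed initial seed; fuzz_set_input() reseeds from each input. */
	fuzz_seed("start", 5);
	/* let any messages get flushed */
	setlinebuf(stdout);

	/* Keep stderr when -v was given or DROPBEAR_KEEP_STDERR is set; otherwise
	 * the target's stderr substitute is /dev/null. */
#if DEBUG_TRACE
	if (debug_trace) {
		fprintf(stderr, "Dropbear fuzzer: -v specified, not disabling stderr output\n");
	} else
#endif
	if (getenv("DROPBEAR_KEEP_STDERR")) {
		fprintf(stderr, "Dropbear fuzzer: DROPBEAR_KEEP_STDERR, not disabling stderr output\n");
	} else {
		fprintf(stderr, "Dropbear fuzzer: Disabling stderr output\n");
		fuzz.fake_stderr = fopen("/dev/null", "w");
		/* Checked unconditionally: an assert() would vanish under NDEBUG and
		 * leave a NULL FILE* for everything that writes through fake_stderr. */
		if (!fuzz.fake_stderr) {
			dropbear_exit("Dropbear fuzzer: failed to open /dev/null");
		}
	}
}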
/* Point the shared fuzz input buffer at the bytes supplied for this run,
 * reset all session state, and reseed the PRNG from the input.
 * Data/Size are the (data, length) pair handed in by the fuzzer entry point;
 * the buffer does not own Data, which must stay valid for the whole run.
 * Always returns DROPBEAR_SUCCESS. */
int fuzz_set_input(const uint8_t *Data, size_t Size) {
	buffer *in = fuzz.input;

	/* The const is cast away only because `buffer` carries a writable data
	 * pointer. This function never writes through it; the memory belongs to
	 * the fuzzer and may be reused after the run. */
	in->data = (unsigned char*)Data;
	in->size = Size;
	in->len = Size;
	in->pos = 0;

	/* Every input starts from zeroed server, client and common session state. */
	memset(&ses, 0x0, sizeof(ses));
	memset(&svr_ses, 0x0, sizeof(svr_ses));
	memset(&cli_ses, 0x0, sizeof(cli_ses));
	wrapfd_setup(in);
	// printhex("input", in->data, in->len);

	/* Seed from (at most) the first 16 input bytes so a run is a deterministic
	 * function of its input. */
	fuzz_seed(in->data, MIN(in->len, 16));

	return DROPBEAR_SUCCESS;
}
#if DEBUG_TRACE
/* Log callback installed into _dropbear_log by fuzz_common_setup().
 * Prints only when -v (debug_trace) is set. The message is formatted into a
 * fixed 1024-byte buffer, so longer messages are truncated. `priority` is
 * ignored. */
static void fuzz_dropbear_log(int UNUSED(priority), const char* format, va_list param) {
	char printbuf[1024];

	if (!debug_trace) {
		return;
	}
	vsnprintf(printbuf, sizeof(printbuf), format, param);
	fprintf(stderr, "%s\n", printbuf);
}
#else
/* Without DEBUG_TRACE the fuzzers stay silent: every log call is dropped. */
static void fuzz_dropbear_log(int UNUSED(priority), const char* UNUSED(format), va_list UNUSED(param)) {
	/* No print */
}
#endif /* DEBUG_TRACE */
/* Initialise the harness as the server side: common setup, the server exit
 * handler, a minimal "dropbear -E" command line, and the compiled-in host
 * keys. */
void fuzz_svr_setup(void) {
	char *argv[] = { "dropbear", "-E" };
	const int argc = sizeof(argv) / sizeof(argv[0]);

	fuzz_common_setup();
	_dropbear_exit = svr_dropbear_exit;

	/* -E: log to stderr (which fuzz_common_setup() may have redirected). */
	svr_getopts(argc, argv);

	load_fixed_hostkeys();
}
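/* Hook for the server side, run before its main loop (the call site is
 * outside this file). For the post-auth fuzzers (fuzz.svr_postauth) it marks
 * the session as already authenticated and fills in the "root" passwd entry,
 * so the fuzz input is processed as post-authentication traffic. No-op
 * otherwise. Declared with (void): an empty parameter list is an old-style
 * declaration and inconsistent with the rest of this file. */
void fuzz_svr_hook_preloop(void) {
	if (!fuzz.svr_postauth) {
		return;
	}
	ses.authstate.authdone = 1;
	fill_passwd("root");
}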
/* Initialise the harness as the client side: common setup, the client exit
 * and log handlers, a fixed "dbclient -y localhost uptime" command line, the
 * compiled-in client key, and a canned password so no prompt is raised. */
void fuzz_cli_setup(void) {
	char *argv[] = { "dbclient", "-y", "localhost", "uptime" };
	const int argc = sizeof(argv) / sizeof(argv[0]);

	fuzz_common_setup();
	_dropbear_exit = cli_dropbear_exit;
	/* Replaces the fuzz_dropbear_log callback installed by fuzz_common_setup(). */
	_dropbear_log = cli_dropbear_log;

	/* -y: accept the remote host key without a known_hosts check, which the
	 * fuzzed server's fixed key would never pass. */
	cli_getopts(argc, argv);

	load_fixed_client_key();
	/* Avoid password prompt */
	setenv(DROPBEAR_PASSWORD_ENV, "password", 1);
}
/* Compiled-in fixed key material; presumably the source of the key* byte
 * arrays and *_len lengths used by the loaders below. */
#include "fuzz-hostkeys.c"
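/* Load the fixed ed25519 key blob (keyed25519) as the client's private key
 * and append it to cli_opts.privkeys. Exits via dropbear_exit() if the blob
 * does not parse. */
static void load_fixed_client_key(void) {
	buffer *b = buf_new(3000);
	sign_key *key = new_sign_key();
	/* ANY: buf_get_priv_key() is given the type by pointer and presumably
	 * fills in the detected one. */
	enum signkey_type keytype = DROPBEAR_SIGNKEY_ANY;

	buf_putbytes(b, keyed25519, keyed25519_len);
	buf_setpos(b, 0);
	if (buf_get_priv_key(b, key, &keytype) == DROPBEAR_FAILURE) {
		/* This is the client key, not a hostkey; the old message said "hostkey". */
		dropbear_exit("failed fixed ed25519 client key");
	}
	list_append(cli_opts.privkeys, key);

	buf_free(b);
}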
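/* Parse one fixed private key blob into svr_opts.hostkey.
 * `b` is a scratch buffer that is reset before use; `name` only appears in
 * the failure message. Exits via dropbear_exit() if the blob does not parse. */
static void load_one_fixed_hostkey(buffer *b, const unsigned char *keydata,
		unsigned int keylen, enum signkey_type type, const char *name) {
	/* buf_get_priv_key() takes the type by pointer, so hand it a fresh copy
	 * for every key rather than whatever the previous call left behind. */
	enum signkey_type want = type;

	buf_setlen(b, 0);
	buf_putbytes(b, keydata, keylen);
	buf_setpos(b, 0);
	if (buf_get_priv_key(b, svr_opts.hostkey, &want) == DROPBEAR_FAILURE) {
		dropbear_exit("failed fixed %s hostkey", name);
	}
}

/* Install the compiled-in RSA, DSS, ECDSA-P256 and Ed25519 host keys into a
 * single svr_opts.hostkey. All four are parsed into the same sign_key, as
 * before; the per-type stanzas were identical apart from the blob, type and
 * message, so they now share one helper. Exits via dropbear_exit() on
 * parse failure. */
static void load_fixed_hostkeys(void) {
	buffer *b = buf_new(3000);

	TRACE(("load fixed hostkeys"))

	svr_opts.hostkey = new_sign_key();

	load_one_fixed_hostkey(b, keyr, keyr_len, DROPBEAR_SIGNKEY_RSA, "rsa");
	load_one_fixed_hostkey(b, keyd, keyd_len, DROPBEAR_SIGNKEY_DSS, "dss");
	load_one_fixed_hostkey(b, keye, keye_len, DROPBEAR_SIGNKEY_ECDSA_NISTP256, "ecdsa");
	load_one_fixed_hostkey(b, keyed25519, keyed25519_len, DROPBEAR_SIGNKEY_ED25519, "ed25519");

	buf_free(b);
}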
/* Swap the newly negotiated receive-side cipher and MAC for the "none" mode
 * and the no-op hash. Only touches ses.newkeys->recv; presumably so fuzz
 * inputs need neither valid encryption nor valid MACs to reach the packet
 * handlers. */
void fuzz_kex_fakealgos(void) {
	ses.newkeys->recv.algo_mac = &dropbear_nohash;
	ses.newkeys->recv.crypt_mode = &dropbear_mode_none;
}
/* Store a fixed string into *out when the caller asked for that value. */
static void fuzz_set_addr_str(char **out, const char *val) {
	if (out) {
		*out = m_strdup(val);
	}
}

/* Fuzzing replacement for get_socket_address(): never inspects the socket and
 * returns fixed host/port strings instead. Each non-NULL out-pointer receives
 * a string allocated with m_strdup(), which the caller is responsible for
 * freeing. fd and host_lookup are ignored. */
void fuzz_get_socket_address(int UNUSED(fd), char **local_host, char **local_port,
		char **remote_host, char **remote_port, int UNUSED(host_lookup)) {
	fuzz_set_addr_str(local_host, "fuzzlocalhost");
	fuzz_set_addr_str(local_port, "1234");
	fuzz_set_addr_str(remote_host, "fuzzremotehost");
	fuzz_set_addr_str(remote_port, "9876");
}
/* Cut-down version of svr_send_msg_kexdh_reply() that skips the slow maths
 * but still populates the structures the rest of the key exchange expects:
 * the shared secret dh_K is set to a fixed constant and the exchange hash is
 * finished as usual. Asserts that dh_K has not already been allocated. */
void fuzz_fake_send_kexdh_reply(void) {
	assert(!ses.dh_K);
	m_mp_alloc_init_multi(&ses.dh_K, NULL);
	/* Constant stands in for the real DH/ECDH shared secret. */
	mp_set_ul(ses.dh_K, 12345678uL);
	finish_kexhashbuf();
}
226 /* fake version of spawn_command() */
227 int fuzz_spawn_command(int *ret_writefd, int *ret_readfd, int *ret_errfd, pid_t *ret_pid) {
228 *ret_writefd = wrapfd_new_dummy();
229 *ret_readfd = wrapfd_new_dummy();
230 if (ret_errfd) {
1777
97ad26e397a5 Add server postauth fuzzer, wrap connect_remote()
Matt Johnston <matt@ucc.asn.au>
parents: 1775
diff changeset
231 *ret_errfd = wrapfd_new_dummy();
1740
dfbe947bdf0d Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents: 1692
diff changeset
232 }
1802
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents: 1801
diff changeset
233 if (*ret_writefd == -1 || *ret_readfd == -1 || (ret_errfd && *ret_errfd == -1)) {
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents: 1801
diff changeset
234 m_close(*ret_writefd);
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents: 1801
diff changeset
235 m_close(*ret_readfd);
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents: 1801
diff changeset
236 if (ret_errfd) {
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents: 1801
diff changeset
237 m_close(*ret_errfd);
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents: 1801
diff changeset
238 }
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents: 1801
diff changeset
239 return DROPBEAR_FAILURE;
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents: 1801
diff changeset
240 } else {
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents: 1801
diff changeset
241 *ret_pid = 999;
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents: 1801
diff changeset
242 return DROPBEAR_SUCCESS;
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents: 1801
diff changeset
243
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents: 1801
diff changeset
244 }
1740
dfbe947bdf0d Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents: 1692
diff changeset
245 }
/* Fake dropbear_listen(): always fails for now.
 * TODO: sometimes return success with wrapfd_new_dummy() sockets; making
 * the listeners fake a new incoming connection will be harder.
 *
 * Keeps the real function's contract. Listen on address:port, where "" means
 * listen on everything and NULL means localhost only. Returns the number of
 * sockets bound on success, or -1 on failure; on failure, if errstring is
 * not NULL, *errstring is set to a newly malloced error string (owned by the
 * caller). All other parameters are accepted but ignored here. */
int fuzz_dropbear_listen(const char* UNUSED(address), const char* UNUSED(port),
		int *UNUSED(socks), unsigned int UNUSED(sockcount), char **errstring, int *UNUSED(maxfd)) {
	if (errstring == NULL) {
		return -1;
	}
	*errstring = m_strdup("fuzzing can't listen (yet)");
	return -1;
}
/* Entry point used by the server fuzzers (Data/Size is one fuzz input).
 *
 * The input is handed to fuzz_set_input() and then served to svr_session()
 * through a wrapfd fake socket. skip_kexmaths is only honoured on the first
 * call, together with the one-time fuzz_svr_setup(); postauth is applied on
 * every call. Always returns 0.
 *
 * svr_session() is not expected to return normally: dropbear_exit() longjmps
 * back to the setjmp() below (presumably gated by fuzz.do_jmp) and the
 * allocations made during the run are then released per epoch. No local is
 * modified between setjmp() and the longjmp, so none needs to be volatile. */
int fuzz_run_server(const uint8_t *Data, size_t Size, int skip_kexmaths, int postauth) {
	static int initialised = 0;
	uint32_t seed = 0;
	int sock = -1;

	if (initialised == 0) {
		fuzz_svr_setup();
		fuzz.skip_kexmaths = skip_kexmaths;
		initialised = 1;
	}
	fuzz.svr_postauth = postauth;

	if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
		return 0;
	}

	/* Reseed the wrapfd layer's own RNG for this input. */
	genrandom((void*)&seed, sizeof seed);
	wrapfd_setseed(seed);

	/* NOTE(review): a -1 result is not checked here — confirm svr_session() copes. */
	sock = wrapfd_new_fuzzinput();

	m_malloc_set_epoch(1);
	fuzz.do_jmp = 1;
	if (setjmp(fuzz.jmp) == 0) {
		svr_session(sock, sock);
		m_malloc_free_epoch(1, 0);
	} else {
		/* dropbear_exit() longjmped here */
		fuzz.do_jmp = 0;
		m_malloc_free_epoch(1, 1);
		TRACE(("dropbear_exit longjmped"))
	}

	return 0;
}
/* Entry point used by the client fuzzers (Data/Size is one fuzz input).
 *
 * The input is handed to fuzz_set_input() and then fed to cli_session()
 * through a wrapfd fake socket. skip_kexmaths is only honoured on the first
 * call, together with the one-time fuzz_cli_setup(). Always returns 0.
 *
 * cli_session() is not expected to return normally: dropbear_exit() longjmps
 * back to the setjmp() below (presumably gated by fuzz.do_jmp) and the
 * allocations made during the run are then released per epoch. No local is
 * modified between setjmp() and the longjmp, so none needs to be volatile. */
int fuzz_run_client(const uint8_t *Data, size_t Size, int skip_kexmaths) {
	static int initialised = 0;
	uint32_t seed = 0;
	int sock = -1;

	if (initialised == 0) {
		fuzz_cli_setup();
		fuzz.skip_kexmaths = skip_kexmaths;
		initialised = 1;
	}

	if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
		return 0;
	}

	/* Pretend the first key exchange is already done so the session can
	 * proceed sooner. */
	ses.kexstate.donefirstkex = 1;

	/* Reseed the wrapfd layer's own RNG for this input. */
	genrandom((void*)&seed, sizeof seed);
	wrapfd_setseed(seed);

	/* NOTE(review): a -1 result is not checked here — confirm cli_session() copes. */
	sock = wrapfd_new_fuzzinput();

	m_malloc_set_epoch(1);
	fuzz.do_jmp = 1;
	if (setjmp(fuzz.jmp) == 0) {
		cli_session(sock, sock, NULL, 0);
		m_malloc_free_epoch(1, 0);
	} else {
		/* dropbear_exit() longjmped here */
		fuzz.do_jmp = 0;
		m_malloc_free_epoch(1, 1);
		TRACE(("dropbear_exit longjmped"))
	}

	return 0;
}
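/* Look up the entry called `name` in the `algos` table (terminated by an
 * entry whose name is NULL) and return its data pointer.
 *
 * Callers are expected to pass a name that is present in the table; a miss
 * is treated as a harness bug and trips assert(). Because assert() is
 * compiled out under NDEBUG, the miss path now returns NULL explicitly
 * instead of falling off the end of a non-void function, which was
 * undefined behaviour. */
const void* fuzz_get_algo(const algo_type *algos, const char* name) {
	const algo_type *t;
	for (t = algos; t->name; t++) {
		if (strcmp(t->name, name) == 0) {
			return t->data;
		}
	}
	/* Not found: must not happen for the names the harnesses use. */
	assert(0);
	return NULL;
}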
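/* When fuzz.dumping is set, write `len` bytes from `data` to the
 * fuzz.recv_dumpfd descriptor (presumably a capture of received traffic).
 * Does nothing otherwise.
 *
 * The write is performed outside assert(): an assert() argument is compiled
 * out under NDEBUG, which would silently drop the whole dump. A short write
 * is still reported as a harness failure through assert(). */
void fuzz_dump(const unsigned char* data, size_t len) {
	size_t written = 0;

	if (!fuzz.dumping) {
		return;
	}
	TRACE(("dump %zu", len))
	/* atomicio() takes a non-const buffer; vwrite is presumably a write()
	 * wrapper, so casting away const is harmless here. */
	written = atomicio(vwrite, fuzz.recv_dumpfd, (void*)data, len);
	assert(written == len);
	(void)written;	/* keep the compiler quiet when assert() is compiled out */
}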
/* Canned passwd entries handed out by fuzz_getpwnam()/fuzz_getpwuid() while
 * fuzzing (oss-fuzz runs under minijail without /etc/passwd). Two users are
 * provided, presumably so that both the uid-0 and an unprivileged code path
 * can be exercised. The password field is "!", the conventional
 * locked-account marker, so no password hash can ever match these entries. */
static struct passwd pwd_root = {
	.pw_name = "root",
	.pw_passwd = "!",
	.pw_uid = 0,
	.pw_gid = 0,
	.pw_dir = "/root",
	.pw_shell = "/bin/sh",
};

/* Unprivileged counterpart to pwd_root; same locked password field. */
static struct passwd pwd_other = {
	.pw_name = "other",
	.pw_passwd = "!",
	.pw_uid = 100,
	.pw_gid = 100,
	.pw_dir = "/home/other",
	.pw_shell = "/bin/sh",
};
/* oss-fuzz runs fuzzers under minijail, without /etc/passwd.
 * We provide sufficient values for the fuzzers to run.
 *
 * Outside fuzzing (fuzz.fuzzing unset) this is a plain getpwnam() pass-through,
 * so normal builds are unaffected. While fuzzing, only the canned "other" and
 * "root" entries are known; any other login yields NULL, like a missing user.
 * The returned pointer refers to static storage and must not be freed. */
struct passwd* fuzz_getpwnam(const char *login) {
	/* Checked in this order to match the previous lookup order. */
	struct passwd *canned[] = { &pwd_other, &pwd_root };
	size_t i;

	if (!fuzz.fuzzing) {
		return getpwnam(login);
	}
	for (i = 0; i < sizeof(canned) / sizeof(canned[0]); i++) {
		if (strcmp(login, canned[i]->pw_name) == 0) {
			return canned[i];
		}
	}
	return NULL;
}
/* uid-keyed counterpart of fuzz_getpwnam(). Outside fuzzing (fuzz.fuzzing
 * unset) this is a plain getpwuid() pass-through. While fuzzing, only the
 * uids of the canned "other" and "root" entries resolve; anything else yields
 * NULL. The returned pointer refers to static storage and must not be freed. */
struct passwd* fuzz_getpwuid(uid_t uid) {
	/* Checked in this order to match the previous lookup order. */
	struct passwd *canned[] = { &pwd_other, &pwd_root };
	size_t i;

	if (!fuzz.fuzzing) {
		return getpwuid(uid);
	}
	for (i = 0; i < sizeof(canned) / sizeof(canned[0]); i++) {
		if (canned[i]->pw_uid == uid) {
			return canned[i];
		}
	}
	return NULL;
}