dropbear: fuzz/fuzz-common.c annotate

annotate fuzz/fuzz-common.c @ 1861:2b3a8026a6ce

Add re-exec for server This allows ASLR to re-randomize the address space for every connection, preventing some vulnerabilities from being exploitable by repeated probing. Overhead (memory and time) is yet to be confirmed. At present this is only enabled on Linux. Other BSD platforms with fexecve() would probably also work though have not been tested.

author	Matt Johnston <matt@ucc.asn.au>
date	Sun, 30 Jan 2022 10:14:56 +0800
parents	19b28d2fbe30
children

rev	line source
1770 66b29b054896 Fix FUZZ_NO_REPLACE_STDERR for fuzz.c Matt Johnston <matt@ucc.asn.au> parents: 1768 diff changeset	1 #define FUZZ_NO_REPLACE_STDERR
1779 36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	2 #define FUZZ_NO_REPLACE_GETPW
1348 5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3 #include "includes.h"
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	4
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	5 #include "includes.h"
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	6 #include "dbutil.h"
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	7 #include "runopts.h"
1353 f3c8975de38e setup svr_dropbear_exit Matt Johnston <matt@ucc.asn.au> parents: 1350 diff changeset	8 #include "crypto_desc.h"
f3c8975de38e setup svr_dropbear_exit Matt Johnston <matt@ucc.asn.au> parents: 1350 diff changeset	9 #include "session.h"
1356 3677a510f545 add wrapfd. improve fuzzer in makefile Matt Johnston <matt@ucc.asn.au> parents: 1353 diff changeset	10 #include "dbrandom.h"
1457 32f990cc96b1 fix bad assertion Matt Johnston <matt@ucc.asn.au> parents: 1456 diff changeset	11 #include "bignum.h"
1751 3b9b427925a0 Load password and key for client fuzzer. Matt Johnston <matt@ucc.asn.au> parents: 1742 diff changeset	12 #include "atomicio.h"
1356 3677a510f545 add wrapfd. improve fuzzer in makefile Matt Johnston <matt@ucc.asn.au> parents: 1353 diff changeset	13 #include "fuzz-wrapfd.h"
1768 096a66e45212 Fix fuzzing stderr override on os x Matt Johnston <matt@ucc.asn.au> parents: 1767 diff changeset	14 #include "fuzz.h"
096a66e45212 Fix fuzzing stderr override on os x Matt Johnston <matt@ucc.asn.au> parents: 1767 diff changeset	15
1348 5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	16 struct dropbear_fuzz_options fuzz;
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	17
1373 9891bc31a1b3 fuzzers disable logging by default Matt Johnston <matt@ucc.asn.au> parents: 1369 diff changeset	18 static void fuzz_dropbear_log(int UNUSED(priority), const char* format, va_list param);
1348 5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	19 static void load_fixed_hostkeys(void);
1751 3b9b427925a0 Load password and key for client fuzzer. Matt Johnston <matt@ucc.asn.au> parents: 1742 diff changeset	20 static void load_fixed_client_key(void);
1348 5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	21
1758 1365661f6be6 Disable stderr output for fuzzer by default Matt Johnston <matt@ucc.asn.au> parents: 1757 diff changeset	22 // This runs automatically before main, due to contructor attribute in fuzz.h
1365661f6be6 Disable stderr output for fuzzer by default Matt Johnston <matt@ucc.asn.au> parents: 1757 diff changeset	23 void fuzz_early_setup(void) {
1365661f6be6 Disable stderr output for fuzzer by default Matt Johnston <matt@ucc.asn.au> parents: 1757 diff changeset	24 /* Set stderr to point to normal stderr by default */
1768 096a66e45212 Fix fuzzing stderr override on os x Matt Johnston <matt@ucc.asn.au> parents: 1767 diff changeset	25 fuzz.fake_stderr = stderr;
1758 1365661f6be6 Disable stderr output for fuzzer by default Matt Johnston <matt@ucc.asn.au> parents: 1757 diff changeset	26 }
1365661f6be6 Disable stderr output for fuzzer by default Matt Johnston <matt@ucc.asn.au> parents: 1757 diff changeset	27
1456 a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	28 void fuzz_common_setup(void) {
1741 d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	29 disallow_core();
1348 5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	30 fuzz.fuzzing = 1;
1357 08f4fa4dc6a0 closer to working Matt Johnston <matt@ucc.asn.au> parents: 1356 diff changeset	31 fuzz.wrapfds = 1;
1385 6c92e97553f1 Add a flag whether to longjmp, missed that last commit Matt Johnston <matt@ucc.asn.au> parents: 1383 diff changeset	32 fuzz.do_jmp = 1;
1356 3677a510f545 add wrapfd. improve fuzzer in makefile Matt Johnston <matt@ucc.asn.au> parents: 1353 diff changeset	33 fuzz.input = m_malloc(sizeof(buffer));
1373 9891bc31a1b3 fuzzers disable logging by default Matt Johnston <matt@ucc.asn.au> parents: 1369 diff changeset	34 _dropbear_log = fuzz_dropbear_log;
1350 2722f2347a48 crypto_init() Matt Johnston <matt@ucc.asn.au> parents: 1348 diff changeset	35 crypto_init();
1757 517fb7b62438 Add some more variation to fuzzer random number generation Matt Johnston <matt@ucc.asn.au> parents: 1756 diff changeset	36 fuzz_seed("start", 5);
1529 66a1a2547133 The fuzzer has managed to generated DSS key/signature pairs that Matt Johnston <matt@ucc.asn.au> parents: 1457 diff changeset	37 /* let any messages get flushed */
66a1a2547133 The fuzzer has managed to generated DSS key/signature pairs that Matt Johnston <matt@ucc.asn.au> parents: 1457 diff changeset	38 setlinebuf(stdout);
1758 1365661f6be6 Disable stderr output for fuzzer by default Matt Johnston <matt@ucc.asn.au> parents: 1757 diff changeset	39 #if DEBUG_TRACE
1365661f6be6 Disable stderr output for fuzzer by default Matt Johnston <matt@ucc.asn.au> parents: 1757 diff changeset	40 if (debug_trace)
1365661f6be6 Disable stderr output for fuzzer by default Matt Johnston <matt@ucc.asn.au> parents: 1757 diff changeset	41 {
1365661f6be6 Disable stderr output for fuzzer by default Matt Johnston <matt@ucc.asn.au> parents: 1757 diff changeset	42 fprintf(stderr, "Dropbear fuzzer: -v specified, not disabling stderr output\n");
1365661f6be6 Disable stderr output for fuzzer by default Matt Johnston <matt@ucc.asn.au> parents: 1757 diff changeset	43 }
1365661f6be6 Disable stderr output for fuzzer by default Matt Johnston <matt@ucc.asn.au> parents: 1757 diff changeset	44 else
1365661f6be6 Disable stderr output for fuzzer by default Matt Johnston <matt@ucc.asn.au> parents: 1757 diff changeset	45 #endif
1767 3e1e1f82eba6 Preallocate memory for sshpacketmutator. Add fuzzer-client_mutator_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1765 diff changeset	46 if (getenv("DROPBEAR_KEEP_STDERR")) {
3e1e1f82eba6 Preallocate memory for sshpacketmutator. Add fuzzer-client_mutator_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1765 diff changeset	47 fprintf(stderr, "Dropbear fuzzer: DROPBEAR_KEEP_STDERR, not disabling stderr output\n");
3e1e1f82eba6 Preallocate memory for sshpacketmutator. Add fuzzer-client_mutator_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1765 diff changeset	48 }
3e1e1f82eba6 Preallocate memory for sshpacketmutator. Add fuzzer-client_mutator_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1765 diff changeset	49 else
1758 1365661f6be6 Disable stderr output for fuzzer by default Matt Johnston <matt@ucc.asn.au> parents: 1757 diff changeset	50 {
1767 3e1e1f82eba6 Preallocate memory for sshpacketmutator. Add fuzzer-client_mutator_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1765 diff changeset	51 fprintf(stderr, "Dropbear fuzzer: Disabling stderr output\n");
1768 096a66e45212 Fix fuzzing stderr override on os x Matt Johnston <matt@ucc.asn.au> parents: 1767 diff changeset	52 fuzz.fake_stderr = fopen("/dev/null", "w");
096a66e45212 Fix fuzzing stderr override on os x Matt Johnston <matt@ucc.asn.au> parents: 1767 diff changeset	53 assert(fuzz.fake_stderr);
1758 1365661f6be6 Disable stderr output for fuzzer by default Matt Johnston <matt@ucc.asn.au> parents: 1757 diff changeset	54 }
1348 5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	55 }
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	56
1456 a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	57 int fuzz_set_input(const uint8_t *Data, size_t Size) {
1356 3677a510f545 add wrapfd. improve fuzzer in makefile Matt Johnston <matt@ucc.asn.au> parents: 1353 diff changeset	58
3677a510f545 add wrapfd. improve fuzzer in makefile Matt Johnston <matt@ucc.asn.au> parents: 1353 diff changeset	59 fuzz.input->data = (unsigned char*)Data;
3677a510f545 add wrapfd. improve fuzzer in makefile Matt Johnston <matt@ucc.asn.au> parents: 1353 diff changeset	60 fuzz.input->size = Size;
3677a510f545 add wrapfd. improve fuzzer in makefile Matt Johnston <matt@ucc.asn.au> parents: 1353 diff changeset	61 fuzz.input->len = Size;
3677a510f545 add wrapfd. improve fuzzer in makefile Matt Johnston <matt@ucc.asn.au> parents: 1353 diff changeset	62 fuzz.input->pos = 0;
3677a510f545 add wrapfd. improve fuzzer in makefile Matt Johnston <matt@ucc.asn.au> parents: 1353 diff changeset	63
1358 6b89eb92f872 glaring wrapfd problems fixed Matt Johnston <matt@ucc.asn.au> parents: 1357 diff changeset	64 memset(&ses, 0x0, sizeof(ses));
6b89eb92f872 glaring wrapfd problems fixed Matt Johnston <matt@ucc.asn.au> parents: 1357 diff changeset	65 memset(&svr_ses, 0x0, sizeof(svr_ses));
1742 6e71440b1e47 Add fuzzer-client_nomaths, fix client fuzzer Matt Johnston <matt@ucc.asn.au> parents: 1741 diff changeset	66 memset(&cli_ses, 0x0, sizeof(cli_ses));
1740 dfbe947bdf0d Make wrapfd share a common buffer for all FDs Matt Johnston <matt@ucc.asn.au> parents: 1692 diff changeset	67 wrapfd_setup(fuzz.input);
1774 833bf9947603 Fuzzing - get rid of "prefix" for streams Matt Johnston <matt@ucc.asn.au> parents: 1770 diff changeset	68 // printhex("input", fuzz.input->data, fuzz.input->len);
1356 3677a510f545 add wrapfd. improve fuzzer in makefile Matt Johnston <matt@ucc.asn.au> parents: 1353 diff changeset	69
1757 517fb7b62438 Add some more variation to fuzzer random number generation Matt Johnston <matt@ucc.asn.au> parents: 1756 diff changeset	70 fuzz_seed(fuzz.input->data, MIN(fuzz.input->len, 16));
1356 3677a510f545 add wrapfd. improve fuzzer in makefile Matt Johnston <matt@ucc.asn.au> parents: 1353 diff changeset	71
3677a510f545 add wrapfd. improve fuzzer in makefile Matt Johnston <matt@ucc.asn.au> parents: 1353 diff changeset	72 return DROPBEAR_SUCCESS;
3677a510f545 add wrapfd. improve fuzzer in makefile Matt Johnston <matt@ucc.asn.au> parents: 1353 diff changeset	73 }
3677a510f545 add wrapfd. improve fuzzer in makefile Matt Johnston <matt@ucc.asn.au> parents: 1353 diff changeset	74
1558 2f64cb3d3007 - #if not #ifdef for DROPBEAR_FUZZ Matt Johnston <matt@ucc.asn.au> parents: 1529 diff changeset	75 #if DEBUG_TRACE
1373 9891bc31a1b3 fuzzers disable logging by default Matt Johnston <matt@ucc.asn.au> parents: 1369 diff changeset	76 static void fuzz_dropbear_log(int UNUSED(priority), const char* format, va_list param) {
9891bc31a1b3 fuzzers disable logging by default Matt Johnston <matt@ucc.asn.au> parents: 1369 diff changeset	77 if (debug_trace) {
1558 2f64cb3d3007 - #if not #ifdef for DROPBEAR_FUZZ Matt Johnston <matt@ucc.asn.au> parents: 1529 diff changeset	78 char printbuf[1024];
1373 9891bc31a1b3 fuzzers disable logging by default Matt Johnston <matt@ucc.asn.au> parents: 1369 diff changeset	79 vsnprintf(printbuf, sizeof(printbuf), format, param);
9891bc31a1b3 fuzzers disable logging by default Matt Johnston <matt@ucc.asn.au> parents: 1369 diff changeset	80 fprintf(stderr, "%s\n", printbuf);
9891bc31a1b3 fuzzers disable logging by default Matt Johnston <matt@ucc.asn.au> parents: 1369 diff changeset	81 }
9891bc31a1b3 fuzzers disable logging by default Matt Johnston <matt@ucc.asn.au> parents: 1369 diff changeset	82 }
1558 2f64cb3d3007 - #if not #ifdef for DROPBEAR_FUZZ Matt Johnston <matt@ucc.asn.au> parents: 1529 diff changeset	83 #else
2f64cb3d3007 - #if not #ifdef for DROPBEAR_FUZZ Matt Johnston <matt@ucc.asn.au> parents: 1529 diff changeset	84 static void fuzz_dropbear_log(int UNUSED(priority), const char* UNUSED(format), va_list UNUSED(param)) {
2f64cb3d3007 - #if not #ifdef for DROPBEAR_FUZZ Matt Johnston <matt@ucc.asn.au> parents: 1529 diff changeset	85 /* No print */
2f64cb3d3007 - #if not #ifdef for DROPBEAR_FUZZ Matt Johnston <matt@ucc.asn.au> parents: 1529 diff changeset	86 }
2f64cb3d3007 - #if not #ifdef for DROPBEAR_FUZZ Matt Johnston <matt@ucc.asn.au> parents: 1529 diff changeset	87 #endif /* DEBUG_TRACE */
1356 3677a510f545 add wrapfd. improve fuzzer in makefile Matt Johnston <matt@ucc.asn.au> parents: 1353 diff changeset	88
1456 a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	89 void fuzz_svr_setup(void) {
a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	90 fuzz_common_setup();
1353 f3c8975de38e setup svr_dropbear_exit Matt Johnston <matt@ucc.asn.au> parents: 1350 diff changeset	91
f3c8975de38e setup svr_dropbear_exit Matt Johnston <matt@ucc.asn.au> parents: 1350 diff changeset	92 _dropbear_exit = svr_dropbear_exit;
1348 5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	93
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	94 char *argv[] = {
1742 6e71440b1e47 Add fuzzer-client_nomaths, fix client fuzzer Matt Johnston <matt@ucc.asn.au> parents: 1741 diff changeset	95 "dropbear",
1348 5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	96 "-E",
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	97 };
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	98
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	99 int argc = sizeof(argv) / sizeof(*argv);
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	100 svr_getopts(argc, argv);
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	101
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	102 load_fixed_hostkeys();
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	103 }
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	104
1782 a6da10ac64b5 fuzz: make postauth set authdone properly Matt Johnston <matt@ucc.asn.au> parents: 1780 diff changeset	105 void fuzz_svr_hook_preloop() {
a6da10ac64b5 fuzz: make postauth set authdone properly Matt Johnston <matt@ucc.asn.au> parents: 1780 diff changeset	106 if (fuzz.svr_postauth) {
a6da10ac64b5 fuzz: make postauth set authdone properly Matt Johnston <matt@ucc.asn.au> parents: 1780 diff changeset	107 ses.authstate.authdone = 1;
a6da10ac64b5 fuzz: make postauth set authdone properly Matt Johnston <matt@ucc.asn.au> parents: 1780 diff changeset	108 fill_passwd("root");
a6da10ac64b5 fuzz: make postauth set authdone properly Matt Johnston <matt@ucc.asn.au> parents: 1780 diff changeset	109 }
a6da10ac64b5 fuzz: make postauth set authdone properly Matt Johnston <matt@ucc.asn.au> parents: 1780 diff changeset	110 }
a6da10ac64b5 fuzz: make postauth set authdone properly Matt Johnston <matt@ucc.asn.au> parents: 1780 diff changeset	111
1740 dfbe947bdf0d Make wrapfd share a common buffer for all FDs Matt Johnston <matt@ucc.asn.au> parents: 1692 diff changeset	112 void fuzz_cli_setup(void) {
dfbe947bdf0d Make wrapfd share a common buffer for all FDs Matt Johnston <matt@ucc.asn.au> parents: 1692 diff changeset	113 fuzz_common_setup();
dfbe947bdf0d Make wrapfd share a common buffer for all FDs Matt Johnston <matt@ucc.asn.au> parents: 1692 diff changeset	114
1741 d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	115 _dropbear_exit = cli_dropbear_exit;
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	116 _dropbear_log = cli_dropbear_log;
1740 dfbe947bdf0d Make wrapfd share a common buffer for all FDs Matt Johnston <matt@ucc.asn.au> parents: 1692 diff changeset	117
dfbe947bdf0d Make wrapfd share a common buffer for all FDs Matt Johnston <matt@ucc.asn.au> parents: 1692 diff changeset	118 char *argv[] = {
1742 6e71440b1e47 Add fuzzer-client_nomaths, fix client fuzzer Matt Johnston <matt@ucc.asn.au> parents: 1741 diff changeset	119 "dbclient",
1741 d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	120 "-y",
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	121 "localhost",
1751 3b9b427925a0 Load password and key for client fuzzer. Matt Johnston <matt@ucc.asn.au> parents: 1742 diff changeset	122 "uptime"
1740 dfbe947bdf0d Make wrapfd share a common buffer for all FDs Matt Johnston <matt@ucc.asn.au> parents: 1692 diff changeset	123 };
dfbe947bdf0d Make wrapfd share a common buffer for all FDs Matt Johnston <matt@ucc.asn.au> parents: 1692 diff changeset	124
dfbe947bdf0d Make wrapfd share a common buffer for all FDs Matt Johnston <matt@ucc.asn.au> parents: 1692 diff changeset	125 int argc = sizeof(argv) / sizeof(*argv);
dfbe947bdf0d Make wrapfd share a common buffer for all FDs Matt Johnston <matt@ucc.asn.au> parents: 1692 diff changeset	126 cli_getopts(argc, argv);
1751 3b9b427925a0 Load password and key for client fuzzer. Matt Johnston <matt@ucc.asn.au> parents: 1742 diff changeset	127
3b9b427925a0 Load password and key for client fuzzer. Matt Johnston <matt@ucc.asn.au> parents: 1742 diff changeset	128 load_fixed_client_key();
3b9b427925a0 Load password and key for client fuzzer. Matt Johnston <matt@ucc.asn.au> parents: 1742 diff changeset	129 /* Avoid password prompt */
3b9b427925a0 Load password and key for client fuzzer. Matt Johnston <matt@ucc.asn.au> parents: 1742 diff changeset	130 setenv(DROPBEAR_PASSWORD_ENV, "password", 1);
3b9b427925a0 Load password and key for client fuzzer. Matt Johnston <matt@ucc.asn.au> parents: 1742 diff changeset	131 }
3b9b427925a0 Load password and key for client fuzzer. Matt Johnston <matt@ucc.asn.au> parents: 1742 diff changeset	132
3b9b427925a0 Load password and key for client fuzzer. Matt Johnston <matt@ucc.asn.au> parents: 1742 diff changeset	133 #include "fuzz-hostkeys.c"
3b9b427925a0 Load password and key for client fuzzer. Matt Johnston <matt@ucc.asn.au> parents: 1742 diff changeset	134
3b9b427925a0 Load password and key for client fuzzer. Matt Johnston <matt@ucc.asn.au> parents: 1742 diff changeset	135 static void load_fixed_client_key(void) {
3b9b427925a0 Load password and key for client fuzzer. Matt Johnston <matt@ucc.asn.au> parents: 1742 diff changeset	136
3b9b427925a0 Load password and key for client fuzzer. Matt Johnston <matt@ucc.asn.au> parents: 1742 diff changeset	137 buffer *b = buf_new(3000);
3b9b427925a0 Load password and key for client fuzzer. Matt Johnston <matt@ucc.asn.au> parents: 1742 diff changeset	138 sign_key *key;
3b9b427925a0 Load password and key for client fuzzer. Matt Johnston <matt@ucc.asn.au> parents: 1742 diff changeset	139 enum signkey_type keytype;
3b9b427925a0 Load password and key for client fuzzer. Matt Johnston <matt@ucc.asn.au> parents: 1742 diff changeset	140
3b9b427925a0 Load password and key for client fuzzer. Matt Johnston <matt@ucc.asn.au> parents: 1742 diff changeset	141 key = new_sign_key();
3b9b427925a0 Load password and key for client fuzzer. Matt Johnston <matt@ucc.asn.au> parents: 1742 diff changeset	142 keytype = DROPBEAR_SIGNKEY_ANY;
3b9b427925a0 Load password and key for client fuzzer. Matt Johnston <matt@ucc.asn.au> parents: 1742 diff changeset	143 buf_putbytes(b, keyed25519, keyed25519_len);
3b9b427925a0 Load password and key for client fuzzer. Matt Johnston <matt@ucc.asn.au> parents: 1742 diff changeset	144 buf_setpos(b, 0);
3b9b427925a0 Load password and key for client fuzzer. Matt Johnston <matt@ucc.asn.au> parents: 1742 diff changeset	145 if (buf_get_priv_key(b, key, &keytype) == DROPBEAR_FAILURE) {
3b9b427925a0 Load password and key for client fuzzer. Matt Johnston <matt@ucc.asn.au> parents: 1742 diff changeset	146 dropbear_exit("failed fixed ed25519 hostkey");
3b9b427925a0 Load password and key for client fuzzer. Matt Johnston <matt@ucc.asn.au> parents: 1742 diff changeset	147 }
3b9b427925a0 Load password and key for client fuzzer. Matt Johnston <matt@ucc.asn.au> parents: 1742 diff changeset	148 list_append(cli_opts.privkeys, key);
3b9b427925a0 Load password and key for client fuzzer. Matt Johnston <matt@ucc.asn.au> parents: 1742 diff changeset	149
3b9b427925a0 Load password and key for client fuzzer. Matt Johnston <matt@ucc.asn.au> parents: 1742 diff changeset	150 buf_free(b);
1740 dfbe947bdf0d Make wrapfd share a common buffer for all FDs Matt Johnston <matt@ucc.asn.au> parents: 1692 diff changeset	151 }
dfbe947bdf0d Make wrapfd share a common buffer for all FDs Matt Johnston <matt@ucc.asn.au> parents: 1692 diff changeset	152
1348 5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	153 static void load_fixed_hostkeys(void) {
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	154
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	155 buffer *b = buf_new(3000);
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	156 enum signkey_type type;
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	157
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	158 TRACE(("load fixed hostkeys"))
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	159
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	160 svr_opts.hostkey = new_sign_key();
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	161
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	162 buf_setlen(b, 0);
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	163 buf_putbytes(b, keyr, keyr_len);
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	164 buf_setpos(b, 0);
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	165 type = DROPBEAR_SIGNKEY_RSA;
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	166 if (buf_get_priv_key(b, svr_opts.hostkey, &type) == DROPBEAR_FAILURE) {
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	167 dropbear_exit("failed fixed rsa hostkey");
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	168 }
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	169
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	170 buf_setlen(b, 0);
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	171 buf_putbytes(b, keyd, keyd_len);
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	172 buf_setpos(b, 0);
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	173 type = DROPBEAR_SIGNKEY_DSS;
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	174 if (buf_get_priv_key(b, svr_opts.hostkey, &type) == DROPBEAR_FAILURE) {
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	175 dropbear_exit("failed fixed dss hostkey");
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	176 }
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	177
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	178 buf_setlen(b, 0);
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	179 buf_putbytes(b, keye, keye_len);
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	180 buf_setpos(b, 0);
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	181 type = DROPBEAR_SIGNKEY_ECDSA_NISTP256;
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	182 if (buf_get_priv_key(b, svr_opts.hostkey, &type) == DROPBEAR_FAILURE) {
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	183 dropbear_exit("failed fixed ecdsa hostkey");
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	184 }
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	185
1659 d32bcb5c557d Add Ed25519 support (#91) Vladislav Grishenko <themiron@users.noreply.github.com> parents: 1589 diff changeset	186 buf_setlen(b, 0);
d32bcb5c557d Add Ed25519 support (#91) Vladislav Grishenko <themiron@users.noreply.github.com> parents: 1589 diff changeset	187 buf_putbytes(b, keyed25519, keyed25519_len);
d32bcb5c557d Add Ed25519 support (#91) Vladislav Grishenko <themiron@users.noreply.github.com> parents: 1589 diff changeset	188 buf_setpos(b, 0);
d32bcb5c557d Add Ed25519 support (#91) Vladislav Grishenko <themiron@users.noreply.github.com> parents: 1589 diff changeset	189 type = DROPBEAR_SIGNKEY_ED25519;
d32bcb5c557d Add Ed25519 support (#91) Vladislav Grishenko <themiron@users.noreply.github.com> parents: 1589 diff changeset	190 if (buf_get_priv_key(b, svr_opts.hostkey, &type) == DROPBEAR_FAILURE) {
d32bcb5c557d Add Ed25519 support (#91) Vladislav Grishenko <themiron@users.noreply.github.com> parents: 1589 diff changeset	191 dropbear_exit("failed fixed ed25519 hostkey");
d32bcb5c557d Add Ed25519 support (#91) Vladislav Grishenko <themiron@users.noreply.github.com> parents: 1589 diff changeset	192 }
d32bcb5c557d Add Ed25519 support (#91) Vladislav Grishenko <themiron@users.noreply.github.com> parents: 1589 diff changeset	193
1348 5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	194 buf_free(b);
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	195 }
5c2899e35b63 fuzz harness Matt Johnston <matt@ucc.asn.au> parents: diff changeset	196
1357 08f4fa4dc6a0 closer to working Matt Johnston <matt@ucc.asn.au> parents: 1356 diff changeset	197 void fuzz_kex_fakealgos(void) {
08f4fa4dc6a0 closer to working Matt Johnston <matt@ucc.asn.au> parents: 1356 diff changeset	198 ses.newkeys->recv.crypt_mode = &dropbear_mode_none;
1774 833bf9947603 Fuzzing - get rid of "prefix" for streams Matt Johnston <matt@ucc.asn.au> parents: 1770 diff changeset	199 ses.newkeys->recv.algo_mac = &dropbear_nohash;
1357 08f4fa4dc6a0 closer to working Matt Johnston <matt@ucc.asn.au> parents: 1356 diff changeset	200 }
1383 f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority() Matt Johnston <matt@ucc.asn.au> parents: 1377 diff changeset	201
f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority() Matt Johnston <matt@ucc.asn.au> parents: 1377 diff changeset	202 void fuzz_get_socket_address(int UNUSED(fd), char local_host, char local_port,
f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority() Matt Johnston <matt@ucc.asn.au> parents: 1377 diff changeset	203 char remote_host, char remote_port, int UNUSED(host_lookup)) {
f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority() Matt Johnston <matt@ucc.asn.au> parents: 1377 diff changeset	204 if (local_host) {
f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority() Matt Johnston <matt@ucc.asn.au> parents: 1377 diff changeset	205 *local_host = m_strdup("fuzzlocalhost");
f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority() Matt Johnston <matt@ucc.asn.au> parents: 1377 diff changeset	206 }
f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority() Matt Johnston <matt@ucc.asn.au> parents: 1377 diff changeset	207 if (local_port) {
f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority() Matt Johnston <matt@ucc.asn.au> parents: 1377 diff changeset	208 *local_port = m_strdup("1234");
f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority() Matt Johnston <matt@ucc.asn.au> parents: 1377 diff changeset	209 }
f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority() Matt Johnston <matt@ucc.asn.au> parents: 1377 diff changeset	210 if (remote_host) {
f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority() Matt Johnston <matt@ucc.asn.au> parents: 1377 diff changeset	211 *remote_host = m_strdup("fuzzremotehost");
f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority() Matt Johnston <matt@ucc.asn.au> parents: 1377 diff changeset	212 }
f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority() Matt Johnston <matt@ucc.asn.au> parents: 1377 diff changeset	213 if (remote_port) {
f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority() Matt Johnston <matt@ucc.asn.au> parents: 1377 diff changeset	214 *remote_port = m_strdup("9876");
f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority() Matt Johnston <matt@ucc.asn.au> parents: 1377 diff changeset	215 }
f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority() Matt Johnston <matt@ucc.asn.au> parents: 1377 diff changeset	216 }
1456 a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	217
a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	218 /* cut down version of svr_send_msg_kexdh_reply() that skips slow maths. Still populates structures */
a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	219 void fuzz_fake_send_kexdh_reply(void) {
a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	220 assert(!ses.dh_K);
a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	221 m_mp_alloc_init_multi(&ses.dh_K, NULL);
1692 1051e4eea25a Update LibTomMath to 1.2.0 (#84) Steffen Jaeckel <s@jaeckel.eu> parents: 1659 diff changeset	222 mp_set_ul(ses.dh_K, 12345678uL);
1456 a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	223 finish_kexhashbuf();
a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	224 }
a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	225
1740 dfbe947bdf0d Make wrapfd share a common buffer for all FDs Matt Johnston <matt@ucc.asn.au> parents: 1692 diff changeset	226 /* fake version of spawn_command() */
dfbe947bdf0d Make wrapfd share a common buffer for all FDs Matt Johnston <matt@ucc.asn.au> parents: 1692 diff changeset	227 int fuzz_spawn_command(int ret_writefd, int ret_readfd, int ret_errfd, pid_t ret_pid) {
1777 97ad26e397a5 Add server postauth fuzzer, wrap connect_remote() Matt Johnston <matt@ucc.asn.au> parents: 1775 diff changeset	228 *ret_writefd = wrapfd_new_dummy();
97ad26e397a5 Add server postauth fuzzer, wrap connect_remote() Matt Johnston <matt@ucc.asn.au> parents: 1775 diff changeset	229 *ret_readfd = wrapfd_new_dummy();
1740 dfbe947bdf0d Make wrapfd share a common buffer for all FDs Matt Johnston <matt@ucc.asn.au> parents: 1692 diff changeset	230 if (ret_errfd) {
1777 97ad26e397a5 Add server postauth fuzzer, wrap connect_remote() Matt Johnston <matt@ucc.asn.au> parents: 1775 diff changeset	231 *ret_errfd = wrapfd_new_dummy();
1740 dfbe947bdf0d Make wrapfd share a common buffer for all FDs Matt Johnston <matt@ucc.asn.au> parents: 1692 diff changeset	232 }
1802 19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy() Matt Johnston <matt@ucc.asn.au> parents: 1801 diff changeset	233 if (ret_writefd == -1 \|\| ret_readfd == -1 \|\| (ret_errfd && *ret_errfd == -1)) {
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy() Matt Johnston <matt@ucc.asn.au> parents: 1801 diff changeset	234 m_close(*ret_writefd);
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy() Matt Johnston <matt@ucc.asn.au> parents: 1801 diff changeset	235 m_close(*ret_readfd);
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy() Matt Johnston <matt@ucc.asn.au> parents: 1801 diff changeset	236 if (ret_errfd) {
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy() Matt Johnston <matt@ucc.asn.au> parents: 1801 diff changeset	237 m_close(*ret_errfd);
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy() Matt Johnston <matt@ucc.asn.au> parents: 1801 diff changeset	238 }
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy() Matt Johnston <matt@ucc.asn.au> parents: 1801 diff changeset	239 return DROPBEAR_FAILURE;
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy() Matt Johnston <matt@ucc.asn.au> parents: 1801 diff changeset	240 } else {
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy() Matt Johnston <matt@ucc.asn.au> parents: 1801 diff changeset	241 *ret_pid = 999;
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy() Matt Johnston <matt@ucc.asn.au> parents: 1801 diff changeset	242 return DROPBEAR_SUCCESS;
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy() Matt Johnston <matt@ucc.asn.au> parents: 1801 diff changeset	243
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy() Matt Johnston <matt@ucc.asn.au> parents: 1801 diff changeset	244 }
1740 dfbe947bdf0d Make wrapfd share a common buffer for all FDs Matt Johnston <matt@ucc.asn.au> parents: 1692 diff changeset	245 }
dfbe947bdf0d Make wrapfd share a common buffer for all FDs Matt Johnston <matt@ucc.asn.au> parents: 1692 diff changeset	246
1786 a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement Matt Johnston <matt@ucc.asn.au> parents: 1785 diff changeset	247 /* Fake dropbear_listen, always returns failure for now.
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement Matt Johnston <matt@ucc.asn.au> parents: 1785 diff changeset	248 TODO make it sometimes return success with wrapfd_new_dummy() sockets.
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement Matt Johnston <matt@ucc.asn.au> parents: 1785 diff changeset	249 Making the listeners fake a new incoming connection will be harder. */
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement Matt Johnston <matt@ucc.asn.au> parents: 1785 diff changeset	250 /* Listen on address:port.
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement Matt Johnston <matt@ucc.asn.au> parents: 1785 diff changeset	251 * Special cases are address of "" listening on everything,
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement Matt Johnston <matt@ucc.asn.au> parents: 1785 diff changeset	252 * and address of NULL listening on localhost only.
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement Matt Johnston <matt@ucc.asn.au> parents: 1785 diff changeset	253 * Returns the number of sockets bound on success, or -1 on failure. On
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement Matt Johnston <matt@ucc.asn.au> parents: 1785 diff changeset	254 * failure, if errstring wasn't NULL, it'll be a newly malloced error
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement Matt Johnston <matt@ucc.asn.au> parents: 1785 diff changeset	255 * string.*/
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement Matt Johnston <matt@ucc.asn.au> parents: 1785 diff changeset	256 int fuzz_dropbear_listen(const char* UNUSED(address), const char* UNUSED(port),
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement Matt Johnston <matt@ucc.asn.au> parents: 1785 diff changeset	257 int UNUSED(socks), unsigned int UNUSED(sockcount), char errstring, int UNUSED(maxfd)) {
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement Matt Johnston <matt@ucc.asn.au> parents: 1785 diff changeset	258 if (errstring) {
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement Matt Johnston <matt@ucc.asn.au> parents: 1785 diff changeset	259 *errstring = m_strdup("fuzzing can't listen (yet)");
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement Matt Johnston <matt@ucc.asn.au> parents: 1785 diff changeset	260 }
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement Matt Johnston <matt@ucc.asn.au> parents: 1785 diff changeset	261 return -1;
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement Matt Johnston <matt@ucc.asn.au> parents: 1785 diff changeset	262 }
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement Matt Johnston <matt@ucc.asn.au> parents: 1785 diff changeset	263
1782 a6da10ac64b5 fuzz: make postauth set authdone properly Matt Johnston <matt@ucc.asn.au> parents: 1780 diff changeset	264 int fuzz_run_server(const uint8_t *Data, size_t Size, int skip_kexmaths, int postauth) {
1456 a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	265 static int once = 0;
a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	266 if (!once) {
a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	267 fuzz_svr_setup();
a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	268 fuzz.skip_kexmaths = skip_kexmaths;
a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	269 once = 1;
a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	270 }
a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	271
1782 a6da10ac64b5 fuzz: make postauth set authdone properly Matt Johnston <matt@ucc.asn.au> parents: 1780 diff changeset	272 fuzz.svr_postauth = postauth;
a6da10ac64b5 fuzz: make postauth set authdone properly Matt Johnston <matt@ucc.asn.au> parents: 1780 diff changeset	273
1456 a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	274 if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	275 return 0;
a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	276 }
a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	277
1774 833bf9947603 Fuzzing - get rid of "prefix" for streams Matt Johnston <matt@ucc.asn.au> parents: 1770 diff changeset	278 uint32_t wrapseed;
1775 8179eabe16c9 fuzzing - fix some wrong types and -lcrypt on macos Matt Johnston <matt@ucc.asn.au> parents: 1774 diff changeset	279 genrandom((void*)&wrapseed, sizeof(wrapseed));
1456 a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	280 wrapfd_setseed(wrapseed);
a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	281
1777 97ad26e397a5 Add server postauth fuzzer, wrap connect_remote() Matt Johnston <matt@ucc.asn.au> parents: 1775 diff changeset	282 int fakesock = wrapfd_new_fuzzinput();
97ad26e397a5 Add server postauth fuzzer, wrap connect_remote() Matt Johnston <matt@ucc.asn.au> parents: 1775 diff changeset	283
1456 a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	284 m_malloc_set_epoch(1);
1760 2406a9987810 Add first try at fuzzing custom mutator Matt Johnston <matt@ucc.asn.au> parents: 1758 diff changeset	285 fuzz.do_jmp = 1;
1456 a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	286 if (setjmp(fuzz.jmp) == 0) {
a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	287 svr_session(fakesock, fakesock);
a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	288 m_malloc_free_epoch(1, 0);
a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	289 } else {
1760 2406a9987810 Add first try at fuzzing custom mutator Matt Johnston <matt@ucc.asn.au> parents: 1758 diff changeset	290 fuzz.do_jmp = 0;
1456 a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	291 m_malloc_free_epoch(1, 1);
a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	292 TRACE(("dropbear_exit longjmped"))
1559 92c93b4a3646 Fix to be able to compile normal(ish) binaries with --enable-fuzz Matt Johnston <matt@ucc.asn.au> parents: 1558 diff changeset	293 /* dropbear_exit jumped here */
1456 a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	294 }
a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	295
a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	296 return 0;
a90fdd2d2ed8 add fuzzer-preauth_nomaths Matt Johnston <matt@ucc.asn.au> parents: 1386 diff changeset	297 }
1589 35af85194268 Add kexdh and kexecdh fuzzers Matt Johnston <matt@ucc.asn.au> parents: 1559 diff changeset	298
1741 d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	299 int fuzz_run_client(const uint8_t *Data, size_t Size, int skip_kexmaths) {
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	300 static int once = 0;
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	301 if (!once) {
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	302 fuzz_cli_setup();
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	303 fuzz.skip_kexmaths = skip_kexmaths;
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	304 once = 1;
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	305 }
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	306
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	307 if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	308 return 0;
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	309 }
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	310
1774 833bf9947603 Fuzzing - get rid of "prefix" for streams Matt Johnston <matt@ucc.asn.au> parents: 1770 diff changeset	311 // Allow to proceed sooner
833bf9947603 Fuzzing - get rid of "prefix" for streams Matt Johnston <matt@ucc.asn.au> parents: 1770 diff changeset	312 ses.kexstate.donefirstkex = 1;
1741 d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	313
1774 833bf9947603 Fuzzing - get rid of "prefix" for streams Matt Johnston <matt@ucc.asn.au> parents: 1770 diff changeset	314 uint32_t wrapseed;
1775 8179eabe16c9 fuzzing - fix some wrong types and -lcrypt on macos Matt Johnston <matt@ucc.asn.au> parents: 1774 diff changeset	315 genrandom((void*)&wrapseed, sizeof(wrapseed));
1741 d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	316 wrapfd_setseed(wrapseed);
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	317
1777 97ad26e397a5 Add server postauth fuzzer, wrap connect_remote() Matt Johnston <matt@ucc.asn.au> parents: 1775 diff changeset	318 int fakesock = wrapfd_new_fuzzinput();
1741 d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	319
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	320 m_malloc_set_epoch(1);
1760 2406a9987810 Add first try at fuzzing custom mutator Matt Johnston <matt@ucc.asn.au> parents: 1758 diff changeset	321 fuzz.do_jmp = 1;
1741 d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	322 if (setjmp(fuzz.jmp) == 0) {
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	323 cli_session(fakesock, fakesock, NULL, 0);
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	324 m_malloc_free_epoch(1, 0);
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	325 } else {
1760 2406a9987810 Add first try at fuzzing custom mutator Matt Johnston <matt@ucc.asn.au> parents: 1758 diff changeset	326 fuzz.do_jmp = 0;
1741 d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	327 m_malloc_free_epoch(1, 1);
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	328 TRACE(("dropbear_exit longjmped"))
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	329 /* dropbear_exit jumped here */
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	330 }
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	331
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	332 return 0;
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	333 }
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away) Matt Johnston <matt@ucc.asn.au> parents: 1740 diff changeset	334
1589 35af85194268 Add kexdh and kexecdh fuzzers Matt Johnston <matt@ucc.asn.au> parents: 1559 diff changeset	335 const void* fuzz_get_algo(const algo_type algos, const char name) {
35af85194268 Add kexdh and kexecdh fuzzers Matt Johnston <matt@ucc.asn.au> parents: 1559 diff changeset	336 const algo_type *t;
35af85194268 Add kexdh and kexecdh fuzzers Matt Johnston <matt@ucc.asn.au> parents: 1559 diff changeset	337 for (t = algos; t->name; t++) {
35af85194268 Add kexdh and kexecdh fuzzers Matt Johnston <matt@ucc.asn.au> parents: 1559 diff changeset	338 if (strcmp(t->name, name) == 0) {
35af85194268 Add kexdh and kexecdh fuzzers Matt Johnston <matt@ucc.asn.au> parents: 1559 diff changeset	339 return t->data;
35af85194268 Add kexdh and kexecdh fuzzers Matt Johnston <matt@ucc.asn.au> parents: 1559 diff changeset	340 }
35af85194268 Add kexdh and kexecdh fuzzers Matt Johnston <matt@ucc.asn.au> parents: 1559 diff changeset	341 }
35af85194268 Add kexdh and kexecdh fuzzers Matt Johnston <matt@ucc.asn.au> parents: 1559 diff changeset	342 assert(0);
35af85194268 Add kexdh and kexecdh fuzzers Matt Johnston <matt@ucc.asn.au> parents: 1559 diff changeset	343 }
1751 3b9b427925a0 Load password and key for client fuzzer. Matt Johnston <matt@ucc.asn.au> parents: 1742 diff changeset	344
3b9b427925a0 Load password and key for client fuzzer. Matt Johnston <matt@ucc.asn.au> parents: 1742 diff changeset	345 void fuzz_dump(const unsigned char* data, size_t len) {
3b9b427925a0 Load password and key for client fuzzer. Matt Johnston <matt@ucc.asn.au> parents: 1742 diff changeset	346 if (fuzz.dumping) {
1799 8df3d6aa5f23 fuzz: avoid extraneous printing Matt Johnston <matt@ucc.asn.au> parents: 1786 diff changeset	347 TRACE(("dump %zu", len))
1751 3b9b427925a0 Load password and key for client fuzzer. Matt Johnston <matt@ucc.asn.au> parents: 1742 diff changeset	348 assert(atomicio(vwrite, fuzz.recv_dumpfd, (void*)data, len) == len);
3b9b427925a0 Load password and key for client fuzzer. Matt Johnston <matt@ucc.asn.au> parents: 1742 diff changeset	349 }
3b9b427925a0 Load password and key for client fuzzer. Matt Johnston <matt@ucc.asn.au> parents: 1742 diff changeset	350 }
1779 36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	351
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	352 static struct passwd pwd_root = {
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	353 .pw_name = "root",
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	354 .pw_passwd = "!",
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	355 .pw_uid = 0,
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	356 .pw_gid = 0,
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	357 .pw_dir = "/root",
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	358 .pw_shell = "/bin/sh",
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	359 };
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	360
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	361 static struct passwd pwd_other = {
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	362 .pw_name = "other",
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	363 .pw_passwd = "!",
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	364 .pw_uid = 100,
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	365 .pw_gid = 100,
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	366 .pw_dir = "/home/other",
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	367 .pw_shell = "/bin/sh",
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	368 };
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	369
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	370
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	371 /* oss-fuzz runs fuzzers under minijail, without /etc/passwd.
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	372 We provide sufficient values for the fuzzers to run */
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	373 struct passwd* fuzz_getpwnam(const char *login) {
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	374 if (!fuzz.fuzzing) {
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	375 return getpwnam(login);
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	376 }
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	377 if (strcmp(login, pwd_other.pw_name) == 0) {
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	378 return &pwd_other;
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	379 }
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	380 if (strcmp(login, pwd_root.pw_name) == 0) {
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	381 return &pwd_root;
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	382 }
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	383 return NULL;
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	384 }
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	385
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	386 struct passwd* fuzz_getpwuid(uid_t uid) {
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	387 if (!fuzz.fuzzing) {
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	388 return getpwuid(uid);
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	389 }
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	390 if (uid == pwd_other.pw_uid) {
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	391 return &pwd_other;
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	392 }
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	393 if (uid == pwd_root.pw_uid) {
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	394 return &pwd_root;
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	395 }
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	396 return NULL;
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	397 }
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam Matt Johnston <matt@ucc.asn.au> parents: 1778 diff changeset	398

Mercurial > dropbear

annotate fuzz/fuzz-common.c @ 1861:2b3a8026a6ce