annotate fuzz/fuzzer-kexdh.c @ 1861:2b3a8026a6ce

Add re-exec for server. This allows ASLR to re-randomize the address space for every connection, preventing some vulnerabilities from being exploitable by repeated probing. Overhead (memory and time) is yet to be confirmed. At present this is only enabled on Linux. Other BSD platforms with fexecve() would probably also work, though they have not been tested.
author Matt Johnston <matt@ucc.asn.au>
date Sun, 30 Jan 2022 10:14:56 +0800
parents 0cc85b4a4abb
children
1 #include "fuzz.h"
2 #include "session.h"
3 #include "fuzz-wrapfd.h"
4 #include "debug.h"
5 #include "runopts.h"
6 #include "algo.h"
7 #include "bignum.h"
/* How many server-side DH parameter sets are pre-generated for the
 * fuzz input to choose between. */
#define NUM_PARAMS 80

/* Key context reused by every fuzz iteration; filled in once by setup()
 * and reinstalled into ses.newkeys before each input is processed. */
static struct key_context *keep_newkeys = NULL;

/* Pre-generated DH parameter sets, populated by setup(). Entries are
 * NULL until the constructor has run. */
static struct kex_dh_param *dh_params[NUM_PARAMS];
static void setup() __attribute__((constructor));

/*
 * One-time harness initialisation, run as a constructor so the slow part
 * (generating NUM_PARAMS DH parameter sets) happens before libFuzzer
 * starts timing individual inputs, rather than on the first input.
 */
static void setup() {
	fuzz_common_setup();
	fuzz_svr_setup();

	/* A fixed key context: "diffie-hellman-group14-sha256" for KEX and the
	 * DROPBEAR_SIGNKEY_ECDSA_NISTP256 host key type. It lives in a static so
	 * each fuzz input can point ses.newkeys back at it. */
	keep_newkeys = (struct key_context *)m_malloc(sizeof(*keep_newkeys));
	keep_newkeys->algo_kex = fuzz_get_algo(sshkex, "diffie-hellman-group14-sha256");
	keep_newkeys->algo_hostkey = DROPBEAR_SIGNKEY_ECDSA_NISTP256;
	ses.newkeys = keep_newkeys;

	/* Pre-generate the DH parameter sets the fuzz input selects from. */
	for (int idx = 0; idx < NUM_PARAMS; idx++) {
		dh_params[idx] = gen_kexdh_param();
	}
}
/*
 * libFuzzer entry point: runs the server side of a plain (non-EC)
 * Diffie-Hellman key exchange against attacker-controlled input. Modelled
 * on recv_msg_kexdh_init()/send_msg_kexdh_reply() with
 * DROPBEAR_KEX_NORMAL_DH.
 *
 * Input layout: one integer (read with buf_getint) choosing a pre-generated
 * DH parameter set, followed by the client's public value e as an mpint.
 *
 * Allocations made while handling an input are placed in malloc epoch 1.
 * Under the fuzz build dropbear_exit() longjmps back to fuzz.jmp instead of
 * terminating, and the whole epoch is then released so a rejected input
 * does not leak. Always returns 0, as libFuzzer expects.
 */
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
	if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
		return 0;
	}

	m_malloc_set_epoch(1);

	if (setjmp(fuzz.jmp) != 0) {
		/* dropbear_exit() landed here: discard everything allocated in
		 * this epoch, including any partially initialised state. */
		m_malloc_free_epoch(1, 1);
		TRACE(("dropbear_exit longjmped"))
		return 0;
	}

	/* The kex code takes its algorithm choices from ses.newkeys. */
	ses.newkeys = keep_newkeys;

	/* The first input word selects one of the pre-generated DH parameter
	 * sets (this is the plain-DH harness, not the ECDH one). */
	unsigned int choice = buf_getint(fuzz.input);
	struct kex_dh_param *chosen = dh_params[choice % NUM_PARAMS];

	/* Client public value e, parsed from the fuzz input. A malformed mpint
	 * is rejected via dropbear_exit(), i.e. the longjmp path above.
	 * NOTE(review): client_e is not mp_clear'd on that path; whether the
	 * epoch free reclaims its digits depends on libtommath's allocator
	 * hook -- confirm. */
	DEF_MP_INT(client_e);
	m_mp_init(&client_e);
	if (buf_getmpint(fuzz.input, &client_e) != DROPBEAR_SUCCESS) {
		dropbear_exit("Bad kex value");
	}

	ses.kexhashbuf = buf_new(KEXHASHBUF_MAX_INTS);
	kexdh_comb_key(chosen, &client_e, svr_opts.hostkey);

	/* Tear down the per-input state kexdh_comb_key populated.
	 * kexhashbuf itself is freed inside kexdh_comb_key. */
	mp_clear(ses.dh_K);
	m_free(ses.dh_K);
	mp_clear(&client_e);
	buf_free(ses.hash);
	buf_free(ses.session_id);

	m_malloc_free_epoch(1, 0);
	return 0;
}