annotate fuzz/fuzzer-kexecdh.c @ 1861:2b3a8026a6ce

Add re-exec for server: this allows ASLR to re-randomize the address space for every connection, preventing some vulnerabilities from being exploitable by repeated probing. Overhead (memory and time) is yet to be confirmed. At present this is only enabled on Linux. Other BSD platforms with fexecve() would probably also work, though they have not been tested.
author Matt Johnston <matt@ucc.asn.au>
date Sun, 30 Jan 2022 10:14:56 +0800
parents 0cc85b4a4abb
children
1 #include "fuzz.h"
2 #include "session.h"
3 #include "fuzz-wrapfd.h"
4 #include "debug.h"
5 #include "runopts.h"
6 #include "algo.h"
7 #include "bignum.h"
/* The three ECDH kex algorithms this harness can exercise, resolved once in
 * setup(): index 0 is nistp256, 1 is nistp384, 2 is nistp521. */
static const struct dropbear_kex *ecdh[3]; /* 256, 384, 521 */
/* Persistent newkeys context. ses itself is re-zeroed for every fuzz input,
 * so this allocation lives separately and is re-attached to ses.newkeys on
 * each run. */
static struct key_context *keep_newkeys = NULL;
/* number of generated parameters. An arbitrary limit, but will delay startup */
#define NUM_PARAMS 80
/* Pre-generated ECDH parameter sets, filled by setup() so that each fuzz run
 * picks one instead of paying for key generation itself. */
static struct kex_ecdh_param *ecdh_params[NUM_PARAMS];
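static void setup(void) __attribute__((constructor));
/* Perform initial setup here to avoid hitting timeouts on first run.
 *
 * Runs as a constructor, before the fuzzer entry point is ever called. It
 * initialises the common and server-side fuzz state, allocates the
 * persistent newkeys context, resolves the three ECDH kex algorithms and
 * pre-generates NUM_PARAMS ECDH parameter sets so that
 * LLVMFuzzerTestOneInput() never has to generate keys itself. Aborts via
 * assert() if any of the three ECDH algorithms is not available. */
static void setup(void) {
	fuzz_common_setup();
	fuzz_svr_setup();

	/* ses gets zeroed by fuzz_set_input, so the newkeys context lives in its
	 * own allocation and is re-attached to ses on every run. */
	keep_newkeys = m_malloc(sizeof *keep_newkeys);
	ecdh[0] = fuzz_get_algo(sshkex, "ecdh-sha2-nistp256");
	ecdh[1] = fuzz_get_algo(sshkex, "ecdh-sha2-nistp384");
	ecdh[2] = fuzz_get_algo(sshkex, "ecdh-sha2-nistp521");
	assert(ecdh[0]);
	assert(ecdh[1]);
	assert(ecdh[2]);
	keep_newkeys->algo_hostkey = DROPBEAR_SIGNKEY_ECDSA_NISTP256;
	ses.newkeys = keep_newkeys;

	/* Pre-generate parameters, cycling through the three curves so each one
	 * gets roughly NUM_PARAMS/3 entries. algo_kex is set before every call
	 * because gen_kexecdh_param() takes no arguments; presumably it selects
	 * the curve from ses.newkeys. */
	for (int i = 0; i < NUM_PARAMS; i++) {
		ses.newkeys->algo_kex = ecdh[i % 3];
		ecdh_params[i] = gen_kexecdh_param();
	}
}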
/* One server-side ECDH key exchange driven by the current fuzz input.
 *
 * Based on recv_msg_kexdh_init()/send_msg_kexdh_reply() with
 * DROPBEAR_KEX_ECDH. Reads from fuzz.input, in order: one byte selecting the
 * curve (mod 3), one uint32 selecting a pre-generated parameter set
 * (mod NUM_PARAMS), then an SSH string carrying the peer's ECDH public point.
 * Any dropbear_exit() raised by the code under test longjmps out of here
 * back to the caller's setjmp guard, so nothing after the failing call runs. */
static void run_one_kexecdh(void) {
	ses.newkeys = keep_newkeys;

	/* random choice of ecdh 256, 384, 521 */
	unsigned char curve_sel = buf_getbyte(fuzz.input);
	ses.newkeys->algo_kex = ecdh[curve_sel % 3];

	/* Choose from the collection of ecdh params */
	unsigned int param_sel = buf_getint(fuzz.input);
	struct kex_ecdh_param *ecdh_param = ecdh_params[param_sel % NUM_PARAMS];

	buffer *peer_qs = buf_getstringbuf(fuzz.input);

	ses.kexhashbuf = buf_new(KEXHASHBUF_MAX_INTS);
	kexecdh_comb_key(ecdh_param, peer_qs, svr_opts.hostkey);

	mp_clear(ses.dh_K);
	m_free(ses.dh_K);
	buf_free(peer_qs);

	buf_free(ses.hash);
	buf_free(ses.session_id);
	/* kexhashbuf is expected to be released inside the comb_key call, so it
	 * is deliberately not freed here */
}

/* libFuzzer entry point.
 *
 * Hands Data/Size to fuzz_set_input() and returns 0 immediately if that is
 * rejected. Otherwise runs one key exchange under a setjmp guard: allocations
 * made during the run are tagged with epoch 1 and released afterwards on both
 * the normal path and the path taken when dropbear_exit() longjmps back here.
 * Always returns 0, as libFuzzer requires. */
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
	if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
		return 0;
	}

	m_malloc_set_epoch(1);

	if (setjmp(fuzz.jmp) != 0) {
		/* dropbear_exit jumped here */
		m_malloc_free_epoch(1, 1);
		TRACE(("dropbear_exit longjmped"))
		return 0;
	}

	run_one_kexecdh();
	m_malloc_free_epoch(1, 0);
	return 0;
}