Mercurial > dropbear
annotate FUZZER-NOTES.md @ 1672:3a97f14c0235
Add Chacha20-Poly1305, AES128-GCM and AES256-GCM support (#93)
* Add Chacha20-Poly1305 authenticated encryption
* Add general AEAD approach.
* Add [email protected] algo using LibTomCrypt chacha and
poly1305 routines.
Chacha20-Poly1305 is generally faster than AES256 on CPU w/o dedicated
AES instructions, having the same key size.
Compiling in will add ~5,5kB to binary size on x86-64.
function old new delta
chacha_crypt - 1397 +1397
_poly1305_block - 608 +608
poly1305_done - 595 +595
dropbear_chachapoly_crypt - 457 +457
.rodata 26976 27392 +416
poly1305_process - 290 +290
poly1305_init - 221 +221
chacha_setup - 218 +218
encrypt_packet 1068 1270 +202
dropbear_chachapoly_getlength - 147 +147
decrypt_packet 756 897 +141
chacha_ivctr64 - 137 +137
read_packet 543 637 +94
dropbear_chachapoly_start - 94 +94
read_kex_algos 792 880 +88
chacha_keystream - 69 +69
dropbear_mode_chachapoly - 48 +48
sshciphers 280 320 +40
dropbear_mode_none 24 48 +24
dropbear_mode_ctr 24 48 +24
dropbear_mode_cbc 24 48 +24
dropbear_chachapoly_mac - 24 +24
dropbear_chachapoly - 24 +24
gen_new_keys 848 854 +6
------------------------------------------------------------------------------
(add/remove: 14/0 grow/shrink: 10/0 up/down: 5388/0) Total: 5388 bytes
* Add AES128-GCM and AES256-GCM authenticated encryption
* Add general AES-GCM mode.
* Add [email protected] and [email protected] algo using
LibTomCrypt gcm routines.
AES-GCM is combination of AES CTR mode and GHASH, slower than AES-CTR on
CPU w/o dedicated AES/GHASH instructions therefore disabled by default.
Compiling in will add ~6kB to binary size on x86-64.
function old new delta
gcm_process - 1060 +1060
.rodata 26976 27808 +832
gcm_gf_mult - 820 +820
gcm_add_aad - 660 +660
gcm_shift_table - 512 +512
gcm_done - 471 +471
gcm_add_iv - 384 +384
gcm_init - 347 +347
dropbear_gcm_crypt - 309 +309
encrypt_packet 1068 1270 +202
decrypt_packet 756 897 +141
gcm_reset - 118 +118
read_packet 543 637 +94
read_kex_algos 792 880 +88
sshciphers 280 360 +80
gcm_mult_h - 80 +80
dropbear_gcm_start - 62 +62
dropbear_mode_gcm - 48 +48
dropbear_mode_none 24 48 +24
dropbear_mode_ctr 24 48 +24
dropbear_mode_cbc 24 48 +24
dropbear_ghash - 24 +24
dropbear_gcm_getlength - 24 +24
gen_new_keys 848 854 +6
------------------------------------------------------------------------------
(add/remove: 14/0 grow/shrink: 10/0 up/down: 6434/0) Total: 6434 bytes
| author | Vladislav Grishenko <themiron@users.noreply.github.com> |
|---|---|
| date | Mon, 25 May 2020 20:50:25 +0500 |
| parents | d32bcb5c557d |
| children |
| rev | line source |
|---|---|
| 1590 | 1 # Fuzzing Dropbear |
| 2 | |
| 3 Dropbear is process-per-session so it assumes calling `dropbear_exit()` | |
| 4 is fine at any point to clean up. This makes fuzzing a bit trickier. | |
| 5 A few pieces of wrapping infrastructure are used to work around this. | |
| 6 | |
| 7 The [libfuzzer](http://llvm.org/docs/LibFuzzer.html#fuzz-target) harness | |
| 8 expects a long running process to continually run a test function with | |
| 9 a string of crafted input. That process should not leak resources or exit. | |
| 10 | |
| 11 ## longjmp | |
| 12 | |
| 13 When dropbear runs in fuzz mode it sets up a | |
| 14 [`setjmp()`](http://man7.org/linux/man-pages/man3/setjmp.3.html) target prior | |
| 15 to launching the code to be fuzzed, and then [`dropbear_exit()`](dbutil.c#L125) | |
| 16 calls `longjmp()` back there. This avoids exiting though it doesn't free | |
| 17 memory or other resources. | |
| 18 | |
| 19 ## malloc Wrapper | |
| 20 | |
| 21 Dropbear normally uses a [`m_malloc()`](dbmalloc.c) function that is the same as `malloc()` but | |
| 22 exits if allocation fails. In fuzzing mode this is replaced with a tracking allocator | |
| 23 that stores all allocations in a linked list. After the `longjmp()` occurs the fuzzer target | |
| 24 calls [`m_malloc_free_epoch(1, 1)`](dbmalloc.c) to clean up any unreleased memory. | |
| 25 | |
| 26 If the fuzz target runs to completion it calls `m_malloc_free_epoch(1, 0)` which will reset | |
| 27 the tracked allocations but will not free memory - that allows libfuzzer's leak checking | |
| 28 to detect leaks in normal operation. | |
| 29 | |
| 30 ## File Descriptor Input | |
| 31 | |
| 32 As a network process Dropbear reads and writes from a socket. The wrappers for | |
| 33 `read()`/`write()`/`select()` in [fuzz-wrapfd.c](fuzz-wrapfd.c) will read from the | |
| 34 fuzzer input that has been set up with `wrapfd_add()`. `write()` output is | |
| 35 currently discarded. | |
| 36 These also test error paths such as EINTR and short reads with certain probabilities. | |
| 37 | |
| 38 This allows running the entire dropbear server process with network input provided by the | |
| 39 fuzzer, without many modifications to the main code. At the time of writing this | |
| 40 only runs the pre-authentication stages, though post-authentication could be run similarly. | |
| 41 | |
| 42 ## Encryption and Randomness | |
| 43 | |
| 44 When running in fuzzing mode Dropbear uses a [fixed seed](dbrandom.c#L185) | |
| 45 every time so that failures can be reproduced. | |
| 46 | |
| 47 Since the fuzzer cannot generate valid encrypted input the packet decryption and | |
| 1591 | 48 message authentication calls are disabled, see [packet.c](packet.c). |
| 1590 | 49 MAC failures are set to occur with a low probability to test that error path. |
| 50 | |
| 51 ## Fuzzers | |
| 52 | |
| 53 Current fuzzers are | |
| 54 | |
| 1591 | 55 - [fuzzer-preauth](fuzzer-preauth.c) - the fuzzer input is treated as a stream of session input. This will |
| 1590 | 56 test key exchange, packet ordering, authentication attempts etc. |
| 57 | |
| 1591 | 58 - [fuzzer-preauth_nomaths](fuzzer-preauth_nomaths.c) - the same as fuzzer-preauth but with asymmetric crypto |
| 1590 | 59 routines replaced with dummies for faster runtime. corpora are shared |
| 60 between fuzzers by [oss-fuzz](https://github.com/google/oss-fuzz) so this | |
| 61 will help fuzzer-preauth too. | |
| 62 | |
| 1591 | 63 - [fuzzer-verify](fuzzer-verify.c) - read a key and signature from fuzzer input and verify that signature. |
| 1590 | 64 It would not be expected to pass, though some keys with bad parameters are |
| 65 able to validate with a trivial signature - extra checks are added for that. | |
| 66 | |
| 1591 | 67 - [fuzzer-pubkey](fuzzer-pubkey.c) - test parsing of an `authorized_keys` line. |
| 1590 | 68 |
| 1591 | 69 - [fuzzer-kexdh](fuzzer-kexdh.c) - test Diffie-Hellman key exchange where the fuzz input is the |
| 70 ephemeral public key that would be received over the network. This is testing `mp_expt_mod()` | |
| 71 and and other libtommath routines. | |
| 1590 | 72 |
| 1591 | 73 - [fuzzer-kexecdh](fuzzer-kexecdh.c) - test Elliptic Curve Diffie-Hellman key exchange like fuzzer-kexdh. |
| 74 This is testing libtommath ECC routines. | |
|
1659
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
1591
diff
changeset
|
75 |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
1591
diff
changeset
|
76 - [fuzzer-kexcurve25519](fuzzer-kexcurve25519.c) - test Curve25519 Elliptic Curve Diffie-Hellman key exchange |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
1591
diff
changeset
|
77 like fuzzer-kexecdh. This is testing `dropbear_curve25519_scalarmult()` and other libtommath routines. |