annotate fuzz/fuzzerkexcurve25519.c @ 1774:833bf9947603
Fuzzing  get rid of "prefix" for streams
Improved packet generation with sshpacketmutator
author  Matt Johnston <matt@ucc.asn.au> 

date  Sun, 01 Nov 2020 23:44:58 +0800 
parents  0cc85b4a4abb 
children 

1 #include "fuzz.h" 
2 #include "session.h" 
3 #include "fuzzwrapfd.h" 
4 #include "debug.h" 
5 #include "runopts.h" 
6 #include "algo.h" 
7 #include "bignum.h" 
/* Key context installed as ses.newkeys before every run; allocated once in setup() */
static struct key_context* keep_newkeys = NULL;
/* An arbitrary limit on the size of the pregenerated parameter pool */
enum { NUM_PARAMS = 80 };
/* Pool of pregenerated curve25519 KEX parameters, filled in setup() and
 * indexed modulo NUM_PARAMS from the fuzz input */
static struct kex_curve25519_param *curve25519_params[NUM_PARAMS];
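static void setup(void) __attribute__((constructor));
// Perform initial setup here to avoid hitting timeouts on first run.
// Runs once at load time (constructor attribute): initialises the common and
// server fuzz state, builds the key context that every iteration installs as
// ses.newkeys, and pregenerates the curve25519 parameter pool so that no
// individual fuzz run pays for parameter generation.
static void setup(void) {
	fuzz_common_setup();
	fuzz_svr_setup();

	/* sizeof on the object rather than the type, no cast on the allocator */
	keep_newkeys = m_malloc(sizeof *keep_newkeys);
	keep_newkeys->algo_kex = fuzz_get_algo(sshkex, "curve25519sha256");
	keep_newkeys->algo_hostkey = DROPBEAR_SIGNKEY_ED25519;
	ses.newkeys = keep_newkeys;

	/* Pregenerate parameters */
	for (int i = 0; i < NUM_PARAMS; i++) {
		curve25519_params[i] = gen_kexcurve25519_param();
	}
}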
/* One fuzz iteration: replays the server side of a curve25519 key exchange
 * (based on recv_msg_kexdh_init()/send_msg_kexdh_reply() with
 * DROPBEAR_KEX_CURVE25519) against the current fuzz input, then releases the
 * per-run state the exchange produced. Must be called inside the setjmp()
 * frame set up by the caller so that a dropbear_exit() during the exchange
 * longjmps back out. */
static void run_one_kex(void) {
	ses.newkeys = keep_newkeys;

	/* Choose from the collection of curve25519 params. The modulo keeps the
	 * input-controlled index inside the pool regardless of its value. */
	unsigned int idx = buf_getint(fuzz.input);
	struct kex_curve25519_param *param = curve25519_params[idx % NUM_PARAMS];

	/* The peer's public value is taken straight from the fuzz input */
	buffer *ecdh_qs = buf_getstringbuf(fuzz.input);

	ses.kexhashbuf = buf_new(KEXHASHBUF_MAX_INTS);
	kexcurve25519_comb_key(param, ecdh_qs, svr_opts.hostkey);

	mp_clear(ses.dh_K);
	m_free(ses.dh_K);
	buf_free(ecdh_qs);

	buf_free(ses.hash);
	buf_free(ses.session_id);
	/* ses.kexhashbuf is deliberately not freed here; the original harness
	 * notes it is freed in kexdh_comb_key (presumably the comb_key path
	 * called above does the same — confirm against the kex code) */
}

/* libFuzzer entry point. Data/Size is the fuzzer-supplied input; always
 * returns 0. Allocations made during the run are tagged with malloc epoch 1
 * so they can be released together whether the exchange completes or is
 * aborted by dropbear_exit(); the second argument to m_malloc_free_epoch
 * differs between the two paths (0 on success, 1 after a longjmp). */
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
	if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
		return 0;
	}

	m_malloc_set_epoch(1);

	if (setjmp(fuzz.jmp) != 0) {
		/* dropbear_exit jumped here */
		m_malloc_free_epoch(1, 1);
		TRACE(("dropbear_exit longjmped"))
		return 0;
	}

	run_one_kex();
	m_malloc_free_epoch(1, 0);

	return 0;
}
69 } 