annotate fuzz/fuzzerkexcurve25519.c @ 1774:833bf9947603
Fuzzing - get rid of "prefix" for streams
Improved packet generation with sshpacketmutator
author  Matt Johnston <matt@ucc.asn.au> 

date  Sun, 01 Nov 2020 23:44:58 +0800 
parents  0cc85b4a4abb 
children 
1 #include "fuzz.h" 
2 #include "session.h" 
3 #include "fuzzwrapfd.h" 
4 #include "debug.h" 
5 #include "runopts.h" 
6 #include "algo.h" 
7 #include "bignum.h" 
/* Key context allocated once in setup() and installed as ses.newkeys on
 * every fuzz iteration, so the algorithm lookup is not repeated per input. */
static struct key_context *keep_newkeys = NULL;

/* Size of the pregenerated curve25519 parameter pool. The value is an
 * arbitrary cap chosen for the fuzzer, not a protocol limit. */
enum { NUM_PARAMS = 80 };

/* Pool of pregenerated curve25519 parameter sets, filled in by setup(). */
static struct kex_curve25519_param *curve25519_params[NUM_PARAMS];
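/* Run as an ELF constructor so the expensive one-off work (server setup and
 * key pregeneration) happens before the fuzzer starts timing iterations. */
static void setup(void) __attribute__((constructor));

/*
 * One-time initialisation for the curve25519 KEX fuzzer.
 *
 * Sets up the common and server-side fuzz state, builds the key_context that
 * every iteration installs as ses.newkeys, and pregenerates NUM_PARAMS
 * curve25519 parameter sets so that LLVMFuzzerTestOneInput() only has to
 * pick one rather than generate a fresh key pair per input.
 *
 * No return value; any failure inside the project helpers is handled by
 * those helpers themselves.
 */
static void setup(void) {
	fuzz_common_setup();
	fuzz_svr_setup();

	/* sizeof *ptr keeps the allocation tied to the variable's type; no cast
	 * on the allocator's result (assumes m_malloc() returns void *). */
	keep_newkeys = m_malloc(sizeof *keep_newkeys);
	keep_newkeys->algo_kex = fuzz_get_algo(sshkex, "curve25519-sha256");
	keep_newkeys->algo_hostkey = DROPBEAR_SIGNKEY_ED25519;
	ses.newkeys = keep_newkeys;

	/* Pregenerate the parameter pool that each run indexes into. */
	for (int i = 0; i < NUM_PARAMS; i++) {
		curve25519_params[i] = gen_kexcurve25519_param();
	}
}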
/*
 * libFuzzer entry point: drive the server-side curve25519 key combination
 * with attacker-controlled input against a pregenerated parameter set.
 *
 * Layout of the fuzz input, as consumed below:
 *   uint32  selector for curve25519_params (reduced modulo NUM_PARAMS)
 *   string  used as the remote side's ECDH public value
 *
 * Always returns 0. A dropbear_exit() inside the exchange does not terminate
 * the process; it longjmps back to the recovery branch below, which releases
 * the allocation epoch and returns.
 */
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
	if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
		return 0;
	}

	m_malloc_set_epoch(1);

	if (setjmp(fuzz.jmp) != 0) {
		/* dropbear_exit() longjmped here: discard everything allocated in
		 * this epoch, including whatever the failing path left live. */
		m_malloc_free_epoch(1, 1);
		TRACE(("dropbear_exit longjmped"))
		return 0;
	}

	/* Based on recv_msg_kexdh_init()/send_msg_kexdh_reply()
	 * with DROPBEAR_KEX_CURVE25519 */
	ses.newkeys = keep_newkeys;

	/* Pick one of the pregenerated parameter sets; the modulo keeps any
	 * 32-bit selector value inside the pool. */
	unsigned int selector = buf_getint(fuzz.input);
	struct kex_curve25519_param *param = curve25519_params[selector % NUM_PARAMS];

	/* Remaining input becomes the peer's ECDH public value (presumably what
	 * recv_msg_kexdh_init() would read from the packet — verify). */
	buffer *peer_q = buf_getstringbuf(fuzz.input);

	ses.kexhashbuf = buf_new(KEXHASHBUF_MAX_INTS);
	kexcurve25519_comb_key(param, peer_q, svr_opts.hostkey);

	/* Release the per-iteration results so each input starts clean. */
	mp_clear(ses.dh_K);
	m_free(ses.dh_K);
	buf_free(peer_q);

	buf_free(ses.hash);
	buf_free(ses.session_id);
	/* ses.kexhashbuf is freed by kexcurve25519_comb_key(), not here. */

	m_malloc_free_epoch(1, 0);
	return 0;
}