Mercurial > dropbear
annotate fuzz/fuzz-common.c @ 1830:c32976db772f
Merge
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Mon, 11 Oct 2021 15:46:49 +0800 |
parents | 19b28d2fbe30 |
children |
rev | line source |
---|---|
1770
66b29b054896
Fix FUZZ_NO_REPLACE_STDERR for fuzz.c
Matt Johnston <matt@ucc.asn.au>
parents:
1768
diff
changeset
|
1 #define FUZZ_NO_REPLACE_STDERR |
1779
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
2 #define FUZZ_NO_REPLACE_GETPW |
1348 | 3 #include "includes.h" |
4 | |
5 #include "includes.h" | |
6 #include "dbutil.h" | |
7 #include "runopts.h" | |
1353 | 8 #include "crypto_desc.h" |
9 #include "session.h" | |
1356
3677a510f545
add wrapfd. improve fuzzer in makefile
Matt Johnston <matt@ucc.asn.au>
parents:
1353
diff
changeset
|
10 #include "dbrandom.h" |
1457 | 11 #include "bignum.h" |
1751
3b9b427925a0
Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents:
1742
diff
changeset
|
12 #include "atomicio.h" |
1356
3677a510f545
add wrapfd. improve fuzzer in makefile
Matt Johnston <matt@ucc.asn.au>
parents:
1353
diff
changeset
|
13 #include "fuzz-wrapfd.h" |
1768
096a66e45212
Fix fuzzing stderr override on os x
Matt Johnston <matt@ucc.asn.au>
parents:
1767
diff
changeset
|
14 #include "fuzz.h" |
096a66e45212
Fix fuzzing stderr override on os x
Matt Johnston <matt@ucc.asn.au>
parents:
1767
diff
changeset
|
15 |
1348 | 16 struct dropbear_fuzz_options fuzz; |
17 | |
1373
9891bc31a1b3
fuzzers disable logging by default
Matt Johnston <matt@ucc.asn.au>
parents:
1369
diff
changeset
|
18 static void fuzz_dropbear_log(int UNUSED(priority), const char* format, va_list param); |
1348 | 19 static void load_fixed_hostkeys(void); |
1751
3b9b427925a0
Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents:
1742
diff
changeset
|
20 static void load_fixed_client_key(void); |
1348 | 21 |
1758
1365661f6be6
Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents:
1757
diff
changeset
|
22 // This runs automatically before main, due to contructor attribute in fuzz.h |
1365661f6be6
Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents:
1757
diff
changeset
|
23 void fuzz_early_setup(void) { |
1365661f6be6
Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents:
1757
diff
changeset
|
24 /* Set stderr to point to normal stderr by default */ |
1768
096a66e45212
Fix fuzzing stderr override on os x
Matt Johnston <matt@ucc.asn.au>
parents:
1767
diff
changeset
|
25 fuzz.fake_stderr = stderr; |
1758
1365661f6be6
Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents:
1757
diff
changeset
|
26 } |
1365661f6be6
Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents:
1757
diff
changeset
|
27 |
1456
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
28 void fuzz_common_setup(void) { |
1741
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
29 disallow_core(); |
1348 | 30 fuzz.fuzzing = 1; |
1357 | 31 fuzz.wrapfds = 1; |
1385
6c92e97553f1
Add a flag whether to longjmp, missed that last commit
Matt Johnston <matt@ucc.asn.au>
parents:
1383
diff
changeset
|
32 fuzz.do_jmp = 1; |
1356
3677a510f545
add wrapfd. improve fuzzer in makefile
Matt Johnston <matt@ucc.asn.au>
parents:
1353
diff
changeset
|
33 fuzz.input = m_malloc(sizeof(buffer)); |
1373
9891bc31a1b3
fuzzers disable logging by default
Matt Johnston <matt@ucc.asn.au>
parents:
1369
diff
changeset
|
34 _dropbear_log = fuzz_dropbear_log; |
1350 | 35 crypto_init(); |
1757
517fb7b62438
Add some more variation to fuzzer random number generation
Matt Johnston <matt@ucc.asn.au>
parents:
1756
diff
changeset
|
36 fuzz_seed("start", 5); |
1529
66a1a2547133
The fuzzer has managed to generated DSS key/signature pairs that
Matt Johnston <matt@ucc.asn.au>
parents:
1457
diff
changeset
|
37 /* let any messages get flushed */ |
66a1a2547133
The fuzzer has managed to generated DSS key/signature pairs that
Matt Johnston <matt@ucc.asn.au>
parents:
1457
diff
changeset
|
38 setlinebuf(stdout); |
1758
1365661f6be6
Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents:
1757
diff
changeset
|
39 #if DEBUG_TRACE |
1365661f6be6
Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents:
1757
diff
changeset
|
40 if (debug_trace) |
1365661f6be6
Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents:
1757
diff
changeset
|
41 { |
1365661f6be6
Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents:
1757
diff
changeset
|
42 fprintf(stderr, "Dropbear fuzzer: -v specified, not disabling stderr output\n"); |
1365661f6be6
Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents:
1757
diff
changeset
|
43 } |
1365661f6be6
Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents:
1757
diff
changeset
|
44 else |
1365661f6be6
Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents:
1757
diff
changeset
|
45 #endif |
1767
3e1e1f82eba6
Preallocate memory for sshpacketmutator. Add fuzzer-client_mutator_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1765
diff
changeset
|
46 if (getenv("DROPBEAR_KEEP_STDERR")) { |
3e1e1f82eba6
Preallocate memory for sshpacketmutator. Add fuzzer-client_mutator_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1765
diff
changeset
|
47 fprintf(stderr, "Dropbear fuzzer: DROPBEAR_KEEP_STDERR, not disabling stderr output\n"); |
3e1e1f82eba6
Preallocate memory for sshpacketmutator. Add fuzzer-client_mutator_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1765
diff
changeset
|
48 } |
3e1e1f82eba6
Preallocate memory for sshpacketmutator. Add fuzzer-client_mutator_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1765
diff
changeset
|
49 else |
1758
1365661f6be6
Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents:
1757
diff
changeset
|
50 { |
1767
3e1e1f82eba6
Preallocate memory for sshpacketmutator. Add fuzzer-client_mutator_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1765
diff
changeset
|
51 fprintf(stderr, "Dropbear fuzzer: Disabling stderr output\n"); |
1768
096a66e45212
Fix fuzzing stderr override on os x
Matt Johnston <matt@ucc.asn.au>
parents:
1767
diff
changeset
|
52 fuzz.fake_stderr = fopen("/dev/null", "w"); |
096a66e45212
Fix fuzzing stderr override on os x
Matt Johnston <matt@ucc.asn.au>
parents:
1767
diff
changeset
|
53 assert(fuzz.fake_stderr); |
1758
1365661f6be6
Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents:
1757
diff
changeset
|
54 } |
1348 | 55 } |
56 | |
1456
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
57 int fuzz_set_input(const uint8_t *Data, size_t Size) { |
1356
3677a510f545
add wrapfd. improve fuzzer in makefile
Matt Johnston <matt@ucc.asn.au>
parents:
1353
diff
changeset
|
58 |
3677a510f545
add wrapfd. improve fuzzer in makefile
Matt Johnston <matt@ucc.asn.au>
parents:
1353
diff
changeset
|
59 fuzz.input->data = (unsigned char*)Data; |
3677a510f545
add wrapfd. improve fuzzer in makefile
Matt Johnston <matt@ucc.asn.au>
parents:
1353
diff
changeset
|
60 fuzz.input->size = Size; |
3677a510f545
add wrapfd. improve fuzzer in makefile
Matt Johnston <matt@ucc.asn.au>
parents:
1353
diff
changeset
|
61 fuzz.input->len = Size; |
3677a510f545
add wrapfd. improve fuzzer in makefile
Matt Johnston <matt@ucc.asn.au>
parents:
1353
diff
changeset
|
62 fuzz.input->pos = 0; |
3677a510f545
add wrapfd. improve fuzzer in makefile
Matt Johnston <matt@ucc.asn.au>
parents:
1353
diff
changeset
|
63 |
1358
6b89eb92f872
glaring wrapfd problems fixed
Matt Johnston <matt@ucc.asn.au>
parents:
1357
diff
changeset
|
64 memset(&ses, 0x0, sizeof(ses)); |
6b89eb92f872
glaring wrapfd problems fixed
Matt Johnston <matt@ucc.asn.au>
parents:
1357
diff
changeset
|
65 memset(&svr_ses, 0x0, sizeof(svr_ses)); |
1742
6e71440b1e47
Add fuzzer-client_nomaths, fix client fuzzer
Matt Johnston <matt@ucc.asn.au>
parents:
1741
diff
changeset
|
66 memset(&cli_ses, 0x0, sizeof(cli_ses)); |
1740
dfbe947bdf0d
Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents:
1692
diff
changeset
|
67 wrapfd_setup(fuzz.input); |
1774
833bf9947603
Fuzzing - get rid of "prefix" for streams
Matt Johnston <matt@ucc.asn.au>
parents:
1770
diff
changeset
|
68 // printhex("input", fuzz.input->data, fuzz.input->len); |
1356
3677a510f545
add wrapfd. improve fuzzer in makefile
Matt Johnston <matt@ucc.asn.au>
parents:
1353
diff
changeset
|
69 |
1757
517fb7b62438
Add some more variation to fuzzer random number generation
Matt Johnston <matt@ucc.asn.au>
parents:
1756
diff
changeset
|
70 fuzz_seed(fuzz.input->data, MIN(fuzz.input->len, 16)); |
1356
3677a510f545
add wrapfd. improve fuzzer in makefile
Matt Johnston <matt@ucc.asn.au>
parents:
1353
diff
changeset
|
71 |
3677a510f545
add wrapfd. improve fuzzer in makefile
Matt Johnston <matt@ucc.asn.au>
parents:
1353
diff
changeset
|
72 return DROPBEAR_SUCCESS; |
3677a510f545
add wrapfd. improve fuzzer in makefile
Matt Johnston <matt@ucc.asn.au>
parents:
1353
diff
changeset
|
73 } |
3677a510f545
add wrapfd. improve fuzzer in makefile
Matt Johnston <matt@ucc.asn.au>
parents:
1353
diff
changeset
|
74 |
1558
2f64cb3d3007
- #if not #ifdef for DROPBEAR_FUZZ
Matt Johnston <matt@ucc.asn.au>
parents:
1529
diff
changeset
|
75 #if DEBUG_TRACE |
1373
9891bc31a1b3
fuzzers disable logging by default
Matt Johnston <matt@ucc.asn.au>
parents:
1369
diff
changeset
|
76 static void fuzz_dropbear_log(int UNUSED(priority), const char* format, va_list param) { |
9891bc31a1b3
fuzzers disable logging by default
Matt Johnston <matt@ucc.asn.au>
parents:
1369
diff
changeset
|
77 if (debug_trace) { |
1558
2f64cb3d3007
- #if not #ifdef for DROPBEAR_FUZZ
Matt Johnston <matt@ucc.asn.au>
parents:
1529
diff
changeset
|
78 char printbuf[1024]; |
1373
9891bc31a1b3
fuzzers disable logging by default
Matt Johnston <matt@ucc.asn.au>
parents:
1369
diff
changeset
|
79 vsnprintf(printbuf, sizeof(printbuf), format, param); |
9891bc31a1b3
fuzzers disable logging by default
Matt Johnston <matt@ucc.asn.au>
parents:
1369
diff
changeset
|
80 fprintf(stderr, "%s\n", printbuf); |
9891bc31a1b3
fuzzers disable logging by default
Matt Johnston <matt@ucc.asn.au>
parents:
1369
diff
changeset
|
81 } |
9891bc31a1b3
fuzzers disable logging by default
Matt Johnston <matt@ucc.asn.au>
parents:
1369
diff
changeset
|
82 } |
1558
2f64cb3d3007
- #if not #ifdef for DROPBEAR_FUZZ
Matt Johnston <matt@ucc.asn.au>
parents:
1529
diff
changeset
|
83 #else |
2f64cb3d3007
- #if not #ifdef for DROPBEAR_FUZZ
Matt Johnston <matt@ucc.asn.au>
parents:
1529
diff
changeset
|
84 static void fuzz_dropbear_log(int UNUSED(priority), const char* UNUSED(format), va_list UNUSED(param)) { |
2f64cb3d3007
- #if not #ifdef for DROPBEAR_FUZZ
Matt Johnston <matt@ucc.asn.au>
parents:
1529
diff
changeset
|
85 /* No print */ |
2f64cb3d3007
- #if not #ifdef for DROPBEAR_FUZZ
Matt Johnston <matt@ucc.asn.au>
parents:
1529
diff
changeset
|
86 } |
2f64cb3d3007
- #if not #ifdef for DROPBEAR_FUZZ
Matt Johnston <matt@ucc.asn.au>
parents:
1529
diff
changeset
|
87 #endif /* DEBUG_TRACE */ |
1356
3677a510f545
add wrapfd. improve fuzzer in makefile
Matt Johnston <matt@ucc.asn.au>
parents:
1353
diff
changeset
|
88 |
1456
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
89 void fuzz_svr_setup(void) { |
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
90 fuzz_common_setup(); |
1353 | 91 |
92 _dropbear_exit = svr_dropbear_exit; | |
1348 | 93 |
94 char *argv[] = { | |
1742
6e71440b1e47
Add fuzzer-client_nomaths, fix client fuzzer
Matt Johnston <matt@ucc.asn.au>
parents:
1741
diff
changeset
|
95 "dropbear", |
1348 | 96 "-E", |
97 }; | |
98 | |
99 int argc = sizeof(argv) / sizeof(*argv); | |
100 svr_getopts(argc, argv); | |
101 | |
102 load_fixed_hostkeys(); | |
103 } | |
104 | |
1782
a6da10ac64b5
fuzz: make postauth set authdone properly
Matt Johnston <matt@ucc.asn.au>
parents:
1780
diff
changeset
|
105 void fuzz_svr_hook_preloop() { |
a6da10ac64b5
fuzz: make postauth set authdone properly
Matt Johnston <matt@ucc.asn.au>
parents:
1780
diff
changeset
|
106 if (fuzz.svr_postauth) { |
a6da10ac64b5
fuzz: make postauth set authdone properly
Matt Johnston <matt@ucc.asn.au>
parents:
1780
diff
changeset
|
107 ses.authstate.authdone = 1; |
a6da10ac64b5
fuzz: make postauth set authdone properly
Matt Johnston <matt@ucc.asn.au>
parents:
1780
diff
changeset
|
108 fill_passwd("root"); |
a6da10ac64b5
fuzz: make postauth set authdone properly
Matt Johnston <matt@ucc.asn.au>
parents:
1780
diff
changeset
|
109 } |
a6da10ac64b5
fuzz: make postauth set authdone properly
Matt Johnston <matt@ucc.asn.au>
parents:
1780
diff
changeset
|
110 } |
a6da10ac64b5
fuzz: make postauth set authdone properly
Matt Johnston <matt@ucc.asn.au>
parents:
1780
diff
changeset
|
111 |
1740
dfbe947bdf0d
Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents:
1692
diff
changeset
|
112 void fuzz_cli_setup(void) { |
dfbe947bdf0d
Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents:
1692
diff
changeset
|
113 fuzz_common_setup(); |
dfbe947bdf0d
Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents:
1692
diff
changeset
|
114 |
1741
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
115 _dropbear_exit = cli_dropbear_exit; |
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
116 _dropbear_log = cli_dropbear_log; |
1740
dfbe947bdf0d
Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents:
1692
diff
changeset
|
117 |
dfbe947bdf0d
Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents:
1692
diff
changeset
|
118 char *argv[] = { |
1742
6e71440b1e47
Add fuzzer-client_nomaths, fix client fuzzer
Matt Johnston <matt@ucc.asn.au>
parents:
1741
diff
changeset
|
119 "dbclient", |
1741
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
120 "-y", |
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
121 "localhost", |
1751
3b9b427925a0
Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents:
1742
diff
changeset
|
122 "uptime" |
1740
dfbe947bdf0d
Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents:
1692
diff
changeset
|
123 }; |
dfbe947bdf0d
Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents:
1692
diff
changeset
|
124 |
dfbe947bdf0d
Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents:
1692
diff
changeset
|
125 int argc = sizeof(argv) / sizeof(*argv); |
dfbe947bdf0d
Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents:
1692
diff
changeset
|
126 cli_getopts(argc, argv); |
1751
3b9b427925a0
Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents:
1742
diff
changeset
|
127 |
3b9b427925a0
Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents:
1742
diff
changeset
|
128 load_fixed_client_key(); |
3b9b427925a0
Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents:
1742
diff
changeset
|
129 /* Avoid password prompt */ |
3b9b427925a0
Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents:
1742
diff
changeset
|
130 setenv(DROPBEAR_PASSWORD_ENV, "password", 1); |
3b9b427925a0
Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents:
1742
diff
changeset
|
131 } |
3b9b427925a0
Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents:
1742
diff
changeset
|
132 |
3b9b427925a0
Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents:
1742
diff
changeset
|
133 #include "fuzz-hostkeys.c" |
3b9b427925a0
Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents:
1742
diff
changeset
|
134 |
3b9b427925a0
Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents:
1742
diff
changeset
|
135 static void load_fixed_client_key(void) { |
3b9b427925a0
Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents:
1742
diff
changeset
|
136 |
3b9b427925a0
Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents:
1742
diff
changeset
|
137 buffer *b = buf_new(3000); |
3b9b427925a0
Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents:
1742
diff
changeset
|
138 sign_key *key; |
3b9b427925a0
Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents:
1742
diff
changeset
|
139 enum signkey_type keytype; |
3b9b427925a0
Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents:
1742
diff
changeset
|
140 |
3b9b427925a0
Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents:
1742
diff
changeset
|
141 key = new_sign_key(); |
3b9b427925a0
Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents:
1742
diff
changeset
|
142 keytype = DROPBEAR_SIGNKEY_ANY; |
3b9b427925a0
Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents:
1742
diff
changeset
|
143 buf_putbytes(b, keyed25519, keyed25519_len); |
3b9b427925a0
Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents:
1742
diff
changeset
|
144 buf_setpos(b, 0); |
3b9b427925a0
Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents:
1742
diff
changeset
|
145 if (buf_get_priv_key(b, key, &keytype) == DROPBEAR_FAILURE) { |
3b9b427925a0
Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents:
1742
diff
changeset
|
146 dropbear_exit("failed fixed ed25519 hostkey"); |
3b9b427925a0
Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents:
1742
diff
changeset
|
147 } |
3b9b427925a0
Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents:
1742
diff
changeset
|
148 list_append(cli_opts.privkeys, key); |
3b9b427925a0
Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents:
1742
diff
changeset
|
149 |
3b9b427925a0
Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents:
1742
diff
changeset
|
150 buf_free(b); |
1740
dfbe947bdf0d
Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents:
1692
diff
changeset
|
151 } |
dfbe947bdf0d
Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents:
1692
diff
changeset
|
152 |
1348 | 153 static void load_fixed_hostkeys(void) { |
154 | |
155 buffer *b = buf_new(3000); | |
156 enum signkey_type type; | |
157 | |
158 TRACE(("load fixed hostkeys")) | |
159 | |
160 svr_opts.hostkey = new_sign_key(); | |
161 | |
162 buf_setlen(b, 0); | |
163 buf_putbytes(b, keyr, keyr_len); | |
164 buf_setpos(b, 0); | |
165 type = DROPBEAR_SIGNKEY_RSA; | |
166 if (buf_get_priv_key(b, svr_opts.hostkey, &type) == DROPBEAR_FAILURE) { | |
167 dropbear_exit("failed fixed rsa hostkey"); | |
168 } | |
169 | |
170 buf_setlen(b, 0); | |
171 buf_putbytes(b, keyd, keyd_len); | |
172 buf_setpos(b, 0); | |
173 type = DROPBEAR_SIGNKEY_DSS; | |
174 if (buf_get_priv_key(b, svr_opts.hostkey, &type) == DROPBEAR_FAILURE) { | |
175 dropbear_exit("failed fixed dss hostkey"); | |
176 } | |
177 | |
178 buf_setlen(b, 0); | |
179 buf_putbytes(b, keye, keye_len); | |
180 buf_setpos(b, 0); | |
181 type = DROPBEAR_SIGNKEY_ECDSA_NISTP256; | |
182 if (buf_get_priv_key(b, svr_opts.hostkey, &type) == DROPBEAR_FAILURE) { | |
183 dropbear_exit("failed fixed ecdsa hostkey"); | |
184 } | |
185 | |
1659
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
1589
diff
changeset
|
186 buf_setlen(b, 0); |
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
1589
diff
changeset
|
187 buf_putbytes(b, keyed25519, keyed25519_len); |
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
1589
diff
changeset
|
188 buf_setpos(b, 0); |
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
1589
diff
changeset
|
189 type = DROPBEAR_SIGNKEY_ED25519; |
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
1589
diff
changeset
|
190 if (buf_get_priv_key(b, svr_opts.hostkey, &type) == DROPBEAR_FAILURE) { |
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
1589
diff
changeset
|
191 dropbear_exit("failed fixed ed25519 hostkey"); |
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
1589
diff
changeset
|
192 } |
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
1589
diff
changeset
|
193 |
1348 | 194 buf_free(b); |
195 } | |
196 | |
1357 | 197 void fuzz_kex_fakealgos(void) { |
198 ses.newkeys->recv.crypt_mode = &dropbear_mode_none; | |
1774
833bf9947603
Fuzzing - get rid of "prefix" for streams
Matt Johnston <matt@ucc.asn.au>
parents:
1770
diff
changeset
|
199 ses.newkeys->recv.algo_mac = &dropbear_nohash; |
1357 | 200 } |
1383
f03cfe9c76ac
Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents:
1377
diff
changeset
|
201 |
f03cfe9c76ac
Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents:
1377
diff
changeset
|
202 void fuzz_get_socket_address(int UNUSED(fd), char **local_host, char **local_port, |
f03cfe9c76ac
Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents:
1377
diff
changeset
|
203 char **remote_host, char **remote_port, int UNUSED(host_lookup)) { |
f03cfe9c76ac
Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents:
1377
diff
changeset
|
204 if (local_host) { |
f03cfe9c76ac
Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents:
1377
diff
changeset
|
205 *local_host = m_strdup("fuzzlocalhost"); |
f03cfe9c76ac
Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents:
1377
diff
changeset
|
206 } |
f03cfe9c76ac
Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents:
1377
diff
changeset
|
207 if (local_port) { |
f03cfe9c76ac
Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents:
1377
diff
changeset
|
208 *local_port = m_strdup("1234"); |
f03cfe9c76ac
Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents:
1377
diff
changeset
|
209 } |
f03cfe9c76ac
Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents:
1377
diff
changeset
|
210 if (remote_host) { |
f03cfe9c76ac
Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents:
1377
diff
changeset
|
211 *remote_host = m_strdup("fuzzremotehost"); |
f03cfe9c76ac
Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents:
1377
diff
changeset
|
212 } |
f03cfe9c76ac
Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents:
1377
diff
changeset
|
213 if (remote_port) { |
f03cfe9c76ac
Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents:
1377
diff
changeset
|
214 *remote_port = m_strdup("9876"); |
f03cfe9c76ac
Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents:
1377
diff
changeset
|
215 } |
f03cfe9c76ac
Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents:
1377
diff
changeset
|
216 } |
1456
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
217 |
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
218 /* cut down version of svr_send_msg_kexdh_reply() that skips slow maths. Still populates structures */ |
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
219 void fuzz_fake_send_kexdh_reply(void) { |
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
220 assert(!ses.dh_K); |
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
221 m_mp_alloc_init_multi(&ses.dh_K, NULL); |
1692
1051e4eea25a
Update LibTomMath to 1.2.0 (#84)
Steffen Jaeckel <s@jaeckel.eu>
parents:
1659
diff
changeset
|
222 mp_set_ul(ses.dh_K, 12345678uL); |
1456
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
223 finish_kexhashbuf(); |
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
224 } |
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
225 |
1740
dfbe947bdf0d
Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents:
1692
diff
changeset
|
226 /* fake version of spawn_command() */ |
dfbe947bdf0d
Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents:
1692
diff
changeset
|
227 int fuzz_spawn_command(int *ret_writefd, int *ret_readfd, int *ret_errfd, pid_t *ret_pid) { |
1777
97ad26e397a5
Add server postauth fuzzer, wrap connect_remote()
Matt Johnston <matt@ucc.asn.au>
parents:
1775
diff
changeset
|
228 *ret_writefd = wrapfd_new_dummy(); |
97ad26e397a5
Add server postauth fuzzer, wrap connect_remote()
Matt Johnston <matt@ucc.asn.au>
parents:
1775
diff
changeset
|
229 *ret_readfd = wrapfd_new_dummy(); |
1740
dfbe947bdf0d
Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents:
1692
diff
changeset
|
230 if (ret_errfd) { |
1777
97ad26e397a5
Add server postauth fuzzer, wrap connect_remote()
Matt Johnston <matt@ucc.asn.au>
parents:
1775
diff
changeset
|
231 *ret_errfd = wrapfd_new_dummy(); |
1740
dfbe947bdf0d
Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents:
1692
diff
changeset
|
232 } |
1802
19b28d2fbe30
fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents:
1801
diff
changeset
|
233 if (*ret_writefd == -1 || *ret_readfd == -1 || (ret_errfd && *ret_errfd == -1)) { |
19b28d2fbe30
fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents:
1801
diff
changeset
|
234 m_close(*ret_writefd); |
19b28d2fbe30
fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents:
1801
diff
changeset
|
235 m_close(*ret_readfd); |
19b28d2fbe30
fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents:
1801
diff
changeset
|
236 if (ret_errfd) { |
19b28d2fbe30
fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents:
1801
diff
changeset
|
237 m_close(*ret_errfd); |
19b28d2fbe30
fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents:
1801
diff
changeset
|
238 } |
19b28d2fbe30
fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents:
1801
diff
changeset
|
239 return DROPBEAR_FAILURE; |
19b28d2fbe30
fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents:
1801
diff
changeset
|
240 } else { |
19b28d2fbe30
fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents:
1801
diff
changeset
|
241 *ret_pid = 999; |
19b28d2fbe30
fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents:
1801
diff
changeset
|
242 return DROPBEAR_SUCCESS; |
19b28d2fbe30
fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents:
1801
diff
changeset
|
243 |
19b28d2fbe30
fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents:
1801
diff
changeset
|
244 } |
1740
dfbe947bdf0d
Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents:
1692
diff
changeset
|
245 } |
dfbe947bdf0d
Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents:
1692
diff
changeset
|
246 |
1786
a3b39df57c8b
fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents:
1785
diff
changeset
|
247 /* Fake dropbear_listen, always returns failure for now. |
a3b39df57c8b
fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents:
1785
diff
changeset
|
248 TODO make it sometimes return success with wrapfd_new_dummy() sockets. |
a3b39df57c8b
fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents:
1785
diff
changeset
|
249 Making the listeners fake a new incoming connection will be harder. */ |
a3b39df57c8b
fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents:
1785
diff
changeset
|
250 /* Listen on address:port. |
a3b39df57c8b
fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents:
1785
diff
changeset
|
251 * Special cases are address of "" listening on everything, |
a3b39df57c8b
fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents:
1785
diff
changeset
|
252 * and address of NULL listening on localhost only. |
a3b39df57c8b
fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents:
1785
diff
changeset
|
253 * Returns the number of sockets bound on success, or -1 on failure. On |
a3b39df57c8b
fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents:
1785
diff
changeset
|
254 * failure, if errstring wasn't NULL, it'll be a newly malloced error |
a3b39df57c8b
fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents:
1785
diff
changeset
|
255 * string.*/ |
a3b39df57c8b
fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents:
1785
diff
changeset
|
256 int fuzz_dropbear_listen(const char* UNUSED(address), const char* UNUSED(port), |
a3b39df57c8b
fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents:
1785
diff
changeset
|
257 int *UNUSED(socks), unsigned int UNUSED(sockcount), char **errstring, int *UNUSED(maxfd)) { |
a3b39df57c8b
fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents:
1785
diff
changeset
|
258 if (errstring) { |
a3b39df57c8b
fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents:
1785
diff
changeset
|
259 *errstring = m_strdup("fuzzing can't listen (yet)"); |
a3b39df57c8b
fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents:
1785
diff
changeset
|
260 } |
a3b39df57c8b
fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents:
1785
diff
changeset
|
261 return -1; |
a3b39df57c8b
fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents:
1785
diff
changeset
|
262 } |
a3b39df57c8b
fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents:
1785
diff
changeset
|
263 |
1782
a6da10ac64b5
fuzz: make postauth set authdone properly
Matt Johnston <matt@ucc.asn.au>
parents:
1780
diff
changeset
|
264 int fuzz_run_server(const uint8_t *Data, size_t Size, int skip_kexmaths, int postauth) { |
1456
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
265 static int once = 0; |
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
266 if (!once) { |
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
267 fuzz_svr_setup(); |
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
268 fuzz.skip_kexmaths = skip_kexmaths; |
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
269 once = 1; |
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
270 } |
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
271 |
1782
a6da10ac64b5
fuzz: make postauth set authdone properly
Matt Johnston <matt@ucc.asn.au>
parents:
1780
diff
changeset
|
272 fuzz.svr_postauth = postauth; |
a6da10ac64b5
fuzz: make postauth set authdone properly
Matt Johnston <matt@ucc.asn.au>
parents:
1780
diff
changeset
|
273 |
1456
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
274 if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) { |
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
275 return 0; |
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
276 } |
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
277 |
1774
833bf9947603
Fuzzing - get rid of "prefix" for streams
Matt Johnston <matt@ucc.asn.au>
parents:
1770
diff
changeset
|
278 uint32_t wrapseed; |
1775
8179eabe16c9
fuzzing - fix some wrong types and -lcrypt on macos
Matt Johnston <matt@ucc.asn.au>
parents:
1774
diff
changeset
|
279 genrandom((void*)&wrapseed, sizeof(wrapseed)); |
1456
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
280 wrapfd_setseed(wrapseed); |
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
281 |
1777
97ad26e397a5
Add server postauth fuzzer, wrap connect_remote()
Matt Johnston <matt@ucc.asn.au>
parents:
1775
diff
changeset
|
282 int fakesock = wrapfd_new_fuzzinput(); |
97ad26e397a5
Add server postauth fuzzer, wrap connect_remote()
Matt Johnston <matt@ucc.asn.au>
parents:
1775
diff
changeset
|
283 |
1456
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
284 m_malloc_set_epoch(1); |
1760
2406a9987810
Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents:
1758
diff
changeset
|
285 fuzz.do_jmp = 1; |
1456
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
286 if (setjmp(fuzz.jmp) == 0) { |
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
287 svr_session(fakesock, fakesock); |
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
288 m_malloc_free_epoch(1, 0); |
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
289 } else { |
1760
2406a9987810
Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents:
1758
diff
changeset
|
290 fuzz.do_jmp = 0; |
1456
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
291 m_malloc_free_epoch(1, 1); |
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
292 TRACE(("dropbear_exit longjmped")) |
1559
92c93b4a3646
Fix to be able to compile normal(ish) binaries with --enable-fuzz
Matt Johnston <matt@ucc.asn.au>
parents:
1558
diff
changeset
|
293 /* dropbear_exit jumped here */ |
1456
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
294 } |
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
295 |
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
296 return 0; |
a90fdd2d2ed8
add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1386
diff
changeset
|
297 } |
1589
35af85194268
Add kexdh and kexecdh fuzzers
Matt Johnston <matt@ucc.asn.au>
parents:
1559
diff
changeset
|
298 |
1741
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
299 int fuzz_run_client(const uint8_t *Data, size_t Size, int skip_kexmaths) { |
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
300 static int once = 0; |
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
301 if (!once) { |
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
302 fuzz_cli_setup(); |
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
303 fuzz.skip_kexmaths = skip_kexmaths; |
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
304 once = 1; |
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
305 } |
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
306 |
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
307 if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) { |
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
308 return 0; |
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
309 } |
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
310 |
1774
833bf9947603
Fuzzing - get rid of "prefix" for streams
Matt Johnston <matt@ucc.asn.au>
parents:
1770
diff
changeset
|
311 // Allow to proceed sooner |
833bf9947603
Fuzzing - get rid of "prefix" for streams
Matt Johnston <matt@ucc.asn.au>
parents:
1770
diff
changeset
|
312 ses.kexstate.donefirstkex = 1; |
1741
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
313 |
1774
833bf9947603
Fuzzing - get rid of "prefix" for streams
Matt Johnston <matt@ucc.asn.au>
parents:
1770
diff
changeset
|
314 uint32_t wrapseed; |
1775
8179eabe16c9
fuzzing - fix some wrong types and -lcrypt on macos
Matt Johnston <matt@ucc.asn.au>
parents:
1774
diff
changeset
|
315 genrandom((void*)&wrapseed, sizeof(wrapseed)); |
1741
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
316 wrapfd_setseed(wrapseed); |
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
317 |
1777
97ad26e397a5
Add server postauth fuzzer, wrap connect_remote()
Matt Johnston <matt@ucc.asn.au>
parents:
1775
diff
changeset
|
318 int fakesock = wrapfd_new_fuzzinput(); |
1741
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
319 |
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
320 m_malloc_set_epoch(1); |
1760
2406a9987810
Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents:
1758
diff
changeset
|
321 fuzz.do_jmp = 1; |
1741
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
322 if (setjmp(fuzz.jmp) == 0) { |
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
323 cli_session(fakesock, fakesock, NULL, 0); |
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
324 m_malloc_free_epoch(1, 0); |
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
325 } else { |
1760
2406a9987810
Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents:
1758
diff
changeset
|
326 fuzz.do_jmp = 0; |
1741
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
327 m_malloc_free_epoch(1, 1); |
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
328 TRACE(("dropbear_exit longjmped")) |
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
329 /* dropbear_exit jumped here */ |
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
330 } |
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
331 |
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
332 return 0; |
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
333 } |
d1b279aa5ed1
Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents:
1740
diff
changeset
|
334 |
1589
35af85194268
Add kexdh and kexecdh fuzzers
Matt Johnston <matt@ucc.asn.au>
parents:
1559
diff
changeset
|
335 const void* fuzz_get_algo(const algo_type *algos, const char* name) { |
35af85194268
Add kexdh and kexecdh fuzzers
Matt Johnston <matt@ucc.asn.au>
parents:
1559
diff
changeset
|
336 const algo_type *t; |
35af85194268
Add kexdh and kexecdh fuzzers
Matt Johnston <matt@ucc.asn.au>
parents:
1559
diff
changeset
|
337 for (t = algos; t->name; t++) { |
35af85194268
Add kexdh and kexecdh fuzzers
Matt Johnston <matt@ucc.asn.au>
parents:
1559
diff
changeset
|
338 if (strcmp(t->name, name) == 0) { |
35af85194268
Add kexdh and kexecdh fuzzers
Matt Johnston <matt@ucc.asn.au>
parents:
1559
diff
changeset
|
339 return t->data; |
35af85194268
Add kexdh and kexecdh fuzzers
Matt Johnston <matt@ucc.asn.au>
parents:
1559
diff
changeset
|
340 } |
35af85194268
Add kexdh and kexecdh fuzzers
Matt Johnston <matt@ucc.asn.au>
parents:
1559
diff
changeset
|
341 } |
35af85194268
Add kexdh and kexecdh fuzzers
Matt Johnston <matt@ucc.asn.au>
parents:
1559
diff
changeset
|
342 assert(0); |
35af85194268
Add kexdh and kexecdh fuzzers
Matt Johnston <matt@ucc.asn.au>
parents:
1559
diff
changeset
|
343 } |
1751
3b9b427925a0
Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents:
1742
diff
changeset
|
344 |
3b9b427925a0
Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents:
1742
diff
changeset
|
345 void fuzz_dump(const unsigned char* data, size_t len) { |
3b9b427925a0
Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents:
1742
diff
changeset
|
346 if (fuzz.dumping) { |
1799
8df3d6aa5f23
fuzz: avoid extraneous printing
Matt Johnston <matt@ucc.asn.au>
parents:
1786
diff
changeset
|
347 TRACE(("dump %zu", len)) |
1751
3b9b427925a0
Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents:
1742
diff
changeset
|
348 assert(atomicio(vwrite, fuzz.recv_dumpfd, (void*)data, len) == len); |
3b9b427925a0
Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents:
1742
diff
changeset
|
349 } |
3b9b427925a0
Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents:
1742
diff
changeset
|
350 } |
1779
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
351 |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
352 static struct passwd pwd_root = { |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
353 .pw_name = "root", |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
354 .pw_passwd = "!", |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
355 .pw_uid = 0, |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
356 .pw_gid = 0, |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
357 .pw_dir = "/root", |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
358 .pw_shell = "/bin/sh", |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
359 }; |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
360 |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
361 static struct passwd pwd_other = { |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
362 .pw_name = "other", |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
363 .pw_passwd = "!", |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
364 .pw_uid = 100, |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
365 .pw_gid = 100, |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
366 .pw_dir = "/home/other", |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
367 .pw_shell = "/bin/sh", |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
368 }; |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
369 |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
370 |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
371 /* oss-fuzz runs fuzzers under minijail, without /etc/passwd. |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
372 We provide sufficient values for the fuzzers to run */ |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
373 struct passwd* fuzz_getpwnam(const char *login) { |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
374 if (!fuzz.fuzzing) { |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
375 return getpwnam(login); |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
376 } |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
377 if (strcmp(login, pwd_other.pw_name) == 0) { |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
378 return &pwd_other; |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
379 } |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
380 if (strcmp(login, pwd_root.pw_name) == 0) { |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
381 return &pwd_root; |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
382 } |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
383 return NULL; |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
384 } |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
385 |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
386 struct passwd* fuzz_getpwuid(uid_t uid) { |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
387 if (!fuzz.fuzzing) { |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
388 return getpwuid(uid); |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
389 } |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
390 if (uid == pwd_other.pw_uid) { |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
391 return &pwd_other; |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
392 } |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
393 if (uid == pwd_root.pw_uid) { |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
394 return &pwd_root; |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
395 } |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
396 return NULL; |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
397 } |
36d4c027cba7
fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents:
1778
diff
changeset
|
398 |