annotate fuzz/fuzz-common.c @ 1830:c32976db772f

Merge
author Matt Johnston <matt@ucc.asn.au>
date Mon, 11 Oct 2021 15:46:49 +0800
parents 19b28d2fbe30
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1770
66b29b054896 Fix FUZZ_NO_REPLACE_STDERR for fuzz.c
Matt Johnston <matt@ucc.asn.au>
parents: 1768
diff changeset
1 #define FUZZ_NO_REPLACE_STDERR
1779
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
2 #define FUZZ_NO_REPLACE_GETPW
1348
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
3 #include "includes.h"
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
4
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
5 #include "includes.h"
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
6 #include "dbutil.h"
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
7 #include "runopts.h"
1353
f3c8975de38e setup svr_dropbear_exit
Matt Johnston <matt@ucc.asn.au>
parents: 1350
diff changeset
8 #include "crypto_desc.h"
f3c8975de38e setup svr_dropbear_exit
Matt Johnston <matt@ucc.asn.au>
parents: 1350
diff changeset
9 #include "session.h"
1356
3677a510f545 add wrapfd. improve fuzzer in makefile
Matt Johnston <matt@ucc.asn.au>
parents: 1353
diff changeset
10 #include "dbrandom.h"
1457
32f990cc96b1 fix bad assertion
Matt Johnston <matt@ucc.asn.au>
parents: 1456
diff changeset
11 #include "bignum.h"
1751
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1742
diff changeset
12 #include "atomicio.h"
1356
3677a510f545 add wrapfd. improve fuzzer in makefile
Matt Johnston <matt@ucc.asn.au>
parents: 1353
diff changeset
13 #include "fuzz-wrapfd.h"
1768
096a66e45212 Fix fuzzing stderr override on os x
Matt Johnston <matt@ucc.asn.au>
parents: 1767
diff changeset
14 #include "fuzz.h"
096a66e45212 Fix fuzzing stderr override on os x
Matt Johnston <matt@ucc.asn.au>
parents: 1767
diff changeset
15
1348
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
16 struct dropbear_fuzz_options fuzz;
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
17
1373
9891bc31a1b3 fuzzers disable logging by default
Matt Johnston <matt@ucc.asn.au>
parents: 1369
diff changeset
18 static void fuzz_dropbear_log(int UNUSED(priority), const char* format, va_list param);
1348
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
19 static void load_fixed_hostkeys(void);
1751
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1742
diff changeset
20 static void load_fixed_client_key(void);
1348
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
21
1758
1365661f6be6 Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents: 1757
diff changeset
22 // This runs automatically before main, due to contructor attribute in fuzz.h
1365661f6be6 Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents: 1757
diff changeset
23 void fuzz_early_setup(void) {
1365661f6be6 Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents: 1757
diff changeset
24 /* Set stderr to point to normal stderr by default */
1768
096a66e45212 Fix fuzzing stderr override on os x
Matt Johnston <matt@ucc.asn.au>
parents: 1767
diff changeset
25 fuzz.fake_stderr = stderr;
1758
1365661f6be6 Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents: 1757
diff changeset
26 }
1365661f6be6 Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents: 1757
diff changeset
27
1456
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
28 void fuzz_common_setup(void) {
1741
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
29 disallow_core();
1348
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
30 fuzz.fuzzing = 1;
1357
08f4fa4dc6a0 closer to working
Matt Johnston <matt@ucc.asn.au>
parents: 1356
diff changeset
31 fuzz.wrapfds = 1;
1385
6c92e97553f1 Add a flag whether to longjmp, missed that last commit
Matt Johnston <matt@ucc.asn.au>
parents: 1383
diff changeset
32 fuzz.do_jmp = 1;
1356
3677a510f545 add wrapfd. improve fuzzer in makefile
Matt Johnston <matt@ucc.asn.au>
parents: 1353
diff changeset
33 fuzz.input = m_malloc(sizeof(buffer));
1373
9891bc31a1b3 fuzzers disable logging by default
Matt Johnston <matt@ucc.asn.au>
parents: 1369
diff changeset
34 _dropbear_log = fuzz_dropbear_log;
1350
2722f2347a48 crypto_init()
Matt Johnston <matt@ucc.asn.au>
parents: 1348
diff changeset
35 crypto_init();
1757
517fb7b62438 Add some more variation to fuzzer random number generation
Matt Johnston <matt@ucc.asn.au>
parents: 1756
diff changeset
36 fuzz_seed("start", 5);
1529
66a1a2547133 The fuzzer has managed to generated DSS key/signature pairs that
Matt Johnston <matt@ucc.asn.au>
parents: 1457
diff changeset
37 /* let any messages get flushed */
66a1a2547133 The fuzzer has managed to generated DSS key/signature pairs that
Matt Johnston <matt@ucc.asn.au>
parents: 1457
diff changeset
38 setlinebuf(stdout);
1758
1365661f6be6 Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents: 1757
diff changeset
39 #if DEBUG_TRACE
1365661f6be6 Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents: 1757
diff changeset
40 if (debug_trace)
1365661f6be6 Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents: 1757
diff changeset
41 {
1365661f6be6 Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents: 1757
diff changeset
42 fprintf(stderr, "Dropbear fuzzer: -v specified, not disabling stderr output\n");
1365661f6be6 Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents: 1757
diff changeset
43 }
1365661f6be6 Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents: 1757
diff changeset
44 else
1365661f6be6 Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents: 1757
diff changeset
45 #endif
1767
3e1e1f82eba6 Preallocate memory for sshpacketmutator. Add fuzzer-client_mutator_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1765
diff changeset
46 if (getenv("DROPBEAR_KEEP_STDERR")) {
3e1e1f82eba6 Preallocate memory for sshpacketmutator. Add fuzzer-client_mutator_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1765
diff changeset
47 fprintf(stderr, "Dropbear fuzzer: DROPBEAR_KEEP_STDERR, not disabling stderr output\n");
3e1e1f82eba6 Preallocate memory for sshpacketmutator. Add fuzzer-client_mutator_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1765
diff changeset
48 }
3e1e1f82eba6 Preallocate memory for sshpacketmutator. Add fuzzer-client_mutator_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1765
diff changeset
49 else
1758
1365661f6be6 Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents: 1757
diff changeset
50 {
1767
3e1e1f82eba6 Preallocate memory for sshpacketmutator. Add fuzzer-client_mutator_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1765
diff changeset
51 fprintf(stderr, "Dropbear fuzzer: Disabling stderr output\n");
1768
096a66e45212 Fix fuzzing stderr override on os x
Matt Johnston <matt@ucc.asn.au>
parents: 1767
diff changeset
52 fuzz.fake_stderr = fopen("/dev/null", "w");
096a66e45212 Fix fuzzing stderr override on os x
Matt Johnston <matt@ucc.asn.au>
parents: 1767
diff changeset
53 assert(fuzz.fake_stderr);
1758
1365661f6be6 Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents: 1757
diff changeset
54 }
1348
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
55 }
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
56
1456
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
57 int fuzz_set_input(const uint8_t *Data, size_t Size) {
1356
3677a510f545 add wrapfd. improve fuzzer in makefile
Matt Johnston <matt@ucc.asn.au>
parents: 1353
diff changeset
58
3677a510f545 add wrapfd. improve fuzzer in makefile
Matt Johnston <matt@ucc.asn.au>
parents: 1353
diff changeset
59 fuzz.input->data = (unsigned char*)Data;
3677a510f545 add wrapfd. improve fuzzer in makefile
Matt Johnston <matt@ucc.asn.au>
parents: 1353
diff changeset
60 fuzz.input->size = Size;
3677a510f545 add wrapfd. improve fuzzer in makefile
Matt Johnston <matt@ucc.asn.au>
parents: 1353
diff changeset
61 fuzz.input->len = Size;
3677a510f545 add wrapfd. improve fuzzer in makefile
Matt Johnston <matt@ucc.asn.au>
parents: 1353
diff changeset
62 fuzz.input->pos = 0;
3677a510f545 add wrapfd. improve fuzzer in makefile
Matt Johnston <matt@ucc.asn.au>
parents: 1353
diff changeset
63
1358
6b89eb92f872 glaring wrapfd problems fixed
Matt Johnston <matt@ucc.asn.au>
parents: 1357
diff changeset
64 memset(&ses, 0x0, sizeof(ses));
6b89eb92f872 glaring wrapfd problems fixed
Matt Johnston <matt@ucc.asn.au>
parents: 1357
diff changeset
65 memset(&svr_ses, 0x0, sizeof(svr_ses));
1742
6e71440b1e47 Add fuzzer-client_nomaths, fix client fuzzer
Matt Johnston <matt@ucc.asn.au>
parents: 1741
diff changeset
66 memset(&cli_ses, 0x0, sizeof(cli_ses));
1740
dfbe947bdf0d Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents: 1692
diff changeset
67 wrapfd_setup(fuzz.input);
1774
833bf9947603 Fuzzing - get rid of "prefix" for streams
Matt Johnston <matt@ucc.asn.au>
parents: 1770
diff changeset
68 // printhex("input", fuzz.input->data, fuzz.input->len);
1356
3677a510f545 add wrapfd. improve fuzzer in makefile
Matt Johnston <matt@ucc.asn.au>
parents: 1353
diff changeset
69
1757
517fb7b62438 Add some more variation to fuzzer random number generation
Matt Johnston <matt@ucc.asn.au>
parents: 1756
diff changeset
70 fuzz_seed(fuzz.input->data, MIN(fuzz.input->len, 16));
1356
3677a510f545 add wrapfd. improve fuzzer in makefile
Matt Johnston <matt@ucc.asn.au>
parents: 1353
diff changeset
71
3677a510f545 add wrapfd. improve fuzzer in makefile
Matt Johnston <matt@ucc.asn.au>
parents: 1353
diff changeset
72 return DROPBEAR_SUCCESS;
3677a510f545 add wrapfd. improve fuzzer in makefile
Matt Johnston <matt@ucc.asn.au>
parents: 1353
diff changeset
73 }
3677a510f545 add wrapfd. improve fuzzer in makefile
Matt Johnston <matt@ucc.asn.au>
parents: 1353
diff changeset
74
1558
2f64cb3d3007 - #if not #ifdef for DROPBEAR_FUZZ
Matt Johnston <matt@ucc.asn.au>
parents: 1529
diff changeset
75 #if DEBUG_TRACE
1373
9891bc31a1b3 fuzzers disable logging by default
Matt Johnston <matt@ucc.asn.au>
parents: 1369
diff changeset
76 static void fuzz_dropbear_log(int UNUSED(priority), const char* format, va_list param) {
9891bc31a1b3 fuzzers disable logging by default
Matt Johnston <matt@ucc.asn.au>
parents: 1369
diff changeset
77 if (debug_trace) {
1558
2f64cb3d3007 - #if not #ifdef for DROPBEAR_FUZZ
Matt Johnston <matt@ucc.asn.au>
parents: 1529
diff changeset
78 char printbuf[1024];
1373
9891bc31a1b3 fuzzers disable logging by default
Matt Johnston <matt@ucc.asn.au>
parents: 1369
diff changeset
79 vsnprintf(printbuf, sizeof(printbuf), format, param);
9891bc31a1b3 fuzzers disable logging by default
Matt Johnston <matt@ucc.asn.au>
parents: 1369
diff changeset
80 fprintf(stderr, "%s\n", printbuf);
9891bc31a1b3 fuzzers disable logging by default
Matt Johnston <matt@ucc.asn.au>
parents: 1369
diff changeset
81 }
9891bc31a1b3 fuzzers disable logging by default
Matt Johnston <matt@ucc.asn.au>
parents: 1369
diff changeset
82 }
1558
2f64cb3d3007 - #if not #ifdef for DROPBEAR_FUZZ
Matt Johnston <matt@ucc.asn.au>
parents: 1529
diff changeset
83 #else
2f64cb3d3007 - #if not #ifdef for DROPBEAR_FUZZ
Matt Johnston <matt@ucc.asn.au>
parents: 1529
diff changeset
84 static void fuzz_dropbear_log(int UNUSED(priority), const char* UNUSED(format), va_list UNUSED(param)) {
2f64cb3d3007 - #if not #ifdef for DROPBEAR_FUZZ
Matt Johnston <matt@ucc.asn.au>
parents: 1529
diff changeset
85 /* No print */
2f64cb3d3007 - #if not #ifdef for DROPBEAR_FUZZ
Matt Johnston <matt@ucc.asn.au>
parents: 1529
diff changeset
86 }
2f64cb3d3007 - #if not #ifdef for DROPBEAR_FUZZ
Matt Johnston <matt@ucc.asn.au>
parents: 1529
diff changeset
87 #endif /* DEBUG_TRACE */
1356
3677a510f545 add wrapfd. improve fuzzer in makefile
Matt Johnston <matt@ucc.asn.au>
parents: 1353
diff changeset
88
1456
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
89 void fuzz_svr_setup(void) {
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
90 fuzz_common_setup();
1353
f3c8975de38e setup svr_dropbear_exit
Matt Johnston <matt@ucc.asn.au>
parents: 1350
diff changeset
91
f3c8975de38e setup svr_dropbear_exit
Matt Johnston <matt@ucc.asn.au>
parents: 1350
diff changeset
92 _dropbear_exit = svr_dropbear_exit;
1348
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
93
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
94 char *argv[] = {
1742
6e71440b1e47 Add fuzzer-client_nomaths, fix client fuzzer
Matt Johnston <matt@ucc.asn.au>
parents: 1741
diff changeset
95 "dropbear",
1348
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
96 "-E",
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
97 };
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
98
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
99 int argc = sizeof(argv) / sizeof(*argv);
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
100 svr_getopts(argc, argv);
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
101
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
102 load_fixed_hostkeys();
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
103 }
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
104
1782
a6da10ac64b5 fuzz: make postauth set authdone properly
Matt Johnston <matt@ucc.asn.au>
parents: 1780
diff changeset
105 void fuzz_svr_hook_preloop() {
a6da10ac64b5 fuzz: make postauth set authdone properly
Matt Johnston <matt@ucc.asn.au>
parents: 1780
diff changeset
106 if (fuzz.svr_postauth) {
a6da10ac64b5 fuzz: make postauth set authdone properly
Matt Johnston <matt@ucc.asn.au>
parents: 1780
diff changeset
107 ses.authstate.authdone = 1;
a6da10ac64b5 fuzz: make postauth set authdone properly
Matt Johnston <matt@ucc.asn.au>
parents: 1780
diff changeset
108 fill_passwd("root");
a6da10ac64b5 fuzz: make postauth set authdone properly
Matt Johnston <matt@ucc.asn.au>
parents: 1780
diff changeset
109 }
a6da10ac64b5 fuzz: make postauth set authdone properly
Matt Johnston <matt@ucc.asn.au>
parents: 1780
diff changeset
110 }
a6da10ac64b5 fuzz: make postauth set authdone properly
Matt Johnston <matt@ucc.asn.au>
parents: 1780
diff changeset
111
1740
dfbe947bdf0d Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents: 1692
diff changeset
112 void fuzz_cli_setup(void) {
dfbe947bdf0d Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents: 1692
diff changeset
113 fuzz_common_setup();
dfbe947bdf0d Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents: 1692
diff changeset
114
1741
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
115 _dropbear_exit = cli_dropbear_exit;
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
116 _dropbear_log = cli_dropbear_log;
1740
dfbe947bdf0d Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents: 1692
diff changeset
117
dfbe947bdf0d Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents: 1692
diff changeset
118 char *argv[] = {
1742
6e71440b1e47 Add fuzzer-client_nomaths, fix client fuzzer
Matt Johnston <matt@ucc.asn.au>
parents: 1741
diff changeset
119 "dbclient",
1741
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
120 "-y",
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
121 "localhost",
1751
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1742
diff changeset
122 "uptime"
1740
dfbe947bdf0d Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents: 1692
diff changeset
123 };
dfbe947bdf0d Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents: 1692
diff changeset
124
dfbe947bdf0d Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents: 1692
diff changeset
125 int argc = sizeof(argv) / sizeof(*argv);
dfbe947bdf0d Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents: 1692
diff changeset
126 cli_getopts(argc, argv);
1751
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1742
diff changeset
127
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1742
diff changeset
128 load_fixed_client_key();
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1742
diff changeset
129 /* Avoid password prompt */
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1742
diff changeset
130 setenv(DROPBEAR_PASSWORD_ENV, "password", 1);
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1742
diff changeset
131 }
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1742
diff changeset
132
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1742
diff changeset
133 #include "fuzz-hostkeys.c"
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1742
diff changeset
134
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1742
diff changeset
135 static void load_fixed_client_key(void) {
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1742
diff changeset
136
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1742
diff changeset
137 buffer *b = buf_new(3000);
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1742
diff changeset
138 sign_key *key;
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1742
diff changeset
139 enum signkey_type keytype;
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1742
diff changeset
140
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1742
diff changeset
141 key = new_sign_key();
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1742
diff changeset
142 keytype = DROPBEAR_SIGNKEY_ANY;
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1742
diff changeset
143 buf_putbytes(b, keyed25519, keyed25519_len);
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1742
diff changeset
144 buf_setpos(b, 0);
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1742
diff changeset
145 if (buf_get_priv_key(b, key, &keytype) == DROPBEAR_FAILURE) {
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1742
diff changeset
146 dropbear_exit("failed fixed ed25519 hostkey");
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1742
diff changeset
147 }
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1742
diff changeset
148 list_append(cli_opts.privkeys, key);
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1742
diff changeset
149
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1742
diff changeset
150 buf_free(b);
1740
dfbe947bdf0d Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents: 1692
diff changeset
151 }
dfbe947bdf0d Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents: 1692
diff changeset
152
1348
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
153 static void load_fixed_hostkeys(void) {
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
154
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
155 buffer *b = buf_new(3000);
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
156 enum signkey_type type;
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
157
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
158 TRACE(("load fixed hostkeys"))
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
159
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
160 svr_opts.hostkey = new_sign_key();
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
161
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
162 buf_setlen(b, 0);
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
163 buf_putbytes(b, keyr, keyr_len);
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
164 buf_setpos(b, 0);
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
165 type = DROPBEAR_SIGNKEY_RSA;
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
166 if (buf_get_priv_key(b, svr_opts.hostkey, &type) == DROPBEAR_FAILURE) {
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
167 dropbear_exit("failed fixed rsa hostkey");
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
168 }
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
169
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
170 buf_setlen(b, 0);
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
171 buf_putbytes(b, keyd, keyd_len);
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
172 buf_setpos(b, 0);
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
173 type = DROPBEAR_SIGNKEY_DSS;
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
174 if (buf_get_priv_key(b, svr_opts.hostkey, &type) == DROPBEAR_FAILURE) {
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
175 dropbear_exit("failed fixed dss hostkey");
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
176 }
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
177
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
178 buf_setlen(b, 0);
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
179 buf_putbytes(b, keye, keye_len);
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
180 buf_setpos(b, 0);
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
181 type = DROPBEAR_SIGNKEY_ECDSA_NISTP256;
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
182 if (buf_get_priv_key(b, svr_opts.hostkey, &type) == DROPBEAR_FAILURE) {
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
183 dropbear_exit("failed fixed ecdsa hostkey");
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
184 }
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
185
1659
d32bcb5c557d Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents: 1589
diff changeset
186 buf_setlen(b, 0);
d32bcb5c557d Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents: 1589
diff changeset
187 buf_putbytes(b, keyed25519, keyed25519_len);
d32bcb5c557d Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents: 1589
diff changeset
188 buf_setpos(b, 0);
d32bcb5c557d Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents: 1589
diff changeset
189 type = DROPBEAR_SIGNKEY_ED25519;
d32bcb5c557d Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents: 1589
diff changeset
190 if (buf_get_priv_key(b, svr_opts.hostkey, &type) == DROPBEAR_FAILURE) {
d32bcb5c557d Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents: 1589
diff changeset
191 dropbear_exit("failed fixed ed25519 hostkey");
d32bcb5c557d Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents: 1589
diff changeset
192 }
d32bcb5c557d Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents: 1589
diff changeset
193
1348
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
194 buf_free(b);
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
195 }
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
196
1357
08f4fa4dc6a0 closer to working
Matt Johnston <matt@ucc.asn.au>
parents: 1356
diff changeset
197 void fuzz_kex_fakealgos(void) {
08f4fa4dc6a0 closer to working
Matt Johnston <matt@ucc.asn.au>
parents: 1356
diff changeset
198 ses.newkeys->recv.crypt_mode = &dropbear_mode_none;
1774
833bf9947603 Fuzzing - get rid of "prefix" for streams
Matt Johnston <matt@ucc.asn.au>
parents: 1770
diff changeset
199 ses.newkeys->recv.algo_mac = &dropbear_nohash;
1357
08f4fa4dc6a0 closer to working
Matt Johnston <matt@ucc.asn.au>
parents: 1356
diff changeset
200 }
1383
f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents: 1377
diff changeset
201
f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents: 1377
diff changeset
202 void fuzz_get_socket_address(int UNUSED(fd), char **local_host, char **local_port,
f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents: 1377
diff changeset
203 char **remote_host, char **remote_port, int UNUSED(host_lookup)) {
f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents: 1377
diff changeset
204 if (local_host) {
f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents: 1377
diff changeset
205 *local_host = m_strdup("fuzzlocalhost");
f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents: 1377
diff changeset
206 }
f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents: 1377
diff changeset
207 if (local_port) {
f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents: 1377
diff changeset
208 *local_port = m_strdup("1234");
f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents: 1377
diff changeset
209 }
f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents: 1377
diff changeset
210 if (remote_host) {
f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents: 1377
diff changeset
211 *remote_host = m_strdup("fuzzremotehost");
f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents: 1377
diff changeset
212 }
f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents: 1377
diff changeset
213 if (remote_port) {
f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents: 1377
diff changeset
214 *remote_port = m_strdup("9876");
f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents: 1377
diff changeset
215 }
f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents: 1377
diff changeset
216 }
1456
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
217
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
218 /* cut down version of svr_send_msg_kexdh_reply() that skips slow maths. Still populates structures */
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
219 void fuzz_fake_send_kexdh_reply(void) {
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
220 assert(!ses.dh_K);
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
221 m_mp_alloc_init_multi(&ses.dh_K, NULL);
1692
1051e4eea25a Update LibTomMath to 1.2.0 (#84)
Steffen Jaeckel <s@jaeckel.eu>
parents: 1659
diff changeset
222 mp_set_ul(ses.dh_K, 12345678uL);
1456
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
223 finish_kexhashbuf();
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
224 }
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
225
1740
dfbe947bdf0d Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents: 1692
diff changeset
226 /* fake version of spawn_command() */
dfbe947bdf0d Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents: 1692
diff changeset
227 int fuzz_spawn_command(int *ret_writefd, int *ret_readfd, int *ret_errfd, pid_t *ret_pid) {
1777
97ad26e397a5 Add server postauth fuzzer, wrap connect_remote()
Matt Johnston <matt@ucc.asn.au>
parents: 1775
diff changeset
228 *ret_writefd = wrapfd_new_dummy();
97ad26e397a5 Add server postauth fuzzer, wrap connect_remote()
Matt Johnston <matt@ucc.asn.au>
parents: 1775
diff changeset
229 *ret_readfd = wrapfd_new_dummy();
1740
dfbe947bdf0d Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents: 1692
diff changeset
230 if (ret_errfd) {
1777
97ad26e397a5 Add server postauth fuzzer, wrap connect_remote()
Matt Johnston <matt@ucc.asn.au>
parents: 1775
diff changeset
231 *ret_errfd = wrapfd_new_dummy();
1740
dfbe947bdf0d Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents: 1692
diff changeset
232 }
1802
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents: 1801
diff changeset
233 if (*ret_writefd == -1 || *ret_readfd == -1 || (ret_errfd && *ret_errfd == -1)) {
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents: 1801
diff changeset
234 m_close(*ret_writefd);
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents: 1801
diff changeset
235 m_close(*ret_readfd);
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents: 1801
diff changeset
236 if (ret_errfd) {
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents: 1801
diff changeset
237 m_close(*ret_errfd);
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents: 1801
diff changeset
238 }
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents: 1801
diff changeset
239 return DROPBEAR_FAILURE;
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents: 1801
diff changeset
240 } else {
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents: 1801
diff changeset
241 *ret_pid = 999;
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents: 1801
diff changeset
242 return DROPBEAR_SUCCESS;
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents: 1801
diff changeset
243
19b28d2fbe30 fuzz: handle errors from wrapfd_new_dummy()
Matt Johnston <matt@ucc.asn.au>
parents: 1801
diff changeset
244 }
1740
dfbe947bdf0d Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents: 1692
diff changeset
245 }
dfbe947bdf0d Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents: 1692
diff changeset
246
1786
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents: 1785
diff changeset
247 /* Fake dropbear_listen, always returns failure for now.
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents: 1785
diff changeset
248 TODO make it sometimes return success with wrapfd_new_dummy() sockets.
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents: 1785
diff changeset
249 Making the listeners fake a new incoming connection will be harder. */
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents: 1785
diff changeset
250 /* Listen on address:port.
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents: 1785
diff changeset
251 * Special cases are address of "" listening on everything,
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents: 1785
diff changeset
252 * and address of NULL listening on localhost only.
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents: 1785
diff changeset
253 * Returns the number of sockets bound on success, or -1 on failure. On
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents: 1785
diff changeset
254 * failure, if errstring wasn't NULL, it'll be a newly malloced error
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents: 1785
diff changeset
255 * string.*/
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents: 1785
diff changeset
256 int fuzz_dropbear_listen(const char* UNUSED(address), const char* UNUSED(port),
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents: 1785
diff changeset
257 int *UNUSED(socks), unsigned int UNUSED(sockcount), char **errstring, int *UNUSED(maxfd)) {
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents: 1785
diff changeset
258 if (errstring) {
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents: 1785
diff changeset
259 *errstring = m_strdup("fuzzing can't listen (yet)");
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents: 1785
diff changeset
260 }
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents: 1785
diff changeset
261 return -1;
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents: 1785
diff changeset
262 }
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents: 1785
diff changeset
263
1782
a6da10ac64b5 fuzz: make postauth set authdone properly
Matt Johnston <matt@ucc.asn.au>
parents: 1780
diff changeset
264 int fuzz_run_server(const uint8_t *Data, size_t Size, int skip_kexmaths, int postauth) {
1456
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
265 static int once = 0;
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
266 if (!once) {
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
267 fuzz_svr_setup();
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
268 fuzz.skip_kexmaths = skip_kexmaths;
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
269 once = 1;
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
270 }
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
271
1782
a6da10ac64b5 fuzz: make postauth set authdone properly
Matt Johnston <matt@ucc.asn.au>
parents: 1780
diff changeset
272 fuzz.svr_postauth = postauth;
a6da10ac64b5 fuzz: make postauth set authdone properly
Matt Johnston <matt@ucc.asn.au>
parents: 1780
diff changeset
273
1456
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
274 if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
275 return 0;
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
276 }
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
277
1774
833bf9947603 Fuzzing - get rid of "prefix" for streams
Matt Johnston <matt@ucc.asn.au>
parents: 1770
diff changeset
278 uint32_t wrapseed;
1775
8179eabe16c9 fuzzing - fix some wrong types and -lcrypt on macos
Matt Johnston <matt@ucc.asn.au>
parents: 1774
diff changeset
279 genrandom((void*)&wrapseed, sizeof(wrapseed));
1456
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
280 wrapfd_setseed(wrapseed);
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
281
1777
97ad26e397a5 Add server postauth fuzzer, wrap connect_remote()
Matt Johnston <matt@ucc.asn.au>
parents: 1775
diff changeset
282 int fakesock = wrapfd_new_fuzzinput();
97ad26e397a5 Add server postauth fuzzer, wrap connect_remote()
Matt Johnston <matt@ucc.asn.au>
parents: 1775
diff changeset
283
1456
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
284 m_malloc_set_epoch(1);
1760
2406a9987810 Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents: 1758
diff changeset
285 fuzz.do_jmp = 1;
1456
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
286 if (setjmp(fuzz.jmp) == 0) {
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
287 svr_session(fakesock, fakesock);
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
288 m_malloc_free_epoch(1, 0);
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
289 } else {
1760
2406a9987810 Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents: 1758
diff changeset
290 fuzz.do_jmp = 0;
1456
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
291 m_malloc_free_epoch(1, 1);
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
292 TRACE(("dropbear_exit longjmped"))
1559
92c93b4a3646 Fix to be able to compile normal(ish) binaries with --enable-fuzz
Matt Johnston <matt@ucc.asn.au>
parents: 1558
diff changeset
293 /* dropbear_exit jumped here */
1456
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
294 }
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
295
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
296 return 0;
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1386
diff changeset
297 }
1589
35af85194268 Add kexdh and kexecdh fuzzers
Matt Johnston <matt@ucc.asn.au>
parents: 1559
diff changeset
298
1741
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
299 int fuzz_run_client(const uint8_t *Data, size_t Size, int skip_kexmaths) {
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
300 static int once = 0;
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
301 if (!once) {
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
302 fuzz_cli_setup();
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
303 fuzz.skip_kexmaths = skip_kexmaths;
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
304 once = 1;
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
305 }
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
306
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
307 if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
308 return 0;
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
309 }
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
310
1774
833bf9947603 Fuzzing - get rid of "prefix" for streams
Matt Johnston <matt@ucc.asn.au>
parents: 1770
diff changeset
311 // Allow to proceed sooner
833bf9947603 Fuzzing - get rid of "prefix" for streams
Matt Johnston <matt@ucc.asn.au>
parents: 1770
diff changeset
312 ses.kexstate.donefirstkex = 1;
1741
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
313
1774
833bf9947603 Fuzzing - get rid of "prefix" for streams
Matt Johnston <matt@ucc.asn.au>
parents: 1770
diff changeset
314 uint32_t wrapseed;
1775
8179eabe16c9 fuzzing - fix some wrong types and -lcrypt on macos
Matt Johnston <matt@ucc.asn.au>
parents: 1774
diff changeset
315 genrandom((void*)&wrapseed, sizeof(wrapseed));
1741
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
316 wrapfd_setseed(wrapseed);
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
317
1777
97ad26e397a5 Add server postauth fuzzer, wrap connect_remote()
Matt Johnston <matt@ucc.asn.au>
parents: 1775
diff changeset
318 int fakesock = wrapfd_new_fuzzinput();
1741
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
319
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
320 m_malloc_set_epoch(1);
1760
2406a9987810 Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents: 1758
diff changeset
321 fuzz.do_jmp = 1;
1741
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
322 if (setjmp(fuzz.jmp) == 0) {
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
323 cli_session(fakesock, fakesock, NULL, 0);
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
324 m_malloc_free_epoch(1, 0);
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
325 } else {
1760
2406a9987810 Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents: 1758
diff changeset
326 fuzz.do_jmp = 0;
1741
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
327 m_malloc_free_epoch(1, 1);
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
328 TRACE(("dropbear_exit longjmped"))
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
329 /* dropbear_exit jumped here */
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
330 }
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
331
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
332 return 0;
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
333 }
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
334
1589
35af85194268 Add kexdh and kexecdh fuzzers
Matt Johnston <matt@ucc.asn.au>
parents: 1559
diff changeset
335 const void* fuzz_get_algo(const algo_type *algos, const char* name) {
35af85194268 Add kexdh and kexecdh fuzzers
Matt Johnston <matt@ucc.asn.au>
parents: 1559
diff changeset
336 const algo_type *t;
35af85194268 Add kexdh and kexecdh fuzzers
Matt Johnston <matt@ucc.asn.au>
parents: 1559
diff changeset
337 for (t = algos; t->name; t++) {
35af85194268 Add kexdh and kexecdh fuzzers
Matt Johnston <matt@ucc.asn.au>
parents: 1559
diff changeset
338 if (strcmp(t->name, name) == 0) {
35af85194268 Add kexdh and kexecdh fuzzers
Matt Johnston <matt@ucc.asn.au>
parents: 1559
diff changeset
339 return t->data;
35af85194268 Add kexdh and kexecdh fuzzers
Matt Johnston <matt@ucc.asn.au>
parents: 1559
diff changeset
340 }
35af85194268 Add kexdh and kexecdh fuzzers
Matt Johnston <matt@ucc.asn.au>
parents: 1559
diff changeset
341 }
35af85194268 Add kexdh and kexecdh fuzzers
Matt Johnston <matt@ucc.asn.au>
parents: 1559
diff changeset
342 assert(0);
35af85194268 Add kexdh and kexecdh fuzzers
Matt Johnston <matt@ucc.asn.au>
parents: 1559
diff changeset
343 }
1751
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1742
diff changeset
344
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1742
diff changeset
345 void fuzz_dump(const unsigned char* data, size_t len) {
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1742
diff changeset
346 if (fuzz.dumping) {
1799
8df3d6aa5f23 fuzz: avoid extraneous printing
Matt Johnston <matt@ucc.asn.au>
parents: 1786
diff changeset
347 TRACE(("dump %zu", len))
1751
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1742
diff changeset
348 assert(atomicio(vwrite, fuzz.recv_dumpfd, (void*)data, len) == len);
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1742
diff changeset
349 }
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1742
diff changeset
350 }
1779
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
351
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
352 static struct passwd pwd_root = {
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
353 .pw_name = "root",
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
354 .pw_passwd = "!",
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
355 .pw_uid = 0,
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
356 .pw_gid = 0,
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
357 .pw_dir = "/root",
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
358 .pw_shell = "/bin/sh",
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
359 };
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
360
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
361 static struct passwd pwd_other = {
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
362 .pw_name = "other",
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
363 .pw_passwd = "!",
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
364 .pw_uid = 100,
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
365 .pw_gid = 100,
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
366 .pw_dir = "/home/other",
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
367 .pw_shell = "/bin/sh",
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
368 };
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
369
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
370
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
371 /* oss-fuzz runs fuzzers under minijail, without /etc/passwd.
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
372 We provide sufficient values for the fuzzers to run */
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
373 struct passwd* fuzz_getpwnam(const char *login) {
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
374 if (!fuzz.fuzzing) {
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
375 return getpwnam(login);
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
376 }
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
377 if (strcmp(login, pwd_other.pw_name) == 0) {
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
378 return &pwd_other;
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
379 }
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
380 if (strcmp(login, pwd_root.pw_name) == 0) {
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
381 return &pwd_root;
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
382 }
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
383 return NULL;
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
384 }
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
385
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
386 struct passwd* fuzz_getpwuid(uid_t uid) {
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
387 if (!fuzz.fuzzing) {
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
388 return getpwuid(uid);
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
389 }
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
390 if (uid == pwd_other.pw_uid) {
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
391 return &pwd_other;
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
392 }
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
393 if (uid == pwd_root.pw_uid) {
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
394 return &pwd_root;
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
395 }
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
396 return NULL;
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
397 }
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
398