Mercurial > dropbear
comparison fuzzer-verify.c @ 1563:1cbb7b3d6703
Merge fuzzing branch
| author | Matt Johnston <matt@ucc.asn.au> |
|---|---|
| date | Wed, 28 Feb 2018 22:12:05 +0800 |
| parents | 92c93b4a3646 |
| children | f52919ffd3b1 |
comparison
equal
deleted
inserted
replaced
| 1560:f5026f7486de | 1563:1cbb7b3d6703 |
|---|---|
| 1 #include "fuzz.h" | |
| 2 #include "session.h" | |
| 3 #include "fuzz-wrapfd.h" | |
| 4 #include "debug.h" | |
| 5 | |
| 6 static void setup_fuzzer(void) { | |
| 7 fuzz_common_setup(); | |
| 8 } | |
| 9 | |
| 10 static buffer *verifydata; | |
| 11 | |
| 12 /* Tests reading a public key and verifying a signature */ | |
| 13 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { | |
| 14 static int once = 0; | |
| 15 if (!once) { | |
| 16 setup_fuzzer(); | |
| 17 verifydata = buf_new(30); | |
| 18 buf_putstring(verifydata, "x", 1); | |
| 19 once = 1; | |
| 20 } | |
| 21 | |
| 22 if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) { | |
| 23 return 0; | |
| 24 } | |
| 25 | |
| 26 m_malloc_set_epoch(1); | |
| 27 | |
| 28 if (setjmp(fuzz.jmp) == 0) { | |
| 29 sign_key *key = new_sign_key(); | |
| 30 enum signkey_type type = DROPBEAR_SIGNKEY_ANY; | |
| 31 if (buf_get_pub_key(fuzz.input, key, &type) == DROPBEAR_SUCCESS) { | |
| 32 if (buf_verify(fuzz.input, key, verifydata) == DROPBEAR_SUCCESS) { | |
| 33 /* The fuzzer is capable of generating keys with a signature to match. | |
| 34 We don't want false positives if the key is bogus, since a client/server | |
| 35 wouldn't be trusting a bogus key anyway */ | |
| 36 int boguskey = 0; | |
| 37 | |
| 38 if (type == DROPBEAR_SIGNKEY_DSS) { | |
| 39 /* So far have seen dss keys with bad p/q/g domain parameters */ | |
| 40 int pprime, qprime; | |
| 41 assert(mp_prime_is_prime(key->dsskey->p, 5, &pprime) == MP_OKAY); | |
| 42 assert(mp_prime_is_prime(key->dsskey->q, 18, &qprime) == MP_OKAY); | |
| 43 boguskey = !(pprime && qprime); | |
| 44 /* Could also check g**q mod p == 1 */ | |
| 45 } | |
| 46 | |
| 47 if (!boguskey) { | |
| 48 printf("Random key/signature managed to verify!\n"); | |
| 49 abort(); | |
| 50 } | |
| 51 | |
| 52 | |
| 53 } | |
| 54 } | |
| 55 sign_key_free(key); | |
| 56 m_malloc_free_epoch(1, 0); | |
| 57 } else { | |
| 58 m_malloc_free_epoch(1, 1); | |
| 59 TRACE(("dropbear_exit longjmped")) | |
| 60 /* dropbear_exit jumped here */ | |
| 61 } | |
| 62 | |
| 63 return 0; | |
| 64 } |