comparison fuzz-common.c @ 1580:7f2be495dff6 coverity

merge coverity
author Matt Johnston <matt@ucc.asn.au>
date Sun, 04 Mar 2018 15:07:09 +0800
parents 92c93b4a3646
children 35af85194268
1 #include "includes.h"
2
3 #include "includes.h"
4 #include "fuzz.h"
5 #include "dbutil.h"
6 #include "runopts.h"
7 #include "crypto_desc.h"
8 #include "session.h"
9 #include "dbrandom.h"
10 #include "bignum.h"
11 #include "fuzz-wrapfd.h"
12
13 struct dropbear_fuzz_options fuzz;
14
15 static void fuzz_dropbear_log(int UNUSED(priority), const char* format, va_list param);
16 static void load_fixed_hostkeys(void);
17
18 void fuzz_common_setup(void) {
19 fuzz.fuzzing = 1;
20 fuzz.wrapfds = 1;
21 fuzz.do_jmp = 1;
22 fuzz.input = m_malloc(sizeof(buffer));
23 _dropbear_log = fuzz_dropbear_log;
24 crypto_init();
25 /* let any messages get flushed */
26 setlinebuf(stdout);
27 }
28
29 int fuzz_set_input(const uint8_t *Data, size_t Size) {
30
31 fuzz.input->data = (unsigned char*)Data;
32 fuzz.input->size = Size;
33 fuzz.input->len = Size;
34 fuzz.input->pos = 0;
35
36 memset(&ses, 0x0, sizeof(ses));
37 memset(&svr_ses, 0x0, sizeof(svr_ses));
38 wrapfd_setup();
39
40 fuzz_seed();
41
42 return DROPBEAR_SUCCESS;
43 }
44
45 #if DEBUG_TRACE
46 static void fuzz_dropbear_log(int UNUSED(priority), const char* format, va_list param) {
47 if (debug_trace) {
48 char printbuf[1024];
49 vsnprintf(printbuf, sizeof(printbuf), format, param);
50 fprintf(stderr, "%s\n", printbuf);
51 }
52 }
53 #else
54 static void fuzz_dropbear_log(int UNUSED(priority), const char* UNUSED(format), va_list UNUSED(param)) {
55 /* No print */
56 }
57 #endif /* DEBUG_TRACE */
58
59 void fuzz_svr_setup(void) {
60 fuzz_common_setup();
61
62 _dropbear_exit = svr_dropbear_exit;
63
64 char *argv[] = {
65 "-E",
66 };
67
68 int argc = sizeof(argv) / sizeof(*argv);
69 svr_getopts(argc, argv);
70
71 /* user lookups might be slow, cache it */
72 fuzz.pw_name = m_strdup("person");
73 fuzz.pw_dir = m_strdup("/tmp");
74 fuzz.pw_shell = m_strdup("/bin/zsh");
75 fuzz.pw_passwd = m_strdup("!!zzznope");
76
77 load_fixed_hostkeys();
78 }
79
80 static void load_fixed_hostkeys(void) {
81 #include "fuzz-hostkeys.c"
82
83 buffer *b = buf_new(3000);
84 enum signkey_type type;
85
86 TRACE(("load fixed hostkeys"))
87
88 svr_opts.hostkey = new_sign_key();
89
90 buf_setlen(b, 0);
91 buf_putbytes(b, keyr, keyr_len);
92 buf_setpos(b, 0);
93 type = DROPBEAR_SIGNKEY_RSA;
94 if (buf_get_priv_key(b, svr_opts.hostkey, &type) == DROPBEAR_FAILURE) {
95 dropbear_exit("failed fixed rsa hostkey");
96 }
97
98 buf_setlen(b, 0);
99 buf_putbytes(b, keyd, keyd_len);
100 buf_setpos(b, 0);
101 type = DROPBEAR_SIGNKEY_DSS;
102 if (buf_get_priv_key(b, svr_opts.hostkey, &type) == DROPBEAR_FAILURE) {
103 dropbear_exit("failed fixed dss hostkey");
104 }
105
106 buf_setlen(b, 0);
107 buf_putbytes(b, keye, keye_len);
108 buf_setpos(b, 0);
109 type = DROPBEAR_SIGNKEY_ECDSA_NISTP256;
110 if (buf_get_priv_key(b, svr_opts.hostkey, &type) == DROPBEAR_FAILURE) {
111 dropbear_exit("failed fixed ecdsa hostkey");
112 }
113
114 buf_free(b);
115 }
116
117 void fuzz_kex_fakealgos(void) {
118 ses.newkeys->recv.crypt_mode = &dropbear_mode_none;
119 }
120
121 void fuzz_get_socket_address(int UNUSED(fd), char **local_host, char **local_port,
122 char **remote_host, char **remote_port, int UNUSED(host_lookup)) {
123 if (local_host) {
124 *local_host = m_strdup("fuzzlocalhost");
125 }
126 if (local_port) {
127 *local_port = m_strdup("1234");
128 }
129 if (remote_host) {
130 *remote_host = m_strdup("fuzzremotehost");
131 }
132 if (remote_port) {
133 *remote_port = m_strdup("9876");
134 }
135 }
136
137 /* cut down version of svr_send_msg_kexdh_reply() that skips slow maths. Still populates structures */
138 void fuzz_fake_send_kexdh_reply(void) {
139 assert(!ses.dh_K);
140 m_mp_alloc_init_multi(&ses.dh_K, NULL);
141 mp_set_int(ses.dh_K, 12345678);
142 finish_kexhashbuf();
143 }
144
145 int fuzz_run_preauth(const uint8_t *Data, size_t Size, int skip_kexmaths) {
146 static int once = 0;
147 if (!once) {
148 fuzz_svr_setup();
149 fuzz.skip_kexmaths = skip_kexmaths;
150 once = 1;
151 }
152
153 if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
154 return 0;
155 }
156
157 /*
158 get prefix. input format is
159 string prefix
160 uint32 wrapfd seed
161 ... to be extended later
162 [bytes] ssh input stream
163 */
164
165 /* be careful to avoid triggering buffer.c assertions */
166 if (fuzz.input->len < 8) {
167 return 0;
168 }
169 size_t prefix_size = buf_getint(fuzz.input);
170 if (prefix_size != 4) {
171 return 0;
172 }
173 uint32_t wrapseed = buf_getint(fuzz.input);
174 wrapfd_setseed(wrapseed);
175
176 int fakesock = 20;
177 wrapfd_add(fakesock, fuzz.input, PLAIN);
178
179 m_malloc_set_epoch(1);
180 if (setjmp(fuzz.jmp) == 0) {
181 svr_session(fakesock, fakesock);
182 m_malloc_free_epoch(1, 0);
183 } else {
184 m_malloc_free_epoch(1, 1);
185 TRACE(("dropbear_exit longjmped"))
186 /* dropbear_exit jumped here */
187 }
188
189 return 0;
190 }