# HG changeset patch # User Matt Johnston # Date 1603208078 -28800 # Node ID 3b9b427925a0869bfd48d4dbde8b207cf63f993b # Parent 7cb8bc5ce8b99f197e590a3d73c4e94242e361f3 Load password and key for client fuzzer. Add fuzz_dump() diff -r 7cb8bc5ce8b9 -r 3b9b427925a0 common-session.c --- a/common-session.c Tue Oct 20 23:33:45 2020 +0800 +++ b/common-session.c Tue Oct 20 23:34:38 2020 +0800 @@ -465,6 +465,11 @@ TRACE(("leave ident_readln: EOF")) return -1; } + +#ifdef DROPBEAR_FUZZ + fuzz_dump(&in, 1); +#endif + if (in == '\n') { /* end of ident string */ break; diff -r 7cb8bc5ce8b9 -r 3b9b427925a0 fuzz-common.c --- a/fuzz-common.c Tue Oct 20 23:33:45 2020 +0800 +++ b/fuzz-common.c Tue Oct 20 23:34:38 2020 +0800 @@ -8,12 +8,14 @@ #include "session.h" #include "dbrandom.h" #include "bignum.h" +#include "atomicio.h" #include "fuzz-wrapfd.h" struct dropbear_fuzz_options fuzz; static void fuzz_dropbear_log(int UNUSED(priority), const char* format, va_list param); static void load_fixed_hostkeys(void); +static void load_fixed_client_key(void); void fuzz_common_setup(void) { disallow_core(); @@ -85,14 +87,38 @@ "dbclient", "-y", "localhost", + "uptime" }; int argc = sizeof(argv) / sizeof(*argv); cli_getopts(argc, argv); + + load_fixed_client_key(); + /* Avoid password prompt */ + setenv(DROPBEAR_PASSWORD_ENV, "password", 1); +} + +#include "fuzz-hostkeys.c" + +static void load_fixed_client_key(void) { + + buffer *b = buf_new(3000); + sign_key *key; + enum signkey_type keytype; + + key = new_sign_key(); + keytype = DROPBEAR_SIGNKEY_ANY; + buf_putbytes(b, keyed25519, keyed25519_len); + buf_setpos(b, 0); + if (buf_get_priv_key(b, key, &keytype) == DROPBEAR_FAILURE) { + dropbear_exit("failed fixed ed25519 hostkey"); + } + list_append(cli_opts.privkeys, key); + + buf_free(b); } static void load_fixed_hostkeys(void) { -#include "fuzz-hostkeys.c" buffer *b = buf_new(3000); enum signkey_type type; @@ -276,3 +302,10 @@ } assert(0); } + +void fuzz_dump(const unsigned char* data, size_t len) { + TRACE(("dump %zu", len)) + if (fuzz.dumping) { + assert(atomicio(vwrite, fuzz.recv_dumpfd, (void*)data, len) == len); + } +} diff -r 7cb8bc5ce8b9 -r 3b9b427925a0 fuzz-hostkeys.c --- a/fuzz-hostkeys.c Tue Oct 20 23:33:45 2020 +0800 +++ b/fuzz-hostkeys.c Tue Oct 20 23:34:38 2020 +0800 @@ -1,5 +1,6 @@ +/* To be included in fuzz-common.c */ -unsigned char keyr[] = { +static unsigned char keyr[] = { 0x00, 0x00, 0x00, 0x07, 0x73, 0x73, 0x68, 0x2d, 0x72, 0x73, 0x61, 0x00, 0x00, 0x00, 0x03, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0xb1, 0x06, 0x95, 0xc9, 0xa8, 0x38, 0xb9, 0x99, 0x91, 0xb5, 0x17, 0x39, 0xb9, @@ -69,8 +70,8 @@ 0xb0, 0x9b, 0xea, 0x18, 0x77, 0xf6, 0x25, 0x02, 0xb4, 0x5e, 0x71, 0xea, 0xa3 }; -unsigned int keyr_len = 805; -unsigned char keye[] = { +static unsigned int keyr_len = 805; +static unsigned char keye[] = { 0x00, 0x00, 0x00, 0x13, 0x65, 0x63, 0x64, 0x73, 0x61, 0x2d, 0x73, 0x68, 0x61, 0x32, 0x2d, 0x6e, 0x69, 0x73, 0x74, 0x70, 0x32, 0x35, 0x36, 0x00, 0x00, 0x00, 0x08, 0x6e, 0x69, 0x73, 0x74, 0x70, 0x32, 0x35, 0x36, 0x00, @@ -84,8 +85,8 @@ 0x3c, 0x58, 0x28, 0x70, 0x9b, 0x23, 0x39, 0x51, 0xd7, 0xbc, 0xa7, 0x1a, 0xf5, 0xb4, 0x23, 0xd3, 0xf6, 0x17, 0xa6, 0x9c, 0x02 }; -unsigned int keye_len = 141; -unsigned char keyd[] = { +static unsigned int keye_len = 141; +static unsigned char keyd[] = { 0x00, 0x00, 0x00, 0x07, 0x73, 0x73, 0x68, 0x2d, 0x64, 0x73, 0x73, 0x00, 0x00, 0x00, 0x81, 0x00, 0xb0, 0x02, 0x19, 0x8b, 0xf3, 0x46, 0xf9, 0xc5, 0x47, 0x78, 0x3d, 0x7f, 0x04, 0x10, 0x0a, 0x43, 0x8e, 0x00, 0x9e, 0xa4, @@ -126,8 +127,8 @@ 0x7b, 0xac, 0xaa, 0x0c, 0xa2, 0xca, 0x7b, 0xa8, 0xd4, 0xdf, 0x68, 0x56, 0xf9, 0x39 }; -unsigned int keyd_len = 458; -unsigned char keyed25519[] = { +static unsigned int keyd_len = 458; +static unsigned char keyed25519[] = { 0x00, 0x00, 0x00, 0x0b, 0x73, 0x73, 0x68, 0x2d, 0x65, 0x64, 0x32, 0x35, 0x35, 0x31, 0x39, 0x00, 0x00, 0x00, 0x40, 0x10, 0xb3, 0x79, 0x06, 0xe5, 0x9b, 0xe7, 0xe4, 0x6e, 0xec, 0xfe, 0xa5, 0x39, 0x21, 0x7c, 0xf6, 0x66, @@ -136,4 +137,4 @@ 0xa4, 0xd5, 0xe9, 0x23, 0xfe, 0x8e, 0xd6, 0xd4, 0xf9, 0xb1, 0x11, 0x69, 0x7c, 0x57, 0x52, 0x0e, 0x41, 0xdb, 0x1b, 0x12, 0x87, 0xfa, 0xc9 }; -unsigned int keyed25519_len = 83; +static unsigned int keyed25519_len = 83; diff -r 7cb8bc5ce8b9 -r 3b9b427925a0 fuzz.h --- a/fuzz.h Tue Oct 20 23:33:45 2020 +0800 +++ b/fuzz.h Tue Oct 20 23:34:38 2020 +0800 @@ -36,6 +36,7 @@ char **remote_host, char **remote_port, int host_lookup); void fuzz_fake_send_kexdh_reply(void); int fuzz_spawn_command(int *ret_writefd, int *ret_readfd, int *ret_errfd, pid_t *ret_pid); +void fuzz_dump(const unsigned char* data, size_t len); // fake IO wrappers #ifndef FUZZ_SKIP_WRAP @@ -61,6 +62,12 @@ // dropbear_exit() jumps back int do_jmp; sigjmp_buf jmp; + + // write out decrypted session data to this FD if it's set + // flag - this needs to be set manually in cli-main.c etc + int dumping; + // the file descriptor + int recv_dumpfd; }; extern struct dropbear_fuzz_options fuzz; diff -r 7cb8bc5ce8b9 -r 3b9b427925a0 packet.c --- a/packet.c Tue Oct 20 23:33:45 2020 +0800 +++ b/packet.c Tue Oct 20 23:34:38 2020 +0800 @@ -344,7 +344,12 @@ if (checkmac() != DROPBEAR_SUCCESS) { dropbear_exit("Integrity error"); } + } + +#if DROPBEAR_FUZZ + fuzz_dump(ses.readbuf->data, ses.readbuf->len); +#endif /* get padding length */ buf_setpos(ses.readbuf, PACKET_PADDING_OFF);