# HG changeset patch # User Matt Johnston # Date 1519220964 -28800 # Node ID 66a1a2547133288bb684e72285996b3322b72fc5 # Parent b9e4fd5a0e72cc499b16d12c63d7b8b1b0909bee The fuzzer has managed to generated DSS key/signature pairs that verify. Avoid false positives from bogus keys that wouldn't be used diff -r b9e4fd5a0e72 -r 66a1a2547133 fuzz-common.c --- a/fuzz-common.c Wed Feb 21 21:03:42 2018 +0800 +++ b/fuzz-common.c Wed Feb 21 21:49:24 2018 +0800 @@ -22,6 +22,8 @@ fuzz.input = m_malloc(sizeof(buffer)); _dropbear_log = fuzz_dropbear_log; crypto_init(); + /* let any messages get flushed */ + setlinebuf(stdout); } int fuzz_set_input(const uint8_t *Data, size_t Size) { diff -r b9e4fd5a0e72 -r 66a1a2547133 fuzzer-verify.c --- a/fuzzer-verify.c Wed Feb 21 21:03:42 2018 +0800 +++ b/fuzzer-verify.c Wed Feb 21 21:49:24 2018 +0800 @@ -29,8 +29,28 @@ sign_key *key = new_sign_key(); enum signkey_type type = DROPBEAR_SIGNKEY_ANY; if (buf_get_pub_key(fuzz.input, key, &type) == DROPBEAR_SUCCESS) { - /* Don't expect random fuzz input to verify */ - assert(buf_verify(fuzz.input, key, verifydata) == DROPBEAR_FAILURE); + if (buf_verify(fuzz.input, key, verifydata) == DROPBEAR_SUCCESS) { + /* The fuzzer is capable of generating keys with a signature to match. + We don't want false positives if the key is bogus, since a client/server + wouldn't be trusting a bogus key anyway */ + int boguskey = 0; + + if (type == DROPBEAR_SIGNKEY_DSS) { + /* So far have seen dss keys with bad p/q/g domain parameters */ + int pprime, qprime; + assert(mp_prime_is_prime(key->dsskey->p, 5, &pprime) == MP_OKAY); + assert(mp_prime_is_prime(key->dsskey->q, 18, &qprime) == MP_OKAY); + boguskey = !(pprime && qprime); + /* Could also check g**q mod p == 1 */ + } + + if (!boguskey) { + printf("Random key/signature managed to verify!\n"); + abort(); + } + + + } } sign_key_free(key); m_malloc_free_epoch(1, 0);