# HG changeset patch # User Matt Johnston # Date 1495550614 -28800 # Node ID ddfcadca3c4cf6c232054d4ca60e487ae9e08aa9 # Parent 10df23099071fe84a4659d9783c2b97ebe117261 fuzzer-pubkey diff -r 10df23099071 -r ddfcadca3c4c Makefile.in --- a/Makefile.in Tue May 23 22:29:21 2017 +0800 +++ b/Makefile.in Tue May 23 22:43:34 2017 +0800 @@ -245,7 +245,7 @@ ## Fuzzing targets # list of fuzz targets -FUZZ_TARGETS=fuzzer-preauth +FUZZ_TARGETS=fuzzer-preauth fuzzer-pubkey list-fuzz-targets: @echo $(FUZZ_TARGETS) @@ -265,6 +265,9 @@ fuzzer-preauth: fuzzer-preauth.o $(HEADERS) $(LIBTOM_DEPS) Makefile $(svrfuzzobjs) $(CXX) $(CXXFLAGS) $@.o $(LDFLAGS) $(svrfuzzobjs) -o $@$(EXEEXT) $(LIBTOM_LIBS) $(LIBS) $(FUZZLIB) @CRYPTLIB@ +fuzzer-pubkey: fuzzer-pubkey.o $(HEADERS) $(LIBTOM_DEPS) Makefile $(svrfuzzobjs) + $(CXX) $(CXXFLAGS) $@.o $(LDFLAGS) $(svrfuzzobjs) -o $@$(EXEEXT) $(LIBTOM_LIBS) $(LIBS) $(FUZZLIB) @CRYPTLIB@ + # run this to update hardcoded hostkeys for for fuzzing. # hostkeys.c is checked in to hg. fuzz-hostkeys: diff -r 10df23099071 -r ddfcadca3c4c dbrandom.c --- a/dbrandom.c Tue May 23 22:29:21 2017 +0800 +++ b/dbrandom.c Tue May 23 22:43:34 2017 +0800 @@ -182,7 +182,7 @@ } #ifdef DROPBEAR_FUZZ -void seedfuzz(void) { +void fuzz_seed(void) { hash_state hs; sha1_init(&hs); sha1_process(&hs, "fuzzfuzzfuzz", strlen("fuzzfuzzfuzz")); diff -r 10df23099071 -r ddfcadca3c4c dbrandom.h --- a/dbrandom.h Tue May 23 22:29:21 2017 +0800 +++ b/dbrandom.h Tue May 23 22:43:34 2017 +0800 @@ -31,8 +31,5 @@ void genrandom(unsigned char* buf, unsigned int len); void addrandom(unsigned char * buf, unsigned int len); void gen_random_mpint(mp_int *max, mp_int *rand); -#ifdef DROPBEAR_FUZZ -void seedfuzz(void); -#endif #endif /* DROPBEAR_RANDOM_H_ */ diff -r 10df23099071 -r ddfcadca3c4c dbutil.c --- a/dbutil.c Tue May 23 22:29:21 2017 +0800 +++ b/dbutil.c Tue May 23 22:43:34 2017 +0800 @@ -120,6 +120,13 @@ _dropbear_log(LOG_INFO, fmtbuf, param); +#ifdef DROPBEAR_FUZZ + // longjmp before cleaning up svr_opts + if (fuzz.fuzzing) { + longjmp(fuzz.jmp, 1); + } +#endif + exit(exitcode); } diff -r 10df23099071 -r ddfcadca3c4c fuzz-common.c --- a/fuzz-common.c Tue May 23 22:29:21 2017 +0800 +++ b/fuzz-common.c Tue May 23 22:43:34 2017 +0800 @@ -13,7 +13,7 @@ static void load_fixed_hostkeys(void); -static void common_setup_fuzzer(void) { +void common_setup_fuzzer(void) { fuzz.fuzzing = 1; fuzz.wrapfds = 1; fuzz.input = m_malloc(sizeof(buffer)); @@ -47,7 +47,7 @@ uint32_t wrapseed = buf_getint(fuzz.input); wrapfd_setup(wrapseed); - seedfuzz(); + fuzz_seed(); return DROPBEAR_SUCCESS; } diff -r 10df23099071 -r ddfcadca3c4c fuzz.h --- a/fuzz.h Tue May 23 22:29:21 2017 +0800 +++ b/fuzz.h Tue May 23 22:43:34 2017 +0800 @@ -10,12 +10,19 @@ #include "fuzz-wrapfd.h" // once per process +void common_setup_fuzzer(void); void svr_setup_fuzzer(void); // once per input. returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE int fuzzer_set_input(const uint8_t *Data, size_t Size); +// fuzzer functions that intrude into general code void fuzz_kex_fakealgos(void); +int fuzz_checkpubkey_line(buffer* line, int line_num, char* filename, + const char* algo, unsigned int algolen, + const unsigned char* keyblob, unsigned int keybloblen); +extern const char * const * fuzz_signkey_names; +void fuzz_seed(void); // fake IO wrappers #ifndef FUZZ_SKIP_WRAP diff -r 10df23099071 -r ddfcadca3c4c fuzzer-pubkey.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/fuzzer-pubkey.c Tue May 23 22:43:34 2017 +0800 @@ -0,0 +1,49 @@ +#include "fuzz.h" +#include "session.h" +#include "fuzz-wrapfd.h" +#include "debug.h" + +static void setup_fuzzer(void) { + common_setup_fuzzer(); +} + +int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { + static int once = 0; + if (!once) { + setup_fuzzer(); + once = 1; + } + + m_malloc_set_epoch(1); + + fuzz_seed(); + fuzz.input->data = (unsigned char*)Data; + fuzz.input->len = Size; + fuzz.input->size = Size; + fuzz.input->pos = 0; + + if (Size < 4) { + return 0; + } + + // choose a keytype based on input + uint8_t b = 0; + size_t i; + for (i = 0; i < Size; i++) { + b ^= Data[i]; + } + const char* algoname = fuzz_signkey_names[b%DROPBEAR_SIGNKEY_NUM_NAMED]; + const char* keyblob = "fakekeyblob"; + + if (setjmp(fuzz.jmp) == 0) { + fuzz_checkpubkey_line(fuzz.input, 5, "/home/me/authorized_keys", + algoname, strlen(algoname), + keyblob, strlen(keyblob)); + } else { + m_malloc_free_epoch(1); + TRACE(("dropbear_exit longjmped")) + // dropbear_exit jumped here + } + + return 0; +} diff -r 10df23099071 -r ddfcadca3c4c signkey.c --- a/signkey.c Tue May 23 22:29:21 2017 +0800 +++ b/signkey.c Tue May 23 22:43:34 2017 +0800 @@ -620,3 +620,8 @@ return ret; } #endif + +#ifdef DROPBEAR_FUZZ +const char * const * fuzz_signkey_names = signkey_names; + +#endif