changeset 1751:3b9b427925a0

Load password and key for client fuzzer. Add fuzz_dump()
author Matt Johnston <matt@ucc.asn.au>
date Tue, 20 Oct 2020 23:34:38 +0800
parents 7cb8bc5ce8b9
children 36e77a51d5e4
files common-session.c fuzz-common.c fuzz-hostkeys.c fuzz.h packet.c
diffstat 5 files changed, 60 insertions(+), 9 deletions(-) [+]
--- a/common-session.c	Tue Oct 20 23:33:45 2020 +0800
+++ b/common-session.c	Tue Oct 20 23:34:38 2020 +0800
@@ -465,6 +465,11 @@
 				TRACE(("leave ident_readln: EOF"))
 				return -1;
 			}
+
+#ifdef DROPBEAR_FUZZ
+			fuzz_dump(&in, 1);
+#endif
+
 			if (in == '\n') {
 				/* end of ident string */
 				break;
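Review bot: The new guard is `#ifdef DROPBEAR_FUZZ` here, while the packet.c hunk in the same changeset uses `#if DROPBEAR_FUZZ`; if the macro is defined as 0 in non-fuzz builds (which the `#if` form suggests), this block would still compile in and call fuzz_dump() in a normal build where it is not linked. Use the same form as packet.c: `#if DROPBEAR_FUZZ`. ident_readln's body starts and ends outside the hunk.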
--- a/fuzz-common.c	Tue Oct 20 23:33:45 2020 +0800
+++ b/fuzz-common.c	Tue Oct 20 23:34:38 2020 +0800
@@ -8,12 +8,14 @@
 #include "session.h"
 #include "dbrandom.h"
 #include "bignum.h"
+#include "atomicio.h"
 #include "fuzz-wrapfd.h"
 
 struct dropbear_fuzz_options fuzz;
 
 static void fuzz_dropbear_log(int UNUSED(priority), const char* format, va_list param);
 static void load_fixed_hostkeys(void);
+static void load_fixed_client_key(void);
 
 void fuzz_common_setup(void) {
 	disallow_core();
@@ -85,14 +87,38 @@
 		"dbclient",
 		"-y",
         "localhost",
+        "uptime"
     };
 
     int argc = sizeof(argv) / sizeof(*argv);
     cli_getopts(argc, argv);
+
+    load_fixed_client_key();
+    /* Avoid password prompt */
+    setenv(DROPBEAR_PASSWORD_ENV, "password", 1);
+}
+
+#include "fuzz-hostkeys.c"   
+
+static void load_fixed_client_key(void) {
+
+    buffer *b = buf_new(3000);
+    sign_key *key;
+    enum signkey_type keytype;
+
+    key = new_sign_key();
+    keytype = DROPBEAR_SIGNKEY_ANY;
+    buf_putbytes(b, keyed25519, keyed25519_len);
+    buf_setpos(b, 0);
+    if (buf_get_priv_key(b, key, &keytype) == DROPBEAR_FAILURE) {
+        dropbear_exit("failed fixed ed25519 hostkey");
+    }
+    list_append(cli_opts.privkeys, key);
+
+    buf_free(b);
 }
 
 static void load_fixed_hostkeys(void) {
-#include "fuzz-hostkeys.c"   
 
     buffer *b = buf_new(3000);
     enum signkey_type type;
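Review bot: The failure message in load_fixed_client_key says "hostkey", but the key being appended to cli_opts.privkeys is the client's identity key; change it to `dropbear_exit("failed fixed ed25519 client key");` so a log line from the fuzzer points at the right loader. The blob is parsed with DROPBEAR_SIGNKEY_ANY, so a corrupted or mistyped embedded key would still load; pinning the expected ed25519 type here would catch that at setup instead of during a fuzz run. The buffer size 3000 is a magic constant duplicated from load_fixed_hostkeys; `buf_new(keyed25519_len)` would tie it to the data actually copied in. The `#include "fuzz-hostkeys.c"` now sits at file scope, which is what allows the new `static` qualifiers in that file; a one-line comment above it saying so would help the next reader. load_fixed_hostkeys continues outside the hunk.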
@@ -276,3 +302,10 @@
     }
     assert(0);
 }
+
+void fuzz_dump(const unsigned char* data, size_t len) {
+    TRACE(("dump %zu", len))
+    if (fuzz.dumping) {
+        assert(atomicio(vwrite, fuzz.recv_dumpfd, (void*)data, len) == len);
+    }
+}
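Review bot: In fuzz_dump the write itself is inside assert(), so a build with NDEBUG defined silently performs no write while fuzz.dumping stays set; hoist the call out: `size_t written = atomicio(vwrite, fuzz.recv_dumpfd, (void*)data, len);` followed by `assert(written == len);`. The `(void*)` cast discards the const on data; if atomicio accepts `const void*` the cast should go, otherwise a short comment explaining why it is needed would stop someone "fixing" it. A header comment stating that the bytes written are decrypted session data, so recv_dumpfd should only ever be a local file opened by the fuzz harness, would also be worth adding.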
--- a/fuzz-hostkeys.c	Tue Oct 20 23:33:45 2020 +0800
+++ b/fuzz-hostkeys.c	Tue Oct 20 23:34:38 2020 +0800
@@ -1,5 +1,6 @@
+/* To be included in fuzz-common.c */
 
-unsigned char keyr[] = {
+static unsigned char keyr[] = {
   0x00, 0x00, 0x00, 0x07, 0x73, 0x73, 0x68, 0x2d, 0x72, 0x73, 0x61, 0x00,
   0x00, 0x00, 0x03, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0xb1,
   0x06, 0x95, 0xc9, 0xa8, 0x38, 0xb9, 0x99, 0x91, 0xb5, 0x17, 0x39, 0xb9,
@@ -69,8 +70,8 @@
   0xb0, 0x9b, 0xea, 0x18, 0x77, 0xf6, 0x25, 0x02, 0xb4, 0x5e, 0x71, 0xea,
   0xa3
 };
-unsigned int keyr_len = 805;
-unsigned char keye[] = {
+static unsigned int keyr_len = 805;
+static unsigned char keye[] = {
   0x00, 0x00, 0x00, 0x13, 0x65, 0x63, 0x64, 0x73, 0x61, 0x2d, 0x73, 0x68,
   0x61, 0x32, 0x2d, 0x6e, 0x69, 0x73, 0x74, 0x70, 0x32, 0x35, 0x36, 0x00,
   0x00, 0x00, 0x08, 0x6e, 0x69, 0x73, 0x74, 0x70, 0x32, 0x35, 0x36, 0x00,
@@ -84,8 +85,8 @@
   0x3c, 0x58, 0x28, 0x70, 0x9b, 0x23, 0x39, 0x51, 0xd7, 0xbc, 0xa7, 0x1a,
   0xf5, 0xb4, 0x23, 0xd3, 0xf6, 0x17, 0xa6, 0x9c, 0x02
 };
-unsigned int keye_len = 141;
-unsigned char keyd[] = {
+static unsigned int keye_len = 141;
+static unsigned char keyd[] = {
   0x00, 0x00, 0x00, 0x07, 0x73, 0x73, 0x68, 0x2d, 0x64, 0x73, 0x73, 0x00,
   0x00, 0x00, 0x81, 0x00, 0xb0, 0x02, 0x19, 0x8b, 0xf3, 0x46, 0xf9, 0xc5,
   0x47, 0x78, 0x3d, 0x7f, 0x04, 0x10, 0x0a, 0x43, 0x8e, 0x00, 0x9e, 0xa4,
@@ -126,8 +127,8 @@
   0x7b, 0xac, 0xaa, 0x0c, 0xa2, 0xca, 0x7b, 0xa8, 0xd4, 0xdf, 0x68, 0x56,
   0xf9, 0x39
 };
-unsigned int keyd_len = 458;
-unsigned char keyed25519[] = {
+static unsigned int keyd_len = 458;
+static unsigned char keyed25519[] = {
   0x00, 0x00, 0x00, 0x0b, 0x73, 0x73, 0x68, 0x2d, 0x65, 0x64, 0x32, 0x35,
   0x35, 0x31, 0x39, 0x00, 0x00, 0x00, 0x40, 0x10, 0xb3, 0x79, 0x06, 0xe5,
   0x9b, 0xe7, 0xe4, 0x6e, 0xec, 0xfe, 0xa5, 0x39, 0x21, 0x7c, 0xf6, 0x66,
@@ -136,4 +137,4 @@
   0xa4, 0xd5, 0xe9, 0x23, 0xfe, 0x8e, 0xd6, 0xd4, 0xf9, 0xb1, 0x11, 0x69,
   0x7c, 0x57, 0x52, 0x0e, 0x41, 0xdb, 0x1b, 0x12, 0x87, 0xfa, 0xc9
 };
-unsigned int keyed25519_len = 83;
+static unsigned int keyed25519_len = 83;
--- a/fuzz.h	Tue Oct 20 23:33:45 2020 +0800
+++ b/fuzz.h	Tue Oct 20 23:34:38 2020 +0800
@@ -36,6 +36,7 @@
                         char **remote_host, char **remote_port, int host_lookup);
 void fuzz_fake_send_kexdh_reply(void);
 int fuzz_spawn_command(int *ret_writefd, int *ret_readfd, int *ret_errfd, pid_t *ret_pid);
+void fuzz_dump(const unsigned char* data, size_t len);
 
 // fake IO wrappers
 #ifndef FUZZ_SKIP_WRAP
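Review bot: The new fuzz_dump prototype is the only declaration in this group without any hint of its contract; a comment such as `/* When fuzz.dumping is set, writes len bytes of decrypted received data to fuzz.recv_dumpfd; no-op otherwise. */` above the declaration would tell callers in cli-main.c and packet.c what they are enabling.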
@@ -61,6 +62,12 @@
     // dropbear_exit() jumps back
     int do_jmp;
     sigjmp_buf jmp;
+
+    // write out decrypted session data to this FD if it's set
+    // flag - this needs to be set manually in cli-main.c etc
+    int dumping;
+    // the file descriptor
+    int recv_dumpfd;
 };
 
 extern struct dropbear_fuzz_options fuzz;
--- a/packet.c	Tue Oct 20 23:33:45 2020 +0800
+++ b/packet.c	Tue Oct 20 23:34:38 2020 +0800
@@ -344,7 +344,12 @@
 		if (checkmac() != DROPBEAR_SUCCESS) {
 			dropbear_exit("Integrity error");
 		}
+
 	}
+	
+#if DROPBEAR_FUZZ
+	fuzz_dump(ses.readbuf->data, ses.readbuf->len);
+#endif
 
 	/* get padding length */
 	buf_setpos(ses.readbuf, PACKET_PADDING_OFF);
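Review bot: The hunk adds two whitespace-only lines, an empty line before the closing brace of the checkmac() block and a line holding only a tab after it; both should be dropped. The call dumps ses.readbuf at its current len, which at this point appears to hold the whole decrypted packet rather than just the payload, so a one-line comment such as `/* dump the decrypted packet (length/padding fields included) for the fuzzer corpus */` would tell a consumer of the dump file what framing to expect. The enclosing function starts and ends outside the hunk.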