changeset 1529:66a1a2547133 fuzz

The fuzzer has managed to generated DSS key/signature pairs that verify. Avoid false positives from bogus keys that wouldn't be used
author Matt Johnston <matt@ucc.asn.au>
date Wed, 21 Feb 2018 21:49:24 +0800
parents b9e4fd5a0e72
children 63fa53d3b6c7
files fuzz-common.c fuzzer-verify.c
diffstat 2 files changed, 24 insertions(+), 2 deletions(-) [+]
line wrap: on
line diff
--- a/fuzz-common.c	Wed Feb 21 21:03:42 2018 +0800
+++ b/fuzz-common.c	Wed Feb 21 21:49:24 2018 +0800
@@ -22,6 +22,8 @@
     fuzz.input = m_malloc(sizeof(buffer));
     _dropbear_log = fuzz_dropbear_log;
     crypto_init();
+    /* let any messages get flushed */
+    setlinebuf(stdout);
 }
 
 int fuzz_set_input(const uint8_t *Data, size_t Size) {
--- a/fuzzer-verify.c	Wed Feb 21 21:03:42 2018 +0800
+++ b/fuzzer-verify.c	Wed Feb 21 21:49:24 2018 +0800
@@ -29,8 +29,28 @@
 		sign_key *key = new_sign_key();
 		enum signkey_type type = DROPBEAR_SIGNKEY_ANY;
 		if (buf_get_pub_key(fuzz.input, key, &type) == DROPBEAR_SUCCESS) {
-			/* Don't expect random fuzz input to verify */
-			assert(buf_verify(fuzz.input, key, verifydata) == DROPBEAR_FAILURE);
+			if (buf_verify(fuzz.input, key, verifydata) == DROPBEAR_SUCCESS) {
+				/* The fuzzer is capable of generating keys with a signature to match.
+				We don't want false positives if the key is bogus, since a client/server 
+				wouldn't be trusting a bogus key anyway */
+				int boguskey = 0;
+
+				if (type == DROPBEAR_SIGNKEY_DSS) {
+					/* So far have seen dss keys with bad p/q/g domain parameters */
+					int pprime, qprime;
+				    assert(mp_prime_is_prime(key->dsskey->p, 5, &pprime) == MP_OKAY);
+				    assert(mp_prime_is_prime(key->dsskey->q, 18, &qprime) == MP_OKAY);
+				    boguskey = !(pprime && qprime);
+				    /* Could also check g**q mod p == 1 */
+				}
+
+				if (!boguskey) {
+					printf("Random key/signature managed to verify!\n");
+					abort();
+				}
+
+
+			}
 		}
 		sign_key_free(key);
 		m_malloc_free_epoch(1, 0);