changeset 1369:ddfcadca3c4c fuzz

fuzzer-pubkey
author Matt Johnston <matt@ucc.asn.au>
date Tue, 23 May 2017 22:43:34 +0800
parents 10df23099071
children dd5d7b7141b9
files Makefile.in dbrandom.c dbrandom.h dbutil.c fuzz-common.c fuzz.h fuzzer-pubkey.c signkey.c
diffstat 8 files changed, 75 insertions(+), 7 deletions(-) [+]
line wrap: on
line diff
--- a/Makefile.in	Tue May 23 22:29:21 2017 +0800
+++ b/Makefile.in	Tue May 23 22:43:34 2017 +0800
@@ -245,7 +245,7 @@
 ## Fuzzing targets
 
 # list of fuzz targets
-FUZZ_TARGETS=fuzzer-preauth
+FUZZ_TARGETS=fuzzer-preauth fuzzer-pubkey
 
 list-fuzz-targets:
 	@echo $(FUZZ_TARGETS)
@@ -265,6 +265,9 @@
 fuzzer-preauth: fuzzer-preauth.o $(HEADERS) $(LIBTOM_DEPS) Makefile $(svrfuzzobjs)
 	$(CXX) $(CXXFLAGS) [email protected] $(LDFLAGS) $(svrfuzzobjs) -o $@$(EXEEXT) $(LIBTOM_LIBS) $(LIBS) $(FUZZLIB) @CRYPTLIB@
 
+fuzzer-pubkey: fuzzer-pubkey.o $(HEADERS) $(LIBTOM_DEPS) Makefile $(svrfuzzobjs)
+	$(CXX) $(CXXFLAGS) [email protected] $(LDFLAGS) $(svrfuzzobjs) -o $@$(EXEEXT) $(LIBTOM_LIBS) $(LIBS) $(FUZZLIB) @CRYPTLIB@
+
 # run this to update hardcoded hostkeys for for fuzzing. 
 # hostkeys.c is checked in to hg.
 fuzz-hostkeys:
--- a/dbrandom.c	Tue May 23 22:29:21 2017 +0800
+++ b/dbrandom.c	Tue May 23 22:43:34 2017 +0800
@@ -182,7 +182,7 @@
 }
 
 #ifdef DROPBEAR_FUZZ
-void seedfuzz(void) {
+void fuzz_seed(void) {
 	hash_state hs;
 	sha1_init(&hs);
 	sha1_process(&hs, "fuzzfuzzfuzz", strlen("fuzzfuzzfuzz"));
--- a/dbrandom.h	Tue May 23 22:29:21 2017 +0800
+++ b/dbrandom.h	Tue May 23 22:43:34 2017 +0800
@@ -31,8 +31,5 @@
 void genrandom(unsigned char* buf, unsigned int len);
 void addrandom(unsigned char * buf, unsigned int len);
 void gen_random_mpint(mp_int *max, mp_int *rand);
-#ifdef DROPBEAR_FUZZ
-void seedfuzz(void);
-#endif
 
 #endif /* DROPBEAR_RANDOM_H_ */
--- a/dbutil.c	Tue May 23 22:29:21 2017 +0800
+++ b/dbutil.c	Tue May 23 22:43:34 2017 +0800
@@ -120,6 +120,13 @@
 
 	_dropbear_log(LOG_INFO, fmtbuf, param);
 
+#ifdef DROPBEAR_FUZZ
+	// longjmp before cleaning up svr_opts
+    if (fuzz.fuzzing) {
+        longjmp(fuzz.jmp, 1);
+    }
+#endif
+
 	exit(exitcode);
 }
 
--- a/fuzz-common.c	Tue May 23 22:29:21 2017 +0800
+++ b/fuzz-common.c	Tue May 23 22:43:34 2017 +0800
@@ -13,7 +13,7 @@
 
 static void load_fixed_hostkeys(void);
 
-static void common_setup_fuzzer(void) {
+void common_setup_fuzzer(void) {
     fuzz.fuzzing = 1;
     fuzz.wrapfds = 1;
     fuzz.input = m_malloc(sizeof(buffer));
@@ -47,7 +47,7 @@
     uint32_t wrapseed = buf_getint(fuzz.input);
     wrapfd_setup(wrapseed);
 
-    seedfuzz();
+    fuzz_seed();
 
     return DROPBEAR_SUCCESS;
 }
--- a/fuzz.h	Tue May 23 22:29:21 2017 +0800
+++ b/fuzz.h	Tue May 23 22:43:34 2017 +0800
@@ -10,12 +10,19 @@
 #include "fuzz-wrapfd.h"
 
 // once per process
+void common_setup_fuzzer(void);
 void svr_setup_fuzzer(void);
 
 // once per input. returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE
 int fuzzer_set_input(const uint8_t *Data, size_t Size);
 
+// fuzzer functions that intrude into general code
 void fuzz_kex_fakealgos(void);
+int fuzz_checkpubkey_line(buffer* line, int line_num, char* filename,
+        const char* algo, unsigned int algolen,
+        const unsigned char* keyblob, unsigned int keybloblen);
+extern const char * const * fuzz_signkey_names;
+void fuzz_seed(void);
 
 // fake IO wrappers
 #ifndef FUZZ_SKIP_WRAP
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/fuzzer-pubkey.c	Tue May 23 22:43:34 2017 +0800
@@ -0,0 +1,49 @@
+#include "fuzz.h"
+#include "session.h"
+#include "fuzz-wrapfd.h"
+#include "debug.h"
+
+static void setup_fuzzer(void) {
+	common_setup_fuzzer();
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+	static int once = 0;
+	if (!once) {
+		setup_fuzzer();
+		once = 1;
+	}
+
+	m_malloc_set_epoch(1);
+
+    fuzz_seed();
+    fuzz.input->data = (unsigned char*)Data;
+    fuzz.input->len = Size;
+    fuzz.input->size = Size;
+    fuzz.input->pos = 0;
+
+    if (Size < 4) {
+    	return 0;
+    }
+
+    // choose a keytype based on input
+    uint8_t b = 0;
+    size_t i;
+    for (i = 0; i < Size; i++) {
+    	b ^= Data[i];
+    }
+    const char* algoname = fuzz_signkey_names[b%DROPBEAR_SIGNKEY_NUM_NAMED];
+    const char* keyblob = "fakekeyblob";
+
+	if (setjmp(fuzz.jmp) == 0) {
+		fuzz_checkpubkey_line(fuzz.input, 5, "/home/me/authorized_keys", 
+			algoname, strlen(algoname),
+			keyblob, strlen(keyblob));
+	} else {
+		m_malloc_free_epoch(1);
+		TRACE(("dropbear_exit longjmped"))
+		// dropbear_exit jumped here
+	}
+
+	return 0;
+}
--- a/signkey.c	Tue May 23 22:29:21 2017 +0800
+++ b/signkey.c	Tue May 23 22:43:34 2017 +0800
@@ -620,3 +620,8 @@
 	return ret;
 }
 #endif
+
+#ifdef DROPBEAR_FUZZ
+const char * const * fuzz_signkey_names = signkey_names;
+
+#endif