author | Matt Johnston <matt@ucc.asn.au> | 2020-10-20 23:34:38 +0800 |
committer | Matt Johnston <matt@ucc.asn.au> | 2020-10-20 23:34:38 +0800 |
commit | 1a7b944917cce0ef58d899c24166aa20ea041d52 (patch) | |
tree | 59a3ff320604bd3f61b8d79f39243f59d63a518c | |
parent | 3b400bd64e868e861a2977a2db3053fc72476abc (diff) |
Load password and key for client fuzzer.
Add fuzz_dump()
-rw-r--r-- | common-session.c | 5 | ||||
-rw-r--r-- | fuzz-common.c | 35 | ||||
-rw-r--r-- | fuzz-hostkeys.c | 17 | ||||
-rw-r--r-- | fuzz.h | 7 | ||||
-rw-r--r-- | packet.c | 5 |
5 files changed, 60 insertions, 9 deletions
diff --git a/common-session.c b/common-session.c
index 7531563..f670576 100644
--- a/common-session.c
+++ b/common-session.c
@@ -465,6 +465,11 @@ static int ident_readln(int fd, char* buf, int count) {
 TRACE(("leave ident_readln: EOF"))
 return -1;
 }
+
+#ifdef DROPBEAR_FUZZ
+ fuzz_dump(&in, 1);
+#endif
+
 if (in == '\n') {
 /* end of ident string */
 break;
diff --git a/fuzz-common.c b/fuzz-common.c
index 95b3937..60dab21 100644
--- a/fuzz-common.c
+++ b/fuzz-common.c
@@ -8,12 +8,14 @@
 #include "session.h"
 #include "dbrandom.h"
 #include "bignum.h"
+#include "atomicio.h"
 #include "fuzz-wrapfd.h"
 struct dropbear_fuzz_options fuzz;
 static void fuzz_dropbear_log(int UNUSED(priority), const char* format, va_list param);
 static void load_fixed_hostkeys(void);
+static void load_fixed_client_key(void);
 void fuzz_common_setup(void) {
 disallow_core();
@@ -85,15 +87,39 @@ void fuzz_cli_setup(void) {
 "dbclient",
 "-y",
 "localhost",
+ "uptime"
 };
 int argc = sizeof(argv) / sizeof(*argv);
 cli_getopts(argc, argv);
+
+ load_fixed_client_key();
+ /* Avoid password prompt */
+ setenv(DROPBEAR_PASSWORD_ENV, "password", 1);
 }
-static void load_fixed_hostkeys(void) {
 #include "fuzz-hostkeys.c"
+static void load_fixed_client_key(void) {
+
+ buffer *b = buf_new(3000);
+ sign_key *key;
+ enum signkey_type keytype;
+
+ key = new_sign_key();
+ keytype = DROPBEAR_SIGNKEY_ANY;
+ buf_putbytes(b, keyed25519, keyed25519_len);
+ buf_setpos(b, 0);
+ if (buf_get_priv_key(b, key, &keytype) == DROPBEAR_FAILURE) {
+ dropbear_exit("failed fixed ed25519 hostkey");
+ }
+ list_append(cli_opts.privkeys, key);
+
+ buf_free(b);
+}
+
+static void load_fixed_hostkeys(void) {
+
 buffer *b = buf_new(3000);
 enum signkey_type type;
@@ -276,3 +302,10 @@ const void* fuzz_get_algo(const algo_type *algos, const char* name) {
 }
 assert(0);
 }
+
+void fuzz_dump(const unsigned char* data, size_t len) {
+ TRACE(("dump %zu", len))
+ if (fuzz.dumping) {
+ assert(atomicio(vwrite, fuzz.recv_dumpfd, (void*)data, len) == len);
+ }
+}
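Review bot: The guard around the new `fuzz_dump(&in, 1);` in ident_readln is `#ifdef DROPBEAR_FUZZ`, while the packet.c hunk of this same commit guards its fuzz_dump call with `#if DROPBEAR_FUZZ`. If the build always defines DROPBEAR_FUZZ as 0 or 1 (which the `#if` form in packet.c suggests), the `#ifdef` form compiles the call into non-fuzzing builds, where fuzz_dump is presumably not built and the link fails. The two sites should use the same form, `#if DROPBEAR_FUZZ`. Separately, `in` is compared against `'\n'` so it looks like a `char`, making `&in` a `char *` handed to a `const unsigned char *` parameter; `fuzz_dump((const unsigned char *)&in, 1);` keeps it pointer-sign clean. ident_readln begins and ends outside the hunk.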
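Review bot: The failure message in the new load_fixed_client_key, `dropbear_exit("failed fixed ed25519 hostkey");`, says host key, but the function appends the key to `cli_opts.privkeys`, i.e. it is the client's identity key; `dropbear_exit("failed fixed ed25519 client key");` avoids sending whoever reads a fuzzer crash log to the wrong loader. The function also has no header comment; a one-liner such as `/* Installs the fixed ed25519 key from fuzz-hostkeys.c as the client's private key so public-key auth paths are reachable under the fuzzer. */` would document its purpose next to the `setenv(DROPBEAR_PASSWORD_ENV, ...)` call that does the same for password auth. Note that load_fixed_hostkeys's body continues outside the hunk.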
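Review bot: The write in the new fuzz_dump lives inside `assert(atomicio(...) == len)`, so with NDEBUG defined the whole dump is compiled out and the function silently writes nothing. Keep the side effect outside the assertion: `size_t wrote = atomicio(vwrite, fuzz.recv_dumpfd, (void*)data, len);` then `assert(wrote == len);` and `(void)wrote;` for NDEBUG builds. The `(void*)data` cast also drops the `const` from the parameter; if atomicio's signature requires a non-const pointer, a short comment saying so would stop a later cleanup from "fixing" it.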
diff --git a/fuzz-hostkeys.c b/fuzz-hostkeys.c
index 3fff5cb..128c8d1 100644
--- a/fuzz-hostkeys.c
+++ b/fuzz-hostkeys.c
@@ -1,5 +1,6 @@
+/* To be included in fuzz-common.c */
-unsigned char keyr[] = {
+static unsigned char keyr[] = {
 0x00, 0x00, 0x00, 0x07, 0x73, 0x73, 0x68, 0x2d, 0x72, 0x73, 0x61, 0x00, 0x00, 0x00, 0x03, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0xb1, 0x06, 0x95, 0xc9, 0xa8, 0x38, 0xb9, 0x99, 0x91, 0xb5, 0x17, 0x39, 0xb9,
@@ -69,8 +70,8 @@ unsigned char keyr[] = {
 0xb0, 0x9b, 0xea, 0x18, 0x77, 0xf6, 0x25, 0x02, 0xb4, 0x5e, 0x71, 0xea, 0xa3 };
-unsigned int keyr_len = 805;
-unsigned char keye[] = {
+static unsigned int keyr_len = 805;
+static unsigned char keye[] = {
 0x00, 0x00, 0x00, 0x13, 0x65, 0x63, 0x64, 0x73, 0x61, 0x2d, 0x73, 0x68, 0x61, 0x32, 0x2d, 0x6e, 0x69, 0x73, 0x74, 0x70, 0x32, 0x35, 0x36, 0x00, 0x00, 0x00, 0x08, 0x6e, 0x69, 0x73, 0x74, 0x70, 0x32, 0x35, 0x36, 0x00,
@@ -84,8 +85,8 @@ unsigned char keye[] = {
 0x3c, 0x58, 0x28, 0x70, 0x9b, 0x23, 0x39, 0x51, 0xd7, 0xbc, 0xa7, 0x1a, 0xf5, 0xb4, 0x23, 0xd3, 0xf6, 0x17, 0xa6, 0x9c, 0x02 };
-unsigned int keye_len = 141;
-unsigned char keyd[] = {
+static unsigned int keye_len = 141;
+static unsigned char keyd[] = {
 0x00, 0x00, 0x00, 0x07, 0x73, 0x73, 0x68, 0x2d, 0x64, 0x73, 0x73, 0x00, 0x00, 0x00, 0x81, 0x00, 0xb0, 0x02, 0x19, 0x8b, 0xf3, 0x46, 0xf9, 0xc5, 0x47, 0x78, 0x3d, 0x7f, 0x04, 0x10, 0x0a, 0x43, 0x8e, 0x00, 0x9e, 0xa4,
@@ -126,8 +127,8 @@ unsigned char keyd[] = {
 0x7b, 0xac, 0xaa, 0x0c, 0xa2, 0xca, 0x7b, 0xa8, 0xd4, 0xdf, 0x68, 0x56, 0xf9, 0x39 };
-unsigned int keyd_len = 458;
-unsigned char keyed25519[] = {
+static unsigned int keyd_len = 458;
+static unsigned char keyed25519[] = {
 0x00, 0x00, 0x00, 0x0b, 0x73, 0x73, 0x68, 0x2d, 0x65, 0x64, 0x32, 0x35, 0x35, 0x31, 0x39, 0x00, 0x00, 0x00, 0x40, 0x10, 0xb3, 0x79, 0x06, 0xe5, 0x9b, 0xe7, 0xe4, 0x6e, 0xec, 0xfe, 0xa5, 0x39, 0x21, 0x7c, 0xf6, 0x66,
@@ -136,4 +137,4 @@ unsigned char keyed25519[] = {
 0xa4, 0xd5, 0xe9, 0x23, 0xfe, 0x8e, 0xd6, 0xd4, 0xf9, 0xb1, 0x11, 0x69, 0x7c, 0x57, 0x52, 0x0e, 0x41, 0xdb, 0x1b, 0x12, 0x87, 0xfa, 0xc9 };
-unsigned int keyed25519_len = 83;
+static unsigned int keyed25519_len = 83;
@@ -36,6 +36,7 @@ void fuzz_get_socket_address(int fd, char **local_host, char **local_port, char **remote_host, char **remote_port, int host_lookup);
 void fuzz_fake_send_kexdh_reply(void);
 int fuzz_spawn_command(int *ret_writefd, int *ret_readfd, int *ret_errfd, pid_t *ret_pid);
+void fuzz_dump(const unsigned char* data, size_t len);
 // fake IO wrappers
 #ifndef FUZZ_SKIP_WRAP
@@ -61,6 +62,12 @@ struct dropbear_fuzz_options {
 // dropbear_exit() jumps back
 int do_jmp;
 sigjmp_buf jmp;
+
+ // write out decrypted session data to this FD if it's set
+ // flag - this needs to be set manually in cli-main.c etc
+ int dumping;
+ // the file descriptor
+ int recv_dumpfd;
 };
 extern struct dropbear_fuzz_options fuzz;
@@ -344,7 +344,12 @@ void decrypt_packet() {
 if (checkmac() != DROPBEAR_SUCCESS) {
 dropbear_exit("Integrity error");
 }
+ }
+
+#if DROPBEAR_FUZZ
+ fuzz_dump(ses.readbuf->data, ses.readbuf->len);
+#endif
 /* get padding length */
 buf_setpos(ses.readbuf, PACKET_PADDING_OFF); |
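Review bot: The comment placed above the new `dumping` field in struct dropbear_fuzz_options says the data is written "to this FD", but `dumping` is the on/off flag and `recv_dumpfd` is the descriptor, so the two comments read as if swapped. Suggest `// when non-zero, fuzz_dump() writes every received byte (the ident line and each decrypted packet) to recv_dumpfd` above `int dumping;`, and `// destination descriptor for the dump above; nothing in fuzz-common.c opens or sets it, the fuzzer (cli-main.c etc) must` above `int recv_dumpfd;`. "Decrypted session data" alone understates the content, since the common-session.c hunk in this commit also routes each plaintext ident byte through fuzz_dump.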