-rw-r--r--Makefile.in53
-rw-r--r--configure.ac1
-rw-r--r--dbrandom.c3
-rw-r--r--fuzz.h17
-rw-r--r--fuzz/fuzz-common.c (renamed from fuzz-common.c)25
-rw-r--r--fuzz/fuzz-harness.c (renamed from fuzz-harness.c)0
-rw-r--r--fuzz/fuzz-hostkeys.c (renamed from fuzz-hostkeys.c)0
-rw-r--r--fuzz/fuzz-wrapfd.c (renamed from fuzz-wrapfd.c)0
-rw-r--r--fuzz/fuzzer-client.c (renamed from fuzzer-client.c)0
-rw-r--r--fuzz/fuzzer-client_nomaths.c (renamed from fuzzer-client_nomaths.c)0
-rw-r--r--fuzz/fuzzer-kexcurve25519.c (renamed from fuzzer-kexcurve25519.c)0
-rw-r--r--fuzz/fuzzer-kexdh.c (renamed from fuzzer-kexdh.c)0
-rw-r--r--fuzz/fuzzer-kexecdh.c (renamed from fuzzer-kexecdh.c)0
-rw-r--r--fuzz/fuzzer-preauth.c (renamed from fuzzer-preauth.c)0
-rw-r--r--fuzz/fuzzer-preauth_nomaths.c (renamed from fuzzer-preauth_nomaths.c)0
-rw-r--r--fuzz/fuzzer-pubkey.c (renamed from fuzzer-pubkey.c)0
-rw-r--r--fuzz/fuzzer-verify.c (renamed from fuzzer-verify.c)0
17 files changed, 59 insertions, 40 deletions
diff --git a/Makefile.in b/Makefile.in
index 182cb42..42a142c 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -62,7 +62,7 @@ CONVERTOBJS=dropbearconvert.o keyimport.o
SCPOBJS=scp.o progressmeter.o atomicio.o scpmisc.o compat.o
ifeq (@DROPBEAR_FUZZ@, 1)
- allobjs = $(COMMONOBJS) fuzz-common.o fuzz-wrapfd.o $(CLISVROBJS) $(CLIOBJS) $(SVROBJS) @CRYPTLIB@
+ allobjs = $(COMMONOBJS) fuzz/fuzz-common.o fuzz/fuzz-wrapfd.o $(CLISVROBJS) $(CLIOBJS) $(SVROBJS) @CRYPTLIB@
allobjs:=$(subst svr-main.o, ,$(allobjs))
allobjs:=$(subst cli-main.o, ,$(allobjs))
@@ -72,6 +72,7 @@ ifeq (@DROPBEAR_FUZZ@, 1)
dropbearconvertobjs=$(allobjs) $(CONVERTOBJS)
# CXX only set when fuzzing
CXX=@CXX@
+ FUZZ_CLEAN=fuzz-clean
else
dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS)
dbclientobjs=$(COMMONOBJS) $(CLISVROBJS) $(CLIOBJS)
@@ -246,7 +247,7 @@ ltm-clean:
sizes: dropbear
objdump -t dropbear|grep ".text"|cut -d "." -f 2|sort -rn
-clean: $(LIBTOM_CLEAN) thisclean
+clean: $(LIBTOM_CLEAN) $(FUZZ_CLEAN) thisclean
thisclean:
-rm -f dropbear$(EXEEXT) dbclient$(EXEEXT) dropbearkey$(EXEEXT) \
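Review bot: `clean` removes the fuzzer build products only while the tree is configured with fuzzing, because `$(FUZZ_CLEAN)` is assigned inside the `ifeq (@DROPBEAR_FUZZ@, 1)` branch (previous hunk) and expands to nothing otherwise, so after a plain `./configure` a `make clean` leaves `fuzz/*.o`, the `fuzzer-*` binaries and the `.options` files in place. Those objects were built with the fuzzing compiler and flags, so stale ones are a likely source of confusing relinks when fuzzing is re-enabled later. Since `fuzz-clean` is just `rm -f`, it is harmless to run unconditionally, provided the rule itself is defined outside the conditional as it appears to be: `clean: $(LIBTOM_CLEAN) fuzz-clean thisclean`, which also lets the `FUZZ_CLEAN` variable go away.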
@@ -271,47 +272,24 @@ FUZZ_TARGETS=fuzzer-preauth fuzzer-pubkey fuzzer-verify fuzzer-preauth_nomaths \
fuzzer-kexdh fuzzer-kexecdh fuzzer-kexcurve25519 fuzzer-client fuzzer-client_nomaths
FUZZER_OPTIONS = $(addsuffix .options, $(FUZZ_TARGETS))
+FUZZ_OBJS = $(addprefix fuzz/,$(addsuffix .o,$(FUZZ_TARGETS)))
list-fuzz-targets:
@echo $(FUZZ_TARGETS)
# fuzzers that don't use libfuzzer, just a standalone harness that feeds inputs
-fuzzstandalone: FUZZLIB=fuzz-harness.o
-fuzzstandalone: fuzz-harness.o fuzz-targets
-
-fuzz-harness.o: $(HEADERS) $(LIBTOM_DEPS) Makefile $(allobjs) fuzz-common.o
-
-# build all the fuzzers. This will require fail to link unless built with
-# make fuzz-targets FUZZLIB=-lFuzzer.a
-# or similar - the library provides main().
+fuzzstandalone: FUZZLIB=fuzz/fuzz-harness.o
+fuzzstandalone: fuzz/fuzz-harness.o fuzz-targets
+
+# Build all the fuzzers. Usually like
+# make fuzz-targets FUZZLIB=-lFuzzer.a
+# the library provides main(). Otherwise
+# make fuzzstandalone
+# provides a main in fuzz-harness.c
fuzz-targets: $(FUZZ_TARGETS) $(FUZZER_OPTIONS)
-fuzzer-preauth: fuzzer-preauth.o fuzz-harness.o
- $(CXX) $(CXXFLAGS) $@.o $(LDFLAGS) $(allobjs) -o $@$(EXEEXT) $(LIBTOM_LIBS) $(LIBS) $(FUZZLIB) @CRYPTLIB@
-
-fuzzer-preauth_nomaths: fuzzer-preauth_nomaths.o fuzz-harness.o
- $(CXX) $(CXXFLAGS) $@.o $(LDFLAGS) $(allobjs) -o $@$(EXEEXT) $(LIBTOM_LIBS) $(LIBS) $(FUZZLIB) @CRYPTLIB@
-
-fuzzer-pubkey: fuzzer-pubkey.o fuzz-harness.o
- $(CXX) $(CXXFLAGS) $@.o $(LDFLAGS) $(allobjs) -o $@$(EXEEXT) $(LIBTOM_LIBS) $(LIBS) $(FUZZLIB) @CRYPTLIB@
-
-fuzzer-verify: fuzzer-verify.o fuzz-harness.o
- $(CXX) $(CXXFLAGS) $@.o $(LDFLAGS) $(allobjs) -o $@$(EXEEXT) $(LIBTOM_LIBS) $(LIBS) $(FUZZLIB) @CRYPTLIB@
-
-fuzzer-kexdh: fuzzer-kexdh.o fuzz-harness.o
- $(CXX) $(CXXFLAGS) $@.o $(LDFLAGS) $(allobjs) -o $@$(EXEEXT) $(LIBTOM_LIBS) $(LIBS) $(FUZZLIB) @CRYPTLIB@
-
-fuzzer-kexecdh: fuzzer-kexecdh.o fuzz-harness.o
- $(CXX) $(CXXFLAGS) $@.o $(LDFLAGS) $(allobjs) -o $@$(EXEEXT) $(LIBTOM_LIBS) $(LIBS) $(FUZZLIB) @CRYPTLIB@
-
-fuzzer-kexcurve25519: fuzzer-kexcurve25519.o fuzz-harness.o
- $(CXX) $(CXXFLAGS) $@.o $(LDFLAGS) $(allobjs) -o $@$(EXEEXT) $(LIBTOM_LIBS) $(LIBS) $(FUZZLIB) @CRYPTLIB@
-
-fuzzer-client: fuzzer-client.o fuzz-harness.o
- $(CXX) $(CXXFLAGS) $@.o $(LDFLAGS) $(allobjs) -o $@$(EXEEXT) $(LIBTOM_LIBS) $(LIBS) $(FUZZLIB) @CRYPTLIB@
-
-fuzzer-client_nomaths: fuzzer-client_nomaths.o fuzz-harness.o
- $(CXX) $(CXXFLAGS) $@.o $(LDFLAGS) $(allobjs) -o $@$(EXEEXT) $(LIBTOM_LIBS) $(LIBS) $(FUZZLIB) @CRYPTLIB@
+$(FUZZ_TARGETS): $(FUZZ_OBJS) $(allobjs) $(LIBTOM_DEPS)
+ $(CXX) $(CXXFLAGS) fuzz/$@.o $(LDFLAGS) $(allobjs) -o $@$(EXEEXT) $(LIBTOM_LIBS) $(LIBS) $(FUZZLIB) -lcrypt
fuzzer-%.options: Makefile
echo "[libfuzzer]" > $@
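Review bot: The consolidated link rule near the end of the hunk hard-codes `-lcrypt` where the nine per-target rules it replaces used `@CRYPTLIB@`, so configure's detection of the crypt library is bypassed for the fuzzers; `$(allobjs)` already carries `@CRYPTLIB@` in the fuzzing branch (first hunk of this file), so the literal is redundant where libcrypt exists and breaks the link on a libc that ships no separate libcrypt. The rule also lists every object in `$(FUZZ_OBJS)` as a prerequisite of every fuzzer, so touching one `fuzz/fuzzer-*.c` relinks all nine binaries. A static pattern rule keeps both exact: `$(FUZZ_TARGETS): %: fuzz/%.o $(allobjs) $(LIBTOM_DEPS)` with the recipe `$(CXX) $(CXXFLAGS) $< $(LDFLAGS) $(allobjs) -o $@$(EXEEXT) $(LIBTOM_LIBS) $(LIBS) $(FUZZLIB) @CRYPTLIB@`. Whether `fuzz/%.o` picks up header dependencies now that the explicit `fuzz-harness.o` rule is gone depends on pattern rules outside this hunk, so that is worth a check.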
@@ -329,3 +307,6 @@ fuzz-hostkeys:
/usr/bin/xxd -i -a keye >> hostkeys.c
/usr/bin/xxd -i -a keyd >> hostkeys.c
/usr/bin/xxd -i -a keyed25519 >> hostkeys.c
+
+fuzz-clean:
+ -rm -f fuzz/*.o $(FUZZ_TARGETS) $(FUZZER_OPTIONS)
diff --git a/configure.ac b/configure.ac
index 473cea5..8f552a8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -347,6 +347,7 @@ AC_ARG_ENABLE(fuzz,
DROPBEAR_FUZZ=1
# libfuzzer needs linking with c++ libraries
AC_PROG_CXX
+ mkdir -pv fuzz
else
AC_DEFINE(DROPBEAR_FUZZ, 0, Fuzzing)
AC_MSG_NOTICE(Disabling fuzzing)
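Review bot: `mkdir -pv fuzz` runs as a bare shell command in the configure branch with its exit status ignored, so if the build directory is not writable configure still reports success and the failure only surfaces later as an obscure compiler error when the first `fuzz/` object is written. `-v` is also not a POSIX `mkdir` option, so it adds output configure does not need at the price of a portability risk. Autoconf provides a macro for exactly this case: `AS_MKDIR_P([fuzz])` creates the directory portably and aborts configure with a message if it cannot.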
diff --git a/dbrandom.c b/dbrandom.c
index d7340a3..faada2a 100644
--- a/dbrandom.c
+++ b/dbrandom.c
@@ -150,10 +150,11 @@ static void write_urandom()
}
#if DROPBEAR_FUZZ
-void fuzz_seed(void) {
+void fuzz_seed(const unsigned char* dat, unsigned int len) {
hash_state hs;
sha1_init(&hs);
sha1_process(&hs, "fuzzfuzzfuzz", strlen("fuzzfuzzfuzz"));
+ sha1_process(&hs, dat, len);
sha1_done(&hs, hashpool);
counter = 0;
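Review bot: The new signature gives no hint of what `dat`/`len` contribute or why, and since this is the only code path that seeds `hashpool` under `DROPBEAR_FUZZ`, a maintainer should not have to read fuzz-common.c to learn the seeding policy. I would add above the function: `/* Fuzzing only: deterministically reseed the PRNG from a fixed tag plus the caller-supplied bytes, discarding any previous pool state, so the random stream of each iteration is reproducible from what the caller passed in. Never compiled into non-fuzz builds. */`. The discarded return values of the sha1 calls predate this change.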
diff --git a/fuzz.h b/fuzz.h
index b5dc7e8..f25a835 100644
--- a/fuzz.h
+++ b/fuzz.h
@@ -15,6 +15,10 @@ void fuzz_common_setup(void);
void fuzz_svr_setup(void);
void fuzz_cli_setup(void);
+// constructor attribute so it runs before main(), including
+// in non-fuzzing mode.
+void fuzz_early_setup(void) __attribute__((constructor));
+
// must be called once per fuzz iteration.
// returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE
int fuzz_set_input(const uint8_t *Data, size_t Size);
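Review bot: The comment on `fuzz_early_setup` says it runs before main() "including in non-fuzzing mode" but not what it must do or why it has to be that early; from fuzz-common.c its only job is to point `fuzz.stderr` at the real stream, and until it has run `fuzz.stderr` is the zero-initialised global, so any `fprintf(stderr, ...)` reached through this header's `stderr` macro from another constructor or static initialiser would hand stdio a NULL `FILE *`. Constructor order across translation units is unspecified, so that is a narrow but real window. I would extend the comment to something like: `// Points fuzz.stderr at the real stderr before main() runs, presumably also when a DROPBEAR_FUZZ build is executed as the normal dropbear/dbclient binary. Nothing may write to stderr from another constructor before this has run. Requires GCC/Clang.`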
@@ -29,7 +33,7 @@ int fuzz_checkpubkey_line(buffer* line, int line_num, char* filename,
const char* algo, unsigned int algolen,
const unsigned char* keyblob, unsigned int keybloblen);
extern const char * const * fuzz_signkey_names;
-void fuzz_seed(void);
+void fuzz_seed(const unsigned char* dat, unsigned int len);
// helpers
void fuzz_get_socket_address(int fd, char **local_host, char **local_port,
@@ -68,10 +72,21 @@ struct dropbear_fuzz_options {
int dumping;
// the file descriptor
int recv_dumpfd;
+
+ // avoid filling fuzzing logs, this points to /dev/null
+ FILE *stderr;
};
extern struct dropbear_fuzz_options fuzz;
+/* This is a bodge but seems to work.
+ glibc stdio.h has the comment
+ "C89/C99 say they're macros. Make them happy." */
+#ifdef stderr
+#undef stderr
+#endif
+#define stderr (fuzz.stderr)
+
#endif // DROPBEAR_FUZZ
#endif /* DROPBEAR_FUZZ_H */
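Review bot: Naming the struct member `stderr` and then defining a `stderr` macro in the same header makes the member unreachable from any translation unit that keeps the macro: `fuzz.stderr` expands to `fuzz.(fuzz.stderr)` (the inner `stderr` is not re-expanded) and fails to compile, which is why fuzz-common.c has to `#undef stderr` before touching it. Giving the member a distinct name avoids the trap and leaves the `#undef` only for code that genuinely needs the real stream: `FILE *fuzz_stderr;` in the struct and `#define stderr (fuzz.fuzz_stderr)`, with fuzz-common.c updated to match. Since this header is presumably included by every translation unit of a fuzz build, the macro also rewrites `stderr` in any header included after it; a comment stating that the redirection is global and that only fuzz-common.c may undo it would help the next reader.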
diff --git a/fuzz-common.c b/fuzz/fuzz-common.c
index 60dab21..065b7d9 100644
--- a/fuzz-common.c
+++ b/fuzz/fuzz-common.c
@@ -11,12 +11,21 @@
#include "atomicio.h"
#include "fuzz-wrapfd.h"
+/* fuzz.h redefines stderr, we don't want that here */
+#undef stderr
+
struct dropbear_fuzz_options fuzz;
static void fuzz_dropbear_log(int UNUSED(priority), const char* format, va_list param);
static void load_fixed_hostkeys(void);
static void load_fixed_client_key(void);
+// This runs automatically before main, due to contructor attribute in fuzz.h
+void fuzz_early_setup(void) {
+ /* Set stderr to point to normal stderr by default */
+ fuzz.stderr = stderr;
+}
+
void fuzz_common_setup(void) {
disallow_core();
fuzz.fuzzing = 1;
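Review bot: The comment above `fuzz_early_setup` misspells "contructor", and the `#undef stderr` comment ("we don't want that here") understates why the undef is mandatory rather than a preference: with the macro from fuzz.h active the expression `fuzz.stderr` itself would not compile, and the `fprintf(stderr, ...)` notices later in this file are meant to reach the real stream. I would write: `/* fuzz.h redirects stderr to fuzz.stderr. This file initialises that member and writes startup notices to the real stream, so it must see the genuine stderr; keep this #undef after all includes. */`. `fuzz_common_setup` continues past the end of the hunk.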
@@ -25,9 +34,21 @@ void fuzz_common_setup(void) {
fuzz.input = m_malloc(sizeof(buffer));
_dropbear_log = fuzz_dropbear_log;
crypto_init();
- fuzz_seed();
+ fuzz_seed("start", 5);
/* let any messages get flushed */
setlinebuf(stdout);
+#if DEBUG_TRACE
+ if (debug_trace)
+ {
+ fprintf(stderr, "Dropbear fuzzer: -v specified, not disabling stderr output\n");
+ }
+ else
+#endif
+ {
+ fprintf(stderr, "Dropbear fuzzer: Disabling stderr output\n");
+ fuzz.stderr = fopen("/dev/null", "w");
+ assert(fuzz.stderr);
+ }
}
int fuzz_set_input(const uint8_t *Data, size_t Size) {
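Review bot: `fuzz.stderr = fopen("/dev/null", "w"); assert(fuzz.stderr);` leaves `fuzz.stderr` NULL when `fopen` fails in a build with `NDEBUG` defined, because the `assert` compiles away, and the next `fprintf(stderr, ...)` anywhere in the program then passes a NULL `FILE *` through the header's macro, so the fuzzer dies in stdio rather than in dropbear. Handle the failure explicitly and keep the real stream as the fallback: `FILE *devnull = fopen("/dev/null", "w");` / `if (devnull) fuzz.stderr = devnull;` / `else fprintf(stderr, "Dropbear fuzzer: could not open /dev/null, keeping stderr\n");`. Separately, `fuzz_seed("start", 5)` passes a `char` string to a `const unsigned char *` parameter, which draws a pointer-sign warning; `(const unsigned char *)"start"` makes the intent explicit. `fuzz_common_setup` begins before this hunk.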
@@ -42,7 +63,7 @@ int fuzz_set_input(const uint8_t *Data, size_t Size) {
memset(&cli_ses, 0x0, sizeof(cli_ses));
wrapfd_setup(fuzz.input);
- fuzz_seed();
+ fuzz_seed(fuzz.input->data, MIN(fuzz.input->len, 16));
return DROPBEAR_SUCCESS;
}
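Review bot: `fuzz_seed(fuzz.input->data, MIN(fuzz.input->len, 16))` ties the PRNG stream to the first 16 bytes of the input with no comment on the choice, and since those same bytes are presumably also fed to the code under test through `wrapfd_setup`, a reader may wonder whether the double use is intentional. I would add above it: `/* Reseed the PRNG from the input prefix (the buffer position is not advanced) so random choices in the code under test are a deterministic function of this corpus entry; only the first 16 bytes contribute, so inputs that differ only later share a random stream. */`. Whether 16 is a deliberate cap or merely "enough" bytes is not stated anywhere visible, so confirm that wording with the author. `fuzz_set_input` begins before this hunk.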
diff --git a/fuzz-harness.c b/fuzz/fuzz-harness.c
index ced707c..ced707c 100644
--- a/fuzz-harness.c
+++ b/fuzz/fuzz-harness.c
diff --git a/fuzz-hostkeys.c b/fuzz/fuzz-hostkeys.c
index 128c8d1..128c8d1 100644
--- a/fuzz-hostkeys.c
+++ b/fuzz/fuzz-hostkeys.c
diff --git a/fuzz-wrapfd.c b/fuzz/fuzz-wrapfd.c
index c6d59fc..c6d59fc 100644
--- a/fuzz-wrapfd.c
+++ b/fuzz/fuzz-wrapfd.c
diff --git a/fuzzer-client.c b/fuzz/fuzzer-client.c
index eb59f46..eb59f46 100644
--- a/fuzzer-client.c
+++ b/fuzz/fuzzer-client.c
diff --git a/fuzzer-client_nomaths.c b/fuzz/fuzzer-client_nomaths.c
index e0910a7..e0910a7 100644
--- a/fuzzer-client_nomaths.c
+++ b/fuzz/fuzzer-client_nomaths.c
diff --git a/fuzzer-kexcurve25519.c b/fuzz/fuzzer-kexcurve25519.c
index f2eab14..f2eab14 100644
--- a/fuzzer-kexcurve25519.c
+++ b/fuzz/fuzzer-kexcurve25519.c
diff --git a/fuzzer-kexdh.c b/fuzz/fuzzer-kexdh.c
index 224ff58..224ff58 100644
--- a/fuzzer-kexdh.c
+++ b/fuzz/fuzzer-kexdh.c
diff --git a/fuzzer-kexecdh.c b/fuzz/fuzzer-kexecdh.c
index c3a450a..c3a450a 100644
--- a/fuzzer-kexecdh.c
+++ b/fuzz/fuzzer-kexecdh.c
diff --git a/fuzzer-preauth.c b/fuzz/fuzzer-preauth.c
index 3ac49f4..3ac49f4 100644
--- a/fuzzer-preauth.c
+++ b/fuzz/fuzzer-preauth.c
diff --git a/fuzzer-preauth_nomaths.c b/fuzz/fuzzer-preauth_nomaths.c
index efdc2c3..efdc2c3 100644
--- a/fuzzer-preauth_nomaths.c
+++ b/fuzz/fuzzer-preauth_nomaths.c
diff --git a/fuzzer-pubkey.c b/fuzz/fuzzer-pubkey.c
index 7c12cdc..7c12cdc 100644
--- a/fuzzer-pubkey.c
+++ b/fuzz/fuzzer-pubkey.c
diff --git a/fuzzer-verify.c b/fuzz/fuzzer-verify.c
index a0ad086..a0ad086 100644
--- a/fuzzer-verify.c
+++ b/fuzz/fuzzer-verify.c