1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
|
#include "includes.h"
#include "includes.h"
#include "fuzz.h"
#include "dbutil.h"
#include "runopts.h"
#include "crypto_desc.h"
#include "session.h"
#include "dbrandom.h"
#include "fuzz-wrapfd.h"
struct dropbear_fuzz_options fuzz;
static void load_fixed_hostkeys(void);
static void common_setup_fuzzer(void) {
fuzz.fuzzing = 1;
fuzz.wrapfds = 1;
fuzz.input = m_malloc(sizeof(buffer));
crypto_init();
}
int fuzzer_set_input(const uint8_t *Data, size_t Size) {
fuzz.input->data = (unsigned char*)Data;
fuzz.input->size = Size;
fuzz.input->len = Size;
fuzz.input->pos = 0;
// get prefix. input format is
// string prefix
// uint32 wrapfd seed
// ... to be extended later
// [bytes] ssh input stream
// be careful to avoid triggering buffer.c assertions
if (fuzz.input->len < 8) {
return DROPBEAR_FAILURE;
}
size_t prefix_size = buf_getint(fuzz.input);
if (prefix_size != 4) {
return DROPBEAR_FAILURE;
}
uint32_t wrapseed = buf_getint(fuzz.input);
wrapfd_setup(wrapseed);
seedrandom();
return DROPBEAR_SUCCESS;
}
void svr_setup_fuzzer(void) {
struct passwd *pw;
common_setup_fuzzer();
_dropbear_exit = svr_dropbear_exit;
_dropbear_log = svr_dropbear_log;
char *argv[] = {
"-E",
};
int argc = sizeof(argv) / sizeof(*argv);
svr_getopts(argc, argv);
/* user lookups might be slow, cache it */
pw = getpwuid(getuid());
dropbear_assert(pw);
fuzz.pw_name = m_strdup(pw->pw_name);
fuzz.pw_dir = m_strdup(pw->pw_dir);
fuzz.pw_shell = m_strdup(pw->pw_shell);
fuzz.pw_passwd = m_strdup("!!zzznope");
load_fixed_hostkeys();
}
static void load_fixed_hostkeys(void) {
#include "fuzz-hostkeys.c"
buffer *b = buf_new(3000);
enum signkey_type type;
TRACE(("load fixed hostkeys"))
svr_opts.hostkey = new_sign_key();
buf_setlen(b, 0);
buf_putbytes(b, keyr, keyr_len);
buf_setpos(b, 0);
type = DROPBEAR_SIGNKEY_RSA;
if (buf_get_priv_key(b, svr_opts.hostkey, &type) == DROPBEAR_FAILURE) {
dropbear_exit("failed fixed rsa hostkey");
}
buf_setlen(b, 0);
buf_putbytes(b, keyd, keyd_len);
buf_setpos(b, 0);
type = DROPBEAR_SIGNKEY_DSS;
if (buf_get_priv_key(b, svr_opts.hostkey, &type) == DROPBEAR_FAILURE) {
dropbear_exit("failed fixed dss hostkey");
}
buf_setlen(b, 0);
buf_putbytes(b, keye, keye_len);
buf_setpos(b, 0);
type = DROPBEAR_SIGNKEY_ECDSA_NISTP256;
if (buf_get_priv_key(b, svr_opts.hostkey, &type) == DROPBEAR_FAILURE) {
dropbear_exit("failed fixed ecdsa hostkey");
}
buf_free(b);
}
void fuzz_kex_fakealgos(void) {
ses.newkeys->recv.crypt_mode = &dropbear_mode_none;
}
|