2017-05-13 14:50:54 +00:00
|
|
|
#include "includes.h"
|
|
|
|
|
|
|
|
|
|
#include "includes.h"
|
|
|
|
|
#include "fuzz.h"
|
|
|
|
|
#include "dbutil.h"
|
|
|
|
|
#include "runopts.h"
|
2017-05-18 15:36:54 +00:00
|
|
|
#include "crypto_desc.h"
|
|
|
|
|
#include "session.h"
|
2017-05-18 16:48:46 +00:00
|
|
|
#include "dbrandom.h"
|
|
|
|
|
#include "fuzz-wrapfd.h"
|
2017-05-13 14:50:54 +00:00
|
|
|
|
|
|
|
|
struct dropbear_fuzz_options fuzz;
|
|
|
|
|
|
2017-05-24 16:12:07 +00:00
|
|
|
static void fuzz_dropbear_log(int UNUSED(priority), const char* format, va_list param);
|
2017-05-13 14:50:54 +00:00
|
|
|
static void load_fixed_hostkeys(void);
|
|
|
|
|
|
2017-05-23 14:43:34 +00:00
|
|
|
void common_setup_fuzzer(void) {
|
2017-05-13 14:50:54 +00:00
|
|
|
fuzz.fuzzing = 1;
|
2017-05-20 05:23:16 +00:00
|
|
|
fuzz.wrapfds = 1;
|
2017-05-18 16:48:46 +00:00
|
|
|
fuzz.input = m_malloc(sizeof(buffer));
|
2017-05-24 16:12:07 +00:00
|
|
|
_dropbear_log = fuzz_dropbear_log;
|
2017-05-13 15:45:51 +00:00
|
|
|
crypto_init();
|
2017-05-13 14:50:54 +00:00
|
|
|
}
|
|
|
|
|
|
2017-05-18 16:48:46 +00:00
|
|
|
int fuzzer_set_input(const uint8_t *Data, size_t Size) {
|
|
|
|
|
|
|
|
|
|
fuzz.input->data = (unsigned char*)Data;
|
|
|
|
|
fuzz.input->size = Size;
|
|
|
|
|
fuzz.input->len = Size;
|
|
|
|
|
fuzz.input->pos = 0;
|
|
|
|
|
|
2017-05-20 14:47:19 +00:00
|
|
|
memset(&ses, 0x0, sizeof(ses));
|
|
|
|
|
memset(&svr_ses, 0x0, sizeof(svr_ses));
|
|
|
|
|
|
2017-05-18 16:48:46 +00:00
|
|
|
// get prefix. input format is
|
|
|
|
|
// string prefix
|
2017-05-20 05:23:16 +00:00
|
|
|
// uint32 wrapfd seed
|
2017-05-18 16:48:46 +00:00
|
|
|
// ... to be extended later
|
|
|
|
|
// [bytes] ssh input stream
|
|
|
|
|
|
|
|
|
|
// be careful to avoid triggering buffer.c assertions
|
|
|
|
|
if (fuzz.input->len < 8) {
|
|
|
|
|
return DROPBEAR_FAILURE;
|
|
|
|
|
}
|
|
|
|
|
size_t prefix_size = buf_getint(fuzz.input);
|
|
|
|
|
if (prefix_size != 4) {
|
|
|
|
|
return DROPBEAR_FAILURE;
|
|
|
|
|
}
|
|
|
|
|
uint32_t wrapseed = buf_getint(fuzz.input);
|
|
|
|
|
wrapfd_setup(wrapseed);
|
|
|
|
|
|
2017-05-23 14:43:34 +00:00
|
|
|
fuzz_seed();
|
2017-05-18 16:48:46 +00:00
|
|
|
|
|
|
|
|
return DROPBEAR_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
2017-05-24 16:12:07 +00:00
|
|
|
static void fuzz_dropbear_log(int UNUSED(priority), const char* format, va_list param) {
|
|
|
|
|
|
|
|
|
|
char printbuf[1024];
|
|
|
|
|
|
|
|
|
|
#if DEBUG_TRACE
|
|
|
|
|
if (debug_trace) {
|
|
|
|
|
vsnprintf(printbuf, sizeof(printbuf), format, param);
|
|
|
|
|
fprintf(stderr, "%s\n", printbuf);
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
}
|
2017-05-18 16:48:46 +00:00
|
|
|
|
2017-05-13 14:50:54 +00:00
|
|
|
void svr_setup_fuzzer(void) {
|
|
|
|
|
struct passwd *pw;
|
|
|
|
|
|
|
|
|
|
common_setup_fuzzer();
|
2017-05-18 15:36:54 +00:00
|
|
|
|
|
|
|
|
_dropbear_exit = svr_dropbear_exit;
|
2017-05-13 14:50:54 +00:00
|
|
|
|
|
|
|
|
char *argv[] = {
|
|
|
|
|
"-E",
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
int argc = sizeof(argv) / sizeof(*argv);
|
|
|
|
|
svr_getopts(argc, argv);
|
|
|
|
|
|
|
|
|
|
/* user lookups might be slow, cache it */
|
|
|
|
|
pw = getpwuid(getuid());
|
|
|
|
|
dropbear_assert(pw);
|
|
|
|
|
fuzz.pw_name = m_strdup(pw->pw_name);
|
|
|
|
|
fuzz.pw_dir = m_strdup(pw->pw_dir);
|
|
|
|
|
fuzz.pw_shell = m_strdup(pw->pw_shell);
|
|
|
|
|
fuzz.pw_passwd = m_strdup("!!zzznope");
|
|
|
|
|
|
|
|
|
|
load_fixed_hostkeys();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void load_fixed_hostkeys(void) {
|
|
|
|
|
#include "fuzz-hostkeys.c"
|
|
|
|
|
|
|
|
|
|
buffer *b = buf_new(3000);
|
|
|
|
|
enum signkey_type type;
|
|
|
|
|
|
|
|
|
|
TRACE(("load fixed hostkeys"))
|
|
|
|
|
|
|
|
|
|
svr_opts.hostkey = new_sign_key();
|
|
|
|
|
|
|
|
|
|
buf_setlen(b, 0);
|
|
|
|
|
buf_putbytes(b, keyr, keyr_len);
|
|
|
|
|
buf_setpos(b, 0);
|
|
|
|
|
type = DROPBEAR_SIGNKEY_RSA;
|
|
|
|
|
if (buf_get_priv_key(b, svr_opts.hostkey, &type) == DROPBEAR_FAILURE) {
|
|
|
|
|
dropbear_exit("failed fixed rsa hostkey");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
buf_setlen(b, 0);
|
|
|
|
|
buf_putbytes(b, keyd, keyd_len);
|
|
|
|
|
buf_setpos(b, 0);
|
|
|
|
|
type = DROPBEAR_SIGNKEY_DSS;
|
|
|
|
|
if (buf_get_priv_key(b, svr_opts.hostkey, &type) == DROPBEAR_FAILURE) {
|
|
|
|
|
dropbear_exit("failed fixed dss hostkey");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
buf_setlen(b, 0);
|
|
|
|
|
buf_putbytes(b, keye, keye_len);
|
|
|
|
|
buf_setpos(b, 0);
|
|
|
|
|
type = DROPBEAR_SIGNKEY_ECDSA_NISTP256;
|
|
|
|
|
if (buf_get_priv_key(b, svr_opts.hostkey, &type) == DROPBEAR_FAILURE) {
|
|
|
|
|
dropbear_exit("failed fixed ecdsa hostkey");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
buf_free(b);
|
|
|
|
|
}
|
|
|
|
|
|
2017-05-20 05:23:16 +00:00
|
|
|
void fuzz_kex_fakealgos(void) {
|
|
|
|
|
ses.newkeys->recv.crypt_mode = &dropbear_mode_none;
|
|
|
|
|
}
|
