Load password and key for client fuzzer.

Add fuzz_dump()
2025-02-07 05:17:28 +00:00 · 2020-10-20 23:34:38 +08:00 · 2020-10-20 23:34:38 +08:00 · 1a7b944917
commit 1a7b944917
parent 3b400bd64e
5 changed files with 60 additions and 9 deletions
--- a/common-session.c
+++ b/common-session.c
@ -465,6 +465,11 @@ static int ident_readln(int fd, char* buf, int count) {
 				TRACE(("leave ident_readln: EOF"))
 				return -1;
 			}
+
+#ifdef DROPBEAR_FUZZ
+			fuzz_dump(&in, 1);
+#endif
+
 			if (in == '\n') {
 				/* end of ident string */
 				break;
--- a/fuzz-common.c
+++ b/fuzz-common.c
@ -8,12 +8,14 @@
 #include "session.h"
 #include "dbrandom.h"
 #include "bignum.h"
+#include "atomicio.h"
 #include "fuzz-wrapfd.h"

 struct dropbear_fuzz_options fuzz;

 static void fuzz_dropbear_log(int UNUSED(priority), const char* format, va_list param);
 static void load_fixed_hostkeys(void);
+static void load_fixed_client_key(void);

 void fuzz_common_setup(void) {
 	disallow_core();
@ -85,14 +87,38 @@ void fuzz_cli_setup(void) {
 		"dbclient",
 		"-y",
        "localhost",
+        "uptime"
    };

    int argc = sizeof(argv) / sizeof(*argv);
    cli_getopts(argc, argv);
+
+    load_fixed_client_key();
+    /* Avoid password prompt */
+    setenv(DROPBEAR_PASSWORD_ENV, "password", 1);
+}
+
+#include "fuzz-hostkeys.c"   
+
+static void load_fixed_client_key(void) {
+
+    buffer *b = buf_new(3000);
+    sign_key *key;
+    enum signkey_type keytype;
+
+    key = new_sign_key();
+    keytype = DROPBEAR_SIGNKEY_ANY;
+    buf_putbytes(b, keyed25519, keyed25519_len);
+    buf_setpos(b, 0);
+    if (buf_get_priv_key(b, key, &keytype) == DROPBEAR_FAILURE) {
+        dropbear_exit("failed fixed ed25519 hostkey");
+    }
+    list_append(cli_opts.privkeys, key);
+
+    buf_free(b);
 }

 static void load_fixed_hostkeys(void) {
-#include "fuzz-hostkeys.c"   

    buffer *b = buf_new(3000);
    enum signkey_type type;
@ -276,3 +302,10 @@ const void* fuzz_get_algo(const algo_type *algos, const char* name) {
    }
    assert(0);
 }
+
+void fuzz_dump(const unsigned char* data, size_t len) {
+    TRACE(("dump %zu", len))
+    if (fuzz.dumping) {
+        assert(atomicio(vwrite, fuzz.recv_dumpfd, (void*)data, len) == len);
+    }
+}
--- a/fuzz-hostkeys.c
+++ b/fuzz-hostkeys.c
@ -1,5 +1,6 @@
+/* To be included in fuzz-common.c */

-unsigned char keyr[] = {
+static unsigned char keyr[] = {
  0x00, 0x00, 0x00, 0x07, 0x73, 0x73, 0x68, 0x2d, 0x72, 0x73, 0x61, 0x00,
  0x00, 0x00, 0x03, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0xb1,
  0x06, 0x95, 0xc9, 0xa8, 0x38, 0xb9, 0x99, 0x91, 0xb5, 0x17, 0x39, 0xb9,
@ -69,8 +70,8 @@ unsigned char keyr[] = {
  0xb0, 0x9b, 0xea, 0x18, 0x77, 0xf6, 0x25, 0x02, 0xb4, 0x5e, 0x71, 0xea,
  0xa3
 };
-unsigned int keyr_len = 805;
-unsigned char keye[] = {
+static unsigned int keyr_len = 805;
+static unsigned char keye[] = {
  0x00, 0x00, 0x00, 0x13, 0x65, 0x63, 0x64, 0x73, 0x61, 0x2d, 0x73, 0x68,
  0x61, 0x32, 0x2d, 0x6e, 0x69, 0x73, 0x74, 0x70, 0x32, 0x35, 0x36, 0x00,
  0x00, 0x00, 0x08, 0x6e, 0x69, 0x73, 0x74, 0x70, 0x32, 0x35, 0x36, 0x00,
@ -84,8 +85,8 @@ unsigned char keye[] = {
  0x3c, 0x58, 0x28, 0x70, 0x9b, 0x23, 0x39, 0x51, 0xd7, 0xbc, 0xa7, 0x1a,
  0xf5, 0xb4, 0x23, 0xd3, 0xf6, 0x17, 0xa6, 0x9c, 0x02
 };
-unsigned int keye_len = 141;
-unsigned char keyd[] = {
+static unsigned int keye_len = 141;
+static unsigned char keyd[] = {
  0x00, 0x00, 0x00, 0x07, 0x73, 0x73, 0x68, 0x2d, 0x64, 0x73, 0x73, 0x00,
  0x00, 0x00, 0x81, 0x00, 0xb0, 0x02, 0x19, 0x8b, 0xf3, 0x46, 0xf9, 0xc5,
  0x47, 0x78, 0x3d, 0x7f, 0x04, 0x10, 0x0a, 0x43, 0x8e, 0x00, 0x9e, 0xa4,
@ -126,8 +127,8 @@ unsigned char keyd[] = {
  0x7b, 0xac, 0xaa, 0x0c, 0xa2, 0xca, 0x7b, 0xa8, 0xd4, 0xdf, 0x68, 0x56,
  0xf9, 0x39
 };
-unsigned int keyd_len = 458;
-unsigned char keyed25519[] = {
+static unsigned int keyd_len = 458;
+static unsigned char keyed25519[] = {
  0x00, 0x00, 0x00, 0x0b, 0x73, 0x73, 0x68, 0x2d, 0x65, 0x64, 0x32, 0x35,
  0x35, 0x31, 0x39, 0x00, 0x00, 0x00, 0x40, 0x10, 0xb3, 0x79, 0x06, 0xe5,
  0x9b, 0xe7, 0xe4, 0x6e, 0xec, 0xfe, 0xa5, 0x39, 0x21, 0x7c, 0xf6, 0x66,
@ -136,4 +137,4 @@ unsigned char keyed25519[] = {
  0xa4, 0xd5, 0xe9, 0x23, 0xfe, 0x8e, 0xd6, 0xd4, 0xf9, 0xb1, 0x11, 0x69,
  0x7c, 0x57, 0x52, 0x0e, 0x41, 0xdb, 0x1b, 0x12, 0x87, 0xfa, 0xc9
 };
-unsigned int keyed25519_len = 83;
+static unsigned int keyed25519_len = 83;
--- a/fuzz.h
+++ b/fuzz.h
@ -36,6 +36,7 @@ void fuzz_get_socket_address(int fd, char **local_host, char **local_port,
                        char **remote_host, char **remote_port, int host_lookup);
 void fuzz_fake_send_kexdh_reply(void);
 int fuzz_spawn_command(int *ret_writefd, int *ret_readfd, int *ret_errfd, pid_t *ret_pid);
+void fuzz_dump(const unsigned char* data, size_t len);

 // fake IO wrappers
 #ifndef FUZZ_SKIP_WRAP
@ -61,6 +62,12 @@ struct dropbear_fuzz_options {
    // dropbear_exit() jumps back
    int do_jmp;
    sigjmp_buf jmp;
+
+    // write out decrypted session data to this FD if it's set
+    // flag - this needs to be set manually in cli-main.c etc
+    int dumping;
+    // the file descriptor
+    int recv_dumpfd;
 };

 extern struct dropbear_fuzz_options fuzz;
--- a/packet.c
+++ b/packet.c
@ -344,7 +344,12 @@ void decrypt_packet() {
 		if (checkmac() != DROPBEAR_SUCCESS) {
 			dropbear_exit("Integrity error");
 		}
+
 	}
+	
+#if DROPBEAR_FUZZ
+	fuzz_dump(ses.readbuf->data, ses.readbuf->len);
+#endif

 	/* get padding length */
 	buf_setpos(ses.readbuf, PACKET_PADDING_OFF);