ClearML/dropbear
1
0
Fork 0
mirror of https://github.com/clearml/dropbear synced 2025-02-11 23:23:30 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Load password and key for client fuzzer.

Browse Source 
Add fuzz_dump()
This commit is contained in:
Matt Johnston 2020-10-20 23:34:38 +08:00
parent 3b400bd64e
commit 1a7b944917
5 changed files with 60 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
common-session.c
View File

@ -465,6 +465,11 @@ static int ident_readln(int fd, char* buf, int count) {
TRACE(("leave ident_readln: EOF")) TRACE(("leave ident_readln: EOF"))
return -1; return -1;
} }
#ifdef DROPBEAR_FUZZ
fuzz_dump(&in, 1);
#endif
if (in == '\n') { if (in == '\n') {
/* end of ident string */ /* end of ident string */
break; break;

35
fuzz-common.c
View File

@ -8,12 +8,14 @@
#include "session.h" #include "session.h"
#include "dbrandom.h" #include "dbrandom.h"
#include "bignum.h" #include "bignum.h"
#include "atomicio.h"
#include "fuzz-wrapfd.h" #include "fuzz-wrapfd.h"
struct dropbear_fuzz_options fuzz; struct dropbear_fuzz_options fuzz;
static void fuzz_dropbear_log(int UNUSED(priority), const char* format, va_list param); static void fuzz_dropbear_log(int UNUSED(priority), const char* format, va_list param);
static void load_fixed_hostkeys(void); static void load_fixed_hostkeys(void);
static void load_fixed_client_key(void);
void fuzz_common_setup(void) { void fuzz_common_setup(void) {
disallow_core(); disallow_core();
@ -85,14 +87,38 @@ void fuzz_cli_setup(void) {
"dbclient", "dbclient",
"-y", "-y",
"localhost", "localhost",
"uptime"
}; };
int argc = sizeof(argv) / sizeof(*argv); int argc = sizeof(argv) / sizeof(*argv);
cli_getopts(argc, argv); cli_getopts(argc, argv);
load_fixed_client_key();
/* Avoid password prompt */
setenv(DROPBEAR_PASSWORD_ENV, "password", 1);
}
#include "fuzz-hostkeys.c"
static void load_fixed_client_key(void) {
buffer *b = buf_new(3000);
sign_key *key;
enum signkey_type keytype;
key = new_sign_key();
keytype = DROPBEAR_SIGNKEY_ANY;
buf_putbytes(b, keyed25519, keyed25519_len);
buf_setpos(b, 0);
if (buf_get_priv_key(b, key, &keytype) == DROPBEAR_FAILURE) {
dropbear_exit("failed fixed ed25519 hostkey");
}
list_append(cli_opts.privkeys, key);
buf_free(b);
} }
static void load_fixed_hostkeys(void) { static void load_fixed_hostkeys(void) {
#include "fuzz-hostkeys.c"
buffer *b = buf_new(3000); buffer *b = buf_new(3000);
enum signkey_type type; enum signkey_type type;
@ -276,3 +302,10 @@ const void* fuzz_get_algo(const algo_type *algos, const char* name) {
} }
assert(0); assert(0);
} }
void fuzz_dump(const unsigned char* data, size_t len) {
TRACE(("dump %zu", len))
if (fuzz.dumping) {
assert(atomicio(vwrite, fuzz.recv_dumpfd, (void*)data, len) == len);
}
}

17
fuzz-hostkeys.c
View File

@ -1,5 +1,6 @@
/* To be included in fuzz-common.c */
unsigned char keyr[] = { static unsigned char keyr[] = {
0x00, 0x00, 0x00, 0x07, 0x73, 0x73, 0x68, 0x2d, 0x72, 0x73, 0x61, 0x00, 0x00, 0x00, 0x00, 0x07, 0x73, 0x73, 0x68, 0x2d, 0x72, 0x73, 0x61, 0x00,
0x00, 0x00, 0x03, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0xb1, 0x00, 0x00, 0x03, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0xb1,
0x06, 0x95, 0xc9, 0xa8, 0x38, 0xb9, 0x99, 0x91, 0xb5, 0x17, 0x39, 0xb9, 0x06, 0x95, 0xc9, 0xa8, 0x38, 0xb9, 0x99, 0x91, 0xb5, 0x17, 0x39, 0xb9,
@ -69,8 +70,8 @@ unsigned char keyr[] = {
0xb0, 0x9b, 0xea, 0x18, 0x77, 0xf6, 0x25, 0x02, 0xb4, 0x5e, 0x71, 0xea, 0xb0, 0x9b, 0xea, 0x18, 0x77, 0xf6, 0x25, 0x02, 0xb4, 0x5e, 0x71, 0xea,
0xa3 0xa3
}; };
unsigned int keyr_len = 805; static unsigned int keyr_len = 805;
unsigned char keye[] = { static unsigned char keye[] = {
0x00, 0x00, 0x00, 0x13, 0x65, 0x63, 0x64, 0x73, 0x61, 0x2d, 0x73, 0x68, 0x00, 0x00, 0x00, 0x13, 0x65, 0x63, 0x64, 0x73, 0x61, 0x2d, 0x73, 0x68,
0x61, 0x32, 0x2d, 0x6e, 0x69, 0x73, 0x74, 0x70, 0x32, 0x35, 0x36, 0x00, 0x61, 0x32, 0x2d, 0x6e, 0x69, 0x73, 0x74, 0x70, 0x32, 0x35, 0x36, 0x00,
0x00, 0x00, 0x08, 0x6e, 0x69, 0x73, 0x74, 0x70, 0x32, 0x35, 0x36, 0x00, 0x00, 0x00, 0x08, 0x6e, 0x69, 0x73, 0x74, 0x70, 0x32, 0x35, 0x36, 0x00,
@ -84,8 +85,8 @@ unsigned char keye[] = {
0x3c, 0x58, 0x28, 0x70, 0x9b, 0x23, 0x39, 0x51, 0xd7, 0xbc, 0xa7, 0x1a, 0x3c, 0x58, 0x28, 0x70, 0x9b, 0x23, 0x39, 0x51, 0xd7, 0xbc, 0xa7, 0x1a,
0xf5, 0xb4, 0x23, 0xd3, 0xf6, 0x17, 0xa6, 0x9c, 0x02 0xf5, 0xb4, 0x23, 0xd3, 0xf6, 0x17, 0xa6, 0x9c, 0x02
}; };
unsigned int keye_len = 141; static unsigned int keye_len = 141;
unsigned char keyd[] = { static unsigned char keyd[] = {
0x00, 0x00, 0x00, 0x07, 0x73, 0x73, 0x68, 0x2d, 0x64, 0x73, 0x73, 0x00, 0x00, 0x00, 0x00, 0x07, 0x73, 0x73, 0x68, 0x2d, 0x64, 0x73, 0x73, 0x00,
0x00, 0x00, 0x81, 0x00, 0xb0, 0x02, 0x19, 0x8b, 0xf3, 0x46, 0xf9, 0xc5, 0x00, 0x00, 0x81, 0x00, 0xb0, 0x02, 0x19, 0x8b, 0xf3, 0x46, 0xf9, 0xc5,
0x47, 0x78, 0x3d, 0x7f, 0x04, 0x10, 0x0a, 0x43, 0x8e, 0x00, 0x9e, 0xa4, 0x47, 0x78, 0x3d, 0x7f, 0x04, 0x10, 0x0a, 0x43, 0x8e, 0x00, 0x9e, 0xa4,
@ -126,8 +127,8 @@ unsigned char keyd[] = {
0x7b, 0xac, 0xaa, 0x0c, 0xa2, 0xca, 0x7b, 0xa8, 0xd4, 0xdf, 0x68, 0x56, 0x7b, 0xac, 0xaa, 0x0c, 0xa2, 0xca, 0x7b, 0xa8, 0xd4, 0xdf, 0x68, 0x56,
0xf9, 0x39 0xf9, 0x39
}; };
unsigned int keyd_len = 458; static unsigned int keyd_len = 458;
unsigned char keyed25519[] = { static unsigned char keyed25519[] = {
0x00, 0x00, 0x00, 0x0b, 0x73, 0x73, 0x68, 0x2d, 0x65, 0x64, 0x32, 0x35, 0x00, 0x00, 0x00, 0x0b, 0x73, 0x73, 0x68, 0x2d, 0x65, 0x64, 0x32, 0x35,
0x35, 0x31, 0x39, 0x00, 0x00, 0x00, 0x40, 0x10, 0xb3, 0x79, 0x06, 0xe5, 0x35, 0x31, 0x39, 0x00, 0x00, 0x00, 0x40, 0x10, 0xb3, 0x79, 0x06, 0xe5,
0x9b, 0xe7, 0xe4, 0x6e, 0xec, 0xfe, 0xa5, 0x39, 0x21, 0x7c, 0xf6, 0x66, 0x9b, 0xe7, 0xe4, 0x6e, 0xec, 0xfe, 0xa5, 0x39, 0x21, 0x7c, 0xf6, 0x66,
@ -136,4 +137,4 @@ unsigned char keyed25519[] = {
0xa4, 0xd5, 0xe9, 0x23, 0xfe, 0x8e, 0xd6, 0xd4, 0xf9, 0xb1, 0x11, 0x69, 0xa4, 0xd5, 0xe9, 0x23, 0xfe, 0x8e, 0xd6, 0xd4, 0xf9, 0xb1, 0x11, 0x69,
0x7c, 0x57, 0x52, 0x0e, 0x41, 0xdb, 0x1b, 0x12, 0x87, 0xfa, 0xc9 0x7c, 0x57, 0x52, 0x0e, 0x41, 0xdb, 0x1b, 0x12, 0x87, 0xfa, 0xc9
}; };
unsigned int keyed25519_len = 83; static unsigned int keyed25519_len = 83;

7
fuzz.h
View File

@ -36,6 +36,7 @@ void fuzz_get_socket_address(int fd, char **local_host, char **local_port,
char **remote_host, char **remote_port, int host_lookup); char **remote_host, char **remote_port, int host_lookup);
void fuzz_fake_send_kexdh_reply(void); void fuzz_fake_send_kexdh_reply(void);
int fuzz_spawn_command(int *ret_writefd, int *ret_readfd, int *ret_errfd, pid_t *ret_pid); int fuzz_spawn_command(int *ret_writefd, int *ret_readfd, int *ret_errfd, pid_t *ret_pid);
void fuzz_dump(const unsigned char* data, size_t len);
// fake IO wrappers // fake IO wrappers
#ifndef FUZZ_SKIP_WRAP #ifndef FUZZ_SKIP_WRAP
@ -61,6 +62,12 @@ struct dropbear_fuzz_options {
// dropbear_exit() jumps back // dropbear_exit() jumps back
int do_jmp; int do_jmp;
sigjmp_buf jmp; sigjmp_buf jmp;
// write out decrypted session data to this FD if it's set
// flag - this needs to be set manually in cli-main.c etc
int dumping;
// the file descriptor
int recv_dumpfd;
}; };
extern struct dropbear_fuzz_options fuzz; extern struct dropbear_fuzz_options fuzz;

5
packet.c
View File

@ -344,7 +344,12 @@ void decrypt_packet() {
if (checkmac() != DROPBEAR_SUCCESS) { if (checkmac() != DROPBEAR_SUCCESS) {
dropbear_exit("Integrity error"); dropbear_exit("Integrity error");
} }
} }
#if DROPBEAR_FUZZ
fuzz_dump(ses.readbuf->data, ses.readbuf->len);
#endif
/* get padding length */ /* get padding length */
buf_setpos(ses.readbuf, PACKET_PADDING_OFF); buf_setpos(ses.readbuf, PACKET_PADDING_OFF);