ClearML/dropbear
1
0
Fork 0
mirror of https://github.com/clearml/dropbear synced 2025-04-05 21:25:08 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

closer to working

Browse Source 
--HG--
branch : fuzz
This commit is contained in:
Matt Johnston 2017-05-20 13:23:16 +08:00
parent e7cdb2ebe5
commit fdc6f32392
12 changed files with 103 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
common-kex.c
View File

@ -944,14 +944,9 @@ static void read_kex_algos() {
} }
#ifdef DROPBEAR_FUZZ #ifdef DROPBEAR_FUZZ
ses.newkeys->recv.algo_crypt = &dropbear_nocipher; if (fuzz.fuzzing) {
ses.newkeys->trans.algo_crypt = &dropbear_nocipher; fuzz_kex_fakealgos();
ses.newkeys->recv.crypt_mode = &dropbear_mode_none; }
ses.newkeys->trans.crypt_mode = &dropbear_mode_none;
ses.newkeys->recv.algo_mac = &dropbear_nohash;
ses.newkeys->trans.algo_mac = &dropbear_nohash;
ses.newkeys->recv.algo_comp = DROPBEAR_COMP_NONE;
ses.newkeys->trans.algo_comp = DROPBEAR_COMP_NONE;
#endif #endif
/* reserved for future extensions */ /* reserved for future extensions */

5
common-session.c
View File

@ -161,7 +161,12 @@ void session_loop(void(*loophandler)()) {
/* We get woken up when signal handlers write to this pipe. /* We get woken up when signal handlers write to this pipe.
SIGCHLD in svr-chansession is the only one currently. */ SIGCHLD in svr-chansession is the only one currently. */
#ifdef DROPBEAR_FUZZ
if (!fuzz.fuzzing)
#endif
{
FD_SET(ses.signal_pipe[0], &readfd); FD_SET(ses.signal_pipe[0], &readfd);
}
ses.channel_signal_pending = 0; ses.channel_signal_pending = 0;
/* set up for channels which can be read/written */ /* set up for channels which can be read/written */

2
dbrandom.c
View File

@ -28,8 +28,6 @@
#include "bignum.h" #include "bignum.h"
#include "dbrandom.h" #include "dbrandom.h"
#include "runopts.h" #include "runopts.h"
#include "fuzz.h"
/* this is used to generate unique output from the same hashpool */ /* this is used to generate unique output from the same hashpool */
static uint32_t counter = 0; static uint32_t counter = 0;

9
fuzz-common.c
View File

@ -1,7 +1,5 @@
#include "includes.h" #include "includes.h"
#ifdef DROPBEAR_FUZZ
#include "includes.h" #include "includes.h"
#include "fuzz.h" #include "fuzz.h"
#include "dbutil.h" #include "dbutil.h"
@ -17,6 +15,7 @@ static void load_fixed_hostkeys(void);
static void common_setup_fuzzer(void) { static void common_setup_fuzzer(void) {
fuzz.fuzzing = 1; fuzz.fuzzing = 1;
fuzz.wrapfds = 1;
fuzz.input = m_malloc(sizeof(buffer)); fuzz.input = m_malloc(sizeof(buffer));
crypto_init(); crypto_init();
} }
@ -30,7 +29,7 @@ int fuzzer_set_input(const uint8_t *Data, size_t Size) {
// get prefix. input format is // get prefix. input format is
// string prefix // string prefix
// uint32_t seed // uint32 wrapfd seed
// ... to be extended later // ... to be extended later
// [bytes] ssh input stream // [bytes] ssh input stream
@ -114,4 +113,6 @@ static void load_fixed_hostkeys(void) {
buf_free(b); buf_free(b);
} }
#endif /* DROPBEAR_FUZZ */ void fuzz_kex_fakealgos(void) {
ses.newkeys->recv.crypt_mode = &dropbear_mode_none;
}

4
fuzz-harness.c
View File

@ -8,6 +8,10 @@ int main(int argc, char ** argv) {
int i; int i;
buffer *input = buf_new(100000); buffer *input = buf_new(100000);
#if DROPBEAR_TRACE
debug_trace = 1;
#endif
for (i = 1; i < argc; i++) { for (i = 1; i < argc; i++) {
char* fn = argv[i]; char* fn = argv[i];
buf_setlen(input, 0); buf_setlen(input, 0);

58
fuzz-wrapfd.c
View File

@ -1,6 +1,9 @@
#define FUZZ_SKIP_WRAP 1
#include "includes.h" #include "includes.h"
#include "fuzz-wrapfd.h" #include "fuzz-wrapfd.h"
#include "fuzz.h"
static const int IOWRAP_MAXFD = FD_SETSIZE-1; static const int IOWRAP_MAXFD = FD_SETSIZE-1;
static const int MAX_RANDOM_IN = 50000; static const int MAX_RANDOM_IN = 50000;
static const double CHANCE_CLOSE = 1.0 / 300; static const double CHANCE_CLOSE = 1.0 / 300;
@ -22,6 +25,7 @@ static unsigned int nused;
static unsigned short rand_state[3]; static unsigned short rand_state[3];
void wrapfd_setup(uint32_t seed) { void wrapfd_setup(uint32_t seed) {
TRACE(("wrapfd_setup %x", seed))
nused = 0; nused = 0;
memset(wrap_fds, 0x0, sizeof(wrap_fds)); memset(wrap_fds, 0x0, sizeof(wrap_fds));
@ -35,6 +39,8 @@ void wrapfd_add(int fd, buffer *buf, enum wrapfd_mode mode) {
assert(wrap_fds[fd].mode == UNUSED); assert(wrap_fds[fd].mode == UNUSED);
assert(buf || mode == RANDOMIN); assert(buf || mode == RANDOMIN);
TRACE(("wrapfd_add %d buf %p mode %d", fd, buf, mode))
wrap_fds[fd].mode = mode; wrap_fds[fd].mode = mode;
wrap_fds[fd].buf = buf; wrap_fds[fd].buf = buf;
wrap_used[nused] = fd; wrap_used[nused] = fd;
@ -49,6 +55,8 @@ void wrapfd_remove(int fd) {
assert(wrap_fds[fd].mode != UNUSED); assert(wrap_fds[fd].mode != UNUSED);
wrap_fds[fd].mode = UNUSED; wrap_fds[fd].mode = UNUSED;
TRACE(("wrapfd_remove %d", fd))
// remove from used list // remove from used list
for (i = 0, j = 0; i < nused; i++) { for (i = 0, j = 0; i < nused; i++) {
if (wrap_used[i] != fd) { if (wrap_used[i] != fd) {
@ -64,7 +72,12 @@ int wrapfd_read(int fd, void *out, size_t count) {
size_t maxread; size_t maxread;
buffer *buf; buffer *buf;
if (fd < 0 || fd > IOWRAP_MAXFD || wrap_fds[fd].mode != UNUSED) { if (!fuzz.wrapfds) {
return read(fd, out, count);
}
if (fd < 0 || fd > IOWRAP_MAXFD || wrap_fds[fd].mode == UNUSED) {
// XXX - assertion failure?
TRACE(("Bad read descriptor %d\n", fd)) TRACE(("Bad read descriptor %d\n", fd))
errno = EBADF; errno = EBADF;
return -1; return -1;
@ -86,7 +99,9 @@ int wrapfd_read(int fd, void *out, size_t count) {
if (buf) { if (buf) {
maxread = MIN(buf->len - buf->pos, count); maxread = MIN(buf->len - buf->pos, count);
// returns 0 if buf is EOF, as intended // returns 0 if buf is EOF, as intended
if (maxread > 0) {
maxread = nrand48(rand_state) % maxread + 1; maxread = nrand48(rand_state) % maxread + 1;
}
memcpy(out, buf_getptr(buf, maxread), maxread); memcpy(out, buf_getptr(buf, maxread), maxread);
buf_incrpos(buf, maxread); buf_incrpos(buf, maxread);
return maxread; return maxread;
@ -101,7 +116,13 @@ int wrapfd_read(int fd, void *out, size_t count) {
int wrapfd_write(int fd, const void* in, size_t count) { int wrapfd_write(int fd, const void* in, size_t count) {
unsigned const volatile char* volin = in; unsigned const volatile char* volin = in;
unsigned int i; unsigned int i;
if (fd < 0 || fd > IOWRAP_MAXFD || wrap_fds[fd].mode != UNUSED) {
if (!fuzz.wrapfds) {
return write(fd, in, count);
}
if (fd < 0 || fd > IOWRAP_MAXFD || wrap_fds[fd].mode == UNUSED) {
// XXX - assertion failure?
TRACE(("Bad read descriptor %d\n", fd)) TRACE(("Bad read descriptor %d\n", fd))
errno = EBADF; errno = EBADF;
return -1; return -1;
@ -128,11 +149,15 @@ int wrapfd_write(int fd, const void* in, size_t count) {
} }
int wrapfd_select(int nfds, fd_set *readfds, fd_set *writefds, int wrapfd_select(int nfds, fd_set *readfds, fd_set *writefds,
fd_set *UNUSED(exceptfds), struct timeval *UNUSED(timeout)) { fd_set *exceptfds, struct timeval *timeout) {
int i, nset; int i, nset, sel;
int ret = 0; int ret = 0;
int fdlist[IOWRAP_MAXFD+1] = {0}; int fdlist[IOWRAP_MAXFD+1] = {0};
if (!fuzz.wrapfds) {
return select(nfds, readfds, writefds, exceptfds, timeout);
}
assert(nfds <= IOWRAP_MAXFD+1); assert(nfds <= IOWRAP_MAXFD+1);
if (erand48(rand_state) < CHANCE_INTR) { if (erand48(rand_state) < CHANCE_INTR) {
@ -141,24 +166,26 @@ int wrapfd_select(int nfds, fd_set *readfds, fd_set *writefds,
} }
// read // read
if (erand48(rand_state) < CHANCE_READ1) { if (readfds != NULL && erand48(rand_state) < CHANCE_READ1) {
for (i = 0, nset = 0; i < nfds; i++) { for (i = 0, nset = 0; i < nfds; i++) {
if (FD_ISSET(i, readfds)) { if (FD_ISSET(i, readfds)) {
assert(wrap_fds[i].mode != UNUSED); assert(wrap_fds[i].mode != UNUSED);
fdlist[nset] = i; fdlist[nset] = i;
nset++;
} }
} }
FD_ZERO(readfds); FD_ZERO(readfds);
if (nset > 0) { if (nset > 0) {
// set one // set one
FD_SET(fdlist[random() % nset], readfds); sel = fdlist[nrand48(rand_state) % nset];
FD_SET(sel, readfds);
ret++; ret++;
if (erand48(rand_state) < CHANCE_READ2) { if (erand48(rand_state) < CHANCE_READ2) {
i = fdlist[random() % nset]; sel = fdlist[nrand48(rand_state) % nset];
if (!FD_ISSET(i, readfds)) { if (!FD_ISSET(sel, readfds)) {
FD_SET(i, readfds); FD_SET(sel, readfds);
ret++; ret++;
} }
} }
@ -166,24 +193,26 @@ int wrapfd_select(int nfds, fd_set *readfds, fd_set *writefds,
} }
// write // write
if (erand48(rand_state) < CHANCE_WRITE1) { if (writefds != NULL && erand48(rand_state) < CHANCE_WRITE1) {
for (i = 0, nset = 0; i < nfds; i++) { for (i = 0, nset = 0; i < nfds; i++) {
if (FD_ISSET(i, writefds)) { if (FD_ISSET(i, writefds)) {
assert(wrap_fds[i].mode != UNUSED); assert(wrap_fds[i].mode != UNUSED);
fdlist[nset] = i; fdlist[nset] = i;
nset++;
} }
} }
FD_ZERO(writefds); FD_ZERO(writefds);
// set one // set one
if (nset > 0) { if (nset > 0) {
FD_SET(fdlist[nrand48(rand_state) % nset], writefds); sel = fdlist[nrand48(rand_state) % nset];
FD_SET(sel, writefds);
ret++; ret++;
if (erand48(rand_state) < CHANCE_WRITE2) { if (erand48(rand_state) < CHANCE_WRITE2) {
i = fdlist[nrand48(rand_state) % nset]; sel = fdlist[nrand48(rand_state) % nset];
if (!FD_ISSET(i, writefds)) { if (!FD_ISSET(sel, writefds)) {
FD_SET(i, writefds); FD_SET(sel, writefds);
ret++; ret++;
} }
} }
@ -191,3 +220,4 @@ int wrapfd_select(int nfds, fd_set *readfds, fd_set *writefds,
} }
return ret; return ret;
} }

6
fuzz-wrapfd.h
View File

@ -14,4 +14,10 @@ void wrapfd_setup(uint32_t wrapseed);
// doesn't take ownership of buf. buf is optional. // doesn't take ownership of buf. buf is optional.
void wrapfd_add(int fd, buffer *buf, enum wrapfd_mode mode); void wrapfd_add(int fd, buffer *buf, enum wrapfd_mode mode);
// called via #defines for read/write/select
int wrapfd_read(int fd, void *out, size_t count);
int wrapfd_write(int fd, const void* in, size_t count);
int wrapfd_select(int nfds, fd_set *readfds, fd_set *writefds,
fd_set *exceptfds, struct timeval *timeout);
#endif // FUZZ_WRAPFD_H #endif // FUZZ_WRAPFD_H

22
fuzz.h
View File

@ -1,10 +1,13 @@
#ifndef DROPBEAR_FUZZ_H #ifndef DROPBEAR_FUZZ_H
#define DROPBEAR_FUZZ_H #define DROPBEAR_FUZZ_H
#include "config.h"
#ifdef DROPBEAR_FUZZ
#include "includes.h" #include "includes.h"
#include "buffer.h" #include "buffer.h"
#include "algo.h"
#ifdef DROPBEAR_FUZZ #include "fuzz-wrapfd.h"
// once per process // once per process
void svr_setup_fuzzer(void); void svr_setup_fuzzer(void);
@ -12,6 +15,16 @@ void svr_setup_fuzzer(void);
// once per input. returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE // once per input. returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE
int fuzzer_set_input(const uint8_t *Data, size_t Size); int fuzzer_set_input(const uint8_t *Data, size_t Size);
void fuzz_kex_fakealgos(void);
// fake IO wrappers
#ifndef FUZZ_SKIP_WRAP
#define select(nfds, readfds, writefds, exceptfds, timeout) \
wrapfd_select(nfds, readfds, writefds, exceptfds, timeout)
#define write(fd, buf, count) wrapfd_write(fd, buf, count)
#define read(fd, buf, count) wrapfd_read(fd, buf, count)
#endif // FUZZ_SKIP_WRAP
struct dropbear_fuzz_options { struct dropbear_fuzz_options {
int fuzzing; int fuzzing;
@ -20,6 +33,9 @@ struct dropbear_fuzz_options {
// fuzzing input // fuzzing input
buffer *input; buffer *input;
struct dropbear_cipher recv_cipher;
struct dropbear_hash recv_mac;
int wrapfds;
// dropbear_exit() jumps back // dropbear_exit() jumps back
sigjmp_buf jmp; sigjmp_buf jmp;
@ -34,6 +50,6 @@ struct dropbear_fuzz_options {
extern struct dropbear_fuzz_options fuzz; extern struct dropbear_fuzz_options fuzz;
#endif #endif // DROPBEAR_FUZZ
#endif /* DROPBEAR_FUZZ_H */ #endif /* DROPBEAR_FUZZ_H */

1
fuzzer-preauth.c
View File

@ -24,6 +24,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (setjmp(fuzz.jmp) == 0) { if (setjmp(fuzz.jmp) == 0) {
svr_session(fakesock, fakesock); svr_session(fakesock, fakesock);
} else { } else {
TRACE(("dropbear_exit longjmped"))
// dropbear_exit jumped here // dropbear_exit jumped here
} }

3
includes.h
View File

@ -133,7 +133,6 @@
#include <tommath.h> #include <tommath.h>
#endif #endif
#include "compat.h" #include "compat.h"
#ifndef HAVE_U_INT8_T #ifndef HAVE_U_INT8_T
@ -164,6 +163,8 @@ typedef u_int32_t uint32_t;
#include "fake-rfc2553.h" #include "fake-rfc2553.h"
#include "fuzz.h"
#ifndef LOG_AUTHPRIV #ifndef LOG_AUTHPRIV
#define LOG_AUTHPRIV LOG_AUTH #define LOG_AUTHPRIV LOG_AUTH
#endif #endif

1
netio.c
View File

@ -195,6 +195,7 @@ void set_connect_fds(fd_set *writefd) {
} }
iter = next_iter; iter = next_iter;
} }
TRACE(("leave set_connect_fds"))
} }
void handle_connect_fds(fd_set *writefd) { void handle_connect_fds(fd_set *writefd) {

12
packet.c
View File

@ -36,7 +36,6 @@
#include "channel.h" #include "channel.h"
#include "netio.h" #include "netio.h"
#include "runopts.h" #include "runopts.h"
#include "fuzz.h"
static int read_packet_init(void); static int read_packet_init(void);
static void make_mac(unsigned int seqno, const struct key_context_directional * key_state, static void make_mac(unsigned int seqno, const struct key_context_directional * key_state,
@ -371,6 +370,17 @@ static int checkmac() {
buf_setpos(ses.readbuf, 0); buf_setpos(ses.readbuf, 0);
make_mac(ses.recvseq, &ses.keys->recv, ses.readbuf, contents_len, mac_bytes); make_mac(ses.recvseq, &ses.keys->recv, ses.readbuf, contents_len, mac_bytes);
#ifdef DROPBEAR_FUZZ
if (fuzz.fuzzing) {
// fail 1 in 1000 times to test error path
unsigned int value = *((unsigned int*)&mac_bytes);
if (value % 1000 == 0) {
return DROPBEAR_FAILURE;
}
return DROPBEAR_SUCCESS;
}
#endif
/* compare the hash */ /* compare the hash */
buf_setpos(ses.readbuf, contents_len); buf_setpos(ses.readbuf, contents_len);
if (constant_time_memcmp(mac_bytes, buf_getptr(ses.readbuf, mac_size), mac_size) != 0) { if (constant_time_memcmp(mac_bytes, buf_getptr(ses.readbuf, mac_size), mac_size) != 0) {