/src/dropbear/fuzz/fuzzer-kexcurve25519.c

Source (jump to first uncovered line)
#include "fuzz.h"
#include "session.h"
#include "fuzz-wrapfd.h"
#include "debug.h"
#include "runopts.h"
#include "algo.h"
#include "bignum.h"

static struct key_context* keep_newkeys = NULL;
/* An arbitrary limit */
#define NUM_PARAMS 80
static struct kex_curve25519_param *curve25519_params[NUM_PARAMS];

static void setup() __attribute__((constructor));
// Perform initial setup here to avoid hitting timeouts on first run
static void setup() {
  fuzz_common_setup();
  fuzz_svr_setup();

  keep_newkeys = (struct key_context*)m_malloc(sizeof(struct key_context));
  keep_newkeys->algo_kex = fuzz_get_algo(sshkex, "curve25519-sha256");
  keep_newkeys->algo_hostkey = DROPBEAR_SIGNKEY_ED25519;
  ses.newkeys = keep_newkeys;

  /* Pre-generate parameters */
  int i;
  for (i = 0; i < NUM_PARAMS; i++) {
    curve25519_params[i] = gen_kexcurve25519_param();
  }
}

int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
    return 0;
  }

  m_malloc_set_epoch(1);

  if (setjmp(fuzz.jmp) == 0) {
    /* Based on recv_msg_kexdh_init()/send_msg_kexdh_reply() 
    with DROPBEAR_KEX_CURVE25519 */
    ses.newkeys = keep_newkeys;

    /* Choose from the collection of curve25519 params */
    unsigned int e = buf_getint(fuzz.input);
    struct kex_curve25519_param *curve25519_param = curve25519_params[e % NUM_PARAMS];

    buffer * ecdh_qs = buf_getstringbuf(fuzz.input);

    ses.kexhashbuf = buf_new(KEXHASHBUF_MAX_INTS);
    kexcurve25519_comb_key(curve25519_param, ecdh_qs, svr_opts.hostkey);

    mp_clear(ses.dh_K);
    m_free(ses.dh_K);
    buf_free(ecdh_qs);

    buf_free(ses.hash);
    buf_free(ses.session_id);
    /* kexhashbuf is freed in kexdh_comb_key */

    m_malloc_free_epoch(1, 0);
  } else {
    m_malloc_free_epoch(1, 1);
    TRACE(("dropbear_exit longjmped"))
    /* dropbear_exit jumped here */
  }

  return 0;
}

Line	Count	Source (jump to first uncovered line)
1		#include "fuzz.h"
2		#include "session.h"
3		#include "fuzz-wrapfd.h"
4		#include "debug.h"
5		#include "runopts.h"
6		#include "algo.h"
7		#include "bignum.h"
8
9		static struct key_context* keep_newkeys = NULL;
10		/* An arbitrary limit */
11	947	#define NUM_PARAMS 80
12		static struct kex_curve25519_param *curve25519_params[NUM_PARAMS];
13
14		static void setup() __attribute__((constructor));
15		// Perform initial setup here to avoid hitting timeouts on first run
16	2	static void setup() {
17	2	fuzz_common_setup();
18	2	fuzz_svr_setup();
19
20	2	keep_newkeys = (struct key_context*)m_malloc(sizeof(struct key_context));
21	2	keep_newkeys->algo_kex = fuzz_get_algo(sshkex, "curve25519-sha256");
22	2	keep_newkeys->algo_hostkey = DROPBEAR_SIGNKEY_ED25519;
23	2	ses.newkeys = keep_newkeys;
24
25		/* Pre-generate parameters */
26	2	int i;
27	162	for (i = 0; i < NUM_PARAMS; i++) {
28	160	curve25519_params[i] = gen_kexcurve25519_param();
29	160	}
30	2	}
31
32	785	int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
33	785	if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
34	0	return 0;
35	0	}
36
37	785	m_malloc_set_epoch(1);
38
39	785	if (setjmp(fuzz.jmp) == 0) {
40		/* Based on recv_msg_kexdh_init()/send_msg_kexdh_reply()
41		with DROPBEAR_KEX_CURVE25519 */
42	785	ses.newkeys = keep_newkeys;
43
44		/* Choose from the collection of curve25519 params */
45	785	unsigned int e = buf_getint(fuzz.input);
46	785	struct kex_curve25519_param *curve25519_param = curve25519_params[e % NUM_PARAMS];
47
48	785	buffer * ecdh_qs = buf_getstringbuf(fuzz.input);
49
50	785	ses.kexhashbuf = buf_new(KEXHASHBUF_MAX_INTS);
51	785	kexcurve25519_comb_key(curve25519_param, ecdh_qs, svr_opts.hostkey);
52
53	785	mp_clear(ses.dh_K);
54	785	m_free(ses.dh_K);
55	785	buf_free(ecdh_qs);
56
57	785	buf_free(ses.hash);
58	785	buf_free(ses.session_id);
59		/* kexhashbuf is freed in kexdh_comb_key */
60
61	785	m_malloc_free_epoch(1, 0);
62	785	} else {
63	0	m_malloc_free_epoch(1, 1);
64	0	TRACE(("dropbear_exit longjmped"))
65		/* dropbear_exit jumped here */
66	0	}
67
68	785	return 0;
69	785	}

Coverage Report

Created: 2023-06-07 06:49