ssh-agent fuzzer

2021-01-30 12:03:30 +11:00 · 2021-01-30 12:03:30 +11:00 · de613f2713
parent 7e96c877bc
commit de613f2713
3 changed files with 213 additions and 18 deletions
--- a/regress/misc/fuzz-harness/Makefile
+++ b/regress/misc/fuzz-harness/Makefile
@ -1,41 +1,52 @@
 # NB. libssh and libopenbsd-compat should be built with the same sanitizer opts.
-CXX=clang++-9
-FUZZ_FLAGS=-fsanitize=address,fuzzer
+CC=clang-11
+CXX=clang++-11
+FUZZ_FLAGS=-fsanitize=address,fuzzer -fno-omit-frame-pointer
 FUZZ_LIBS=-lFuzzer

 CXXFLAGS=-O2 -g -Wall -Wextra -Wno-unused-parameter -I ../../.. $(FUZZ_FLAGS)
+CFLAGS=$(CXXFLAGS)
 LDFLAGS=-L ../../.. -L ../../../openbsd-compat -g $(FUZZ_FLAGS)
 LIBS=-lssh -lopenbsd-compat -lcrypto -lfido2 -lcbor $(FUZZ_LIBS)
-COMMON_OBJS=ssh-sk-null.o
+SK_NULL_OBJS=ssh-sk-null.o
+COMMON_DEPS=../../../libssh.a

 TARGETS=pubkey_fuzz sig_fuzz authopt_fuzz sshsig_fuzz \
-	sshsigopt_fuzz privkey_fuzz kex_fuzz
+	sshsigopt_fuzz privkey_fuzz kex_fuzz agent_fuzz

 all: $(TARGETS)

 .cc.o:
 	$(CXX) $(CXXFLAGS) -c $< -o $@

-pubkey_fuzz: pubkey_fuzz.o $(COMMON_OBJS)
-	$(CXX) -o $@ pubkey_fuzz.o $(COMMON_OBJS) $(LDFLAGS) $(LIBS)
+pubkey_fuzz: pubkey_fuzz.o $(SK_NULL_OBJS) $(COMMON_DEPS)
+	$(CXX) -o $@ pubkey_fuzz.o $(SK_NULL_OBJS) $(LDFLAGS) $(LIBS)

-sig_fuzz: sig_fuzz.o $(COMMON_OBJS)
-	$(CXX) -o $@ sig_fuzz.o $(COMMON_OBJS) $(LDFLAGS) $(LIBS)
+sig_fuzz: sig_fuzz.o $(SK_NULL_OBJS) $(COMMON_DEPS)
+	$(CXX) -o $@ sig_fuzz.o $(SK_NULL_OBJS) $(LDFLAGS) $(LIBS)

-authopt_fuzz: authopt_fuzz.o $(COMMON_OBJS)
-	$(CXX) -o $@ authopt_fuzz.o $(COMMON_OBJS) ../../../auth-options.o $(LDFLAGS) $(LIBS)
+authopt_fuzz: authopt_fuzz.o $(SK_NULL_OBJS) $(COMMON_DEPS)
+	$(CXX) -o $@ authopt_fuzz.o $(SK_NULL_OBJS) ../../../auth-options.o $(LDFLAGS) $(LIBS)

-sshsig_fuzz: sshsig_fuzz.o $(COMMON_OBJS)
-	$(CXX) -o $@ sshsig_fuzz.o $(COMMON_OBJS) ../../../sshsig.o $(LDFLAGS) $(LIBS)
+sshsig_fuzz: sshsig_fuzz.o $(SK_NULL_OBJS) $(COMMON_DEPS)
+	$(CXX) -o $@ sshsig_fuzz.o $(SK_NULL_OBJS) ../../../sshsig.o $(LDFLAGS) $(LIBS)

-sshsigopt_fuzz: sshsigopt_fuzz.o $(COMMON_OBJS)
-	$(CXX) -o $@ sshsigopt_fuzz.o $(COMMON_OBJS) ../../../sshsig.o $(LDFLAGS) $(LIBS)
+sshsigopt_fuzz: sshsigopt_fuzz.o $(SK_NULL_OBJS) $(COMMON_DEPS)
+	$(CXX) -o $@ sshsigopt_fuzz.o $(SK_NULL_OBJS) ../../../sshsig.o $(LDFLAGS) $(LIBS)

-privkey_fuzz: privkey_fuzz.o $(COMMON_OBJS)
-	$(CXX) -o $@ privkey_fuzz.o $(COMMON_OBJS) $(LDFLAGS) $(LIBS)
+privkey_fuzz: privkey_fuzz.o $(SK_NULL_OBJS) $(COMMON_DEPS)
+	$(CXX) -o $@ privkey_fuzz.o $(SK_NULL_OBJS) $(LDFLAGS) $(LIBS)

-kex_fuzz: kex_fuzz.o $(COMMON_OBJS)
-	$(CXX) -o $@ kex_fuzz.o $(COMMON_OBJS) $(LDFLAGS) $(LIBS) -lz
+kex_fuzz: kex_fuzz.o $(SK_NULL_OBJS) $(COMMON_DEPS)
+	$(CXX) -o $@ kex_fuzz.o $(SK_NULL_OBJS) $(LDFLAGS) $(LIBS) -lz
+
+agent_fuzz: agent_fuzz.o agent_fuzz_helper.o sk-dummy.o ../../../ssh-sk.o $(COMMON_DEPS)
+	$(CXX) -o $@ agent_fuzz.o agent_fuzz_helper.o sk-dummy.o ../../../ssh-sk.o $(LDFLAGS) $(LIBS) -lz
+
+agent_fuzz_helper.o: agent_fuzz_helper.c ../../../ssh-agent.c
+
+sk-dummy.o: ../sk-dummy/sk-dummy.c
+	$(CC) $(CFLAGS) -c -o $@ ../sk-dummy/sk-dummy.c -DSK_DUMMY_INTEGRATE=1 $(LDFLAGS)

 clean:
 	-rm -f *.o $(TARGETS)
--- a/regress/misc/fuzz-harness/agent_fuzz.cc
+++ b/regress/misc/fuzz-harness/agent_fuzz.cc
@ -0,0 +1,15 @@
+// cc_fuzz_target test for ssh-agent.
+extern "C" {
+
+#include <stdint.h>
+#include <sys/types.h>
+
+extern void test_one(const uint8_t* s, size_t slen);
+
+int LLVMFuzzerTestOneInput(const uint8_t* s, size_t slen)
+{
+	test_one(s, slen);
+	return 0;
+}
+
+} // extern
--- a/regress/misc/fuzz-harness/agent_fuzz_helper.c
+++ b/regress/misc/fuzz-harness/agent_fuzz_helper.c
@ -0,0 +1,169 @@
+#include "fixed-keys.h"
+#include <assert.h>
+
+#define main(ac, av) xxxmain(ac, av)
+#include "../../../ssh-agent.c"
+
+void test_one(const uint8_t* s, size_t slen);
+
+static int
+devnull_or_die(void)
+{
+	int fd;
+
+	if ((fd = open("/dev/null", O_RDWR)) == -1) {
+		error_f("open /dev/null: %s", strerror(errno));
+		abort();
+	}
+	return fd;
+}
+
+static struct sshkey *
+pubkey_or_die(const char *s)
+{
+	char *tmp, *cp;
+	struct sshkey *pubkey;
+	int r;
+
+	tmp = cp = xstrdup(s);
+	if ((pubkey = sshkey_new(KEY_UNSPEC)) == NULL)
+		abort();
+	if ((r = sshkey_read(pubkey, &cp)) != 0) {
+		error_fr(r, "parse");
+		abort();
+	}
+	free(tmp);
+	return pubkey;
+}
+
+static struct sshkey *
+privkey_or_die(const char *s)
+{
+	int r;
+	struct sshbuf *b;
+	struct sshkey *privkey;
+
+	if ((b = sshbuf_from(s, strlen(s))) == NULL) {
+		error_f("sshbuf_from failed");
+		abort();
+	}
+	if ((r = sshkey_parse_private_fileblob(b, "", &privkey, NULL)) != 0) {
+		error_fr(r, "parse");
+		abort();
+	}
+	sshbuf_free(b);
+	return privkey;
+}
+
+static void
+add_key(const char *privkey, const char *certpath)
+{
+	Identity *id;
+	int r;
+	struct sshkey *cert;
+
+	id = xcalloc(1, sizeof(Identity));
+	TAILQ_INSERT_TAIL(&idtab->idlist, id, next);
+	idtab->nentries++;
+	id->key = privkey_or_die(privkey);
+	id->comment = xstrdup("rhododaktulos Eos");
+	if (sshkey_is_sk(id->key))
+		id->sk_provider = xstrdup("internal");
+
+	/* Now the cert too */
+	id = xcalloc(1, sizeof(Identity));
+	TAILQ_INSERT_TAIL(&idtab->idlist, id, next);
+	idtab->nentries++;
+	id->key = privkey_or_die(privkey);
+	cert = pubkey_or_die(certpath);
+	if ((r = sshkey_to_certified(id->key)) != 0) {
+		error_fr(r, "sshkey_to_certified");
+		abort();
+	}
+	if ((r = sshkey_cert_copy(cert, id->key)) != 0) {
+		error_fr(r, "sshkey_cert_copy");
+		abort();
+	}
+	sshkey_free(cert);
+	id->comment = xstrdup("outis");
+	if (sshkey_is_sk(id->key))
+		id->sk_provider = xstrdup("internal");
+}
+
+static void
+cleanup_idtab(void)
+{
+	Identity *id;
+
+	if (idtab == NULL) return;
+	for (id = TAILQ_FIRST(&idtab->idlist); id;
+	    id = TAILQ_FIRST(&idtab->idlist)) {
+		TAILQ_REMOVE(&idtab->idlist, id, next);
+		free_identity(id);
+	}
+	free(idtab);
+	idtab = NULL;
+}
+
+static void
+reset_idtab(void)
+{
+	cleanup_idtab();
+	idtab_init();
+	// Load keys.
+	add_key(PRIV_RSA, CERT_RSA);
+	add_key(PRIV_DSA, CERT_DSA);
+	add_key(PRIV_ECDSA, CERT_ECDSA);
+	add_key(PRIV_ED25519, CERT_ED25519);
+	add_key(PRIV_ECDSA_SK, CERT_ECDSA_SK);
+	add_key(PRIV_ED25519_SK, CERT_ED25519_SK);
+}
+
+static void
+cleanup_sockettab(void)
+{
+	u_int i;
+	for (i = 0; i < sockets_alloc; i++) {
+		if (sockets[i].type != AUTH_UNUSED)
+			close_socket(sockets + i);
+	}
+	free(sockets);
+	sockets = NULL;
+	sockets_alloc = 0;
+}
+
+static void
+reset_sockettab(int devnull)
+{
+	int fd;
+
+	cleanup_sockettab();
+	if ((fd = dup(devnull)) == -1) {
+		error_f("dup: %s", strerror(errno));
+		abort();
+	}
+	new_socket(AUTH_CONNECTION, fd);
+	assert(sockets[0].type == AUTH_CONNECTION);
+	assert(sockets[0].fd == fd);
+}
+
+void
+test_one(const uint8_t* s, size_t slen)
+{
+	static int devnull = -1;
+
+	if (devnull == -1) {
+		log_init(__progname, SYSLOG_LEVEL_DEBUG3,
+		    SYSLOG_FACILITY_AUTH, 1);
+		devnull = devnull_or_die();
+		allowed_providers = xstrdup("");
+		setenv("DISPLAY", "", 1); /* ban askpass */
+	}
+
+	reset_idtab();
+	reset_sockettab(devnull);
+	(void)sshbuf_put_string(sockets[0].input, s, slen);
+	process_message(0);
+	cleanup_idtab();
+	cleanup_sockettab();
+}