From de613f2713d2dfcd3b03c00e5558a40997f52712 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Sat, 30 Jan 2021 12:03:30 +1100
Subject: [PATCH] ssh-agent fuzzer

---
 regress/misc/fuzz-harness/Makefile            |  47 +++--
 regress/misc/fuzz-harness/agent_fuzz.cc       |  15 ++
 regress/misc/fuzz-harness/agent_fuzz_helper.c | 169 ++++++++++++++++++
 3 files changed, 213 insertions(+), 18 deletions(-)
 create mode 100644 regress/misc/fuzz-harness/agent_fuzz.cc
 create mode 100644 regress/misc/fuzz-harness/agent_fuzz_helper.c

diff --git a/regress/misc/fuzz-harness/Makefile b/regress/misc/fuzz-harness/Makefile
index f5fda72f4..e879fcdae 100644
--- a/regress/misc/fuzz-harness/Makefile
+++ b/regress/misc/fuzz-harness/Makefile
@@ -1,41 +1,52 @@
 # NB. libssh and libopenbsd-compat should be built with the same sanitizer opts.
-CXX=clang++-9
-FUZZ_FLAGS=-fsanitize=address,fuzzer
+CC=clang-11
+CXX=clang++-11
+FUZZ_FLAGS=-fsanitize=address,fuzzer -fno-omit-frame-pointer
 FUZZ_LIBS=-lFuzzer
 
 CXXFLAGS=-O2 -g -Wall -Wextra -Wno-unused-parameter -I ../../.. $(FUZZ_FLAGS)
+CFLAGS=$(CXXFLAGS)
 LDFLAGS=-L ../../.. -L ../../../openbsd-compat -g $(FUZZ_FLAGS)
 LIBS=-lssh -lopenbsd-compat -lcrypto -lfido2 -lcbor $(FUZZ_LIBS)
-COMMON_OBJS=ssh-sk-null.o
+SK_NULL_OBJS=ssh-sk-null.o
+COMMON_DEPS=../../../libssh.a
 
 TARGETS=pubkey_fuzz sig_fuzz authopt_fuzz sshsig_fuzz \
-	sshsigopt_fuzz privkey_fuzz kex_fuzz
+	sshsigopt_fuzz privkey_fuzz kex_fuzz agent_fuzz
 
 all: $(TARGETS)
 
 .cc.o:
 	$(CXX) $(CXXFLAGS) -c $< -o $@
 
-pubkey_fuzz: pubkey_fuzz.o $(COMMON_OBJS)
-	$(CXX) -o $@ pubkey_fuzz.o $(COMMON_OBJS) $(LDFLAGS) $(LIBS)
+pubkey_fuzz: pubkey_fuzz.o $(SK_NULL_OBJS) $(COMMON_DEPS)
+	$(CXX) -o $@ pubkey_fuzz.o $(SK_NULL_OBJS) $(LDFLAGS) $(LIBS)
 
-sig_fuzz: sig_fuzz.o $(COMMON_OBJS)
-	$(CXX) -o $@ sig_fuzz.o $(COMMON_OBJS) $(LDFLAGS) $(LIBS)
+sig_fuzz: sig_fuzz.o $(SK_NULL_OBJS) $(COMMON_DEPS)
+	$(CXX) -o $@ sig_fuzz.o $(SK_NULL_OBJS) $(LDFLAGS) $(LIBS)
 
-authopt_fuzz: authopt_fuzz.o $(COMMON_OBJS)
-	$(CXX) -o $@ authopt_fuzz.o $(COMMON_OBJS) ../../../auth-options.o $(LDFLAGS) $(LIBS)
+authopt_fuzz: authopt_fuzz.o $(SK_NULL_OBJS) $(COMMON_DEPS)
+	$(CXX) -o $@ authopt_fuzz.o $(SK_NULL_OBJS) ../../../auth-options.o $(LDFLAGS) $(LIBS)
 
-sshsig_fuzz: sshsig_fuzz.o $(COMMON_OBJS)
-	$(CXX) -o $@ sshsig_fuzz.o $(COMMON_OBJS) ../../../sshsig.o $(LDFLAGS) $(LIBS)
+sshsig_fuzz: sshsig_fuzz.o $(SK_NULL_OBJS) $(COMMON_DEPS)
+	$(CXX) -o $@ sshsig_fuzz.o $(SK_NULL_OBJS) ../../../sshsig.o $(LDFLAGS) $(LIBS)
 
-sshsigopt_fuzz: sshsigopt_fuzz.o $(COMMON_OBJS)
-	$(CXX) -o $@ sshsigopt_fuzz.o $(COMMON_OBJS) ../../../sshsig.o $(LDFLAGS) $(LIBS)
+sshsigopt_fuzz: sshsigopt_fuzz.o $(SK_NULL_OBJS) $(COMMON_DEPS)
+	$(CXX) -o $@ sshsigopt_fuzz.o $(SK_NULL_OBJS) ../../../sshsig.o $(LDFLAGS) $(LIBS)
 
-privkey_fuzz: privkey_fuzz.o $(COMMON_OBJS)
-	$(CXX) -o $@ privkey_fuzz.o $(COMMON_OBJS) $(LDFLAGS) $(LIBS)
+privkey_fuzz: privkey_fuzz.o $(SK_NULL_OBJS) $(COMMON_DEPS)
+	$(CXX) -o $@ privkey_fuzz.o $(SK_NULL_OBJS) $(LDFLAGS) $(LIBS)
 
-kex_fuzz: kex_fuzz.o $(COMMON_OBJS)
-	$(CXX) -o $@ kex_fuzz.o $(COMMON_OBJS) $(LDFLAGS) $(LIBS) -lz
+kex_fuzz: kex_fuzz.o $(SK_NULL_OBJS) $(COMMON_DEPS)
+	$(CXX) -o $@ kex_fuzz.o $(SK_NULL_OBJS) $(LDFLAGS) $(LIBS) -lz
+
+agent_fuzz: agent_fuzz.o agent_fuzz_helper.o sk-dummy.o ../../../ssh-sk.o $(COMMON_DEPS)
+	$(CXX) -o $@ agent_fuzz.o agent_fuzz_helper.o sk-dummy.o ../../../ssh-sk.o $(LDFLAGS) $(LIBS) -lz
+
+agent_fuzz_helper.o: agent_fuzz_helper.c ../../../ssh-agent.c
+
+sk-dummy.o: ../sk-dummy/sk-dummy.c
+	$(CC) $(CFLAGS) -c -o $@ ../sk-dummy/sk-dummy.c -DSK_DUMMY_INTEGRATE=1 $(LDFLAGS)
 
 clean:
 	-rm -f *.o $(TARGETS)
diff --git a/regress/misc/fuzz-harness/agent_fuzz.cc b/regress/misc/fuzz-harness/agent_fuzz.cc
new file mode 100644
index 000000000..ad85b2f9a
--- /dev/null
+++ b/regress/misc/fuzz-harness/agent_fuzz.cc
@@ -0,0 +1,15 @@
+// cc_fuzz_target test for ssh-agent.
+extern "C" {
+
+#include <stdint.h>
+#include <sys/types.h>
+
+extern void test_one(const uint8_t* s, size_t slen);
+
+int LLVMFuzzerTestOneInput(const uint8_t* s, size_t slen)
+{
+	test_one(s, slen);
+	return 0;
+}
+
+} // extern
diff --git a/regress/misc/fuzz-harness/agent_fuzz_helper.c b/regress/misc/fuzz-harness/agent_fuzz_helper.c
new file mode 100644
index 000000000..79cdc6102
--- /dev/null
+++ b/regress/misc/fuzz-harness/agent_fuzz_helper.c
@@ -0,0 +1,169 @@
+#include "fixed-keys.h"
+#include <assert.h>
+
+#define main(ac, av) xxxmain(ac, av)
+#include "../../../ssh-agent.c"
+
+void test_one(const uint8_t* s, size_t slen);
+
+static int
+devnull_or_die(void)
+{
+	int fd;
+
+	if ((fd = open("/dev/null", O_RDWR)) == -1) {
+		error_f("open /dev/null: %s", strerror(errno));
+		abort();
+	}
+	return fd;
+}
+
+static struct sshkey *
+pubkey_or_die(const char *s)
+{
+	char *tmp, *cp;
+	struct sshkey *pubkey;
+	int r;
+
+	tmp = cp = xstrdup(s);
+	if ((pubkey = sshkey_new(KEY_UNSPEC)) == NULL)
+		abort();
+	if ((r = sshkey_read(pubkey, &cp)) != 0) {
+		error_fr(r, "parse");
+		abort();
+	}
+	free(tmp);
+	return pubkey;
+}
+
+static struct sshkey *
+privkey_or_die(const char *s)
+{
+	int r;
+	struct sshbuf *b;
+	struct sshkey *privkey;
+
+	if ((b = sshbuf_from(s, strlen(s))) == NULL) {
+		error_f("sshbuf_from failed");
+		abort();
+	}
+	if ((r = sshkey_parse_private_fileblob(b, "", &privkey, NULL)) != 0) {
+		error_fr(r, "parse");
+		abort();
+	}
+	sshbuf_free(b);
+	return privkey;
+}
+
+static void
+add_key(const char *privkey, const char *certpath)
+{
+	Identity *id;
+	int r;
+	struct sshkey *cert;
+
+	id = xcalloc(1, sizeof(Identity));
+	TAILQ_INSERT_TAIL(&idtab->idlist, id, next);
+	idtab->nentries++;
+	id->key = privkey_or_die(privkey);
+	id->comment = xstrdup("rhododaktulos Eos");
+	if (sshkey_is_sk(id->key))
+		id->sk_provider = xstrdup("internal");
+
+	/* Now the cert too */
+	id = xcalloc(1, sizeof(Identity));
+	TAILQ_INSERT_TAIL(&idtab->idlist, id, next);
+	idtab->nentries++;
+	id->key = privkey_or_die(privkey);
+	cert = pubkey_or_die(certpath);
+	if ((r = sshkey_to_certified(id->key)) != 0) {
+		error_fr(r, "sshkey_to_certified");
+		abort();
+	}
+	if ((r = sshkey_cert_copy(cert, id->key)) != 0) {
+		error_fr(r, "sshkey_cert_copy");
+		abort();
+	}
+	sshkey_free(cert);
+	id->comment = xstrdup("outis");
+	if (sshkey_is_sk(id->key))
+		id->sk_provider = xstrdup("internal");
+}
+
+static void
+cleanup_idtab(void)
+{
+	Identity *id;
+
+	if (idtab == NULL) return;
+	for (id = TAILQ_FIRST(&idtab->idlist); id;
+	    id = TAILQ_FIRST(&idtab->idlist)) {
+		TAILQ_REMOVE(&idtab->idlist, id, next);
+		free_identity(id);
+	}
+	free(idtab);
+	idtab = NULL;
+}
+
+static void
+reset_idtab(void)
+{
+	cleanup_idtab();
+	idtab_init();
+	// Load keys.
+	add_key(PRIV_RSA, CERT_RSA);
+	add_key(PRIV_DSA, CERT_DSA);
+	add_key(PRIV_ECDSA, CERT_ECDSA);
+	add_key(PRIV_ED25519, CERT_ED25519);
+	add_key(PRIV_ECDSA_SK, CERT_ECDSA_SK);
+	add_key(PRIV_ED25519_SK, CERT_ED25519_SK);
+}
+
+static void
+cleanup_sockettab(void)
+{
+	u_int i;
+	for (i = 0; i < sockets_alloc; i++) {
+		if (sockets[i].type != AUTH_UNUSED)
+			close_socket(sockets + i);
+	}
+	free(sockets);
+	sockets = NULL;
+	sockets_alloc = 0;
+}
+
+static void
+reset_sockettab(int devnull)
+{
+	int fd;
+
+	cleanup_sockettab();
+	if ((fd = dup(devnull)) == -1) {
+		error_f("dup: %s", strerror(errno));
+		abort();
+	}
+	new_socket(AUTH_CONNECTION, fd);
+	assert(sockets[0].type == AUTH_CONNECTION);
+	assert(sockets[0].fd == fd);
+}
+
+void
+test_one(const uint8_t* s, size_t slen)
+{
+	static int devnull = -1;
+
+	if (devnull == -1) {
+		log_init(__progname, SYSLOG_LEVEL_DEBUG3,
+		    SYSLOG_FACILITY_AUTH, 1);
+		devnull = devnull_or_die();
+		allowed_providers = xstrdup("");
+		setenv("DISPLAY", "", 1); /* ban askpass */
+	}
+
+	reset_idtab();
+	reset_sockettab(devnull);
+	(void)sshbuf_put_string(sockets[0].input, s, slen);
+	process_message(0);
+	cleanup_idtab();
+	cleanup_sockettab();
+}