'[openssh-commits] [openssh] 01/01: fuzzer for authorized_keys parsing'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openssh-commits
Subject:    [openssh-commits] [openssh] 01/01: fuzzer for authorized_keys parsing
From:       git+noreply () mindrot ! org
Date:       2022-05-27 7:01:30
Message-ID: a26c049a02f34f47 () fuyu ! mindrot ! org
[Download RAW message or body]

This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit 9b3ad432ad2f19319bcc089370e356c6315d682f
Author: Damien Miller <djm@mindrot.org>
Date:   Fri May 27 17:00:43 2022 +1000

    fuzzer for authorized_keys parsing
    
    mostly redundant to authopt_fuzz, but it's sensitive code so IMO it
    makes sense to test this layer too
---
 regress/misc/fuzz-harness/Makefile         |  5 +-
 regress/misc/fuzz-harness/authkeys_fuzz.cc | 76 ++++++++++++++++++++++++++++++
 2 files changed, 80 insertions(+), 1 deletion(-)

diff --git a/regress/misc/fuzz-harness/Makefile b/regress/misc/fuzz-harness/Makefile
index 3938ac85..0b4238fd 100644
--- a/regress/misc/fuzz-harness/Makefile
+++ b/regress/misc/fuzz-harness/Makefile
@@ -11,7 +11,7 @@ LIBS=-lssh -lopenbsd-compat -lmd -lcrypto -lfido2 -lcbor \
$(FUZZ_LIBS)  SK_NULL_OBJS=ssh-sk-null.o
 COMMON_DEPS=../../../libssh.a
 
-TARGETS=pubkey_fuzz sig_fuzz authopt_fuzz sshsig_fuzz \
+TARGETS=pubkey_fuzz sig_fuzz authopt_fuzz authkeys_fuzz sshsig_fuzz \
 	sshsigopt_fuzz privkey_fuzz kex_fuzz agent_fuzz
 
 all: $(TARGETS)
@@ -28,6 +28,9 @@ sig_fuzz: sig_fuzz.o $(SK_NULL_OBJS) $(COMMON_DEPS)
 authopt_fuzz: authopt_fuzz.o $(SK_NULL_OBJS) $(COMMON_DEPS)
 	$(CXX) -o $@ authopt_fuzz.o $(SK_NULL_OBJS) ../../../auth-options.o $(LDFLAGS) \
$(LIBS)  
+authkeys_fuzz: authkeys_fuzz.o $(SK_NULL_OBJS) $(COMMON_DEPS)
+	$(CXX) -o $@ authkeys_fuzz.o $(SK_NULL_OBJS) ../../../auth-options.o \
../../../auth2-pubkeyfile.o $(LDFLAGS) $(LIBS) +
 sshsig_fuzz: sshsig_fuzz.o $(SK_NULL_OBJS) $(COMMON_DEPS)
 	$(CXX) -o $@ sshsig_fuzz.o $(SK_NULL_OBJS) ../../../sshsig.o $(LDFLAGS) $(LIBS)
 
diff --git a/regress/misc/fuzz-harness/authkeys_fuzz.cc \
b/regress/misc/fuzz-harness/authkeys_fuzz.cc new file mode 100644
index 00000000..6fe001fa
--- /dev/null
+++ b/regress/misc/fuzz-harness/authkeys_fuzz.cc
@@ -0,0 +1,76 @@
+#include <stddef.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <string.h>
+#include <stdlib.h>
+#include <pwd.h>
+#include <unistd.h>
+
+extern "C" {
+
+#include "hostfile.h"
+#include "auth.h"
+#include "auth-options.h"
+#include "sshkey.h"
+
+// testdata/id_ed25519.pub and testdata/id_ed25519-cert.pub
+const char *pubkey = "ssh-ed25519 \
AAAAC3NzaC1lZDI1NTE5AAAAIDPQXmEVMVLmeFRyafKMVWgPDkv8/uRBTwmcEDatZzMD";  +const char \
*certtext = "ssh-ed25519-cert-v01@openssh.com \
AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIMDQjYH6XRzH3j3MW1DdjCoAfvrHfgjnVG \
F+sLK0pBfqAAAAIDPQXmEVMVLmeFRyafKMVWgPDkv8/uRBTwmcEDatZzMDAAAAAAAAA+sAAAABAAAAB3VseXNz \
ZXMAAAAXAAAAB3VseXNzZXMAAAAIb2R5c3NldXMAAAAAAAAAAP//////////AAAAAAAAAIIAAAAVcGVybWl0LV \
gxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQt \
Zm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAADMAAAALc3N \
[...] +
+// stubs
+void auth_debug_add(const char *fmt,...)
+{
+}
+
+void
+auth_log_authopts(const char *loc, const struct sshauthopt *opts, int do_remote)
+{
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+{
+	char *tmp, *o, *cp = (char *)malloc(size + 1 + strlen(pubkey) + 1);
+	struct sshauthopt *opts = NULL;
+	struct passwd *pw = getpwuid(getuid());
+	static struct sshkey *key, *cert;
+
+	if (key == NULL) {
+		if ((key = sshkey_new(KEY_UNSPEC)) == NULL ||
+		    (cert = sshkey_new(KEY_UNSPEC)) == NULL)
+			abort();
+		if ((o = tmp = strdup(pubkey)) == NULL ||
+		    sshkey_read(key, &tmp) != 0)
+			abort();
+		free(o);
+		if ((o = tmp = strdup(certtext)) == NULL ||
+		    sshkey_read(cert, &tmp) != 0)
+			abort();
+		free(o);
+	}
+	if (cp == NULL || pw == NULL || key == NULL || cert == NULL)
+		abort();
+	memcpy(cp, data, size);
+	cp[size] = ' ';
+	memcpy(cp + size + 1, key, strlen(pubkey) + 1);
+
+	// Try key.
+	if ((tmp = strdup(cp)) == NULL)
+		abort();
+	(void) auth_check_authkey_line(pw, key, tmp, "127.0.0.1", "localhost",
+	    "fuzz", &opts);
+	free(tmp);
+	sshauthopt_free(opts);
+
+	// Try cert.
+	if ((tmp = strdup(cp)) == NULL)
+		abort();
+	(void) auth_check_authkey_line(pw, cert, tmp, "127.0.0.1", "localhost",
+	    "fuzz", &opts);
+	free(tmp);
+	sshauthopt_free(opts);
+
+	free(cp);
+	return 0;
+}
+
+} // extern "C"

-- 
To stop receiving notification emails like this one, please contact
djm@mindrot.org.
_______________________________________________
openssh-commits mailing list
openssh-commits@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-commits


[prev in list] [next in list] [prev in thread] [next in thread] 
