/* * Copyright 2019 Andreas Schneider * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include #include #include #include #define LIBSSH_STATIC 1 #include #include static int auth_callback(const char *prompt, char *buf, size_t len, int echo, int verify, void *userdata) { (void)prompt; /* unused */ (void)echo; /* unused */ (void)userdata; /* unused */ snprintf(buf, len, "secret"); return 0; } struct ssh_callbacks_struct cb = { .userdata = NULL, .auth_function = auth_callback, }; static void select_loop(ssh_session session, ssh_channel channel) { ssh_connector connector_in, connector_out, connector_err; ssh_event event = ssh_event_new(); /* stdin */ connector_in = ssh_connector_new(session); ssh_connector_set_out_channel(connector_in, channel, SSH_CONNECTOR_STDINOUT); ssh_connector_set_in_fd(connector_in, 0); ssh_event_add_connector(event, connector_in); /* stdout */ connector_out = ssh_connector_new(session); ssh_connector_set_out_fd(connector_out, 1); ssh_connector_set_in_channel(connector_out, channel, SSH_CONNECTOR_STDINOUT); ssh_event_add_connector(event, connector_out); /* stderr */ connector_err = ssh_connector_new(session); ssh_connector_set_out_fd(connector_err, 2); ssh_connector_set_in_channel(connector_err, channel, SSH_CONNECTOR_STDERR); ssh_event_add_connector(event, connector_err); while (ssh_channel_is_open(channel)) { ssh_event_dopoll(event, 60000); } ssh_event_remove_connector(event, connector_in); ssh_event_remove_connector(event, connector_out); ssh_event_remove_connector(event, connector_err); ssh_connector_free(connector_in); ssh_connector_free(connector_out); ssh_connector_free(connector_err); ssh_event_free(event); } extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { ssh_session session = NULL; ssh_channel channel = NULL; char *banner = NULL; const char *env = NULL; int socket_fds[2] = {-1, -1}; ssize_t nwritten; bool no = false; int rc; /* Set up the socket to send data */ rc = socketpair(AF_UNIX, SOCK_STREAM, 0, socket_fds); assert(rc == 0); nwritten = send(socket_fds[1], data, size, 0); assert(nwritten == size); rc = shutdown(socket_fds[1], SHUT_WR); assert(rc == 0); ssh_init(); session = ssh_new(); assert(session != NULL); env = getenv("LIBSSH_VERBOSITY"); if (env != NULL && strlen(env) > 0) { ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY_STR, env); } rc = ssh_options_set(session, SSH_OPTIONS_FD, &socket_fds[0]); assert(rc == 0); rc = ssh_options_set(session, SSH_OPTIONS_HOST, "127.0.0.1"); assert(rc == 0); rc = ssh_options_set(session, SSH_OPTIONS_USER, "alice"); assert(rc == 0); rc = ssh_options_set(session, SSH_OPTIONS_CIPHERS_C_S, "none"); assert(rc == 0); rc = ssh_options_set(session, SSH_OPTIONS_CIPHERS_S_C, "none"); assert(rc == 0); rc = ssh_options_set(session, SSH_OPTIONS_HMAC_C_S, "none"); assert(rc == 0); rc = ssh_options_set(session, SSH_OPTIONS_HMAC_S_C, "none"); assert(rc == 0); rc = ssh_options_set(session, SSH_OPTIONS_PROCESS_CONFIG, &no); assert(rc == 0); ssh_callbacks_init(&cb); ssh_set_callbacks(session, &cb); rc = ssh_connect(session); if (rc != SSH_OK) { goto out; } rc = ssh_userauth_none(session, NULL); if (rc != SSH_OK) { goto out; } channel = ssh_channel_new(session); assert(channel != NULL); rc = ssh_channel_open_session(channel); if (rc != SSH_OK) { goto out; } rc = ssh_channel_request_exec(channel, "ls"); assert(rc == SSH_OK); select_loop(session, channel); out: ssh_channel_free(channel); ssh_disconnect(session); ssh_free(session); ssh_finalize(); close(socket_fds[0]); close(socket_fds[1]); return 0; }