| field | value | date |
|---|---|---|
| author | Jakub Jelen <jjelen@redhat.com> | 2020-04-29 16:22:20 +0200 |
| committer | Andreas Schneider <asn@cryptomilk.org> | 2020-05-05 14:29:13 +0200 |
| commit | 425c02cb9437f87daa817e3b62c4a3f5226daf37 (patch) | |
| tree | 4f7291a73fc5dc2664786f371e22c779afd4cef6 | |
| parent | ad8dedd4a481a48a51b2fed7371bc7073f0f31bd (diff) | |
| download | libssh-425c02cb9437f87daa817e3b62c4a3f5226daf37.tar.gz, libssh-425c02cb9437f87daa817e3b62c4a3f5226daf37.tar.xz, libssh-425c02cb9437f87daa817e3b62c4a3f5226daf37.zip | |
fuzz: Add instructions for corpus creation and first corpus files
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
| mode | path | lines | size |
|---|---|---|---|
| -rw-r--r-- | tests/fuzz/README.md | 69 | |
| -rw-r--r-- | tests/fuzz/ssh_client_fuzzer_corpus/0f9d75a6c1d365115772a502d42b6e48f453198a | bin | 0 -> 2055 bytes |
| -rw-r--r-- | tests/fuzz/ssh_server_fuzzer_corpus/fd7bd24a85e712fb59159a512b69d34ca21c8383 | bin | 0 -> 2055 bytes |

3 files changed, 69 insertions, 0 deletions
diff --git a/tests/fuzz/README.md b/tests/fuzz/README.md new file mode 100644 index 00000000..12afbb51 --- /dev/null +++ b/tests/fuzz/README.md 
@@ -0,0 +1,69 @@ +# Simple fuzzers for libssh + +This directory contains fuzzer programs, that are usable either in +oss-fuzz infrastructure or suitable for running fuzzing locally or +even for reproducing crashes with given trace files. + +When building with clang, fuzzers are automatically built with address +sanitizer. With gcc, they are built as they are without instrumentation, +but they are suitable for debugging. + +## Background + +Fuzzing ssh protocol is complicated by the way that all the communication +between client and server is encrypted and authenticated using keys based +on random data, making it impossible to fuzz the actual underlying protocol +as every change in the encrypted data causes integrity errors. For that reason, +libssh needs to implement "none" cipher and MAC as described in RFC 4253 +and these need to be used during fuzzing to be able to accomplish +reproducibility and for fuzzers to be able to progress behind key exchange. + +## Corpus creation + +For effective fuzzing, we need to provide corpus of initial (valid) inputs that +can be used for deriving other inputs. libssh already supports creation of pcap +files (packet capture), which include all the information we need for fuzzing. +This file is also created from date before encryption and after decryption so +it is in plain text as we expect it, but we still need to adjust configuration +to use none cipher for the key exchange to be plausible. 
+ +### Creating packet capture using example libssh client + + * Compile libssh with support for none cipher and pcap: + + cmake -DWITH_INSECURE_NONE=ON -DWITH_PCAP=ON ../ + + * Create a configuration file enabling none cipher and mac: + + printf 'Ciphers none\nMACs none' > /tmp/ssh_config + + * Generate test host key: + + ./examples/keygen2 -f /tmp/hostkey -t rsa + + * Run example libssh server: + + ./examples/samplesshd-cb -f /tmp/ssh_config -k /tmp/hostkey -p 22222 127.0.0.1 + + * In other terminal, run the example libssh client with pcap enabled (use mypassword for password): + + ./examples/ssh-client -F /tmp/ssh_config -l myuser -P /tmp/ssh.pcap -p 22222 127.0.0.1 + + * Kill the server (in the first terminal, press Ctrl+C) + + * Convert the pcap file to raw traces (separate client and server messages) usable by fuzzer: + + tshark -r /tmp/ssh.pcap -T fields -e data -Y "tcp.dstport==22222" | tr -d '\n',':' | xxd -r -ps > /tmp/ssh_server + tshark -r /tmp/ssh.pcap -T fields -e data -Y "tcp.dstport!=22222" | tr -d '\n',':' | xxd -r -ps > /tmp/ssh_client + + * Now we should be able to "replay" the sessions in respective fuzzers, getting some more coverage: + + LIBSSH_VERBOSITY=9 ./tests/fuzz/ssh_client_fuzzer /tmp/ssh_client + LIBSSH_VERBOSITY=9 ./tests/fuzz/ssh_server_fuzzer /tmp/ssh_server + + (note, that the client fuzzer fails now because of invalid hostkey signature; TODO) + + * Store the appropriately named traces in the fuzers directory: + + cp /tmp/ssh_client tests/fuzz/ssh_client_fuzzer_corpus/$(sha1sum /tmp/ssh_client | cut -d ' ' -f 1) + cp /tmp/ssh_server tests/fuzz/ssh_server_fuzzer_corpus/$(sha1sum /tmp/ssh_server | cut -d ' ' -f 1) diff --git a/tests/fuzz/ssh_client_fuzzer_corpus/0f9d75a6c1d365115772a502d42b6e48f453198a b/tests/fuzz/ssh_client_fuzzer_corpus/0f9d75a6c1d365115772a502d42b6e48f453198a Binary files differnew file mode 100644 index 00000000..26676029 --- /dev/null 
+++ b/tests/fuzz/ssh_client_fuzzer_corpus/0f9d75a6c1d365115772a502d42b6e48f453198a diff --git a/tests/fuzz/ssh_server_fuzzer_corpus/fd7bd24a85e712fb59159a512b69d34ca21c8383 b/tests/fuzz/ssh_server_fuzzer_corpus/fd7bd24a85e712fb59159a512b69d34ca21c8383 Binary files differnew file mode 100644 index 00000000..26676029 --- /dev/null +++ b/tests/fuzz/ssh_server_fuzzer_corpus/fd7bd24a85e712fb59159a512b69d34ca21c8383 |
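Review bot: in the README hunk, the "Creating packet capture" steps write the host key, the `Ciphers none`/`MACs none` config and the pcap to fixed paths under `/tmp` (`/tmp/hostkey`, `/tmp/ssh_config`, `/tmp/ssh.pcap`); on a shared machine another local user can pre-create those names, so suggest a per-run `mktemp -d` directory in the examples, and a sentence stating that a build with `-DWITH_INSECURE_NONE=ON` is for fuzzing and test use only, since the Background section already explains that the none cipher and MAC remove the protocol's integrity protection. Smaller documentation points in the same hunk: "created from date before encryption" should read "data", "progress behind key exchange" should read "past key exchange", and "fuzers directory" should read "fuzzers directory". The tshark pipeline's `tr -d '\n',':'` only works because the shell concatenates the three quoted pieces into the set `\n,:`; `tr -d '\n:'` states the intent directly. Finally, the parenthetical "(note, that the client fuzzer fails now because of invalid hostkey signature; TODO)" should say what has to change for the client trace to replay, or point at where that is tracked, otherwise readers will take the committed client corpus file to be unusable.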
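Review bot: the two binary corpus files are added with the same blob id (`index 00000000..26676029` on both) and the same size (0 -> 2055 bytes), which means `ssh_client_fuzzer_corpus/0f9d75a6...` and `ssh_server_fuzzer_corpus/fd7bd24a...` have identical content, yet the README says the file name is the `sha1sum` of the trace and the two names differ, so at least one of them is not the trace it is named for. Given the README's split (client-to-server messages selected with `tcp.dstport==22222` go to the server fuzzer, the rest to the client fuzzer), one of the two `cp` steps most likely copied the wrong source file. Suggest regenerating both traces and checking that `sha1sum` of each file matches its name before committing.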