diff options
Diffstat (limited to 'regress/misc')
-rw-r--r-- | regress/misc/Makefile | 3 | ||||
-rw-r--r-- | regress/misc/fuzz-harness/Makefile | 25 | ||||
-rw-r--r-- | regress/misc/fuzz-harness/README | 1 | ||||
-rw-r--r-- | regress/misc/fuzz-harness/authopt_fuzz.cc | 33 | ||||
-rw-r--r-- | regress/misc/fuzz-harness/pubkey_fuzz.cc | 18 | ||||
-rw-r--r-- | regress/misc/fuzz-harness/sig_fuzz.cc | 50 | ||||
-rw-r--r-- | regress/misc/kexfuzz/Makefile | 88 | ||||
-rw-r--r-- | regress/misc/kexfuzz/README | 34 | ||||
-rw-r--r-- | regress/misc/kexfuzz/kexfuzz.c | 459 |
9 files changed, 711 insertions, 0 deletions
diff --git a/regress/misc/Makefile b/regress/misc/Makefile new file mode 100644 index 0000000..14c0c27 --- /dev/null +++ b/regress/misc/Makefile @@ -0,0 +1,3 @@ +SUBDIR= kexfuzz + +.include <bsd.subdir.mk> diff --git a/regress/misc/fuzz-harness/Makefile b/regress/misc/fuzz-harness/Makefile new file mode 100644 index 0000000..a2aa444 --- /dev/null +++ b/regress/misc/fuzz-harness/Makefile @@ -0,0 +1,25 @@ +# NB. libssh and libopenbsd-compat should be built with the same sanitizer opts. +CXX=clang++-3.9 +FUZZ_FLAGS=-fsanitize=address,undefined -fsanitize-coverage=edge +FUZZ_LIBS=-lFuzzer + +CXXFLAGS=-O2 -g -Wall -Wextra -I ../../.. $(FUZZ_FLAGS) +LDFLAGS=-L ../../.. -L ../../../openbsd-compat -g $(FUZZ_FLAGS) +LIBS=-lssh -lopenbsd-compat -lcrypto $(FUZZ_LIBS) + +all: pubkey_fuzz sig_fuzz authopt_fuzz + +.cc.o: + $(CXX) $(CXXFLAGS) -c $< -o $@ + +pubkey_fuzz: pubkey_fuzz.o + $(CXX) -o $@ pubkey_fuzz.o $(LDFLAGS) $(LIBS) + +sig_fuzz: sig_fuzz.o + $(CXX) -o $@ sig_fuzz.o $(LDFLAGS) $(LIBS) + +authopt_fuzz: authopt_fuzz.o + $(CXX) -o $@ authopt_fuzz.o ../../../auth-options.o $(LDFLAGS) $(LIBS) + +clean: + -rm -f *.o pubkey_fuzz sig_fuzz authopt_fuzz diff --git a/regress/misc/fuzz-harness/README b/regress/misc/fuzz-harness/README new file mode 100644 index 0000000..ae6fbe7 --- /dev/null +++ b/regress/misc/fuzz-harness/README @@ -0,0 +1 @@ +This directory contains fuzzing harnesses for use with clang's libfuzzer. diff --git a/regress/misc/fuzz-harness/authopt_fuzz.cc b/regress/misc/fuzz-harness/authopt_fuzz.cc new file mode 100644 index 0000000..a76d5a3 --- /dev/null +++ b/regress/misc/fuzz-harness/authopt_fuzz.cc @@ -0,0 +1,33 @@ +#include <stddef.h> +#include <stdio.h> +#include <stdint.h> +#include <string.h> +#include <stdlib.h> + +extern "C" { + +#include "auth-options.h" + +int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) +{ + char *cp = (char *)malloc(size + 1); + struct sshauthopt *opts = NULL, *merge = NULL, *add = sshauthopt_new(); + + if (cp == NULL || add == NULL) + goto out; + memcpy(cp, data, size); + cp[size] = '\0'; + if ((opts = sshauthopt_parse(cp, NULL)) == NULL) + goto out; + if ((merge = sshauthopt_merge(opts, add, NULL)) == NULL) + goto out; + + out: + free(cp); + sshauthopt_free(add); + sshauthopt_free(opts); + sshauthopt_free(merge); + return 0; +} + +} // extern "C" diff --git a/regress/misc/fuzz-harness/pubkey_fuzz.cc b/regress/misc/fuzz-harness/pubkey_fuzz.cc new file mode 100644 index 0000000..8bbc110 --- /dev/null +++ b/regress/misc/fuzz-harness/pubkey_fuzz.cc @@ -0,0 +1,18 @@ +#include <stddef.h> +#include <stdio.h> +#include <stdint.h> + +extern "C" { + +#include "sshkey.h" + +int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) +{ + struct sshkey *k = NULL; + int r = sshkey_from_blob(data, size, &k); + if (r == 0) sshkey_free(k); + return 0; +} + +} // extern + diff --git a/regress/misc/fuzz-harness/sig_fuzz.cc b/regress/misc/fuzz-harness/sig_fuzz.cc new file mode 100644 index 0000000..dd1fda0 --- /dev/null +++ b/regress/misc/fuzz-harness/sig_fuzz.cc @@ -0,0 +1,50 @@ +// cc_fuzz_target test for public key parsing. + +#include <stddef.h> +#include <stdio.h> +#include <stdint.h> +#include <stdlib.h> +#include <string.h> + +extern "C" { + +#include "includes.h" +#include "sshkey.h" +#include "ssherr.h" + +static struct sshkey *generate_or_die(int type, unsigned bits) { + int r; + struct sshkey *ret; + if ((r = sshkey_generate(type, bits, &ret)) != 0) { + fprintf(stderr, "generate(%d, %u): %s", type, bits, ssh_err(r)); + abort(); + } + return ret; +} + +int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen) +{ +#ifdef WITH_OPENSSL + static struct sshkey *rsa = generate_or_die(KEY_RSA, 2048); + static struct sshkey *dsa = generate_or_die(KEY_DSA, 1024); + static struct sshkey *ecdsa256 = generate_or_die(KEY_ECDSA, 256); + static struct sshkey *ecdsa384 = generate_or_die(KEY_ECDSA, 384); + static struct sshkey *ecdsa521 = generate_or_die(KEY_ECDSA, 521); +#endif + static struct sshkey *ed25519 = generate_or_die(KEY_ED25519, 0); + static const char *data = "If everyone started announcing his nose had " + "run away, I don’t know how it would all end"; + static const size_t dlen = strlen(data); + +#ifdef WITH_OPENSSL + sshkey_verify(rsa, sig, slen, (const u_char *)data, dlen, NULL, 0); + sshkey_verify(dsa, sig, slen, (const u_char *)data, dlen, NULL, 0); + sshkey_verify(ecdsa256, sig, slen, (const u_char *)data, dlen, NULL, 0); + sshkey_verify(ecdsa384, sig, slen, (const u_char *)data, dlen, NULL, 0); + sshkey_verify(ecdsa521, sig, slen, (const u_char *)data, dlen, NULL, 0); +#endif + sshkey_verify(ed25519, sig, slen, (const u_char *)data, dlen, NULL, 0); + return 0; +} + +} // extern diff --git a/regress/misc/kexfuzz/Makefile b/regress/misc/kexfuzz/Makefile new file mode 100644 index 0000000..a7bb6b7 --- /dev/null +++ b/regress/misc/kexfuzz/Makefile @@ -0,0 +1,88 @@ +# $OpenBSD: Makefile,v 1.3 2017/12/21 05:46:35 djm Exp $ + +.include <bsd.own.mk> +.include <bsd.obj.mk> + +# XXX detect from ssh binary? +SSH1?= no +OPENSSL?= yes + +PROG= kexfuzz +SRCS= kexfuzz.c + +SSHREL=../../../../../usr.bin/ssh +.PATH: ${.CURDIR}/${SSHREL} +# From usr.bin/ssh +SRCS+=sshbuf-getput-basic.c sshbuf-getput-crypto.c sshbuf-misc.c sshbuf.c +SRCS+=atomicio.c sshkey.c authfile.c cipher.c log.c ssh-rsa.c ssh-dss.c +SRCS+=ssh-ecdsa.c ssh-ed25519.c mac.c umac.c umac128.c hmac.c misc.c +SRCS+=ssherr.c uidswap.c cleanup.c xmalloc.c match.c krl.c fatal.c +SRCS+=addrmatch.c bitmap.c packet.c dispatch.c canohost.c ssh_api.c +SRCS+=kex.c kexc25519.c kexc25519c.c kexc25519s.c kexdh.c kexdhc.c kexdhs.c +SRCS+=kexecdh.c kexecdhc.c kexecdhs.c kexgex.c kexgexc.c kexgexs.c +SRCS+=dh.c compat.c +SRCS+=ed25519.c hash.c ge25519.c fe25519.c sc25519.c verify.c +SRCS+=cipher-chachapoly.c chacha.c poly1305.c +SRCS+=smult_curve25519_ref.c + +SRCS+=digest-openssl.c +#SRCS+=digest-libc.c + +NOMAN= 1 + +.if (${OPENSSL:L} == "yes") +CFLAGS+= -DWITH_OPENSSL +.else +# SSH v.1 requires OpenSSL. +SSH1= no +.endif + +.if (${SSH1:L} == "yes") +CFLAGS+= -DWITH_SSH1 +.endif + +# enable warnings +WARNINGS=Yes + +DEBUG=-g +CFLAGS+= -fstack-protector-all +CDIAGFLAGS= -Wall +CDIAGFLAGS+= -Wextra +CDIAGFLAGS+= -Werror +CDIAGFLAGS+= -Wchar-subscripts +CDIAGFLAGS+= -Wcomment +CDIAGFLAGS+= -Wformat +CDIAGFLAGS+= -Wformat-security +CDIAGFLAGS+= -Wimplicit +CDIAGFLAGS+= -Winline +CDIAGFLAGS+= -Wmissing-declarations +CDIAGFLAGS+= -Wmissing-prototypes +CDIAGFLAGS+= -Wparentheses +CDIAGFLAGS+= -Wpointer-arith +CDIAGFLAGS+= -Wreturn-type +CDIAGFLAGS+= -Wshadow +CDIAGFLAGS+= -Wsign-compare +CDIAGFLAGS+= -Wstrict-aliasing +CDIAGFLAGS+= -Wstrict-prototypes +CDIAGFLAGS+= -Wswitch +CDIAGFLAGS+= -Wtrigraphs +CDIAGFLAGS+= -Wuninitialized +CDIAGFLAGS+= -Wunused +CDIAGFLAGS+= -Wno-unused-parameter +.if ${COMPILER_VERSION:L} != "gcc3" +CDIAGFLAGS+= -Wold-style-definition +.endif + + +CFLAGS+=-I${.CURDIR}/${SSHREL} + +LDADD+= -lutil -lz +DPADD+= ${LIBUTIL} ${LIBZ} + +.if (${OPENSSL:L} == "yes") +LDADD+= -lcrypto +DPADD+= ${LIBCRYPTO} +.endif + +.include <bsd.prog.mk> + diff --git a/regress/misc/kexfuzz/README b/regress/misc/kexfuzz/README new file mode 100644 index 0000000..504c26f --- /dev/null +++ b/regress/misc/kexfuzz/README @@ -0,0 +1,34 @@ +This is a harness to help with fuzzing KEX. + +To use it, you first set it to count packets in each direction: + +./kexfuzz -K diffie-hellman-group1-sha1 -k host_ed25519_key -c +S2C: 29 +C2S: 31 + +Then get it to record a particular packet (in this case the 4th +packet from client->server): + +./kexfuzz -K diffie-hellman-group1-sha1 -k host_ed25519_key \ + -d -D C2S -i 3 -f packet_3 + +Fuzz the packet somehow: + +dd if=/dev/urandom of=packet_3 bs=32 count=1 # Just for example + +Then re-run the key exchange substituting the modified packet in +its original sequence: + +./kexfuzz -K diffie-hellman-group1-sha1 -k host_ed25519_key \ + -r -D C2S -i 3 -f packet_3 + +A comprehensive KEX fuzz run would fuzz every packet in both +directions for each key exchange type and every hostkey type. +This will take some time. + +Limitations: kexfuzz can't change the ordering of packets at +present. It is limited to replacing individual packets with +fuzzed variants with the same type. It really should allow +insertion, deletion on replacement of packets too. + +$OpenBSD: README,v 1.3 2017/10/20 02:13:41 djm Exp $ diff --git a/regress/misc/kexfuzz/kexfuzz.c b/regress/misc/kexfuzz/kexfuzz.c new file mode 100644 index 0000000..3e2c481 --- /dev/null +++ b/regress/misc/kexfuzz/kexfuzz.c @@ -0,0 +1,459 @@ +/* $OpenBSD: kexfuzz.c,v 1.4 2017/04/30 23:34:55 djm Exp $ */ +/* + * Fuzz harness for KEX code + * + * Placed in the public domain + */ + +#include "includes.h" + +#include <sys/types.h> +#include <sys/param.h> +#include <stdio.h> +#ifdef HAVE_STDINT_H +# include <stdint.h> +#endif +#include <stdlib.h> +#include <string.h> +#include <unistd.h> +#include <fcntl.h> +#ifdef HAVE_ERR_H +# include <err.h> +#endif + +#include "ssherr.h" +#include "ssh_api.h" +#include "sshbuf.h" +#include "packet.h" +#include "myproposal.h" +#include "authfile.h" +#include "log.h" + +struct ssh *active_state = NULL; /* XXX - needed for linking */ + +void kex_tests(void); +static int do_debug = 0; + +enum direction { S2C, C2S }; + +struct hook_ctx { + struct ssh *client, *server, *server2; + int *c2s, *s2c; + int trigger_direction, packet_index; + const char *dump_path; + struct sshbuf *replace_data; +}; + +static int +packet_hook(struct ssh *ssh, struct sshbuf *packet, u_char *typep, void *_ctx) +{ + struct hook_ctx *ctx = (struct hook_ctx *)_ctx; + int mydirection = ssh == ctx->client ? S2C : C2S; + int *packet_count = mydirection == S2C ? ctx->s2c : ctx->c2s; + FILE *dumpfile; + int r; + + if (do_debug) { + printf("%s packet %d type %u:\n", + mydirection == S2C ? "s2c" : "c2s", + *packet_count, *typep); + sshbuf_dump(packet, stdout); + } + if (mydirection == ctx->trigger_direction && + ctx->packet_index == *packet_count) { + if (ctx->replace_data != NULL) { + sshbuf_reset(packet); + /* Type is first byte of packet */ + if ((r = sshbuf_get_u8(ctx->replace_data, + typep)) != 0 || + (r = sshbuf_putb(packet, ctx->replace_data)) != 0) + return r; + if (do_debug) { + printf("***** replaced packet type %u\n", + *typep); + sshbuf_dump(packet, stdout); + } + } else if (ctx->dump_path != NULL) { + if ((dumpfile = fopen(ctx->dump_path, "w+")) == NULL) + err(1, "fopen %s", ctx->dump_path); + /* Write { type, packet } */ + if (fwrite(typep, 1, 1, dumpfile) != 1) + err(1, "fwrite type %s", ctx->dump_path); + if (sshbuf_len(packet) != 0 && + fwrite(sshbuf_ptr(packet), sshbuf_len(packet), + 1, dumpfile) != 1) + err(1, "fwrite body %s", ctx->dump_path); + if (do_debug) { + printf("***** dumped packet type %u len %zu\n", + *typep, sshbuf_len(packet)); + } + fclose(dumpfile); + /* No point in continuing */ + exit(0); + } + } + (*packet_count)++; + return 0; +} + +static int +do_send_and_receive(struct ssh *from, struct ssh *to) +{ + u_char type; + size_t len; + const u_char *buf; + int r; + + for (;;) { + if ((r = ssh_packet_next(from, &type)) != 0) { + fprintf(stderr, "ssh_packet_next: %s\n", ssh_err(r)); + return r; + } + + if (type != 0) + return 0; + buf = ssh_output_ptr(from, &len); + if (len == 0) + return 0; + if ((r = ssh_input_append(to, buf, len)) != 0) { + debug("ssh_input_append: %s", ssh_err(r)); + return r; + } + if ((r = ssh_output_consume(from, len)) != 0) { + debug("ssh_output_consume: %s", ssh_err(r)); + return r; + } + } +} + +/* Minimal test_helper.c scaffholding to make this standalone */ +const char *in_test = NULL; +#define TEST_START(a) \ + do { \ + in_test = (a); \ + if (do_debug) \ + fprintf(stderr, "test %s starting\n", in_test); \ + } while (0) +#define TEST_DONE() \ + do { \ + if (do_debug) \ + fprintf(stderr, "test %s done\n", \ + in_test ? in_test : "???"); \ + in_test = NULL; \ + } while(0) +#define ASSERT_INT_EQ(a, b) \ + do { \ + if ((int)(a) != (int)(b)) { \ + fprintf(stderr, "%s %s:%d " \ + "%s (%d) != expected %s (%d)\n", \ + in_test ? in_test : "(none)", \ + __func__, __LINE__, #a, (int)(a), #b, (int)(b)); \ + exit(2); \ + } \ + } while (0) +#define ASSERT_INT_GE(a, b) \ + do { \ + if ((int)(a) < (int)(b)) { \ + fprintf(stderr, "%s %s:%d " \ + "%s (%d) < expected %s (%d)\n", \ + in_test ? in_test : "(none)", \ + __func__, __LINE__, #a, (int)(a), #b, (int)(b)); \ + exit(2); \ + } \ + } while (0) +#define ASSERT_PTR_NE(a, b) \ + do { \ + if ((a) == (b)) { \ + fprintf(stderr, "%s %s:%d " \ + "%s (%p) != expected %s (%p)\n", \ + in_test ? in_test : "(none)", \ + __func__, __LINE__, #a, (a), #b, (b)); \ + exit(2); \ + } \ + } while (0) + + +static void +run_kex(struct ssh *client, struct ssh *server) +{ + int r = 0; + + while (!server->kex->done || !client->kex->done) { + if ((r = do_send_and_receive(server, client)) != 0) { + debug("do_send_and_receive S2C: %s", ssh_err(r)); + break; + } + if ((r = do_send_and_receive(client, server)) != 0) { + debug("do_send_and_receive C2S: %s", ssh_err(r)); + break; + } + } + if (do_debug) + printf("done: %s\n", ssh_err(r)); + ASSERT_INT_EQ(r, 0); + ASSERT_INT_EQ(server->kex->done, 1); + ASSERT_INT_EQ(client->kex->done, 1); +} + +static void +do_kex_with_key(const char *kex, struct sshkey *prvkey, int *c2s, int *s2c, + int direction, int packet_index, + const char *dump_path, struct sshbuf *replace_data) +{ + struct ssh *client = NULL, *server = NULL, *server2 = NULL; + struct sshkey *pubkey = NULL; + struct sshbuf *state; + struct kex_params kex_params; + char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; + char *keyname = NULL; + struct hook_ctx hook_ctx; + + TEST_START("sshkey_from_private"); + ASSERT_INT_EQ(sshkey_from_private(prvkey, &pubkey), 0); + TEST_DONE(); + + TEST_START("ssh_init"); + memcpy(kex_params.proposal, myproposal, sizeof(myproposal)); + if (kex != NULL) + kex_params.proposal[PROPOSAL_KEX_ALGS] = strdup(kex); + keyname = strdup(sshkey_ssh_name(prvkey)); + ASSERT_PTR_NE(keyname, NULL); + kex_params.proposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = keyname; + ASSERT_INT_EQ(ssh_init(&client, 0, &kex_params), 0); + ASSERT_INT_EQ(ssh_init(&server, 1, &kex_params), 0); + ASSERT_INT_EQ(ssh_init(&server2, 1, NULL), 0); + ASSERT_PTR_NE(client, NULL); + ASSERT_PTR_NE(server, NULL); + ASSERT_PTR_NE(server2, NULL); + TEST_DONE(); + + hook_ctx.c2s = c2s; + hook_ctx.s2c = s2c; + hook_ctx.trigger_direction = direction; + hook_ctx.packet_index = packet_index; + hook_ctx.dump_path = dump_path; + hook_ctx.replace_data = replace_data; + hook_ctx.client = client; + hook_ctx.server = server; + hook_ctx.server2 = server2; + ssh_packet_set_input_hook(client, packet_hook, &hook_ctx); + ssh_packet_set_input_hook(server, packet_hook, &hook_ctx); + ssh_packet_set_input_hook(server2, packet_hook, &hook_ctx); + + TEST_START("ssh_add_hostkey"); + ASSERT_INT_EQ(ssh_add_hostkey(server, prvkey), 0); + ASSERT_INT_EQ(ssh_add_hostkey(client, pubkey), 0); + TEST_DONE(); + + TEST_START("kex"); + run_kex(client, server); + TEST_DONE(); + + TEST_START("rekeying client"); + ASSERT_INT_EQ(kex_send_kexinit(client), 0); + run_kex(client, server); + TEST_DONE(); + + TEST_START("rekeying server"); + ASSERT_INT_EQ(kex_send_kexinit(server), 0); + run_kex(client, server); + TEST_DONE(); + + TEST_START("ssh_packet_get_state"); + state = sshbuf_new(); + ASSERT_PTR_NE(state, NULL); + ASSERT_INT_EQ(ssh_packet_get_state(server, state), 0); + ASSERT_INT_GE(sshbuf_len(state), 1); + TEST_DONE(); + + TEST_START("ssh_packet_set_state"); + ASSERT_INT_EQ(ssh_add_hostkey(server2, prvkey), 0); + kex_free(server2->kex); /* XXX or should ssh_packet_set_state()? */ + ASSERT_INT_EQ(ssh_packet_set_state(server2, state), 0); + ASSERT_INT_EQ(sshbuf_len(state), 0); + sshbuf_free(state); + ASSERT_PTR_NE(server2->kex, NULL); + /* XXX we need to set the callbacks */ +#ifdef WITH_OPENSSL + server2->kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; + server2->kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; + server2->kex->kex[KEX_DH_GRP14_SHA256] = kexdh_server; + server2->kex->kex[KEX_DH_GRP16_SHA512] = kexdh_server; + server2->kex->kex[KEX_DH_GRP18_SHA512] = kexdh_server; + server2->kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; + server2->kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; +# ifdef OPENSSL_HAS_ECC + server2->kex->kex[KEX_ECDH_SHA2] = kexecdh_server; +# endif +#endif + server2->kex->kex[KEX_C25519_SHA256] = kexc25519_server; + server2->kex->load_host_public_key = server->kex->load_host_public_key; + server2->kex->load_host_private_key = server->kex->load_host_private_key; + server2->kex->sign = server->kex->sign; + TEST_DONE(); + + TEST_START("rekeying server2"); + ASSERT_INT_EQ(kex_send_kexinit(server2), 0); + run_kex(client, server2); + ASSERT_INT_EQ(kex_send_kexinit(client), 0); + run_kex(client, server2); + TEST_DONE(); + + TEST_START("cleanup"); + sshkey_free(pubkey); + ssh_free(client); + ssh_free(server); + ssh_free(server2); + free(keyname); + TEST_DONE(); +} + +static void +usage(void) +{ + fprintf(stderr, + "Usage: kexfuzz [-hcdrv] [-D direction] [-f data_file]\n" + " [-K kex_alg] [-k private_key] [-i packet_index]\n" + "\n" + "Options:\n" + " -h Display this help\n" + " -c Count packets sent during KEX\n" + " -d Dump mode: record KEX packet to data file\n" + " -r Replace mode: replace packet with data file\n" + " -v Turn on verbose logging\n" + " -D S2C|C2S Packet direction for replacement or dump\n" + " -f data_file Path to data file for replacement or dump\n" + " -K kex_alg Name of KEX algorithm to test (see below)\n" + " -k private_key Path to private key file\n" + " -i packet_index Index of packet to replace or dump (from 0)\n" + "\n" + "Available KEX algorithms: %s\n", kex_alg_list(' ')); +} + +static void +badusage(const char *bad) +{ + fprintf(stderr, "Invalid options\n"); + fprintf(stderr, "%s\n", bad); + usage(); + exit(1); +} + +int +main(int argc, char **argv) +{ + int ch, fd, r; + int count_flag = 0, dump_flag = 0, replace_flag = 0; + int packet_index = -1, direction = -1; + int s2c = 0, c2s = 0; /* packet counts */ + const char *kex = NULL, *kpath = NULL, *data_path = NULL; + struct sshkey *key = NULL; + struct sshbuf *replace_data = NULL; + + setvbuf(stdout, NULL, _IONBF, 0); + while ((ch = getopt(argc, argv, "hcdrvD:f:K:k:i:")) != -1) { + switch (ch) { + case 'h': + usage(); + return 0; + case 'c': + count_flag = 1; + break; + case 'd': + dump_flag = 1; + break; + case 'r': + replace_flag = 1; + break; + case 'v': + do_debug = 1; + break; + + case 'D': + if (strcasecmp(optarg, "s2c") == 0) + direction = S2C; + else if (strcasecmp(optarg, "c2s") == 0) + direction = C2S; + else + badusage("Invalid direction (-D)"); + break; + case 'f': + data_path = optarg; + break; + case 'K': + kex = optarg; + break; + case 'k': + kpath = optarg; + break; + case 'i': + packet_index = atoi(optarg); + if (packet_index < 0) + badusage("Invalid packet index"); + break; + default: + badusage("unsupported flag"); + } + } + argc -= optind; + argv += optind; + + log_init(argv[0], do_debug ? SYSLOG_LEVEL_DEBUG3 : SYSLOG_LEVEL_INFO, + SYSLOG_FACILITY_USER, 1); + + /* Must select a single mode */ + if ((count_flag + dump_flag + replace_flag) != 1) + badusage("Must select one mode: -c, -d or -r"); + /* KEX type is mandatory */ + if (kex == NULL || !kex_names_valid(kex) || strchr(kex, ',') != NULL) + badusage("Missing or invalid kex type (-K flag)"); + /* Valid key is mandatory */ + if (kpath == NULL) + badusage("Missing private key (-k flag)"); + if ((fd = open(kpath, O_RDONLY)) == -1) + err(1, "open %s", kpath); + if ((r = sshkey_load_private_type_fd(fd, KEY_UNSPEC, NULL, + &key, NULL)) != 0) + errx(1, "Unable to load key %s: %s", kpath, ssh_err(r)); + close(fd); + /* XXX check that it is a private key */ + /* XXX support certificates */ + if (key == NULL || key->type == KEY_UNSPEC) + badusage("Invalid key file (-k flag)"); + + /* Replace (fuzz) mode */ + if (replace_flag) { + if (packet_index == -1 || direction == -1 || data_path == NULL) + badusage("Replace (-r) mode must specify direction " + "(-D) packet index (-i) and data path (-f)"); + if ((fd = open(data_path, O_RDONLY)) == -1) + err(1, "open %s", data_path); + replace_data = sshbuf_new(); + if ((r = sshkey_load_file(fd, replace_data)) != 0) + errx(1, "read %s: %s", data_path, ssh_err(r)); + close(fd); + } + + /* Dump mode */ + if (dump_flag) { + if (packet_index == -1 || direction == -1 || data_path == NULL) + badusage("Dump (-d) mode must specify direction " + "(-D), packet index (-i) and data path (-f)"); + } + + /* Count mode needs no further flags */ + + do_kex_with_key(kex, key, &c2s, &s2c, + direction, packet_index, + dump_flag ? data_path : NULL, + replace_flag ? replace_data : NULL); + sshkey_free(key); + sshbuf_free(replace_data); + + if (count_flag) { + printf("S2C: %d\n", s2c); + printf("C2S: %d\n", c2s); + } + + return 0; +} |