9 files changed, 711 insertions, 0 deletions
diff --git a/regress/misc/Makefile b/regress/misc/Makefile
new file mode 100644
index 0000000..14c0c27
--- /dev/null
+++ b/regress/misc/Makefile
@@ -0,0 +1,3 @@
+SUBDIR=		kexfuzz
+
+.include <bsd.subdir.mk>
diff --git a/regress/misc/fuzz-harness/Makefile b/regress/misc/fuzz-harness/Makefile
new file mode 100644
index 0000000..a2aa444
--- /dev/null
+++ b/regress/misc/fuzz-harness/Makefile
@@ -0,0 +1,25 @@
+# NB. libssh and libopenbsd-compat should be built with the same sanitizer opts.
+CXX=clang++-3.9
+FUZZ_FLAGS=-fsanitize=address,undefined -fsanitize-coverage=edge
+FUZZ_LIBS=-lFuzzer
+
+CXXFLAGS=-O2 -g -Wall -Wextra -I ../../.. $(FUZZ_FLAGS)
+LDFLAGS=-L ../../.. -L ../../../openbsd-compat -g $(FUZZ_FLAGS)
+LIBS=-lssh -lopenbsd-compat -lcrypto $(FUZZ_LIBS)
+
+all: pubkey_fuzz sig_fuzz authopt_fuzz
+
+.cc.o:
+	$(CXX) $(CXXFLAGS) -c $< -o $@
+
+pubkey_fuzz: pubkey_fuzz.o
+	$(CXX) -o $@ pubkey_fuzz.o $(LDFLAGS) $(LIBS)
+
+sig_fuzz: sig_fuzz.o
+	$(CXX) -o $@ sig_fuzz.o $(LDFLAGS) $(LIBS)
+
+authopt_fuzz: authopt_fuzz.o
+	$(CXX) -o $@ authopt_fuzz.o ../../../auth-options.o $(LDFLAGS) $(LIBS)
+
+clean:
+	-rm -f *.o pubkey_fuzz sig_fuzz authopt_fuzz
diff --git a/regress/misc/fuzz-harness/README b/regress/misc/fuzz-harness/README
new file mode 100644
index 0000000..ae6fbe7
--- /dev/null
+++ b/regress/misc/fuzz-harness/README
@@ -0,0 +1 @@
+This directory contains fuzzing harnesses for use with clang's libfuzzer.
diff --git a/regress/misc/fuzz-harness/authopt_fuzz.cc b/regress/misc/fuzz-harness/authopt_fuzz.cc
new file mode 100644
index 0000000..a76d5a3
--- /dev/null
+++ b/regress/misc/fuzz-harness/authopt_fuzz.cc
@@ -0,0 +1,33 @@
+#include <stddef.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <string.h>
+#include <stdlib.h>
+
+extern "C" {
+
+#include "auth-options.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+{
+	char *cp = (char *)malloc(size + 1);
+	struct sshauthopt *opts = NULL, *merge = NULL, *add = sshauthopt_new();
+
+	if (cp == NULL || add == NULL)
+		goto out;
+	memcpy(cp, data, size);
+	cp[size] = '\0';
+	if ((opts = sshauthopt_parse(cp, NULL)) == NULL)
+		goto out;
+	if ((merge = sshauthopt_merge(opts, add, NULL)) == NULL)
+		goto out;
+
+ out:
+	free(cp);
+	sshauthopt_free(add);
+	sshauthopt_free(opts);
+	sshauthopt_free(merge);
+	return 0;
+}
+
+} // extern "C"
diff --git a/regress/misc/fuzz-harness/pubkey_fuzz.cc b/regress/misc/fuzz-harness/pubkey_fuzz.cc
new file mode 100644
index 0000000..8bbc110
--- /dev/null
+++ b/regress/misc/fuzz-harness/pubkey_fuzz.cc
@@ -0,0 +1,18 @@
+#include <stddef.h>
+#include <stdio.h>
+#include <stdint.h>
+
+extern "C" {
+
+#include "sshkey.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+{
+	struct sshkey *k = NULL;
+	int r = sshkey_from_blob(data, size, &k);
+	if (r == 0) sshkey_free(k);
+	return 0;
+}
+
+} // extern
+
diff --git a/regress/misc/fuzz-harness/sig_fuzz.cc b/regress/misc/fuzz-harness/sig_fuzz.cc
new file mode 100644
index 0000000..dd1fda0
--- /dev/null
+++ b/regress/misc/fuzz-harness/sig_fuzz.cc
@@ -0,0 +1,50 @@
+// cc_fuzz_target test for public key parsing.
+
+#include <stddef.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+extern "C" {
+
+#include "includes.h"
+#include "sshkey.h"
+#include "ssherr.h"
+
+static struct sshkey *generate_or_die(int type, unsigned bits) {
+  int r;
+  struct sshkey *ret;
+  if ((r = sshkey_generate(type, bits, &ret)) != 0) {
+    fprintf(stderr, "generate(%d, %u): %s", type, bits, ssh_err(r));
+    abort();
+  }
+  return ret;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen)
+{
+#ifdef WITH_OPENSSL
+  static struct sshkey *rsa = generate_or_die(KEY_RSA, 2048);
+  static struct sshkey *dsa = generate_or_die(KEY_DSA, 1024);
+  static struct sshkey *ecdsa256 = generate_or_die(KEY_ECDSA, 256);
+  static struct sshkey *ecdsa384 = generate_or_die(KEY_ECDSA, 384);
+  static struct sshkey *ecdsa521 = generate_or_die(KEY_ECDSA, 521);
+#endif
+  static struct sshkey *ed25519 = generate_or_die(KEY_ED25519, 0);
+  static const char *data = "If everyone started announcing his nose had "
+      "run away, I don’t know how it would all end";
+  static const size_t dlen = strlen(data);
+
+#ifdef WITH_OPENSSL
+  sshkey_verify(rsa, sig, slen, (const u_char *)data, dlen, NULL, 0);
+  sshkey_verify(dsa, sig, slen, (const u_char *)data, dlen, NULL, 0);
+  sshkey_verify(ecdsa256, sig, slen, (const u_char *)data, dlen, NULL, 0);
+  sshkey_verify(ecdsa384, sig, slen, (const u_char *)data, dlen, NULL, 0);
+  sshkey_verify(ecdsa521, sig, slen, (const u_char *)data, dlen, NULL, 0);
+#endif
+  sshkey_verify(ed25519, sig, slen, (const u_char *)data, dlen, NULL, 0);
+  return 0;
+}
+
+} // extern
diff --git a/regress/misc/kexfuzz/Makefile b/regress/misc/kexfuzz/Makefile
new file mode 100644
index 0000000..a7bb6b7
--- /dev/null
+++ b/regress/misc/kexfuzz/Makefile
@@ -0,0 +1,88 @@
+#	$OpenBSD: Makefile,v 1.3 2017/12/21 05:46:35 djm Exp $
+
+.include <bsd.own.mk>
+.include <bsd.obj.mk>
+
+# XXX detect from ssh binary?
+SSH1?=		no
+OPENSSL?=	yes
+
+PROG=	kexfuzz
+SRCS=	kexfuzz.c
+
+SSHREL=../../../../../usr.bin/ssh
+.PATH: ${.CURDIR}/${SSHREL}
+# From usr.bin/ssh
+SRCS+=sshbuf-getput-basic.c sshbuf-getput-crypto.c sshbuf-misc.c sshbuf.c
+SRCS+=atomicio.c sshkey.c authfile.c cipher.c log.c ssh-rsa.c ssh-dss.c
+SRCS+=ssh-ecdsa.c ssh-ed25519.c mac.c umac.c umac128.c hmac.c misc.c
+SRCS+=ssherr.c uidswap.c cleanup.c xmalloc.c match.c krl.c fatal.c
+SRCS+=addrmatch.c bitmap.c packet.c dispatch.c canohost.c ssh_api.c
+SRCS+=kex.c kexc25519.c kexc25519c.c kexc25519s.c kexdh.c kexdhc.c kexdhs.c
+SRCS+=kexecdh.c kexecdhc.c kexecdhs.c kexgex.c kexgexc.c kexgexs.c
+SRCS+=dh.c compat.c
+SRCS+=ed25519.c hash.c ge25519.c fe25519.c sc25519.c verify.c
+SRCS+=cipher-chachapoly.c chacha.c poly1305.c
+SRCS+=smult_curve25519_ref.c
+
+SRCS+=digest-openssl.c
+#SRCS+=digest-libc.c
+
+NOMAN=	1
+
+.if (${OPENSSL:L} == "yes")
+CFLAGS+=	-DWITH_OPENSSL
+.else
+# SSH v.1 requires OpenSSL.
+SSH1=		no
+.endif
+
+.if (${SSH1:L} == "yes")
+CFLAGS+=	-DWITH_SSH1
+.endif
+
+# enable warnings
+WARNINGS=Yes
+
+DEBUG=-g
+CFLAGS+=	-fstack-protector-all
+CDIAGFLAGS=	-Wall
+CDIAGFLAGS+=	-Wextra
+CDIAGFLAGS+=	-Werror
+CDIAGFLAGS+=	-Wchar-subscripts
+CDIAGFLAGS+=	-Wcomment
+CDIAGFLAGS+=	-Wformat
+CDIAGFLAGS+=	-Wformat-security
+CDIAGFLAGS+=	-Wimplicit
+CDIAGFLAGS+=	-Winline
+CDIAGFLAGS+=	-Wmissing-declarations
+CDIAGFLAGS+=	-Wmissing-prototypes
+CDIAGFLAGS+=	-Wparentheses
+CDIAGFLAGS+=	-Wpointer-arith
+CDIAGFLAGS+=	-Wreturn-type
+CDIAGFLAGS+=	-Wshadow
+CDIAGFLAGS+=	-Wsign-compare
+CDIAGFLAGS+=	-Wstrict-aliasing
+CDIAGFLAGS+=	-Wstrict-prototypes
+CDIAGFLAGS+=	-Wswitch
+CDIAGFLAGS+=	-Wtrigraphs
+CDIAGFLAGS+=	-Wuninitialized
+CDIAGFLAGS+=	-Wunused
+CDIAGFLAGS+=	-Wno-unused-parameter
+.if ${COMPILER_VERSION:L} != "gcc3"
+CDIAGFLAGS+=	-Wold-style-definition
+.endif
+
+
+CFLAGS+=-I${.CURDIR}/${SSHREL}
+
+LDADD+= -lutil -lz
+DPADD+= ${LIBUTIL} ${LIBZ}
+
+.if (${OPENSSL:L} == "yes")
+LDADD+= -lcrypto
+DPADD+= ${LIBCRYPTO}
+.endif
+
+.include <bsd.prog.mk>
+
diff --git a/regress/misc/kexfuzz/README b/regress/misc/kexfuzz/README
new file mode 100644
index 0000000..504c26f
--- /dev/null
+++ b/regress/misc/kexfuzz/README
@@ -0,0 +1,34 @@
+This is a harness to help with fuzzing KEX.
+
+To use it, you first set it to count packets in each direction:
+
+./kexfuzz -K diffie-hellman-group1-sha1 -k host_ed25519_key -c
+S2C: 29
+C2S: 31
+
+Then get it to record a particular packet (in this case the 4th
+packet from client->server):
+
+./kexfuzz -K diffie-hellman-group1-sha1 -k host_ed25519_key \
+    -d -D C2S -i 3 -f packet_3
+
+Fuzz the packet somehow:
+
+dd if=/dev/urandom of=packet_3 bs=32 count=1 # Just for example
+
+Then re-run the key exchange substituting the modified packet in
+its original sequence:
+
+./kexfuzz -K diffie-hellman-group1-sha1 -k host_ed25519_key \
+    -r -D C2S -i 3 -f packet_3
+
+A comprehensive KEX fuzz run would fuzz every packet in both
+directions for each key exchange type and every hostkey type.
+This will take some time.
+
+Limitations: kexfuzz can't change the ordering of packets at
+present. It is limited to replacing individual packets with
+fuzzed variants with the same type. It really should allow
+insertion, deletion on replacement of packets too.
+
+$OpenBSD: README,v 1.3 2017/10/20 02:13:41 djm Exp $
diff --git a/regress/misc/kexfuzz/kexfuzz.c b/regress/misc/kexfuzz/kexfuzz.c
new file mode 100644
index 0000000..3e2c481
--- /dev/null
+++ b/regress/misc/kexfuzz/kexfuzz.c
@@ -0,0 +1,459 @@
+/* 	$OpenBSD: kexfuzz.c,v 1.4 2017/04/30 23:34:55 djm Exp $ */
+/*
+ * Fuzz harness for KEX code
+ *
+ * Placed in the public domain
+ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <stdio.h>
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+#ifdef HAVE_ERR_H
+# include <err.h>
+#endif
+
+#include "ssherr.h"
+#include "ssh_api.h"
+#include "sshbuf.h"
+#include "packet.h"
+#include "myproposal.h"
+#include "authfile.h"
+#include "log.h"
+
+struct ssh *active_state = NULL; /* XXX - needed for linking */
+
+void kex_tests(void);
+static int do_debug = 0;
+
+enum direction { S2C, C2S };
+
+struct hook_ctx {
+	struct ssh *client, *server, *server2;
+	int *c2s, *s2c;
+	int trigger_direction, packet_index;
+	const char *dump_path;
+	struct sshbuf *replace_data;
+};
+
+static int
+packet_hook(struct ssh *ssh, struct sshbuf *packet, u_char *typep, void *_ctx)
+{
+	struct hook_ctx *ctx = (struct hook_ctx *)_ctx;
+	int mydirection = ssh == ctx->client ? S2C : C2S;
+	int *packet_count = mydirection == S2C ? ctx->s2c : ctx->c2s;
+	FILE *dumpfile;
+	int r;
+
+	if (do_debug) {
+		printf("%s packet %d type %u:\n",
+		    mydirection == S2C ? "s2c" : "c2s",
+		    *packet_count, *typep);
+		sshbuf_dump(packet, stdout);
+	}
+	if (mydirection == ctx->trigger_direction &&
+	    ctx->packet_index == *packet_count) {
+		if (ctx->replace_data != NULL) {
+			sshbuf_reset(packet);
+			/* Type is first byte of packet */
+			if ((r = sshbuf_get_u8(ctx->replace_data,
+			    typep)) != 0 ||
+			    (r = sshbuf_putb(packet, ctx->replace_data)) != 0)
+				return r;
+			if (do_debug) {
+				printf("***** replaced packet type %u\n",
+				    *typep);
+				sshbuf_dump(packet, stdout);
+			}
+		} else if (ctx->dump_path != NULL) {
+			if ((dumpfile = fopen(ctx->dump_path, "w+")) == NULL)
+				err(1, "fopen %s", ctx->dump_path);
+			/* Write { type, packet } */
+			if (fwrite(typep, 1, 1, dumpfile) != 1)
+				err(1, "fwrite type %s", ctx->dump_path);
+			if (sshbuf_len(packet) != 0 &&
+			    fwrite(sshbuf_ptr(packet), sshbuf_len(packet),
+			    1, dumpfile) != 1)
+				err(1, "fwrite body %s", ctx->dump_path);
+			if (do_debug) {
+				printf("***** dumped packet type %u len %zu\n",
+				    *typep, sshbuf_len(packet));
+			}
+			fclose(dumpfile);
+			/* No point in continuing */
+			exit(0);
+		}
+	}
+	(*packet_count)++;
+	return 0;
+}
+
+static int
+do_send_and_receive(struct ssh *from, struct ssh *to)
+{
+	u_char type;
+	size_t len;
+	const u_char *buf;
+	int r;
+
+	for (;;) {
+		if ((r = ssh_packet_next(from, &type)) != 0) {
+			fprintf(stderr, "ssh_packet_next: %s\n", ssh_err(r));
+			return r;
+		}
+
+		if (type != 0)
+			return 0;
+		buf = ssh_output_ptr(from, &len);
+		if (len == 0)
+			return 0;
+		if ((r = ssh_input_append(to, buf, len)) != 0) {
+			debug("ssh_input_append: %s", ssh_err(r));
+			return r;
+		}
+		if ((r = ssh_output_consume(from, len)) != 0) {
+			debug("ssh_output_consume: %s", ssh_err(r));
+			return r;
+		}
+	}
+}
+
+/* Minimal test_helper.c scaffholding to make this standalone */
+const char *in_test = NULL;
+#define TEST_START(a)	\
+	do { \
+		in_test = (a); \
+		if (do_debug) \
+			fprintf(stderr, "test %s starting\n", in_test); \
+	} while (0)
+#define TEST_DONE()	\
+	do { \
+		if (do_debug) \
+			fprintf(stderr, "test %s done\n", \
+			    in_test ? in_test : "???"); \
+		in_test = NULL; \
+	} while(0)
+#define ASSERT_INT_EQ(a, b) \
+	do { \
+		if ((int)(a) != (int)(b)) { \
+			fprintf(stderr, "%s %s:%d " \
+			    "%s (%d) != expected %s (%d)\n", \
+			    in_test ? in_test : "(none)", \
+			    __func__, __LINE__, #a, (int)(a), #b, (int)(b)); \
+			exit(2); \
+		} \
+	} while (0)
+#define ASSERT_INT_GE(a, b) \
+	do { \
+		if ((int)(a) < (int)(b)) { \
+			fprintf(stderr, "%s %s:%d " \
+			    "%s (%d) < expected %s (%d)\n", \
+			    in_test ? in_test : "(none)", \
+			    __func__, __LINE__, #a, (int)(a), #b, (int)(b)); \
+			exit(2); \
+		} \
+	} while (0)
+#define ASSERT_PTR_NE(a, b) \
+	do { \
+		if ((a) == (b)) { \
+			fprintf(stderr, "%s %s:%d " \
+			    "%s (%p) != expected %s (%p)\n", \
+			    in_test ? in_test : "(none)", \
+			    __func__, __LINE__, #a, (a), #b, (b)); \
+			exit(2); \
+		} \
+	} while (0)
+
+
+static void
+run_kex(struct ssh *client, struct ssh *server)
+{
+	int r = 0;
+
+	while (!server->kex->done || !client->kex->done) {
+		if ((r = do_send_and_receive(server, client)) != 0) {
+			debug("do_send_and_receive S2C: %s", ssh_err(r));
+			break;
+		}
+		if ((r = do_send_and_receive(client, server)) != 0) {
+			debug("do_send_and_receive C2S: %s", ssh_err(r));
+			break;
+		}
+	}
+	if (do_debug)
+		printf("done: %s\n", ssh_err(r));
+	ASSERT_INT_EQ(r, 0);
+	ASSERT_INT_EQ(server->kex->done, 1);
+	ASSERT_INT_EQ(client->kex->done, 1);
+}
+
+static void
+do_kex_with_key(const char *kex, struct sshkey *prvkey, int *c2s, int *s2c,
+    int direction, int packet_index,
+    const char *dump_path, struct sshbuf *replace_data)
+{
+	struct ssh *client = NULL, *server = NULL, *server2 = NULL;
+	struct sshkey *pubkey = NULL;
+	struct sshbuf *state;
+	struct kex_params kex_params;
+	char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
+	char *keyname = NULL;
+	struct hook_ctx hook_ctx;
+
+	TEST_START("sshkey_from_private");
+	ASSERT_INT_EQ(sshkey_from_private(prvkey, &pubkey), 0);
+	TEST_DONE();
+
+	TEST_START("ssh_init");
+	memcpy(kex_params.proposal, myproposal, sizeof(myproposal));
+	if (kex != NULL)
+		kex_params.proposal[PROPOSAL_KEX_ALGS] = strdup(kex);
+	keyname = strdup(sshkey_ssh_name(prvkey));
+	ASSERT_PTR_NE(keyname, NULL);
+	kex_params.proposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = keyname;
+	ASSERT_INT_EQ(ssh_init(&client, 0, &kex_params), 0);
+	ASSERT_INT_EQ(ssh_init(&server, 1, &kex_params), 0);
+	ASSERT_INT_EQ(ssh_init(&server2, 1, NULL), 0);
+	ASSERT_PTR_NE(client, NULL);
+	ASSERT_PTR_NE(server, NULL);
+	ASSERT_PTR_NE(server2, NULL);
+	TEST_DONE();
+
+	hook_ctx.c2s = c2s;
+	hook_ctx.s2c = s2c;
+	hook_ctx.trigger_direction = direction;
+	hook_ctx.packet_index = packet_index;
+	hook_ctx.dump_path = dump_path;
+	hook_ctx.replace_data = replace_data;
+	hook_ctx.client = client;
+	hook_ctx.server = server;
+	hook_ctx.server2 = server2;
+	ssh_packet_set_input_hook(client, packet_hook, &hook_ctx);
+	ssh_packet_set_input_hook(server, packet_hook, &hook_ctx);
+	ssh_packet_set_input_hook(server2, packet_hook, &hook_ctx);
+
+	TEST_START("ssh_add_hostkey");
+	ASSERT_INT_EQ(ssh_add_hostkey(server, prvkey), 0);
+	ASSERT_INT_EQ(ssh_add_hostkey(client, pubkey), 0);
+	TEST_DONE();
+
+	TEST_START("kex");
+	run_kex(client, server);
+	TEST_DONE();
+
+	TEST_START("rekeying client");
+	ASSERT_INT_EQ(kex_send_kexinit(client), 0);
+	run_kex(client, server);
+	TEST_DONE();
+
+	TEST_START("rekeying server");
+	ASSERT_INT_EQ(kex_send_kexinit(server), 0);
+	run_kex(client, server);
+	TEST_DONE();
+
+	TEST_START("ssh_packet_get_state");
+	state = sshbuf_new();
+	ASSERT_PTR_NE(state, NULL);
+	ASSERT_INT_EQ(ssh_packet_get_state(server, state), 0);
+	ASSERT_INT_GE(sshbuf_len(state), 1);
+	TEST_DONE();
+
+	TEST_START("ssh_packet_set_state");
+	ASSERT_INT_EQ(ssh_add_hostkey(server2, prvkey), 0);
+	kex_free(server2->kex);	/* XXX or should ssh_packet_set_state()? */
+	ASSERT_INT_EQ(ssh_packet_set_state(server2, state), 0);
+	ASSERT_INT_EQ(sshbuf_len(state), 0);
+	sshbuf_free(state);
+	ASSERT_PTR_NE(server2->kex, NULL);
+	/* XXX we need to set the callbacks */
+#ifdef WITH_OPENSSL
+	server2->kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
+	server2->kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
+	server2->kex->kex[KEX_DH_GRP14_SHA256] = kexdh_server;
+	server2->kex->kex[KEX_DH_GRP16_SHA512] = kexdh_server;
+	server2->kex->kex[KEX_DH_GRP18_SHA512] = kexdh_server;
+	server2->kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
+	server2->kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
+# ifdef OPENSSL_HAS_ECC
+	server2->kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+# endif
+#endif
+	server2->kex->kex[KEX_C25519_SHA256] = kexc25519_server;
+	server2->kex->load_host_public_key = server->kex->load_host_public_key;
+	server2->kex->load_host_private_key = server->kex->load_host_private_key;
+	server2->kex->sign = server->kex->sign;
+	TEST_DONE();
+
+	TEST_START("rekeying server2");
+	ASSERT_INT_EQ(kex_send_kexinit(server2), 0);
+	run_kex(client, server2);
+	ASSERT_INT_EQ(kex_send_kexinit(client), 0);
+	run_kex(client, server2);
+	TEST_DONE();
+
+	TEST_START("cleanup");
+	sshkey_free(pubkey);
+	ssh_free(client);
+	ssh_free(server);
+	ssh_free(server2);
+	free(keyname);
+	TEST_DONE();
+}
+
+static void
+usage(void)
+{
+	fprintf(stderr,
+	    "Usage: kexfuzz [-hcdrv] [-D direction] [-f data_file]\n"
+	    "               [-K kex_alg] [-k private_key] [-i packet_index]\n"
+	    "\n"
+	    "Options:\n"
+	    "    -h               Display this help\n"
+	    "    -c               Count packets sent during KEX\n"
+	    "    -d               Dump mode: record KEX packet to data file\n"
+	    "    -r               Replace mode: replace packet with data file\n"
+	    "    -v               Turn on verbose logging\n"
+	    "    -D S2C|C2S       Packet direction for replacement or dump\n"
+	    "    -f data_file     Path to data file for replacement or dump\n"
+	    "    -K kex_alg       Name of KEX algorithm to test (see below)\n"
+	    "    -k private_key   Path to private key file\n"
+	    "    -i packet_index  Index of packet to replace or dump (from 0)\n"
+	    "\n"
+	    "Available KEX algorithms: %s\n", kex_alg_list(' '));
+}
+
+static void
+badusage(const char *bad)
+{
+	fprintf(stderr, "Invalid options\n");
+	fprintf(stderr, "%s\n", bad);
+	usage();
+	exit(1);
+}
+
+int
+main(int argc, char **argv)
+{
+	int ch, fd, r;
+	int count_flag = 0, dump_flag = 0, replace_flag = 0;
+	int packet_index = -1, direction = -1;
+	int s2c = 0, c2s = 0; /* packet counts */
+	const char *kex = NULL, *kpath = NULL, *data_path = NULL;
+	struct sshkey *key = NULL;
+	struct sshbuf *replace_data = NULL;
+
+	setvbuf(stdout, NULL, _IONBF, 0);
+	while ((ch = getopt(argc, argv, "hcdrvD:f:K:k:i:")) != -1) {
+		switch (ch) {
+		case 'h':
+			usage();
+			return 0;
+		case 'c':
+			count_flag = 1;
+			break;
+		case 'd':
+			dump_flag = 1;
+			break;
+		case 'r':
+			replace_flag = 1;
+			break;
+		case 'v':
+			do_debug = 1;
+			break;
+
+		case 'D':
+			if (strcasecmp(optarg, "s2c") == 0)
+				direction = S2C;
+			else if (strcasecmp(optarg, "c2s") == 0)
+				direction = C2S;
+			else
+				badusage("Invalid direction (-D)");
+			break;
+		case 'f':
+			data_path = optarg;
+			break;
+		case 'K':
+			kex = optarg;
+			break;
+		case 'k':
+			kpath = optarg;
+			break;
+		case 'i':
+			packet_index = atoi(optarg);
+			if (packet_index < 0)
+				badusage("Invalid packet index");
+			break;
+		default:
+			badusage("unsupported flag");
+		}
+	}
+	argc -= optind;
+	argv += optind;
+
+	log_init(argv[0], do_debug ? SYSLOG_LEVEL_DEBUG3 : SYSLOG_LEVEL_INFO,
+	    SYSLOG_FACILITY_USER, 1);
+
+	/* Must select a single mode */
+	if ((count_flag + dump_flag + replace_flag) != 1)
+		badusage("Must select one mode: -c, -d or -r");
+	/* KEX type is mandatory */
+	if (kex == NULL || !kex_names_valid(kex) || strchr(kex, ',') != NULL)
+		badusage("Missing or invalid kex type (-K flag)");
+	/* Valid key is mandatory */
+	if (kpath == NULL)
+		badusage("Missing private key (-k flag)");
+	if ((fd = open(kpath, O_RDONLY)) == -1)
+		err(1, "open %s", kpath);
+	if ((r = sshkey_load_private_type_fd(fd, KEY_UNSPEC, NULL,
+	    &key, NULL)) != 0)
+		errx(1, "Unable to load key %s: %s", kpath, ssh_err(r));
+	close(fd);
+	/* XXX check that it is a private key */
+	/* XXX support certificates */
+	if (key == NULL || key->type == KEY_UNSPEC)
+		badusage("Invalid key file (-k flag)");
+
+	/* Replace (fuzz) mode */
+	if (replace_flag) {
+		if (packet_index == -1 || direction == -1 || data_path == NULL)
+			badusage("Replace (-r) mode must specify direction "
+			    "(-D) packet index (-i) and data path (-f)");
+		if ((fd = open(data_path, O_RDONLY)) == -1)
+			err(1, "open %s", data_path);
+		replace_data = sshbuf_new();
+		if ((r = sshkey_load_file(fd, replace_data)) != 0)
+			errx(1, "read %s: %s", data_path, ssh_err(r));
+		close(fd);
+	}
+
+	/* Dump mode */
+	if (dump_flag) {
+		if (packet_index == -1 || direction == -1 || data_path == NULL)
+			badusage("Dump (-d) mode must specify direction "
+			    "(-D), packet index (-i) and data path (-f)");
+	}
+
+	/* Count mode needs no further flags */
+
+	do_kex_with_key(kex, key, &c2s, &s2c,
+	    direction, packet_index,
+	    dump_flag ? data_path : NULL,
+	    replace_flag ? replace_data : NULL);
+	sshkey_free(key);
+	sshbuf_free(replace_data);
+
+	if (count_flag) {
+		printf("S2C: %d\n", s2c);
+		printf("C2S: %d\n", c2s);
+	}
+
+	return 0;
+}