external/openssh/regress/misc/kexfuzz (files: kexfuzz.c, Makefile, README; dated 22-Oct-2020)

README

This is a harness to help with fuzzing KEX.

To use it, you first set it to count packets in each direction:

./kexfuzz -K diffie-hellman-group1-sha1 -k host_ed25519_key -c
S2C: 29
C2S: 31

Then get it to record a particular packet (in this case the 4th
packet from client->server):

./kexfuzz -K diffie-hellman-group1-sha1 -k host_ed25519_key \
    -d -D C2S -i 3 -f packet_3

Fuzz the packet somehow:

dd if=/dev/urandom of=packet_3 bs=32 count=1 # Just for example

Then re-run the key exchange substituting the modified packet in
its original sequence:

./kexfuzz -K diffie-hellman-group1-sha1 -k host_ed25519_key \
    -r -D C2S -i 3 -f packet_3

A comprehensive KEX fuzz run would fuzz every packet in both
directions for each key exchange type and every hostkey type.
This will take some time.
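
Scripted version of the comprehensive run described above, added here as an example and not part of the OpenSSH harness. It assumes a built ./kexfuzz and the host key file from the README; the names packet_count, classify_status, mutate_packet, fuzz_all and the crash_* output files are assumptions of this example.

```sh
#!/bin/sh
# Added example, not OpenSSH's own code: drive kexfuzz over every packet in
# both directions for one KEX method and hostkey, the README's "comprehensive
# run". Assumes ./kexfuzz is built and the hostkey file exists.

# Pull one direction's count out of the "./kexfuzz ... -c" output,
# which looks like "S2C: 29" / "C2S: 31".  $1 = that output, $2 = S2C|C2S.
packet_count() {
    printf '%s\n' "$1" | awk -v d="$2:" '$1 == d { print $2; exit }'
}

# Classify a kexfuzz exit status. The shell reports a child killed by a
# signal (SIGSEGV, SIGABRT from a sanitizer, ...) as 128 + signal number;
# that is the crash we are fuzzing for. Any other non-zero status is the
# harness rejecting the mutated packet cleanly, and 0 means it accepted it.
classify_status() {
    if [ "$1" -eq 0 ]; then echo accepted
    elif [ "$1" -gt 128 ] && [ "$1" -le 192 ]; then echo crash
    else echo rejected
    fi
}

# Overwrite the first 32 bytes of a recorded packet with random data
# (the README's mutator, made non-truncating so the packet keeps its tail).
mutate_packet() {
    dd if=/dev/urandom of="$1" bs=32 count=1 conv=notrunc 2>/dev/null
}

# $1 = KEX method, $2 = hostkey file, $3 = mutations per packet.
# Inputs that crash the harness are kept as crash_<dir>_<index>_<n>.
fuzz_all() {
    counts=$(./kexfuzz -K "$1" -k "$2" -c) || return 1
    for dir in S2C C2S; do
        n=$(packet_count "$counts" "$dir")
        i=0
        while [ "$i" -lt "$n" ]; do
            ./kexfuzz -K "$1" -k "$2" -d -D "$dir" -i "$i" -f "packet_$i" || return 1
            m=0
            while [ "$m" -lt "$3" ]; do
                cp "packet_$i" fuzzed && mutate_packet fuzzed
                ./kexfuzz -K "$1" -k "$2" -r -D "$dir" -i "$i" -f fuzzed >/dev/null 2>&1
                st=$?
                echo "$dir packet $i mutation $m: $(classify_status "$st") (exit $st)"
                [ "$(classify_status "$st")" = crash ] && cp fuzzed "crash_${dir}_${i}_${m}"
                m=$((m + 1))
            done
            i=$((i + 1))
        done
    done
}
```

Call `fuzz_all diffie-hellman-group1-sha1 host_ed25519_key 100` and loop over the KEX and hostkey types you want covered; a "crash" line is the result worth triaging, while clean rejections are the expected outcome for most mutations.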

Limitations: kexfuzz can't change the ordering of packets at
present. It is limited to replacing individual packets with
fuzzed variants of the same type. It really should allow
insertion, deletion or replacement of packets too.