diff options
Diffstat (limited to 'regress/misc/kexfuzz/README')
| -rw-r--r-- | regress/misc/kexfuzz/README | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/regress/misc/kexfuzz/README b/regress/misc/kexfuzz/README new file mode 100644 index 000000000..8b215b5bf --- /dev/null +++ b/regress/misc/kexfuzz/README | |||
| @@ -0,0 +1,28 @@ | |||
| 1 | This is a harness to help with fuzzing KEX. | ||
| 2 | |||
| 3 | To use it, you first set it to count packets in each direction: | ||
| 4 | |||
| 5 | ./kexfuzz -K diffie-hellman-group1-sha1 -k host_ed25519_key -c | ||
| 6 | S2C: 29 | ||
| 7 | C2S: 31 | ||
| 8 | |||
| 9 | Then get it to record a particular packet (in this case the 4th | ||
| 10 | packet from client->server): | ||
| 11 | |||
| 12 | ./kexfuzz -K diffie-hellman-group1-sha1 -k host_ed25519_key \ | ||
| 13 | -d -D C2S -i 3 -f packet_3 | ||
| 14 | |||
| 15 | Fuzz the packet somehow: | ||
| 16 | |||
| 17 | dd if=/dev/urandom of=packet_3 bs=32 count=1 # Just for example | ||
| 18 | |||
| 19 | Then re-run the key exchange substituting the modified packet in | ||
| 20 | its original sequence: | ||
| 21 | |||
| 22 | ./kexfuzz -K diffie-hellman-group1-sha1 -k host_ed25519_key \ | ||
| 23 | -r -D C2S -i 3 -f packet_3 | ||
| 24 | |||
| 25 | A comprehensive KEX fuzz run would fuzz every packet in both | ||
| 26 | directions for each key exchange type and every hostkey type. | ||
| 27 | This will take some time. | ||
| 28 | |||