blob: 8b215b5bf01e8da8ace9edb46010e015fe94b00a (plain)
This is a harness to help with fuzzing KEX.

To use it, you first set it to count packets in each direction:

./kexfuzz -K diffie-hellman-group1-sha1 -k host_ed25519_key -c
S2C: 29
C2S: 31

Then get it to record a particular packet (in this case the 4th
packet from client->server):

./kexfuzz -K diffie-hellman-group1-sha1 -k host_ed25519_key \
    -d -D C2S -i 3 -f packet_3

Fuzz the packet somehow:

dd if=/dev/urandom of=packet_3 bs=32 count=1 # Just for example

Then re-run the key exchange substituting the modified packet in
its original sequence:

./kexfuzz -K diffie-hellman-group1-sha1 -k host_ed25519_key \
    -r -D C2S -i 3 -f packet_3

A comprehensive KEX fuzz run would fuzz every packet in both
directions for each key exchange type and every hostkey type.
This will take some time.
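The following POSIX shell driver is an added example of the "comprehensive" run described above; it is not part of the kexfuzz tree or of OpenSSH. It chains the count, record, mutate and replay steps for every packet index in both directions across a list of KEX and hostkey types. The KEX and hostkey lists, the host key file naming (host_<type>_key in the current directory), the packet file naming and the single-byte-flip mutation are all assumptions made for this example; only the kexfuzz options used in the text above (-c, -d, -r, -D, -i, -f, -K, -k) are relied on.

```shell
#!/bin/sh
# Added example driver for kexfuzz (not OpenSSH code). Assumes ./kexfuzz
# is built in the current directory and host keys are named
# host_<type>_key; both names are assumptions of this example.
KEXFUZZ="${KEXFUZZ:-./kexfuzz}"
# Constructed lists for this example; extend to every KEX/hostkey type built.
KEX_TYPES="diffie-hellman-group1-sha1 curve25519-sha256"
HOSTKEY_TYPES="ed25519 rsa"

# parse_count DIR: read "kexfuzz -c" output on stdin and print the packet
# count for DIR (S2C or C2S). Returns 1 if that direction is absent.
parse_count() {
    awk -v dir="$1:" '$1 == dir { print $2; found = 1 } END { exit !found }'
}

# mutate_packet FILE: overwrite one byte at a random offset in place.
# conv=notrunc keeps the length, so the replayed packet exercises body
# parsing rather than only length handling (unlike the whole-file dd above).
mutate_packet() {
    file="$1"
    size=$(wc -c < "$file" | tr -d ' ')
    [ "$size" -gt 0 ] || return 1
    off=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    off=$((off % size))
    dd if=/dev/urandom of="$file" bs=1 seek="$off" count=1 conv=notrunc 2>/dev/null
}

# fuzz_one KEX HOSTKEY_TYPE DIR IDX: record packet IDX, mutate it, replay it.
# Returns the replay's exit status.
fuzz_one() {
    kex="$1"; key="host_$2_key"; dir="$3"; idx="$4"
    pkt="packet_${kex}_${2}_${dir}_${idx}"   # constructed file name
    "$KEXFUZZ" -K "$kex" -k "$key" -d -D "$dir" -i "$idx" -f "$pkt" || return 1
    mutate_packet "$pkt" || return 1
    "$KEXFUZZ" -K "$kex" -k "$key" -r -D "$dir" -i "$idx" -f "$pkt"
}

# run_all: every KEX type x hostkey type x direction x packet index.
# A status >= 128 means the harness died from a signal (a crash worth
# triaging); any other nonzero status is logged as a rejected exchange.
run_all() {
    for kex in $KEX_TYPES; do
        for kt in $HOSTKEY_TYPES; do
            key="host_${kt}_key"
            [ -r "$key" ] || { echo "skip $kt: no $key" >&2; continue; }
            counts=$("$KEXFUZZ" -K "$kex" -k "$key" -c) || continue
            for dir in S2C C2S; do
                n=$(printf '%s\n' "$counts" | parse_count "$dir") || continue
                i=0
                while [ "$i" -lt "$n" ]; do
                    if fuzz_one "$kex" "$kt" "$dir" "$i"; then st=0; else st=$?; fi
                    if [ "$st" -ge 128 ]; then
                        echo "CRASH status=$st kex=$kex hostkey=$kt dir=$dir packet=$i" >&2
                    elif [ "$st" -ne 0 ]; then
                        echo "rejected status=$st kex=$kex hostkey=$kt dir=$dir packet=$i" >&2
                    fi
                    i=$((i + 1))
                done
            done
        done
    done
}

# Only drive kexfuzz when it is present; the helpers can be used alone.
if [ -x "$KEXFUZZ" ]; then
    run_all
else
    echo "kexfuzz not found at $KEXFUZZ; nothing run" >&2
fi
```

Run it from the regress/misc/kex_fuzz build directory after the harness and host keys are in place; stderr carries one line per rejected or crashed replay, and the mutated packet files are left behind so a crashing input can be replayed with the -r invocation shown above.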