This is a harness to help with fuzzing KEX.

To use it, you first set it to count packets in each direction:

./kexfuzz -K diffie-hellman-group1-sha1 -k host_ed25519_key -c
S2C: 29
C2S: 31

Then get it to record a particular packet (in this case the 4th
packet from client->server; packet indexes are zero-based, so the
4th packet is -i 3):

./kexfuzz -K diffie-hellman-group1-sha1 -k host_ed25519_key \
   -d -D C2S -i 3 -f packet_3

Fuzz the packet somehow:

dd if=/dev/urandom of=packet_3 bs=32 count=1 # Just for example; this replaces the whole file with 32 random bytes

Then re-run the key exchange substituting the modified packet in
its original sequence:

./kexfuzz -K diffie-hellman-group1-sha1 -k host_ed25519_key \
   -r -D C2S -i 3 -f packet_3

A comprehensive KEX fuzz run would fuzz every packet in both
directions for each key exchange type and every hostkey type.
This will take some time.

Limitations: kexfuzz can't change the ordering of packets at
present. It is limited to replacing individual packets with
fuzzed variants of the same type. It really should allow
insertion, deletion or replacement of packets too.
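The count / record / mutate / replay loop above, driven over every packet in both directions, as an added example script. This is not part of OpenSSH's regress tree; it assumes kexfuzz is built at $KEXFUZZ (default ./kexfuzz) with the -c, -d, -r, -D, -i and -f flags exactly as shown above, that the host key file is readable from the current directory, and that a recorded packet file may be mutated in place as long as its length is preserved. The mutator flips one byte rather than overwriting the file, so the packet stays well-formed enough to reach the parser instead of being rejected at the length check. The KEX_ALGS and HOST_KEYS lists are placeholders; extend them to cover each key exchange type and every hostkey type.

```shell
#!/bin/sh
# Added example driver for kexfuzz; not part of OpenSSH's regress tree.
# Assumes: $KEXFUZZ is the harness built from regress/misc/kexfuzz, the
# host key files are in the current directory, and recorded packet files
# can be mutated in place as long as their length is preserved.
set -eu

KEXFUZZ=${KEXFUZZ:-./kexfuzz}
KEX_ALGS=${KEX_ALGS:-diffie-hellman-group1-sha1}     # placeholder list
HOST_KEYS=${HOST_KEYS:-host_ed25519_key}             # placeholder list

# Extract the packet count for one direction (S2C or C2S) from the
# two-line output of "kexfuzz -c".
parse_counts() {
    printf '%s\n' "$1" | awk -v d="$2:" '$1 == d { print $2; exit }'
}

# Flip every bit of the byte at offset $2 in file $1 without changing the
# file's length (unlike the dd/urandom one-liner, which truncates the file
# to 32 bytes). Fails if the offset is past the end of the file.
mutate_packet() {
    mf=$1; moff=$2
    mb=$(od -An -tu1 -j "$moff" -N1 "$mf" | tr -d ' \n')
    [ -n "$mb" ] || { echo "offset $moff past end of $mf" >&2; return 1; }
    mv=$(( mb ^ 255 ))
    printf "\\$(printf '%03o' "$mv")" \
        | dd of="$mf" bs=1 seek="$moff" conv=notrunc 2>/dev/null
}

# For one KEX/hostkey pair: count packets, record each one in each
# direction, flip a byte at a few offsets, and replay it in its original
# position. A crash or hang of kexfuzz is the finding; a non-zero exit
# alone is expected noise, since a rejected packet fails the exchange.
fuzz_pair() {
    kex=$1; key=$2
    counts=$("$KEXFUZZ" -K "$kex" -k "$key" -c)
    for dir in S2C C2S; do
        n=$(parse_counts "$counts" "$dir")
        i=0
        while [ "$i" -lt "$n" ]; do
            pkt="packet_${kex}_${dir}_${i}"
            "$KEXFUZZ" -K "$kex" -k "$key" -d -D "$dir" -i "$i" -f "$pkt"
            len=$(wc -c < "$pkt")
            for off in 0 1 $((len / 2)) $((len - 1)); do
                [ "$off" -lt "$len" ] || continue
                cp "$pkt" "$pkt.fuzz"
                mutate_packet "$pkt.fuzz" "$off"
                "$KEXFUZZ" -K "$kex" -k "$key" -r -D "$dir" -i "$i" -f "$pkt.fuzz" \
                    || echo "$kex $key $dir packet $i offset $off: exchange failed (status $?)"
            done
            i=$((i + 1))
        done
    done
}

# Only run the full sweep when the harness is actually present.
if [ -x "$KEXFUZZ" ]; then
    for kex in $KEX_ALGS; do
        for key in $HOST_KEYS; do
            fuzz_pair "$kex" "$key"
        done
    done
fi
```

Run it from the kexfuzz build directory after "make"; set KEX_ALGS and HOST_KEYS to space-separated lists to widen the sweep, and watch for a kexfuzz process that dies with a signal or stops making progress rather than for the "exchange failed" lines, which merely record that the mutated packet was rejected.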