This is a harness to help with fuzzing KEX.

To use it, you first set it to count packets in each direction:

./kexfuzz -K diffie-hellman-group1-sha1 -k host_ed25519_key -c
S2C: 29
C2S: 31

Then get it to record a particular packet (in this case the 4th
packet from client->server):

./kexfuzz -K diffie-hellman-group1-sha1 -k host_ed25519_key \
    -d -D C2S -i 3 -f packet_3

Fuzz the packet somehow:

dd if=/dev/urandom of=packet_3 bs=32 count=1 # Just for example

Then re-run the key exchange substituting the modified packet in
its original sequence:

./kexfuzz -K diffie-hellman-group1-sha1 -k host_ed25519_key \
    -r -D C2S -i 3 -f packet_3

A comprehensive KEX fuzz run would fuzz every packet in both
directions for each key exchange type and every hostkey type.
This will take some time.
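The comprehensive run described above, written out as a POSIX sh driver. This is an added example, not part of the kexfuzz README or of OpenSSH itself. It uses only the kexfuzz flags shown above (-K, -k, -c, -d, -r, -D, -i, -f) and assumes: the harness is at ./kexfuzz (override with KEXFUZZ); host keys are named host_<type>_key as in host_ed25519_key; KEX_TYPES and HOSTKEY_TYPES default to the single names the README uses and are extended by hand from the types your harness build supports; a replay that dies from a signal exits with a status above 128 (the usual shell convention), while an ordinary KEX failure caused by a corrupted packet exits non-zero below that; and kept packets go under ./findings. The mutator overwrites a few random byte positions in place with dd rather than replacing the whole file as the README's one-liner does, so the packet keeps its length and most of its structure.

```shell
#!/bin/sh
# Added example, not part of the kexfuzz README or of OpenSSH: drive the
# harness over every packet in both directions for each KEX/hostkey pair.
# Assumptions: kexfuzz is ./kexfuzz, host keys are named host_<type>_key,
# and a replay killed by a signal exits with status > 128.

KEXFUZZ=${KEXFUZZ:-./kexfuzz}
# Only the names from the README are listed; extend from the types your
# harness build supports.
KEX_TYPES=${KEX_TYPES:-diffie-hellman-group1-sha1}
HOSTKEY_TYPES=${HOSTKEY_TYPES:-ed25519}
FINDINGS=${FINDINGS:-./findings}

# parse_count DIR: read 'kexfuzz -c' output on stdin and print the packet
# count for DIR (S2C or C2S); fails if the line is missing.
parse_count() {
    awk -v dir="$1:" '$1 == dir { print $2; found = 1 }
                      END { if (!found) exit 1 }'
}

# plan_runs KEX HOSTKEY S2C_COUNT C2S_COUNT: one line per run,
# "kex hostkey direction index", indices 0-based like kexfuzz -i.
plan_runs() {
    kex=$1 hostkey=$2 s2c=$3 c2s=$4
    i=0
    while [ "$i" -lt "$s2c" ]; do echo "$kex $hostkey S2C $i"; i=$((i + 1)); done
    i=0
    while [ "$i" -lt "$c2s" ]; do echo "$kex $hostkey C2S $i"; i=$((i + 1)); done
}

# mutate_bytes FILE [N]: overwrite N random byte positions in FILE in place
# (keeps the length, unlike the README's dd one-liner which replaces it).
mutate_bytes() {
    f=$1 n=${2:-4}
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -gt 0 ] || return 1
    k=0
    while [ "$k" -lt "$n" ]; do
        off=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
        dd if=/dev/urandom of="$f" bs=1 seek=$((off % size)) count=1 \
            conv=notrunc 2>/dev/null
        k=$((k + 1))
    done
}

# run_one KEX HOSTKEY DIR INDEX: record, mutate, replay; keep the packet
# when the replay crashes (signal), discard it on a plain KEX failure.
run_one() {
    kex=$1 hk=$2 dir=$3 idx=$4
    key="host_${hk}_key"
    pkt="$FINDINGS/${kex}_${hk}_${dir}_${idx}"
    mkdir -p "$FINDINGS"
    "$KEXFUZZ" -K "$kex" -k "$key" -d -D "$dir" -i "$idx" -f "$pkt" || return 1
    mutate_bytes "$pkt" 4
    rc=0
    "$KEXFUZZ" -K "$kex" -k "$key" -r -D "$dir" -i "$idx" -f "$pkt" \
        >/dev/null 2>&1 || rc=$?
    if [ "$rc" -gt 128 ]; then
        echo "CRASH (status $rc): $kex $hk $dir $idx, packet kept at $pkt" >&2
    else
        rm -f "$pkt"      # expected: the corrupted packet makes the KEX fail
    fi
}

# run_all: count packets for each KEX/hostkey pair, then run every index.
run_all() {
    for kex in $KEX_TYPES; do
        for hk in $HOSTKEY_TYPES; do
            counts=$("$KEXFUZZ" -K "$kex" -k "host_${hk}_key" -c) || continue
            s2c=$(printf '%s\n' "$counts" | parse_count S2C) || continue
            c2s=$(printf '%s\n' "$counts" | parse_count C2S) || continue
            plan_runs "$kex" "$hk" "$s2c" "$c2s" |
            while read -r k h d i; do run_one "$k" "$h" "$d" "$i"; done
        done
    done
}

# Start the campaign only when asked:  sh kexfuzz-all.sh run
if [ "${1:-}" = run ]; then
    run_all
fi
```

Running `sh kexfuzz-all.sh run` from the regress directory does one mutated replay per packet index and direction; anything that ends in a signal is reported with its packet left under ./findings for reproduction with the README's -r command, while the ordinary "corrupted packet, KEX fails" outcome is discarded. A single random byte flip per packet is only the starting point; the mutate_bytes step is the place to plug in a structured mutator for the KEX message being targeted.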