1This is a harness to help with fuzzing KEX. 2 3To use it, you first set it to count packets in each direction: 4 5./kexfuzz -K diffie-hellman-group1-sha1 -k host_ed25519_key -c 6S2C: 29 7C2S: 31 8 9Then get it to record a particular packet (in this case the 4th 10packet from client->server): 11 12./kexfuzz -K diffie-hellman-group1-sha1 -k host_ed25519_key \ 13 -d -D C2S -i 3 -f packet_3 14 15Fuzz the packet somehow: 16 17dd if=/dev/urandom of=packet_3 bs=32 count=1 # Just for example 18 19Then re-run the key exchange substituting the modified packet in 20its original sequence: 21 22./kexfuzz -K diffie-hellman-group1-sha1 -k host_ed25519_key \ 23 -r -D C2S -i 3 -f packet_3 24 25A comprehensive KEX fuzz run would fuzz every packet in both 26directions for each key exchange type and every hostkey type. 27This will take some time. 28 29Limitations: kexfuzz can't change the ordering of packets at 30present. It is limited to replacing individual packets with 31fuzzed variants with the same type. It really should allow 32insertion, deletion on replacement of packets too. 33