fuzz: Added PA-TNC fuzzer
authorAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 2 Mar 2018 12:35:30 +0000 (13:35 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 12 Jun 2018 19:47:39 +0000 (21:47 +0200)
.gitignore
fuzz/.gitignore
fuzz/Makefile.am
fuzz/fuzz_pa_tnc.c [new file with mode: 0644]
scripts/test.sh

index cd0c307..6b415b2 100644 (file)
@@ -30,6 +30,7 @@ lex.yy.c
 plugin_constructors.c
 Doxyfile
 apidoc/
+fuzzing-corpora/
 *~
 *.orig
 *.patch
index cbc050f..dbd3ef9 100644 (file)
@@ -1,2 +1,3 @@
 fuzz_certs
-fuzz_crls
\ No newline at end of file
+fuzz_crls
+fuzz_pa_tnc
index 3962896..d6e596b 100644 (file)
@@ -1,5 +1,8 @@
 AM_CPPFLAGS = @CPPFLAGS@ \
        -I$(top_srcdir)/src/libstrongswan \
+       -I$(top_srcdir)/src/libimcv \
+       -I$(top_srcdir)/src/libtncif \
+       -I$(top_srcdir)/src/libtpmtss \
        -DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \
        -DPLUGINS="\"${fuzz_plugins}\""
 
@@ -8,7 +11,13 @@ fuzz_ldflags = ${libfuzzer} \
        -Wl,-Bstatic -lgmp -Wl,-Bdynamic \
        @FUZZING_LDFLAGS@
 
-FUZZ_TARGETS=fuzz_certs fuzz_crls
+pa_tnc_ldflags = \
+       $(top_builddir)/src/libimcv/.libs/libimcv.a \
+       $(top_builddir)/src/libtncif/.libs/libtncif.a \
+       $(top_builddir)/src/libtpmtss/.libs/libtpmtss.a \
+       $(fuzz_ldflags)
+
+FUZZ_TARGETS=fuzz_certs fuzz_crls fuzz_pa_tnc
 
 all-local: $(FUZZ_TARGETS)
 
@@ -20,6 +29,9 @@ fuzz_certs: fuzz_certs.c ${libfuzzer}
 fuzz_crls: fuzz_crls.c ${libfuzzer}
        $(CC) $(AM_CPPFLAGS) $(CFLAGS) -o $@ $< $(fuzz_ldflags)
 
+fuzz_pa_tnc: fuzz_pa_tnc.c ${libfuzzer}
+       $(CC) $(AM_CPPFLAGS) $(CFLAGS) -o $@ $< $(pa_tnc_ldflags)
+
 noinst_LIBRARIES = libFuzzerLocal.a
 libFuzzerLocal_a_SOURCES = libFuzzerLocal.c
 libFuzzerLocal_a_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
@@ -27,7 +39,6 @@ libFuzzerLocal_a_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 check: all
        for f in $(FUZZ_TARGETS); do \
                corpus=$${f#fuzz_}; \
-               corpus=$${corpus%%_*}; \
                ./$$f $(FUZZING_CORPORA)/$${corpus}/*; \
                crashes=$(FUZZING_CORPORA)/$${corpus}-crash; \
                test ! -d $${crashes} || ./$$f $${crashes}/*; \
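Review bot: The new `fuzz_pa_tnc` rule lists only `fuzz_pa_tnc.c` and `${libfuzzer}` as prerequisites, while the three static archives it links (`libimcv.a`, `libtncif.a`, `libtpmtss.a` from `pa_tnc_ldflags`) are not, so a rebuilt libimcv/libtncif/libtpmtss will not trigger a relink of the fuzzer and `make check` can run against stale code. Splitting the archives out of the flags variable lets them serve both as link inputs and as prerequisites without duplicating the paths. The `check` loop change (dropping `corpus=$${corpus%%_*}`) correctly maps `fuzz_pa_tnc` to a `pa_tnc` corpus directory; worth a one-line comment there, e.g. `# corpus dir is the target name minus the fuzz_ prefix (fuzz_pa_tnc -> pa_tnc)`, since the earlier truncation rule was silently relied on by the other two targets.
```makefile
pa_tnc_libs = \
	$(top_builddir)/src/libimcv/.libs/libimcv.a \
	$(top_builddir)/src/libtncif/.libs/libtncif.a \
	$(top_builddir)/src/libtpmtss/.libs/libtpmtss.a

pa_tnc_ldflags = $(pa_tnc_libs) $(fuzz_ldflags)

# … unchanged: FUZZ_TARGETS, all-local, fuzz_certs, fuzz_crls rules …

fuzz_pa_tnc: fuzz_pa_tnc.c ${libfuzzer} $(pa_tnc_libs)
	$(CC) $(AM_CPPFLAGS) $(CFLAGS) -o $@ $< $(pa_tnc_ldflags)
```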
diff --git a/fuzz/fuzz_pa_tnc.c b/fuzz/fuzz_pa_tnc.c
new file mode 100644 (file)
index 0000000..6ee3733
--- /dev/null
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) 2018 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <library.h>
+#include <imcv.h>
+#include <pa_tnc/pa_tnc_msg.h>
+#include <ietf/ietf_attr_pa_tnc_error.h>
+#include <utils/debug.h>
+
+int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len)
+{
+       pa_tnc_msg_t *msg;
+       pa_tnc_attr_t *attr;
+       ietf_attr_pa_tnc_error_t *error;
+       linked_list_t *non_fatal_types;
+       enumerator_t *enumerator;
+       chunk_t chunk;
+
+       dbg_default_set_level(-1);
+       library_init(NULL, "fuzz_pa_tnc");
+       plugin_loader_add_plugindirs(PLUGINDIR, PLUGINS);
+       if (!lib->plugins->load(lib->plugins, PLUGINS))
+       {
+               return 1;
+       }
+       libimcv_init(FALSE);
+       chunk = chunk_create((u_char*)buf, len);
+
+       /* Parse incoming PA-TNC message */
+       msg = pa_tnc_msg_create_from_data(chunk);
+       if (msg->process(msg) == SUCCESS)
+       {
+               non_fatal_types = linked_list_create();
+               msg->process_ietf_std_errors(msg, non_fatal_types);
+               non_fatal_types->destroy(non_fatal_types);
+       }
+
+       /* enumerate correctly decoded attributes */
+       enumerator = msg->create_attribute_enumerator(msg);
+       while (enumerator->enumerate(enumerator, &attr))
+       {
+               attr->get_noskip_flag(attr);
+       }
+       enumerator->destroy(enumerator);
+
+       /* enumerate errors detected while parsing PA-TNC message and attributes */
+       enumerator = msg->create_error_enumerator(msg);
+       while (enumerator->enumerate(enumerator, &attr))
+       {
+               error = (ietf_attr_pa_tnc_error_t*)attr;
+               error->get_error_code(error);
+       }
+       enumerator->destroy(enumerator);
+
+       msg->destroy(msg);
+
+       libimcv_deinit();
+       lib->plugins->unload(lib->plugins);
+       library_deinit();
+       return 0;
+}
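Review bot: The plugin-load failure branch (`return 1;` after `lib->plugins->load(...)`) leaves the `library_init()` call on the line above unpaired, and it hands libFuzzer a non-zero return value, which LLVMFuzzerTestOneInput is not supposed to do (the harness contract is to return 0; other values are reserved). Since every other path tears the library down, the failure path should too, e.g. `library_deinit();` before the return, and if a missing plugin set should stop the run outright, an explicit `abort();` makes that visible in the crash log instead of relying on a reserved return code. Separately, `library_init()`, plugin loading and `libimcv_init()` are repeated for every input; if the sibling fuzzers in this directory follow the same pattern that is a shared cost, but a one-time `LLVMFuzzerInitialize()` is the documented place for such setup and would make each iteration considerably cheaper. A short header comment stating what the harness feeds where would also help, e.g. `/* Feed the raw input as a PA-TNC message: parse it, process IETF standard errors, then walk the decoded attributes and the parse errors so that attribute-specific decoders get exercised. */`.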
index e7568df..cea8ece 100755 (executable)
@@ -126,7 +126,8 @@ osx)
        ;;
 fuzzing)
        CFLAGS="$CFLAGS -DNO_CHECK_MEMWIPE"
-       CONFIG="--enable-fuzzing --enable-static --disable-shared --disable-scripts"
+       CONFIG="--enable-fuzzing --enable-static --disable-shared --disable-scripts
+                       --enable-imc-test"
        # don't run any of the unit tests
        export TESTS_RUNNERS=
        # prepare corpora