fuzz: Added PB-TNC fuzzer
authorAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 9 Mar 2018 13:40:00 +0000 (14:40 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 12 Jun 2018 19:47:40 +0000 (21:47 +0200)
configure.ac
fuzz/.gitignore
fuzz/Makefile.am
fuzz/fuzz_pb_tnc.c [new file with mode: 0644]
scripts/test.sh

index fb1ff39..66b11eb 100644 (file)
@@ -431,7 +431,7 @@ if test x$eap_radius = xtrue -o x$radattr = xtrue -o x$tnc_pdp = xtrue; then
        radius=true;
 fi
 
-if test x$tnc_imc = xtrue -o x$tnc_imv = xtrue -o x$tnccs_11 = xtrue -o x$tnccs_11 = xtrue -o x$tnccs_dynamic = xtrue -o x$eap_tnc = xtrue; then
+if test x$tnc_imc = xtrue -o x$tnc_imv = xtrue -o x$tnccs_11 = xtrue -o x$tnccs_20 = xtrue -o x$tnccs_dynamic = xtrue -o x$eap_tnc = xtrue; then
        tnc_tnccs=true;
 fi
 
index dbd3ef9..765d23a 100644 (file)
@@ -1,3 +1,4 @@
 fuzz_certs
 fuzz_crls
 fuzz_pa_tnc
+fuzz_pb_tnc
index d6e596b..df228d3 100644 (file)
@@ -3,6 +3,8 @@ AM_CPPFLAGS = @CPPFLAGS@ \
        -I$(top_srcdir)/src/libimcv \
        -I$(top_srcdir)/src/libtncif \
        -I$(top_srcdir)/src/libtpmtss \
+       -I$(top_srcdir)/src/libtnccs \
+       -I$(top_srcdir)/src/libtnccs/plugins/tnccs_20 \
        -DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \
        -DPLUGINS="\"${fuzz_plugins}\""
 
@@ -17,7 +19,12 @@ pa_tnc_ldflags = \
        $(top_builddir)/src/libtpmtss/.libs/libtpmtss.a \
        $(fuzz_ldflags)
 
-FUZZ_TARGETS=fuzz_certs fuzz_crls fuzz_pa_tnc
+pb_tnc_ldflags = \
+       $(top_builddir)/src/libtnccs/.libs/libtnccs.a \
+       $(top_builddir)/src/libtncif/.libs/libtncif.a \
+       $(fuzz_ldflags)
+
+FUZZ_TARGETS=fuzz_certs fuzz_crls fuzz_pa_tnc fuzz_pb_tnc
 
 all-local: $(FUZZ_TARGETS)
 
@@ -32,6 +39,9 @@ fuzz_crls: fuzz_crls.c ${libfuzzer}
 fuzz_pa_tnc: fuzz_pa_tnc.c ${libfuzzer}
        $(CC) $(AM_CPPFLAGS) $(CFLAGS) -o $@ $< $(pa_tnc_ldflags)
 
+fuzz_pb_tnc: fuzz_pb_tnc.c ${libfuzzer}
+       $(CC) $(AM_CPPFLAGS) $(CFLAGS) -o $@ $< $(pb_tnc_ldflags)
+
 noinst_LIBRARIES = libFuzzerLocal.a
 libFuzzerLocal_a_SOURCES = libFuzzerLocal.c
 libFuzzerLocal_a_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
diff --git a/fuzz/fuzz_pb_tnc.c b/fuzz/fuzz_pb_tnc.c
new file mode 100644 (file)
index 0000000..e8f23c9
--- /dev/null
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2018 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <library.h>
+#include <batch/pb_tnc_batch.h>
+#include <messages/ietf/pb_error_msg.h>
+#include <state_machine/pb_tnc_state_machine.h>
+#include <utils/debug.h>
+
+
+int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len)
+{
+       pb_tnc_batch_t *batch;
+       pb_tnc_state_machine_t *state;
+       pb_tnc_msg_t *msg;
+       pb_error_msg_t *error;
+       enumerator_t *enumerator;
+       bool from_server;
+       chunk_t chunk;
+
+       dbg_default_set_level(-1);
+       library_init(NULL, "fuzz_pb_tnc");
+       plugin_loader_add_plugindirs(PLUGINDIR, PLUGINS);
+       if (!lib->plugins->load(lib->plugins, PLUGINS))
+       {
+               return 1;
+       }
+       chunk = chunk_create((u_char*)buf, len);
+
+       INIT(state,
+               .receive_batch = (void*)return_true,
+               .set_empty_cdata = (void*)nop,
+       );
+
+       /* parse incoming PB-TNC batch */
+       batch = pb_tnc_batch_create_from_data(chunk);
+       if (batch->process_header(batch, TRUE, FALSE, &from_server) == SUCCESS ||
+               batch->process_header(batch, TRUE, TRUE, &from_server) == SUCCESS)
+       {
+               batch->process(batch, state);
+       }
+
+       /* enumerate correctly decoded PB-TNC messages */
+       enumerator = batch->create_msg_enumerator(batch);
+       while (enumerator->enumerate(enumerator, &msg))
+       {
+               msg->get_type(msg);
+       }
+       enumerator->destroy(enumerator);
+
+       /* enumerate errors detected while parsing PB-TNC batch and messages */
+       enumerator = batch->create_error_enumerator(batch);
+       while (enumerator->enumerate(enumerator, &msg))
+       {
+               error = (pb_error_msg_t*)msg;
+               error->get_error_code(error);
+       }
+       enumerator->destroy(enumerator);
+
+       batch->destroy(batch);
+
+       free(state);
+       lib->plugins->unload(lib->plugins);
+       library_deinit();
+       return 0;
+}
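Review bot: The early `return 1` after the `lib->plugins->load()` check skips `library_deinit()`, so the state set up by `library_init()` two lines earlier is leaked on that path, and since libFuzzer calls this function once per input a leak detector would flag that path rather than a real parsing defect; change the branch body to `library_deinit(); return 1;` (libFuzzer's documentation also reserves non-zero return values, so `return 0` after the deinit may be the safer choice). The second `process_header()` call re-parses the same batch with `is_server` set to TRUE after the first attempt fails — presumably the header parser tolerates a retry after failure, but that is worth stating in a comment, e.g. `/* try the batch as a client batch first, then as a server batch; header parsing is repeatable after failure */`. The cast in `chunk_create((u_char*)buf, len)` discards the const on libFuzzer's input buffer; nothing on this page shows whether the batch code only reads it, so a one-line comment such as `/* buf is read-only; the batch must not modify it in place */` would document the assumption.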
index cea8ece..f8ffdce 100755 (executable)
@@ -127,7 +127,7 @@ osx)
 fuzzing)
        CFLAGS="$CFLAGS -DNO_CHECK_MEMWIPE"
        CONFIG="--enable-fuzzing --enable-static --disable-shared --disable-scripts
-                       --enable-imc-test"
+                       --enable-imc-test --enable-tnccs-20"
        # don't run any of the unit tests
        export TESTS_RUNNERS=
        # prepare corpora