From 508b308768090016a75e205f1f7e5747bf3750b4 Mon Sep 17 00:00:00 2001 From: Andreas Steffen Date: Fri, 2 Mar 2018 13:35:30 +0100 Subject: [PATCH] fuzz: Added PA-TNC fuzzer --- .gitignore | 1 + fuzz/.gitignore | 3 +- fuzz/Makefile.am | 15 ++++++++-- fuzz/fuzz_pa_tnc.c | 73 ++++++++++++++++++++++++++++++++++++++++++++++ scripts/test.sh | 3 +- 5 files changed, 91 insertions(+), 4 deletions(-) create mode 100644 fuzz/fuzz_pa_tnc.c diff --git a/.gitignore b/.gitignore index cd0c30728..6b415b2fc 100644 --- a/.gitignore +++ b/.gitignore @@ -30,6 +30,7 @@ lex.yy.c plugin_constructors.c Doxyfile apidoc/ +fuzzing-corpora/ *~ *.orig *.patch diff --git a/fuzz/.gitignore b/fuzz/.gitignore index cbc050fb1..dbd3ef9fd 100644 --- a/fuzz/.gitignore +++ b/fuzz/.gitignore @@ -1,2 +1,3 @@ fuzz_certs -fuzz_crls \ No newline at end of file +fuzz_crls +fuzz_pa_tnc diff --git a/fuzz/Makefile.am b/fuzz/Makefile.am index 3962896f6..d6e596b40 100644 --- a/fuzz/Makefile.am +++ b/fuzz/Makefile.am @@ -1,5 +1,8 @@ AM_CPPFLAGS = @CPPFLAGS@ \ -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libimcv \ + -I$(top_srcdir)/src/libtncif \ + -I$(top_srcdir)/src/libtpmtss \ -DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \ -DPLUGINS="\"${fuzz_plugins}\"" @@ -8,7 +11,13 @@ fuzz_ldflags = ${libfuzzer} \ -Wl,-Bstatic -lgmp -Wl,-Bdynamic \ @FUZZING_LDFLAGS@ -FUZZ_TARGETS=fuzz_certs fuzz_crls +pa_tnc_ldflags = \ + $(top_builddir)/src/libimcv/.libs/libimcv.a \ + $(top_builddir)/src/libtncif/.libs/libtncif.a \ + $(top_builddir)/src/libtpmtss/.libs/libtpmtss.a \ + $(fuzz_ldflags) + +FUZZ_TARGETS=fuzz_certs fuzz_crls fuzz_pa_tnc all-local: $(FUZZ_TARGETS) 
@@ -20,6 +29,9 @@ fuzz_certs: fuzz_certs.c ${libfuzzer} fuzz_crls: fuzz_crls.c ${libfuzzer} $(CC) $(AM_CPPFLAGS) $(CFLAGS) -o $@ $< $(fuzz_ldflags) +fuzz_pa_tnc: fuzz_pa_tnc.c ${libfuzzer} + $(CC) $(AM_CPPFLAGS) $(CFLAGS) -o $@ $< $(pa_tnc_ldflags) + noinst_LIBRARIES = libFuzzerLocal.a libFuzzerLocal_a_SOURCES = libFuzzerLocal.c libFuzzerLocal_a_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la @@ -27,7 +39,6 @@ libFuzzerLocal_a_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la check: all for f in $(FUZZ_TARGETS); do \ corpus=$${f#fuzz_}; \ - corpus=$${corpus%%_*}; \ ./$$f $(FUZZING_CORPORA)/$${corpus}/*; \ crashes=$(FUZZING_CORPORA)/$${corpus}-crash; \ test ! -d $${crashes} || ./$$f $${crashes}/*; \ diff --git a/fuzz/fuzz_pa_tnc.c b/fuzz/fuzz_pa_tnc.c new file mode 100644 index 000000000..6ee373300 --- /dev/null +++ b/fuzz/fuzz_pa_tnc.c 
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) 2018 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include
+#include
+#include
+#include
+#include
+
+int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len)
+{
+ pa_tnc_msg_t *msg;
+ pa_tnc_attr_t *attr;
+ ietf_attr_pa_tnc_error_t *error;
+ linked_list_t *non_fatal_types;
+ enumerator_t *enumerator;
+ chunk_t chunk;
+
+ dbg_default_set_level(-1);
+ library_init(NULL, "fuzz_pa_tnc");
+ plugin_loader_add_plugindirs(PLUGINDIR, PLUGINS);
+ if (!lib->plugins->load(lib->plugins, PLUGINS))
+ {
+ return 1;
+ }
+ libimcv_init(FALSE);
+ chunk = chunk_create((u_char*)buf, len);
+
+ /* Parse incoming PA-TNC message */
+ msg = pa_tnc_msg_create_from_data(chunk);
+ if (msg->process(msg) == SUCCESS)
+ {
+ non_fatal_types = linked_list_create();
+ msg->process_ietf_std_errors(msg, non_fatal_types);
+ non_fatal_types->destroy(non_fatal_types);
+ }
+
+ /* enumerate correctly decoded attributes */
+ enumerator = msg->create_attribute_enumerator(msg);
+ while (enumerator->enumerate(enumerator, &attr))
+ {
+ attr->get_noskip_flag(attr);
+ }
+ enumerator->destroy(enumerator);
+
+ /* enumerate errors detected while parsing PA-TNC message and attributes */
+ enumerator = msg->create_error_enumerator(msg);
+ while (enumerator->enumerate(enumerator, &attr))
+ {
+ error = (ietf_attr_pa_tnc_error_t*)attr;
+ error->get_error_code(error);
+ }
+ enumerator->destroy(enumerator);
+
+ msg->destroy(msg);
+
+ libimcv_deinit();
+ lib->plugins->unload(lib->plugins);
+ library_deinit();
+ return 0;
+}
diff --git a/scripts/test.sh b/scripts/test.sh
index e7568df73..cea8ece38 100755
--- a/scripts/test.sh
+++ b/scripts/test.sh
@@ -126,7 +126,8 @@ osx)
 ;;
 fuzzing)
 CFLAGS="$CFLAGS -DNO_CHECK_MEMWIPE"
- CONFIG="--enable-fuzzing --enable-static --disable-shared --disable-scripts"
+ CONFIG="--enable-fuzzing --enable-static --disable-shared --disable-scripts
+ --enable-imc-test"
 # don't run any of the unit tests
 export TESTS_RUNNERS=
 # prepare corpora
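Review bot: The early `return 1;` taken when the plugin load fails leaves the library initialized, because `library_init()` has already run but `library_deinit()` is only reached on the success path at the end of LLVMFuzzerTestOneInput; libFuzzer calls this function once per input, so every later input re-enters `library_init()` on top of the stale state. The minimal fix is to add `library_deinit();` immediately before that `return 1;`. libFuzzer also treats non-zero return values from the target as reserved, so a broken plugin setup is better made loud (abort) than reported through the return value, and the per-input `library_init`/plugin load is what makes each iteration expensive — if the other fuzz targets do the same, moving that one-time setup into `LLVMFuzzerInitialize` for all of them would be a reasonable follow-up. The `(u_char*)buf` cast discards the `const` of the fuzzer-owned input buffer, which is only safe if `pa_tnc_msg_create_from_data` copies the chunk rather than keeping a reference to it; worth confirming and noting in a comment next to the cast.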