fuzz: Added PA-TNC fuzzer

Andreas Steffen 2018-03-02 13:35:30 +01:00
parent ce4b8f65d6
commit 508b308768
5 changed files with 91 additions and 4 deletions

1
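--- a/.gitignore
+++ b/.gitignore
@@ -30,6 +30,7 @@ lex.yy.c
 plugin_constructors.c
 Doxyfile
 apidoc/
+fuzzing-corpora/
 *~
 *.orig
 *.patch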

3
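--- a/fuzz/.gitignore
+++ b/fuzz/.gitignore
@@ -1,2 +1,3 @@
 fuzz_certs
 fuzz_crls
+fuzz_pa_tnc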


@ -1,5 +1,8 @@
AM_CPPFLAGS = @CPPFLAGS@ \ AM_CPPFLAGS = @CPPFLAGS@ \
-I$(top_srcdir)/src/libstrongswan \ -I$(top_srcdir)/src/libstrongswan \
-I$(top_srcdir)/src/libimcv \
-I$(top_srcdir)/src/libtncif \
-I$(top_srcdir)/src/libtpmtss \
-DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \ -DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \
-DPLUGINS="\"${fuzz_plugins}\"" -DPLUGINS="\"${fuzz_plugins}\""
@ -8,7 +11,13 @@ fuzz_ldflags = ${libfuzzer} \
-Wl,-Bstatic -lgmp -Wl,-Bdynamic \ -Wl,-Bstatic -lgmp -Wl,-Bdynamic \
@FUZZING_LDFLAGS@ @FUZZING_LDFLAGS@
FUZZ_TARGETS=fuzz_certs fuzz_crls pa_tnc_ldflags = \
$(top_builddir)/src/libimcv/.libs/libimcv.a \
$(top_builddir)/src/libtncif/.libs/libtncif.a \
$(top_builddir)/src/libtpmtss/.libs/libtpmtss.a \
$(fuzz_ldflags)
FUZZ_TARGETS=fuzz_certs fuzz_crls fuzz_pa_tnc
all-local: $(FUZZ_TARGETS) all-local: $(FUZZ_TARGETS)
@ -20,6 +29,9 @@ fuzz_certs: fuzz_certs.c ${libfuzzer}
fuzz_crls: fuzz_crls.c ${libfuzzer} fuzz_crls: fuzz_crls.c ${libfuzzer}
$(CC) $(AM_CPPFLAGS) $(CFLAGS) -o $@ $< $(fuzz_ldflags) $(CC) $(AM_CPPFLAGS) $(CFLAGS) -o $@ $< $(fuzz_ldflags)
fuzz_pa_tnc: fuzz_pa_tnc.c ${libfuzzer}
$(CC) $(AM_CPPFLAGS) $(CFLAGS) -o $@ $< $(pa_tnc_ldflags)
noinst_LIBRARIES = libFuzzerLocal.a noinst_LIBRARIES = libFuzzerLocal.a
libFuzzerLocal_a_SOURCES = libFuzzerLocal.c libFuzzerLocal_a_SOURCES = libFuzzerLocal.c
libFuzzerLocal_a_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la libFuzzerLocal_a_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
@ -27,7 +39,6 @@ libFuzzerLocal_a_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
check: all check: all
for f in $(FUZZ_TARGETS); do \ for f in $(FUZZ_TARGETS); do \
corpus=$${f#fuzz_}; \ corpus=$${f#fuzz_}; \
corpus=$${corpus%%_*}; \
./$$f $(FUZZING_CORPORA)/$${corpus}/*; \ ./$$f $(FUZZING_CORPORA)/$${corpus}/*; \
crashes=$(FUZZING_CORPORA)/$${corpus}-crash; \ crashes=$(FUZZING_CORPORA)/$${corpus}-crash; \
test ! -d $${crashes} || ./$$f $${crashes}/*; \ test ! -d $${crashes} || ./$$f $${crashes}/*; \
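Review bot: The new `fuzz_pa_tnc` rule lists only `fuzz_pa_tnc.c` and `${libfuzzer}` as prerequisites although it links the three static archives named in `pa_tnc_ldflags`, so make will not relink the harness when libimcv, libtncif or libtpmtss change and gives no clear error when an archive is missing. Adding them as prerequisites, e.g. `fuzz_pa_tnc: fuzz_pa_tnc.c ${libfuzzer} $(top_builddir)/src/libimcv/.libs/libimcv.a` (and likewise for the other two), keeps the fuzzed PA-TNC parser in step with the tree. `FUZZ_TARGETS` also gains `fuzz_pa_tnc` unconditionally; the CI script in this commit adds `--enable-imc-test`, which suggests libimcv is only built when an IMC/IMV is enabled, so a plain `--enable-fuzzing` configuration would presumably fail at link time unless the target is guarded by a conditional.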

73
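--- a/fuzz/fuzz_pa_tnc.c
+++ b/fuzz/fuzz_pa_tnc.c
@@ -0,0 +1,73 @@
+/*
+* Copyright (C) 2018 Andreas Steffen
+* HSR Hochschule fuer Technik Rapperswil
+*
+* This program is free software; you can redistribute it and/or modify it
+* under the terms of the GNU General Public License as published by the
+* Free Software Foundation; either version 2 of the License, or (at your
+* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+*
+* This program is distributed in the hope that it will be useful, but
+* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+* for more details.
+*/
+#include <library.h>
+#include <imcv.h>
+#include <pa_tnc/pa_tnc_msg.h>
+#include <ietf/ietf_attr_pa_tnc_error.h>
+#include <utils/debug.h>
+int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len)
+{
+pa_tnc_msg_t *msg;
+pa_tnc_attr_t *attr;
+ietf_attr_pa_tnc_error_t *error;
+linked_list_t *non_fatal_types;
+enumerator_t *enumerator;
+chunk_t chunk;
+dbg_default_set_level(-1);
+library_init(NULL, "fuzz_pa_tnc");
+plugin_loader_add_plugindirs(PLUGINDIR, PLUGINS);
+if (!lib->plugins->load(lib->plugins, PLUGINS))
+{
+return 1;
+}
+libimcv_init(FALSE);
+chunk = chunk_create((u_char*)buf, len);
+/* Parse incoming PA-TNC message */
+msg = pa_tnc_msg_create_from_data(chunk);
+if (msg->process(msg) == SUCCESS)
+{
+non_fatal_types = linked_list_create();
+msg->process_ietf_std_errors(msg, non_fatal_types);
+non_fatal_types->destroy(non_fatal_types);
+}
+/* enumerate correctly decoded attributes */
+enumerator = msg->create_attribute_enumerator(msg);
+while (enumerator->enumerate(enumerator, &attr))
+{
+attr->get_noskip_flag(attr);
+}
+enumerator->destroy(enumerator);
+/* enumerate errors detected while parsing PA-TNC message and attributes */
+enumerator = msg->create_error_enumerator(msg);
+while (enumerator->enumerate(enumerator, &attr))
+{
+error = (ietf_attr_pa_tnc_error_t*)attr;
+error->get_error_code(error);
+}
+enumerator->destroy(enumerator);
+msg->destroy(msg);
+libimcv_deinit();
+lib->plugins->unload(lib->plugins);
+library_deinit();
+return 0;
+}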
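Review bot: The plugin-load failure branch `return 1;` leaves `LLVMFuzzerTestOneInput` without calling `library_deinit()`, so whatever `library_init()` set up is never released on that path, and libFuzzer reserves return values other than 0 and -1. A harness that cannot load its plugins never reaches `pa_tnc_msg_create_from_data()`, so it should fail loudly rather than keep running with no parser coverage, e.g. `library_deinit(); abort();`. Separately, `library_init()`, the plugin load and `libimcv_init()` are repeated for every input, which bounds the executions per second the fuzzer can reach; a short comment above `library_init()` stating whether this is deliberate (state isolation between inputs) would help the next maintainer.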


@ -126,7 +126,8 @@ osx)
;; ;;
fuzzing) fuzzing)
CFLAGS="$CFLAGS -DNO_CHECK_MEMWIPE" CFLAGS="$CFLAGS -DNO_CHECK_MEMWIPE"
CONFIG="--enable-fuzzing --enable-static --disable-shared --disable-scripts" CONFIG="--enable-fuzzing --enable-static --disable-shared --disable-scripts
--enable-imc-test"
# don't run any of the unit tests # don't run any of the unit tests
export TESTS_RUNNERS= export TESTS_RUNNERS=
# prepare corpora # prepare corpora