fuzz: Add fuzzer targeting RADIUS messages Signed-off-by: Arthur Chan <arthur.chan@adalogics.com>
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml index b9c1336..a2135ec 100644 --- a/.github/workflows/cifuzz.yml +++ b/.github/workflows/cifuzz.yml
@@ -35,6 +35,7 @@ uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master with: oss-fuzz-project-name: 'strongswan' + report-timeouts: true output-sarif: true language: c sanitizer: ${{ matrix.sanitizer }}
diff --git a/fuzz/.gitignore b/fuzz/.gitignore index ca184d8..d011637 100644 --- a/fuzz/.gitignore +++ b/fuzz/.gitignore
@@ -10,4 +10,5 @@ fuzz_ocsp_rsp_def fuzz_pa_tnc fuzz_pb_tnc +fuzz_radius fuzz_vici
diff --git a/fuzz/Makefile.am b/fuzz/Makefile.am index dba75c8..d5aa1d6 100644 --- a/fuzz/Makefile.am +++ b/fuzz/Makefile.am
@@ -43,6 +43,10 @@ $(top_builddir)/src/libradius/.libs/libradius.a \ $(fuzz_ldflags) +radius_ldflags = \ + $(top_builddir)/src/libradius/.libs/libradius.a \ + $(fuzz_ldflags) + # fuzzers that use crypto plugins in a significant way fuzzers_with_plugins = \ fuzz_certs fuzz_crls fuzz_ocsp_req fuzz_ocsp_rsp @@ -51,7 +55,7 @@ fuzzers_with_cus = $(fuzzers_with_plugins:%=%_cus) fuzzers_no_plugins = \ - fuzz_ids fuzz_ike fuzz_pa_tnc fuzz_pb_tnc fuzz_vici + fuzz_ids fuzz_ike fuzz_pa_tnc fuzz_pb_tnc fuzz_radius fuzz_vici ALL_FUZZERS=$(fuzzers_with_def) $(fuzzers_with_cus) $(fuzzers_no_plugins) @@ -95,6 +99,9 @@ fuzz_ike: fuzz_ike.c ${libfuzzer} $(CC) $(AM_CPPFLAGS) $(CFLAGS) -o $@ $< $(charon_ldflags) +fuzz_radius: fuzz_radius.c ${libfuzzer} + $(CC) $(fuzz_cppflags_def) $(CFLAGS) -o $@ $< $(radius_ldflags) + fuzz_vici: fuzz_vici.c ${libfuzzer} $(CC) $(AM_CPPFLAGS) $(CFLAGS) -o $@ $< $(charon_ldflags)
diff --git a/fuzz/fuzz_radius.c b/fuzz/fuzz_radius.c new file mode 100644 index 0000000..bfaf81d --- /dev/null +++ b/fuzz/fuzz_radius.c
@@ -0,0 +1,75 @@ +/* + * Copyright (C) 2026 Arthur SC Chan + * + * Copyright (C) secunet Security Networks AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <library.h> +#include <utils/debug.h> +#include <radius_message.h> + +int LLVMFuzzerInitialize(int *argc, char ***argv) +{ + dbg_default_set_level(-1); + library_init(NULL, "fuzz_radius"); + if (!lib->plugins->load(lib->plugins, PLUGINS)) + { + return 1; + } + return 0; +} + +int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) +{ + enumerator_t *enumerator; + radius_message_t *msg; + hasher_t *hasher; + signer_t *signer; + chunk_t data, attr_data; + int type, count, vendor; + + if (len < 20) + { + return 0; + } + + data = chunk_create((u_char*)buf, len); + msg = radius_message_parse(data); + + if (msg) + { + enumerator = msg->create_enumerator(msg); + count = 0; + while (count++ < 10000 && + enumerator->enumerate(enumerator, &type, &attr_data)); + enumerator->destroy(enumerator); + + enumerator = msg->create_vendor_enumerator(msg); + count = 0; + while (count++ < 10000 && + enumerator->enumerate(enumerator, &vendor, &type, &attr_data)); + enumerator->destroy(enumerator); + + hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5); + signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_MD5_128); + if (!hasher || !signer) + { + return 1; + } + msg->verify(msg, NULL, chunk_empty, hasher, signer); + hasher->destroy(hasher); + signer->destroy(signer); + msg->destroy(msg); + } + return 0; +}