* [PATCH 1/3] fuzz: add test harness for fuzzing nul-terminated strings
From: Ahmad Fatoum @ 2025-08-21 20:59 UTC (permalink / raw)
To: barebox; +Cc: Ahmad Fatoum

Many APIs expect NUL-terminated strings, for example the JSON Web Token
decoding functions.

Add a helper to make it easy to fuzz such functions. As we are
allocating anew anyway, we pass along the buffer mutably as well as the
original size, so the harness is useful for a wider range of APIs.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
include/fuzz.h | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/include/fuzz.h b/include/fuzz.h
index bd95ae6203b0..caebc284d5db 100644
--- a/include/fuzz.h
+++ b/include/fuzz.h
@@ -9,6 +9,8 @@
#include <linux/types.h>
#include <linux/compiler_types.h>
+#include <linux/bug.h>
+#include <linux/string.h>
#include <ramdisk.h>
/**
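
Review bot: the fuzz_test_str() macro added in the next hunk calls free(), but the two includes added here are <linux/bug.h> and <linux/string.h>, presumably for BUG_ON() and memdup_nul(). Unless one of the existing includes already declares free(), please add the header that does so explicitly, so a file that includes <fuzz.h> first does not depend on include order.
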
@@ -65,6 +67,18 @@ extern const struct fuzz_test __barebox_fuzz_tests_end;
} \
fuzz_test(_name, _func##_ramdisk)
+#define fuzz_test_str(_name, _func) \
+ static int _func##_str(const u8 *_data, size_t size) \
+ { \
+ int ret; \
+ char *data = memdup_nul(_data, size); \
+ BUG_ON(!data); \
+ ret = _func(data, size); \
+ free(data); \
+ return ret; \
+ } \
+ fuzz_test(_name, _func##_str)
+
static inline int fuzz_test_once(const struct fuzz_test *test, const u8 *data, size_t len)
{
return test->func(data, len);
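
Review bot: fuzz_test_str() has no comment describing its contract, and the callee cannot infer it. In `ret = _func(data, size);` the size is the original input length, not counting the terminator that memdup_nul() appends, and fuzzer input may contain embedded NUL bytes, so strlen(data) can be shorter than size. Please document that next to the macro, in the style of the other doc comments in this header. Also consider whether BUG_ON(!data) is the right reaction to allocation failure here: an out-of-memory condition would then be reported as a finding against the function under test, and returning early would keep the two apart.
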
--
2.39.5
* [PATCH 2/3] test: self: jwt: add dedicated option for development_rsa2048.pem
From: Ahmad Fatoum @ 2025-08-21 20:59 UTC (permalink / raw)
To: barebox; +Cc: Ahmad Fatoum

This test key can be useful beyond the JWT selftest, so add an option to
select it.

The key added by the option is stand-alone, i.e., it is not part of the
key ring and won't be consulted for FIT image verification.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
test/Kconfig | 8 ++++++++
test/self/Kconfig | 1 +
test/self/Makefile | 3 ++-
3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/test/Kconfig b/test/Kconfig
index 07b22f09e99b..50162ef5761f 100644
--- a/test/Kconfig
+++ b/test/Kconfig
@@ -46,4 +46,12 @@ config CMD_FUZZ
endif
+config TEST_KEY_RSA2048
+ bool
+ help
+ This is selected by crypto test code that needs a RSA2048 public
+ key. The key added by this option is stand-alone, i.e., it is
+ not part of the key ring and won't be consulted for FIT image
+ verification.
+
endif
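
Review bot: TEST_KEY_RSA2048 is placed between the inner and the final endif, so it sits inside the enclosing conditional block of test/Kconfig, yet it has no prompt and is only ever enabled through select. select does not honour dependencies, so selecting it while the enclosing condition is false produces an unmet-dependency warning from Kconfig. Moving the symbol outside the conditional block avoids that. Small wording point in the help text: "a RSA2048" should be "an RSA2048".
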
diff --git a/test/self/Kconfig b/test/self/Kconfig
index 33d05e4cf205..4c43dfe3940d 100644
--- a/test/self/Kconfig
+++ b/test/self/Kconfig
@@ -86,6 +86,7 @@ config SELFTEST_JSON
config SELFTEST_JWT
bool "JSON Web Token selftest"
depends on JWT
+ select TEST_KEY_RSA2048
config SELFTEST_MMU
bool "MMU remapping selftest"
diff --git a/test/self/Makefile b/test/self/Makefile
index 6cf857ee98ff..9aa8aab78b31 100644
--- a/test/self/Makefile
+++ b/test/self/Makefile
@@ -10,7 +10,8 @@ obj-$(CONFIG_SELFTEST_ENVIRONMENT_VARIABLES) += envvar.o
obj-$(CONFIG_SELFTEST_FS_RAMFS) += ramfs.o
obj-$(CONFIG_SELFTEST_DIRFD) += dirfd.o
obj-$(CONFIG_SELFTEST_JSON) += json.o
-obj-$(CONFIG_SELFTEST_JWT) += jwt.o development_rsa2048.pem.o
+obj-$(CONFIG_SELFTEST_JWT) += jwt.o
+obj-$(CONFIG_TEST_KEY_RSA2048) += development_rsa2048.pem.o
obj-$(CONFIG_SELFTEST_DIGEST) += digest.o
obj-$(CONFIG_SELFTEST_MMU) += mmu.o
obj-$(CONFIG_SELFTEST_STRING) += string.o
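
Review bot: development_rsa2048.pem.o is now keyed on CONFIG_TEST_KEY_RSA2048 but is still built from test/self/Makefile. Patch 3/3 selects the symbol from JWT when FUZZ is set, without any selftest enabled, so please confirm that the build descends into test/self/ in that configuration; otherwise the reference to __key_development_rsa2048 will not link. If it does not, the object would fit better in a directory that is always built when the symbol is set.
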
--
2.39.5
* [PATCH 3/3] security: jwt: add simple fuzzer
From: Ahmad Fatoum @ 2025-08-21 20:59 UTC (permalink / raw)
To: barebox; +Cc: Ahmad Fatoum

The JWT format does only minimal string parsing before verifying the
signature, but let's add a fuzzer for that initial string parsing
anyway.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
images/Makefile.sandbox | 1 +
security/Kconfig | 1 +
security/jwt.c | 17 +++++++++++++++++
3 files changed, 19 insertions(+)
diff --git a/images/Makefile.sandbox b/images/Makefile.sandbox
index b235a1195a7f..d13ffb0124b1 100644
--- a/images/Makefile.sandbox
+++ b/images/Makefile.sandbox
@@ -4,6 +4,7 @@ SYMLINK_TARGET_barebox = sandbox_main.elf
symlink-$(CONFIG_SANDBOX) += barebox
fuzzer-$(CONFIG_FILETYPE) += filetype
+fuzzer-$(CONFIG_JWT) += jwt
fuzzer-$(CONFIG_FITIMAGE) += fit
fuzzer-$(CONFIG_OFTREE) += dtb
fuzzer-$(CONFIG_OFTREE) += fdt-compatible
diff --git a/security/Kconfig b/security/Kconfig
index 372fd275fde9..1902a1f036c4 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -92,6 +92,7 @@ config JWT
select JSMN
select BASE64
select CRYPTO_RSA
+ select TEST_KEY_RSA2048 if FUZZ
menu "OP-TEE loading"
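
Review bot: the select is conditional on FUZZ, but fuzz_jwt() in the security/jwt.c hunk of this patch is not under any CONFIG_FUZZ guard and references __key_development_rsa2048 unconditionally. With JWT enabled and FUZZ disabled the build then relies on fuzz_test_str() and the compiler discarding the function. Please either say so in the commit message or guard the fuzzer with IS_ENABLED(CONFIG_FUZZ) or an #ifdef, so the dependency is explicit.
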
diff --git a/security/jwt.c b/security/jwt.c
index a6a7d7f788f8..e4be17dcfac0 100644
--- a/security/jwt.c
+++ b/security/jwt.c
@@ -8,6 +8,7 @@
#include <linux/printk.h>
#include <base64.h>
#include <jsmn.h>
+#include <fuzz.h>
#include <linux/ctype.h>
#define JP(...) (const char *[]) { __VA_ARGS__, NULL }
@@ -224,6 +225,22 @@ struct jwt *jwt_decode(const char *token, const struct jwt_key *key)
return ERR_PTR(ret);
}
+static int fuzz_jwt(char *data, size_t size)
+{
+ struct jwt_key jwt_key;
+ struct jwt *jwt;
+ extern const struct rsa_public_key __key_development_rsa2048;
+
+ jwt_key.alg = JWT_ALG_RS256;
+ jwt_key.material.rsa_pub = &__key_development_rsa2048;
+
+ jwt = jwt_decode(data, &jwt_key);
+ if (!IS_ERR(jwt))
+ jwt_free(jwt);
+ return 0;
+}
+fuzz_test_str("jwt", fuzz_jwt);
+
const char *jwt_get_payload(const struct jwt *t)
{
return t->payload.content;
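
Review bot: in fuzz_jwt(), `struct jwt_key jwt_key;` is left uninitialized apart from .alg and .material.rsa_pub, so if struct jwt_key has further members, whatever jwt_decode() reads from them is stack garbage and a fuzz run is not reproducible. A designated initializer, `struct jwt_key jwt_key = { .alg = JWT_ALG_RS256, .material.rsa_pub = &__key_development_rsa2048 };`, zeroes the rest. The block-scope extern for the key would also be better as a declaration in a header, so the type is checked against the definition, and size is unused, which deserves a short comment given that fuzz_test_str() passes it.
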
--
2.39.5