The JWT decoder does only minimal string parsing before verifying the signature, but let's add a fuzzer for that initial, pre-verification string parsing anyway.
Signed-off-by: Ahmad Fatoum <[email protected]>
---
 images/Makefile.sandbox | 1 +
 security/Kconfig | 1 +
 security/jwt.c | 17 +++++++++++++++++
 3 files changed, 19 insertions(+)

diff --git a/images/Makefile.sandbox b/images/Makefile.sandbox
index b235a1195a7f..d13ffb0124b1 100644
--- a/images/Makefile.sandbox
+++ b/images/Makefile.sandbox
@@ -4,6 +4,7 @@ SYMLINK_TARGET_barebox = sandbox_main.elf
 symlink-$(CONFIG_SANDBOX) += barebox
 fuzzer-$(CONFIG_FILETYPE) += filetype
+fuzzer-$(CONFIG_JWT) += jwt
 fuzzer-$(CONFIG_FITIMAGE) += fit
 fuzzer-$(CONFIG_OFTREE) += dtb
 fuzzer-$(CONFIG_OFTREE) += fdt-compatible
diff --git a/security/Kconfig b/security/Kconfig
index 372fd275fde9..1902a1f036c4 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -92,6 +92,7 @@ config JWT
 select JSMN
 select BASE64
 select CRYPTO_RSA
+ select TEST_KEY_RSA2048 if FUZZ
 menu "OP-TEE loading"
diff --git a/security/jwt.c b/security/jwt.c
index a6a7d7f788f8..e4be17dcfac0 100644
--- a/security/jwt.c
+++ b/security/jwt.c
@@ -8,6 +8,7 @@
 #include <linux/printk.h>
 #include <base64.h>
 #include <jsmn.h>
+#include <fuzz.h>
 #include <linux/ctype.h>
 #define JP(...) (const char *[]) { __VA_ARGS__, NULL }
@@ -224,6 +225,22 @@ struct jwt *jwt_decode(const char *token, const struct jwt_key *key)
 return ERR_PTR(ret);
 }
+static int fuzz_jwt(char *data, size_t size)
+{
+ struct jwt_key jwt_key;
+ struct jwt *jwt;
+ extern const struct rsa_public_key __key_development_rsa2048;
+
+ jwt_key.alg = JWT_ALG_RS256;
+ jwt_key.material.rsa_pub = &__key_development_rsa2048;
+
+ jwt = jwt_decode(data, &jwt_key);
+ if (!IS_ERR(jwt))
+ jwt_free(jwt);
+ return 0;
+}
+fuzz_test_str("jwt", fuzz_jwt);
+
 const char *jwt_get_payload(const struct jwt *t)
 {
 return t->payload.content;
-- 
2.39.5
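Review bot: `jwt_key` in the new fuzz_jwt() is only partially initialised — just `.alg` and `.material.rsa_pub` are assigned, so if `struct jwt_key` (declared outside this hunk) has any further member that jwt_decode() reads, the harness passes indeterminate values and a sanitizer finding would be attributed to the fuzzer rather than the parser. A designated initialiser zeroes the remainder and replaces the two assignments: `struct jwt_key jwt_key = { .alg = JWT_ALG_RS256, .material.rsa_pub = &__key_development_rsa2048, };`. Separately, `size` is unused and `data` goes straight to jwt_decode() as a C string, which is only safe if fuzz_test_str() guarantees NUL termination of the buffer — the name suggests it does, but a one-line comment such as `/* fuzz_test_str() hands us a NUL-terminated buffer, so size is implied by strlen() */` would make that contract explicit at the call site. Because a random input will essentially never carry a valid RS256 signature over the fixed development key, this harness exercises only the pre-verification parsing the commit message names; the post-verification payload handling stays unfuzzed, which is worth stating in a comment above fuzz_jwt(). jwt_get_payload() at the end of the hunk continues outside it.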
