Commit 50fc4c24a6 for strongswan.org
commit 50fc4c24a6464a44112d470a1c23e8b8fcdd2708
Author: Arthur Chan <arthur.chan@adalogics.com>
Date: Wed Mar 11 22:21:16 2026 +0000
fuzz: Add fuzzer targeting RADIUS messages
Closes strongswan/strongswan#3027
Signed-off-by: Arthur Chan <arthur.chan@adalogics.com>
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
index b9c1336c22..a2135ecea6 100644
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -35,6 +35,7 @@ jobs:
uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
with:
oss-fuzz-project-name: 'strongswan'
+ report-timeouts: true
output-sarif: true
language: c
sanitizer: ${{ matrix.sanitizer }}
diff --git a/fuzz/.gitignore b/fuzz/.gitignore
index ca184d868c..d01163707b 100644
--- a/fuzz/.gitignore
+++ b/fuzz/.gitignore
@@ -10,4 +10,5 @@ fuzz_ocsp_rsp_cus
fuzz_ocsp_rsp_def
fuzz_pa_tnc
fuzz_pb_tnc
+fuzz_radius
fuzz_vici
diff --git a/fuzz/Makefile.am b/fuzz/Makefile.am
index dba75c84a7..d5aa1d6c76 100644
--- a/fuzz/Makefile.am
+++ b/fuzz/Makefile.am
@@ -43,6 +43,10 @@ charon_ldflags = \
$(top_builddir)/src/libradius/.libs/libradius.a \
$(fuzz_ldflags)
+radius_ldflags = \
+ $(top_builddir)/src/libradius/.libs/libradius.a \
+ $(fuzz_ldflags)
+
# fuzzers that use crypto plugins in a significant way
fuzzers_with_plugins = \
fuzz_certs fuzz_crls fuzz_ocsp_req fuzz_ocsp_rsp
@@ -51,7 +55,7 @@ fuzzers_with_def = $(fuzzers_with_plugins:%=%_def)
fuzzers_with_cus = $(fuzzers_with_plugins:%=%_cus)
fuzzers_no_plugins = \
- fuzz_ids fuzz_ike fuzz_pa_tnc fuzz_pb_tnc fuzz_vici
+ fuzz_ids fuzz_ike fuzz_pa_tnc fuzz_pb_tnc fuzz_radius fuzz_vici
ALL_FUZZERS=$(fuzzers_with_def) $(fuzzers_with_cus) $(fuzzers_no_plugins)
@@ -95,6 +99,9 @@ fuzz_ids: fuzz_ids.c ${libfuzzer}
fuzz_ike: fuzz_ike.c ${libfuzzer}
$(CC) $(AM_CPPFLAGS) $(CFLAGS) -o $@ $< $(charon_ldflags)
+fuzz_radius: fuzz_radius.c ${libfuzzer}
+ $(CC) $(fuzz_cppflags_def) $(CFLAGS) -o $@ $< $(radius_ldflags)
+
fuzz_vici: fuzz_vici.c ${libfuzzer}
$(CC) $(AM_CPPFLAGS) $(CFLAGS) -o $@ $< $(charon_ldflags)
diff --git a/fuzz/fuzz_radius.c b/fuzz/fuzz_radius.c
new file mode 100644
index 0000000000..bfaf81d78d
--- /dev/null
+++ b/fuzz/fuzz_radius.c
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2026 Arthur SC Chan
+ *
+ * Copyright (C) secunet Security Networks AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <library.h>
+#include <utils/debug.h>
+#include <radius_message.h>
+
+int LLVMFuzzerInitialize(int *argc, char ***argv)
+{
+ dbg_default_set_level(-1);
+ library_init(NULL, "fuzz_radius");
+ if (!lib->plugins->load(lib->plugins, PLUGINS))
+ {
+ return 1;
+ }
+ return 0;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len)
+{
+ enumerator_t *enumerator;
+ radius_message_t *msg;
+ hasher_t *hasher;
+ signer_t *signer;
+ chunk_t data, attr_data;
+ int type, count, vendor;
+
+ if (len < 20)
+ {
+ return 0;
+ }
+
+ data = chunk_create((u_char*)buf, len);
+ msg = radius_message_parse(data);
+
+ if (msg)
+ {
+ enumerator = msg->create_enumerator(msg);
+ count = 0;
+ while (count++ < 10000 &&
+ enumerator->enumerate(enumerator, &type, &attr_data));
+ enumerator->destroy(enumerator);
+
+ enumerator = msg->create_vendor_enumerator(msg);
+ count = 0;
+ while (count++ < 10000 &&
+ enumerator->enumerate(enumerator, &vendor, &type, &attr_data));
+ enumerator->destroy(enumerator);
+
+ hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
+ signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_MD5_128);
+ if (!hasher || !signer)
+ {
+ return 1;
+ }
+ msg->verify(msg, NULL, chunk_empty, hasher, signer);
+ hasher->destroy(hasher);
+ signer->destroy(signer);
+ msg->destroy(msg);
+ }
+ return 0;
+}