[PATCH 3/3] security: jwt: add simple fuzzer

Ahmad Fatoum a.fatoum at pengutronix.de
Thu Aug 21 13:59:42 PDT 2025


The JWT format does only minimal string parsing before verifying the
signature, but let's add a fuzzer for that initial string parsing
anyway.

Signed-off-by: Ahmad Fatoum <a.fatoum at pengutronix.de>
---
 images/Makefile.sandbox |  1 +
 security/Kconfig        |  1 +
 security/jwt.c          | 17 +++++++++++++++++
 3 files changed, 19 insertions(+)

diff --git a/images/Makefile.sandbox b/images/Makefile.sandbox
index b235a1195a7f..d13ffb0124b1 100644
--- a/images/Makefile.sandbox
+++ b/images/Makefile.sandbox
@@ -4,6 +4,7 @@ SYMLINK_TARGET_barebox = sandbox_main.elf
 symlink-$(CONFIG_SANDBOX) += barebox
 
 fuzzer-$(CONFIG_FILETYPE)	+= filetype
+fuzzer-$(CONFIG_JWT)		+= jwt
 fuzzer-$(CONFIG_FITIMAGE)	+= fit
 fuzzer-$(CONFIG_OFTREE)		+= dtb
 fuzzer-$(CONFIG_OFTREE)		+= fdt-compatible
diff --git a/security/Kconfig b/security/Kconfig
index 372fd275fde9..1902a1f036c4 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -92,6 +92,7 @@ config JWT
 	select JSMN
 	select BASE64
 	select CRYPTO_RSA
+	select TEST_KEY_RSA2048 if FUZZ
 
 menu "OP-TEE loading"
 
diff --git a/security/jwt.c b/security/jwt.c
index a6a7d7f788f8..e4be17dcfac0 100644
--- a/security/jwt.c
+++ b/security/jwt.c
@@ -8,6 +8,7 @@
 #include <linux/printk.h>
 #include <base64.h>
 #include <jsmn.h>
+#include <fuzz.h>
 #include <linux/ctype.h>
 
 #define JP(...)	(const char *[]) { __VA_ARGS__, NULL }
@@ -224,6 +225,22 @@ struct jwt *jwt_decode(const char *token, const struct jwt_key *key)
 	return ERR_PTR(ret);
 }
 
+static int fuzz_jwt(char *data, size_t size)
+{
+	struct jwt_key jwt_key;
+	struct jwt *jwt;
+	extern const struct rsa_public_key __key_development_rsa2048;
+
+	jwt_key.alg = JWT_ALG_RS256;
+	jwt_key.material.rsa_pub = &__key_development_rsa2048;
+
+	jwt = jwt_decode(data, &jwt_key);
+	if (!IS_ERR(jwt))
+		jwt_free(jwt);
+	return 0;
+}
+fuzz_test_str("jwt", fuzz_jwt);
+
 const char *jwt_get_payload(const struct jwt *t)
 {
 	return t->payload.content;
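Review bot: `jwt_key` in fuzz_jwt() is an uninitialised stack struct with only `alg` and `material.rsa_pub` assigned, so any other member that jwt_decode() reads would be indeterminate and could make fuzz runs irreproducible. The struct definition and jwt_decode()'s body are outside the hunk, so this is a precaution rather than a confirmed bug. A designated initialiser zeroes the remaining members: `struct jwt_key jwt_key = { .alg = JWT_ALG_RS256, .material.rsa_pub = &__key_development_rsa2048 };`. Separately, `size` is never used, so the harness presumably relies on fuzz_test_str() passing a NUL-terminated buffer, and a fuzzed token will practically never carry a valid signature for the development key, so code after signature verification is not exercised. A short comment above the function would record both, e.g. `/* input is NUL-terminated by fuzz_test_str(); only the parsing up to signature verification is covered */`.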
-- 
2.39.5



