
The fwknop project supports various fuzzing strategies, and one of the most
important is use of the 'American Fuzzy Lop' (AFL) fuzzer written by Michal
Zalewski (see: https://code.google.com/p/american-fuzzy-lop/). Because AFL is
not designed to handle encryption schemes (see the README included in the AFL
sources for more information on this), a special --enable-afl-fuzzing command
line switch is available to the fwknop autoconf configure script. This argument
allows encryption and base64 encoding to be bypassed when feeding SPA packet
data to fwknopd via stdin, and it is the feature that enables AFL fuzzing.

This directory contains enabling scripts in order to make it easy to fuzz
fwknop with AFL. It is assumed that AFL is installed and in your path. The
files in this directory are organized as follows:

afl-compile.sh   - Script to compile fwknop underneath afl-gcc.
afl-fuzzing.in   - AFL input directory which contains the initial test case(s).
afl-fuzzing.out  - AFL output directory for results after a fuzzing run.
afl-run.sh       - Script to invoke AFL with proper command line arguments to
                   fwknopd for fuzzing enablement.

For gcov code coverage only:

afl-compile-code-coverage.sh    - Compile fwknop with code coverage support.
afl-gen-code-coverage.sh        - Generate code coverage report after running
                                  afl-run.sh (and with coverage support
                                  compiled in)

Here is an example of what fwknopd produces when compiled with AFL support and
a dummy SPA packet is provided in non-encoded, non-encrypted form via fwknopd's
stdin:

$ ./fwknopd-stdin-test.sh
+ SPA_PKT=1716411011200157:root:1397329899:2.0.1:1:127.0.0.2,tcp/22:AAAAA
+ LD_LIBRARY_PATH=../../lib/.libs ../../server/.libs/fwknopd -c ../conf/default_fwknopd.conf -a ../conf/default_access.conf -A -f -t
+ echo -n 1716411011200157:root:1397329899:2.0.1:1:127.0.0.2,tcp/22:AAAAA
Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 'ANY'
SPA Field Values:
=================
   Random Value: 1716411011200157
       Username: root
      Timestamp: 1397329899
    FKO Version: 2.0.1
   Message Type: 1 (Access msg)
 Message String: 127.0.0.2,tcp/22
     Nat Access: <NULL>
    Server Auth: <NULL>
 Client Timeout: 0
    Digest Type: 3 (SHA256)
      HMAC Type: 0 (None)
Encryption Type: 1 (Rijndael)
Encryption Mode: 2 (CBC)
   Encoded Data: 1716411011200157:root:1397329899:2.0.1:1:127.0.0.2,tcp/22
SPA Data Digest: AAAAA
           HMAC: <NULL>
 Final SPA Data: 200157:root:1397329899:2.0.1:1:127.0.0.2,tcp/22:AAAAA

SPA packet decode: Success
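The decode above shows the plaintext field layout that fwknopd reads from stdin under --enable-afl-fuzzing: random value, username, timestamp, FKO version, message type, message string and a trailing digest field, joined by ':'. The following script is an added example (not part of the fwknop sources) that builds seeds in that layout for the afl-fuzzing.in directory and parses them back into the same fields fwknopd prints, so a seed can be checked before a fuzzing run. The field names, the helper functions and the "spa_seed_NN" file naming are assumptions of this example; the only message-type name it knows is 1 (Access msg), which is the one shown above.

```python
"""Build and parse the plaintext (non-encrypted, non-base64) SPA packet form
that fwknopd consumes from stdin when built with --enable-afl-fuzzing.

Added example; not fwknop project code.  Field layout taken from the decoded
output shown above.  Field names and helper names are assumptions."""
import os
import time

MSG_TYPE_NAMES = {1: "Access msg"}   # only the type shown in the example output
SPA_FIELDS = ("random_value", "username", "timestamp", "fko_version",
              "message_type", "message", "digest")


def build_spa_seed(username, message, digest="AAAAA",
                   random_value="1716411011200157",
                   timestamp=None, version="2.0.1", msg_type=1):
    """Return a plaintext SPA seed string in the ':'-joined layout shown
    above.  Defaults mirror the dummy packet from fwknopd-stdin-test.sh."""
    if timestamp is None:
        timestamp = int(time.time())
    for part in (username, message, digest):
        if ":" in part:
            raise ValueError("':' is the field separator and may not appear "
                             "inside a field: %r" % part)
    return ":".join([random_value, username, str(timestamp), version,
                     str(msg_type), message, digest])


def parse_spa_seed(data):
    """Split a plaintext SPA seed into the fields fwknopd prints.

    Returns a dict keyed by SPA_FIELDS (plus message_type_name).  Raises
    ValueError on a wrong field count, a non-numeric timestamp or a
    non-integer message type.  The message string may contain ',' (for
    example '127.0.0.2,tcp/22') but never ':', so splitting on ':' is safe."""
    parts = data.strip().split(":")
    if len(parts) != len(SPA_FIELDS):
        raise ValueError("expected %d ':'-separated fields, got %d"
                         % (len(SPA_FIELDS), len(parts)))
    fields = dict(zip(SPA_FIELDS, parts))
    if not fields["timestamp"].isdigit():
        raise ValueError("timestamp is not numeric: %r" % fields["timestamp"])
    msg_type = int(fields["message_type"])      # ValueError on junk input
    fields["message_type"] = msg_type
    fields["message_type_name"] = MSG_TYPE_NAMES.get(msg_type, "unknown")
    return fields


def write_seed_corpus(outdir, seeds):
    """Write one file per seed into an AFL input directory such as
    afl-fuzzing.in.  Files carry no trailing newline, matching the
    'echo -n' used in fwknopd-stdin-test.sh.  Returns the paths written."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for i, seed in enumerate(seeds):
        path = os.path.join(outdir, "spa_seed_%02d" % i)   # assumed naming
        with open(path, "w") as fh:
            fh.write(seed)
        paths.append(path)
    return paths


# Constructed sample: the dummy packet from the stdin test shown above.
SAMPLE = "1716411011200157:root:1397329899:2.0.1:1:127.0.0.2,tcp/22:AAAAA"

if __name__ == "__main__":
    fields = parse_spa_seed(SAMPLE)
    for name in SPA_FIELDS:
        print("%15s: %s" % (name, fields[name]))
    # A second access-message seed gives the corpus some variety.
    seeds = [SAMPLE,
             build_spa_seed("alice", "10.0.0.5,udp/53", timestamp=1397329899)]
    print(write_seed_corpus("afl-fuzzing.in.example", seeds))
```

Running the script writes the two seeds into a fresh afl-fuzzing.in.example directory; copy the files into afl-fuzzing.in before invoking afl-run.sh. Rejecting ':' inside a field at build time keeps the seed corpus well-formed, which matters because AFL derives its mutations from these initial cases.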
