tests: New style fuzzing tool for EAP-SIM peer processing
Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
991ff882fd
commit
23ddc7b810
5 changed files with 167 additions and 0 deletions
|
@ -945,10 +945,15 @@ u8 * eap_sim_parse_encr(const u8 *k_encr, const u8 *encr_data,
|
||||||
if (decrypted == NULL)
|
if (decrypted == NULL)
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
|
#ifdef TEST_FUZZ
|
||||||
|
wpa_printf(MSG_INFO,
|
||||||
|
"TEST: Skip AES-128-CBC decryption for fuzz testing");
|
||||||
|
#else /* TEST_FUZZ */
|
||||||
if (aes_128_cbc_decrypt(k_encr, iv, decrypted, encr_data_len)) {
|
if (aes_128_cbc_decrypt(k_encr, iv, decrypted, encr_data_len)) {
|
||||||
os_free(decrypted);
|
os_free(decrypted);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
#endif /* TEST_FUZZ */
|
||||||
wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Decrypted AT_ENCR_DATA",
|
wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Decrypted AT_ENCR_DATA",
|
||||||
decrypted, encr_data_len);
|
decrypted, encr_data_len);
|
||||||
|
|
||||||
|
|
|
@ -799,8 +799,13 @@ static struct wpabuf * eap_sim_process_challenge(struct eap_sm *sm,
|
||||||
EAP_SIM_NONCE_MT_LEN)) {
|
EAP_SIM_NONCE_MT_LEN)) {
|
||||||
wpa_printf(MSG_WARNING, "EAP-SIM: Challenge message "
|
wpa_printf(MSG_WARNING, "EAP-SIM: Challenge message "
|
||||||
"used invalid AT_MAC");
|
"used invalid AT_MAC");
|
||||||
|
#ifdef TEST_FUZZ
|
||||||
|
wpa_printf(MSG_INFO,
|
||||||
|
"TEST: Ignore AT_MAC mismatch for fuzz testing");
|
||||||
|
#else /* TEST_FUZZ */
|
||||||
return eap_sim_client_error(data, id,
|
return eap_sim_client_error(data, id,
|
||||||
EAP_SIM_UNABLE_TO_PROCESS_PACKET);
|
EAP_SIM_UNABLE_TO_PROCESS_PACKET);
|
||||||
|
#endif /* TEST_FUZZ */
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Old reauthentication identity must not be used anymore. In
|
/* Old reauthentication identity must not be used anymore. In
|
||||||
|
@ -959,15 +964,27 @@ static struct wpabuf * eap_sim_process_reauthentication(
|
||||||
{
|
{
|
||||||
wpa_printf(MSG_WARNING, "EAP-SIM: Reauthentication "
|
wpa_printf(MSG_WARNING, "EAP-SIM: Reauthentication "
|
||||||
"did not have valid AT_MAC");
|
"did not have valid AT_MAC");
|
||||||
|
#ifdef TEST_FUZZ
|
||||||
|
wpa_printf(MSG_INFO,
|
||||||
|
"TEST: Ignore AT_MAC mismatch for fuzz testing");
|
||||||
|
#else /* TEST_FUZZ */
|
||||||
return eap_sim_client_error(data, id,
|
return eap_sim_client_error(data, id,
|
||||||
EAP_SIM_UNABLE_TO_PROCESS_PACKET);
|
EAP_SIM_UNABLE_TO_PROCESS_PACKET);
|
||||||
|
#endif /* TEST_FUZZ */
|
||||||
}
|
}
|
||||||
|
|
||||||
/* At this stage the received MAC has been verified. Use this MAC for
|
/* At this stage the received MAC has been verified. Use this MAC for
|
||||||
* reauth Session-Id calculation if all other checks pass.
|
* reauth Session-Id calculation if all other checks pass.
|
||||||
* The peer does not use the local MAC but the received MAC in deriving
|
* The peer does not use the local MAC but the received MAC in deriving
|
||||||
* Session-Id. */
|
* Session-Id. */
|
||||||
|
#ifdef TEST_FUZZ
|
||||||
|
if (attr->mac)
|
||||||
|
os_memcpy(data->reauth_mac, attr->mac, EAP_SIM_MAC_LEN);
|
||||||
|
else
|
||||||
|
os_memset(data->reauth_mac, 0x12, EAP_SIM_MAC_LEN);
|
||||||
|
#else /* TEST_FUZZ */
|
||||||
os_memcpy(data->reauth_mac, attr->mac, EAP_SIM_MAC_LEN);
|
os_memcpy(data->reauth_mac, attr->mac, EAP_SIM_MAC_LEN);
|
||||||
|
#endif /* TEST_FUZZ */
|
||||||
wpa_hexdump(MSG_DEBUG, "EAP-SIM: Server MAC",
|
wpa_hexdump(MSG_DEBUG, "EAP-SIM: Server MAC",
|
||||||
data->reauth_mac, EAP_SIM_MAC_LEN);
|
data->reauth_mac, EAP_SIM_MAC_LEN);
|
||||||
|
|
||||||
|
|
21
tests/fuzzing/eap-sim-peer/Makefile
Normal file
21
tests/fuzzing/eap-sim-peer/Makefile
Normal file
|
@ -0,0 +1,21 @@
|
||||||
|
all: eap-sim-peer
|
||||||
|
include ../rules.include
|
||||||
|
|
||||||
|
CFLAGS += -DIEEE8021X_EAPOL
|
||||||
|
CFLAGS += -DCONFIG_SIM_SIMULATOR
|
||||||
|
|
||||||
|
OBJS += $(SRC)/eap_peer/eap_sim.o
|
||||||
|
OBJS += $(SRC)/eap_common/eap_sim_common.o
|
||||||
|
OBJS += $(SRC)/eap_common/eap_common.o
|
||||||
|
LIBS += $(SRC)/crypto/libcrypto.a
|
||||||
|
LIBS += $(SRC)/utils/libutils.a
|
||||||
|
|
||||||
|
eap-sim-peer: eap-sim-peer.o $(OBJS) $(LIBS)
|
||||||
|
$(Q)$(LDO) $(LDFLAGS) -o $@ $^ $(LIBS) $(ELIBS)
|
||||||
|
@$(E) " LD " $@
|
||||||
|
|
||||||
|
clean:
|
||||||
|
$(MAKE) -C $(SRC) clean
|
||||||
|
rm -f eap-sim-peer *~ *.o *.d ../*~ ../*.o ../*.d
|
||||||
|
|
||||||
|
-include $(OBJS:%.o=%.d)
|
BIN
tests/fuzzing/eap-sim-peer/corpus/server.msg
Normal file
BIN
tests/fuzzing/eap-sim-peer/corpus/server.msg
Normal file
Binary file not shown.
124
tests/fuzzing/eap-sim-peer/eap-sim-peer.c
Normal file
124
tests/fuzzing/eap-sim-peer/eap-sim-peer.c
Normal file
|
@ -0,0 +1,124 @@
|
||||||
|
/*
|
||||||
|
* EAP-SIM peer fuzzer
|
||||||
|
* Copyright (c) 2019, Jouni Malinen <j@w1.fi>
|
||||||
|
*
|
||||||
|
* This software may be distributed under the terms of the BSD license.
|
||||||
|
* See README for more details.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include "utils/includes.h"
|
||||||
|
|
||||||
|
#include "utils/common.h"
|
||||||
|
#include "eap_peer/eap_methods.h"
|
||||||
|
#include "eap_peer/eap_config.h"
|
||||||
|
#include "eap_peer/eap_i.h"
|
||||||
|
#include "../fuzzer-common.h"
|
||||||
|
|
||||||
|
int eap_peer_sim_register(void);
|
||||||
|
|
||||||
|
struct eap_method * registered_eap_method = NULL;
|
||||||
|
|
||||||
|
|
||||||
|
struct eap_method * eap_peer_method_alloc(int version, int vendor,
|
||||||
|
EapType method, const char *name)
|
||||||
|
{
|
||||||
|
struct eap_method *eap;
|
||||||
|
eap = os_zalloc(sizeof(*eap));
|
||||||
|
if (!eap)
|
||||||
|
return NULL;
|
||||||
|
eap->version = version;
|
||||||
|
eap->vendor = vendor;
|
||||||
|
eap->method = method;
|
||||||
|
eap->name = name;
|
||||||
|
return eap;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
int eap_peer_method_register(struct eap_method *method)
|
||||||
|
{
|
||||||
|
registered_eap_method = method;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static struct eap_peer_config eap_sim_config = {
|
||||||
|
.identity = (u8 *) "1232010000000000",
|
||||||
|
.identity_len = 16,
|
||||||
|
.password = (u8 *) "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
|
||||||
|
.password_len = 65,
|
||||||
|
};
|
||||||
|
|
||||||
|
struct eap_peer_config * eap_get_config(struct eap_sm *sm)
|
||||||
|
{
|
||||||
|
return &eap_sim_config;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
const u8 * eap_get_config_identity(struct eap_sm *sm, size_t *len)
|
||||||
|
{
|
||||||
|
static const char *id = "1232010000000000";
|
||||||
|
|
||||||
|
*len = os_strlen(id);
|
||||||
|
return (const u8 *) id;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
void eap_set_anon_id(struct eap_sm *sm, const u8 *id, size_t len)
|
||||||
|
{
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
void eap_sm_request_identity(struct eap_sm *sm)
|
||||||
|
{
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
void eap_sm_request_sim(struct eap_sm *sm, const char *req)
|
||||||
|
{
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
|
||||||
|
{
|
||||||
|
const u8 *pos, *end;
|
||||||
|
struct eap_sm *sm;
|
||||||
|
void *priv;
|
||||||
|
struct eap_method_ret ret;
|
||||||
|
|
||||||
|
wpa_fuzzer_set_debug_level();
|
||||||
|
|
||||||
|
eap_peer_sim_register();
|
||||||
|
sm = os_zalloc(sizeof(*sm));
|
||||||
|
if (!sm)
|
||||||
|
return 0;
|
||||||
|
priv = registered_eap_method->init(sm);
|
||||||
|
os_memset(&ret, 0, sizeof(ret));
|
||||||
|
|
||||||
|
pos = data;
|
||||||
|
end = pos + size;
|
||||||
|
|
||||||
|
while (end - pos > 2) {
|
||||||
|
u16 flen;
|
||||||
|
struct wpabuf *buf, *req;
|
||||||
|
|
||||||
|
flen = WPA_GET_BE16(pos);
|
||||||
|
pos += 2;
|
||||||
|
if (end - pos < flen)
|
||||||
|
break;
|
||||||
|
req = wpabuf_alloc_copy(pos, flen);
|
||||||
|
if (!req)
|
||||||
|
break;
|
||||||
|
wpa_hexdump_buf(MSG_MSGDUMP, "fuzzer - request", req);
|
||||||
|
buf = registered_eap_method->process(sm, priv, &ret, req);
|
||||||
|
wpa_hexdump_buf(MSG_MSGDUMP, "fuzzer - local response", buf);
|
||||||
|
wpabuf_free(req);
|
||||||
|
wpabuf_free(buf);
|
||||||
|
pos += flen;
|
||||||
|
}
|
||||||
|
|
||||||
|
registered_eap_method->deinit(sm, priv);
|
||||||
|
os_free(registered_eap_method);
|
||||||
|
os_free(sm);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
Loading…
Reference in a new issue