From 41a10324492e09183d6758bd310a32ec66702b50 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 4 Apr 2020 18:28:06 +0300
Subject: [PATCH] tests: New style fuzzing tool for SAE commit parsing

Signed-off-by: Jouni Malinen
---
tests/fuzzing/sae/Makefile | 24 +++++++++++
.../corpus/sae-commit-h2e-rejected-groups.dat | Bin 0 -> 102 bytes
.../sae/corpus/sae-commit-h2e-token.dat | Bin 0 -> 101 bytes
tests/fuzzing/sae/corpus/sae-commit-pw-id.dat | Bin 0 -> 101 bytes
tests/fuzzing/sae/corpus/sae-commit-token.dat | Bin 0 -> 130 bytes
tests/fuzzing/sae/corpus/sae-commit-valid.dat | Bin 0 -> 98 bytes
tests/fuzzing/sae/sae.c | 39 ++++++++++++++++++
7 files changed, 63 insertions(+)
create mode 100644 tests/fuzzing/sae/Makefile
create mode 100644 tests/fuzzing/sae/corpus/sae-commit-h2e-rejected-groups.dat
create mode 100644 tests/fuzzing/sae/corpus/sae-commit-h2e-token.dat
create mode 100644 tests/fuzzing/sae/corpus/sae-commit-pw-id.dat
create mode 100644 tests/fuzzing/sae/corpus/sae-commit-token.dat
create mode 100644 tests/fuzzing/sae/corpus/sae-commit-valid.dat
create mode 100644 tests/fuzzing/sae/sae.c
diff --git a/tests/fuzzing/sae/Makefile b/tests/fuzzing/sae/Makefile
new file mode 100644
index 000000000..0a56e0628
--- /dev/null
+++ b/tests/fuzzing/sae/Makefile
@@ -0,0 +1,24 @@
+all: sae
+include ../rules.include
+
+CFLAGS += -DCONFIG_SHA256
+CFLAGS += -DCONFIG_ECC
+
+LIBS += $(SRC)/common/libcommon.a
+LIBS += $(SRC)/utils/libutils.a
+
+OBJS += $(SRC)/crypto/crypto_openssl.o
+LIBS += -lcrypto
+OBJS += $(SRC)/crypto/dh_groups.o
+OBJS += $(SRC)/crypto/sha256-prf.o
+OBJS += $(SRC)/crypto/sha256-kdf.o
+OBJS += $(SRC)/common/dragonfly.o
+
+sae: sae.o $(OBJS) $(LIBS)
+ $(LDO) $(LDFLAGS) -o $@ $^ $(LIBS)
+
+clean:
+ $(MAKE) -C $(SRC) clean
+ rm -f sae *~ *.o *.d ../*~ ../*.o ../*.d
+
+-include $(OBJS:%.o=%.d)
diff --git a/tests/fuzzing/sae/corpus/sae-commit-h2e-rejected-groups.dat b/tests/fuzzing/sae/corpus/sae-commit-h2e-rejected-groups.dat new file mode 100644 index 0000000000000000000000000000000000000000..cd129a474a726d28b51b2280127d1d650eb04cda GIT binary patch literal 102 zcmV-s0Ga<208|=nJjbH(_K3tR3*!ii@RWbONRp*d1ON1&E-_G}%;8~xd<7qxPmG)o zv8AFTOtIEWsptP(>a*mwgSoYf78o<))4MF>>^d|^j!KwdSE!+=hWTauMQcasx=vVV IrT+q409Fh%GXMYp literal 0 HcmV?d00001 diff --git a/tests/fuzzing/sae/corpus/sae-commit-h2e-token.dat b/tests/fuzzing/sae/corpus/sae-commit-h2e-token.dat new file mode 100644 index 0000000000000000000000000000000000000000..b2886c70d20902b56d93407b8ab2c2c1016ee221 GIT binary patch literal 101 zcmV-r0Gj_308|=nJjbH(_K3tR3*!ii@RWbONRp*d1ON1&E-_G}%;8~xd<7qxPmG)o zv8AFTOtIEWsptP(>a*mwgSoYf78o<))4MF>>^d|^j!KwdSE!+=hWTauMQcasx=vVV HrT+n4A=orC literal 0 HcmV?d00001 diff --git a/tests/fuzzing/sae/corpus/sae-commit-pw-id.dat b/tests/fuzzing/sae/corpus/sae-commit-pw-id.dat new file mode 100644 index 0000000000000000000000000000000000000000..5ca903ed20160871f74acbec6f5677b8a0da26d7 GIT binary patch literal 101 zcmV-r0Gj_308|=nJjbH(_K3tR3*!ii@RWbONRp*d1ON1&E-_G}%;8~xd<7qxPmG)o zv8AFTOtIEWsptP(>a*mwgSoYf78o<))4MF>>^d|^j!KwdSE!+=hWTauMQcasx=vVV HrT+mTA)GV! literal 0 HcmV?d00001 diff --git a/tests/fuzzing/sae/corpus/sae-commit-token.dat b/tests/fuzzing/sae/corpus/sae-commit-token.dat new file mode 100644 index 0000000000000000000000000000000000000000..b25cc49f8e106b67bf25f144507a9d8d72b0c705 GIT binary patch literal 130 zcmWe;AOu3Ba&3+;`uMHmhz|E-j;;?=>i2p~S{lgw|I2(m!+^zS9ws)_u*%Q!@0r8D zap@vupN-eNS3dtA^J?>xZOuEkc8f_EKf1hI=gAu@6OTTx842Ml7OrUfnfk{y+x^8Z Izle;b0ElZc)&Kwi literal 0 HcmV?d00001 
diff --git a/tests/fuzzing/sae/corpus/sae-commit-valid.dat b/tests/fuzzing/sae/corpus/sae-commit-valid.dat
new file mode 100644
index 0000000000000000000000000000000000000000..eadfa4993b89ad45438a77849cecd14f420cf7ba
GIT binary patch literal 98 zcmV-o0Ga*mwgSoYf78o<))4MF>>^d|^j!KwdSE!+=hWTauMQcasx=vVV ErG@J<)&Kwi literal 0 HcmV?d00001
diff --git a/tests/fuzzing/sae/sae.c b/tests/fuzzing/sae/sae.c
new file mode 100644
index 000000000..8819a4abb
--- /dev/null
+++ b/tests/fuzzing/sae/sae.c
@@ -0,0 +1,39 @@
+/*
+ * SAE fuzzer
+ * Copyright (c) 2020, Jouni Malinen
+ *
+ * This software may be distributed under the terms of the BSD license.
+ * See README for more details.
+ */
+
+#include "utils/includes.h"
+
+#include "utils/common.h"
+#include "common/sae.h"
+#include "../fuzzer-common.h"
+
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ struct sae_data sae;
+ u16 res;
+ const u8 *token = NULL;
+ size_t token_len = 0;
+ int groups[] = { 19, 0 };
+
+ wpa_fuzzer_set_debug_level();
+
+ if (os_program_init())
+ return 0;
+
+ os_memset(&sae, 0, sizeof(sae));
+ res = sae_parse_commit(&sae, data, size, &token, &token_len, groups, 0);
+ wpa_printf(MSG_DEBUG, "sae_parse_commit(0): %u", res);
+ sae_clear_data(&sae);
+ res = sae_parse_commit(&sae, data, size, &token, &token_len, groups, 1);
+ wpa_printf(MSG_DEBUG, "sae_parse_commit(1): %u", res);
+ sae_clear_data(&sae);
+ os_program_deinit();
+
+ return 0;
+}
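Review bot: The allowed-group list in `LLVMFuzzerTestOneInput` is fixed to `int groups[] = { 19, 0 };` for both `sae_parse_commit()` calls, so inputs naming any other group are presumably rejected at the group check and never reach the element parsing for that group. That would leave the finite-field path unfuzzed even though the Makefile links `dh_groups.o`; whether it is compiled in at all depends on `../rules.include`, which is not visible here. Either extend the list with the other groups this build supports, or state the limit next to the array, for example `/* Only group 19 is accepted here; other ECC groups and FFC groups are not exercised */`. The two calls differ only in the final argument (0, then 1), which appears to be the H2E flag judging by the corpus file names; a one-line comment such as `/* Parse the same input without and with H2E */` above the first call would make that explicit.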