tests: New style fuzzing tool for EAP-SIM peer processing
authorJouni Malinen <j@w1.fi>
Sun, 2 Jun 2019 13:38:17 +0000 (16:38 +0300)
committerJouni Malinen <j@w1.fi>
Sun, 2 Jun 2019 13:42:41 +0000 (16:42 +0300)
Signed-off-by: Jouni Malinen <j@w1.fi>
src/eap_common/eap_sim_common.c
src/eap_peer/eap_sim.c
tests/fuzzing/eap-sim-peer/Makefile [new file with mode: 0644]
tests/fuzzing/eap-sim-peer/corpus/server.msg [new file with mode: 0644]
tests/fuzzing/eap-sim-peer/eap-sim-peer.c [new file with mode: 0644]

index cfdd1bf4a8ab5cae00d1852fcaaf524e4d925409..1e0f80879dafdf38e75276882ec77ff55c35c8e2 100644 (file)
@@ -945,10 +945,15 @@ u8 * eap_sim_parse_encr(const u8 *k_encr, const u8 *encr_data,
        if (decrypted == NULL)
                return NULL;
 
+#ifdef TEST_FUZZ
+               wpa_printf(MSG_INFO,
+                          "TEST: Skip AES-128-CBC decryption for fuzz testing");
+#else /* TEST_FUZZ */
        if (aes_128_cbc_decrypt(k_encr, iv, decrypted, encr_data_len)) {
                os_free(decrypted);
                return NULL;
        }
+#endif /* TEST_FUZZ */
        wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Decrypted AT_ENCR_DATA",
                    decrypted, encr_data_len);
 
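Review bot: The TEST_FUZZ-only `wpa_printf(MSG_INFO, ...)` at the top of the hunk is indented one tab deeper than the `if` it stands in for, so it reads as the body of a conditional that does not exist; align it with the surrounding statements. Since the skipped `aes_128_cbc_decrypt()` call decrypts `decrypted` in place, that buffer presumably still holds the raw AT_ENCR_DATA bytes in a fuzz build and everything after this point parses them as plaintext; a comment on the bypass would make that explicit, e.g. `/* TEST_FUZZ: leave the AT_ENCR_DATA copy undecrypted so the parser below sees fuzzer bytes directly */`. The body of eap_sim_parse_encr starts and ends outside the hunk.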
index b60577b7d4f5eb117ea709736103a0faac83e94f..c4070ab3329724563eee5f5012d77365211cd469 100644 (file)
@@ -799,8 +799,13 @@ static struct wpabuf * eap_sim_process_challenge(struct eap_sm *sm,
                               EAP_SIM_NONCE_MT_LEN)) {
                wpa_printf(MSG_WARNING, "EAP-SIM: Challenge message "
                           "used invalid AT_MAC");
+#ifdef TEST_FUZZ
+               wpa_printf(MSG_INFO,
+                          "TEST: Ignore AT_MAC mismatch for fuzz testing");
+#else /* TEST_FUZZ */
                return eap_sim_client_error(data, id,
                                            EAP_SIM_UNABLE_TO_PROCESS_PACKET);
+#endif /* TEST_FUZZ */
        }
 
        /* Old reauthentication identity must not be used anymore. In
@@ -959,15 +964,27 @@ static struct wpabuf * eap_sim_process_reauthentication(
        {
                wpa_printf(MSG_WARNING, "EAP-SIM: Reauthentication "
                           "did not have valid AT_MAC");
+#ifdef TEST_FUZZ
+               wpa_printf(MSG_INFO,
+                          "TEST: Ignore AT_MAC mismatch for fuzz testing");
+#else /* TEST_FUZZ */
                return eap_sim_client_error(data, id,
                                            EAP_SIM_UNABLE_TO_PROCESS_PACKET);
+#endif /* TEST_FUZZ */
        }
 
        /* At this stage the received MAC has been verified. Use this MAC for
         * reauth Session-Id calculation if all other checks pass.
         * The peer does not use the local MAC but the received MAC in deriving
         * Session-Id. */
+#ifdef TEST_FUZZ
+       if (attr->mac)
+               os_memcpy(data->reauth_mac, attr->mac, EAP_SIM_MAC_LEN);
+       else
+               os_memset(data->reauth_mac, 0x12, EAP_SIM_MAC_LEN);
+#else /* TEST_FUZZ */
        os_memcpy(data->reauth_mac, attr->mac, EAP_SIM_MAC_LEN);
+#endif /* TEST_FUZZ */
        wpa_hexdump(MSG_DEBUG, "EAP-SIM: Server MAC",
                    data->reauth_mac, EAP_SIM_MAC_LEN);
 
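Review bot: The comment above the reauth MAC copy, `/* At this stage the received MAC has been verified. ... */`, is no longer true in a TEST_FUZZ build, where the mismatch a few lines earlier is only logged and `attr->mac` may be absent altogether; extend it, e.g. `* (TEST_FUZZ builds skip the check and use a fixed 0x12 pattern when AT_MAC is missing)`. The `0x12` fill is a bare magic value; a named constant or that comment would carry the intent. The same log-instead-of-return pattern is introduced in the eap_sim_process_challenge hunk above, and it is not visible from that hunk whether later code dereferences `attr->mac` when it is NULL, which the reauthentication hunk guards against but the challenge hunk does not; worth confirming. Both enclosing functions start and end outside the hunks.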
diff --git a/tests/fuzzing/eap-sim-peer/Makefile b/tests/fuzzing/eap-sim-peer/Makefile
new file mode 100644 (file)
index 0000000..302717e
--- /dev/null
@@ -0,0 +1,21 @@
+all: eap-sim-peer
+include ../rules.include
+
+CFLAGS += -DIEEE8021X_EAPOL
+CFLAGS += -DCONFIG_SIM_SIMULATOR
+
+OBJS += $(SRC)/eap_peer/eap_sim.o
+OBJS += $(SRC)/eap_common/eap_sim_common.o
+OBJS += $(SRC)/eap_common/eap_common.o
+LIBS += $(SRC)/crypto/libcrypto.a
+LIBS += $(SRC)/utils/libutils.a
+
+eap-sim-peer: eap-sim-peer.o $(OBJS) $(LIBS)
+       $(Q)$(LDO) $(LDFLAGS) -o $@ $^ $(LIBS) $(ELIBS)
+       @$(E) "  LD " $@
+
+clean:
+       $(MAKE) -C $(SRC) clean
+       rm -f eap-sim-peer *~ *.o *.d ../*~ ../*.o ../*.d
+
+-include $(OBJS:%.o=%.d)
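Review bot: Nothing in this Makefile defines TEST_FUZZ, yet the two eap_sim*.c hunks in this commit depend on it to bypass the AT_MAC check and the AT_ENCR_DATA decryption; presumably it is inherited from `../rules.include`. A one-line comment next to the include, `# TEST_FUZZ (AT_MAC / AT_ENCR_DATA bypass in eap_sim*.c) comes from ../rules.include`, would save the next reader from tracing where the crypto bypass is switched on and make it obvious that these objects must be built separately from any shipped build.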
diff --git a/tests/fuzzing/eap-sim-peer/corpus/server.msg b/tests/fuzzing/eap-sim-peer/corpus/server.msg
new file mode 100644 (file)
index 0000000..adb9f6c
Binary files /dev/null and b/tests/fuzzing/eap-sim-peer/corpus/server.msg differ
diff --git a/tests/fuzzing/eap-sim-peer/eap-sim-peer.c b/tests/fuzzing/eap-sim-peer/eap-sim-peer.c
new file mode 100644 (file)
index 0000000..ce701f3
--- /dev/null
@@ -0,0 +1,124 @@
+/*
+ * EAP-SIM peer fuzzer
+ * Copyright (c) 2019, Jouni Malinen <j@w1.fi>
+ *
+ * This software may be distributed under the terms of the BSD license.
+ * See README for more details.
+ */
+
+#include "utils/includes.h"
+
+#include "utils/common.h"
+#include "eap_peer/eap_methods.h"
+#include "eap_peer/eap_config.h"
+#include "eap_peer/eap_i.h"
+#include "../fuzzer-common.h"
+
+int eap_peer_sim_register(void);
+
+struct eap_method * registered_eap_method = NULL;
+
+
+struct eap_method * eap_peer_method_alloc(int version, int vendor,
+                                         EapType method, const char *name)
+{
+       struct eap_method *eap;
+       eap = os_zalloc(sizeof(*eap));
+       if (!eap)
+               return NULL;
+       eap->version = version;
+       eap->vendor = vendor;
+       eap->method = method;
+       eap->name = name;
+       return eap;
+}
+
+
+int eap_peer_method_register(struct eap_method *method)
+{
+       registered_eap_method = method;
+       return 0;
+}
+
+
+static struct eap_peer_config eap_sim_config = {
+       .identity = (u8 *) "1232010000000000",
+       .identity_len = 16,
+       .password = (u8 *) "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
+       .password_len = 65,
+};
+
+struct eap_peer_config * eap_get_config(struct eap_sm *sm)
+{
+       return &eap_sim_config;
+}
+
+
+const u8 * eap_get_config_identity(struct eap_sm *sm, size_t *len)
+{
+       static const char *id = "1232010000000000";
+
+       *len = os_strlen(id);
+       return (const u8 *) id;
+}
+
+
+void eap_set_anon_id(struct eap_sm *sm, const u8 *id, size_t len)
+{
+}
+
+
+void eap_sm_request_identity(struct eap_sm *sm)
+{
+}
+
+
+void eap_sm_request_sim(struct eap_sm *sm, const char *req)
+{
+}
+
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+       const u8 *pos, *end;
+       struct eap_sm *sm;
+       void *priv;
+       struct eap_method_ret ret;
+
+       wpa_fuzzer_set_debug_level();
+
+       eap_peer_sim_register();
+       sm = os_zalloc(sizeof(*sm));
+       if (!sm)
+               return 0;
+       priv = registered_eap_method->init(sm);
+       os_memset(&ret, 0, sizeof(ret));
+
+       pos = data;
+       end = pos + size;
+
+       while (end - pos > 2) {
+               u16 flen;
+               struct wpabuf *buf, *req;
+
+               flen = WPA_GET_BE16(pos);
+               pos += 2;
+               if (end - pos < flen)
+                       break;
+               req = wpabuf_alloc_copy(pos, flen);
+               if (!req)
+                       break;
+               wpa_hexdump_buf(MSG_MSGDUMP, "fuzzer - request", req);
+               buf = registered_eap_method->process(sm, priv, &ret, req);
+               wpa_hexdump_buf(MSG_MSGDUMP, "fuzzer - local response", buf);
+               wpabuf_free(req);
+               wpabuf_free(buf);
+               pos += flen;
+       }
+
+       registered_eap_method->deinit(sm, priv);
+       os_free(registered_eap_method);
+       os_free(sm);
+
+       return 0;
+}
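Review bot: `priv = registered_eap_method->init(sm);` is handed straight to `process()` without a NULL check, and the result of `eap_peer_sim_register()` two lines earlier is ignored, so an init failure inside the method (for example an allocation failure) would surface as a crash in the harness rather than as a finding in the code under test. Guarding both and routing cleanup through one exit label also allows `registered_eap_method` to be reset to NULL after the `os_free()` at the end, instead of leaving a dangling pointer until the next `eap_peer_sim_register()` call. The rewritten setup and teardown are below; the length-prefixed request loop is unchanged.
```c
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
	/* … unchanged: pos/end and ret declarations … */
	struct eap_sm *sm = NULL;
	void *priv = NULL;

	/* … unchanged: wpa_fuzzer_set_debug_level() … */

	if (eap_peer_sim_register() || !registered_eap_method)
		goto out;
	sm = os_zalloc(sizeof(*sm));
	if (!sm)
		goto out;
	priv = registered_eap_method->init(sm);
	if (!priv)
		goto out;

	/* … unchanged: os_memset(&ret, …) and the length-prefixed request loop … */

out:
	if (priv)
		registered_eap_method->deinit(sm, priv);
	os_free(registered_eap_method);
	registered_eap_method = NULL;
	os_free(sm);

	return 0;
}
```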