tests: New style fuzzing tool for SAE commit parsing

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/tests/fuzzing/sae/Makefile b/tests/fuzzing/sae/Makefile
new file mode 100644 (file)
index 0000000..0a56e06
--- /dev/null
+++ b/tests/fuzzing/sae/Makefile
@@ -0,0 +1,24 @@
+all: sae
+include ../rules.include
+
+CFLAGS += -DCONFIG_SHA256
+CFLAGS += -DCONFIG_ECC
+
+LIBS += $(SRC)/common/libcommon.a
+LIBS += $(SRC)/utils/libutils.a
+
+OBJS += $(SRC)/crypto/crypto_openssl.o
+LIBS += -lcrypto
+OBJS += $(SRC)/crypto/dh_groups.o
+OBJS += $(SRC)/crypto/sha256-prf.o
+OBJS += $(SRC)/crypto/sha256-kdf.o
+OBJS += $(SRC)/common/dragonfly.o
+
+sae: sae.o $(OBJS) $(LIBS)
+       $(LDO) $(LDFLAGS) -o $@ $^ $(LIBS)
+
+clean:
+       $(MAKE) -C $(SRC) clean
+       rm -f sae *~ *.o *.d ../*~ ../*.o ../*.d
+
+-include $(OBJS:%.o=%.d)

diff --git a/tests/fuzzing/sae/corpus/sae-commit-h2e-rejected-groups.dat b/tests/fuzzing/sae/corpus/sae-commit-h2e-rejected-groups.dat
new file mode 100644 (file)
index 0000000..cd129a4
Binary files /dev/null and b/tests/fuzzing/sae/corpus/sae-commit-h2e-rejected-groups.dat differ

diff --git a/tests/fuzzing/sae/corpus/sae-commit-h2e-token.dat b/tests/fuzzing/sae/corpus/sae-commit-h2e-token.dat
new file mode 100644 (file)
index 0000000..b2886c7
Binary files /dev/null and b/tests/fuzzing/sae/corpus/sae-commit-h2e-token.dat differ

diff --git a/tests/fuzzing/sae/corpus/sae-commit-pw-id.dat b/tests/fuzzing/sae/corpus/sae-commit-pw-id.dat
new file mode 100644 (file)
index 0000000..5ca903e
Binary files /dev/null and b/tests/fuzzing/sae/corpus/sae-commit-pw-id.dat differ

diff --git a/tests/fuzzing/sae/corpus/sae-commit-token.dat b/tests/fuzzing/sae/corpus/sae-commit-token.dat
new file mode 100644 (file)
index 0000000..b25cc49
Binary files /dev/null and b/tests/fuzzing/sae/corpus/sae-commit-token.dat differ

diff --git a/tests/fuzzing/sae/corpus/sae-commit-valid.dat b/tests/fuzzing/sae/corpus/sae-commit-valid.dat
new file mode 100644 (file)
index 0000000..eadfa49
Binary files /dev/null and b/tests/fuzzing/sae/corpus/sae-commit-valid.dat differ

diff --git a/tests/fuzzing/sae/sae.c b/tests/fuzzing/sae/sae.c
new file mode 100644 (file)
index 0000000..8819a4a
--- /dev/null
+++ b/tests/fuzzing/sae/sae.c
@@ -0,0 +1,39 @@
+/*
+ * SAE fuzzer
+ * Copyright (c) 2020, Jouni Malinen <j@w1.fi>
+ *
+ * This software may be distributed under the terms of the BSD license.
+ * See README for more details.
+ */
+
+#include "utils/includes.h"
+
+#include "utils/common.h"
+#include "common/sae.h"
+#include "../fuzzer-common.h"
+
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+       struct sae_data sae;
+       u16 res;
+       const u8 *token = NULL;
+       size_t token_len = 0;
+       int groups[] = { 19, 0 };
+
+       wpa_fuzzer_set_debug_level();
+
+       if (os_program_init())
+               return 0;
+
+       os_memset(&sae, 0, sizeof(sae));
+       res = sae_parse_commit(&sae, data, size, &token, &token_len, groups, 0);
+       wpa_printf(MSG_DEBUG, "sae_parse_commit(0): %u", res);
+       sae_clear_data(&sae);
+       res = sae_parse_commit(&sae, data, size, &token, &token_len, groups, 1);
+       wpa_printf(MSG_DEBUG, "sae_parse_commit(1): %u", res);
+       sae_clear_data(&sae);
+       os_program_deinit();
+
+       return 0;
+}