tests: New style fuzzing tool for EAPOL frame processing (supplicant)

author Jouni Malinen <j@w1.fi>

Sat, 1 Jun 2019 13:46:21 +0000 (16:46 +0300)

committer Jouni Malinen <j@w1.fi>

Sun, 2 Jun 2019 10:00:39 +0000 (13:00 +0300)
author Jouni Malinen <j@w1.fi>
Sat, 1 Jun 2019 13:46:21 +0000 (16:46 +0300)
committer Jouni Malinen <j@w1.fi>
Sun, 2 Jun 2019 10:00:39 +0000 (13:00 +0300)
diff --git a/tests/fuzzing/eapol-supp/Makefile b/tests/fuzzing/eapol-supp/Makefile

new file mode 100644 (file)

index 0000000..41a505d
--- /dev/null
+++ b/tests/fuzzing/eapol-supp/Makefile
@@ -0,0 +1,23 @@
+all: eapol-supp
+include ../rules.include
+
+CFLAGS += -DIEEE8021X_EAPOL
+
+LIBS += $(SRC)/common/libcommon.a
+LIBS += $(SRC)/crypto/libcrypto.a
+LIBS += $(SRC)/tls/libtls.a
+LIBS += $(SRC)/rsn_supp/librsn_supp.a
+LIBS += $(SRC)/eapol_supp/libeapol_supp.a
+LIBS += $(SRC)/eap_peer/libeap_peer.a
+LIBS += $(SRC)/eap_common/libeap_common.a
+LIBS += $(SRC)/l2_packet/libl2_packet.a
+LIBS += $(SRC)/utils/libutils.a
+
+eapol-supp: eapol-supp.o $(OBJS) $(LIBS)
+       $(LDO) $(LDFLAGS) -o $@ $^ -Wl,--start-group $(LIBS) -Wl,--end-group
+
+clean:
+       $(MAKE) -C $(SRC) clean
+       rm -f eapol-supp *~ *.o *.d ../*~ ../*.o ../*.d
+
+-include $(OBJS:%.o=%.d)
diff --git a/tests/fuzzing/eapol-supp/corpus/eap-req-identity.dat b/tests/fuzzing/eapol-supp/corpus/eap-req-identity.dat

new file mode 100644 (file)

index 0000000..768b277

Binary files /dev/null and b/tests/fuzzing/eapol-supp/corpus/eap-req-identity.dat differ
diff --git a/tests/fuzzing/eapol-supp/corpus/eap-req-sim.dat b/tests/fuzzing/eapol-supp/corpus/eap-req-sim.dat

new file mode 100644 (file)

index 0000000..eb854aa

Binary files /dev/null and b/tests/fuzzing/eapol-supp/corpus/eap-req-sim.dat differ
diff --git a/tests/fuzzing/eapol-supp/corpus/eapol-key-m1.dat b/tests/fuzzing/eapol-supp/corpus/eapol-key-m1.dat

new file mode 100644 (file)

index 0000000..937721c

Binary files /dev/null and b/tests/fuzzing/eapol-supp/corpus/eapol-key-m1.dat differ
diff --git a/tests/fuzzing/eapol-supp/eapol-supp.c b/tests/fuzzing/eapol-supp/eapol-supp.c

new file mode 100644 (file)

index 0000000..6f0b8cb
--- /dev/null
+++ b/tests/fuzzing/eapol-supp/eapol-supp.c
@@ -0,0 +1,198 @@
+/*
+ * wpa_supplicant - EAPOL fuzzer
+ * Copyright (c) 2015-2019, Jouni Malinen <j@w1.fi>
+ *
+ * This software may be distributed under the terms of the BSD license.
+ * See README for more details.
+ */
+
+#include "utils/includes.h"
+
+#include "utils/common.h"
+#include "utils/eloop.h"
+#include "eapol_supp/eapol_supp_sm.h"
+#include "rsn_supp/wpa.h"
+#include "rsn_supp/wpa_i.h"
+#include "../fuzzer-common.h"
+
+
+struct arg_ctx {
+       const u8 *data;
+       size_t data_len;
+       struct wpa_sm *wpa;
+       struct eapol_sm *eapol;
+};
+
+
+static void test_send_eapol(void *eloop_data, void *user_ctx)
+{
+       struct arg_ctx *ctx = eloop_data;
+       u8 src[ETH_ALEN] = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x01 };
+       u8 wpa_ie[200];
+       size_t wpa_ie_len;
+
+       wpa_hexdump(MSG_MSGDUMP, "fuzzer - EAPOL", ctx->data, ctx->data_len);
+
+       eapol_sm_notify_portEnabled(ctx->eapol, TRUE);
+
+       wpa_sm_set_param(ctx->wpa, WPA_PARAM_PROTO, WPA_PROTO_RSN);
+       wpa_sm_set_param(ctx->wpa, WPA_PARAM_RSN_ENABLED, 1);
+       wpa_sm_set_param(ctx->wpa, WPA_PARAM_KEY_MGMT, WPA_KEY_MGMT_PSK);
+       wpa_sm_set_param(ctx->wpa, WPA_PARAM_PAIRWISE, WPA_CIPHER_CCMP);
+       wpa_sm_set_param(ctx->wpa, WPA_PARAM_GROUP, WPA_CIPHER_CCMP);
+
+       wpa_ie_len = sizeof(wpa_ie);
+       wpa_sm_set_assoc_wpa_ie_default(ctx->wpa, wpa_ie, &wpa_ie_len);
+
+       if (eapol_sm_rx_eapol(ctx->eapol, src, ctx->data, ctx->data_len) <= 0)
+               wpa_sm_rx_eapol(ctx->wpa, src, ctx->data, ctx->data_len);
+
+       eloop_terminate();
+}
+
+
+static void * get_network_ctx(void *arg)
+{
+       return (void *) 1;
+}
+
+
+static void set_state(void *arg, enum wpa_states state)
+{
+}
+
+
+static void deauthenticate(void *arg, u16 reason_code)
+{
+}
+
+
+static u8 * alloc_eapol(void *arg, u8 type,
+                       const void *data, u16 data_len,
+                       size_t *msg_len, void **data_pos)
+{
+       struct ieee802_1x_hdr *hdr;
+
+       *msg_len = sizeof(*hdr) + data_len;
+       hdr = os_malloc(*msg_len);
+       if (hdr == NULL)
+               return NULL;
+
+       hdr->version = 2;
+       hdr->type = type;
+       hdr->length = host_to_be16(data_len);
+
+       if (data)
+               os_memcpy(hdr + 1, data, data_len);
+       else
+               os_memset(hdr + 1, 0, data_len);
+
+       if (data_pos)
+               *data_pos = hdr + 1;
+
+       return (u8 *) hdr;
+}
+
+
+static int ether_send(void *arg, const u8 *dest, u16 proto,
+                     const u8 *buf, size_t len)
+{
+       return 0;
+}
+
+
+static int get_bssid(void *ctx, u8 *bssid)
+{
+       return -1;
+}
+
+
+static int eapol_send(void *ctx, int type, const u8 *buf, size_t len)
+{
+       return 0;
+}
+
+
+static int init_wpa(struct arg_ctx *arg)
+{
+       struct wpa_sm_ctx *ctx;
+
+       ctx = os_zalloc(sizeof(*ctx));
+       if (ctx == NULL) {
+               wpa_printf(MSG_ERROR, "Failed to allocate WPA context.");
+               return -1;
+       }
+
+       ctx->ctx = arg;
+       ctx->msg_ctx = arg;
+       ctx->get_network_ctx = get_network_ctx;
+       ctx->set_state = set_state;
+       ctx->deauthenticate = deauthenticate;
+       ctx->alloc_eapol = alloc_eapol;
+       ctx->ether_send = ether_send;
+       ctx->get_bssid = get_bssid;
+
+       arg->wpa = wpa_sm_init(ctx);
+       if (!arg->wpa)
+               return -1;
+       arg->wpa->pmk_len = PMK_LEN;
+       return 0;
+}
+
+
+static int init_eapol(struct arg_ctx *arg)
+{
+       struct eapol_ctx *ctx;
+
+       ctx = os_zalloc(sizeof(*ctx));
+       if (ctx == NULL) {
+               wpa_printf(MSG_ERROR, "Failed to allocate EAPOL context.");
+               return -1;
+       }
+
+       ctx->ctx = arg;
+       ctx->msg_ctx = arg;
+       ctx->eapol_send = eapol_send;
+
+       arg->eapol = eapol_sm_init(ctx);
+       return arg->eapol ? 0 : -1;
+}
+
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+       struct arg_ctx ctx;
+
+       wpa_fuzzer_set_debug_level();
+
+       if (os_program_init())
+               return 0;
+
+       if (eloop_init()) {
+               wpa_printf(MSG_ERROR, "Failed to initialize event loop");
+               return 0;
+       }
+
+       os_memset(&ctx, 0, sizeof(ctx));
+       ctx.data = data;
+       ctx.data_len = size;
+       if (init_wpa(&ctx) || init_eapol(&ctx))
+               goto fail;
+
+       eloop_register_timeout(0, 0, test_send_eapol, &ctx, NULL);
+
+       wpa_printf(MSG_DEBUG, "Starting eloop");
+       eloop_run();
+       wpa_printf(MSG_DEBUG, "eloop done");
+
+fail:
+       if (ctx.wpa)
+               wpa_sm_deinit(ctx.wpa);
+       if (ctx.eapol)
+               eapol_sm_deinit(ctx.eapol);
+
+       eloop_destroy();
+       os_program_deinit();
+
+       return 0;
+}
author	Jouni Malinen <j@w1.fi>
	Sat, 1 Jun 2019 13:46:21 +0000 (16:46 +0300)
committer	Jouni Malinen <j@w1.fi>
	Sun, 2 Jun 2019 10:00:39 +0000 (13:00 +0300)
tests/fuzzing/eapol-supp/Makefile	[new file with mode: 0644]	patch \| blob
tests/fuzzing/eapol-supp/corpus/eap-req-identity.dat	[new file with mode: 0644]	patch \| blob
tests/fuzzing/eapol-supp/corpus/eap-req-sim.dat	[new file with mode: 0644]	patch \| blob
tests/fuzzing/eapol-supp/corpus/eapol-key-m1.dat	[new file with mode: 0644]	patch \| blob
tests/fuzzing/eapol-supp/eapol-supp.c	[new file with mode: 0644]	patch \| blob