tests: Fuzz testing for PASN

Add test tools for fuzzing PASN initiator and responder handling of
received PASN Authentication frames.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/tests/fuzzing/pasn-init/Makefile b/tests/fuzzing/pasn-init/Makefile
new file mode 100644 (file)
index 0000000..b848f27
--- /dev/null
+++ b/tests/fuzzing/pasn-init/Makefile
@@ -0,0 +1,40 @@
+ALL=pasn-init
+include ../rules.include
+
+CFLAGS += -DCONFIG_PASN
+CFLAGS += -DCONFIG_SAE
+CFLAGS += -DCONFIG_SHA256
+CFLAGS += -DCONFIG_SHA384
+CFLAGS += -DCONFIG_ECC
+CFLAGS += -DCONFIG_FILS
+CFLAGS += -DCONFIG_IEEE80211R
+CFLAGS += -DCONFIG_PTKSA_CACHE
+
+OBJS += $(SRC)/utils/common.o
+OBJS += $(SRC)/utils/os_unix.o
+OBJS += $(SRC)/utils/wpa_debug.o
+OBJS += $(SRC)/utils/wpabuf.o
+OBJS += $(SRC)/common/sae.o
+OBJS += $(SRC)/common/dragonfly.o
+OBJS += $(SRC)/common/wpa_common.o
+OBJS += $(SRC)/common/ieee802_11_common.o
+OBJS += $(SRC)/crypto/crypto_openssl.o
+OBJS += $(SRC)/crypto/dh_groups.o
+OBJS += $(SRC)/crypto/sha1-prf.o
+OBJS += $(SRC)/crypto/sha256-prf.o
+OBJS += $(SRC)/crypto/sha384-prf.o
+OBJS += $(SRC)/crypto/sha256-kdf.o
+OBJS += $(SRC)/crypto/sha384-kdf.o
+OBJS += $(SRC)/rsn_supp/wpa_ie.o
+OBJS += $(SRC)/pasn/pasn_initiator.o
+
+OBJS += pasn-init.o
+
+_OBJS_VAR := OBJS
+include ../../../src/objs.mk
+
+pasn-init: $(OBJS)
+       $(LDO) $(LDFLAGS) -o $@ $^ -lcrypto
+
+clean: common-clean
+       rm -f pasn-init *~ *.o *.d ../*~ ../*.o ../*.d

diff --git a/tests/fuzzing/pasn-init/corpus/pasn-auth-2 b/tests/fuzzing/pasn-init/corpus/pasn-auth-2
new file mode 100644 (file)
index 0000000..4ff5aac
Binary files /dev/null and b/tests/fuzzing/pasn-init/corpus/pasn-auth-2 differ

diff --git a/tests/fuzzing/pasn-init/pasn-init.c b/tests/fuzzing/pasn-init/pasn-init.c
new file mode 100644 (file)
index 0000000..680693e
--- /dev/null
+++ b/tests/fuzzing/pasn-init/pasn-init.c
@@ -0,0 +1,57 @@
+/*
+ * PASN initiator fuzzer
+ * Copyright (c) 2022, Jouni Malinen <j@w1.fi>
+ *
+ * This software may be distributed under the terms of the BSD license.
+ * See README for more details.
+ */
+
+#include "utils/includes.h"
+
+#include "utils/common.h"
+#include "common/defs.h"
+#include "common/wpa_common.h"
+#include "common/sae.h"
+#include "common/ieee802_11_defs.h"
+#include "crypto/sha384.h"
+#include "pasn/pasn_common.h"
+#include "../fuzzer-common.h"
+
+
+static int pasn_send_mgmt(void *ctx, const u8 *data, size_t data_len,
+                         int noack, unsigned int freq, unsigned int wait)
+{
+       return 0;
+}
+
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+       struct pasn_data pasn;
+       struct wpa_pasn_params_data pasn_data;
+       u8 own_addr[ETH_ALEN], bssid[ETH_ALEN];
+
+       wpa_fuzzer_set_debug_level();
+
+       if (os_program_init())
+               return 0;
+
+       os_memset(&pasn, 0, sizeof(pasn));
+       pasn.send_mgmt = pasn_send_mgmt;
+       hwaddr_aton("02:00:00:00:00:00", own_addr);
+       hwaddr_aton("02:00:00:00:03:00", bssid);
+       if (wpas_pasn_start(&pasn, own_addr, bssid, WPA_KEY_MGMT_PASN,
+                           WPA_CIPHER_CCMP, 19, 2412, NULL, 0, NULL, 0,
+                           NULL) < 0) {
+               wpa_printf(MSG_ERROR, "wpas_pasn_start failed");
+               goto fail;
+       }
+
+       wpa_pasn_auth_rx(&pasn, data, size, &pasn_data);
+
+fail:
+       wpa_pasn_reset(&pasn);
+       os_program_deinit();
+
+       return 0;
+}

diff --git a/tests/fuzzing/pasn-resp/Makefile b/tests/fuzzing/pasn-resp/Makefile
new file mode 100644 (file)
index 0000000..85a5279
--- /dev/null
+++ b/tests/fuzzing/pasn-resp/Makefile
@@ -0,0 +1,40 @@
+ALL=pasn-resp
+include ../rules.include
+
+CFLAGS += -DCONFIG_PASN
+CFLAGS += -DCONFIG_SAE
+CFLAGS += -DCONFIG_SHA256
+CFLAGS += -DCONFIG_SHA384
+CFLAGS += -DCONFIG_ECC
+CFLAGS += -DCONFIG_FILS
+CFLAGS += -DCONFIG_IEEE80211R
+
+OBJS += $(SRC)/utils/common.o
+OBJS += $(SRC)/utils/os_unix.o
+OBJS += $(SRC)/utils/wpa_debug.o
+OBJS += $(SRC)/utils/wpabuf.o
+OBJS += $(SRC)/utils/eloop.o
+OBJS += $(SRC)/common/sae.o
+OBJS += $(SRC)/common/dragonfly.o
+OBJS += $(SRC)/common/wpa_common.o
+OBJS += $(SRC)/common/ieee802_11_common.o
+OBJS += $(SRC)/crypto/crypto_openssl.o
+OBJS += $(SRC)/crypto/dh_groups.o
+OBJS += $(SRC)/crypto/sha1-prf.o
+OBJS += $(SRC)/crypto/sha256-prf.o
+OBJS += $(SRC)/crypto/sha384-prf.o
+OBJS += $(SRC)/crypto/sha256-kdf.o
+OBJS += $(SRC)/crypto/sha384-kdf.o
+OBJS += $(SRC)/ap/comeback_token.o
+OBJS += $(SRC)/pasn/pasn_responder.o
+
+OBJS += pasn-resp.o
+
+_OBJS_VAR := OBJS
+include ../../../src/objs.mk
+
+pasn-resp: $(OBJS)
+       $(LDO) $(LDFLAGS) -o $@ $^ -lcrypto
+
+clean: common-clean
+       rm -f pasn-resp *~ *.o *.d ../*~ ../*.o ../*.d

diff --git a/tests/fuzzing/pasn-resp/corpus/pasn-auth-1 b/tests/fuzzing/pasn-resp/corpus/pasn-auth-1
new file mode 100644 (file)
index 0000000..2d5f1d6
Binary files /dev/null and b/tests/fuzzing/pasn-resp/corpus/pasn-auth-1 differ

diff --git a/tests/fuzzing/pasn-resp/corpus/pasn-auth-3 b/tests/fuzzing/pasn-resp/corpus/pasn-auth-3
new file mode 100644 (file)
index 0000000..8addacd
Binary files /dev/null and b/tests/fuzzing/pasn-resp/corpus/pasn-auth-3 differ

diff --git a/tests/fuzzing/pasn-resp/pasn-resp.c b/tests/fuzzing/pasn-resp/pasn-resp.c
new file mode 100644 (file)
index 0000000..d907020
--- /dev/null
+++ b/tests/fuzzing/pasn-resp/pasn-resp.c
@@ -0,0 +1,94 @@
+/*
+ * PASN responder fuzzer
+ * Copyright (c) 2022, Jouni Malinen <j@w1.fi>
+ *
+ * This software may be distributed under the terms of the BSD license.
+ * See README for more details.
+ */
+
+#include "utils/includes.h"
+
+#include "utils/common.h"
+#include "utils/eloop.h"
+#include "common/defs.h"
+#include "common/wpa_common.h"
+#include "common/sae.h"
+#include "common/ieee802_11_defs.h"
+#include "crypto/sha384.h"
+#include "crypto/crypto.h"
+#include "pasn/pasn_common.h"
+#include "../fuzzer-common.h"
+
+
+struct eapol_state_machine;
+
+struct rsn_pmksa_cache_entry *
+pmksa_cache_auth_add(struct rsn_pmksa_cache *pmksa,
+                    const u8 *pmk, size_t pmk_len, const u8 *pmkid,
+                    const u8 *kck, size_t kck_len,
+                    const u8 *aa, const u8 *spa, int session_timeout,
+                    struct eapol_state_machine *eapol, int akmp)
+{
+       return NULL;
+}
+
+
+struct rsn_pmksa_cache_entry *
+pmksa_cache_auth_get(struct rsn_pmksa_cache *pmksa,
+                    const u8 *spa, const u8 *pmkid)
+{
+       return NULL;
+}
+
+
+static int pasn_send_mgmt(void *ctx, const u8 *data, size_t data_len,
+                         int noack, unsigned int freq, unsigned int wait)
+{
+       return 0;
+}
+
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+       struct pasn_data pasn;
+       u8 own_addr[ETH_ALEN], bssid[ETH_ALEN];
+
+       wpa_fuzzer_set_debug_level();
+
+       if (os_program_init())
+               return 0;
+
+       if (eloop_init()) {
+               wpa_printf(MSG_ERROR, "Failed to initialize event loop");
+               return 0;
+       }
+
+       os_memset(&pasn, 0, sizeof(pasn));
+       pasn.send_mgmt = pasn_send_mgmt;
+       hwaddr_aton("02:00:00:00:03:00", own_addr);
+       hwaddr_aton("02:00:00:00:00:00", bssid);
+       os_memcpy(pasn.own_addr, own_addr, ETH_ALEN);
+       os_memcpy(pasn.bssid, bssid, ETH_ALEN);
+       pasn.wpa_key_mgmt = WPA_KEY_MGMT_PASN;
+       pasn.rsn_pairwise = WPA_CIPHER_CCMP;
+
+       wpa_printf(MSG_DEBUG, "TESTING: Try to parse as PASN Auth 1");
+       if (handle_auth_pasn_1(&pasn, own_addr, bssid,
+                              (const struct ieee80211_mgmt *) data, size))
+               wpa_printf(MSG_ERROR, "handle_auth_pasn_1 failed");
+
+       wpa_printf(MSG_DEBUG, "TESTING: Try to parse as PASN Auth 3");
+       if (handle_auth_pasn_3(&pasn, own_addr, bssid,
+                              (const struct ieee80211_mgmt *) data, size))
+               wpa_printf(MSG_ERROR, "handle_auth_pasn_3 failed");
+
+       if (pasn.ecdh) {
+               crypto_ecdh_deinit(pasn.ecdh);
+               pasn.ecdh = NULL;
+       }
+
+       eloop_destroy();
+       os_program_deinit();
+
+       return 0;
+}