tests: New style fuzzing tool for DPP URI parsing

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/tests/fuzzing/dpp-uri/Makefile b/tests/fuzzing/dpp-uri/Makefile
new file mode 100644 (file)
index 0000000..27b2fdd
--- /dev/null
+++ b/tests/fuzzing/dpp-uri/Makefile
@@ -0,0 +1,33 @@
+all: dpp-uri
+include ../rules.include
+
+CFLAGS += -DCONFIG_DPP
+CFLAGS += -DCONFIG_DPP2
+CFLAGS += -DCONFIG_SHA256
+CFLAGS += -DCONFIG_SHA384
+CFLAGS += -DCONFIG_SHA512
+CFLAGS += -DCONFIG_ECC
+CFLAGS += -DCONFIG_OPENSSL_CMAC
+
+LIBS += $(SRC)/common/libcommon.a
+LIBS += $(SRC)/utils/libutils.a
+
+OBJS += $(SRC)/crypto/crypto_openssl.o
+LIBS += -lcrypto
+
+OBJS += $(SRC)/crypto/aes-ctr.o
+OBJS += $(SRC)/crypto/aes-siv.o
+OBJS += $(SRC)/crypto/sha256-kdf.o
+OBJS += $(SRC)/crypto/sha384-kdf.o
+OBJS += $(SRC)/crypto/sha512-kdf.o
+OBJS += $(SRC)/tls/asn1.o
+OBJS += $(SRC)/common/dpp.o
+
+dpp-uri: dpp-uri.o $(OBJS) $(LIBS)
+       $(LDO) $(LDFLAGS) -o $@ $^ $(LIBS)
+
+clean:
+       $(MAKE) -C $(SRC) clean
+       rm -f dpp-uri *~ *.o *.d ../*~ ../*.o ../*.d
+
+-include $(OBJS:%.o=%.d)

diff --git a/tests/fuzzing/dpp-uri/corpus/1.dat b/tests/fuzzing/dpp-uri/corpus/1.dat
new file mode 100644 (file)
index 0000000..b2387e0
--- /dev/null
+++ b/tests/fuzzing/dpp-uri/corpus/1.dat
@@ -0,0 +1 @@
+DPP:K:MDkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDIgADM2206avxHJaHXgLMkq/24e0rsrfMP9K1Tm8gx+ovP0I=;;
\ No newline at end of file

diff --git a/tests/fuzzing/dpp-uri/corpus/2.dat b/tests/fuzzing/dpp-uri/corpus/2.dat
new file mode 100644 (file)
index 0000000..ee2ff90
--- /dev/null
+++ b/tests/fuzzing/dpp-uri/corpus/2.dat
@@ -0,0 +1 @@
+DPP:C:81/1,115/36;K:MDkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDIgADM2206avxHJaHXgLMkq/24e0rsrfMP9K1Tm8gx+ovP0I=;;
\ No newline at end of file

diff --git a/tests/fuzzing/dpp-uri/corpus/3.dat b/tests/fuzzing/dpp-uri/corpus/3.dat
new file mode 100644 (file)
index 0000000..ce7ad16
--- /dev/null
+++ b/tests/fuzzing/dpp-uri/corpus/3.dat
@@ -0,0 +1 @@
+DPP:I:SN=4774LH2b4044;M:010203040506;C:81/1,115/36;K:MDkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDIgADM2206avxHJaHXgLMkq/24e0rsrfMP9K1Tm8gx+ovP0I=;;
\ No newline at end of file

diff --git a/tests/fuzzing/dpp-uri/dpp-uri.c b/tests/fuzzing/dpp-uri/dpp-uri.c
new file mode 100644 (file)
index 0000000..77db5b8
--- /dev/null
+++ b/tests/fuzzing/dpp-uri/dpp-uri.c
@@ -0,0 +1,51 @@
+/*
+ * DPP URI fuzzer
+ * Copyright (c) 2020, Jouni Malinen <j@w1.fi>
+ *
+ * This software may be distributed under the terms of the BSD license.
+ * See README for more details.
+ */
+
+#include "utils/includes.h"
+
+#include "utils/common.h"
+#include "common/dpp.h"
+#include "../fuzzer-common.h"
+
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+       struct dpp_global *dpp;
+       struct dpp_global_config config;
+       struct dpp_bootstrap_info *bi;
+       char *uri;
+       char buf[1000];
+       int ret = -1;
+
+       wpa_fuzzer_set_debug_level();
+
+       if (os_program_init())
+               return 0;
+
+       uri = os_malloc(size + 1);
+       if (!uri)
+               goto out;
+       os_memcpy(uri, data, size);
+       uri[size] = '\0';
+       os_memset(&config, 0, sizeof(config));
+       dpp = dpp_global_init(&config);
+       if (!dpp)
+               goto out;
+
+       bi = dpp_add_qr_code(dpp, uri);
+       if (bi && dpp_bootstrap_info(dpp, bi->id, buf, sizeof(buf)) > 0)
+               wpa_printf(MSG_DEBUG, "DPP: %s", buf);
+       dpp_global_deinit(dpp);
+
+       ret = 0;
+out:
+       os_free(uri);
+       os_program_deinit();
+
+       return ret;
+}