tests: Fuzzing tester for RADIUS message parsing

author Jouni Malinen <j@w1.fi>

Sun, 2 Mar 2025 16:49:44 +0000 (18:49 +0200)

committer Jouni Malinen <j@w1.fi>

Sun, 2 Mar 2025 17:30:15 +0000 (19:30 +0200)
author Jouni Malinen <j@w1.fi>
Sun, 2 Mar 2025 16:49:44 +0000 (18:49 +0200)
committer Jouni Malinen <j@w1.fi>
Sun, 2 Mar 2025 17:30:15 +0000 (19:30 +0200)
diff --git a/tests/fuzzing/radius/.gitignore b/tests/fuzzing/radius/.gitignore

new file mode 100644 (file)

index 0000000..fa85644
--- /dev/null
+++ b/tests/fuzzing/radius/.gitignore
@@ -0,0 +1 @@
+radius
diff --git a/tests/fuzzing/radius/Makefile b/tests/fuzzing/radius/Makefile

new file mode 100644 (file)

index 0000000..76246ef
--- /dev/null
+++ b/tests/fuzzing/radius/Makefile
@@ -0,0 +1,29 @@
+ALL=radius
+include ../rules.include
+
+CFLAGS += -DCONFIG_IPV6
+
+LIBS += $(SRC)/common/libcommon.a
+LIBS += $(SRC)/crypto/libcrypto.a
+LIBS += $(SRC)/utils/libutils.a
+
+ELIBS += $(SRC)/crypto/libcrypto.a
+
+OBJS += $(SRC)/radius/radius.o
+
+OBJS += radius.o
+
+_OBJS_VAR := OBJS
+include ../../../src/objs.mk
+
+_OBJS_VAR := LIBS
+include ../../../src/objs.mk
+
+_OBJS_VAR := ELIBS
+include ../../../src/objs.mk
+
+radius: $(OBJS) $(LIBS)
+       $(LDO) $(LDFLAGS) -o $@ $^ $(LIBS) $(ELIBS)
+
+clean: common-clean
+       rm -f radius *~ *.o *.d ../*~ ../*.o ../*.d
diff --git a/tests/fuzzing/radius/corpus/access-accept-eap.bin b/tests/fuzzing/radius/corpus/access-accept-eap.bin

new file mode 100644 (file)

index 0000000..aa2bff6

Binary files /dev/null and b/tests/fuzzing/radius/corpus/access-accept-eap.bin differ
diff --git a/tests/fuzzing/radius/corpus/access-accept-tunnel-pw.bin b/tests/fuzzing/radius/corpus/access-accept-tunnel-pw.bin

new file mode 100644 (file)

index 0000000..5909d96

Binary files /dev/null and b/tests/fuzzing/radius/corpus/access-accept-tunnel-pw.bin differ
diff --git a/tests/fuzzing/radius/corpus/access-challenge-eap.bin b/tests/fuzzing/radius/corpus/access-challenge-eap.bin

new file mode 100644 (file)

index 0000000..d25f309

Binary files /dev/null and b/tests/fuzzing/radius/corpus/access-challenge-eap.bin differ
diff --git a/tests/fuzzing/radius/radius.c b/tests/fuzzing/radius/radius.c

new file mode 100644 (file)

index 0000000..34ca472
--- /dev/null
+++ b/tests/fuzzing/radius/radius.c
@@ -0,0 +1,60 @@
+/*
+ * hostapd - RADIUS fuzzer
+ * Copyright (c) 2025, Jouni Malinen <j@w1.fi>
+ *
+ * This software may be distributed under the terms of the BSD license.
+ * See README for more details.
+ */
+
+#include "utils/includes.h"
+
+#include "utils/common.h"
+#include "radius/radius.h"
+#include "../fuzzer-common.h"
+
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+       struct radius_msg *msg, *sent_msg;
+       struct wpabuf *eap;
+       u8 buf[10];
+       int untagged;
+       const unsigned int num_tagged = 5;
+       int tagged[num_tagged];
+       char *pw;
+       int keylen;
+
+       wpa_fuzzer_set_debug_level();
+
+       if (os_program_init())
+               return 0;
+
+       sent_msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST, 123);
+       if (!sent_msg)
+               return -1;
+       radius_msg_finish(sent_msg, (const u8 *) "test", 4);
+
+       msg = radius_msg_parse(data, size);
+       if (msg) {
+               radius_msg_dump(msg);
+               radius_msg_get_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS,
+                                   buf, sizeof(buf));
+               radius_msg_get_vlanid(msg, &untagged, num_tagged, tagged);
+               eap = radius_msg_get_eap(msg);
+               wpa_hexdump_buf(MSG_INFO, "EAP", eap);
+               wpabuf_free(eap);
+               pw = radius_msg_get_tunnel_password(msg, &keylen,
+                                                   (const u8 *) "test", 4,
+                                                   sent_msg, 1);
+               if (pw)
+                       wpa_printf(MSG_INFO, "PW: %s", pw);
+               os_free(pw);
+               radius_msg_free(msg);
+       }
+
+       radius_msg_free(sent_msg);
+
+       os_program_deinit();
+
+       return 0;
+}
author	Jouni Malinen <j@w1.fi>
	Sun, 2 Mar 2025 16:49:44 +0000 (18:49 +0200)
committer	Jouni Malinen <j@w1.fi>
	Sun, 2 Mar 2025 17:30:15 +0000 (19:30 +0200)
tests/fuzzing/radius/.gitignore	[new file with mode: 0644]	patch \| blob
tests/fuzzing/radius/Makefile	[new file with mode: 0644]	patch \| blob
tests/fuzzing/radius/corpus/access-accept-eap.bin	[new file with mode: 0644]	patch \| blob
tests/fuzzing/radius/corpus/access-accept-tunnel-pw.bin	[new file with mode: 0644]	patch \| blob
tests/fuzzing/radius/corpus/access-challenge-eap.bin	[new file with mode: 0644]	patch \| blob
tests/fuzzing/radius/radius.c	[new file with mode: 0644]	patch \| blob