From d7b8fc93a757d770bede539c8704b910ca95e96c Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 2 Mar 2025 18:49:44 +0200
Subject: [PATCH] tests: Fuzzing tester for RADIUS message parsing
Signed-off-by: Jouni Malinen
---
 tests/fuzzing/radius/.gitignore | 1 +
 tests/fuzzing/radius/Makefile | 29 +++++++++
 .../radius/corpus/access-accept-eap.bin | Bin 0 -> 195 bytes
 .../radius/corpus/access-accept-tunnel-pw.bin | Bin 0 -> 59 bytes
 .../radius/corpus/access-challenge-eap.bin | Bin 0 -> 1459 bytes
 tests/fuzzing/radius/radius.c | 60 ++++++++++++++++++
 6 files changed, 90 insertions(+)
 create mode 100644 tests/fuzzing/radius/.gitignore
 create mode 100644 tests/fuzzing/radius/Makefile
 create mode 100644 tests/fuzzing/radius/corpus/access-accept-eap.bin
 create mode 100644 tests/fuzzing/radius/corpus/access-accept-tunnel-pw.bin
 create mode 100644 tests/fuzzing/radius/corpus/access-challenge-eap.bin
 create mode 100644 tests/fuzzing/radius/radius.c
diff --git a/tests/fuzzing/radius/.gitignore b/tests/fuzzing/radius/.gitignore
new file mode 100644
index 000000000..fa85644c1
--- /dev/null
+++ b/tests/fuzzing/radius/.gitignore
@@ -0,0 +1 @@
+radius
diff --git a/tests/fuzzing/radius/Makefile b/tests/fuzzing/radius/Makefile
new file mode 100644
index 000000000..76246ef0d
--- /dev/null
+++ b/tests/fuzzing/radius/Makefile
@@ -0,0 +1,29 @@
+ALL=radius
+include ../rules.include
+
+CFLAGS += -DCONFIG_IPV6
+
+LIBS += $(SRC)/common/libcommon.a
+LIBS += $(SRC)/crypto/libcrypto.a
+LIBS += $(SRC)/utils/libutils.a
+
+ELIBS += $(SRC)/crypto/libcrypto.a
+
+OBJS += $(SRC)/radius/radius.o
+
+OBJS += radius.o
+
+_OBJS_VAR := OBJS
+include ../../../src/objs.mk
+
+_OBJS_VAR := LIBS
+include ../../../src/objs.mk
+
+_OBJS_VAR := ELIBS
+include ../../../src/objs.mk
+
+radius: $(OBJS) $(LIBS)
+ $(LDO) $(LDFLAGS) -o $@ $^ $(LIBS) $(ELIBS)
+
+clean: common-clean
+ rm -f radius *~ *.o *.d ../*~ ../*.o ../*.d
diff --git a/tests/fuzzing/radius/corpus/access-accept-eap.bin b/tests/fuzzing/radius/corpus/access-accept-eap.bin new file mode 100644 index 0000000000000000000000000000000000000000..aa2bff6826e86b1d4f6ff813bfcddff409642727 GIT binary patch literal 195 zc-jHO06hN!0|3KmXsk8h9Z`o5u_Zp}Qh1?I5^gbtzi}~b1Ke!~XQ1y_i%$jvmjDDB zIsgCxHxM-0bX7E{ci=r*!~T@SOeSN>^lR~2{HZUNp^V+hpw7bNnxT7!W1;Qf#F~NJ zrx+`gt{OT300B1m3K8`?A6cn2>xeeU}Rw6W?*4vU}RztXJ7!Dz^=&6z%I+cF2%sS!JvtGjX@LBlm*O8j7&_N z3^y)6UUvHN*>(e7HcqWJkGAi;jEvl@3n*gOizHAUhA znJ8Ak4D|mGGg8z*7-A$(acWUnYLOmT*r16~3E8!btPIRejQk8haW1ANMn;Ced~s(b zb+R0rZ|d-wo#ounzv*PpiA&5Dc_Dk8-<|srx$&ia?v=R5M~fwGx%X&ZzmQkTVEX5K z>c(ySr`bHuuk^D$l;SO+!d0*%FXYYy`y7eC+d5X8-|6<=`tbkT-L9;QKdcJW{#eOY zuYWf7&$F)e(mSh9IhQiZ_UYaf6mI)%DC;FBOAJ;kNsUOxAXnQW=`JFUE&>n7xtd_|6goYqv8E+mB*DA zzg2I@u0NSkyvA+a>DQHJ;cE{UFp1`VSn6E7x`<_?SV9S(*TMcE4XLSht1qy8`z3fw z`r^zb{`1~4F#}V<;>OJejT^urEGx{yWWZn`3u5xIh_Q$is#VDsHBMI%Ty>!I*M38R zOwS9?4dg-6$}AEFVhtio{_eDtZrr@;b%*Sg#+6$I3(hQmXkg05q0Pp~%F52j$f9YW zZlDU|8!)y>W|Wi^Sn2B{$CQ-?5a=6-gUl6V0Va?p)QAMduB<8xj{z6VAZAAY|7a_DL4YG;p&KSeGu} zQ7$$xFf}kTv^23au>j^`V*>*dV*@Cc8de}Ow0{rwEWPK;JC~&TB>#ntZo7`GlKbm- z;q6EF)2h*FRc)3NPi;+HUZ-!9Tx+>QYToHwBcqA;JUv@(iSEo`cVCxmYJUlaJ=;^GIbTPx1Ix)!qJ{XTIQsd>f);Y&WVt+9RQt^3qXRo9sFo97B9 E0H^u?YXATM literal 0 Hc-jL100001 diff --git a/tests/fuzzing/radius/radius.c b/tests/fuzzing/radius/radius.c new file mode 100644 index 000000000..34ca472a9 --- /dev/null +++ b/tests/fuzzing/radius/radius.c 
@@ -0,0 +1,60 @@
+/*
+ * hostapd - RADIUS fuzzer
+ * Copyright (c) 2025, Jouni Malinen
+ *
+ * This software may be distributed under the terms of the BSD license.
+ * See README for more details.
+ */
+
+#include "utils/includes.h"
+
+#include "utils/common.h"
+#include "radius/radius.h"
+#include "../fuzzer-common.h"
+
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ struct radius_msg *msg, *sent_msg;
+ struct wpabuf *eap;
+ u8 buf[10];
+ int untagged;
+ const unsigned int num_tagged = 5;
+ int tagged[num_tagged];
+ char *pw;
+ int keylen;
+
+ wpa_fuzzer_set_debug_level();
+
+ if (os_program_init())
+ return 0;
+
+ sent_msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST, 123);
+ if (!sent_msg)
+ return -1;
+ radius_msg_finish(sent_msg, (const u8 *) "test", 4);
+
+ msg = radius_msg_parse(data, size);
+ if (msg) {
+ radius_msg_dump(msg);
+ radius_msg_get_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS,
+ buf, sizeof(buf));
+ radius_msg_get_vlanid(msg, &untagged, num_tagged, tagged);
+ eap = radius_msg_get_eap(msg);
+ wpa_hexdump_buf(MSG_INFO, "EAP", eap);
+ wpabuf_free(eap);
+ pw = radius_msg_get_tunnel_password(msg, &keylen,
+ (const u8 *) "test", 4,
+ sent_msg, 1);
+ if (pw)
+ wpa_printf(MSG_INFO, "PW: %s", pw);
+ os_free(pw);
+ radius_msg_free(msg);
+ }
+
+ radius_msg_free(sent_msg);
+
+ os_program_deinit();
+
+ return 0;
+}
-- 
2.47.2
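Review bot: The early exit `if (!sent_msg) return -1;` in LLVMFuzzerTestOneInput leaves the harness after `os_program_init()` has succeeded but without the matching `os_program_deinit()` that the normal path calls before `return 0;`, so this one path is not torn down like every other iteration. It also returns -1, which newer libFuzzer versions treat as a request to keep the input out of the corpus, although an allocation failure here says nothing about the input; `if (!sent_msg) { os_program_deinit(); return 0; }` keeps the two paths symmetric. Separately, `int tagged[num_tagged];` is a variable-length array, because a `const unsigned int` is not a constant expression in C; a `#define NUM_TAGGED 5` or an enum constant would make it a fixed-size array and keep the harness buildable where VLAs are disabled. The output `keylen` is never read, so logging the password with its length (a hexdump helper rather than `%s`) would presumably let a sanitizer check the whole returned buffer rather than only up to the first NUL.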