From 26b3f644285b3cdd0493677a6462ddda5742dede Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 18 Apr 2015 16:27:18 +0300
Subject: [PATCH] tests: Add ap-mgmt-fuzzer

This program can be used to run fuzzing tests for areas related to AP management frame parsing and processing.

Signed-off-by: Jouni Malinen
---
 src/ap/Makefile | 65 ++++++++++++++-
 src/ap/ieee802_11.h | 1 +
 src/eap_server/Makefile | 19 ++++-
 src/eapol_auth/Makefile | 14 +++-
 src/radius/Makefile | 1 +
 tests/ap-mgmt-fuzzer/Makefile | 81 ++++++++++++++++++
 tests/ap-mgmt-fuzzer/ap-mgmt-fuzzer.c | 116 ++++++++++++++++++++++++++
 tests/ap-mgmt-fuzzer/auth.dat | Bin 0 -> 30 bytes
 tests/ap-mgmt-fuzzer/probe-req.dat | Bin 0 -> 83 bytes
 9 files changed, 288 insertions(+), 9 deletions(-)
 create mode 100644 tests/ap-mgmt-fuzzer/Makefile
 create mode 100644 tests/ap-mgmt-fuzzer/ap-mgmt-fuzzer.c
 create mode 100644 tests/ap-mgmt-fuzzer/auth.dat
 create mode 100644 tests/ap-mgmt-fuzzer/probe-req.dat

diff --git a/src/ap/Makefile b/src/ap/Makefile
index adfd3dfd5..98788fef7 100644
--- a/src/ap/Makefile
+++ b/src/ap/Makefile
@@ -1,8 +1,67 @@ -all: - @echo Nothing to be made. +all: libap.a clean: - rm -f *~ *.o *.d *.gcno *.gcda *.gcov + rm -f *~ *.o *.d *.gcno *.gcda *.gcov libap.a install: @echo Nothing to be made. + +include ../lib.rules + +CFLAGS += -DHOSTAPD +CFLAGS += -DNEED_AP_MLME +CFLAGS += -DCONFIG_HS20 +CFLAGS += -DCONFIG_INTERWORKING +CFLAGS += -DCONFIG_IEEE80211R +CFLAGS += -DCONFIG_IEEE80211W +CFLAGS += -DCONFIG_WPS +CFLAGS += -DCONFIG_PROXYARP +CFLAGS += -DCONFIG_IAPP + +LIB_OBJS= \ + accounting.o \ + ap_config.o \ + ap_drv_ops.o \ + ap_list.o \ + ap_mlme.o \ + authsrv.o \ + beacon.o \ + bss_load.o \ + ctrl_iface_ap.o \ + dfs.o \ + dhcp_snoop.o \ + drv_callbacks.o \ + eap_user_db.o \ + gas_serv.o \ + hostapd.o \ + hs20.o \ + hw_features.o \ + iapp.o \ + ieee802_11_auth.o \ + ieee802_11.o \ + ieee802_11_ht.o \ + ieee802_11_shared.o \ + ieee802_11_vht.o \ + ieee802_1x.o \ + ndisc_snoop.o \ + p2p_hostapd.o \ + peerkey_auth.o \ + pmksa_cache_auth.o \ + preauth_auth.o \ + sta_info.o \ + tkip_countermeasures.o \ + utils.o \ + vlan_init.o \ + wmm.o \ + wnm_ap.o \ + wpa_auth.o \ + wpa_auth_ft.o \ + wpa_auth_glue.o \ + wpa_auth_ie.o \ + wps_hostapd.o \ + x_snoop.o + +libap.a: $(LIB_OBJS) + $(AR) crT $@ $? + +-include $(OBJS:%.o=%.d) diff --git a/src/ap/ieee802_11.h b/src/ap/ieee802_11.h index a8e9fa395..cc5e84279 100644 --- a/src/ap/ieee802_11.h +++ b/src/ap/ieee802_11.h @@ -14,6 +14,7 @@ struct hostapd_data; struct sta_info; struct hostapd_frame_info; struct ieee80211_ht_capabilities; +struct ieee80211_vht_capabilities; struct ieee80211_mgmt; int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len, diff --git a/src/eap_server/Makefile b/src/eap_server/Makefile index adfd3dfd5..1172b7246 100644 --- a/src/eap_server/Makefile +++ b/src/eap_server/Makefile 
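Review bot: The closing line of the hunk, `-include $(OBJS:%.o=%.d)`, refers to `OBJS`, but the objects this Makefile compiles are listed in `LIB_OBJS`, so unless ../lib.rules (not shown here) defines `OBJS` the `.d` files produced by -MMD are never read and a header change will not trigger a rebuild of libap.a; `-include $(LIB_OBJS:%.o=%.d)` would match the list actually compiled. The same line appears in the src/eap_server and src/eapol_auth Makefile hunks and in the new tests/ap-mgmt-fuzzer/Makefile, where `$(OBJS)` is likewise never assigned. The `T` in `$(AR) crT $@ $?` requests a GNU thin archive, which is fine for this in-tree test build but ties the rule to GNU binutils; a one-line comment saying so would spare the next person a portability hunt.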
@@ -1,8 +1,21 @@ -all: - @echo Nothing to be made. +all: libeap_server.a clean: - rm -f *~ *.o *.d *.gcno *.gcda *.gcov + rm -f *~ *.o *.d *.gcno *.gcda *.gcov libeap_server.a install: @echo Nothing to be made. + +include ../lib.rules + +CFLAGS += -DCONFIG_HS20 + +LIB_OBJS= \ + eap_server.o \ + eap_server_identity.o \ + eap_server_methods.o + +libeap_server.a: $(LIB_OBJS) + $(AR) crT $@ $? + +-include $(OBJS:%.o=%.d) diff --git a/src/eapol_auth/Makefile b/src/eapol_auth/Makefile index adfd3dfd5..7b927a127 100644 --- a/src/eapol_auth/Makefile +++ b/src/eapol_auth/Makefile @@ -1,8 +1,16 @@ -all: - @echo Nothing to be made. +all: libeapol_auth.a clean: - rm -f *~ *.o *.d *.gcno *.gcda *.gcov + rm -f *~ *.o *.d *.gcno *.gcda *.gcov libeapol_auth.a install: @echo Nothing to be made. + +include ../lib.rules + +LIB_OBJS = eapol_auth_sm.o eapol_auth_dump.o + +libeapol_auth.a: $(LIB_OBJS) + $(AR) crT $@ $? + +-include $(OBJS:%.o=%.d) diff --git a/src/radius/Makefile b/src/radius/Makefile index b5d063dac..3ad4751df 100644 --- a/src/radius/Makefile +++ b/src/radius/Makefile @@ -14,6 +14,7 @@ CFLAGS += -DCONFIG_IPV6 LIB_OBJS= \ radius.o \ radius_client.o \ + radius_das.o \ radius_server.o libradius.a: $(LIB_OBJS) diff --git a/tests/ap-mgmt-fuzzer/Makefile b/tests/ap-mgmt-fuzzer/Makefile new file mode 100644 index 000000000..141a6f621 --- /dev/null +++ b/tests/ap-mgmt-fuzzer/Makefile 
@@ -0,0 +1,81 @@
+all: ap-mgmt-fuzzer
+
+ifndef CC
+CC=gcc
+endif
+
+ifndef LDO
+LDO=$(CC)
+endif
+
+ifndef CFLAGS
+CFLAGS = -MMD -O2 -Wall -g
+endif
+
+SRC=../../src
+
+CFLAGS += -I$(SRC)
+CFLAGS += -I$(SRC)/utils
+CFLAGS += -DCONFIG_WNM
+CFLAGS += -DCONFIG_INTERWORKING
+CFLAGS += -DCONFIG_GAS
+CFLAGS += -DCONFIG_HS20
+CFLAGS += -DIEEE8021X_EAPOL
+CFLAGS += -DNEED_AP_MLME
+
+$(SRC)/utils/libutils.a:
+ $(MAKE) -C $(SRC)/utils
+
+$(SRC)/common/libcommon.a:
+ $(MAKE) -C $(SRC)/common
+
+$(SRC)/crypto/libcrypto.a:
+ $(MAKE) -C $(SRC)/crypto
+
+$(SRC)/tls/libtls.a:
+ $(MAKE) -C $(SRC)/tls
+
+$(SRC)/wps/libwps.a:
+ $(MAKE) -C $(SRC)/wps
+
+$(SRC)/eap_common/libeap_common.a:
+ $(MAKE) -C $(SRC)/eap_common
+
+$(SRC)/eap_server/libeap_server.a:
+ $(MAKE) -C $(SRC)/eap_server
+
+$(SRC)/l2_packet/libl2_packet.a:
+ $(MAKE) -C $(SRC)/l2_packet
+
+$(SRC)/eapol_auth/libeapol_auth.a:
+ $(MAKE) -C $(SRC)/eapol_auth
+
+$(SRC)/ap/libap.a:
+ $(MAKE) -C $(SRC)/ap
+
+$(SRC)/radius/libradius.a:
+ $(MAKE) -C $(SRC)/radius
+
+LIBS += $(SRC)/common/libcommon.a
+LIBS += $(SRC)/crypto/libcrypto.a
+LIBS += $(SRC)/tls/libtls.a
+LIBS += $(SRC)/wps/libwps.a
+LIBS += $(SRC)/eap_server/libeap_server.a
+LIBS += $(SRC)/eap_common/libeap_common.a
+LIBS += $(SRC)/l2_packet/libl2_packet.a
+LIBS += $(SRC)/ap/libap.a
+LIBS += $(SRC)/eapol_auth/libeapol_auth.a
+LIBS += $(SRC)/radius/libradius.a
+LIBS += $(SRC)/utils/libutils.a
+
+ELIBS += $(SRC)/crypto/libcrypto.a
+ELIBS += $(SRC)/tls/libtls.a
+
+ap-mgmt-fuzzer: ap-mgmt-fuzzer.o $(OBJS) $(LIBS)
+ $(LDO) $(LDFLAGS) -o $@ $^ $(LIBS) $(ELIBS)
+
+clean:
+ $(MAKE) -C $(SRC) clean
+ rm -f ap-mgmt-fuzzer *~ *.o *.d
+
+-include $(OBJS:%.o=%.d)
diff --git a/tests/ap-mgmt-fuzzer/ap-mgmt-fuzzer.c b/tests/ap-mgmt-fuzzer/ap-mgmt-fuzzer.c
new file mode 100644
index 000000000..7d65af7a0
--- /dev/null
+++ b/tests/ap-mgmt-fuzzer/ap-mgmt-fuzzer.c
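Review bot: The eleven `$(SRC)/.../lib*.a` rules have no prerequisites, so once an archive exists make treats it as up to date and a later edit under src/ (for example to the ieee802_11.c code this harness is meant to exercise) will not rebuild libap.a or relink the fuzzer until the archive is deleted by hand. Adding an empty `FORCE:` target and writing the rules as `$(SRC)/ap/libap.a: FORCE` (and likewise for the others) delegates the up-to-date check to the sub-make, which does track its own objects. The default `CFLAGS = -MMD -O2 -Wall -g` carries no instrumentation, so the harness only reports memory-safety findings when the caller overrides CFLAGS; a comment above the `ifndef CFLAGS` block stating that sanitizer or coverage flags are expected to be supplied from the environment would make that explicit.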
@@ -0,0 +1,116 @@
+/*
+ * hostapd - Management frame fuzzer
+ * Copyright (c) 2015, Jouni Malinen
+ *
+ * This software may be distributed under the terms of the BSD license.
+ * See README for more details.
+ */
+
+#include "utils/includes.h"
+
+#include "utils/common.h"
+#include "utils/eloop.h"
+#include "ap/hostapd.h"
+#include "ap/ieee802_11.h"
+
+
+struct wpa_driver_ops *wpa_drivers[] =
+{
+ NULL
+};
+
+
+struct arg_ctx {
+ const char *fname;
+ struct hostapd_iface iface;
+ struct hostapd_data hapd;
+ struct wpa_driver_ops driver;
+ struct hostapd_config iconf;
+ struct hostapd_bss_config conf;
+};
+
+
+static void test_send_mgmt(void *eloop_data, void *user_ctx)
+{
+ struct arg_ctx *ctx = eloop_data;
+ char *data;
+ size_t len;
+ struct hostapd_frame_info fi;
+
+ wpa_printf(MSG_INFO, "ap-mgmt-fuzzer: Send '%s'", ctx->fname);
+
+ data = os_readfile(ctx->fname, &len);
+ if (!data) {
+ wpa_printf(MSG_ERROR, "Could not read '%s'", ctx->fname);
+ goto out;
+ }
+
+ wpa_hexdump(MSG_MSGDUMP, "fuzzer - WNM", data, len);
+
+ os_memset(&fi, 0, sizeof(fi));
+ ieee802_11_mgmt(&ctx->hapd, (u8 *) data, len, &fi);
+
+out:
+ os_free(data);
+ eloop_terminate();
+}
+
+
+static int init_hapd(struct arg_ctx *ctx)
+{
+ struct hostapd_data *hapd = &ctx->hapd;
+
+ hapd->driver = &ctx->driver;
+ os_memcpy(hapd->own_addr, "\x02\x00\x00\x00\x03\x00", ETH_ALEN);
+ hapd->iface = &ctx->iface;
+ hapd->iface->conf = hostapd_config_defaults();;
+ if (!hapd->iface->conf)
+ return -1;
+ hapd->iconf = hapd->iface->conf;
+ hapd->conf = hapd->iconf->bss[0];
+ hostapd_config_defaults_bss(hapd->conf);
+
+ return 0;
+}
+
+
+int main(int argc, char *argv[])
+{
+ struct arg_ctx ctx;
+ int ret = -1;
+
+ if (argc < 2) {
+ printf("usage: %s \n", argv[0]);
+ return -1;
+ }
+
+ if (os_program_init())
+ return -1;
+
+ wpa_debug_level = 0;
+ wpa_debug_show_keys = 1;
+
+ if (eloop_init()) {
+ wpa_printf(MSG_ERROR, "Failed to initialize event loop");
+ return -1;
+ }
+
+ os_memset(&ctx, 0, sizeof(ctx));
+ 
ctx.fname = argv[1];
+ if (init_hapd(&ctx))
+ goto fail;
+
+ eloop_register_timeout(0, 0, test_send_mgmt, &ctx, NULL);
+
+ wpa_printf(MSG_DEBUG, "Starting eloop");
+ eloop_run();
+ wpa_printf(MSG_DEBUG, "eloop done");
+
+ ret = 0;
+fail:
+ hostapd_config_free(ctx.hapd.iconf);
+ eloop_destroy();
+ os_program_deinit();
+
+ return ret;
+}
diff --git a/tests/ap-mgmt-fuzzer/auth.dat b/tests/ap-mgmt-fuzzer/auth.dat
new file mode 100644
index 0000000000000000000000000000000000000000..0eb36e5aab3db9f6b754475269029b0b2299a9da
GIT binary patch literal 30 ccmdnMV8zJ9z`(%F03sQ{Br}5mki`hZ033}02><{9 literal 0 HcmV?d00001
diff --git a/tests/ap-mgmt-fuzzer/probe-req.dat b/tests/ap-mgmt-fuzzer/probe-req.dat
new file mode 100644
index 0000000000000000000000000000000000000000..a5fba77adc59cd10b1022d9a72d6ef97c83b8392
GIT binary patch literal 83 zcmZ=@U|{$U224N}j16Kjaxk%Qi}46as2H&rcqHU7GcxK*6$wcH{|}Od07e*tfuWv* Lg@KC+DBu79BqI^~ literal 0 HcmV?d00001
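Review bot: In main, the `eloop_init()` failure branch returns -1 after `os_program_init()` has already succeeded, so that one path skips `os_program_deinit()` while every later failure is routed through `fail:`; `os_program_deinit(); return -1;` in that branch keeps setup and teardown symmetric (jumping to `fail:` instead would call `eloop_destroy()` on an eloop that never initialised). The hexdump label in test_send_mgmt, `"fuzzer - WNM"`, looks carried over from another harness; `"fuzzer - mgmt"` would describe what this program hands to ieee802_11_mgmt. `hostapd_config_defaults();;` in init_hapd has a stray semicolon. init_hapd populates only driver, own_addr, iface, iconf and conf and leaves the rest of the zeroed hapd/iface untouched, so a crash in a code path that dereferences any other member (a driver callback, current_mode, and so on) is a gap in the harness rather than a bug in frame parsing; a short comment above init_hapd stating which fields are valid would help triage findings from this fuzzer.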