tests: Fuzz testing for PASN

Add test tools for fuzzing PASN initiator and responder handling of received PASN Authentication frames. Signed-off-by: Jouni Malinen <j@w1.fi>
2022-11-06 17:12:21 +02:00 · 2022-11-06 17:12:21 +02:00 · 66d7f554e2
commit 66d7f554e2
parent 2e840fb2ab
7 changed files with 231 additions and 0 deletions
--- a/tests/fuzzing/pasn-init/Makefile
+++ b/tests/fuzzing/pasn-init/Makefile
@ -0,0 +1,40 @@
+ALL=pasn-init
+include ../rules.include
+
+CFLAGS += -DCONFIG_PASN
+CFLAGS += -DCONFIG_SAE
+CFLAGS += -DCONFIG_SHA256
+CFLAGS += -DCONFIG_SHA384
+CFLAGS += -DCONFIG_ECC
+CFLAGS += -DCONFIG_FILS
+CFLAGS += -DCONFIG_IEEE80211R
+CFLAGS += -DCONFIG_PTKSA_CACHE
+
+OBJS += $(SRC)/utils/common.o
+OBJS += $(SRC)/utils/os_unix.o
+OBJS += $(SRC)/utils/wpa_debug.o
+OBJS += $(SRC)/utils/wpabuf.o
+OBJS += $(SRC)/common/sae.o
+OBJS += $(SRC)/common/dragonfly.o
+OBJS += $(SRC)/common/wpa_common.o
+OBJS += $(SRC)/common/ieee802_11_common.o
+OBJS += $(SRC)/crypto/crypto_openssl.o
+OBJS += $(SRC)/crypto/dh_groups.o
+OBJS += $(SRC)/crypto/sha1-prf.o
+OBJS += $(SRC)/crypto/sha256-prf.o
+OBJS += $(SRC)/crypto/sha384-prf.o
+OBJS += $(SRC)/crypto/sha256-kdf.o
+OBJS += $(SRC)/crypto/sha384-kdf.o
+OBJS += $(SRC)/rsn_supp/wpa_ie.o
+OBJS += $(SRC)/pasn/pasn_initiator.o
+
+OBJS += pasn-init.o
+
+_OBJS_VAR := OBJS
+include ../../../src/objs.mk
+
+pasn-init: $(OBJS)
+	$(LDO) $(LDFLAGS) -o $@ $^ -lcrypto
+
+clean: common-clean
+	rm -f pasn-init *~ *.o *.d ../*~ ../*.o ../*.d
--- a/tests/fuzzing/pasn-init/corpus/pasn-auth-2
+++ b/tests/fuzzing/pasn-init/corpus/pasn-auth-2
--- a/tests/fuzzing/pasn-init/pasn-init.c
+++ b/tests/fuzzing/pasn-init/pasn-init.c
@ -0,0 +1,57 @@
+/*
+ * PASN initiator fuzzer
+ * Copyright (c) 2022, Jouni Malinen <j@w1.fi>
+ *
+ * This software may be distributed under the terms of the BSD license.
+ * See README for more details.
+ */
+
+#include "utils/includes.h"
+
+#include "utils/common.h"
+#include "common/defs.h"
+#include "common/wpa_common.h"
+#include "common/sae.h"
+#include "common/ieee802_11_defs.h"
+#include "crypto/sha384.h"
+#include "pasn/pasn_common.h"
+#include "../fuzzer-common.h"
+
+
+static int pasn_send_mgmt(void *ctx, const u8 *data, size_t data_len,
+			  int noack, unsigned int freq, unsigned int wait)
+{
+	return 0;
+}
+
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+	struct pasn_data pasn;
+	struct wpa_pasn_params_data pasn_data;
+	u8 own_addr[ETH_ALEN], bssid[ETH_ALEN];
+
+	wpa_fuzzer_set_debug_level();
+
+	if (os_program_init())
+		return 0;
+
+	os_memset(&pasn, 0, sizeof(pasn));
+	pasn.send_mgmt = pasn_send_mgmt;
+	hwaddr_aton("02:00:00:00:00:00", own_addr);
+	hwaddr_aton("02:00:00:00:03:00", bssid);
+	if (wpas_pasn_start(&pasn, own_addr, bssid, WPA_KEY_MGMT_PASN,
+			    WPA_CIPHER_CCMP, 19, 2412, NULL, 0, NULL, 0,
+			    NULL) < 0) {
+		wpa_printf(MSG_ERROR, "wpas_pasn_start failed");
+		goto fail;
+	}
+
+	wpa_pasn_auth_rx(&pasn, data, size, &pasn_data);
+
+fail:
+	wpa_pasn_reset(&pasn);
+	os_program_deinit();
+
+	return 0;
+}
--- a/tests/fuzzing/pasn-resp/Makefile
+++ b/tests/fuzzing/pasn-resp/Makefile
@ -0,0 +1,40 @@
+ALL=pasn-resp
+include ../rules.include
+
+CFLAGS += -DCONFIG_PASN
+CFLAGS += -DCONFIG_SAE
+CFLAGS += -DCONFIG_SHA256
+CFLAGS += -DCONFIG_SHA384
+CFLAGS += -DCONFIG_ECC
+CFLAGS += -DCONFIG_FILS
+CFLAGS += -DCONFIG_IEEE80211R
+
+OBJS += $(SRC)/utils/common.o
+OBJS += $(SRC)/utils/os_unix.o
+OBJS += $(SRC)/utils/wpa_debug.o
+OBJS += $(SRC)/utils/wpabuf.o
+OBJS += $(SRC)/utils/eloop.o
+OBJS += $(SRC)/common/sae.o
+OBJS += $(SRC)/common/dragonfly.o
+OBJS += $(SRC)/common/wpa_common.o
+OBJS += $(SRC)/common/ieee802_11_common.o
+OBJS += $(SRC)/crypto/crypto_openssl.o
+OBJS += $(SRC)/crypto/dh_groups.o
+OBJS += $(SRC)/crypto/sha1-prf.o
+OBJS += $(SRC)/crypto/sha256-prf.o
+OBJS += $(SRC)/crypto/sha384-prf.o
+OBJS += $(SRC)/crypto/sha256-kdf.o
+OBJS += $(SRC)/crypto/sha384-kdf.o
+OBJS += $(SRC)/ap/comeback_token.o
+OBJS += $(SRC)/pasn/pasn_responder.o
+
+OBJS += pasn-resp.o
+
+_OBJS_VAR := OBJS
+include ../../../src/objs.mk
+
+pasn-resp: $(OBJS)
+	$(LDO) $(LDFLAGS) -o $@ $^ -lcrypto
+
+clean: common-clean
+	rm -f pasn-resp *~ *.o *.d ../*~ ../*.o ../*.d
--- a/tests/fuzzing/pasn-resp/corpus/pasn-auth-1
+++ b/tests/fuzzing/pasn-resp/corpus/pasn-auth-1
--- a/tests/fuzzing/pasn-resp/corpus/pasn-auth-3
+++ b/tests/fuzzing/pasn-resp/corpus/pasn-auth-3
--- a/tests/fuzzing/pasn-resp/pasn-resp.c
+++ b/tests/fuzzing/pasn-resp/pasn-resp.c
@ -0,0 +1,94 @@
+/*
+ * PASN responder fuzzer
+ * Copyright (c) 2022, Jouni Malinen <j@w1.fi>
+ *
+ * This software may be distributed under the terms of the BSD license.
+ * See README for more details.
+ */
+
+#include "utils/includes.h"
+
+#include "utils/common.h"
+#include "utils/eloop.h"
+#include "common/defs.h"
+#include "common/wpa_common.h"
+#include "common/sae.h"
+#include "common/ieee802_11_defs.h"
+#include "crypto/sha384.h"
+#include "crypto/crypto.h"
+#include "pasn/pasn_common.h"
+#include "../fuzzer-common.h"
+
+
+struct eapol_state_machine;
+
+struct rsn_pmksa_cache_entry *
+pmksa_cache_auth_add(struct rsn_pmksa_cache *pmksa,
+		     const u8 *pmk, size_t pmk_len, const u8 *pmkid,
+		     const u8 *kck, size_t kck_len,
+		     const u8 *aa, const u8 *spa, int session_timeout,
+		     struct eapol_state_machine *eapol, int akmp)
+{
+	return NULL;
+}
+
+
+struct rsn_pmksa_cache_entry *
+pmksa_cache_auth_get(struct rsn_pmksa_cache *pmksa,
+		     const u8 *spa, const u8 *pmkid)
+{
+	return NULL;
+}
+
+
+static int pasn_send_mgmt(void *ctx, const u8 *data, size_t data_len,
+			  int noack, unsigned int freq, unsigned int wait)
+{
+	return 0;
+}
+
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+	struct pasn_data pasn;
+	u8 own_addr[ETH_ALEN], bssid[ETH_ALEN];
+
+	wpa_fuzzer_set_debug_level();
+
+	if (os_program_init())
+		return 0;
+
+	if (eloop_init()) {
+		wpa_printf(MSG_ERROR, "Failed to initialize event loop");
+		return 0;
+	}
+
+	os_memset(&pasn, 0, sizeof(pasn));
+	pasn.send_mgmt = pasn_send_mgmt;
+	hwaddr_aton("02:00:00:00:03:00", own_addr);
+	hwaddr_aton("02:00:00:00:00:00", bssid);
+	os_memcpy(pasn.own_addr, own_addr, ETH_ALEN);
+	os_memcpy(pasn.bssid, bssid, ETH_ALEN);
+	pasn.wpa_key_mgmt = WPA_KEY_MGMT_PASN;
+	pasn.rsn_pairwise = WPA_CIPHER_CCMP;
+
+	wpa_printf(MSG_DEBUG, "TESTING: Try to parse as PASN Auth 1");
+	if (handle_auth_pasn_1(&pasn, own_addr, bssid,
+			       (const struct ieee80211_mgmt *) data, size))
+		wpa_printf(MSG_ERROR, "handle_auth_pasn_1 failed");
+
+	wpa_printf(MSG_DEBUG, "TESTING: Try to parse as PASN Auth 3");
+	if (handle_auth_pasn_3(&pasn, own_addr, bssid,
+			       (const struct ieee80211_mgmt *) data, size))
+		wpa_printf(MSG_ERROR, "handle_auth_pasn_3 failed");
+
+	if (pasn.ecdh) {
+		crypto_ecdh_deinit(pasn.ecdh);
+		pasn.ecdh = NULL;
+	}
+
+	eloop_destroy();
+	os_program_deinit();
+
+	return 0;
+}