From 66d7f554e2b221d50dd291c0b247cf13b98ca49d Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 6 Nov 2022 17:12:21 +0200
Subject: [PATCH] tests: Fuzz testing for PASN Add test tools for fuzzing PASN initiator and responder handling of received PASN Authentication frames.
Signed-off-by: Jouni Malinen
---
tests/fuzzing/pasn-init/Makefile | 40 +++++++++
tests/fuzzing/pasn-init/corpus/pasn-auth-2 | Bin 0 -> 117 bytes
tests/fuzzing/pasn-init/pasn-init.c | 57 +++++++++++++
tests/fuzzing/pasn-resp/Makefile | 40 +++++++++
tests/fuzzing/pasn-resp/corpus/pasn-auth-1 | Bin 0 -> 102 bytes
tests/fuzzing/pasn-resp/corpus/pasn-auth-3 | Bin 0 -> 53 bytes
tests/fuzzing/pasn-resp/pasn-resp.c | 94 +++++++++++++++++++++
7 files changed, 231 insertions(+)
create mode 100644 tests/fuzzing/pasn-init/Makefile
create mode 100644 tests/fuzzing/pasn-init/corpus/pasn-auth-2
create mode 100644 tests/fuzzing/pasn-init/pasn-init.c
create mode 100644 tests/fuzzing/pasn-resp/Makefile
create mode 100644 tests/fuzzing/pasn-resp/corpus/pasn-auth-1
create mode 100644 tests/fuzzing/pasn-resp/corpus/pasn-auth-3
create mode 100644 tests/fuzzing/pasn-resp/pasn-resp.c
diff --git a/tests/fuzzing/pasn-init/Makefile b/tests/fuzzing/pasn-init/Makefile
new file mode 100644
index 000000000..b848f271e
--- /dev/null
+++ b/tests/fuzzing/pasn-init/Makefile
@@ -0,0 +1,40 @@
+ALL=pasn-init
+include ../rules.include
+
+CFLAGS += -DCONFIG_PASN
+CFLAGS += -DCONFIG_SAE
+CFLAGS += -DCONFIG_SHA256
+CFLAGS += -DCONFIG_SHA384
+CFLAGS += -DCONFIG_ECC
+CFLAGS += -DCONFIG_FILS
+CFLAGS += -DCONFIG_IEEE80211R
+CFLAGS += -DCONFIG_PTKSA_CACHE
+
+OBJS += $(SRC)/utils/common.o
+OBJS += $(SRC)/utils/os_unix.o
+OBJS += $(SRC)/utils/wpa_debug.o
+OBJS += $(SRC)/utils/wpabuf.o
+OBJS += $(SRC)/common/sae.o
+OBJS += $(SRC)/common/dragonfly.o
+OBJS += $(SRC)/common/wpa_common.o
+OBJS += $(SRC)/common/ieee802_11_common.o
+OBJS += $(SRC)/crypto/crypto_openssl.o
+OBJS += $(SRC)/crypto/dh_groups.o
+OBJS += $(SRC)/crypto/sha1-prf.o
+OBJS += $(SRC)/crypto/sha256-prf.o
+OBJS += $(SRC)/crypto/sha384-prf.o
+OBJS += $(SRC)/crypto/sha256-kdf.o
+OBJS += $(SRC)/crypto/sha384-kdf.o
+OBJS += $(SRC)/rsn_supp/wpa_ie.o
+OBJS += $(SRC)/pasn/pasn_initiator.o
+
+OBJS += pasn-init.o
+
+_OBJS_VAR := OBJS
+include ../../../src/objs.mk
+
+pasn-init: $(OBJS)
+ $(LDO) $(LDFLAGS) -o $@ $^ -lcrypto
+
+clean: common-clean
+ rm -f pasn-init *~ *.o *.d ../*~ ../*.o ../*.d
diff --git a/tests/fuzzing/pasn-init/corpus/pasn-auth-2 b/tests/fuzzing/pasn-init/corpus/pasn-auth-2
new file mode 100644
index 0000000000000000000000000000000000000000..4ff5aac84d7a32dfa381c85e0e58ee6f69543ed2
GIT binary patch literal 117 zcmdnMV8zJ900JPA8A>WJu!C6!Qj81?{A<|3Bny}nJpfV+6#K89!o(oVpvd&@U+ + *
+ * This software may be distributed under the terms of the BSD license.
+ * See README for more details.
+ */
+
+#include "utils/includes.h"
+
+#include "utils/common.h"
+#include "common/defs.h"
+#include "common/wpa_common.h"
+#include "common/sae.h"
+#include "common/ieee802_11_defs.h"
+#include "crypto/sha384.h"
+#include "pasn/pasn_common.h"
+#include "../fuzzer-common.h"
+
+
+static int pasn_send_mgmt(void *ctx, const u8 *data, size_t data_len,
+ int noack, unsigned int freq, unsigned int wait)
+{
+ return 0;
+}
+
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ struct pasn_data pasn;
+ struct wpa_pasn_params_data pasn_data;
+ u8 own_addr[ETH_ALEN], bssid[ETH_ALEN];
+
+ wpa_fuzzer_set_debug_level();
+
+ if (os_program_init())
+ return 0;
+
+ os_memset(&pasn, 0, sizeof(pasn));
+ pasn.send_mgmt = pasn_send_mgmt;
+ hwaddr_aton("02:00:00:00:00:00", own_addr);
+ hwaddr_aton("02:00:00:00:03:00", bssid);
+ if (wpas_pasn_start(&pasn, own_addr, bssid, WPA_KEY_MGMT_PASN,
+ WPA_CIPHER_CCMP, 19, 2412, NULL, 0, NULL, 0,
+ NULL) < 0) {
+ wpa_printf(MSG_ERROR, "wpas_pasn_start failed");
+ goto fail;
+ }
+
+ wpa_pasn_auth_rx(&pasn, data, size, &pasn_data);
+
+fail:
+ wpa_pasn_reset(&pasn);
+ os_program_deinit();
+
+ return 0;
+}
diff --git a/tests/fuzzing/pasn-resp/Makefile b/tests/fuzzing/pasn-resp/Makefile
new file mode 100644
index 000000000..85a5279d7
--- /dev/null
+++ b/tests/fuzzing/pasn-resp/Makefile
@@ -0,0 +1,40 @@
+ALL=pasn-resp
+include ../rules.include
+
+CFLAGS += -DCONFIG_PASN
+CFLAGS += -DCONFIG_SAE
+CFLAGS += -DCONFIG_SHA256
+CFLAGS += -DCONFIG_SHA384
+CFLAGS += -DCONFIG_ECC
+CFLAGS += -DCONFIG_FILS
+CFLAGS += -DCONFIG_IEEE80211R
+
+OBJS += $(SRC)/utils/common.o
+OBJS += $(SRC)/utils/os_unix.o
+OBJS += $(SRC)/utils/wpa_debug.o
+OBJS += $(SRC)/utils/wpabuf.o
+OBJS += $(SRC)/utils/eloop.o
+OBJS += $(SRC)/common/sae.o
+OBJS += $(SRC)/common/dragonfly.o
+OBJS += $(SRC)/common/wpa_common.o
+OBJS += $(SRC)/common/ieee802_11_common.o
+OBJS += $(SRC)/crypto/crypto_openssl.o
+OBJS += $(SRC)/crypto/dh_groups.o
+OBJS += $(SRC)/crypto/sha1-prf.o
+OBJS += $(SRC)/crypto/sha256-prf.o
+OBJS += $(SRC)/crypto/sha384-prf.o
+OBJS += $(SRC)/crypto/sha256-kdf.o
+OBJS += $(SRC)/crypto/sha384-kdf.o
+OBJS += $(SRC)/ap/comeback_token.o
+OBJS += $(SRC)/pasn/pasn_responder.o
+
+OBJS += pasn-resp.o
+
+_OBJS_VAR := OBJS
+include ../../../src/objs.mk
+
+pasn-resp: $(OBJS)
+ $(LDO) $(LDFLAGS) -o $@ $^ -lcrypto
+
+clean: common-clean
+ rm -f pasn-resp *~ *.o *.d ../*~ ../*.o ../*.d
diff --git a/tests/fuzzing/pasn-resp/corpus/pasn-auth-1 b/tests/fuzzing/pasn-resp/corpus/pasn-auth-1
new file mode 100644
index 0000000000000000000000000000000000000000..2d5f1d68e750f6879a74e02221238ce92ad67810
GIT binary patch literal 102 zcmdnMV8zJ9z`(%F03sQ{Br}5o13LpFkY^wTB>C5{gGm-JDS7~;3@G+rJ%x!um_d>0 p?-AR#pQK~E8Ka`S3F(r|LqH-0stO_8tni8 literal 0 HcmV?d00001
diff --git a/tests/fuzzing/pasn-resp/corpus/pasn-auth-3 b/tests/fuzzing/pasn-resp/corpus/pasn-auth-3
new file mode 100644
index 0000000000000000000000000000000000000000..8addacdca79c698885741e38e25f0faec439e83b
GIT binary patch literal 53 zcmdnMV8zJ9z`(%F03sQ{Br}5n13OTJf#E-M3IjurfW?YC>@Vlf3A?u;#Hlj5yaE8L ClM7$~ literal 0 HcmV?d00001
diff --git a/tests/fuzzing/pasn-resp/pasn-resp.c b/tests/fuzzing/pasn-resp/pasn-resp.c
new file mode 100644
index 000000000..d907020b3
--- /dev/null
+++ b/tests/fuzzing/pasn-resp/pasn-resp.c
@@ -0,0 +1,94 @@
+/*
+ * PASN responder fuzzer
+ * Copyright (c) 2022, Jouni Malinen
+ *
+ * This software may be distributed under the terms of the BSD license.
+ * See README for more details.
+ */
+
+#include "utils/includes.h"
+
+#include "utils/common.h"
+#include "utils/eloop.h"
+#include "common/defs.h"
+#include "common/wpa_common.h"
+#include "common/sae.h"
+#include "common/ieee802_11_defs.h"
+#include "crypto/sha384.h"
+#include "crypto/crypto.h"
+#include "pasn/pasn_common.h"
+#include "../fuzzer-common.h"
+
+
+struct eapol_state_machine;
+
+struct rsn_pmksa_cache_entry *
+pmksa_cache_auth_add(struct rsn_pmksa_cache *pmksa,
+ const u8 *pmk, size_t pmk_len, const u8 *pmkid,
+ const u8 *kck, size_t kck_len,
+ const u8 *aa, const u8 *spa, int session_timeout,
+ struct eapol_state_machine *eapol, int akmp)
+{
+ return NULL;
+}
+
+
+struct rsn_pmksa_cache_entry *
+pmksa_cache_auth_get(struct rsn_pmksa_cache *pmksa,
+ const u8 *spa, const u8 *pmkid)
+{
+ return NULL;
+}
+
+
+static int pasn_send_mgmt(void *ctx, const u8 *data, size_t data_len,
+ int noack, unsigned int freq, unsigned int wait)
+{
+ return 0;
+}
+
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ struct pasn_data pasn;
+ u8 own_addr[ETH_ALEN], bssid[ETH_ALEN];
+
+ wpa_fuzzer_set_debug_level();
+
+ if (os_program_init())
+ return 0;
+
+ if (eloop_init()) {
+ wpa_printf(MSG_ERROR, "Failed to initialize event loop");
+ return 0;
+ }
+
+ os_memset(&pasn, 0, sizeof(pasn));
+ pasn.send_mgmt = pasn_send_mgmt;
+ hwaddr_aton("02:00:00:00:03:00", own_addr);
+ hwaddr_aton("02:00:00:00:00:00", bssid);
+ os_memcpy(pasn.own_addr, own_addr, ETH_ALEN);
+ os_memcpy(pasn.bssid, bssid, ETH_ALEN);
+ pasn.wpa_key_mgmt = WPA_KEY_MGMT_PASN;
+ pasn.rsn_pairwise = WPA_CIPHER_CCMP;
+
+ wpa_printf(MSG_DEBUG, "TESTING: Try to parse as PASN Auth 1");
+ if (handle_auth_pasn_1(&pasn, own_addr, bssid,
+ (const struct ieee80211_mgmt *) data, size))
+ wpa_printf(MSG_ERROR, "handle_auth_pasn_1 failed");
+
wpa_printf(MSG_DEBUG, "TESTING: Try to parse as PASN Auth 3");
+ if (handle_auth_pasn_3(&pasn, own_addr, bssid,
+ (const struct ieee80211_mgmt *) data, size))
+ wpa_printf(MSG_ERROR, "handle_auth_pasn_3 failed");
+
+ if (pasn.ecdh) {
+ crypto_ecdh_deinit(pasn.ecdh);
+ pasn.ecdh = NULL;
+ }
+
+ eloop_destroy();
+ os_program_deinit();
+
+ return 0;
+}
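Review bot: In LLVMFuzzerTestOneInput() the raw fuzz buffer is cast to `const struct ieee80211_mgmt *` and passed with its unchecked `size` to both `handle_auth_pasn_1()` and `handle_auth_pasn_3()`, so inputs shorter than the management header plus the fixed Authentication fields reach the handlers directly. Whether the handlers validate `len` themselves is not visible in this patch. If the production caller guarantees that minimum, the harness should mirror it with a guard such as `if (size < IEEE80211_HDRLEN + sizeof(((const struct ieee80211_mgmt *) data)->u.auth))` that skips to the cleanup, so short-frame findings are not artefacts of the harness; if the handlers are meant to cope with any length, a comment above the calls should say so. Separately, the `eloop_init()` failure branch returns without `os_program_deinit()`, and the final cleanup releases only `pasn.ecdh`, so any other state the handlers may leave in `pasn` would presumably be reported as a leak by the fuzzer's leak checker.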