tests: Fuzz testing for PASN
Add test tools for fuzzing PASN initiator and responder handling of received PASN Authentication frames. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
2e840fb2ab
commit
66d7f554e2
7 changed files with 231 additions and 0 deletions
40
tests/fuzzing/pasn-init/Makefile
Normal file
40
tests/fuzzing/pasn-init/Makefile
Normal file
|
@ -0,0 +1,40 @@
|
||||||
|
ALL=pasn-init
|
||||||
|
include ../rules.include
|
||||||
|
|
||||||
|
CFLAGS += -DCONFIG_PASN
|
||||||
|
CFLAGS += -DCONFIG_SAE
|
||||||
|
CFLAGS += -DCONFIG_SHA256
|
||||||
|
CFLAGS += -DCONFIG_SHA384
|
||||||
|
CFLAGS += -DCONFIG_ECC
|
||||||
|
CFLAGS += -DCONFIG_FILS
|
||||||
|
CFLAGS += -DCONFIG_IEEE80211R
|
||||||
|
CFLAGS += -DCONFIG_PTKSA_CACHE
|
||||||
|
|
||||||
|
OBJS += $(SRC)/utils/common.o
|
||||||
|
OBJS += $(SRC)/utils/os_unix.o
|
||||||
|
OBJS += $(SRC)/utils/wpa_debug.o
|
||||||
|
OBJS += $(SRC)/utils/wpabuf.o
|
||||||
|
OBJS += $(SRC)/common/sae.o
|
||||||
|
OBJS += $(SRC)/common/dragonfly.o
|
||||||
|
OBJS += $(SRC)/common/wpa_common.o
|
||||||
|
OBJS += $(SRC)/common/ieee802_11_common.o
|
||||||
|
OBJS += $(SRC)/crypto/crypto_openssl.o
|
||||||
|
OBJS += $(SRC)/crypto/dh_groups.o
|
||||||
|
OBJS += $(SRC)/crypto/sha1-prf.o
|
||||||
|
OBJS += $(SRC)/crypto/sha256-prf.o
|
||||||
|
OBJS += $(SRC)/crypto/sha384-prf.o
|
||||||
|
OBJS += $(SRC)/crypto/sha256-kdf.o
|
||||||
|
OBJS += $(SRC)/crypto/sha384-kdf.o
|
||||||
|
OBJS += $(SRC)/rsn_supp/wpa_ie.o
|
||||||
|
OBJS += $(SRC)/pasn/pasn_initiator.o
|
||||||
|
|
||||||
|
OBJS += pasn-init.o
|
||||||
|
|
||||||
|
_OBJS_VAR := OBJS
|
||||||
|
include ../../../src/objs.mk
|
||||||
|
|
||||||
|
pasn-init: $(OBJS)
|
||||||
|
$(LDO) $(LDFLAGS) -o $@ $^ -lcrypto
|
||||||
|
|
||||||
|
clean: common-clean
|
||||||
|
rm -f pasn-init *~ *.o *.d ../*~ ../*.o ../*.d
|
BIN
tests/fuzzing/pasn-init/corpus/pasn-auth-2
Normal file
BIN
tests/fuzzing/pasn-init/corpus/pasn-auth-2
Normal file
Binary file not shown.
57
tests/fuzzing/pasn-init/pasn-init.c
Normal file
57
tests/fuzzing/pasn-init/pasn-init.c
Normal file
|
@ -0,0 +1,57 @@
|
||||||
|
/*
|
||||||
|
* PASN initiator fuzzer
|
||||||
|
* Copyright (c) 2022, Jouni Malinen <j@w1.fi>
|
||||||
|
*
|
||||||
|
* This software may be distributed under the terms of the BSD license.
|
||||||
|
* See README for more details.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include "utils/includes.h"
|
||||||
|
|
||||||
|
#include "utils/common.h"
|
||||||
|
#include "common/defs.h"
|
||||||
|
#include "common/wpa_common.h"
|
||||||
|
#include "common/sae.h"
|
||||||
|
#include "common/ieee802_11_defs.h"
|
||||||
|
#include "crypto/sha384.h"
|
||||||
|
#include "pasn/pasn_common.h"
|
||||||
|
#include "../fuzzer-common.h"
|
||||||
|
|
||||||
|
|
||||||
|
static int pasn_send_mgmt(void *ctx, const u8 *data, size_t data_len,
|
||||||
|
int noack, unsigned int freq, unsigned int wait)
|
||||||
|
{
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
|
||||||
|
{
|
||||||
|
struct pasn_data pasn;
|
||||||
|
struct wpa_pasn_params_data pasn_data;
|
||||||
|
u8 own_addr[ETH_ALEN], bssid[ETH_ALEN];
|
||||||
|
|
||||||
|
wpa_fuzzer_set_debug_level();
|
||||||
|
|
||||||
|
if (os_program_init())
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
os_memset(&pasn, 0, sizeof(pasn));
|
||||||
|
pasn.send_mgmt = pasn_send_mgmt;
|
||||||
|
hwaddr_aton("02:00:00:00:00:00", own_addr);
|
||||||
|
hwaddr_aton("02:00:00:00:03:00", bssid);
|
||||||
|
if (wpas_pasn_start(&pasn, own_addr, bssid, WPA_KEY_MGMT_PASN,
|
||||||
|
WPA_CIPHER_CCMP, 19, 2412, NULL, 0, NULL, 0,
|
||||||
|
NULL) < 0) {
|
||||||
|
wpa_printf(MSG_ERROR, "wpas_pasn_start failed");
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
|
||||||
|
wpa_pasn_auth_rx(&pasn, data, size, &pasn_data);
|
||||||
|
|
||||||
|
fail:
|
||||||
|
wpa_pasn_reset(&pasn);
|
||||||
|
os_program_deinit();
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
40
tests/fuzzing/pasn-resp/Makefile
Normal file
40
tests/fuzzing/pasn-resp/Makefile
Normal file
|
@ -0,0 +1,40 @@
|
||||||
|
ALL=pasn-resp
|
||||||
|
include ../rules.include
|
||||||
|
|
||||||
|
CFLAGS += -DCONFIG_PASN
|
||||||
|
CFLAGS += -DCONFIG_SAE
|
||||||
|
CFLAGS += -DCONFIG_SHA256
|
||||||
|
CFLAGS += -DCONFIG_SHA384
|
||||||
|
CFLAGS += -DCONFIG_ECC
|
||||||
|
CFLAGS += -DCONFIG_FILS
|
||||||
|
CFLAGS += -DCONFIG_IEEE80211R
|
||||||
|
|
||||||
|
OBJS += $(SRC)/utils/common.o
|
||||||
|
OBJS += $(SRC)/utils/os_unix.o
|
||||||
|
OBJS += $(SRC)/utils/wpa_debug.o
|
||||||
|
OBJS += $(SRC)/utils/wpabuf.o
|
||||||
|
OBJS += $(SRC)/utils/eloop.o
|
||||||
|
OBJS += $(SRC)/common/sae.o
|
||||||
|
OBJS += $(SRC)/common/dragonfly.o
|
||||||
|
OBJS += $(SRC)/common/wpa_common.o
|
||||||
|
OBJS += $(SRC)/common/ieee802_11_common.o
|
||||||
|
OBJS += $(SRC)/crypto/crypto_openssl.o
|
||||||
|
OBJS += $(SRC)/crypto/dh_groups.o
|
||||||
|
OBJS += $(SRC)/crypto/sha1-prf.o
|
||||||
|
OBJS += $(SRC)/crypto/sha256-prf.o
|
||||||
|
OBJS += $(SRC)/crypto/sha384-prf.o
|
||||||
|
OBJS += $(SRC)/crypto/sha256-kdf.o
|
||||||
|
OBJS += $(SRC)/crypto/sha384-kdf.o
|
||||||
|
OBJS += $(SRC)/ap/comeback_token.o
|
||||||
|
OBJS += $(SRC)/pasn/pasn_responder.o
|
||||||
|
|
||||||
|
OBJS += pasn-resp.o
|
||||||
|
|
||||||
|
_OBJS_VAR := OBJS
|
||||||
|
include ../../../src/objs.mk
|
||||||
|
|
||||||
|
pasn-resp: $(OBJS)
|
||||||
|
$(LDO) $(LDFLAGS) -o $@ $^ -lcrypto
|
||||||
|
|
||||||
|
clean: common-clean
|
||||||
|
rm -f pasn-resp *~ *.o *.d ../*~ ../*.o ../*.d
|
BIN
tests/fuzzing/pasn-resp/corpus/pasn-auth-1
Normal file
BIN
tests/fuzzing/pasn-resp/corpus/pasn-auth-1
Normal file
Binary file not shown.
BIN
tests/fuzzing/pasn-resp/corpus/pasn-auth-3
Normal file
BIN
tests/fuzzing/pasn-resp/corpus/pasn-auth-3
Normal file
Binary file not shown.
94
tests/fuzzing/pasn-resp/pasn-resp.c
Normal file
94
tests/fuzzing/pasn-resp/pasn-resp.c
Normal file
|
@ -0,0 +1,94 @@
|
||||||
|
/*
|
||||||
|
* PASN responder fuzzer
|
||||||
|
* Copyright (c) 2022, Jouni Malinen <j@w1.fi>
|
||||||
|
*
|
||||||
|
* This software may be distributed under the terms of the BSD license.
|
||||||
|
* See README for more details.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include "utils/includes.h"
|
||||||
|
|
||||||
|
#include "utils/common.h"
|
||||||
|
#include "utils/eloop.h"
|
||||||
|
#include "common/defs.h"
|
||||||
|
#include "common/wpa_common.h"
|
||||||
|
#include "common/sae.h"
|
||||||
|
#include "common/ieee802_11_defs.h"
|
||||||
|
#include "crypto/sha384.h"
|
||||||
|
#include "crypto/crypto.h"
|
||||||
|
#include "pasn/pasn_common.h"
|
||||||
|
#include "../fuzzer-common.h"
|
||||||
|
|
||||||
|
|
||||||
|
struct eapol_state_machine;
|
||||||
|
|
||||||
|
struct rsn_pmksa_cache_entry *
|
||||||
|
pmksa_cache_auth_add(struct rsn_pmksa_cache *pmksa,
|
||||||
|
const u8 *pmk, size_t pmk_len, const u8 *pmkid,
|
||||||
|
const u8 *kck, size_t kck_len,
|
||||||
|
const u8 *aa, const u8 *spa, int session_timeout,
|
||||||
|
struct eapol_state_machine *eapol, int akmp)
|
||||||
|
{
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
struct rsn_pmksa_cache_entry *
|
||||||
|
pmksa_cache_auth_get(struct rsn_pmksa_cache *pmksa,
|
||||||
|
const u8 *spa, const u8 *pmkid)
|
||||||
|
{
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int pasn_send_mgmt(void *ctx, const u8 *data, size_t data_len,
|
||||||
|
int noack, unsigned int freq, unsigned int wait)
|
||||||
|
{
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
|
||||||
|
{
|
||||||
|
struct pasn_data pasn;
|
||||||
|
u8 own_addr[ETH_ALEN], bssid[ETH_ALEN];
|
||||||
|
|
||||||
|
wpa_fuzzer_set_debug_level();
|
||||||
|
|
||||||
|
if (os_program_init())
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
if (eloop_init()) {
|
||||||
|
wpa_printf(MSG_ERROR, "Failed to initialize event loop");
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
os_memset(&pasn, 0, sizeof(pasn));
|
||||||
|
pasn.send_mgmt = pasn_send_mgmt;
|
||||||
|
hwaddr_aton("02:00:00:00:03:00", own_addr);
|
||||||
|
hwaddr_aton("02:00:00:00:00:00", bssid);
|
||||||
|
os_memcpy(pasn.own_addr, own_addr, ETH_ALEN);
|
||||||
|
os_memcpy(pasn.bssid, bssid, ETH_ALEN);
|
||||||
|
pasn.wpa_key_mgmt = WPA_KEY_MGMT_PASN;
|
||||||
|
pasn.rsn_pairwise = WPA_CIPHER_CCMP;
|
||||||
|
|
||||||
|
wpa_printf(MSG_DEBUG, "TESTING: Try to parse as PASN Auth 1");
|
||||||
|
if (handle_auth_pasn_1(&pasn, own_addr, bssid,
|
||||||
|
(const struct ieee80211_mgmt *) data, size))
|
||||||
|
wpa_printf(MSG_ERROR, "handle_auth_pasn_1 failed");
|
||||||
|
|
||||||
|
wpa_printf(MSG_DEBUG, "TESTING: Try to parse as PASN Auth 3");
|
||||||
|
if (handle_auth_pasn_3(&pasn, own_addr, bssid,
|
||||||
|
(const struct ieee80211_mgmt *) data, size))
|
||||||
|
wpa_printf(MSG_ERROR, "handle_auth_pasn_3 failed");
|
||||||
|
|
||||||
|
if (pasn.ecdh) {
|
||||||
|
crypto_ecdh_deinit(pasn.ecdh);
|
||||||
|
pasn.ecdh = NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
eloop_destroy();
|
||||||
|
os_program_deinit();
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
Loading…
Reference in a new issue