DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

tests: New style fuzzing tool for EAP-AKA peer processing

Browse source 
Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2019-06-02 17:02:57 +03:00
parent 23ddc7b810
commit a1f3f88ac7
4 changed files with 166 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
src/eap_peer/eap_aka.c
View file

@ -927,8 +927,13 @@ static struct wpabuf * eap_aka_process_challenge(struct eap_sm *sm,
attr->checkcode_len)) { attr->checkcode_len)) {
wpa_printf(MSG_WARNING, "EAP-AKA: Invalid AT_CHECKCODE in the " wpa_printf(MSG_WARNING, "EAP-AKA: Invalid AT_CHECKCODE in the "
"message"); "message");
#ifdef TEST_FUZZ
wpa_printf(MSG_INFO,
"TEST: Ignore AT_CHECKCODE mismatch for fuzz testing");
#else /* TEST_FUZZ */
return eap_aka_client_error(data, id, return eap_aka_client_error(data, id,
EAP_AKA_UNABLE_TO_PROCESS_PACKET); EAP_AKA_UNABLE_TO_PROCESS_PACKET);
#endif /* TEST_FUZZ */
} }
#ifdef EAP_AKA_PRIME #ifdef EAP_AKA_PRIME
@ -1060,8 +1065,13 @@ static struct wpabuf * eap_aka_process_challenge(struct eap_sm *sm,
if (eap_aka_verify_mac(data, reqData, attr->mac, (u8 *) "", 0)) { if (eap_aka_verify_mac(data, reqData, attr->mac, (u8 *) "", 0)) {
wpa_printf(MSG_WARNING, "EAP-AKA: Challenge message " wpa_printf(MSG_WARNING, "EAP-AKA: Challenge message "
"used invalid AT_MAC"); "used invalid AT_MAC");
#ifdef TEST_FUZZ
wpa_printf(MSG_INFO,
"TEST: Ignore AT_MAC mismatch for fuzz testing");
#else /* TEST_FUZZ */
return eap_aka_client_error(data, id, return eap_aka_client_error(data, id,
EAP_AKA_UNABLE_TO_PROCESS_PACKET); EAP_AKA_UNABLE_TO_PROCESS_PACKET);
#endif /* TEST_FUZZ */
} }
/* Old reauthentication identity must not be used anymore. In /* Old reauthentication identity must not be used anymore. In
@ -1210,8 +1220,13 @@ static struct wpabuf * eap_aka_process_reauthentication(
if (attr->checkcode && if (attr->checkcode &&
eap_aka_verify_checkcode(data, attr->checkcode, eap_aka_verify_checkcode(data, attr->checkcode,
attr->checkcode_len)) { attr->checkcode_len)) {
#ifdef TEST_FUZZ
wpa_printf(MSG_INFO,
"TEST: Ignore AT_CHECKCODE mismatch for fuzz testing");
#else /* TEST_FUZZ */
wpa_printf(MSG_WARNING, "EAP-AKA: Invalid AT_CHECKCODE in the " wpa_printf(MSG_WARNING, "EAP-AKA: Invalid AT_CHECKCODE in the "
"message"); "message");
#endif /* TEST_FUZZ */
return eap_aka_client_error(data, id, return eap_aka_client_error(data, id,
EAP_AKA_UNABLE_TO_PROCESS_PACKET); EAP_AKA_UNABLE_TO_PROCESS_PACKET);
} }

21
tests/fuzzing/eap-aka-peer/Makefile Normal file
View file

@ -0,0 +1,21 @@
all: eap-aka-peer
include ../rules.include
CFLAGS += -DIEEE8021X_EAPOL
CFLAGS += -DCONFIG_USIM_SIMULATOR
OBJS += $(SRC)/eap_peer/eap_aka.o
OBJS += $(SRC)/eap_common/eap_sim_common.o
OBJS += $(SRC)/eap_common/eap_common.o
LIBS += $(SRC)/crypto/libcrypto.a
LIBS += $(SRC)/utils/libutils.a
eap-aka-peer: eap-aka-peer.o $(OBJS) $(LIBS)
$(Q)$(LDO) $(LDFLAGS) -o $@ $^ $(LIBS) $(ELIBS)
@$(E) " LD " $@
clean:
$(MAKE) -C $(SRC) clean
rm -f eap-aka-peer *~ *.o *.d ../*~ ../*.o ../*.d
-include $(OBJS:%.o=%.d)

BIN
tests/fuzzing/eap-aka-peer/corpus/server.msg Normal file
View file

Binary file not shown.

130
tests/fuzzing/eap-aka-peer/eap-aka-peer.c Normal file
View file

@ -0,0 +1,130 @@
/*
* EAP-AKA peer fuzzer
* Copyright (c) 2019, Jouni Malinen <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
*/
#include "utils/includes.h"
#include "utils/common.h"
#include "eap_peer/eap_methods.h"
#include "eap_peer/eap_config.h"
#include "eap_peer/eap_i.h"
#include "../fuzzer-common.h"
int eap_peer_sim_register(void);
struct eap_method * registered_eap_method = NULL;
struct eap_method * eap_peer_method_alloc(int version, int vendor,
EapType method, const char *name)
{
struct eap_method *eap;
eap = os_zalloc(sizeof(*eap));
if (!eap)
return NULL;
eap->version = version;
eap->vendor = vendor;
eap->method = method;
eap->name = name;
return eap;
}
int eap_peer_method_register(struct eap_method *method)
{
registered_eap_method = method;
return 0;
}
static struct eap_peer_config eap_aka_config = {
.identity = (u8 *) "0232010000000000",
.identity_len = 16,
.password = (u8 *) "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
.password_len = 78,
};
struct eap_peer_config * eap_get_config(struct eap_sm *sm)
{
return &eap_aka_config;
}
const u8 * eap_get_config_identity(struct eap_sm *sm, size_t *len)
{
static const char *id = "0232010000000000";
*len = os_strlen(id);
return (const u8 *) id;
}
const char * eap_get_config_phase1(struct eap_sm *sm)
{
return NULL;
}
void eap_set_anon_id(struct eap_sm *sm, const u8 *id, size_t len)
{
}
void eap_sm_request_identity(struct eap_sm *sm)
{
}
void eap_sm_request_sim(struct eap_sm *sm, const char *req)
{
}
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
const u8 *pos, *end;
struct eap_sm *sm;
void *priv;
struct eap_method_ret ret;
wpa_fuzzer_set_debug_level();
eap_peer_aka_register();
sm = os_zalloc(sizeof(*sm));
if (!sm)
return 0;
priv = registered_eap_method->init(sm);
os_memset(&ret, 0, sizeof(ret));
pos = data;
end = pos + size;
while (end - pos > 2) {
u16 flen;
struct wpabuf *buf, *req;
flen = WPA_GET_BE16(pos);
pos += 2;
if (end - pos < flen)
break;
req = wpabuf_alloc_copy(pos, flen);
if (!req)
break;
wpa_hexdump_buf(MSG_MSGDUMP, "fuzzer - request", req);
buf = registered_eap_method->process(sm, priv, &ret, req);
wpa_hexdump_buf(MSG_MSGDUMP, "fuzzer - local response", buf);
wpabuf_free(req);
wpabuf_free(buf);
pos += flen;
}
registered_eap_method->deinit(sm, priv);
os_free(registered_eap_method);
os_free(sm);
return 0;
}