1 /*
2 * EAP-SIM peer fuzzer
3 * Copyright (c) 2019, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #include "utils/common.h"
12 #include "eap_peer/eap_methods.h"
13 #include "eap_peer/eap_config.h"
14 #include "eap_peer/eap_i.h"
15 #include "../fuzzer-common.h"
16
17 int eap_peer_sim_register(void);
18
19 struct eap_method * registered_eap_method = NULL;
20
21
eap_peer_method_alloc(int version,int vendor,enum eap_type method,const char * name)22 struct eap_method * eap_peer_method_alloc(int version, int vendor,
23 enum eap_type method,
24 const char *name)
25 {
26 struct eap_method *eap;
27 eap = os_zalloc(sizeof(*eap));
28 if (!eap)
29 return NULL;
30 eap->version = version;
31 eap->vendor = vendor;
32 eap->method = method;
33 eap->name = name;
34 return eap;
35 }
36
37
eap_peer_method_register(struct eap_method * method)38 int eap_peer_method_register(struct eap_method *method)
39 {
40 registered_eap_method = method;
41 return 0;
42 }
43
44
45 static struct eap_peer_config eap_mschapv2_config = {
46 .identity = (u8 *) "user",
47 .identity_len = 4,
48 .password = (u8 *) "password",
49 .password_len = 8,
50 };
51
eap_get_config(struct eap_sm * sm)52 struct eap_peer_config * eap_get_config(struct eap_sm *sm)
53 {
54 return &eap_mschapv2_config;
55 }
56
57
eap_get_config_identity(struct eap_sm * sm,size_t * len)58 const u8 * eap_get_config_identity(struct eap_sm *sm, size_t *len)
59 {
60 static const char *id = "user";
61
62 *len = os_strlen(id);
63 return (const u8 *) id;
64 }
65
66
eap_get_config_password(struct eap_sm * sm,size_t * len)67 const u8 * eap_get_config_password(struct eap_sm *sm, size_t *len)
68 {
69 struct eap_peer_config *config = eap_get_config(sm);
70
71 *len = config->password_len;
72 return config->password;
73 }
74
75
eap_get_config_password2(struct eap_sm * sm,size_t * len,int * hash)76 const u8 * eap_get_config_password2(struct eap_sm *sm, size_t *len, int *hash)
77 {
78 struct eap_peer_config *config = eap_get_config(sm);
79
80 *len = config->password_len;
81 if (hash)
82 *hash = !!(config->flags & EAP_CONFIG_FLAGS_PASSWORD_NTHASH);
83 return config->password;
84 }
85
86
eap_get_config_new_password(struct eap_sm * sm,size_t * len)87 const u8 * eap_get_config_new_password(struct eap_sm *sm, size_t *len)
88 {
89 *len = 3;
90 return (const u8 *) "new";
91 }
92
93
eap_sm_request_identity(struct eap_sm * sm)94 void eap_sm_request_identity(struct eap_sm *sm)
95 {
96 }
97
98
eap_sm_request_password(struct eap_sm * sm)99 void eap_sm_request_password(struct eap_sm *sm)
100 {
101 }
102
103
eap_sm_request_new_password(struct eap_sm * sm)104 void eap_sm_request_new_password(struct eap_sm *sm)
105 {
106 }
107
108
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)109 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
110 {
111 const u8 *pos, *end;
112 struct eap_sm *sm;
113 void *priv;
114 struct eap_method_ret ret;
115
116 wpa_fuzzer_set_debug_level();
117
118 eap_peer_mschapv2_register();
119 sm = os_zalloc(sizeof(*sm));
120 if (!sm)
121 return 0;
122 priv = registered_eap_method->init(sm);
123 os_memset(&ret, 0, sizeof(ret));
124
125 pos = data;
126 end = pos + size;
127
128 while (end - pos > 2) {
129 u16 flen;
130 struct wpabuf *buf, *req;
131
132 flen = WPA_GET_BE16(pos);
133 pos += 2;
134 if (end - pos < flen)
135 break;
136 req = wpabuf_alloc_copy(pos, flen);
137 if (!req)
138 break;
139 wpa_hexdump_buf(MSG_MSGDUMP, "fuzzer - request", req);
140 buf = registered_eap_method->process(sm, priv, &ret, req);
141 wpa_hexdump_buf(MSG_MSGDUMP, "fuzzer - local response", buf);
142 wpabuf_free(req);
143 wpabuf_free(buf);
144 pos += flen;
145 }
146
147 registered_eap_method->deinit(sm, priv);
148 os_free(registered_eap_method);
149 os_free(sm);
150
151 return 0;
152 }
153
