1 /*
2 * EAP-SIM peer fuzzer
3 * Copyright (c) 2019, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #include "utils/common.h"
12 #include "eap_peer/eap_methods.h"
13 #include "eap_peer/eap_config.h"
14 #include "eap_peer/eap_i.h"
15 #include "../fuzzer-common.h"
16
/* EAP-SIM peer method registration entry point; only declared in this file. */
int eap_peer_sim_register(void);

/*
 * The one method entry captured by eap_peer_method_register() in this file.
 * LLVMFuzzerTestOneInput() calls init/process/deinit through this pointer and
 * releases it with os_free() at the end of a run.
 */
struct eap_method *registered_eap_method = NULL;
20
21
/**
 * eap_peer_method_alloc - Allocate an EAP method entry (fuzzer build version)
 * @version: Value stored in the entry's version field
 * @vendor: Value stored in the entry's vendor field
 * @method: Value stored in the entry's method field
 * @name: Method name; the pointer is stored as-is and the string is not copied
 * Returns: Zero-initialized entry with the four fields above filled in, or
 * %NULL if os_zalloc() fails
 */
struct eap_method * eap_peer_method_alloc(int version, int vendor,
					  enum eap_type method,
					  const char *name)
{
	struct eap_method *entry = os_zalloc(sizeof(*entry));

	if (entry) {
		/* All remaining members stay zeroed from os_zalloc() */
		entry->version = version;
		entry->vendor = vendor;
		entry->method = method;
		entry->name = name;
	}

	return entry;
}
36
37
/**
 * eap_peer_method_register - Remember the method entry under test
 * @method: Entry to store
 * Returns: 0 in all cases
 *
 * Stores @method in registered_eap_method. Any pointer stored there earlier is
 * overwritten without being freed.
 */
int eap_peer_method_register(struct eap_method *method)
{
	registered_eap_method = method;

	return 0;
}
43
44
/*
 * Fixed peer credentials handed to the method through eap_get_config(). They
 * are constants so that the same fuzzer input always exercises the same key
 * material. The colon-separated hex pair looks like the Ki:OPc form used with
 * an internal Milenage SIM simulator - TODO confirm against the EAP-SIM peer
 * implementation. These are test-only values, not subscriber secrets.
 */
#define FUZZ_SIM_IDENTITY "1232010000000000"
#define FUZZ_SIM_PASSWORD \
	"90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"

static struct eap_peer_config eap_sim_config = {
	/* The casts drop const from string literals; nothing may write here */
	.identity = (u8 *) FUZZ_SIM_IDENTITY,
	/* Lengths exclude the terminating NUL: 16 and 65 bytes */
	.identity_len = sizeof(FUZZ_SIM_IDENTITY) - 1,
	.password = (u8 *) FUZZ_SIM_PASSWORD,
	.password_len = sizeof(FUZZ_SIM_PASSWORD) - 1,
};
51
/**
 * eap_get_config - Return the fuzzer's fixed peer configuration
 * @sm: Unused
 * Returns: Pointer to the file-scope eap_sim_config; never %NULL
 */
struct eap_peer_config * eap_get_config(struct eap_sm *sm)
{
	struct eap_peer_config *config = &eap_sim_config;

	return config;
}
56
57
/**
 * eap_get_config_identity - Return the fuzzer's fixed identity string
 * @sm: Unused
 * @len: Output; set to the identity length in bytes (terminating NUL excluded).
 *	Must not be %NULL since it is written unconditionally.
 * Returns: Pointer to the static identity bytes
 */
const u8 * eap_get_config_identity(struct eap_sm *sm, size_t *len)
{
	static const char identity[] = "1232010000000000";

	/* sizeof() counts the terminating NUL, which is not part of the value */
	*len = sizeof(identity) - 1;

	return (const u8 *) identity;
}
65
66
/**
 * eap_set_anon_id - No-op in the fuzzer build
 * @sm: Unused
 * @id: Unused
 * @len: Unused
 */
void eap_set_anon_id(struct eap_sm *sm, const u8 *id, size_t len)
{
	/* Nothing is stored; the arguments are discarded */
}
70
71
/**
 * eap_sm_request_identity - No-op in the fuzzer build
 * @sm: Unused
 */
void eap_sm_request_identity(struct eap_sm *sm)
{
	/* No request is issued; the fuzzer has nobody to ask */
}
75
76
/**
 * eap_sm_request_sim - No-op in the fuzzer build
 * @sm: Unused
 * @req: Unused
 */
void eap_sm_request_sim(struct eap_sm *sm, const char *req)
{
	/* The request string is discarded */
}
80
81
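/**
 * LLVMFuzzerTestOneInput - libFuzzer entry point for the EAP-SIM peer method
 * @data: Fuzzer-provided input
 * @size: Length of @data in bytes
 * Returns: 0 in all cases
 *
 * The input is read as a sequence of frames, each a 16-bit big-endian length
 * followed by that many payload bytes. Every frame is copied into a wpabuf and
 * handed to the registered method's process() callback as one request. At most
 * 100 frames are processed per input, and a frame whose declared length
 * exceeds the remaining input ends the run.
 *
 * Setup failures (method not registered, state machine allocation failure,
 * init() returning %NULL) end the run early instead of dereferencing a missing
 * pointer, and everything allocated so far is released.
 */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
	const u8 *pos, *end;
	struct eap_sm *sm = NULL;
	void *priv;
	struct eap_method_ret ret;
	unsigned int count = 0;

	wpa_fuzzer_set_debug_level();

	/*
	 * Registration can fail (e.g., eap_peer_method_alloc() returning NULL),
	 * in which case no usable method entry exists for this run.
	 */
	if (eap_peer_sim_register() < 0 || !registered_eap_method)
		goto out;

	sm = os_zalloc(sizeof(*sm));
	if (!sm)
		goto out;

	priv = registered_eap_method->init(sm);
	if (!priv) {
		/* No method state to feed requests to or to deinit */
		goto out;
	}
	os_memset(&ret, 0, sizeof(ret));

	pos = data;
	end = pos + size;

	/* The frame cap bounds the work done for a single fuzzer input */
	while (end - pos > 2 && count < 100) {
		u16 flen;
		struct wpabuf *buf, *req;

		flen = WPA_GET_BE16(pos);
		pos += 2;
		/* Never copy more than the input actually contains */
		if (end - pos < flen)
			break;
		req = wpabuf_alloc_copy(pos, flen);
		if (!req)
			break;
		wpa_hexdump_buf(MSG_MSGDUMP, "fuzzer - request", req);
		buf = registered_eap_method->process(sm, priv, &ret, req);
		wpa_hexdump_buf(MSG_MSGDUMP, "fuzzer - local response", buf);
		wpabuf_free(req);
		wpabuf_free(buf);
		pos += flen;
		count++;
	}

	registered_eap_method->deinit(sm, priv);

out:
	os_free(sm);
	os_free(registered_eap_method);
	/*
	 * Clear the global so that the next run cannot pick up the freed entry
	 * if its own registration fails.
	 */
	registered_eap_method = NULL;

	return 0;
}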
128