| author | Max Spector <mspector@google.com> | 2020-07-17 05:41:12 +0000 |
|---|---|---|
| committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2020-07-17 05:41:12 +0000 |
| commit | 9d6c5404f3e2d70b3ccec5796ff3f1a7cb46e061 (patch) | |
| tree | 3616b93e8d42a8c2baba0f030a24cd904f8bd1e8 | |
| parent | 4303129c6447132f925ff2134269b01de9f7c36a (diff) | |
| parent | ccc18b89afda511adf354a84942adacf938e721a (diff) | |
Merge "Fuzzer for pppd" am: 5de12c6227 am: ccc18b89af
Original change: https://android-review.googlesource.com/c/platform/tools/security/+/1349485
Change-Id: I628ec62d77696454d347eed3cb10e510529ee3ee
| -rw-r--r-- | fuzzing/orphans/pppd/Android.bp | 31 | ||||
| -rw-r--r-- | fuzzing/orphans/pppd/eap_fuzz.cc | 215 | ||||
| -rw-r--r-- | fuzzing/orphans/pppd/eap_fuzz.proto | 133 | ||||
| -rw-r--r-- | fuzzing/orphans/pppd/eap_fuzz_Cproxy.c | 28 | ||||
| -rw-r--r-- | fuzzing/orphans/pppd/eap_fuzz_Cproxy.h | 56 |
5 files changed, 463 insertions, 0 deletions
diff --git a/fuzzing/orphans/pppd/Android.bp b/fuzzing/orphans/pppd/Android.bp
new file mode 100644
index 0000000..fa50408
--- /dev/null
+++ b/fuzzing/orphans/pppd/Android.bp
@@ -0,0 +1,31 @@
+cc_fuzz {
+ name: "eap_pppd_fuzz",
+
+ srcs: [
+ "eap_fuzz.proto",
+ "eap_fuzz.cc",
+ "eap_fuzz_Cproxy.c",
+ ],
+
+ static_libs: [
+ "libprotobuf-mutator",
+ "libpppd",
+ ],
+ shared_libs: [
+ "libprotobuf-cpp-full",
+ "libdl",
+ "liblog",
+ "libcutils",
+ "libcrypto",
+ ],
+
+ cflags: [
+ "-Wno-unused-parameter",
+ ],
+
+ ldflags: ["-rdynamic"],
+ required: [
+ "pppol2tp-android",
+ "pppopptp-android",
+ ],
+}
diff --git a/fuzzing/orphans/pppd/eap_fuzz.cc b/fuzzing/orphans/pppd/eap_fuzz.cc
new file mode 100644
index 0000000..5372e15
--- /dev/null
+++ b/fuzzing/orphans/pppd/eap_fuzz.cc
@@ -0,0 +1,215 @@ +#include <stdint.h> +extern "C" { +#include "eap_fuzz_Cproxy.h" +} + +#include <src/libfuzzer/libfuzzer_macro.h> +#include "eap_fuzz.pb.h" + +#define S_MALLOC(var, size) \ +do { \ + if ((var = (uint8_t *)malloc(size)) == NULL) { \ + return; \ + } \ +} while(0) + +void write_header(uint8_t *packet, uint16_t data_size, uint8_t type) +{ + data_size += EAP_HEADERLEN; + //the packet type + *(packet)++ = type&0xff; + //id + *(packet)++ = 0x0; + //the length as big endian short + *(packet)++ = ((data_size >> 8)&0xff); + *(packet)++ = data_size&0xff; +} + +DEFINE_BINARY_PROTO_FUZZER(const eap_fuzz::proto::PacketSet &packets){ + init(); + + for(const eap_fuzz::proto::Packet& packet: packets.packets()){ + uint8_t *fuzz_packet = NULL; + size_t packet_len = 0; + std::string data = ""; + uint8_t packet_type = -1; + switch(packet.PacketType_case()){ + case eap_fuzz::proto::Packet::kEapRequest: { + packet_type = EAP_REQUEST; + uint8_t eap_request_type = -1; + auto eap_request = packet.eap_request(); + switch(eap_request.EapRequestType_case()){ + case eap_fuzz::proto::EapRequest::kIdentity: { + eap_request_type = EAPT_IDENTITY; + data = eap_request.identity().data(); + S_MALLOC(fuzz_packet, data.size()+EAP_HEADERLEN+1); + break; + } + case eap_fuzz::proto::EapRequest::kNotification: { + eap_request_type = EAPT_NOTIFICATION; + data = eap_request.notification().data(); + S_MALLOC(fuzz_packet, data.size()+EAP_HEADERLEN+1); + break; + } + case eap_fuzz::proto::EapRequest::kMd5Chap: { + eap_request_type = EAPT_MD5CHAP; + data = eap_request.md5chap().data(); + S_MALLOC(fuzz_packet, data.size()+EAP_HEADERLEN+1); + break; + } + case eap_fuzz::proto::EapRequest::kSrp: { + auto request_srp = eap_request.srp(); + eap_request_type = EAPT_SRP; + uint8_t srp_type = -1; + switch(request_srp.EspMessage_case()){ + case eap_fuzz::proto::EaptRequestSRP::kSrpChallenge:{ + data = request_srp.srp_challenge().data(); + srp_type = EAPSRP_CHALLENGE; + break; + } + case 
eap_fuzz::proto::EaptRequestSRP::kSrpValidator:{ + data = request_srp.srp_validator().data(); + srp_type = EAPSRP_SVALIDATOR; + break; + } + case eap_fuzz::proto::EaptRequestSRP::kSrpKey:{ + data = request_srp.srp_key().data(); + srp_type = EAPSRP_SKEY; + break; + } + case eap_fuzz::proto::EaptRequestSRP::kSrpLwreChallenge:{ + data = request_srp.srp_lwre_challenge().data(); + srp_type = EAPSRP_LWRECHALLENGE; + break; + } + case eap_fuzz::proto::EaptRequestSRP::ESPMESSAGE_NOT_SET:{ + return; + } + + } + S_MALLOC(fuzz_packet, data.size()+EAP_HEADERLEN+2); + *(fuzz_packet+EAP_HEADERLEN+1) = srp_type; + packet_len++; + break; + } + case eap_fuzz::proto::EapRequest::EAPREQUESTTYPE_NOT_SET: { + return; + } + } + *(fuzz_packet+EAP_HEADERLEN) = eap_request_type; + ++packet_len; + break; + } + + case eap_fuzz::proto::Packet::kEapResponse: { + packet_type = EAP_RESPONSE; + auto eap_response = packet.eap_response(); + uint8_t eap_response_type = -1; + switch(eap_response.EapResponseType_case()){ + case eap_fuzz::proto::EapResponse::kIdentity: { + eap_response_type = EAPT_IDENTITY; + data = eap_response.identity().data(); + S_MALLOC(fuzz_packet, data.size()+EAP_HEADERLEN+1); + break; + } + case eap_fuzz::proto::EapResponse::kNotification: { + eap_response_type = EAPT_NOTIFICATION; + data = eap_response.notification().data(); + S_MALLOC(fuzz_packet, data.size()+EAP_HEADERLEN+1); + break; + } + case eap_fuzz::proto::EapResponse::kMd5Chap: { + eap_response_type = EAPT_MD5CHAP; + data = eap_response.md5chap().data(); + S_MALLOC(fuzz_packet, data.size()+EAP_HEADERLEN+1); + break; + } + case eap_fuzz::proto::EapResponse::kNak: { + eap_response_type = EAPT_NAK; + auto response_nak = eap_response.nak(); + uint8_t nak_type = -1; + switch(response_nak.EaptResponseNAKType_case()){ + case eap_fuzz::proto::EaptResponseNAK::kSrp:{ + nak_type = EAPT_SRP; + break; + + } + case eap_fuzz::proto::EaptResponseNAK::kMd5Chap:{ + nak_type = EAPT_MD5CHAP; + break; + + } + case 
eap_fuzz::proto::EaptResponseNAK::EAPTRESPONSENAKTYPE_NOT_SET:{ + return; + } + } + S_MALLOC(fuzz_packet, data.size()+EAP_HEADERLEN+2); + *(fuzz_packet+EAP_HEADERLEN+1) = nak_type; + packet_len++; + break; + } + case eap_fuzz::proto::EapResponse::kSrp: { + auto response_srp = eap_response.srp(); + eap_response_type = EAPT_SRP; + uint8_t srp_type = -1; + switch(response_srp.EspMessage_case()){ + case eap_fuzz::proto::EaptResponseSRP::kSrpChallenge:{ + data = response_srp.srp_challenge().data(); + srp_type = EAPSRP_LWRECHALLENGE; + break; + } + case eap_fuzz::proto::EaptResponseSRP::kSrpCvalidator:{ + data = response_srp.srp_cvalidator().data(); + srp_type = EAPSRP_CVALIDATOR; + break; + } + case eap_fuzz::proto::EaptResponseSRP::kSrpCkey:{ + data = response_srp.srp_ckey().data(); + srp_type = EAPSRP_CKEY; + break; + } + case eap_fuzz::proto::EaptResponseSRP::kSrpAck:{ + data = response_srp.srp_ack().data(); + srp_type = EAPSRP_ACK; + break; + } + case eap_fuzz::proto::EaptResponseSRP::ESPMESSAGE_NOT_SET:{ + return; + } + + } + S_MALLOC(fuzz_packet, data.size()+EAP_HEADERLEN+2); + *(fuzz_packet+EAP_HEADERLEN+1) = srp_type; + packet_len++; + break; + } + case eap_fuzz::proto::EapResponse::EAPRESPONSETYPE_NOT_SET: { + return; + } + } + *(fuzz_packet+EAP_HEADERLEN) = eap_response_type; + ++packet_len; + break; + } + case eap_fuzz::proto::Packet::kEapSuccess: { + packet_type = EAP_SUCCESS; + data = packet.eap_success().data(); + S_MALLOC(fuzz_packet, data.size()+EAP_HEADERLEN); + break; + } + case eap_fuzz::proto::Packet::kEapFailure: { + packet_type = EAP_FAILURE; + data = packet.eap_failure().data(); + S_MALLOC(fuzz_packet, data.size()+EAP_HEADERLEN); + break; + } + case eap_fuzz::proto::Packet::PACKETTYPE_NOT_SET: { + return; + } + } + write_header(fuzz_packet, data.size()+packet_len, packet_type); + memcpy(fuzz_packet+EAP_HEADERLEN+packet_len, data.data(), data.size()); + proxy_packet(fuzz_packet, data.size()+EAP_HEADERLEN+packet_len); + free(fuzz_packet); + } +} 
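Review bot: write_header() hardcodes the EAP identifier byte (`*(packet)++ = 0x0;`), which I expect leaves the whole kEapResponse path mostly unreachable: as I recall pppd's eap_response() discards any Response whose id does not match es_server.ea_id, a value eap_init() randomizes, so only about 1 in 256 inputs would get past that check — worth confirming against the libpppd actually linked here. Give the id a source the mutator controls, e.g. an `optional uint32 id` on Packet passed through as a fourth write_header parameter instead of the constant. Separately, `data_size` is a uint16_t, so `write_header(fuzz_packet, data.size()+packet_len, packet_type)` silently truncates the EAP length field for payloads above 65531 bytes while proxy_packet() still receives the full buffer size; reject those inputs before the header is written with `if (data.size() + packet_len + EAP_HEADERLEN > UINT16_MAX) return;`. The kNak branch never reads the chosen nak submessage, so every NAK reaches the target with nothing after the type byte, and the `return` on each `*_NOT_SET` case abandons the remaining packets of the set where a `continue` (after freeing nothing, since no allocation has happened yet) would keep the sequence going.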
diff --git a/fuzzing/orphans/pppd/eap_fuzz.proto b/fuzzing/orphans/pppd/eap_fuzz.proto new file mode 100644 index 0000000..6d41214 --- /dev/null +++ b/fuzzing/orphans/pppd/eap_fuzz.proto 
@@ -0,0 +1,133 @@ +syntax = "proto2"; +package eap_fuzz.proto; + +message PacketSet{ + repeated Packet packets = 1; +} + +message Packet{ + oneof PacketType { + EapRequest eap_request = 1; + EapResponse eap_response = 2; + EapSuccess eap_success = 3; + EapFailure eap_failure = 4; + } +} + +message EapRequest{ + oneof EapRequestType{ + EaptRequestIdentity identity = 1; + EsptRequestNotification notification = 2; + EaptRequestMD5Chap md5chap = 3; + EaptRequestSRP srp = 4; + } + +} + +message EaptRequestIdentity{ + required bytes data = 1; +} + +message EsptRequestNotification{ + required bytes data = 1; +} + +message EaptRequestMD5Chap{ + required bytes data = 2; +} +message EaptRequestSRP{ + oneof EspMessage { + EapRequestSRPChallenge srp_challenge = 1; + EapRequestSRPKey srp_key = 2; + EapRequestSRPValidator srp_validator = 3; + EapRequestSRPLWREChallenge srp_lwre_challenge = 4; + } +} + +message EapRequestSRPChallenge{ + required bytes data = 1; +} + +message EapRequestSRPKey{ + required bytes data = 1; +} + +message EapRequestSRPValidator { + required bytes data = 1; +} + +message EapRequestSRPLWREChallenge{ + required bytes data = 1; +} + +message EapResponse{ + oneof EapResponseType{ + EaptResponseIdentity identity = 1; + EsptResponseNotification notification = 2; + EaptResponseNAK nak = 3; + EaptResponseMD5Chap md5chap = 4; + EaptResponseSRP srp = 5; + } +} + +message EaptResponseIdentity{ + required bytes data = 1; +} + +message EsptResponseNotification{ + required bytes data = 1; +} + +message EaptResponseNAK{ + oneof EaptResponseNAKType{ + EaptResponseNAKSRP srp = 1; + EaptResponseNAKMD5Chap md5_chap = 2; + } +} + + +message EaptResponseNAKSRP{ + required bytes data = 1; +} + +message EaptResponseNAKMD5Chap { + required bytes data = 1; +} + +message EaptResponseMD5Chap { + required bytes data = 1; +} + +message EaptResponseSRP{ + oneof EspMessage { + EapResponseSRPCKey srp_ckey = 1; + EapResponseSRPCValidator srp_cvalidator = 2; + EapResponseSRPACK srp_ack 
= 3; + EapResponseSRPLWEChallenge srp_challenge = 4; + } +} + +message EapResponseSRPCKey { + required bytes data = 1; +} + +message EapResponseSRPCValidator{ + required bytes data = 1; +} + +message EapResponseSRPACK{ + required bytes data = 1; +} + +message EapResponseSRPLWEChallenge{ + required bytes data = 1; +} + +message EapSuccess{ + required bytes data = 1; +} + +message EapFailure{ + required bytes data = 1; +} + diff --git a/fuzzing/orphans/pppd/eap_fuzz_Cproxy.c b/fuzzing/orphans/pppd/eap_fuzz_Cproxy.c new file mode 100644 index 0000000..e2b7d98 --- /dev/null +++ b/fuzzing/orphans/pppd/eap_fuzz_Cproxy.c @@ -0,0 +1,28 @@ +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> +#include <stdint.h> +#include <pwd.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <fcntl.h> +#include <assert.h> +#include <errno.h> + +#include "pppd.h" +#include "pathnames.h" +#include "md5.h" +#include "eap.h" +#include "magic.h" + +void init() +{ + eap_protent.init(0); +} + + +void proxy_packet(uint8_t *data, int len) +{ + eap_protent.input(0, data, len); +} diff --git a/fuzzing/orphans/pppd/eap_fuzz_Cproxy.h b/fuzzing/orphans/pppd/eap_fuzz_Cproxy.h new file mode 100644 index 0000000..6846f5e --- /dev/null +++ b/fuzzing/orphans/pppd/eap_fuzz_Cproxy.h 
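Review bot: EaptResponseNAKSRP and EaptResponseNAKMD5Chap each declare `required bytes data = 1;` but the kNak branch in eap_fuzz.cc never reads either, so the mutator spends effort on bytes that never reach pppd; either drop the two fields or have the fuzzer copy the selected one into `data`. Packet carries no identifier field, so the EAP id byte is fixed at 0 by the harness and cannot be varied by the mutator — an `optional uint32 id = 5;` on Packet would fix that. The names mix `Eapt` and `Espt` (EsptRequestNotification, EsptResponseNotification) and both SRP messages call their oneof `EspMessage` although it selects EAP-SRP subtypes; `EaptRequestNotification`/`EaptResponseNotification` and `SrpMessage` would read consistently. EaptRequestMD5Chap uses field number 2 where every sibling uses 1; harmless on the wire, but cheaper to align now than after a corpus is committed.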
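Review bot: init() re-runs eap_protent.init(0) at the top of every fuzz iteration but nothing ever brings the unit down between iterations, so whatever the previous PacketSet left behind in eap_states[0] (SRP session state, pending TIMEOUT entries) is carried across runs — if eap_init only zeroes the struct, that shows up as harness-attributed leaks under LeakSanitizer and as stale timers firing on a re-zeroed state; I cannot see eap.c here, so please check. Add a `void teardown(void)` that calls whichever of `eap_protent.lowerdown(0)` / `eap_protent.close(0, "fuzz")` the protent actually fills in (some protent slots are NULL, so test before calling) and invoke it from the end of the fuzzer entry. The declaration should be `void init(void)` rather than `void init()`, which in C declares a function with unspecified arguments, and `proxy_packet` takes `int len` while its caller passes a size_t — `size_t len` with a cast at the eap_protent.input call keeps the truncation in one visible place. Most of the includes (pwd.h, fcntl.h, errno.h, assert.h, sys/stat.h) are unused and can go.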
@@ -0,0 +1,56 @@ +//from pppd.h, can't include it directly in the fuzzer because C -> C++ issues +#define EAP_HEADERLEN 4 + +/* EAP message codes. */ +#define EAP_REQUEST 1 +#define EAP_RESPONSE 2 +#define EAP_SUCCESS 3 +#define EAP_FAILURE 4 + +/* EAP types */ +#define EAPT_IDENTITY 1 +#define EAPT_NOTIFICATION 2 +#define EAPT_NAK 3 /* (response only) */ +#define EAPT_MD5CHAP 4 +#define EAPT_OTP 5 /* One-Time Password; RFC 1938 */ +#define EAPT_TOKEN 6 /* Generic Token Card */ +/* 7 and 8 are unassigned. */ +#define EAPT_RSA 9 /* RSA Public Key Authentication */ +#define EAPT_DSS 10 /* DSS Unilateral */ +#define EAPT_KEA 11 /* KEA */ +#define EAPT_KEA_VALIDATE 12 /* KEA-VALIDATE */ +#define EAPT_TLS 13 /* EAP-TLS */ +#define EAPT_DEFENDER 14 /* Defender Token (AXENT) */ +#define EAPT_W2K 15 /* Windows 2000 EAP */ +#define EAPT_ARCOT 16 /* Arcot Systems */ +#define EAPT_CISCOWIRELESS 17 /* Cisco Wireless */ +#define EAPT_NOKIACARD 18 /* Nokia IP smart card */ +#define EAPT_SRP 19 /* Secure Remote Password */ +/* 20 is deprecated */ + +/* EAP SRP-SHA1 Subtypes */ +#define EAPSRP_CHALLENGE 1 /* Request 1 - Challenge */ +#define EAPSRP_CKEY 1 /* Response 1 - Client Key */ +#define EAPSRP_SKEY 2 /* Request 2 - Server Key */ +#define EAPSRP_CVALIDATOR 2 /* Response 2 - Client Validator */ +#define EAPSRP_SVALIDATOR 3 /* Request 3 - Server Validator */ +#define EAPSRP_ACK 3 /* Response 3 - final ack */ +#define EAPSRP_LWRECHALLENGE 4 /* Req/resp 4 - Lightweight rechal */ + +#define SRPVAL_EBIT 0x00000001 /* Use shared key for ECP */ + +#define SRP_PSEUDO_ID "pseudo_" +#define SRP_PSEUDO_LEN 7 + +#define MD5_SIGNATURE_SIZE 16 +#define MIN_CHALLENGE_LENGTH 16 +#define MAX_CHALLENGE_LENGTH 24 + +void init(); +void proxy_packet(uint8_t *data, int len); + +//override output so we don't write to a broken fd +void output (int unit, unsigned char *p, int len) +{ + +} |
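Review bot: `void output (int unit, unsigned char *p, int len) { }` is a non-inline function definition in a header; it links only because eap_fuzz.cc is currently the sole includer, and the first second includer will fail with a duplicate symbol. Move the definition into eap_fuzz_Cproxy.c, which already includes pppd.h and so gets the stub type-checked against the real prototype, and keep only `void output(int unit, unsigned char *p, int len);` here with a comment that it deliberately swallows the EAP state machine's outgoing packets. The header also has no include guard, and its forty-odd copies of pppd.h/eap.h constants have nothing keeping them in sync with libpppd; if eap_fuzz_Cproxy.c includes this header after eap.h, C's rule that a macro may only be redefined identically turns any drift into a compile error at no extra cost. Since libpppd is linked statically, whether this `output` wins over the library's own depends on which archive members the linker pulls — assuming the merged build links, a one-line comment recording that expectation would save the next person who adds a libpppd dependency some time.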
