Commit | Line | Data |
---|---|---|
46c3befe JM |
1 | /* |
2 | * wpa_supplicant - EAPOL fuzzer | |
3 | * Copyright (c) 2015, Jouni Malinen <j@w1.fi> | |
4 | * | |
5 | * This software may be distributed under the terms of the BSD license. | |
6 | * See README for more details. | |
7 | */ | |
8 | ||
9 | #include "utils/includes.h" | |
10 | ||
11 | #include "utils/common.h" | |
12 | #include "utils/eloop.h" | |
13 | #include "eapol_supp/eapol_supp_sm.h" | |
14 | #include "rsn_supp/wpa.h" | |
7a27e5e0 | 15 | #include "rsn_supp/wpa_i.h" |
46c3befe JM |
16 | |
17 | ||
/*
 * Per-run state of the fuzzer, shared between main() and the eloop callback.
 * The same pointer is also installed as ctx/msg_ctx of both state machines.
 */
struct arg_ctx {
	/* Path of the input file whose bytes are injected as one EAPOL frame */
	const char *fname;
	/* WPA (key handshake) state machine under test */
	struct wpa_sm *wpa;
	/* EAPOL supplicant state machine under test */
	struct eapol_sm *eapol;
};
23 | ||
24 | ||
/*
 * eloop timeout callback: read the input file and feed its raw bytes to the
 * supplicant as a single received EAPOL frame.
 *
 * @eloop_data: struct arg_ctx of this run
 * @user_ctx:   unused (registered as NULL by main())
 *
 * The file content is untrusted fuzzer input and is passed through without
 * any validation on purpose; parsing it is the job of the code under test.
 * The event loop is always terminated at the end, so one run handles exactly
 * one frame.
 */
static void test_send_eapol(void *eloop_data, void *user_ctx)
{
	struct arg_ctx *fuzz = eloop_data;
	/* Fixed source address reported for the injected frame */
	u8 peer_addr[ETH_ALEN] = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x01 };
	u8 assoc_ie[200];
	size_t assoc_ie_len = sizeof(assoc_ie);
	size_t frame_len;
	char *frame;

	wpa_printf(MSG_INFO, "eapol-fuzzer: Send '%s'", fuzz->fname);

	frame = os_readfile(fuzz->fname, &frame_len);
	if (frame == NULL) {
		wpa_printf(MSG_ERROR, "Could not read '%s'", fuzz->fname);
	} else {
		wpa_hexdump(MSG_MSGDUMP, "fuzzer - EAPOL", frame, frame_len);

		eapol_sm_notify_portEnabled(fuzz->eapol, TRUE);

		/* Configure an RSN / PSK / CCMP association before the frame
		 * arrives. */
		wpa_sm_set_param(fuzz->wpa, WPA_PARAM_PROTO, WPA_PROTO_RSN);
		wpa_sm_set_param(fuzz->wpa, WPA_PARAM_RSN_ENABLED, 1);
		wpa_sm_set_param(fuzz->wpa, WPA_PARAM_KEY_MGMT,
				 WPA_KEY_MGMT_PSK);
		wpa_sm_set_param(fuzz->wpa, WPA_PARAM_PAIRWISE,
				 WPA_CIPHER_CCMP);
		wpa_sm_set_param(fuzz->wpa, WPA_PARAM_GROUP, WPA_CIPHER_CCMP);

		/* NOTE(review): the return value is not checked; the frame is
		 * injected whether or not the default IE could be built. */
		wpa_sm_set_assoc_wpa_ie_default(fuzz->wpa, assoc_ie,
						&assoc_ie_len);

		/* The EAPOL state machine sees the frame first; the WPA state
		 * machine gets it only when that call returns <= 0. */
		if (eapol_sm_rx_eapol(fuzz->eapol, peer_addr, (u8 *) frame,
				      frame_len) <= 0)
			wpa_sm_rx_eapol(fuzz->wpa, peer_addr, (u8 *) frame,
					frame_len);
	}

	/* frame is NULL on the read-failure path, as in the goto-based form */
	os_free(frame);
	eloop_terminate();
}
62 | ||
63 | ||
/*
 * get_network_ctx callback stub: hands back a constant non-NULL token.
 *
 * The value (void *) 1 is not a real object and must never be dereferenced;
 * presumably it only has to make the state machine believe a network is
 * configured (confirm against the wpa_sm code).
 */
static void * get_network_ctx(void *arg)
{
	void *dummy_network = (void *) 1;

	(void) arg;
	return dummy_network;
}
68 | ||
69 | ||
/*
 * set_state callback stub: state changes requested by the WPA state machine
 * are ignored; the fuzzer tracks no connection state.
 */
static void set_state(void *arg, enum wpa_states state)
{
	(void) arg;
	(void) state;
}
73 | ||
74 | ||
/*
 * deauthenticate callback stub: a deauthentication requested by the WPA state
 * machine is dropped; there is no link to tear down in the fuzzer.
 */
static void deauthenticate(void *arg, u16 reason_code)
{
	(void) arg;
	(void) reason_code;
}
78 | ||
79 | ||
/*
 * alloc_eapol callback: allocate an IEEE 802.1X frame (header + payload).
 *
 * @arg:      unused
 * @type:     value stored in the header's type field
 * @data:     payload to copy, or NULL to get a zero-filled payload
 * @data_len: payload length in bytes
 * @msg_len:  out: header size plus data_len (written even if allocation
 *            fails)
 * @data_pos: optional out: start of the payload inside the new buffer
 * Returns: buffer from os_malloc() owned by the caller, or NULL on
 * allocation failure
 *
 * data_len is a u16 added to a size_t, so the size computation cannot wrap.
 */
static u8 * alloc_eapol(void *arg, u8 type,
			const void *data, u16 data_len,
			size_t *msg_len, void **data_pos)
{
	struct ieee802_1x_hdr *frame;
	u8 *payload;
	size_t total = sizeof(*frame) + data_len;

	*msg_len = total;
	frame = os_malloc(total);
	if (!frame)
		return NULL;

	/* The payload starts right behind the fixed header */
	payload = (u8 *) (frame + 1);

	frame->version = 2;
	frame->type = type;
	frame->length = host_to_be16(data_len);

	if (data != NULL)
		os_memcpy(payload, data, data_len);
	else
		os_memset(payload, 0, data_len);

	if (data_pos != NULL)
		*data_pos = payload;

	return (u8 *) frame;
}
105 | ||
106 | ||
/*
 * ether_send callback stub: frames the WPA state machine wants to transmit
 * are discarded and reported as sent (return 0). Nothing leaves the process.
 */
static int ether_send(void *arg, const u8 *dest, u16 proto,
		      const u8 *buf, size_t len)
{
	(void) arg;
	(void) dest;
	(void) proto;
	(void) buf;
	(void) len;
	return 0;
}
112 | ||
113 | ||
/*
 * get_bssid callback stub: always fails (-1) and leaves bssid untouched, so
 * callers must not read the buffer after this call.
 */
static int get_bssid(void *ctx, u8 *bssid)
{
	(void) ctx;
	(void) bssid;
	return -1;
}
118 | ||
119 | ||
/*
 * eapol_send callback stub: EAPOL frames produced by the EAPOL state machine
 * are dropped and reported as sent (return 0).
 */
static int eapol_send(void *ctx, int type, const u8 *buf, size_t len)
{
	(void) ctx;
	(void) type;
	(void) buf;
	(void) len;
	return 0;
}
124 | ||
125 | ||
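/*
 * Create the WPA state machine for this run and wire it to the stub
 * callbacks defined above.
 *
 * @arg: fuzzer state; arg->wpa is set on success
 * Returns: 0 on success, -1 on failure
 */
static int init_wpa(struct arg_ctx *arg)
{
	struct wpa_sm_ctx *ctx;

	ctx = os_zalloc(sizeof(*ctx));
	if (ctx == NULL) {
		wpa_printf(MSG_ERROR, "Failed to allocate WPA context.");
		return -1;
	}

	ctx->ctx = arg;
	ctx->msg_ctx = arg;
	ctx->get_network_ctx = get_network_ctx;
	ctx->set_state = set_state;
	ctx->deauthenticate = deauthenticate;
	ctx->alloc_eapol = alloc_eapol;
	ctx->ether_send = ether_send;
	ctx->get_bssid = get_bssid;

	arg->wpa = wpa_sm_init(ctx);
	if (!arg->wpa) {
		/*
		 * wpa_sm_init() takes ownership of ctx only when it succeeds,
		 * so release it here. Otherwise the allocation leaks and a
		 * leak checker reports harness noise instead of a finding in
		 * the code under test.
		 */
		os_free(ctx);
		return -1;
	}

	/*
	 * Only the PMK length is set; the PMK bytes stay as wpa_sm_init()
	 * left them. Presumably this keeps key-frame processing from being
	 * skipped for lack of a PMK - confirm against rsn_supp/wpa.c.
	 */
	arg->wpa->pmk_len = PMK_LEN;
	return 0;
}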
151 | ||
152 | ||
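/*
 * Create the EAPOL supplicant state machine for this run; its only callback
 * is the eapol_send stub.
 *
 * @arg: fuzzer state; arg->eapol is set on success
 * Returns: 0 on success, -1 on failure
 */
static int init_eapol(struct arg_ctx *arg)
{
	struct eapol_ctx *ctx;

	ctx = os_zalloc(sizeof(*ctx));
	if (ctx == NULL) {
		wpa_printf(MSG_ERROR, "Failed to allocate EAPOL context.");
		return -1;
	}

	ctx->ctx = arg;
	ctx->msg_ctx = arg;
	ctx->eapol_send = eapol_send;

	arg->eapol = eapol_sm_init(ctx);
	if (!arg->eapol) {
		/*
		 * eapol_sm_init() takes ownership of ctx only when it
		 * succeeds; free it here so a failed init does not leak.
		 */
		os_free(ctx);
		return -1;
	}

	return 0;
}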
170 | ||
171 | ||
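/*
 * Fuzzer entry point: inject the content of one file as a received EAPOL
 * frame into freshly initialised EAPOL and WPA state machines.
 *
 * usage: <program> <file>
 * Returns: 0 when the event loop ran to completion, -1 on usage or
 * initialisation failure. A file that cannot be read is logged by the
 * callback but still ends with 0.
 */
int main(int argc, char *argv[])
{
	struct arg_ctx ctx;
	int ret = -1;

	if (argc < 2) {
		printf("usage: %s <file>\n", argv[0]);
		return -1;
	}

	if (os_program_init())
		return -1;

	/*
	 * Most verbose logging, including key material. That suits a harness
	 * fed synthetic input; do not carry these two settings into code that
	 * handles real credentials.
	 */
	wpa_debug_level = 0;
	wpa_debug_show_keys = 1;

	if (eloop_init()) {
		wpa_printf(MSG_ERROR, "Failed to initialize event loop");
		/* Undo os_program_init() on this early exit as well */
		os_program_deinit();
		return -1;
	}

	os_memset(&ctx, 0, sizeof(ctx));
	ctx.fname = argv[1];
	if (init_wpa(&ctx) || init_eapol(&ctx))
		goto fail;

	/*
	 * If the timeout cannot be registered the input is never processed.
	 * Fail loudly rather than report a clean run that tested nothing.
	 */
	if (eloop_register_timeout(0, 0, test_send_eapol, &ctx, NULL) < 0) {
		wpa_printf(MSG_ERROR, "Failed to register fuzzer timeout");
		goto fail;
	}

	wpa_printf(MSG_DEBUG, "Starting eloop");
	eloop_run();
	wpa_printf(MSG_DEBUG, "eloop done");

	ret = 0;
fail:
	/* ctx was zeroed above, so only state machines that exist are freed */
	if (ctx.wpa)
		wpa_sm_deinit(ctx.wpa);
	if (ctx.eapol)
		eapol_sm_deinit(ctx.eapol);

	eloop_destroy();
	os_program_deinit();

	return ret;
}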