tests/eapol-fuzzer/eapol-fuzzer.c

   1 /*
   2  * wpa_supplicant - EAPOL fuzzer
   3  * Copyright (c) 2015, Jouni Malinen <j@w1.fi>
   4  *
   5  * This software may be distributed under the terms of the BSD license.
   6  * See README for more details.
   7  */
   8
   9 #include "utils/includes.h"
  10
  11 #include "utils/common.h"
  12 #include "utils/eloop.h"
  13 #include "eapol_supp/eapol_supp_sm.h"
  14 #include "rsn_supp/wpa.h"
  15 #include "rsn_supp/wpa_i.h"
  16
  17
  18 struct arg_ctx {
  19         const char *fname;
  20         struct wpa_sm *wpa;
  21         struct eapol_sm *eapol;
  22 };
  23
  24
  25 static void test_send_eapol(void *eloop_data, void *user_ctx)
  26 {
  27         struct arg_ctx *ctx = eloop_data;
  28         char *data;
  29         size_t len;
  30         u8 src[ETH_ALEN] = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x01 };
  31         u8 wpa_ie[200];
  32         size_t wpa_ie_len;
  33
  34         wpa_printf(MSG_INFO, "eapol-fuzzer: Send '%s'", ctx->fname);
  35
  36         data = os_readfile(ctx->fname, &len);
  37         if (!data) {
  38                 wpa_printf(MSG_ERROR, "Could not read '%s'", ctx->fname);
  39                 goto out;
  40         }
  41
  42         wpa_hexdump(MSG_MSGDUMP, "fuzzer - EAPOL", data, len);
  43
  44         eapol_sm_notify_portEnabled(ctx->eapol, TRUE);
  45
  46         wpa_sm_set_param(ctx->wpa, WPA_PARAM_PROTO, WPA_PROTO_RSN);
  47         wpa_sm_set_param(ctx->wpa, WPA_PARAM_RSN_ENABLED, 1);
  48         wpa_sm_set_param(ctx->wpa, WPA_PARAM_KEY_MGMT, WPA_KEY_MGMT_PSK);
  49         wpa_sm_set_param(ctx->wpa, WPA_PARAM_PAIRWISE, WPA_CIPHER_CCMP);
  50         wpa_sm_set_param(ctx->wpa, WPA_PARAM_GROUP, WPA_CIPHER_CCMP);
  51
  52         wpa_ie_len = sizeof(wpa_ie);
  53         wpa_sm_set_assoc_wpa_ie_default(ctx->wpa, wpa_ie, &wpa_ie_len);
  54
  55         if (eapol_sm_rx_eapol(ctx->eapol, src, (u8 *) data, len) <= 0)
  56                 wpa_sm_rx_eapol(ctx->wpa, src, (u8 *) data, len);
  57
  58 out:
  59         os_free(data);
  60         eloop_terminate();
  61 }
  62
  63
  64 static void * get_network_ctx(void *arg)
  65 {
  66         return (void *) 1;
  67 }
  68
  69
  70 static void set_state(void *arg, enum wpa_states state)
  71 {
  72 }
  73
  74
  75 static void deauthenticate(void *arg, u16 reason_code)
  76 {
  77 }
  78
  79
  80 static u8 * alloc_eapol(void *arg, u8 type,
  81                         const void *data, u16 data_len,
  82                         size_t *msg_len, void **data_pos)
  83 {
  84         struct ieee802_1x_hdr *hdr;
  85
  86         *msg_len = sizeof(*hdr) + data_len;
  87         hdr = os_malloc(*msg_len);
  88         if (hdr == NULL)
  89                 return NULL;
  90
  91         hdr->version = 2;
  92         hdr->type = type;
  93         hdr->length = host_to_be16(data_len);
  94
  95         if (data)
  96                 os_memcpy(hdr + 1, data, data_len);
  97         else
  98                 os_memset(hdr + 1, 0, data_len);
  99
 100         if (data_pos)
 101                 *data_pos = hdr + 1;
 102
 103         return (u8 *) hdr;
 104 }
 105
 106
 107 static int ether_send(void *arg, const u8 *dest, u16 proto,
 108                       const u8 *buf, size_t len)
 109 {
 110         return 0;
 111 }
 112
 113
 114 static int get_bssid(void *ctx, u8 *bssid)
 115 {
 116         return -1;
 117 }
 118
 119
 120 static int eapol_send(void *ctx, int type, const u8 *buf, size_t len)
 121 {
 122         return 0;
 123 }
 124
 125
 126 static int init_wpa(struct arg_ctx *arg)
 127 {
 128         struct wpa_sm_ctx *ctx;
 129
 130         ctx = os_zalloc(sizeof(*ctx));
 131         if (ctx == NULL) {
 132                 wpa_printf(MSG_ERROR, "Failed to allocate WPA context.");
 133                 return -1;
 134         }
 135
 136         ctx->ctx = arg;
 137         ctx->msg_ctx = arg;
 138         ctx->get_network_ctx = get_network_ctx;
 139         ctx->set_state = set_state;
 140         ctx->deauthenticate = deauthenticate;
 141         ctx->alloc_eapol = alloc_eapol;
 142         ctx->ether_send = ether_send;
 143         ctx->get_bssid = get_bssid;
 144
 145         arg->wpa = wpa_sm_init(ctx);
 146         if (!arg->wpa)
 147                 return -1;
 148         arg->wpa->pmk_len = PMK_LEN;
 149         return 0;
 150 }
 151
 152
 153 static int init_eapol(struct arg_ctx *arg)
 154 {
 155         struct eapol_ctx *ctx;
 156
 157         ctx = os_zalloc(sizeof(*ctx));
 158         if (ctx == NULL) {
 159                 wpa_printf(MSG_ERROR, "Failed to allocate EAPOL context.");
 160                 return -1;
 161         }
 162
 163         ctx->ctx = arg;
 164         ctx->msg_ctx = arg;
 165         ctx->eapol_send = eapol_send;
 166
 167         arg->eapol = eapol_sm_init(ctx);
 168         return arg->eapol ? 0 : -1;
 169 }
 170
 171
 172 int main(int argc, char *argv[])
 173 {
 174         struct arg_ctx ctx;
 175         int ret = -1;
 176
 177         if (argc < 2) {
 178                 printf("usage: %s <file>\n", argv[0]);
 179                 return -1;
 180         }
 181
 182         if (os_program_init())
 183                 return -1;
 184
 185         wpa_debug_level = 0;
 186         wpa_debug_show_keys = 1;
 187
 188         if (eloop_init()) {
 189                 wpa_printf(MSG_ERROR, "Failed to initialize event loop");
 190                 return -1;
 191         }
 192
 193         os_memset(&ctx, 0, sizeof(ctx));
 194         ctx.fname = argv[1];
 195         if (init_wpa(&ctx) || init_eapol(&ctx))
 196                 goto fail;
 197
 198         eloop_register_timeout(0, 0, test_send_eapol, &ctx, NULL);
 199
 200         wpa_printf(MSG_DEBUG, "Starting eloop");
 201         eloop_run();
 202         wpa_printf(MSG_DEBUG, "eloop done");
 203
 204         ret = 0;
 205 fail:
 206         if (ctx.wpa)
 207                 wpa_sm_deinit(ctx.wpa);
 208         if (ctx.eapol)
 209                 eapol_sm_deinit(ctx.eapol);
 210
 211         eloop_destroy();
 212         os_program_deinit();
 213
 214         return ret;
 215 }