2 * Testing tool for EAPOL-Key Supplicant routines
3 * Copyright (c) 2006-2019, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
9 #include "utils/includes.h"
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "rsn_supp/wpa.h"
14 #include "../fuzzer-common.h"
23 u8 auth_addr
[ETH_ALEN
];
24 u8 supp_addr
[ETH_ALEN
];
27 /* from authenticator */
29 size_t auth_eapol_len
;
38 const struct wpa_driver_ops
*const wpa_drivers
[] = { NULL
};
41 static u8
* read_msg(struct wpa
*wpa
, size_t *ret_len
)
46 if (wpa
->data_len
- wpa
->data_offset
< 2) {
47 wpa_printf(MSG_ERROR
, "TEST-ERROR: Could not read msg len");
51 msg_len
= WPA_GET_BE16(&wpa
->data
[wpa
->data_offset
]);
52 wpa
->data_offset
+= 2;
54 msg
= os_malloc(msg_len
);
57 if (msg_len
> 0 && wpa
->data_len
- wpa
->data_offset
< msg_len
) {
58 wpa_printf(MSG_ERROR
, "TEST-ERROR: Truncated msg (msg_len=%u)",
64 os_memcpy(msg
, &wpa
->data
[wpa
->data_offset
], msg_len
);
65 wpa
->data_offset
+= msg_len
;
66 wpa_hexdump(MSG_DEBUG
, "TEST: Read message from file", msg
, msg_len
);
73 static int supp_get_bssid(void *ctx
, u8
*bssid
)
75 struct wpa
*wpa
= ctx
;
76 wpa_printf(MSG_DEBUG
, "SUPP: %s", __func__
);
77 os_memcpy(bssid
, wpa
->auth_addr
, ETH_ALEN
);
82 static void supp_set_state(void *ctx
, enum wpa_states state
)
84 wpa_printf(MSG_DEBUG
, "SUPP: %s(state=%d)", __func__
, state
);
88 static void supp_eapol_rx(void *eloop_data
, void *user_ctx
)
90 struct wpa
*wpa
= eloop_data
;
92 wpa_printf(MSG_DEBUG
, "SUPP: RX EAPOL frame");
93 wpa_sm_rx_eapol(wpa
->supp
, wpa
->auth_addr
, wpa
->auth_eapol
,
98 static int supp_read_msg(struct wpa
*wpa
)
100 os_free(wpa
->auth_eapol
);
101 wpa
->auth_eapol
= read_msg(wpa
, &wpa
->auth_eapol_len
);
102 if (!wpa
->auth_eapol
)
104 eloop_register_timeout(0, 0, supp_eapol_rx
, wpa
, NULL
);
109 static int supp_ether_send(void *ctx
, const u8
*dest
, u16 proto
, const u8
*buf
,
112 struct wpa
*wpa
= ctx
;
114 wpa_printf(MSG_DEBUG
, "SUPP: %s(dest=" MACSTR
" proto=0x%04x "
116 __func__
, MAC2STR(dest
), proto
, (unsigned long) len
);
118 return supp_read_msg(wpa
);
122 static u8
* supp_alloc_eapol(void *ctx
, u8 type
, const void *data
,
123 u16 data_len
, size_t *msg_len
, void **data_pos
)
125 struct ieee802_1x_hdr
*hdr
;
127 wpa_printf(MSG_DEBUG
, "SUPP: %s(type=%d data_len=%d)",
128 __func__
, type
, data_len
);
130 *msg_len
= sizeof(*hdr
) + data_len
;
131 hdr
= os_malloc(*msg_len
);
137 hdr
->length
= host_to_be16(data_len
);
140 os_memcpy(hdr
+ 1, data
, data_len
);
142 os_memset(hdr
+ 1, 0, data_len
);
151 static int supp_get_beacon_ie(void *ctx
)
153 struct wpa
*wpa
= ctx
;
155 static const u8 wpaie
[] = {
156 0xdd, 0x16, 0x00, 0x50, 0xf2, 0x01, 0x01, 0x00,
157 0x00, 0x50, 0xf2, 0x02, 0x01, 0x00, 0x00, 0x50,
158 0xf2, 0x02, 0x01, 0x00, 0x00, 0x50, 0xf2, 0x02
160 static const u8 rsne
[] = {
161 0x30, 0x14, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04,
162 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04, 0x01, 0x00,
163 0x00, 0x0f, 0xac, 0x02, 0xc0, 0x00
166 wpa_printf(MSG_DEBUG
, "SUPP: %s", __func__
);
168 ie
= wpa
->wpa1
? wpaie
: rsne
;
169 if (ie
[0] == WLAN_EID_RSN
)
170 return wpa_sm_set_ap_rsn_ie(wpa
->supp
, ie
, 2 + ie
[1]);
171 return wpa_sm_set_ap_wpa_ie(wpa
->supp
, ie
, 2 + ie
[1]);
175 static int supp_set_key(void *ctx
, enum wpa_alg alg
,
176 const u8
*addr
, int key_idx
, int set_tx
,
177 const u8
*seq
, size_t seq_len
,
178 const u8
*key
, size_t key_len
)
180 wpa_printf(MSG_DEBUG
, "SUPP: %s(alg=%d addr=" MACSTR
" key_idx=%d "
182 __func__
, alg
, MAC2STR(addr
), key_idx
, set_tx
);
183 wpa_hexdump(MSG_DEBUG
, "SUPP: set_key - seq", seq
, seq_len
);
184 wpa_hexdump(MSG_DEBUG
, "SUPP: set_key - key", key
, key_len
);
189 static int supp_mlme_setprotection(void *ctx
, const u8
*addr
,
190 int protection_type
, int key_type
)
192 wpa_printf(MSG_DEBUG
, "SUPP: %s(addr=" MACSTR
" protection_type=%d "
194 __func__
, MAC2STR(addr
), protection_type
, key_type
);
199 static void supp_cancel_auth_timeout(void *ctx
)
201 wpa_printf(MSG_DEBUG
, "SUPP: %s", __func__
);
205 static void * supp_get_network_ctx(void *ctx
)
211 static void supp_deauthenticate(void *ctx
, u16 reason_code
)
213 wpa_printf(MSG_DEBUG
, "SUPP: %s(%d)", __func__
, reason_code
);
217 static enum wpa_states
supp_get_state(void *ctx
)
219 return WPA_COMPLETED
;
223 static int supp_init(struct wpa
*wpa
)
225 struct wpa_sm_ctx
*ctx
= os_zalloc(sizeof(*ctx
));
232 ctx
->set_state
= supp_set_state
;
233 ctx
->get_bssid
= supp_get_bssid
;
234 ctx
->ether_send
= supp_ether_send
;
235 ctx
->get_beacon_ie
= supp_get_beacon_ie
;
236 ctx
->alloc_eapol
= supp_alloc_eapol
;
237 ctx
->set_key
= supp_set_key
;
238 ctx
->mlme_setprotection
= supp_mlme_setprotection
;
239 ctx
->cancel_auth_timeout
= supp_cancel_auth_timeout
;
240 ctx
->get_network_ctx
= supp_get_network_ctx
;
241 ctx
->deauthenticate
= supp_deauthenticate
;
242 ctx
->get_state
= supp_get_state
;
243 wpa
->supp
= wpa_sm_init(ctx
);
245 wpa_printf(MSG_DEBUG
, "SUPP: wpa_sm_init() failed");
249 wpa_sm_set_own_addr(wpa
->supp
, wpa
->supp_addr
);
251 wpa_sm_set_param(wpa
->supp
, WPA_PARAM_RSN_ENABLED
, 0);
252 wpa_sm_set_param(wpa
->supp
, WPA_PARAM_PROTO
, WPA_PROTO_WPA
);
253 wpa_sm_set_param(wpa
->supp
, WPA_PARAM_PAIRWISE
,
255 wpa_sm_set_param(wpa
->supp
, WPA_PARAM_GROUP
, WPA_CIPHER_TKIP
);
256 wpa_sm_set_param(wpa
->supp
, WPA_PARAM_KEY_MGMT
,
259 wpa_sm_set_param(wpa
->supp
, WPA_PARAM_RSN_ENABLED
, 1);
260 wpa_sm_set_param(wpa
->supp
, WPA_PARAM_PROTO
, WPA_PROTO_RSN
);
261 wpa_sm_set_param(wpa
->supp
, WPA_PARAM_PAIRWISE
,
263 wpa_sm_set_param(wpa
->supp
, WPA_PARAM_GROUP
, WPA_CIPHER_CCMP
);
264 wpa_sm_set_param(wpa
->supp
, WPA_PARAM_KEY_MGMT
,
266 wpa_sm_set_param(wpa
->supp
, WPA_PARAM_MFP
,
267 MGMT_FRAME_PROTECTION_OPTIONAL
);
269 wpa_sm_set_pmk(wpa
->supp
, wpa
->psk
, PMK_LEN
, NULL
, NULL
);
271 wpa
->supp_ie_len
= sizeof(wpa
->supp_ie
);
272 if (wpa_sm_set_assoc_wpa_ie_default(wpa
->supp
, wpa
->supp_ie
,
273 &wpa
->supp_ie_len
) < 0) {
274 wpa_printf(MSG_DEBUG
, "SUPP: wpa_sm_set_assoc_wpa_ie_default()"
279 wpa_sm_notify_assoc(wpa
->supp
, wpa
->auth_addr
);
286 static void deinit(struct wpa
*wpa
)
288 wpa_sm_deinit(wpa
->supp
);
289 os_free(wpa
->auth_eapol
);
290 wpa
->auth_eapol
= NULL
;
294 int LLVMFuzzerTestOneInput(const uint8_t *data
, size_t size
)
298 wpa_fuzzer_set_debug_level();
300 if (os_program_init())
303 os_memset(&wpa
, 0, sizeof(wpa
));
307 os_memset(wpa
.auth_addr
, 0x12, ETH_ALEN
);
308 os_memset(wpa
.supp_addr
, 0x32, ETH_ALEN
);
309 os_memset(wpa
.psk
, 0x44, PMK_LEN
);
312 wpa_printf(MSG_ERROR
, "Failed to initialize event loop");
316 if (supp_init(&wpa
) < 0)
319 wpa_printf(MSG_DEBUG
, "Starting eloop");
321 wpa_printf(MSG_DEBUG
, "eloop done");