2 * wpa_supplicant - EAPOL fuzzer
3 * Copyright (c) 2015, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
9 #include "utils/includes.h"
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "eapol_supp/eapol_supp_sm.h"
14 #include "rsn_supp/wpa.h"
20 struct eapol_sm *eapol;
24 static void test_send_eapol(void *eloop_data, void *user_ctx)
26 struct arg_ctx *ctx = eloop_data;
29 u8 src[ETH_ALEN] = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x01 };
33 wpa_printf(MSG_INFO, "eapol-fuzzer: Send '%s'", ctx->fname);
35 data = os_readfile(ctx->fname, &len);
37 wpa_printf(MSG_ERROR, "Could not read '%s'", ctx->fname);
41 wpa_hexdump(MSG_MSGDUMP, "fuzzer - EAPOL", data, len);
43 eapol_sm_notify_portEnabled(ctx->eapol, TRUE);
45 wpa_sm_set_param(ctx->wpa, WPA_PARAM_PROTO, WPA_PROTO_RSN);
46 wpa_sm_set_param(ctx->wpa, WPA_PARAM_RSN_ENABLED, 1);
47 wpa_sm_set_param(ctx->wpa, WPA_PARAM_KEY_MGMT, WPA_KEY_MGMT_PSK);
48 wpa_sm_set_param(ctx->wpa, WPA_PARAM_PAIRWISE, WPA_CIPHER_CCMP);
49 wpa_sm_set_param(ctx->wpa, WPA_PARAM_GROUP, WPA_CIPHER_CCMP);
51 wpa_ie_len = sizeof(wpa_ie);
52 wpa_sm_set_assoc_wpa_ie_default(ctx->wpa, wpa_ie, &wpa_ie_len);
54 if (eapol_sm_rx_eapol(ctx->eapol, src, (u8 *) data, len) <= 0)
55 wpa_sm_rx_eapol(ctx->wpa, src, (u8 *) data, len);
63 static void * get_network_ctx(void *arg)
69 static void set_state(void *arg, enum wpa_states state)
74 static void deauthenticate(void *arg, int reason_code)
79 static u8 * alloc_eapol(void *arg, u8 type,
80 const void *data, u16 data_len,
81 size_t *msg_len, void **data_pos)
83 struct ieee802_1x_hdr *hdr;
85 *msg_len = sizeof(*hdr) + data_len;
86 hdr = os_malloc(*msg_len);
92 hdr->length = host_to_be16(data_len);
95 os_memcpy(hdr + 1, data, data_len);
97 os_memset(hdr + 1, 0, data_len);
106 static int ether_send(void *arg, const u8 *dest, u16 proto,
107 const u8 *buf, size_t len)
113 static int get_bssid(void *ctx, u8 *bssid)
119 static int eapol_send(void *ctx, int type, const u8 *buf, size_t len)
125 static int init_wpa(struct arg_ctx *arg)
127 struct wpa_sm_ctx *ctx;
129 ctx = os_zalloc(sizeof(*ctx));
131 wpa_printf(MSG_ERROR, "Failed to allocate WPA context.");
137 ctx->get_network_ctx = get_network_ctx;
138 ctx->set_state = set_state;
139 ctx->deauthenticate = deauthenticate;
140 ctx->alloc_eapol = alloc_eapol;
141 ctx->ether_send = ether_send;
142 ctx->get_bssid = get_bssid;
144 arg->wpa = wpa_sm_init(ctx);
145 return arg->wpa ? 0 : -1;
149 static int init_eapol(struct arg_ctx *arg)
151 struct eapol_ctx *ctx;
153 ctx = os_zalloc(sizeof(*ctx));
155 wpa_printf(MSG_ERROR, "Failed to allocate EAPOL context.");
161 ctx->eapol_send = eapol_send;
163 arg->eapol = eapol_sm_init(ctx);
164 return arg->eapol ? 0 : -1;
168 int main(int argc, char *argv[])
174 printf("usage: %s <file>\n", argv[0]);
178 if (os_program_init())
182 wpa_debug_show_keys = 1;
185 wpa_printf(MSG_ERROR, "Failed to initialize event loop");
189 os_memset(&ctx, 0, sizeof(ctx));
191 if (init_wpa(&ctx) || init_eapol(&ctx))
194 eloop_register_timeout(0, 0, test_send_eapol, &ctx, NULL);
196 wpa_printf(MSG_DEBUG, "Starting eloop");
198 wpa_printf(MSG_DEBUG, "eloop done");
203 wpa_sm_deinit(ctx.wpa);
205 eapol_sm_deinit(ctx.eapol);