xref: /freebsd/contrib/libfido2/fuzz/fuzz_largeblob.c (revision 7ef62cebc2f965b0f640263e179276928885e33d)
1 /*
2  * Copyright (c) 2020 Yubico AB. All rights reserved.
3  * Use of this source code is governed by a BSD-style
4  * license that can be found in the LICENSE file.
5  */
6 
7 #include <assert.h>
8 #include <stdint.h>
9 #include <stdio.h>
10 #include <stdlib.h>
11 #include <string.h>
12 
13 #include "mutator_aux.h"
14 #include "wiredata_fido2.h"
15 #include "dummy.h"
16 
17 #include "../openbsd-compat/openbsd-compat.h"
18 
19 /* Parameter set defining a FIDO2 "large blob" operation. */
20 struct param {
21 	char pin[MAXSTR];
22 	int seed;
23 	struct blob key;
24 	struct blob get_wiredata;
25 	struct blob set_wiredata;
26 };
27 
28 /*
29  * Collection of HID reports from an authenticator issued with a FIDO2
30  * 'authenticatorLargeBlobs' 'get' command.
31  */
32 static const uint8_t dummy_get_wiredata[] = {
33 	WIREDATA_CTAP_INIT,
34 	WIREDATA_CTAP_CBOR_INFO,
35 	WIREDATA_CTAP_CBOR_LARGEBLOB_GET_ARRAY
36 };
37 
38 /*
39  * Collection of HID reports from an authenticator issued with a FIDO2
40  * 'authenticatorLargeBlobs' 'set' command.
41  */
42 static const uint8_t dummy_set_wiredata[] = {
43 	WIREDATA_CTAP_INIT,
44 	WIREDATA_CTAP_CBOR_INFO,
45 	WIREDATA_CTAP_CBOR_LARGEBLOB_GET_ARRAY,
46 	WIREDATA_CTAP_CBOR_AUTHKEY,
47 	WIREDATA_CTAP_CBOR_PINTOKEN,
48 	WIREDATA_CTAP_CBOR_STATUS
49 };
50 
51 /*
52  * XXX this needs to match the encrypted blob embedded in
53  * WIREDATA_CTAP_CBOR_LARGEBLOB_GET_ARRAY.
54  */
55 static const uint8_t dummy_key[] = {
56 	0xa9, 0x1b, 0xc4, 0xdd, 0xfc, 0x9a, 0x93, 0x79,
57 	0x75, 0xba, 0xf7, 0x7f, 0x4d, 0x57, 0xfc, 0xa6,
58 	0xe1, 0xf8, 0x06, 0x43, 0x23, 0x99, 0x51, 0x32,
59 	0xce, 0x6e, 0x19, 0x84, 0x50, 0x13, 0x2d, 0x7b
60 };
61 
62 struct param *
63 unpack(const uint8_t *ptr, size_t len)
64 {
65 	cbor_item_t *item = NULL, **v;
66 	struct cbor_load_result cbor;
67 	struct param *p;
68 	int ok = -1;
69 
70 	if ((p = calloc(1, sizeof(*p))) == NULL ||
71 	    (item = cbor_load(ptr, len, &cbor)) == NULL ||
72 	    cbor.read != len ||
73 	    cbor_isa_array(item) == false ||
74 	    cbor_array_is_definite(item) == false ||
75 	    cbor_array_size(item) != 5 ||
76 	    (v = cbor_array_handle(item)) == NULL)
77 		goto fail;
78 
79 	if (unpack_int(v[0], &p->seed) < 0 ||
80 	    unpack_string(v[1], p->pin) < 0 ||
81 	    unpack_blob(v[2], &p->key) < 0 ||
82 	    unpack_blob(v[3], &p->get_wiredata) < 0 ||
83 	    unpack_blob(v[4], &p->set_wiredata) < 0)
84 		goto fail;
85 
86 	ok = 0;
87 fail:
88 	if (ok < 0) {
89 		free(p);
90 		p = NULL;
91 	}
92 
93 	if (item)
94 		cbor_decref(&item);
95 
96 	return p;
97 }
98 
99 size_t
100 pack(uint8_t *ptr, size_t len, const struct param *p)
101 {
102 	cbor_item_t *argv[5], *array = NULL;
103 	size_t cbor_alloc_len, cbor_len = 0;
104 	unsigned char *cbor = NULL;
105 
106 	memset(argv, 0, sizeof(argv));
107 
108 	if ((array = cbor_new_definite_array(5)) == NULL ||
109 	    (argv[0] = pack_int(p->seed)) == NULL ||
110 	    (argv[1] = pack_string(p->pin)) == NULL ||
111 	    (argv[2] = pack_blob(&p->key)) == NULL ||
112 	    (argv[3] = pack_blob(&p->get_wiredata)) == NULL ||
113 	    (argv[4] = pack_blob(&p->set_wiredata)) == NULL)
114 		goto fail;
115 
116 	for (size_t i = 0; i < 5; i++)
117 		if (cbor_array_push(array, argv[i]) == false)
118 			goto fail;
119 
120 	if ((cbor_len = cbor_serialize_alloc(array, &cbor,
121 	    &cbor_alloc_len)) > len) {
122 		cbor_len = 0;
123 		goto fail;
124 	}
125 
126 	memcpy(ptr, cbor, cbor_len);
127 fail:
128 	for (size_t i = 0; i < 5; i++)
129 		if (argv[i])
130 			cbor_decref(&argv[i]);
131 
132 	if (array)
133 		cbor_decref(&array);
134 
135 	free(cbor);
136 
137 	return cbor_len;
138 }
139 
140 size_t
141 pack_dummy(uint8_t *ptr, size_t len)
142 {
143 	struct param dummy;
144 	uint8_t blob[4096];
145 	size_t blob_len;
146 
147 	memset(&dummy, 0, sizeof(dummy));
148 
149 	strlcpy(dummy.pin, dummy_pin, sizeof(dummy.pin));
150 
151 	dummy.get_wiredata.len = sizeof(dummy_get_wiredata);
152 	dummy.set_wiredata.len = sizeof(dummy_set_wiredata);
153 	dummy.key.len = sizeof(dummy_key);
154 
155 	memcpy(&dummy.get_wiredata.body, &dummy_get_wiredata,
156 	    dummy.get_wiredata.len);
157 	memcpy(&dummy.set_wiredata.body, &dummy_set_wiredata,
158 	    dummy.set_wiredata.len);
159 	memcpy(&dummy.key.body, &dummy_key, dummy.key.len);
160 
161 	assert((blob_len = pack(blob, sizeof(blob), &dummy)) != 0);
162 
163 	if (blob_len > len) {
164 		memcpy(ptr, blob, len);
165 		return len;
166 	}
167 
168 	memcpy(ptr, blob, blob_len);
169 
170 	return blob_len;
171 }
172 
173 static fido_dev_t *
174 prepare_dev(void)
175 {
176 	fido_dev_t *dev;
177 
178 	if ((dev = open_dev(0)) == NULL)
179 		return NULL;
180 
181 	return dev;
182 }
183 
184 static void
185 get_blob(const struct param *p, int array)
186 {
187 	fido_dev_t *dev;
188 	u_char *ptr = NULL;
189 	size_t len = 0;
190 
191 	set_wire_data(p->get_wiredata.body, p->get_wiredata.len);
192 
193 	if ((dev = prepare_dev()) == NULL)
194 		return;
195 
196 	if (array)
197 		fido_dev_largeblob_get_array(dev, &ptr, &len);
198 	else
199 		fido_dev_largeblob_get(dev, p->key.body, p->key.len, &ptr, &len);
200 	consume(ptr, len);
201 	free(ptr);
202 
203 	fido_dev_close(dev);
204 	fido_dev_free(&dev);
205 }
206 
207 
208 static void
209 set_blob(const struct param *p, int op)
210 {
211 	fido_dev_t *dev;
212 	const char *pin;
213 
214 	set_wire_data(p->set_wiredata.body, p->set_wiredata.len);
215 
216 	if ((dev = prepare_dev()) == NULL)
217 		return;
218 	pin = p->pin;
219 	if (strlen(pin) == 0)
220 		pin = NULL;
221 
222 	switch (op) {
223 	case 0:
224 		fido_dev_largeblob_remove(dev, p->key.body, p->key.len, pin);
225 		break;
226 	case 1:
227 		/* XXX reuse p->get_wiredata as the blob to be set */
228 		fido_dev_largeblob_set(dev, p->key.body, p->key.len,
229 		    p->get_wiredata.body, p->get_wiredata.len, pin);
230 		break;
231 	case 2:
232 		/* XXX reuse p->get_wiredata as the body of the cbor array */
233 		fido_dev_largeblob_set_array(dev, p->get_wiredata.body,
234 		    p->get_wiredata.len, pin);
235 	}
236 
237 	fido_dev_close(dev);
238 	fido_dev_free(&dev);
239 }
240 
241 void
242 test(const struct param *p)
243 {
244 	prng_init((unsigned int)p->seed);
245 	fuzz_clock_reset();
246 	fido_init(FIDO_DEBUG);
247 	fido_set_log_handler(consume_str);
248 
249 	get_blob(p, 0);
250 	get_blob(p, 1);
251 	set_blob(p, 0);
252 	set_blob(p, 1);
253 	set_blob(p, 2);
254 }
255 
256 void
257 mutate(struct param *p, unsigned int seed, unsigned int flags) NO_MSAN
258 {
259 	if (flags & MUTATE_SEED)
260 		p->seed = (int)seed;
261 
262 	if (flags & MUTATE_PARAM) {
263 		mutate_blob(&p->key);
264 		mutate_string(p->pin);
265 	}
266 
267 	if (flags & MUTATE_WIREDATA) {
268 		mutate_blob(&p->get_wiredata);
269 		mutate_blob(&p->set_wiredata);
270 	}
271 }
272