xref: /freebsd/contrib/libfido2/fuzz/fuzz_mgmt.c (revision 5ca8e32633c4ffbbcd6762e5888b6a4ba0708c6c)
1 /*
2  * Copyright (c) 2019-2022 Yubico AB. All rights reserved.
3  * Use of this source code is governed by a BSD-style
4  * license that can be found in the LICENSE file.
5  * SPDX-License-Identifier: BSD-2-Clause
6  */
7 
8 #include <assert.h>
9 #include <stdint.h>
10 #include <stdio.h>
11 #include <stdlib.h>
12 #include <string.h>
13 
14 #include "mutator_aux.h"
15 #include "wiredata_fido2.h"
16 #include "dummy.h"
17 
18 #include "../openbsd-compat/openbsd-compat.h"
19 
20 #define MAXRPID	64
21 
22 struct param {
23 	char pin1[MAXSTR];
24 	char pin2[MAXSTR];
25 	struct blob reset_wire_data;
26 	struct blob info_wire_data;
27 	struct blob set_pin_wire_data;
28 	struct blob change_pin_wire_data;
29 	struct blob retry_wire_data;
30 	struct blob config_wire_data;
31 	int seed;
32 };
33 
34 static const uint8_t dummy_reset_wire_data[] = {
35 	WIREDATA_CTAP_INIT,
36 	WIREDATA_CTAP_CBOR_INFO,
37 	WIREDATA_CTAP_KEEPALIVE,
38 	WIREDATA_CTAP_KEEPALIVE,
39 	WIREDATA_CTAP_KEEPALIVE,
40 	WIREDATA_CTAP_CBOR_STATUS,
41 };
42 
43 static const uint8_t dummy_info_wire_data[] = {
44 	WIREDATA_CTAP_INIT,
45 	WIREDATA_CTAP_CBOR_INFO,
46 	WIREDATA_CTAP_CBOR_INFO,
47 };
48 
49 static const uint8_t dummy_set_pin_wire_data[] = {
50 	WIREDATA_CTAP_INIT,
51 	WIREDATA_CTAP_CBOR_INFO,
52 	WIREDATA_CTAP_CBOR_AUTHKEY,
53 	WIREDATA_CTAP_CBOR_STATUS,
54 };
55 
56 static const uint8_t dummy_change_pin_wire_data[] = {
57 	WIREDATA_CTAP_INIT,
58 	WIREDATA_CTAP_CBOR_INFO,
59 	WIREDATA_CTAP_CBOR_AUTHKEY,
60 	WIREDATA_CTAP_CBOR_STATUS,
61 };
62 
63 static const uint8_t dummy_retry_wire_data[] = {
64 	WIREDATA_CTAP_INIT,
65 	WIREDATA_CTAP_CBOR_INFO,
66 	WIREDATA_CTAP_CBOR_RETRIES,
67 };
68 
69 static const uint8_t dummy_config_wire_data[] = {
70 	WIREDATA_CTAP_INIT,
71 	WIREDATA_CTAP_CBOR_INFO,
72 	WIREDATA_CTAP_CBOR_STATUS,
73 };
74 
75 struct param *
76 unpack(const uint8_t *ptr, size_t len)
77 {
78 	cbor_item_t *item = NULL, **v;
79 	struct cbor_load_result cbor;
80 	struct param *p;
81 	int ok = -1;
82 
83 	if ((p = calloc(1, sizeof(*p))) == NULL ||
84 	    (item = cbor_load(ptr, len, &cbor)) == NULL ||
85 	    cbor.read != len ||
86 	    cbor_isa_array(item) == false ||
87 	    cbor_array_is_definite(item) == false ||
88 	    cbor_array_size(item) != 9 ||
89 	    (v = cbor_array_handle(item)) == NULL)
90 		goto fail;
91 
92 	if (unpack_int(v[0], &p->seed) < 0 ||
93 	    unpack_string(v[1], p->pin1) < 0 ||
94 	    unpack_string(v[2], p->pin2) < 0 ||
95 	    unpack_blob(v[3], &p->reset_wire_data) < 0 ||
96 	    unpack_blob(v[4], &p->info_wire_data) < 0 ||
97 	    unpack_blob(v[5], &p->set_pin_wire_data) < 0 ||
98 	    unpack_blob(v[6], &p->change_pin_wire_data) < 0 ||
99 	    unpack_blob(v[7], &p->retry_wire_data) < 0 ||
100 	    unpack_blob(v[8], &p->config_wire_data) < 0)
101 		goto fail;
102 
103 	ok = 0;
104 fail:
105 	if (ok < 0) {
106 		free(p);
107 		p = NULL;
108 	}
109 
110 	if (item)
111 		cbor_decref(&item);
112 
113 	return p;
114 }
115 
116 size_t
117 pack(uint8_t *ptr, size_t len, const struct param *p)
118 {
119 	cbor_item_t *argv[9], *array = NULL;
120 	size_t cbor_alloc_len, cbor_len = 0;
121 	unsigned char *cbor = NULL;
122 
123 	memset(argv, 0, sizeof(argv));
124 
125 	if ((array = cbor_new_definite_array(9)) == NULL ||
126 	    (argv[0] = pack_int(p->seed)) == NULL ||
127 	    (argv[1] = pack_string(p->pin1)) == NULL ||
128 	    (argv[2] = pack_string(p->pin2)) == NULL ||
129 	    (argv[3] = pack_blob(&p->reset_wire_data)) == NULL ||
130 	    (argv[4] = pack_blob(&p->info_wire_data)) == NULL ||
131 	    (argv[5] = pack_blob(&p->set_pin_wire_data)) == NULL ||
132 	    (argv[6] = pack_blob(&p->change_pin_wire_data)) == NULL ||
133 	    (argv[7] = pack_blob(&p->retry_wire_data)) == NULL ||
134 	    (argv[8] = pack_blob(&p->config_wire_data)) == NULL)
135 		goto fail;
136 
137 	for (size_t i = 0; i < 9; i++)
138 		if (cbor_array_push(array, argv[i]) == false)
139 			goto fail;
140 
141 	if ((cbor_len = cbor_serialize_alloc(array, &cbor,
142 	    &cbor_alloc_len)) == 0 || cbor_len > len) {
143 		cbor_len = 0;
144 		goto fail;
145 	}
146 
147 	memcpy(ptr, cbor, cbor_len);
148 fail:
149 	for (size_t i = 0; i < 9; i++)
150 		if (argv[i])
151 			cbor_decref(&argv[i]);
152 
153 	if (array)
154 		cbor_decref(&array);
155 
156 	free(cbor);
157 
158 	return cbor_len;
159 }
160 
161 size_t
162 pack_dummy(uint8_t *ptr, size_t len)
163 {
164 	struct param dummy;
165 	uint8_t blob[MAXCORPUS];
166 	size_t blob_len;
167 
168 	memset(&dummy, 0, sizeof(dummy));
169 
170 	strlcpy(dummy.pin1, dummy_pin1, sizeof(dummy.pin1));
171 	strlcpy(dummy.pin2, dummy_pin2, sizeof(dummy.pin2));
172 
173 	dummy.reset_wire_data.len = sizeof(dummy_reset_wire_data);
174 	dummy.info_wire_data.len = sizeof(dummy_info_wire_data);
175 	dummy.set_pin_wire_data.len = sizeof(dummy_set_pin_wire_data);
176 	dummy.change_pin_wire_data.len = sizeof(dummy_change_pin_wire_data);
177 	dummy.retry_wire_data.len = sizeof(dummy_retry_wire_data);
178 	dummy.config_wire_data.len = sizeof(dummy_config_wire_data);
179 
180 	memcpy(&dummy.reset_wire_data.body, &dummy_reset_wire_data,
181 	    dummy.reset_wire_data.len);
182 	memcpy(&dummy.info_wire_data.body, &dummy_info_wire_data,
183 	    dummy.info_wire_data.len);
184 	memcpy(&dummy.set_pin_wire_data.body, &dummy_set_pin_wire_data,
185 	    dummy.set_pin_wire_data.len);
186 	memcpy(&dummy.change_pin_wire_data.body, &dummy_change_pin_wire_data,
187 	    dummy.change_pin_wire_data.len);
188 	memcpy(&dummy.retry_wire_data.body, &dummy_retry_wire_data,
189 	    dummy.retry_wire_data.len);
190 	memcpy(&dummy.config_wire_data.body, &dummy_config_wire_data,
191 	    dummy.config_wire_data.len);
192 
193 	assert((blob_len = pack(blob, sizeof(blob), &dummy)) != 0);
194 
195 	if (blob_len > len) {
196 		memcpy(ptr, blob, len);
197 		return len;
198 	}
199 
200 	memcpy(ptr, blob, blob_len);
201 
202 	return blob_len;
203 }
204 
205 static void
206 dev_reset(const struct param *p)
207 {
208 	fido_dev_t *dev;
209 
210 	set_wire_data(p->reset_wire_data.body, p->reset_wire_data.len);
211 
212 	if ((dev = open_dev(0)) == NULL)
213 		return;
214 
215 	fido_dev_reset(dev);
216 	fido_dev_close(dev);
217 	fido_dev_free(&dev);
218 }
219 
220 static void
221 dev_get_cbor_info(const struct param *p)
222 {
223 	fido_dev_t *dev;
224 	fido_cbor_info_t *ci;
225 	uint64_t n;
226 	uint8_t proto, major, minor, build, flags;
227 	bool v;
228 
229 	set_wire_data(p->info_wire_data.body, p->info_wire_data.len);
230 
231 	if ((dev = open_dev(0)) == NULL)
232 		return;
233 
234 	proto = fido_dev_protocol(dev);
235 	major = fido_dev_major(dev);
236 	minor = fido_dev_minor(dev);
237 	build = fido_dev_build(dev);
238 	flags = fido_dev_flags(dev);
239 
240 	consume(&proto, sizeof(proto));
241 	consume(&major, sizeof(major));
242 	consume(&minor, sizeof(minor));
243 	consume(&build, sizeof(build));
244 	consume(&flags, sizeof(flags));
245 
246 	if ((ci = fido_cbor_info_new()) == NULL)
247 		goto out;
248 
249 	fido_dev_get_cbor_info(dev, ci);
250 
251 	for (size_t i = 0; i < fido_cbor_info_versions_len(ci); i++) {
252 		char * const *sa = fido_cbor_info_versions_ptr(ci);
253 		consume(sa[i], strlen(sa[i]));
254 	}
255 
256 	for (size_t i = 0; i < fido_cbor_info_extensions_len(ci); i++) {
257 		char * const *sa = fido_cbor_info_extensions_ptr(ci);
258 		consume(sa[i], strlen(sa[i]));
259 	}
260 
261 	for (size_t i = 0; i < fido_cbor_info_transports_len(ci); i++) {
262 		char * const *sa = fido_cbor_info_transports_ptr(ci);
263 		consume(sa[i], strlen(sa[i]));
264 	}
265 
266 	for (size_t i = 0; i < fido_cbor_info_options_len(ci); i++) {
267 		char * const *sa = fido_cbor_info_options_name_ptr(ci);
268 		const bool *va = fido_cbor_info_options_value_ptr(ci);
269 		consume(sa[i], strlen(sa[i]));
270 		consume(&va[i], sizeof(va[i]));
271 	}
272 
273 	/* +1 on purpose */
274 	for (size_t i = 0; i <= fido_cbor_info_algorithm_count(ci); i++) {
275 		const char *type = fido_cbor_info_algorithm_type(ci, i);
276 		int cose = fido_cbor_info_algorithm_cose(ci, i);
277 		consume_str(type);
278 		consume(&cose, sizeof(cose));
279 	}
280 
281 	for (size_t i = 0; i < fido_cbor_info_certs_len(ci); i++) {
282 		char * const *na = fido_cbor_info_certs_name_ptr(ci);
283 		const uint64_t *va = fido_cbor_info_certs_value_ptr(ci);
284 		consume(na[i], strlen(na[i]));
285 		consume(&va[i], sizeof(va[i]));
286 	}
287 
288 	n = fido_cbor_info_maxmsgsiz(ci);
289 	consume(&n, sizeof(n));
290 	n = fido_cbor_info_maxcredbloblen(ci);
291 	consume(&n, sizeof(n));
292 	n = fido_cbor_info_maxcredcntlst(ci);
293 	consume(&n, sizeof(n));
294 	n = fido_cbor_info_maxcredidlen(ci);
295 	consume(&n, sizeof(n));
296 	n = fido_cbor_info_maxlargeblob(ci);
297 	consume(&n, sizeof(n));
298 	n = fido_cbor_info_fwversion(ci);
299 	consume(&n, sizeof(n));
300 	n = fido_cbor_info_minpinlen(ci);
301 	consume(&n, sizeof(n));
302 	n = fido_cbor_info_maxrpid_minpinlen(ci);
303 	consume(&n, sizeof(n));
304 	n = fido_cbor_info_uv_attempts(ci);
305 	consume(&n, sizeof(n));
306 	n = fido_cbor_info_uv_modality(ci);
307 	consume(&n, sizeof(n));
308 	n = (uint64_t)fido_cbor_info_rk_remaining(ci);
309 	consume(&n, sizeof(n));
310 
311 	consume(fido_cbor_info_aaguid_ptr(ci), fido_cbor_info_aaguid_len(ci));
312 	consume(fido_cbor_info_protocols_ptr(ci),
313 	    fido_cbor_info_protocols_len(ci));
314 
315 	v = fido_cbor_info_new_pin_required(ci);
316 	consume(&v, sizeof(v));
317 
318 out:
319 	fido_dev_close(dev);
320 	fido_dev_free(&dev);
321 
322 	fido_cbor_info_free(&ci);
323 }
324 
325 static void
326 dev_set_pin(const struct param *p)
327 {
328 	fido_dev_t *dev;
329 
330 	set_wire_data(p->set_pin_wire_data.body, p->set_pin_wire_data.len);
331 
332 	if ((dev = open_dev(0)) == NULL)
333 		return;
334 
335 	fido_dev_set_pin(dev, p->pin1, NULL);
336 	fido_dev_close(dev);
337 	fido_dev_free(&dev);
338 }
339 
340 static void
341 dev_change_pin(const struct param *p)
342 {
343 	fido_dev_t *dev;
344 
345 	set_wire_data(p->change_pin_wire_data.body, p->change_pin_wire_data.len);
346 
347 	if ((dev = open_dev(0)) == NULL)
348 		return;
349 
350 	fido_dev_set_pin(dev, p->pin2, p->pin1);
351 	fido_dev_close(dev);
352 	fido_dev_free(&dev);
353 }
354 
355 static void
356 dev_get_retry_count(const struct param *p)
357 {
358 	fido_dev_t *dev;
359 	int n = 0;
360 
361 	set_wire_data(p->retry_wire_data.body, p->retry_wire_data.len);
362 
363 	if ((dev = open_dev(0)) == NULL)
364 		return;
365 
366 	fido_dev_get_retry_count(dev, &n);
367 	consume(&n, sizeof(n));
368 	fido_dev_close(dev);
369 	fido_dev_free(&dev);
370 }
371 
372 static void
373 dev_get_uv_retry_count(const struct param *p)
374 {
375 	fido_dev_t *dev;
376 	int n = 0;
377 
378 	set_wire_data(p->retry_wire_data.body, p->retry_wire_data.len);
379 
380 	if ((dev = open_dev(0)) == NULL)
381 		return;
382 
383 	fido_dev_get_uv_retry_count(dev, &n);
384 	consume(&n, sizeof(n));
385 	fido_dev_close(dev);
386 	fido_dev_free(&dev);
387 }
388 
389 static void
390 dev_enable_entattest(const struct param *p)
391 {
392 	fido_dev_t *dev;
393 	const char *pin;
394 	int r;
395 
396 	set_wire_data(p->config_wire_data.body, p->config_wire_data.len);
397 	if ((dev = open_dev(0)) == NULL)
398 		return;
399 	pin = p->pin1;
400 	if (strlen(pin) == 0)
401 		pin = NULL;
402 	r = fido_dev_enable_entattest(dev, pin);
403 	consume_str(fido_strerr(r));
404 	fido_dev_close(dev);
405 	fido_dev_free(&dev);
406 }
407 
408 static void
409 dev_toggle_always_uv(const struct param *p)
410 {
411 	fido_dev_t *dev;
412 	const char *pin;
413 	int r;
414 
415 	set_wire_data(p->config_wire_data.body, p->config_wire_data.len);
416 	if ((dev = open_dev(0)) == NULL)
417 		return;
418 	pin = p->pin1;
419 	if (strlen(pin) == 0)
420 		pin = NULL;
421 	r = fido_dev_toggle_always_uv(dev, pin);
422 	consume_str(fido_strerr(r));
423 	fido_dev_close(dev);
424 	fido_dev_free(&dev);
425 }
426 
427 static void
428 dev_force_pin_change(const struct param *p)
429 {
430 	fido_dev_t *dev;
431 	const char *pin;
432 	int r;
433 
434 	set_wire_data(p->config_wire_data.body, p->config_wire_data.len);
435 	if ((dev = open_dev(0)) == NULL)
436 		return;
437 	pin = p->pin1;
438 	if (strlen(pin) == 0)
439 		pin = NULL;
440 	r = fido_dev_force_pin_change(dev, pin);
441 	consume_str(fido_strerr(r));
442 	fido_dev_close(dev);
443 	fido_dev_free(&dev);
444 }
445 
446 static void
447 dev_set_pin_minlen(const struct param *p)
448 {
449 	fido_dev_t *dev;
450 	const char *pin;
451 	int r;
452 
453 	set_wire_data(p->config_wire_data.body, p->config_wire_data.len);
454 	if ((dev = open_dev(0)) == NULL)
455 		return;
456 	pin = p->pin1;
457 	if (strlen(pin) == 0)
458 		pin = NULL;
459 	r = fido_dev_set_pin_minlen(dev, strlen(p->pin2), pin);
460 	consume_str(fido_strerr(r));
461 	fido_dev_close(dev);
462 	fido_dev_free(&dev);
463 }
464 
465 static void
466 dev_set_pin_minlen_rpid(const struct param *p)
467 {
468 	fido_dev_t *dev;
469 	const char *rpid[MAXRPID];
470 	const char *pin;
471 	size_t n;
472 	int r;
473 
474 	set_wire_data(p->config_wire_data.body, p->config_wire_data.len);
475 	if ((dev = open_dev(0)) == NULL)
476 		return;
477 	n = uniform_random(MAXRPID);
478 	for (size_t i = 0; i < n; i++)
479 		rpid[i] = dummy_rp_id;
480 	pin = p->pin1;
481 	if (strlen(pin) == 0)
482 		pin = NULL;
483 	r = fido_dev_set_pin_minlen_rpid(dev, rpid, n, pin);
484 	consume_str(fido_strerr(r));
485 	fido_dev_close(dev);
486 	fido_dev_free(&dev);
487 }
488 
489 void
490 test(const struct param *p)
491 {
492 	prng_init((unsigned int)p->seed);
493 	fuzz_clock_reset();
494 	fido_init(FIDO_DEBUG);
495 	fido_set_log_handler(consume_str);
496 
497 	dev_reset(p);
498 	dev_get_cbor_info(p);
499 	dev_set_pin(p);
500 	dev_change_pin(p);
501 	dev_get_retry_count(p);
502 	dev_get_uv_retry_count(p);
503 	dev_enable_entattest(p);
504 	dev_toggle_always_uv(p);
505 	dev_force_pin_change(p);
506 	dev_set_pin_minlen(p);
507 	dev_set_pin_minlen_rpid(p);
508 }
509 
510 void
511 mutate(struct param *p, unsigned int seed, unsigned int flags) NO_MSAN
512 {
513 	if (flags & MUTATE_SEED)
514 		p->seed = (int)seed;
515 
516 	if (flags & MUTATE_PARAM) {
517 		mutate_string(p->pin1);
518 		mutate_string(p->pin2);
519 	}
520 
521 	if (flags & MUTATE_WIREDATA) {
522 		mutate_blob(&p->reset_wire_data);
523 		mutate_blob(&p->info_wire_data);
524 		mutate_blob(&p->set_pin_wire_data);
525 		mutate_blob(&p->change_pin_wire_data);
526 		mutate_blob(&p->retry_wire_data);
527 	}
528 }
529