1 /*
2  * Copyright (c) 2019-2022 Yubico AB. All rights reserved.
3  * Use of this source code is governed by a BSD-style
4  * license that can be found in the LICENSE file.
5  * SPDX-License-Identifier: BSD-2-Clause
6  */
7 
8 #ifndef _MUTATOR_AUX_H
9 #define _MUTATOR_AUX_H
10 
11 #include <sys/types.h>
12 
13 #include <stddef.h>
14 #include <stdint.h>
15 #include <cbor.h>
16 
17 #include "../src/fido.h"
18 #include "../src/fido/bio.h"
19 #include "../src/fido/config.h"
20 #include "../src/fido/credman.h"
21 #include "../src/fido/eddsa.h"
22 #include "../src/fido/es256.h"
23 #include "../src/fido/es384.h"
24 #include "../src/fido/rs256.h"
25 #include "../src/netlink.h"
26 
/*
 * As of LLVM 10.0.0, MSAN support in libFuzzer was still experimental.
 * We therefore have to be careful when using our custom mutator, or
 * MSAN will flag uninitialised reads on memory populated by libFuzzer.
 * Since there is no way to suppress MSAN without regenerating object
 * code (in which case you might as well rebuild libFuzzer with MSAN),
 * we adjust our mutator to make it less accurate while allowing
 * fuzzing to proceed.
 */

/*
 * NO_MSAN marks a function as excluded from MemorySanitizer
 * instrumentation; WITH_MSAN is defined (to 1) only when the compiler
 * reports memory_sanitizer via __has_feature, i.e. only in an MSAN build.
 * Code wanting MSAN-specific behaviour should test WITH_MSAN, not NO_MSAN.
 */
#if defined(__has_feature)
# if  __has_feature(memory_sanitizer)
#  include <sanitizer/msan_interface.h>
#  define NO_MSAN	__attribute__((no_sanitize("memory")))
#  define WITH_MSAN	1
# endif
#endif

/* Outside an MSAN build the attribute expands to nothing. */
#if !defined(WITH_MSAN)
# define NO_MSAN
#endif
48 
/*
 * Bit flags selecting which parts of a struct param mutate() may touch;
 * they are single bits so they can be OR'ed together (see MUTATE_ALL).
 */
#define MUTATE_SEED	0x01
#define MUTATE_PARAM	0x02
#define MUTATE_WIREDATA	0x04
#define MUTATE_ALL	(MUTATE_SEED | MUTATE_PARAM | MUTATE_WIREDATA)

/*
 * Fixed capacities. MAXBLOB is the size of struct blob's body below.
 * NOTE(review): MAXSTR is presumably the capacity assumed by the char *
 * targets of unpack_string()/mutate_string(), and MAXCORPUS the size of
 * the packed corpus buffer -- neither is tied to a declaration in this
 * header, so confirm against the definitions before relying on it.
 */
#define MAXSTR		1024
#define MAXBLOB		3600
#define MAXCORPUS	8192

/*
 * Fake device handles: the values are the ASCII strings "hid!" and "nfc!"
 * read as big-endian 32-bit integers, which makes them easy to recognise
 * in a debugger. Presumably these are the ints accepted by open_dev()
 * below -- verify against the caller.
 */
#define HID_DEV_HANDLE	0x68696421
#define NFC_DEV_HANDLE	0x6e666321
60 
/*
 * Fixed-capacity byte buffer used for fuzzer inputs: body holds up to
 * MAXBLOB bytes and len is the number of bytes in use. Nothing in this
 * header enforces len <= MAXBLOB; NOTE(review): that invariant must be
 * maintained by whoever fills the struct (unpack_blob(), mutate_blob()) --
 * confirm in their definitions.
 */
struct blob {
	uint8_t body[MAXBLOB];
	size_t len;
};
65 
/*
 * Opaque per-harness parameter set; its layout is defined by each fuzz
 * target, so this header only forward-declares it.
 */
struct param;

/*
 * Corpus (de)serialisation and the harness entry points.
 *   unpack:      build a struct param from a (pointer, length) byte
 *                buffer; returns NULL on failure (presumably -- confirm).
 *                Ownership of the returned object is not documented here.
 *   pack:        serialise a struct param into the given buffer of the
 *                given size; returns the number of bytes used.
 *   pack_dummy:  write a placeholder corpus entry into the buffer.
 *   mutate:      alter the param in place; the two unsigned arguments are
 *                presumably a seed and a MUTATE_* flag mask -- verify
 *                against the definition.
 *   test:        run the harness against a fully-built param.
 */
struct param *unpack(const uint8_t *, size_t);
size_t pack(uint8_t *, size_t, const struct param *);
size_t pack_dummy(uint8_t *, size_t);
void mutate(struct param *, unsigned int, unsigned int);
void test(const struct param *);

/*
 * Sinks that "use" a value so the compiler cannot optimise away the code
 * that produced it: consume() takes a (pointer, length) region, and
 * consume_str() a NUL-terminated string.
 */
void consume(const void *, size_t);
void consume_str(const char *);
76 
/*
 * Decode a single CBOR item into a typed value; each returns an int status
 * (0 on success, presumably -1 otherwise -- confirm in the definitions).
 * NOTE(review): unpack_string() takes a bare char * with no capacity
 * argument, so its caller must supply a buffer of the size the definition
 * assumes (MAXSTR, presumably); verify before passing anything smaller.
 */
int unpack_blob(cbor_item_t *, struct blob *);
int unpack_byte(cbor_item_t *, uint8_t *);
int unpack_int(cbor_item_t *, int *);
int unpack_string(cbor_item_t *, char *);

/*
 * Encode a typed value as a new CBOR item. The returned cbor_item_t is
 * heap-allocated by libcbor; who releases it is not stated here.
 */
cbor_item_t *pack_blob(const struct blob *);
cbor_item_t *pack_byte(uint8_t);
cbor_item_t *pack_int(int);
cbor_item_t *pack_string(const char *);

/*
 * Randomly perturb a value in place. As with unpack_string(),
 * mutate_string() receives no capacity for the char * it rewrites.
 */
void mutate_byte(uint8_t *);
void mutate_int(int *);
void mutate_blob(struct blob *);
void mutate_string(char *);
91 
/*
 * read(2)/write(2)-shaped helpers: (fd, buffer, length) returning ssize_t.
 * Presumably they serve scripted wire data to the library under test
 * instead of touching a real descriptor -- confirm in the definitions.
 */
ssize_t fd_read(int, void *, size_t);
ssize_t fd_write(int, const void *, size_t);

/*
 * NFC transport hooks: (handle, buffer, length[, timeout]) returning an
 * int. The trailing int of nfc_read() is presumably a timeout, matching
 * the fido transport interface -- verify.
 */
int nfc_read(void *, unsigned char *, size_t, int);
int nfc_write(void *, const unsigned char *, size_t);

/*
 * open_dev() returns a fido_dev_t for the given fake handle (see
 * HID_DEV_HANDLE / NFC_DEV_HANDLE); set_wire_data() installs the
 * (pointer, length) byte sequence that the transport hooks above hand
 * back to the library.
 */
fido_dev_t *open_dev(int);
void set_wire_data(const uint8_t *, size_t);

/*
 * Determinism helpers. prng_init() seeds the generator; note that
 * prng_uint32() is declared to return unsigned long, not uint32_t,
 * despite its name.
 */
void fuzz_clock_reset(void);
void prng_init(unsigned long);
unsigned long prng_uint32(void);

/* Takes and returns a uint32_t; presumably yields a value in [0, arg). */
uint32_t uniform_random(uint32_t);

/*
 * PC/SC transport hooks. The three function-pointer parameters have the
 * shapes of nfc_read(), nfc_write() and consume() above (u_char being
 * unsigned char), in that order.
 */
void set_pcsc_parameters(const struct blob *);
void set_pcsc_io_functions(int (*)(void *, u_char *, size_t, int),
    int (*)(void *, const u_char *, size_t), void (*)(const void *, size_t));
110 
111 #endif /* !_MUTATOR_AUX_H */