/libfido2/fuzz/mutator_aux.h
Line | Count | Source |
1 | | /* |
2 | | * Copyright (c) 2019-2022 Yubico AB. All rights reserved. |
3 | | * Use of this source code is governed by a BSD-style |
4 | | * license that can be found in the LICENSE file. |
5 | | * SPDX-License-Identifier: BSD-2-Clause |
6 | | */ |
7 | | |
8 | | #ifndef _MUTATOR_AUX_H |
9 | | #define _MUTATOR_AUX_H |
10 | | |
11 | | #include <sys/types.h> |
12 | | |
13 | | #include <stddef.h> |
14 | | #include <stdint.h> |
15 | | #include <cbor.h> |
16 | | |
17 | | #include "../src/fido.h" |
18 | | #include "../src/fido/bio.h" |
19 | | #include "../src/fido/config.h" |
20 | | #include "../src/fido/credman.h" |
21 | | #include "../src/fido/eddsa.h" |
22 | | #include "../src/fido/es256.h" |
23 | | #include "../src/fido/es384.h" |
24 | | #include "../src/fido/rs256.h" |
25 | | #include "../src/netlink.h" |
26 | | |
27 | | /* |
28 | | * As of LLVM 10.0.0, MSAN support in libFuzzer was still experimental. |
29 | | * We therefore have to be careful when using our custom mutator, or |
30 | | * MSAN will flag uninitialised reads on memory populated by libFuzzer. |
31 | | * Since there is no way to suppress MSAN without regenerating object |
32 | | * code (in which case you might as well rebuild libFuzzer with MSAN), |
33 | | * we adjust our mutator to make it less accurate while allowing |
34 | | * fuzzing to proceed. |
35 | | */ |
36 | | |
/*
 * MemorySanitizer detection.
 *
 * __has_feature is probed in a nested #if so that a preprocessor which
 * lacks it never has to parse the __has_feature(...) call.
 *
 *   WITH_MSAN  defined to 1 only when building with MSAN.
 *   NO_MSAN    function attribute that disables MSAN instrumentation;
 *              expands to nothing in every other build.
 *
 * Code tagged NO_MSAN is not checked for uninitialised reads, so keep
 * the attribute on the mutator paths that need it and nowhere else.
 */
#ifdef __has_feature
# if __has_feature(memory_sanitizer)
#  include <sanitizer/msan_interface.h>
#  define WITH_MSAN 1
#  define NO_MSAN __attribute__((no_sanitize("memory")))
# endif
#endif

#ifndef WITH_MSAN
# define NO_MSAN
#endif
48 | | |
/*
 * Mutation selectors. Each flag is a distinct bit so they can be OR-ed
 * together; MUTATE_ALL selects all three. Presumably passed to mutate()
 * as its flags argument -- confirm against the harness sources.
 */
#define MUTATE_SEED		0x01
#define MUTATE_PARAM		0x02
#define MUTATE_WIREDATA		0x04
#define MUTATE_ALL		(MUTATE_SEED | MUTATE_PARAM | MUTATE_WIREDATA)

/*
 * Size caps, in bytes. MAXBLOB is the fixed capacity of struct blob
 * below. NOTE(review): MAXSTR looks like the capacity expected of the
 * char buffers handed to unpack_string()/mutate_string(), and MAXCORPUS
 * the largest packed input -- confirm against the definitions.
 */
#define MAXSTR			1024
#define MAXBLOB			3600
#define MAXCORPUS		8192

/*
 * Device handle constants. Read as big-endian bytes the values spell
 * ASCII "hid!" and "nfc!". Presumably sentinel handles used by the
 * fake transports -- confirm against the harness sources.
 */
#define HID_DEV_HANDLE		0x68696421
#define NFC_DEV_HANDLE		0x6e666321

/*
 * Fixed-capacity byte buffer.
 * NOTE(review): len is presumably the number of valid bytes in body;
 * nothing in this header enforces len <= MAXBLOB, so code that fills a
 * blob from fuzzer input has to check it.
 */
struct blob {
	uint8_t	body[MAXBLOB];	/* storage, MAXBLOB bytes */
	size_t	len;		/* bytes in use (see note above) */
};
65 | | |
/*
 * Only forward-declared here, so the layout is opaque to users of this
 * header; presumably each fuzz target supplies its own definition.
 */
struct param;

/*
 * Per-target entry points.
 *
 * NOTE(review): the definitions are not part of this header. The
 * parameter names are descriptive labels and the remarks below are
 * inferred from the signatures -- confirm against the harness sources.
 *
 *   unpack      parse a byte buffer into a struct param; the input is
 *               fuzzer-controlled, so len must bound every read.
 *   pack        serialise p into ptr, which holds len bytes.
 *   pack_dummy  presumably writes a default input into ptr.
 *   mutate      alter p; flags is presumably a MUTATE_* mask.
 *   test        run the code under test with p.
 */
struct param *unpack(const uint8_t *ptr, size_t len);
size_t pack(uint8_t *ptr, size_t len, const struct param *p);
size_t pack_dummy(uint8_t *ptr, size_t len);
void mutate(struct param *p, unsigned int seed, unsigned int flags);
void test(const struct param *p);

/*
 * Sinks for data produced by the code under test. Presumably they read
 * every byte so that a sanitizer sees uninitialised or out-of-bounds
 * output -- confirm against the definitions.
 */
void consume(const void *body, size_t len);
void consume_str(const char *str);
76 | | |
/*
 * CBOR decoding helpers: read one value out of item into *v.
 *
 * NOTE(review): unpack_string() takes a bare char * with no capacity
 * argument, so the destination size is an implicit contract between
 * caller and callee -- presumably MAXSTR bytes. Confirm against the
 * definition, and never pass a smaller buffer. The meaning of the int
 * return value is not visible here.
 */
int unpack_blob(cbor_item_t *item, struct blob *v);
int unpack_byte(cbor_item_t *item, uint8_t *v);
int unpack_int(cbor_item_t *item, int *v);
int unpack_string(cbor_item_t *item, char *v);

/*
 * CBOR encoding helpers: build a new item from a value.
 * NOTE(review): ownership of the returned item, and whether NULL is
 * returned on failure, are not visible here -- confirm before use.
 */
cbor_item_t *pack_blob(const struct blob *v);
cbor_item_t *pack_byte(uint8_t v);
cbor_item_t *pack_int(int v);
cbor_item_t *pack_string(const char *v);

/*
 * In-place mutators for the primitive field types.
 * NOTE(review): mutate_string() has the same implicit-capacity contract
 * as unpack_string(); presumably s must hold MAXSTR bytes.
 */
void mutate_byte(uint8_t *b);
void mutate_int(int *i);
void mutate_blob(struct blob *blob);
void mutate_string(char *s);
91 | | |
/*
 * I/O shims used by the harnesses.
 *
 * NOTE(review): definitions are not part of this header; parameter
 * names are descriptive labels and the remarks are inferred from the
 * signatures -- confirm against the harness sources.
 */
ssize_t fd_read(int fd, void *ptr, size_t len);
ssize_t fd_write(int fd, const void *ptr, size_t len);

/*
 * nfc_read()/nfc_write() have the same parameter shapes as the first
 * two callbacks accepted by set_pcsc_io_functions() below. The trailing
 * int of nfc_read() is presumably a timeout in milliseconds.
 */
int nfc_read(void *handle, unsigned char *ptr, size_t len, int ms);
int nfc_write(void *handle, const unsigned char *ptr, size_t len);

/*
 * open_dev() presumably selects the NFC transport when its argument is
 * non-zero and HID otherwise. set_wire_data() installs the
 * fuzzer-controlled bytes the fake device will hand back; whether the
 * buffer is copied or merely referenced is not visible here.
 */
fido_dev_t *open_dev(int nfc);
void set_wire_data(const uint8_t *ptr, size_t len);

/*
 * Harness clock and pseudo-random generator. Note that prng_uint32()
 * is declared to return unsigned long, not uint32_t. These are fuzzing
 * aids for the harness, not a source of cryptographic randomness.
 */
void fuzz_clock_reset(void);
void prng_init(unsigned long seed);
unsigned long prng_uint32(void);

/* Presumably returns a value below upper_bound -- confirm. */
uint32_t uniform_random(uint32_t upper_bound);

/*
 * PC/SC hooks. The three callbacks are, in order, a read, a write and
 * a consume function, matching nfc_read(), nfc_write() and consume().
 */
void set_pcsc_parameters(const struct blob *b);
void set_pcsc_io_functions(int (*read_f)(void *, u_char *, size_t, int),
    int (*write_f)(void *, const u_char *, size_t),
    void (*consume_f)(const void *, size_t));
110 | | |
111 | | #endif /* !_MUTATOR_AUX_H */ |