/libfido2/fuzz/mutator_aux.h
Line | Count | Source |
1 | | /* |
2 | | * Copyright (c) 2019-2022 Yubico AB. All rights reserved. |
3 | | * Use of this source code is governed by a BSD-style |
4 | | * license that can be found in the LICENSE file. |
5 | | */ |
6 | | |
7 | | #ifndef _MUTATOR_AUX_H /* include guard: the body below is processed once per translation unit */ |
8 | | #define _MUTATOR_AUX_H /* NOTE(review): an underscore followed by an uppercase letter is a reserved identifier in C; renaming would also require touching the closing #endif comment */ |
9 | | |
10 | | #include <stddef.h> |
11 | | #include <stdint.h> |
12 | | #include <cbor.h> |
13 | | |
14 | | #include "../src/fido.h" |
15 | | #include "../src/fido/bio.h" |
16 | | #include "../src/fido/config.h" |
17 | | #include "../src/fido/credman.h" |
18 | | #include "../src/fido/eddsa.h" |
19 | | #include "../src/fido/es256.h" |
20 | | #include "../src/fido/es256.h" |
21 | | #include "../src/fido/rs256.h" |
22 | | #include "../src/netlink.h" |
23 | | |
24 | | /* |
25 | | * As of LLVM 10.0.0, MSAN support in libFuzzer was still experimental. |
26 | | * We therefore have to be careful when using our custom mutator, or |
27 | | * MSAN will flag uninitialised reads on memory populated by libFuzzer. |
28 | | * Since there is no way to suppress MSAN without regenerating object |
29 | | * code (in which case you might as well rebuild libFuzzer with MSAN), |
30 | | * we adjust our mutator to make it less accurate while allowing |
31 | | * fuzzing to proceed. |
32 | | */ |
33 | | |
34 | | #if defined(__has_feature) /* __has_feature is a Clang extension; compilers without it skip the probe and get the empty NO_MSAN defined further down */ |
35 | | # if __has_feature(memory_sanitizer) |
36 | | # include <sanitizer/msan_interface.h> |
37 | | # define NO_MSAN __attribute__((no_sanitize("memory"))) /* disables MSan's uninitialised-read checks in any function carrying this tag, so defects inside such functions go unreported by MSan */ |
38 | | # define WITH_MSAN 1 /* defined only for MSan builds; tested by the fallback block below */ |
39 | | # endif |
40 | | #endif |
41 | | |
42 | | #if !defined(WITH_MSAN) |
43 | | # define NO_MSAN /* non-MSan build: the annotation expands to nothing */ |
44 | | #endif |
45 | | |
46 | | #define MUTATE_SEED 0x01 /* MUTATE_* values are distinct single bits, so they can be OR-ed into one mask */ |
47 | | #define MUTATE_PARAM 0x02 |
48 | | #define MUTATE_WIREDATA 0x04 |
49 | | #define MUTATE_ALL (MUTATE_SEED | MUTATE_PARAM | MUTATE_WIREDATA) /* all three bits set (0x07) */ |
50 | | |
51 | | #define MAXSTR 1024 /* presumably the capacity, in bytes, of the char buffers handed to unpack_string() and mutate_string(), which take no size argument; confirm in mutator_aux.c */ |
52 | | #define MAXBLOB 3600 /* capacity, in bytes, of struct blob.body */ |
53 | | |
54 | | #define HID_DEV_HANDLE 0x68696421 /* the bytes spell "hid!" in ASCII; NOTE(review): where the handle is compared is not visible in this header */ |
55 | 1.03k | #define NFC_DEV_HANDLE 0x6e666321 /* the bytes spell "nfc!" in ASCII */ |
56 | | |
57 | | struct blob { /* fixed-capacity byte buffer paired with a length field */ |
58 | | uint8_t body[MAXBLOB]; /* MAXBLOB (3600) bytes of inline storage */ |
59 | | size_t len; /* presumably the number of valid bytes in body; nothing in this header enforces len <= MAXBLOB, so every producer and consumer has to check it; confirm */ |
60 | | }; |
61 | | |
62 | | struct param; /* incomplete type: the layout is not visible in this header (presumably supplied by each fuzz target; confirm) */ |
63 | | |
64 | | struct param *unpack(const uint8_t *, size_t); /* takes a read-only byte buffer and its length; presumably decodes it into a struct param. NOTE(review): the failure value and who owns the result are not stated here */ |
65 | | size_t pack(uint8_t *, size_t, const struct param *); /* presumably the inverse of unpack(): serialises into a buffer of the given size; the meaning of the size_t result (bytes written?) needs confirming */ |
66 | | size_t pack_dummy(uint8_t *, size_t); /* same buffer and size shape as pack() but with no struct param input; presumably emits a default input; confirm */ |
67 | | void mutate(struct param *, unsigned int, unsigned int); /* both unsigned ints are unnamed; presumably a seed and a MUTATE_* mask; confirm the order in the definition */ |
68 | | void test(const struct param *); /* receives the parameters read-only (const) */ |
69 | | |
70 | | void consume(const void *, size_t); /* read-only pointer plus length; presumably touches each byte so the sanitizers examine data returned by the library; confirm */ |
71 | | void consume_str(const char *); /* takes no length, so it presumably relies on the string being NUL-terminated; confirm */ |
72 | | |
73 | | int unpack_blob(cbor_item_t *, struct blob *); /* destination body holds at most MAXBLOB bytes; presumably longer CBOR byte strings are rejected; confirm the bound check in the definition */ |
74 | | int unpack_byte(cbor_item_t *, uint8_t *); /* int result is presumably a status code; the success and failure values are not visible here */ |
75 | | int unpack_int(cbor_item_t *, int *); |
76 | | int unpack_string(cbor_item_t *, char *); /* NOTE(review): the destination has no size parameter; its capacity is implicit (presumably MAXSTR) and every caller must pass a buffer at least that large; confirm */ |
77 | | |
78 | | cbor_item_t *pack_blob(const struct blob *); /* the pack_* helpers return a cbor_item_t pointer; NOTE(review): the failure value and who releases the item are not stated here */ |
79 | | cbor_item_t *pack_byte(uint8_t); |
80 | | cbor_item_t *pack_int(int); |
81 | | cbor_item_t *pack_string(const char *); |
82 | | |
83 | | void mutate_byte(uint8_t *); /* the mutate_* helpers take a non-const pointer and return void, so any result is written back through the pointer */ |
84 | | void mutate_int(int *); |
85 | | void mutate_blob(struct blob *); /* presumably keeps len within MAXBLOB when the blob grows; confirm */ |
86 | | void mutate_string(char *); /* NOTE(review): no size parameter; presumably assumes a MAXSTR-byte buffer, so a smaller one would be overrun; confirm */ |
87 | | |
88 | | ssize_t fd_read(int, void *, size_t); /* read(2)-shaped parameter list; NOTE(review): ssize_t is not declared by <stddef.h> or <stdint.h>, so it presumably arrives through the project headers included above; confirm */ |
89 | | ssize_t fd_write(int, const void *, size_t); /* write(2)-shaped parameter list */ |
90 | | |
91 | | int nfc_read(void *, unsigned char *, size_t, int); /* same parameter list as the first callback type taken by set_pcsc_io_functions(), assuming u_char is unsigned char; the trailing int is unnamed (presumably a timeout; confirm) */ |
92 | | int nfc_write(void *, const unsigned char *, size_t); /* same parameter list as the second callback type taken by set_pcsc_io_functions(), under the same assumption */ |
93 | | |
94 | | fido_dev_t *open_dev(int); /* the int is unnamed; presumably selects the transport (compare HID_DEV_HANDLE and NFC_DEV_HANDLE); the failure value is not stated here */ |
95 | | void set_wire_data(const uint8_t *, size_t); /* read-only buffer plus length; NOTE(review): whether the bytes are copied or the pointer is retained is not visible, so the required lifetime of the buffer needs confirming */ |
96 | | |
97 | | void fuzz_clock_reset(void); /* no arguments and no result: acts on state that this header does not expose */ |
98 | | void prng_init(unsigned long); /* presumably seeds the harness PRNG; a seeded generator is reproducible and is presumably not meant as a cryptographic source; confirm */ |
99 | | unsigned long prng_uint32(void); /* NOTE(review): returns unsigned long despite the name; whether the value is limited to 32 bits is not visible here */ |
100 | | |
101 | | uint32_t uniform_random(uint32_t); /* presumably returns a value below the argument; confirm, including the result for an argument of 0 */ |
102 | | |
103 | | void set_pcsc_parameters(const struct blob *); /* read-only blob; NOTE(review): what the bytes configure is not visible in this header */ |
104 | | void set_pcsc_io_functions(int (*)(void *, u_char *, size_t, int), /* first callback: same shape as nfc_read(), assuming u_char is unsigned char */ |
105 | | int (*)(void *, const u_char *, size_t), void (*)(const void *, size_t)); /* second callback has the shape of nfc_write(), third the shape of consume(); NOTE(review): u_char is not declared by the standard headers included here and presumably arrives transitively; confirm */ |
106 | | |
107 | | #endif /* !_MUTATOR_AUX_H */ |