From 173bfbf7886608a4a7abbfac6a42ac4bf4a3432d Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 20 Sep 2020 16:14:20 +0100 Subject: New upstream version 1.5.0 --- fuzz/fuzz_credman.c | 314 +++++++++++++++++++++++++++------------------------- 1 file changed, 163 insertions(+), 151 deletions(-) (limited to 'fuzz/fuzz_credman.c') diff --git a/fuzz/fuzz_credman.c b/fuzz/fuzz_credman.c index 323d0a9..db0dfb8 100644 --- a/fuzz/fuzz_credman.c +++ b/fuzz/fuzz_credman.c @@ -19,25 +19,16 @@ #include "../openbsd-compat/openbsd-compat.h" -#define TAG_META_WIRE_DATA 0x01 -#define TAG_RP_WIRE_DATA 0x02 -#define TAG_RK_WIRE_DATA 0x03 -#define TAG_DEL_WIRE_DATA 0x04 -#define TAG_CRED_ID 0x05 -#define TAG_PIN 0x06 -#define TAG_RP_ID 0x07 -#define TAG_SEED 0x08 - /* Parameter set defining a FIDO2 credential management operation. */ struct param { - char pin[MAXSTR]; - char rp_id[MAXSTR]; - int seed; - struct blob cred_id; - struct blob del_wire_data; - struct blob meta_wire_data; - struct blob rk_wire_data; - struct blob rp_wire_data; + char pin[MAXSTR]; + char rp_id[MAXSTR]; + int seed; + struct blob cred_id; + struct blob del_wire_data; + struct blob meta_wire_data; + struct blob rk_wire_data; + struct blob rp_wire_data; }; /* @@ -88,56 +79,136 @@ static const uint8_t dummy_del_wire_data[] = { WIREDATA_CTAP_CBOR_STATUS, }; -int LLVMFuzzerTestOneInput(const uint8_t *, size_t); -size_t LLVMFuzzerCustomMutator(uint8_t *, size_t, size_t, unsigned int); - -static int -unpack(const uint8_t *ptr, size_t len, struct param *p) NO_MSAN +struct param * +unpack(const uint8_t *ptr, size_t len) { - uint8_t **pp = (void *)&ptr; - - if (unpack_string(TAG_PIN, pp, &len, p->pin) < 0 || - unpack_string(TAG_RP_ID, pp, &len, p->rp_id) < 0 || - unpack_blob(TAG_CRED_ID, pp, &len, &p->cred_id) < 0 || - unpack_blob(TAG_META_WIRE_DATA, pp, &len, &p->meta_wire_data) < 0 || - unpack_blob(TAG_RP_WIRE_DATA, pp, &len, &p->rp_wire_data) < 0 || - unpack_blob(TAG_RK_WIRE_DATA, pp, &len, &p->rk_wire_data) < 0 || - unpack_blob(TAG_DEL_WIRE_DATA, pp, &len, &p->del_wire_data) < 0 || - unpack_int(TAG_SEED, pp, &len, &p->seed) < 0) - return (-1); - - return (0); + cbor_item_t *item = NULL, **v; + struct cbor_load_result cbor; + struct param *p; + int ok = -1; + + if ((p = calloc(1, sizeof(*p))) == NULL || + (item = cbor_load(ptr, len, &cbor)) == NULL || + cbor.read != len || + cbor_isa_array(item) == false || + cbor_array_is_definite(item) == false || + cbor_array_size(item) != 8 || + (v = cbor_array_handle(item)) == NULL) + goto fail; + + if (unpack_int(v[0], &p->seed) < 0 || + unpack_string(v[1], p->pin) < 0 || + unpack_string(v[2], p->rp_id) < 0 || + unpack_blob(v[3], &p->cred_id) < 0 || + unpack_blob(v[4], &p->meta_wire_data) < 0 || + unpack_blob(v[5], &p->rp_wire_data) < 0 || + unpack_blob(v[6], &p->rk_wire_data) < 0 || + unpack_blob(v[7], &p->del_wire_data) < 0) + goto fail; + + ok = 0; +fail: + if (ok < 0) { + free(p); + p = NULL; + } + + if (item) + cbor_decref(&item); + + return p; } -static size_t +size_t pack(uint8_t *ptr, size_t len, const struct param *p) { - const size_t max = len; - - if (pack_string(TAG_PIN, &ptr, &len, p->pin) < 0 || - pack_string(TAG_RP_ID, &ptr, &len, p->rp_id) < 0 || - pack_blob(TAG_CRED_ID, &ptr, &len, &p->cred_id) < 0 || - pack_blob(TAG_META_WIRE_DATA, &ptr, &len, &p->meta_wire_data) < 0 || - pack_blob(TAG_RP_WIRE_DATA, &ptr, &len, &p->rp_wire_data) < 0 || - pack_blob(TAG_RK_WIRE_DATA, &ptr, &len, &p->rk_wire_data) < 0 || - pack_blob(TAG_DEL_WIRE_DATA, &ptr, &len, &p->del_wire_data) < 0 || - pack_int(TAG_SEED, &ptr, &len, p->seed) < 0) - return (0); - - return (max - len); + cbor_item_t *argv[8], *array = NULL; + size_t cbor_alloc_len, cbor_len = 0; + unsigned char *cbor = NULL; + + memset(argv, 0, sizeof(argv)); + + if ((array = cbor_new_definite_array(8)) == NULL || + (argv[0] = pack_int(p->seed)) == NULL || + (argv[1] = pack_string(p->pin)) == NULL || + (argv[2] = pack_string(p->rp_id)) == NULL || + (argv[3] = pack_blob(&p->cred_id)) == NULL || + (argv[4] = pack_blob(&p->meta_wire_data)) == NULL || + (argv[5] = pack_blob(&p->rp_wire_data)) == NULL || + (argv[6] = pack_blob(&p->rk_wire_data)) == NULL || + (argv[7] = pack_blob(&p->del_wire_data)) == NULL) + goto fail; + + for (size_t i = 0; i < 8; i++) + if (cbor_array_push(array, argv[i]) == false) + goto fail; + + if ((cbor_len = cbor_serialize_alloc(array, &cbor, + &cbor_alloc_len)) > len) { + cbor_len = 0; + goto fail; + } + + memcpy(ptr, cbor, cbor_len); +fail: + for (size_t i = 0; i < 8; i++) + if (argv[i]) + cbor_decref(&argv[i]); + + if (array) + cbor_decref(&array); + + free(cbor); + + return cbor_len; } -static size_t -input_len(int max) +size_t +pack_dummy(uint8_t *ptr, size_t len) { - return (2 * len_string(max) + 5 * len_blob(max) + len_int()); + struct param dummy; + uint8_t blob[4096]; + size_t blob_len; + + memset(&dummy, 0, sizeof(dummy)); + + strlcpy(dummy.pin, dummy_pin, sizeof(dummy.pin)); + strlcpy(dummy.rp_id, dummy_rp_id, sizeof(dummy.rp_id)); + + dummy.meta_wire_data.len = sizeof(dummy_meta_wire_data); + dummy.rp_wire_data.len = sizeof(dummy_rp_wire_data); + dummy.rk_wire_data.len = sizeof(dummy_rk_wire_data); + dummy.del_wire_data.len = sizeof(dummy_del_wire_data); + dummy.cred_id.len = sizeof(dummy_cred_id); + + memcpy(&dummy.meta_wire_data.body, &dummy_meta_wire_data, + dummy.meta_wire_data.len); + memcpy(&dummy.rp_wire_data.body, &dummy_rp_wire_data, + dummy.rp_wire_data.len); + memcpy(&dummy.rk_wire_data.body, &dummy_rk_wire_data, + dummy.rk_wire_data.len); + memcpy(&dummy.del_wire_data.body, &dummy_del_wire_data, + dummy.del_wire_data.len); + memcpy(&dummy.cred_id.body, &dummy_cred_id, dummy.cred_id.len); + + assert((blob_len = pack(blob, sizeof(blob), &dummy)) != 0); + + if (blob_len > len) { + memcpy(ptr, blob, len); + return len; + } + + memcpy(ptr, blob, blob_len); + + return blob_len; } static fido_dev_t * -prepare_dev() +prepare_dev(void) { - fido_dev_t *dev; - fido_dev_io_t io; + fido_dev_t *dev; + fido_dev_io_t io; + bool x; memset(&io, 0, sizeof(io)); @@ -149,14 +220,19 @@ prepare_dev() if ((dev = fido_dev_new()) == NULL || fido_dev_set_io_functions(dev, &io) != FIDO_OK || fido_dev_open(dev, "nodev") != FIDO_OK) { fido_dev_free(&dev); - return (NULL); + return NULL; } - return (dev); + x = fido_dev_is_fido2(dev); + consume(&x, sizeof(x)); + x = fido_dev_supports_cred_prot(dev); + consume(&x, sizeof(x)); + + return dev; } static void -get_metadata(struct param *p) +get_metadata(const struct param *p) { fido_dev_t *dev; fido_credman_metadata_t *metadata; @@ -187,7 +263,7 @@ get_metadata(struct param *p) } static void -get_rp_list(struct param *p) +get_rp_list(const struct param *p) { fido_dev_t *dev; fido_credman_rp_t *rp; @@ -221,12 +297,12 @@ get_rp_list(struct param *p) } static void -get_rk_list(struct param *p) +get_rk_list(const struct param *p) { fido_dev_t *dev; fido_credman_rk_t *rk; const fido_cred_t *cred; - int type; + int val; set_wire_data(p->rk_wire_data.body, p->rk_wire_data.len); @@ -247,8 +323,8 @@ get_rk_list(struct param *p) assert(i >= fido_credman_rk_count(rk)); continue; } - type = fido_cred_type(cred); - consume(&type, sizeof(type)); + val = fido_cred_type(cred); + consume(&val, sizeof(val)); consume(fido_cred_id_ptr(cred), fido_cred_id_len(cred)); consume(fido_cred_pubkey_ptr(cred), fido_cred_pubkey_len(cred)); consume(fido_cred_user_id_ptr(cred), @@ -257,6 +333,8 @@ get_rk_list(struct param *p) xstrlen(fido_cred_user_name(cred))); consume(fido_cred_display_name(cred), xstrlen(fido_cred_display_name(cred))); + val = fido_cred_prot(cred); + consume(&val, sizeof(val)); } fido_credman_rk_free(&rk); @@ -265,7 +343,7 @@ get_rk_list(struct param *p) } static void -del_rk(struct param *p) +del_rk(const struct param *p) { fido_dev_t *dev; @@ -279,101 +357,35 @@ del_rk(struct param *p) fido_dev_free(&dev); } -int -LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) +void +test(const struct param *p) { - struct param p; - - memset(&p, 0, sizeof(p)); - - if (size < input_len(GETLEN_MIN) || size > input_len(GETLEN_MAX) || - unpack(data, size, &p) < 0) - return (0); - - prng_init((unsigned int)p.seed); - + prng_init((unsigned int)p->seed); fido_init(FIDO_DEBUG); fido_set_log_handler(consume_str); - get_metadata(&p); - get_rp_list(&p); - get_rk_list(&p); - del_rk(&p); - - return (0); + get_metadata(p); + get_rp_list(p); + get_rk_list(p); + del_rk(p); } -static size_t -pack_dummy(uint8_t *ptr, size_t len) +void +mutate(struct param *p, unsigned int seed, unsigned int flags) NO_MSAN { - struct param dummy; - uint8_t blob[32768]; - size_t blob_len; - - memset(&dummy, 0, sizeof(dummy)); - - strlcpy(dummy.pin, dummy_pin, sizeof(dummy.pin)); - strlcpy(dummy.rp_id, dummy_rp_id, sizeof(dummy.rp_id)); + if (flags & MUTATE_SEED) + p->seed = (int)seed; - dummy.meta_wire_data.len = sizeof(dummy_meta_wire_data); - dummy.rp_wire_data.len = sizeof(dummy_rp_wire_data); - dummy.rk_wire_data.len = sizeof(dummy_rk_wire_data); - dummy.del_wire_data.len = sizeof(dummy_del_wire_data); - dummy.cred_id.len = sizeof(dummy_cred_id); - - memcpy(&dummy.meta_wire_data.body, &dummy_meta_wire_data, - dummy.meta_wire_data.len); - memcpy(&dummy.rp_wire_data.body, &dummy_rp_wire_data, - dummy.rp_wire_data.len); - memcpy(&dummy.rk_wire_data.body, &dummy_rk_wire_data, - dummy.rk_wire_data.len); - memcpy(&dummy.del_wire_data.body, &dummy_del_wire_data, - dummy.del_wire_data.len); - memcpy(&dummy.cred_id.body, &dummy_cred_id, dummy.cred_id.len); - - blob_len = pack(blob, sizeof(blob), &dummy); - assert(blob_len != 0); - - if (blob_len > len) { - memcpy(ptr, blob, len); - return (len); + if (flags & MUTATE_PARAM) { + mutate_blob(&p->cred_id); + mutate_string(p->pin); + mutate_string(p->rp_id); } - memcpy(ptr, blob, blob_len); - - return (blob_len); -} - -size_t -LLVMFuzzerCustomMutator(uint8_t *data, size_t size, size_t maxsize, - unsigned int seed) NO_MSAN -{ - struct param p; - uint8_t blob[16384]; - size_t blob_len; - - memset(&p, 0, sizeof(p)); - - if (unpack(data, size, &p) < 0) - return (pack_dummy(data, maxsize)); - - p.seed = (int)seed; - - mutate_blob(&p.cred_id); - mutate_blob(&p.meta_wire_data); - mutate_blob(&p.rp_wire_data); - mutate_blob(&p.rk_wire_data); - mutate_blob(&p.del_wire_data); - - mutate_string(p.pin); - mutate_string(p.rp_id); - - blob_len = pack(blob, sizeof(blob), &p); - - if (blob_len == 0 || blob_len > maxsize) - return (0); - - memcpy(data, blob, blob_len); - - return (blob_len); + if (flags & MUTATE_WIREDATA) { + mutate_blob(&p->meta_wire_data); + mutate_blob(&p->rp_wire_data); + mutate_blob(&p->rk_wire_data); + mutate_blob(&p->del_wire_data); + } } -- cgit v1.2.3