1
/*
2
 * Copyright (c) 2019-2022 Yubico AB. All rights reserved.
3
 * Use of this source code is governed by a BSD-style
4
 * license that can be found in the LICENSE file.
5
 * SPDX-License-Identifier: BSD-2-Clause
6
 */
7

8
#include <assert.h>
9
#include <stdint.h>
10
#include <stdio.h>
11
#include <stdlib.h>
12
#include <string.h>
13

14
#include "mutator_aux.h"
15
#include "wiredata_fido2.h"
16
#include "dummy.h"
17

18
#include "../openbsd-compat/openbsd-compat.h"
19

20
#define MAXRPID	64
21

22
struct param {
23
	char pin1[MAXSTR];
24
	char pin2[MAXSTR];
25
	struct blob reset_wire_data;
26
	struct blob info_wire_data;
27
	struct blob set_pin_wire_data;
28
	struct blob change_pin_wire_data;
29
	struct blob retry_wire_data;
30
	struct blob config_wire_data;
31
	int seed;
32
};
33

34
static const uint8_t dummy_reset_wire_data[] = {
35
	WIREDATA_CTAP_INIT,
36
	WIREDATA_CTAP_CBOR_INFO,
37
	WIREDATA_CTAP_KEEPALIVE,
38
	WIREDATA_CTAP_KEEPALIVE,
39
	WIREDATA_CTAP_KEEPALIVE,
40
	WIREDATA_CTAP_CBOR_STATUS,
41
};
42

43
static const uint8_t dummy_info_wire_data[] = {
44
	WIREDATA_CTAP_INIT,
45
	WIREDATA_CTAP_CBOR_INFO,
46
	WIREDATA_CTAP_CBOR_INFO,
47
};
48

49
static const uint8_t dummy_set_pin_wire_data[] = {
50
	WIREDATA_CTAP_INIT,
51
	WIREDATA_CTAP_CBOR_INFO,
52
	WIREDATA_CTAP_CBOR_AUTHKEY,
53
	WIREDATA_CTAP_CBOR_STATUS,
54
};
55

56
static const uint8_t dummy_change_pin_wire_data[] = {
57
	WIREDATA_CTAP_INIT,
58
	WIREDATA_CTAP_CBOR_INFO,
59
	WIREDATA_CTAP_CBOR_AUTHKEY,
60
	WIREDATA_CTAP_CBOR_STATUS,
61
};
62

63
static const uint8_t dummy_retry_wire_data[] = {
64
	WIREDATA_CTAP_INIT,
65
	WIREDATA_CTAP_CBOR_INFO,
66
	WIREDATA_CTAP_CBOR_RETRIES,
67
};
68

69
static const uint8_t dummy_config_wire_data[] = {
70
	WIREDATA_CTAP_INIT,
71
	WIREDATA_CTAP_CBOR_INFO,
72
	WIREDATA_CTAP_CBOR_STATUS,
73
};
74

75
struct param *
76
unpack(const uint8_t *ptr, size_t len)
77
{
78
	cbor_item_t *item = NULL, **v;
79
	struct cbor_load_result cbor;
80
	struct param *p;
81
	int ok = -1;
82

83
	if ((p = calloc(1, sizeof(*p))) == NULL ||
84
	    (item = cbor_load(ptr, len, &cbor)) == NULL ||
85
	    cbor.read != len ||
86
	    cbor_isa_array(item) == false ||
87
	    cbor_array_is_definite(item) == false ||
88
	    cbor_array_size(item) != 9 ||
89
	    (v = cbor_array_handle(item)) == NULL)
90
		goto fail;
91

92
	if (unpack_int(v[0], &p->seed) < 0 ||
93
	    unpack_string(v[1], p->pin1) < 0 ||
94
	    unpack_string(v[2], p->pin2) < 0 ||
95
	    unpack_blob(v[3], &p->reset_wire_data) < 0 ||
96
	    unpack_blob(v[4], &p->info_wire_data) < 0 ||
97
	    unpack_blob(v[5], &p->set_pin_wire_data) < 0 ||
98
	    unpack_blob(v[6], &p->change_pin_wire_data) < 0 ||
99
	    unpack_blob(v[7], &p->retry_wire_data) < 0 ||
100
	    unpack_blob(v[8], &p->config_wire_data) < 0)
101
		goto fail;
102

103
	ok = 0;
104
fail:
105
	if (ok < 0) {
106
		free(p);
107
		p = NULL;
108
	}
109

110
	if (item)
111
		cbor_decref(&item);
112

113
	return p;
114
}
115

116
size_t
117
pack(uint8_t *ptr, size_t len, const struct param *p)
118
{
119
	cbor_item_t *argv[9], *array = NULL;
120
	size_t cbor_alloc_len, cbor_len = 0;
121
	unsigned char *cbor = NULL;
122

123
	memset(argv, 0, sizeof(argv));
124

125
	if ((array = cbor_new_definite_array(9)) == NULL ||
126
	    (argv[0] = pack_int(p->seed)) == NULL ||
127
	    (argv[1] = pack_string(p->pin1)) == NULL ||
128
	    (argv[2] = pack_string(p->pin2)) == NULL ||
129
	    (argv[3] = pack_blob(&p->reset_wire_data)) == NULL ||
130
	    (argv[4] = pack_blob(&p->info_wire_data)) == NULL ||
131
	    (argv[5] = pack_blob(&p->set_pin_wire_data)) == NULL ||
132
	    (argv[6] = pack_blob(&p->change_pin_wire_data)) == NULL ||
133
	    (argv[7] = pack_blob(&p->retry_wire_data)) == NULL ||
134
	    (argv[8] = pack_blob(&p->config_wire_data)) == NULL)
135
		goto fail;
136

137
	for (size_t i = 0; i < 9; i++)
138
		if (cbor_array_push(array, argv[i]) == false)
139
			goto fail;
140

141
	if ((cbor_len = cbor_serialize_alloc(array, &cbor,
142
	    &cbor_alloc_len)) == 0 || cbor_len > len) {
143
		cbor_len = 0;
144
		goto fail;
145
	}
146

147
	memcpy(ptr, cbor, cbor_len);
148
fail:
149
	for (size_t i = 0; i < 9; i++)
150
		if (argv[i])
151
			cbor_decref(&argv[i]);
152

153
	if (array)
154
		cbor_decref(&array);
155

156
	free(cbor);
157

158
	return cbor_len;
159
}
160

161
size_t
162
pack_dummy(uint8_t *ptr, size_t len)
163
{
164
	struct param dummy;
165
	uint8_t blob[MAXCORPUS];
166
	size_t blob_len;
167

168
	memset(&dummy, 0, sizeof(dummy));
169

170
	strlcpy(dummy.pin1, dummy_pin1, sizeof(dummy.pin1));
171
	strlcpy(dummy.pin2, dummy_pin2, sizeof(dummy.pin2));
172

173
	dummy.reset_wire_data.len = sizeof(dummy_reset_wire_data);
174
	dummy.info_wire_data.len = sizeof(dummy_info_wire_data);
175
	dummy.set_pin_wire_data.len = sizeof(dummy_set_pin_wire_data);
176
	dummy.change_pin_wire_data.len = sizeof(dummy_change_pin_wire_data);
177
	dummy.retry_wire_data.len = sizeof(dummy_retry_wire_data);
178
	dummy.config_wire_data.len = sizeof(dummy_config_wire_data);
179

180
	memcpy(&dummy.reset_wire_data.body, &dummy_reset_wire_data,
181
	    dummy.reset_wire_data.len);
182
	memcpy(&dummy.info_wire_data.body, &dummy_info_wire_data,
183
	    dummy.info_wire_data.len);
184
	memcpy(&dummy.set_pin_wire_data.body, &dummy_set_pin_wire_data,
185
	    dummy.set_pin_wire_data.len);
186
	memcpy(&dummy.change_pin_wire_data.body, &dummy_change_pin_wire_data,
187
	    dummy.change_pin_wire_data.len);
188
	memcpy(&dummy.retry_wire_data.body, &dummy_retry_wire_data,
189
	    dummy.retry_wire_data.len);
190
	memcpy(&dummy.config_wire_data.body, &dummy_config_wire_data,
191
	    dummy.config_wire_data.len);
192

193
	assert((blob_len = pack(blob, sizeof(blob), &dummy)) != 0);
194

195
	if (blob_len > len) {
196
		memcpy(ptr, blob, len);
197
		return len;
198
	}
199

200
	memcpy(ptr, blob, blob_len);
201

202
	return blob_len;
203
}
204

205
static void
206
dev_reset(const struct param *p)
207
{
208
	fido_dev_t *dev;
209

210
	set_wire_data(p->reset_wire_data.body, p->reset_wire_data.len);
211

212
	if ((dev = open_dev(0)) == NULL)
213
		return;
214

215
	fido_dev_reset(dev);
216
	fido_dev_close(dev);
217
	fido_dev_free(&dev);
218
}
219

220
static void
221
dev_get_cbor_info(const struct param *p)
222
{
223
	fido_dev_t *dev;
224
	fido_cbor_info_t *ci;
225
	uint64_t n;
226
	uint8_t proto, major, minor, build, flags;
227
	bool v;
228

229
	set_wire_data(p->info_wire_data.body, p->info_wire_data.len);
230

231
	if ((dev = open_dev(0)) == NULL)
232
		return;
233

234
	proto = fido_dev_protocol(dev);
235
	major = fido_dev_major(dev);
236
	minor = fido_dev_minor(dev);
237
	build = fido_dev_build(dev);
238
	flags = fido_dev_flags(dev);
239

240
	consume(&proto, sizeof(proto));
241
	consume(&major, sizeof(major));
242
	consume(&minor, sizeof(minor));
243
	consume(&build, sizeof(build));
244
	consume(&flags, sizeof(flags));
245

246
	if ((ci = fido_cbor_info_new()) == NULL)
247
		goto out;
248

249
	fido_dev_get_cbor_info(dev, ci);
250

251
	for (size_t i = 0; i < fido_cbor_info_versions_len(ci); i++) {
252
		char * const *sa = fido_cbor_info_versions_ptr(ci);
253
		consume(sa[i], strlen(sa[i]));
254
	}
255

256
	for (size_t i = 0; i < fido_cbor_info_extensions_len(ci); i++) {
257
		char * const *sa = fido_cbor_info_extensions_ptr(ci);
258
		consume(sa[i], strlen(sa[i]));
259
	}
260

261
	for (size_t i = 0; i < fido_cbor_info_transports_len(ci); i++) {
262
		char * const *sa = fido_cbor_info_transports_ptr(ci);
263
		consume(sa[i], strlen(sa[i]));
264
	}
265

266
	for (size_t i = 0; i < fido_cbor_info_options_len(ci); i++) {
267
		char * const *sa = fido_cbor_info_options_name_ptr(ci);
268
		const bool *va = fido_cbor_info_options_value_ptr(ci);
269
		consume(sa[i], strlen(sa[i]));
270
		consume(&va[i], sizeof(va[i]));
271
	}
272

273
	/* +1 on purpose */
274
	for (size_t i = 0; i <= fido_cbor_info_algorithm_count(ci); i++) {
275
		const char *type = fido_cbor_info_algorithm_type(ci, i);
276
		int cose = fido_cbor_info_algorithm_cose(ci, i);
277
		consume_str(type);
278
		consume(&cose, sizeof(cose));
279
	}
280

281
	for (size_t i = 0; i < fido_cbor_info_certs_len(ci); i++) {
282
		char * const *na = fido_cbor_info_certs_name_ptr(ci);
283
		const uint64_t *va = fido_cbor_info_certs_value_ptr(ci);
284
		consume(na[i], strlen(na[i]));
285
		consume(&va[i], sizeof(va[i]));
286
	}
287

288
	n = fido_cbor_info_maxmsgsiz(ci);
289
	consume(&n, sizeof(n));
290
	n = fido_cbor_info_maxcredbloblen(ci);
291
	consume(&n, sizeof(n));
292
	n = fido_cbor_info_maxcredcntlst(ci);
293
	consume(&n, sizeof(n));
294
	n = fido_cbor_info_maxcredidlen(ci);
295
	consume(&n, sizeof(n));
296
	n = fido_cbor_info_maxlargeblob(ci);
297
	consume(&n, sizeof(n));
298
	n = fido_cbor_info_fwversion(ci);
299
	consume(&n, sizeof(n));
300
	n = fido_cbor_info_minpinlen(ci);
301
	consume(&n, sizeof(n));
302
	n = fido_cbor_info_maxrpid_minpinlen(ci);
303
	consume(&n, sizeof(n));
304
	n = fido_cbor_info_uv_attempts(ci);
305
	consume(&n, sizeof(n));
306
	n = fido_cbor_info_uv_modality(ci);
307
	consume(&n, sizeof(n));
308
	n = (uint64_t)fido_cbor_info_rk_remaining(ci);
309
	consume(&n, sizeof(n));
310

311
	consume(fido_cbor_info_aaguid_ptr(ci), fido_cbor_info_aaguid_len(ci));
312
	consume(fido_cbor_info_protocols_ptr(ci),
313
	    fido_cbor_info_protocols_len(ci));
314

315
	v = fido_cbor_info_new_pin_required(ci);
316
	consume(&v, sizeof(v));
317

318
out:
319
	fido_dev_close(dev);
320
	fido_dev_free(&dev);
321

322
	fido_cbor_info_free(&ci);
323
}
324

325
static void
326
dev_set_pin(const struct param *p)
327
{
328
	fido_dev_t *dev;
329

330
	set_wire_data(p->set_pin_wire_data.body, p->set_pin_wire_data.len);
331

332
	if ((dev = open_dev(0)) == NULL)
333
		return;
334

335
	fido_dev_set_pin(dev, p->pin1, NULL);
336
	fido_dev_close(dev);
337
	fido_dev_free(&dev);
338
}
339

340
static void
341
dev_change_pin(const struct param *p)
342
{
343
	fido_dev_t *dev;
344

345
	set_wire_data(p->change_pin_wire_data.body, p->change_pin_wire_data.len);
346

347
	if ((dev = open_dev(0)) == NULL)
348
		return;
349

350
	fido_dev_set_pin(dev, p->pin2, p->pin1);
351
	fido_dev_close(dev);
352
	fido_dev_free(&dev);
353
}
354

355
static void
356
dev_get_retry_count(const struct param *p)
357
{
358
	fido_dev_t *dev;
359
	int n = 0;
360

361
	set_wire_data(p->retry_wire_data.body, p->retry_wire_data.len);
362

363
	if ((dev = open_dev(0)) == NULL)
364
		return;
365

366
	fido_dev_get_retry_count(dev, &n);
367
	consume(&n, sizeof(n));
368
	fido_dev_close(dev);
369
	fido_dev_free(&dev);
370
}
371

372
static void
373
dev_get_uv_retry_count(const struct param *p)
374
{
375
	fido_dev_t *dev;
376
	int n = 0;
377

378
	set_wire_data(p->retry_wire_data.body, p->retry_wire_data.len);
379

380
	if ((dev = open_dev(0)) == NULL)
381
		return;
382

383
	fido_dev_get_uv_retry_count(dev, &n);
384
	consume(&n, sizeof(n));
385
	fido_dev_close(dev);
386
	fido_dev_free(&dev);
387
}
388

389
static void
390
dev_enable_entattest(const struct param *p)
391
{
392
	fido_dev_t *dev;
393
	const char *pin;
394
	int r;
395

396
	set_wire_data(p->config_wire_data.body, p->config_wire_data.len);
397
	if ((dev = open_dev(0)) == NULL)
398
		return;
399
	pin = p->pin1;
400
	if (strlen(pin) == 0)
401
		pin = NULL;
402
	r = fido_dev_enable_entattest(dev, pin);
403
	consume_str(fido_strerr(r));
404
	fido_dev_close(dev);
405
	fido_dev_free(&dev);
406
}
407

408
static void
409
dev_toggle_always_uv(const struct param *p)
410
{
411
	fido_dev_t *dev;
412
	const char *pin;
413
	int r;
414

415
	set_wire_data(p->config_wire_data.body, p->config_wire_data.len);
416
	if ((dev = open_dev(0)) == NULL)
417
		return;
418
	pin = p->pin1;
419
	if (strlen(pin) == 0)
420
		pin = NULL;
421
	r = fido_dev_toggle_always_uv(dev, pin);
422
	consume_str(fido_strerr(r));
423
	fido_dev_close(dev);
424
	fido_dev_free(&dev);
425
}
426

427
static void
428
dev_force_pin_change(const struct param *p)
429
{
430
	fido_dev_t *dev;
431
	const char *pin;
432
	int r;
433

434
	set_wire_data(p->config_wire_data.body, p->config_wire_data.len);
435
	if ((dev = open_dev(0)) == NULL)
436
		return;
437
	pin = p->pin1;
438
	if (strlen(pin) == 0)
439
		pin = NULL;
440
	r = fido_dev_force_pin_change(dev, pin);
441
	consume_str(fido_strerr(r));
442
	fido_dev_close(dev);
443
	fido_dev_free(&dev);
444
}
445

446
static void
447
dev_set_pin_minlen(const struct param *p)
448
{
449
	fido_dev_t *dev;
450
	const char *pin;
451
	int r;
452

453
	set_wire_data(p->config_wire_data.body, p->config_wire_data.len);
454
	if ((dev = open_dev(0)) == NULL)
455
		return;
456
	pin = p->pin1;
457
	if (strlen(pin) == 0)
458
		pin = NULL;
459
	r = fido_dev_set_pin_minlen(dev, strlen(p->pin2), pin);
460
	consume_str(fido_strerr(r));
461
	fido_dev_close(dev);
462
	fido_dev_free(&dev);
463
}
464

465
static void
466
dev_set_pin_minlen_rpid(const struct param *p)
467
{
468
	fido_dev_t *dev;
469
	const char *rpid[MAXRPID];
470
	const char *pin;
471
	size_t n;
472
	int r;
473

474
	set_wire_data(p->config_wire_data.body, p->config_wire_data.len);
475
	if ((dev = open_dev(0)) == NULL)
476
		return;
477
	n = uniform_random(MAXRPID);
478
	for (size_t i = 0; i < n; i++)
479
		rpid[i] = dummy_rp_id;
480
	pin = p->pin1;
481
	if (strlen(pin) == 0)
482
		pin = NULL;
483
	r = fido_dev_set_pin_minlen_rpid(dev, rpid, n, pin);
484
	consume_str(fido_strerr(r));
485
	fido_dev_close(dev);
486
	fido_dev_free(&dev);
487
}
488

489
void
490
test(const struct param *p)
491
{
492
	prng_init((unsigned int)p->seed);
493
	fuzz_clock_reset();
494
	fido_init(FIDO_DEBUG);
495
	fido_set_log_handler(consume_str);
496

497
	dev_reset(p);
498
	dev_get_cbor_info(p);
499
	dev_set_pin(p);
500
	dev_change_pin(p);
501
	dev_get_retry_count(p);
502
	dev_get_uv_retry_count(p);
503
	dev_enable_entattest(p);
504
	dev_toggle_always_uv(p);
505
	dev_force_pin_change(p);
506
	dev_set_pin_minlen(p);
507
	dev_set_pin_minlen_rpid(p);
508
}
509

510
void
511
mutate(struct param *p, unsigned int seed, unsigned int flags) NO_MSAN
512
{
513
	if (flags & MUTATE_SEED)
514
		p->seed = (int)seed;
515

516
	if (flags & MUTATE_PARAM) {
517
		mutate_string(p->pin1);
518
		mutate_string(p->pin2);
519
	}
520

521
	if (flags & MUTATE_WIREDATA) {
522
		mutate_blob(&p->reset_wire_data);
523
		mutate_blob(&p->info_wire_data);
524
		mutate_blob(&p->set_pin_wire_data);
525
		mutate_blob(&p->change_pin_wire_data);
526
		mutate_blob(&p->retry_wire_data);
527
	}
528
}
529

530