author: Allen Webb <allenwebb@google.com> 2018-08-21 12:11:38 -0700
committer: chrome-bot <chrome-bot@chromium.org> 2018-12-03 12:43:22 -0800
commit: a5e1a639e55d1c6382b4d690c6b78f6f85e8fbc9
tree: 04ea72cd9750bc6b3e792550f7fd9515186a3636 /fuzz/cr50_fuzz.proto
parent: b343c963b38b03df97a1bc57f201e26640c89e47
cr50_fuzz: Add libprotobuf-mutator support.

This uses protocol buffers to model what actions can be taken with pinweaver at a higher level of abstraction than the raw requests to greatly increase the coverage that can be achieved by fuzzing, while still allowing for invalid inputs to be checked.

BRANCH=none
BUG=chromium:876582
TEST=sudo emerge libprotobuf-mutator && make -j buildfuzztests && ./build/host/cr50_fuzz/cr50_fuzz.exe

Change-Id: Ie7ce569650ca06866f277f36eae61df2684de60c
Signed-off-by: Allen Webb <allenwebb@google.com>
Reviewed-on: https://chromium-review.googlesource.com/1184107
Reviewed-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

Diffstat (limited to 'fuzz/cr50_fuzz.proto')
-rw-r--r-- fuzz/cr50_fuzz.proto 31
1 files changed, 31 insertions, 0 deletions
diff --git a/fuzz/cr50_fuzz.proto b/fuzz/cr50_fuzz.proto
new file mode 100644
index 0000000000..0291eacd88
--- /dev/null
+++ b/fuzz/cr50_fuzz.proto
@@ -0,0 +1,31 @@
+// Copyright 2018 The Chromium OS Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+syntax = "proto3";
+
+package fuzz;
+
+import public "fuzz/pinweaver/pinweaver.proto";
+
+message RandomBytes {
+ bytes value = 1;
+}
+
+message Cr50SubAction {
+ // Allows a logical representation of an action (PinWeaver) or a literal
+ // representation (RandomBytes). The logical representation fills out the
+ // expected values of particular fields when they are empty or not part of the
+ // proto so that the fuzzer can reach parts of the code without having to
+ // brute force an HMAC. The literal representation allows for the fuzzer to
+ // represent inputs that cannot be represented with the logical
+ // representation.
+ oneof sub_action {
+ RandomBytes random_bytes = 1;
+ pinweaver.Request pinweaver = 2;
+ }
+}
+
+message Cr50FuzzerInput {
+ repeated Cr50SubAction sub_actions = 1;
+}
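
Review bot: the `oneof sub_action` in `Cr50SubAction` can be left with neither `random_bytes` nor `pinweaver` set under proto3, and the comment above it describes only the two populated cases, so the expected handling of an empty sub-action is undocumented. Suggest adding a line to that comment stating that an unset `sub_action` is skipped (or treated as a no-op) so the consuming harness and later readers agree on it. In the same spirit, `RandomBytes.value` and the repeated `sub_actions` in `Cr50FuzzerInput` carry no stated size bound; a short comment on `RandomBytes` saying how the bytes are interpreted and what length the harness truncates or rejects at would make the literal path as clear as the logical one. Minor: `import public "fuzz/pinweaver/pinweaver.proto";` re-exports the pinweaver definitions to every file that imports this one; if no other .proto depends on that, a plain `import` keeps the dependency explicit.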