authorJohn Andersen <john.s.andersen@intel.com>2019-01-16 13:59:16 -0800
committerTadeusz Struk <tadeusz.struk@intel.com>2019-02-27 10:12:03 -0800
commit4eab6da6bb877eeb89ee073411220a559d05cd5c (patch)
treeef2fc5a340bb0d4332a6ab79d4f6df7599f2e4b6 /test
parent443455b885c5e51aaeab691ebba31090a8809d68 (diff)
test: fuzz: Generate libfuzzer and OSS Fuzz tests
* Added python script gen_fuzz.py which reads include/tss2/tss2_sys.h and generates a fuzz target for all _Prepare and _Complete calls. It also generates Makefile-fuzz-generated.am for building each fuzz test. * Modified Makefile-fuzz.am to include Makefile-fuzz-generated.am * Added test/fuzz/main-sapi.cpp which defines a libfuzzer target used to fuzz SAPI calls. Signed-off-by: John Andersen <john.s.andersen@intel.com>
Diffstat (limited to 'test')
-rw-r--r--test/fuzz/main-sapi.cpp68
-rw-r--r--test/fuzz/tcti/tcti-fuzzing.c20
2 files changed, 78 insertions, 10 deletions
diff --git a/test/fuzz/main-sapi.cpp b/test/fuzz/main-sapi.cpp
new file mode 100644
index 00000000..1435190f
--- /dev/null
+++ b/test/fuzz/main-sapi.cpp
@@ -0,0 +1,68 @@
+/* SPDX-License-Identifier: BSD-2 */
+/***********************************************************************
+ * Copyright (c) 2018, Intel Corporation
+ *
+ * All rights reserved.
+ ***********************************************************************/
+#include <stdbool.h>
+#include <stdlib.h>
+
+#define LOGMODULE test
+extern "C" {
+#include "tss2_sys.h"
+#include "tss2_tcti.h"
+#include "util/log.h"
+#include "test.h"
+#include "test-options.h"
+#include "context-util.h"
+#include "tss2-sys/sysapi_util.h"
+#include "tcti/tcti-fuzzing.h"
+}
+
+extern "C"
+int
+LLVMFuzzerTestOneInput (
+ const uint8_t *Data,
+ size_t Size)
+{
+ int ret;
+ TSS2_SYS_CONTEXT *sapi_context;
+ _TSS2_SYS_CONTEXT_BLOB *ctx = NULL;
+ TSS2_TCTI_FUZZING_CONTEXT *tcti_fuzzing = NULL;
+
+ /* Use the fuzzing tcti */
+ test_opts_t opts = {
+ .tcti_type = FUZZING_TCTI,
+ .device_file = DEVICE_PATH_DEFAULT,
+ .socket_address = HOSTNAME_DEFAULT,
+ .socket_port = PORT_DEFAULT,
+ };
+
+ get_test_opts_from_env (&opts);
+ if (sanity_check_test_opts (&opts) != 0) {
+ LOG_ERROR("Checking test options");
+ exit(1); /* fatal error */
+ }
+
+ sapi_context = sapi_init_from_opts (&opts);
+ if (sapi_context == NULL) {
+ LOG_ERROR("SAPI context not initialized");
+ exit(1); /* fatal error */
+ }
+
+ ctx = syscontext_cast (sapi_context);
+ tcti_fuzzing = tcti_fuzzing_context_cast (ctx->tctiContext);
+ tcti_fuzzing->data = Data;
+ tcti_fuzzing->size = Size;
+
+ ret = test_invoke (sapi_context);
+
+ sapi_teardown_full (sapi_context);
+
+ if (ret) {
+ LOG_ERROR("Test failed");
+ exit(1); /* fatal error */
+ }
+
+ return 0; // Non-zero return values are reserved for future use.
+}
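Review bot: The final `if (ret) { LOG_ERROR("Test failed"); exit(1); }` after `sapi_teardown_full` turns every non-zero return from `test_invoke` into a process exit, and libFuzzer reports a fuzz target that exits as a finding. `test_invoke` is not visible in this commit view, but if it can return non-zero merely because the fuzzed bytes were rejected as malformed, ordinary inputs will be recorded as failures and real sanitizer findings become harder to triage. I would keep the fatal path for the two harness setup errors above it and treat a rejected input as a normal outcome, e.g. `if (ret) { LOG_ERROR("Test failed"); return 0; }`. Where a non-zero result really does indicate a broken invariant, `abort()` is preferable to `exit(1)` so the report carries a stack trace for the offending input.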
diff --git a/test/fuzz/tcti/tcti-fuzzing.c b/test/fuzz/tcti/tcti-fuzzing.c
index c60e3bdd..726f4f71 100644
--- a/test/fuzz/tcti/tcti-fuzzing.c
+++ b/test/fuzz/tcti/tcti-fuzzing.c
@@ -60,12 +60,12 @@ fuzz_fill (
{
va_list ap;
const uint8_t *data = NULL;
- const uint8_t *curr = NULL;
+ const uint8_t *pointer_into_data = NULL;
size_t size = 0U;
size_t i = 0U;
- void *dest;
- size_t length = 0U;
- size_t combined = 0U;
+ void *copy_into_type;
+ size_t copy_into_length = 0U;
+ size_t data_used = 0U;
_TSS2_SYS_CONTEXT_BLOB *ctx = NULL;
TSS2_TCTI_FUZZING_CONTEXT *tcti_fuzzing = NULL;
@@ -77,12 +77,12 @@ fuzz_fill (
va_start (ap, count);
for (i = 0U; i < (count / 2); ++i) {
- length = va_arg (ap, size_t);
- dest = va_arg (ap, void *);
- if (size > (combined + length)) {
- curr = &data[combined];
- combined += length;
- memcpy (dest, curr, length);
+ copy_into_length = va_arg (ap, size_t);
+ copy_into_type = va_arg (ap, void *);
+ if (size > (data_used + copy_into_length)) {
+ pointer_into_data = &data[data_used];
+ data_used += copy_into_length;
+ memcpy (copy_into_type, pointer_into_data, copy_into_length);
}
}