1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "cmusertrustedstore_fuzzer.h"
17
18 #include "cm_fuzz_test_common.h"
19 #include "cert_manager_api.h"
20 #include "cm_cert_data_user.h"
21 #include "cm_ipc_client_serialization.h"
22 #include "cm_ipc_service.h"
23 #include "cm_param.h"
24 #include "cert_manager_status.h"
25 #include "cm_type.h"
26
27 using namespace CmFuzzTest;
28 namespace OHOS {
29 constexpr uint32_t TEST_USERID = 100;
30 constexpr uint32_t MIN_DATA_USE_TIME = 10;
InstallUserCert(uint8_t * tmpData,uint32_t * remainSize,uint32_t * offset,struct CmBlob * keyUri)31 static bool InstallUserCert(uint8_t *tmpData, uint32_t *remainSize, uint32_t *offset, struct CmBlob *keyUri)
32 {
33 uint32_t userId = TEST_USERID;
34 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
35 if (!GetUintFromBuffer(tmpData, remainSize, offset, &userId)) {
36 return false;
37 }
38 }
39
40 uint32_t status = CERT_STATUS_ENABLED;
41 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
42 if (!GetUintFromBuffer(tmpData, remainSize, offset, &status)) {
43 return false;
44 }
45 }
46 struct CmBlob userCert = { sizeof(g_certData01), const_cast<uint8_t *>(g_certData01) };
47 static uint8_t certAliasBuf01[] = "40dc992e";
48 struct CmBlob certAlias = { sizeof(certAliasBuf01), certAliasBuf01 };
49 struct CmParam params01[] = {
50 { .tag = CM_TAG_PARAM0_BUFFER, .blob = userCert },
51 { .tag = CM_TAG_PARAM1_BUFFER, .blob = certAlias },
52 { .tag = CM_TAG_PARAM0_UINT32, .uint32Param = userId },
53 { .tag = CM_TAG_PARAM1_UINT32, .uint32Param = status },
54 };
55 struct CmParamSet *paramSet01 = NULL;
56 int32_t ret = CmParamsToParamSet(params01, CM_ARRAY_SIZE(params01), ¶mSet01);
57 if (ret != CM_SUCCESS) {
58 return false;
59 }
60 struct CmBlob paramSetBlob = { paramSet01->paramSetSize, reinterpret_cast<uint8_t *>(paramSet01) };
61 (void)CmIpcServiceInstallUserCert(¶mSetBlob, keyUri, nullptr);
62 CmFreeParamSet(¶mSet01);
63 return true;
64 }
SetUserCertStatus(uint8_t * tmpData,uint32_t * remainSize,uint32_t * offset,struct CmBlob * keyUri)65 static bool SetUserCertStatus(uint8_t *tmpData, uint32_t *remainSize, uint32_t *offset, struct CmBlob *keyUri)
66 {
67 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
68 if (!GetCmBlobFromBuffer(tmpData, remainSize, offset, keyUri)) {
69 return false;
70 }
71 }
72 uint32_t store = CM_USER_TRUSTED_STORE;
73 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
74 if (!GetUintFromBuffer(tmpData, remainSize, offset, &store)) {
75 return false;
76 }
77 }
78
79 uint32_t state = CERT_STATUS_ENABLED;
80 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
81 if (!GetUintFromBuffer(tmpData, remainSize, offset, &state)) {
82 return false;
83 }
84 }
85
86 struct CmParam params02[] = {
87 { .tag = CM_TAG_PARAM0_BUFFER, .blob = *keyUri },
88 { .tag = CM_TAG_PARAM0_UINT32, .uint32Param = store },
89 { .tag = CM_TAG_PARAM1_UINT32, .uint32Param = state },
90 };
91
92 struct CmParamSet *paramSet02 = nullptr;
93 int32_t ret = CmParamsToParamSet(¶ms02[0], CM_ARRAY_SIZE(params02), ¶mSet02);
94 if (ret != CM_SUCCESS) {
95 return false;
96 }
97 struct CmBlob paramSetBlob = { paramSet02->paramSetSize, reinterpret_cast<uint8_t*>(paramSet02) };
98 (void)CmIpcServiceSetUserCertStatus(¶mSetBlob, nullptr, nullptr);
99 CmFreeParamSet(¶mSet02);
100 return true;
101 }
102
GetAllUserCert(uint8_t * tmpData,uint32_t * remainSize,uint32_t * offset)103 static bool GetAllUserCert(uint8_t *tmpData, uint32_t *remainSize, uint32_t *offset)
104 {
105 uint32_t store = CM_USER_TRUSTED_STORE;
106 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
107 if (!GetUintFromBuffer(tmpData, remainSize, offset, &store)) {
108 return false;
109 }
110 }
111 uint8_t *certListBlobData = reinterpret_cast<uint8_t *>(CmMalloc(CERT_LIST_LEN));
112 if (certListBlobData == nullptr) {
113 return false;
114 }
115 struct CmBlob certListBlob = { CERT_LIST_LEN, certListBlobData };
116 struct CmParam params03[] = {
117 { .tag = CM_TAG_PARAM0_UINT32, .uint32Param = store },
118 };
119 struct CmParamSet *paramSet03 = nullptr;
120 int32_t ret = CmParamsToParamSet(¶ms03[0], CM_ARRAY_SIZE(params03), ¶mSet03);
121 if (ret != CM_SUCCESS) {
122 CmFree(certListBlobData);
123 return false;
124 }
125 struct CmBlob paramSetBlob = { paramSet03->paramSetSize, reinterpret_cast<uint8_t*>(paramSet03) };
126 (void)CmIpcServiceGetUserCertList(¶mSetBlob, &certListBlob, nullptr);
127 CmFree(certListBlobData);
128 CmFreeParamSet(¶mSet03);
129 return true;
130 }
131
GetUserCert(uint8_t * tmpData,uint32_t * remainSize,uint32_t * offset,struct CmBlob * keyUri)132 static bool GetUserCert(uint8_t *tmpData, uint32_t *remainSize, uint32_t *offset, struct CmBlob *keyUri)
133 {
134 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
135 if (!GetCmBlobFromBuffer(tmpData, remainSize, offset, keyUri)) {
136 return false;
137 }
138 }
139 uint32_t store = CM_USER_TRUSTED_STORE;
140 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
141 if (!GetUintFromBuffer(tmpData, remainSize, offset, &store)) {
142 return false;
143 }
144 }
145 uint8_t *certInfoData = reinterpret_cast<uint8_t *>(CmMalloc(CERT_INFO_LEN));
146 if (certInfoData == nullptr) {
147 return false;
148 }
149 CmBlob certInfoBlob = { CERT_INFO_LEN, certInfoData };
150 struct CmParam params04[] = {
151 { .tag = CM_TAG_PARAM0_BUFFER, .blob = *keyUri },
152 { .tag = CM_TAG_PARAM0_UINT32, .uint32Param = store },
153 };
154 struct CmParamSet *paramSet04 = nullptr;
155 int32_t ret = CmParamsToParamSet(¶ms04[0], CM_ARRAY_SIZE(params04), ¶mSet04);
156 if (ret != CM_SUCCESS) {
157 CmFree(certInfoData);
158 return false;
159 }
160 struct CmBlob paramSetBlob = { paramSet04->paramSetSize, reinterpret_cast<uint8_t*>(paramSet04) };
161 (void)CmIpcServiceGetUserCertInfo(¶mSetBlob, &certInfoBlob, nullptr);
162 CmFree(certInfoData);
163 CmFreeParamSet(¶mSet04);
164 return true;
165 }
166
UnInstallUserCert(uint8_t * tmpData,uint32_t * remainSize,uint32_t * offset,struct CmBlob * keyUri)167 static bool UnInstallUserCert(uint8_t *tmpData, uint32_t *remainSize, uint32_t *offset, struct CmBlob *keyUri)
168 {
169 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
170 if (!GetCmBlobFromBuffer(tmpData, remainSize, offset, keyUri)) {
171 return false;
172 }
173 }
174
175 uint32_t store = CM_USER_TRUSTED_STORE;
176 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
177 if (!GetUintFromBuffer(tmpData, remainSize, offset, &store)) {
178 return false;
179 }
180 }
181 struct CmParam params05[] = {
182 { .tag = CM_TAG_PARAM0_BUFFER, .blob = *keyUri },
183 { .tag = CM_TAG_PARAM0_UINT32, .uint32Param = store },
184 };
185 struct CmParamSet *paramSet05 = NULL;
186 int32_t ret = CmParamsToParamSet(params05, CM_ARRAY_SIZE(params05), ¶mSet05);
187 if (ret != CM_SUCCESS) {
188 return false;
189 }
190 struct CmBlob paramSetBlob = { paramSet05->paramSetSize, reinterpret_cast<uint8_t *>(paramSet05) };
191 (void)CmIpcServiceUninstallUserCert(¶mSetBlob, nullptr, nullptr);
192 CmFreeParamSet(¶mSet05);
193 return true;
194 }
195
DoSomethingInterestingWithMyAPI(const uint8_t * data,size_t size)196 bool DoSomethingInterestingWithMyAPI(const uint8_t* data, size_t size)
197 {
198 uint8_t *tmpData = nullptr;
199 if (!CopyMyData(data, size, sizeof(uint32_t) * MIN_DATA_USE_TIME, &tmpData)) {
200 return false;
201 }
202
203 uint32_t remainSize = static_cast<uint32_t>(size);
204 uint32_t offset = 0;
205 SetATPermission();
206
207 bool ret = false;
208 uint8_t keyUriData[] = "1d3472b9.0";
209 struct CmBlob keyUri = { sizeof(keyUriData), &keyUriData[0] };
210
211 do {
212 if (!InstallUserCert(tmpData, &remainSize, &offset, &keyUri)) {
213 break;
214 }
215
216 if (!SetUserCertStatus(tmpData, &remainSize, &offset, &keyUri)) {
217 break;
218 }
219
220 if (!GetAllUserCert(tmpData, &remainSize, &offset)) {
221 break;
222 }
223
224 if (!GetUserCert(tmpData, &remainSize, &offset, &keyUri)) {
225 break;
226 }
227
228 if (!UnInstallUserCert(tmpData, &remainSize, &offset, &keyUri)) {
229 break;
230 }
231 ret = true;
232 } while (0);
233 (void)CmIpcServiceUninstallAllUserCert(nullptr, nullptr, nullptr);
234 CmFree(tmpData);
235 return ret;
236 }
237 }
238
239
240 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)241 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
242 {
243 /* Run your code on data */
244 OHOS::DoSomethingInterestingWithMyAPI(data, size);
245 return 0;
246 }
247
248