1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "dslm_fuzzer.h"
17
18 #include "parcel.h"
19 #include "securec.h"
20
21 #include "device_security_defines.h"
22 #include "device_security_info.h"
23 #include "device_security_level_callback_stub.h"
24 #include "dslm_core_process.h"
25 #include "dslm_credential.h"
26 #include "dslm_credential_utils.h"
27 #include "dslm_device_list.h"
28 #include "dslm_hidumper.h"
29 #include "dslm_hievent.h"
30 #include "dslm_messenger_wrapper.h"
31 #include "dslm_msg_serialize.h"
32 #include "dslm_msg_utils.h"
33 #include "dslm_rpc_process.h"
34 #include "dslm_service.h"
35 #include "hks_adapter.h"
36 #include "messenger_device_socket_manager.h"
37 #include "messenger_device_status_manager.h"
38 #include "utils_base64.h"
39 #include "utils_mem.h"
40 #include "utils_tlv.h"
41 #include "hks_param.h"
42 #include "hks_type.h"
43 #include "external_interface_adapter.h"
44 #include "hks_adapter.h"
45 #include "dslm_test_link.h"
46
47 #define CNT 1000
48 #define ITEMSTATE 4
49 #define MAX_ENTRY 8
50 #define MAX_MALLOC_LEN (1 * 1024 * 1024)
51 #define INIT_MAX 3
52 #define PTR_LEN 4
53 #define BLOB_SIZE 5
54
55 extern "C" int32_t OnPeerMsgReceived(const DeviceIdentify *devId, const uint8_t *msg, uint32_t len);
56 extern "C" int32_t OnSendResultNotifier(const DeviceIdentify *devId, uint64_t transNo, uint32_t result);
57 extern "C" bool MessengerGetDeviceOnlineStatus(const DeviceIdentify *devId, int32_t *level);
58
59 namespace OHOS {
60 namespace Security {
61 namespace DeviceSecurityLevel {
62 namespace {
63 const uint8_t mockBuffer[DEVICE_ID_MAX_LEN] = {0};
64
65 DslmService g_dslmService(DEVICE_SECURITY_LEVEL_MANAGER_SA_ID, true);
66 static int32_t g_init = 0;
67
68 const char *g_cred = "eyJ0eXAiOiAiRFNMIn0=.eyJ0eXBlIjogImRlYnVnIiwgIm1h"
69 "bnVmYWN0dXJlIjogIk9IT1MiLCAiYnJhbmQiOiAicmszNTY4IiwgIm1vZGVsIjog"
70 "InJrMzU2OCIsICJzb2Z0d2FyZVZlcnNpb24iOiAiMy4wLjAiLCAic2VjdXJpdHlM"
71 "ZXZlbCI6ICJTTDMiLCAic2lnblRpbWUiOiAiMjAyMjExMjYxNzMzNDMiLCAidmVy"
72 "c2lvbiI6ICIxLjAuMSJ9.MGUCMEPpiP8hOZlve/H81B7AvL4Fuwe8YYAdKckLEOc"
73 "EQKKTiNRM6irjXSwboMppAFNMSgIxAILC1S6KMp6Zp2ACppXF3j3fV0PBdLZOSO1"
74 "Lm9sqtdiJ5FidaAaMYlwdLMy3vfBeSg==.W3sidXNlclB1YmxpY0tleSI6ICJNSG"
75 "93RkFZSEtvWkl6ajBDQVFZSkt5UURBd0lJQVFFTEEySUFCQiszTHJWUU13cWlwc2"
76 "VnOUFBT0twMDJFeDNKOTJlUzdrK0k5cFJPWnVvOFZFQmVvbzF6Ris2MWhtVU5TMm"
77 "tjN0c3NTBVOExOT2pUamhUVGp2NW1CQjdBdnhnUDMwc3d3SDJ1dFVoczhGRzAwQU"
78 "xsOUZuWFZsSmNpaGo5SGJ0WjNnPT0iLCAic2lnbmF0dXJlIjogIk1HVUNNUUNIUV"
79 "dzYXNYc1NpL3dJUThmWW5PRlhsaWhTem5ETG1RSjBEOGp4U3RVM2Z2bk4xZkgzUV"
80 "JJUnRzM1lIK293bE9zQ01EY2pJU0pOK2J6M2g0VUU2UTl1NW92K0RHcFRHL2Vqd0"
81 "xTU2FyMHJzZ09ZSVovODdRb0p2QllaM2hFamlDcWQ1dz09In0sIHsidXNlclB1Ym"
82 "xpY0tleSI6ICJNSG93RkFZSEtvWkl6ajBDQVFZSkt5UURBd0lJQVFFTEEySUFCRk"
83 "RMR2M4YlhQT2RBYVpLN25OQUZrYkRoVHBwcTNaQW92T3FKZDJKMy9vdW14eG84Qn"
84 "Q4ZGhiQjBtR3FHQjE4V0hpTkUwNFRCS1RvYU9lQ3NtZEZ0dUtXcEtwZEtIRDdGL3"
85 "YvaXhxbHd6MnMzSk9scFQ3dUQzbjNieHFaVHJzMnFnPT0iLCAic2lnbmF0dXJlIj"
86 "ogIk1HUUNNSGthczBkZDgwUVpiQVB6eElhMXhBYmd1WlhwNjU0T29rL2VGR2M0ek"
87 "tLczlqYjVKK24waHJDcytoa0JrR0N0b3dJd1pYcGlYUjRiS1h3RUlTZmdpSDI4dk"
88 "ZaZVQxcFJCcnFkSHd2d3ErOXcrdWQzMkhkeC90YWhHZ1kySHVZZFNHZDUifSwgey"
89 "J1c2VyUHVibGljS2V5IjogIk1Ib3dGQVlIS29aSXpqMENBUVlKS3lRREF3SUlBUU"
90 "VMQTJJQUJEVTVaYkhESGl2TGgzRFN4UDEwbGluL2FIMXJabG1XMnBMZ3JwZ3BiL0"
91 "lnWkkrMzJyWC9QdFhURGZWYmVyRG93VkhURTJ0MFZMNzlnQ2wrbUVCL1dBeDVEZW"
92 "1lamlMNTJ6S0l6M2RTNWJxVHdYVExvRHZTSml3Z3dxYmZPMEZtK3c9PSIsICJzaW"
93 "duYXR1cmUiOiAiTUdRQ01HWlI0MUdsd1RnL0xUMGtFT3lTZnRHTDBlV04zb2dXdF"
94 "o0NTZ2VkdqMm56WnhsamFlN2pveWw4cWZHNjZSTUdTQUl3S2M3V2VpQ1c1UlFGSj"
95 "ROWitSRUErNVNpMHhRVFpOdzlhb1FTUG5LVTA0L2ZIWUhkVERNWitncUY3U3RJMD"
96 "ZTbSJ9XQ==";
97
98 typedef struct {
99 uint32_t code;
100 void (*process)(DeviceIdentify *deviceIdentify, Parcel &parcel);
101 } DslmFuzzerTable;
102
OnPeerMsgReceivedTest1(DeviceIdentify * deviceIdentify,Parcel & parcel)103 void OnPeerMsgReceivedTest1(DeviceIdentify *deviceIdentify, Parcel &parcel)
104 {
105 uint8_t jsonString[] = R"(
106 {"message":0, "payload":111}
107 )";
108 (void)OnPeerMsgReceived(deviceIdentify, jsonString, sizeof(jsonString));
109 }
110
OnPeerMsgReceivedTest2(DeviceIdentify * deviceIdentify,Parcel & parcel)111 void OnPeerMsgReceivedTest2(DeviceIdentify *deviceIdentify, Parcel &parcel)
112 {
113 uint8_t jsonString[] = R"(
114 {"message":1, "payload":{"challenge":"0102030405060708"}}
115 )";
116 (void)OnPeerMsgReceived(deviceIdentify, jsonString, sizeof(jsonString));
117 }
118
OnPeerMsgReceivedTest3(DeviceIdentify * deviceIdentify,Parcel & parcel)119 void OnPeerMsgReceivedTest3(DeviceIdentify *deviceIdentify, Parcel &parcel)
120 {
121 uint8_t jsonString[] = R"(
122 {"message":2, "payload":222}
123 )";
124 (void)OnPeerMsgReceived(deviceIdentify, jsonString, sizeof(jsonString));
125
126 uint32_t len = 0;
127 (void)OnPeerMsgReceived(deviceIdentify, jsonString, len);
128 }
129
ServiceTest(DeviceIdentify * deviceIdentify,Parcel & parcel)130 void ServiceTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
131 {
132 if (g_init < INIT_MAX) {
133 uint8_t jsonString[] = R"(
134 {"message":0, "payload":111}
135 )";
136 uint64_t transNo = 1;
137 static DeviceIdentify self = {0, {0}};
138 int32_t level;
139 (void)InitService();
140 (void)MessengerGetDeviceOnlineStatus(deviceIdentify, &level);
141 (void)MessengerGetDeviceOnlineStatus(nullptr, &level);
142 (void)MessengerGetSelfDeviceIdentify(&self, &level);
143 (void)MessengerGetSelfDeviceIdentify(nullptr, &level);
144 MessengerSendMsgTo(transNo, deviceIdentify, jsonString, sizeof(jsonString));
145 g_init++;
146 }
147 }
148
OnSendResultNotifierTest(DeviceIdentify * deviceIdentify,Parcel & parcel)149 void OnSendResultNotifierTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
150 {
151 const DeviceIdentify identify = {DEVICE_ID_MAX_LEN, {0}};
152 (void)OnSendResultNotifier(&identify, 0, SUCCESS);
153 }
154
VerifyDslmCredentialTest(DeviceIdentify * deviceIdentify,Parcel & parcel)155 void VerifyDslmCredentialTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
156 {
157 DslmCredInfo info;
158 AttestationList list;
159 memset_s(&info, sizeof(DslmCredInfo), 0, sizeof(DslmCredInfo));
160 memset_s(&list, sizeof(AttestationList), 0, sizeof(AttestationList));
161
162 (void)VerifyDslmCredential(g_cred, &info, &list);
163 (void)VerifyDslmCredential(nullptr, &info, &list);
164 FreeAttestationList(&list);
165 }
166
MessengerSendMsgToTest(DeviceIdentify * deviceIdentify,Parcel & parcel)167 void MessengerSendMsgToTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
168 {
169 uint8_t jsonString[] = R"(
170 {"message":0, "payload":111}
171 )";
172 uint64_t transNo = 1;
173 static DeviceIdentify self = {0, {0}};
174 int32_t level;
175 (void)MessengerGetSelfDeviceIdentify(&self, &level);
176 MessengerSendMsgTo(transNo, deviceIdentify, jsonString, sizeof(jsonString));
177 MessengerSendMsgTo(transNo, nullptr, jsonString, sizeof(jsonString));
178 }
179
OnPeerStatusReceiverTest(DeviceIdentify * deviceIdentify,Parcel & parcel)180 void OnPeerStatusReceiverTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
181 {
182 uint32_t status = parcel.ReadUint32() % 2;
183 int32_t level = -1;
184 (void)MessengerGetDeviceOnlineStatus(deviceIdentify, &level);
185 (void)MessengerGetDeviceOnlineStatus(nullptr, &level);
186 (void)OnPeerStatusReceiver(deviceIdentify, status, level);
187 }
188
DslmDumperTest(DeviceIdentify * deviceIdentify,Parcel & parcel)189 void DslmDumperTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
190 {
191 DslmDumper(-1);
192 }
193
VerifyOhosDslmCredTest(DeviceIdentify * deviceIdentify,Parcel & parcel)194 void VerifyOhosDslmCredTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
195 {
196 const DeviceIdentify device = {DEVICE_ID_MAX_LEN, {'a', 'b', 'c', 'd', 'e', 'f', 'a', 'b'}};
197 uint64_t challenge = 0x1234;
198 uint8_t info[] = {'a', 'b', 'c', 'd', 1, 3, 5, 7, 9};
199 DslmCredBuff cred = {CRED_TYPE_STANDARD, 9, info};
200 DslmCredInfo credInfo;
201 (void)memset_s(&credInfo, sizeof(DslmCredInfo), 0, sizeof(DslmCredInfo));
202 (void)VerifyOhosDslmCred(&device, challenge, &cred, &credInfo);
203
204 cred.type = CRED_TYPE_LARGE;
205 (void)VerifyOhosDslmCred(&device, challenge, &cred, &credInfo);
206 (void)VerifyOhosDslmCred(nullptr, challenge, &cred, &credInfo);
207 }
208
RequestDeviceSecurityInfoTest(DeviceIdentify * deviceIdentify,Parcel & parcel)209 void RequestDeviceSecurityInfoTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
210 {
211 DeviceIdentify device = {DEVICE_ID_MAX_LEN, {0}};
212 int32_t level = 0;
213 DeviceSecurityInfo *info = nullptr;
214 (void)RequestDeviceSecurityInfo(&device, nullptr, &info);
215 (void)GetDeviceSecurityLevelValue(info, &level);
216 FreeDeviceSecurityInfo(info);
217 }
218
GetPeerDeviceOnlineStatusTest(DeviceIdentify * deviceIdentify,Parcel & parcel)219 void GetPeerDeviceOnlineStatusTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
220 {
221 int32_t level;
222 (void)GetPeerDeviceOnlineStatus(deviceIdentify, &level);
223 (void)GetPeerDeviceOnlineStatus(nullptr, nullptr);
224 }
225
Base64EncodeAppTest(DeviceIdentify * deviceIdentify,Parcel & parcel)226 void Base64EncodeAppTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
227 {
228 uint8_t src[] = {'a', 'b', 'c', 'd', '\0'};
229 uint32_t maxStrLen = 4;
230
231 (void)Base64EncodeApp(nullptr, sizeof(src));
232 (void)Base64EncodeApp(src, maxStrLen);
233 }
234
SerializeTest(DeviceIdentify * deviceIdentify,Parcel & parcel)235 void SerializeTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
236 {
237 uint32_t size = 0;
238 int i = 0;
239 TlvCommon tlvs[MAX_ENTRY];
240
241 uint8_t buff[MAX_ENTRY * sizeof(TlvCommon)] = {0};
242 size = 0;
243 (void)memset_s(&buff[0], sizeof(buff), 0, sizeof(buff));
244 (void)memset_s(&tlvs[0], sizeof(tlvs), 0, sizeof(tlvs));
245
246 for (i = 0; i < MAX_ENTRY; i++) {
247 TlvCommon *ptr = (TlvCommon *)tlvs + i;
248 ptr->tag = 0x105;
249 ptr->len = PTR_LEN;
250 ptr->value = nullptr;
251 }
252
253 (void)Serialize(tlvs, MAX_ENTRY, buff, sizeof(buff), &size);
254 (void)Serialize(nullptr, MAX_ENTRY, buff, sizeof(buff), &size);
255 }
256
BufferToHksCertChainTest(DeviceIdentify * deviceIdentify,Parcel & parcel)257 void BufferToHksCertChainTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
258 {
259 uint8_t buff[8];
260 uint32_t len = 8;
261 uint8_t *data;
262 memset_s(buff, sizeof(buff), 'c', sizeof(buff));
263 TlvCommon *ptr = (TlvCommon *)buff;
264 ptr->tag = 0x110;
265 ptr->len = PTR_LEN;
266 struct HksCertChain chain;
267 memset_s(&chain, sizeof(struct HksCertChain), 0, sizeof(struct HksCertChain));
268 CredType credType = CRED_TYPE_STANDARD;
269
270 (void)BufferToHksCertChain(buff, len, &chain);
271 (void)BufferToHksCertChain(nullptr, len, &chain);
272 (void)CreateDslmCred(credType, len, buff);
273 (void)CreateDslmCred(credType, len, nullptr);
274 (void)HksCertChainToBuffer(&chain, &data, &len);
275 (void)HksCertChainToBuffer(nullptr, &data, &len);
276 }
277
DestroyHksCertChainTest(DeviceIdentify * deviceIdentify,Parcel & parcel)278 void DestroyHksCertChainTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
279 {
280 struct HksCertChain *chain = (struct HksCertChain *)MALLOC(sizeof(struct HksCertChain));
281 struct HksBlob *blob = (struct HksBlob *)MALLOC(sizeof(struct HksBlob));
282 blob->size = BLOB_SIZE;
283 blob->data = nullptr;
284 chain->certs = blob;
285 chain->certsCount = 1;
286
287 DestroyHksCertChain(chain);
288 DestroyHksCertChain(nullptr);
289 }
290
DefaultInitDslmCredTest(DeviceIdentify * deviceIdentify,Parcel & parcel)291 void DefaultInitDslmCredTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
292 {
293 DslmCredInfo credInfo;
294 DefaultInitDslmCred(&credInfo);
295 }
296
BuildDeviceSecInfoResponseTest(DeviceIdentify * deviceIdentify,Parcel & parcel)297 void BuildDeviceSecInfoResponseTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
298 {
299 uint64_t challenge = 0x1234;
300 uint8_t info[] = {'a', 'b', 'c', 'd', 1, 3, 5, 7, 9};
301 DslmCredBuff cred = {CRED_TYPE_STANDARD, 9, info};
302 MessageBuff *msg = NULL;
303 (void)BuildDeviceSecInfoResponse(challenge, &cred, &msg);
304 (void)BuildDeviceSecInfoResponse(challenge, nullptr, &msg);
305 }
306
ReportHiEventTest(DeviceIdentify * deviceIdentify,Parcel & parcel)307 void ReportHiEventTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
308 {
309 uint32_t errorType = ERR_MSG_NOT_INIT;
310 ReportHiEventServiceStartFailed(errorType);
311
312 DslmDeviceInfo *info = (DslmDeviceInfo *)MALLOC(sizeof(DslmDeviceInfo));
313 (void)memset_s(info, sizeof(DslmDeviceInfo), 0, sizeof(DslmDeviceInfo));
314 info->lastRequestTime = 10U;
315 ReportHiEventInfoSync(nullptr);
316 ReportHiEventInfoSync(info);
317 ReportHiEventAppInvoke(nullptr);
318 FREE(info);
319 info = nullptr;
320 }
321
ConstructHksCertChainTest(DeviceIdentify * deviceIdentify,Parcel & parcel)322 void ConstructHksCertChainTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
323 {
324 struct HksCertChain *chain = nullptr;
325
326 {
327 (void)ConstructHksCertChain(&chain, nullptr);
328 }
329
330 {
331 struct HksCertChainInitParams param;
332 param.certChainExist = false;
333 param.certCountValid = true;
334 param.certDataExist = true;
335
336 (void)ConstructHksCertChain(&chain, ¶m);
337 }
338
339 {
340 struct HksCertChainInitParams param;
341 param.certChainExist = true;
342 param.certCountValid = false;
343 param.certDataExist = true;
344
345 (void)ConstructHksCertChain(&chain, ¶m);
346 }
347
348 {
349 struct HksCertChainInitParams param;
350 param.certChainExist = true;
351 param.certCountValid = true;
352 param.certDataExist = false;
353
354 (void)ConstructHksCertChain(&chain, ¶m);
355 }
356 }
357
FillHksParamSetTest(DeviceIdentify * deviceIdentify,Parcel & parcel)358 void FillHksParamSetTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
359 {
360 struct HksParamSet *paramSet = nullptr;
361 struct HksParam *param = nullptr;
362 int32_t paramNums = 0;
363 (void)FillHksParamSet(¶mSet, param, paramNums);
364 }
365
HksGenerateKeyAdapterTest(DeviceIdentify * deviceIdentify,Parcel & parcel)366 void HksGenerateKeyAdapterTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
367 {
368 const HksBlob *keyAlias1 = nullptr;
369
370 (void)HksGenerateKeyAdapter(keyAlias1);
371 }
372
373 DslmFuzzerTable g_fuzzerTable[] = {{0, OnPeerMsgReceivedTest1}, {1, OnPeerMsgReceivedTest2},
374 {2, OnPeerMsgReceivedTest3}, {3, ServiceTest}, {4, OnSendResultNotifierTest}, {5, VerifyDslmCredentialTest},
375 {6, MessengerSendMsgToTest}, {7, OnPeerStatusReceiverTest}, {8, DslmDumperTest}, {9, VerifyOhosDslmCredTest},
376 {10, RequestDeviceSecurityInfoTest}, {11, GetPeerDeviceOnlineStatusTest}, {12, Base64EncodeAppTest},
377 {13, SerializeTest}, {14, BufferToHksCertChainTest}, {15, DestroyHksCertChainTest}, {16, DefaultInitDslmCredTest},
378 {17, BuildDeviceSecInfoResponseTest}, {18, ReportHiEventTest}, {19, FillHksParamSetTest},
379 {20, HksGenerateKeyAdapterTest}, {21, ConstructHksCertChainTest}};
380
OnPeerMsgReceivedFuzzer(Parcel & parcel)381 void OnPeerMsgReceivedFuzzer(Parcel &parcel)
382 {
383 SECURITY_LOG_INFO("begin");
384 DeviceIdentify deviceIdentify = {};
385 deviceIdentify.length = DEVICE_ID_MAX_LEN;
386 const uint8_t *buffer = parcel.ReadBuffer(DEVICE_ID_MAX_LEN);
387 if (buffer != nullptr) {
388 (void)memcpy_s(deviceIdentify.identity, DEVICE_ID_MAX_LEN, buffer, DEVICE_ID_MAX_LEN);
389 }
390
391 static int cnt = 0;
392 cnt++;
393 if (cnt <= CNT) {
394 DslmDeviceInfo *info = CreatOrGetDslmDeviceInfo(&deviceIdentify);
395 if (info != nullptr) {
396 info->machine.currState = parcel.ReadUint32() % ITEMSTATE;
397 }
398 }
399
400 uint32_t a = parcel.ReadUint32() % 22;
401 for (uint32_t i = 0; i < sizeof(g_fuzzerTable) / sizeof(DslmFuzzerTable); ++i) {
402 if (g_fuzzerTable[i].code == a) {
403 g_fuzzerTable[i].process(&deviceIdentify, parcel);
404 }
405 }
406
407 SECURITY_LOG_INFO("end");
408 }
409
OnRemoteRequestFuzzer(Parcel & parcel)410 void OnRemoteRequestFuzzer(Parcel &parcel)
411 {
412 SECURITY_LOG_INFO("begin");
413 MessageParcel data;
414 MessageParcel reply;
415 MessageOption option;
416
417 data.WriteInterfaceToken(IDeviceSecurityLevel::GetDescriptor());
418
419 /* DeviceIdentify */
420 data.WriteUint32(parcel.ReadUint32());
421 const uint8_t *buffer = parcel.ReadBuffer(DEVICE_ID_MAX_LEN);
422 if (buffer == nullptr) {
423 data.WriteBuffer(mockBuffer, DEVICE_ID_MAX_LEN);
424 } else {
425 data.WriteBuffer(buffer, DEVICE_ID_MAX_LEN);
426 }
427
428 /* option */
429 data.WriteUint64(parcel.ReadUint64());
430 data.WriteUint32(parcel.ReadUint32());
431 data.WriteUint32(parcel.ReadUint32());
432
433 sptr<IRemoteObject> callback = new (std::nothrow) DeviceSecurityLevelCallbackStub(
434 [](uint32_t code, MessageParcel &data, MessageParcel &reply, MessageOption &option) {
435 SECURITY_LOG_INFO("DeviceSecurityLevelCallbackStub called");
436 return 0;
437 });
438 /* callback */
439 data.WriteRemoteObject(callback);
440 /* cookie */
441 data.WriteUint32(parcel.ReadUint32());
442
443 g_dslmService.OnRemoteRequest(parcel.ReadUint32(), data, reply, option);
444 SECURITY_LOG_INFO("end");
445 }
446
UtServerOnShutdownFuzz()447 void UtServerOnShutdownFuzz()
448 {
449 DeviceIdentify idt {.length = 1, .identity = {'a'}};
450
451 char dummy[] = {'a', 0};
452 PeerSocketInfo peer = {.name = dummy, .networkId = dummy};
453 UtServerOnBind(1, peer);
454 UtClientOnBind(1, &idt);
455
456 UtCreateOrRestartSocketCloseTimerWithLock(0);
457 UtCreateOrRestartSocketCloseTimerWithLock(1);
458
459 UtServerOnBytes(1, dummy, 1);
460 UtClientOnBytes(1, dummy, 1);
461 }
462
DslmFuzzTest(const uint8_t * data,size_t size)463 void DslmFuzzTest(const uint8_t *data, size_t size)
464 {
465 Parcel parcel;
466 parcel.WriteBuffer(data, size);
467 parcel.RewindRead(0);
468 if (parcel.ReadBool()) {
469 OnPeerMsgReceivedFuzzer(parcel);
470 } else {
471 OnRemoteRequestFuzzer(parcel);
472 }
473 UtServerOnShutdownFuzz();
474 }
475 } // namespace
476 } // namespace DeviceSecurityLevel
477 } // namespace Security
478 } // namespace OHOS
479
480 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)481 extern "C" int32_t LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
482 {
483 static int initCount = 0;
484 if (initCount == 0) {
485 const ProcessDslmCredFunctions func = {
486 .initFunc = InitOhosDslmCred,
487 .requestFunc = RequestOhosDslmCred,
488 .verifyFunc = VerifyOhosDslmCred,
489 .credTypeCnt = 2,
490 .credTypeArray = {CRED_TYPE_STANDARD, CRED_TYPE_SMALL},
491 };
492 InitDslmCredentialFunctions(&func);
493 initCount = 1;
494 }
495 OHOS::Security::DeviceSecurityLevel::DslmFuzzTest(data, size);
496 return 0;
497 }
498