1 /*
2 * Copyright (c) 2025 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15 #include <fuzzer/FuzzedDataProvider.h>
16 #include <vector>
17
18 #include "auth_message_processor_fuzzer.h"
19
20 #include "auth_manager.h"
21 #include "deviceprofile_connector.h"
22 #include "device_manager_service_listener.h"
23 #include "dm_anonymous.h"
24 #include "dm_auth_context.h"
25 #include "dm_auth_manager_base.h"
26 #include "dm_auth_message_processor.h"
27 #include "dm_auth_state_machine.h"
28 #include "dm_constants.h"
29 #include "dm_crypto.h"
30 #include "dm_log.h"
31
32
33 namespace OHOS {
34 namespace DistributedHardware {
namespace {
// Fixtures shared by every harness function in this file. They are constructed once, during
// static initialisation, and reused for each fuzz input.
// NOTE(review): because context_ and the processor outlive a single input, state written while
// handling one input is still present for the next one. A reported crash may therefore depend on
// earlier inputs; replay findings in a fresh process before triaging them.
std::shared_ptr<DmAuthMessageProcessor> dmAuthMessageProcessor_{std::make_shared<DmAuthMessageProcessor>()};
std::shared_ptr<SoftbusConnector> softbusConnector{std::make_shared<SoftbusConnector>()};
std::shared_ptr<IDeviceManagerServiceListener> listener{std::make_shared<DeviceManagerServiceListener>()};
std::shared_ptr<HiChainAuthConnector> hiChainAuthConnector{std::make_shared<HiChainAuthConnector>()};
std::shared_ptr<HiChainConnector> hiChainConnector{std::make_shared<HiChainConnector>()};
// The source-side manager is what supplies the auth context used by all Parse*/Create* calls.
std::shared_ptr<AuthManager> authManager{
    std::make_shared<AuthSrcManager>(softbusConnector, hiChainConnector, listener, hiChainAuthConnector)};
std::shared_ptr<DmAuthContext> context_{authManager->GetAuthContext()};
} // namespace
45
/**
 * @brief Fills a JSON object with fuzz-derived values for the message tags the processor reads.
 *
 * Every value is taken from the data provider at the moment its statement runs, so the order of
 * the statements below is also the order in which the fuzz input is consumed.
 *
 * @param jsonObject Object that receives the generated fields.
 * @param fdp        Fuzz data source; advanced by each field written.
 */
void GenerateJsonObject(JsonObject &jsonObject, FuzzedDataProvider &fdp)
{
    // String-valued field: one random-length string per tag.
    auto putString = [&jsonObject, &fdp](const auto &tag) {
        jsonObject[tag] = fdp.ConsumeRandomLengthString();
    };

    putString(TAG_DATA);
    putString(TAG_PEER_PKG_NAME);
    putString(TAG_DM_VERSION_V2);
    putString(TAG_USER_ID);
    putString(TAG_DEVICE_ID_HASH);
    putString(TAG_ACCOUNT_ID_HASH);
    putString(TAG_TOKEN_ID_HASH);
    putString(TAG_BUNDLE_NAME_V2);
    putString(TAG_EXTRA_INFO);
    putString(TAG_PEER_BUNDLE_NAME_V2);

    // Numeric fields keep their original integer widths.
    jsonObject[DM_TAG_LOGICAL_SESSION_ID] = fdp.ConsumeIntegral<uint64_t>();
    jsonObject[TAG_PEER_DISPLAY_ID] = fdp.ConsumeIntegral<int32_t>();

    // Transmit session-key material.
    putString(TAG_TRANSMIT_SK_ID);
    jsonObject[TAG_TRANSMIT_SK_TIMESTAMP] = fdp.ConsumeIntegral<int64_t>();
    putString(TAG_TRANSMIT_CREDENTIAL_ID);
    putString(TAG_DMVERSION);

    // LNN session-key material.
    putString(TAG_LNN_SK_ID);
    jsonObject[TAG_LNN_SK_TIMESTAMP] = fdp.ConsumeIntegral<int64_t>();
    putString(TAG_LNN_CREDENTIAL_ID);

    jsonObject[TAG_MSG_TYPE] = fdp.ConsumeIntegral<int32_t>();

    putString(TAG_SYNC);
    putString(TAG_ACCESS);
    putString(TAG_DEVICE_VERSION);
    putString(TAG_DEVICE_NAME);
    putString(TAG_NETWORKID_ID);
    putString(PARAM_KEY_SUBJECT_PROXYED_SUBJECTS);
}
75
/**
 * @brief Stores a fuzz-derived public key in the shared auth context.
 *
 * Only the key string comes from the fuzz input; the side and scope arguments are fixed.
 *
 * @param fdp Fuzz data source; one random-length string is consumed.
 */
void AuthContextFuzzTest(FuzzedDataProvider &fdp)
{
    auto keySide = DmAuthSide::DM_AUTH_LOCAL_SIDE;
    auto keyScope = DmAuthScope::DM_AUTH_SCOPE_INVALID;
    std::string fuzzedKey{fdp.ConsumeRandomLengthString()};
    context_->SetPublicKey(keySide, keyScope, fuzzedKey);
}
83
/**
 * @brief Runs one fuzz-built JSON object through the processor's per-message handlers.
 *
 * The same object and the shared context are passed to every Parse* and Create* call in turn,
 * then the object is serialised and fed back through ParseMessage, and finally decoded into the
 * two access-control structures. Return values are discarded; the harness relies on sanitizers
 * and crashes to surface defects.
 *
 * @param jsonObject Fuzz-populated message body; the Create* calls receive it by reference too.
 */
void AuthMessageProcessorFuzzTestNext(JsonObject &jsonObject)
{
    auto &processor = *dmAuthMessageProcessor_;

    // Inbound path: decode the object as each message type.
    processor.ParseAuthStartMessage(jsonObject, context_);
    processor.ParseNegotiateMessage(jsonObject, context_);
    processor.ParseMessageRespAclNegotiate(jsonObject, context_);
    processor.ParseMessageReqUserConfirm(jsonObject, context_);
    processor.ParseMessageRespUserConfirm(jsonObject, context_);
    processor.ParseMessageReqPinAuthStart(jsonObject, context_);
    processor.ParseMessageRespPinAuthStart(jsonObject, context_);
    processor.ParseMessageReqPinAuthNegotiate(jsonObject, context_);
    processor.ParseMessageRespPinAuthNegotiate(jsonObject, context_);
    processor.ParseMessageReqCredExchange(jsonObject, context_);
    processor.ParseMessageRspCredExchange(jsonObject, context_);
    processor.ParseMessageNegotiateTransmit(jsonObject, context_);
    processor.ParseMessageSyncReq(jsonObject, context_);
    processor.ParseMessageSyncResp(jsonObject, context_);
    processor.ParseMessageSinkFinish(jsonObject, context_);
    processor.ParseMessageSrcFinish(jsonObject, context_);
    processor.ParseMessageReverseUltrasonicStart(jsonObject, context_);
    processor.ParseMessageReverseUltrasonicDone(jsonObject, context_);
    processor.ParseMessageForwardUltrasonicStart(jsonObject, context_);
    processor.ParseMessageForwardUltrasonicNegotiate(jsonObject, context_);

    // Outbound path: build each message type from the context left behind by the parsers.
    processor.CreateNegotiateMessage(context_, jsonObject);
    processor.CreateRespNegotiateMessage(context_, jsonObject);
    processor.CreateMessageReqUserConfirm(context_, jsonObject);
    processor.CreateMessageRespUserConfirm(context_, jsonObject);
    processor.CreateMessageReqPinAuthStart(context_, jsonObject);
    processor.CreateMessageRespPinAuthStart(context_, jsonObject);
    processor.CreateMessageReqPinAuthNegotiate(context_, jsonObject);
    processor.CreateMessageRespPinAuthNegotiate(context_, jsonObject);
    processor.CreateMessageReqCredExchange(context_, jsonObject);
    processor.CreateMessageRspCredExchange(context_, jsonObject);
    processor.CreateMessageReqCredAuthStart(context_, jsonObject);
    processor.CreateCredentialNegotiateMessage(context_, jsonObject);
    processor.CreateNegotiateOldMessage(context_, jsonObject);
    processor.CreateSyncMessage(context_, jsonObject);
    processor.CreateMessageSyncResp(context_, jsonObject);
    processor.CreateMessageFinish(context_, jsonObject);
    processor.CreateMessageForwardUltrasonicStart(context_, jsonObject);
    processor.CreateMessageReverseUltrasonicStart(context_, jsonObject);
    processor.CreateMessageForwardUltrasonicNegotiate(context_, jsonObject);
    processor.CreateMessageReverseUltrasonicDone(context_, jsonObject);

    processor.CheckLogicalSessionId(jsonObject, context_);

    // Round-trip: serialise whatever the calls above left in the object and parse it as a
    // complete wire message.
    std::string serialized = jsonObject.Dump();
    processor.ParseMessage(context_, serialized);

    // Exercise the JSON-to-struct decoders directly.
    DmAccessControlTable aclTable;
    FromJson(jsonObject, aclTable);
    DmAccessToSync accessToSync;
    FromJson(jsonObject, accessToSync);
}
134
/**
 * @brief Drives the proxy-bind handlers, session-key storage and proxy ACL helpers.
 *
 * Scalars and strings are consumed from the fuzz input first, in a fixed order, so that the
 * byte layout of an input stays stable. The shared context is then switched between non-proxy
 * and proxy mode, and between two accessee versions, before the handlers are called.
 *
 * @param fdp        Fuzz data source for ids, suffix, token id and extra-data strings.
 * @param jsonObject Fuzz-populated message body shared with the other harness stages.
 */
void AuthMessageProcessorFuzzTestNextTwo(FuzzedDataProvider &fdp, JsonObject &jsonObject)
{
    auto &processor = *dmAuthMessageProcessor_;

    // Fuzz-controlled scalars (consumption order is significant).
    int32_t userId = fdp.ConsumeIntegral<int32_t>();
    int32_t skId = fdp.ConsumeIntegral<int32_t>();
    std::string suffix = fdp.ConsumeRandomLengthString();
    int64_t tokenId = fdp.ConsumeIntegral<int64_t>();

    // Device-profile records carrying fuzz-controlled extra data.
    DistributedDeviceProfile::AccessControlProfile acl;
    DistributedDeviceProfile::Accesser accesser;
    DistributedDeviceProfile::Accessee accessee;
    acl.SetExtraData(fdp.ConsumeRandomLengthString());
    accesser.SetAccesserExtraData(fdp.ConsumeRandomLengthString());
    accessee.SetAccesseeExtraData(fdp.ConsumeRandomLengthString());

    DmProxyAuthContext dmProxyAuthContext;
    dmProxyAuthContext.customData = fdp.ConsumeRandomLengthString();

    // First pass with proxy binding off and no proxy subjects ...
    context_->IsProxyBind = false;
    context_->subjectProxyOnes.clear();
    processor.ParseProxyCredExchangeToSync(context_, jsonObject);

    // ... then with proxy binding on and exactly one proxy subject registered.
    context_->IsProxyBind = true;
    context_->subjectProxyOnes.emplace_back(dmProxyAuthContext);
    processor.ParseProxyCredExchangeToSync(context_, jsonObject);
    processor.CreateProxyNegotiateMessage(context_, jsonObject);
    processor.CreateProxyRespNegotiateMessage(context_, jsonObject);
    processor.CreateProxyCredExchangeMessage(context_, jsonObject);
    processor.ParseProxyAccessToSync(context_, jsonObject);
    processor.ParseProxyNegotiateMessage(jsonObject, context_);

    // The ACL-negotiate response parser is run once per accessee version.
    context_->accessee.dmVersion = DM_VERSION_5_1_0;
    processor.ParseMessageProxyRespAclNegotiate(jsonObject, context_);
    context_->accessee.dmVersion = DM_VERSION_5_1_1;
    processor.ParseMessageProxyRespAclNegotiate(jsonObject, context_);

    processor.ParseMessageProxyReqUserConfirm(jsonObject, context_);
    processor.ParseMessageProxyRespUserConfirm(jsonObject, context_);
    processor.CreateMessageProxyReqUserConfirm(context_, jsonObject);
    processor.CreateProxyAccessMessage(context_, jsonObject);

    // A fresh CryptoMgr is installed before the session-key calls.
    processor.cryptoMgr_ = std::make_shared<CryptoMgr>();
    processor.SaveDerivativeSessionKeyToDP(userId, suffix, skId);
    processor.GetSessionKey(userId, skId);

    context_->accesser.extraInfo = "";
    processor.SetProxyAccess(context_, dmProxyAuthContext, accesser, accessee);
    processor.PutProxyAccessControlList(context_, acl, accesser, accessee);
    processor.IsExistTheToken(jsonObject, tokenId);
    processor.SetAclProxyRelate(context_);

    // Second overload is called with the nested accesser/accessee extra data emptied.
    acl.accesser_.SetAccesserExtraData("");
    acl.accessee_.SetAccesseeExtraData("");
    processor.SetAclProxyRelate(context_, acl);
}
180
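/**
 * @brief Top-level harness: splits one fuzz input into arguments and drives the processor.
 *
 * Inputs that are null or shorter than sizeof(int32_t) are ignored. All values are consumed
 * from the provider in a fixed order before any target call, so an input's byte layout is
 * stable. Return values of the target calls are discarded.
 *
 * @param data Raw fuzz input.
 * @param size Length of @p data in bytes.
 */
void AuthMessageProcessorFuzzTest(const uint8_t* data, size_t size)
{
    if ((data == nullptr) || (size < sizeof(int32_t))) {
        return;
    }
    FuzzedDataProvider fdp(data, size);
    std::string message = fdp.ConsumeRandomLengthString();
    std::string inputStr = fdp.ConsumeRandomLengthString();
    std::string compressed = fdp.ConsumeRandomLengthString();
    std::string trustDeviceId = fdp.ConsumeRandomLengthString();
    std::string encSyncMsg = fdp.ConsumeRandomLengthString();
    std::string enSyncMsg = fdp.ConsumeRandomLengthString();
    std::string aclStr = fdp.ConsumeRandomLengthString();
    uint32_t requestedKeyLen = fdp.ConsumeIntegralInRange<uint32_t>(0, 1024);
    uint32_t oriLen = fdp.ConsumeIntegralInRange<uint32_t>(0, 1024);
    std::vector<uint8_t> sessionKey = fdp.ConsumeBytes<uint8_t>(requestedKeyLen);
    // ConsumeBytes returns fewer bytes than requested once the input is exhausted. Passing the
    // requested length alongside the shorter buffer would make the target read past the end of
    // the vector, which reports a harness bug as a target bug. Use the real buffer size.
    uint32_t keyLen = static_cast<uint32_t>(sessionKey.size());
    int32_t userId = fdp.ConsumeIntegral<int32_t>();
    int32_t skId = fdp.ConsumeIntegral<int32_t>();
    DistributedDeviceProfile::AccessControlProfile acl;
    DistributedDeviceProfile::Accesser accesser;
    DistributedDeviceProfile::Accessee accessee;
    acl.SetExtraData(fdp.ConsumeRandomLengthString());
    accesser.SetAccesserExtraData(fdp.ConsumeRandomLengthString());
    accessee.SetAccesseeExtraData(fdp.ConsumeRandomLengthString());
    DmAccess access;
    JsonObject jsonObject;
    GenerateJsonObject(jsonObject, fdp);

    // Raw-string entry point: the message here is arbitrary text, not necessarily JSON.
    dmAuthMessageProcessor_->ParseMessage(context_, message);
    dmAuthMessageProcessor_->CreateMessage(DmMessageType::MSG_TYPE_REQ_ACL_NEGOTIATE, context_);
    dmAuthMessageProcessor_->CreateAndSendMsg(DmMessageType::MSG_TYPE_REQ_ACL_NEGOTIATE, context_);

    // Session-key handling. sessionKey may be empty, in which case keyLen is 0.
    dmAuthMessageProcessor_->SaveSessionKey(sessionKey.data(), keyLen);
    dmAuthMessageProcessor_->SaveSessionKeyToDP(userId, skId);
    dmAuthMessageProcessor_->DeleteSessionKeyToDP(userId, skId);

    // Codec helpers. oriLen is fuzz-chosen and independent of the compressed string's length.
    dmAuthMessageProcessor_->CompressSyncMsg(inputStr);
    dmAuthMessageProcessor_->DecompressSyncMsg(compressed, oriLen);
    dmAuthMessageProcessor_->Base64Encode(inputStr);
    dmAuthMessageProcessor_->Base64Decode(inputStr);

    // Sync-message and access-control paths, using a default-constructed DmAccess.
    dmAuthMessageProcessor_->PutAccessControlList(context_, access, trustDeviceId);
    dmAuthMessageProcessor_->EncryptSyncMessage(context_, access, encSyncMsg);
    dmAuthMessageProcessor_->DecryptSyncMessage(context_, access, enSyncMsg);
    dmAuthMessageProcessor_->ParseSyncMessage(context_, access, jsonObject);
    dmAuthMessageProcessor_->CheckAccessValidityAndAssign(context_, access, access);
    dmAuthMessageProcessor_->ACLToStr(acl, aclStr);
    dmAuthMessageProcessor_->SetAccessControlList(context_, acl);
    dmAuthMessageProcessor_->SetTransmitAccessControlList(context_, accesser, accessee);
    dmAuthMessageProcessor_->SetLnnAccessControlList(context_, accesser, accessee);

    // Remaining stages reuse the same JSON object and whatever fuzz bytes are left.
    AuthMessageProcessorFuzzTestNext(jsonObject);
    AuthMessageProcessorFuzzTestNextTwo(fdp, jsonObject);
    AuthContextFuzzTest(fdp);
}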
231 }
232 }
233
/* libFuzzer entry point: forwards each generated input to the harness and always returns 0. */
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
{
    using OHOS::DistributedHardware::AuthMessageProcessorFuzzTest;

    /* Null and undersized inputs are filtered inside the harness itself. */
    AuthMessageProcessorFuzzTest(data, size);
    return 0;
}
242