1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "cmsystemtrustedstore_fuzzer.h"
17
18 #include "cm_fuzz_test_common.h"
19 #include "cm_test_common.h"
20 #include "cert_manager_api.h"
21 #include "cm_ipc_client_serialization.h"
22 #include "cm_ipc_service.h"
23 #include "cm_param.h"
24 #include "cert_manager_status.h"
25
26 using namespace CmFuzzTest;
27 namespace OHOS {
28 constexpr uint32_t MIN_DATA_USE_TIME = 6;
SetSysCertStatus(uint8_t * tmpData,uint32_t * remainSize,uint32_t * offset,struct CmBlob * keyUri)29 static bool SetSysCertStatus(uint8_t *tmpData, uint32_t *remainSize, uint32_t *offset, struct CmBlob *keyUri)
30 {
31 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
32 if (!GetCmBlobFromBuffer(tmpData, remainSize, offset, keyUri)) {
33 return false;
34 }
35 }
36 uint32_t store = CM_SYSTEM_TRUSTED_STORE;
37 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
38 if (!GetUintFromBuffer(tmpData, remainSize, offset, &store)) {
39 return false;
40 }
41 }
42
43 uint32_t state = CERT_STATUS_ENABLED;
44 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
45 if (!GetUintFromBuffer(tmpData, remainSize, offset, &state)) {
46 return false;
47 }
48 }
49
50 struct CmParam params01[] = {
51 { .tag = CM_TAG_PARAM0_BUFFER, .blob = *keyUri },
52 { .tag = CM_TAG_PARAM0_UINT32, .uint32Param = store },
53 { .tag = CM_TAG_PARAM1_UINT32, .uint32Param = state },
54 };
55
56 struct CmParamSet *paramSet01 = nullptr;
57 int32_t ret = CmParamsToParamSet(¶ms01[0], CM_ARRAY_SIZE(params01), ¶mSet01);
58 if (ret != CM_SUCCESS) {
59 return false;
60 }
61 struct CmBlob paramSetBlob = { paramSet01->paramSetSize, reinterpret_cast<uint8_t*>(paramSet01) };
62 (void)CmIpcServiceSetCertStatus(¶mSetBlob, nullptr, nullptr);
63 CmFreeParamSet(¶mSet01);
64 return true;
65 }
66
GetAllSysCert(uint8_t * tmpData,uint32_t * remainSize,uint32_t * offset)67 static bool GetAllSysCert(uint8_t *tmpData, uint32_t *remainSize, uint32_t *offset)
68 {
69 uint32_t store = CM_SYSTEM_TRUSTED_STORE;
70 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
71 if (!GetUintFromBuffer(tmpData, remainSize, offset, &store)) {
72 return false;
73 }
74 }
75 uint8_t *certListBlobData = reinterpret_cast<uint8_t *>(CmMalloc(CERT_LIST_LEN));
76 if (certListBlobData == nullptr) {
77 return false;
78 }
79 struct CmBlob certListBlob = { CERT_LIST_LEN, certListBlobData };
80 struct CmParam params02[] = {
81 { .tag = CM_TAG_PARAM0_UINT32, .uint32Param = store },
82 };
83 struct CmParamSet *paramSet02 = nullptr;
84 int32_t ret = CmParamsToParamSet(¶ms02[0], CM_ARRAY_SIZE(params02), ¶mSet02);
85 if (ret != CM_SUCCESS) {
86 CmFree(certListBlobData);
87 return false;
88 }
89 struct CmBlob paramSetBlob = { paramSet02->paramSetSize, reinterpret_cast<uint8_t*>(paramSet02) };
90 (void)CmIpcServiceGetCertificateList(¶mSetBlob, &certListBlob, nullptr);
91 CmFree(certListBlobData);
92 CmFreeParamSet(¶mSet02);
93 return true;
94 }
95
GetSysCert(uint8_t * tmpData,uint32_t * remainSize,uint32_t * offset,struct CmBlob * keyUri)96 static bool GetSysCert(uint8_t *tmpData, uint32_t *remainSize, uint32_t *offset, struct CmBlob *keyUri)
97 {
98 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
99 if (!GetCmBlobFromBuffer(tmpData, remainSize, offset, keyUri)) {
100 return false;
101 }
102 }
103 uint32_t store = CM_SYSTEM_TRUSTED_STORE;
104 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
105 if (!GetUintFromBuffer(tmpData, remainSize, offset, &store)) {
106 return false;
107 }
108 }
109 uint8_t *certInfoData = reinterpret_cast<uint8_t *>(CmMalloc(CERT_INFO_LEN));
110 if (certInfoData == nullptr) {
111 return false;
112 }
113 CmBlob certInfoBlob = { CERT_INFO_LEN, certInfoData };
114 struct CmParam params03[] = {
115 { .tag = CM_TAG_PARAM0_BUFFER, .blob = *keyUri },
116 { .tag = CM_TAG_PARAM0_UINT32, .uint32Param = store },
117 };
118 struct CmParamSet *paramSet03 = nullptr;
119 int32_t ret = CmParamsToParamSet(¶ms03[0], CM_ARRAY_SIZE(params03), ¶mSet03);
120 if (ret != CM_SUCCESS) {
121 CmFree(certInfoData);
122 return false;
123 }
124 struct CmBlob paramSetBlob = { paramSet03->paramSetSize, reinterpret_cast<uint8_t*>(paramSet03) };
125 (void)CmIpcServiceGetCertificateInfo(¶mSetBlob, &certInfoBlob, nullptr);
126 CmFree(certInfoData);
127 CmFreeParamSet(¶mSet03);
128 return true;
129 }
130
DoSomethingInterestingWithMyAPI(const uint8_t * data,size_t size)131 bool DoSomethingInterestingWithMyAPI(const uint8_t* data, size_t size)
132 {
133 uint8_t *tmpData = nullptr;
134 if (!CopyMyData(data, size, sizeof(uint32_t) * MIN_DATA_USE_TIME, &tmpData)) {
135 return false;
136 }
137
138 uint32_t remainSize = static_cast<uint32_t>(size);
139 uint32_t offset = 0;
140 CertmanagerTest::MockHapToken mockHap;
141
142 bool ret = false;
143 uint8_t keyUriData[] = "1d3472b9.0";
144 struct CmBlob keyUri = { sizeof(keyUriData), &keyUriData[0] };
145
146 do {
147 if (!SetSysCertStatus(tmpData, &remainSize, &offset, &keyUri)) {
148 break;
149 }
150
151 if (!GetAllSysCert(tmpData, &remainSize, &offset)) {
152 break;
153 }
154
155 if (!GetSysCert(tmpData, &remainSize, &offset, &keyUri)) {
156 break;
157 }
158 ret = true;
159 } while (0);
160 CmFree(tmpData);
161 return ret;
162 }
163 }
164
165
166 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)167 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
168 {
169 /* Run your code on data */
170 OHOS::DoSomethingInterestingWithMyAPI(data, size);
171 return 0;
172 }
173
174