1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "cmusertrustedstore_fuzzer.h"
17
18 #include "cm_fuzz_test_common.h"
19 #include "cm_test_common.h"
20 #include "cert_manager_api.h"
21 #include "cm_cert_data_user.h"
22 #include "cm_ipc_client_serialization.h"
23 #include "cm_ipc_service.h"
24 #include "cm_param.h"
25 #include "cert_manager_status.h"
26 #include "cm_type.h"
27
28 using namespace CmFuzzTest;
29 namespace OHOS {
30 constexpr uint32_t TEST_USERID = 100;
31 constexpr uint32_t MIN_DATA_USE_TIME = 10;
InstallUserCert(uint8_t * tmpData,uint32_t * remainSize,uint32_t * offset,struct CmBlob * keyUri)32 static bool InstallUserCert(uint8_t *tmpData, uint32_t *remainSize, uint32_t *offset, struct CmBlob *keyUri)
33 {
34 uint32_t userId = TEST_USERID;
35 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
36 if (!GetUintFromBuffer(tmpData, remainSize, offset, &userId)) {
37 return false;
38 }
39 }
40
41 uint32_t status = CERT_STATUS_ENABLED;
42 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
43 if (!GetUintFromBuffer(tmpData, remainSize, offset, &status)) {
44 return false;
45 }
46 }
47 struct CmBlob userCert = { sizeof(g_certData01), const_cast<uint8_t *>(g_certData01) };
48 static uint8_t certAliasBuf01[] = "40dc992e";
49 struct CmBlob certAlias = { sizeof(certAliasBuf01), certAliasBuf01 };
50 struct CmParam params01[] = {
51 { .tag = CM_TAG_PARAM0_BUFFER, .blob = userCert },
52 { .tag = CM_TAG_PARAM1_BUFFER, .blob = certAlias },
53 { .tag = CM_TAG_PARAM0_UINT32, .uint32Param = userId },
54 { .tag = CM_TAG_PARAM1_UINT32, .uint32Param = status },
55 };
56 struct CmParamSet *paramSet01 = NULL;
57 int32_t ret = CmParamsToParamSet(params01, CM_ARRAY_SIZE(params01), ¶mSet01);
58 if (ret != CM_SUCCESS) {
59 return false;
60 }
61 struct CmBlob paramSetBlob = { paramSet01->paramSetSize, reinterpret_cast<uint8_t *>(paramSet01) };
62 (void)CmIpcServiceInstallUserCert(¶mSetBlob, keyUri, nullptr);
63 CmFreeParamSet(¶mSet01);
64 return true;
65 }
SetUserCertStatus(uint8_t * tmpData,uint32_t * remainSize,uint32_t * offset,struct CmBlob * keyUri)66 static bool SetUserCertStatus(uint8_t *tmpData, uint32_t *remainSize, uint32_t *offset, struct CmBlob *keyUri)
67 {
68 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
69 if (!GetCmBlobFromBuffer(tmpData, remainSize, offset, keyUri)) {
70 return false;
71 }
72 }
73 uint32_t store = CM_USER_TRUSTED_STORE;
74 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
75 if (!GetUintFromBuffer(tmpData, remainSize, offset, &store)) {
76 return false;
77 }
78 }
79
80 uint32_t state = CERT_STATUS_ENABLED;
81 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
82 if (!GetUintFromBuffer(tmpData, remainSize, offset, &state)) {
83 return false;
84 }
85 }
86
87 struct CmParam params02[] = {
88 { .tag = CM_TAG_PARAM0_BUFFER, .blob = *keyUri },
89 { .tag = CM_TAG_PARAM0_UINT32, .uint32Param = store },
90 { .tag = CM_TAG_PARAM1_UINT32, .uint32Param = state },
91 };
92
93 struct CmParamSet *paramSet02 = nullptr;
94 int32_t ret = CmParamsToParamSet(¶ms02[0], CM_ARRAY_SIZE(params02), ¶mSet02);
95 if (ret != CM_SUCCESS) {
96 return false;
97 }
98 struct CmBlob paramSetBlob = { paramSet02->paramSetSize, reinterpret_cast<uint8_t*>(paramSet02) };
99 (void)CmIpcServiceSetUserCertStatus(¶mSetBlob, nullptr, nullptr);
100 CmFreeParamSet(¶mSet02);
101 return true;
102 }
103
GetAllUserCert(uint8_t * tmpData,uint32_t * remainSize,uint32_t * offset)104 static bool GetAllUserCert(uint8_t *tmpData, uint32_t *remainSize, uint32_t *offset)
105 {
106 uint32_t store = CM_USER_TRUSTED_STORE;
107 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
108 if (!GetUintFromBuffer(tmpData, remainSize, offset, &store)) {
109 return false;
110 }
111 }
112 uint8_t *certListBlobData = reinterpret_cast<uint8_t *>(CmMalloc(CERT_LIST_LEN));
113 if (certListBlobData == nullptr) {
114 return false;
115 }
116 struct CmBlob certListBlob = { CERT_LIST_LEN, certListBlobData };
117 struct CmParam params03[] = {
118 { .tag = CM_TAG_PARAM0_UINT32, .uint32Param = store },
119 };
120 struct CmParamSet *paramSet03 = nullptr;
121 int32_t ret = CmParamsToParamSet(¶ms03[0], CM_ARRAY_SIZE(params03), ¶mSet03);
122 if (ret != CM_SUCCESS) {
123 CmFree(certListBlobData);
124 return false;
125 }
126 struct CmBlob paramSetBlob = { paramSet03->paramSetSize, reinterpret_cast<uint8_t*>(paramSet03) };
127 (void)CmIpcServiceGetUserCertList(¶mSetBlob, &certListBlob, nullptr);
128 CmFree(certListBlobData);
129 CmFreeParamSet(¶mSet03);
130 return true;
131 }
132
GetUserCert(uint8_t * tmpData,uint32_t * remainSize,uint32_t * offset,struct CmBlob * keyUri)133 static bool GetUserCert(uint8_t *tmpData, uint32_t *remainSize, uint32_t *offset, struct CmBlob *keyUri)
134 {
135 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
136 if (!GetCmBlobFromBuffer(tmpData, remainSize, offset, keyUri)) {
137 return false;
138 }
139 }
140 uint32_t store = CM_USER_TRUSTED_STORE;
141 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
142 if (!GetUintFromBuffer(tmpData, remainSize, offset, &store)) {
143 return false;
144 }
145 }
146 uint8_t *certInfoData = reinterpret_cast<uint8_t *>(CmMalloc(CERT_INFO_LEN));
147 if (certInfoData == nullptr) {
148 return false;
149 }
150 CmBlob certInfoBlob = { CERT_INFO_LEN, certInfoData };
151 struct CmParam params04[] = {
152 { .tag = CM_TAG_PARAM0_BUFFER, .blob = *keyUri },
153 { .tag = CM_TAG_PARAM0_UINT32, .uint32Param = store },
154 };
155 struct CmParamSet *paramSet04 = nullptr;
156 int32_t ret = CmParamsToParamSet(¶ms04[0], CM_ARRAY_SIZE(params04), ¶mSet04);
157 if (ret != CM_SUCCESS) {
158 CmFree(certInfoData);
159 return false;
160 }
161 struct CmBlob paramSetBlob = { paramSet04->paramSetSize, reinterpret_cast<uint8_t*>(paramSet04) };
162 (void)CmIpcServiceGetUserCertInfo(¶mSetBlob, &certInfoBlob, nullptr);
163 CmFree(certInfoData);
164 CmFreeParamSet(¶mSet04);
165 return true;
166 }
167
UnInstallUserCert(uint8_t * tmpData,uint32_t * remainSize,uint32_t * offset,struct CmBlob * keyUri)168 static bool UnInstallUserCert(uint8_t *tmpData, uint32_t *remainSize, uint32_t *offset, struct CmBlob *keyUri)
169 {
170 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
171 if (!GetCmBlobFromBuffer(tmpData, remainSize, offset, keyUri)) {
172 return false;
173 }
174 }
175
176 uint32_t store = CM_USER_TRUSTED_STORE;
177 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
178 if (!GetUintFromBuffer(tmpData, remainSize, offset, &store)) {
179 return false;
180 }
181 }
182 struct CmParam params05[] = {
183 { .tag = CM_TAG_PARAM0_BUFFER, .blob = *keyUri },
184 { .tag = CM_TAG_PARAM0_UINT32, .uint32Param = store },
185 };
186 struct CmParamSet *paramSet05 = NULL;
187 int32_t ret = CmParamsToParamSet(params05, CM_ARRAY_SIZE(params05), ¶mSet05);
188 if (ret != CM_SUCCESS) {
189 return false;
190 }
191 struct CmBlob paramSetBlob = { paramSet05->paramSetSize, reinterpret_cast<uint8_t *>(paramSet05) };
192 (void)CmIpcServiceUninstallUserCert(¶mSetBlob, nullptr, nullptr);
193 CmFreeParamSet(¶mSet05);
194 return true;
195 }
196
DoSomethingInterestingWithMyAPI(const uint8_t * data,size_t size)197 bool DoSomethingInterestingWithMyAPI(const uint8_t* data, size_t size)
198 {
199 uint8_t *tmpData = nullptr;
200 if (!CopyMyData(data, size, sizeof(uint32_t) * MIN_DATA_USE_TIME, &tmpData)) {
201 return false;
202 }
203
204 uint32_t remainSize = static_cast<uint32_t>(size);
205 uint32_t offset = 0;
206 CertmanagerTest::MockHapToken mockHap;
207
208 bool ret = false;
209 uint8_t keyUriData[] = "1d3472b9.0";
210 struct CmBlob keyUri = { sizeof(keyUriData), &keyUriData[0] };
211
212 do {
213 if (!InstallUserCert(tmpData, &remainSize, &offset, &keyUri)) {
214 break;
215 }
216
217 if (!SetUserCertStatus(tmpData, &remainSize, &offset, &keyUri)) {
218 break;
219 }
220
221 if (!GetAllUserCert(tmpData, &remainSize, &offset)) {
222 break;
223 }
224
225 if (!GetUserCert(tmpData, &remainSize, &offset, &keyUri)) {
226 break;
227 }
228
229 if (!UnInstallUserCert(tmpData, &remainSize, &offset, &keyUri)) {
230 break;
231 }
232 ret = true;
233 } while (0);
234 (void)CmIpcServiceUninstallAllUserCert(nullptr, nullptr, nullptr);
235 CmFree(tmpData);
236 return ret;
237 }
238 }
239
240
241 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)242 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
243 {
244 /* Run your code on data */
245 OHOS::DoSomethingInterestingWithMyAPI(data, size);
246 return 0;
247 }
248
249