1 /*
2 * Copyright (c) 2025 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "auth_credential_fuzzer.h"
17
18 #include <fuzzer/FuzzedDataProvider.h>
19 #include <string>
20
21 #include "device_manager_service_listener.h"
22 #include "dm_auth_message_processor.h"
23 #include "dm_auth_state.h"
24 #include "dm_freeze_process.h"
25
26 namespace OHOS {
27 namespace DistributedHardware {
28 constexpr uint32_t SERVICE = 2;
29
DerivativeSessionKeyFuzzTest(const uint8_t * data,size_t size)30 void DerivativeSessionKeyFuzzTest(const uint8_t* data, size_t size)
31 {
32 if ((data == nullptr) || (size < sizeof(int32_t))) {
33 return;
34 }
35 FuzzedDataProvider fdp(data, size);
36 std::shared_ptr<DmAuthContext> context = std::make_shared<DmAuthContext>();
37 context->IsProxyBind = true;
38 context->accesser.userId = fdp.ConsumeIntegral<int32_t>();
39 context->accesser.transmitSessionKeyId = fdp.ConsumeIntegral<int32_t>();
40 DmProxyAuthContext dmProxyAuthContext;
41 context->subjectProxyOnes.push_back(dmProxyAuthContext);
42 std::shared_ptr<AuthSrcCredentialAuthDoneState> authPtr = std::make_shared<AuthSrcCredentialAuthDoneState>();
43 context->authMessageProcessor = std::make_shared<DmAuthMessageProcessor>();
44 authPtr->DerivativeSessionKey(context);
45 }
46
DerivativeProxySessionKeyFuzzTest(const uint8_t * data,size_t size)47 void DerivativeProxySessionKeyFuzzTest(const uint8_t* data, size_t size)
48 {
49 if ((data == nullptr) || (size < sizeof(int32_t))) {
50 return;
51 }
52 FuzzedDataProvider fdp(data, size);
53 std::shared_ptr<DmAuthContext> context = std::make_shared<DmAuthContext>();
54 context->reUseCreId = fdp.ConsumeRandomLengthString();
55 context->IsProxyBind = true;
56 context->accesser.isAuthed = true;
57 context->accesser.deviceIdHash = fdp.ConsumeRandomLengthString();
58 context->accessee.deviceIdHash = fdp.ConsumeRandomLengthString();
59 context->accesser.tokenIdHash = fdp.ConsumeRandomLengthString();
60 context->accessee.tokenIdHash = fdp.ConsumeRandomLengthString();
61 context->accesser.userId = fdp.ConsumeIntegral<int32_t>();
62 context->accesser.transmitSkTimeStamp = fdp.ConsumeIntegral<int64_t>();
63 context->accesser.transmitSessionKeyId = fdp.ConsumeIntegral<int32_t>();
64 context->authMessageProcessor = std::make_shared<DmAuthMessageProcessor>();
65 DmProxyAuthContext dmProxyAuthContext;
66 context->subjectProxyOnes.push_back(dmProxyAuthContext);
67 std::shared_ptr<AuthSrcCredentialAuthDoneState> authSrcPtr = std::make_shared<AuthSrcCredentialAuthDoneState>();
68 authSrcPtr->DerivativeProxySessionKey(context);
69 std::shared_ptr<AuthSinkCredentialAuthNegotiateState> authSinkPtr =
70 std::make_shared<AuthSinkCredentialAuthNegotiateState>();
71 authSinkPtr->DerivativeSessionKey(context);
72 std::shared_ptr<AuthCredentialAgreeState> authCrePtr = std::make_shared<AuthSrcCredentialExchangeState>();
73 JsonObject jsonObject;
74 authCrePtr->GenerateTokenIds(context, jsonObject);
75 }
76
AuthCredentialFuzzTest(const uint8_t * data,size_t size)77 void AuthCredentialFuzzTest(const uint8_t* data, size_t size)
78 {
79 if ((data == nullptr) || (size < sizeof(int32_t))) {
80 return;
81 }
82 FreezeProcess freezeProcess;
83 FuzzedDataProvider fdp(data, size);
84 std::shared_ptr<DmAuthContext> context = std::make_shared<DmAuthContext>();
85 context->transmitData = fdp.ConsumeRandomLengthString();
86 context->requestId = fdp.ConsumeIntegral<int64_t>();
87 context->accesser.userId = fdp.ConsumeIntegral<int32_t>();
88 context->accesser.isGenerateLnnCredential = true;
89 context->isAppCredentialVerified = false;
90 context->accesser.bindLevel = SERVICE;
91 std::shared_ptr<DmAuthState> authFirst = std::make_shared<AuthSrcCredentialAuthNegotiateState>();
92 std::shared_ptr<AuthSrcCredentialAuthDoneState> authSecond = std::make_shared<AuthSrcCredentialAuthDoneState>();
93 std::shared_ptr<DmAuthState> authThird = std::make_shared<AuthSinkCredentialAuthNegotiateState>();
94 std::shared_ptr<DmAuthState> authForth = std::make_shared<AuthSrcCredentialExchangeState>();
95 std::shared_ptr<DmAuthState> authFifth = std::make_shared<AuthSinkCredentialExchangeState>();
96 std::shared_ptr<DmAuthState> authSixth = std::make_shared<AuthSrcCredentialAuthStartState>();
97
98 authFirst->Action(context);
99 authSecond->Action(context);
100 context->isAppCredentialVerified = true;
101 authSecond->Action(context);
102 context->accesser.isGenerateLnnCredential = false;
103 authFirst->GetStateType();
104 authSecond->GetStateType();
105 authThird->GetStateType();
106 authForth->GetStateType();
107 authFifth->GetStateType();
108 authSixth->GetStateType();
109
110 DerivativeSessionKeyFuzzTest(data, size);
111 DerivativeProxySessionKeyFuzzTest(data, size);
112 }
113 }
114 }
115
116 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)117 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
118 {
119 /* Run your code on data */
120 OHOS::DistributedHardware::AuthCredentialFuzzTest(data, size);
121 return 0;
122 }