1 /*
2 * Copyright (C) 2021 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 *
16 */
17 #include <hardware/hw_auth_token.h>
18 #include <keymasterV4_0/keymaster_utils.h>
19 #include "keymaster4_common.h"
20
21 namespace android::hardware::keymaster::V4_0::fuzzer {
22
23 using android::hardware::keymaster::V4_0::SecurityLevel;
24 using android::hardware::keymaster::V4_0::VerificationToken;
25 using android::hardware::keymaster::V4_0::support::deserializeVerificationToken;
26 using android::hardware::keymaster::V4_0::support::serializeVerificationToken;
27
28 constexpr SecurityLevel kSecurityLevel[]{
29 SecurityLevel::SOFTWARE,
30 SecurityLevel::TRUSTED_ENVIRONMENT,
31 SecurityLevel::STRONGBOX,
32 };
33 constexpr size_t kMaxVectorSize = 100;
34 constexpr size_t kMaxCharacters = 100;
35
36 class KeyMaster4UtilsFuzzer {
37 public:
38 void process(const uint8_t* data, size_t size);
39
40 private:
41 void invokeKeyMasterUtils();
42 std::unique_ptr<FuzzedDataProvider> mFdp = nullptr;
43 };
44
invokeKeyMasterUtils()45 void KeyMaster4UtilsFuzzer::invokeKeyMasterUtils() {
46 support::getOsVersion();
47 support::getOsPatchlevel();
48
49 VerificationToken token;
50 token.challenge = mFdp->ConsumeIntegral<uint64_t>();
51 token.timestamp = mFdp->ConsumeIntegral<uint64_t>();
52 token.securityLevel = mFdp->PickValueInArray(kSecurityLevel);
53 size_t vectorSize = mFdp->ConsumeIntegralInRange<size_t>(0, kMaxVectorSize);
54 token.mac.resize(vectorSize);
55 for (size_t n = 0; n < vectorSize; ++n) {
56 token.mac[n] = n;
57 }
58 std::optional<std::vector<uint8_t>> serialized = serializeVerificationToken(token);
59 if (serialized.has_value()) {
60 std::optional<VerificationToken> deserialized =
61 deserializeVerificationToken(serialized.value());
62 }
63
64 std::vector<uint8_t> dataVector;
65 size_t size = mFdp->ConsumeIntegralInRange<size_t>(0, sizeof(hw_auth_token_t));
66 dataVector = mFdp->ConsumeBytes<uint8_t>(size);
67 support::blob2hidlVec(dataVector.data(), dataVector.size());
68
69 support::blob2hidlVec(dataVector);
70
71 std::string str = mFdp->ConsumeRandomLengthString(kMaxCharacters);
72 support::blob2hidlVec(str);
73
74 HardwareAuthToken authToken = support::hidlVec2AuthToken(dataVector);
75 hidl_vec<uint8_t> volatile hidlVector = support::authToken2HidlVec(authToken);
76 }
77
process(const uint8_t * data,size_t size)78 void KeyMaster4UtilsFuzzer::process(const uint8_t* data, size_t size) {
79 mFdp = std::make_unique<FuzzedDataProvider>(data, size);
80 invokeKeyMasterUtils();
81 }
82
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)83 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
84 KeyMaster4UtilsFuzzer kmUtilsFuzzer;
85 kmUtilsFuzzer.process(data, size);
86 return 0;
87 }
88
89 } // namespace android::hardware::keymaster::V4_0::fuzzer
90