1 /*
2 * Copyright (C) 2021 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 *
16 */
17 #include <hardware/hw_auth_token.h>
18 #include <keymasterV4_0/keymaster_utils.h>
19 #include "keymaster4_common.h"
20
21 namespace android::hardware::keymaster::V4_0::fuzzer {
22
23 using android::hardware::keymaster::V4_0::SecurityLevel;
24 using android::hardware::keymaster::V4_0::VerificationToken;
25 using android::hardware::keymaster::V4_0::support::deserializeVerificationToken;
26 using android::hardware::keymaster::V4_0::support::serializeVerificationToken;
27
28 constexpr SecurityLevel kSecurityLevel[]{
29 SecurityLevel::SOFTWARE,
30 SecurityLevel::TRUSTED_ENVIRONMENT,
31 SecurityLevel::STRONGBOX,
32 };
33 constexpr size_t kMaxVectorSize = 100;
34 constexpr size_t kMaxCharacters = 100;
35
36 class KeyMaster4UtilsFuzzer {
37 public:
38 void process(const uint8_t* data, size_t size);
39
40 private:
41 void invokeKeyMasterUtils();
42 std::unique_ptr<FuzzedDataProvider> mFdp = nullptr;
43 };
44
invokeKeyMasterUtils()45 void KeyMaster4UtilsFuzzer::invokeKeyMasterUtils() {
46 support::getOsVersion();
47 support::getOsPatchlevel();
48
49 while (mFdp->remaining_bytes() > 0) {
50 auto keymaster_function = mFdp->PickValueInArray<const std::function<void()>>({
51 [&]() {
52 VerificationToken token;
53 token.challenge = mFdp->ConsumeIntegral<uint64_t>();
54 token.timestamp = mFdp->ConsumeIntegral<uint64_t>();
55 token.securityLevel = mFdp->PickValueInArray(kSecurityLevel);
56 size_t vectorSize = mFdp->ConsumeIntegralInRange<size_t>(0, kMaxVectorSize);
57 token.mac.resize(vectorSize);
58 for (size_t n = 0; n < vectorSize; ++n) {
59 token.mac[n] = mFdp->ConsumeIntegral<uint8_t>();
60 }
61 std::optional<std::vector<uint8_t>> serialized =
62 serializeVerificationToken(token);
63 if (serialized.has_value()) {
64 std::optional<VerificationToken> deserialized =
65 deserializeVerificationToken(serialized.value());
66 }
67 },
68 [&]() {
69 std::vector<uint8_t> dataVector;
70 size_t size = mFdp->ConsumeIntegralInRange<size_t>(0, sizeof(hw_auth_token_t));
71 dataVector = mFdp->ConsumeBytes<uint8_t>(size);
72 support::blob2hidlVec(dataVector.data(), dataVector.size());
73 support::blob2hidlVec(dataVector);
74 HardwareAuthToken authToken = support::hidlVec2AuthToken(dataVector);
75 hidl_vec<uint8_t> volatile hidlVector = support::authToken2HidlVec(authToken);
76 },
77 [&]() {
78 std::string str = mFdp->ConsumeRandomLengthString(kMaxCharacters);
79 support::blob2hidlVec(str);
80 },
81 });
82 keymaster_function();
83 }
84 return;
85 }
86
process(const uint8_t * data,size_t size)87 void KeyMaster4UtilsFuzzer::process(const uint8_t* data, size_t size) {
88 mFdp = std::make_unique<FuzzedDataProvider>(data, size);
89 invokeKeyMasterUtils();
90 }
91
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)92 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
93 KeyMaster4UtilsFuzzer kmUtilsFuzzer;
94 kmUtilsFuzzer.process(data, size);
95 return 0;
96 }
97
98 } // namespace android::hardware::keymaster::V4_0::fuzzer
99