1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "cmusertrustedstore_fuzzer.h"
17
18 #include "cm_fuzz_test_common.h"
19 #include "cert_manager_api.h"
20 #include "cm_test_common.h"
21 #include "cm_cert_data_user.h"
22 #include "cm_ipc_client_serialization.h"
23 #include "cm_ipc_service.h"
24 #include "cm_param.h"
25 #include "cert_manager_status.h"
26
27 using namespace CmFuzzTest;
28 namespace OHOS {
29 constexpr uint32_t MIN_DATA_USE_TIME = 10;
InstallUserCert(uint8_t * tmpData,uint32_t * remainSize,uint32_t * offset,struct CmBlob * keyUri)30 static bool InstallUserCert(uint8_t *tmpData, uint32_t *remainSize, uint32_t *offset, struct CmBlob *keyUri)
31 {
32 uint32_t userId = TEST_USERID;
33 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
34 if (!GetUintFromBuffer(tmpData, remainSize, offset, &userId)) {
35 return false;
36 }
37 }
38
39 uint32_t status = CERT_STATUS_ENABLED;
40 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
41 if (!GetUintFromBuffer(tmpData, remainSize, offset, &status)) {
42 return false;
43 }
44 }
45 struct CmBlob userCert = { sizeof(g_certData01), const_cast<uint8_t *>(g_certData01) };
46 static uint8_t certAliasBuf01[] = "40dc992e";
47 struct CmBlob certAlias = { sizeof(certAliasBuf01), certAliasBuf01 };
48 struct CmParam params01[] = {
49 { .tag = CM_TAG_PARAM0_BUFFER, .blob = userCert },
50 { .tag = CM_TAG_PARAM1_BUFFER, .blob = certAlias },
51 { .tag = CM_TAG_PARAM0_UINT32, .uint32Param = userId },
52 { .tag = CM_TAG_PARAM1_UINT32, .uint32Param = status },
53 };
54 struct CmParamSet *paramSet01 = NULL;
55 int32_t ret = CmParamsToParamSet(params01, CM_ARRAY_SIZE(params01), ¶mSet01);
56 if (ret != CM_SUCCESS) {
57 return false;
58 }
59 struct CmBlob paramSetBlob = { paramSet01->paramSetSize, reinterpret_cast<uint8_t *>(paramSet01) };
60 (void)CmIpcServiceInstallUserCert(¶mSetBlob, keyUri, nullptr);
61 CmFreeParamSet(¶mSet01);
62 return true;
63 }
SetUserCertStatus(uint8_t * tmpData,uint32_t * remainSize,uint32_t * offset,struct CmBlob * keyUri)64 static bool SetUserCertStatus(uint8_t *tmpData, uint32_t *remainSize, uint32_t *offset, struct CmBlob *keyUri)
65 {
66 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
67 if (!GetCmBlobFromBuffer(tmpData, remainSize, offset, keyUri)) {
68 return false;
69 }
70 }
71 uint32_t store = CM_USER_TRUSTED_STORE;
72 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
73 if (!GetUintFromBuffer(tmpData, remainSize, offset, &store)) {
74 return false;
75 }
76 }
77
78 uint32_t state = CERT_STATUS_ENABLED;
79 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
80 if (!GetUintFromBuffer(tmpData, remainSize, offset, &state)) {
81 return false;
82 }
83 }
84
85 struct CmParam params02[] = {
86 { .tag = CM_TAG_PARAM0_BUFFER, .blob = *keyUri },
87 { .tag = CM_TAG_PARAM0_UINT32, .uint32Param = store },
88 { .tag = CM_TAG_PARAM1_UINT32, .uint32Param = state },
89 };
90
91 struct CmParamSet *paramSet02 = nullptr;
92 int32_t ret = CmParamsToParamSet(¶ms02[0], CM_ARRAY_SIZE(params02), ¶mSet02);
93 if (ret != CM_SUCCESS) {
94 return false;
95 }
96 struct CmBlob paramSetBlob = { paramSet02->paramSetSize, reinterpret_cast<uint8_t*>(paramSet02) };
97 (void)CmIpcServiceSetUserCertStatus(¶mSetBlob, nullptr, nullptr);
98 CmFreeParamSet(¶mSet02);
99 return true;
100 }
101
GetAllUserCert(uint8_t * tmpData,uint32_t * remainSize,uint32_t * offset)102 static bool GetAllUserCert(uint8_t *tmpData, uint32_t *remainSize, uint32_t *offset)
103 {
104 uint32_t store = CM_USER_TRUSTED_STORE;
105 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
106 if (!GetUintFromBuffer(tmpData, remainSize, offset, &store)) {
107 return false;
108 }
109 }
110 uint8_t *certListBlobData = reinterpret_cast<uint8_t *>(CmMalloc(CERT_LIST_LEN));
111 if (certListBlobData == nullptr) {
112 return false;
113 }
114 struct CmBlob certListBlob = { CERT_LIST_LEN, certListBlobData };
115 struct CmParam params03[] = {
116 { .tag = CM_TAG_PARAM0_UINT32, .uint32Param = store },
117 };
118 struct CmParamSet *paramSet03 = nullptr;
119 int32_t ret = CmParamsToParamSet(¶ms03[0], CM_ARRAY_SIZE(params03), ¶mSet03);
120 if (ret != CM_SUCCESS) {
121 CmFree(certListBlobData);
122 return false;
123 }
124 struct CmBlob paramSetBlob = { paramSet03->paramSetSize, reinterpret_cast<uint8_t*>(paramSet03) };
125 (void)CmIpcServiceGetUserCertList(¶mSetBlob, &certListBlob, nullptr);
126 CmFree(certListBlobData);
127 CmFreeParamSet(¶mSet03);
128 return true;
129 }
130
GetUserCert(uint8_t * tmpData,uint32_t * remainSize,uint32_t * offset,struct CmBlob * keyUri)131 static bool GetUserCert(uint8_t *tmpData, uint32_t *remainSize, uint32_t *offset, struct CmBlob *keyUri)
132 {
133 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
134 if (!GetCmBlobFromBuffer(tmpData, remainSize, offset, keyUri)) {
135 return false;
136 }
137 }
138 uint32_t store = CM_USER_TRUSTED_STORE;
139 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
140 if (!GetUintFromBuffer(tmpData, remainSize, offset, &store)) {
141 return false;
142 }
143 }
144 uint8_t *certInfoData = reinterpret_cast<uint8_t *>(CmMalloc(CERT_INFO_LEN));
145 if (certInfoData == nullptr) {
146 return false;
147 }
148 CmBlob certInfoBlob = { CERT_INFO_LEN, certInfoData };
149 struct CmParam params04[] = {
150 { .tag = CM_TAG_PARAM0_BUFFER, .blob = *keyUri },
151 { .tag = CM_TAG_PARAM0_UINT32, .uint32Param = store },
152 };
153 struct CmParamSet *paramSet04 = nullptr;
154 int32_t ret = CmParamsToParamSet(¶ms04[0], CM_ARRAY_SIZE(params04), ¶mSet04);
155 if (ret != CM_SUCCESS) {
156 CmFree(certInfoData);
157 return false;
158 }
159 struct CmBlob paramSetBlob = { paramSet04->paramSetSize, reinterpret_cast<uint8_t*>(paramSet04) };
160 (void)CmIpcServiceGetUserCertInfo(¶mSetBlob, &certInfoBlob, nullptr);
161 CmFree(certInfoData);
162 CmFreeParamSet(¶mSet04);
163 return true;
164 }
165
UnInstallUserCert(uint8_t * tmpData,uint32_t * remainSize,uint32_t * offset,struct CmBlob * keyUri)166 static bool UnInstallUserCert(uint8_t *tmpData, uint32_t *remainSize, uint32_t *offset, struct CmBlob *keyUri)
167 {
168 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
169 if (!GetCmBlobFromBuffer(tmpData, remainSize, offset, keyUri)) {
170 return false;
171 }
172 }
173
174 uint32_t store = CM_USER_TRUSTED_STORE;
175 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
176 if (!GetUintFromBuffer(tmpData, remainSize, offset, &store)) {
177 return false;
178 }
179 }
180 struct CmParam params05[] = {
181 { .tag = CM_TAG_PARAM0_BUFFER, .blob = *keyUri },
182 { .tag = CM_TAG_PARAM0_UINT32, .uint32Param = store },
183 };
184 struct CmParamSet *paramSet05 = NULL;
185 int32_t ret = CmParamsToParamSet(params05, CM_ARRAY_SIZE(params05), ¶mSet05);
186 if (ret != CM_SUCCESS) {
187 return false;
188 }
189 struct CmBlob paramSetBlob = { paramSet05->paramSetSize, reinterpret_cast<uint8_t *>(paramSet05) };
190 (void)CmIpcServiceUninstallUserCert(¶mSetBlob, nullptr, nullptr);
191 CmFreeParamSet(¶mSet05);
192 return true;
193 }
194
DoSomethingInterestingWithMyAPI(const uint8_t * data,size_t size)195 bool DoSomethingInterestingWithMyAPI(const uint8_t* data, size_t size)
196 {
197 uint8_t *tmpData = nullptr;
198 if (!CopyMyData(data, size, sizeof(uint32_t) * MIN_DATA_USE_TIME, &tmpData)) {
199 return false;
200 }
201
202 uint32_t remainSize = static_cast<uint32_t>(size);
203 uint32_t offset = 0;
204 CertmanagerTest::SetATPermission();
205
206 bool ret = false;
207 uint8_t keyUriData[] = "1d3472b9.0";
208 struct CmBlob keyUri = { sizeof(keyUriData), &keyUriData[0] };
209
210 do {
211 if (!InstallUserCert(tmpData, &remainSize, &offset, &keyUri)) {
212 break;
213 }
214
215 if (!SetUserCertStatus(tmpData, &remainSize, &offset, &keyUri)) {
216 break;
217 }
218
219 if (!GetAllUserCert(tmpData, &remainSize, &offset)) {
220 break;
221 }
222
223 if (!GetUserCert(tmpData, &remainSize, &offset, &keyUri)) {
224 break;
225 }
226
227 if (!UnInstallUserCert(tmpData, &remainSize, &offset, &keyUri)) {
228 break;
229 }
230 ret = true;
231 } while (0);
232 (void)CmIpcServiceUninstallAllUserCert(nullptr, nullptr, nullptr);
233 CmFree(tmpData);
234 return ret;
235 }
236 }
237
238
239 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)240 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
241 {
242 /* Run your code on data */
243 OHOS::DoSomethingInterestingWithMyAPI(data, size);
244 return 0;
245 }
246
247