1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "dslm_fuzzer.h"
17
18 #include "parcel.h"
19 #include "securec.h"
20
21 #include "device_security_defines.h"
22 #include "device_security_info.h"
23 #include "device_security_level_callback_stub.h"
24 #include "dslm_core_process.h"
25 #include "dslm_credential.h"
26 #include "dslm_credential_utils.h"
27 #include "dslm_device_list.h"
28 #include "dslm_hidumper.h"
29 #include "dslm_hievent.h"
30 #include "dslm_messenger_wrapper.h"
31 #include "dslm_msg_serialize.h"
32 #include "dslm_msg_utils.h"
33 #include "dslm_rpc_process.h"
34 #include "dslm_service.h"
35 #include "hks_adapter.h"
36 #include "messenger_device_socket_manager.h"
37 #include "messenger_device_status_manager.h"
38 #include "utils_base64.h"
39 #include "utils_mem.h"
40 #include "utils_tlv.h"
41
42 #define CNT 1000
43 #define ITEMSTATE 4
44 #define MAX_ENTRY 8
45 #define MAX_MALLOC_LEN (1 * 1024 * 1024)
46 #define INIT_MAX 3
47 #define PTR_LEN 4
48 #define BLOB_SIZE 5
49
50 extern "C" int32_t OnPeerMsgReceived(const DeviceIdentify *devId, const uint8_t *msg, uint32_t len);
51 extern "C" int32_t OnSendResultNotifier(const DeviceIdentify *devId, uint64_t transNo, uint32_t result);
52 extern "C" bool MessengerGetDeviceOnlineStatus(const DeviceIdentify *devId, int32_t *level);
53
54 namespace OHOS {
55 namespace Security {
56 namespace DeviceSecurityLevel {
57 namespace {
58 const uint8_t mockBuffer[DEVICE_ID_MAX_LEN] = {0};
59
60 DslmService g_dslmService(DEVICE_SECURITY_LEVEL_MANAGER_SA_ID, true);
61 static int32_t g_init = 0;
62
63 const char *g_cred = "eyJ0eXAiOiAiRFNMIn0=.eyJ0eXBlIjogImRlYnVnIiwgIm1h"
64 "bnVmYWN0dXJlIjogIk9IT1MiLCAiYnJhbmQiOiAicmszNTY4IiwgIm1vZGVsIjog"
65 "InJrMzU2OCIsICJzb2Z0d2FyZVZlcnNpb24iOiAiMy4wLjAiLCAic2VjdXJpdHlM"
66 "ZXZlbCI6ICJTTDMiLCAic2lnblRpbWUiOiAiMjAyMjExMjYxNzMzNDMiLCAidmVy"
67 "c2lvbiI6ICIxLjAuMSJ9.MGUCMEPpiP8hOZlve/H81B7AvL4Fuwe8YYAdKckLEOc"
68 "EQKKTiNRM6irjXSwboMppAFNMSgIxAILC1S6KMp6Zp2ACppXF3j3fV0PBdLZOSO1"
69 "Lm9sqtdiJ5FidaAaMYlwdLMy3vfBeSg==.W3sidXNlclB1YmxpY0tleSI6ICJNSG"
70 "93RkFZSEtvWkl6ajBDQVFZSkt5UURBd0lJQVFFTEEySUFCQiszTHJWUU13cWlwc2"
71 "VnOUFBT0twMDJFeDNKOTJlUzdrK0k5cFJPWnVvOFZFQmVvbzF6Ris2MWhtVU5TMm"
72 "tjN0c3NTBVOExOT2pUamhUVGp2NW1CQjdBdnhnUDMwc3d3SDJ1dFVoczhGRzAwQU"
73 "xsOUZuWFZsSmNpaGo5SGJ0WjNnPT0iLCAic2lnbmF0dXJlIjogIk1HVUNNUUNIUV"
74 "dzYXNYc1NpL3dJUThmWW5PRlhsaWhTem5ETG1RSjBEOGp4U3RVM2Z2bk4xZkgzUV"
75 "JJUnRzM1lIK293bE9zQ01EY2pJU0pOK2J6M2g0VUU2UTl1NW92K0RHcFRHL2Vqd0"
76 "xTU2FyMHJzZ09ZSVovODdRb0p2QllaM2hFamlDcWQ1dz09In0sIHsidXNlclB1Ym"
77 "xpY0tleSI6ICJNSG93RkFZSEtvWkl6ajBDQVFZSkt5UURBd0lJQVFFTEEySUFCRk"
78 "RMR2M4YlhQT2RBYVpLN25OQUZrYkRoVHBwcTNaQW92T3FKZDJKMy9vdW14eG84Qn"
79 "Q4ZGhiQjBtR3FHQjE4V0hpTkUwNFRCS1RvYU9lQ3NtZEZ0dUtXcEtwZEtIRDdGL3"
80 "YvaXhxbHd6MnMzSk9scFQ3dUQzbjNieHFaVHJzMnFnPT0iLCAic2lnbmF0dXJlIj"
81 "ogIk1HUUNNSGthczBkZDgwUVpiQVB6eElhMXhBYmd1WlhwNjU0T29rL2VGR2M0ek"
82 "tLczlqYjVKK24waHJDcytoa0JrR0N0b3dJd1pYcGlYUjRiS1h3RUlTZmdpSDI4dk"
83 "ZaZVQxcFJCcnFkSHd2d3ErOXcrdWQzMkhkeC90YWhHZ1kySHVZZFNHZDUifSwgey"
84 "J1c2VyUHVibGljS2V5IjogIk1Ib3dGQVlIS29aSXpqMENBUVlKS3lRREF3SUlBUU"
85 "VMQTJJQUJEVTVaYkhESGl2TGgzRFN4UDEwbGluL2FIMXJabG1XMnBMZ3JwZ3BiL0"
86 "lnWkkrMzJyWC9QdFhURGZWYmVyRG93VkhURTJ0MFZMNzlnQ2wrbUVCL1dBeDVEZW"
87 "1lamlMNTJ6S0l6M2RTNWJxVHdYVExvRHZTSml3Z3dxYmZPMEZtK3c9PSIsICJzaW"
88 "duYXR1cmUiOiAiTUdRQ01HWlI0MUdsd1RnL0xUMGtFT3lTZnRHTDBlV04zb2dXdF"
89 "o0NTZ2VkdqMm56WnhsamFlN2pveWw4cWZHNjZSTUdTQUl3S2M3V2VpQ1c1UlFGSj"
90 "ROWitSRUErNVNpMHhRVFpOdzlhb1FTUG5LVTA0L2ZIWUhkVERNWitncUY3U3RJMD"
91 "ZTbSJ9XQ==";
92
93 typedef struct {
94 uint32_t code;
95 void (*process)(DeviceIdentify *deviceIdentify, Parcel &parcel);
96 } DslmFuzzerTable;
97
OnPeerMsgReceivedTest1(DeviceIdentify * deviceIdentify,Parcel & parcel)98 void OnPeerMsgReceivedTest1(DeviceIdentify *deviceIdentify, Parcel &parcel)
99 {
100 uint8_t jsonString[] = R"(
101 {"message":0, "payload":111}
102 )";
103 (void)OnPeerMsgReceived(deviceIdentify, jsonString, sizeof(jsonString));
104 }
105
OnPeerMsgReceivedTest2(DeviceIdentify * deviceIdentify,Parcel & parcel)106 void OnPeerMsgReceivedTest2(DeviceIdentify *deviceIdentify, Parcel &parcel)
107 {
108 uint8_t jsonString[] = R"(
109 {"message":1, "payload":{"challenge":"0102030405060708"}}
110 )";
111 (void)OnPeerMsgReceived(deviceIdentify, jsonString, sizeof(jsonString));
112 }
113
OnPeerMsgReceivedTest3(DeviceIdentify * deviceIdentify,Parcel & parcel)114 void OnPeerMsgReceivedTest3(DeviceIdentify *deviceIdentify, Parcel &parcel)
115 {
116 uint8_t jsonString[] = R"(
117 {"message":2, "payload":222}
118 )";
119 (void)OnPeerMsgReceived(deviceIdentify, jsonString, sizeof(jsonString));
120
121 uint32_t len = 0;
122 (void)OnPeerMsgReceived(deviceIdentify, jsonString, len);
123 }
124
ServiceTest(DeviceIdentify * deviceIdentify,Parcel & parcel)125 void ServiceTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
126 {
127 if (g_init < INIT_MAX) {
128 uint8_t jsonString[] = R"(
129 {"message":0, "payload":111}
130 )";
131 uint64_t transNo = 1;
132 static DeviceIdentify self = {0, {0}};
133 int32_t level;
134 (void)InitService();
135 (void)MessengerGetDeviceOnlineStatus(deviceIdentify, &level);
136 (void)MessengerGetDeviceOnlineStatus(nullptr, &level);
137 (void)MessengerGetSelfDeviceIdentify(&self, &level);
138 (void)MessengerGetSelfDeviceIdentify(nullptr, &level);
139 MessengerSendMsgTo(transNo, deviceIdentify, jsonString, sizeof(jsonString));
140 g_init++;
141 }
142 }
143
OnSendResultNotifierTest(DeviceIdentify * deviceIdentify,Parcel & parcel)144 void OnSendResultNotifierTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
145 {
146 const DeviceIdentify identify = {DEVICE_ID_MAX_LEN, {0}};
147 (void)OnSendResultNotifier(&identify, 0, SUCCESS);
148 }
149
VerifyDslmCredentialTest(DeviceIdentify * deviceIdentify,Parcel & parcel)150 void VerifyDslmCredentialTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
151 {
152 DslmCredInfo info;
153 AttestationList list;
154 memset_s(&info, sizeof(DslmCredInfo), 0, sizeof(DslmCredInfo));
155 memset_s(&list, sizeof(AttestationList), 0, sizeof(AttestationList));
156
157 (void)VerifyDslmCredential(g_cred, &info, &list);
158 (void)VerifyDslmCredential(nullptr, &info, &list);
159 FreeAttestationList(&list);
160 }
161
MessengerSendMsgToTest(DeviceIdentify * deviceIdentify,Parcel & parcel)162 void MessengerSendMsgToTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
163 {
164 uint8_t jsonString[] = R"(
165 {"message":0, "payload":111}
166 )";
167 uint64_t transNo = 1;
168 static DeviceIdentify self = {0, {0}};
169 int32_t level;
170 (void)MessengerGetSelfDeviceIdentify(&self, &level);
171 MessengerSendMsgTo(transNo, deviceIdentify, jsonString, sizeof(jsonString));
172 MessengerSendMsgTo(transNo, nullptr, jsonString, sizeof(jsonString));
173 }
174
OnPeerStatusReceiverTest(DeviceIdentify * deviceIdentify,Parcel & parcel)175 void OnPeerStatusReceiverTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
176 {
177 uint32_t status = parcel.ReadUint32() % 2;
178 int32_t level = -1;
179 (void)MessengerGetDeviceOnlineStatus(deviceIdentify, &level);
180 (void)MessengerGetDeviceOnlineStatus(nullptr, &level);
181 (void)OnPeerStatusReceiver(deviceIdentify, status, level);
182 }
183
DslmDumperTest(DeviceIdentify * deviceIdentify,Parcel & parcel)184 void DslmDumperTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
185 {
186 DslmDumper(-1);
187 }
188
VerifyOhosDslmCredTest(DeviceIdentify * deviceIdentify,Parcel & parcel)189 void VerifyOhosDslmCredTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
190 {
191 const DeviceIdentify device = {DEVICE_ID_MAX_LEN, {'a', 'b', 'c', 'd', 'e', 'f', 'a', 'b'}};
192 uint64_t challenge = 0x1234;
193 uint8_t info[] = {'a', 'b', 'c', 'd', 1, 3, 5, 7, 9};
194 DslmCredBuff cred = {CRED_TYPE_STANDARD, 9, info};
195 DslmCredInfo credInfo;
196 (void)memset_s(&credInfo, sizeof(DslmCredInfo), 0, sizeof(DslmCredInfo));
197 (void)VerifyOhosDslmCred(&device, challenge, &cred, &credInfo);
198
199 cred.type = CRED_TYPE_LARGE;
200 (void)VerifyOhosDslmCred(&device, challenge, &cred, &credInfo);
201 (void)VerifyOhosDslmCred(nullptr, challenge, &cred, &credInfo);
202 }
203
RequestDeviceSecurityInfoTest(DeviceIdentify * deviceIdentify,Parcel & parcel)204 void RequestDeviceSecurityInfoTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
205 {
206 DeviceIdentify device = {DEVICE_ID_MAX_LEN, {0}};
207 int32_t level = 0;
208 DeviceSecurityInfo *info = nullptr;
209 (void)RequestDeviceSecurityInfo(&device, nullptr, &info);
210 (void)GetDeviceSecurityLevelValue(info, &level);
211 FreeDeviceSecurityInfo(info);
212 }
213
GetPeerDeviceOnlineStatusTest(DeviceIdentify * deviceIdentify,Parcel & parcel)214 void GetPeerDeviceOnlineStatusTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
215 {
216 int32_t level;
217 (void)GetPeerDeviceOnlineStatus(deviceIdentify, &level);
218 (void)GetPeerDeviceOnlineStatus(nullptr, nullptr);
219 }
220
Base64EncodeAppTest(DeviceIdentify * deviceIdentify,Parcel & parcel)221 void Base64EncodeAppTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
222 {
223 uint8_t src[] = {'a', 'b', 'c', 'd', '\0'};
224 uint32_t maxStrLen = 4;
225
226 (void)Base64EncodeApp(nullptr, sizeof(src));
227 (void)Base64EncodeApp(src, maxStrLen);
228 }
229
SerializeTest(DeviceIdentify * deviceIdentify,Parcel & parcel)230 void SerializeTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
231 {
232 uint32_t size = 0;
233 int i = 0;
234 TlvCommon tlvs[MAX_ENTRY];
235
236 uint8_t buff[MAX_ENTRY * sizeof(TlvCommon)] = {0};
237 size = 0;
238 (void)memset_s(&buff[0], sizeof(buff), 0, sizeof(buff));
239 (void)memset_s(&tlvs[0], sizeof(tlvs), 0, sizeof(tlvs));
240
241 for (i = 0; i < MAX_ENTRY; i++) {
242 TlvCommon *ptr = (TlvCommon *)tlvs + i;
243 ptr->tag = 0x105;
244 ptr->len = PTR_LEN;
245 ptr->value = nullptr;
246 }
247
248 (void)Serialize(tlvs, MAX_ENTRY, buff, sizeof(buff), &size);
249 (void)Serialize(nullptr, MAX_ENTRY, buff, sizeof(buff), &size);
250 }
251
BufferToHksCertChainTest(DeviceIdentify * deviceIdentify,Parcel & parcel)252 void BufferToHksCertChainTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
253 {
254 uint8_t buff[8];
255 uint32_t len = 8;
256 uint8_t *data;
257 memset_s(buff, sizeof(buff), 'c', sizeof(buff));
258 TlvCommon *ptr = (TlvCommon *)buff;
259 ptr->tag = 0x110;
260 ptr->len = PTR_LEN;
261 struct HksCertChain chain;
262 memset_s(&chain, sizeof(struct HksCertChain), 0, sizeof(struct HksCertChain));
263 CredType credType = CRED_TYPE_STANDARD;
264
265 (void)BufferToHksCertChain(buff, len, &chain);
266 (void)BufferToHksCertChain(nullptr, len, &chain);
267 (void)CreateDslmCred(credType, len, buff);
268 (void)CreateDslmCred(credType, len, nullptr);
269 (void)HksCertChainToBuffer(&chain, &data, &len);
270 (void)HksCertChainToBuffer(nullptr, &data, &len);
271 }
272
DestroyHksCertChainTest(DeviceIdentify * deviceIdentify,Parcel & parcel)273 void DestroyHksCertChainTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
274 {
275 struct HksCertChain *chain = (struct HksCertChain *)MALLOC(sizeof(struct HksCertChain));
276 struct HksBlob *blob = (struct HksBlob *)MALLOC(sizeof(struct HksBlob));
277 blob->size = BLOB_SIZE;
278 blob->data = nullptr;
279 chain->certs = blob;
280 chain->certsCount = 1;
281
282 DestroyHksCertChain(chain);
283 DestroyHksCertChain(nullptr);
284 }
285
DefaultInitDslmCredTest(DeviceIdentify * deviceIdentify,Parcel & parcel)286 void DefaultInitDslmCredTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
287 {
288 DslmCredInfo credInfo;
289 DefaultInitDslmCred(&credInfo);
290 }
291
BuildDeviceSecInfoResponseTest(DeviceIdentify * deviceIdentify,Parcel & parcel)292 void BuildDeviceSecInfoResponseTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
293 {
294 uint64_t challenge = 0x1234;
295 uint8_t info[] = {'a', 'b', 'c', 'd', 1, 3, 5, 7, 9};
296 DslmCredBuff cred = {CRED_TYPE_STANDARD, 9, info};
297 MessageBuff *msg = NULL;
298 (void)BuildDeviceSecInfoResponse(challenge, &cred, &msg);
299 (void)BuildDeviceSecInfoResponse(challenge, nullptr, &msg);
300 }
301
ReportHiEventTest(DeviceIdentify * deviceIdentify,Parcel & parcel)302 void ReportHiEventTest(DeviceIdentify *deviceIdentify, Parcel &parcel)
303 {
304 uint32_t errorType = ERR_MSG_NOT_INIT;
305 ReportHiEventServiceStartFailed(errorType);
306
307 DslmDeviceInfo *info = (DslmDeviceInfo *)MALLOC(sizeof(DslmDeviceInfo));
308 (void)memset_s(info, sizeof(DslmDeviceInfo), 0, sizeof(DslmDeviceInfo));
309 info->lastRequestTime = 10U;
310 ReportHiEventInfoSync(nullptr);
311 ReportHiEventInfoSync(info);
312 ReportHiEventAppInvoke(nullptr);
313 FREE(info);
314 info = nullptr;
315 }
316
317 DslmFuzzerTable g_fuzzerTable[] = {{0, OnPeerMsgReceivedTest1}, {1, OnPeerMsgReceivedTest2},
318 {2, OnPeerMsgReceivedTest3}, {3, ServiceTest}, {4, OnSendResultNotifierTest}, {5, VerifyDslmCredentialTest},
319 {6, MessengerSendMsgToTest}, {7, OnPeerStatusReceiverTest}, {8, DslmDumperTest}, {9, VerifyOhosDslmCredTest},
320 {10, RequestDeviceSecurityInfoTest}, {11, GetPeerDeviceOnlineStatusTest}, {12, Base64EncodeAppTest},
321 {13, SerializeTest}, {14, BufferToHksCertChainTest}, {15, DestroyHksCertChainTest}, {16, DefaultInitDslmCredTest},
322 {17, BuildDeviceSecInfoResponseTest}, {18, ReportHiEventTest}};
323
OnPeerMsgReceivedFuzzer(Parcel & parcel)324 void OnPeerMsgReceivedFuzzer(Parcel &parcel)
325 {
326 SECURITY_LOG_INFO("begin");
327 DeviceIdentify deviceIdentify = {};
328 deviceIdentify.length = DEVICE_ID_MAX_LEN;
329 const uint8_t *buffer = parcel.ReadBuffer(DEVICE_ID_MAX_LEN);
330 if (buffer != nullptr) {
331 (void)memcpy_s(deviceIdentify.identity, DEVICE_ID_MAX_LEN, buffer, DEVICE_ID_MAX_LEN);
332 }
333
334 static int cnt = 0;
335 cnt++;
336 if (cnt <= CNT) {
337 DslmDeviceInfo *info = CreatOrGetDslmDeviceInfo(&deviceIdentify);
338 if (info != nullptr) {
339 info->machine.currState = parcel.ReadUint32() % ITEMSTATE;
340 }
341 }
342
343 uint32_t a = parcel.ReadUint32() % 19;
344 for (uint32_t i = 0; i < sizeof(g_fuzzerTable) / sizeof(DslmFuzzerTable); ++i) {
345 if (g_fuzzerTable[i].code == a) {
346 g_fuzzerTable[i].process(&deviceIdentify, parcel);
347 }
348 }
349
350 SECURITY_LOG_INFO("end");
351 }
352
OnRemoteRequestFuzzer(Parcel & parcel)353 void OnRemoteRequestFuzzer(Parcel &parcel)
354 {
355 SECURITY_LOG_INFO("begin");
356 MessageParcel data;
357 MessageParcel reply;
358 MessageOption option;
359
360 data.WriteInterfaceToken(IDeviceSecurityLevel::GetDescriptor());
361
362 /* DeviceIdentify */
363 data.WriteUint32(parcel.ReadUint32());
364 const uint8_t *buffer = parcel.ReadBuffer(DEVICE_ID_MAX_LEN);
365 if (buffer == nullptr) {
366 data.WriteBuffer(mockBuffer, DEVICE_ID_MAX_LEN);
367 } else {
368 data.WriteBuffer(buffer, DEVICE_ID_MAX_LEN);
369 }
370
371 /* option */
372 data.WriteUint64(parcel.ReadUint64());
373 data.WriteUint32(parcel.ReadUint32());
374 data.WriteUint32(parcel.ReadUint32());
375
376 sptr<IRemoteObject> callback = new (std::nothrow) DeviceSecurityLevelCallbackStub(
377 [](uint32_t code, MessageParcel &data, MessageParcel &reply, MessageOption &option) {
378 SECURITY_LOG_INFO("DeviceSecurityLevelCallbackStub called");
379 return 0;
380 });
381 /* callback */
382 data.WriteRemoteObject(callback);
383 /* cookie */
384 data.WriteUint32(parcel.ReadUint32());
385
386 g_dslmService.OnRemoteRequest(parcel.ReadUint32(), data, reply, option);
387 SECURITY_LOG_INFO("end");
388 }
389
DslmFuzzTest(const uint8_t * data,size_t size)390 void DslmFuzzTest(const uint8_t *data, size_t size)
391 {
392 Parcel parcel;
393 parcel.WriteBuffer(data, size);
394 parcel.RewindRead(0);
395 if (parcel.ReadBool()) {
396 OnPeerMsgReceivedFuzzer(parcel);
397 } else {
398 OnRemoteRequestFuzzer(parcel);
399 }
400 }
401 } // namespace
402 } // namespace DeviceSecurityLevel
403 } // namespace Security
404 } // namespace OHOS
405
406 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)407 extern "C" int32_t LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
408 {
409 static int initCount = 0;
410 if (initCount == 0) {
411 const ProcessDslmCredFunctions func = {
412 .initFunc = InitOhosDslmCred,
413 .requestFunc = RequestOhosDslmCred,
414 .verifyFunc = VerifyOhosDslmCred,
415 .credTypeCnt = 2,
416 .credTypeArray = {CRED_TYPE_STANDARD, CRED_TYPE_SMALL},
417 };
418 InitDslmCredentialFunctions(&func);
419 initCount = 1;
420 }
421 OHOS::Security::DeviceSecurityLevel::DslmFuzzTest(data, size);
422 return 0;
423 }
424