1 /*
2  * Copyright (C) 2021 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at:
7  *
8  * http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  *
16  */
17 #include <hardware/hw_auth_token.h>
18 #include <keymasterV4_0/keymaster_utils.h>
19 #include "keymaster4_common.h"
20 
21 namespace android::hardware::keymaster::V4_0::fuzzer {
22 
23 using android::hardware::keymaster::V4_0::SecurityLevel;
24 using android::hardware::keymaster::V4_0::VerificationToken;
25 using android::hardware::keymaster::V4_0::support::deserializeVerificationToken;
26 using android::hardware::keymaster::V4_0::support::serializeVerificationToken;
27 
28 constexpr SecurityLevel kSecurityLevel[]{
29         SecurityLevel::SOFTWARE,
30         SecurityLevel::TRUSTED_ENVIRONMENT,
31         SecurityLevel::STRONGBOX,
32 };
33 constexpr size_t kMaxVectorSize = 100;
34 constexpr size_t kMaxCharacters = 100;
35 
36 class KeyMaster4UtilsFuzzer {
37   public:
38     void process(const uint8_t* data, size_t size);
39 
40   private:
41     void invokeKeyMasterUtils();
42     std::unique_ptr<FuzzedDataProvider> mFdp = nullptr;
43 };
44 
invokeKeyMasterUtils()45 void KeyMaster4UtilsFuzzer::invokeKeyMasterUtils() {
46     support::getOsVersion();
47     support::getOsPatchlevel();
48 
49     while (mFdp->remaining_bytes() > 0) {
50         auto keymaster_function = mFdp->PickValueInArray<const std::function<void()>>({
51                 [&]() {
52                     VerificationToken token;
53                     token.challenge = mFdp->ConsumeIntegral<uint64_t>();
54                     token.timestamp = mFdp->ConsumeIntegral<uint64_t>();
55                     token.securityLevel = mFdp->PickValueInArray(kSecurityLevel);
56                     size_t vectorSize = mFdp->ConsumeIntegralInRange<size_t>(0, kMaxVectorSize);
57                     token.mac.resize(vectorSize);
58                     for (size_t n = 0; n < vectorSize; ++n) {
59                         token.mac[n] = mFdp->ConsumeIntegral<uint8_t>();
60                     }
61                     std::optional<std::vector<uint8_t>> serialized =
62                             serializeVerificationToken(token);
63                     if (serialized.has_value()) {
64                         std::optional<VerificationToken> deserialized =
65                                 deserializeVerificationToken(serialized.value());
66                     }
67                 },
68                 [&]() {
69                     std::vector<uint8_t> dataVector;
70                     size_t size = mFdp->ConsumeIntegralInRange<size_t>(0, sizeof(hw_auth_token_t));
71                     dataVector = mFdp->ConsumeBytes<uint8_t>(size);
72                     support::blob2hidlVec(dataVector.data(), dataVector.size());
73                     support::blob2hidlVec(dataVector);
74                     HardwareAuthToken authToken = support::hidlVec2AuthToken(dataVector);
75                     hidl_vec<uint8_t> volatile hidlVector = support::authToken2HidlVec(authToken);
76                 },
77                 [&]() {
78                     std::string str = mFdp->ConsumeRandomLengthString(kMaxCharacters);
79                     support::blob2hidlVec(str);
80                 },
81         });
82         keymaster_function();
83     }
84     return;
85 }
86 
process(const uint8_t * data,size_t size)87 void KeyMaster4UtilsFuzzer::process(const uint8_t* data, size_t size) {
88     mFdp = std::make_unique<FuzzedDataProvider>(data, size);
89     invokeKeyMasterUtils();
90 }
91 
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)92 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
93     KeyMaster4UtilsFuzzer kmUtilsFuzzer;
94     kmUtilsFuzzer.process(data, size);
95     return 0;
96 }
97 
98 }  // namespace android::hardware::keymaster::V4_0::fuzzer
99