1 /*
2  * Copyright (C) 2021 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include "fuzzer/FuzzedDataProvider.h"
18 #include <inttypes.h>
19 #include <keystore/keystore_get.h>
20 
21 using namespace std;
22 
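// Upper bound for the fuzz-chosen key length.
constexpr int32_t kMaxKeySize = 256;
// Key-name prefixes the harness may put in front of the fuzzed suffix.
// Every entry needs its own trailing comma: adjacent string literals are
// concatenated by the compiler, so a missing comma silently merges two
// prefixes into one bogus entry and neither real prefix is ever exercised.
const std::string kValidStrKeyPrefix[] = {"USRSKEY_",
                                          "PLATFORM_VPN_",
                                          "USRPKEY_",
                                          "CACERT_",
                                          "VPN_",
                                          "USRCERT_",
                                          "WIFI_"};
// Marker written before the hex grant id when a grant is appended to the key.
constexpr char kStrGrantKeyPrefix[] = "ks2_keystore-engine_grant_id:";
// Fixed suffix used instead of fuzzed bytes on some iterations.
constexpr char kStrKeySuffix[] = "LOCKDOWN_VPN";
// Buffer size for the grant id rendered as hex; a uint64_t needs at most
// 16 hex digits plus the terminating NUL.
constexpr size_t kGrantIdSize = 20;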
34 
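// libFuzzer entry point: builds a key name from the fuzz input and passes it
// to keystore_get().
//
// The key is [optional known prefix] + [fixed or fuzzed suffix] +
// [optional grant marker and hex grant id]. The order in which bytes are
// consumed from the provider is kept stable so an existing corpus keeps its
// meaning.
//
// @param data  Raw fuzz input.
// @param size  Number of bytes in data.
// @return Always 0, as libFuzzer expects.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    FuzzedDataProvider fdp(data, size);
    const size_t keyLength = fdp.ConsumeIntegralInRange<size_t>(0, kMaxKeySize);
    const bool usePrefix = fdp.ConsumeBool();

    std::string strKeyPrefix;
    // Budget for the fuzzed suffix: never more than the bytes still available.
    size_t strKeySuffixLength = std::min(fdp.remaining_bytes(), keyLength);
    if (usePrefix) {
        strKeyPrefix = fdp.PickValueInArray(kValidStrKeyPrefix);
        // Use the prefix's character count. sizeof() on a std::string yields
        // the size of the string object, which shrinks the suffix budget by a
        // fixed amount unrelated to the chosen prefix and leaves short keys
        // with no fuzzed bytes at all.
        const size_t strKeyPrefixLength = strKeyPrefix.length();
        strKeySuffixLength = (strKeySuffixLength > strKeyPrefixLength)
                                     ? strKeySuffixLength - strKeyPrefixLength
                                     : 0;
    }

    const std::string strKeySuffix = fdp.ConsumeBool()
                                             ? std::string(kStrKeySuffix)
                                             : fdp.ConsumeBytesAsString(strKeySuffixLength);

    std::string strKey = usePrefix ? strKeyPrefix + strKeySuffix : strKeySuffix;
    if (fdp.ConsumeBool()) {
        const uint64_t grant = fdp.ConsumeIntegral<uint64_t>();
        char grantId[kGrantIdSize] = "";
        // snprintf bounds the write to the buffer and always NUL-terminates.
        snprintf(grantId, kGrantIdSize, "%" PRIx64, grant);
        strKey = strKey + std::string(kStrGrantKeyPrefix) + grantId;
    }

    const char* key = strKey.c_str();
    uint8_t* value = nullptr;
    // NOTE(review): strlen() stops at the first NUL, so a fuzzed suffix that
    // contains a zero byte is truncated before it reaches keystore_get() and
    // the grant part is dropped with it. keystore_get() takes an explicit
    // length; confirm whether embedded NULs should be exercised via
    // strKey.size() instead.
    keystore_get(key, strlen(key), &value);
    // free(nullptr) is a no-op, so this is safe if no value was returned.
    // The keystore_get() return value is not inspected by this harness.
    free(value);
    return 0;
}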