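--- a/security/keymint/support/fuzzer/Android.bp
+++ b/security/keymint/support/fuzzer/Android.bp
@@ -92,3 +92,14 @@ cc_fuzz {
         "keymint_remote_fuzzer_defaults",
     ],
 }
+
+cc_fuzz {
+    name: "keymint_rkpsupport_fuzzer",
+    srcs: [
+        "keymint_rkpsupport_fuzzer.cpp",
+    ],
+    defaults: [
+        "keymint_fuzzer_defaults",
+        "keymint_remote_fuzzer_defaults",
+    ],
+}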
security/keymint/support/fuzzer/README.md +28 −0 Original line number Original line Diff line number Diff line Loading @@ -13,6 +13,7 @@ The plugins feed the entire input data to the module. This ensures that the plug + [keymint_attestation_fuzzer](#KeyMintAttestation) + [keymint_attestation_fuzzer](#KeyMintAttestation) + [keymint_authSet_fuzzer](#KeyMintAuthSet) + [keymint_authSet_fuzzer](#KeyMintAuthSet) + [keymint_remote_prov_fuzzer](#KeyMintRemoteProv) + [keymint_remote_prov_fuzzer](#KeyMintRemoteProv) + [keymint_rkpsupport_fuzzer](#KeyMintRemoteKeyProvSupport) # <a name="KeyMintAttestation"></a> Fuzzer for KeyMintAttestation # <a name="KeyMintAttestation"></a> Fuzzer for KeyMintAttestation KeyMintAttestation supports the following parameters: KeyMintAttestation supports the following parameters: Loading Loading 
@@ -101,3 +102,30 @@ $ mm -j$(nproc) keymint_remote_prov_fuzzer $ adb sync data $ adb sync data $ adb shell /data/fuzz/arm64/keymint_remote_prov_fuzzer/keymint_remote_prov_fuzzer $ adb shell /data/fuzz/arm64/keymint_remote_prov_fuzzer/keymint_remote_prov_fuzzer ``` ``` # <a name="KeyMintRemoteKeyProvSupport"></a> Fuzzer for KeyMintRemoteKeyProvSupport KeyMintRemoteKeyProvSupport supports the following parameters: 1. SupportedEekCurve(parameter name: "supportedEekCurve") 2. Length(parameter name: "length") 3. SerialNumberProp(parameter name: "serialNoProp") 4. InstanceName(parameter name: "instanceName") 5. Value(parameter name: "value") | Parameter| Valid Values| Configured Value| |------------- |--------------| -------------------- | |`supportedEekCurve`| `uint8_t` |Value obtained from FuzzedDataProvider| |`length`| `uint8_t` |Value obtained from FuzzedDataProvider| |`serialNoProp`| `string` |Value obtained from FuzzedDataProvider| |`instanceName`| `string` |Value obtained from FuzzedDataProvider| |`value`| `uint8_t` |Value obtained from FuzzedDataProvider| #### Steps to run 1. Build the fuzzer ``` $ mm -j$(nproc) keymint_rkpsupport_fuzzer ``` 2. Run on device ``` $ adb sync data $ adb shell /data/fuzz/arm64/keymint_rkpsupport_fuzzer/keymint_rkpsupport_fuzzer ```
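--- a/security/keymint/support/fuzzer/keymint_rkpsupport_fuzzer.cpp
+++ b/security/keymint/support/fuzzer/keymint_rkpsupport_fuzzer.cpp
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2024 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+#include <fuzzer/FuzzedDataProvider.h>
+#include <remote_prov/remote_prov_utils.h>
+
+namespace android::hardware::security::keymint_support::fuzzer {
+
+using namespace aidl::android::hardware::security::keymint::remote_prov;
+
+constexpr size_t kMaxBytes = 128;
+
+class KeyMintRemoteKeyProvSupport {
+  public:
+    KeyMintRemoteKeyProvSupport(const uint8_t* data, size_t size) : mFdp(data, size) {}
+    void process();
+
+  private:
+    FuzzedDataProvider mFdp;
+};
+
+void KeyMintRemoteKeyProvSupport::process() {
+    while (mFdp.remaining_bytes()) {
+        auto invokeProvAPI = mFdp.PickValueInArray<const std::function<void()>>({
+                [&]() {
+                    std::vector<uint8_t> eekId;
+                    if (mFdp.ConsumeBool()) {
+                        eekId = mFdp.ConsumeBytes<uint8_t>(kMaxBytes);
+                    }
+                    generateEekChain(mFdp.ConsumeIntegral<uint8_t>() /* supportedEekCurve */,
+                                     mFdp.ConsumeIntegral<uint8_t>() /* length */, eekId);
+                },
+                [&]() { getProdEekChain(mFdp.ConsumeIntegral<uint8_t>() /* supportedEekCurve */); },
+                [&]() {
+                    std::string serialNoProp = mFdp.ConsumeRandomLengthString(kMaxBytes);
+                    std::string instanceName = mFdp.ConsumeRandomLengthString(kMaxBytes);
+                    cppbor::Array array;
+                    array.add(mFdp.ConsumeIntegral<uint8_t>() /* value */);
+                    jsonEncodeCsrWithBuild(instanceName, array, serialNoProp);
+                },
+        });
+        invokeProvAPI();
+    }
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+    KeyMintRemoteKeyProvSupport keymintRKPSupport(data, size);
+    keymintRKPSupport.process();
+    return 0;
+}
+
+} // namespace android::hardware::security::keymint_support::fuzzer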
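Review bot: In the first lambda of `process()`, the two `mFdp.ConsumeIntegral<uint8_t>()` calls are passed directly as arguments of one `generateEekChain(...)` call, and C++ leaves the evaluation order of function arguments unspecified, so which input byte becomes `supportedEekCurve` and which becomes `length` can differ between compilers or optimisation levels. A saved crash input or corpus entry may then fail to reproduce on another toolchain. Consume the values into locals first: `const auto curve = mFdp.ConsumeIntegral<uint8_t>();`, `const auto length = mFdp.ConsumeIntegral<uint8_t>();`, then `generateEekChain(curve, length, eekId);`. If `generateEekChain` does per-entry key generation (its body is not visible on this page), a `length` of up to 255 on every loop iteration could also cost throughput, so bounding it with `ConsumeIntegralInRange` is worth considering.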