Added privacy_crypto_fuzzer

exec/s: 603 Test: ./privacy_crypto_fuzzer Bug: 265234582 Change-Id: I6b922ba288742229749419c35fd71fded6125859
2023-02-13 18:28:40 +05:30
parent a252eba173
commit 7f9f3f3f4b
3 changed files with 188 additions and 0 deletions
--- a/fuzzer/Android.bp
+++ b/fuzzer/Android.bp
@@ -92,3 +92,9 @@ cc_fuzz {
    srcs: ["policy_timers_fuzzer.cpp"],
    defaults: ["libcdm_fuzzer_defaults"],
 }
+
+cc_fuzz {
+    name: "privacy_crypto_fuzzer",
+    srcs: ["privacy_crypto_fuzzer.cpp"],
+    defaults: ["libcdm_fuzzer_defaults"],
+}
--- a/fuzzer/README.md
+++ b/fuzzer/README.md
@@ -6,6 +6,7 @@
 + [system_id_extractor_fuzzer](#SystemIdExtractor)
 + [service_certificate_fuzzer](#ServiceCertificate)
 + [policy_timers_fuzzer](#PolicyTimers)
+ [privacy_crypto_fuzzer](#PrivacyCrypto)

 # <a name="PolicyEngine"></a> Fuzzer for PolicyEngine

@@ -123,3 +124,31 @@ PolicyTimers supports the following parameters:
 ```
  $ adb sync data
  $ adb shell /data/fuzz/arm64/policy_timers_fuzzer/vendor/policy_timers_fuzzer
+```
+
+# <a name="PrivacyCrypto"></a> Fuzzer for PrivacyCrypto
+
+PrivacyCrypto supports the following parameters:
+1. Message (parameter name: "message")
+2. Key (parameter name: "key")
+3. Iv (parameter name: "iv")
+4. Data (parameter name: 'data')
+5. CertIndex (parameter name: 'certIndex')
+
+| Parameter| Valid Values| Configured Value|
+|------------- |-------------| ----- |
+|`message`| `String` |Value obtained from FuzzedDataProvider|
+|`key`| `String` |Value obtained from FuzzedDataProvider|
+|`iv`| `String` |Value obtained from FuzzedDataProvider|
+|`data`| `String` |Value obtained from FuzzedDataProvider|
+|`certIndex`| `Integer` |Value obtained from FuzzedDataProvider|
+
+#### Steps to run
+1. Build the fuzzer
+```
+  $ mm -j$(nproc) privacy_crypto_fuzzer
+```
+2. Run on device
+```
+  $ adb sync data
+  $ adb shell /data/fuzz/arm64/privacy_crypto_fuzzer/vendor/privacy_crypto_fuzzer
--- a/fuzzer/privacy_crypto_fuzzer.cpp
+++ b/fuzzer/privacy_crypto_fuzzer.cpp
@@ -0,0 +1,153 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include "license.h"
+#include "privacy_crypto.h"
+#include "properties.h"
+#include "vendor_widevine_fuzz_helper.h"
+#include "wv_cdm_constants.h"
+#include <string_conversions.h>
+
+using namespace wvcdm;
+using namespace video_widevine;
+using video_widevine::DrmCertificate;
+using video_widevine::SignedDrmCertificate;
+
+constexpr int32_t kMaxByte = 256;
+constexpr int32_t kMinFirstComponent = 0;
+constexpr int32_t kMaxFirstComponent = 2;
+constexpr int32_t kMinSecondComponent = 0;
+constexpr int32_t kMaxSecondComponent = 39;
+constexpr int32_t kMinNumComponent = 0;
+constexpr int32_t kMaxNumComponent = 10;
+
+class PrivacyCryptoFuzzer {
+public:
+  PrivacyCryptoFuzzer(const uint8_t *data, size_t size) : mFdp(data, size){};
+  void process();
+  std::string createOid() {
+    std::string oid;
+    int32_t firstComponent = mFdp.ConsumeIntegralInRange<uint8_t>(
+        kMinFirstComponent, kMaxFirstComponent);
+    oid += std::to_string(firstComponent);
+    oid += '.';
+    uint32_t temp = 0;
+    if (firstComponent != 2) {
+      temp = mFdp.ConsumeIntegralInRange<uint32_t>(kMinSecondComponent,
+                                                   kMaxSecondComponent);
+    } else {
+      temp = mFdp.ConsumeIntegral<uint32_t>();
+    }
+    oid += std::to_string(temp);
+    int32_t numComponent = mFdp.ConsumeIntegralInRange<int32_t>(
+        kMinNumComponent, kMaxNumComponent);
+    for (int32_t i = 0; i < numComponent; ++i) {
+      oid += '.';
+      oid += std::to_string(mFdp.ConsumeIntegral<uint32_t>());
+    }
+    return oid;
+  }
+
+private:
+  FuzzedDataProvider mFdp;
+};
+
+void PrivacyCryptoFuzzer::process() {
+  AesCbcKey aesCbcKey;
+  RsaPublicKey rsaPubKey;
+
+  while (mFdp.remaining_bytes()) {
+    auto privacyCrptoApi = mFdp.PickValueInArray<const std::function<void()>>({
+        [&]() {
+          /**
+           * This Implementation is required to initialize RSA-public_key
+           * correctly.
+           */
+          FuzzCdmClientPropertySet propertySet(&mFdp);
+          propertySet.enable_privacy_mode();
+          propertySet.set_service_certificate(kTestSignedCertificate);
+          PropertiesTestPeer::ForceReinit();
+          PropertiesTestPeer::AddSessionPropertySet(kTestSessionId1,
+                                                    &propertySet);
+          std::string rawServiceCertificate;
+          PropertiesTestPeer::GetServiceCertificate(kTestSessionId1,
+                                                    &rawServiceCertificate);
+          SignedDrmCertificate signedRootCertificate;
+          std::string rootCertStr(
+              reinterpret_cast<const char *>(&kRootCertForProd[0]),
+              sizeof(kRootCertForProd));
+          signedRootCertificate.ParseFromString(rootCertStr);
+          DrmCertificate rootCert;
+          rootCert.ParseFromString(signedRootCertificate.drm_certificate());
+          rsaPubKey.Init(mFdp.ConsumeBool()
+                             ? rootCert.public_key()
+                             : mFdp.ConsumeRandomLengthString(kMaxByte));
+        },
+        [&]() {
+          std::string cipherText;
+          std::string message = mFdp.ConsumeRandomLengthString(kMaxByte);
+          rsaPubKey.Encrypt(message, &cipherText);
+        },
+        [&]() {
+          rsaPubKey.VerifySignature(
+              mFdp.ConsumeRandomLengthString(kMaxByte) /* message */,
+              mFdp.ConsumeRandomLengthString(kMaxByte) /* signature */);
+        },
+        [&]() {
+          std::string key = mFdp.ConsumeRandomLengthString(SERVICE_KEY_SIZE);
+          if (mFdp.ConsumeBool()) {
+            key.resize(SERVICE_KEY_SIZE, '0');
+          }
+          aesCbcKey.Init(key);
+        },
+        [&]() {
+          std::string encId;
+          std::string iv = mFdp.ConsumeRandomLengthString(KEY_IV_SIZE);
+          if (mFdp.ConsumeBool()) {
+            iv.resize(KEY_IV_SIZE, '0');
+          }
+          aesCbcKey.Encrypt(mFdp.ConsumeRandomLengthString(kMaxByte),
+                            mFdp.ConsumeBool() ? &encId : nullptr,
+                            mFdp.ConsumeBool() ? &iv : nullptr);
+        },
+        [&]() {
+          std::string data = mFdp.ConsumeRandomLengthString(kMaxByte);
+          Md5Hash(data);
+        },
+        [&]() {
+          std::string data = mFdp.ConsumeRandomLengthString(kMaxByte);
+          Sha256Hash(data);
+        },
+        [&]() {
+          size_t certIndex = mFdp.ConsumeBool() ? mFdp.ConsumeIntegral<size_t>()
+                                                : kOemCertSystemIdIndex;
+          uint32_t value = 0;
+          std::string oid = createOid();
+          ExtractExtensionValueFromCertificate(
+              mFdp.ConsumeBool() ? kOemCertStr
+                                 : mFdp.ConsumeRandomLengthString(kMaxByte),
+              oid, certIndex, &value);
+        },
+    });
+    privacyCrptoApi();
+  }
+}
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  PrivacyCryptoFuzzer privacyCryptoFuzzer(data, size);
+  privacyCryptoFuzzer.process();
+  return 0;
+}