diff options
author | Yifan Hong <elsk@google.com> | 2021-09-30 00:11:42 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2021-09-30 00:11:42 +0000 |
commit | 17e9554ac2cb51a9dff27b59587392b8cef717fc (patch) | |
tree | 5ac983343f60fd586a560eb1d2a7d5b32bfeeadb | |
parent | 28f0c8d19ef1019f41edf642477217d48157eb23 (diff) | |
parent | 7327be2f3a6fb0acdf9ec6a8a184b0f9d3621f43 (diff) | |
download | native-17e9554ac2cb51a9dff27b59587392b8cef717fc.tar.gz |
Merge "binder: fuzz TLS transport." am: 7327be2f3a
Original change: https://android-review.googlesource.com/c/platform/frameworks/native/+/1835927
Change-Id: I03f92d63755e879327585931d08ffb1caa97cedd
-rw-r--r-- | libs/binder/tests/binderRpcBenchmark.cpp | 2 | ||||
-rw-r--r-- | libs/binder/tests/include_tls_test_utils/binder/RpcTlsTestUtils.h | 6 | ||||
-rw-r--r-- | libs/binder/tests/rpc_fuzzer/Android.bp | 13 | ||||
-rwxr-xr-x | libs/binder/tests/rpc_fuzzer/create_certs.sh | 15 | ||||
-rw-r--r-- | libs/binder/tests/rpc_fuzzer/main.cpp | 64 | ||||
-rw-r--r-- | libs/binder/tests/rpc_fuzzer/server.crt | 16 | ||||
-rw-r--r-- | libs/binder/tests/rpc_fuzzer/server.key | 27 |
7 files changed, 138 insertions, 5 deletions
diff --git a/libs/binder/tests/binderRpcBenchmark.cpp b/libs/binder/tests/binderRpcBenchmark.cpp index 6bf6e9287f..f8718aad1e 100644 --- a/libs/binder/tests/binderRpcBenchmark.cpp +++ b/libs/binder/tests/binderRpcBenchmark.cpp @@ -96,7 +96,7 @@ std::unique_ptr<RpcTransportCtxFactory> makeFactoryTls() { auto cert = android::makeSelfSignedCert(pkey.get(), android::kCertValidSeconds); CHECK_NE(cert.get(), nullptr); - auto verifier = std::make_shared<RpcCertificateVerifierNoOp>(); + auto verifier = std::make_shared<RpcCertificateVerifierNoOp>(OK); auto auth = std::make_unique<RpcAuthPreSigned>(std::move(pkey), std::move(cert)); return RpcTransportCtxFactoryTls::make(verifier, std::move(auth)); } diff --git a/libs/binder/tests/include_tls_test_utils/binder/RpcTlsTestUtils.h b/libs/binder/tests/include_tls_test_utils/binder/RpcTlsTestUtils.h index cbf11bf50d..094addd690 100644 --- a/libs/binder/tests/include_tls_test_utils/binder/RpcTlsTestUtils.h +++ b/libs/binder/tests/include_tls_test_utils/binder/RpcTlsTestUtils.h @@ -80,7 +80,11 @@ private: // A RpcCertificateVerifier that does not verify anything. class RpcCertificateVerifierNoOp : public RpcCertificateVerifier { public: - status_t verify(const SSL*, uint8_t*) override { return OK; } + RpcCertificateVerifierNoOp(status_t status) : mStatus(status) {} + status_t verify(const SSL*, uint8_t*) override { return mStatus; } + +private: + status_t mStatus; }; } // namespace android diff --git a/libs/binder/tests/rpc_fuzzer/Android.bp b/libs/binder/tests/rpc_fuzzer/Android.bp index be55eba033..c0f0a12121 100644 --- a/libs/binder/tests/rpc_fuzzer/Android.bp +++ b/libs/binder/tests/rpc_fuzzer/Android.bp @@ -19,12 +19,19 @@ cc_fuzz { srcs: [ "main.cpp", ], + // Not using libbinder_tls_shared_deps to use deterministic boringssl libraries. static_libs: [ "libbase", "libcutils", "liblog", + "libbinder_tls_static", + "libbinder_tls_test_utils", + "libssl_fuzz_unsafe", + "libcrypto_fuzz_unsafe", + ], + cflags: [ + "-DBORINGSSL_UNSAFE_DETERMINISTIC_MODE" // for RAND_reset_for_fuzzing ], - target: { android: { shared_libs: [ @@ -39,4 +46,8 @@ cc_fuzz { ], }, }, + data: [ + "server.crt", + "server.key", + ], } diff --git a/libs/binder/tests/rpc_fuzzer/create_certs.sh b/libs/binder/tests/rpc_fuzzer/create_certs.sh new file mode 100755 index 0000000000..4ae4cb1e9b --- /dev/null +++ b/libs/binder/tests/rpc_fuzzer/create_certs.sh @@ -0,0 +1,15 @@ +#!/bin/sh + +# As explained in +# https://gist.github.com/darrenjs/4645f115d10aa4b5cebf57483ec82eca + +openssl genrsa -des3 -passout pass:xxxx -out server.pass.key 2048 +openssl rsa -passin pass:xxxx -in server.pass.key -out server.key +rm -f server.pass.key + +openssl req \ + -subj "/" \ + -new -key server.key -out server.csr + +openssl x509 -req -sha256 -days 99999 -in server.csr -signkey server.key -out server.crt +rm -f server.csr diff --git a/libs/binder/tests/rpc_fuzzer/main.cpp b/libs/binder/tests/rpc_fuzzer/main.cpp index c848798b28..518849a3e4 100644 --- a/libs/binder/tests/rpc_fuzzer/main.cpp +++ b/libs/binder/tests/rpc_fuzzer/main.cpp @@ -13,13 +13,20 @@ * See the License for the specific language governing permissions and * limitations under the License. */ + +#include <android-base/file.h> #include <android-base/logging.h> #include <android-base/unique_fd.h> #include <binder/Binder.h> #include <binder/Parcel.h> #include <binder/RpcServer.h> -#include <binder/RpcSession.h> +#include <binder/RpcTlsTestUtils.h> +#include <binder/RpcTransport.h> +#include <binder/RpcTransportRaw.h> +#include <binder/RpcTransportTls.h> #include <fuzzer/FuzzedDataProvider.h> +#include <openssl/rand.h> +#include <openssl/ssl.h> #include <sys/resource.h> #include <sys/un.h> @@ -51,13 +58,66 @@ class SomeBinder : public BBinder { } }; +int passwordCallback(char* buf, int size, int /*rwflag*/, void* /*u*/) { + constexpr const char pass[] = "xxxx"; // See create_certs.sh + if (size <= 0) return 0; + int numCopy = std::min<int>(size, sizeof(pass)); + (void)memcpy(buf, pass, numCopy); + return numCopy; +} + +struct ServerAuth { + bssl::UniquePtr<EVP_PKEY> pkey; + bssl::UniquePtr<X509> cert; +}; + +// Use pre-configured keys because runtime generated keys / certificates are not +// deterministic, and the algorithm is time consuming. +ServerAuth readServerKeyAndCert() { + ServerAuth ret; + + auto keyPath = android::base::GetExecutableDirectory() + "/data/server.key"; + bssl::UniquePtr<BIO> keyBio(BIO_new_file(keyPath.c_str(), "r")); + ret.pkey.reset(PEM_read_bio_PrivateKey(keyBio.get(), nullptr, passwordCallback, nullptr)); + CHECK_NE(ret.pkey.get(), nullptr); + + auto certPath = android::base::GetExecutableDirectory() + "/data/server.crt"; + bssl::UniquePtr<BIO> certBio(BIO_new_file(certPath.c_str(), "r")); + ret.cert.reset(PEM_read_bio_X509(certBio.get(), nullptr, nullptr, nullptr)); + CHECK_NE(ret.cert.get(), nullptr); + + return ret; +} + +std::unique_ptr<RpcAuth> createServerRpcAuth() { + static auto sAuth = readServerKeyAndCert(); + + CHECK(EVP_PKEY_up_ref(sAuth.pkey.get())); + bssl::UniquePtr<EVP_PKEY> pkey(sAuth.pkey.get()); + CHECK(X509_up_ref(sAuth.cert.get())); + bssl::UniquePtr<X509> cert(sAuth.cert.get()); + + return std::make_unique<RpcAuthPreSigned>(std::move(pkey), std::move(cert)); +} + +std::unique_ptr<RpcTransportCtxFactory> makeTransportCtxFactory(FuzzedDataProvider* provider) { + bool isTls = provider->ConsumeBool(); + if (!isTls) { + return RpcTransportCtxFactoryRaw::make(); + } + status_t verifyStatus = provider->ConsumeIntegral<status_t>(); + auto verifier = std::make_shared<RpcCertificateVerifierNoOp>(verifyStatus); + return RpcTransportCtxFactoryTls::make(verifier, createServerRpcAuth()); +} + extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { if (size > 50000) return 0; FuzzedDataProvider provider(data, size); + RAND_reset_for_fuzzing(); unlink(kSock.c_str()); - sp<RpcServer> server = RpcServer::make(); + sp<RpcServer> server = RpcServer::make(makeTransportCtxFactory(&provider)); server->setRootObject(sp<SomeBinder>::make()); server->iUnderstandThisCodeIsExperimentalAndIWillNotUseItInProduction(); CHECK_EQ(OK, server->setupUnixDomainServer(kSock.c_str())); diff --git a/libs/binder/tests/rpc_fuzzer/server.crt b/libs/binder/tests/rpc_fuzzer/server.crt new file mode 100644 index 0000000000..9142474ba3 --- /dev/null +++ b/libs/binder/tests/rpc_fuzzer/server.crt @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIICiTCCAXECFG1ggXE36l2WXeG6YTnaRVB7EmgQMA0GCSqGSIb3DQEBCwUAMAAw +IBcNMjEwOTI5MDEzOTEzWhgPMjI5NTA3MTQwMTM5MTNaMAAwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQDE3KnhPMwINpP5aIHIo/3GTlROZOK5AmkEsWmP +w8smSWo2hJ7M0sOhruvOz82WORj48K8C0W72yFN+e9g32qoNMJFP/s6j1RWmaAKZ +eSQUq6ixyaGhFLBOoukVykfTnY4qn4RbX5HzgpAPR1gv5ELvMXXPrxvtpIcVIrhm +/dBQIa3iHZS6kypNbmRx/nhDVU8FK9s9WU5VLpbuNxv+m4X4Y1M/VZNatUMx5I0o +ystV4JTqzjRZRPR4sxtMhu8/A11JsBVLeu8ZM/0IGCjmLOF4hy5a5YDv8MOJtdG2 +LI7ibZNtyrZiKwwhJc3tElzeIFit4T5Xjx69y/EMS4Hwhf3zAgMBAAEwDQYJKoZI +hvcNAQELBQADggEBAD3gRbUybW7P2CihMyskTgS9HoIT9c02JWjtueWQIiQkyqTB +6QdUQTHM5weil6TiW8NfpQQUIvrh66Pkph65shvFqxUsjdW25b4RbfUldFihfs1n +kTa+e+hZONnVuzLvezIs2b8dygH9GA5y2OiLxwrMUcyaoCHGwKF7iOE0SJhfx0kY +JDs4O+gAVjEsBSc24pm9aHBxgRCiEm1I4+RZf6PRBIz1ZadGBFsCZ+Gj6wyLP2Wq +kjjMiV6o8pEjJjM+Oi4GfxvNewMCd2hMZYuJYpYC3cc7fPIpx8luidqKJdve8c6m +KQ+dJ6ZQxEi0Zc9Jzre7NNoVcpIdc8SbkEM/DDo= +-----END CERTIFICATE----- diff --git a/libs/binder/tests/rpc_fuzzer/server.key b/libs/binder/tests/rpc_fuzzer/server.key new file mode 100644 index 0000000000..743470eefd --- /dev/null +++ b/libs/binder/tests/rpc_fuzzer/server.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEAxNyp4TzMCDaT+WiByKP9xk5UTmTiuQJpBLFpj8PLJklqNoSe +zNLDoa7rzs/NljkY+PCvAtFu9shTfnvYN9qqDTCRT/7Oo9UVpmgCmXkkFKuoscmh +oRSwTqLpFcpH052OKp+EW1+R84KQD0dYL+RC7zF1z68b7aSHFSK4Zv3QUCGt4h2U +upMqTW5kcf54Q1VPBSvbPVlOVS6W7jcb/puF+GNTP1WTWrVDMeSNKMrLVeCU6s40 +WUT0eLMbTIbvPwNdSbAVS3rvGTP9CBgo5izheIcuWuWA7/DDibXRtiyO4m2Tbcq2 +YisMISXN7RJc3iBYreE+V48evcvxDEuB8IX98wIDAQABAoIBACcI5jp+NqrOP6st +uMZTFifzMi5VPMuYmcBPeXIDTc3qsr/ari5JAHeX2rQoakiGS9hYySsS4iDW+g9T +eT0iA6QX5Ehrawf7YY6cgx9xcOEUZJ/ULlNlacw961/huzpPvHfhJ3qCycryMaSF +7guZBFivgv/KZgxKGmrrdosdeufYXL3eHWZIrvcN4cDVgxslZg0o3Y5kCW3/KmDO +QwvBlqgja93yImmkFA5BA/hQUsWuMBiR0xAd4b1NSBVCGTAYuCm6Up+6tIxeBSu5 +MVnNXbAIyVkbAS+gaR4uut6ObzFwUyGKDMaMpJ0LHLbusZy0svevu6Hjx+eH0ePC +rj1xmDECgYEA4WR+1m3Tej0botG68+pZ8yLBgomSBAqpINCFkMEGQ2sQ1CqMMkHq +8LAQNotU56W/0/H3eQemE3qBSKt1BUffpCvCHWkL9DRyDNhiq9U2PvV2Lx0Bv77e +ET5MSDECUjlIsDqnv2qbq/m23BiP7AM8c9s6HjD0PqptyHjLlWHK86kCgYEA35hW +AZEqMzsTNVQ8lXQtbqCyv8lls1SJbvIf3b5KItw9CwqpLr+UXssXh713j+yMW+WN +3nv5+VaggkNBa9fHdqQEYT0L52OnLNjsfTlVhP5g2lOIa5VQYb/wqF1TaiZ27SGU +lmLqiyArZgTnc3yo1wuIRPAbYbbm6CVnz7bm5jsCgYEAqfov7WZF5hnPjaq9YtWJ +oGLFrLwy8flYMvcOw2vOXWmQ93Be6kfr9jfRAlFxZoEJeb0w9IVgKbBpb3Ree+0I +K7cUXTmrWi9zE1zcjNnuXuyehElL2F8I+dgRjx/msDujJcQWXbT4UWmxDas4XrTS +Ek1yNvKUP+4nfNgcMDvf4oECgYEAjgfYajpqEgzukKunqFAaI/HUWdt2zMlgW6dV +8qdTtH0uEXt+KIHtn6FmmwURk8zxA9b3nWInUeljIBvUzMpOm+BoH9SFYUB+CxDo +eEsZNdfYchcpyx0X6F/iYTCXMhCo7syr9DN1RVbz+mQXGdcP8ToUH6Zd3l4uozxP +izRly80CgYEAqz7fCgQH74BwHoroSNdD3Cn6KNVx+oPuwRmzO4xMSOGyd/dNB2NA +uzzuCTbrzC0jCXpqR0Bh9gYMjxyRZbifPX/YuFHyCIKK4+SQfeC4ZEwmSJVGWeh7 +3NksFJPCH4K3KbLNputByWJWOgKUdy70e/xOi83acBAVyRs+7H9LocE= +-----END RSA PRIVATE KEY----- |