From 1660d4b7a65d9ad2ce0deaa19d35579ca4084ac5 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Wed, 17 Apr 2024 10:06:26 +0200 Subject: Adding upstream version 2:2.6.1. Signed-off-by: Daniel Baumann --- tests/fuzz/FuzzerInterface.h | 81 +++ tests/fuzz/LUKS2.proto | 379 +++++++++++++ tests/fuzz/LUKS2_plain_JSON.proto | 190 +++++++ tests/fuzz/Makefile.am | 122 +++++ tests/fuzz/README.md | 66 +++ tests/fuzz/crypt2_load_fuzz.cc | 112 ++++ tests/fuzz/crypt2_load_fuzz.dict | 130 +++++ tests/fuzz/crypt2_load_ondisk_fuzz.cc | 64 +++ tests/fuzz/crypt2_load_ondisk_fuzz.dict | 9 + tests/fuzz/crypt2_load_proto_fuzz.cc | 51 ++ tests/fuzz/crypt2_load_proto_plain_json_fuzz.cc | 51 ++ tests/fuzz/crypt2_load_proto_plain_json_fuzz.dict | 72 +++ tests/fuzz/json_proto_converter.cc | 87 +++ tests/fuzz/json_proto_converter.h | 43 ++ tests/fuzz/oss-fuzz-build.sh | 152 ++++++ tests/fuzz/plain_json_proto_to_luks2.cc | 75 +++ tests/fuzz/plain_json_proto_to_luks2_converter.cc | 153 ++++++ tests/fuzz/plain_json_proto_to_luks2_converter.h | 58 ++ tests/fuzz/proto_to_luks2.cc | 75 +++ tests/fuzz/proto_to_luks2_converter.cc | 604 +++++++++++++++++++++ tests/fuzz/proto_to_luks2_converter.h | 91 ++++ .../unpoison-mutated-buffers-from-libfuzzer.patch | 29 + 22 files changed, 2694 insertions(+) create mode 100644 tests/fuzz/FuzzerInterface.h create mode 100644 tests/fuzz/LUKS2.proto create mode 100644 tests/fuzz/LUKS2_plain_JSON.proto create mode 100644 tests/fuzz/Makefile.am create mode 100644 tests/fuzz/README.md create mode 100644 tests/fuzz/crypt2_load_fuzz.cc create mode 100644 tests/fuzz/crypt2_load_fuzz.dict create mode 100644 tests/fuzz/crypt2_load_ondisk_fuzz.cc create mode 100644 tests/fuzz/crypt2_load_ondisk_fuzz.dict create mode 100644 tests/fuzz/crypt2_load_proto_fuzz.cc create mode 100644 tests/fuzz/crypt2_load_proto_plain_json_fuzz.cc create mode 100644 tests/fuzz/crypt2_load_proto_plain_json_fuzz.dict create mode 100644 tests/fuzz/json_proto_converter.cc create mode 100644 tests/fuzz/json_proto_converter.h create mode 100755 tests/fuzz/oss-fuzz-build.sh create mode 100644 tests/fuzz/plain_json_proto_to_luks2.cc create mode 100644 tests/fuzz/plain_json_proto_to_luks2_converter.cc create mode 100644 tests/fuzz/plain_json_proto_to_luks2_converter.h create mode 100644 tests/fuzz/proto_to_luks2.cc create mode 100644 tests/fuzz/proto_to_luks2_converter.cc create mode 100644 tests/fuzz/proto_to_luks2_converter.h create mode 100644 tests/fuzz/unpoison-mutated-buffers-from-libfuzzer.patch (limited to 'tests/fuzz') diff --git a/tests/fuzz/FuzzerInterface.h b/tests/fuzz/FuzzerInterface.h new file mode 100644 index 0000000..b238253 --- /dev/null +++ b/tests/fuzz/FuzzerInterface.h @@ -0,0 +1,81 @@ +// Based on https://github.com/llvm-mirror/compiler-rt/blob/master/lib/fuzzer/FuzzerInterface.h +// +//===- FuzzerInterface.h - Interface header for the Fuzzer ------*- C++ -* ===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception +// +//===----------------------------------------------------------------------===// +// Define the interface between libFuzzer and the library being tested. +//===----------------------------------------------------------------------===// + +// NOTE: the libFuzzer interface is thin and in the majority of cases +// you should not include this file into your target. In 95% of cases +// all you need is to define the following function in your file: +// extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); + +// WARNING: keep the interface in C. + +#ifndef LLVM_FUZZER_INTERFACE_H +#define LLVM_FUZZER_INTERFACE_H + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif // __cplusplus + +// Define FUZZER_INTERFACE_VISIBILITY to set default visibility in a way that +// doesn't break MSVC. +#if defined(_WIN32) +#define FUZZER_INTERFACE_VISIBILITY __declspec(dllexport) +#else +#define FUZZER_INTERFACE_VISIBILITY __attribute__((visibility("default"))) +#endif + +// Mandatory user-provided target function. +// Executes the code under test with [Data, Data+Size) as the input. +// libFuzzer will invoke this function *many* times with different inputs. +// Must return 0. +FUZZER_INTERFACE_VISIBILITY int +LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); + +// Optional user-provided initialization function. +// If provided, this function will be called by libFuzzer once at startup. +// It may read and modify argc/argv. +// Must return 0. +FUZZER_INTERFACE_VISIBILITY int LLVMFuzzerInitialize(int *argc, char ***argv); + +// Optional user-provided custom mutator. +// Mutates raw data in [Data, Data+Size) inplace. +// Returns the new size, which is not greater than MaxSize. +// Given the same Seed produces the same mutation. +FUZZER_INTERFACE_VISIBILITY size_t +LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size, size_t MaxSize, + unsigned int Seed); + +// Optional user-provided custom cross-over function. +// Combines pieces of Data1 & Data2 together into Out. +// Returns the new size, which is not greater than MaxOutSize. +// Should produce the same mutation given the same Seed. +FUZZER_INTERFACE_VISIBILITY size_t +LLVMFuzzerCustomCrossOver(const uint8_t *Data1, size_t Size1, + const uint8_t *Data2, size_t Size2, uint8_t *Out, + size_t MaxOutSize, unsigned int Seed); + +// Experimental, may go away in future. +// libFuzzer-provided function to be used inside LLVMFuzzerCustomMutator. +// Mutates raw data in [Data, Data+Size) inplace. +// Returns the new size, which is not greater than MaxSize. +FUZZER_INTERFACE_VISIBILITY size_t +LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize); + +#undef FUZZER_INTERFACE_VISIBILITY + +#ifdef __cplusplus +} // extern "C" +#endif // __cplusplus + +#endif // LLVM_FUZZER_INTERFACE_H diff --git a/tests/fuzz/LUKS2.proto b/tests/fuzz/LUKS2.proto new file mode 100644 index 0000000..3a0f287 --- /dev/null +++ b/tests/fuzz/LUKS2.proto @@ -0,0 +1,379 @@ +/* + * cryptsetup LUKS2 custom mutator + * + * Copyright (C) 2022-2023 Daniel Zatovic + * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +syntax = "proto2"; + +package LUKS2_proto; + +// --------------------------------------------------------------------------- +// ----------------------------- GENERIC OBJECTS ----------------------------- +// --------------------------------------------------------------------------- + +message object_id { + oneof id { + // int_id will be mapped to range -16 to 16 (mod 33) + // this way iy should be easier to generate valid + // object cross-references + uint32 int_id = 1; + string string_id = 2; + } +} + +message string_uint64 { + required bool negative = 1; + oneof number { + uint32 uint_num = 2; + string string_num = 3; + } +} + +enum hash_algorithm { + HASH_ALG_SHA1 = 1; + HASH_ALG_SHA256 = 2; +} + + +// --------------------------------------------------------------------------- +// ----------------------------- BINARY HEADER ------------------------------- +// --------------------------------------------------------------------------- + +enum luks2_magic { + INVALID = 0; + FIRST = 1; + SECOND = 2; +} + +enum luks_version { + ONE = 1; + TWO = 2; + THREE = 3; +} + +// we limit the size to 64KiB to make the fuzzing faster +// because the checksum needs to be calculated for the whole image +enum hdr_size { + size_16_KB = 16384; + size_32_KB = 32768; + size_64_KB = 65536; +// size_128_KB = 131072; +// size_256_KB = 262144; +// size_512_KB = 524288; +// size_1_MB = 1048576; +// size_2_MB = 2097152; +// size_4_MB = 4194304; +} + +enum seqid_description { + PRIMARY_GREATER = 0; + SECONDARY_GREATER = 1; + EQUAL = 2; +} + +// message luks2_hdr_disk { +// char magic[LUKS2_MAGIC_L]; +// //uint16_t version; /* Version 2 */ +// uint64_t hdr_size; /* in bytes, including JSON area */ +// uint64_t seqid; /* increased on every update */ +// char label[LUKS2_LABEL_L]; +// char checksum_alg[LUKS2_CHECKSUM_ALG_L]; +// uint8_t salt[LUKS2_SALT_L]; /* unique for every header/offset */ +// char uuid[LUKS2_UUID_L]; +// char subsystem[LUKS2_LABEL_L]; /* owner subsystem label */ +// uint64_t hdr_offset; /* offset from device start in bytes */ +// char _padding[184]; +// uint8_t csum[LUKS2_CHECKSUM_L]; +// } +message LUKS2_header { + required luks_version version = 1; + required luks2_magic magic = 2; + required hdr_size hdr_size = 3; + required bool use_correct_checksum = 4; + + optional uint64 selected_offset = 5; +} + +message LUKS2_both_headers { + required LUKS2_header primary_header = 1; + required LUKS2_header secondary_header = 2; + + required seqid_description seqid = 3; + required json_area_description json_area = 4; +} + +message json_area_description { + optional config_description config = 1; + repeated keyslot_description keyslots = 2; + repeated digest_description digests = 3; + repeated segment_description segments = 4; + repeated token_description tokens = 5; +} + +// --------------------------------------------------------------------------- +// ----------------------------- KEYSLOT OBJECT ------------------------------ +// --------------------------------------------------------------------------- + +enum keyslot_type { + KEYSLOT_TYPE_LUKS2 = 1; + KEYSLOT_TYPE_REENCRYPT = 2; + KEYSLOT_TYPE_PLACEHOLDER = 3; +} + +enum reencrypt_keyslot_mode { + MODE_REENCRYPT = 1; + MODE_ENCRYPT = 2; + MODE_DECRYPT = 3; +} + +enum reencrypt_keyslot_direction { + DIRECTION_FORWARD = 1; + DIRECTION_BACKWARD = 2; +} + +// The area object contains these mandatory fields: +// - type [string] the area type. +// - offset [string-uint64] the offset from the device start to the beginning of the binary area (in bytes). +// - size [string-uint64] the area size (in bytes). +// +// Area type raw contains these additional fields: +// - encryption [string] the area encryption algorithm, in dm-crypt notation (for example aes-xts-plain64). +// - key_size [integer] the area encryption key size. +// +// Area type none and journal (used only for reencryption optional extension) contain only mandatory fields. +// +// Area type checksum (used only for reencryption optional extension) contains these additional fields: +// - hash [string] The hash algorithm for the checksum resilience mode. +// - sector_size [integer] The data unit size for digest checksum calculated with the hash algorithm. +// +// Area type datashift (used only for reencryption optional extension) contains this additional field: +// - shift_size [string-uint64] The data shift (in bytes) performed during reencryption (shift direction is according to direction field). + +enum keyslot_area_type { + KEYSLOT_AREA_TYPE_RAW = 1; + KEYSLOT_AREA_TYPE_NONE = 2; + KEYSLOT_AREA_TYPE_JOURNAL = 3; + KEYSLOT_AREA_TYPE_CHECKSUM = 4; + KEYSLOT_AREA_TYPE_DATASHIFT = 5; +} + +message keyslot_area_description { + // mandatory fields + optional keyslot_area_type type = 1; + optional string_uint64 offset = 2; + optional string_uint64 size = 3; + + // raw type fields + optional string encryption = 4; + optional int32 key_size = 5; + + // checksum type field + optional hash_algorithm hash = 6; + optional int32 sector_size = 7; + + // datashift type fields + optional string_uint64 shift_size = 8; +} + +// The object describes PBKDF attributes used for the keyslot. +// The kdf object mandatory fields are: +// - type [string] the PBKDF type. +// - salt [base64] the salt for PBKDF (binary data). +// +// The pbkdf2 type (compatible with LUKS1) contains these additional fields: +// - hash [string] the hash algorithm for the PBKDF2 (SHA-256). +// - iterations [integer] the PBKDF2 iterations count. +// +// The argon2i and argon2id type contains these additional fields: +// - time [integer] the time cost (in fact the iterations count for Argon2). +// - memory [integer] the memory cost, in kilobytes. If not available, the keyslot cannot be unlocked. +// - cpus [integer] the required number of threads (CPU cores number cost). If not available, unlocking will be slower. + +enum keyslot_kdf_type { + KEYSLOT_KDF_TYPE_PBKDF2 = 1; + KEYSLOT_KDF_TYPE_ARGON2I = 2; + KEYSLOT_KDF_TYPE_ARGON2ID = 3; +} + +message keyslot_kdf_description { + optional keyslot_kdf_type type = 1; + optional string salt = 2; + + // pbkdf2 type + optional hash_algorithm hash = 3; + optional int32 iterations = 4; + + // argon2i and argon2id types + optional int32 time = 5; + optional int32 memory = 6; + optional int32 cpus = 7; +} + +enum keyslot_af_type { + KEYSLOT_AF_TYPE_LUKS1 = 1; +} + +// The af (anti-forensic splitter) object contains this madatory field: +// - type [string] the anti-forensic function type. +// AF type luks1 (compatible with LUKS1 [1]) contains these additional fields: +// - stripes [integer] the number of stripes, for historical reasons only the 4000 value is supported. +// - hash [string] the hash algorithm used. + +message keyslot_af_description { + optional keyslot_af_type type = 1; + optional int32 stripes = 2; + optional hash_algorithm hash = 3; +} + +// - type [string] the keyslot type. +// - key_size [integer] the key size (in bytes) stored in keyslot. +// - priority [integer,optional] the keyslot priority. Here 0 means ignore (the slot should be used only if explicitly stated), 1 means normal priority and 2 means high priority (tried before normal priority). + +// REENCRYPT +// The key size field must be set to 1. The area type must be none, checksum, +// journal or datashift. +// The reencrypt object must contain these additional fields: +// - mode [string] the reencryption mode. reencrypt, encrypt and decrypt +// - direction [string] the reencryption direction. forward backward + +// - area [object] the allocated area in the binary keyslots area. +// LUKS2 object must contain these additional fields: +// - kdf [object] the PBKDF type and parameters used. +// - af [object] the anti-forensic splitter [1] (only the luks1 type is currently +// used). + +message keyslot_description { + // type + required object_id oid = 1; + + optional keyslot_type type = 2; + optional int32 key_size = 3; + optional int32 priority = 4; + + // reencrypt extension + optional reencrypt_keyslot_mode mode = 5; + optional reencrypt_keyslot_direction direction = 6; + + // objects + optional keyslot_area_description area = 7; + optional keyslot_kdf_description kdf = 8; + optional keyslot_af_description af = 9; +} + +// --------------------------------------------------------------------------- +// ------------------------------ DIGEST OBJECT ------------------------------ +// --------------------------------------------------------------------------- + +message digest_description { + required object_id oid = 1; + + optional keyslot_kdf_type type = 2; + repeated object_id keyslots = 3; + repeated object_id segments = 4; + optional string salt = 5; + optional string digest = 6; + + // pbkdf2 digest fields + optional hash_algorithm hash = 7; + optional int32 iterations = 8; +} + +// --------------------------------------------------------------------------- +// ----------------------------- SEGMENT OBJECT ------------------------------ +// --------------------------------------------------------------------------- + +enum segment_type { + SEGMENT_TYPE_LINEAR = 1; + SEGMENT_TYPE_CRYPT = 2; +} + +enum segment_flag { + IN_REENCRYPTION = 1; + BACKUP_FINAL = 2; + BACKUP_PREVIOUS = 3; + BACKUP_MOVED_SEGMENT = 4; +} + +message segment_integrity_description { + optional string type = 1; + optional string journal_encryption = 2; + optional string journal_integrity = 3; +} + +message segment_description { + required object_id oid = 1; + optional segment_type type = 2; + optional string_uint64 offset = 3; + optional string_uint64 size = 4; + repeated segment_flag flags = 5; + + // segment type crypt + optional string_uint64 iv_tweak = 6; + optional string encryption = 7; + optional int32 sector_size = 8; + optional segment_integrity_description integrity = 9; +} + +// --------------------------------------------------------------------------- +// ------------------------------ TOKEN OBJECT ------------------------------- +// --------------------------------------------------------------------------- + +message token_description { + required object_id oid = 1; + + optional string type = 2; + repeated object_id keyslots = 3; + optional string key_description = 4; +} + +// --------------------------------------------------------------------------- +// ------------------------------ CONFIG OBJECT ------------------------------ +// --------------------------------------------------------------------------- + +// - allow-discards allows TRIM (discards) on the active device. +// - same-cpu-crypt compatibility performance flag for dm-crypt [3] to per- form encryption using the same CPU that originated the request. +// - submit-from-crypt-cpus compatibility performance flag for dm-crypt [3] to disable offloading write requests to a separate thread after encryption. +// - no-journal disable data journalling for dm-integrity [10]. +// - no-read-workqueue compatibility performance flag for dm-crypt [3] to bypass dm-crypt read workqueue and process read requests synchronously. +// - no-write-workqueue compatibility performance flag for dm-crypt [3] to bypass dm-crypt write workqueue and process write requests synchronously. +enum config_flag { + CONFIG_FLAG_ALLOW_DISCARDS = 1; + CONFIG_FLAG_SAME_CPU_CRYPT = 2; + CONFIG_FLAG_SUBMIT_FROM_CRYPT_CPUS = 3; + CONFIG_FLAG_NO_JOURNAL = 4; + CONFIG_FLAG_NO_READ_WORKQUEUE = 5; + CONFIG_FLAG_NO_WRITE_WORKQUEUE = 6; +} + +enum config_requirement { + CONFIG_REQUIREMENT_OFFLINE_REENCRYPT = 1; + CONFIG_REQUIREMENT_ONLINE_REENCRYPT_V2 = 2; +} + +// - json_size [string-uint64] the JSON area size (in bytes). Must match the binary header. +// - keyslots_size [string-uint64] the binary keyslot area size (in bytes). Must be aligned to 4096 bytes. +// - flags [array, optional] the array of string objects with persistent flags for the device. +// - requirements [array, optional] the array of string objects with additional required features for the LUKS device. + +message config_description { + required bool use_primary_hdr_size = 2; + + repeated config_flag config_flags = 3; + repeated config_requirement requirements = 4; +} diff --git a/tests/fuzz/LUKS2_plain_JSON.proto b/tests/fuzz/LUKS2_plain_JSON.proto new file mode 100644 index 0000000..59096b7 --- /dev/null +++ b/tests/fuzz/LUKS2_plain_JSON.proto @@ -0,0 +1,190 @@ +/* + * cryptsetup LUKS2 custom mutator + * + * Copyright (C) 2022-2023 Daniel Zatovic + * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +syntax = "proto2"; + +package json_proto; + +// --------------------------------------------------------------------------- +// ----------------------------- GENERIC OBJECTS ----------------------------- +// --------------------------------------------------------------------------- + +message object_id { + oneof id { + // int_id will be mapped to range -16 to 16 (mod 33) + // this way iy should be easier to generate valid + // object cross-references + uint32 int_id = 1; + string string_id = 2; + } +} + +message string_uint64 { + required bool negative = 1; + oneof number { + uint32 uint_num = 2; + string string_num = 3; + } +} + +enum hash_algorithm { + HASH_ALG_SHA1 = 1; + HASH_ALG_SHA256 = 2; +} + + +// --------------------------------------------------------------------------- +// ----------------------------- BINARY HEADER ------------------------------- +// --------------------------------------------------------------------------- + +enum luks2_magic { + INVALID = 0; + FIRST = 1; + SECOND = 2; +} + +enum luks_version { + ONE = 1; + TWO = 2; + THREE = 3; +} + +// we limit the size to 64KiB to make the fuzzing faster +// because the checksum needs to be calculated for the whole image +enum hdr_size { + size_16_KB = 16384; + size_32_KB = 32768; + size_64_KB = 65536; +// size_128_KB = 131072; +// size_256_KB = 262144; +// size_512_KB = 524288; +// size_1_MB = 1048576; +// size_2_MB = 2097152; +// size_4_MB = 4194304; +} + +enum seqid_description { + PRIMARY_GREATER = 0; + SECONDARY_GREATER = 1; + EQUAL = 2; +} + +// message luks2_hdr_disk { +// char magic[LUKS2_MAGIC_L]; +// //uint16_t version; /* Version 2 */ +// uint64_t hdr_size; /* in bytes, including JSON area */ +// uint64_t seqid; /* increased on every update */ +// char label[LUKS2_LABEL_L]; +// char checksum_alg[LUKS2_CHECKSUM_ALG_L]; +// uint8_t salt[LUKS2_SALT_L]; /* unique for every header/offset */ +// char uuid[LUKS2_UUID_L]; +// char subsystem[LUKS2_LABEL_L]; /* owner subsystem label */ +// uint64_t hdr_offset; /* offset from device start in bytes */ +// char _padding[184]; +// uint8_t csum[LUKS2_CHECKSUM_L]; +// } +message LUKS2_header { + required luks_version version = 1; + required luks2_magic magic = 2; + required hdr_size hdr_size = 3; + required bool use_correct_checksum = 4; + + optional uint64 selected_offset = 5; +} + +message LUKS2_both_headers { + required LUKS2_header primary_header = 1; + required LUKS2_header secondary_header = 2; + + required seqid_description seqid = 3; + required JsonObject json_area = 4; +} + +message JsonObject { + required string name = 1; + required JsonValue value = 2; +} + +message JsonValue { + oneof value { + // Json value types: + + // null: null, will be used when 'oneof' contains nothing + + // object: another json object of any type + JsonObject object_value = 1; + + // array: an array of values + ArrayValue array_value = 2; + + // number: can be an integer, a float, an exponent + NumberValue number_value = 3; + + // string: unicode string + StringValue string_value = 4; + + // boolean: true or talse + BooleanValue boolean_value = 5; + } +} + +message ArrayValue { + repeated JsonValue value = 1; +} + +message NumberInteger { + required int64 value = 1; +} + +message NumberFloat { + required double value = 1; +} + +message NumberExponent { + required int32 base = 1; + required int32 exponent = 2; + required bool use_uppercase = 3; +} + +message NumberExponentFrac { + required float base = 1; + required int32 exponent = 2; + required bool use_uppercase = 3; +} + +message NumberValue { + required NumberInteger integer_value = 1; + + // integer_value is used when oneof field below has nothing. + oneof value { + NumberFloat float_value = 2; + NumberExponent exponent_value = 3; + NumberExponentFrac exponent_frac_value = 4; + } +} + +message StringValue { + required string value = 1; +} + +message BooleanValue { + required bool value = 1; +} diff --git a/tests/fuzz/Makefile.am b/tests/fuzz/Makefile.am new file mode 100644 index 0000000..c7a6cdf --- /dev/null +++ b/tests/fuzz/Makefile.am @@ -0,0 +1,122 @@ +EXTRA_DIST = README.md oss-fuzz-build.sh +dist_noinst_DATA = \ + LUKS2.proto \ + LUKS2_plain_JSON.proto \ + crypt2_load_fuzz.dict \ + crypt2_load_ondisk_fuzz.dict \ + crypt2_load_proto_plain_json_fuzz.dict \ + unpoison-mutated-buffers-from-libfuzzer.patch +CLEANFILES = \ + LUKS2.pb.h \ + LUKS2.pb.cc \ + LUKS2_plain_JSON.pb.h \ + LUKS2_plain_JSON.pb.cc + +distclean-local: + -rm -rf out build + +LIB_FUZZING_ENGINE := $(if $(LIB_FUZZING_ENGINE),$(LIB_FUZZING_ENGINE),"-fsanitize=fuzzer") +SANITIZER := $(if $(SANITIZER),,"-fsanitize=address") + +DEPS_PATH := $(top_srcdir)/tests/fuzz/build/static_lib_deps + +crypt2_load_fuzz_SOURCES = FuzzerInterface.h crypt2_load_fuzz.cc +crypt2_load_fuzz_LDADD = ../../libcryptsetup.la ../../libcrypto_backend.la -L$(DEPS_PATH)/lib +crypt2_load_fuzz_LDFLAGS = $(AM_LDFLAGS) $(LIB_FUZZING_ENGINE) $(SANITIZER) +crypt2_load_fuzz_CXXFLAGS = $(AM_CXXFLAGS) -I$(top_srcdir)/lib -I$(top_srcdir)/tests/fuzz + +crypt2_load_ondisk_fuzz_SOURCES = FuzzerInterface.h crypt2_load_ondisk_fuzz.cc +crypt2_load_ondisk_fuzz_LDADD = ../../libcryptsetup.la -L$(DEPS_PATH)/lib +crypt2_load_ondisk_fuzz_LDFLAGS = $(AM_LDFLAGS) $(LIB_FUZZING_ENGINE) $(SANITIZER) +crypt2_load_ondisk_fuzz_CXXFLAGS = $(AM_CXXFLAGS) -I$(top_srcdir)/lib -I$(top_srcdir)/tests/fuzz + +test-environment-m: + @ if test ! -d $(DEPS_PATH); then \ + echo "You need to build static libraries first; use oss-fuzz-build.sh script."; \ + exit 1; \ + fi +test-environment: | test-environment-m $(DEPS_PATH) + +LUKS2.pb.h: LUKS2.proto + $(DEPS_PATH)/bin/protoc LUKS2.proto --cpp_out=. +LUKS2.pb.cc: LUKS2.pb.h + +LUKS2_plain_JSON.pb.h: LUKS2_plain_JSON.proto + $(DEPS_PATH)/bin/protoc LUKS2_plain_JSON.proto --cpp_out=. +LUKS2_plain_JSON.pb.cc: LUKS2_plain_JSON.pb.h + +crypt2_load_proto_fuzz-crypt2_load_proto_fuzz.$(OBJEXT): LUKS2.pb.cc +crypt2_load_proto_plain_json_fuzz-crypt2_load_proto_plain_json_fuzz.$(OBJEXT): LUKS2_plain_JSON.pb.cc + +nodist_crypt2_load_proto_fuzz_SOURCES = LUKS2.pb.h LUKS2.pb.cc +crypt2_load_proto_fuzz_SOURCES = FuzzerInterface.h \ + crypt2_load_proto_fuzz.cc \ + proto_to_luks2_converter.h \ + proto_to_luks2_converter.cc +crypt2_load_proto_fuzz_LDADD = \ + ../../libcryptsetup.la \ + ../../libcrypto_backend.la \ + -L$(DEPS_PATH)/lib -lprotobuf-mutator-libfuzzer -lprotobuf-mutator -lprotobuf +crypt2_load_proto_fuzz_LDFLAGS = $(AM_LDFLAGS) $(LIB_FUZZING_ENGINE) $(SANITIZER) +crypt2_load_proto_fuzz_CXXFLAGS = $(AM_CXXFLAGS) \ + -I$(top_srcdir)/lib \ + -I$(top_srcdir)/tests/fuzz \ + -I$(DEPS_PATH)/include \ + -I$(DEPS_PATH)/include/libprotobuf-mutator -I$(DEPS_PATH)/include/libprotobuf-mutator/src + +nodist_crypt2_load_proto_plain_json_fuzz_SOURCES = LUKS2_plain_JSON.pb.h LUKS2_plain_JSON.pb.cc +crypt2_load_proto_plain_json_fuzz_SOURCES = FuzzerInterface.h \ + crypt2_load_proto_plain_json_fuzz.cc \ + json_proto_converter.h \ + json_proto_converter.cc \ + plain_json_proto_to_luks2_converter.h \ + plain_json_proto_to_luks2_converter.cc +crypt2_load_proto_plain_json_fuzz_LDADD = \ + ../../libcryptsetup.la \ + ../../libcrypto_backend.la \ + -L$(DEPS_PATH)/lib -lprotobuf-mutator-libfuzzer -lprotobuf-mutator -lprotobuf +crypt2_load_proto_plain_json_fuzz_LDFLAGS = $(AM_LDFLAGS) $(LIB_FUZZING_ENGINE) $(SANITIZER) +crypt2_load_proto_plain_json_fuzz_CXXFLAGS = $(AM_CXXFLAGS) \ + -I$(top_srcdir)/lib \ + -I$(top_srcdir)/tests/fuzz \ + -I$(DEPS_PATH)/include \ + -I$(DEPS_PATH)/include/libprotobuf-mutator -I$(DEPS_PATH)/include/libprotobuf-mutator/src + +nodist_proto_to_luks2_SOURCES = LUKS2.pb.h LUKS2.pb.cc +proto_to_luks2_SOURCES = \ + proto_to_luks2.cc \ + proto_to_luks2_converter.h \ + proto_to_luks2_converter.cc +proto_to_luks2_LDADD = ../../libcryptsetup.la ../../libcrypto_backend.la -L$(DEPS_PATH)/lib -lprotobuf +proto_to_luks2_LDFLAGS = $(AM_LDFLAGS) -fsanitize=fuzzer-no-link $(SANITIZER) +proto_to_luks2_CXXFLAGS = $(AM_CXXFLAGS) \ + -I$(top_srcdir)/lib \ + -I$(top_srcdir)/tests/fuzz \ + -I$(DEPS_PATH)/include + +nodist_plain_json_proto_to_luks2_SOURCES = LUKS2_plain_JSON.pb.h LUKS2_plain_JSON.pb.cc +plain_json_proto_to_luks2_SOURCES = \ + plain_json_proto_to_luks2.cc \ + plain_json_proto_to_luks2_converter.h \ + plain_json_proto_to_luks2_converter.cc \ + json_proto_converter.h \ + json_proto_converter.cc +plain_json_proto_to_luks2_LDADD = ../../libcryptsetup.la ../../libcrypto_backend.la -L$(DEPS_PATH)/lib -lprotobuf +plain_json_proto_to_luks2_LDFLAGS = $(AM_LDFLAGS) -fsanitize=fuzzer-no-link $(SANITIZER) +plain_json_proto_to_luks2_CXXFLAGS = $(AM_CXXFLAGS) \ + -I$(top_srcdir)/lib \ + -I$(top_srcdir)/tests/fuzz \ + -I$(DEPS_PATH)/include + +if ENABLE_FUZZ_TARGETS +noinst_PROGRAMS = \ + crypt2_load_fuzz \ + crypt2_load_ondisk_fuzz \ + crypt2_load_proto_fuzz \ + crypt2_load_proto_plain_json_fuzz \ + proto_to_luks2 \ + plain_json_proto_to_luks2 + +fuzz-targets: test-environment $(noinst_PROGRAMS) +.PHONY: fuzz-targets +endif diff --git a/tests/fuzz/README.md b/tests/fuzz/README.md new file mode 100644 index 0000000..fdcfa27 --- /dev/null +++ b/tests/fuzz/README.md @@ -0,0 +1,66 @@ +# Fuzzing target for cryptsetup project + +This directory contains experimental targets for fuzzing testing. +It can be run in the OSS-Fuzz project but also compiled separately. + +# Requirements + +Fuzzers use address sanitizer. To properly detect problems, all +important libraries must be compiled statically with sanitizer enabled. + +Compilation requires *clang* and *clang++* compilers (gcc is not +supported yet). + +# Standalone build + +The script `oss-fuzz-build.sh` can be used to prepare the tree +with pre-compiled library dependencies. +We use upstream git for projects, which can clash with locally +installed versions. The best is to use only basic system installation +without development packages (script will use custom include, libs, +and pkg-config paths). + +# Build Docker image and fuzzers + +You can also run OSS-Fuzz in a Docker image, use these commands +to prepare fuzzers: +``` +sudo python3 infra/helper.py build_image cryptsetup +sudo python3 infra/helper.py build_fuzzers cryptsetup +``` +On SELinux systems also add (https://github.com/google/oss-fuzz/issues/30): +``` +sudo chcon -Rt svirt_sandbox_file_t build/ +``` + +# Run LUKS2 fuzzer +`FUZZER_NAME` can be one of: `crypt2_load_fuzz`, `crypt2_load_proto_fuzz`, `crypt2_load_proto_plain_json_fuzz` +``` +FUZZER_NAME="crypt2_load_proto_plain_json_fuzz" +sudo mkdir -p build/corpus/cryptsetup/$FUZZER_NAME +sudo python infra/helper.py run_fuzzer --corpus-dir build/corpus/cryptsetup/$FUZZER_NAME/ --sanitizer address cryptsetup $FUZZER_NAME '-jobs=8 -workers=8' +``` + +The output of the parallel threads will be written to `fuzz-.log` (where `` is the number of the process). +You can watch it using e.g.: +``` +tail -f build/out/cryptsetup/fuzz-* +``` + +Optionally, you can use experimental `fork` mode for parallelization and the output will be displayed directly on the terminal: +``` +sudo python infra/helper.py run_fuzzer --corpus-dir build/corpus/cryptsetup/$FUZZER_NAME/ --sanitizer address cryptsetup $FUZZER_NAME '-fork=8 ' +``` + +# Rebuild fuzz targets for coverage +``` +sudo python infra/helper.py build_fuzzers --sanitizer coverage cryptsetup +``` + +# Generate coverage report +``` +sudo python infra/helper.py coverage cryptsetup --no-corpus-download --fuzz-target $FUZZER_NAME +``` + +# Further information +For more details, you can look into the [Using fuzzing for Linux disk encryption tools](https://is.muni.cz/th/bum03/?lang=en) thesis. diff --git a/tests/fuzz/crypt2_load_fuzz.cc b/tests/fuzz/crypt2_load_fuzz.cc new file mode 100644 index 0000000..1251d72 --- /dev/null +++ b/tests/fuzz/crypt2_load_fuzz.cc @@ -0,0 +1,112 @@ +/* + * cryptsetup LUKS2 fuzz target + * + * Copyright (C) 2022-2023 Daniel Zatovic + * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +extern "C" { +#define FILESIZE (16777216) +#include "src/cryptsetup.h" +#include +#include "luks2/luks2.h" +#include "crypto_backend/crypto_backend.h" +#include "FuzzerInterface.h" + +static int calculate_checksum(const uint8_t* data, size_t size) { + struct crypt_hash *hd = NULL; + struct luks2_hdr_disk *hdr = NULL; + int hash_size; + uint64_t hdr_size1, hdr_size2; + int r = 0; + + /* primary header */ + if (sizeof(struct luks2_hdr_disk) > size) + return 0; + hdr = CONST_CAST(struct luks2_hdr_disk *) data; + + hdr_size1 = be64_to_cpu(hdr->hdr_size); + if (hdr_size1 > size) + return 0; + memset(&hdr->csum, 0, LUKS2_CHECKSUM_L); + if ((r = crypt_hash_init(&hd, "sha256"))) + goto out; + if ((r = crypt_hash_write(hd, CONST_CAST(char*) data, hdr_size1))) + goto out; + hash_size = crypt_hash_size("sha256"); + if (hash_size <= 0) { + r = 1; + goto out; + } + if ((r = crypt_hash_final(hd, (char*)&hdr->csum, (size_t)hash_size))) + goto out; + crypt_hash_destroy(hd); + + /* secondary header */ + if (hdr_size1 < sizeof(struct luks2_hdr_disk)) + hdr_size1 = sizeof(struct luks2_hdr_disk); + + if (hdr_size1 + sizeof(struct luks2_hdr_disk) > size) + return 0; + hdr = CONST_CAST(struct luks2_hdr_disk *) (data + hdr_size1); + + hdr_size2 = be64_to_cpu(hdr->hdr_size); + if (hdr_size2 > size || (hdr_size1 + hdr_size2) > size) + return 0; + + memset(&hdr->csum, 0, LUKS2_CHECKSUM_L); + if ((r = crypt_hash_init(&hd, "sha256"))) + goto out; + if ((r = crypt_hash_write(hd, (char*) hdr, hdr_size2))) + goto out; + if ((r = crypt_hash_final(hd, (char*)&hdr->csum, (size_t)hash_size))) + goto out; + +out: + if (hd) + crypt_hash_destroy(hd); + return r; +} + +int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { + int fd; + struct crypt_device *cd = NULL; + char name[] = "/tmp/test-script-fuzz.XXXXXX"; + + if (calculate_checksum(data, size)) + return 0; + + fd = mkostemp(name, O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC); + if (fd == -1) + err(EXIT_FAILURE, "mkostemp() failed"); + + /* enlarge header */ + if (ftruncate(fd, FILESIZE) == -1) + goto out; + + if (write_buffer(fd, data, size) != (ssize_t)size) + goto out; + + if (crypt_init(&cd, name) == 0) + (void)crypt_load(cd, CRYPT_LUKS2, NULL); + crypt_free(cd); +out: + close(fd); + unlink(name); + return 0; +} +} diff --git a/tests/fuzz/crypt2_load_fuzz.dict b/tests/fuzz/crypt2_load_fuzz.dict new file mode 100644 index 0000000..fedf1a4 --- /dev/null +++ b/tests/fuzz/crypt2_load_fuzz.dict @@ -0,0 +1,130 @@ +# LUKS2 dictionary based on AFL dictionary for JSON +# ------------------------------------------------- +# JSON dictionary from https://github.com/google/AFL/blob/master/dictionaries/json.dict +# Inspired by a dictionary by Jakub Wilk +# +# LUKS2 keywords by Daniel Zatovic + +"0" +",0" +":0" +"0:" +"-1.2e+3" + +"true" +"false" +"null" + +"\"\"" +",\"\"" +":\"\"" +"\"\":" + +"{}" +",{}" +":{}" +"{\"\":0}" +"{{}}" + +"[]" +",[]" +":[]" +"[0]" +"[[]]" + +"''" +"\\" +"\\b" +"\\f" +"\\n" +"\\r" +"\\t" +"\\u0000" +"\\x00" +"\\0" +"\\uD800\\uDC00" +"\\uDBFF\\uDFFF" + +"\"\":0" +"//" +"/**/" + +"$ref" +"type" +"coordinates" +"@context" +"@id" + +"," +":" + +"1024" +"2048" +"4096" +"512" +"aegis128-random" +"aes-cbc:essiv:sha256" +"aes-xts-plain64" +"af" +"allow-discards" +"area" +"argon2i" +"argon2id" +"backup-final" +"backup-moved-segment" +"backup-previous" +"checksum" +"config" +"cpus" +"crypt" +"datashift" +"digest" +"digests" +"direction" +"encryption" +"flags" +"hash" +"in-reencryption" +"integrity" +"iterations" +"iv_tweak" +"journal" +"journal_encryption" +"journal_integrity" +"json_size" +"kdf" +"key_description" +"key_size" +"keyslots" +"keyslots_size" +"linear" +"luks2" +"luks2-keyring" +"LUKS\xBA\xBE" +"memory" +"mode" +"no-journal" +"none" +"no-read-workqueue" +"no-write-workqueue" +"offline-reencrypt" +"offset" +"online-reencrypt-v2" +"pbkdf2" +"priority" +"raw" +"reencrypt" +"requirements" +"salt" +"same-cpu-crypt" +"sector_size" +"segments" +"serpent-xts-plain64" +"shift_size" +"size" +"SKUL\xBA\xBE" +"stripes" +"submit-from-crypt-cpus" +"time" +"tokens" +"twofish-xts-plain64" diff --git a/tests/fuzz/crypt2_load_ondisk_fuzz.cc b/tests/fuzz/crypt2_load_ondisk_fuzz.cc new file mode 100644 index 0000000..9b5328d --- /dev/null +++ b/tests/fuzz/crypt2_load_ondisk_fuzz.cc @@ -0,0 +1,64 @@ +/* + * cryptsetup LUKS1, FileVault, BitLocker fuzz target + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +extern "C" { +#define FILESIZE (16777216) +#include "src/cryptsetup.h" +#include +#include "luks1/luks.h" +#include "crypto_backend/crypto_backend.h" +#include "FuzzerInterface.h" + +void empty_log(int level, const char *msg, void *usrptr) {} + +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + int fd, r; + struct crypt_device *cd = NULL; + char name[] = "/tmp/test-script-fuzz.XXXXXX"; + + fd = mkostemp(name, O_RDWR | O_CREAT | O_EXCL | O_CLOEXEC); + if (fd == -1) + err(EXIT_FAILURE, "mkostemp() failed"); + + /* enlarge header */ + if (ftruncate(fd, FILESIZE) == -1) + goto out; + + if (write_buffer(fd, data, size) != (ssize_t) size) + goto out; + + crypt_set_log_callback(NULL, empty_log, NULL); + + if (crypt_init(&cd, name) == 0) { + r = crypt_load(cd, CRYPT_LUKS1, NULL); + if (r == 0) + goto out; + + r = crypt_load(cd, CRYPT_FVAULT2, NULL); + if (r == 0) + goto out; + + (void) crypt_load(cd, CRYPT_BITLK, NULL); + } +out: + crypt_free(cd); + close(fd); + unlink(name); + return 0; +} +} diff --git a/tests/fuzz/crypt2_load_ondisk_fuzz.dict b/tests/fuzz/crypt2_load_ondisk_fuzz.dict new file mode 100644 index 0000000..3923db5 --- /dev/null +++ b/tests/fuzz/crypt2_load_ondisk_fuzz.dict @@ -0,0 +1,9 @@ +"aegis128-random" +"aes-cbc:essiv:sha256" +"aes-xts-plain64" +"aes-lrv-plain64" +"twofish-xts-plain64" +"serpent-xts-plain64" +"whirpool" +"sha256" +"sha1" diff --git a/tests/fuzz/crypt2_load_proto_fuzz.cc b/tests/fuzz/crypt2_load_proto_fuzz.cc new file mode 100644 index 0000000..498c006 --- /dev/null +++ b/tests/fuzz/crypt2_load_proto_fuzz.cc @@ -0,0 +1,51 @@ +/* + * cryptsetup LUKS2 custom mutator fuzz target + * + * Copyright (C) 2022-2023 Daniel Zatovic + * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#include "LUKS2.pb.h" +#include "proto_to_luks2_converter.h" +#include "libfuzzer/libfuzzer_macro.h" +#include "FuzzerInterface.h" + +extern "C" { +#include +#include +#include +#include +} + +DEFINE_PROTO_FUZZER(const LUKS2_proto::LUKS2_both_headers &headers) { + struct crypt_device *cd = NULL; + char name[] = "/tmp/test-proto-fuzz.XXXXXX"; + int fd = mkostemp(name, O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC); + + if (fd < 0) + err(EXIT_FAILURE, "mkostemp() failed"); + + LUKS2_proto::LUKS2ProtoConverter converter; + converter.convert(headers, fd); + + if (crypt_init(&cd, name) == 0) + (void)crypt_load(cd, CRYPT_LUKS2, NULL); + crypt_free(cd); + + close(fd); + unlink(name); +} diff --git a/tests/fuzz/crypt2_load_proto_plain_json_fuzz.cc b/tests/fuzz/crypt2_load_proto_plain_json_fuzz.cc new file mode 100644 index 0000000..f3565ab --- /dev/null +++ b/tests/fuzz/crypt2_load_proto_plain_json_fuzz.cc @@ -0,0 +1,51 @@ +/* + * cryptsetup LUKS2 custom mutator fuzz target + * + * Copyright (C) 2022-2023 Daniel Zatovic + * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#include "LUKS2_plain_JSON.pb.h" +#include "plain_json_proto_to_luks2_converter.h" +#include "libfuzzer/libfuzzer_macro.h" +#include "FuzzerInterface.h" + +extern "C" { +#include +#include +#include +#include +} + +DEFINE_PROTO_FUZZER(const json_proto::LUKS2_both_headers &headers) { + struct crypt_device *cd = NULL; + char name[] = "/tmp/test-proto-fuzz.XXXXXX"; + int fd = mkostemp(name, O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC); + + if (fd < 0) + err(EXIT_FAILURE, "mkostemp() failed"); + + json_proto::LUKS2ProtoConverter converter; + converter.convert(headers, fd); + + if (crypt_init(&cd, name) == 0) + (void)crypt_load(cd, CRYPT_LUKS2, NULL); + crypt_free(cd); + + close(fd); + unlink(name); +} diff --git a/tests/fuzz/crypt2_load_proto_plain_json_fuzz.dict b/tests/fuzz/crypt2_load_proto_plain_json_fuzz.dict new file mode 100644 index 0000000..7d83151 --- /dev/null +++ b/tests/fuzz/crypt2_load_proto_plain_json_fuzz.dict @@ -0,0 +1,72 @@ +# LUKS2 keywords by Daniel Zatovic + +"1024" +"2048" +"4096" +"512" +"aegis128-random" +"aes-cbc:essiv:sha256" +"aes-xts-plain64" +"af" +"allow-discards" +"area" +"argon2i" +"argon2id" +"backup-final" +"backup-moved-segment" +"backup-previous" +"checksum" +"config" +"cpus" +"crypt" +"datashift" +"digest" +"digests" +"direction" +"encryption" +"flags" +"hash" +"in-reencryption" +"integrity" +"iterations" +"iv_tweak" +"journal" +"journal_encryption" +"journal_integrity" +"json_size" +"kdf" +"key_description" +"key_size" +"keyslots" +"keyslots_size" +"linear" +"luks2" +"luks2-keyring" +"LUKS\xBA\xBE" +"memory" +"mode" +"no-journal" +"none" +"no-read-workqueue" +"no-write-workqueue" +"offline-reencrypt" +"offset" +"online-reencrypt-v2" +"pbkdf2" +"priority" +"raw" +"reencrypt" +"requirements" +"salt" +"same-cpu-crypt" +"sector_size" +"segments" +"serpent-xts-plain64" +"shift_size" +"size" +"SKUL\xBA\xBE" +"stripes" +"submit-from-crypt-cpus" +"time" +"tokens" +"twofish-xts-plain64" diff --git a/tests/fuzz/json_proto_converter.cc b/tests/fuzz/json_proto_converter.cc new file mode 100644 index 0000000..ed453be --- /dev/null +++ b/tests/fuzz/json_proto_converter.cc @@ -0,0 +1,87 @@ +// Copyright 2020 Google Inc. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +//////////////////////////////////////////////////////////////////////////////// + +#include "json_proto_converter.h" + +namespace json_proto { + +void JsonProtoConverter::AppendArray(const ArrayValue& array_value) { + data_ << '['; + bool need_comma = false; + for (const auto& value : array_value.value()) { + // Trailing comma inside of an array makes JSON invalid, avoid adding that. + if (need_comma) + data_ << ','; + else + need_comma = true; + + AppendValue(value); + } + data_ << ']'; +} + +void JsonProtoConverter::AppendNumber(const NumberValue& number_value) { + if (number_value.has_float_value()) { + data_ << number_value.float_value().value(); + } else if (number_value.has_exponent_value()) { + auto value = number_value.exponent_value(); + data_ << value.base(); + data_ << (value.use_uppercase() ? 'E' : 'e'); + data_ << value.exponent(); + } else if (number_value.has_exponent_frac_value()) { + auto value = number_value.exponent_value(); + data_ << value.base(); + data_ << (value.use_uppercase() ? 'E' : 'e'); + data_ << value.exponent(); + } else { + data_ << number_value.integer_value().value(); + } +} + +void JsonProtoConverter::AppendObject(const JsonObject& json_object) { + data_ << '{' << '"' << json_object.name() << '"' << ':'; + AppendValue(json_object.value()); + data_ << '}'; +} + +void JsonProtoConverter::AppendValue(const JsonValue& json_value) { + if (json_value.has_object_value()) { + AppendObject(json_value.object_value()); + } else if (json_value.has_array_value()) { + AppendArray(json_value.array_value()); + } else if (json_value.has_number_value()) { + AppendNumber(json_value.number_value()); + } else if (json_value.has_string_value()) { + data_ << '"' << json_value.string_value().value() << '"'; + } else if (json_value.has_boolean_value()) { + data_ << (json_value.boolean_value().value() ? "true" : "false"); + } else { + data_ << "null"; + } +} + +std::string JsonProtoConverter::Convert(const JsonObject& json_object) { + AppendObject(json_object); + return data_.str(); +} + +std::string JsonProtoConverter::Convert( + const json_proto::ArrayValue& json_array) { + AppendArray(json_array); + return data_.str(); +} + +} // namespace json_proto diff --git a/tests/fuzz/json_proto_converter.h b/tests/fuzz/json_proto_converter.h new file mode 100644 index 0000000..ca52d67 --- /dev/null +++ b/tests/fuzz/json_proto_converter.h @@ -0,0 +1,43 @@ +// Copyright 2020 Google Inc. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +//////////////////////////////////////////////////////////////////////////////// + +#ifndef JSON_PROTO_CONVERTER_H_ +#define JSON_PROTO_CONVERTER_H_ + +#include +#include + +#include "LUKS2_plain_JSON.pb.h" + +namespace json_proto { + +class JsonProtoConverter { + public: + std::string Convert(const json_proto::JsonObject&); + std::string Convert(const json_proto::ArrayValue&); + + private: + std::stringstream data_; + + void AppendArray(const json_proto::ArrayValue&); + void AppendNumber(const json_proto::NumberValue&); + void AppendObject(const json_proto::JsonObject&); + void AppendValue(const json_proto::JsonValue&); +}; + +} // namespace json_proto + +#endif // TESTING_LIBFUZZER_PROTO_JSON_PROTO_CONVERTER_H_ diff --git a/tests/fuzz/oss-fuzz-build.sh b/tests/fuzz/oss-fuzz-build.sh new file mode 100755 index 0000000..b2f643f --- /dev/null +++ b/tests/fuzz/oss-fuzz-build.sh @@ -0,0 +1,152 @@ +#!/usr/bin/env bash + +function in_oss_fuzz() +{ + test -n "$FUZZING_ENGINE" +} + +echo "Running cryptsetup OSS-Fuzz build script." +env +set -ex +PWD=$(pwd) + +export LC_CTYPE=C.UTF-8 + +export SRC=${SRC:-$PWD/build} +export OUT="${OUT:-$PWD/out}" +export DEPS_PATH=$SRC/static_lib_deps + +export PKG_CONFIG_PATH="$DEPS_PATH"/lib/pkgconfig + +export CC=${CC:-clang} +export CXX=${CXX:-clang++} +export LIB_FUZZING_ENGINE="${LIB_FUZZING_ENGINE:--fsanitize=fuzzer}" + +SANITIZER="${SANITIZER:-address -fsanitize-address-use-after-scope}" +flags="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=$SANITIZER -fsanitize=fuzzer-no-link" + +export CFLAGS="${CFLAGS:-$flags} -I$DEPS_PATH/include" +export CXXFLAGS="${CXXFLAGS:-$flags} -I$DEPS_PATH/include" +export LDFLAGS="${LDFLAGS-} -L$DEPS_PATH/lib" + +ENABLED_FUZZERS=${ENABLED_FUZZERS:-crypt2_load_fuzz crypt2_load_ondisk_fuzz crypt2_load_proto_plain_json_fuzz} + +mkdir -p $SRC +mkdir -p $OUT +mkdir -p $DEPS_PATH +cd $SRC + +LIBFUZZER_PATCH="$PWD/unpoison-mutated-buffers-from-libfuzzer.patch" +in_oss_fuzz && LIBFUZZER_PATCH="$PWD/cryptsetup/tests/fuzz/unpoison-mutated-buffers-from-libfuzzer.patch" + +in_oss_fuzz && apt-get update && apt-get install -y \ + make autoconf automake autopoint libtool pkg-config \ + sharutils gettext expect keyutils ninja-build \ + bison + +[ ! -d zlib ] && git clone --depth 1 https://github.com/madler/zlib.git +[ ! -d xz ] && git clone https://git.tukaani.org/xz.git +[ ! -d json-c ] && git clone --depth 1 https://github.com/json-c/json-c.git +[ ! -d lvm2 ] && git clone --depth 1 https://sourceware.org/git/lvm2.git +[ ! -d popt ] && git clone --depth 1 https://github.com/rpm-software-management/popt.git +[ ! -d libprotobuf-mutator ] && git clone --depth 1 https://github.com/google/libprotobuf-mutator.git \ + && [ "$SANITIZER" == "memory" ] && ( cd libprotobuf-mutator; patch -p1 < $LIBFUZZER_PATCH ) +[ ! -d openssl ] && git clone --depth 1 https://github.com/openssl/openssl +[ ! -d util-linux ] && git clone --depth 1 https://github.com/util-linux/util-linux +[ ! -d cryptsetup_fuzzing ] && git clone --depth 1 https://gitlab.com/cryptsetup/cryptsetup_fuzzing.git + +cd openssl +./Configure --prefix="$DEPS_PATH" --libdir=lib no-shared no-module no-asm +make build_generated +make -j libcrypto.a +make install_dev +cd .. + +cd util-linux +./autogen.sh +./configure --prefix="$DEPS_PATH" --enable-static --disable-shared -disable-all-programs --enable-libuuid --enable-libblkid +make -j +make install +cd .. + +cd zlib +./configure --prefix="$DEPS_PATH" --static +make -j +make install +cd .. + +cd xz +./autogen.sh --no-po4a +./configure --prefix="$DEPS_PATH" --enable-static --disable-shared +make -j +make install +cd .. + +cd json-c +mkdir -p build +rm -fr build/* +cd build +cmake .. -DCMAKE_INSTALL_PREFIX="$DEPS_PATH" -DBUILD_SHARED_LIBS=OFF -DBUILD_STATIC_LIBS=ON +make -j +make install +cd ../.. + +cd lvm2 +./configure --prefix="$DEPS_PATH" --enable-static_link --disable-udev_sync --enable-pkgconfig --disable-selinux +make -j libdm.device-mapper +# build of dmsetup.static is broken +# make install_device-mapper +cp ./libdm/ioctl/libdevmapper.a "$DEPS_PATH"/lib/ +cp ./libdm/libdevmapper.h "$DEPS_PATH"/include/ +cp ./libdm/libdevmapper.pc "$PKG_CONFIG_PATH" +cd .. + +cd popt +# --no-undefined is incompatible with sanitizers +sed -i -e 's/-Wl,--no-undefined //' src/CMakeLists.txt +mkdir -p build +rm -fr build/* +cd build +cmake .. -DCMAKE_INSTALL_PREFIX="$DEPS_PATH" -DBUILD_SHARED_LIBS=OFF +make -j +make install +cd ../.. + +cd libprotobuf-mutator +mkdir -p build +rm -fr build/* +cd build +cmake .. -GNinja \ + -DCMAKE_INSTALL_PREFIX="$DEPS_PATH" \ + -DPKG_CONFIG_PATH="$PKG_CONFIG_PATH" \ + -DLIB_PROTO_MUTATOR_TESTING=OFF \ + -DLIB_PROTO_MUTATOR_DOWNLOAD_PROTOBUF=ON +ninja +ninja install +cd external.protobuf; +cp -Rf bin lib include "$DEPS_PATH"; +cd ../../.. + +if in_oss_fuzz; then + mkdir -p cryptsetup/tests/fuzz/build + ln -s ../../../../static_lib_deps cryptsetup/tests/fuzz/build/static_lib_deps + cd cryptsetup +else + cd ../../.. +fi +./autogen.sh +./configure --enable-static --disable-asciidoc --disable-ssh-token --disable-udev --disable-selinux --with-crypto_backend=openssl --disable-shared --enable-fuzz-targets +make clean +make -j fuzz-targets + +for fuzzer in $ENABLED_FUZZERS; do + cp tests/fuzz/$fuzzer $OUT + cp $SRC/cryptsetup_fuzzing/${fuzzer}_seed_corpus.zip $OUT + + # optionally copy the dictionary if it exists + if [ -e tests/fuzz/${fuzzer}.dict ]; then + cp tests/fuzz/${fuzzer}.dict $OUT + fi +done + +cd $PWD diff --git a/tests/fuzz/plain_json_proto_to_luks2.cc b/tests/fuzz/plain_json_proto_to_luks2.cc new file mode 100644 index 0000000..8c56c15 --- /dev/null +++ b/tests/fuzz/plain_json_proto_to_luks2.cc @@ -0,0 +1,75 @@ +/* + * cryptsetup LUKS2 protobuf to image converter + * + * Copyright (C) 2022-2023 Daniel Zatovic + * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#include +#include + +#include +#include + +#include +#include + +#include "plain_json_proto_to_luks2_converter.h" + +using namespace json_proto; + +int main(int argc, char *argv[]) { + LUKS2_both_headers headers; + LUKS2ProtoConverter converter; + int fd; + + std::string out_img_name; + + if (argc != 2) { + std::cerr << "Usage: " << argv[0] << " \n"; + return EXIT_FAILURE; + } + + fd = open(argv[1], O_RDONLY); + if (fd < 0) { + std::cerr << "Failed to open " << argv[1] << std::endl; + return EXIT_FAILURE; + } + + google::protobuf::io::FileInputStream fileInput(fd); + + if (!google::protobuf::TextFormat::Parse(&fileInput, &headers)) { + std::cerr << "Failed to parse protobuf " << argv[1] << std::endl; + close(fd); + return EXIT_FAILURE; + } + close(fd); + + out_img_name = argv[1]; + out_img_name += ".img"; + + fd = open(out_img_name.c_str(), O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC|O_TRUNC, 0644); + if (fd < 0) { + std::cerr << "Failed to open output file " << out_img_name << std::endl; + return EXIT_FAILURE; + } + converter.set_write_headers_only(false); + converter.convert(headers, fd); + + close(fd); + return EXIT_SUCCESS; +} diff --git a/tests/fuzz/plain_json_proto_to_luks2_converter.cc b/tests/fuzz/plain_json_proto_to_luks2_converter.cc new file mode 100644 index 0000000..823c0c5 --- /dev/null +++ b/tests/fuzz/plain_json_proto_to_luks2_converter.cc @@ -0,0 +1,153 @@ +/* + * cryptsetup LUKS2 custom mutator fuzz target + * + * Copyright (C) 2022-2023 Daniel Zatovic + * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#include "plain_json_proto_to_luks2_converter.h" +#include "json_proto_converter.h" + +extern "C" { +#include "src/cryptsetup.h" +#include "luks2/luks2.h" +#include +} + +namespace json_proto { + +void LUKS2ProtoConverter::emit_luks2_binary_header(const LUKS2_header &header_proto, int fd, uint64_t offset, uint64_t seqid, const std::string &json_text) { + struct luks2_hdr_disk hdr = {}; + int r; + + if (hd) + crypt_hash_destroy(hd); + if (crypt_hash_init(&hd, "sha256")) + err(EXIT_FAILURE, "crypt_hash_init failed"); + + + r = lseek(fd, offset, SEEK_SET); + if (r == -1) + err(EXIT_FAILURE, "lseek failed"); + + switch (header_proto.magic()) { + case INVALID: + memset(&hdr.magic, 0, LUKS2_MAGIC_L); + break; + case FIRST: + memcpy(&hdr.magic, LUKS2_MAGIC_1ST, LUKS2_MAGIC_L); + break; + case SECOND: + memcpy(&hdr.magic, LUKS2_MAGIC_2ND, LUKS2_MAGIC_L); + break; + } + hdr.version = cpu_to_be16(header_proto.version()); + hdr.hdr_size = cpu_to_be64(header_proto.hdr_size()); + hdr.seqid = cpu_to_be64(seqid); + strncpy(hdr.checksum_alg, "sha256", LUKS2_CHECKSUM_ALG_L); + hdr.checksum_alg[LUKS2_CHECKSUM_ALG_L - 1] = '\0'; + strncpy(hdr.uuid, "af7f64ea-3233-4581-946b-6187d812841e", LUKS2_UUID_L); + memset(hdr.salt, 1, LUKS2_SALT_L); + + + if (header_proto.has_selected_offset()) + hdr.hdr_offset = cpu_to_be64(header_proto.selected_offset()); + else + hdr.hdr_offset = cpu_to_be64(offset); + + if (write_buffer(fd, &hdr, LUKS2_HDR_BIN_LEN) != LUKS2_HDR_BIN_LEN) + err(EXIT_FAILURE, "write_buffer failed"); + if (crypt_hash_write(hd, (char*)&hdr, LUKS2_HDR_BIN_LEN)) + err(EXIT_FAILURE, "crypt_hash_write failed"); + + size_t hdr_json_area_len = header_proto.hdr_size() - LUKS2_HDR_BIN_LEN; + uint8_t csum[LUKS2_CHECKSUM_L]; + + size_t write_size = json_text.length() > hdr_json_area_len - 1 ? hdr_json_area_len - 1 : json_text.length(); + if (write_buffer(fd, json_text.c_str(), write_size) != (ssize_t)write_size) + err(EXIT_FAILURE, "write_buffer failed"); + if (crypt_hash_write(hd, json_text.c_str(), write_size)) + err(EXIT_FAILURE, "crypt_hash_write failed"); + + for (size_t i = 0; i < (hdr_json_area_len - write_size); i++) { + if (crypt_hash_write(hd, "\0", 1)) + err(EXIT_FAILURE, "crypt_hash_write failed"); + } + + if (header_proto.use_correct_checksum()) { + if (lseek(fd, offset + offsetof(luks2_hdr_disk, csum), SEEK_SET) == -1) + err(EXIT_FAILURE, "lseek failed"); + + int hash_size = crypt_hash_size("sha256"); + if (hash_size <= 0) + err(EXIT_FAILURE, "crypt_hash_size failed"); + + if (crypt_hash_final(hd, (char*)csum, (size_t)hash_size)) + err(EXIT_FAILURE, "crypt_hash_final failed"); + if (write_buffer(fd, csum, hash_size) != hash_size) + err(EXIT_FAILURE, "write_buffer failed"); + } +} + +void LUKS2ProtoConverter::set_write_headers_only(bool headers_only) { + write_headers_only = headers_only; +} + +void LUKS2ProtoConverter::convert(const LUKS2_both_headers &headers, int fd) { + uint64_t primary_seqid, secondary_seqid; + int result; + + size_t out_size = headers.primary_header().hdr_size() + headers.secondary_header().hdr_size(); + + if (!write_headers_only) + out_size += KEYSLOTS_SIZE + DATA_SIZE; + + result = ftruncate(fd, out_size); + if (result == -1) + err(EXIT_FAILURE, "truncate failed"); + + result = lseek(fd, 0, SEEK_SET); + if (result == -1) + err(EXIT_FAILURE, "lseek failed"); + + switch (headers.seqid()) { + case EQUAL: + primary_seqid = 1; + secondary_seqid = 1; + break; + case PRIMARY_GREATER: + primary_seqid = 2; + secondary_seqid = 1; + break; + case SECONDARY_GREATER: + primary_seqid = 1; + secondary_seqid = 2; + break; + } + + JsonProtoConverter converter; + std::string json_text = converter.Convert(headers.json_area()); + + emit_luks2_binary_header(headers.primary_header(), fd, 0, primary_seqid, json_text); + emit_luks2_binary_header(headers.secondary_header(), fd, headers.primary_header().hdr_size(), secondary_seqid, json_text); +} + +LUKS2ProtoConverter::~LUKS2ProtoConverter() { + if (hd) + crypt_hash_destroy(hd); +} +} // namespace LUKS2_proto diff --git a/tests/fuzz/plain_json_proto_to_luks2_converter.h b/tests/fuzz/plain_json_proto_to_luks2_converter.h new file mode 100644 index 0000000..7decf9f --- /dev/null +++ b/tests/fuzz/plain_json_proto_to_luks2_converter.h @@ -0,0 +1,58 @@ +/* + * cryptsetup LUKS2 custom mutator fuzz target + * + * Copyright (C) 2022-2023 Daniel Zatovic + * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#ifndef LUKS2_PROTO_CONVERTER_H_ +#define LUKS2_PROTO_CONVERTER_H_ + +#include +#include +#include + +#include "LUKS2_plain_JSON.pb.h" +extern "C" { +#include "crypto_backend/crypto_backend.h" +} + +namespace json_proto { + +class LUKS2ProtoConverter { + public: + ~LUKS2ProtoConverter(); + void create_jobj(const LUKS2_both_headers &headers, uint64_t hdr_size); + void convert(const LUKS2_both_headers &headers, int fd); + void create_jobj(const LUKS2_both_headers &headers); + void emit_luks2_binary_header(const LUKS2_header &header_proto, int fd, uint64_t offset, uint64_t seqid, const std::string &json_text); + + void set_write_headers_only(bool headers_only); + + const uint8_t *get_out_buffer(); + size_t get_out_size(); + + static const uint64_t KEYSLOTS_SIZE = 3 * 1024 * 1024; + static const uint64_t DATA_SIZE = 16 * 1024 * 1024; + private: + bool write_headers_only = false; + struct crypt_hash *hd = NULL; +}; + +} // namespace LUKS2_proto + +#endif // LUKS2_PROTO_CONVERTER_H_ diff --git a/tests/fuzz/proto_to_luks2.cc b/tests/fuzz/proto_to_luks2.cc new file mode 100644 index 0000000..4a27cad --- /dev/null +++ b/tests/fuzz/proto_to_luks2.cc @@ -0,0 +1,75 @@ +/* + * cryptsetup LUKS2 protobuf to image converter + * + * Copyright (C) 2022-2023 Daniel Zatovic + * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#include +#include + +#include +#include + +#include +#include + +#include "proto_to_luks2_converter.h" + +using namespace LUKS2_proto; + +int main(int argc, char *argv[]) { + LUKS2_both_headers headers; + LUKS2ProtoConverter converter; + int fd; + + std::string out_img_name; + + if (argc != 2) { + std::cerr << "Usage: " << argv[0] << " \n"; + return EXIT_FAILURE; + } + + fd = open(argv[1], O_RDONLY); + if (fd < 0) { + std::cerr << "Failed to open " << argv[1] << std::endl; + return EXIT_FAILURE; + } + + google::protobuf::io::FileInputStream fileInput(fd); + + if (!google::protobuf::TextFormat::Parse(&fileInput, &headers)) { + std::cerr << "Failed to parse protobuf " << argv[1] << std::endl; + close(fd); + return EXIT_FAILURE; + } + close(fd); + + out_img_name = argv[1]; + out_img_name += ".img"; + + fd = open(out_img_name.c_str(), O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC|O_TRUNC, 0644); + if (fd < 0) { + std::cerr << "Failed to open output file " << out_img_name << std::endl; + return EXIT_FAILURE; + } + converter.set_write_headers_only(false); + converter.convert(headers, fd); + + close(fd); + return EXIT_SUCCESS; +} diff --git a/tests/fuzz/proto_to_luks2_converter.cc b/tests/fuzz/proto_to_luks2_converter.cc new file mode 100644 index 0000000..96a70b7 --- /dev/null +++ b/tests/fuzz/proto_to_luks2_converter.cc @@ -0,0 +1,604 @@ +/* + * cryptsetup LUKS2 custom mutator fuzz target + * + * Copyright (C) 2022-2023 Daniel Zatovic + * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#include "proto_to_luks2_converter.h" +#include + +extern "C" { +#include "src/cryptsetup.h" +#include "luks2/luks2.h" +#include +} + +namespace LUKS2_proto { + +std::string LUKS2ProtoConverter::string_uint64_to_string(const string_uint64 &str_u64) { + std::ostringstream os; + + if (str_u64.negative()) + os << "-"; + + if (str_u64.has_uint_num()) + os << str_u64.uint_num(); + else if (str_u64.has_string_num()) + os << str_u64.string_num(); + + return os.str(); +} + +std::string LUKS2ProtoConverter::object_id_to_string(const object_id &oid) { + std::ostringstream os; + + if (oid.has_int_id()) { + os << (oid.int_id() % 33) - 16; + } else if (oid.has_string_id()) { + os << oid.string_id(); + } + + return os.str(); +} + +std::string LUKS2ProtoConverter::hash_algorithm_to_string(const hash_algorithm type) { + switch (type) { + case HASH_ALG_SHA1: + return "sha1"; + case HASH_ALG_SHA256: + return "sha256"; + } +} + +std::string LUKS2ProtoConverter::keyslot_area_type_to_string(const keyslot_area_type type) { + switch (type) { + case KEYSLOT_AREA_TYPE_RAW: + return "raw"; + case KEYSLOT_AREA_TYPE_NONE: + return "none"; + case KEYSLOT_AREA_TYPE_JOURNAL: + return "journal"; + case KEYSLOT_AREA_TYPE_CHECKSUM: + return "checksum"; + case KEYSLOT_AREA_TYPE_DATASHIFT: + return "datashift"; + } +} + +void LUKS2ProtoConverter::generate_keyslot_area(struct json_object *jobj_area, const keyslot_area_description &keyslot_area_desc) { + // mandatory fields + if (keyslot_area_desc.has_type()) + json_object_object_add(jobj_area, "type", json_object_new_string(keyslot_area_type_to_string(keyslot_area_desc.type()).c_str())); + if (keyslot_area_desc.has_offset()) + json_object_object_add(jobj_area, "offset", json_object_new_string(string_uint64_to_string(keyslot_area_desc.offset()).c_str())); + if (keyslot_area_desc.has_size()) + json_object_object_add(jobj_area, "size", json_object_new_string(string_uint64_to_string(keyslot_area_desc.size()).c_str())); + + // raw type fields + if (keyslot_area_desc.has_encryption()) + json_object_object_add(jobj_area, "encryption", json_object_new_string(keyslot_area_desc.encryption().c_str())); + if (keyslot_area_desc.has_key_size()) + json_object_object_add(jobj_area, "key_size", json_object_new_int(keyslot_area_desc.key_size())); + + // checksum type fields + if (keyslot_area_desc.has_hash()) + json_object_object_add(jobj_area, "hash", json_object_new_string(hash_algorithm_to_string(keyslot_area_desc.hash()).c_str())); + if (keyslot_area_desc.has_sector_size()) + json_object_object_add(jobj_area, "sector_size", json_object_new_int(keyslot_area_desc.sector_size())); + + // datashift type fields + if (keyslot_area_desc.has_shift_size()) + json_object_object_add(jobj_area, "shift_size", json_object_new_string(string_uint64_to_string(keyslot_area_desc.shift_size()).c_str())); +} + +std::string LUKS2ProtoConverter::keyslot_kdf_type_to_string(const keyslot_kdf_type type) { + switch (type) { + case KEYSLOT_KDF_TYPE_PBKDF2: + return "pbkdf2"; + case KEYSLOT_KDF_TYPE_ARGON2I: + return "argon2i"; + case KEYSLOT_KDF_TYPE_ARGON2ID: + return "argon2id"; + } +} + +void LUKS2ProtoConverter::generate_keyslot_kdf(struct json_object *jobj_kdf, const keyslot_kdf_description &keyslot_kdf_desc) { + // mandatory fields + if (keyslot_kdf_desc.has_type()) + json_object_object_add(jobj_kdf, "type", json_object_new_string(keyslot_kdf_type_to_string(keyslot_kdf_desc.type()).c_str())); + + if (keyslot_kdf_desc.has_salt()) + json_object_object_add(jobj_kdf, "salt", json_object_new_string(keyslot_kdf_desc.salt().c_str())); + else + json_object_object_add(jobj_kdf, "salt", json_object_new_string("6vz4xK7cjan92rDA5JF8O6Jk2HouV0O8DMB6GlztVk=")); + + // pbkdf2 type + if (keyslot_kdf_desc.has_hash()) + json_object_object_add(jobj_kdf, "hash", json_object_new_string(hash_algorithm_to_string(keyslot_kdf_desc.hash()).c_str())); + if (keyslot_kdf_desc.has_iterations()) + json_object_object_add(jobj_kdf, "iterations", json_object_new_int(keyslot_kdf_desc.iterations())); + + // argon2i and argon2id types + if (keyslot_kdf_desc.has_time()) + json_object_object_add(jobj_kdf, "time", json_object_new_int(keyslot_kdf_desc.time())); + if (keyslot_kdf_desc.has_memory()) + json_object_object_add(jobj_kdf, "memory", json_object_new_int(keyslot_kdf_desc.memory())); + if (keyslot_kdf_desc.has_cpus()) + json_object_object_add(jobj_kdf, "cpus", json_object_new_int(keyslot_kdf_desc.cpus())); +} + +std::string LUKS2ProtoConverter::keyslot_af_type_to_string(const keyslot_af_type type) { + switch (type) { + case KEYSLOT_AF_TYPE_LUKS1: + return "luks1"; + } +} + +void LUKS2ProtoConverter::generate_keyslot_af(struct json_object *jobj_af, const keyslot_af_description &keyslot_af_desc) { + if (keyslot_af_desc.has_type()) + json_object_object_add(jobj_af, "type", json_object_new_string(keyslot_af_type_to_string(keyslot_af_desc.type()).c_str())); + if (keyslot_af_desc.has_stripes()) + json_object_object_add(jobj_af, "stripes", json_object_new_int(keyslot_af_desc.stripes())); + if (keyslot_af_desc.has_hash()) + json_object_object_add(jobj_af, "hash", json_object_new_string(hash_algorithm_to_string(keyslot_af_desc.hash()).c_str())); +} + +std::string LUKS2ProtoConverter::keyslot_type_to_string(const keyslot_type type) { + switch (type) { + case KEYSLOT_TYPE_LUKS2: + return "luks2"; + case KEYSLOT_TYPE_REENCRYPT: + return "reencrypt"; + case KEYSLOT_TYPE_PLACEHOLDER: + return "placeholder"; + } +} + +std::string LUKS2ProtoConverter::reencrypt_keyslot_mode_to_string(const reencrypt_keyslot_mode mode) { + switch (mode) { + case MODE_REENCRYPT: + return "reencrypt"; + case MODE_ENCRYPT: + return "encrypt"; + case MODE_DECRYPT: + return "decrypt"; + } +} + +std::string LUKS2ProtoConverter::reencrypt_keyslot_direction_to_string(const reencrypt_keyslot_direction direction) { + switch (direction) { + case DIRECTION_FORWARD: + return "forward"; + case DIRECTION_BACKWARD: + return "backward"; + } +} + +void LUKS2ProtoConverter::generate_keyslot(struct json_object *jobj_keyslots, const keyslot_description &keyslot_desc) { + struct json_object *jobj_keyslot, *jobj_area, *jobj_kdf, *jobj_af; + + jobj_keyslot = json_object_new_object(); + if (keyslot_desc.has_type()) + json_object_object_add(jobj_keyslot, "type", json_object_new_string(keyslot_type_to_string(keyslot_desc.type()).c_str())); + if (keyslot_desc.has_key_size()) + json_object_object_add(jobj_keyslot, "key_size", json_object_new_int(keyslot_desc.key_size())); + if (keyslot_desc.has_priority()) + json_object_object_add(jobj_keyslot, "priority", json_object_new_int(keyslot_desc.priority())); + if (keyslot_desc.has_mode()) + json_object_object_add(jobj_keyslot, "mode", json_object_new_int(keyslot_desc.mode())); + if (keyslot_desc.has_direction()) + json_object_object_add(jobj_keyslot, "direction", json_object_new_int(keyslot_desc.direction())); + + /* Area object */ + if (keyslot_desc.has_area()) { + jobj_area = json_object_new_object(); + generate_keyslot_area(jobj_area, keyslot_desc.area()); + json_object_object_add(jobj_keyslot, "area", jobj_area); + } + + /* KDF object */ + if (keyslot_desc.has_kdf()) { + jobj_kdf = json_object_new_object(); + generate_keyslot_kdf(jobj_kdf, keyslot_desc.kdf()); + json_object_object_add(jobj_keyslot, "kdf", jobj_kdf); + } + + /* AF object */ + if (keyslot_desc.has_af()) { + jobj_af = json_object_new_object(); + generate_keyslot_af(jobj_af, keyslot_desc.af()); + json_object_object_add(jobj_keyslot, "af", jobj_af); + } + + json_object_object_add(jobj_keyslots, object_id_to_string(keyslot_desc.oid()).c_str(), jobj_keyslot); +} + +void LUKS2ProtoConverter::generate_token(struct json_object *jobj_tokens, const token_description &token_desc) { + struct json_object *jobj_token, *jobj_keyslots; + jobj_token = json_object_new_object(); + + if (token_desc.has_type()) + json_object_object_add(jobj_token, "type", json_object_new_string(token_desc.type().c_str())); + + if (token_desc.has_key_description()) + json_object_object_add(jobj_token, "key_description", json_object_new_string(token_desc.key_description().c_str())); + + if (!token_desc.keyslots().empty()) { + jobj_keyslots = json_object_new_array(); + + for (const object_id& oid : token_desc.keyslots()) { + json_object_array_add(jobj_keyslots, + json_object_new_string(object_id_to_string(oid).c_str())); + } + + /* Replace or add new keyslots array */ + json_object_object_add(jobj_token, "keyslots", jobj_keyslots); + } + + json_object_object_add(jobj_tokens, object_id_to_string(token_desc.oid()).c_str(), jobj_token); +} + +void LUKS2ProtoConverter::generate_digest(struct json_object *jobj_digests, const digest_description &digest_desc) { + struct json_object *jobj_digest, *jobj_keyslots, *jobj_segments; + + jobj_digest = json_object_new_object(); + + if (digest_desc.has_type()) + json_object_object_add(jobj_digest, "type", json_object_new_string(keyslot_kdf_type_to_string(digest_desc.type()).c_str())); + + if (!digest_desc.keyslots().empty()) { + jobj_keyslots = json_object_new_array(); + + for (const object_id& oid : digest_desc.keyslots()) { + json_object_array_add(jobj_keyslots, + json_object_new_string(object_id_to_string(oid).c_str())); + } + + /* Replace or add new keyslots array */ + json_object_object_add(jobj_digest, "keyslots", jobj_keyslots); + } + + if (!digest_desc.segments().empty()) { + jobj_segments = json_object_new_array(); + + for (const object_id& oid : digest_desc.segments()) { + json_object_array_add(jobj_segments, + json_object_new_string(object_id_to_string(oid).c_str())); + } + + /* Replace or add new segments array */ + json_object_object_add(jobj_digest, "segments", jobj_segments); + } + + if (digest_desc.has_salt()) + json_object_object_add(jobj_digest, "salt", json_object_new_string(digest_desc.salt().c_str())); + if (digest_desc.has_digest()) + json_object_object_add(jobj_digest, "digest", json_object_new_string(digest_desc.digest().c_str())); + if (digest_desc.has_hash()) + json_object_object_add(jobj_digest, "hash", json_object_new_string(hash_algorithm_to_string(digest_desc.hash()).c_str())); + if (digest_desc.has_iterations()) + json_object_object_add(jobj_digest, "iterations", json_object_new_int(digest_desc.iterations())); + + json_object_object_add(jobj_digests, object_id_to_string(digest_desc.oid()).c_str(), jobj_digest); +} + +std::string LUKS2ProtoConverter::segment_type_to_string(segment_type type) { + switch (type) { + case SEGMENT_TYPE_LINEAR: + return "linear"; + case SEGMENT_TYPE_CRYPT: + return "crypt"; + } +} + +std::string LUKS2ProtoConverter::segment_flag_to_string(segment_flag flag) { + switch (flag) { + case IN_REENCRYPTION: + return "in-reencryption"; + case BACKUP_FINAL: + return "backup-final"; + case BACKUP_PREVIOUS: + return "backup-previous"; + case BACKUP_MOVED_SEGMENT: + return "backup-moved-segment"; + } +} + +void LUKS2ProtoConverter::generate_segment_integrity(struct json_object *jobj_integrity, const segment_integrity_description &segment_integrity_desc) { + if (segment_integrity_desc.has_type()) + json_object_object_add(jobj_integrity, "type", json_object_new_string(segment_integrity_desc.type().c_str())); + if (segment_integrity_desc.has_journal_encryption()) + json_object_object_add(jobj_integrity, "journal_encryption", json_object_new_string(segment_integrity_desc.journal_encryption().c_str())); + if (segment_integrity_desc.has_journal_integrity()) + json_object_object_add(jobj_integrity, "journal_integrity", json_object_new_string(segment_integrity_desc.journal_integrity().c_str())); +} + +void LUKS2ProtoConverter::generate_segment(struct json_object *jobj_segments, const segment_description &segment_desc) { + json_object *jobj_flags, *jobj_integrity; + json_object *jobj_segment = json_object_new_object(); + + if (segment_desc.has_type()) + json_object_object_add(jobj_segment, "type", json_object_new_string(segment_type_to_string(segment_desc.type()).c_str())); + + if (segment_desc.has_offset()) + json_object_object_add(jobj_segment, "offset", json_object_new_string(string_uint64_to_string(segment_desc.offset()).c_str())); + if (segment_desc.has_size()) + json_object_object_add(jobj_segment, "size", json_object_new_string(string_uint64_to_string(segment_desc.size()).c_str())); + + if (!segment_desc.flags().empty()) { + jobj_flags = json_object_new_array(); + + for (const int flag : segment_desc.flags()) { + json_object_array_add(jobj_flags, + json_object_new_string(segment_flag_to_string(segment_flag(flag)).c_str())); + } + + /* Replace or add new flags array */ + json_object_object_add(jobj_segment, "flags", jobj_flags); + } + + if (segment_desc.has_iv_tweak()) + json_object_object_add(jobj_segment, "iv_tweak", json_object_new_string(string_uint64_to_string(segment_desc.iv_tweak()).c_str())); + if (segment_desc.has_encryption()) + json_object_object_add(jobj_segment, "encryption", json_object_new_string(segment_desc.encryption().c_str())); + if (segment_desc.has_sector_size()) + json_object_object_add(jobj_segment, "sector_size", json_object_new_int(segment_desc.sector_size())); + + if (segment_desc.has_integrity()) { + jobj_integrity = json_object_new_object(); + generate_segment_integrity(jobj_integrity, segment_desc.integrity()); + json_object_object_add(jobj_segment, "integrity", jobj_integrity); + } + + json_object_object_add(jobj_segments, object_id_to_string(segment_desc.oid()).c_str(), jobj_segment); +} + +void LUKS2ProtoConverter::create_jobj(const LUKS2_both_headers &headers) { + json_object *jobj_keyslots = NULL; + json_object *jobj_digests = NULL; + json_object *jobj_segments = NULL; + json_object *jobj_tokens = NULL; + + const json_area_description &json_desc = headers.json_area(); + + jobj = json_object_new_object(); + if (!jobj) + return; + + jobj_keyslots = json_object_new_object(); + for (const keyslot_description &keyslot_desc : json_desc.keyslots()) { + generate_keyslot(jobj_keyslots, keyslot_desc); + } + json_object_object_add(jobj, "keyslots", jobj_keyslots); + + jobj_digests = json_object_new_object(); + for (const digest_description &digest_desc : json_desc.digests()) { + generate_digest(jobj_digests, digest_desc); + } + json_object_object_add(jobj, "digests", jobj_digests); + + jobj_segments = json_object_new_object(); + for (const segment_description &segment_desc : json_desc.segments()) { + generate_segment(jobj_segments, segment_desc); + } + json_object_object_add(jobj, "segments", jobj_segments); + + jobj_tokens = json_object_new_object(); + for (const token_description &token_desc : json_desc.tokens()) { + generate_token(jobj_tokens, token_desc); + } + json_object_object_add(jobj, "tokens", jobj_tokens); + + if (json_desc.has_config()) { + uint64_t hdr_size = json_desc.config().use_primary_hdr_size() ? headers.primary_header().hdr_size() : headers.secondary_header().hdr_size(); + generate_config(json_desc.config(), hdr_size - LUKS2_HDR_BIN_LEN, KEYSLOTS_SIZE); + } +} + +void LUKS2ProtoConverter::emit_luks2_binary_header(const LUKS2_header &header_proto, int fd, uint64_t offset, uint64_t seqid) { + struct luks2_hdr_disk hdr = {}; + int r; + + if (hd) + crypt_hash_destroy(hd); + if (crypt_hash_init(&hd, "sha256")) + err(EXIT_FAILURE, "crypt_hash_init failed"); + + + r = lseek(fd, offset, SEEK_SET); + if (r == -1) + err(EXIT_FAILURE, "lseek failed"); + + switch (header_proto.magic()) { + case INVALID: + memset(&hdr.magic, 0, LUKS2_MAGIC_L); + break; + case FIRST: + memcpy(&hdr.magic, LUKS2_MAGIC_1ST, LUKS2_MAGIC_L); + break; + case SECOND: + memcpy(&hdr.magic, LUKS2_MAGIC_2ND, LUKS2_MAGIC_L); + break; + } + hdr.version = cpu_to_be16(header_proto.version()); + hdr.hdr_size = cpu_to_be64(header_proto.hdr_size()); + hdr.seqid = cpu_to_be64(seqid); + strncpy(hdr.checksum_alg, "sha256", LUKS2_CHECKSUM_ALG_L); + hdr.checksum_alg[LUKS2_CHECKSUM_ALG_L - 1] = '\0'; + strncpy(hdr.uuid, "af7f64ea-3233-4581-946b-6187d812841e", LUKS2_UUID_L); + memset(hdr.salt, 1, LUKS2_SALT_L); + + + if (header_proto.has_selected_offset()) + hdr.hdr_offset = cpu_to_be64(header_proto.selected_offset()); + else + hdr.hdr_offset = cpu_to_be64(offset); + + if (write_buffer(fd, &hdr, LUKS2_HDR_BIN_LEN) != LUKS2_HDR_BIN_LEN) + err(EXIT_FAILURE, "write_buffer failed"); + if (crypt_hash_write(hd, (char*)&hdr, LUKS2_HDR_BIN_LEN)) + err(EXIT_FAILURE, "crypt_hash_write failed"); + + size_t hdr_json_area_len = header_proto.hdr_size() - LUKS2_HDR_BIN_LEN; + size_t json_text_len; + const char *json_text; + uint8_t csum[LUKS2_CHECKSUM_L]; + + if (jobj) { + json_text = json_object_to_json_string_ext((struct json_object *)jobj, JSON_C_TO_STRING_PLAIN | JSON_C_TO_STRING_NOSLASHESCAPE); + if (!json_text || !*json_text) + err(EXIT_FAILURE, "json_object_to_json_string_ext failed"); + + json_text_len = strlen(json_text); + + size_t write_size = json_text_len > hdr_json_area_len - 1 ? hdr_json_area_len - 1 : json_text_len; + if (write_buffer(fd, json_text, write_size) != (ssize_t)write_size) + err(EXIT_FAILURE, "write_buffer failed"); + if (crypt_hash_write(hd, json_text, write_size)) + err(EXIT_FAILURE, "crypt_hash_write failed"); + + for (size_t i = 0; i < (hdr_json_area_len - write_size); i++) { + if (crypt_hash_write(hd, "\0", 1)) + err(EXIT_FAILURE, "crypt_hash_write failed"); + } + } + + if (header_proto.use_correct_checksum()) { + if (lseek(fd, offset + offsetof(luks2_hdr_disk, csum), SEEK_SET) == -1) + err(EXIT_FAILURE, "lseek failed"); + + int hash_size = crypt_hash_size("sha256"); + if (hash_size <= 0) + err(EXIT_FAILURE, "crypt_hash_size failed"); + + if (crypt_hash_final(hd, (char*)csum, (size_t)hash_size)) + err(EXIT_FAILURE, "crypt_hash_final failed"); + if (write_buffer(fd, csum, hash_size) != hash_size) + err(EXIT_FAILURE, "write_buffer failed"); + } +} + +void LUKS2ProtoConverter::set_write_headers_only(bool headers_only) { + write_headers_only = headers_only; +} + +void LUKS2ProtoConverter::convert(const LUKS2_both_headers &headers, int fd) { + uint64_t primary_seqid, secondary_seqid; + int result; + + size_t out_size = headers.primary_header().hdr_size() + headers.secondary_header().hdr_size(); + + if (!write_headers_only) + out_size += KEYSLOTS_SIZE + DATA_SIZE; + + result = ftruncate(fd, out_size); + if (result == -1) + err(EXIT_FAILURE, "truncate failed"); + + result = lseek(fd, 0, SEEK_SET); + if (result == -1) + err(EXIT_FAILURE, "lseek failed"); + + switch (headers.seqid()) { + case EQUAL: + primary_seqid = 1; + secondary_seqid = 1; + break; + case PRIMARY_GREATER: + primary_seqid = 2; + secondary_seqid = 1; + break; + case SECONDARY_GREATER: + primary_seqid = 1; + secondary_seqid = 2; + break; + } + + create_jobj(headers); + emit_luks2_binary_header(headers.primary_header(), fd, 0, primary_seqid); + emit_luks2_binary_header(headers.secondary_header(), fd, headers.primary_header().hdr_size(), secondary_seqid); +} + +std::string LUKS2ProtoConverter::config_flag_to_string(config_flag flag) { + switch (flag) { + case CONFIG_FLAG_ALLOW_DISCARDS: + return "allow-discards"; + case CONFIG_FLAG_SAME_CPU_CRYPT: + return "same-cpu-crypt"; + case CONFIG_FLAG_SUBMIT_FROM_CRYPT_CPUS: + return "submit-from-crypt-cpus"; + case CONFIG_FLAG_NO_JOURNAL: + return "no-journal"; + case CONFIG_FLAG_NO_READ_WORKQUEUE: + return "no-read-workqueue"; + case CONFIG_FLAG_NO_WRITE_WORKQUEUE: + return "no-write-workqueue"; + } +} + +std::string LUKS2ProtoConverter::config_requirement_to_string(config_requirement requirement) { + switch (requirement) { + case CONFIG_REQUIREMENT_OFFLINE_REENCRYPT: + return "offline-reencrypt"; + case CONFIG_REQUIREMENT_ONLINE_REENCRYPT_V2: + return "online-reencrypt-v2"; + } +} + +void LUKS2ProtoConverter::generate_config(const config_description &config_desc, uint64_t json_size, uint64_t keyslots_size) { + json_object *jobj_config, *jobj_flags, *jobj_requirements, *jobj_mandatory; + jobj_config = json_object_new_object(); + + json_object_object_add(jobj_config, "json_size", json_object_new_string(std::to_string(json_size).c_str())); + json_object_object_add(jobj_config, "keyslots_size", json_object_new_string(std::to_string(keyslots_size).c_str())); + + if (!config_desc.config_flags().empty()) { + jobj_flags = json_object_new_array(); + + for (const int flag : config_desc.config_flags()) { + json_object_array_add(jobj_flags, + json_object_new_string(config_flag_to_string(config_flag(flag)).c_str())); + } + + /* Replace or add new flags array */ + json_object_object_add(jobj_config, "flags", jobj_flags); + } + + if (!config_desc.requirements().empty()) { + jobj_requirements = json_object_new_object(); + jobj_mandatory = json_object_new_array(); + + for (const int requirement : config_desc.requirements()) { + json_object_array_add(jobj_mandatory, + json_object_new_string(config_requirement_to_string(config_requirement(requirement)).c_str())); + } + + /* Replace or add new requirements array */ + json_object_object_add(jobj_requirements, "mandatory", jobj_mandatory); + json_object_object_add(jobj_config, "requirements", jobj_requirements); + } + + json_object_object_add(jobj, "config", jobj_config); +} + +LUKS2ProtoConverter::~LUKS2ProtoConverter() { + json_object_put(jobj); + if (hd) + crypt_hash_destroy(hd); +} +} // namespace LUKS2_proto diff --git a/tests/fuzz/proto_to_luks2_converter.h b/tests/fuzz/proto_to_luks2_converter.h new file mode 100644 index 0000000..9f926d0 --- /dev/null +++ b/tests/fuzz/proto_to_luks2_converter.h @@ -0,0 +1,91 @@ +/* + * cryptsetup LUKS2 custom mutator fuzz target + * + * Copyright (C) 2022-2023 Daniel Zatovic + * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#ifndef LUKS2_PROTO_CONVERTER_H_ +#define LUKS2_PROTO_CONVERTER_H_ + +#include +#include +#include + +#include "LUKS2.pb.h" +extern "C" { +#include "crypto_backend/crypto_backend.h" +} + +namespace LUKS2_proto { + +class LUKS2ProtoConverter { + public: + ~LUKS2ProtoConverter(); + std::string string_uint64_to_string(const string_uint64 &str_u64); + std::string hash_algorithm_to_string(const hash_algorithm type); + std::string object_id_to_string(const object_id &oid); + + std::string keyslot_area_type_to_string(const keyslot_area_type type); + std::string keyslot_kdf_type_to_string(const keyslot_kdf_type type); + std::string reencrypt_keyslot_mode_to_string(const reencrypt_keyslot_mode mode); + std::string keyslot_type_to_string(const keyslot_type type); + std::string reencrypt_keyslot_direction_to_string(const reencrypt_keyslot_direction direction); + std::string keyslot_af_type_to_string(const keyslot_af_type type); + + std::string config_flag_to_string(config_flag flag); + std::string config_requirement_to_string(config_requirement requirements); + + std::string segment_type_to_string(segment_type type); + std::string segment_flag_to_string(segment_flag flag); + + void generate_keyslot(struct json_object *jobj_keyslots, const keyslot_description &keyslot_desc); + void generate_keyslot_area(struct json_object *jobj_area, const keyslot_area_description &keyslot_area_desc); + void generate_keyslot_kdf(struct json_object *jobj_kdf, const keyslot_kdf_description &keyslot_kdf_desc); + void generate_keyslot_af(struct json_object *jobj_af, const keyslot_af_description &keyslot_af_desc); + + void generate_token(struct json_object *jobj_tokens, const token_description &token_desc); + + void generate_digest(struct json_object *jobj_digests, const digest_description &digest_desc); + + void generate_segment_integrity(struct json_object *jobj_integrity, const segment_integrity_description &segment_integrity_desc); + void generate_segment(struct json_object *jobj_segments, const segment_description &segment_desc); + + void generate_config(const config_description &config_desc, uint64_t json_size, uint64_t keyslots_size); + + void create_jobj(const LUKS2_both_headers &headers, uint64_t hdr_size); + void emit_luks2_binary_header(uint64_t offset, uint64_t seqid, bool is_primary, uint64_t hdr_size); + void convert(const LUKS2_both_headers &headers, int fd); + void create_jobj(const LUKS2_both_headers &headers); + void emit_luks2_binary_header(const LUKS2_header &header_proto, int fd, uint64_t offset, uint64_t seqid); + + void set_write_headers_only(bool headers_only); + + const uint8_t *get_out_buffer(); + size_t get_out_size(); + + static const uint64_t KEYSLOTS_SIZE = 3 * 1024 * 1024; + static const uint64_t DATA_SIZE = 16 * 1024 * 1024; + private: + bool write_headers_only = false; + struct crypt_hash *hd = NULL; + struct ::json_object *jobj = NULL; +}; + +} // namespace LUKS2_proto + +#endif // LUKS2_PROTO_CONVERTER_H_ diff --git a/tests/fuzz/unpoison-mutated-buffers-from-libfuzzer.patch b/tests/fuzz/unpoison-mutated-buffers-from-libfuzzer.patch new file mode 100644 index 0000000..1f48339 --- /dev/null +++ b/tests/fuzz/unpoison-mutated-buffers-from-libfuzzer.patch @@ -0,0 +1,29 @@ +diff --git a/src/libfuzzer/libfuzzer_mutator.cc b/src/libfuzzer/libfuzzer_mutator.cc +index 34d144c..b671fd4 100644 +--- a/src/libfuzzer/libfuzzer_mutator.cc ++++ b/src/libfuzzer/libfuzzer_mutator.cc +@@ -14,6 +14,8 @@ + + #include "src/libfuzzer/libfuzzer_mutator.h" + ++#include ++ + #include + + #include +@@ -64,6 +66,7 @@ template + T MutateValue(T v) { + size_t size = + LLVMFuzzerMutate(reinterpret_cast(&v), sizeof(v), sizeof(v)); ++ __msan_unpoison(reinterpret_cast(&v), size); + memset(reinterpret_cast(&v) + size, 0, sizeof(v) - size); + return v; + } +@@ -93,6 +96,7 @@ std::string Mutator::MutateString(const std::string& value, + result.resize(std::max(1, new_size)); + result.resize(LLVMFuzzerMutate(reinterpret_cast(&result[0]), + value.size(), result.size())); ++ __msan_unpoison(reinterpret_cast(&result[0]), result.size()); + return result; + } + -- cgit v1.2.3