BUILDTOP=$(REL)..$(S)..
LOCALINCLUDES = -I$(srcdir)/../../lib/krb5/ccache -I$(srcdir)/../../kdc \
- -I$(srcdir)/../../util/profile
-NDROBJ = $(BUILDTOP)/kdc/ndr.o
+ -I$(srcdir)/../../util/profile -I$(srcdir)/../../util/support
OBJS = \
fuzz_chpw.o \
# OSS-Fuzz requires fuzz targets to be linked with the C++ linker,
# even if they are written in C.
-fuzz_chpw: fuzz_chpw.o $(SUPPORT_DEPLIB)
+fuzz_chpw: fuzz_chpw.o $(KRB5_BASE_DEPLIBS)
$(CXX_LINK) -o $@ fuzz_chpw.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS)
fuzz_gss: fuzz_gss.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
$(CXX_LINK) -o $@ fuzz_marshal_princ.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS)
fuzz_ndr: fuzz_ndr.o $(KRB5_BASE_DEPLIBS)
- $(CXX_LINK) -o $@ fuzz_ndr.o $(NDROBJ) $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS)
+ $(CXX_LINK) -o $@ fuzz_ndr.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS)
fuzz_pac: fuzz_pac.o $(KRB5_BASE_DEPLIBS)
$(CXX_LINK) -o $@ fuzz_pac.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS)
$(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(VERTO_DEPS) \
- $(srcdir)/../../kdc/kdc_util.h $(srcdir)/../../kdc/realm_data.h \
- $(srcdir)/../../kdc/reqstate.h $(top_srcdir)/include/gssrpc/auth.h \
- $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \
- $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \
- $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \
- $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \
- $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+ $(srcdir)/../../kdc/kdc_util.h $(srcdir)/../../kdc/ndr.c \
+ $(srcdir)/../../kdc/realm_data.h $(srcdir)/../../kdc/reqstate.h \
+ $(top_srcdir)/include/gssrpc/auth.h $(top_srcdir)/include/gssrpc/auth_gss.h \
+ $(top_srcdir)/include/gssrpc/auth_unix.h $(top_srcdir)/include/gssrpc/clnt.h \
+ $(top_srcdir)/include/gssrpc/rename.h $(top_srcdir)/include/gssrpc/rpc.h \
+ $(top_srcdir)/include/gssrpc/rpc_msg.h $(top_srcdir)/include/gssrpc/svc.h \
+ $(top_srcdir)/include/gssrpc/svc_auth.h $(top_srcdir)/include/gssrpc/xdr.h \
+ $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-input.h \
$(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
$(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
$(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
- $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \
- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/kdcpreauth_plugin.h \
- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/net-server.h \
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- fuzz_ndr.c
+ $(top_srcdir)/include/k5-utf8.h $(top_srcdir)/include/kdb.h \
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+ $(top_srcdir)/include/krb5/kdcpreauth_plugin.h $(top_srcdir)/include/krb5/plugin.h \
+ $(top_srcdir)/include/net-server.h $(top_srcdir)/include/port-sockets.h \
+ $(top_srcdir)/include/socket-utils.h fuzz_ndr.c
$(OUTPRE)fuzz_pac.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
fuzz_profile.c
$(OUTPRE)fuzz_util.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-base64.h \
- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-hex.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../util/support/hashtab.c \
+ $(top_srcdir)/include/k5-base64.h $(top_srcdir)/include/k5-buf.h \
+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+ $(top_srcdir)/include/k5-hashtab.h $(top_srcdir)/include/k5-hex.h \
$(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
$(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+ $(top_srcdir)/include/k5-queue.h $(top_srcdir)/include/k5-thread.h \
+ $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/k5-utf8.h \
$(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
$(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
$(top_srcdir)/include/socket-utils.h fuzz_util.c
LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
krb5_error_code ret;
- char *data_in;
- k5_json_value decoded;
+ k5_json_value decoded = NULL;
+ char *data_in = NULL, *data_out;
if (size < kMinInputLength || size > kMaxInputLength)
return 0;
if (data_in == NULL)
return 0;
- k5_json_decode(data_in, &decoded);
+ ret = k5_json_decode(data_in, &decoded);
+ if (ret)
+ goto cleanup;
+ ret = k5_json_encode(decoded, &data_out);
+ if (!ret)
+ free(data_out);
+
+cleanup:
free(data_in);
k5_json_release(decoded);
int
LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
- krb5_data data_in;
- krb5_ticket *ticket;
- krb5_context context;
+ krb5_error_code ret;
+ krb5_context context = NULL;
+ krb5_keytab defkt = NULL;
+ krb5_data data_in, *data_out;
+ krb5_ticket *ticket = NULL;
if (size < kMinInputLength || size > kMaxInputLength)
return 0;
data_in = make_data((void *)data, size);
- if (krb5_init_context(&context) != 0)
+ ret = krb5_init_context(&context);
+ if (ret)
return 0;
- krb5_decode_ticket(&data_in, &ticket);
+ ret = krb5_kt_default(context, &defkt);
+ if (ret)
+ goto cleanup;
+ ret = krb5_decode_ticket(&data_in, &ticket);
+ if (ret)
+ goto cleanup;
+
+ ret = encode_krb5_ticket(ticket, &data_out);
+ if (!ret)
+ krb5_free_data(context, data_out);
+
+ krb5_server_decrypt_ticket_keytab(context, defkt, ticket);
+
+cleanup:
krb5_free_ticket(context, ticket);
+ if (defkt != NULL)
+ krb5_kt_close(context, defkt);
krb5_free_context(context);
return 0;
int
LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
+ krb5_error_code ret;
+ krb5_creds cred;
int version;
- krb5_creds cred = { 0 };
- krb5_context context;
+ struct k5buf buf;
if (size < kMinInputLength || size > kMaxInputLength)
return 0;
- if (krb5_init_context(&context) != 0)
- return 0;
-
for (version = FIRST_VERSION; version <= 4; version++) {
- k5_unmarshal_cred(data, size, version, &cred);
- krb5_free_cred_contents(context, &cred);
+ ret = k5_unmarshal_cred(data, size, version, &cred);
+ if (!ret) {
+ k5_buf_init_dynamic(&buf);
+ k5_marshal_cred(&buf, version, &cred);
+ k5_buf_free(&buf);
+ }
+
+ krb5_free_cred_contents(NULL, &cred);
}
- krb5_free_context(context);
return 0;
}
int
LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
- int version;
+ krb5_error_code ret;
krb5_principal princ;
- krb5_context context;
+ int version;
+ struct k5buf buf;
if (size < kMinInputLength || size > kMaxInputLength)
return 0;
- if (krb5_init_context(&context) != 0)
- return 0;
-
for (version = FIRST_VERSION; version <= 4; version++) {
- k5_unmarshal_princ(data, size, version, &princ);
- krb5_free_principal(context, princ);
+ ret = k5_unmarshal_princ(data, size, version, &princ);
+ if (!ret) {
+ k5_buf_init_dynamic(&buf);
+ k5_marshal_princ(&buf, version, princ);
+ k5_buf_free(&buf);
+ }
+
+ krb5_free_principal(NULL, princ);
}
- krb5_free_context(context);
return 0;
}
#include <k5-int.h>
#include <kdc_util.h>
+#include <ndr.c>
+
#define kMinInputLength 2
#define kMaxInputLength 1024
int
LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
- krb5_data data_in;
- struct pac_s4u_delegation_info *di = NULL;
+ krb5_error_code ret;
+ krb5_data data_in, data_out = empty_data();
+ struct pac_s4u_delegation_info *di;
if (size < kMinInputLength || size > kMaxInputLength)
return 0;
data_in = make_data((void *)data, size);
- ndr_dec_delegation_info(&data_in, &di);
+
+ ret = ndr_dec_delegation_info(&data_in, &di);
+ if (!ret)
+ (void)ndr_enc_delegation_info(di, &data_out);
+
ndr_free_delegation_info(di);
+ krb5_free_data_contents(NULL, &data_out);
return 0;
}
#include "autoconf.h"
#include <k5-int.h>
+#define U(x) (uint8_t *)x
#define kMinInputLength 2
#define kMaxInputLength 1024
+static const krb5_keyblock kdc_keyblock = {
+ 0, ENCTYPE_ARCFOUR_HMAC,
+ 16, U("\xB2\x86\x75\x71\x48\xAF\x7F\xD2\x52\xC5\x36\x03\xA1\x50\xB7\xE7")
+};
+
+static const krb5_keyblock member_keyblock = {
+ 0, ENCTYPE_ARCFOUR_HMAC,
+ 16, U("\xD2\x17\xFA\xEA\xE5\xE6\xB5\xF9\x5C\xCC\x94\x07\x7A\xB8\xA5\xFC")
+};
+
+static time_t authtime = 1120440609;
+static const char *user = "w2003final$@WIN2K3.THINKER.LOCAL";
+
extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
int
LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
+ krb5_error_code ret;
+ krb5_context context = NULL;
krb5_pac pac;
- krb5_context context;
+ krb5_principal princ = NULL;
if (size < kMinInputLength || size > kMaxInputLength)
return 0;
- if (krb5_init_context(&context) != 0)
+ ret = krb5_init_context(&context);
+ if (ret)
return 0;
- krb5_pac_parse(context, data, size, &pac);
+ ret = krb5_parse_name(context, user, &princ);
+ if (ret)
+ goto cleanup;
+
+ ret = krb5_pac_parse(context, data, size, &pac);
+ if (ret)
+ goto cleanup;
+
+ krb5_pac_verify(context, pac, authtime, princ, NULL, NULL);
+ krb5_pac_verify_ext(context, pac, authtime, princ, NULL, NULL, TRUE);
+ krb5_pac_verify(context, pac, authtime, princ, &member_keyblock,
+ &kdc_keyblock);
krb5_pac_free(context, pac);
+
+cleanup:
+ krb5_free_principal(context, princ);
krb5_free_context(context);
return 0;
int
LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
+ errcode_t ret;
FILE *fp_w, *fp_r;
- char file_name[256];
+ char file_name[256], *output;
struct profile_node *root;
if (size < kMinInputLength || size > kMaxInputLength)
snprintf(file_name, sizeof(file_name), "/tmp/libfuzzer.%d", getpid());
- /* Write data into the file.*/
+ /* Write data into the file. */
fp_w = fopen(file_name, "w");
if (!fp_w)
return 1;
initialize_prof_error_table();
- if (profile_parse_file(fp_r, &root, NULL) == 0) {
+ ret = profile_parse_file(fp_r, &root, NULL);
+ if (!ret) {
+ ret = profile_write_tree_to_buffer(root, &output);
+ if (!ret)
+ free(output);
+
profile_verify_node(root);
profile_free_node(root);
}
#include <k5-base64.h>
#include <k5-hex.h>
#include <string.h>
+#include <k5-utf8.h>
+
+#include <hashtab.c>
#define kMinInputLength 2
#define kMaxInputLength 256
free(k5_base64_decode(data_in, &len));
}
+static void
+fuzz_hashtab(const char *data_in, size_t size)
+{
+ int st;
+ struct k5_hashtab *ht;
+
+ k5_hashtab_create(NULL, 4, &ht);
+ if (ht == NULL)
+ return;
+
+ k5_hashtab_add(ht, data_in, size, &st);
+
+ k5_hashtab_free(ht);
+}
+
static void
fuzz_hex(const char *data_in, size_t size)
{
free(host_out);
}
+static void
+fuzz_utf8(const char *data_in, size_t size)
+{
+ krb5_ucs4 u = 0;
+ char *utf8;
+ uint8_t *utf16;
+ size_t utf16len;
+
+ krb5int_utf8_to_ucs4(data_in, &u);
+
+ k5_utf8_to_utf16le(data_in, &utf16, &utf16len);
+ if (utf16 != NULL)
+ free(utf16);
+
+ k5_utf16le_to_utf8((const uint8_t *)data_in, size, &utf8);
+ if (utf8 != NULL)
+ free(utf8);
+}
+
extern int
LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
return 0;
fuzz_base64(data_in, size);
+ fuzz_hashtab(data_in, size);
fuzz_hex(data_in, size);
fuzz_name(data_in, size);
fuzz_parse_host(data_in, size);
+ fuzz_utf8(data_in, size);
free(data_in);
projects / thirdparty / krb5.git / commitdiff
