From: Arjun
Date: Fri, 11 Oct 2024 06:28:06 +0000 (+0530)
Subject: Add new OSS-Fuzz targets
X-Git-Tag: krb5-1.22-beta1~59
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1366%2Fhead;p=thirdparty%2Fkrb5.git

Add new OSS-Fuzz targets

[ghudson@mit.edu: made minor style edits; edited commit message]

bigredbutton: whitespace
---
diff --git a/.gitignore b/.gitignore
index 90bfa0e206..a7a217a6f3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -433,14 +433,22 @@ local.properties
 /src/tests/create/kdb5_mkdums
+/src/tests/fuzzing/fuzz_aes
+/src/tests/fuzzing/fuzz_asn
+/src/tests/fuzzing/fuzz_attrset
 /src/tests/fuzzing/fuzz_chpw
+/src/tests/fuzzing/fuzz_crypto
+/src/tests/fuzzing/fuzz_des
 /src/tests/fuzzing/fuzz_gss
 /src/tests/fuzzing/fuzz_json
+/src/tests/fuzzing/fuzz_kdc
 /src/tests/fuzzing/fuzz_krad
+/src/tests/fuzzing/fuzz_krb
 /src/tests/fuzzing/fuzz_krb5_ticket
 /src/tests/fuzzing/fuzz_marshal_cred
 /src/tests/fuzzing/fuzz_marshal_princ
 /src/tests/fuzzing/fuzz_ndr
+/src/tests/fuzzing/fuzz_oid
 /src/tests/fuzzing/fuzz_pac
 /src/tests/fuzzing/fuzz_profile
 /src/tests/fuzzing/fuzz_util
diff --git a/src/tests/fuzzing/Makefile.in b/src/tests/fuzzing/Makefile.in
index 2ab3108b16..15bbbbf1a8 100644
--- a/src/tests/fuzzing/Makefile.in
+++ b/src/tests/fuzzing/Makefile.in
@@ -1,44 +1,71 @@
 mydir=tests$(S)fuzzing
 BUILDTOP=$(REL)..$(S)..
-LOCALINCLUDES = -I$(srcdir)/../../lib/krb5/ccache -I$(srcdir)/../../kdc \
- -I$(srcdir)/../../util/profile -I$(srcdir)/../../util/support
-
-OBJS = \
+LOCALINCLUDES= \
+ -I$(srcdir)/../../lib/crypto/krb -I$(srcdir)/../../lib/krad \
+ -I$(srcdir)/../../lib/crypto/builtin/des -I$(srcdir)/../../kdc \
+ -I$(srcdir)/../../lib/krb5/ccache -I$(srcdir)/../../util/profile \
+ -I$(srcdir)/../../util/support
+
+OBJS= \
+ fuzz_aes.o \
+ fuzz_asn.o \
+ fuzz_attrset.o \
  fuzz_chpw.o \
+ fuzz_crypto.o \
+ fuzz_des.o \
  fuzz_gss.o \
  fuzz_json.o \
+ fuzz_kdc.o \
  fuzz_krad.o \
+ fuzz_krb.o \
  fuzz_krb5_ticket.o \
  fuzz_marshal_cred.o \
  fuzz_marshal_princ.o \
  fuzz_ndr.o \
+ fuzz_oid.o \
  fuzz_pac.o \
  fuzz_profile.o \
  fuzz_util.o
-SRCS = \
+SRCS= \
+ $(srcdir)/fuzz_aes.c \
+ $(srcdir)/fuzz_asn.c \
+ $(srcdir)/fuzz_attrset.c \
  $(srcdir)/fuzz_chpw.c \
+ $(srcdir)/fuzz_crypto.c \
+ $(srcdir)/fuzz_des.c \
  $(srcdir)/fuzz_gss.c \
  $(srcdir)/fuzz_json.c \
+ $(srcdir)/fuzz_kdc.c \
  $(srcdir)/fuzz_krad.c \
+ $(srcdir)/fuzz_krb.c \
  $(srcdir)/fuzz_krb5_ticket.c \
  $(srcdir)/fuzz_marshal_cred.c \
  $(srcdir)/fuzz_marshal_princ.c \
  $(srcdir)/fuzz_ndr.c \
+ $(srcdir)/fuzz_oid.c \
  $(srcdir)/fuzz_pac.c \
  $(srcdir)/fuzz_profile.c \
  $(srcdir)/fuzz_util.c
 FUZZ_TARGETS= \
+ fuzz_aes \
+ fuzz_asn \
+ fuzz_attrset \
  fuzz_chpw \
+ fuzz_crypto \
+ fuzz_des \
  fuzz_gss \
  fuzz_json \
+ fuzz_kdc \
  fuzz_krad \
+ fuzz_krb \
  fuzz_krb5_ticket \
  fuzz_marshal_cred \
  fuzz_marshal_princ \
  fuzz_ndr \
+ fuzz_oid \
  fuzz_pac \
  fuzz_profile \
  fuzz_util
@@ -48,18 +75,39 @@ all: $(FUZZ_TARGETS)
 # OSS-Fuzz requires fuzz targets to be linked with the C++ linker,
 # even if they are written in C.
+fuzz_aes: fuzz_aes.o $(KRB5_BASE_DEPLIBS)
+ $(CXX_LINK) -o $@ fuzz_aes.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS)
+
+fuzz_asn: fuzz_asn.o $(KRB5_BASE_DEPLIBS)
+ $(CXX_LINK) -o $@ fuzz_asn.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS)
+
+fuzz_attrset: fuzz_attrset.o $(KRB5_BASE_DEPLIBS)
+ $(CXX_LINK) -o $@ fuzz_attrset.o -lkrad $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS)
+
 fuzz_chpw: fuzz_chpw.o $(KRB5_BASE_DEPLIBS)
  $(CXX_LINK) -o $@ fuzz_chpw.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS)
+fuzz_crypto: fuzz_crypto.o $(KRB5_BASE_DEPLIBS)
+ $(CXX_LINK) -o $@ fuzz_crypto.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS)
+
+fuzz_des: fuzz_des.o $(KRB5_BASE_DEPLIBS)
+ $(CXX_LINK) -o $@ fuzz_des.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS)
+
 fuzz_gss: fuzz_gss.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
  $(CXX_LINK) -o $@ fuzz_gss.o $(GSS_LIBS) $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS)
 fuzz_json: fuzz_json.o $(KRB5_BASE_DEPLIBS)
  $(CXX_LINK) -o $@ fuzz_json.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS)
+fuzz_kdc: fuzz_kdc.o $(KRB5_BASE_DEPLIBS)
+ $(CXX_LINK) -o $@ fuzz_kdc.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS)
+
 fuzz_krad: fuzz_krad.o $(KRB5_BASE_DEPLIBS)
  $(CXX_LINK) -o $@ fuzz_krad.o -lkrad $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS)
+fuzz_krb: fuzz_krb.o $(KRB5_BASE_DEPLIBS)
+ $(CXX_LINK) -o $@ fuzz_krb.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS)
+
 fuzz_krb5_ticket: fuzz_krb5_ticket.o $(KRB5_BASE_DEPLIBS)
  $(CXX_LINK) -o $@ fuzz_krb5_ticket.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS)
@@ -72,6 +120,9 @@ fuzz_marshal_princ: fuzz_marshal_princ.o $(KRB5_BASE_DEPLIBS)
 fuzz_ndr: fuzz_ndr.o $(KRB5_BASE_DEPLIBS)
  $(CXX_LINK) -o $@ fuzz_ndr.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS)
+fuzz_oid: fuzz_oid.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
+ $(CXX_LINK) -o $@ fuzz_oid.o $(GSS_LIBS) $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS)
+
 fuzz_pac: fuzz_pac.o $(KRB5_BASE_DEPLIBS)
  $(CXX_LINK) -o $@ fuzz_pac.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS)
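Review bot: The new `fuzz_attrset` rule links `-lkrad` but lists only `$(KRB5_BASE_DEPLIBS)` as prerequisites, so a rebuilt libkrad does not trigger a relink of that fuzzer; the pre-existing `fuzz_krad` rule has the same gap and the new rule copies it. If the build's config defines a dependency-library variable for libkrad (none is visible from this hunk), add it beside the base deplibs, e.g. `fuzz_attrset: fuzz_attrset.o $(LIBKRAD_DEPLIB_PLACEHOLDER) $(KRB5_BASE_DEPLIBS)` with the placeholder replaced by the real variable; otherwise a short comment on the rule noting that libkrad is linked outside the deplib set would help the next maintainer. The `fuzz_oid` rule in the second hunk pairs `$(GSS_DEPLIBS)` with `$(GSS_LIBS)`, which is the pattern to follow.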
diff --git a/src/tests/fuzzing/deps b/src/tests/fuzzing/deps
index 507645a48e..fbd77e8ea9 100644
--- a/src/tests/fuzzing/deps
+++ b/src/tests/fuzzing/deps
@@ -1,6 +1,40 @@ # # Generated makefile dependencies follow. # +$(OUTPRE)fuzz_aes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../lib/crypto/krb/crypto_int.h \ + $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + fuzz_aes.c +$(OUTPRE)fuzz_asn.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-spake.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + fuzz_asn.c +$(OUTPRE)fuzz_attrset.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(VERTO_DEPS) \ + $(srcdir)/../../lib/krad/internal.h $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + 
$(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/krad.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + fuzz_attrset.c $(OUTPRE)fuzz_chpw.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ 
@@ -11,6 +45,29 @@ $(OUTPRE)fuzz_chpw.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ $(top_srcdir)/include/socket-utils.h fuzz_chpw.c +$(OUTPRE)fuzz_crypto.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../lib/crypto/krb/crypto_int.h \ + $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + fuzz_crypto.c +$(OUTPRE)fuzz_des.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../lib/crypto/builtin/des/des_int.h \ + $(srcdir)/../../lib/crypto/builtin/des/f_cbc.c $(srcdir)/../../lib/crypto/builtin/des/f_tables.h \ + $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + fuzz_des.c $(OUTPRE)fuzz_gss.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/gssapi/gssapi.h 
$(BUILDTOP)/include/krb5/krb5.h \ $(COM_ERR_DEPS) $(top_srcdir)/include/gssapi.h $(top_srcdir)/include/krb5.h \ 
@@ -26,6 +83,28 @@ $(OUTPRE)fuzz_json.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ fuzz_json.c +$(OUTPRE)fuzz_kdc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(VERTO_DEPS) \ + $(srcdir)/../../kdc/extern.h $(srcdir)/../../kdc/kdc_util.h \ + $(srcdir)/../../kdc/realm_data.h $(srcdir)/../../kdc/replay.c \ + $(srcdir)/../../kdc/reqstate.h $(top_srcdir)/include/gssrpc/auth.h \ + $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ + $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \ + $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \ + $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \ + $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-hashtab.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-queue.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/kdcpreauth_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/net-server.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + fuzz_kdc.c $(OUTPRE)fuzz_krad.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(VERTO_DEPS) \ 
@@ -37,6 +116,17 @@ $(OUTPRE)fuzz_krad.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ $(top_srcdir)/include/socket-utils.h fuzz_krad.c +$(OUTPRE)fuzz_krb.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-base64.h \ + $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-hex.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h fuzz_krb.c $(OUTPRE)fuzz_krb5_ticket.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ 
@@ -90,6 +180,18 @@ $(OUTPRE)fuzz_ndr.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(top_srcdir)/include/krb5/kdcpreauth_plugin.h $(top_srcdir)/include/krb5/plugin.h \ $(top_srcdir)/include/net-server.h $(top_srcdir)/include/port-sockets.h \ $(top_srcdir)/include/socket-utils.h fuzz_ndr.c +$(OUTPRE)fuzz_oid.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_ext.h \ + $(BUILDTOP)/include/gssapi/gssapi_krb5.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + fuzz_oid.c $(OUTPRE)fuzz_pac.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ diff --git a/src/tests/fuzzing/fuzz_aes.c b/src/tests/fuzzing/fuzz_aes.c new file mode 100644 index 0000000000..ea4d8492ba --- /dev/null +++ b/src/tests/fuzzing/fuzz_aes.c 
@@ -0,0 +1,104 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/fuzzing/fuzz_aes.c - fuzzing harness for AES encryption/decryption */
+/*
+ * Copyright (C) 2024 by Arjun. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "autoconf.h"
+#include
+#include
+
+#define kMinInputLength 48
+#define kMaxInputLength 512
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+static void
+fuzz_aes(const uint8_t *data, size_t size, size_t key_size, krb5_enctype etype)
+{
+ krb5_error_code ret;
+ krb5_keyblock keyblock;
+ krb5_crypto_iov iov;
+ krb5_key key = NULL;
+ char *aeskey = NULL, *data_in = NULL;
+ char encivbuf[16] = { 0 }, decivbuf[16] = { 0 };
+ krb5_data enciv = make_data(encivbuf, 16), deciv = make_data(decivbuf, 16);
+
+ aeskey = k5memdup(data, key_size, &ret);
+ if (ret)
+ return;
+
+ data_in = k5memdup(data + key_size, size - key_size, &ret);
+ if (ret)
+ goto cleanup;
+
+ keyblock.contents = (krb5_octet *)aeskey;
+ keyblock.length = key_size;
+ keyblock.enctype = etype;
+
+ ret = krb5_k_create_key(NULL, &keyblock, &key);
+ if (ret)
+ goto cleanup;
+
+ iov.flags = KRB5_CRYPTO_TYPE_DATA;
+ iov.data = make_data(data_in, size - key_size);
+
+ /* iov.data.data is input and output buffer */
+ ret = krb5int_aes_encrypt(key, &enciv, &iov, 1);
+ if (ret)
+ goto cleanup;
+
+ ret = krb5int_aes_decrypt(key, &deciv, &iov, 1);
+ if (ret)
+ goto cleanup;
+
+ /* Check that decryption result matches original plaintext. */
+ ret = memcmp(data_in, data + key_size, size - key_size);
+ if (ret)
+ abort();
+
+ (void)krb5int_aes_decrypt(key, &deciv, &iov, 1);
+
+cleanup:
+ free(aeskey);
+ free(data_in);
+ krb5_k_free_key(NULL, key);
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ if (size < kMinInputLength || size > kMaxInputLength)
+ return 0;
+
+ fuzz_aes(data, size, 16, ENCTYPE_AES128_CTS_HMAC_SHA1_96);
+ fuzz_aes(data, size, 16, ENCTYPE_AES256_CTS_HMAC_SHA1_96);
+ fuzz_aes(data, size, 32, ENCTYPE_AES128_CTS_HMAC_SHA1_96);
+ fuzz_aes(data, size, 32, ENCTYPE_AES256_CTS_HMAC_SHA1_96);
+
+ return 0;
+}
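Review bot: `kMinInputLength 48` and the trailing decrypt call in `fuzz_aes` are both unexplained, and each will look arbitrary to the next reader. The minimum appears chosen so that after the largest key size the callers pass (32 bytes) at least one 16-byte block of plaintext remains; a comment beside the define such as `/* Largest key (32 bytes) plus at least one AES block of plaintext. */` would keep a future key-size change from silently producing zero-length inputs, though the exact rationale should be confirmed with the author. The final `(void)krb5int_aes_decrypt(key, &deciv, &iov, 1);` after the round-trip check presumably exists to exercise decryption of arbitrary non-ciphertext input with an already-advanced IV; a one-line comment stating that intent would stop it being removed as a leftover. It would also help to note at the call sites in `LLVMFuzzerTestOneInput` that pairing a 16-byte key with `ENCTYPE_AES256_CTS_HMAC_SHA1_96` (and 32 bytes with AES128) is a deliberate mismatch, presumably to reach the key-size rejection paths.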
diff --git a/src/tests/fuzzing/fuzz_aes_seed_corpus/input.bin b/src/tests/fuzzing/fuzz_aes_seed_corpus/input.bin
new file mode 100644
index 0000000000..5e4c069476
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_aes_seed_corpus/input.bin
@@ -0,0 +1 @@
+I would like the General Gau's Chicken, please, and wonton soup.
\ No newline at end of file
diff --git a/src/tests/fuzzing/fuzz_asn.c b/src/tests/fuzzing/fuzz_asn.c
new file mode 100644
index 0000000000..be3fdb71de
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_asn.c
@@ -0,0 +1,188 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/fuzzing/fuzz_asn.c - fuzzing harness for ASN.1 encoding/decoding */
+/*
+ * Copyright (C) 2024 by Arjun. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "autoconf.h"
+#include
+
+#define kMinInputLength 2
+#define kMaxInputLength 2048
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+static void
+free_cred_enc_part_whole(krb5_context ctx, krb5_cred_enc_part *val)
+{
+ krb5_free_cred_enc_part(ctx, val);
+ free(val);
+}
+
+static void
+free_kkdcp_message(krb5_context context, krb5_kkdcp_message *val)
+{
+ if (val == NULL)
+ return;
+ free(val->kerb_message.data);
+ free(val->target_domain.data);
+ free(val);
+}
+
+#define FUZZ_ASAN(type, encoder, decoder, freefn) do { \
+ type *v; \
+ krb5_data *data_out = NULL; \
+ \
+ if ((*decoder)(&data_in, &v) != 0) \
+ break; \
+ \
+ (*encoder)(v, &data_out); \
+ krb5_free_data(context, data_out); \
+ (*freefn)(context, v); \
+ } while (0)
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ krb5_context context;
+ krb5_data data_in;
+
+ if (size < kMinInputLength || size > kMaxInputLength)
+ return 0;
+
+ if (krb5_init_context(&context))
+ return 0;
+
+ data_in = make_data((void *)data, size);
+
+ /* Adapted from krb5_decode_leak.c */
+ FUZZ_ASAN(krb5_authenticator, encode_krb5_authenticator,
+ decode_krb5_authenticator, krb5_free_authenticator);
+ FUZZ_ASAN(krb5_ticket, encode_krb5_ticket, decode_krb5_ticket,
+ krb5_free_ticket);
+ FUZZ_ASAN(krb5_keyblock, encode_krb5_encryption_key,
+ decode_krb5_encryption_key, krb5_free_keyblock);
+ FUZZ_ASAN(krb5_enc_tkt_part, encode_krb5_enc_tkt_part,
+ decode_krb5_enc_tkt_part, krb5_free_enc_tkt_part);
+ FUZZ_ASAN(krb5_enc_kdc_rep_part, encode_krb5_enc_kdc_rep_part,
+ decode_krb5_enc_kdc_rep_part, krb5_free_enc_kdc_rep_part);
+ FUZZ_ASAN(krb5_kdc_rep, encode_krb5_as_rep, decode_krb5_as_rep,
+ krb5_free_kdc_rep);
+ FUZZ_ASAN(krb5_kdc_rep, encode_krb5_tgs_rep, decode_krb5_tgs_rep,
+ krb5_free_kdc_rep);
+ FUZZ_ASAN(krb5_ap_req, encode_krb5_ap_req, decode_krb5_ap_req,
+ krb5_free_ap_req);
+ FUZZ_ASAN(krb5_ap_rep, encode_krb5_ap_rep, decode_krb5_ap_rep,
+ krb5_free_ap_rep);
+ FUZZ_ASAN(krb5_ap_rep_enc_part, encode_krb5_ap_rep_enc_part,
+ decode_krb5_ap_rep_enc_part, krb5_free_ap_rep_enc_part);
+ FUZZ_ASAN(krb5_kdc_req, encode_krb5_as_req, decode_krb5_as_req,
+ krb5_free_kdc_req);
+ FUZZ_ASAN(krb5_kdc_req, encode_krb5_tgs_req, decode_krb5_tgs_req,
+ krb5_free_kdc_req);
+ FUZZ_ASAN(krb5_kdc_req, encode_krb5_kdc_req_body, decode_krb5_kdc_req_body,
+ krb5_free_kdc_req);
+ FUZZ_ASAN(krb5_safe, encode_krb5_safe, decode_krb5_safe, krb5_free_safe);
+ FUZZ_ASAN(krb5_priv, encode_krb5_priv, decode_krb5_priv, krb5_free_priv);
+ FUZZ_ASAN(krb5_priv_enc_part, encode_krb5_enc_priv_part,
+ decode_krb5_enc_priv_part, krb5_free_priv_enc_part);
+ FUZZ_ASAN(krb5_cred, encode_krb5_cred, decode_krb5_cred, krb5_free_cred);
+ FUZZ_ASAN(krb5_cred_enc_part, encode_krb5_enc_cred_part,
+ decode_krb5_enc_cred_part, free_cred_enc_part_whole);
+ FUZZ_ASAN(krb5_error, encode_krb5_error, decode_krb5_error,
+ krb5_free_error);
+ FUZZ_ASAN(krb5_authdata *, encode_krb5_authdata, decode_krb5_authdata,
+ krb5_free_authdata);
+ FUZZ_ASAN(krb5_pa_data *, encode_krb5_padata_sequence,
+ decode_krb5_padata_sequence, krb5_free_pa_data);
+ FUZZ_ASAN(krb5_pa_data *, encode_krb5_typed_data,
+ decode_krb5_typed_data, krb5_free_pa_data);
+ FUZZ_ASAN(krb5_etype_info_entry *, encode_krb5_etype_info,
+ decode_krb5_etype_info, krb5_free_etype_info);
+ FUZZ_ASAN(krb5_etype_info_entry *, encode_krb5_etype_info2,
+ decode_krb5_etype_info2, krb5_free_etype_info);
+ FUZZ_ASAN(krb5_pa_enc_ts, encode_krb5_pa_enc_ts, decode_krb5_pa_enc_ts,
+ krb5_free_pa_enc_ts);
+ FUZZ_ASAN(krb5_enc_data, encode_krb5_enc_data, decode_krb5_enc_data,
+ krb5_free_enc_data);
+ FUZZ_ASAN(krb5_sam_challenge_2, encode_krb5_sam_challenge_2,
+ decode_krb5_sam_challenge_2, krb5_free_sam_challenge_2);
+ FUZZ_ASAN(krb5_sam_challenge_2_body, encode_krb5_sam_challenge_2_body,
+ decode_krb5_sam_challenge_2_body,
+ krb5_free_sam_challenge_2_body);
+ FUZZ_ASAN(krb5_sam_response_2, encode_krb5_sam_response_2,
+ decode_krb5_sam_response_2, krb5_free_sam_response_2);
+ FUZZ_ASAN(krb5_enc_sam_response_enc_2, encode_krb5_enc_sam_response_enc_2,
+ decode_krb5_enc_sam_response_enc_2,
+ krb5_free_enc_sam_response_enc_2);
+ FUZZ_ASAN(krb5_pa_for_user, encode_krb5_pa_for_user,
+ decode_krb5_pa_for_user, krb5_free_pa_for_user);
+ FUZZ_ASAN(krb5_pa_s4u_x509_user, encode_krb5_pa_s4u_x509_user,
+ decode_krb5_pa_s4u_x509_user, krb5_free_pa_s4u_x509_user);
+ FUZZ_ASAN(krb5_ad_kdcissued, encode_krb5_ad_kdcissued,
+ decode_krb5_ad_kdcissued, krb5_free_ad_kdcissued);
+ FUZZ_ASAN(krb5_iakerb_header, encode_krb5_iakerb_header,
+ decode_krb5_iakerb_header, krb5_free_iakerb_header);
+ FUZZ_ASAN(krb5_iakerb_finished, encode_krb5_iakerb_finished,
+ decode_krb5_iakerb_finished, krb5_free_iakerb_finished);
+ FUZZ_ASAN(krb5_fast_response, encode_krb5_fast_response,
+ decode_krb5_fast_response, krb5_free_fast_response);
+ FUZZ_ASAN(krb5_enc_data, encode_krb5_pa_fx_fast_reply,
+ decode_krb5_pa_fx_fast_reply, krb5_free_enc_data);
+
+ /* Adapted from krb5_encode_test.c */
+ FUZZ_ASAN(krb5_otp_tokeninfo, encode_krb5_otp_tokeninfo,
+ decode_krb5_otp_tokeninfo, k5_free_otp_tokeninfo);
+ FUZZ_ASAN(krb5_pa_otp_challenge, encode_krb5_pa_otp_challenge,
+ decode_krb5_pa_otp_challenge, k5_free_pa_otp_challenge);
+ FUZZ_ASAN(krb5_pa_otp_req, encode_krb5_pa_otp_req, decode_krb5_pa_otp_req,
+ k5_free_pa_otp_req);
+ FUZZ_ASAN(krb5_data, encode_krb5_pa_otp_enc_req,
+ decode_krb5_pa_otp_enc_req, krb5_free_data);
+ FUZZ_ASAN(krb5_kkdcp_message, encode_krb5_kkdcp_message,
+ decode_krb5_kkdcp_message, free_kkdcp_message);
+ FUZZ_ASAN(krb5_cammac, encode_krb5_cammac, decode_krb5_cammac,
+ k5_free_cammac);
+ FUZZ_ASAN(krb5_secure_cookie, encode_krb5_secure_cookie,
+ decode_krb5_secure_cookie, k5_free_secure_cookie);
+ FUZZ_ASAN(krb5_spake_factor, encode_krb5_spake_factor,
+ decode_krb5_spake_factor, k5_free_spake_factor);
+ FUZZ_ASAN(krb5_pa_spake, encode_krb5_pa_spake, decode_krb5_pa_spake,
+ k5_free_pa_spake);
+
+ /* 
Adapted from krb5_decode_test.c */ + { + krb5_pa_pac_req *pa_pac_req = NULL; + + if (decode_krb5_pa_pac_req(&data_in, &pa_pac_req) == 0) + free(pa_pac_req); + } + + krb5_free_context(context); + return 0; +} diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_authenticator_3.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_authenticator_3.bin new file mode 100644 index 0000000000..26c78993ed Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_authenticator_3.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_authenticator_4.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_authenticator_4.bin new file mode 100644 index 0000000000..6add5a8412 Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_authenticator_4.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_authenticator_6.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_authenticator_6.bin new file mode 100644 index 0000000000..dc2f08684e --- /dev/null +++ b/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_authenticator_6.bin @@ -0,0 +1,2 @@ +b¤0¡ ¡ATHENA.MIT.EDU¢0 ¡0hftsaiextra£0  ¡1234¤â@¥19940610060317Z¦0 ¡ +12345678§ÿÿÿÿ¨$0"0 ¡foobar0 ¡foobar \ No newline at end of file diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_enc_tkt_part_30.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_enc_tkt_part_30.bin new file mode 100644 index 0000000000..727a70f7db Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_enc_tkt_part_30.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_encryption_key_15.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_encryption_key_15.bin new file mode 100644 index 0000000000..842a99d1b7 --- /dev/null +++ b/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_encryption_key_15.bin @@ -0,0 +1,2 @@ +0 ¡ +12345678¢0  \ No newline at end of file 
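Review bot: `FUZZ_ASAN` reads `data_in` and `context` from the caller's scope and discards the encoder's return value, and none of that is stated at the macro; a comment above the `#define` such as `/* Decode data_in as TYPE; on success re-encode it and free both results. Uses data_in and context from the enclosing function. */` would make the contract explicit. The `krb5_free_data(context, data_out)` call relies on the encoder leaving `data_out` NULL when it fails, which is worth saying in the same comment since nothing in this file checks the encoder's result. The trailing `krb5_pa_pac_req` block frees the decoded struct with plain `free()` rather than a library free function; if that is because the type owns no heap members (as the reference to krb5_decode_test.c suggests), a one-line comment there would save the next reader a lookup.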
diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_encryption_key_21.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_encryption_key_21.bin new file mode 100644 index 0000000000..ae4a8aa5d2 --- /dev/null +++ b/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_encryption_key_21.bin @@ -0,0 +1,2 @@ +0 ÿ¡ +12345678 \ No newline at end of file diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_encryption_key_22.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_encryption_key_22.bin new file mode 100644 index 0000000000..4bbedc1a50 Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_encryption_key_22.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_encryption_key_24.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_encryption_key_24.bin new file mode 100644 index 0000000000..c9ad2a5dc0 --- /dev/null +++ b/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_encryption_key_24.bin @@ -0,0 +1,2 @@ +0 ÿÿÿ¡ +12345678 \ No newline at end of file diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_fail_encryption_key_16.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_fail_encryption_key_16.bin new file mode 100644 index 0000000000..2b8b753838 Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/decode_fail_encryption_key_16.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_auth_pack_80.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_auth_pack_80.bin new file mode 100644 index 0000000000..ff246345f6 --- /dev/null +++ b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_auth_pack_80.bin @@ -0,0 +1,4 @@ +0… 503 â@¡19940610060317Z¢*£1234¤ +krb5data¡pvalue¢$0"0 *†H†÷params0  *†H†÷£ +krb5data¤00   +krb5data \ No newline at end of file diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_cammac_68.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_cammac_68.bin new file mode 100644 index 0000000000..cbd0fd3cb2 --- /dev/null 
+++ b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_cammac_68.bin @@ -0,0 +1 @@ +0 00  ¡ad1 \ No newline at end of file diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_cammac_69.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_cammac_69.bin new file mode 100644 index 0000000000..522634af28 --- /dev/null +++ b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_cammac_69.bin @@ -0,0 +1,3 @@ +0ò 00  ¡ad10  ¡ad2¡=0; 0 ¡0hftsaiextra¡¢£0 ¡ +cksumkdc¢=0; 0 ¡0hftsaiextra¡¢£0 ¡ +cksumsvc£R0P0£0 ¡cksum109 0 ¡0hftsaiextra¡¢£0 ¡cksum2 \ No newline at end of file diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_enc_data_47.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_enc_data_47.bin new file mode 100644 index 0000000000..2cec584d9f Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_enc_data_47.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_kdc_dh_key_info_81.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_kdc_dh_key_info_81.bin new file mode 100644 index 0000000000..a3427389f3 Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_kdc_dh_key_info_81.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_kkdcp_message_67.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_kkdcp_message_67.bin new file mode 100644 index 0000000000..5c52c94176 Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_kkdcp_message_67.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_ad_kdcissued_54.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_ad_kdcissued_54.bin new file mode 100644 index 0000000000..973cd47bfd --- /dev/null +++ b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_ad_kdcissued_54.bin @@ -0,0 +1 @@ +0e 0  ¡1234¡ATHENA.MIT.EDU¢0 ¡0hftsaiextra£$0"0 ¡foobar0 ¡foobar \ No newline at end of file 
diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_ap_rep_enc_part_16.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_ap_rep_enc_part_16.bin new file mode 100644 index 0000000000..3a7dcd135f --- /dev/null +++ b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_ap_rep_enc_part_16.bin @@ -0,0 +1 @@ +{0 19940610060317Z¡â@ \ No newline at end of file diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_ap_req_14.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_ap_req_14.bin new file mode 100644 index 0000000000..1e1861dd72 Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_ap_req_14.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_as_rep_10.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_as_rep_10.bin new file mode 100644 index 0000000000..6cb6811438 Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_as_rep_10.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_as_req_19.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_as_req_19.bin new file mode 100644 index 0000000000..63f41f884c Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_as_req_19.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_authdata_36.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_authdata_36.bin new file mode 100644 index 0000000000..ff84a122e0 --- /dev/null +++ b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_authdata_36.bin @@ -0,0 +1 @@ +0"0 ¡foobar0 ¡foobar \ No newline at end of file diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_authenticator_2.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_authenticator_2.bin new file mode 100644 index 0000000000..7eb31e6e23 --- /dev/null +++ b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_authenticator_2.bin 
@@ -0,0 +1 @@ +bO0M ¡ATHENA.MIT.EDU¢0 ¡0hftsaiextra¤â@¥19940610060317Z \ No newline at end of file diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_cred_31.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_cred_31.bin new file mode 100644 index 0000000000..33f21c8627 Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_cred_31.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_cred_part_32.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_cred_part_32.bin new file mode 100644 index 0000000000..968faa53ee Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_cred_part_32.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_cred_part_33.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_cred_part_33.bin new file mode 100644 index 0000000000..e7d4d821db Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_cred_part_33.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_kdc_rep_part_8.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_kdc_rep_part_8.bin new file mode 100644 index 0000000000..3184156386 Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_kdc_rep_part_8.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_priv_part_29.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_priv_part_29.bin new file mode 100644 index 0000000000..9e2574c1c9 Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_priv_part_29.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_priv_part_30.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_priv_part_30.bin new file mode 100644 index 0000000000..3c6f5d549c Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_priv_part_30.bin differ 
diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_tkt_part_5.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_tkt_part_5.bin new file mode 100644 index 0000000000..5f74aeb23d Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_tkt_part_5.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_tkt_part_7.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_tkt_part_7.bin new file mode 100644 index 0000000000..a674aadb77 Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_enc_tkt_part_7.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_error_34.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_error_34.bin new file mode 100644 index 0000000000..439eb171ce --- /dev/null +++ b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_error_34.bin @@ -0,0 +1,3 @@ +~º0· ¡¢19940610060317Z£â@¤19940610060317Z¥â@¦<§ATHENA.MIT.EDU¨0 ¡0hftsaiextra©ATHENA.MIT.EDUª0 ¡0hftsaiextra« +krb5data¬ +krb5data \ No newline at end of file diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_error_35.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_error_35.bin new file mode 100644 index 0000000000..588e77546a --- /dev/null +++ b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_error_35.bin @@ -0,0 +1 @@ +~`0^ ¡£â@¤19940610060317Z¥â@¦<©ATHENA.MIT.EDUª0 ¡0hftsaiextra \ No newline at end of file diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_etype_info2_43.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_etype_info2_43.bin new file mode 100644 index 0000000000..c1bacbb859 Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_etype_info2_43.bin differ 
diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_etype_info2_44.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_etype_info2_44.bin new file mode 100644 index 0000000000..14f1ad05f3 Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_etype_info2_44.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_etype_info_40.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_etype_info_40.bin new file mode 100644 index 0000000000..c34f5bc03b Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_etype_info_40.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_etype_info_41.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_etype_info_41.bin new file mode 100644 index 0000000000..5672958b5c Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_etype_info_41.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_fast_response_57.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_fast_response_57.bin new file mode 100644 index 0000000000..e4ff58a7f5 --- /dev/null +++ b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_fast_response_57.bin @@ -0,0 +1,2 @@ +0Ÿ &0$0¡ ¢ pa-data0¡ ¢ pa-data¡0 ¡ +12345678¢[0Y 19940610060317Z¡â@¢ATHENA.MIT.EDU£0 ¡0hftsaiextra¤0  ¡1234£* \ No newline at end of file diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_iakerb_finished_56.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_iakerb_finished_56.bin new file mode 100644 index 0000000000..1ef561f501 --- /dev/null +++ b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_iakerb_finished_56.bin @@ -0,0 +1 @@ +0¡0  ¡1234 \ No newline at end of file diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_iakerb_header_55.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_iakerb_header_55.bin new file mode 100644 index 0000000000..9d70978294 --- /dev/null 
+++ b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_iakerb_header_55.bin @@ -0,0 +1,3 @@ +0¡ + krb5data¢ +krb5data \ No newline at end of file diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_kdc_req_body_24.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_kdc_req_body_24.bin new file mode 100644 index 0000000000..1f274fa969 Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_kdc_req_body_24.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_tgs_rep_13.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_tgs_rep_13.bin new file mode 100644 index 0000000000..b46dd44b06 Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_tgs_rep_13.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_tgs_req_23.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_tgs_req_23.bin new file mode 100644 index 0000000000..e925ec4d70 Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_krb5_tgs_req_23.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_otp_tokeninfo_61.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_otp_tokeninfo_61.bin new file mode 100644 index 0000000000..61a1d1dfb0 Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_otp_tokeninfo_61.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_enc_ts (no usec)_45.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_enc_ts (no usec)_45.bin new file mode 100644 index 0000000000..127099627f --- /dev/null +++ b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_enc_ts (no usec)_45.bin @@ -0,0 +1 @@ +0 19940610060317Z \ No newline at end of file diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_for_user_53.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_for_user_53.bin new file mode 100644 index 0000000000..c1249ff700 --- /dev/null 
+++ b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_for_user_53.bin @@ -0,0 +1,2 @@ +0K 0 ¡0hftsaiextra¡ATHENA.MIT.EDU¢0  ¡1234£ +krb5data \ No newline at end of file diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_fx_fast_reply_59.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_fx_fast_reply_59.bin new file mode 100644 index 0000000000..2218e2bbe1 Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_fx_fast_reply_59.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_otp_challenge_63.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_otp_challenge_63.bin new file mode 100644 index 0000000000..119997b008 Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_otp_challenge_63.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_otp_req_64.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_otp_req_64.bin new file mode 100644 index 0000000000..b5b27f372c Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_otp_req_64.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_otp_req_65.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_otp_req_65.bin new file mode 100644 index 0000000000..3490a8d66d Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_otp_req_65.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_pk_as_rep_78.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_pk_as_rep_78.bin new file mode 100644 index 0000000000..52bff24122 --- /dev/null +++ b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_pk_as_rep_78.bin @@ -0,0 +1,3 @@ + (0&€krb5data¡ +krb5data¢0   +krb5data \ No newline at end of file diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_pk_as_rep_79.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_pk_as_rep_79.bin new file mode 100644 index 0000000000..35d75453df --- /dev/null 
+++ b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_pk_as_rep_79.bin @@ -0,0 +1 @@ +krb5data \ No newline at end of file diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_s4u_x509_user_54.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_s4u_x509_user_54.bin new file mode 100644 index 0000000000..595a37cde0 Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_s4u_x509_user_54.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_spake_73.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_spake_73.bin new file mode 100644 index 0000000000..d394484aad --- /dev/null +++ b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_spake_73.bin @@ -0,0 +1,2 @@ +  0 + 0 \ No newline at end of file diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_spake_74.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_spake_74.bin new file mode 100644 index 0000000000..d2e4cb2a41 --- /dev/null +++ b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_spake_74.bin @@ -0,0 +1 @@ +¡-0+ ¡ T value¢00 0 ¡fdata \ No newline at end of file diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_spake_75.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_spake_75.bin new file mode 100644 index 0000000000..51dcdc0ad8 Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_spake_75.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_spake_76.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_spake_76.bin new file mode 100644 index 0000000000..1b9a8f8615 Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_pa_spake_76.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_padata_sequence_38.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_padata_sequence_38.bin new file mode 100644 index 0000000000..def7fcb589 Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_padata_sequence_38.bin differ 
diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_priv_28.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_priv_28.bin new file mode 100644 index 0000000000..178ba44881 Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_priv_28.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_reply_key_pack_82.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_reply_key_pack_82.bin new file mode 100644 index 0000000000..8657c7c56c --- /dev/null +++ b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_reply_key_pack_82.bin @@ -0,0 +1,2 @@ +0& 0 ¡ +12345678¡0  ¡1234 \ No newline at end of file diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_safe_26.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_safe_26.bin new file mode 100644 index 0000000000..71f6ab3cba Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_safe_26.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_safe_27.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_safe_27.bin new file mode 100644 index 0000000000..736c6f0b38 Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_safe_27.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_sam_challenge_2_49.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_sam_challenge_2_49.bin new file mode 100644 index 0000000000..62942bd8ac --- /dev/null +++ b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_sam_challenge_2_49.bin @@ -0,0 +1 @@ +0"  0  challenge¡00  ¡1234 \ No newline at end of file diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_sam_challenge_2_body_50.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_sam_challenge_2_body_50.bin new file mode 100644 index 0000000000..dd624bb4a9 Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_sam_challenge_2_body_50.bin differ 
diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_sam_response_2_51.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_sam_response_2_51.bin new file mode 100644 index 0000000000..430f6f0e2d Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_sam_response_2_51.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_secure_cookie_70.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_secure_cookie_70.bin new file mode 100644 index 0000000000..00a4f477bb --- /dev/null +++ b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_secure_cookie_70.bin @@ -0,0 +1 @@ +0,-ø%0$0¡ ¢ pa-data0¡ ¢ pa-data \ No newline at end of file diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_sp80056a_other_info_83.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_sp80056a_other_info_83.bin new file mode 100644 index 0000000000..3639de9e63 --- /dev/null +++ b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_sp80056a_other_info_83.bin @@ -0,0 +1,2 @@ +00  *†H†÷ 200. ATHENA.MIT.EDU¡0 ¡0hftsaiextra¡200. ATHENA.MIT.EDU¡0 ¡0hftsaiextra¢ +krb5data \ No newline at end of file diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_spake_factor_71.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_spake_factor_71.bin new file mode 100644 index 0000000000..6dfd6ad0b0 --- /dev/null +++ b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_spake_factor_71.bin @@ -0,0 +1 @@ +0  \ No newline at end of file diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_tgs_rep_11.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_tgs_rep_11.bin new file mode 100644 index 0000000000..0ca8532f63 Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_tgs_rep_11.bin differ 
diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_tgs_rep_12.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_tgs_rep_12.bin new file mode 100644 index 0000000000..cd2ac54155 Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_tgs_rep_12.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_tgs_req_20.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_tgs_req_20.bin new file mode 100644 index 0000000000..b56f57d514 Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_tgs_req_20.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_tgs_req_21.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_tgs_req_21.bin new file mode 100644 index 0000000000..eb8a40ff78 Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_tgs_req_21.bin differ diff --git a/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_ticket_3.bin b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_ticket_3.bin new file mode 100644 index 0000000000..68efbe14af Binary files /dev/null and b/src/tests/fuzzing/fuzz_asn_seed_corpus/encode_ticket_3.bin differ diff --git a/src/tests/fuzzing/fuzz_attrset.c b/src/tests/fuzzing/fuzz_attrset.c new file mode 100644 index 0000000000..5c1a8d6041 --- /dev/null +++ b/src/tests/fuzzing/fuzz_attrset.c 
@@ -0,0 +1,68 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/fuzzing/fuzz_attrset.c - fuzzing harness for kr_attrset functions */
+/*
+ * Copyright (C) 2024 by Arjun. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "autoconf.h"
+#include
+#include
+
+#define kMinInputLength 2
+#define kMaxInputLength 1024
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ krb5_error_code ret;
+ krb5_context context;
+ krad_attrset *set;
+ krb5_data data_in;
+ uint8_t buffer[KRAD_PACKET_SIZE_MAX], auth[MD5_DIGEST_SIZE] = { 0 };
+ size_t encode_len;
+
+ if (size < kMinInputLength || size > kMaxInputLength)
+ return 0;
+
+ data_in = make_data((void *)data, size);
+
+ ret = krb5_init_context(&context);
+ if (ret)
+ return 0;
+
+ ret = kr_attrset_decode(context, &data_in, "f", auth, &set);
+ if (!ret)
+ kr_attrset_encode(set, "f", auth, FALSE, buffer, &encode_len);
+
+ krad_attrset_free(set);
+ krb5_free_context(context);
+
+ return 0;
+}
diff --git a/src/tests/fuzzing/fuzz_attrset_seed_corpus/t_attrset.bin b/src/tests/fuzzing/fuzz_attrset_seed_corpus/t_attrset.bin
new file mode 100644
index 0000000000..aceceefa7a
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_attrset_seed_corpus/t_attrset.bin
@@ -0,0 +1,2 @@
+
+testUserXÿÚ7ùäÊ®I·mX'
\ No newline at end of file
diff --git a/src/tests/fuzzing/fuzz_crypto.c b/src/tests/fuzzing/fuzz_crypto.c
new file mode 100644
index 0000000000..2bd52e6297
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_crypto.c
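Review bot: `set` is assigned only when `kr_attrset_decode` succeeds, yet `krad_attrset_free(set)` runs unconditionally, so a rejected input frees an uninitialized pointer unless the decoder is guaranteed to clear `*set` on failure, which the hunk does not show. Initializing the declaration, `krad_attrset *set = NULL;`, makes the cleanup safe on every path, assuming `krad_attrset_free` tolerates NULL. Because the decoder is the attacker-facing surface here, a one-line header comment such as `/* Fixed secret "f" and all-zero authenticator: attribute encryption is exercised with a known key. */` would also make clear that those constants are deliberate.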
@@ -0,0 +1,171 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/fuzzing/fuzz_crypto.c - fuzzing harness for general crypto */
+/*
+ * Copyright (C) 2024 by Arjun. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "autoconf.h"
+#include
+#include
+
+#define kMinInputLength 2
+#define kMaxInputLength 512
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+static void
+fuzz_checksum(krb5_cksumtype sumtype, krb5_keyblock keyblock,
+ krb5_keyusage usage, krb5_data data)
+{
+ krb5_error_code ret;
+ krb5_checksum cksum;
+ krb5_boolean valid;
+
+ ret = krb5_c_make_checksum(NULL, sumtype, &keyblock, usage, &data, &cksum);
+ if (ret)
+ return;
+
+ ret = krb5_c_verify_checksum(NULL, &keyblock, usage, &data, &cksum,
+ &valid);
+ if (ret || !valid)
+ abort();
+
+ krb5_free_checksum_contents(NULL, &cksum);
+}
+
+static void
+fuzz_crypt(krb5_keyblock keyblock, krb5_enctype enctype,
+ krb5_keyusage usage, krb5_data data)
+{
+ krb5_error_code ret;
+ krb5_enc_data encoded = { 0 };
+ krb5_data decoded = empty_data();
+ size_t enclen;
+
+ ret = krb5_c_encrypt_length(NULL, enctype, data.length, &enclen);
+ if (ret)
+ return;
+
+ encoded.magic = KV5M_ENC_DATA;
+ encoded.enctype = enctype;
+
+ ret = alloc_data(&encoded.ciphertext, enclen);
+ if (ret)
+ return;
+
+ ret = alloc_data(&decoded, data.length);
+ if (ret) {
+ krb5_free_data_contents(NULL, &encoded.ciphertext);
+ return;
+ }
+
+ ret = krb5_c_encrypt(NULL, &keyblock, usage, NULL, &data, &encoded);
+ if (ret)
+ goto cleanup;
+
+ ret = krb5_c_decrypt(NULL, &keyblock, usage, NULL, &encoded, &decoded);
+ if (ret)
+ goto cleanup;
+
+ if (memcmp(data.data, decoded.data, data.length) != 0)
+ abort();
+
+cleanup:
+ krb5_free_data_contents(NULL, &encoded.ciphertext);
+ krb5_free_data_contents(NULL, &decoded);
+}
+
+static void
+fuzz_prf(krb5_keyblock keyblock, krb5_enctype enctype, krb5_data data)
+{
+ krb5_error_code ret;
+ krb5_data output;
+ size_t prfsz;
+
+ ret = krb5_c_prf_length(NULL, enctype, &prfsz);
+ if (ret)
+ return;
+
+ ret = alloc_data(&output, prfsz);
+ if (ret)
+ return;
+
+ krb5_c_prf(NULL, &keyblock, &data, &output);
+
+ krb5_free_data_contents(NULL, &output);
+}
+
+static void
+fuzz_setup(krb5_enctype enctype, krb5_cksumtype sumtype,
+ krb5_keyusage usage, krb5_data data)
+{
+ krb5_error_code ret;
+ krb5_keyblock keyblock;
+
+ ret = krb5_c_make_random_key(NULL, enctype, &keyblock);
+ if (ret)
+ return;
+
+ fuzz_checksum(sumtype, keyblock, usage, data);
+ fuzz_crypt(keyblock, enctype, usage, data);
+ fuzz_prf(keyblock, enctype, data);
+
+ krb5_free_keyblock_contents(NULL, &keyblock);
+}
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ krb5_data data_in;
+
+ if (size < kMinInputLength || size > kMaxInputLength)
+ return 0;
+
+ data_in = make_data((void *)data, size);
+
+ fuzz_setup(ENCTYPE_DES3_CBC_SHA1, CKSUMTYPE_HMAC_SHA1_DES3, 0, data_in);
+ fuzz_setup(ENCTYPE_ARCFOUR_HMAC, CKSUMTYPE_MD5_HMAC_ARCFOUR, 1, data_in);
+ fuzz_setup(ENCTYPE_ARCFOUR_HMAC, CKSUMTYPE_HMAC_MD5_ARCFOUR, 2, data_in);
+ fuzz_setup(ENCTYPE_ARCFOUR_HMAC_EXP, CKSUMTYPE_RSA_MD4, 3, data_in);
+ fuzz_setup(ENCTYPE_ARCFOUR_HMAC_EXP, CKSUMTYPE_RSA_MD5, 4, data_in);
+ fuzz_setup(ENCTYPE_ARCFOUR_HMAC_EXP, CKSUMTYPE_SHA1, 5, data_in);
+ fuzz_setup(ENCTYPE_AES128_CTS_HMAC_SHA1_96, CKSUMTYPE_HMAC_SHA1_96_AES128,
+ 6, data_in);
+ fuzz_setup(ENCTYPE_AES256_CTS_HMAC_SHA1_96, CKSUMTYPE_HMAC_SHA1_96_AES256,
+ 7, data_in);
+ fuzz_setup(ENCTYPE_CAMELLIA128_CTS_CMAC, CKSUMTYPE_CMAC_CAMELLIA128,
+ 8, data_in);
+ fuzz_setup(ENCTYPE_CAMELLIA256_CTS_CMAC, CKSUMTYPE_CMAC_CAMELLIA256,
+ 9, data_in);
+ fuzz_setup(ENCTYPE_AES128_CTS_HMAC_SHA256_128,
+ CKSUMTYPE_HMAC_SHA256_128_AES128, 10, data_in);
+ fuzz_setup(ENCTYPE_AES256_CTS_HMAC_SHA384_192,
+ CKSUMTYPE_HMAC_SHA384_192_AES256, 11, data_in);
+
+ return 0;
+}
diff --git a/src/tests/fuzzing/fuzz_crypto_seed_corpus/input.bin b/src/tests/fuzzing/fuzz_crypto_seed_corpus/input.bin
new file mode 100644
index 0000000000..13f3fcbe05
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_crypto_seed_corpus/input.bin
@@ -0,0 +1 @@
+brrr
\ No newline at end of file
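Review bot: `fuzz_setup` draws a fresh key from `krb5_c_make_random_key` on every call, so the key material comes from the library's random source rather than from the fuzz input, and a crash that depends on the key is not reproducible from the saved test case; the same input can also take different paths across runs, which degrades coverage guidance. Deriving the key deterministically, e.g. `krb5_data pw = string2data("fuzz"), salt = string2data("fuzz");` followed by `ret = krb5_c_string_to_key(NULL, enctype, &pw, &salt, &keyblock);`, keeps the harness reproducible, assuming string-to-key is supported for every enctype listed in `LLVMFuzzerTestOneInput` (the hunk does not establish that). The round-trip oracle in `fuzz_crypt` compares only `data.length` bytes; `if (decoded.length != data.length || memcmp(data.data, decoded.data, data.length) != 0) abort();` would also catch a decrypt that returns the wrong length. In `fuzz_prf` the return value of `krb5_c_prf` is discarded; assigning it to `ret` and aborting on a failure for a supported enctype would turn a silent error into a finding.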
diff --git a/src/tests/fuzzing/fuzz_des.c b/src/tests/fuzzing/fuzz_des.c
new file mode 100644
index 0000000000..08efb38b29
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_des.c
@@ -0,0 +1,109 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/fuzzing/fuzz_des.c - fuzzing harness for DES functions */
+/*
+ * Copyright (C) 2024 by Arjun. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "autoconf.h"
+#include
+#include
+
+#include
+
+#define kMinInputLength 32
+#define kMaxInputLength 128
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+uint8_t default_ivec[8] = { 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF };
+
+static void
+fuzz_des(uint8_t *input, mit_des_key_schedule sched)
+{
+ uint8_t encrypt[8], decrypt[8];
+
+ mit_des_cbc_encrypt((const mit_des_cblock *)input,
+ (mit_des_cblock *)encrypt, 8,
+ sched, default_ivec, MIT_DES_ENCRYPT);
+
+ mit_des_cbc_encrypt((const mit_des_cblock *)encrypt,
+ (mit_des_cblock *)decrypt, 8,
+ sched, default_ivec, MIT_DES_DECRYPT);
+
+ if (memcmp(input, decrypt, 8) != 0)
+ abort();
+}
+
+static void
+fuzz_decrypt(uint8_t *input, mit_des_key_schedule sched)
+{
+ uint8_t output[8];
+
+ mit_des_cbc_encrypt((const mit_des_cblock *)input,
+ (mit_des_cblock *)output, 8,
+ sched, default_ivec, MIT_DES_DECRYPT);
+}
+
+static void
+fuzz_cksum(uint8_t *input, mit_des_key_schedule sched)
+{
+ uint8_t output[8];
+
+ mit_des_cbc_cksum(input, output, 8, sched, default_ivec);
+}
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ krb5_error_code ret;
+ mit_des_key_schedule sched;
+ uint8_t *data_in, input[8];
+
+ if (size < kMinInputLength || size > kMaxInputLength)
+ return 0;
+
+ memcpy(input, data, 8);
+ ret = mit_des_key_sched(input, sched);
+ if (ret)
+ return 0;
+
+ memcpy(input, data + 8, 8);
+ fuzz_des(input, sched);
+
+ memcpy(input, data + 16, 8);
+ fuzz_decrypt(input, sched);
+
+ data_in = k5memdup(data + 24, size - 24, &ret);
+ if (ret)
+ return 0;
+
+ fuzz_cksum(data_in, sched);
+ free(data_in);
+
+ return 0;
+}
diff --git a/src/tests/fuzzing/fuzz_des_seed_corpus/input.bin b/src/tests/fuzzing/fuzz_des_seed_corpus/input.bin
new file mode 100644
index 0000000000..6607c59ab3
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_des_seed_corpus/input.bin
@@ -0,0 +1 @@
+brrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
\ No newline at end of file
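Review bot: If `mit_des_key_sched` rejects keys with bad parity or weak keys, as its non-zero return path suggests it can, nearly every input will leave at `if (ret) return 0;` in `LLVMFuzzerTestOneInput`, because only about one random 8-byte key in 256 has odd parity in every byte, and the encrypt, decrypt and checksum code below is then exercised for a tiny fraction of the corpus. Calling `mit_des_fixup_key_parity(input);` on the key bytes before `mit_des_key_sched(input, sched)` lets almost every input pass key setup while still leaving the weak-key rejection reachable. Separately, `fuzz_cksum` always checksums a fixed 8 bytes although `k5memdup` copies `size - 24` bytes, so the remaining input is never looked at; passing the copied length through (rounded down to a whole number of blocks if `mit_des_cbc_cksum` requires that) would cover multi-block checksums. `default_ivec` could also be `static const`, since nothing in the harness writes to it, provided the DES entry points accept a const IV.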
diff --git a/src/tests/fuzzing/fuzz_kdc.c b/src/tests/fuzzing/fuzz_kdc.c
new file mode 100644
index 0000000000..59457e282c
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_kdc.c
@@ -0,0 +1,72 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/fuzzing/fuzz_kdc.c - fuzzing harness for KDC replay cache */
+/*
+ * Copyright (C) 2024 by Arjun. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "autoconf.h"
+
+#include
+
+#define kMinInputLength 2
+#define kMaxInputLength 256
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ krb5_error_code ret;
+ krb5_context context = NULL;
+ krb5_data req, rep;
+ struct entry *e;
+
+ if (size < kMinInputLength || size > kMaxInputLength)
+ return 0;
+
+ ret = krb5_init_context(&context);
+ if (ret)
+ return 0;
+
+ ret = kdc_init_lookaside(context);
+ if (ret)
+ goto cleanup;
+
+ req = make_data((void *)data, size);
+ rep = make_data((void *)data, size - 1);
+
+ e = insert_entry(context, &req, &rep, 0);
+ discard_entry(context, e);
+
+ kdc_free_lookaside(context);
+
+cleanup:
+ krb5_free_context(context);
+
+ return 0;
+}
diff --git a/src/tests/fuzzing/fuzz_kdc_seed_corpus/input.bin b/src/tests/fuzzing/fuzz_kdc_seed_corpus/input.bin
new file mode 100644
index 0000000000..6605099dcb
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_kdc_seed_corpus/input.bin
@@ -0,0 +1 @@
+I Had Strings, But now i'm free.
\ No newline at end of file
diff --git a/src/tests/fuzzing/fuzz_krb.c b/src/tests/fuzzing/fuzz_krb.c
new file mode 100644
index 0000000000..61f16765db
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_krb.c
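Review bot: `discard_entry(context, e)` is called without checking the result of `insert_entry`; if that function returns NULL when it cannot allocate or copy the packets (the hunk does not show its contract), the unlink inside `discard_entry` would dereference NULL. Guarding the call, `if (e != NULL) discard_entry(context, e);`, keeps an allocation failure from being reported as a crash in the replay cache, which matters under fuzzing configurations that inject allocation failures. The harness also hands the request buffer minus its last byte in as the reply; a comment such as `/* The reply is an arbitrary slice of the input; only its copy and lookup handling is under test. */` would tell a reader this is intentional rather than an off-by-one.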
@@ -0,0 +1,170 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/fuzzing/krb.c - fuzzing harness for miscellaneous libkrb5 functions */
+/*
+ * Copyright (C) 2024 by Arjun. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "autoconf.h"
+#include
+
+#define kMinInputLength 2
+#define kMaxInputLength 512
+
+#define ANAME_SZ 40
+#define INST_SZ 40
+#define REALM_SZ 40
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+static void
+fuzz_deltat(char *data_in)
+{
+ krb5_deltat result;
+ krb5_string_to_deltat(data_in, &result);
+}
+
+static void
+fuzz_host_string(char *data_in)
+{
+ krb5_error_code ret;
+ char *host;
+ int port = -1;
+
+ ret = k5_parse_host_string(data_in, 0, &host, &port);
+ if (!ret)
+ free(host);
+}
+
+static void
+fuzz_princ(krb5_context context, char *data_in)
+{
+ krb5_error_code ret;
+ krb5_principal p;
+ char *princ;
+
+ ret = krb5_parse_name(context, data_in, &p);
+ if (ret)
+ return;
+
+ ret = krb5_unparse_name(context, p, &princ);
+ if (!ret)
+ free(princ);
+
+ krb5_free_principal(context, p);
+}
+
+static void
+fuzz_principal_425(krb5_context context, char *data_in)
+{
+ krb5_principal princ;
+ krb5_425_conv_principal(context, data_in, data_in, data_in, &princ);
+ krb5_free_principal(context, princ);
+}
+
+static void
+fuzz_principal_524(krb5_context context, char *data_in)
+{
+ krb5_error_code ret;
+ krb5_principal princ = 0;
+ char aname[ANAME_SZ + 1], inst[INST_SZ + 1], realm[REALM_SZ + 1];
+
+ aname[ANAME_SZ] = inst[INST_SZ] = realm[REALM_SZ] = 0;
+
+ ret = krb5_parse_name(context, data_in, &princ);
+ if (ret)
+ return;
+
+ krb5_524_conv_principal(context, princ, aname, inst, realm);
+ krb5_free_principal(context, princ);
+}
+
+static void
+fuzz_timestamp(char *data_in)
+{
+ krb5_error_code ret;
+ krb5_timestamp timestamp;
+
+ ret = krb5_string_to_timestamp(data_in, ×tamp);
+ if (!ret)
+ ts2tt(timestamp);
+}
+
+/*
+ * data_in is going to be modified during parsing.
+ */
+static void
+fuzz_enctype_list(char *data_in)
+{
+ krb5_error_code ret;
+ krb5_context context;
+ krb5_enctype *ienc, zero = 0;
+
+ ret = krb5_init_context(&context);
+ if (ret)
+ return;
+
+ ret = krb5int_parse_enctype_list(context, "", data_in, &zero, &ienc);
+ if (!ret)
+ free(ienc);
+
+ krb5_free_context(context);
+}
+
+extern int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ krb5_error_code ret;
+ krb5_context context = NULL;
+ char *data_in;
+
+ if (size < kMinInputLength || size > kMaxInputLength)
+ return 0;
+
+ ret = krb5_init_context(&context);
+ if (ret)
+ return 0;
+
+ data_in = k5memdup0(data, size, &ret);
+ if (ret)
+ goto cleanup;
+
+ fuzz_deltat(data_in);
+ fuzz_host_string(data_in);
+ fuzz_princ(context, data_in);
+ fuzz_principal_425(context, data_in);
+ fuzz_principal_524(context, data_in);
+ fuzz_timestamp(data_in);
+ fuzz_enctype_list(data_in);
+
+ free(data_in);
+
+cleanup:
+ krb5_free_context(context);
+
+ return 0;
+}
diff --git a/src/tests/fuzzing/fuzz_krb_seed_corpus/deltat.bin b/src/tests/fuzzing/fuzz_krb_seed_corpus/deltat.bin
new file mode 100644
index 0000000000..eaca6be22c
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_krb_seed_corpus/deltat.bin
@@ -0,0 +1 @@
+-35791394m-9s
\ No newline at end of file
diff --git a/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_1.bin b/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_1.bin
new file mode 100644
index 0000000000..47fb41b9bf
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_1.bin
@@ -0,0 +1 @@
+default -aes128-cts -des-hmac-sha1
\ No newline at end of file
diff --git a/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_2.bin b/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_2.bin
new file mode 100644
index 0000000000..8c5071abdf
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_2.bin
@@ -0,0 +1 @@
+aes des3-cbc-sha1-kd
\ No newline at end of file
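Review bot: In `fuzz_principal_425`, `princ` is never initialized and `krb5_free_principal(context, princ)` runs whether or not `krb5_425_conv_principal` succeeded; unless every failure path of that function is guaranteed to store NULL into `*princ`, this frees an indeterminate pointer. Matching the neighbouring `fuzz_principal_524`, initialize and check: `krb5_principal princ = NULL;` followed by `if (krb5_425_conv_principal(context, data_in, data_in, data_in, &princ) == 0) krb5_free_principal(context, princ);`. The comment on `fuzz_enctype_list` should state the consequence rather than only the fact: `/* krb5int_parse_enctype_list modifies data_in in place, so this must stay the last fuzz_* call made on the buffer in LLVMFuzzerTestOneInput. */`, since the call order there silently depends on it. The header line names the file `tests/fuzzing/krb.c` while the file added is `fuzz_krb.c`.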
diff --git a/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_3.bin b/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_3.bin
new file mode 100644
index 0000000000..ac635ee6a3
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_3.bin
@@ -0,0 +1 @@
+camellia -camellia256-cts-cmac
\ No newline at end of file
diff --git a/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_4.bin b/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_4.bin
new file mode 100644
index 0000000000..4ddee4c530
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_4.bin
@@ -0,0 +1 @@
+DEFAULT +aes -arcfour-hmac-md5
\ No newline at end of file
diff --git a/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_5.bin b/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_5.bin
new file mode 100644
index 0000000000..5892bca7f4
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_5.bin
@@ -0,0 +1 @@
+DEFAULT -des3 rc4-hmac rc4-hmac-exp
\ No newline at end of file
diff --git a/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_6.bin b/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_6.bin
new file mode 100644
index 0000000000..6501ba6fef
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_6.bin
@@ -0,0 +1 @@
+des3 +DEFAULT
\ No newline at end of file
diff --git a/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_7.bin b/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_7.bin
new file mode 100644
index 0000000000..09d89bf33e
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_krb_seed_corpus/enctype_7.bin
@@ -0,0 +1 @@
+aes +rc4 -DEFaulT des3-hmac-sha1
\ No newline at end of file
diff --git a/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_11.bin b/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_11.bin
new file mode 100644
index 0000000000..6a1a02e570
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_11.bin
@@ -0,0 +1 @@
+70000
\ No newline at end of file
diff --git a/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_12.bin b/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_12.bin
new file mode 100644
index 0000000000..fe9049d246
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_12.bin
@@ -0,0 +1 @@
+test.example:F101
\ No newline at end of file
diff --git a/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_2.bin b/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_2.bin
new file mode 100644
index 0000000000..3fc5c1775c
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_2.bin
@@ -0,0 +1 @@
+192.168.1.1
\ No newline at end of file
diff --git a/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_4.bin b/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_4.bin
new file mode 100644
index 0000000000..9ca257a84a
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_4.bin
@@ -0,0 +1 @@
+[BEEF:CAFE:FEED:FACE:DEAD:BEEF:DEAF:BABE]
\ No newline at end of file
diff --git a/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_5.bin b/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_5.bin
new file mode 100644
index 0000000000..3081d9b01a
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_5.bin
@@ -0,0 +1 @@
+[BEEF:CAFE:FEED:FACE:DEAD:BEEF:DEAF:BABE]:250
\ No newline at end of file
diff --git a/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_8.bin b/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_8.bin
new file mode 100644
index 0000000000..4fef47ce34
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_8.bin
@@ -0,0 +1 @@
+:300
\ No newline at end of file
diff --git a/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_9.bin b/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_9.bin
new file mode 100644
index 0000000000..0dbf139f8d
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_krb_seed_corpus/host_string_9.bin
@@ -0,0 +1 @@
+350
\ No newline at end of file
diff --git a/src/tests/fuzzing/fuzz_krb_seed_corpus/parse_name.bin b/src/tests/fuzzing/fuzz_krb_seed_corpus/parse_name.bin
new file mode 100644
index 0000000000..2cfb7c29b5
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_krb_seed_corpus/parse_name.bin
@@ -0,0 +1 @@
+lha@SU.SE
\ No newline at end of file
diff --git a/src/tests/fuzzing/fuzz_krb_seed_corpus/principal_425_name.bin b/src/tests/fuzzing/fuzz_krb_seed_corpus/principal_425_name.bin
new file mode 100644
index 0000000000..1f0e72453f
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_krb_seed_corpus/principal_425_name.bin
@@ -0,0 +1 @@
+kadmin
\ No newline at end of file
diff --git a/src/tests/fuzzing/fuzz_oid.c b/src/tests/fuzzing/fuzz_oid.c
new file mode 100644
index 0000000000..d397d48610
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_oid.c
@@ -0,0 +1,65 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/fuzzing/fuzz_oid.c - fuzzing harness for GSS OID conversions */
+/*
+ * Copyright (C) 2024 by Arjun. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "autoconf.h"
+#include
+#include
+
+#define kMinInputLength 2
+#define kMaxInputLength 1024
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ OM_uint32 minor;
+ gss_buffer_desc buf;
+ gss_OID oid;
+ gss_OID_desc oid_desc;
+
+ if (size < kMinInputLength || size > kMaxInputLength)
+ return 0;
+
+ oid_desc.elements = (void *)data;
+ oid_desc.length = size;
+
+ gss_oid_to_str(&minor, &oid_desc, &buf);
+ gss_release_buffer(&minor, &buf);
+
+ buf.value = (void *)data;
+ buf.length = size;
+
+ gss_str_to_oid(&minor, &buf, &oid);
+ gss_release_oid(&minor, &oid);
+
+ return 0;
+}
diff --git a/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_19.bin b/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_19.bin
new file mode 100644
index 0000000000..16e0e90df0
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_19.bin
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_20.bin b/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_20.bin
new file mode 100644
index 0000000000..8b040ead36
Binary files /dev/null and b/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_20.bin differ
diff --git a/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_21.bin b/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_21.bin
new file mode 100644
index 0000000000..6b58abecd6
Binary files /dev/null and b/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_21.bin differ
diff --git a/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_22.bin b/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_22.bin
new file mode 100644
index 0000000000..09f370e38f
Binary files /dev/null and b/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_22.bin differ
diff --git a/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_24.bin b/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_24.bin
new file mode 100644
index 0000000000..8fdfd1779b
Binary files /dev/null and b/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_24.bin differ
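Review bot: Both `gss_oid_to_str` and `gss_str_to_oid` have their major status discarded, and `gss_release_buffer(&minor, &buf)` and `gss_release_oid(&minor, &oid)` then run unconditionally on output parameters that may not have been set when the conversion rejected the input; the harness is correct only if the library always clears its outputs on failure. Initializing the outputs before the calls, `gss_buffer_desc buf = GSS_C_EMPTY_BUFFER;` and `gss_OID oid = GSS_C_NO_OID;`, or releasing only when the major status is `GSS_S_COMPLETE`, removes that dependency. A short comment would also make the intent clear, e.g. `/* Exercise the same bytes twice: as a DER-encoded OID (oid_desc) and as a dotted-decimal string (buf). */`, since reusing `buf` as an input after it was an output is otherwise surprising.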
diff --git a/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_8.bin b/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_8.bin
new file mode 100644
index 0000000000..091299428a
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_oid_seed_corpus/oid_8.bin
@@ -0,0 +1 @@
+*†H†÷
\ No newline at end of file
diff --git a/src/tests/fuzzing/oss-fuzz.sh b/src/tests/fuzzing/oss-fuzz.sh
index 868d0db1f3..b01d4bcbd2 100644
--- a/src/tests/fuzzing/oss-fuzz.sh
+++ b/src/tests/fuzzing/oss-fuzz.sh
@@ -15,9 +15,10 @@ popd
 
 # Copy fuzz targets and seed corpus to $OUT.
 pushd src/tests/fuzzing
-fuzzers=("fuzz_chpw" "fuzz_gss" "fuzz_json" "fuzz_krad" "fuzz_krb5_ticket"
- "fuzz_marshal_cred" "fuzz_marshal_princ" "fuzz_ndr" "fuzz_pac"
- "fuzz_profile" "fuzz_util")
+fuzzers=("fuzz_aes" "fuzz_asn" "fuzz_attrset" "fuzz_chpw" "fuzz_crypto"
+ "fuzz_des" "fuzz_gss" "fuzz_json" "fuzz_kdc" "fuzz_krad" "fuzz_krb"
+ "fuzz_krb5_ticket" "fuzz_marshal_cred" "fuzz_marshal_princ"
+ "fuzz_ndr" "fuzz_oid" "fuzz_pac" "fuzz_profile" "fuzz_util")
 for fuzzer in "${fuzzers[@]}"; do
 cp "$fuzzer" "$OUT/$fuzzer"