Diffstat (limited to 'src/tests')
58 files changed, 1121 insertions, 1 deletions
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in index d453962..1c69dc7 100644 --- a/src/tests/Makefile.in +++ b/src/tests/Makefile.in @@ -1,6 +1,7 @@ mydir=tests BUILDTOP=$(REL).. -SUBDIRS = asn.1 create hammer verify gssapi shlib gss-threads misc threads +SUBDIRS = asn.1 create hammer verify gssapi shlib gss-threads misc threads \ + @fuzz_dir@ RUN_DB_TEST = $(RUN_SETUP) KRB5_KDC_PROFILE=kdc.conf KRB5_CONFIG=krb5.conf \ GSS_MECH_CONFIG=mech.conf LC_ALL=C $(VALGRIND) diff --git a/src/tests/fuzzing/Makefile.in b/src/tests/fuzzing/Makefile.in new file mode 100644 index 0000000..05dea37 --- /dev/null +++ b/src/tests/fuzzing/Makefile.in 
@@ -0,0 +1,88 @@ +mydir=tests$(S)fuzzing +BUILDTOP=$(REL)..$(S).. + +LOCALINCLUDES = -I$(srcdir)/../../lib/krb5/ccache -I$(srcdir)/../../kdc \ + -I$(srcdir)/../../util/profile +NDROBJ = $(BUILDTOP)/kdc/ndr.o + +OBJS = \ + fuzz_chpw.o \ + fuzz_gss.o \ + fuzz_json.o \ + fuzz_krad.o \ + fuzz_krb5_ticket.o \ + fuzz_marshal_cred.o \ + fuzz_marshal_princ.o \ + fuzz_ndr.o \ + fuzz_pac.o \ + fuzz_profile.o \ + fuzz_util.o + +SRCS = \ + $(srcdir)/fuzz_chpw.c \ + $(srcdir)/fuzz_gss.c \ + $(srcdir)/fuzz_json.c \ + $(srcdir)/fuzz_krad.c \ + $(srcdir)/fuzz_krb5_ticket.c \ + $(srcdir)/fuzz_marshal_cred.c \ + $(srcdir)/fuzz_marshal_princ.c \ + $(srcdir)/fuzz_ndr.c \ + $(srcdir)/fuzz_pac.c \ + $(srcdir)/fuzz_profile.c \ + $(srcdir)/fuzz_util.c + +FUZZ_TARGETS= \ + fuzz_chpw \ + fuzz_gss \ + fuzz_json \ + fuzz_krad \ + fuzz_krb5_ticket \ + fuzz_marshal_cred \ + fuzz_marshal_princ \ + fuzz_ndr \ + fuzz_pac \ + fuzz_profile \ + fuzz_util + +all: $(FUZZ_TARGETS) + +# OSS-Fuzz requires fuzz targets to be linked with the C++ linker, +# even if they are written in C. 
+ +fuzz_chpw: fuzz_chpw.o $(SUPPORT_DEPLIB) + $(CXX_LINK) -o $@ fuzz_chpw.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS) + +fuzz_gss: fuzz_gss.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) + $(CXX_LINK) -o $@ fuzz_gss.o $(GSS_LIBS) $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS) + +fuzz_json: fuzz_json.o $(KRB5_BASE_DEPLIBS) + $(CXX_LINK) -o $@ fuzz_json.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS) + +fuzz_krad: fuzz_krad.o $(KRB5_BASE_DEPLIBS) + $(CXX_LINK) -o $@ fuzz_krad.o -lkrad $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS) + +fuzz_krb5_ticket: fuzz_krb5_ticket.o $(KRB5_BASE_DEPLIBS) + $(CXX_LINK) -o $@ fuzz_krb5_ticket.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS) + +fuzz_marshal_cred: fuzz_marshal_cred.o $(KRB5_BASE_DEPLIBS) + $(CXX_LINK) -o $@ fuzz_marshal_cred.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS) + +fuzz_marshal_princ: fuzz_marshal_princ.o $(KRB5_BASE_DEPLIBS) + $(CXX_LINK) -o $@ fuzz_marshal_princ.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS) + +fuzz_ndr: fuzz_ndr.o $(KRB5_BASE_DEPLIBS) + $(CXX_LINK) -o $@ fuzz_ndr.o $(NDROBJ) $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS) + +fuzz_pac: fuzz_pac.o $(KRB5_BASE_DEPLIBS) + $(CXX_LINK) -o $@ fuzz_pac.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS) + +fuzz_profile: fuzz_profile.o $(KRB5_BASE_DEPLIBS) + $(CXX_LINK) -o $@ fuzz_profile.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS) + +fuzz_util: fuzz_util.o $(KRB5_BASE_DEPLIBS) + $(CXX_LINK) -o $@ fuzz_util.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS) + +install: + +clean: + $(RM) $(FUZZ_TARGETS) diff --git a/src/tests/fuzzing/README b/src/tests/fuzzing/README new file mode 100644 index 0000000..d133824 --- /dev/null +++ b/src/tests/fuzzing/README 
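Review bot: The prerequisite lists do not match what the link lines pull in, so a rebuilt library or object will not relink the harness that uses it: `fuzz_chpw` depends on `$(SUPPORT_DEPLIB)` but links `$(KRB5_BASE_LIBS)` like every other target, `fuzz_ndr` links `$(NDROBJ)` without listing it as a prerequisite (a stale or not-yet-built `kdc/ndr.o` is neither rebuilt nor noticed until the link fails), and `fuzz_krad` links `-lkrad` with no matching deplib. I would change the first two to `fuzz_chpw: fuzz_chpw.o $(KRB5_BASE_DEPLIBS)` and `fuzz_ndr: fuzz_ndr.o $(NDROBJ) $(KRB5_BASE_DEPLIBS)`, and add the krad dependency variable if the tree defines one. The `clean` recipe also removes only `$(FUZZ_TARGETS)`, leaving the `OBJS` behind unless a shared rule elsewhere covers them, which this hunk does not show.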
@@ -0,0 +1,26 @@ +This directory builds fuzzing targets for oss-fuzz compatibility. + If you wish to build it locally, you can do so by using the given + guide below. Note that it only works on GNU/Linux. + +Export flags required for building fuzzing targets. +```bash +export CC=clang +export CXX=clang++ +export CFLAGS="-g -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize=fuzzer-no-link" +export CXXFLAGS="-g -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize=fuzzer-no-link" +export LIB_FUZZING_ENGINE="-fsanitize=fuzzer" +``` + +Compilation of the fuzzing targets. +```bash +autoreconf +./configure CFLAGS="-fcommon $CFLAGS" CXXFLAGS="-fcommon $CXXFLAGS" \ + --enable-static --disable-shared --enable-ossfuzz +make +``` + +Running fuzzing targets. +```bash +mkdir fuzz_${TARGET}_corpus +./fuzz_${TARGET} fuzz_${TARGET}_corpus/ fuzz_${TARGET}_seed_corpus +``` diff --git a/src/tests/fuzzing/deps b/src/tests/fuzzing/deps new file mode 100644 index 0000000..018fb4e --- /dev/null +++ b/src/tests/fuzzing/deps 
@@ -0,0 +1,117 @@ +# +# Generated makefile dependencies follow. +# +$(OUTPRE)fuzz_chpw.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h fuzz_chpw.c +$(OUTPRE)fuzz_gss.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/krb5/krb5.h \ + $(COM_ERR_DEPS) $(top_srcdir)/include/gssapi.h $(top_srcdir)/include/krb5.h \ + fuzz_gss.c +$(OUTPRE)fuzz_json.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-json.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + fuzz_json.c +$(OUTPRE)fuzz_krad.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(VERTO_DEPS) \ + $(top_srcdir)/include/k5-buf.h 
$(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krad.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h fuzz_krad.c +$(OUTPRE)fuzz_krb5_ticket.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h fuzz_krb5_ticket.c +$(OUTPRE)fuzz_marshal_cred.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../lib/krb5/ccache/cc-int.h \ + $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + 
fuzz_marshal_cred.c +$(OUTPRE)fuzz_marshal_princ.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../lib/krb5/ccache/cc-int.h \ + $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + fuzz_marshal_princ.c +$(OUTPRE)fuzz_ndr.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(VERTO_DEPS) \ + $(srcdir)/../../kdc/kdc_util.h $(srcdir)/../../kdc/realm_data.h \ + $(srcdir)/../../kdc/reqstate.h $(top_srcdir)/include/gssrpc/auth.h \ + $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ + $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \ + $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \ + $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \ + $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h 
$(top_srcdir)/include/krb5/kdcpreauth_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/net-server.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + fuzz_ndr.c +$(OUTPRE)fuzz_pac.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h fuzz_pac.c +$(OUTPRE)fuzz_profile.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../util/profile/prof_int.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + fuzz_profile.c +$(OUTPRE)fuzz_util.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-base64.h \ + $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-hex.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + 
$(top_srcdir)/include/socket-utils.h fuzz_util.c diff --git a/src/tests/fuzzing/fuzz_chpw.c b/src/tests/fuzzing/fuzz_chpw.c new file mode 100644 index 0000000..dfa6dfd --- /dev/null +++ b/src/tests/fuzzing/fuzz_chpw.c 
@@ -0,0 +1,65 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* tests/fuzzing/fuzz_chpw.c */ +/* + * Copyright (C) 2024 by Arjun. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * Fuzzing harness implementation for krb5_chpw_message. 
+ */ + +#include "autoconf.h" +#include <k5-int.h> + +#define kMinInputLength 2 +#define kMaxInputLength 512 + +extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size); + +int +LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) +{ + char *msg; + krb5_data data_in; + krb5_context context; + + if (size < kMinInputLength || size > kMaxInputLength) + return 0; + + data_in = make_data((void *)data, size); + + if (krb5_init_context(&context) != 0) + return 0; + + if (krb5_chpw_message(context, &data_in, &msg) == 0) + free(msg); + + krb5_free_context(context); + + return 0; +} diff --git a/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_age.bin b/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_age.bin Binary files differnew file mode 100644 index 0000000..cf3ccef --- /dev/null +++ b/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_age.bin diff --git a/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_all.bin b/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_all.bin Binary files differnew file mode 100644 index 0000000..77f9336 --- /dev/null +++ b/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_all.bin diff --git a/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_complex.bin b/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_complex.bin Binary files differnew file mode 100644 index 0000000..7e9a56f --- /dev/null +++ b/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_complex.bin diff --git a/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_history.bin b/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_history.bin Binary files differnew file mode 100644 index 0000000..5682bd7 --- /dev/null +++ b/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_history.bin diff --git a/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_length.bin b/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_length.bin Binary files differnew file mode 100644 index 0000000..dda723c --- /dev/null +++ b/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_length.bin 
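Review bot: `krb5_init_context` and `krb5_free_context` run on every input, so each iteration re-parses the profile before `krb5_chpw_message` is even reached; that cost dominates a 2–512 byte decode and, assuming the context reads the default krb5.conf locations when `KRB5_CONFIG` is unset, it also ties the harness to the host's configuration. I would create the context once in an `LLVMFuzzerInitialize` function (or a function-static) and reuse it, so the per-input work is only the decode. The length bounds silently drop larger inputs via `return 0`, which deserves a one-line comment such as `/* Bound input size so the fuzzer does not spend time on oversized messages. */`.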
diff --git a/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_invalid_utf8.bin b/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_invalid_utf8.bin Binary files differnew file mode 100644 index 0000000..f1f4ef5 --- /dev/null +++ b/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_invalid_utf8.bin diff --git a/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_utf8.bin b/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_utf8.bin new file mode 100644 index 0000000..3a20212 --- /dev/null +++ b/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_utf8.bin @@ -0,0 +1 @@ +This is a valid string.
\ No newline at end of file diff --git a/src/tests/fuzzing/fuzz_gss.c b/src/tests/fuzzing/fuzz_gss.c new file mode 100644 index 0000000..3c65f34 --- /dev/null +++ b/src/tests/fuzzing/fuzz_gss.c 
@@ -0,0 +1,73 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* tests/fuzzing/fuzz_gss.c */ +/* + * Copyright (C) 2024 by Arjun. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * Fuzzing harness implementation for gss_accept_sec_context. 
+ */ + +#include "autoconf.h" +#include <krb5.h> +#include <gssapi.h> +#include <string.h> + +#define kMinInputLength 2 +#define kMaxInputLength 1024 + +extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size); + +int +LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) +{ + gss_OID doid; + OM_uint32 minor, ret_flags, time_rec; + gss_name_t client = GSS_C_NO_NAME; + gss_ctx_id_t context = GSS_C_NO_CONTEXT; + gss_cred_id_t deleg_cred = GSS_C_NO_CREDENTIAL; + gss_buffer_desc data_in, data_out = GSS_C_EMPTY_BUFFER; + + if (size < kMinInputLength || size > kMaxInputLength) + return 0; + + data_in.length = size; + data_in.value = (void *)data; + + gss_accept_sec_context(&minor, &context, GSS_C_NO_CREDENTIAL, + &data_in, GSS_C_NO_CHANNEL_BINDINGS, &client, + &doid, &data_out, &ret_flags, &time_rec, + &deleg_cred); + + gss_release_buffer(&minor, &data_out); + + if (context != GSS_C_NO_CONTEXT) + gss_delete_sec_context(&minor, &context, GSS_C_NO_BUFFER); + + return 0; +} diff --git a/src/tests/fuzzing/fuzz_gss_seed_corpus/establish_contexts_ex.bin b/src/tests/fuzzing/fuzz_gss_seed_corpus/establish_contexts_ex.bin Binary files differnew file mode 100644 index 0000000..9e2a8d7 --- /dev/null +++ b/src/tests/fuzzing/fuzz_gss_seed_corpus/establish_contexts_ex.bin diff --git a/src/tests/fuzzing/fuzz_gss_seed_corpus/gss_accept_sec_context_kerberos.bin b/src/tests/fuzzing/fuzz_gss_seed_corpus/gss_accept_sec_context_kerberos.bin Binary files differnew file mode 100644 index 0000000..9bc9afd --- /dev/null +++ b/src/tests/fuzzing/fuzz_gss_seed_corpus/gss_accept_sec_context_kerberos.bin diff --git a/src/tests/fuzzing/fuzz_gss_seed_corpus/gss_accept_sec_context_spnego.bin b/src/tests/fuzzing/fuzz_gss_seed_corpus/gss_accept_sec_context_spnego.bin Binary files differnew file mode 100644 index 0000000..a191e0a --- /dev/null +++ b/src/tests/fuzzing/fuzz_gss_seed_corpus/gss_accept_sec_context_spnego.bin 
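Review bot: `client` and `deleg_cred` are never released after `gss_accept_sec_context`, so any input that gets far enough to populate them (a source name on success, possibly a delegated credential) leaks under ASan's leak checker and will be reported as a harness bug rather than a library one. Add `gss_release_name(&minor, &client);` and `gss_release_cred(&minor, &deleg_cred);` next to the existing `gss_release_buffer` call. Separately, passing `GSS_C_NO_CREDENTIAL` as the acceptor credential means the mechanism must acquire a default acceptor credential itself, and on a host with no keytab I would expect most inputs to be rejected before the token is parsed; if that is the case the harness should either say so in a comment or build a credential in `LLVMFuzzerInitialize`.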
diff --git a/src/tests/fuzzing/fuzz_gss_seed_corpus/start_accept_context.bin b/src/tests/fuzzing/fuzz_gss_seed_corpus/start_accept_context.bin Binary files differnew file mode 100644 index 0000000..980b648 --- /dev/null +++ b/src/tests/fuzzing/fuzz_gss_seed_corpus/start_accept_context.bin diff --git a/src/tests/fuzzing/fuzz_json.c b/src/tests/fuzzing/fuzz_json.c new file mode 100644 index 0000000..0d97012 --- /dev/null +++ b/src/tests/fuzzing/fuzz_json.c 
@@ -0,0 +1,67 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* tests/fuzzing/fuzz_json.c */ +/* + * Copyright (C) 2024 by Arjun. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * Fuzzing harness implementation for k5_json_decode. 
+ */ + +#include "autoconf.h" +#include <k5-int.h> +#include <krb5.h> +#include <k5-json.h> +#include <string.h> + +#define kMinInputLength 2 +#define kMaxInputLength 1024 + +extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size); + +int +LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) +{ + krb5_error_code ret; + char *data_in; + k5_json_value decoded; + + if (size < kMinInputLength || size > kMaxInputLength) + return 0; + + data_in = k5memdup0(data, size, &ret); + if (data_in == NULL) + return 0; + + k5_json_decode(data_in, &decoded); + + free(data_in); + k5_json_release(decoded); + + return 0; +} diff --git a/src/tests/fuzzing/fuzz_json_seed_corpus/seed_1.json b/src/tests/fuzzing/fuzz_json_seed_corpus/seed_1.json new file mode 100644 index 0000000..ece1b84 --- /dev/null +++ b/src/tests/fuzzing/fuzz_json_seed_corpus/seed_1.json @@ -0,0 +1 @@ + "foo\"bar"
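Review bot: `decoded` is handed to `k5_json_release` uninitialised and without checking the return value of `k5_json_decode`, so teardown relies on the decoder writing `*val_out` on every error path; a decoder that returns early without doing so would pass garbage to the release call. Declaring it as `k5_json_value decoded = NULL;` makes the harness correct regardless, and wrapping the release in `if (k5_json_decode(data_in, &decoded) == 0)` documents the contract. Note also that `k5memdup0` produces a C string, so the decoder stops at the first 0x00 byte of an input containing one — harmless, but worth a one-line comment so nobody wonders why such inputs never reach the later stages of the parser.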
\ No newline at end of file diff --git a/src/tests/fuzzing/fuzz_json_seed_corpus/seed_2.json b/src/tests/fuzzing/fuzz_json_seed_corpus/seed_2.json new file mode 100644 index 0000000..f0bd59c --- /dev/null +++ b/src/tests/fuzzing/fuzz_json_seed_corpus/seed_2.json @@ -0,0 +1 @@ +{ "k1" : { "k2" : "s2", "k3" : "s3" }, "k4" : "s4" }
\ No newline at end of file diff --git a/src/tests/fuzzing/fuzz_json_seed_corpus/seed_3.json b/src/tests/fuzzing/fuzz_json_seed_corpus/seed_3.json new file mode 100644 index 0000000..9c4eec7 --- /dev/null +++ b/src/tests/fuzzing/fuzz_json_seed_corpus/seed_3.json @@ -0,0 +1 @@ + [ -1 ]
\ No newline at end of file diff --git a/src/tests/fuzzing/fuzz_krad.c b/src/tests/fuzzing/fuzz_krad.c new file mode 100644 index 0000000..dbafbf1 --- /dev/null +++ b/src/tests/fuzzing/fuzz_krad.c 
@@ -0,0 +1,93 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* tests/fuzzing/fuzz_krad.c */ +/* + * Copyright (C) 2024 by Arjun. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * Fuzzing harness implementation for krad_packet_decode_response, + * krad_packet_decode_request. 
+ */ + +#include "autoconf.h" +#include <k5-int.h> +#include <krad.h> + +#define kMinInputLength 2 +#define kMaxInputLength 1024 + +static krad_packet *packets[3]; + +static const krad_packet * +iterator(void *data, krb5_boolean cancel) +{ + krad_packet *tmp; + int *i = data; + + if (cancel || packets[*i] == NULL) + return NULL; + + tmp = packets[*i]; + *i += 1; + return tmp; +} + +extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size); + +int +LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) +{ + int i; + krb5_context ctx; + krb5_data data_in; + const char *secret = "f"; + const krad_packet *req_1 = NULL, *req_2 = NULL; + krad_packet *rsp_1 = NULL, *rsp_2 = NULL; + + if (size < kMinInputLength || size > kMaxInputLength) + return 0; + + if (krb5_init_context(&ctx) != 0) + return 0; + + data_in = make_data((void *)data, size); + + i = 0; + krad_packet_decode_response(ctx, secret, &data_in, iterator, &i, + &req_1, &rsp_1); + + i = 0; + krad_packet_decode_request(ctx, secret, &data_in, iterator, &i, + &req_2, &rsp_2); + + krad_packet_free(rsp_1); + krad_packet_free(rsp_2); + krb5_free_context(ctx); + + return 0; +} diff --git a/src/tests/fuzzing/fuzz_krad_seed_corpus/do_auth_1.bin b/src/tests/fuzzing/fuzz_krad_seed_corpus/do_auth_1.bin Binary files differnew file mode 100644 index 0000000..02eb9a1 --- /dev/null +++ b/src/tests/fuzzing/fuzz_krad_seed_corpus/do_auth_1.bin diff --git a/src/tests/fuzzing/fuzz_krb5_ticket.c b/src/tests/fuzzing/fuzz_krb5_ticket.c new file mode 100644 index 0000000..a88f753 --- /dev/null +++ b/src/tests/fuzzing/fuzz_krb5_ticket.c 
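Review bot: `packets[]` is declared but, as far as this hunk shows, never populated, so `iterator` returns NULL on its first call and neither `krad_packet_decode_response` nor `krad_packet_decode_request` ever reaches the request-matching path the iterator is presumably there to exercise; the harness effectively fuzzes only the raw packet decode. Either fill it in an `LLVMFuzzerInitialize` (for example a request built with `krad_packet_new_request` under the same `secret`, so a response with a matching id is verified against it) or drop the iterator and pass `NULL` so the intent is explicit. A comment on `packets` stating what it is meant to hold would stop the next reader assuming it is filled somewhere else.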
@@ -0,0 +1,67 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* tests/fuzzing/fuzz_krb5_ticket.c */ +/* + * Copyright (C) 2024 by Arjun. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * Fuzzing harness implementation for krb5_decode_ticket. 
+ */ + +#include "autoconf.h" +#include <k5-int.h> +#include <krb5.h> +#include <string.h> + +#define kMinInputLength 2 +#define kMaxInputLength 2048 + +extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size); + +int +LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) +{ + krb5_data data_in; + krb5_ticket *ticket; + krb5_context context; + + if (size < kMinInputLength || size > kMaxInputLength) + return 0; + + data_in = make_data((void *)data, size); + + if (krb5_init_context(&context) != 0) + return 0; + + krb5_decode_ticket(&data_in, &ticket); + + krb5_free_ticket(context, ticket); + krb5_free_context(context); + + return 0; +} diff --git a/src/tests/fuzzing/fuzz_krb5_ticket_seed_corpus/gcred.bin b/src/tests/fuzzing/fuzz_krb5_ticket_seed_corpus/gcred.bin Binary files differnew file mode 100644 index 0000000..645576f --- /dev/null +++ b/src/tests/fuzzing/fuzz_krb5_ticket_seed_corpus/gcred.bin diff --git a/src/tests/fuzzing/fuzz_krb5_ticket_seed_corpus/s4u2proxy.bin b/src/tests/fuzzing/fuzz_krb5_ticket_seed_corpus/s4u2proxy.bin Binary files differnew file mode 100644 index 0000000..1987764 --- /dev/null +++ b/src/tests/fuzzing/fuzz_krb5_ticket_seed_corpus/s4u2proxy.bin diff --git a/src/tests/fuzzing/fuzz_marshal_cred.c b/src/tests/fuzzing/fuzz_marshal_cred.c new file mode 100644 index 0000000..7181ab9 --- /dev/null +++ b/src/tests/fuzzing/fuzz_marshal_cred.c 
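Review bot: `ticket` is uninitialised and the return value of `krb5_decode_ticket` is ignored, so `krb5_free_ticket` is reached with whatever the decoder left in `ticket` on failure; that only works if every error path in the decoder writes `*rep_out` first. `krb5_ticket *ticket = NULL;` plus `if (krb5_decode_ticket(&data_in, &ticket) == 0)` around the free removes that dependency. `krb5_decode_ticket` itself takes no context, so the per-input `krb5_init_context`/`krb5_free_context` pair exists only to satisfy `krb5_free_ticket` and could move to `LLVMFuzzerInitialize`, which also stops every iteration re-reading the profile.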
@@ -0,0 +1,66 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* tests/fuzzing/fuzz_marshal_cred.c */ +/* + * Copyright (C) 2024 by Arjun. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * Fuzzing harness implementation for k5_unmarshal_cred. 
+ */ + +#include "autoconf.h" +#include <cc-int.h> + +#define FIRST_VERSION 1 + +#define kMinInputLength 2 +#define kMaxInputLength 1024 + +extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size); + +int +LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) +{ + int version; + krb5_creds cred = { 0 }; + krb5_context context; + + if (size < kMinInputLength || size > kMaxInputLength) + return 0; + + if (krb5_init_context(&context) != 0) + return 0; + + for (version = FIRST_VERSION; version <= 4; version++) { + k5_unmarshal_cred(data, size, version, &cred); + krb5_free_cred_contents(context, &cred); + } + + krb5_free_context(context); + return 0; +} diff --git a/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_1_input_1.bin b/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_1_input_1.bin Binary files differnew file mode 100644 index 0000000..829e71f --- /dev/null +++ b/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_1_input_1.bin diff --git a/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_1_input_2.bin b/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_1_input_2.bin Binary files differnew file mode 100644 index 0000000..194215e --- /dev/null +++ b/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_1_input_2.bin diff --git a/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_1_input_4.bin b/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_1_input_4.bin Binary files differnew file mode 100644 index 0000000..2c9a95c --- /dev/null +++ b/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_1_input_4.bin diff --git a/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_2_input_1.bin b/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_2_input_1.bin Binary files differnew file mode 100644 index 0000000..f2c350d --- /dev/null +++ b/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_2_input_1.bin 
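Review bot: The loop bound `version <= 4` is a magic number sitting next to the named `FIRST_VERSION`, and nothing says what versions 1 through 4 are; pair it with `#define LAST_VERSION 4`, loop `version <= LAST_VERSION`, and add a comment such as `/* Exercise every marshalling format version the unmarshaller accepts. */`. The return value of `k5_unmarshal_cred` is also discarded, so on a failed parse `krb5_free_cred_contents` releases whatever the unmarshaller left in `cred`; that is fine only if the library cleans up partial results on error, which I cannot confirm from this hunk, so a comment stating that assumption would help.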
diff --git a/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_2_input_2.bin b/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_2_input_2.bin Binary files differnew file mode 100644 index 0000000..7e4a9da --- /dev/null +++ b/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_2_input_2.bin diff --git a/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_2_input_4.bin b/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_2_input_4.bin Binary files differnew file mode 100644 index 0000000..e1fc4df --- /dev/null +++ b/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_2_input_4.bin diff --git a/src/tests/fuzzing/fuzz_marshal_princ.c b/src/tests/fuzzing/fuzz_marshal_princ.c new file mode 100644 index 0000000..e421ff3 --- /dev/null +++ b/src/tests/fuzzing/fuzz_marshal_princ.c 
@@ -0,0 +1,66 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/fuzzing/fuzz_marshal_princ.c */
+/*
+ * Copyright (C) 2024 by Arjun. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Fuzzing harness implementation for k5_unmarshal_princ.
+ */
+
+#include "autoconf.h"
+#include <cc-int.h>
+
+#define FIRST_VERSION 1
+
+#define kMinInputLength 2
+#define kMaxInputLength 1024
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ int version;
+ krb5_principal princ;
+ krb5_context context;
+
+ if (size < kMinInputLength || size > kMaxInputLength)
+ return 0;
+
+ if (krb5_init_context(&context) != 0)
+ return 0;
+
+ for (version = FIRST_VERSION; version <= 4; version++) {
+ k5_unmarshal_princ(data, size, version, &princ);
+ krb5_free_principal(context, princ);
+ }
+
+ krb5_free_context(context);
+ return 0;
+}
diff --git a/src/tests/fuzzing/fuzz_marshal_princ_seed_corpus/princ_input_1.bin b/src/tests/fuzzing/fuzz_marshal_princ_seed_corpus/princ_input_1.bin
Binary files differ
new file mode 100644
index 0000000..f6f1af0
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_marshal_princ_seed_corpus/princ_input_1.bin
diff --git a/src/tests/fuzzing/fuzz_marshal_princ_seed_corpus/princ_input_2.bin b/src/tests/fuzzing/fuzz_marshal_princ_seed_corpus/princ_input_2.bin
Binary files differ
new file mode 100644
index 0000000..fb55f77
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_marshal_princ_seed_corpus/princ_input_2.bin
diff --git a/src/tests/fuzzing/fuzz_marshal_princ_seed_corpus/princ_input_4.bin b/src/tests/fuzzing/fuzz_marshal_princ_seed_corpus/princ_input_4.bin
Binary files differ
new file mode 100644
index 0000000..0259f34
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_marshal_princ_seed_corpus/princ_input_4.bin
diff --git a/src/tests/fuzzing/fuzz_ndr.c b/src/tests/fuzzing/fuzz_ndr.c
new file mode 100644
index 0000000..4cc6daa
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_ndr.c
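Review bot: `krb5_principal princ;` is left uninitialized and the return value of `k5_unmarshal_princ` is discarded, so on a failed unmarshal `krb5_free_principal(context, princ)` receives whatever happens to be in `princ` unless the callee assigns `*princ_out` on every failure path, which this hunk cannot show. The sibling fuzz_marshal_cred.c harness zero-initializes its `cred` before the loop; this one should do the same and free only what was actually produced: `krb5_principal princ = NULL;` and then `if (k5_unmarshal_princ(data, size, version, &princ) == 0)` / `    krb5_free_principal(context, princ);`. The same free-regardless-of-result pattern appears in fuzz_pac.c (`krb5_pac pac;` freed after `krb5_pac_parse`) and in fuzz_util.c's fuzz_name (`krb5_principal fuzzing;` freed after `krb5_parse_name`), and the fix is the same there. A crash in the harness itself is reported by the fuzzer as a finding against the library and costs triage time before anyone notices it is not one.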
@@ -0,0 +1,59 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/fuzzing/fuzz_ndr.c */
+/*
+ * Copyright (C) 2024 by Arjun. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Fuzzing harness implementation for ndr_dec_delegation_info.
+ */
+
+#include "autoconf.h"
+#include <k5-int.h>
+#include <kdc_util.h>
+
+#define kMinInputLength 2
+#define kMaxInputLength 1024
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ krb5_data data_in;
+ struct pac_s4u_delegation_info *di = NULL;
+
+ if (size < kMinInputLength || size > kMaxInputLength)
+ return 0;
+
+ data_in = make_data((void *)data, size);
+ ndr_dec_delegation_info(&data_in, &di);
+ ndr_free_delegation_info(di);
+
+ return 0;
+}
diff --git a/src/tests/fuzzing/fuzz_ndr_seed_corpus/s4u_di_double.bin b/src/tests/fuzzing/fuzz_ndr_seed_corpus/s4u_di_double.bin
Binary files differ
new file mode 100644
index 0000000..9c0e718
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_ndr_seed_corpus/s4u_di_double.bin
diff --git a/src/tests/fuzzing/fuzz_ndr_seed_corpus/s4u_di_long.bin b/src/tests/fuzzing/fuzz_ndr_seed_corpus/s4u_di_long.bin
Binary files differ
new file mode 100644
index 0000000..444bc46
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_ndr_seed_corpus/s4u_di_long.bin
diff --git a/src/tests/fuzzing/fuzz_pac.c b/src/tests/fuzzing/fuzz_pac.c
new file mode 100644
index 0000000..f9f5635
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_pac.c
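Review bot: `ndr_free_delegation_info(di)` runs whether or not `ndr_dec_delegation_info` succeeded, so the harness is relying on the decoder either leaving `di` at its initial NULL or assigning it on every failure path — plausible, but not visible in this hunk. Freeing only on success is cheap and matches how the helpers in fuzz_util.c in this same commit treat their decoders: `if (ndr_dec_delegation_info(&data_in, &di) == 0)` / `    ndr_free_delegation_info(di);`. If the unconditional free is deliberate because the decoder cleans up after itself on error, a one-line comment stating that (`/* ndr_dec_delegation_info leaves *di NULL on failure. */`) would save the next reader from checking.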
@@ -0,0 +1,62 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/fuzzing/fuzz_pac.c */
+/*
+ * Copyright (C) 2024 by Arjun. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Fuzzing harness implementation for krb5_pac_parse.
+ */
+
+#include "autoconf.h"
+#include <k5-int.h>
+
+#define kMinInputLength 2
+#define kMaxInputLength 1024
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ krb5_pac pac;
+ krb5_context context;
+
+ if (size < kMinInputLength || size > kMaxInputLength)
+ return 0;
+
+ if (krb5_init_context(&context) != 0)
+ return 0;
+
+ krb5_pac_parse(context, data, size, &pac);
+
+ krb5_pac_free(context, pac);
+ krb5_free_context(context);
+
+ return 0;
+}
diff --git a/src/tests/fuzzing/fuzz_pac_seed_corpus/s4u_pac_regular.bin b/src/tests/fuzzing/fuzz_pac_seed_corpus/s4u_pac_regular.bin
Binary files differ
new file mode 100644
index 0000000..c163194
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_pac_seed_corpus/s4u_pac_regular.bin
diff --git a/src/tests/fuzzing/fuzz_pac_seed_corpus/saved_pac.bin b/src/tests/fuzzing/fuzz_pac_seed_corpus/saved_pac.bin
Binary files differ
new file mode 100644
index 0000000..6336bef
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_pac_seed_corpus/saved_pac.bin
diff --git a/src/tests/fuzzing/fuzz_profile.c b/src/tests/fuzzing/fuzz_profile.c
new file mode 100644
index 0000000..95a5b48
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_profile.c
@@ -0,0 +1,81 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/fuzzing/fuzz_profile.c */
+/*
+ * Copyright (C) 2024 by Arjun. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Fuzzing harness implementation for profile_parse_file.
+ */
+
+#include "autoconf.h"
+#include <prof_int.h>
+
+void dump_profile(struct profile_node *root, int level);
+
+#define kMinInputLength 2
+#define kMaxInputLength 1024
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ FILE *fp_w, *fp_r;
+ char file_name[256];
+ struct profile_node *root;
+
+ if (size < kMinInputLength || size > kMaxInputLength)
+ return 0;
+
+ snprintf(file_name, sizeof(file_name), "/tmp/libfuzzer.%d", getpid());
+
+ /* Write data into the file.*/
+ fp_w = fopen(file_name, "w");
+ if (!fp_w)
+ return 1;
+ fwrite(data, 1, size, fp_w);
+ fclose(fp_w);
+
+ /* Provide the file pointer to the parser. */
+ fp_r = fopen(file_name, "r");
+ if (!fp_r)
+ return 1;
+
+ initialize_prof_error_table();
+
+ if (profile_parse_file(fp_r, &root, NULL) == 0) {
+ profile_verify_node(root);
+ profile_free_node(root);
+ }
+
+ fclose(fp_r);
+ unlink(file_name);
+
+ return 0;
+}
diff --git a/src/tests/fuzzing/fuzz_profile_seed_corpus/final2.ini b/src/tests/fuzzing/fuzz_profile_seed_corpus/final2.ini
new file mode 100644
index 0000000..827ec25
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_profile_seed_corpus/final2.ini
@@ -0,0 +1,5 @@
+# In this variant the relation is marked final.
+[section]
+ subsection = {
+ key* = value2
+ }
diff --git a/src/tests/fuzzing/fuzz_profile_seed_corpus/final3.ini b/src/tests/fuzzing/fuzz_profile_seed_corpus/final3.ini
new file mode 100644
index 0000000..dcf0ca9
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_profile_seed_corpus/final3.ini
@@ -0,0 +1,6 @@
+# In this variant the subsection is marked final via a '*' at the end
+# of the tag name.
+[section]
+ subsection* = {
+ key = value3
+ }
diff --git a/src/tests/fuzzing/fuzz_profile_seed_corpus/final4.ini b/src/tests/fuzzing/fuzz_profile_seed_corpus/final4.ini
new file mode 100644
index 0000000..dcba078
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_profile_seed_corpus/final4.ini
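Review bot: The round trip through `/tmp/libfuzzer.<pid>` is unnecessary: `profile_parse_file` takes a `FILE *`, and `fmemopen((void *)data, size, "r")` supplies one straight from the fuzzer's buffer, which removes the per-iteration disk write, the unchecked `fwrite` result and the use of a predictable file name in a shared directory. With that the `fp_w`/`file_name` block and the `unlink` disappear and the read side becomes `fp_r = fmemopen((void *)data, size, "r");` / `if (fp_r == NULL)` / `    return 0;`. Separately, the two `return 1` paths should return 0: libFuzzer reserves non-zero return values from LLVMFuzzerTestOneInput, and every other harness in this commit returns 0 when setup fails. The `void dump_profile(struct profile_node *root, int level);` prototype is declared but never used in this file and looks like a leftover from a debugging build.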
@@ -0,0 +1,6 @@
+# In this variant the subsection is marked final via a '*' after the
+# closing brace.
+[section]
+ subsection = {
+ key = value4
+ }*
diff --git a/src/tests/fuzzing/fuzz_profile_seed_corpus/final5.ini b/src/tests/fuzzing/fuzz_profile_seed_corpus/final5.ini
new file mode 100644
index 0000000..58cd57d
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_profile_seed_corpus/final5.ini
@@ -0,0 +1,5 @@
+# In this variant the top-level section is marked final.
+[section]*
+ subsection = {
+ key = value5
+ }
diff --git a/src/tests/fuzzing/fuzz_profile_seed_corpus/modtest.conf b/src/tests/fuzzing/fuzz_profile_seed_corpus/modtest.conf
new file mode 100644
index 0000000..7ef0971
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_profile_seed_corpus/modtest.conf
@@ -0,0 +1 @@
+module /home/dark/Desktop/krb5/src/util/profile/testmod/proftest.so-nobuild:teststring
diff --git a/src/tests/fuzzing/fuzz_profile_seed_corpus/test3.ini b/src/tests/fuzzing/fuzz_profile_seed_corpus/test3.ini
new file mode 100644
index 0000000..97f524a
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_profile_seed_corpus/test3.ini
@@ -0,0 +1,3 @@
+[section]
+ var = value
+
diff --git a/src/tests/fuzzing/fuzz_profile_seed_corpus/testinc.ini b/src/tests/fuzzing/fuzz_profile_seed_corpus/testinc.ini
new file mode 100644
index 0000000..31136f3
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_profile_seed_corpus/testinc.ini
@@ -0,0 +1,6 @@
+[sec1]
+var = {
+a = 1
+include testinc2.ini
+c = 3
+}
diff --git a/src/tests/fuzzing/fuzz_profile_seed_corpus/testinc2.ini b/src/tests/fuzzing/fuzz_profile_seed_corpus/testinc2.ini
new file mode 100644
index 0000000..35ea95f
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_profile_seed_corpus/testinc2.ini
@@ -0,0 +1,2 @@
+[sec2]
+b = 2
diff --git a/src/tests/fuzzing/fuzz_util.c b/src/tests/fuzzing/fuzz_util.c
new file mode 100644
index 0000000..8779b4c
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_util.c
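Review bot: The modtest.conf seed commits an absolute path from a developer's workstation (`/home/dark/Desktop/krb5/...`); a seed only needs to give the parser a syntactically representative `module` line, so a neutral value such as `module /nonexistent/proftest.so:teststring` keeps the same input shape without personal environment details in the repository. fuzz_profile.c only hands the input to profile_parse_file, so nothing in this commit appears to depend on that path resolving to a real file.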
@@ -0,0 +1,120 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/fuzzing/fuzz_util.c */
+/*
+ * Copyright (C) 2024 by Arjun. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Fuzzing harness implementation for k5_base64_decode, k5_hex_decode
+ * krb5_parse_name and k5_parse_host_string.
+ */
+
+#include "autoconf.h"
+#include <k5-int.h>
+#include <k5-base64.h>
+#include <k5-hex.h>
+#include <string.h>
+
+#define kMinInputLength 2
+#define kMaxInputLength 256
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+static void
+fuzz_base64(const char *data_in, size_t size)
+{
+ size_t len;
+
+ free(k5_base64_encode(data_in, size));
+ free(k5_base64_decode(data_in, &len));
+}
+
+static void
+fuzz_hex(const char *data_in, size_t size)
+{
+ char *hex;
+ uint8_t *bytes;
+ size_t len;
+
+ if (k5_hex_encode(data_in, size, 0, &hex) == 0)
+ free(hex);
+
+ if (k5_hex_encode(data_in, size, 1, &hex) == 0)
+ free(hex);
+
+ if (k5_hex_decode(data_in, &bytes, &len) == 0)
+ free(bytes);
+}
+
+static void
+fuzz_name(const char *data_in, size_t size)
+{
+ krb5_context context;
+ krb5_principal fuzzing;
+
+ if (krb5_init_context(&context) != 0)
+ return;
+
+ krb5_parse_name(context, data_in, &fuzzing);
+
+ krb5_free_principal(context, fuzzing);
+ krb5_free_context(context);
+}
+
+static void
+fuzz_parse_host(const char *data_in, size_t size)
+{
+ char *host_out = NULL;
+ int port_out = -1;
+
+ if (k5_parse_host_string(data_in, 1, &host_out, &port_out) == 0)
+ free(host_out);
+}
+
+extern int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ krb5_error_code ret;
+ char *data_in;
+
+ if (size < kMinInputLength || size > kMaxInputLength)
+ return 0;
+
+ data_in = k5memdup0(data, size, &ret);
+ if (data_in == NULL)
+ return 0;
+
+ fuzz_base64(data_in, size);
+ fuzz_hex(data_in, size);
+ fuzz_name(data_in, size);
+ fuzz_parse_host(data_in, size);
+
+ free(data_in);
+
+ return 0;
+}
diff --git a/src/tests/fuzzing/fuzz_util_seed_corpus/base64.txt b/src/tests/fuzzing/fuzz_util_seed_corpus/base64.txt
new file mode 100644
index 0000000..68c422c
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_util_seed_corpus/base64.txt
@@ -0,0 +1 @@
+YWJjOmRlZg==
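Review bot: `size` is unused in `fuzz_name` and `fuzz_parse_host` — both only consume the NUL-terminated copy — so a `-Wunused-parameter` build warns on each; either drop the parameter from those two helpers or add `(void)size;`. The definition `extern int LLVMFuzzerTestOneInput(...)` carries an `extern` storage class that none of the other harnesses in this commit put on the definition (they declare the prototype `extern` and define it as plain `int`), and the definition here should match. Since `k5memdup0` appears to produce a NUL-terminated copy, an input with an embedded NUL is silently truncated for the string-based parsers while `k5_base64_encode` and `k5_hex_encode` still see all `size` bytes; a comment such as `/* String parsers only see data up to the first NUL. */` above the helper calls would make that asymmetry explicit.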
diff --git a/src/tests/fuzzing/fuzz_util_seed_corpus/hax.txt b/src/tests/fuzzing/fuzz_util_seed_corpus/hax.txt
new file mode 100644
index 0000000..c747d34
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_util_seed_corpus/hax.txt
@@ -0,0 +1 @@
+3031323334353637
diff --git a/src/tests/fuzzing/fuzz_util_seed_corpus/host.txt b/src/tests/fuzzing/fuzz_util_seed_corpus/host.txt
new file mode 100644
index 0000000..b396832
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_util_seed_corpus/host.txt
@@ -0,0 +1 @@
+test.example:75
diff --git a/src/tests/fuzzing/fuzz_util_seed_corpus/name.txt b/src/tests/fuzzing/fuzz_util_seed_corpus/name.txt
new file mode 100644
index 0000000..db95221
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_util_seed_corpus/name.txt
@@ -0,0 +1 @@
+/b@R
diff --git a/src/tests/fuzzing/oss-fuzz.sh b/src/tests/fuzzing/oss-fuzz.sh
new file mode 100644
index 0000000..868d0db
--- /dev/null
+++ b/src/tests/fuzzing/oss-fuzz.sh
@@ -0,0 +1,27 @@
+#!/bin/bash -eu
+
+# This script plays the role of build.sh in OSS-Fuzz. If only minor
+# changes are required such as changing the fuzzing targets, a PR in
+# the OSS-Fuzz repository is not needed and they can be done here.
+
+# Compile krb5 for oss-fuzz.
+pushd src/
+autoreconf
+./configure CFLAGS="-fcommon $CFLAGS" CXXFLAGS="-fcommon $CXXFLAGS" \
+ --enable-static --disable-shared --enable-ossfuzz
+make
+popd
+
+# Copy fuzz targets and seed corpus to $OUT.
+pushd src/tests/fuzzing
+
+fuzzers=("fuzz_chpw" "fuzz_gss" "fuzz_json" "fuzz_krad" "fuzz_krb5_ticket"
+ "fuzz_marshal_cred" "fuzz_marshal_princ" "fuzz_ndr" "fuzz_pac"
+ "fuzz_profile" "fuzz_util")
+
+for fuzzer in "${fuzzers[@]}"; do
+ cp "$fuzzer" "$OUT/$fuzzer"
+ zip -r "${OUT}/${fuzzer}_seed_corpus.zip" "${fuzzer}_seed_corpus"
+done
+
+popd
|
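Review bot: The `fuzzers` array is a second hand-maintained copy of the target list that has to be kept in step with the fuzzing Makefile: a harness added there but not here is silently left out of the OSS-Fuzz build, while one listed here but not built aborts the script at `cp` under `-e`. Deriving the list from what was actually built removes the drift, e.g. `for fuzzer in fuzz_*; do` / `    [ -f "$fuzzer" ] && [ -x "$fuzzer" ] || continue`, which skips the `.o` files and the `_seed_corpus` directories that share the prefix (sources are not normally executable). With `-u` in effect `$CFLAGS`, `$CXXFLAGS` and `$OUT` must all be set by the caller; `${CFLAGS:-}` and `${CXXFLAGS:-}` on the configure line would let the build step also run outside the OSS-Fuzz container. `zip -r` on a missing seed-corpus directory likewise fails under `-e`, so either every harness must ship a corpus directory or the zip step needs a `[ -d "${fuzzer}_seed_corpus" ]` guard.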