krb5 commit: Add OSS-Fuzz targets and corpora

ghudson at mit.edu ghudson at mit.edu
Tue May 28 16:34:05 EDT 2024


https://github.com/krb5/krb5/commit/c3dccd348e3c557cbc34b3be0cbc13aff1bfa144
commit c3dccd348e3c557cbc34b3be0cbc13aff1bfa144
Author: Arjun <pkillarjun at protonmail.com>
Date:   Thu May 9 21:13:03 2024 +0530

    Add OSS-Fuzz targets and corpora
    
    [ghudson at mit.edu: style adjustments]
    
    bigredbutton: whitespace

 .gitignore                                         |  12 +++
 NOTICE                                             |  29 +++++
 doc/build/options2configure.rst                    |   3 +
 doc/notice.rst                                     |  31 ++++++
 src/config/pre.in                                  |   1 +
 src/configure.ac                                   |  19 ++++
 src/tests/Makefile.in                              |   3 +-
 src/tests/fuzzing/Makefile.in                      |  88 +++++++++++++++
 src/tests/fuzzing/README                           |  26 +++++
 src/tests/fuzzing/deps                             | 117 ++++++++++++++++++++
 src/tests/fuzzing/fuzz_chpw.c                      |  65 +++++++++++
 .../fuzz_chpw_seed_corpus/result_ad_age.bin        | Bin 0 -> 30 bytes
 .../fuzz_chpw_seed_corpus/result_ad_all.bin        | Bin 0 -> 30 bytes
 .../fuzz_chpw_seed_corpus/result_ad_complex.bin    | Bin 0 -> 30 bytes
 .../fuzz_chpw_seed_corpus/result_ad_history.bin    | Bin 0 -> 30 bytes
 .../fuzz_chpw_seed_corpus/result_ad_length.bin     | Bin 0 -> 30 bytes
 .../fuzz_chpw_seed_corpus/result_invalid_utf8.bin  | Bin 0 -> 19 bytes
 .../fuzzing/fuzz_chpw_seed_corpus/result_utf8.bin  |   1 +
 src/tests/fuzzing/fuzz_gss.c                       |  73 +++++++++++++
 .../fuzz_gss_seed_corpus/establish_contexts_ex.bin | Bin 0 -> 469 bytes
 .../gss_accept_sec_context_kerberos.bin            | Bin 0 -> 599 bytes
 .../gss_accept_sec_context_spnego.bin              | Bin 0 -> 664 bytes
 .../fuzz_gss_seed_corpus/start_accept_context.bin  | Bin 0 -> 212 bytes
 src/tests/fuzzing/fuzz_json.c                      |  67 ++++++++++++
 .../fuzzing/fuzz_json_seed_corpus/seed_1.json      |   1 +
 .../fuzzing/fuzz_json_seed_corpus/seed_2.json      |   1 +
 .../fuzzing/fuzz_json_seed_corpus/seed_3.json      |   1 +
 src/tests/fuzzing/fuzz_krad.c                      |  93 ++++++++++++++++
 .../fuzzing/fuzz_krad_seed_corpus/do_auth_1.bin    | Bin 0 -> 20 bytes
 src/tests/fuzzing/fuzz_krb5_ticket.c               |  67 ++++++++++++
 .../fuzzing/fuzz_krb5_ticket_seed_corpus/gcred.bin | Bin 0 -> 470 bytes
 .../fuzz_krb5_ticket_seed_corpus/s4u2proxy.bin     | Bin 0 -> 505 bytes
 src/tests/fuzzing/fuzz_marshal_cred.c              |  66 ++++++++++++
 .../cred_1_input_1.bin                             | Bin 0 -> 165 bytes
 .../cred_1_input_2.bin                             | Bin 0 -> 173 bytes
 .../cred_1_input_4.bin                             | Bin 0 -> 173 bytes
 .../cred_2_input_1.bin                             | Bin 0 -> 113 bytes
 .../cred_2_input_2.bin                             | Bin 0 -> 121 bytes
 .../cred_2_input_4.bin                             | Bin 0 -> 121 bytes
 src/tests/fuzzing/fuzz_marshal_princ.c             |  66 ++++++++++++
 .../princ_input_1.bin                              | Bin 0 -> 33 bytes
 .../princ_input_2.bin                              | Bin 0 -> 37 bytes
 .../princ_input_4.bin                              | Bin 0 -> 37 bytes
 src/tests/fuzzing/fuzz_ndr.c                       |  59 ++++++++++
 .../fuzzing/fuzz_ndr_seed_corpus/s4u_di_double.bin | Bin 0 -> 264 bytes
 .../fuzzing/fuzz_ndr_seed_corpus/s4u_di_long.bin   | Bin 0 -> 184 bytes
 src/tests/fuzzing/fuzz_pac.c                       |  62 +++++++++++
 .../fuzz_pac_seed_corpus/s4u_pac_regular.bin       | Bin 0 -> 624 bytes
 .../fuzzing/fuzz_pac_seed_corpus/saved_pac.bin     | Bin 0 -> 624 bytes
 src/tests/fuzzing/fuzz_profile.c                   |  81 ++++++++++++++
 .../fuzzing/fuzz_profile_seed_corpus/final2.ini    |   5 +
 .../fuzzing/fuzz_profile_seed_corpus/final3.ini    |   6 ++
 .../fuzzing/fuzz_profile_seed_corpus/final4.ini    |   6 ++
 .../fuzzing/fuzz_profile_seed_corpus/final5.ini    |   5 +
 .../fuzzing/fuzz_profile_seed_corpus/modtest.conf  |   1 +
 .../fuzzing/fuzz_profile_seed_corpus/test3.ini     |   3 +
 .../fuzzing/fuzz_profile_seed_corpus/testinc.ini   |   6 ++
 .../fuzzing/fuzz_profile_seed_corpus/testinc2.ini  |   2 +
 src/tests/fuzzing/fuzz_util.c                      | 120 +++++++++++++++++++++
 src/tests/fuzzing/fuzz_util_seed_corpus/base64.txt |   1 +
 src/tests/fuzzing/fuzz_util_seed_corpus/hax.txt    |   1 +
 src/tests/fuzzing/fuzz_util_seed_corpus/host.txt   |   1 +
 src/tests/fuzzing/fuzz_util_seed_corpus/name.txt   |   1 +
 src/tests/fuzzing/oss-fuzz.sh                      |  27 +++++
 64 files changed, 1216 insertions(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index bfbf45ab6..db1478fed 100644
--- a/.gitignore
+++ b/.gitignore
@@ -433,6 +433,18 @@ local.properties
 
 /src/tests/create/kdb5_mkdums
 
+/src/tests/fuzzing/fuzz_chpw
+/src/tests/fuzzing/fuzz_gss
+/src/tests/fuzzing/fuzz_json
+/src/tests/fuzzing/fuzz_krad
+/src/tests/fuzzing/fuzz_krb5_ticket
+/src/tests/fuzzing/fuzz_marshal_cred
+/src/tests/fuzzing/fuzz_marshal_princ
+/src/tests/fuzzing/fuzz_ndr
+/src/tests/fuzzing/fuzz_pac
+/src/tests/fuzzing/fuzz_profile
+/src/tests/fuzzing/fuzz_util
+
 /src/tests/gss-threads/gss-client
 /src/tests/gss-threads/gss-server
 
diff --git a/NOTICE b/NOTICE
index d67369ddb..9788c8e7b 100644
--- a/NOTICE
+++ b/NOTICE
@@ -1329,3 +1329,32 @@ DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
 PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
 TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 PERFORMANCE OF THIS SOFTWARE.
+
+======================================================================
+
+The following notice applies to files in "src/tests/fuzzing":
+
+Copyright (C) 2024 by Arjun. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+* Redistributions of source code must retain the above copyright
+  notice, this list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright
+  notice, this list of conditions and the following disclaimer in the
+  documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/doc/build/options2configure.rst b/doc/build/options2configure.rst
index e879b18bd..98e02ba3e 100644
--- a/doc/build/options2configure.rst
+++ b/doc/build/options2configure.rst
@@ -284,6 +284,9 @@ Optional features
     given, it controls the -fsanitize compilation flag value (the
     default is "address").
 
+**-**\ **-enable-ossfuzz**
+    Enable building fuzzing targets with OSS-Fuzz build support.
+
 
 Optional packages
 -----------------
diff --git a/doc/notice.rst b/doc/notice.rst
index 93e096ac4..dbb5a807d 100644
--- a/doc/notice.rst
+++ b/doc/notice.rst
@@ -1269,3 +1269,34 @@ SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
 OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+-------------------
+
+The following notice applies to files in ``src/tests/fuzzing``:
+
+Copyright (C) 2024 by Arjun. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+* Redistributions of source code must retain the above copyright
+  notice, this list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright
+  notice, this list of conditions and the following disclaimer in
+  the documentation and/or other materials provided with the
+  distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/src/config/pre.in b/src/config/pre.in
index a0c60c70b..39c417e43 100644
--- a/src/config/pre.in
+++ b/src/config/pre.in
@@ -177,6 +177,7 @@ LD = $(PURE) @LD@
 KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include
 LDFLAGS = @LDFLAGS@
 LIBS = @LIBS@
+FUZZ_LDFLAGS = @FUZZ_LDFLAGS@
 
 INSTALL=@INSTALL@
 INSTALL_STRIP=
diff --git a/src/configure.ac b/src/configure.ac
index 8c82fa487..464648079 100644
--- a/src/configure.ac
+++ b/src/configure.ac
@@ -439,6 +439,25 @@ fi
 AC_SUBST(ASAN_FLAGS)
 AC_SUBST(ASAN)
 
+# Build using OSS-Fuzz build processes for compiling fuzzing targets.
+# LIB_FUZZING_ENGINE is used for supporting various types of fuzzers.
+fuzz_dir=""
+FUZZ_LDFLAGS=
+AC_ARG_ENABLE([ossfuzz],
+  [AS_HELP_STRING([--enable-ossfuzz], [Build with fuzzing targets])],
+  [], [enable_ossfuzz=no])
+if test "$enable_ossfuzz" != no; then
+    # Check if LIB_FUZZING_ENGINE environment is not empty.
+    if test -z "$LIB_FUZZING_ENGINE"; then
+        AC_MSG_ERROR([LIB_FUZZING_ENGINE environment variable is not set])
+    fi
+    fuzz_dir="fuzzing"
+    FUZZ_LDFLAGS="$LIB_FUZZING_ENGINE"
+    K5_GEN_MAKEFILE(tests/fuzzing)
+fi
+AC_SUBST(fuzz_dir)
+AC_SUBST(FUZZ_LDFLAGS)
+
 # from old include/configure.in
 AH_TEMPLATE([HAVE_STRUCT_SOCKADDR_STORAGE],
 [Define if "struct sockaddr_storage" is available.])
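Review bot: LIB_FUZZING_ENGINE is read straight from the environment in the `--enable-ossfuzz` branch but is never declared to autoconf, so it is absent from `./configure --help` and is not recorded as a precious variable for a later `config.status --recheck`. Declaring it ahead of the `AC_ARG_ENABLE` call, e.g. `AC_ARG_VAR([LIB_FUZZING_ENGINE], [linker flags for the fuzzing engine (required by --enable-ossfuzz)])`, would cover both. The help string `[Build with fuzzing targets]` could also say that the option needs that variable, since configure otherwise stops at the `AC_MSG_ERROR`.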
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index d4539627d..1c69dc7f9 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -1,6 +1,7 @@
 mydir=tests
 BUILDTOP=$(REL)..
-SUBDIRS = asn.1 create hammer verify gssapi shlib gss-threads misc threads
+SUBDIRS = asn.1 create hammer verify gssapi shlib gss-threads misc threads \
+	@fuzz_dir@
 
 RUN_DB_TEST = $(RUN_SETUP) KRB5_KDC_PROFILE=kdc.conf KRB5_CONFIG=krb5.conf \
 	GSS_MECH_CONFIG=mech.conf LC_ALL=C $(VALGRIND)
diff --git a/src/tests/fuzzing/Makefile.in b/src/tests/fuzzing/Makefile.in
new file mode 100644
index 000000000..05dea371e
--- /dev/null
+++ b/src/tests/fuzzing/Makefile.in
@@ -0,0 +1,88 @@
+mydir=tests$(S)fuzzing
+BUILDTOP=$(REL)..$(S)..
+
+LOCALINCLUDES = -I$(srcdir)/../../lib/krb5/ccache -I$(srcdir)/../../kdc \
+	-I$(srcdir)/../../util/profile
+NDROBJ = $(BUILDTOP)/kdc/ndr.o
+
+OBJS = \
+	fuzz_chpw.o \
+	fuzz_gss.o \
+	fuzz_json.o \
+	fuzz_krad.o \
+	fuzz_krb5_ticket.o \
+	fuzz_marshal_cred.o \
+	fuzz_marshal_princ.o \
+	fuzz_ndr.o \
+	fuzz_pac.o \
+	fuzz_profile.o \
+	fuzz_util.o
+
+SRCS = \
+	$(srcdir)/fuzz_chpw.c \
+	$(srcdir)/fuzz_gss.c \
+	$(srcdir)/fuzz_json.c \
+	$(srcdir)/fuzz_krad.c \
+	$(srcdir)/fuzz_krb5_ticket.c \
+	$(srcdir)/fuzz_marshal_cred.c \
+	$(srcdir)/fuzz_marshal_princ.c \
+	$(srcdir)/fuzz_ndr.c \
+	$(srcdir)/fuzz_pac.c \
+	$(srcdir)/fuzz_profile.c \
+	$(srcdir)/fuzz_util.c
+
+FUZZ_TARGETS= \
+	fuzz_chpw \
+	fuzz_gss \
+	fuzz_json \
+	fuzz_krad \
+	fuzz_krb5_ticket \
+	fuzz_marshal_cred \
+	fuzz_marshal_princ \
+	fuzz_ndr \
+	fuzz_pac \
+	fuzz_profile \
+	fuzz_util
+
+all: $(FUZZ_TARGETS)
+
+# OSS-Fuzz requires fuzz targets to be linked with the C++ linker,
+# even if they are written in C.
+
+fuzz_chpw: fuzz_chpw.o $(SUPPORT_DEPLIB)
+	$(CXX_LINK) -o $@ fuzz_chpw.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS)
+
+fuzz_gss: fuzz_gss.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
+	$(CXX_LINK) -o $@ fuzz_gss.o $(GSS_LIBS) $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS)
+
+fuzz_json: fuzz_json.o $(KRB5_BASE_DEPLIBS)
+	$(CXX_LINK) -o $@ fuzz_json.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS)
+
+fuzz_krad: fuzz_krad.o $(KRB5_BASE_DEPLIBS)
+	$(CXX_LINK) -o $@ fuzz_krad.o -lkrad $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS)
+
+fuzz_krb5_ticket: fuzz_krb5_ticket.o $(KRB5_BASE_DEPLIBS)
+	$(CXX_LINK) -o $@ fuzz_krb5_ticket.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS)
+
+fuzz_marshal_cred: fuzz_marshal_cred.o $(KRB5_BASE_DEPLIBS)
+	$(CXX_LINK) -o $@ fuzz_marshal_cred.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS)
+
+fuzz_marshal_princ: fuzz_marshal_princ.o $(KRB5_BASE_DEPLIBS)
+	$(CXX_LINK) -o $@ fuzz_marshal_princ.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS)
+
+fuzz_ndr: fuzz_ndr.o $(KRB5_BASE_DEPLIBS)
+	$(CXX_LINK) -o $@ fuzz_ndr.o $(NDROBJ) $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS)
+
+fuzz_pac: fuzz_pac.o $(KRB5_BASE_DEPLIBS)
+	$(CXX_LINK) -o $@ fuzz_pac.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS)
+
+fuzz_profile: fuzz_profile.o $(KRB5_BASE_DEPLIBS)
+	$(CXX_LINK) -o $@ fuzz_profile.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS)
+
+fuzz_util: fuzz_util.o $(KRB5_BASE_DEPLIBS)
+	$(CXX_LINK) -o $@ fuzz_util.o $(KRB5_BASE_LIBS) $(FUZZ_LDFLAGS)
+
+install:
+
+clean:
+	$(RM) $(FUZZ_TARGETS)
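Review bot: The prerequisites of two link rules do not match what their recipes link. `fuzz_chpw` depends on `$(SUPPORT_DEPLIB)` while its recipe links `$(KRB5_BASE_LIBS)` like every other target, and `fuzz_ndr` links `$(NDROBJ)` without listing it, so neither target is relinked when those inputs change. The fuzz_ndr link presumably relies on the kdc directory having been built first, which this file does not show. I would write `fuzz_chpw: fuzz_chpw.o $(KRB5_BASE_DEPLIBS)` and `fuzz_ndr: fuzz_ndr.o $(NDROBJ) $(KRB5_BASE_DEPLIBS)`. `fuzz_krad` likewise links `-lkrad` with no prerequisite naming that library.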
diff --git a/src/tests/fuzzing/README b/src/tests/fuzzing/README
new file mode 100644
index 000000000..d1338249c
--- /dev/null
+++ b/src/tests/fuzzing/README
@@ -0,0 +1,26 @@
+This directory builds fuzzing targets for oss-fuzz compatibility.
+ If you wish to build it locally, you can do so by using the given
+ guide below. Note that it only works on GNU/Linux.
+
+Export flags required for building fuzzing targets.
+```bash
+export CC=clang
+export CXX=clang++
+export CFLAGS="-g -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize=fuzzer-no-link"
+export CXXFLAGS="-g -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize=fuzzer-no-link"
+export LIB_FUZZING_ENGINE="-fsanitize=fuzzer"
+```
+
+Compilation of the fuzzing targets.
+```bash
+autoreconf
+./configure CFLAGS="-fcommon $CFLAGS" CXXFLAGS="-fcommon $CXXFLAGS" \
+    --enable-static --disable-shared --enable-ossfuzz
+make
+```
+
+Running fuzzing targets.
+```bash
+mkdir fuzz_${TARGET}_corpus
+./fuzz_${TARGET} fuzz_${TARGET}_corpus/ fuzz_${TARGET}_seed_corpus
+```
diff --git a/src/tests/fuzzing/deps b/src/tests/fuzzing/deps
new file mode 100644
index 000000000..018fb4ed0
--- /dev/null
+++ b/src/tests/fuzzing/deps
@@ -0,0 +1,117 @@
+#
+# Generated makefile dependencies follow.
+#
+$(OUTPRE)fuzz_chpw.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+  $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
+  $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+  $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+  $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
+  $(top_srcdir)/include/socket-utils.h fuzz_chpw.c
+$(OUTPRE)fuzz_gss.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+  $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/krb5/krb5.h \
+  $(COM_ERR_DEPS) $(top_srcdir)/include/gssapi.h $(top_srcdir)/include/krb5.h \
+  fuzz_gss.c
+$(OUTPRE)fuzz_json.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+  $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
+  $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+  $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+  $(top_srcdir)/include/k5-json.h $(top_srcdir)/include/k5-platform.h \
+  $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+  $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
+  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
+  $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+  fuzz_json.c
+$(OUTPRE)fuzz_krad.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+  $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(VERTO_DEPS) \
+  $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+  $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+  $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+  $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+  $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krad.h \
+  $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
+  $(top_srcdir)/include/socket-utils.h fuzz_krad.c
+$(OUTPRE)fuzz_krb5_ticket.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+  $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
+  $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+  $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+  $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
+  $(top_srcdir)/include/socket-utils.h fuzz_krb5_ticket.c
+$(OUTPRE)fuzz_marshal_cred.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+  $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../lib/krb5/ccache/cc-int.h \
+  $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+  $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+  $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+  $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+  $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
+  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
+  $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+  fuzz_marshal_cred.c
+$(OUTPRE)fuzz_marshal_princ.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+  $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../lib/krb5/ccache/cc-int.h \
+  $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+  $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+  $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+  $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+  $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
+  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
+  $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+  fuzz_marshal_princ.c
+$(OUTPRE)fuzz_ndr.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+  $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
+  $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(VERTO_DEPS) \
+  $(srcdir)/../../kdc/kdc_util.h $(srcdir)/../../kdc/realm_data.h \
+  $(srcdir)/../../kdc/reqstate.h $(top_srcdir)/include/gssrpc/auth.h \
+  $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \
+  $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \
+  $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \
+  $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \
+  $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-buf.h \
+  $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+  $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+  $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \
+  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/kdcpreauth_plugin.h \
+  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/net-server.h \
+  $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+  fuzz_ndr.c
+$(OUTPRE)fuzz_pac.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+  $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
+  $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+  $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+  $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
+  $(top_srcdir)/include/socket-utils.h fuzz_pac.c
+$(OUTPRE)fuzz_profile.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../util/profile/prof_int.h \
+  $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-platform.h \
+  $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+  fuzz_profile.c
+$(OUTPRE)fuzz_util.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+  $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-base64.h \
+  $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+  $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-hex.h \
+  $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+  $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
+  $(top_srcdir)/include/socket-utils.h fuzz_util.c
diff --git a/src/tests/fuzzing/fuzz_chpw.c b/src/tests/fuzzing/fuzz_chpw.c
new file mode 100644
index 000000000..dfa6dfda6
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_chpw.c
@@ -0,0 +1,65 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/fuzzing/fuzz_chpw.c */
+/*
+ * Copyright (C) 2024 by Arjun. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Fuzzing harness implementation for krb5_chpw_message.
+ */
+
+#include "autoconf.h"
+#include <k5-int.h>
+
+#define kMinInputLength 2
+#define kMaxInputLength 512
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    char *msg;
+    krb5_data data_in;
+    krb5_context context;
+
+    if (size < kMinInputLength || size > kMaxInputLength)
+        return 0;
+
+    data_in = make_data((void *)data, size);
+
+    if (krb5_init_context(&context) != 0)
+        return 0;
+
+    if (krb5_chpw_message(context, &data_in, &msg) == 0)
+        free(msg);
+
+    krb5_free_context(context);
+
+    return 0;
+}
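Review bot: The size gate `if (size < kMinInputLength || size > kMaxInputLength)` has no stated rationale, and the lower bound of 2 keeps empty and one-byte result strings from ever reaching krb5_chpw_message, although a zero-length krb5_data looks like a legitimate input for it. Either drop the lower bound (`if (size > kMaxInputLength)`) or add a comment above the two `#define`s saying why inputs under 2 bytes are skipped and what the 512-byte cap is sized against. The same unexplained bounds appear in fuzz_gss.c and in the visible part of fuzz_json.c.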
diff --git a/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_age.bin b/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_age.bin
new file mode 100644
index 000000000..cf3ccef42
Binary files /dev/null and b/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_age.bin differ
diff --git a/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_all.bin b/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_all.bin
new file mode 100644
index 000000000..77f9336fd
Binary files /dev/null and b/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_all.bin differ
diff --git a/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_complex.bin b/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_complex.bin
new file mode 100644
index 000000000..7e9a56f99
Binary files /dev/null and b/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_complex.bin differ
diff --git a/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_history.bin b/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_history.bin
new file mode 100644
index 000000000..5682bd708
Binary files /dev/null and b/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_history.bin differ
diff --git a/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_length.bin b/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_length.bin
new file mode 100644
index 000000000..dda723cc1
Binary files /dev/null and b/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_ad_length.bin differ
diff --git a/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_invalid_utf8.bin b/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_invalid_utf8.bin
new file mode 100644
index 000000000..f1f4ef55f
Binary files /dev/null and b/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_invalid_utf8.bin differ
diff --git a/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_utf8.bin b/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_utf8.bin
new file mode 100644
index 000000000..3a20212ae
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_chpw_seed_corpus/result_utf8.bin
@@ -0,0 +1 @@
+This is a valid string.
\ No newline at end of file
diff --git a/src/tests/fuzzing/fuzz_gss.c b/src/tests/fuzzing/fuzz_gss.c
new file mode 100644
index 000000000..3c65f34fd
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_gss.c
@@ -0,0 +1,73 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/fuzzing/fuzz_gss.c */
+/*
+ * Copyright (C) 2024 by Arjun. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Fuzzing harness implementation for gss_accept_sec_context.
+ */
+
+#include "autoconf.h"
+#include <krb5.h>
+#include <gssapi.h>
+#include <string.h>
+
+#define kMinInputLength 2
+#define kMaxInputLength 1024
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    gss_OID doid;
+    OM_uint32 minor, ret_flags, time_rec;
+    gss_name_t client = GSS_C_NO_NAME;
+    gss_ctx_id_t context = GSS_C_NO_CONTEXT;
+    gss_cred_id_t deleg_cred = GSS_C_NO_CREDENTIAL;
+    gss_buffer_desc data_in, data_out = GSS_C_EMPTY_BUFFER;
+
+    if (size < kMinInputLength || size > kMaxInputLength)
+        return 0;
+
+    data_in.length = size;
+    data_in.value = (void *)data;
+
+    gss_accept_sec_context(&minor, &context, GSS_C_NO_CREDENTIAL,
+                           &data_in, GSS_C_NO_CHANNEL_BINDINGS, &client,
+                           &doid, &data_out, &ret_flags, &time_rec,
+                           &deleg_cred);
+
+    gss_release_buffer(&minor, &data_out);
+
+    if (context != GSS_C_NO_CONTEXT)
+        gss_delete_sec_context(&minor, &context, GSS_C_NO_BUFFER);
+
+    return 0;
+}
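Review bot: `client` and `deleg_cred` are passed to gss_accept_sec_context as output handles but are never released; only `data_out` and `context` are cleaned up. If an input drives the call far enough to populate either one, the harness leaks on that iteration, and a leak-checking sanitizer build would attribute the report to the harness rather than to the library. Adding `gss_release_name(&minor, &client);` and `gss_release_cred(&minor, &deleg_cred);` before the return closes this; both are expected to be no-ops while the handles still hold GSS_C_NO_NAME and GSS_C_NO_CREDENTIAL. The major status of gss_accept_sec_context is also discarded, which is reasonable for a harness but deserves a one-line comment saying so.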
diff --git a/src/tests/fuzzing/fuzz_gss_seed_corpus/establish_contexts_ex.bin b/src/tests/fuzzing/fuzz_gss_seed_corpus/establish_contexts_ex.bin
new file mode 100644
index 000000000..9e2a8d765
Binary files /dev/null and b/src/tests/fuzzing/fuzz_gss_seed_corpus/establish_contexts_ex.bin differ
diff --git a/src/tests/fuzzing/fuzz_gss_seed_corpus/gss_accept_sec_context_kerberos.bin b/src/tests/fuzzing/fuzz_gss_seed_corpus/gss_accept_sec_context_kerberos.bin
new file mode 100644
index 000000000..9bc9afdd7
Binary files /dev/null and b/src/tests/fuzzing/fuzz_gss_seed_corpus/gss_accept_sec_context_kerberos.bin differ
diff --git a/src/tests/fuzzing/fuzz_gss_seed_corpus/gss_accept_sec_context_spnego.bin b/src/tests/fuzzing/fuzz_gss_seed_corpus/gss_accept_sec_context_spnego.bin
new file mode 100644
index 000000000..a191e0a59
Binary files /dev/null and b/src/tests/fuzzing/fuzz_gss_seed_corpus/gss_accept_sec_context_spnego.bin differ
diff --git a/src/tests/fuzzing/fuzz_gss_seed_corpus/start_accept_context.bin b/src/tests/fuzzing/fuzz_gss_seed_corpus/start_accept_context.bin
new file mode 100644
index 000000000..980b6484d
Binary files /dev/null and b/src/tests/fuzzing/fuzz_gss_seed_corpus/start_accept_context.bin differ
diff --git a/src/tests/fuzzing/fuzz_json.c b/src/tests/fuzzing/fuzz_json.c
new file mode 100644
index 000000000..0d970125e
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_json.c
@@ -0,0 +1,67 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/fuzzing/fuzz_json.c */
+/*
+ * Copyright (C) 2024 by Arjun. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Fuzzing harness implementation for k5_json_decode.
+ */
+
+#include "autoconf.h"
+#include <k5-int.h>
+#include <krb5.h>
+#include <k5-json.h>
+#include <string.h>
+
+#define kMinInputLength 2
+#define kMaxInputLength 1024
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    krb5_error_code ret;
+    char *data_in;
+    k5_json_value decoded;
+
+    if (size < kMinInputLength || size > kMaxInputLength)
+        return 0;
+
+    data_in = k5memdup0(data, size, &ret);
+    if (data_in == NULL)
+        return 0;
+
+    k5_json_decode(data_in, &decoded);
+
+    free(data_in);
+    k5_json_release(decoded);
+
+    return 0;
+}
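Review bot: `decoded` is declared without an initializer and the return value of `k5_json_decode` is discarded, so the unconditional `k5_json_release(decoded)` is only safe if the decoder always stores NULL in its out-parameter on failure. That contract is not visible in this hunk. Declaring `k5_json_value decoded = NULL;`, or releasing only when the call returns 0, keeps the harness from reporting a bogus free of stack garbage if it ever changes. The same pattern appears with `ticket` in fuzz_krb5_ticket.c, `princ` in fuzz_marshal_princ.c (freed and reused on every loop iteration), `pac` in fuzz_pac.c and `fuzzing` in `fuzz_name()` in fuzz_util.c.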
diff --git a/src/tests/fuzzing/fuzz_json_seed_corpus/seed_1.json b/src/tests/fuzzing/fuzz_json_seed_corpus/seed_1.json
new file mode 100644
index 000000000..ece1b849b
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_json_seed_corpus/seed_1.json
@@ -0,0 +1 @@
+	 "foo\"bar" 
\ No newline at end of file
diff --git a/src/tests/fuzzing/fuzz_json_seed_corpus/seed_2.json b/src/tests/fuzzing/fuzz_json_seed_corpus/seed_2.json
new file mode 100644
index 000000000..f0bd59cb5
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_json_seed_corpus/seed_2.json
@@ -0,0 +1 @@
+{ "k1" : { "k2" : "s2", "k3" : "s3" }, "k4" : "s4" }
\ No newline at end of file
diff --git a/src/tests/fuzzing/fuzz_json_seed_corpus/seed_3.json b/src/tests/fuzzing/fuzz_json_seed_corpus/seed_3.json
new file mode 100644
index 000000000..9c4eec71e
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_json_seed_corpus/seed_3.json
@@ -0,0 +1 @@
+ [ -1 ]
\ No newline at end of file
diff --git a/src/tests/fuzzing/fuzz_krad.c b/src/tests/fuzzing/fuzz_krad.c
new file mode 100644
index 000000000..dbafbf164
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_krad.c
@@ -0,0 +1,93 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/fuzzing/fuzz_krad.c */
+/*
+ * Copyright (C) 2024 by Arjun. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Fuzzing harness implementation for krad_packet_decode_response,
+ * krad_packet_decode_request.
+ */
+
+#include "autoconf.h"
+#include <k5-int.h>
+#include <krad.h>
+
+#define kMinInputLength 2
+#define kMaxInputLength 1024
+
+static krad_packet *packets[3];
+
+static const krad_packet *
+iterator(void *data, krb5_boolean cancel)
+{
+    krad_packet *tmp;
+    int *i = data;
+
+    if (cancel || packets[*i] == NULL)
+        return NULL;
+
+    tmp = packets[*i];
+    *i += 1;
+    return tmp;
+}
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    int i;
+    krb5_context ctx;
+    krb5_data data_in;
+    const char *secret = "f";
+    const krad_packet *req_1 = NULL, *req_2 = NULL;
+    krad_packet *rsp_1 = NULL, *rsp_2 = NULL;
+
+    if (size < kMinInputLength || size > kMaxInputLength)
+        return 0;
+
+    if (krb5_init_context(&ctx) != 0)
+        return 0;
+
+    data_in = make_data((void *)data, size);
+
+    i = 0;
+    krad_packet_decode_response(ctx, secret, &data_in, iterator, &i,
+                                &req_1, &rsp_1);
+
+    i = 0;
+    krad_packet_decode_request(ctx, secret, &data_in, iterator, &i,
+                               &req_2, &rsp_2);
+
+    krad_packet_free(rsp_1);
+    krad_packet_free(rsp_2);
+    krb5_free_context(ctx);
+
+    return 0;
+}
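Review bot: Nothing in this file ever stores into `packets[]`, so `iterator` returns NULL on its first call and `krad_packet_decode_response` is never offered a request to match. The code that runs after a response is matched to a request is therefore presumably out of reach for this target. Either fill `packets[0]` once with a fixed request, or state the limitation above the array, e.g. `/* Left empty on purpose: only the no-matching-request path is exercised. */`.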
diff --git a/src/tests/fuzzing/fuzz_krad_seed_corpus/do_auth_1.bin b/src/tests/fuzzing/fuzz_krad_seed_corpus/do_auth_1.bin
new file mode 100644
index 000000000..02eb9a1cb
Binary files /dev/null and b/src/tests/fuzzing/fuzz_krad_seed_corpus/do_auth_1.bin differ
diff --git a/src/tests/fuzzing/fuzz_krb5_ticket.c b/src/tests/fuzzing/fuzz_krb5_ticket.c
new file mode 100644
index 000000000..a88f75314
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_krb5_ticket.c
@@ -0,0 +1,67 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/fuzzing/fuzz_krb5_ticket.c */
+/*
+ * Copyright (C) 2024 by Arjun. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Fuzzing harness implementation for krb5_decode_ticket.
+ */
+
+#include "autoconf.h"
+#include <k5-int.h>
+#include <krb5.h>
+#include <string.h>
+
+#define kMinInputLength 2
+#define kMaxInputLength 2048
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    krb5_data data_in;
+    krb5_ticket *ticket;
+    krb5_context context;
+
+    if (size < kMinInputLength || size > kMaxInputLength)
+        return 0;
+
+    data_in = make_data((void *)data, size);
+
+    if (krb5_init_context(&context) != 0)
+        return 0;
+
+    krb5_decode_ticket(&data_in, &ticket);
+
+    krb5_free_ticket(context, ticket);
+    krb5_free_context(context);
+
+    return 0;
+}
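Review bot: `krb5_init_context` and `krb5_free_context` run on every input although the context is only used to free the decoded ticket. As far as I know, context creation loads the library configuration from the host, which costs executions per second and ties the target's behaviour to whatever krb5.conf the fuzzing machine has. A context created once and reused avoids both: `static krb5_context context;` followed by `if (context == NULL && krb5_init_context(&context) != 0) return 0;`, with the per-input `krb5_free_context` call dropped. fuzz_krad.c, fuzz_marshal_cred.c, fuzz_marshal_princ.c, fuzz_pac.c and `fuzz_name()` in fuzz_util.c create a context per input in the same way.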
diff --git a/src/tests/fuzzing/fuzz_krb5_ticket_seed_corpus/gcred.bin b/src/tests/fuzzing/fuzz_krb5_ticket_seed_corpus/gcred.bin
new file mode 100644
index 000000000..645576f00
Binary files /dev/null and b/src/tests/fuzzing/fuzz_krb5_ticket_seed_corpus/gcred.bin differ
diff --git a/src/tests/fuzzing/fuzz_krb5_ticket_seed_corpus/s4u2proxy.bin b/src/tests/fuzzing/fuzz_krb5_ticket_seed_corpus/s4u2proxy.bin
new file mode 100644
index 000000000..19877645f
Binary files /dev/null and b/src/tests/fuzzing/fuzz_krb5_ticket_seed_corpus/s4u2proxy.bin differ
diff --git a/src/tests/fuzzing/fuzz_marshal_cred.c b/src/tests/fuzzing/fuzz_marshal_cred.c
new file mode 100644
index 000000000..7181ab9a7
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_marshal_cred.c
@@ -0,0 +1,66 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/fuzzing/fuzz_marshal_cred.c */
+/*
+ * Copyright (C) 2024 by Arjun. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Fuzzing harness implementation for k5_unmarshal_cred.
+ */
+
+#include "autoconf.h"
+#include <cc-int.h>
+
+#define FIRST_VERSION 1
+
+#define kMinInputLength 2
+#define kMaxInputLength 1024
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    int version;
+    krb5_creds cred = { 0 };
+    krb5_context context;
+
+    if (size < kMinInputLength || size > kMaxInputLength)
+        return 0;
+
+    if (krb5_init_context(&context) != 0)
+        return 0;
+
+    for (version = FIRST_VERSION; version <= 4; version++) {
+        k5_unmarshal_cred(data, size, version, &cred);
+        krb5_free_cred_contents(context, &cred);
+    }
+
+    krb5_free_context(context);
+    return 0;
+}
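Review bot: The loop's lower bound is the named constant `FIRST_VERSION` but its upper bound is a bare `4`, so a reader cannot tell which formats the range is meant to cover. Adding `#define LAST_VERSION 4` and writing `version <= LAST_VERSION` keeps both ends of the range in one place. A short comment saying what the version numbers refer to would also help. fuzz_marshal_princ.c has the same loop.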
diff --git a/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_1_input_1.bin b/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_1_input_1.bin
new file mode 100644
index 000000000..829e71fdc
Binary files /dev/null and b/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_1_input_1.bin differ
diff --git a/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_1_input_2.bin b/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_1_input_2.bin
new file mode 100644
index 000000000..194215ee3
Binary files /dev/null and b/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_1_input_2.bin differ
diff --git a/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_1_input_4.bin b/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_1_input_4.bin
new file mode 100644
index 000000000..2c9a95cfd
Binary files /dev/null and b/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_1_input_4.bin differ
diff --git a/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_2_input_1.bin b/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_2_input_1.bin
new file mode 100644
index 000000000..f2c350d7b
Binary files /dev/null and b/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_2_input_1.bin differ
diff --git a/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_2_input_2.bin b/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_2_input_2.bin
new file mode 100644
index 000000000..7e4a9da15
Binary files /dev/null and b/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_2_input_2.bin differ
diff --git a/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_2_input_4.bin b/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_2_input_4.bin
new file mode 100644
index 000000000..e1fc4dfbb
Binary files /dev/null and b/src/tests/fuzzing/fuzz_marshal_cred_seed_corpus/cred_2_input_4.bin differ
diff --git a/src/tests/fuzzing/fuzz_marshal_princ.c b/src/tests/fuzzing/fuzz_marshal_princ.c
new file mode 100644
index 000000000..e421ff305
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_marshal_princ.c
@@ -0,0 +1,66 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/fuzzing/fuzz_marshal_princ.c */
+/*
+ * Copyright (C) 2024 by Arjun. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Fuzzing harness implementation for k5_unmarshal_princ.
+ */
+
+#include "autoconf.h"
+#include <cc-int.h>
+
+#define FIRST_VERSION 1
+
+#define kMinInputLength 2
+#define kMaxInputLength 1024
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    int version;
+    krb5_principal princ;
+    krb5_context context;
+
+    if (size < kMinInputLength || size > kMaxInputLength)
+        return 0;
+
+    if (krb5_init_context(&context) != 0)
+        return 0;
+
+    for (version = FIRST_VERSION; version <= 4; version++) {
+        k5_unmarshal_princ(data, size, version, &princ);
+        krb5_free_principal(context, princ);
+    }
+
+    krb5_free_context(context);
+    return 0;
+}
diff --git a/src/tests/fuzzing/fuzz_marshal_princ_seed_corpus/princ_input_1.bin b/src/tests/fuzzing/fuzz_marshal_princ_seed_corpus/princ_input_1.bin
new file mode 100644
index 000000000..f6f1af038
Binary files /dev/null and b/src/tests/fuzzing/fuzz_marshal_princ_seed_corpus/princ_input_1.bin differ
diff --git a/src/tests/fuzzing/fuzz_marshal_princ_seed_corpus/princ_input_2.bin b/src/tests/fuzzing/fuzz_marshal_princ_seed_corpus/princ_input_2.bin
new file mode 100644
index 000000000..fb55f77d0
Binary files /dev/null and b/src/tests/fuzzing/fuzz_marshal_princ_seed_corpus/princ_input_2.bin differ
diff --git a/src/tests/fuzzing/fuzz_marshal_princ_seed_corpus/princ_input_4.bin b/src/tests/fuzzing/fuzz_marshal_princ_seed_corpus/princ_input_4.bin
new file mode 100644
index 000000000..0259f34c7
Binary files /dev/null and b/src/tests/fuzzing/fuzz_marshal_princ_seed_corpus/princ_input_4.bin differ
diff --git a/src/tests/fuzzing/fuzz_ndr.c b/src/tests/fuzzing/fuzz_ndr.c
new file mode 100644
index 000000000..4cc6daa1c
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_ndr.c
@@ -0,0 +1,59 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/fuzzing/fuzz_ndr.c */
+/*
+ * Copyright (C) 2024 by Arjun. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Fuzzing harness implementation for ndr_dec_delegation_info.
+ */
+
+#include "autoconf.h"
+#include <k5-int.h>
+#include <kdc_util.h>
+
+#define kMinInputLength 2
+#define kMaxInputLength 1024
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    krb5_data data_in;
+    struct pac_s4u_delegation_info *di = NULL;
+
+    if (size < kMinInputLength || size > kMaxInputLength)
+        return 0;
+
+    data_in = make_data((void *)data, size);
+    ndr_dec_delegation_info(&data_in, &di);
+    ndr_free_delegation_info(di);
+
+    return 0;
+}
diff --git a/src/tests/fuzzing/fuzz_ndr_seed_corpus/s4u_di_double.bin b/src/tests/fuzzing/fuzz_ndr_seed_corpus/s4u_di_double.bin
new file mode 100644
index 000000000..9c0e718f0
Binary files /dev/null and b/src/tests/fuzzing/fuzz_ndr_seed_corpus/s4u_di_double.bin differ
diff --git a/src/tests/fuzzing/fuzz_ndr_seed_corpus/s4u_di_long.bin b/src/tests/fuzzing/fuzz_ndr_seed_corpus/s4u_di_long.bin
new file mode 100644
index 000000000..444bc46ba
Binary files /dev/null and b/src/tests/fuzzing/fuzz_ndr_seed_corpus/s4u_di_long.bin differ
diff --git a/src/tests/fuzzing/fuzz_pac.c b/src/tests/fuzzing/fuzz_pac.c
new file mode 100644
index 000000000..f9f5635f4
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_pac.c
@@ -0,0 +1,62 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/fuzzing/fuzz_pac.c */
+/*
+ * Copyright (C) 2024 by Arjun. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Fuzzing harness implementation for krb5_pac_parse.
+ */
+
+#include "autoconf.h"
+#include <k5-int.h>
+
+#define kMinInputLength 2
+#define kMaxInputLength 1024
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    krb5_pac pac;
+    krb5_context context;
+
+    if (size < kMinInputLength || size > kMaxInputLength)
+        return 0;
+
+    if (krb5_init_context(&context) != 0)
+        return 0;
+
+    krb5_pac_parse(context, data, size, &pac);
+
+    krb5_pac_free(context, pac);
+    krb5_free_context(context);
+
+    return 0;
+}
diff --git a/src/tests/fuzzing/fuzz_pac_seed_corpus/s4u_pac_regular.bin b/src/tests/fuzzing/fuzz_pac_seed_corpus/s4u_pac_regular.bin
new file mode 100644
index 000000000..c16319417
Binary files /dev/null and b/src/tests/fuzzing/fuzz_pac_seed_corpus/s4u_pac_regular.bin differ
diff --git a/src/tests/fuzzing/fuzz_pac_seed_corpus/saved_pac.bin b/src/tests/fuzzing/fuzz_pac_seed_corpus/saved_pac.bin
new file mode 100644
index 000000000..6336bef5f
Binary files /dev/null and b/src/tests/fuzzing/fuzz_pac_seed_corpus/saved_pac.bin differ
diff --git a/src/tests/fuzzing/fuzz_profile.c b/src/tests/fuzzing/fuzz_profile.c
new file mode 100644
index 000000000..95a5b488d
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_profile.c
@@ -0,0 +1,81 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/fuzzing/fuzz_profile.c */
+/*
+ * Copyright (C) 2024 by Arjun. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Fuzzing harness implementation for profile_parse_file.
+ */
+
+#include "autoconf.h"
+#include <prof_int.h>
+
+void dump_profile(struct profile_node *root, int level);
+
+#define kMinInputLength 2
+#define kMaxInputLength 1024
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    FILE *fp_w, *fp_r;
+    char file_name[256];
+    struct profile_node *root;
+
+    if (size < kMinInputLength || size > kMaxInputLength)
+        return 0;
+
+    snprintf(file_name, sizeof(file_name), "/tmp/libfuzzer.%d", getpid());
+
+    /* Write data into the file.*/
+    fp_w = fopen(file_name, "w");
+    if (!fp_w)
+        return 1;
+    fwrite(data, 1, size, fp_w);
+    fclose(fp_w);
+
+    /* Provide the file pointer to the parser. */
+    fp_r = fopen(file_name, "r");
+    if (!fp_r)
+        return 1;
+
+    initialize_prof_error_table();
+
+    if (profile_parse_file(fp_r, &root, NULL) == 0) {
+        profile_verify_node(root);
+        profile_free_node(root);
+    }
+
+    fclose(fp_r);
+    unlink(file_name);
+
+    return 0;
+}
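Review bot: The scratch file name `/tmp/libfuzzer.%d` is predictable and is opened with `fopen(..., "w")`, which follows an existing symlink and truncates an existing file, so another local user on a shared machine could pre-create that path. `mkstemp` creates the file exclusively under an unpredictable name. The two `return 1` paths should return 0, since libFuzzer reserves return values other than 0 and -1. The second of them also leaves the file behind because `unlink` is skipped. The `dump_profile` prototype is not used in this file.

```c
    char file_name[] = "/tmp/fuzz_profile.XXXXXX";
    int fd;

    /* ... unchanged: size bounds check ... */

    /* Create the scratch file exclusively, with an unpredictable name. */
    fd = mkstemp(file_name);
    if (fd < 0)
        return 0;
    fp_w = fdopen(fd, "w");
    if (fp_w == NULL) {
        close(fd);
        unlink(file_name);
        return 0;
    }
    fwrite(data, 1, size, fp_w);
    fclose(fp_w);

    fp_r = fopen(file_name, "r");
    if (fp_r == NULL) {
        unlink(file_name);
        return 0;
    }

    /* ... unchanged: initialize_prof_error_table, parse/verify/free, fclose, unlink ... */
```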
diff --git a/src/tests/fuzzing/fuzz_profile_seed_corpus/final2.ini b/src/tests/fuzzing/fuzz_profile_seed_corpus/final2.ini
new file mode 100644
index 000000000..827ec25dc
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_profile_seed_corpus/final2.ini
@@ -0,0 +1,5 @@
+# In this variant the relation is marked final.
+[section]
+	subsection = {
+		key* = value2
+	}
diff --git a/src/tests/fuzzing/fuzz_profile_seed_corpus/final3.ini b/src/tests/fuzzing/fuzz_profile_seed_corpus/final3.ini
new file mode 100644
index 000000000..dcf0ca96a
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_profile_seed_corpus/final3.ini
@@ -0,0 +1,6 @@
+# In this variant the subsection is marked final via a '*' at the end
+# of the tag name.
+[section]
+	subsection* = {
+		key = value3
+	}
diff --git a/src/tests/fuzzing/fuzz_profile_seed_corpus/final4.ini b/src/tests/fuzzing/fuzz_profile_seed_corpus/final4.ini
new file mode 100644
index 000000000..dcba07845
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_profile_seed_corpus/final4.ini
@@ -0,0 +1,6 @@
+# In this variant the subsection is marked final via a '*' after the
+# closing brace.
+[section]
+	subsection = {
+		key = value4
+	}*
diff --git a/src/tests/fuzzing/fuzz_profile_seed_corpus/final5.ini b/src/tests/fuzzing/fuzz_profile_seed_corpus/final5.ini
new file mode 100644
index 000000000..58cd57d3f
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_profile_seed_corpus/final5.ini
@@ -0,0 +1,5 @@
+# In this variant the top-level section is marked final.
+[section]*
+	subsection = {
+		key = value5
+	}
diff --git a/src/tests/fuzzing/fuzz_profile_seed_corpus/modtest.conf b/src/tests/fuzzing/fuzz_profile_seed_corpus/modtest.conf
new file mode 100644
index 000000000..7ef0971d6
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_profile_seed_corpus/modtest.conf
@@ -0,0 +1 @@
+module /home/dark/Desktop/krb5/src/util/profile/testmod/proftest.so-nobuild:teststring
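Review bot: This seed hard-codes an absolute path under a developer's home directory, which publishes a local account name and directory layout and will not exist on any other machine. Since the seed only needs to exercise parsing of a `module` line, a neutral constructed value such as `module /nonexistent/proftest.so:teststring` should serve equally well.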
diff --git a/src/tests/fuzzing/fuzz_profile_seed_corpus/test3.ini b/src/tests/fuzzing/fuzz_profile_seed_corpus/test3.ini
new file mode 100644
index 000000000..97f524a95
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_profile_seed_corpus/test3.ini
@@ -0,0 +1,3 @@
+[section]
+	var = value
+
diff --git a/src/tests/fuzzing/fuzz_profile_seed_corpus/testinc.ini b/src/tests/fuzzing/fuzz_profile_seed_corpus/testinc.ini
new file mode 100644
index 000000000..31136f369
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_profile_seed_corpus/testinc.ini
@@ -0,0 +1,6 @@
+[sec1]
+var = {
+a = 1
+include testinc2.ini
+c = 3
+}
diff --git a/src/tests/fuzzing/fuzz_profile_seed_corpus/testinc2.ini b/src/tests/fuzzing/fuzz_profile_seed_corpus/testinc2.ini
new file mode 100644
index 000000000..35ea95fa5
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_profile_seed_corpus/testinc2.ini
@@ -0,0 +1,2 @@
+[sec2]
+b = 2
diff --git a/src/tests/fuzzing/fuzz_util.c b/src/tests/fuzzing/fuzz_util.c
new file mode 100644
index 000000000..8779b4c61
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_util.c
@@ -0,0 +1,120 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/fuzzing/fuzz_util.c */
+/*
+ * Copyright (C) 2024 by Arjun. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Fuzzing harness implementation for k5_base64_decode, k5_hex_decode
+ * krb5_parse_name and k5_parse_host_string.
+ */
+
+#include "autoconf.h"
+#include <k5-int.h>
+#include <k5-base64.h>
+#include <k5-hex.h>
+#include <string.h>
+
+#define kMinInputLength 2
+#define kMaxInputLength 256
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+static void
+fuzz_base64(const char *data_in, size_t size)
+{
+    size_t len;
+
+    free(k5_base64_encode(data_in, size));
+    free(k5_base64_decode(data_in, &len));
+}
+
+static void
+fuzz_hex(const char *data_in, size_t size)
+{
+    char *hex;
+    uint8_t *bytes;
+    size_t len;
+
+    if (k5_hex_encode(data_in, size, 0, &hex) == 0)
+        free(hex);
+
+    if (k5_hex_encode(data_in, size, 1, &hex) == 0)
+        free(hex);
+
+    if (k5_hex_decode(data_in, &bytes, &len) == 0)
+        free(bytes);
+}
+
+static void
+fuzz_name(const char *data_in, size_t size)
+{
+    krb5_context context;
+    krb5_principal fuzzing;
+
+    if (krb5_init_context(&context) != 0)
+        return;
+
+    krb5_parse_name(context, data_in, &fuzzing);
+
+    krb5_free_principal(context, fuzzing);
+    krb5_free_context(context);
+}
+
+static void
+fuzz_parse_host(const char *data_in, size_t size)
+{
+    char *host_out = NULL;
+    int port_out = -1;
+
+    if (k5_parse_host_string(data_in, 1, &host_out, &port_out) == 0)
+        free(host_out);
+}
+
+extern int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    krb5_error_code ret;
+    char *data_in;
+
+    if (size < kMinInputLength || size > kMaxInputLength)
+        return 0;
+
+    data_in = k5memdup0(data, size, &ret);
+    if (data_in == NULL)
+        return 0;
+
+    fuzz_base64(data_in, size);
+    fuzz_hex(data_in, size);
+    fuzz_name(data_in, size);
+    fuzz_parse_host(data_in, size);
+
+    free(data_in);
+
+    return 0;
+}
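Review bot: `fuzz_name` and `fuzz_parse_host` accept a `size` argument they never read, and the entry point is defined as `extern int` while the other harnesses in this commit define it as plain `int`. `data_in` is a NUL-terminated copy, so the string-based parsers only see the bytes before the first zero byte. That is worth stating where `k5memdup0` is called, e.g. `/* String parsers stop at the first NUL; only the encoders see all size bytes. */`. The file's header comment is also missing a comma after `k5_hex_decode`.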
diff --git a/src/tests/fuzzing/fuzz_util_seed_corpus/base64.txt b/src/tests/fuzzing/fuzz_util_seed_corpus/base64.txt
new file mode 100644
index 000000000..68c422c56
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_util_seed_corpus/base64.txt
@@ -0,0 +1 @@
+YWJjOmRlZg==
diff --git a/src/tests/fuzzing/fuzz_util_seed_corpus/hax.txt b/src/tests/fuzzing/fuzz_util_seed_corpus/hax.txt
new file mode 100644
index 000000000..c747d34aa
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_util_seed_corpus/hax.txt
@@ -0,0 +1 @@
+3031323334353637
diff --git a/src/tests/fuzzing/fuzz_util_seed_corpus/host.txt b/src/tests/fuzzing/fuzz_util_seed_corpus/host.txt
new file mode 100644
index 000000000..b3968327c
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_util_seed_corpus/host.txt
@@ -0,0 +1 @@
+test.example:75
diff --git a/src/tests/fuzzing/fuzz_util_seed_corpus/name.txt b/src/tests/fuzzing/fuzz_util_seed_corpus/name.txt
new file mode 100644
index 000000000..db95221bd
--- /dev/null
+++ b/src/tests/fuzzing/fuzz_util_seed_corpus/name.txt
@@ -0,0 +1 @@
+/b at R
diff --git a/src/tests/fuzzing/oss-fuzz.sh b/src/tests/fuzzing/oss-fuzz.sh
new file mode 100644
index 000000000..868d0db1f
--- /dev/null
+++ b/src/tests/fuzzing/oss-fuzz.sh
@@ -0,0 +1,27 @@
+#!/bin/bash -eu
+
+# This script plays the role of build.sh in OSS-Fuzz.  If only minor
+# changes are required such as changing the fuzzing targets, a PR in
+# the OSS-Fuzz repository is not needed and they can be done here.
+
+# Compile krb5 for oss-fuzz.
+pushd src/
+autoreconf
+./configure CFLAGS="-fcommon $CFLAGS" CXXFLAGS="-fcommon $CXXFLAGS" \
+    --enable-static --disable-shared --enable-ossfuzz
+make
+popd
+
+# Copy fuzz targets and seed corpus to $OUT.
+pushd src/tests/fuzzing
+
+fuzzers=("fuzz_chpw" "fuzz_gss" "fuzz_json" "fuzz_krad" "fuzz_krb5_ticket"
+        "fuzz_marshal_cred" "fuzz_marshal_princ" "fuzz_ndr" "fuzz_pac"
+        "fuzz_profile" "fuzz_util")
+
+for fuzzer in "${fuzzers[@]}"; do
+    cp "$fuzzer" "$OUT/$fuzzer"
+    zip -r "${OUT}/${fuzzer}_seed_corpus.zip" "${fuzzer}_seed_corpus"
+done
+
+popd
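Review bot: The `-eu` options live only on the shebang line, so they are silently dropped if the script is ever started as `bash oss-fuzz.sh` and a failed `configure` or `make` would then be followed by the copy loop. Moving them into the body with `set -euo pipefail` directly under `#!/bin/bash` makes the strict mode independent of how the script is launched. With `-u` active, the `$CFLAGS` and `$CXXFLAGS` expansions abort the script when those variables are unset. If a run outside the OSS-Fuzz build environment is intended, `${CFLAGS:-}` and `${CXXFLAGS:-}` avoid that.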

