Extend the fuzzing harnesses for broader coverage #2

Open

tc-agent wants to merge 2 commits into master from extend-fuzzing-coverage

Extend the fuzzing harnesses for broader coverage#2
tc-agent wants to merge 2 commits into
masterfrom
extend-fuzzing-coverage

Conversation

@tc-agent

Owner

Summary

This extends the in-tree OSS-Fuzz harnesses under src/tests/fuzzing so
that they reach security-relevant code the current harnesses do not. Per
the Fuzz Introspector report
the project's line coverage is roughly 22%, with the GSS-API mechanism
code and the client ticket-acquisition code largely unreached.

fuzz_gss (reworked)

The previous version called gss_accept_sec_context() with no acceptor
credential, so every input stopped at the first credential lookup. The
reworked harness forges a self-contained krb5 service ticket (a fixed
service key in an in-memory keytab, a matching ticket encrypted with it
in an in-memory credential cache) and establishes one krb5 security
context at startup; no KDC is required. With both an initiator and an
acceptor credential available, the per-input function then drives the
attacker-controlled GSS-API surfaces: the acceptor token decoder
(gss_accept_sec_context), the initiator's reply-token handling
(gss_init_sec_context continuation), the per-message decoders on the
established context (gss_unwrap, gss_verify_mic,
gss_process_context_token) and the deserialization routines
(gss_import_sec_context, gss_import_cred, gss_import_name).
The input is copied to a private buffer first because some GSS decoders
rewrite the token buffer in place.

fuzz_initcreds (new)

Drives the client side of the AS and TGS exchanges
(krb5_get_init_creds_password, krb5_get_init_creds_keytab,
krb5_get_credentials). A KDC send hook installed with
krb5_set_kdc_send_hook() answers every request with the fuzz input, so
the input drives the AS-REP / TGS-REP / KRB-ERROR decoders and the
preauthentication response handling in lib/krb5/krb — the code that
processes replies from a potentially malicious or spoofed KDC — without
contacting a real KDC.

fuzz_ccache (new)

Exercises the FILE credential cache parser (lib/krb5/ccache/cc_file.c).
A credential cache path is commonly taken from the KRB5CCNAME
environment variable, so the parser routinely reads attacker-influenced
files.

Seed corpora

fuzz_initcreds reuses three encoded KDC-reply structures already present
in the repository's fuzz_asn seed corpus (an AS-REP, a TGS-REP and an
encrypted KDC-reply part). fuzz_ccache ships one seed produced by
emitting the documented version-4 FILE credential cache layout: the
two-byte version, a tagged header, a default principal and a single
credential with a 32-byte key.

Coverage

A local five-minute run of the full harness set raises measured line
coverage from the ~22% Fuzz Introspector baseline to ~32%. The gain is
concentrated in lib/gssapi and lib/krb5/krb.

These changes belong upstream rather than in the OSS-Fuzz repository
because krb5 hosts its own fuzz harnesses in src/tests/fuzzing and builds
them via src/tests/fuzzing/oss-fuzz.sh.
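
The seed description above ("the two-byte version, a tagged header, a default principal and a single credential with a 32-byte key") is the documented version-4 FILE credential cache layout. The following is an added example, not code from the krb5 repository or from this pull request: a small emitter that produces such a seed and a bounds-checked parser of the same layout, so the shape of the corpus entry and the length fields a fuzzer will mutate are both visible. Realm, principal names, timestamps, ticket flags and key bytes are all constructed here; the 64-entry count limit is a sanity bound chosen for the example, not a krb5 constant.

```python
"""Emit and parse krb5's version-4 FILE credential cache layout.

Added example for this PR discussion; it is not code from the krb5
repository or from the pull request.  Every name, timestamp and key byte
below is constructed for illustration.
"""
import struct

CC_VERSION4 = b"\x05\x04"   # two-byte version marker at offset 0
TAG_DELTATIME = 1           # header tag: 32-bit time offset, 32-bit usec offset
NT_PRINCIPAL = 1            # principal name type (present in v3/v4 only)
MAX_COMPONENTS = 64         # sanity bound chosen here, not a krb5 limit


class CCacheError(ValueError):
    """Raised when a length field or count does not fit the file."""


def _data(b):
    """32-bit big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _principal(realm, components):
    out = struct.pack(">II", NT_PRINCIPAL, len(components)) + _data(realm.encode())
    return out + b"".join(_data(c.encode()) for c in components)


def emit_ccache(realm, client, server, enctype, key, times, ticket):
    """Version marker, tagged header, default principal, one credential."""
    header = struct.pack(">HH", TAG_DELTATIME, 8) + struct.pack(">ii", 0, 0)
    out = CC_VERSION4 + struct.pack(">H", len(header)) + header
    out += _principal(realm, client)                # default principal
    out += _principal(realm, client)                # credential: client
    out += _principal(realm, server)                #             server
    out += struct.pack(">H", enctype) + _data(key)  # keyblock: 16-bit enctype, 32-bit key length
    out += struct.pack(">IIII", *times)             # authtime, starttime, endtime, renew_till
    out += b"\x00"                                  # is_skey
    out += struct.pack(">I", 0x50a00000)            # ticket flags (constructed value)
    out += struct.pack(">I", 0)                     # address count
    out += struct.pack(">I", 0)                     # authdata count
    out += _data(ticket) + _data(b"")               # ticket, second ticket
    return out


class _Reader:
    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, n):
        # Every length in the file is attacker-influenced: check before slicing.
        if self.pos + n > len(self.buf):
            raise CCacheError(f"need {n} bytes at offset {self.pos}, have {len(self.buf) - self.pos}")
        chunk, self.pos = self.buf[self.pos:self.pos + n], self.pos + n
        return chunk

    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def data(self): return self.take(self.u32())

    def count(self):
        n = self.u32()
        if n > MAX_COMPONENTS:   # a 2^32 count would otherwise loop until the buffer runs out
            raise CCacheError(f"unreasonable count {n} at offset {self.pos - 4}")
        return n

    def principal(self):
        name_type, ncomp = self.u32(), self.count()
        realm = self.data()
        return name_type, realm, [self.data() for _ in range(ncomp)]


def parse_ccache(buf):
    r = _Reader(buf)
    if r.take(2) != CC_VERSION4:
        raise CCacheError("not a version-4 FILE credential cache")
    hdr, header = _Reader(r.take(r.u16())), {}
    while hdr.pos < len(hdr.buf):
        tag, length = hdr.u16(), hdr.u16()
        header[tag] = hdr.take(length)
    out = {"header": header, "default": r.principal(), "creds": []}
    while r.pos < len(r.buf):
        cred = {"client": r.principal(), "server": r.principal()}
        cred["key"] = (r.u16(), r.data())
        cred["times"] = tuple(r.u32() for _ in range(4))
        cred["is_skey"], cred["flags"] = r.take(1)[0], r.u32()
        cred["addresses"] = [(r.u16(), r.data()) for _ in range(r.count())]
        cred["authdata"] = [(r.u16(), r.data()) for _ in range(r.count())]
        cred["ticket"], cred["second_ticket"] = r.data(), r.data()
        out["creds"].append(cred)
    return out


def validate(buf):
    """None if the file parses, else the parser's complaint (handy for corpus triage)."""
    try:
        parse_ccache(buf)
        return None
    except CCacheError as e:
        return str(e)


def build_seed():
    """A constructed seed shaped like the one described for fuzz_ccache."""
    return emit_ccache("EXAMPLE.COM", ["user"], ["krbtgt", "EXAMPLE.COM"],
                       18, b"\x11" * 32, (1, 1, 3600, 3600), b"constructed-ticket")


if __name__ == "__main__":
    seed = build_seed()
    print(len(seed), "bytes;", validate(seed) or "parses cleanly")
    print(validate(seed[:-4] + b"\xff\xff\xff\xff"))   # oversized second-ticket length
```

Running the module writes nothing to disk; `build_seed()` returns the bytes that would be dropped into the corpus directory. The `validate()` helper is useful for triaging crash inputs: mutating any of the 32-bit length fields (the last four bytes of the seed are the second-ticket length) produces a file that a naive reader would over-read, which is exactly the class of defect the harness is meant to surface.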

tc-agent and others added 2 commits May 21, 2026 06:21
Rework fuzz_gss so that it forges a self-contained krb5 service
ticket (random service key in an in-memory keytab, matching ticket in
an in-memory credential cache) and drives full krb5 and SPNEGO
context establishment.  With both an initiator and an acceptor
credential available the fuzz input now exercises the complete
gss_accept_sec_context() token decoder and the established-context
message paths (gss_unwrap, gss_unwrap_iov, gss_init_sec_context)
instead of stopping at the first credential lookup.  The harness also
exercises the per-message, IOV, credential, name and mechanism
interfaces against the established contexts.

Add fuzz_initcreds, which drives the client AS and TGS exchanges
(krb5_get_init_creds_password / krb5_get_init_creds_keytab /
krb5_get_credentials).  A KDC send hook installed with
krb5_set_kdc_send_hook answers every request with the fuzz input, so
the input drives the AS-REP / TGS-REP / KRB-ERROR decoders and the
preauthentication response handling without contacting a real KDC.

Add fuzz_ccache, which exercises the FILE credential cache parser.

@github-actions


Fuzzing Coverage Report

Tested: project krb5 · base 4ae75cd → head 9148880 · 300s total fuzz budget · updated 2026-05-27 13:30 UTC · workflow run

| Metric | Before | After | Delta |
|---|---|---|---|
| Static reachability | 3.1% (279/9105) | >45m build failed | |
| Line coverage | 22.1% (13636/61594) | 32.4% (20197/62322) | +48.1% |
| Branch coverage | 19.8% (7242/36633) | 25.1% (9233/36853) | +27.5% |
| Function coverage | 31.2% (911/2918) | 44.3% (1306/2949) | +43.4% |

Per-harness

| Harness | Lines before | Lines after | Δ |
|---|---|---|---|
| fuzz_aes | 9.1% (483/5285) | 9.1% (483/5285) | +0.0% |
| fuzz_asn | 7.7% (2780/35987) | 7.7% (2777/35987) | -0.1% |
| fuzz_attrset | 3.7% (1348/36200) | 3.7% (1348/36200) | +0.0% |
| fuzz_ccache | 0% | 4.9% (1745/35904) | new |
| fuzz_chpw | 3.1% (1127/35883) | 3.1% (1127/35883) | +0.0% |
| fuzz_crypto | 23.8% (3971/16661) | 23.8% (3971/16661) | +0.0% |
| fuzz_des | 30.1% (254/843) | 30.1% (254/843) | +0.0% |
| fuzz_gss | 5.3% (3173/59465) | 16.2% (9688/59971) | +205.3% |
| fuzz_initcreds | 0% | 19.8% (7200/36380) | new |
| fuzz_json | 46.0% (659/1432) | 46.1% (660/1432) | +0.2% |
| fuzz_kdc | 3.1% (1117/35993) | 3.1% (1117/35993) | +0.0% |
| fuzz_krad | 3.1% (1119/36556) | 3.8% (1373/36556) | +22.7% |
| fuzz_krb | 6.2% (2251/36154) | 6.2% (2254/36154) | +0.1% |
| fuzz_krb5_ticket | 5.2% (1877/36298) | 5.2% (1882/36298) | +0.3% |
| fuzz_marshal_cred | 2.6% (432/16729) | 2.6% (432/16729) | +0.0% |
| fuzz_marshal_princ | 1.4% (234/16729) | 1.4% (234/16729) | +0.0% |
| fuzz_ndr | 2.5% (415/16578) | 2.5% (410/16578) | -1.2% |
| fuzz_oid | 1.2% (687/59462) | 1.2% (687/59462) | +0.0% |
| fuzz_pac | 5.3% (1904/35895) | 5.3% (1904/35895) | +0.0% |
| fuzz_profile | 28.7% (635/2210) | 28.7% (635/2210) | +0.0% |
| fuzz_util | 5.4% (1932/35999) | 5.4% (1933/35999) | +0.1% |

Same harness config applied to both sides (baseline = base source + PR harness).
Δ = (after − before) / before, to accommodate that denominators may change. "new" when before is 0; "deleted" when after is 0.
