Document how to refresh the TLS corpora.

Change-Id: I9165357ca6c20b964ed13dc4e1f336c7b747033e Reviewed-on: https://boringssl-review.googlesource.com/11223 Reviewed-by: Adam Langley <agl@google.com>
2016-09-22 01:02:13 -04:00 · 2016-09-22 01:02:13 -04:00 · 1e663e8f39
commit 1e663e8f39
parent 01a905717c
1 changed files with 23 additions and 0 deletions
--- a/FUZZING.md
+++ b/FUZZING.md
@ -63,3 +63,26 @@ When `-DFUZZ=1` is passed into CMake, BoringSSL builds with `BORINGSSL_UNSAFE_FU
 * Use a hard-coded time instead of the actual time.

 This is to prevent the fuzzer from getting stuck at a cryptographic invariant in the protocol.
+
+## TLS transcripts
+
+The `client` and `server` corpora are seeded from the test suite. The test suite has a `-fuzzer` flag which mirrors the fuzzer mode changes above and a `-deterministic` flag which removes all non-determinism on the Go side. Not all tests pass, so `ssl/test/runner/fuzzer_mode.json` contains the necessary suppressions. To run the tests against a fuzzer-mode `bssl_shim`, run:
+
+```
+cd ssl/test/runner
+go test -fuzzer -deterministic -shim-config fuzzer_mode.json
+```
+
+For a different build directory from `build/`, pass the appropriate `-shim-path` flag. If those tests pass, record a set of transcripts with:
+
+```
+go test -fuzzer -deterministic -transcript-dir /tmp/transcripts/
+```
+
+Note the suppressions file is ignored so disabled tests record transcripts too. Then merge into the existing corpora:
+
+```
+cd build/
+./fuzz/client -max_len=50000 -merge=1 ../fuzz/client_corpus /tmp/transcripts/tls/client
+./fuzz/server -max_len=50000 -merge=1 ../fuzz/server_corpus /tmp/transcripts/tls/server
+```