From 1e663e8f396e26025309553459bc334e2d21fd0e Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Thu, 22 Sep 2016 01:02:13 -0400 Subject: [PATCH] Document how to refresh the TLS corpora. Change-Id: I9165357ca6c20b964ed13dc4e1f336c7b747033e Reviewed-on: https://boringssl-review.googlesource.com/11223 Reviewed-by: Adam Langley --- FUZZING.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/FUZZING.md b/FUZZING.md index bf548295..954a4f7d 100644 --- a/FUZZING.md +++ b/FUZZING.md @@ -63,3 +63,26 @@ When `-DFUZZ=1` is passed into CMake, BoringSSL builds with `BORINGSSL_UNSAFE_FU * Use a hard-coded time instead of the actual time. This is to prevent the fuzzer from getting stuck at a cryptographic invariant in the protocol. + +## TLS transcripts + +The `client` and `server` corpora are seeded from the test suite. The test suite has a `-fuzzer` flag which mirrors the fuzzer mode changes above and a `-deterministic` flag which removes all non-determinism on the Go side. Not all tests pass, so `ssl/test/runner/fuzzer_mode.json` contains the necessary suppressions. To run the tests against a fuzzer-mode `bssl_shim`, run: + +``` +cd ssl/test/runner +go test -fuzzer -deterministic -shim-config fuzzer_mode.json +``` + +For a different build directory from `build/`, pass the appropriate `-shim-path` flag. If those tests pass, record a set of transcripts with: + +``` +go test -fuzzer -deterministic -transcript-dir /tmp/transcripts/ +``` + +Note the suppressions file is ignored so disabled tests record transcripts too. Then merge into the existing corpora: + +``` +cd build/ +./fuzz/client -max_len=50000 -merge=1 ../fuzz/client_corpus /tmp/transcripts/tls/client +./fuzz/server -max_len=50000 -merge=1 ../fuzz/server_corpus /tmp/transcripts/tls/server +```
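Review bot: the working directory in the final code block does not follow from the earlier ones. The first block does `cd ssl/test/runner` and nothing returns to the repository root before `cd build/`, so a reader following the steps literally would look for `ssl/test/runner/build/`; suggest `cd ../../../build/` or a sentence stating that the merge commands are run from the repository root. Two smaller documentation points in the same hunk: the second `go test` invocation drops `-shim-config fuzzer_mode.json`, and the sentence "Note the suppressions file is ignored so disabled tests record transcripts too" does not make clear whether that is because the flag is deliberately omitted or because transcript recording ignores it, so say which; the `-shim-path` caveat from the first run also applies to the transcript run, since it needs the same fuzzer-mode `bssl_shim`. Finally, `-max_len=50000` appears twice as an unexplained constant; one sentence on where 50000 comes from and that both merges should use the same value would help whoever refreshes the corpora next.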