| field | value | date |
|---|---|---|
| author | David Benjamin <davidben@google.com> | 2016-11-04 18:59:33 -0400 |
| committer | Adam Langley <agl@google.com> | 2016-11-09 16:53:37 +0000 |
| commit | ec978dd8128750fcc70a51ebbc46e7b611baecc7 (patch) | |
| tree | 3c72a1e95936bec59b7e578dbec6ce6a2e573420 /FUZZING.md | |
| parent | da863608528c451b72d6ad3f1a330c38c0372f13 (diff) | |
Add corpora for fuzzers with fuzzer mode disabled.
Fuzzer mode explores the handshake, but at the cost of losing coverage
on the record layer. Add a separate build flag and client/server
corpora for this mode.
Note this requires tweaks in consumers' fuzzer build definitions.
BUG=111
Change-Id: I1026dc7301645e165a761068a1daad6eedc9271e
Reviewed-on: https://boringssl-review.googlesource.com/12108
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
Diffstat (limited to 'FUZZING.md')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | FUZZING.md | 10 |

1 file changed, 7 insertions, 3 deletions
@@ -53,16 +53,18 @@ In order to minimise all the corpuses, build for fuzzing and run `./fuzz/minimis ## Fuzzer mode -When `-DFUZZ=1` is passed into CMake, BoringSSL builds with `BORINGSSL_UNSAFE_FUZZER_MODE` defined. This modifies the library, particularly the TLS stack, to be more friendly to fuzzers. It will: +When `-DFUZZ=1` is passed into CMake, BoringSSL builds with `BORINGSSL_UNSAFE_FUZZER_MODE` and `BORINGSSL_UNSAFE_DETERMINISTIC_MODE` defined. This modifies the library to be more friendly to fuzzers. If `BORINGSSL_UNSAFE_DETERMINISTIC_MODE` is set, BoringSSL will: * Replace `RAND_bytes` with a deterministic PRNG. Call `RAND_reset_for_fuzzing()` at the start of fuzzers which use `RAND_bytes` to reset the PRNG state. +* Use a hard-coded time instead of the actual time. + +Additionally, if `BORINGSSL_UNSAFE_FUZZER_MODE` is set, BoringSSL will: + * Modify the TLS stack to perform all signature checks (CertificateVerify and ServerKeyExchange) and the Finished check, but always act as if the check succeeded. * Treat every cipher as the NULL cipher. -* Use a hard-coded time instead of the actual time. - * Tickets are unencrypted and the MAC check is performed but ignored. This is to prevent the fuzzer from getting stuck at a cryptographic invariant in the protocol. @@ -89,3 +91,5 @@ cd build/ ./fuzz/client -max_len=50000 -merge=1 ../fuzz/client_corpus /tmp/transcripts/tls/client ./fuzz/server -max_len=50000 -merge=1 ../fuzz/server_corpus /tmp/transcripts/tls/server ``` + +There are separate corpora, `fuzz/client_corpus_no_fuzzer_mode` and `fuzz/server_corpus_no_fuzzer_mode`. These are transcripts for fuzzers with only `BORINGSSL_UNSAFE_DETERMINISTIC_MODE` defined. To build in this mode, pass `-DNO_FUZZER_MODE=1` into CMake. These corpora are updated the same way, but without the `-fuzzer` and `-shim-config` flags. |
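Review bot: in the first hunk, the rewritten opening sentence of the "Fuzzer mode" section states that `-DFUZZ=1` defines both `BORINGSSL_UNSAFE_FUZZER_MODE` and `BORINGSSL_UNSAFE_DETERMINISTIC_MODE`, but nothing in this section tells the reader that the two can be enabled separately; a short pointer after the second list, along the lines of "a build with only `BORINGSSL_UNSAFE_DETERMINISTIC_MODE` is described under the corpora section below", would keep the section self-contained. It is also worth saying next to the `BORINGSSL_UNSAFE_FUZZER_MODE` list that such a build is only for fuzzing, since, as the bullets state, the signature, Finished and ticket MAC checks are performed but their results are ignored.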
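Review bot: in the second hunk, "To build in this mode, pass `-DNO_FUZZER_MODE=1` into CMake" does not say whether `-DFUZZ=1` is still required alongside it, yet the section above ties both defines to `-DFUZZ=1`; please spell out the complete CMake invocation. Likewise "updated the same way, but without the `-fuzzer` and `-shim-config` flags" leaves the reader to reconstruct the commands: showing the two `-merge=1` lines with the `fuzz/client_corpus_no_fuzzer_mode` and `fuzz/server_corpus_no_fuzzer_mode` paths and the transcript directory those runs write to would make it hard to merge the wrong transcripts into the wrong corpus, which is the reason for keeping the corpora separate.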