diff options
author | David Benjamin <davidben@google.com> | 2016-09-22 08:02:13 +0300 |
---|---|---|
committer | Adam Langley <agl@google.com> | 2016-09-23 00:18:16 +0300 |
commit | 1e663e8f396e26025309553459bc334e2d21fd0e (patch) | |
tree | f5cc9d0f9d1451d9de9760054d24e6ea73486ed3 | |
parent | 01a905717c39d155ccb3f3d568f6817badea30a6 (diff) |
Document how to refresh the TLS corpora.
Change-Id: I9165357ca6c20b964ed13dc4e1f336c7b747033e
Reviewed-on: https://boringssl-review.googlesource.com/11223
Reviewed-by: Adam Langley <agl@google.com>
-rw-r--r-- | FUZZING.md | 23 |
1 files changed, 23 insertions, 0 deletions
@@ -63,3 +63,26 @@ When `-DFUZZ=1` is passed into CMake, BoringSSL builds with `BORINGSSL_UNSAFE_FU * Use a hard-coded time instead of the actual time. This is to prevent the fuzzer from getting stuck at a cryptographic invariant in the protocol. + +## TLS transcripts + +The `client` and `server` corpora are seeded from the test suite. The test suite has a `-fuzzer` flag which mirrors the fuzzer mode changes above and a `-deterministic` flag which removes all non-determinism on the Go side. Not all tests pass, so `ssl/test/runner/fuzzer_mode.json` contains the necessary suppressions. To run the tests against a fuzzer-mode `bssl_shim`, run: + +``` +cd ssl/test/runner +go test -fuzzer -deterministic -shim-config fuzzer_mode.json +``` + +For a different build directory from `build/`, pass the appropriate `-shim-path` flag. If those tests pass, record a set of transcripts with: + +``` +go test -fuzzer -deterministic -transcript-dir /tmp/transcripts/ +``` + +Note the suppressions file is ignored so disabled tests record transcripts too. Then merge into the existing corpora: + +``` +cd build/ +./fuzz/client -max_len=50000 -merge=1 ../fuzz/client_corpus /tmp/transcripts/tls/client +./fuzz/server -max_len=50000 -merge=1 ../fuzz/server_corpus /tmp/transcripts/tls/server +``` |