Document how to refresh the TLS corpora.

Change-Id: I9165357ca6c20b964ed13dc4e1f336c7b747033e
Reviewed-on: https://boringssl-review.googlesource.com/11223
Reviewed-by: Adam Langley <agl@google.com>

1 files changed, 23 insertions, 0 deletions

diff --git a/FUZZING.md b/FUZZING.md
index bf548295..954a4f7d 100644
--- a/FUZZING.md
+++ b/FUZZING.md
@@ -63,3 +63,26 @@ When `-DFUZZ=1` is passed into CMake, BoringSSL builds with `BORINGSSL_UNSAFE_FU
 * Use a hard-coded time instead of the actual time.
 
 This is to prevent the fuzzer from getting stuck at a cryptographic invariant in the protocol.
+
+## TLS transcripts
+
+The `client` and `server` corpora are seeded from the test suite. The test suite has a `-fuzzer` flag which mirrors the fuzzer mode changes above and a `-deterministic` flag which removes all non-determinism on the Go side. Not all tests pass, so `ssl/test/runner/fuzzer_mode.json` contains the necessary suppressions. To run the tests against a fuzzer-mode `bssl_shim`, run:
+
+```
+cd ssl/test/runner
+go test -fuzzer -deterministic -shim-config fuzzer_mode.json
+```
+
+For a different build directory from `build/`, pass the appropriate `-shim-path` flag. If those tests pass, record a set of transcripts with:
+
+```
+go test -fuzzer -deterministic -transcript-dir /tmp/transcripts/
+```
+
+Note the suppressions file is ignored so disabled tests record transcripts too. Then merge into the existing corpora:
+
+```
+cd build/
+./fuzz/client -max_len=50000 -merge=1 ../fuzz/client_corpus /tmp/transcripts/tls/client
+./fuzz/server -max_len=50000 -merge=1 ../fuzz/server_corpus /tmp/transcripts/tls/server
+```