author | David Benjamin <davidben@google.com> | 2016-09-22 08:21:24 +0300 |
---|---|---|
committer | CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> | 2016-09-23 00:26:23 +0300 |
commit | fbc45d7228de54e227d61dcc60ee49ef0dfea4e8 (patch) | |
tree | 784e356d0597221e5872bc40d8bd28c5b3331a73 | |
parent | 1e663e8f396e26025309553459bc334e2d21fd0e (diff) |
No-op ticket encryption in fuzzer mode.
This allows the fuzzer to discover server-side resumption paths by
simply supplying what we'd like the ticket to decrypt to in the clear.
We also have a natural way to get transcripts out of runner. We record
the runner-side transcripts, so all resumption handshakes will replay
the shim-created unencrypted tickets.
BUG=104
Change-Id: Icf9cbf4af520077d38e2c8c2766b6f8bfa3c9ab5
Reviewed-on: https://boringssl-review.googlesource.com/11224
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
-rw-r--r-- | FUZZING.md | 2 | ||||
-rw-r--r-- | ssl/ssl_session.c | 7 | ||||
-rw-r--r-- | ssl/t1_lib.c | 16 |
3 files changed, 22 insertions, 3 deletions
@@ -62,6 +62,8 @@ When `-DFUZZ=1` is passed into CMake, BoringSSL builds with `BORINGSSL_UNSAFE_FU
 * Use a hard-coded time instead of the actual time.
+* Tickets are unencrypted and the MAC check is performed but ignored.
+
 This is to prevent the fuzzer from getting stuck at a cryptographic invariant in the protocol.
 ## TLS transcripts
diff --git a/ssl/ssl_session.c b/ssl/ssl_session.c
index 1e7f432f..c081476b 100644
--- a/ssl/ssl_session.c
+++ b/ssl/ssl_session.c
@@ -548,8 +548,12 @@ int ssl_encrypt_ticket(SSL *ssl, CBB *out, const SSL_SESSION *session) {
 goto err;
 }
- int len;
 size_t total = 0;
+#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
+ memcpy(ptr, session_buf, session_len);
+ total = session_len;
+#else
+ int len;
 if (!EVP_EncryptUpdate(&ctx, ptr + total, &len, session_buf, session_len)) {
 goto err;
 }
@@ -558,6 +562,7 @@ int ssl_encrypt_ticket(SSL *ssl, CBB *out, const SSL_SESSION *session) {
 goto err;
 }
 total += len;
+#endif
 if (!CBB_did_write(out, total)) {
 goto err;
 }
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 81dbdc4b..8db132f0 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2963,7 +2963,12 @@ int tls_process_ticket(SSL *ssl, SSL_SESSION **out_session,
 }
 HMAC_Update(&hmac_ctx, ticket, ticket_len - mac_len);
 HMAC_Final(&hmac_ctx, mac, NULL);
- if (CRYPTO_memcmp(mac, ticket + (ticket_len - mac_len), mac_len) != 0) {
+ int mac_ok =
+ CRYPTO_memcmp(mac, ticket + (ticket_len - mac_len), mac_len) == 0;
+#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
+ mac_ok = 1;
+#endif
+ if (!mac_ok) {
 goto done;
 }
@@ -2976,6 +2981,11 @@ int tls_process_ticket(SSL *ssl, SSL_SESSION **out_session,
 ret = 0;
 goto done;
 }
+ size_t plaintext_len;
+#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
+ memcpy(plaintext, ciphertext, ciphertext_len);
+ plaintext_len = ciphertext_len;
+#else
 if (ciphertext_len >= INT_MAX) {
 goto done;
 }
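Review bot: The fuzzer-mode branch at `#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)` in ssl_encrypt_ticket writes the serialized session into the ticket in the clear, and nothing at the site says so. The same gap applies to the `mac_ok = 1;` override and the `memcpy(plaintext, ciphertext, ciphertext_len);` branch in ssl/t1_lib.c. I would put a short comment above each `#if`, for example `/* Fuzzer mode: the ticket is left unencrypted and unauthenticated (see FUZZING.md); never define this in a shipping build. */`. The `memcpy(ptr, session_buf, session_len);` fits only because of whatever space was reserved behind `ptr` before the hunk, which is not visible here. ssl_encrypt_ticket starts and ends outside the hunk.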
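Review bot: The fuzzer-mode `memcpy(plaintext, ciphertext, ciphertext_len);` in tls_process_ticket is safe only if `plaintext` was allocated with at least `ciphertext_len` bytes, and that allocation sits before the hunk where it cannot be checked. If the buffer is sized as presumed, a one-line comment such as `/* plaintext holds ciphertext_len bytes, allocated above. */` would record the invariant next to the copy; if it is sized any other way, the copy needs its own bound. This branch also skips the `ciphertext_len >= INT_MAX` guard, which looks fine because no `int` conversion happens on this path. tls_process_ticket starts and ends outside the hunk.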
@@ -2986,9 +2996,11 @@ int tls_process_ticket(SSL *ssl, SSL_SESSION **out_session,
 ERR_clear_error(); /* Don't leave an error on the queue. */
 goto done;
 }
+ plaintext_len = (size_t)(len1 + len2);
+#endif
 /* Decode the session. */
- SSL_SESSION *session = SSL_SESSION_from_bytes(plaintext, len1 + len2);
+ SSL_SESSION *session = SSL_SESSION_from_bytes(plaintext, plaintext_len);
 if (session == NULL) {
 ERR_clear_error(); /* Don't leave an error on the queue. */
 goto done; |
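Review bot: The cast in `plaintext_len = (size_t)(len1 + len2);` is applied after the addition has been done in the operands' own type, so it documents the conversion but does not widen the sum. Writing `plaintext_len = (size_t)len1 + (size_t)len2;` states the intent more directly. The declarations of `len1` and `len2` and the decrypt calls that set them are outside the hunk, so this assumes both are non-negative `int` values on the success path. tls_process_ticket continues past the end of the hunk.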