Fix the TLS fuzzers for ECH draft-13.

Replace the hardcoded ECH config, which wasn't updated for draft-13,
with a call to SSL_marshal_ech_config.

Bug: 275, oss-fuzz:38054
Change-Id: I10c12b22015c9c0cb90dd6185eb375153a2531f4
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49445
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/test/fuzzer.h b/ssl/test/fuzzer.h
index 509cfdb..00b5e84 100644
--- a/ssl/test/fuzzer.h
+++ b/ssl/test/fuzzer.h
@@ -231,16 +231,6 @@
     0x01, 'a', 0x02, 'a', 'a', 0x03, 'a', 'a', 'a',
 };
 
-const uint8_t kECHConfig[] = {
-    0xfe, 0x0a, 0x00, 0x47, 0x2a, 0x00, 0x20, 0x00, 0x20, 0x6c, 0x55,
-    0x96, 0x41, 0x3d, 0x12, 0x4e, 0x63, 0x3d, 0x39, 0x7a, 0xe9, 0xbc,
-    0xec, 0xb2, 0x55, 0xd0, 0xe6, 0xaa, 0xbd, 0xa9, 0x79, 0xb8, 0x86,
-    0x9a, 0x13, 0x61, 0xc6, 0x69, 0xac, 0xb4, 0x21, 0x00, 0x0c, 0x00,
-    0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x02, 0x00, 0x01, 0x00, 0x03,
-    0x00, 0x10, 0x00, 0x0e, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2e,
-    0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x00, 0x00,
-};
-
 const uint8_t kECHKey[] = {
     0x35, 0x6d, 0x45, 0x06, 0xb3, 0x88, 0x89, 0x2e, 0xd6, 0x87, 0x84,
     0xd2, 0x2d, 0x6f, 0x83, 0x48, 0xad, 0xf2, 0xfd, 0x08, 0x51, 0x73,
@@ -458,11 +448,20 @@
     if (role_ == kServer) {
       bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
       bssl::ScopedEVP_HPKE_KEY key;
+      uint8_t *ech_config;
+      size_t ech_config_len;
       if (!keys ||
           !EVP_HPKE_KEY_init(key.get(), EVP_hpke_x25519_hkdf_sha256(), kECHKey,
                              sizeof(kECHKey)) ||
-          !SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/true, kECHConfig,
-                            sizeof(kECHConfig), key.get()) ||
+          // Match |echConfig| in |addEncryptedClientHelloTests| from runner.go.
+          !SSL_marshal_ech_config(&ech_config, &ech_config_len,
+                                  /*config_id=*/42, key.get(), "public.example",
+                                  /*max_name_len=*/64)) {
+        return false;
+      }
+      bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
+      if (!SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/true, ech_config,
+                            ech_config_len, key.get()) ||
           !SSL_CTX_set1_ech_keys(ctx_.get(), keys.get())) {
         return false;
       }
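Review bot: The comment above the `SSL_marshal_ech_config` call says to match `echConfig` in runner.go but not what goes wrong when the two drift, and the commit message shows that this is how the old `kECHConfig` went stale. If `config_id`, the public name or `max_name_len` stop matching what the recorded transcripts were generated with, the server side would presumably take the ECH-reject path, so the fuzzer would quietly lose coverage of ECH acceptance rather than fail. I would extend the comment to something like `// Must match |echConfig| in |addEncryptedClientHelloTests| from runner.go; otherwise corpus transcripts no longer decrypt and the ECH accept path goes unfuzzed.` The enclosing function starts and ends outside this hunk, so any other users of these values are not visible here.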