Record a fuzzing corpus for the ClientHelloInner decoder. Also generate a corpus to unblock the Chromium roll. The build tools expect there to be a corresponding directory somewhere. Bug: 275 Change-Id: I7a061ba6625ec57c10b0ae17e68b6b0159c539d4 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46826 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com>
diff --git a/fuzz/decode_client_hello_inner_corpus/1801ac92348bd90de6d206ca01bd373272452e8e b/fuzz/decode_client_hello_inner_corpus/1801ac92348bd90de6d206ca01bd373272452e8e
new file mode 100644
index 0000000..3e0e4fc
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/1801ac92348bd90de6d206ca01bd373272452e8e
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/1bb5c0f4248499b759d8668e2c4efea8479fd1ee b/fuzz/decode_client_hello_inner_corpus/1bb5c0f4248499b759d8668e2c4efea8479fd1ee
new file mode 100644
index 0000000..3feb7f7
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/1bb5c0f4248499b759d8668e2c4efea8479fd1ee
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/236b709b87a1f139b6006661ec14b4dbf74047c9 b/fuzz/decode_client_hello_inner_corpus/236b709b87a1f139b6006661ec14b4dbf74047c9
new file mode 100644
index 0000000..ec4cb85
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/236b709b87a1f139b6006661ec14b4dbf74047c9
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/291b9c64c834a5b3d7f63bfde1a19b0980a002d3 b/fuzz/decode_client_hello_inner_corpus/291b9c64c834a5b3d7f63bfde1a19b0980a002d3
new file mode 100644
index 0000000..a0e32ae
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/291b9c64c834a5b3d7f63bfde1a19b0980a002d3
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/33c11b74f48ec7dc930428805ee06cda2b1239fe b/fuzz/decode_client_hello_inner_corpus/33c11b74f48ec7dc930428805ee06cda2b1239fe
new file mode 100644
index 0000000..83ab46a
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/33c11b74f48ec7dc930428805ee06cda2b1239fe
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/372c6a89144d282135d3a5f78fbadba2f729ae45 b/fuzz/decode_client_hello_inner_corpus/372c6a89144d282135d3a5f78fbadba2f729ae45
new file mode 100644
index 0000000..0572f3c
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/372c6a89144d282135d3a5f78fbadba2f729ae45
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/49831a9bb8cf8d480ee6348efc0348ac4923e7f2 b/fuzz/decode_client_hello_inner_corpus/49831a9bb8cf8d480ee6348efc0348ac4923e7f2
new file mode 100644
index 0000000..c7bdbfa
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/49831a9bb8cf8d480ee6348efc0348ac4923e7f2
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/5150ba3241ea4e68e0edc18852503482fc2b089f b/fuzz/decode_client_hello_inner_corpus/5150ba3241ea4e68e0edc18852503482fc2b089f
new file mode 100644
index 0000000..ef025c3
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/5150ba3241ea4e68e0edc18852503482fc2b089f
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/6e768d7ebcfdf7ef78cd278c9f56cadb5c3aee2a b/fuzz/decode_client_hello_inner_corpus/6e768d7ebcfdf7ef78cd278c9f56cadb5c3aee2a
new file mode 100644
index 0000000..d011946
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/6e768d7ebcfdf7ef78cd278c9f56cadb5c3aee2a
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/6e7e101d38ae565ddda93bcb347ebe1732b8034b b/fuzz/decode_client_hello_inner_corpus/6e7e101d38ae565ddda93bcb347ebe1732b8034b
new file mode 100644
index 0000000..6ae43b6
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/6e7e101d38ae565ddda93bcb347ebe1732b8034b
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/94bb1431a65a63d11179f16b8f4fd149662353ff b/fuzz/decode_client_hello_inner_corpus/94bb1431a65a63d11179f16b8f4fd149662353ff
new file mode 100644
index 0000000..7e6850d
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/94bb1431a65a63d11179f16b8f4fd149662353ff
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/96329c2abe8341f38f48db8c980cd9b1949246f4 b/fuzz/decode_client_hello_inner_corpus/96329c2abe8341f38f48db8c980cd9b1949246f4
new file mode 100644
index 0000000..d9c1769
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/96329c2abe8341f38f48db8c980cd9b1949246f4
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/ae712740a68e8728c14fa97613e42440c937db6e b/fuzz/decode_client_hello_inner_corpus/ae712740a68e8728c14fa97613e42440c937db6e
new file mode 100644
index 0000000..ebb11b6
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/ae712740a68e8728c14fa97613e42440c937db6e
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/c2bb18319c8702195a0acc9a0f2151b35f6357a7 b/fuzz/decode_client_hello_inner_corpus/c2bb18319c8702195a0acc9a0f2151b35f6357a7
new file mode 100644
index 0000000..ccadfa8
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/c2bb18319c8702195a0acc9a0f2151b35f6357a7
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/de2d121cb0614d83d60ab3604aa12a85b53495cd b/fuzz/decode_client_hello_inner_corpus/de2d121cb0614d83d60ab3604aa12a85b53495cd
new file mode 100644
index 0000000..449f856
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/de2d121cb0614d83d60ab3604aa12a85b53495cd
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/e459531b7ab45bd032c1fc12d3f16479b1d2fe7a b/fuzz/decode_client_hello_inner_corpus/e459531b7ab45bd032c1fc12d3f16479b1d2fe7a
new file mode 100644
index 0000000..da0aaaa
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/e459531b7ab45bd032c1fc12d3f16479b1d2fe7a
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/e4a31c4c2a141aad3dd0ebe33cebc2b3394bba6b b/fuzz/decode_client_hello_inner_corpus/e4a31c4c2a141aad3dd0ebe33cebc2b3394bba6b
new file mode 100644
index 0000000..926dcda
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/e4a31c4c2a141aad3dd0ebe33cebc2b3394bba6b
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/eb55f46bb8041e0bdea984692bbc625ce2b3ae61 b/fuzz/decode_client_hello_inner_corpus/eb55f46bb8041e0bdea984692bbc625ce2b3ae61
new file mode 100644
index 0000000..c3a7c21
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/eb55f46bb8041e0bdea984692bbc625ce2b3ae61
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/f4165ec22d360f534a80e5538d206e8ea3e75074 b/fuzz/decode_client_hello_inner_corpus/f4165ec22d360f534a80e5538d206e8ea3e75074
new file mode 100644
index 0000000..3aab11f
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/f4165ec22d360f534a80e5538d206e8ea3e75074
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/f6d419ff34a20222303aa7b58f0025ca751fc2ad b/fuzz/decode_client_hello_inner_corpus/f6d419ff34a20222303aa7b58f0025ca751fc2ad
new file mode 100644
index 0000000..54b07f0
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/f6d419ff34a20222303aa7b58f0025ca751fc2ad
Binary files differ
diff --git a/fuzz/refresh_ssl_corpora.sh b/fuzz/refresh_ssl_corpora.sh
index cbc5e87..d2601c2 100755
--- a/fuzz/refresh_ssl_corpora.sh
+++ b/fuzz/refresh_ssl_corpora.sh
@@ -113,6 +113,7 @@
 minimize_corpus "$no_fuzzer_mode_build_dir/fuzz/server" server_corpus_no_fuzzer_mode
 minimize_corpus "$fuzzer_mode_build_dir/fuzz/dtls_client" dtls_client_corpus
 minimize_corpus "$fuzzer_mode_build_dir/fuzz/dtls_server" dtls_server_corpus
+minimize_corpus "$fuzzer_mode_build_dir/fuzz/decode_client_hello_inner" decode_client_hello_inner_corpus
 # Incorporate the new transcripts.
@@ -123,3 +124,4 @@
 "$no_fuzzer_mode_build_dir/fuzz/server" -max_len=50000 -merge=1 server_corpus_no_fuzzer_mode "${no_fuzzer_mode_transcripts}/tls/server"
 "$fuzzer_mode_build_dir/fuzz/dtls_client" -max_len=50000 -merge=1 dtls_client_corpus "${fuzzer_mode_transcripts}/dtls/client"
 "$fuzzer_mode_build_dir/fuzz/dtls_server" -max_len=50000 -merge=1 dtls_server_corpus "${fuzzer_mode_transcripts}/dtls/server"
+"$fuzzer_mode_build_dir/fuzz/decode_client_hello_inner" -max_len=50000 -merge=1 decode_client_hello_inner_corpus "${fuzzer_mode_transcripts}/decode_client_hello_inner"
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index 50d38d1..02a5a62 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@@ -932,6 +932,11 @@
 // success.
 MinimalClientHelloOuter bool
+ // RecordClientHelloInner, when non-nil, is called whenever the client
+ // generates an encrypted ClientHello. The byte strings do not include the
+ // ClientHello header.
+ RecordClientHelloInner func(encodedInner, outer []byte) error
+
 // SwapNPNAndALPN switches the relative order between NPN and ALPN in
 // both ClientHello and ServerHello.
 SwapNPNAndALPN bool
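Review bot: The doc comment on `RecordClientHelloInner` does not say which argument carries which message or what a returned error does. Judging by the call site added in handshake_client.go, the first slice is the encoded inner ClientHello, the second is the marshalled outer ClientHello, and a non-nil error is returned straight from the function that builds the ECH extension. A line such as `// encodedInner is the EncodedClientHelloInner and outer is the ClientHelloOuter body; a non-nil error is propagated to the caller.` would make the contract readable without opening the caller. The struct this field belongs to starts and ends outside the hunk.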
diff --git a/ssl/test/runner/handshake_client.go b/ssl/test/runner/handshake_client.go
index 74e9407..93a169b 100644
--- a/ssl/test/runner/handshake_client.go
+++ b/ssl/test/runner/handshake_client.go
@@ -882,7 +882,8 @@
 aad.addU16LengthPrefixed().addBytes(enc)
 hello.marshalForOuterAAD(aad.addU24LengthPrefixed())
- payload := hs.echHPKEContext.Seal(innerHello.marshalForEncodedInner(), aad.finish())
+ encodedInner := innerHello.marshalForEncodedInner()
+ payload := hs.echHPKEContext.Seal(encodedInner, aad.finish())
 // Place the ECH extension in the outer CH.
 hello.clientECH = &clientECH{
@@ -893,6 +894,15 @@
 payload: payload,
 }
+ if c.config.Bugs.RecordClientHelloInner != nil {
+ if err := c.config.Bugs.RecordClientHelloInner(encodedInner, hello.marshal()[4:]); err != nil {
+ return err
+ }
+ // ECH is normally the last extension added to |hello|, but, when
+ // OfferSessionInClientHelloOuter is enabled, we may modify it again.
+ hello.raw = nil
+ }
+
 return nil
 }
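Review bot: In the second hunk, `hello.marshal()[4:]` strips a bare literal 4 with no explanation. It is presumably the handshake message header (one type byte plus a 24-bit length), which is what the field comment in common.go means by "do not include the ClientHello header". A short comment on that line, e.g. `// Skip the 4-byte handshake header (type + u24 length).`, or a named constant would keep the offset from drifting if the header handling changes. The existing comment above `hello.raw = nil` explains why the field is cleared but not that the `marshal()` call just above is what populated it; consider `// marshal() cached its output in hello.raw; drop it so later edits to |hello| are re-serialized.` if that is indeed how `marshal` behaves. The enclosing function starts outside the hunk.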
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index e076e3c..be934fe 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -804,6 +804,21 @@
 panic("transcripts are out of sync")
 }
 }()
+
+ // Record ClientHellos for the decode_client_hello_inner fuzzer.
+ var clientHelloCount int
+ config.Bugs.RecordClientHelloInner = func(encodedInner, outer []byte) error {
+ name := fmt.Sprintf("%s-%d-%d", test.name, num, clientHelloCount)
+ clientHelloCount++
+ dir := filepath.Join(*transcriptDir, "decode_client_hello_inner")
+ if err := os.MkdirAll(dir, 0755); err != nil {
+ return err
+ }
+ bb := newByteBuilder()
+ bb.addU24LengthPrefixed().addBytes(encodedInner)
+ bb.addBytes(outer)
+ return ioutil.WriteFile(filepath.Join(dir, name), bb.finish(), 0644)
+ }
 }
 if config.Bugs.PacketAdaptor != nil {
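Review bot: The on-disk layout of each recorded file (a u24 length-prefixed encoded inner ClientHello followed by the raw outer ClientHello) is only implied by the three `bb.` calls, yet the fuzz target has to parse exactly the same layout. If the two drift apart, the seed corpus stops reaching the decoder and coverage drops without any failure being reported. A comment above `bb := newByteBuilder()` would pin this down, for example `// File format: u24-length-prefixed EncodedClientHelloInner, then the ClientHelloOuter body. Keep in sync with the decode_client_hello_inner fuzz target.` Separately, `name` is built from `test.name` and joined under `dir` unchecked; test names are presumably in-repo constants, but a name containing a path separator would make `ioutil.WriteFile` fail or write outside `dir`. The enclosing function starts and ends outside the hunk.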