No-op ticket encryption in fuzzer mode.

This allows the fuzzer to discover server-side resumption paths by
simply supplying what we'd like the ticket to decrypt to in the clear.
We also have a natural way to get transcripts out of runner. We record
the runner-side transcripts, so all resumption handshakes will replay
the shim-created unencrypted tickets.

BUG=104

Change-Id: Icf9cbf4af520077d38e2c8c2766b6f8bfa3c9ab5
Reviewed-on: https://boringssl-review.googlesource.com/11224
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 81dbdc4..8db132f 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2963,7 +2963,12 @@
   }
   HMAC_Update(&hmac_ctx, ticket, ticket_len - mac_len);
   HMAC_Final(&hmac_ctx, mac, NULL);
-  if (CRYPTO_memcmp(mac, ticket + (ticket_len - mac_len), mac_len) != 0) {
+  int mac_ok =
+      CRYPTO_memcmp(mac, ticket + (ticket_len - mac_len), mac_len) == 0;
+#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
+  mac_ok = 1;
+#endif
+  if (!mac_ok) {
     goto done;
   }
 
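Review bot: The `mac_ok = 1;` override under `BORINGSSL_UNSAFE_FUZZER_MODE` turns off ticket authentication completely, and nothing at the site says so. I would add `/* Fuzzer mode accepts any ticket MAC so the fuzzer can supply ticket contents directly; never define this in a production build. */` above the `#if`. Whether the build rejects this macro outside fuzzing configurations is not visible in this diff, so that is worth confirming separately. The enclosing function starts and ends outside the hunk.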
@@ -2976,6 +2981,11 @@
     ret = 0;
     goto done;
   }
+  size_t plaintext_len;
+#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
+  memcpy(plaintext, ciphertext, ciphertext_len);
+  plaintext_len = ciphertext_len;
+#else
   if (ciphertext_len >= INT_MAX) {
     goto done;
   }
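Review bot: The fuzzer branch's `memcpy(plaintext, ciphertext, ciphertext_len);` depends on `plaintext` holding at least `ciphertext_len` bytes, and that allocation sits above the hunk. The `ret = 0; goto done;` context lines look like its failure path, so the size is presumably `ciphertext_len`. That should be confirmed, because this branch also skips the `ciphertext_len >= INT_MAX` guard that the real decrypt path applies. A short comment such as `/* Fuzzer mode tickets are unencrypted; plaintext is sized to ciphertext_len above. */` would record the assumption. The `#else` opened here is closed in the next hunk.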
@@ -2986,9 +2996,11 @@
     ERR_clear_error(); /* Don't leave an error on the queue. */
     goto done;
   }
+  plaintext_len = (size_t)(len1 + len2);
+#endif
 
   /* Decode the session. */
-  SSL_SESSION *session = SSL_SESSION_from_bytes(plaintext, len1 + len2);
+  SSL_SESSION *session = SSL_SESSION_from_bytes(plaintext, plaintext_len);
   if (session == NULL) {
     ERR_clear_error(); /* Don't leave an error on the queue. */
     goto done;
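Review bot: In `plaintext_len = (size_t)(len1 + len2);` the sum is computed as `int` and only then cast, so the cast gives no protection against an overflowing or negative sum. The `ciphertext_len >= INT_MAX` guard in the previous hunk presumably bounds both lengths, but the decrypt calls that set `len1` and `len2` are not shown here, so a one-line comment stating that bound would help. I would also write the directive as `#endif /* BORINGSSL_UNSAFE_FUZZER_MODE */`, since the conditional opens in an earlier hunk. The function body continues past the end of this hunk.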