Record a fuzzing corpus for the ClientHelloInner decoder.
Also generate a corpus to unblock the Chromium roll. The build tools
expect there to be a corresponding directory somewhere.
Bug: 275
Change-Id: I7a061ba6625ec57c10b0ae17e68b6b0159c539d4
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46826
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
diff --git a/fuzz/decode_client_hello_inner_corpus/1801ac92348bd90de6d206ca01bd373272452e8e b/fuzz/decode_client_hello_inner_corpus/1801ac92348bd90de6d206ca01bd373272452e8e
new file mode 100644
index 0000000..3e0e4fc
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/1801ac92348bd90de6d206ca01bd373272452e8e
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/1bb5c0f4248499b759d8668e2c4efea8479fd1ee b/fuzz/decode_client_hello_inner_corpus/1bb5c0f4248499b759d8668e2c4efea8479fd1ee
new file mode 100644
index 0000000..3feb7f7
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/1bb5c0f4248499b759d8668e2c4efea8479fd1ee
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/236b709b87a1f139b6006661ec14b4dbf74047c9 b/fuzz/decode_client_hello_inner_corpus/236b709b87a1f139b6006661ec14b4dbf74047c9
new file mode 100644
index 0000000..ec4cb85
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/236b709b87a1f139b6006661ec14b4dbf74047c9
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/291b9c64c834a5b3d7f63bfde1a19b0980a002d3 b/fuzz/decode_client_hello_inner_corpus/291b9c64c834a5b3d7f63bfde1a19b0980a002d3
new file mode 100644
index 0000000..a0e32ae
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/291b9c64c834a5b3d7f63bfde1a19b0980a002d3
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/33c11b74f48ec7dc930428805ee06cda2b1239fe b/fuzz/decode_client_hello_inner_corpus/33c11b74f48ec7dc930428805ee06cda2b1239fe
new file mode 100644
index 0000000..83ab46a
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/33c11b74f48ec7dc930428805ee06cda2b1239fe
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/372c6a89144d282135d3a5f78fbadba2f729ae45 b/fuzz/decode_client_hello_inner_corpus/372c6a89144d282135d3a5f78fbadba2f729ae45
new file mode 100644
index 0000000..0572f3c
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/372c6a89144d282135d3a5f78fbadba2f729ae45
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/49831a9bb8cf8d480ee6348efc0348ac4923e7f2 b/fuzz/decode_client_hello_inner_corpus/49831a9bb8cf8d480ee6348efc0348ac4923e7f2
new file mode 100644
index 0000000..c7bdbfa
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/49831a9bb8cf8d480ee6348efc0348ac4923e7f2
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/5150ba3241ea4e68e0edc18852503482fc2b089f b/fuzz/decode_client_hello_inner_corpus/5150ba3241ea4e68e0edc18852503482fc2b089f
new file mode 100644
index 0000000..ef025c3
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/5150ba3241ea4e68e0edc18852503482fc2b089f
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/6e768d7ebcfdf7ef78cd278c9f56cadb5c3aee2a b/fuzz/decode_client_hello_inner_corpus/6e768d7ebcfdf7ef78cd278c9f56cadb5c3aee2a
new file mode 100644
index 0000000..d011946
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/6e768d7ebcfdf7ef78cd278c9f56cadb5c3aee2a
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/6e7e101d38ae565ddda93bcb347ebe1732b8034b b/fuzz/decode_client_hello_inner_corpus/6e7e101d38ae565ddda93bcb347ebe1732b8034b
new file mode 100644
index 0000000..6ae43b6
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/6e7e101d38ae565ddda93bcb347ebe1732b8034b
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/94bb1431a65a63d11179f16b8f4fd149662353ff b/fuzz/decode_client_hello_inner_corpus/94bb1431a65a63d11179f16b8f4fd149662353ff
new file mode 100644
index 0000000..7e6850d
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/94bb1431a65a63d11179f16b8f4fd149662353ff
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/96329c2abe8341f38f48db8c980cd9b1949246f4 b/fuzz/decode_client_hello_inner_corpus/96329c2abe8341f38f48db8c980cd9b1949246f4
new file mode 100644
index 0000000..d9c1769
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/96329c2abe8341f38f48db8c980cd9b1949246f4
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/ae712740a68e8728c14fa97613e42440c937db6e b/fuzz/decode_client_hello_inner_corpus/ae712740a68e8728c14fa97613e42440c937db6e
new file mode 100644
index 0000000..ebb11b6
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/ae712740a68e8728c14fa97613e42440c937db6e
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/c2bb18319c8702195a0acc9a0f2151b35f6357a7 b/fuzz/decode_client_hello_inner_corpus/c2bb18319c8702195a0acc9a0f2151b35f6357a7
new file mode 100644
index 0000000..ccadfa8
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/c2bb18319c8702195a0acc9a0f2151b35f6357a7
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/de2d121cb0614d83d60ab3604aa12a85b53495cd b/fuzz/decode_client_hello_inner_corpus/de2d121cb0614d83d60ab3604aa12a85b53495cd
new file mode 100644
index 0000000..449f856
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/de2d121cb0614d83d60ab3604aa12a85b53495cd
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/e459531b7ab45bd032c1fc12d3f16479b1d2fe7a b/fuzz/decode_client_hello_inner_corpus/e459531b7ab45bd032c1fc12d3f16479b1d2fe7a
new file mode 100644
index 0000000..da0aaaa
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/e459531b7ab45bd032c1fc12d3f16479b1d2fe7a
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/e4a31c4c2a141aad3dd0ebe33cebc2b3394bba6b b/fuzz/decode_client_hello_inner_corpus/e4a31c4c2a141aad3dd0ebe33cebc2b3394bba6b
new file mode 100644
index 0000000..926dcda
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/e4a31c4c2a141aad3dd0ebe33cebc2b3394bba6b
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/eb55f46bb8041e0bdea984692bbc625ce2b3ae61 b/fuzz/decode_client_hello_inner_corpus/eb55f46bb8041e0bdea984692bbc625ce2b3ae61
new file mode 100644
index 0000000..c3a7c21
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/eb55f46bb8041e0bdea984692bbc625ce2b3ae61
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/f4165ec22d360f534a80e5538d206e8ea3e75074 b/fuzz/decode_client_hello_inner_corpus/f4165ec22d360f534a80e5538d206e8ea3e75074
new file mode 100644
index 0000000..3aab11f
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/f4165ec22d360f534a80e5538d206e8ea3e75074
Binary files differ
diff --git a/fuzz/decode_client_hello_inner_corpus/f6d419ff34a20222303aa7b58f0025ca751fc2ad b/fuzz/decode_client_hello_inner_corpus/f6d419ff34a20222303aa7b58f0025ca751fc2ad
new file mode 100644
index 0000000..54b07f0
--- /dev/null
+++ b/fuzz/decode_client_hello_inner_corpus/f6d419ff34a20222303aa7b58f0025ca751fc2ad
Binary files differ
diff --git a/fuzz/refresh_ssl_corpora.sh b/fuzz/refresh_ssl_corpora.sh
index cbc5e87..d2601c2 100755
--- a/fuzz/refresh_ssl_corpora.sh
+++ b/fuzz/refresh_ssl_corpora.sh
@@ -113,6 +113,7 @@
minimize_corpus "$no_fuzzer_mode_build_dir/fuzz/server" server_corpus_no_fuzzer_mode
minimize_corpus "$fuzzer_mode_build_dir/fuzz/dtls_client" dtls_client_corpus
minimize_corpus "$fuzzer_mode_build_dir/fuzz/dtls_server" dtls_server_corpus
+minimize_corpus "$fuzzer_mode_build_dir/fuzz/decode_client_hello_inner" decode_client_hello_inner_corpus
# Incorporate the new transcripts.
@@ -123,3 +124,4 @@
"$no_fuzzer_mode_build_dir/fuzz/server" -max_len=50000 -merge=1 server_corpus_no_fuzzer_mode "${no_fuzzer_mode_transcripts}/tls/server"
"$fuzzer_mode_build_dir/fuzz/dtls_client" -max_len=50000 -merge=1 dtls_client_corpus "${fuzzer_mode_transcripts}/dtls/client"
"$fuzzer_mode_build_dir/fuzz/dtls_server" -max_len=50000 -merge=1 dtls_server_corpus "${fuzzer_mode_transcripts}/dtls/server"
+"$fuzzer_mode_build_dir/fuzz/decode_client_hello_inner" -max_len=50000 -merge=1 decode_client_hello_inner_corpus "${fuzzer_mode_transcripts}/decode_client_hello_inner"
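Review bot: The new merge line reads only `${fuzzer_mode_transcripts}/decode_client_hello_inner`, and nothing here says why the no-fuzzer-mode transcripts are left out. The recorder added in runner.go writes under whichever transcript directory is passed, so a no-fuzzer-mode run would presumably produce recordings that are never merged. A one-line comment above this line and above the matching `minimize_corpus` line in the previous hunk would settle it, e.g. `# decode_client_hello_inner is only built in fuzzer mode; no-fuzzer-mode recordings are intentionally ignored.` It is also worth confirming that the directory exists whenever this line runs, since it is created lazily on the first recorded ClientHello.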
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index 50d38d1..02a5a62 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@@ -932,6 +932,11 @@
// success.
MinimalClientHelloOuter bool
+ // RecordClientHelloInner, when non-nil, is called whenever the client
+ // generates an encrypted ClientHello. The byte strings do not include the
+ // ClientHello header.
+ RecordClientHelloInner func(encodedInner, outer []byte) error
+
// SwapNPNAndALPN switches the relative order between NPN and ALPN in
// both ClientHello and ServerHello.
SwapNPNAndALPN bool
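Review bot: The doc comment on `RecordClientHelloInner` does not describe the error contract or the lifetime of the two slices, and the caller in handshake_client.go depends on both. There a non-nil error is returned straight out of the ClientHello construction path, and `outer` is a slice of a marshalled buffer taken before later modifications. I would add `// A non-nil error is returned to the handshake caller. outer is a snapshot of ClientHelloOuter at call time and may differ from the bytes finally sent; the callback must not retain or modify either slice.` The struct holding this field starts and ends outside the hunk.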
diff --git a/ssl/test/runner/handshake_client.go b/ssl/test/runner/handshake_client.go
index 74e9407..93a169b 100644
--- a/ssl/test/runner/handshake_client.go
+++ b/ssl/test/runner/handshake_client.go
@@ -882,7 +882,8 @@
aad.addU16LengthPrefixed().addBytes(enc)
hello.marshalForOuterAAD(aad.addU24LengthPrefixed())
- payload := hs.echHPKEContext.Seal(innerHello.marshalForEncodedInner(), aad.finish())
+ encodedInner := innerHello.marshalForEncodedInner()
+ payload := hs.echHPKEContext.Seal(encodedInner, aad.finish())
// Place the ECH extension in the outer CH.
hello.clientECH = &clientECH{
@@ -893,6 +894,15 @@
payload: payload,
}
+ if c.config.Bugs.RecordClientHelloInner != nil {
+ if err := c.config.Bugs.RecordClientHelloInner(encodedInner, hello.marshal()[4:]); err != nil {
+ return err
+ }
+ // ECH is normally the last extension added to |hello|, but, when
+ // OfferSessionInClientHelloOuter is enabled, we may modify it again.
+ hello.raw = nil
+ }
+
return nil
}
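Review bot: The literal offset in `hello.marshal()[4:]` is unexplained, and it is the only thing tying this call to the "do not include the ClientHello header" promise in the field's doc comment. Presumably it strips the one-byte handshake type and the three-byte length; a short comment such as `// Skip the 4-byte handshake header (type + u24 length).` or a named constant would make that checkable. It is also worth noting in the existing comment that calling `marshal()` here populates `hello.raw` as a side effect, which is why the reset is needed only in the recording branch. The enclosing function begins outside the hunk.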
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index e076e3c..be934fe 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -804,6 +804,21 @@
panic("transcripts are out of sync")
}
}()
+
+ // Record ClientHellos for the decode_client_hello_inner fuzzer.
+ var clientHelloCount int
+ config.Bugs.RecordClientHelloInner = func(encodedInner, outer []byte) error {
+ name := fmt.Sprintf("%s-%d-%d", test.name, num, clientHelloCount)
+ clientHelloCount++
+ dir := filepath.Join(*transcriptDir, "decode_client_hello_inner")
+ if err := os.MkdirAll(dir, 0755); err != nil {
+ return err
+ }
+ bb := newByteBuilder()
+ bb.addU24LengthPrefixed().addBytes(encodedInner)
+ bb.addBytes(outer)
+ return ioutil.WriteFile(filepath.Join(dir, name), bb.finish(), 0644)
+ }
}
if config.Bugs.PacketAdaptor != nil {
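Review bot: The corpus file layout written by this closure is defined only implicitly by the three `bb` calls, while the fuzzer harness that consumes it (not part of this diff) has to parse exactly the same framing. A comment above `bb := newByteBuilder()` would pin it down, e.g. `// File layout: u24 length || EncodedClientHelloInner || ClientHelloOuter (no handshake header); keep in sync with the decode_client_hello_inner fuzzer.` Separately, `test.name` goes into `filepath.Join(dir, name)` unchanged, so a test name containing a path separator would place the file outside `dir` or make `WriteFile` fail. The names are defined by the runner itself, so this is hygiene rather than exposure, but replacing separators in `name` would be cheap. The enclosing conditional opens before the hunk.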