[ech] fuzzing ECH (Was: Re: ECH PR reviews...)

Stephen Farrell stephen.farrell at cs.tcd.ie
Wed Dec 13 22:02:38 UTC 2023


Hiya,

On 13/12/2023 21:55, Salz, Rich wrote:
>> Does anyone have/know-of a published corpus that'd help the
>> fuzzer explore the space of ClientHello messages better, or
>> even code for a structure-aware thing (a la [1]) that knows TLS
>> presentation syntax?
> 
> Perhaps Juraj's TLS attacker[1] would be a good place to start.  He has a paper[2] and has submitted bugs and fixes to OpenSSL in the past. Maybe he can get a grad student to do the work :)
> 
> [1] https://github.com/tls-attacker/TLS-Attacker
> [2] https://www.nds.rub.de/research/publications/systematic-fuzzing-and-testing-tls-libraries/

Good idea. I'll try it out and see if it finds anything.

That said, dunno if it's "the answer" here as it's in Java and
I'm not sure there's any ECH or HPKE code likely to be there so
could be a pile of work to try to use it for this. And then it'd
still not be suited for use in the OpenSSL build.

But will look and we'll see I guess,

Cheers,
S.
