-
Notifications
You must be signed in to change notification settings - Fork 143
481 lines (468 loc) · 17.5 KB
/
test-core.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
name: Themis Core
on:
pull_request:
paths:
- '.github/workflows/test-core.yaml'
- 'benches/themis/**'
- 'docs/examples/c/**'
- 'src/soter/**'
- 'src/themis/**'
- 'tests/common/**'
- 'tests/soter/**'
- 'tests/themis/**'
- '!tests/themis/wrappers/android/**'
- 'third_party/boringssl/src/**'
- 'tools/afl/**'
- '**/*.mk'
- 'Makefile'
- '!**/README*'
push:
branches:
- master
- stable
- release/*
schedule:
- cron: '20 6 * * 1' # every Monday at 6:20 UTC
env:
WITH_FATAL_WARNINGS: yes
# RNG tests tend to fail in virtualized environment due to /dev/random
# not behaving properly. Disable them to avoid spurious failures.
NO_NIST_STS: 1
jobs:
unit-tests:
name: Unit tests
runs-on: ${{ matrix.os }}
env:
SOTER_KDF_RUN_LONG_TESTS: yes
MATRIX_OS: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-20.04, ubuntu-22.04, macos-12]
fail-fast: false
steps:
- name: Install system dependencies
run: |
if [[ "$(uname)" = "Darwin" ]]
then
brew install cmake ninja [email protected] openssl@3
else
sudo sh -c 'echo "DEBIAN_FRONTEND=noninteractive" >> /etc/environment'
sudo apt update
sudo apt install --yes gcc make libssl-dev cmake ninja-build
fi
- name: Check out code
uses: actions/checkout@v2
with:
submodules: true
- name: Build Themis Core (OpenSSL)
run: make prepare_tests_basic ENGINE=openssl BUILD_PATH=build-openssl
- name: Build Themis Core (OpenSSL 3.0)
if: ${{ matrix.os != 'ubuntu-20.04' }}
run: |
export ENGINE=openssl
# macOS has both OpenSSL 1.1.1 and 3.0 installed, be specific.
if [[ "$MATRIX_OS" = "macos-12" ]]; then
openssl3="$(brew --prefix openssl@3)"
export ENGINE_INCLUDE_PATH="$openssl3/include"
export ENGINE_LIB_PATH="$openssl3/lib"
fi
make prepare_tests_basic BUILD_PATH=build-openssl-3.0
- name: Build Themis Core (BoringSSL)
if: always()
run: make prepare_tests_basic ENGINE=boringssl BUILD_PATH=build-boringssl
- name: Build Themis Core (WITH_SCELL_COMPAT)
run: make prepare_tests_basic WITH_SCELL_COMPAT=yes BUILD_PATH=build-compat
- name: Run test suite (OpenSSL)
run: make test ENGINE=openssl BUILD_PATH=build-openssl
- name: Run test suite (OpenSSL, uncompressed keys)
env:
THEMIS_GEN_EC_KEY_PAIR_UNCOMPRESSED: "1"
run: make test ENGINE=openssl BUILD_PATH=build-openssl
- name: Run test suite (OpenSSL 3.0)
if: ${{ matrix.os != 'ubuntu-20.04' }}
run: |
export ENGINE=openssl
# macOS has both OpenSSL 1.1.1 and 3.0 installed, be specific.
if [[ "$MATRIX_OS" = "macos-12" ]]; then
openssl3="$(brew --prefix openssl@3)"
export ENGINE_INCLUDE_PATH="$openssl3/include"
export ENGINE_LIB_PATH="$openssl3/lib"
fi
make test BUILD_PATH=build-openssl-3.0
- name: Run test suite (OpenSSL 3.0, uncompressed keys)
if: ${{ matrix.os != 'ubuntu-20.04' }}
env:
THEMIS_GEN_EC_KEY_PAIR_UNCOMPRESSED: "1"
run: |
export ENGINE=openssl
# macOS has both OpenSSL 1.1.1 and 3.0 installed, be specific.
if [[ "$MATRIX_OS" = "macos-12" ]]; then
openssl3="$(brew --prefix openssl@3)"
export ENGINE_INCLUDE_PATH="$openssl3/include"
export ENGINE_LIB_PATH="$openssl3/lib"
fi
make test BUILD_PATH=build-openssl-3.0
- name: Run test suite (BoringSSL)
if: always()
run: make test ENGINE=boringssl BUILD_PATH=build-boringssl
- name: Run test suite (BoringSSL, uncompressed keys)
if: always()
env:
THEMIS_GEN_EC_KEY_PAIR_UNCOMPRESSED: "1"
run: make test ENGINE=boringssl BUILD_PATH=build-boringssl
- name: Run test suite (WITH_SCELL_COMPAT)
run: make test WITH_SCELL_COMPAT=yes BUILD_PATH=build-compat
examples:
name: Code examples
runs-on: ubuntu-20.04
steps:
- name: Install system dependencies
run: |
sudo sh -c 'echo "DEBIAN_FRONTEND=noninteractive" >> /etc/environment'
sudo apt update
sudo apt install --yes gcc make libssl-dev
- name: Check out code
uses: actions/checkout@v2
- name: Install Themis Core
run: |
make
sudo make install
- name: Run examples
run: |
cd $GITHUB_WORKSPACE/docs/examples/c/session_buffer_test
echo "Secure Session: buffer interface"
cc -o session_buffer_test session_buffer_test.c -lthemis
./session_buffer_test
cd $GITHUB_WORKSPACE/docs/examples/c/ssession_test
echo "Secure Session: socket interface"
cc -o session_test client.c server.c session_test.c -lthemis -pthread
./session_test
sanitizers:
name: Unit tests (with sanitizers)
runs-on: ubuntu-20.04
env:
WITH_FATAL_SANITIZERS: yes
steps:
- name: Install system dependencies
run: |
sudo sh -c 'echo "DEBIAN_FRONTEND=noninteractive" >> /etc/environment'
sudo apt update
sudo apt install --yes gcc-8 clang-8 make libssl-dev
- name: Check out code
uses: actions/checkout@v2
# We test only OpenSSL flavor to not expand the testing matrix too much
# (rebuilding BoringSSL is not fun and takes much time)
- name: Check with GCC (ASan)
if: always()
run: make clean test CC=gcc-8 WITH_ASAN=1
- name: Check with GCC (TSan)
if: always()
run: make clean test CC=gcc-8 WITH_TSAN=1
- name: Check with GCC (UBSan)
if: always()
run: make clean test CC=gcc-8 WITH_UBSAN=1
- name: Check with Clang (ASan)
if: always()
run: make clean test CC=clang-8 WITH_ASAN=1
- name: Check with Clang (TSan)
if: always()
run: make clean test CC=clang-8 WITH_TSAN=1
- name: Check with Clang (UBSan)
if: always()
run: make clean test CC=clang-8 WITH_UBSAN=1
benchmarks:
name: Benchmarks
runs-on: ubuntu-20.04
steps:
- name: Install system dependencies
run: |
sudo sh -c 'echo "DEBIAN_FRONTEND=noninteractive" >> /etc/environment'
sudo apt update
sudo apt install --yes gcc make libssl-dev gnuplot zip
- name: Install Rust toolchain (stable)
uses: actions-rs/toolchain@v1
with:
toolchain: stable
profile: minimal
- name: Check out code
uses: actions/checkout@v2
- name: Install Themis Core
run: |
make
sudo make install
# Cargo pulls in quite a few stuff from the Internet and Rust always
# (slowly) recompiles dependencies, so make heavy use of caching
- name: Cache Cargo registry
uses: actions/cache@v1
with:
path: ~/.cargo/registry
key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.toml') }}
restore-keys: ${{ runner.os }}-cargo-registry-
- name: Cache Cargo index
uses: actions/cache@v1
with:
path: ~/.cargo/git
key: ${{ runner.os }}-cargo-index-${{ hashFiles('**/Cargo.toml') }}
restore-keys: ${{ runner.os }}-cargo-index-
- name: Cache Cargo build
uses: actions/cache@v1
with:
path: target
key: ${{ runner.os }}-cargo-build-target-${{ hashFiles('**/Cargo.toml') }}
restore-keys: ${{ runner.os }}-cargo-build-target-
# This can take a while on the first run, it's better with caches
- name: Build benchmarks
run: |
cd benches/themis
cargo bench --no-run
# TODO: if building a pull request, compare base with updates
- name: Benchmark Secure Cell (master key)
run: |
cd benches/themis
cargo bench -- '^Secure Cell .* master key/4 KB'
- name: Benchmark Secure Cell (passphrase)
run: |
cd benches/themis
# These are awfully slow due to KDF
cargo bench -- '^Secure Cell .* passphrase/4 KB' --sample-size 10
- name: Benchmark Secure Message (RSA)
run: |
cd benches/themis
cargo bench -- '^Secure Message .* - RSA/4 KB'
- name: Benchmark Secure Message (ECDSA)
run: |
cd benches/themis
cargo bench -- '^Secure Message .* - ECDSA/4 KB'
- name: Upload benchmark report
uses: actions/upload-artifact@v1
with:
name: Criterion report
path: target/criterion
fuzzing:
name: AFL fuzzing
runs-on: ubuntu-20.04
env:
FUZZ_TIMEOUT: 30s
THEMIS_DEFAULT_PBKDF2_ITERATIONS: 10
WITH_FATAL_SANITIZERS: yes
steps:
- name: Install system dependencies
run: |
sudo sh -c 'echo "DEBIAN_FRONTEND=noninteractive" >> /etc/environment'
# 32-bit toolchain is required to run AFL with some sanitizers
sudo dpkg --add-architecture i386
sudo apt update
sudo apt install --yes gcc make zip \
afl++ gcc-multilib libc6-dev:i386 \
libssl-dev:amd64 libssl-dev:i386
# AFL needs proper core dumps to be available, write them to files
sudo sh -c 'echo core > /proc/sys/kernel/core_pattern'
- name: Check out code
uses: actions/checkout@v2
- name: Build fuzzing framework (Clang)
if: always()
run: make clean fuzz AFL_CC=afl-clang
- name: Build fuzzing framework (GCC)
if: always()
run: make clean fuzz AFL_CC=afl-gcc
# Don't run them for too long, we aim for low-hanging fruit here.
# Ideally we'd like to wait for AFL to make one cycle and stop.
- name: Fuzzing with Address Sanitizer
if: always()
run: |
make clean fuzz AFL_CC=afl-gcc WITH_ASAN=1
for tool in tools/afl/input/*
do
timeout -s INT "$FUZZ_TIMEOUT" \
make fuzz AFL_CC=afl-gcc WITH_ASAN=1 \
AFL_FUZZ="afl-fuzz -m 1024" \
FUZZ_BIN=$(basename $tool) \
| cat -u || true
done
# actions/upload-artifact cannot handle ":" in paths used by AFL,
# archive the report manually to prevent massive stalls
cd build/afl
zip -r results-asan.zip output
cd -
echo
echo Analyzing results...
echo
./tools/afl/analyze_crashes.sh --no-debugger
- name: Upload ASan results
if: always()
uses: actions/upload-artifact@v1
with:
name: Core fuzzer report (ASan)
path: build/afl/results-asan.zip
- name: Fuzzing with Undefined Behavior Sanitizer
if: always()
run: |
make clean fuzz AFL_CC=afl-clang WITH_UBSAN=1
for tool in tools/afl/input/*
do
timeout -s INT "$FUZZ_TIMEOUT" \
make fuzz AFL_CC=afl-clang WITH_UBSAN=1 \
FUZZ_BIN=$(basename $tool) \
| cat -u || true
done
# actions/upload-artifact cannot handle ":" in paths used by AFL,
# archive the report manually to prevent massive stalls
cd build/afl
zip -r results-ubsan.zip output
cd -
echo
echo Analyzing results...
echo
./tools/afl/analyze_crashes.sh --no-debugger
- name: Upload UBSan results
if: always()
uses: actions/upload-artifact@v1
with:
name: Core fuzzer report (UBSan)
path: build/afl/results-ubsan.zip
# TODO: 32-bit builds WITH_UBSAN=1
leak-check:
name: Memory leaks
runs-on: ubuntu-20.04
steps:
- name: Install system dependencies
run: |
sudo sh -c 'echo "DEBIAN_FRONTEND=noninteractive" >> /etc/environment'
sudo apt update
sudo apt install --yes gcc make libssl-dev valgrind ninja-build
- name: Check out code
uses: actions/checkout@v2
with:
submodules: true
- name: Build Themis Core
run: |
make prepare_tests_basic ENGINE=openssl BUILD_PATH=build_openssl
make prepare_tests_basic ENGINE=boringssl BUILD_PATH=build_boringssl
- name: Check for leaks (OpenSSL)
if: always()
run: |
cd build_openssl
valgrind tests/soter_test 2>&1 | tee -a valgrind-report.txt
valgrind tests/themis_test 2>&1 | tee -a valgrind-report.txt
awk '
/ERROR SUMMARY|(definitely|indirectly|possibly) lost/ { sum += $4 }
END { if (sum > 0) { exit 1 } }
' valgrind-report.txt
- name: Check for leaks (BoringSSL)
if: always()
run: |
cd build_boringssl
valgrind tests/soter_test 2>&1 | tee -a valgrind-report.txt
valgrind tests/themis_test 2>&1 | tee -a valgrind-report.txt
awk '
/ERROR SUMMARY|(definitely|indirectly|possibly) lost/ { sum += $4 }
END { if (sum > 0) { exit 1 } }
' valgrind-report.txt
coverage:
name: Unit test coverage
runs-on: ubuntu-20.04
steps:
- name: Install system dependencies
run: |
sudo sh -c 'echo "DEBIAN_FRONTEND=noninteractive" >> /etc/environment'
sudo apt update
sudo apt install --yes gcc make libssl-dev lcov
- name: Check out code
uses: actions/checkout@v2
- name: Build Themis Core
run: make prepare_tests_basic COVERAGE=y
- name: Reset lcov counters
run: lcov --directory . --zerocounters
- name: Run test suite
run: make test COVERAGE=y
- name: Prepare lcov data
run: |
lcov --output-file coverage.info --directory . --capture
# Do not include tests themselves as well as system headers
lcov --output-file coverage.info --remove coverage.info '*/tests/*' '/usr/*'
lcov --list coverage.info
- name: Submit results to Coveralls
uses: coverallsapp/github-action@master
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
path-to-lcov: ./coverage.info
msys2:
name: MSYS2 environment
runs-on: windows-2022
env:
SOTER_KDF_RUN_LONG_TESTS: yes
# TODO: remove these two options when MSYS2 build issues are solved,
# because now PKGBUILD.MSYS2 just downloads latest release archive
# from GitHub instead of using checked out files
WITH_EXPERIMENTAL_OPENSSL_3_SUPPORT: yes
WITH_FATAL_WARNINGS: "no" # YAML :trollface:
defaults:
run:
shell: msys2 {0}
steps:
- name: Install MSYS2
uses: msys2/setup-msys2@v2
with:
install: >-
base-devel tar git gcc make
libopenssl>=3.0.0
openssl-devel>=3.0.0
mingw-w64-x86_64-nsis
# Git, I know you're only trying to help, but MSYS can work with
# UNIX line endings just fine. In fact, "makepkg" *requires* them.
# So don't be smart: just fetch the files as they are.
- name: Use UNIX line endings
shell: bash
run: git config --global core.autocrlf input
- name: Check out code
uses: actions/checkout@v2
# TODO: if there are users of the BoringSSL flavor on Windows,
# we should be testing that one as well
- name: Build Themis Core
run: make prepare_tests_basic
- name: Run test suite
run: make test
# TODO: it would be nice to test the installer too
- name: Build Themis installer
run: make nsis_installer
- name: Build Themis packages
run: makepkg -p PKGBUILD.MSYS2
- name: Install Themis packages
run: pacman -U --noconfirm themis-*.pkg.*
- name: Try building examples
run: |
cd $GITHUB_WORKSPACE/docs/examples/c/session_buffer_test
echo "Secure Session: buffer interface"
cc -o session_buffer_test session_buffer_test.c -lthemis
./session_buffer_test
cd $GITHUB_WORKSPACE/docs/examples/c/ssession_test
echo "Secure Session: socket interface"
cc -o session_test client.c server.c session_test.c -lthemis -pthread
./session_test
macos-cross-compile:
name: macOS cross toolchain
runs-on: macos-12
steps:
- name: Install system dependencies
run: |
brew install cmake ninja
- name: Check out code
uses: actions/checkout@v2
with:
submodules: true
# We can't test OpenSSL builds since this requires OpenSSL libraries
# built for the target architecture (and Homebrew doesn't have any).
#
# GitHub's virtual environemnts can change the default version of Xcode
# and that changes the available SDKs. Check the combinations here:
# https://github.com/actions/virtual-environments/blob/main/images/macos/macos-10.15-Readme.md#xcode
- name: Build Themis Core (BoringSSL, arm64)
run: make SDK=macosx13.1 ARCH=arm64 ENGINE=boringssl
# Of course we can't run unit tests either because there is no emulator.
# So I will be satisifed to see the build succeed and produce binaries
# with expected architecture.
- name: Check binary architecture
run: |
set -x
test $(lipo -archs build/libsoter.0.dylib) = arm64
test $(lipo -archs build/libthemis.0.dylib) = arm64