Skip to content

Testing suite

brycx edited this page Oct 19, 2019 · 34 revisions

Minimum Supported Rust Version (MSRV):

orion is always tested with the latest stable and nightly Rust versions.

Continuous Integration (CI):

The entire test suite is run with Travis CI using latest stable and nightly Rust. On nightly Rust (with the nightly feature both enabled and not), all tests (except for doctests) are run with AddressSanitizer(with ODR violation detection disabled) and LeakSanitizer.

For LeakSanitizer to be more effective, the opt-level for tests are set to 1 in Cargo.toml via. [profile.dev]. MemorySanitizer and ThreadSanitizer are not included when testing. See rust-san for more information.

orion is also tested with targets:

  • thumbv7em-none-eabihf (to ensure building as no_std works)
  • i686-unknown-linux-gnu (32-bit)
  • x86_64-apple-darwin (OSX)
  • mips64-unknown-linux-gnuabi64 (Big-endian)
  • i686-pc-windows-msvc (Windows, Visual Studio 2017)
  • x86_64-pc-windows-msvc (Windows, Visual Studio 2017)
  • wasm32-unknown-unknown (WebAssembly)

On stable Rust, cargo-audit is used to check for dependencies with reported vulnerabilities.

Automated code coverage is provided by tarpaulin and Codecov.

Official test vectors:

Custom test vectors:

  • PBKDF2: These test vectors have been generated with the cryptography.io Python package. More information here.
  • HKDF: Test vectors from here. Other test vectors from here.

Other test vectors:

Fuzzing

orion is fuzzed using honggfuzz-rs in orion-fuzz.

Fuzzing is done both to detect unwanted behavior but also verify results. Below is a list of other libraries that are used to cross-check the results that orion produces:

Testing for timing-based side-channel vulnerabilities

orion is tested in CI, to ensure that relevant parts execute in constant-time. These tests use dudect and can be found in orion-dudect. orion is also tested for constant-time execution with WASM at orion-sidefuzz.

Clone this wiki locally