Merge pull request #369 from h2o/gfx/ci-asan
[CI] introduce GitHub Actions as CI with ASan & UBSan builds, retiring Travis CI
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..65c1e95
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,76 @@
+name: CI
+
+on: [push, pull_request]
+
+jobs:
+ linux:
+ name: "${{ matrix.name }}"
+ runs-on: [ubuntu-20.04]
+
+ # We want to run on external PRs, but not on our own internal PRs as they'll be run
+ # by the push to the branch.
+ if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - name: "Linux / OpenSSL 1.1.0"
+ command: make -f misc/docker-ci.mk CMAKE_ARGS='-DOPENSSL_ROOT_DIR=-DOPENSSL_ROOT_DIR=/opt/openssl-1.1.0' CONTAINER_NAME='h2oserver/h2o-ci:ubuntu1604'
+ - name: "Linux / OpenSSL 1.1.1"
+ command: make -f misc/docker-ci.mk
+ - name: "Linux / OpenSSL 1.1.1 + ASan & UBSan"
+ command: make -f misc/docker-ci.mk CMAKE_ARGS='"-DCMAKE_C_COMPILER=clang;-fsanitize=address,undefined" "-DCMAKE_CXX_COMPILER=clang++;-fsanitize=address,undefined"' CHECK_ENVS="ASAN_OPTIONS=detect_leaks=0 UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1"
+
+ timeout-minutes: 10
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ submodules: recursive
+ - name: Run with Docker
+ shell: 'script -q -e -c "bash -xe {0}"'
+ run: |
+ chmod -R ugo+w .
+ ${{ matrix.command }}
+ macos:
+ name: "${{ matrix.name }}"
+ runs-on: [macos-latest]
+ # We want to run on external PRs, but not on our own internal PRs as they'll be run
+ # by the push to the branch.
+ if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - name: "macOS / OpenSSL 3.x"
+ openssl: openssl@3
+ - name: "macOS / OpenSSL 1.1.x"
+ openssl: openssl@1.1
+ - name: "macOS / LibreSSL"
+ openssl: libressl
+
+ timeout-minutes: 20
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ submodules: recursive
+
+ - name: Install Dependencies
+ env:
+ OPENSSL: ${{ matrix.openssl }}
+ run: |
+ brew install perl libfaketime ${OPENSSL}
+ perl -v
+ curl -sSfL https://cpanmin.us | perl - -v --notest Scope::Guard Test::TCP
+
+ - name: Build
+ env:
+ OPENSSL: ${{ matrix.openssl }}
+ run: |
+ set -xe
+ mkdir -p build
+ cd build
+ cmake .. -DOPENSSL_ROOT_DIR="$(brew --prefix ${OPENSSL})"
+ make all VERBOSE=1
+ make check
diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644
index 2a9d1c6..0000000
--- a/.travis.yml
+++ /dev/null
@@ -1,71 +0,0 @@
-language: c
-dist: xenial
-sudo: required
-
-matrix:
- include:
- - name: Linux (gcc)
- os: linux
- dist: focal
- compiler: gcc
- before_install: &bs_linux
- - sudo apt-get install faketime libscope-guard-perl libtest-tcp-perl
- - name: Linux (clang)
- os: linux
- dist: focal
- compiler: clang
- before_install: *bs_linux
- - name: Linux (OpenSSL 1.1.0)
- os: linux
- before_install:
- - sudo apt-get install faketime libscope-guard-perl libtest-tcp-perl
- - curl https://www.openssl.org/source/old/1.1.0/openssl-1.1.0l.tar.gz | tar xzf -
- - cd openssl-1.1.0l
- - ./config --prefix=/usr/local/openssl-1.1.0
- - make
- - sudo make install
- - cd ..
- env:
- - PKG_CONFIG_PATH=/usr/local/openssl-1.1.0/lib/pkgconfig
- - name: Linux (OpenSSL 1.0.2)
- os: linux
- before_install:
- - sudo apt-get install faketime libscope-guard-perl libtest-tcp-perl
- - curl https://www.openssl.org/source/old/1.0.2/openssl-1.0.2u.tar.gz | tar xzf -
- - cd openssl-1.0.2u
- - ./config --prefix=/usr/local/openssl-1.0.2
- - make
- - sudo make install
- - cd ..
- env:
- - PKG_CONFIG_PATH=/usr/local/openssl-1.0.2/lib/pkgconfig
- - name: Linux (libressl 3.2)
- os: linux
- before_install:
- - sudo apt-get install faketime libscope-guard-perl libtest-tcp-perl
- - curl https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.5.tar.gz | tar xzf -
- - cd libressl-3.2.5
- - ./configure --prefix=/usr/local/libressl-3.2
- - make
- - sudo make install
- - cd ..
- env:
- - PKG_CONFIG_PATH=/usr/local/libressl-3.2/lib/pkgconfig
- - name: macOS (Xcode)
- os: osx
- addons: &addons_macos
- homebrew:
- packages:
- - libfaketime
- - openssl
- env:
- - CMAKE_OPTS=" -DOPENSSL_ROOT_DIR=/usr/local/opt/openssl/"
- before_install: &bs_macos
- - curl -L https://cpanmin.us | sudo perl - App::cpanminus
- - sudo cpanm --notest Scope::Guard
- - sudo cpanm --notest Test::TCP
-
-script:
- - cmake ${CMAKE_OPTS} .
- - make all
- - make check
diff --git a/CMakeLists.txt b/CMakeLists.txt
index d1d6c09..6ef9125 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -151,7 +151,7 @@
ADD_DEPENDENCIES(test-fusion.t generate-picotls-probes)
ENDIF ()
SET(TEST_EXES ${TEST_EXES} test-fusion.t)
-
+
LIST(APPEND PTLSBENCH_LIBS picotls-fusion)
ENDIF ()
diff --git a/README.md b/README.md
index d7c5dbc..c8e3ef8 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
picotls
===
-[](https://travis-ci.org/h2o/picotls)
+[](https://github.com/h2o/picotls/actions/workflows/ci.yml)
Picotls is a [TLS 1.3 (RFC 8446)](https://tools.ietf.org/html/rfc8446) protocol stack written in C, with the following features:
* support for three crypto engines
diff --git a/deps/cifra/src/bitops.h b/deps/cifra/src/bitops.h
index f2ca308..a1c1e7d 100644
--- a/deps/cifra/src/bitops.h
+++ b/deps/cifra/src/bitops.h
@@ -55,19 +55,19 @@
/** Read 4 bytes from buf, as a 32-bit big endian quantity. */
static inline uint32_t read32_be(const uint8_t buf[4])
{
- return (buf[0] << 24) |
- (buf[1] << 16) |
- (buf[2] << 8) |
- (buf[3]);
+ return ((uint32_t)buf[0] << 24) |
+ ((uint32_t)buf[1] << 16) |
+ ((uint32_t)buf[2] << 8) |
+ ((uint32_t)buf[3]);
}
/** Read 4 bytes from buf, as a 32-bit little endian quantity. */
static inline uint32_t read32_le(const uint8_t buf[4])
{
- return (buf[3] << 24) |
- (buf[2] << 16) |
- (buf[1] << 8) |
- (buf[0]);
+ return ((uint32_t)buf[3] << 24) |
+ ((uint32_t)buf[2] << 16) |
+ ((uint32_t)buf[1] << 8) |
+ ((uint32_t)buf[0]);
}
/** Read 8 bytes from buf, as a 64-bit big endian quantity. */
diff --git a/deps/cifra/src/curve25519.tweetnacl.c b/deps/cifra/src/curve25519.tweetnacl.c
index c98c107..f028f67 100644
--- a/deps/cifra/src/curve25519.tweetnacl.c
+++ b/deps/cifra/src/curve25519.tweetnacl.c
@@ -53,7 +53,7 @@
o[i] += (1LL << 16);
c = o[i] >> 16;
o[(i + 1) * (i < 15)] += c - 1 + 37 * (c - 1) * (i == 15);
- o[i] -= c << 16;
+ o[i] -= (int64_t)((uint64_t)c << 16);
}
}
@@ -78,7 +78,7 @@
car25519(t);
car25519(t);
car25519(t);
-
+
for(j = 0; j < 2; j++)
{
m[0] = t[0] - 0xffed;
@@ -157,7 +157,7 @@
int a;
for (a = 0; a < 16; a++)
c[a] = i[a];
-
+
for (a = 253; a >= 0; a--)
{
sqr(c, c);
@@ -182,7 +182,7 @@
z[i] = n[i];
z[31] = (n[31] & 127) | 64;
z[0] &= 248;
-
+
unpack25519(x, p);
for(i = 0; i < 16; i++)
diff --git a/deps/cifra/src/gf128.c b/deps/cifra/src/gf128.c
index f7ea834..d438d13 100644
--- a/deps/cifra/src/gf128.c
+++ b/deps/cifra/src/gf128.c
@@ -45,7 +45,7 @@
inword = in[2]; out[2] = (inword << 1) | borrow; borrow = inword >> 31;
inword = in[1]; out[1] = (inword << 1) | borrow; borrow = inword >> 31;
inword = in[0]; out[0] = (inword << 1) | borrow; borrow = inword >> 31;
-
+
#if CF_CACHE_SIDE_CHANNEL_PROTECTION
out[3] ^= select_u8(borrow, table, 2);
#else
@@ -66,9 +66,9 @@
inword = in[3]; out[3] = (inword >> 1) | (borrow << 31); borrow = inword & 1;
#if CF_CACHE_SIDE_CHANNEL_PROTECTION
- out[0] ^= select_u8(borrow, table, 2) << 24;
+ out[0] ^= (uint32_t)select_u8(borrow, table, 2) << 24;
#else
- out[0] ^= table[borrow] << 24;
+ out[0] ^= (uint32_t)table[borrow] << 24;
#endif
}
@@ -87,9 +87,9 @@
#if CF_TIME_SIDE_CHANNEL_PROTECTION
cf_gf128 zero = { 0 };
#endif
-
+
/* Z_0 = 0^128
- * V_0 = Y */
+ * V_0 = Y */
cf_gf128 Z, V;
memset(Z, 0, sizeof Z);
memcpy(V, y, sizeof V);
diff --git a/lib/fusion.c b/lib/fusion.c
index d6562b4..e77e8ba 100644
--- a/lib/fusion.c
+++ b/lib/fusion.c
@@ -203,6 +203,13 @@
0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80}; // latter 15 bytes map to zero
+#if defined(__clang__)
+#if __has_feature(address_sanitizer)
+__attribute__((no_sanitize("address")))
+#endif
+#elif __SANITIZE_ADDRESS__ /* gcc */
+__attribute__((no_sanitize_address))
+#endif
static inline __m128i loadn(const void *p, size_t l)
{
__m128i v, mask = _mm_loadu_si128((__m128i *)(loadn_mask + 16 - l));
diff --git a/misc/docker-ci.mk b/misc/docker-ci.mk
new file mode 100644
index 0000000..9c543f0
--- /dev/null
+++ b/misc/docker-ci.mk
@@ -0,0 +1,23 @@
+CONTAINER_NAME=h2oserver/h2o-ci:ubuntu2004
+SRC_DIR=/picotls
+CI_MK=$(SRC_DIR)/misc/docker-ci.mk
+CMAKE_ARGS=
+DOCKER_RUN_OPTS=--privileged \
+ -v `pwd`:$(SRC_DIR) \
+ -it
+
+ALL:
+ docker run $(DOCKER_RUN_OPTS) $(CONTAINER_NAME) make -f $(CI_MK) _check CMAKE_ARGS='$(CMAKE_ARGS)' CHECK_ENVS='$(CHECK_ENVS)'
+
+_check:
+ uname -a
+ mkdir -p build
+ sudo mount -t tmpfs tmpfs build -o size=3G
+ sudo chown -R ci:ci build
+ sudo chmod 0755 build
+ $(MAKE) -f $(CI_MK) -C build _do-check CMAKE_ARGS='$(CMAKE_ARGS)' CHECK_ENVS='$(CHECK_ENVS)'
+
+_do-check:
+ cmake $(CMAKE_ARGS) "-H$(SRC_DIR)" -B.
+ make all VERBOSE=1
+ env $(CHECK_ENVS) make check
diff --git a/t/e2e.t b/t/e2e.t
index ada3109..bb92c6d 100755
--- a/t/e2e.t
+++ b/t/e2e.t
@@ -1,4 +1,4 @@
-#! /usr/bin/perl
+#! /usr/bin/env perl
use strict;
use warnings;
diff --git a/t/fusion.c b/t/fusion.c
index f9c61bb..4c79153 100644
--- a/t/fusion.c
+++ b/t/fusion.c
@@ -338,4 +338,4 @@
subtest("generated-256-iv96", test_generated_aes256_iv96);
return done_testing();
-}
\ No newline at end of file
+}
