author | Tim Rühsen <tim.ruehsen@gmx.de> | 2020-01-03 15:43:55 +0000 |
---|---|---|
committer | Tim Rühsen <tim.ruehsen@gmx.de> | 2020-01-03 15:43:55 +0000 |
commit | 804ad24633c74088d21c8b9aa40d210c0aabc9f5 (patch) | |
tree | 5fb36e18c157461cd2ac7dc0d444d85ff76abed4 | |
parent | 55cf9d1d0477378576c20a7f416a12826ed9694c (diff) | |
parent | 1abc198689eb645fddd1ffffe5e795d86b45825d (diff) | |
download | gnutls-804ad24633c74088d21c8b9aa40d210c0aabc9f5.tar.gz |
Merge branch 'tmp-check-fuzz' into 'master'
UB+ASAN: Fail tests if UB detected
Closes #882 and #878
See merge request gnutls/gnutls!1136
-rw-r--r-- | .gitlab-ci.yml | 64 | ||||
-rw-r--r-- | fuzz/gnutls_client_rawpk_fuzzer.c | 7 | ||||
-rw-r--r-- | fuzz/gnutls_server_rawpk_fuzzer.c | 7 | ||||
-rw-r--r-- | lib/ext/status_request.c | 2 | ||||
-rw-r--r-- | lib/handshake.c | 1 | ||||
-rw-r--r-- | lib/hello_ext.c | 2 | ||||
-rw-r--r-- | lib/hello_ext.h | 4 | ||||
-rw-r--r-- | lib/iov.c | 6 | ||||
-rw-r--r-- | lib/nettle/rnd-fuzzer.c | 2 | ||||
-rw-r--r-- | lib/x509/verify-high.c | 20 | ||||
-rw-r--r-- | src/certtool-cfg.c | 3 | ||||
-rwxr-xr-x | tests/cert-reencoding.sh | 10 | ||||
-rwxr-xr-x | tests/ocsp-tests/ocsp-load-chain | 10 | ||||
-rwxr-xr-x | tests/ocsp-tests/ocsp-must-staple-connection | 10 | ||||
-rwxr-xr-x | tests/ocsp-tests/ocsp-test | 10 | ||||
-rwxr-xr-x | tests/ocsp-tests/ocsp-tls-connection | 10 | ||||
-rw-r--r-- | tests/ssl30-cipher-neg.c | 2 | ||||
-rw-r--r-- | tests/ssl30-server-kx-neg.c | 2 |
18 files changed, 73 insertions, 99 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index d1f2a0e395..e75461f65a 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -226,39 +226,6 @@ valgrind.Fedora.x86_64: - tests/*/*.log retry: 1 -# Two runs, one with normal backend and another with pkcs11 trust store -asan.Fedora.x86_64: - stage: stage1-testing - image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD - script: - - SUBMODULE_NOFETCH=1 ./bootstrap - - CFLAGS="-fsanitize=address -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libasan" - dash ./configure --disable-gcc-warnings --disable-doc --cache-file cache/config.cache --disable-non-suiteb-curves --disable-guile - - make -j$(nproc) - - LSAN_OPTIONS="suppressions=$(pwd)/devel/lsan.supp" make check -j$(nproc) - - LSAN_OPTIONS="suppressions=$(pwd)/devel/lsan.supp" make -C fuzz check -j$(nproc) GNUTLS_CPUID_OVERRIDE=0x1 - - LSAN_OPTIONS="suppressions=$(pwd)/devel/lsan.supp" make -C fuzz check -j$(nproc) GNUTLS_CPUID_OVERRIDE=0x2 - - LSAN_OPTIONS="suppressions=$(pwd)/devel/lsan.supp" make -C fuzz check -j$(nproc) GNUTLS_CPUID_OVERRIDE=0x4 - - LSAN_OPTIONS="suppressions=$(pwd)/devel/lsan.supp" make -C fuzz check -j$(nproc) GNUTLS_CPUID_OVERRIDE=0x8 - - CFLAGS="-fsanitize=address -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libasan" - dash ./configure --cache-file cache/config.cache --disable-doc --with-system-priority-file=/etc/crypto-policies/back-ends/gnutls.config --with-default-priority-string=@SYSTEM --with-default-trust-store-pkcs11="pkcs11:" --disable-guile - - make -j$(nproc) - - make -C tests check -j$(nproc) TESTS="trust-store p11-kit-load.sh priority-init2 set-default-prio" SUBDIRS=. - tags: - - shared - except: - - tags - artifacts: - expire_in: 1 week - when: on_failure - paths: - - ./*.log - - fuzz/*.log - - tests/*.log - - tests/*/*.log - - tests/suite/*/*.log - retry: 1 - threadsan.Fedora.x86_64: stage: stage1-testing image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD 
@@ -475,26 +442,30 @@ FreeBSD.x86_64: retry: 1 # Two runs, one with normal backend and another with pkcs11 trust store -ubsan-Werror.Fedora.x86_64: +UB+ASAN-Werror.Fedora.x86_64.gcc: stage: stage1-testing image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD script: - ./bootstrap - - CFLAGS="-std=c99 -fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libubsan" dash ./configure - --cache-file cache/config.cache --disable-non-suiteb-curves --disable-guile --disable-full-test-suite --disable-doc - - grep "^LIBS=''" config.log || false - - make -j$(nproc) -C gl - - make -j$(nproc) -C lib CFLAGS="-Werror -O2 -g -Wimplicit-fallthrough=2" - - make -j$(nproc) -C libdane CFLAGS="-Werror -O2 -g -Wimplicit-fallthrough=2" - - make -j$(nproc) -C src/gl - - make -j$(nproc) -C src CFLAGS="-Werror -O2 -g -fsanitize=undefined -Wno-error=parentheses -Wno-error=unused-macros -Wimplicit-fallthrough=2 -Wno-duplicated-branches" + - export UBSAN_OPTIONS=print_stacktrace=1 + - export LSAN_OPTIONS=suppressions=$(pwd)/devel/lsan.supp + - export CFLAGS="-std=c99 -O1 -g -Wno-cpp -Werror -fno-omit-frame-pointer -fsanitize=undefined,bool,alignment,null,enum,bounds-strict,address,leak,nonnull-attribute -fno-sanitize-recover=all -fsanitize-address-use-after-scope" + - export CXXFLAGS="$CFLAGS" + - dash ./configure --cache-file cache/config.cache --disable-guile --disable-doc --disable-hardware-acceleration + - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile - make -j$(nproc) - - make check -j$(nproc) - - CFLAGS="-std=c99 -fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libubsan" dash ./configure - --cache-file cache/config.cache --disable-non-suiteb-curves --disable-guile --disable-doc --disable-full-test-suite 
--with-default-trust-store-pkcs11="pkcs11:" + - make check -j$(nproc) -C fuzz + - make check -j$(nproc) -C fuzz GNUTLS_CPUID_OVERRIDE=0x1 + - make check -j$(nproc) -C fuzz GNUTLS_CPUID_OVERRIDE=0x2 + - make check -j$(nproc) -C fuzz GNUTLS_CPUID_OVERRIDE=0x4 + - make check -j$(nproc) -C fuzz GNUTLS_CPUID_OVERRIDE=0x8 + - make check -j$(nproc) -C fuzz GNUTLS_CPUID_OVERRIDE=0x20 + - make check -j$(nproc) -C tests + - dash ./configure --cache-file cache/config.cache --disable-guile --disable-doc --disable-hardware-acceleration --with-default-trust-store-pkcs11="pkcs11:" --with-system-priority-file=/etc/crypto-policies/back-ends/gnutls.config --with-default-priority-string=@SYSTEM - make clean + - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile - make -j$(nproc) - - make -C tests check -j$(nproc) TESTS="trust-store p11-kit-load.sh" SUBDIRS=. + - make check -j$(nproc) -C tests TESTS="trust-store p11-kit-load.sh priority-init2 set-default-prio" SUBDIRS=. tags: - shared except: @@ -505,6 +476,7 @@ ubsan-Werror.Fedora.x86_64: paths: - guile/tests/*.log - ./*.log + - fuzz/*.log - tests/*.log - tests/*/*.log - tests/suite/*/*.log diff --git a/fuzz/gnutls_client_rawpk_fuzzer.c b/fuzz/gnutls_client_rawpk_fuzzer.c index c7208b0d1c..af4336363a 100644 --- a/fuzz/gnutls_client_rawpk_fuzzer.c +++ b/fuzz/gnutls_client_rawpk_fuzzer.c @@ -54,6 +54,13 @@ int LLVMFuzzerTestOneInput(const uint8_t * data, size_t size) { + (void) kEd25519PrivateKeyDER; + (void) kEd25519CertificateDER; + (void) kECDSAPrivateKeyDER; + (void) kECDSACertificateDER; + (void) kRSAPrivateKeyDER; + (void) kRSACertificateDER; + int res; gnutls_session_t session; gnutls_certificate_credentials_t rawpk_cred; diff --git a/fuzz/gnutls_server_rawpk_fuzzer.c b/fuzz/gnutls_server_rawpk_fuzzer.c index 12b6502e47..854f5872fe 100644 --- a/fuzz/gnutls_server_rawpk_fuzzer.c +++ b/fuzz/gnutls_server_rawpk_fuzzer.c 
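Review bot: The new `UB+ASAN-Werror.Fedora.x86_64.gcc` job configures with `--disable-hardware-acceleration` but still repeats `make check -C fuzz` under `GNUTLS_CPUID_OVERRIDE=0x1` to `0x20`. If that switch compiles out the accelerated back-ends, as its name suggests, the five override runs all exercise the same generic code. The removed `asan.Fedora.x86_64` job ran those overrides without the flag, so sanitizer coverage of the CPU-specific paths would be lost. Either drop the flag for the fuzz runs or add a comment in the job explaining why accelerated code is excluded from sanitizer builds. Separately, `sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile` edits a generated file and exits successfully even when nothing matches, so a one-line comment naming the warning it works around would help whoever later retires it.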
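Review bot: The six `(void) k…DER;` statements at the top of `LLVMFuzzerTestOneInput` carry no explanation, and the same block is repeated in the `fuzz/gnutls_server_rawpk_fuzzer.c` hunk. They look like a way to keep the new `-Werror` build quiet about key and certificate arrays that the raw-public-key fuzzers never load. A comment such as `/* shared key/cert arrays are unused by the rawpk fuzzers; reference them so -Werror builds pass */` would record that. If the arrays come from a shared header, marking them unused there once would avoid repeating the list in every fuzzer. The function body continues outside the hunk.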
@@ -50,6 +50,13 @@ int LLVMFuzzerTestOneInput(const uint8_t * data, size_t size) { + (void) kEd25519PrivateKeyDER; + (void) kEd25519CertificateDER; + (void) kECDSAPrivateKeyDER; + (void) kECDSACertificateDER; + (void) kRSAPrivateKeyDER; + (void) kRSACertificateDER; + int res; gnutls_session_t session; gnutls_certificate_credentials_t rawpk_cred; diff --git a/lib/ext/status_request.c b/lib/ext/status_request.c index 2b36308b71..8053b3b4ba 100644 --- a/lib/ext/status_request.c +++ b/lib/ext/status_request.c @@ -114,7 +114,7 @@ server_recv(gnutls_session_t session, /* sanity check only, we don't use any of the data below */ - if (data_size < (ssize_t)rid_bytes) + if (data_size < rid_bytes) return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); diff --git a/lib/handshake.c b/lib/handshake.c index ea48c93b88..5739df213e 100644 --- a/lib/handshake.c +++ b/lib/handshake.c @@ -992,6 +992,7 @@ int _gnutls_recv_finished(gnutls_session_t session) #if defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION) /* When fuzzying allow to proceed without verifying the handshake * consistency */ + (void) vrfy; # warning This is unsafe for production builds #else diff --git a/lib/hello_ext.c b/lib/hello_ext.c index 33eaa27b10..0c6c0dca01 100644 --- a/lib/hello_ext.c +++ b/lib/hello_ext.c @@ -520,7 +520,7 @@ int _gnutls_hello_ext_pack(gnutls_session_t session, gnutls_buffer_st *packed) BUFFER_APPEND_NUM(packed, 0); for (i = 0; i <= GNUTLS_EXTENSION_MAX_VALUE; i++) { - if (session->internals.used_exts & (1<<i)) { + if (session->internals.used_exts & (1U << i)) { ext = gid_to_ext_entry(session, i); if (ext == NULL) diff --git a/lib/hello_ext.h b/lib/hello_ext.h index f2dfd7ff6a..38b28ae069 100644 --- a/lib/hello_ext.h +++ b/lib/hello_ext.h 
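Review bot: Dropping the `(ssize_t)` cast in `if (data_size < rid_bytes)` makes this length check depend on the declared types of `data_size` and `rid_bytes`, and neither declaration is visible in the hunk. If `data_size` is signed and `rid_bytes` unsigned, the usual arithmetic conversions can turn a negative `data_size` into a large unsigned value, and the check then passes when it should reject. If both are unsigned, the new form is the correct one. Because this is the sanity check on a length taken from the received status_request data, a short comment next to it, e.g. `/* both operands are unsigned here, so no cast is needed */`, would keep a later type change from quietly weakening it. `server_recv` begins and ends outside the hunk.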
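Review bot: `1U << i` removes the signed shift into bit 31, but the shift is still undefined once the index reaches the width of `unsigned`. Both the loop bound `i <= GNUTLS_EXTENSION_MAX_VALUE` and the type of `session->internals.used_exts` are defined outside this diff. The same expression is used in `_gnutls_hello_ext_is_present` and `_gnutls_hello_ext_save` in the two `lib/hello_ext.h` hunks. Building the mask from a constant of the bitmap's own type, or adding a compile-time check that `GNUTLS_EXTENSION_MAX_VALUE` is below the bit width of `used_exts`, would keep all three sites correct if the extension table grows or the field is widened. At minimum, add a comment such as `/* id must stay below the bit width of used_exts */` next to each shift.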
@@ -160,7 +160,7 @@ typedef struct hello_ext_entry_st { inline static unsigned _gnutls_hello_ext_is_present(gnutls_session_t session, extensions_t id) { - if ((1 << id) & session->internals.used_exts) + if (session->internals.used_exts & (1U << id)) return 1; return 0; @@ -184,7 +184,7 @@ unsigned _gnutls_hello_ext_save(gnutls_session_t session, return 0; } - session->internals.used_exts |= (1 << id); + session->internals.used_exts |= (1U << id); return 1; } @@ -77,6 +77,12 @@ _gnutls_iov_iter_next(struct iov_iter_st *iter, uint8_t **data) size_t len = iov->iov_len; size_t block_left; + if (!p) { + // skip NULL iov entries, else we run into issues below + iter->iov_index++; + continue; + } + if (unlikely(len < iter->iov_offset)) return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); len -= iter->iov_offset; diff --git a/lib/nettle/rnd-fuzzer.c b/lib/nettle/rnd-fuzzer.c index c5ab90fb43..821eebc4ba 100644 --- a/lib/nettle/rnd-fuzzer.c +++ b/lib/nettle/rnd-fuzzer.c @@ -77,6 +77,8 @@ __r48_rand_iterate(unsigned short int xsubi[3], struct r48_rand_data *buffer) #ifdef __clang__ __attribute__((no_sanitize("integer"))) +#elif defined __GNUC__ +__attribute__((no_sanitize("shift-base"))) #endif static int r48_r(unsigned short int xsubi[3], struct r48_rand_data *buffer, diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c index 5515d54ff9..b1421ef17a 100644 --- a/lib/x509/verify-high.c +++ b/lib/x509/verify-high.c @@ -274,7 +274,7 @@ gnutls_x509_trust_list_add_cas(gnutls_x509_trust_list_t list, unsigned clist_size, unsigned int flags) { unsigned i, j; - uint32_t hash; + size_t hash; int ret; unsigned exists; @@ -565,7 +565,7 @@ gnutls_x509_trust_list_remove_cas(gnutls_x509_trust_list_t list, { int r = 0; unsigned j, i; - uint32_t hash; + size_t hash; for (i = 0; i < clist_size; i++) { hash = 
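Review bot: The new `if (!p)` branch in `_gnutls_iov_iter_next` skips the entry without looking at `len`, so an element with a NULL base and a non-zero `iov_len` is silently dropped rather than reported as a caller error. Consider rejecting that case before the skip, e.g. `if (len != 0) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);`, or say in the comment that such entries are deliberately ignored. The comment "else we run into issues below" would be more useful if it named the issue, presumably offsetting or reading through the NULL base, which the sanitizer build reports. Something like `/* skip NULL iov entries; offsetting a NULL base below is undefined */` would do. The loop this branch sits in starts outside the hunk.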
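Review bot: Widening `hash` from `uint32_t` to `size_t` changes which bucket `hash %= list->size` selects on 64-bit builds whenever `hash_pjw_bare()` returns a value that does not fit in 32 bits (assuming it returns `size_t`). Every site that inserts into or looks up the trust list therefore has to make the same change. This commit converts ten declarations in `lib/x509/verify-high.c`, in this hunk and the nine after it. Any site left on `uint32_t`, here or in another file that indexes the same table, would search a different bucket from the one an entry was stored in, and a CA, CRL or named certificate could be missed during verification or removal. Please confirm none remain, and consider a single static helper that returns the bucket index so the type is fixed in one place; the function bodies are outside the hunks.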
@@ -644,7 +644,7 @@ gnutls_x509_trust_list_add_named_crt(gnutls_x509_trust_list_t list, const void *name, size_t name_size, unsigned int flags) { - uint32_t hash; + size_t hash; if (name_size >= MAX_SERVER_NAME_SIZE) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); @@ -712,7 +712,7 @@ gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list, int ret; unsigned x, i, j = 0; unsigned int vret = 0; - uint32_t hash; + size_t hash; gnutls_x509_crl_t *tmp; /* Probably we can optimize things such as removing duplicates @@ -806,7 +806,7 @@ static int shorten_clist(gnutls_x509_trust_list_t list, unsigned int clist_size) { unsigned int j, i; - uint32_t hash; + size_t hash; if (clist_size > 1) { /* Check if the last certificate in the path is self signed. @@ -859,7 +859,7 @@ int trust_list_get_issuer(gnutls_x509_trust_list_t list, { int ret; unsigned int i; - uint32_t hash; + size_t hash; hash = hash_pjw_bare(cert->raw_issuer_dn.data, @@ -893,7 +893,7 @@ int trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list, { int ret; unsigned int i, j; - uint32_t hash; + size_t hash; uint8_t tmp[256]; size_t tmp_size; @@ -1257,7 +1257,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, { int ret; unsigned int i; - uint32_t hash; + size_t hash; gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH]; const char *hostname = NULL, *purpose = NULL, *email = NULL; unsigned hostname_size = 0; @@ -1501,7 +1501,7 @@ gnutls_x509_trust_list_verify_named_crt(gnutls_x509_trust_list_t list, { int ret; unsigned int i; - uint32_t hash; + size_t hash; hash = @@ -1558,7 +1558,7 @@ _gnutls_trustlist_inlist(gnutls_x509_trust_list_t list, { int ret; unsigned int i; - uint32_t hash; + size_t hash; hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size); hash %= list->size; diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c index 75e1e57c54..fbbb4c6ab9 100644 --- a/src/certtool-cfg.c +++ b/src/certtool-cfg.c 
@@ -1880,10 +1880,11 @@ int get_tls_server_status(void) /* convert a printable IP to binary */ static int string_to_ip(unsigned char *ip, const char *str) { - int len = strlen(str); int ret; #if HAVE_IPV6 + int len = strlen(str); + if (strchr(str, ':') != NULL || len > 16) { /* IPv6 */ ret = inet_pton(AF_INET6, str, ip); if (ret <= 0) { diff --git a/tests/cert-reencoding.sh b/tests/cert-reencoding.sh index d61ec74028..aadd6fd1bd 100755 --- a/tests/cert-reencoding.sh +++ b/tests/cert-reencoding.sh @@ -57,6 +57,8 @@ export TZ="UTC" . "${srcdir}/scripts/common.sh" +check_for_datefudge + eval "${GETPORT}" # Port for gnutls-serv TLS_SERVER_PORT=$PORT @@ -72,14 +74,6 @@ if ! test -x "${OPENSSL}"; then exit 77 fi -# Check for datefudge -TSTAMP=`datefudge "2006-09-23" date -u +%s || true` -if test "$TSTAMP" != "1158969600"; then - echo $TSTAMP - echo "You need datefudge to run this test." - exit 77 -fi - SERVER_PID="" TLS_SERVER_PID="" stop_servers () diff --git a/tests/ocsp-tests/ocsp-load-chain b/tests/ocsp-tests/ocsp-load-chain index 73bb4209d8..04de48f7ed 100755 --- a/tests/ocsp-tests/ocsp-load-chain +++ b/tests/ocsp-tests/ocsp-load-chain @@ -29,13 +29,9 @@ fi export TZ="UTC" -# Check for datefudge -TSTAMP=`datefudge "2006-09-23" date -u +%s || true` -if test "$TSTAMP" != "1158969600"; then - echo $TSTAMP - echo "You need datefudge to run this test" - exit 77 -fi +. "${srcdir}/scripts/common.sh" + +check_for_datefudge datefudge -s "2017-06-19" \ "${OCSPTOOL}" -e --load-chain "${srcdir}/ocsp-tests/certs/chain-amazon.com.pem" --infile "${srcdir}/ocsp-tests/certs/ocsp-amazon.com.der" --verify-allow-broken diff --git a/tests/ocsp-tests/ocsp-must-staple-connection b/tests/ocsp-tests/ocsp-must-staple-connection index 111c287a4c..490cc032f0 100755 --- a/tests/ocsp-tests/ocsp-must-staple-connection +++ b/tests/ocsp-tests/ocsp-must-staple-connection 
@@ -53,6 +53,8 @@ fi . "${srcdir}/scripts/common.sh" +check_for_datefudge + eval "${GETPORT}" # Port for gnutls-serv TLS_SERVER_PORT=$PORT @@ -72,14 +74,6 @@ if ! test -x "${OPENSSL}"; then exit 77 fi -# Check for datefudge -TSTAMP=`datefudge "2006-09-23" date -u +%s || true` -if test "$TSTAMP" != "1158969600"; then - echo $TSTAMP - echo "You need datefudge to run this test." - exit 77 -fi - CERTDATE="2016-04-28" TESTDATE="2016-04-29" EXP_OCSP_DATE="2016-03-27" diff --git a/tests/ocsp-tests/ocsp-test b/tests/ocsp-tests/ocsp-test index f481e13131..3730175208 100755 --- a/tests/ocsp-tests/ocsp-test +++ b/tests/ocsp-tests/ocsp-test @@ -30,13 +30,9 @@ fi export TZ="UTC" -# Check for datefudge -TSTAMP=`datefudge "2006-09-23" date -u +%s || true` -if test "$TSTAMP" != "1158969600"; then - echo $TSTAMP - echo "You need datefudge to run this test" - exit 77 -fi +. "${srcdir}/scripts/common.sh" + +check_for_datefudge # Note that in rare cases this test may fail because the # time set using datefudge could have changed since the generation diff --git a/tests/ocsp-tests/ocsp-tls-connection b/tests/ocsp-tests/ocsp-tls-connection index 4b1e3025c7..bcc77ec2d9 100755 --- a/tests/ocsp-tests/ocsp-tls-connection +++ b/tests/ocsp-tests/ocsp-tls-connection @@ -54,6 +54,8 @@ export TZ="UTC" . "${srcdir}/scripts/common.sh" +check_for_datefudge + eval "${GETPORT}" # Port for gnutls-serv TLS_SERVER_PORT=$PORT @@ -73,14 +75,6 @@ if ! test -x "${OPENSSL}"; then exit 77 fi -# Check for datefudge -TSTAMP=`datefudge "2006-09-23" date -u +%s || true` -if test "$TSTAMP" != "1158969600"; then - echo $TSTAMP - echo "You need datefudge to run this test." - exit 77 -fi - CERTDATE="2016-04-28" TESTDATE="2016-04-29" diff --git a/tests/ssl30-cipher-neg.c b/tests/ssl30-cipher-neg.c index a438f4b7ea..745be43e0c 100644 --- a/tests/ssl30-cipher-neg.c +++ b/tests/ssl30-cipher-neg.c @@ -118,6 +118,8 @@ test_case_st tests[] = { void doit(void) { + (void) try; + #ifdef ENABLE_SSL3 unsigned i; global_init(); 
diff --git a/tests/ssl30-server-kx-neg.c b/tests/ssl30-server-kx-neg.c index cdfc1e466c..357cf941ba 100644 --- a/tests/ssl30-server-kx-neg.c +++ b/tests/ssl30-server-kx-neg.c @@ -156,6 +156,8 @@ test_case_st tests[] = { void doit(void) { + (void) try; + #ifdef ENABLE_SSL3 unsigned i; global_init(); |