authorTim Rühsen <tim.ruehsen@gmx.de>2020-01-03 15:43:55 +0000
committerTim Rühsen <tim.ruehsen@gmx.de>2020-01-03 15:43:55 +0000
commit804ad24633c74088d21c8b9aa40d210c0aabc9f5 (patch)
tree5fb36e18c157461cd2ac7dc0d444d85ff76abed4
parent55cf9d1d0477378576c20a7f416a12826ed9694c (diff)
parent1abc198689eb645fddd1ffffe5e795d86b45825d (diff)
downloadgnutls-804ad24633c74088d21c8b9aa40d210c0aabc9f5.tar.gz
Merge branch 'tmp-check-fuzz' into 'master'
UB+ASAN: Fail tests if UB detected Closes #882 and #878 See merge request gnutls/gnutls!1136
-rw-r--r--.gitlab-ci.yml64
-rw-r--r--fuzz/gnutls_client_rawpk_fuzzer.c7
-rw-r--r--fuzz/gnutls_server_rawpk_fuzzer.c7
-rw-r--r--lib/ext/status_request.c2
-rw-r--r--lib/handshake.c1
-rw-r--r--lib/hello_ext.c2
-rw-r--r--lib/hello_ext.h4
-rw-r--r--lib/iov.c6
-rw-r--r--lib/nettle/rnd-fuzzer.c2
-rw-r--r--lib/x509/verify-high.c20
-rw-r--r--src/certtool-cfg.c3
-rwxr-xr-xtests/cert-reencoding.sh10
-rwxr-xr-xtests/ocsp-tests/ocsp-load-chain10
-rwxr-xr-xtests/ocsp-tests/ocsp-must-staple-connection10
-rwxr-xr-xtests/ocsp-tests/ocsp-test10
-rwxr-xr-xtests/ocsp-tests/ocsp-tls-connection10
-rw-r--r--tests/ssl30-cipher-neg.c2
-rw-r--r--tests/ssl30-server-kx-neg.c2
18 files changed, 73 insertions, 99 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index d1f2a0e395..e75461f65a 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -226,39 +226,6 @@ valgrind.Fedora.x86_64:
- tests/*/*.log
retry: 1
-# Two runs, one with normal backend and another with pkcs11 trust store
-asan.Fedora.x86_64:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
- script:
- - SUBMODULE_NOFETCH=1 ./bootstrap
- - CFLAGS="-fsanitize=address -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libasan"
- dash ./configure --disable-gcc-warnings --disable-doc --cache-file cache/config.cache --disable-non-suiteb-curves --disable-guile
- - make -j$(nproc)
- - LSAN_OPTIONS="suppressions=$(pwd)/devel/lsan.supp" make check -j$(nproc)
- - LSAN_OPTIONS="suppressions=$(pwd)/devel/lsan.supp" make -C fuzz check -j$(nproc) GNUTLS_CPUID_OVERRIDE=0x1
- - LSAN_OPTIONS="suppressions=$(pwd)/devel/lsan.supp" make -C fuzz check -j$(nproc) GNUTLS_CPUID_OVERRIDE=0x2
- - LSAN_OPTIONS="suppressions=$(pwd)/devel/lsan.supp" make -C fuzz check -j$(nproc) GNUTLS_CPUID_OVERRIDE=0x4
- - LSAN_OPTIONS="suppressions=$(pwd)/devel/lsan.supp" make -C fuzz check -j$(nproc) GNUTLS_CPUID_OVERRIDE=0x8
- - CFLAGS="-fsanitize=address -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libasan"
- dash ./configure --cache-file cache/config.cache --disable-doc --with-system-priority-file=/etc/crypto-policies/back-ends/gnutls.config --with-default-priority-string=@SYSTEM --with-default-trust-store-pkcs11="pkcs11:" --disable-guile
- - make -j$(nproc)
- - make -C tests check -j$(nproc) TESTS="trust-store p11-kit-load.sh priority-init2 set-default-prio" SUBDIRS=.
- tags:
- - shared
- except:
- - tags
- artifacts:
- expire_in: 1 week
- when: on_failure
- paths:
- - ./*.log
- - fuzz/*.log
- - tests/*.log
- - tests/*/*.log
- - tests/suite/*/*.log
- retry: 1
-
threadsan.Fedora.x86_64:
stage: stage1-testing
image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
@@ -475,26 +442,30 @@ FreeBSD.x86_64:
retry: 1
# Two runs, one with normal backend and another with pkcs11 trust store
-ubsan-Werror.Fedora.x86_64:
+UB+ASAN-Werror.Fedora.x86_64.gcc:
stage: stage1-testing
image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
script:
- ./bootstrap
- - CFLAGS="-std=c99 -fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libubsan" dash ./configure
- --cache-file cache/config.cache --disable-non-suiteb-curves --disable-guile --disable-full-test-suite --disable-doc
- - grep "^LIBS=''" config.log || false
- - make -j$(nproc) -C gl
- - make -j$(nproc) -C lib CFLAGS="-Werror -O2 -g -Wimplicit-fallthrough=2"
- - make -j$(nproc) -C libdane CFLAGS="-Werror -O2 -g -Wimplicit-fallthrough=2"
- - make -j$(nproc) -C src/gl
- - make -j$(nproc) -C src CFLAGS="-Werror -O2 -g -fsanitize=undefined -Wno-error=parentheses -Wno-error=unused-macros -Wimplicit-fallthrough=2 -Wno-duplicated-branches"
+ - export UBSAN_OPTIONS=print_stacktrace=1
+ - export LSAN_OPTIONS=suppressions=$(pwd)/devel/lsan.supp
+ - export CFLAGS="-std=c99 -O1 -g -Wno-cpp -Werror -fno-omit-frame-pointer -fsanitize=undefined,bool,alignment,null,enum,bounds-strict,address,leak,nonnull-attribute -fno-sanitize-recover=all -fsanitize-address-use-after-scope"
+ - export CXXFLAGS="$CFLAGS"
+ - dash ./configure --cache-file cache/config.cache --disable-guile --disable-doc --disable-hardware-acceleration
+ - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile
- make -j$(nproc)
- - make check -j$(nproc)
- - CFLAGS="-std=c99 -fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libubsan" dash ./configure
- --cache-file cache/config.cache --disable-non-suiteb-curves --disable-guile --disable-doc --disable-full-test-suite --with-default-trust-store-pkcs11="pkcs11:"
+ - make check -j$(nproc) -C fuzz
+ - make check -j$(nproc) -C fuzz GNUTLS_CPUID_OVERRIDE=0x1
+ - make check -j$(nproc) -C fuzz GNUTLS_CPUID_OVERRIDE=0x2
+ - make check -j$(nproc) -C fuzz GNUTLS_CPUID_OVERRIDE=0x4
+ - make check -j$(nproc) -C fuzz GNUTLS_CPUID_OVERRIDE=0x8
+ - make check -j$(nproc) -C fuzz GNUTLS_CPUID_OVERRIDE=0x20
+ - make check -j$(nproc) -C tests
+ - dash ./configure --cache-file cache/config.cache --disable-guile --disable-doc --disable-hardware-acceleration --with-default-trust-store-pkcs11="pkcs11:" --with-system-priority-file=/etc/crypto-policies/back-ends/gnutls.config --with-default-priority-string=@SYSTEM
- make clean
+ - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile
- make -j$(nproc)
- - make -C tests check -j$(nproc) TESTS="trust-store p11-kit-load.sh" SUBDIRS=.
+ - make check -j$(nproc) -C tests TESTS="trust-store p11-kit-load.sh priority-init2 set-default-prio" SUBDIRS=.
tags:
- shared
except:
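Review bot: The five `GNUTLS_CPUID_OVERRIDE=0x…` fuzz runs in the new job follow a `./configure … --disable-hardware-acceleration`, so they probably all exercise the same generic code path. If the override is only read by the accelerated backends (not visible on this page), the AddressSanitizer coverage of those paths that the removed asan job provided is lost rather than merged; either drop the flag for the fuzz runs or add a comment saying why the accelerated code is excluded from the sanitizer build. Separately, `sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile` edits a generated file and becomes a silent no-op if the pattern stops matching; passing the flag through `make -C src CFLAGS=...` as the old job did, or a `grep -q -- -Wno-parentheses src/Makefile` after the sed, would make that visible. The job definition continues past the end of this hunk.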
@@ -505,6 +476,7 @@ ubsan-Werror.Fedora.x86_64:
paths:
- guile/tests/*.log
- ./*.log
+ - fuzz/*.log
- tests/*.log
- tests/*/*.log
- tests/suite/*/*.log
diff --git a/fuzz/gnutls_client_rawpk_fuzzer.c b/fuzz/gnutls_client_rawpk_fuzzer.c
index c7208b0d1c..af4336363a 100644
--- a/fuzz/gnutls_client_rawpk_fuzzer.c
+++ b/fuzz/gnutls_client_rawpk_fuzzer.c
@@ -54,6 +54,13 @@
int LLVMFuzzerTestOneInput(const uint8_t * data, size_t size)
{
+ (void) kEd25519PrivateKeyDER;
+ (void) kEd25519CertificateDER;
+ (void) kECDSAPrivateKeyDER;
+ (void) kECDSACertificateDER;
+ (void) kRSAPrivateKeyDER;
+ (void) kRSACertificateDER;
+
int res;
gnutls_session_t session;
gnutls_certificate_credentials_t rawpk_cred;
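Review bot: The six `(void) k…DER;` statements at the top of LLVMFuzzerTestOneInput carry no comment saying what they are for, and they sit ahead of the declarations of `res`, `session` and `rawpk_cred`. Presumably they silence unused-variable warnings for key material this fuzzer does not use, now that the CI build uses `-Werror`; a one-line comment such as `/* not used by this fuzzer; referenced only to keep -Werror builds free of unused-variable warnings */` would record that. Moving them below the declarations would also keep the function declaration-first. The same applies to the identical block in fuzz/gnutls_server_rawpk_fuzzer.c and to `(void) try;` in tests/ssl30-cipher-neg.c and tests/ssl30-server-kx-neg.c; the function bodies continue outside the hunks.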
diff --git a/fuzz/gnutls_server_rawpk_fuzzer.c b/fuzz/gnutls_server_rawpk_fuzzer.c
index 12b6502e47..854f5872fe 100644
--- a/fuzz/gnutls_server_rawpk_fuzzer.c
+++ b/fuzz/gnutls_server_rawpk_fuzzer.c
@@ -50,6 +50,13 @@
int LLVMFuzzerTestOneInput(const uint8_t * data, size_t size)
{
+ (void) kEd25519PrivateKeyDER;
+ (void) kEd25519CertificateDER;
+ (void) kECDSAPrivateKeyDER;
+ (void) kECDSACertificateDER;
+ (void) kRSAPrivateKeyDER;
+ (void) kRSACertificateDER;
+
int res;
gnutls_session_t session;
gnutls_certificate_credentials_t rawpk_cred;
diff --git a/lib/ext/status_request.c b/lib/ext/status_request.c
index 2b36308b71..8053b3b4ba 100644
--- a/lib/ext/status_request.c
+++ b/lib/ext/status_request.c
@@ -114,7 +114,7 @@ server_recv(gnutls_session_t session,
/* sanity check only, we don't use any of the data below */
- if (data_size < (ssize_t)rid_bytes)
+ if (data_size < rid_bytes)
return
gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
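Review bot: With the `(ssize_t)` cast gone, whether `data_size < rid_bytes` is a sound bound check depends on the declared types of both operands, and neither declaration is visible in this hunk. If `data_size` is still a signed type on this path, the usual arithmetic conversions turn a negative value into a large unsigned one and the check passes; if it is now `size_t`, the comparison is fine. A short comment at the check, for example `/* data_size and rid_bytes are both unsigned here */`, or building this file with `-Wsign-compare`, would keep that assumption from regressing. server_recv starts and ends outside the hunk.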
diff --git a/lib/handshake.c b/lib/handshake.c
index ea48c93b88..5739df213e 100644
--- a/lib/handshake.c
+++ b/lib/handshake.c
@@ -992,6 +992,7 @@ int _gnutls_recv_finished(gnutls_session_t session)
#if defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
/* When fuzzying allow to proceed without verifying the handshake
* consistency */
+ (void) vrfy;
# warning This is unsafe for production builds
#else
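Review bot: `(void) vrfy;` is added inside the `FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` branch without saying why; a comment such as `/* vrfy is only used by the verifying branch below */` would help, assuming that is what the `#else` side (outside the hunk) does. The only guard on this branch, which by its own comment proceeds without verifying handshake consistency, is a `# warning`, and the CFLAGS this commit adds in .gitlab-ci.yml include `-Wno-cpp`, which silences `#warning` diagnostics in GCC. If the macro can be defined outside the fuzz targets, nothing in that job would flag it, so it is worth documenting next to this block where the macro is expected to be set.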
diff --git a/lib/hello_ext.c b/lib/hello_ext.c
index 33eaa27b10..0c6c0dca01 100644
--- a/lib/hello_ext.c
+++ b/lib/hello_ext.c
@@ -520,7 +520,7 @@ int _gnutls_hello_ext_pack(gnutls_session_t session, gnutls_buffer_st *packed)
BUFFER_APPEND_NUM(packed, 0);
for (i = 0; i <= GNUTLS_EXTENSION_MAX_VALUE; i++) {
- if (session->internals.used_exts & (1<<i)) {
+ if (session->internals.used_exts & (1U << i)) {
ext = gid_to_ext_entry(session, i);
if (ext == NULL)
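Review bot: `1U << i` removes the signed-shift problem at bit 31 but is still only defined while `i` is smaller than the width of `unsigned int`; the loop bound here is `GNUTLS_EXTENSION_MAX_VALUE`, and neither its value nor the type of `used_exts` is visible in the hunk. If the extension id space ever grows past 31, or `used_exts` becomes a wider field, the shift is undefined or silently drops the high bits. Shifting a `1` cast to the type of `used_exts`, together with a compile-time assertion that `GNUTLS_EXTENSION_MAX_VALUE` is below that type's bit width, would pin the assumption. The same applies to the two `1U << id` sites in lib/hello_ext.h, where `id` is an `extensions_t` supplied by the caller.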
diff --git a/lib/hello_ext.h b/lib/hello_ext.h
index f2dfd7ff6a..38b28ae069 100644
--- a/lib/hello_ext.h
+++ b/lib/hello_ext.h
@@ -160,7 +160,7 @@ typedef struct hello_ext_entry_st {
inline static unsigned
_gnutls_hello_ext_is_present(gnutls_session_t session, extensions_t id)
{
- if ((1 << id) & session->internals.used_exts)
+ if (session->internals.used_exts & (1U << id))
return 1;
return 0;
@@ -184,7 +184,7 @@ unsigned _gnutls_hello_ext_save(gnutls_session_t session,
return 0;
}
- session->internals.used_exts |= (1 << id);
+ session->internals.used_exts |= (1U << id);
return 1;
}
diff --git a/lib/iov.c b/lib/iov.c
index 1cd8d46dd7..d148ac97e4 100644
--- a/lib/iov.c
+++ b/lib/iov.c
@@ -77,6 +77,12 @@ _gnutls_iov_iter_next(struct iov_iter_st *iter, uint8_t **data)
size_t len = iov->iov_len;
size_t block_left;
+ if (!p) {
+ // skip NULL iov entries, else we run into issues below
+ iter->iov_index++;
+ continue;
+ }
+
if (unlikely(len < iter->iov_offset))
return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
len -= iter->iov_offset;
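Review bot: The new `if (!p)` branch skips an entry whenever `p` (presumably `iov->iov_base`, declared outside the hunk) is NULL, including when `iov_len` is non-zero, so a caller that passes a NULL buffer with a length has that entry silently dropped instead of getting an error. Skipping only empty entries and rejecting the rest would be stricter: `if (len != 0) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);` ahead of the `iter->iov_index++`. The comment could also name the actual issue, presumably the pointer arithmetic on `p` further down, and use `/* */` like the other C files touched by this commit. The enclosing loop and function start and end outside the hunk.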
diff --git a/lib/nettle/rnd-fuzzer.c b/lib/nettle/rnd-fuzzer.c
index c5ab90fb43..821eebc4ba 100644
--- a/lib/nettle/rnd-fuzzer.c
+++ b/lib/nettle/rnd-fuzzer.c
@@ -77,6 +77,8 @@ __r48_rand_iterate(unsigned short int xsubi[3], struct r48_rand_data *buffer)
#ifdef __clang__
__attribute__((no_sanitize("integer")))
+#elif defined __GNUC__
+__attribute__((no_sanitize("shift-base")))
#endif
static int
r48_r(unsigned short int xsubi[3], struct r48_rand_data *buffer,
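Review bot: The added `#elif defined __GNUC__` branch applies `__attribute__((no_sanitize("shift-base")))` for every GCC version, but as far as I know the generic `no_sanitize` attribute only exists from GCC 8 on; an older compiler would emit an unknown-attribute warning, which a `-Werror` build turns into a failure. A version guard such as `#elif defined __GNUC__ && __GNUC__ >= 8` would avoid that. A comment saying which shift in `r48_r` is intentionally left as it is would also help, since the suppression covers the whole function and the body is outside the hunk.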
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index 5515d54ff9..b1421ef17a 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -274,7 +274,7 @@ gnutls_x509_trust_list_add_cas(gnutls_x509_trust_list_t list,
unsigned clist_size, unsigned int flags)
{
unsigned i, j;
- uint32_t hash;
+ size_t hash;
int ret;
unsigned exists;
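Review bot: Widening `hash` from `uint32_t` to `size_t` changes the bucket index on 64-bit builds wherever the hash function returns more than 32 bits, because the truncation used to happen before `hash %= list->size` (visible in the _gnutls_trustlist_inlist hunk). That is only safe if every insert and lookup site switches together; this commit changes ten in lib/x509/verify-high.c, but any remaining `uint32_t` user of the same tables elsewhere would compute a different bucket and miss entries, which for a trust list means a CA, CRL or named certificate not being found. A small helper that returns the bucket index, with a comment like `/* must match the index computation used on insertion */`, would keep the sites from diverging. None of the enclosing function bodies is fully inside its hunk.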
@@ -565,7 +565,7 @@ gnutls_x509_trust_list_remove_cas(gnutls_x509_trust_list_t list,
{
int r = 0;
unsigned j, i;
- uint32_t hash;
+ size_t hash;
for (i = 0; i < clist_size; i++) {
hash =
@@ -644,7 +644,7 @@ gnutls_x509_trust_list_add_named_crt(gnutls_x509_trust_list_t list,
const void *name, size_t name_size,
unsigned int flags)
{
- uint32_t hash;
+ size_t hash;
if (name_size >= MAX_SERVER_NAME_SIZE)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
@@ -712,7 +712,7 @@ gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list,
int ret;
unsigned x, i, j = 0;
unsigned int vret = 0;
- uint32_t hash;
+ size_t hash;
gnutls_x509_crl_t *tmp;
/* Probably we can optimize things such as removing duplicates
@@ -806,7 +806,7 @@ static int shorten_clist(gnutls_x509_trust_list_t list,
unsigned int clist_size)
{
unsigned int j, i;
- uint32_t hash;
+ size_t hash;
if (clist_size > 1) {
/* Check if the last certificate in the path is self signed.
@@ -859,7 +859,7 @@ int trust_list_get_issuer(gnutls_x509_trust_list_t list,
{
int ret;
unsigned int i;
- uint32_t hash;
+ size_t hash;
hash =
hash_pjw_bare(cert->raw_issuer_dn.data,
@@ -893,7 +893,7 @@ int trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list,
{
int ret;
unsigned int i, j;
- uint32_t hash;
+ size_t hash;
uint8_t tmp[256];
size_t tmp_size;
@@ -1257,7 +1257,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
{
int ret;
unsigned int i;
- uint32_t hash;
+ size_t hash;
gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH];
const char *hostname = NULL, *purpose = NULL, *email = NULL;
unsigned hostname_size = 0;
@@ -1501,7 +1501,7 @@ gnutls_x509_trust_list_verify_named_crt(gnutls_x509_trust_list_t list,
{
int ret;
unsigned int i;
- uint32_t hash;
+ size_t hash;
hash =
@@ -1558,7 +1558,7 @@ _gnutls_trustlist_inlist(gnutls_x509_trust_list_t list,
{
int ret;
unsigned int i;
- uint32_t hash;
+ size_t hash;
hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size);
hash %= list->size;
diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c
index 75e1e57c54..fbbb4c6ab9 100644
--- a/src/certtool-cfg.c
+++ b/src/certtool-cfg.c
@@ -1880,10 +1880,11 @@ int get_tls_server_status(void)
/* convert a printable IP to binary */
static int string_to_ip(unsigned char *ip, const char *str)
{
- int len = strlen(str);
int ret;
#if HAVE_IPV6
+ int len = strlen(str);
+
if (strchr(str, ':') != NULL || len > 16) { /* IPv6 */
ret = inet_pton(AF_INET6, str, ip);
if (ret <= 0) {
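Review bot: Moving the declaration under `#if HAVE_IPV6` keeps `int len = strlen(str);`, which narrows a `size_t` to `int`; `size_t len = strlen(str);` avoids the implicit conversion and leaves the `len > 16` comparison free of sign concerns. Since the declaration is now conditional, a short comment such as `/* only the IPv6 branch needs the length */` would explain why. string_to_ip continues outside the hunk.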
diff --git a/tests/cert-reencoding.sh b/tests/cert-reencoding.sh
index d61ec74028..aadd6fd1bd 100755
--- a/tests/cert-reencoding.sh
+++ b/tests/cert-reencoding.sh
@@ -57,6 +57,8 @@ export TZ="UTC"
. "${srcdir}/scripts/common.sh"
+check_for_datefudge
+
eval "${GETPORT}"
# Port for gnutls-serv
TLS_SERVER_PORT=$PORT
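Review bot: `check_for_datefudge` is called here, but tests/scripts/common.sh is not among the files this commit changes, so the helper has to exist already and keep the behaviour of the removed inline check (print a message and `exit 77` so the harness records a skip); that cannot be confirmed from this page. tests/ocsp-tests/ocsp-load-chain and tests/ocsp-tests/ocsp-test additionally gain a new `. "${srcdir}/scripts/common.sh"`, and whether `srcdir` is defaulted earlier in those scripts is outside their hunks. A comment next to the call, e.g. `# skips (exit 77) when datefudge is missing or not working`, would document the contract at each call site. The same call is added in ocsp-must-staple-connection and ocsp-tls-connection.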
@@ -72,14 +74,6 @@ if ! test -x "${OPENSSL}"; then
exit 77
fi
-# Check for datefudge
-TSTAMP=`datefudge "2006-09-23" date -u +%s || true`
-if test "$TSTAMP" != "1158969600"; then
- echo $TSTAMP
- echo "You need datefudge to run this test."
- exit 77
-fi
-
SERVER_PID=""
TLS_SERVER_PID=""
stop_servers ()
diff --git a/tests/ocsp-tests/ocsp-load-chain b/tests/ocsp-tests/ocsp-load-chain
index 73bb4209d8..04de48f7ed 100755
--- a/tests/ocsp-tests/ocsp-load-chain
+++ b/tests/ocsp-tests/ocsp-load-chain
@@ -29,13 +29,9 @@ fi
export TZ="UTC"
-# Check for datefudge
-TSTAMP=`datefudge "2006-09-23" date -u +%s || true`
-if test "$TSTAMP" != "1158969600"; then
- echo $TSTAMP
- echo "You need datefudge to run this test"
- exit 77
-fi
+. "${srcdir}/scripts/common.sh"
+
+check_for_datefudge
datefudge -s "2017-06-19" \
"${OCSPTOOL}" -e --load-chain "${srcdir}/ocsp-tests/certs/chain-amazon.com.pem" --infile "${srcdir}/ocsp-tests/certs/ocsp-amazon.com.der" --verify-allow-broken
diff --git a/tests/ocsp-tests/ocsp-must-staple-connection b/tests/ocsp-tests/ocsp-must-staple-connection
index 111c287a4c..490cc032f0 100755
--- a/tests/ocsp-tests/ocsp-must-staple-connection
+++ b/tests/ocsp-tests/ocsp-must-staple-connection
@@ -53,6 +53,8 @@ fi
. "${srcdir}/scripts/common.sh"
+check_for_datefudge
+
eval "${GETPORT}"
# Port for gnutls-serv
TLS_SERVER_PORT=$PORT
@@ -72,14 +74,6 @@ if ! test -x "${OPENSSL}"; then
exit 77
fi
-# Check for datefudge
-TSTAMP=`datefudge "2006-09-23" date -u +%s || true`
-if test "$TSTAMP" != "1158969600"; then
- echo $TSTAMP
- echo "You need datefudge to run this test."
- exit 77
-fi
-
CERTDATE="2016-04-28"
TESTDATE="2016-04-29"
EXP_OCSP_DATE="2016-03-27"
diff --git a/tests/ocsp-tests/ocsp-test b/tests/ocsp-tests/ocsp-test
index f481e13131..3730175208 100755
--- a/tests/ocsp-tests/ocsp-test
+++ b/tests/ocsp-tests/ocsp-test
@@ -30,13 +30,9 @@ fi
export TZ="UTC"
-# Check for datefudge
-TSTAMP=`datefudge "2006-09-23" date -u +%s || true`
-if test "$TSTAMP" != "1158969600"; then
- echo $TSTAMP
- echo "You need datefudge to run this test"
- exit 77
-fi
+. "${srcdir}/scripts/common.sh"
+
+check_for_datefudge
# Note that in rare cases this test may fail because the
# time set using datefudge could have changed since the generation
diff --git a/tests/ocsp-tests/ocsp-tls-connection b/tests/ocsp-tests/ocsp-tls-connection
index 4b1e3025c7..bcc77ec2d9 100755
--- a/tests/ocsp-tests/ocsp-tls-connection
+++ b/tests/ocsp-tests/ocsp-tls-connection
@@ -54,6 +54,8 @@ export TZ="UTC"
. "${srcdir}/scripts/common.sh"
+check_for_datefudge
+
eval "${GETPORT}"
# Port for gnutls-serv
TLS_SERVER_PORT=$PORT
@@ -73,14 +75,6 @@ if ! test -x "${OPENSSL}"; then
exit 77
fi
-# Check for datefudge
-TSTAMP=`datefudge "2006-09-23" date -u +%s || true`
-if test "$TSTAMP" != "1158969600"; then
- echo $TSTAMP
- echo "You need datefudge to run this test."
- exit 77
-fi
-
CERTDATE="2016-04-28"
TESTDATE="2016-04-29"
diff --git a/tests/ssl30-cipher-neg.c b/tests/ssl30-cipher-neg.c
index a438f4b7ea..745be43e0c 100644
--- a/tests/ssl30-cipher-neg.c
+++ b/tests/ssl30-cipher-neg.c
@@ -118,6 +118,8 @@ test_case_st tests[] = {
void doit(void)
{
+ (void) try;
+
#ifdef ENABLE_SSL3
unsigned i;
global_init();
diff --git a/tests/ssl30-server-kx-neg.c b/tests/ssl30-server-kx-neg.c
index cdfc1e466c..357cf941ba 100644
--- a/tests/ssl30-server-kx-neg.c
+++ b/tests/ssl30-server-kx-neg.c
@@ -156,6 +156,8 @@ test_case_st tests[] = {
void doit(void)
{
+ (void) try;
+
#ifdef ENABLE_SSL3
unsigned i;
global_init();