1# components-sanitizers.sh 2# 3# Copyright The Mbed TLS Contributors 4# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 5 6# This file contains test components that are executed by all.sh 7 8################################################################ 9#### Sanitizer Testing 10################################################################ 11 12skip_suites_without_constant_flow () { 13 # Skip the test suites that don't have any constant-flow annotations. 14 # This will need to be adjusted if we ever start declaring things as 15 # secret from macros or functions inside tests/include or tests/src. 16 SKIP_TEST_SUITES=$( 17 git -C tests/suites grep -L TEST_CF_ 'test_suite_*.function' | 18 sed 's/test_suite_//; s/\.function$//' | 19 tr '\n' ,) 20 export SKIP_TEST_SUITES 21} 22 23skip_all_except_given_suite () { 24 # Skip all but the given test suite 25 SKIP_TEST_SUITES=$( 26 ls -1 tests/suites/test_suite_*.function | 27 grep -v $1.function | 28 sed 's/tests.suites.test_suite_//; s/\.function$//' | 29 tr '\n' ,) 30 export SKIP_TEST_SUITES 31} 32 33component_test_memsan_constant_flow () { 34 # This tests both (1) accesses to undefined memory, and (2) branches or 35 # memory access depending on secret values. To distinguish between those: 36 # - unset MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN - does the failure persist? 37 # - or alternatively, change the build type to MemSanDbg, which enables 38 # origin tracking and nicer stack traces (which are useful for debugging 39 # anyway), and check if the origin was TEST_CF_SECRET() or something else. 40 msg "build: cmake MSan (clang), full config minus MBEDTLS_USE_PSA_CRYPTO with constant flow testing" 41 scripts/config.py full 42 scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN 43 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 44 scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm 45 CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan . 46 make 47 48 msg "test: main suites (full minus MBEDTLS_USE_PSA_CRYPTO, Msan + constant flow)" 49 make test 50} 51 52component_test_memsan_constant_flow_psa () { 53 # This tests both (1) accesses to undefined memory, and (2) branches or 54 # memory access depending on secret values. To distinguish between those: 55 # - unset MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN - does the failure persist? 56 # - or alternatively, change the build type to MemSanDbg, which enables 57 # origin tracking and nicer stack traces (which are useful for debugging 58 # anyway), and check if the origin was TEST_CF_SECRET() or something else. 59 msg "build: cmake MSan (clang), full config with constant flow testing" 60 scripts/config.py full 61 scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN 62 scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm 63 CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan . 64 make 65 66 msg "test: main suites (Msan + constant flow)" 67 make test 68} 69 70component_release_test_valgrind_constant_flow () { 71 # This tests both (1) everything that valgrind's memcheck usually checks 72 # (heap buffer overflows, use of uninitialized memory, use-after-free, 73 # etc.) and (2) branches or memory access depending on secret values, 74 # which will be reported as uninitialized memory. To distinguish between 75 # secret and actually uninitialized: 76 # - unset MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND - does the failure persist? 77 # - or alternatively, build with debug info and manually run the offending 78 # test suite with valgrind --track-origins=yes, then check if the origin 79 # was TEST_CF_SECRET() or something else. 80 msg "build: cmake release GCC, full config minus MBEDTLS_USE_PSA_CRYPTO with constant flow testing" 81 scripts/config.py full 82 scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND 83 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 84 skip_suites_without_constant_flow 85 cmake -D CMAKE_BUILD_TYPE:String=Release . 86 make 87 88 # this only shows a summary of the results (how many of each type) 89 # details are left in Testing/<date>/DynamicAnalysis.xml 90 msg "test: some suites (full minus MBEDTLS_USE_PSA_CRYPTO, valgrind + constant flow)" 91 make memcheck 92 93 # Test asm path in constant time module - by default, it will test the plain C 94 # path under Valgrind or Memsan. Running only the constant_time tests is fast (<1s) 95 msg "test: valgrind asm constant_time" 96 scripts/config.py --force set MBEDTLS_TEST_CONSTANT_FLOW_ASM 97 skip_all_except_given_suite test_suite_constant_time 98 cmake -D CMAKE_BUILD_TYPE:String=Release . 99 make clean 100 make 101 make memcheck 102} 103 104component_release_test_valgrind_constant_flow_psa () { 105 # This tests both (1) everything that valgrind's memcheck usually checks 106 # (heap buffer overflows, use of uninitialized memory, use-after-free, 107 # etc.) and (2) branches or memory access depending on secret values, 108 # which will be reported as uninitialized memory. To distinguish between 109 # secret and actually uninitialized: 110 # - unset MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND - does the failure persist? 111 # - or alternatively, build with debug info and manually run the offending 112 # test suite with valgrind --track-origins=yes, then check if the origin 113 # was TEST_CF_SECRET() or something else. 114 msg "build: cmake release GCC, full config with constant flow testing" 115 scripts/config.py full 116 scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND 117 skip_suites_without_constant_flow 118 cmake -D CMAKE_BUILD_TYPE:String=Release . 119 make 120 121 # this only shows a summary of the results (how many of each type) 122 # details are left in Testing/<date>/DynamicAnalysis.xml 123 msg "test: some suites (valgrind + constant flow)" 124 make memcheck 125} 126 127component_test_tsan () { 128 msg "build: TSan (clang)" 129 scripts/config.py full 130 scripts/config.py set MBEDTLS_THREADING_C 131 scripts/config.py set MBEDTLS_THREADING_PTHREAD 132 # Self-tests do not currently use multiple threads. 133 scripts/config.py unset MBEDTLS_SELF_TEST 134 135 # The deprecated MBEDTLS_PSA_CRYPTO_SE_C interface is not thread safe. 136 scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C 137 138 CC=clang cmake -D CMAKE_BUILD_TYPE:String=TSan . 139 make 140 141 msg "test: main suites (TSan)" 142 make test 143} 144 145component_test_memsan () { 146 msg "build: MSan (clang)" # ~ 1 min 20s 147 scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm 148 CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan . 149 make 150 151 msg "test: main suites (MSan)" # ~ 10s 152 make test 153 154 msg "test: metatests (MSan)" 155 tests/scripts/run-metatests.sh any msan 156 157 msg "program demos (MSan)" # ~20s 158 tests/scripts/run_demos.py 159 160 msg "test: ssl-opt.sh (MSan)" # ~ 1 min 161 tests/ssl-opt.sh 162 163 # Optional part(s) 164 165 if [ "$MEMORY" -gt 0 ]; then 166 msg "test: compat.sh (MSan)" # ~ 6 min 20s 167 tests/compat.sh 168 fi 169} 170 171component_release_test_valgrind () { 172 msg "build: Release (clang)" 173 # default config, in particular without MBEDTLS_USE_PSA_CRYPTO 174 CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release . 175 make 176 177 msg "test: main suites, Valgrind (default config)" 178 make memcheck 179 180 # Optional parts (slow; currently broken on OS X because programs don't 181 # seem to receive signals under valgrind on OS X). 182 # These optional parts don't run on the CI. 183 if [ "$MEMORY" -gt 0 ]; then 184 msg "test: ssl-opt.sh --memcheck (default config)" 185 tests/ssl-opt.sh --memcheck 186 fi 187 188 if [ "$MEMORY" -gt 1 ]; then 189 msg "test: compat.sh --memcheck (default config)" 190 tests/compat.sh --memcheck 191 fi 192 193 if [ "$MEMORY" -gt 0 ]; then 194 msg "test: context-info.sh --memcheck (default config)" 195 tests/context-info.sh --memcheck 196 fi 197} 198 199component_release_test_valgrind_psa () { 200 msg "build: Release, full (clang)" 201 # full config, in particular with MBEDTLS_USE_PSA_CRYPTO 202 scripts/config.py full 203 CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release . 204 make 205 206 msg "test: main suites, Valgrind (full config)" 207 make memcheck 208} 209
