wolfsshd: add StrictModes and secure loading of trust anchors #643
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Sanitizer Tests | |
| on: | |
| push: | |
| branches: [ 'master', 'main', 'release/**' ] | |
| pull_request: | |
| branches: [ '*' ] | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| build_wolfssl: | |
| name: Build wolfSSL (${{ matrix.name }}) | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 5 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - name: spmath | |
| config: "--enable-wolfssh --enable-keygen --enable-pkcallbacks" | |
| # Heap math keeps big numbers (RSA/ECC key material) in heap | |
| # allocations. The default SP math keeps them in fixed buffers | |
| # inside the key struct, so a leaked key is invisible to | |
| # LeakSanitizer. This variant makes such leaks detectable. | |
| - name: heapmath | |
| config: "--enable-wolfssh --enable-keygen --enable-pkcallbacks --enable-heapmath" | |
| steps: | |
| - name: Checkout wolfSSL | |
| uses: actions/checkout@v6 | |
| with: | |
| repository: wolfssl/wolfssl | |
| path: wolfssl | |
| - name: Build wolfSSL | |
| working-directory: ./wolfssl | |
| run: | | |
| ./autogen.sh | |
| ./configure ${{ matrix.config }} | |
| make -j$(nproc) | |
| sudo make install | |
| sudo ldconfig | |
| - name: tar build-dir | |
| run: tar -zcf wolfssl-install.tgz /usr/local/lib/libwolfssl* /usr/local/include/wolfssl | |
| - name: Upload built lib | |
| uses: actions/upload-artifact@v7 | |
| with: | |
| name: wolfssl-sanitizer-${{ matrix.name }} | |
| path: wolfssl-install.tgz | |
| retention-days: 5 | |
| sanitizer_test: | |
| name: ${{ matrix.name }} | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| needs: build_wolfssl | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - name: "ASan" | |
| wolfssl: spmath | |
| cflags: "-fsanitize=address -fno-omit-frame-pointer -g -O1" | |
| ldflags: "-fsanitize=address" | |
| - name: "UBSan" | |
| wolfssl: spmath | |
| cflags: "-fsanitize=undefined -fno-sanitize-recover=all -fno-omit-frame-pointer -g" | |
| ldflags: "-fsanitize=undefined" | |
| # ASan against a heap-math wolfSSL so LeakSanitizer can see a | |
| # leaked key (see the build_wolfssl heapmath note above). | |
| - name: "ASan (heap math)" | |
| wolfssl: heapmath | |
| cflags: "-fsanitize=address -fno-omit-frame-pointer -g -O1" | |
| ldflags: "-fsanitize=address" | |
| steps: | |
| - name: Workaround high-entropy ASLR | |
| run: sudo sysctl vm.mmap_rnd_bits=28 | |
| - name: Checkout wolfSSH | |
| uses: actions/checkout@v6 | |
| - name: Download wolfSSL | |
| uses: actions/download-artifact@v8 | |
| with: | |
| name: wolfssl-sanitizer-${{ matrix.wolfssl }} | |
| - name: Install wolfSSL | |
| run: | | |
| sudo tar -xzf wolfssl-install.tgz -C / | |
| sudo ldconfig | |
| - name: Build wolfSSH with ${{ matrix.name }} | |
| run: | | |
| ./autogen.sh | |
| ./configure --enable-all \ | |
| CFLAGS="${{ matrix.cflags }}" LDFLAGS="${{ matrix.ldflags }}" | |
| make -j$(nproc) | |
| - name: Run tests | |
| run: make check | |
| - name: Show test logs on failure | |
| if: failure() | |
| run: | | |
| echo "=== test-suite.log ===" | |
| cat test-suite.log || true | |
| echo "" | |
| echo "=== tests/api.log ===" | |
| cat tests/api.log || true | |
| - name: Upload failure logs | |
| if: failure() | |
| uses: actions/upload-artifact@v7 | |
| with: | |
| name: wolfssh-${{ matrix.name }}-logs | |
| path: | | |
| test-suite.log | |
| config.log | |
| retention-days: 5 |