-
Notifications
You must be signed in to change notification settings - Fork 114
198 lines (170 loc) · 9.47 KB
/
Copy pathwindows-check.yml
File metadata and controls
198 lines (170 loc) · 9.47 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
name: Windows Build Test
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
workflow_dispatch:
env:
WOLFSSL_SOLUTION_FILE_PATH: wolfssl64.sln
SOLUTION_FILE_PATH: wolfssh.sln
USER_SETTINGS_H_NEW: wolfssh/ide/winvs/user_settings.h
USER_SETTINGS_H: wolfssl/IDE/WIN/user_settings.h
INCLUDE_DIR: wolfssh
# Configuration type to build.
# You can convert this to a build matrix if you need coverage of multiple configuration types.
# https://docs.github.com/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix
WOLFSSL_BUILD_CONFIGURATION: Release
WOLFSSH_BUILD_CONFIGURATION: Release
BUILD_PLATFORM: x64
TARGET_PLATFORM: 10
jobs:
build:
runs-on: windows-latest
steps:
- uses: actions/checkout@v2
with:
repository: wolfssl/wolfssl
path: wolfssl
- uses: actions/checkout@master
with:
path: wolfssh
- name: Add MSBuild to PATH
uses: microsoft/setup-msbuild@v1
- name: Restore wolfSSL NuGet packages
working-directory: ${{env.GITHUB_WORKSPACE}}wolfssl
run: nuget restore ${{env.WOLFSSL_SOLUTION_FILE_PATH}}
- name: updated user_settings.h for sshd and x509
working-directory: ${{env.GITHUB_WORKSPACE}}
run: cp ${{env.USER_SETTINGS_H_NEW}} ${{env.USER_SETTINGS_H}}
- name: replace wolfSSL user_settings.h with wolfSSH user_settings.h
working-directory: ${{env.GITHUB_WORKSPACE}}
run: get-content ${{env.USER_SETTINGS_H_NEW}} | %{$_ -replace "if 0","if 1"}
- name: Build wolfssl library
working-directory: ${{env.GITHUB_WORKSPACE}}wolfssl
run: msbuild /m /p:PlatformToolset=v142 /p:Platform=${{env.BUILD_PLATFORM}} /p:Configuration=${{env.WOLFSSL_BUILD_CONFIGURATION}} /t:wolfssl ${{env.WOLFSSL_SOLUTION_FILE_PATH}}
- name: Restore NuGet packages
working-directory: ${{env.GITHUB_WORKSPACE}}wolfssh\ide\winvs
run: nuget restore ${{env.SOLUTION_FILE_PATH}}
- name: Build wolfssh
working-directory: ${{env.GITHUB_WORKSPACE}}wolfssh\ide\winvs
# Add additional options to the MSBuild command line here (like platform or verbosity level).
# See https://docs.microsoft.com/visualstudio/msbuild/msbuild-command-line-reference
run: msbuild /m /p:PlatformToolset=v142 /p:Platform=${{env.BUILD_PLATFORM}} /p:WindowsTargetPlatformVersion=${{env.TARGET_PLATFORM}} /p:Configuration=${{env.WOLFSSH_BUILD_CONFIGURATION}} ${{env.SOLUTION_FILE_PATH}}
# Build and run the self-contained unit tests with the MSVC AddressSanitizer.
# This is the only job that executes wolfSSH tests under a sanitizer on
# Windows, where the USE_WINDOWS_API console code (e.g. wolfSSH_DoOSC) is
# compiled, so it guards that path against out-of-bounds reads.
asan-tests:
runs-on: windows-latest
env:
# print_stats=1 emits allocator stats at exit, positive evidence that the
# ASan runtime was active in-process during each test run.
ASAN_OPTIONS: abort_on_error=1:print_stats=1
steps:
- uses: actions/checkout@v2
with:
repository: wolfssl/wolfssl
path: wolfssl
- uses: actions/checkout@master
with:
path: wolfssh
- name: Add MSBuild to PATH
uses: microsoft/setup-msbuild@v1
# The pinned v142 toolset does not ship the AddressSanitizer runtime libs on
# the runner. Find an installed MSVC toolset that does and build everything in
# this job with it, recording its lib/bin dirs for the link and run steps.
# wolfssl, wolfssh and the test projects must share one compiler version
# because /GL (whole program optimization) does code generation at link time.
- name: Locate MSVC AddressSanitizer runtime
shell: pwsh
run: |
$vs = & "C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe" -latest -property installationPath
$lib = Get-ChildItem "$vs\VC\Tools\MSVC\*\lib\x64\clang_rt.asan_dynamic_runtime_thunk-x86_64.lib" -ErrorAction SilentlyContinue |
Sort-Object { [version]($_.FullName -replace '.*\\MSVC\\([0-9.]+)\\.*','$1') } |
Select-Object -Last 1
if ($null -eq $lib) { throw "MSVC AddressSanitizer runtime not found in any installed toolset" }
$msvcDir = $lib.Directory.Parent.Parent.FullName
$ver = [version]($msvcDir.Split('\')[-1])
if ($ver.Minor -ge 30) { $toolset = "v143" } else { $toolset = "v142" }
"ASAN_TOOLSET=$toolset" | Out-File $env:GITHUB_ENV -Append
"ASAN_LIB_DIR=$($lib.Directory.FullName)" | Out-File $env:GITHUB_ENV -Append
"ASAN_BIN_DIR=$(Join-Path $msvcDir 'bin\Hostx64\x64')" | Out-File $env:GITHUB_ENV -Append
Write-Host "Using toolset $toolset (MSVC $ver)"
- name: Restore wolfSSL NuGet packages
working-directory: wolfssl
run: nuget restore ${{env.WOLFSSL_SOLUTION_FILE_PATH}}
# These env paths already include the wolfssh/ and wolfssl/ checkout
# prefixes, so they must run from the workspace root (as the build job does).
- name: updated user_settings.h for sshd and x509
run: cp ${{env.USER_SETTINGS_H_NEW}} ${{env.USER_SETTINGS_H}}
- name: replace wolfSSL user_settings.h with wolfSSH user_settings.h
run: get-content ${{env.USER_SETTINGS_H_NEW}} | %{$_ -replace "if 0","if 1"}
# WholeProgramOptimization=false disables /GL so the v142-independent objects
# link without a cross-version code-generation requirement (C1047).
- name: Build wolfssl library
working-directory: wolfssl
shell: pwsh
run: |
msbuild /m /p:PlatformToolset=$env:ASAN_TOOLSET /p:Platform=${{env.BUILD_PLATFORM}} /p:Configuration=${{env.WOLFSSL_BUILD_CONFIGURATION}} /p:WholeProgramOptimization=false /t:wolfssl ${{env.WOLFSSL_SOLUTION_FILE_PATH}}
if ($LASTEXITCODE -ne 0) { throw "wolfssl build failed" }
- name: Restore NuGet packages
working-directory: wolfssh\ide\winvs
run: nuget restore ${{env.SOLUTION_FILE_PATH}}
# EnableASAN=true adds /fsanitize=address to each test project and to the
# referenced wolfssh library project, instrumenting src/wolfterm.c. The
# AddressSanitizer lib dir is added to LIB so the runtime thunk resolves.
- name: Build api-test and unit-test with AddressSanitizer
working-directory: wolfssh\ide\winvs
shell: pwsh
run: |
$env:LIB = "$env:ASAN_LIB_DIR;$env:LIB"
foreach ($p in @("api-test\api-test.vcxproj", "unit-test\unit-test.vcxproj")) {
msbuild /m /p:PlatformToolset=$env:ASAN_TOOLSET /p:Platform=${{env.BUILD_PLATFORM}} /p:WindowsTargetPlatformVersion=${{env.TARGET_PLATFORM}} /p:Configuration=${{env.WOLFSSH_BUILD_CONFIGURATION}} /p:EnableASAN=true /p:WholeProgramOptimization=false $p
if ($LASTEXITCODE -ne 0) { throw "build failed: $p" }
}
# Positive control: compile a deliberate heap overflow with the same toolset
# and confirm ASan aborts on it. This proves ASan detection actually works on
# this runner, so a clean test run is meaningful rather than a silent no-op.
- name: Verify AddressSanitizer detection (positive control)
shell: pwsh
run: |
$vs = & "C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe" -latest -property installationPath
Import-Module "$vs\Common7\Tools\Microsoft.VisualStudio.DevShell.dll"
Enter-VsDevShell -VsInstallPath $vs -SkipAutomaticLocation -DevCmdArguments "-arch=x64" | Out-Null
Set-Content canary.c 'int main(int argc, char** argv) { volatile char b[1]; (void)argv; return b[argc + 10]; }'
cl /nologo /fsanitize=address /MD canary.c
if ($LASTEXITCODE -ne 0) { throw "canary failed to compile" }
$out = & .\canary.exe 2>&1 | Out-String
$code = $LASTEXITCODE
Write-Host $out
if ($code -eq 0 -or $out -notmatch "AddressSanitizer") {
throw "Positive control FAILED: ASan did not detect the deliberate overflow"
}
Write-Host "Positive control OK: ASan detected the deliberate out-of-bounds access"
# canary.exe aborts with a non-zero code by design; reset so the step
# itself reports success.
exit 0
# Building a .vcxproj directly leaves $(SolutionDir) unset, so each project
# writes to its own <project>\Release\x64 dir. Run from the wolfssh repo root
# so the tests find keys/ and certs/, and copy the dynamic ASAN runtime next
# to each binary so it loads without a full developer-prompt environment.
- name: Run tests under AddressSanitizer
working-directory: wolfssh
shell: pwsh
run: |
$cfg = "${{env.WOLFSSH_BUILD_CONFIGURATION}}\${{env.BUILD_PLATFORM}}"
$dll = Join-Path $env:ASAN_BIN_DIR "clang_rt.asan_dynamic-x86_64.dll"
if (-not (Test-Path $dll)) { throw "ASAN runtime DLL not found: $dll" }
foreach ($t in @("api-test", "unit-test")) {
$dir = "ide\winvs\$t\$cfg"
# Static signal: confirm the binary really imports the ASan runtime, so
# we are exercising an instrumented build and not a stale one.
$deps = & "$env:ASAN_BIN_DIR\dumpbin.exe" /dependents "$dir\$t.exe" | Out-String
if ($deps -notmatch "clang_rt.asan") { throw "$t is not linked against the ASan runtime" }
Write-Host "$t links the ASan runtime:"
($deps -split "`n" | Select-String "asan").Line.Trim() | ForEach-Object { Write-Host " $_" }
Copy-Item $dll $dir
& "$dir\$t.exe"
if ($LASTEXITCODE -ne 0) { throw "$t failed under ASAN (exit $LASTEXITCODE)" }
}