diff --git a/.github/workflows/scan-build.yml b/.github/workflows/scan-build.yml new file mode 100644 index 00000000..a76149b3 --- /dev/null +++ b/.github/workflows/scan-build.yml @@ -0,0 +1,278 @@ +# wolfPKCS11 Scan-Build Static Analysis Workflow +# +# This workflow performs comprehensive static analysis on the wolfPKCS11 codebase +# using Clang Static Analyzer (scan-build) to identify potential bugs, security +# vulnerabilities, and code quality issues across different build configurations. +# +# Features: +# - Matrix build testing both standard and TPM-enabled configurations +# - Comprehensive analysis using Clang Static Analyzer +# - HTML report generation for detailed issue review +# - Zero-tolerance policy: any bugs found will fail the build +# - Artifact upload for detailed review of analysis results +# +# Configurations tested: +# 1. Standard Build - Default wolfPKCS11 configuration +# 2. NSS Build - wolfPKCS11 with NSS support +# 3. TPM Build - wolfPKCS11 with TPM support via wolfTPM and IBM TPM simulator +# 4. NSS+TPM Build - wolfPKCS11 with both NSS and TPM support +# +# The workflow generates detailed HTML reports and summaries available as artifacts +# for each configuration, enabling developers to review and address identified issues. + +name: wolfPKCS11 Scan-Build Analysis + +on: + push: + branches: [ 'master', 'main', 'release/**' ] + pull_request: + branches: [ '*' ] + +jobs: + scan-build: + runs-on: ubuntu-latest + + strategy: + fail-fast: false + matrix: + config: + - name: "Standard Build" + configure_flags: "" + - name: "NSS Build" + configure_flags: "--enable-nss" + - name: "TPM Build" + configure_flags: "--enable-tpm" + - name: "NSS+TPM Build" + configure_flags: "--enable-nss --enable-tpm" + + steps: + # Checkout wolfPKCS11 + - uses: actions/checkout@v4 + + # Install build dependencies + - name: Install dependencies + run: | + sudo apt-get update + sudo apt-get install -y \ + build-essential \ + autoconf \ + automake \ + libtool \ + clang \ + clang-tools \ + pkg-config \ + git \ + libnss3-dev \ + libnspr4-dev + + # Build and install wolfSSL + - name: Build and install wolfSSL + run: | + git clone https://github.com/wolfSSL/wolfssl.git + cd wolfssl + ./autogen.sh + ./configure --enable-cryptocb --enable-aescfb --enable-rsapss --enable-keygen --enable-pwdbased --enable-scrypt --enable-md5 \ + C_EXTRA_FLAGS="-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT -DHAVE_AES_ECB -DHAVE_AES_KEYWRAP" + make -j$(nproc) + sudo make install + sudo ldconfig + cd .. + + # Setup IBM Software TPM (only if TPM enabled) + - name: Setup IBM Software TPM + if: contains(matrix.config.configure_flags, '--enable-tpm') + run: | + git clone https://github.com/kgoldman/ibmswtpm2.git + cd ibmswtpm2/src + make + ./tpm_server & + cd ../.. + + # Build and install wolfTPM (only if TPM enabled) + - name: Build and install wolfTPM + if: contains(matrix.config.configure_flags, '--enable-tpm') + run: | + git clone https://github.com/wolfSSL/wolftpm.git + cd wolftpm + ./autogen.sh + ./configure --enable-swtpm + make -j$(nproc) + sudo make install + sudo ldconfig + cd .. + + # Configure wolfPKCS11 + - name: Configure wolfPKCS11 (${{ matrix.config.name }}) + run: | + ./autogen.sh + if [ -n "${{ matrix.config.configure_flags }}" ]; then + CC=clang CXX=clang++ ./configure --enable-all --enable-debug ${{ matrix.config.configure_flags }} + else + CC=clang CXX=clang++ ./configure --enable-all --enable-debug + fi + + # Run scan-build analysis + - name: Run scan-build analysis (${{ matrix.config.name }}) + run: | + # Create output directory for scan-build reports + mkdir -p scan-build-reports + + # Run scan-build with comprehensive checkers and fail on any bugs + echo "Running scan-build analysis..." + echo "Working directory: $(pwd)" + echo "Environment variables:" + env | grep -E "(CC|CXX|CFLAGS|LDFLAGS|LD_LIBRARY_PATH)" || echo "No relevant env vars set" + + # Run scan-build and capture both stdout and stderr + scan-build -o scan-build-reports \ + --status-bugs \ + --use-cc=clang \ + --use-c++=clang++ \ + -enable-checker alpha.core.BoolAssignment \ + -enable-checker alpha.core.CallAndMessageUnInitRefArg \ + -enable-checker alpha.core.CastSize \ + -enable-checker alpha.core.CastToStruct \ + -enable-checker alpha.core.Conversion \ + -enable-checker alpha.core.DynamicTypeChecker \ + -enable-checker alpha.core.FixedAddr \ + -enable-checker alpha.core.IdenticalExpr \ + -enable-checker alpha.core.PointerArithm \ + -enable-checker alpha.core.PointerSub \ + -enable-checker alpha.core.SizeofPtr \ + -enable-checker alpha.core.TestAfterDivZero \ + -enable-checker alpha.security.ArrayBound \ + -enable-checker alpha.security.ArrayBoundV2 \ + -enable-checker alpha.security.MallocOverflow \ + -enable-checker alpha.security.ReturnPtrRange \ + -enable-checker alpha.unix.SimpleStream \ + -enable-checker alpha.unix.cstring.BufferOverlap \ + -enable-checker alpha.unix.cstring.NotNullTerminated \ + -enable-checker alpha.unix.cstring.OutOfBounds \ + -enable-checker security.FloatLoopCounter \ + -enable-checker security.insecureAPI.UncheckedReturn \ + make -j$(nproc) > scan-build-output.txt 2>&1 + + # Check if scan-build found any issues + SCAN_EXIT_CODE=$? + + # Count warnings and errors from the output + WARNINGS=0 + ERRORS=0 + BUGS_FOUND=0 + + if [ -s scan-build-output.txt ]; then + WARNINGS=$(grep -c "warning:" scan-build-output.txt 2>/dev/null || echo "0") + ERRORS=$(grep -c "error:" scan-build-output.txt 2>/dev/null || echo "0") + + # Check for "bugs found" message - scan-build uses this format + if grep -q "bugs found" scan-build-output.txt; then + BUGS_FOUND=$(grep -o "[0-9]\+ bugs found" scan-build-output.txt | head -1 | cut -d' ' -f1 2>/dev/null || echo "0") + fi + + # Also check for "No bugs found" message + if grep -q "No bugs found" scan-build-output.txt; then + BUGS_FOUND=0 + fi + fi + + # Display summary + echo "" + echo "=== Scan-Build Analysis Summary ===" + echo "Configuration: ${{ matrix.config.name }}" + echo "Warnings: $WARNINGS" + echo "Errors: $ERRORS" + echo "Bugs found: $BUGS_FOUND" + echo "Scan-build exit code: $SCAN_EXIT_CODE" + echo "Timestamp: $(date)" + + # Create summary file for artifacts + echo "Configuration: ${{ matrix.config.name }}" > scan-build-summary.txt + echo "Warnings: $WARNINGS" >> scan-build-summary.txt + echo "Errors: $ERRORS" >> scan-build-summary.txt + echo "Bugs found: $BUGS_FOUND" >> scan-build-summary.txt + echo "Scan-build exit code: $SCAN_EXIT_CODE" >> scan-build-summary.txt + echo "Timestamp: $(date)" >> scan-build-summary.txt + + # Display scan-build output (first 50 lines to avoid log overflow) + if [ -s scan-build-output.txt ]; then + echo "" + echo "=== Scan-Build Output (First 50 lines) ===" + head -50 scan-build-output.txt + TOTAL_LINES=$(wc -l < scan-build-output.txt) + if [ "$TOTAL_LINES" -gt 50 ]; then + echo "... (truncated, full output available in artifacts - $TOTAL_LINES total lines)" + fi + fi + + # List generated HTML reports + if [ -d "scan-build-reports" ]; then + REPORT_COUNT=$(find scan-build-reports -name "*.html" -type f 2>/dev/null | wc -l) + REPORT_DIRS=$(find scan-build-reports -mindepth 1 -maxdepth 1 -type d 2>/dev/null | wc -l) + echo "" + echo "Generated $REPORT_COUNT HTML report files in $REPORT_DIRS report directories" + if [ "$REPORT_COUNT" -gt 0 ]; then + echo "HTML reports available in artifacts for detailed analysis" + find scan-build-reports -name "*.html" -type f 2>/dev/null | head -10 | sed 's/^/ /' + fi + if [ "$REPORT_DIRS" -gt 0 ]; then + echo "Report directories:" + find scan-build-reports -mindepth 1 -maxdepth 1 -type d 2>/dev/null | head -5 | sed 's/^/ /' + fi + else + echo "" + echo "No scan-build-reports directory found" + fi + + # Fail the build if scan-build found bugs or returned non-zero exit code + if [ "$SCAN_EXIT_CODE" -ne 0 ] || [ "$BUGS_FOUND" -gt 0 ]; then + echo "" + echo "❌ Scan-build analysis failed" + echo "Exit code: $SCAN_EXIT_CODE" + echo "Bugs found: $BUGS_FOUND" + echo "Warnings: $WARNINGS" + echo "Errors: $ERRORS" + echo "" + echo "This indicates potential bugs or static analysis issues were found." + echo "Please review the detailed reports in the artifacts and fix the issues." + echo "" + echo "Recent scan-build output:" + if [ -s scan-build-output.txt ]; then + tail -20 scan-build-output.txt | sed 's/^/ /' + fi + exit 1 + else + echo "" + echo "✅ Scan-build analysis passed successfully" + echo "No static analysis issues detected in ${{ matrix.config.name }} configuration" + fi + + # Upload scan-build reports and logs + - name: Upload scan-build artifacts + if: failure() + uses: actions/upload-artifact@v4 + with: + name: scan-build-reports-${{ matrix.config.name }}-${{ github.run_number }} + path: | + scan-build-reports/ + scan-build-output.txt + scan-build-summary.txt + test-suite.log + config.log + retention-days: 14 + if-no-files-found: warn + + # Upload failure logs (additional step for easier debugging) + - name: Upload failure logs + if: failure() + uses: actions/upload-artifact@v4 + with: + name: scan-build-failure-logs-${{ matrix.config.name }}-${{ github.run_number }} + path: | + scan-build-output.txt + scan-build-summary.txt + config.log + test-suite.log + src/*.lo + src/*.o + retention-days: 7 + if-no-files-found: ignore diff --git a/examples/obj_list.c b/examples/obj_list.c index 1846aaa7..f73eff89 100644 --- a/examples/obj_list.c +++ b/examples/obj_list.c @@ -543,7 +543,7 @@ int obj_list(int argc, char* argv[]) int ret; CK_RV rv; const char* libName = WOLFPKCS11_DLL_FILENAME; - CK_SESSION_HANDLE session; + CK_SESSION_HANDLE session = CK_INVALID_HANDLE; #ifndef WOLFPKCS11_NO_ENV if (!XGETENV("WOLFPKCS11_TOKEN_PATH")) { diff --git a/src/internal.c b/src/internal.c index 350c8440..94a69f9b 100644 --- a/src/internal.c +++ b/src/internal.c @@ -2648,8 +2648,10 @@ static void wp11_Object_Decode_Cert(WP11_Object* object) */ static void wp11_Object_Decode_Trust(WP11_Object* object) { - XMEMCPY((unsigned char*)&object->data.trust, object->keyData, - object->keyDataLen); + if (object->keyData != NULL) { + XMEMCPY((unsigned char*)&object->data.trust, object->keyData, + object->keyDataLen); + } object->encoded = 0; } #endif @@ -7880,10 +7882,10 @@ int WP11_Object_SetTrust(WP11_Object* object, unsigned char** data, { WP11_Trust* trust; - if (data[0] == NULL && len[0] != WC_SHA_DIGEST_SIZE) + if (data[0] == NULL || len[0] != WC_SHA_DIGEST_SIZE) return BAD_FUNC_ARG; - if (data[1] == NULL && len[1] != WC_MD5_DIGEST_SIZE) + if (data[1] == NULL || len[1] != WC_MD5_DIGEST_SIZE) return BAD_FUNC_ARG; if (object->onToken) diff --git a/tests/debug_test.c b/tests/debug_test.c index 4ca316a5..6c22dfa4 100644 --- a/tests/debug_test.c +++ b/tests/debug_test.c @@ -23,6 +23,7 @@ #include #include #include +#include #ifdef HAVE_CONFIG_H #include @@ -70,15 +71,19 @@ static int check_debug_output(void) return 0; } + errno = 0; stdout = original_stdout; rewind(capture_file); - while (fgets(buffer, sizeof(buffer), capture_file)) { - if (strstr(buffer, "WOLFPKCS11 ENTER:") || - strstr(buffer, "WOLFPKCS11 LEAVE:") || - strstr(buffer, "WOLFPKCS11:")) { - found_debug = 1; - break; + if (!errno) + { + while (fgets(buffer, sizeof(buffer), capture_file) != NULL) { + if (strstr(buffer, "WOLFPKCS11 ENTER:") || + strstr(buffer, "WOLFPKCS11 LEAVE:") || + strstr(buffer, "WOLFPKCS11:")) { + found_debug = 1; + break; + } } }