Merge pull request #454 from aidangarske/add-ci-sanitizers

dgarske · web-flow · commit 529e02bd502b · 2026-02-16T12:28:13.000-08:00
Upgrade wolfTPM CI testing
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
@@ -0,0 +1,26 @@
+name: Codespell
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  codespell:
+    name: Check spelling
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Checkout wolfTPM
+        uses: actions/checkout@v4
+
+      - name: Run codespell
+        uses: codespell-project/actions-codespell@v2
+        with:
+          skip: .git,./IDE,./certs,./m4,*.der,*.pem
+          ignore_words_list: inh,inout,keypair,nd,parm,rcv,ser,loadIn,importIn,certifyIn,bu,fo
diff --git a/.github/workflows/multi-compiler.yml b/.github/workflows/multi-compiler.yml
@@ -0,0 +1,99 @@
+name: Multiple Compilers
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build_wolfssl:
+    name: Build wolfSSL
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Checkout wolfSSL
+        uses: actions/checkout@v4
+        with:
+          repository: wolfssl/wolfssl
+          path: wolfssl
+
+      - name: Build wolfSSL
+        working-directory: ./wolfssl
+        run: |
+          ./autogen.sh
+          ./configure --enable-wolftpm --enable-pkcallbacks
+          make -j$(nproc)
+          sudo make install
+          sudo ldconfig
+
+      - name: tar build-dir
+        run: tar -zcf wolfssl-install.tgz /usr/local/lib/libwolfssl* /usr/local/include/wolfssl
+
+      - name: Upload built lib
+        uses: actions/upload-artifact@v4
+        with:
+          name: wolfssl-multi-compiler
+          path: wolfssl-install.tgz
+          retention-days: 5
+
+  compiler_test:
+    name: ${{ matrix.cc }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    needs: build_wolfssl
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - cc: gcc-11
+            cxx: g++-11
+          - cc: gcc-12
+            cxx: g++-12
+          - cc: gcc-13
+            cxx: g++-13
+          - cc: clang-14
+            cxx: clang++-14
+          - cc: clang-15
+            cxx: clang++-15
+          - cc: clang-17
+            cxx: clang++-17
+
+    steps:
+      - name: Install compiler
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y ${{ matrix.cc }}
+
+      - name: Checkout wolfTPM
+        uses: actions/checkout@v4
+
+      - name: Download wolfSSL
+        uses: actions/download-artifact@v4
+        with:
+          name: wolfssl-multi-compiler
+
+      - name: Install wolfSSL
+        run: |
+          sudo tar -xzf wolfssl-install.tgz -C /
+          sudo ldconfig
+
+      - name: Build wolfTPM with ${{ matrix.cc }}
+        env:
+          CC: ${{ matrix.cc }}
+          CXX: ${{ matrix.cxx }}
+        run: |
+          ./autogen.sh
+          ./configure CFLAGS="-Wall -Wextra -Wpedantic"
+          make -j$(nproc)
+
+      - name: Make dist
+        run: make dist
+
+      - name: Show log on errors
+        if: failure()
+        run: cat config.log
diff --git a/.github/workflows/sanitizer.yml b/.github/workflows/sanitizer.yml
@@ -0,0 +1,112 @@
+name: Sanitizer Tests
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build_wolfssl:
+    name: Build wolfSSL
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Checkout wolfSSL
+        uses: actions/checkout@v4
+        with:
+          repository: wolfssl/wolfssl
+          path: wolfssl
+
+      - name: Build wolfSSL
+        working-directory: ./wolfssl
+        run: |
+          ./autogen.sh
+          ./configure --enable-wolftpm --enable-pkcallbacks
+          make -j$(nproc)
+          sudo make install
+          sudo ldconfig
+
+      - name: tar build-dir
+        run: tar -zcf wolfssl-install.tgz /usr/local/lib/libwolfssl* /usr/local/include/wolfssl
+
+      - name: Upload built lib
+        uses: actions/upload-artifact@v4
+        with:
+          name: wolfssl-install
+          path: wolfssl-install.tgz
+          retention-days: 5
+
+  sanitizer_test:
+    name: ${{ matrix.name }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    needs: build_wolfssl
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - name: "ASan"
+            cflags: "-fsanitize=address -fno-omit-frame-pointer -g -O1"
+            ldflags: "-fsanitize=address"
+          - name: "UBSan"
+            cflags: "-fsanitize=undefined -fno-sanitize-recover=all -fno-omit-frame-pointer -g"
+            ldflags: "-fsanitize=undefined"
+          - name: "LeakSan"
+            cflags: "-fsanitize=leak -fno-omit-frame-pointer -g"
+            ldflags: "-fsanitize=leak"
+
+    steps:
+      - name: Workaround high-entropy ASLR
+        run: sudo sysctl vm.mmap_rnd_bits=28
+
+      - name: Checkout wolfTPM
+        uses: actions/checkout@v4
+
+      - name: Download wolfSSL
+        uses: actions/download-artifact@v4
+        with:
+          name: wolfssl-install
+
+      - name: Install wolfSSL
+        run: |
+          sudo tar -xzf wolfssl-install.tgz -C /
+          sudo ldconfig
+
+      - name: Setup ibmswtpm2
+        uses: actions/checkout@v4
+        with:
+          repository: kgoldman/ibmswtpm2
+          path: ibmswtpm2
+
+      - name: Build and start TPM simulator
+        working-directory: ./ibmswtpm2/src
+        run: |
+          make -j$(nproc)
+          ./tpm_server &
+          sleep 2
+
+      - name: Build wolfTPM with ${{ matrix.name }}
+        run: |
+          ./autogen.sh
+          ./configure --enable-swtpm \
+            CFLAGS="${{ matrix.cflags }}" LDFLAGS="${{ matrix.ldflags }}"
+          make -j$(nproc)
+
+      - name: Run tests
+        run: make check
+
+      - name: Upload failure logs
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: wolftpm-${{ matrix.name }}-logs
+          path: |
+            run.out
+            test-suite.log
+            config.log
+          retention-days: 5
diff --git a/README.md b/README.md
@@ -936,7 +936,7 @@ Firmware update: LMS format required
 
 ## Device Identity and Attestation Keys
 
-The TCG published a specification for TPM manufacture guidance on setting up keys that can be used for device identiy and attestation.
+The TCG published a specification for TPM manufacture guidance on setting up keys that can be used for device identity and attestation.
 
 This feature has been tested with the ST33KTPM and is enabled with `WOLFTPM_MFG_IDENTITY`. The ST33KTPM samples are provisioned with a default master password enabled with `TEST_SAMPLE`. To define your own master password use `TPM2_IAK_SAMPLE_MASTER_PASSWORD`. The master password is hashed along with the device serial number to produce authentication for accessing these keys.
 
@@ -946,7 +946,7 @@ The default keys are ECDSA SECP384R1 with SHA2-384 and stored in NV Index define
 ### TPM Endorsement Key Certificates
 
 The TCG EK Credential Profile defines how manufacturers provision endorsement certificates in the TCG NV index range (see TPM_20_TCG_NV_SPACE).
-The `get_ek_certs` example shows how to retrieve those EK cerificates, validate them and create a primary EK handle for signing.
+The `get_ek_certs` example shows how to retrieve those EK certificates, validate them and create a primary EK handle for signing.
 See `./examples/endorsement/get_ek_certs`.
 
 
diff --git a/configure.ac b/configure.ac
@@ -555,7 +555,7 @@ for option in $OPTION_FLAGS; do
             continue
         fi
 
-        # allow user to igonore system options
+        # allow user to ignore system options
         ignoresys=no
         if [[[ $noequalsign == _* ]]] ;
         then
diff --git a/docs/Doxyfile b/docs/Doxyfile
@@ -794,7 +794,7 @@ CITE_BIB_FILES         =
 # messages are off.
 # The default value is: NO.
 
-# TODO set to YES for upsteaming
+# TODO set to YES for upstreaming
 QUIET                  = NO
 
 # The WARNINGS tag can be used to turn on/off the warning messages that are
diff --git a/examples/attestation/README.md b/examples/attestation/README.md
@@ -104,7 +104,7 @@ The transfer of the challenge response containing the secret in plain (or used a
 
 The certify example shows how to use the `TPM2_Certify` API to sign the attestation info for another key. This can be used to prove that an object with a specific name is loaded into the TPM. A common example of this is using the restricted IAK to sign the attestation information for the IDevID.
 
-The create_primary example support creating RSA or ECC initial device identity (IDevID) and attestation identity (IAK) keys. These are created under the endorsement hierarchy and follow the "TPM 2.0 Keys for Device Identity and Attestation" TCG specification for setting up the primary key policies. Figures 10 and 11 fom this specification shows the IAK/IDevID policy.
+The create_primary example support creating RSA or ECC initial device identity (IDevID) and attestation identity (IAK) keys. These are created under the endorsement hierarchy and follow the "TPM 2.0 Keys for Device Identity and Attestation" TCG specification for setting up the primary key policies. Figures 10 and 11 from this specification shows the IAK/IDevID policy.
 
 ![Figure 10: Example IDevID Key Delegation Policy](tpm_idevid_policy.png)
 
diff --git a/examples/endorsement/README.md b/examples/endorsement/README.md
@@ -17,7 +17,7 @@ We have loaded some of the root and intermediate CA's into the trusted_certs.h f
 7) The URI for the CA issuer certificate can be obtained in `extAuthInfoCaIssuer`.
 8) Import the certificate public key and compare it against the primary EK public unique area.
 9) Use the wolfSSL Certificate Manager to validate the EK certificate. Trusted certificates are loaded using `wolfSSL_CertManagerLoadCABuffer` and the EK certificate is validated using `wolfSSL_CertManagerVerifyBuffer`.
-10) Optionally covert to PEM and export using `wc_DerToPem`.
+10) Optionally convert to PEM and export using `wc_DerToPem`.
 
 ## Example certificate chains
 
diff --git a/examples/firmware/ifx_fw_extract.c b/examples/firmware/ifx_fw_extract.c
@@ -36,7 +36,7 @@
 #include <unistd.h>
 #include <stdint.h>
 
-/* Endianess helpers */
+/* Endianness helpers */
 #if defined(__MACH__) || defined(__APPLE__)
     #include <machine/endian.h>
     #include <libkern/OSByteOrder.h>
diff --git a/examples/gpio/gpio_config.c b/examples/gpio/gpio_config.c
@@ -242,7 +242,7 @@ int TPM2_GPIO_Config_Example(void* userCtx, int argc, char *argv[])
     rc = wolfTPM2_NVCreateAuth(&dev, &parent, &nv, nvIndex, nvAttributes,
                                sizeof(BYTE), (byte*)gNvAuth, sizeof(gNvAuth)-1);
     if (rc != 0 && rc != TPM_RC_NV_DEFINED) {
-        printf("Creating NV Index for GPIO acccess failed\n");
+        printf("Creating NV Index for GPIO access failed\n");
         goto exit;
     }
     wolfTPM2_SetAuthHandle(&dev, 0, &nv.handle);
diff --git a/examples/management/flush.c b/examples/management/flush.c
@@ -19,7 +19,7 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
-/* This is a helper tool for reseting the value of a TPM2.0 PCR */
+/* This is a helper tool for resetting the value of a TPM2.0 PCR */
 
 #ifdef HAVE_CONFIG_H
     #include <config.h>
diff --git a/examples/nvram/read.c b/examples/nvram/read.c
@@ -52,7 +52,7 @@ static void usage(void)
     printf("Expected usage:\n");
     printf("./examples/nvram/read [-nvindex] [-priv] [-pub] [-aes/-xor] [-delete]\n");
     printf("* -nvindex=[handle] (default 0x%x)\n", TPM2_DEMO_NVRAM_STORE_INDEX);
-    printf("* -priv: Read ony the private part\n");
+    printf("* -priv: Read only the private part\n");
     printf("* -pub: Read only the public part\n");
     printf("* -aes/xor: Use Parameter Encryption\n");
     printf("* -endorsement/platform/owner: Auth hierarchy\n");
diff --git a/examples/pcr/reset.c b/examples/pcr/reset.c
@@ -19,7 +19,7 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
-/* This is a helper tool for reseting the value of a TPM2.0 PCR */
+/* This is a helper tool for resetting the value of a TPM2.0 PCR */
 
 #ifdef HAVE_CONFIG_H
     #include <config.h>
diff --git a/examples/timestamp/clock_set.c b/examples/timestamp/clock_set.c
@@ -43,7 +43,7 @@ static void usage(void)
 {
     printf("Expected usage:\n");
     printf("./examples/timestamp/clock_set [time]\n");
-    printf("* time is a value in miliseconds used as increment (optional)\n");
+    printf("* time is a value in milliseconds used as increment (optional)\n");
     printf("* Default time value is 50000 ms (50 seconds)\n");
     printf("\tThe TPM clock can be set only forward.\n");
     printf("\tThe TPM clock can be set only forward.\n");
diff --git a/examples/tls/tls_client.c b/examples/tls/tls_client.c
@@ -63,7 +63,7 @@
  * Result is: ./certs/client-rsa-cert.pem and ./certs/client-ecc-cert.pem
  *
  * This example client connects to localhost on on port 11111 by default.
- * These can be overriden using `TLS_HOST` and `TLS_PORT`.
+ * These can be overridden using `TLS_HOST` and `TLS_PORT`.
  *
  * By default this example will load RSA keys unless RSA is disabled (NO_RSA)
  * or the TLS_USE_ECC build option is used.
diff --git a/examples/tls/tls_client_notpm.c b/examples/tls/tls_client_notpm.c
@@ -52,7 +52,7 @@
 
 /*
  * This example client connects to localhost on on port 11111 by default.
- * These can be overriden using `TLS_HOST` and `TLS_PORT`.
+ * These can be overridden using `TLS_HOST` and `TLS_PORT`.
  *
  * You can validate using the wolfSSL example server this like:
  *   ./examples/server/server -b -p 11111 -g
diff --git a/examples/tpm_test.h b/examples/tpm_test.h
@@ -366,7 +366,7 @@ static const byte kEccKeyPrivDer[] = {
 
 /* [P-256,SHA-1] vector from FIPS 186-3 NIST vectors */
 static const byte kEccTestMsg[] =   {
-    /* Test messsage */
+    /* Test message */
     0xa3, 0xf9, 0x1a, 0xe2, 0x1b, 0xa6, 0xb3, 0x03, 0x98, 0x64, 0x47,
     0x2f, 0x18, 0x41, 0x44, 0xc6, 0xaf, 0x62, 0xcd, 0x0e
 };
diff --git a/examples/wrap/wrap_test.c b/examples/wrap/wrap_test.c
@@ -282,7 +282,7 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
         wolfTPM2_UnloadHandle(&dev, &testKey.handle);
     }
     else if (WOLFTPM_IS_COMMAND_UNAVAILABLE(rc)) {
-        printf("CreateLoadedKey: Feature is not suppored on this hardware\n");
+        printf("CreateLoadedKey: Feature is not supported on this hardware\n");
     }
     else {
         goto exit;
diff --git a/hal/tpm_io_espressif.c b/hal/tpm_io_espressif.c
@@ -566,7 +566,7 @@ static int esp_spi_master_init(void)
     return 0;
 }
 
-/* Aquire SPI bus and keep pulling CS */
+/* Acquire SPI bus and keep pulling CS */
 static int tpm_spi_acquire(void)
 {
     int ret;
diff --git a/pre-commit.sh b/pre-commit.sh
diff --git a/scripts/swtpm_sim.test b/scripts/swtpm_sim.test
diff --git a/src/tpm2_param_enc.c b/src/tpm2_param_enc.c
diff --git a/src/tpm2_swtpm.c b/src/tpm2_swtpm.c
diff --git a/wolftpm/tpm2_packet.h b/wolftpm/tpm2_packet.h
diff --git a/wolftpm/tpm2_types.h b/wolftpm/tpm2_types.h

Original file line number	Diff line number	Diff line change
`@@ -242,7 +242,7 @@ int TPM2_GPIO_Config_Example(void* userCtx, int argc, char *argv[])`
`242`	`242`	`rc = wolfTPM2_NVCreateAuth(&dev, &parent, &nv, nvIndex, nvAttributes,`
`243`	`243`	`sizeof(BYTE), (byte*)gNvAuth, sizeof(gNvAuth)-1);`
`244`	`244`	`if (rc != 0 && rc != TPM_RC_NV_DEFINED) {`
`245`		`- printf("Creating NV Index for GPIO acccess failed\n");`
	`245`	`+ printf("Creating NV Index for GPIO access failed\n");`
`246`	`246`	`goto exit;`
`247`	`247`	`}`
`248`	`248`	`wolfTPM2_SetAuthHandle(&dev, 0, &nv.handle);`