diff --git a/.github/workflows/infer.yml b/.github/workflows/infer.yml
new file mode 100644
index 00000000..a0247172
--- /dev/null
+++ b/.github/workflows/infer.yml
@@ -0,0 +1,90 @@
+name: Facebook Infer static analysis
+
+on:
+ workflow_call:
+ inputs:
+ os:
+ required: true
+ type: string
+ jdk_distro:
+ required: true
+ type: string
+ jdk_version:
+ required: true
+ type: string
+ wolfssl_configure:
+ required: true
+ type: string
+
+jobs:
+ build_wolfssljni:
+ runs-on: ${{ inputs.os }}
+ steps:
+ - uses: actions/checkout@v4
+
+ # Download Facebook Infer
+ - name: Download Infer
+ run: wget https://github.com/facebook/infer/releases/download/v1.1.0/infer-linux64-v1.1.0.tar.xz
+ - name: Extract Infer
+ run: tar -xvf infer-linux64-v1.1.0.tar.xz
+ - name: Symlink Infer
+ run: ln -s "$GITHUB_WORKSPACE/infer-linux64-v1.1.0/bin/infer" /usr/local/bin/infer
+ - name: Test Infer get version
+ run: infer --version
+
+ # Download Junit JARs
+ - name: Download junit-4.13.2.jar
+ run: wget --directory-prefix=$GITHUB_WORKSPACE/junit https://repo1.maven.org/maven2/junit/junit/4.13.2/junit-4.13.2.jar
+ - name: Download hamcrest-all-1.3.jar
+ run: wget --directory-prefix=$GITHUB_WORKSPACE/junit https://repo1.maven.org/maven2/org/hamcrest/hamcrest-all/1.3/hamcrest-all-1.3.jar
+
+ # Build native wolfSSL
+ - name: Build native wolfSSL
+ uses: wolfSSL/actions-build-autotools-project@v1
+ with:
+ repository: wolfSSL/wolfssl
+ ref: master
+ path: wolfssl
+ configure: ${{ inputs.wolfssl_configure }}
+ check: false
+ install: true
+
+ # Setup Java
+ - name: Setup java
+ uses: actions/setup-java@v4
+ with:
+ distribution: ${{ inputs.jdk_distro }}
+ java-version: ${{ inputs.jdk_version }}
+
+ - name: Set JUNIT_HOME
+ run: |
+ echo "JUNIT_HOME=$GITHUB_WORKSPACE/junit" >> "$GITHUB_ENV"
+ - name: Set LD_LIBRARY_PATH
+ run: |
+ echo "LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib" >> "$GITHUB_ENV"
+
+ # Build wolfssljni JNI library (libwolfssljni.so)
+ - name: Build JNI library
+ run: ./java.sh $GITHUB_WORKSPACE/build-dir
+
+ # Build wolfssljni JAR (wolfssljni.jar)
+ - name: Build JAR (ant)
+ run: ant
+
+ # Run ant tests
+ - name: Run
Java tests (ant test) + run: ant test + + - name: Show logs on failure + if: failure() || cancelled() + run: | + cat build/reports/*.txt + + # Run Facebook Infer + - name: Run Facebook Infer + run: ./scripts/infer.sh + + - name: Shows Infer report on failure + if: failure() + run: cat infer-out/report.txt + diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 53fb8dd8..983837d0 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -98,3 +98,21 @@ jobs: jdk_distro: "zulu" jdk_version: ${{ matrix.jdk_version }} wolfssl_configure: ${{ matrix.wolfssl_configure }} + + # ------------------ Facebook Infer static analysis ------------------- + # Run Facebook infer over PR code, only running on Linux with one + # JDK/version for now. + fb-infer: + strategy: + matrix: + os: [ 'ubuntu-latest' ] + jdk_version: [ '11' ] + wolfssl_configure: [ '--enable-jni --enable-all' ] + name: Facebook Infer (${{ matrix.os }} Zulu JDK ${{ matrix.jdk_version }}, ${{ matrix.wolfssl_configure }}) + uses: ./.github/workflows/infer.yml + with: + os: ${{ matrix.os }} + jdk_distro: "zulu" + jdk_version: ${{ matrix.jdk_version }} + wolfssl_configure: ${{ matrix.wolfssl_configure }} + diff --git a/scripts/infer.sh b/scripts/infer.sh index 46b3975f..c11057fd 100755 --- a/scripts/infer.sh +++ b/scripts/infer.sh @@ -13,10 +13,26 @@ # $ cd wolfssljni # $ ./scripts/infer.sh # -# wolfSSL Inc, May 2023 +# By default the generated output and logs from Infer will be deleted. To keep +# them, pass 'keep' to the script: # +# $ ./scripts/infer.sh keep +# +# wolfSSL Inc, April 2024 +# +# + +# These variables may be overridden on the command line. +KEEP="${KEEP:-no}" -infer run -- javac \ +while [ "$1" ]; do + if [ "$1" = 'keep' ]; then + KEEP='yes'; + fi + shift +done + +infer --fail-on-issue run -- javac \ src/java/com/wolfssl/WolfSSL.java \ src/java/com/wolfssl/WolfSSLALPNSelectCallback.java \ src/java/com/wolfssl/WolfSSLCertManager.java \ 
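Review bot: The three `wget` steps in infer.yml (the Infer release tarball, junit-4.13.2.jar and hamcrest-all-1.3.jar) are followed by `tar -xvf` and the build with no integrity check, so the job runs or links whatever the server returned. Pin a digest for each artifact and verify it right after the download, e.g. `echo "<SHA256_OF_INFER_TARBALL>  infer-linux64-v1.1.0.tar.xz" | sha256sum -c -`. The other build inputs are referenced by mutable names as well: `ref: master` for wolfSSL and the `@v4`/`@v1` action tags can change underneath the workflow, and a full commit SHA is the safer pin. The file also declares no `permissions:` block; a top-level `permissions:` with `contents: read` would keep the token read-only for a job that only analyses code.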
@@ -78,9 +94,18 @@ infer run -- javac \ src/java/com/wolfssl/provider/jsse/WolfSSLX509X.java \ src/java/com/wolfssl/provider/jsse/adapter/WolfSSLJDK8Helper.java +RETVAL=$? + # remove compiled class files rm -r ./com # remove infer out directory (comment this out to inspect logs if needed) -rm -r ./infer-out +if [ "$RETVAL" == '0' ] && [ "$KEEP" == 'no' ]; then + rm -r ./infer-out +fi + +if [ "$RETVAL" == '2' ]; then + # GitHub Actions expects return of 1 to mark step as failure + exit 1 +fi diff --git a/src/java/com/wolfssl/provider/jsse/WolfSSLEngineHelper.java b/src/java/com/wolfssl/provider/jsse/WolfSSLEngineHelper.java index 257eec22..497cac08 100644 --- a/src/java/com/wolfssl/provider/jsse/WolfSSLEngineHelper.java +++ b/src/java/com/wolfssl/provider/jsse/WolfSSLEngineHelper.java @@ -204,6 +204,11 @@ private String GetKeyAndCertChainAlias(X509KeyManager km, Socket sock, return null; } + /* If javaVersion is null, set to empty string */ + if (javaVersion == null) { + javaVersion = ""; + } + /* We only load keys from algorithms enabled in native wolfSSL, * and in the priority order of ECC first, then RSA. JDK 1.7.0_201 * and 1.7.0_171 have a bug that causes PrivateKey.getEncoded() to
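Review bot: Only exit status 2 from `infer --fail-on-issue` is turned into a failure by the last `if`; any other non-zero status (for example Infer not being found, or the wrapped `javac` failing) falls through, and because an `if` whose condition is false leaves status 0, the script reports success and the CI step passes without an analysis having completed. Failing closed is one line: `if [ "$RETVAL" -ne 0 ]; then exit 1; fi`. The tests also use `==` inside `[ ]`, which is a bash extension, while the argument loop added earlier in this commit uses `=`; the shebang is outside the hunk, so if the script runs under a POSIX `sh` the `==` form errors and both branches are skipped, whereas `=` works in either shell. The start of the script is outside this hunk.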
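Review bot: The comment on the new null guard restates the assignment but not its consequence: with `javaVersion` set to `""`, the JDK-version checks described in the comment that follows (1.7.0_201 / 1.7.0_171) presumably never match, so a JVM whose version is unknown silently takes the default path. Saying so makes the fallback a visible decision, e.g. `/* Java version unavailable: use "" so the version checks below see no match instead of dereferencing null */`. The declaration of `javaVersion` is outside the hunk; if it is a field rather than a local, this method now rewrites shared state and a local copy would be cleaner. GetKeyAndCertChainAlias starts and ends outside the hunk.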