Add testing in CI

justsmth · Jun 17, 2024 · 998f256 · 998f256
1 parent b228a7d
commit 998f256
Show file tree

Hide file tree

Showing 7 changed files with 61 additions and 21 deletions.
diff --git a/BUILDING.md b/BUILDING.md
@@ -223,10 +223,14 @@ produces a new target, `run_minimal_tests` in place of `run_tests`.
 
 More information on this can be found in [INCORPORATING.md](/INCORPORATING.md).
 
-# Snapsafe detection
+# Snapsafe Detection
 
 AWS-LC supports Snapsafe-type uniqueness breaking event (ube) detection 
-using SysGenID (https://lkml.org/lkml/2021/3/8/677). The SysGenID interface 
-is not yet finalised and has little support. Therefore, we only use this 
-as a hardening mechanism and fail open. This behaviour is similar to how 
-fork detection works in AWS-LC.
+on Linux using SysGenID (https://lkml.org/lkml/2021/3/8/677). This mechanism 
+is used for security hardening. If a SysGenID interface is not found, then the 
+mechanism is ignored. 
+
+## Snapsafety Prerequisites
+
+Snapshots taken on active hosts can potentially be unsafe to use. 
+See "Snapshot Safety Prerequisites" here: https://lkml.org/lkml/2021/3/8/677
diff --git a/crypto/fipsmodule/rand/rand.c b/crypto/fipsmodule/rand/rand.c
@@ -34,9 +34,10 @@
 #include <openssl/type_check.h>
 
 #include "snapsafe_detect.h"
-#include "../../internal.h"
-#include "fork_detect.h"
 #include "internal.h"
+#include "fork_detect.h"
+#include "../../internal.h"
+#include "../delocate.h"
 
 
 // It's assumed that the operating system always has an unfailing source of
@@ -574,7 +575,9 @@ int RAND_priv_bytes(uint8_t *out, size_t out_len) {
   return RAND_bytes(out, out_len);
 }
 
-int RAND_pseudo_bytes(uint8_t *buf, size_t len) { return RAND_bytes(buf, len); }
+int RAND_pseudo_bytes(uint8_t *buf, size_t len) {
+  return RAND_bytes(buf, len);
+}
 
 void RAND_get_system_entropy_for_custom_prng(uint8_t *buf, size_t len) {
   if (len > 256) {

diff --git a/crypto/fipsmodule/rand/snapsafe_detect.c b/crypto/fipsmodule/rand/snapsafe_detect.c
@@ -5,7 +5,6 @@
 
 #include "snapsafe_detect.h"
 
-
 #if defined(OPENSSL_LINUX)
 #include "../delocate.h"
 #include <fcntl.h>
@@ -126,6 +125,16 @@ int CRYPTO_get_snapsafe_active(void) {
   return 0;
 }
 
+int CRYPTO_get_snapsafe_supported(void) {
+  CRYPTO_once(aws_snapsafe_init_bss_get(), do_aws_snapsafe_init);
+
+  if (*snapsafety_state_bss_get() == SNAPSAFETY_STATE_NOT_SUPPORTED) {
+    return 0;
+  }
+
+  return 1;
+}
+
 #else  // !defined(OPENSSL_LINUX)
 
 int CRYPTO_get_snapsafe_generation(uint32_t *snapsafe_generation_number) {
@@ -137,5 +146,9 @@ int CRYPTO_get_snapsafe_active(void) {
   return 0;
 }
 
+int CRYPTO_get_snapsafe_supported(void) {
+  return 0;
+}
+
 #endif  // defined(OPENSSL_LINUX)
 
diff --git a/crypto/fipsmodule/rand/snapsafe_detect.h b/crypto/fipsmodule/rand/snapsafe_detect.h
@@ -10,7 +10,7 @@
 extern "C" {
 #endif
 
-// Snapsafe-type uniqueness breaking event (ube detection.
+// Snapsafe-type uniqueness breaking event (ube detection).
 //
 // CRYPTO_get_snapsafe_generation provides the snapsafe generation number for the
 // current process. The snapsafe generation number is a non-zero, strictly-monotonic
@@ -24,13 +24,17 @@ extern "C" {
 //
 // |CRYPTO_get_snapsafe_generation| returns 0 only when the filesystem
 // presents SysGenID interface (typically `/dev/sysgenid`) but the library
-// is unable to initialize its use.  In all other cases, it returns 1.
+// is unable to initialize its use.  Otherwise, it returns 1.
 OPENSSL_EXPORT int CRYPTO_get_snapsafe_generation(uint32_t *snapsafe_generation_number);
 
 // CRYPTO_get_snapsafe_active returns 1 if the file system presents the SysGenID interface
-// and the libraruy has successfully initialized its use.
+// and the libraruy has successfully initialized its use. Otherwise, it returns 0.
 OPENSSL_EXPORT int CRYPTO_get_snapsafe_active(void);
 
+// CRYPTO_get_snapsafe_supported returns 1 if the file system presents the SysGenID
+// interface. Otherwise, it returns 0.
+OPENSSL_EXPORT int CRYPTO_get_snapsafe_supported(void);
+
 #ifdef __cplusplus
 }
 #endif

diff --git a/crypto/fipsmodule/rand/snapsafe_detect_test.cc b/crypto/fipsmodule/rand/snapsafe_detect_test.cc
@@ -9,7 +9,7 @@
 
 #if defined(OPENSSL_LINUX) && defined(AWSLC_SNAPSAFE_TESTING)
 #include <fcntl.h>
-#include <string.h>
+#include <cstring>
 #include <sys/mman.h>
 
 #define NUMBER_OF_TEST_VALUES 5
@@ -72,6 +72,7 @@ TEST(SnapsafeGenerationTest, SysGenIDretrievalTesting) {
     FAIL();
   }
 
+  ASSERT_TRUE(CRYPTO_get_snapsafe_supported());
   ASSERT_TRUE(CRYPTO_get_snapsafe_active());
 
   unsigned int current_snapsafe_gen_num = 0;
@@ -97,20 +98,21 @@ TEST(SnapsafeGenerationTest, SysGenIDretrievalTesting) {
 }
 #elif defined(OPENSSL_LINUX)
 TEST(SnapsafeGenerationTest, SysGenIDretrievalLinux) {
-  if(CRYPTO_get_snapsafe_active()) {
-    // If we're on a system possible where the SysGenId is available, we will
-    // assume that current sgn is not 0xffffffff
-    unsigned int current_snapsafe_gen_num = 0xffffffff;
-    ASSERT_TRUE(CRYPTO_get_snapsafe_generation(&current_snapsafe_gen_num));
+  unsigned int current_snapsafe_gen_num = 0xffffffff;
+  ASSERT_TRUE(CRYPTO_get_snapsafe_generation(&current_snapsafe_gen_num));
+  if(CRYPTO_get_snapsafe_supported()) {
+    ASSERT_TRUE(CRYPTO_get_snapsafe_active());
+    // If we're on a system possible where the SysGenId is available, we won't
+    // know what sgn value to expect, but we assume it's not 0xffffffff
     ASSERT_NE(0xffffffff, current_snapsafe_gen_num);
   } else {
-    unsigned int current_snapsafe_gen_num = 76;
-    ASSERT_TRUE(CRYPTO_get_snapsafe_generation(&current_snapsafe_gen_num));
+    ASSERT_FALSE(CRYPTO_get_snapsafe_active());
     ASSERT_EQ((unsigned int)0, current_snapsafe_gen_num);
   }
 }
 #else
 TEST(SnapsafeGenerationTest, SysGenIDretrievalNonLinux) {
+  ASSERT_FALSE(CRYPTO_get_snapsafe_supported());
   ASSERT_FALSE(CRYPTO_get_snapsafe_active());
   unsigned int current_snapsafe_gen_num = 0xffffffff;
   ASSERT_TRUE(CRYPTO_get_snapsafe_generation(&current_snapsafe_gen_num));

diff --git a/tests/ci/run_posix_tests.sh b/tests/ci/run_posix_tests.sh
@@ -39,7 +39,14 @@ fi
 
 # Lightly verify that uncommon build options does not break the build. Fist
 # define a list of typical build options to verify the special build option with
-build_options_to_test=("" "-DBUILD_SHARED_LIBS=1" "-DCMAKE_BUILD_TYPE=Release" "-DBUILD_SHARED_LIBS=1 -DCMAKE_BUILD_TYPE=Release")
+TEST_SYSGENID_PATH=$(mktemp)
+build_options_to_test=(
+    ""
+    "-DBUILD_SHARED_LIBS=1"
+    "-DCMAKE_BUILD_TYPE=Release"
+    "-DBUILD_SHARED_LIBS=1 -DCMAKE_BUILD_TYPE=Release"
+    "-DTEST_SYSGENID_PATH='${TEST_SYSGENID_PATH}'"
+  )
 
 ## Build option: MY_ASSEMBLER_IS_TOO_OLD_FOR_AVX
 for build_option in "${build_options_to_test[@]}"; do

diff --git a/util/all_tests.json b/util/all_tests.json
@@ -51,6 +51,13 @@
     "skip_valgrind": true,
     "target_arch": "x86"
   },
+  {
+    "comment": "Run snapsafe detection test suite with fork detection disabled and without Intel RDRAND",
+    "cmd": ["crypto/crypto_test", "--fork_unsafe_buffering", "--gtest_filter=SnapsafeGenerationTest.*"],
+    "env": ["OPENSSL_ia32cap=~0x4000000000000000"],
+    "skip_valgrind": true,
+    "target_arch": "x86"
+  },
   {
     "comment": "Potentially with RDRAND, but not Intel",
     "cmd": ["crypto/urandom_test"],