Merge branch 'release/0.14' into stable

.github/workflows/code-style.yaml

@@ -24,7 +24,7 @@ on:
       - stable
       - release/*
   schedule:
-    - cron: '0 6 * * *' # every day at 6:00 UTC
+    - cron: '20 6 * * 1' # every Monday at 6:20 UTC
 
 env:
   WITH_FATAL_WARNINGS: yes

.github/workflows/integration.yaml

@@ -26,7 +26,7 @@ on:
       - stable
       - release/*
   schedule:
-    - cron: '0 6 * * *' # every day at 6:00 UTC
+    - cron: '20 6 * * 1' # every Monday at 6:20 UTC
 
 env:
   WITH_FATAL_WARNINGS: yes
@@ -35,8 +35,6 @@ jobs:
   cross-language:
     name: Cross-language tests
     runs-on: ubuntu-latest
-    env:
-      GOTHEMIS_IMPORT: github.com/cossacklabs/themis/gothemis
     steps:
       - name: Install system dependencies
         run: |
@@ -47,6 +45,10 @@ jobs:
             python3 python3-setuptools \
             ruby ruby-dev \
             pkg-config clang
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          submodules: true
       - name: Install RVM
         run: |
           sudo apt install --yes software-properties-common
@@ -70,21 +72,14 @@ jobs:
           node-version: 10.x
       - name: Install Emscripten
         run: |
+          version=$(cat src/wrappers/themis/wasm/emscripten/VERSION)
           # Install Emscripten toolchain as described in documentation:
           # https://emscripten.org/docs/getting_started/downloads.html
           cd $HOME
           git clone https://github.com/emscripten-core/emsdk.git
           cd $HOME/emsdk
-          # FIXME(ilammy, 2020-07-07): unpin emsdk version [T1698]
-          # Latest HEAD has a regression, we roll back to last good version.
-          git checkout 92d512faa832b3ff5d6b8bc991b6801e31d8e372
-          # FIXME(ilammy, 2020-06-07): migrate to "upstream" flavor
-          # LLVM flavor of Emscripten has some issues compiling our code,
-          # and latest versions of the fastcomp flavor started giving out
-          # compiler warnings (turned into errors by the build system).
-          # We need to migrate, but for the time being use the old version.
-          ./emsdk install  1.39.16-fastcomp
-          ./emsdk activate 1.39.16-fastcomp
+          ./emsdk install  "$version"
+          ./emsdk activate "$version"
       - name: Install PHP from PPA
         run: |
           sudo apt install --yes software-properties-common
@@ -95,10 +90,6 @@ jobs:
           sudo update-alternatives --set php        /usr/bin/php7.2
           sudo update-alternatives --set php-config /usr/bin/php-config7.2
           sudo update-alternatives --set phpize     /usr/bin/phpize7.2
-      - name: Check out code
-        uses: actions/checkout@v2
-        with:
-          submodules: true
       - name: Install Themis Core
         run: |
           make
@@ -109,10 +100,8 @@ jobs:
         run: sudo make pythemis_install
       - name: Install RubyThemis
         run: sudo make rbthemis_install
-      - name: Install GoThemis
-        run: |
-          mkdir -p $HOME/go/src/$GOTHEMIS_IMPORT
-          rsync -auv gothemis/ $HOME/go/src/$GOTHEMIS_IMPORT
+      - name: Install GoThemis (test tools)
+        run: make gothemis_integration_tools
       # Cargo pulls in quite a few stuff from the Internet and Rust always
       # (slowly) recompiles dependencies, so make heavy use of caching
       - name: Cache Cargo registry

.github/workflows/test-core.yaml

@@ -23,7 +23,7 @@ on:
       - stable
       - release/*
   schedule:
-    - cron: '0 6 * * *' # every day at 6:00 UTC
+    - cron: '20 6 * * 1' # every Monday at 6:20 UTC
 
 env:
   WITH_FATAL_WARNINGS: yes
@@ -46,7 +46,7 @@ jobs:
         run: |
           if [[ "$(uname)" = "Darwin" ]]
           then
-            brew install cmake ninja openssl
+            brew install cmake ninja openssl@1.1 openssl@3
           else
             sudo sh -c 'echo "DEBIAN_FRONTEND=noninteractive" >> /etc/environment'
             sudo apt update
@@ -59,6 +59,18 @@ jobs:
       - name: Build Themis Core (OpenSSL)
         if: always()
         run: make prepare_tests_basic ENGINE=openssl BUILD_PATH=build-openssl
+      - name: Build Themis Core (OpenSSL 3.0)
+        # TODO: expand this to Linux systems when OpenSSL 3.0 system library is available there
+        if: ${{ matrix.os == 'macos-latest' }}
+        run: |
+          openssl3="$(brew --prefix openssl@3)"
+          export ENGINE=openssl
+          export ENGINE_INCLUDE_PATH="$openssl3/include"
+          export ENGINE_LIB_PATH="$openssl3/lib"
+          # TODO: stop using deprecated API so that warnings can be errors again
+          export WITH_EXPERIMENTAL_OPENSSL_3_SUPPORT=yes
+          export WITH_FATAL_WARNINGS=no
+          make prepare_tests_basic BUILD_PATH=build-openssl-3.0
       - name: Build Themis Core (BoringSSL)
         if: always()
         run: make prepare_tests_basic ENGINE=boringssl BUILD_PATH=build-boringssl
@@ -67,13 +79,39 @@ jobs:
         run: make prepare_tests_basic WITH_SCELL_COMPAT=yes BUILD_PATH=build-compat
       - name: Run test suite (OpenSSL)
         if: always()
-        run: make test BUILD_PATH=build-openssl
+        run: make test ENGINE=openssl BUILD_PATH=build-openssl
+      - name: Run test suite (OpenSSL 3.0)
+        if: ${{ matrix.os == 'macos-latest' }}
+        run: |
+          openssl3="$(brew --prefix openssl@3)"
+          export ENGINE=openssl
+          export ENGINE_INCLUDE_PATH="$openssl3/include"
+          export ENGINE_LIB_PATH="$openssl3/lib"
+          export WITH_EXPERIMENTAL_OPENSSL_3_SUPPORT=yes
+          export WITH_FATAL_WARNINGS=no
+          make test BUILD_PATH=build-openssl-3.0
       - name: Run test suite (BoringSSL)
         if: always()
-        run: make test BUILD_PATH=build-boringssl
+        run: make test ENGINE=boringssl BUILD_PATH=build-boringssl
       - name: Run test suite (WITH_SCELL_COMPAT)
         if: always()
-        run: make test BUILD_PATH=build-compat
+        run: make test WITH_SCELL_COMPAT=yes BUILD_PATH=build-compat
+      - name: Ensure OpenSSL 3.0 fails (macOS only)
+        if: ${{ matrix.os == 'macos-latest' }}
+        run: |
+          # Themis uses OpenSSL 1.1 by default if installed.
+          # Explicitly request OpenSSL 3.0 by pointing the build into OpenSSL 3.0's paths.
+          openssl3=$(brew --prefix openssl@3)
+          export ENGINE=openssl
+          export ENGINE_INCLUDE_PATH="$openssl3/include"
+          export ENGINE_LIB_PATH="$openssl3/lib"
+          if ! make BUILD_PATH=build-openssl-3.0-without-magic-word
+          then
+            true
+          else
+            echo "Build with OpenSSL 3.0 did not fail when it should have"
+            exit 1
+          fi
 
   examples:
     name: Code examples
@@ -185,12 +223,20 @@ jobs:
       - name: Benchmark Secure Cell (master key)
         run: |
           cd benches/themis
-          cargo bench -- 'Secure Cell .* master key/4 KB'
+          cargo bench -- '^Secure Cell .* master key/4 KB'
       - name: Benchmark Secure Cell (passphrase)
         run: |
           cd benches/themis
           # These are awfully slow due to KDF
-          cargo bench -- 'Secure Cell .* passphrase/4 KB' --sample-size 10
+          cargo bench -- '^Secure Cell .* passphrase/4 KB' --sample-size 10
+      - name: Benchmark Secure Message (RSA)
+        run: |
+          cd benches/themis
+          cargo bench -- '^Secure Message .* - RSA/4 KB'
+      - name: Benchmark Secure Message (ECDSA)
+        run: |
+          cd benches/themis
+          cargo bench -- '^Secure Message .* - ECDSA/4 KB'
       - name: Upload benchmark report
         uses: actions/upload-artifact@v1
         with:
@@ -199,14 +245,7 @@ jobs:
 
   fuzzing:
     name: AFL fuzzing
-    # TODO(ilammy, 2021-01-28): use "ubuntu-latest" once it works
-    # Currently "ubuntu-latest" means "ubuntu-18.04" but for some inexplicable
-    # reasons GitHub runners in the main repo treat it as "ubuntu-20.04" which
-    # does not seem to work yet (for this job). Pin the Ubuntu 18.04 version
-    # for now, but don't forget to update this once "ubuntu-latest" changes
-    # its meaning or starts working for this job.
-    # See: https://docs.github.com/en/actions/reference/specifications-for-github-hosted-runners
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-20.04
     env:
       FUZZ_TIMEOUT: 30s
       THEMIS_DEFAULT_PBKDF2_ITERATIONS: 10
@@ -296,7 +335,7 @@ jobs:
         run: |
           sudo sh -c 'echo "DEBIAN_FRONTEND=noninteractive" >> /etc/environment'
           sudo apt update
-          sudo apt install --yes gcc make libssl-dev valgrind
+          sudo apt install --yes gcc make libssl-dev valgrind ninja-build
       - name: Check out code
         uses: actions/checkout@v2
         with:
@@ -325,3 +364,110 @@ jobs:
             /ERROR SUMMARY|(definitely|indirectly|possibly) lost/ { sum += $4 }
             END { if (sum > 0) { exit 1 } }
           ' valgrind-report.txt
+
+  coverage:
+    name: Unit test coverage
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install system dependencies
+        run: |
+          sudo sh -c 'echo "DEBIAN_FRONTEND=noninteractive" >> /etc/environment'
+          sudo apt update
+          sudo apt install --yes gcc make libssl-dev lcov
+      - name: Check out code
+        uses: actions/checkout@v2
+      - name: Build Themis Core
+        run: make prepare_tests_basic COVERAGE=y
+      - name: Reset lcov counters
+        run: lcov --directory . --zerocounters
+      - name: Run test suite
+        run: make test COVERAGE=y
+      - name: Prepare lcov data
+        run: |
+          lcov --output-file coverage.info --directory . --capture
+          # Do not include tests themselves as well as system headers
+          lcov --output-file coverage.info --remove coverage.info '*/tests/*' '/usr/*'
+          lcov --list coverage.info
+      - name: Submit results to Coveralls
+        uses: coverallsapp/github-action@master
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          path-to-lcov: ./coverage.info
+
+  msys2:
+    name: MSYS2 environment
+    runs-on: windows-latest
+    env:
+      SOTER_KDF_RUN_LONG_TESTS: yes
+    defaults:
+      run:
+        shell: msys2 {0}
+    steps:
+      - name: Install MSYS2
+        uses: msys2/setup-msys2@v2
+        with:
+          install: >-
+            base-devel tar git gcc make
+            libopenssl>=1.1.1
+            openssl-devel>=1.1.1
+            mingw-w64-x86_64-nsis
+      # Git, I know you're only trying to help, but MSYS can work with
+      # UNIX line endings just fine. In fact, "makepkg" *requires* them.
+      # So don't be smart: just fetch the files as they are.
+      - name: Use UNIX line endings
+        shell: bash
+        run: git config --global core.autocrlf input
+      - name: Check out code
+        uses: actions/checkout@v2
+      # TODO: if there are users of the BoringSSL flavor on Windows,
+      # we should be testing that one as well
+      - name: Build Themis Core
+        run: make prepare_tests_basic
+      - name: Run test suite
+        run: make test
+      # TODO: it would be nice to test the installer too
+      - name: Build Themis installer
+        run: make nsis_installer
+      - name: Build Themis packages
+        run: makepkg -p PKGBUILD.MSYS2
+      - name: Install Themis packages
+        run: pacman -U --noconfirm themis-*.pkg.*
+      - name: Try building examples
+        run: |
+          cd $GITHUB_WORKSPACE/docs/examples/c/session_buffer_test
+          echo "Secure Session: buffer interface"
+          cc -o session_buffer_test session_buffer_test.c -lthemis
+          ./session_buffer_test
+
+          cd $GITHUB_WORKSPACE/docs/examples/c/ssession_test
+          echo "Secure Session: socket interface"
+          cc -o session_test client.c server.c session_test.c -lthemis -pthread
+          ./session_test
+
+  macos-cross-compile:
+    name: macOS cross toolchain
+    runs-on: macos-10.15
+    steps:
+      - name: Install system dependencies
+        run: |
+          brew install cmake ninja
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          submodules: true
+      # We can't test OpenSSL builds since this requires OpenSSL libraries
+      # built for the target architecture (and Homebrew doesn't have any).
+      #
+      # GitHub's virtual environemnts can change the default version of Xcode
+      # and that changes the available SDKs. Check the combinations here:
+      # https://github.com/actions/virtual-environments/blob/main/images/macos/macos-10.15-Readme.md#xcode
+      - name: Build Themis Core (BoringSSL, arm64)
+        run: make SDK=macosx11.1 ARCH=arm64 ENGINE=boringssl
+      # Of course we can't run unit tests either because there is no emulator.
+      # So I will be satisifed to see the build succeed and produce binaries
+      # with expected architecture.
+      - name: Check binary architecture
+        run: |
+          set -x
+          test $(lipo -archs build/libsoter.0.dylib) = arm64
+          test $(lipo -archs build/libthemis.0.dylib) = arm64

.github/workflows/test-cpp.yaml

@@ -20,7 +20,7 @@ on:
       - stable
       - release/*
   schedule:
-    - cron: '0 6 * * *' # every day at 6:00 UTC
+    - cron: '20 6 * * 1' # every Monday at 6:20 UTC
 
 env:
   WITH_FATAL_WARNINGS: yes