Merge branch 'master' into add-debug-allocations

.github/python_matcher.json

@@ -0,0 +1,42 @@
+{
+    "problemMatcher": [
+        {
+            "owner": "yapf-diff",
+            "pattern": [
+                {
+                    "regexp": "^[+-]{3}\\s*([^\\s]*)\\s*\\((original|reformatted)\\)$",
+                    "file": 1
+                },
+                {
+                    "regexp": "^@@\\s*-(\\d+),(\\d+)\\s*\\+(\\d+),(\\d+)\\s*@@$",
+                    "line": 1,
+                    "column": 2
+                },
+                {
+                    "regexp": "^(\\s|\\+[^+]|\\-[^-]).*$",
+                    "loop": true,
+                    "message": 1
+                }
+            ]
+        },
+        {
+            "owner": "pylint",
+            "pattern": [
+                {
+                    "regexp": "^PYLINT:(.*)/.*$",
+                    "fromPath": 1
+                },
+                {
+                    "regexp": "^\\*{13}\\s*Module\\s+(.*)$",
+                    "file": 1
+                },
+                {
+                    "regexp": "^([CEFIRW]\\d{4}):\\s*(\\d+)\\s*:\\s*(.*)$",
+                    "code": 1,
+                    "line": 2,
+                    "message": 3
+                }
+            ]
+        }
+    ]
+}

.github/workflows/cargo_audit.yml

@@ -2,16 +2,16 @@ name: Security audit
 on:
   schedule:
     - cron: '0 0 * * *'
+
 jobs:
   audit:
     runs-on: ubuntu-18.04
+    if: env.GITHUB_HEAD_REF == 0
     steps:
       - uses: actions/checkout@v2
       - uses: actions-rs/toolchain@v1
         with:
-          toolchain: nightly
           target: thumbv7em-none-eabi
-          override: true
       - uses: actions/setup-python@v1
         with:
           python-version: 3.7

.github/workflows/cargo_check.yml

@@ -19,9 +19,7 @@ jobs:
       - uses: actions/checkout@v2
       - uses: actions-rs/toolchain@v1
         with:
-          toolchain: nightly
           target: thumbv7em-none-eabi
-          override: true
       - uses: actions/setup-python@v1
         with:
           python-version: 3.7

.github/workflows/cargo_fmt.yml

@@ -19,9 +19,7 @@ jobs:
       - uses: actions/checkout@v2
       - uses: actions-rs/toolchain@v1
         with:
-          toolchain: nightly
           target: thumbv7em-none-eabi
-          override: true
       - uses: actions/setup-python@v1
         with:
           python-version: 3.7

.github/workflows/cbor_test.yml

@@ -0,0 +1,36 @@
+---
+name: CBOR tests
+on:
+  push:
+    paths:
+      - 'libraries/cbor/**/*'
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+jobs:
+  cbor_test:
+    runs-on: ubuntu-18.04
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions-rs/toolchain@v1
+        with:
+          target: thumbv7em-none-eabi
+      - uses: actions/setup-python@v1
+        with:
+          python-version: 3.7
+      - name: Install Python dependencies
+        run: python -m pip install --upgrade pip setuptools wheel
+      - name: Set up OpenSK
+        run: ./setup.sh
+
+      - name: Unit testing of CBOR library (release mode)
+        uses: actions-rs/cargo@v1
+        with:
+          command: test
+          args: --manifest-path libraries/cbor/Cargo.toml --release --features std
+
+      - name: Unit testing of CBOR library (debug mode)
+        uses: actions-rs/cargo@v1
+        with:
+          command: test
+          args: --manifest-path libraries/cbor/Cargo.toml --features std

.github/workflows/crypto_test.yml

@@ -0,0 +1,40 @@
+---
+name: Crypto library tests
+on:
+  push:
+    paths:
+      - 'libraries/crypto/**/*'
+  pull_request:
+    types: [opened, synchronize, reopened]
+    paths:
+      - 'libraries/crypto/**/*'
+
+jobs:
+  crypto_test:
+    runs-on: ubuntu-18.04
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions-rs/toolchain@v1
+        with:
+          target: thumbv7em-none-eabi
+      - uses: actions/setup-python@v1
+        with:
+          python-version: 3.7
+      - name: Install Python dependencies
+        run: python -m pip install --upgrade pip setuptools wheel
+      - name: Set up OpenSK
+        run: ./setup.sh
+
+      - run: echo "::set-env name=RUSTFLAGS::-C target-feature=+aes"
+
+      - name: Unit testing of crypto library (release mode)
+        uses: actions-rs/cargo@v1
+        with:
+          command: test
+          args: --manifest-path libraries/crypto/Cargo.toml --release --features std,derive_debug
+
+      - name: Unit testing of crypto library (debug mode)
+        uses: actions-rs/cargo@v1
+        with:
+          command: test
+          args: --manifest-path libraries/crypto/Cargo.toml --features std,derive_debug

.github/workflows/opensk_build.yml

@@ -0,0 +1,31 @@
+---
+name: OpenSK build
+on:
+  push:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+jobs:
+  build_ctap2:
+    strategy:
+      matrix:
+        os: [ubuntu-18.04, macos-10.15]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions-rs/toolchain@v1
+        with:
+          target: thumbv7em-none-eabi
+      - uses: actions/setup-python@v1
+        with:
+          python-version: 3.7
+      - name: Install Python dependencies
+        run: python -m pip install --upgrade pip setuptools wheel
+      - name: Set up OpenSK
+        run: ./setup.sh
+
+      - name: Building OpenSK
+        uses: actions-rs/cargo@v1
+        with:
+          command: build
+          args: --release --target=thumbv7em-none-eabi --features with_ctap1

.github/workflows/opensk_test.yml

@@ -0,0 +1,51 @@
+---
+name: OpenSK tests
+on:
+  push:
+    paths:
+      - 'src/**/*.rs'
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+jobs:
+  ctap2_test:
+    name: CTAP2 unit tests
+    runs-on: ubuntu-18.04
+
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions-rs/toolchain@v1
+        with:
+          target: thumbv7em-none-eabi
+      - uses: actions/setup-python@v1
+        with:
+          python-version: 3.7
+      - name: Install Python dependencies
+        run: python -m pip install --upgrade pip setuptools wheel
+      - name: Set up OpenSK
+        run: ./setup.sh
+
+      - name: Unit testing of CTAP2 (release mode)
+        uses: actions-rs/cargo@v1
+        with:
+          command: test
+          args: --release --features std
+
+      - name: Unit testing of CTAP2 (debug mode)
+        uses: actions-rs/cargo@v1
+        with:
+          command: test
+          args: --features std
+
+      - name: Unit testing of CTAP2 (release mode + CTAP1)
+        uses: actions-rs/cargo@v1
+        with:
+          command: test
+          args: --release --features std,with_ctap1
+
+      - name: Unit testing of CTAP2 (debug mode + CTAP1)
+        uses: actions-rs/cargo@v1
+        with:
+          command: test
+          args: --features std,with_ctap1
+

.github/workflows/python.yml

@@ -22,11 +22,11 @@ jobs:
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip setuptools wheel
-          pip install tockloader
+          pip install tockloader pylint
+      - name: Register matcher
+        run: echo ::add-matcher::./.github/python_matcher.json
       - name: Test code with pylint
-        run: |
+        run: ./tools/run_pylint.sh
-          pip install pylint
-          pylint --rcfile=.pylintrc --score=n `find . ! -path "./third_party/*" -type f -name '*.py'`
 
   yapf:
     runs-on: ubuntu-18.04
@@ -39,6 +39,8 @@ jobs:
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip setuptools wheel
-          pip install yapf
+          pip install yapf tockloader
       - name: Test code formatting with yapf
-        run: yapf --style=chromium --recursive --exclude third_party --diff .
+        run: |
+          echo ::add-matcher::./.github/python_matcher.json
+          yapf --style=chromium --recursive --exclude third_party --diff .

build.rs

@@ -35,9 +35,8 @@ fn main() {
 
     // Load the OpenSSL PEM ECC key
     let ecc_data = include_bytes!("crypto_data/opensk.key");
-    let pkey = ec::EcKey::private_key_from_pem(ecc_data)
+    let pkey =
-        .ok()
+        ec::EcKey::private_key_from_pem(ecc_data).expect("Failed to load OpenSK private key file");
-        .expect("Failed to load OpenSK private key file");
 
     // Check key validity
     pkey.check_key().unwrap();
@@ -70,9 +69,7 @@ fn main() {
 
     // Convert the PEM certificate to DER and extract the serial for AAGUID
     let input_pem_cert = include_bytes!("crypto_data/opensk_cert.pem");
-    let cert = x509::X509::from_pem(input_pem_cert)
+    let cert = x509::X509::from_pem(input_pem_cert).expect("Failed to load OpenSK certificate");
-        .ok()
-        .expect("Failed to load OpenSK certificate");
 
     // Do some sanity check on the certificate
     assert!(cert

tools/run_pylint.sh

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+SUCCESS=0
+
+# Ensure we are at the project root directory
+cd $(readlink -f $(dirname $0))/..
+
+for file in `find . ! -path "./third_party/*" -type f -name '*.py'`
+do
+  # Output header for our custom matcher on Github workflow
+  echo "PYLINT:${file}"
+  if ! pylint --rcfile=.pylintrc --score=n "$file"
+  then
+    SUCCESS=1
+  fi
+done
+
+exit $SUCCESS