Merge e6f747d into 13f7513

.clang-tidy

@@ -5,6 +5,7 @@ HeaderFilterRegex: ''
 AnalyzeTemporaryDtors: false
 FormatStyle:     none
 User:            rbost
+WarningsAsErrors:   '*'
 CheckOptions:    
   - key:             google-readability-braces-around-statements.ShortStatementLines
     value:           '1'

.travis.yml

@@ -8,33 +8,68 @@ language: cpp
 os: linux
 dist: trusty
 sudo: required
+
+
 addons:
    apt:
-     sources:
+     sources: &basic_sources
        - ubuntu-toolchain-r-test
-     packages:
-       - g++-4.9
+       - sourceline: 'deb http://apt.llvm.org/trusty/ llvm-toolchain-trusty-5.0 main'
+         key_url: 'http://llvm.org/apt/llvm-snapshot.gpg.key'
+     packages: &basic_deps
        - libssl-dev
        - libgmp-dev
        - lcov
 
 
-env:
-- MATRIX_EVAL="CC=gcc-4.9 && CXX=g++-4.9"
+env: MATRIX_EVAL="" 
 
-before_install:
-  - eval "${MATRIX_EVAL}"
-  # - if [ "$CXX" = "g++" ]; then export CXX="g++-4.9" CC="gcc-4.9"; fi
+install:  
   - cd install_dependencies
   - ./install_libsodium.sh
   - ./install_relic_ubuntu_14_easy.sh
   - cd ..
   - gem install coveralls-lcov
   - sudo ldconfig
+
+
+matrix:
+   include:
+      - env: 
+          - STATIC_ANALYSIS=false
+        addons:
+            apt:
+              sources: *basic_sources
+              packages:
+                 - *basic_deps
+                 - g++-4.9 
+        before_install:
+           - if [ "$CXX" = "g++" ]; then export CXX="g++-4.9" CC="gcc-4.9"; fi
+        after_success:
+           - ./coverage/gen_coverage.sh # get the code coverage
+           - ./coverage/upload_report.sh # upload the report to coveralls
+
+
+      - env: 
+          - STATIC_ANALYSIS=true
+          - CLANG_TIDY=clang-tidy-5.0
+        addons:
+           apt:
+              sources: *basic_sources
+              packages:
+                 - *basic_deps
+                 - cppcheck
+                 - libclang-common-5.0-dev # to get the headers right
+                 - clang-tidy-5.0
+        script:
+           - ./scripts/cppcheck.sh 
+           - ./scripts/cppcheck.sh 
+
 
 script:
-  - scons check debug=1 coverage=1 static_relic=1
+  - if [ "${STATIC_ANALYSIS}" == "false" ]; then
+      scons check debug=1 coverage=1 static_relic=1 sanitize_address=1 sanitize_undefined=1;
+    fi
+
 
-after_success:
-  - ./coverage/gen_coverage.sh # get the code coverage
-  - ./coverage/upload_report.sh # upload the report to coveralls
+

README.md

@@ -1,9 +1,15 @@
 # OpenSSE's Cryptographic Toolkit
 
-[![build status](https://travis-ci.org/OpenSSE/crypto-tk.svg?branch=master)](https://travis-ci.org/OpenSSE/crypto-tk) 
+[![build status](https://badges.herokuapp.com/travis/OpenSSE/crypto-tk?branch=master&label=build&env=STATIC_ANALYSIS=false)](https://travis-ci.org/OpenSSE/crypto-tk)
+[![static analysis](https://badges.herokuapp.com/travis/OpenSSE/crypto-tk?branch=master&label=static%20analysis&env=STATIC_ANALYSIS=true)](https://travis-ci.org/OpenSSE/crypto-tk)
 [![Coverage Status](https://coveralls.io/repos/github/OpenSSE/crypto-tk/badge.svg)](https://coveralls.io/github/OpenSSE/crypto-tk)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/1412/badge)](https://bestpractices.coreinfrastructure.org/projects/1412)
 
+
+
+
+
+
 The SSE protocols rely on high level cryptographic features such as pseudo-random functions, hash functions, encryption schemes, or incremental set hashing. The cryptographic layer provides interfaces and implementations of these features. 
 
 For now, the hash function and encryption implementations rely on OpenSSL. This might (and probably will) in the future. However, this will have no influence on the code written using this library: the interfaces to the cryptographic services are *opaque*. It means that all implementation details are hidden. In particular, even if the implementation changes, the header files shouldn't.

scripts/cppcheck.sh

@@ -1,6 +1,6 @@
-#! /bin/sh
+#! /bin/bash
 if [[ -z $CPPCHECK ]]; then
 	CPPCHECK="cppcheck"
 fi
 
-eval "$CPPCHECK src --quiet --verbose --std=c++11 --force  --enable=warning,performance,portability,style --error-exitcode=1 --report-progress  --inline-suppr"
+eval "$CPPCHECK src -i src/mbedtls --quiet --verbose --std=c++11 --force  --enable=warning,performance,portability,style --error-exitcode=1 --report-progress  --inline-suppr --xml"

scripts/format.sh

@@ -1,4 +1,4 @@
-#! /bin/sh
+#! /bin/bash
 
 if [[ -z $CLANG_FORMAT ]]; then
 	CLANG_FORMAT="clang-format"

scripts/tidy.sh

@@ -1,4 +1,4 @@
-#! /bin/sh
+#! /bin/bash
 if [[ -z $CLANG_TIDY ]]; then
 	CLANG_TIDY="clang-tidy"
 fi

src/hmac.hpp

@@ -190,9 +190,6 @@ void HMac<H, N>::hmac(const unsigned char* in,
 
     key_.unlock();
 
-    // set the buffer to 0x00
-    memset(buffer, 0, kHMACKeySize);
-
     // copy the key to the buffer
     memcpy(buffer, key_.data(), kKeySize);
 

src/ppke/GMPpke.hpp

@@ -27,6 +27,7 @@ constexpr unsigned int  kPPKEStatisticalSecurity = 32;
 constexpr static size_t kPPKEPrfOutputSize
     = relicxx::PairingGroup::kPrfOutputSize;
 
+// cppcheck-suppress constStatement
 using PPKE_HKDF = sse::crypto::HMac<sse::crypto::Hash, 12 * FP_BYTES>;
 
 using tag_type = std::array<uint8_t, kTagSize>;

src/prg.hpp

@@ -214,7 +214,7 @@ class Prg
     ///
     static inline std::string derive(Key<kKeySize>&& k, const size_t len)
     {
-        return Prg::derive(std::move(k), 0, len);
+        return derive(std::move(k), 0, len);
     };
 
     ///

src/puncturable_enc.hpp

@@ -69,6 +69,7 @@ using master_key_type = Key<kMasterKeySize>;
 /// @relatesalso PuncturableEncryption
 const static size_t kCiphertextSize = 90;
 /// @brief Type of a ciphertext created using puncturable encryption
+// cppcheck-suppress constStatement
 using ciphertext_type = std::array<uint8_t, kCiphertextSize>;