openssh/.github/configs

285 lines
8.2 KiB
Bash
Executable File

#!/bin/sh
#
# usage: configs vmname test_config (or '' for default)
#
# Sets the following variables:
# CONFIGFLAGS options to ./configure
# SSHD_CONFOPTS sshd_config options
# TEST_TARGET make target used when testing. defaults to "tests".
# LTESTS
config=$1
unset CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
TEST_TARGET="tests"
LTESTS=""
SKIP_LTESTS=""
SUDO=sudo # run with sudo by default
TEST_SSH_UNSAFE_PERMISSIONS=1
# Stop on first test failure to minimize logs
TEST_SSH_FAIL_FATAL=yes
CONFIGFLAGS=""
LIBCRYPTOFLAGS=""
case "$config" in
default|sol64)
;;
c89)
CC="gcc"
CFLAGS="-Wall -std=c89 -pedantic -Werror=vla"
CONFIGFLAGS="--without-zlib"
LIBCRYPTOFLAGS="--without-openssl"
TEST_TARGET=t-exec
;;
cygwin-release)
CONFIGFLAGS="--with-libedit --with-xauth=/usr/bin/xauth --disable-strip --with-security-key-builtin"
;;
clang-12-Werror)
CC="clang-12"
# clang's implicit-fallthrough requires that the code be annotated with
# __attribute__((fallthrough)) and does not understand /* FALLTHROUGH */
CFLAGS="-Wall -Wextra -O2 -Wno-error=implicit-fallthrough -Wno-error=unused-parameter"
CONFIGFLAGS="--with-pam --with-Werror"
;;
*-sanitize-*)
case "$config" in
gcc-*)
CC=gcc
;;
clang-*)
# Find the newest available version of clang
for i in `seq 10 99`; do
clang="`which clang-$i 2>/dev/null`"
[ -x "$clang" ] && CC="$clang"
done
;;
esac
# Put Sanitizer logs in regress dir.
SANLOGS=`pwd`/regress
# - We replace chroot with chdir so that the sanitizer in the preauth
# privsep process can read /proc.
# - clang does not recognizes explicit_bzero so we use bzero
# (see https://github.com/google/sanitizers/issues/1507
# - openssl and zlib trip ASAN.
# - sp_pwdp returned by getspnam trips ASAN, hence disabling shadow.
case "$config" in
*-sanitize-address)
CFLAGS="-fsanitize=address -fno-omit-frame-pointer"
LDFLAGS="-fsanitize=address"
CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -D_FORTIFY_SOURCE=0 -DASAN_OPTIONS=\"detect_leaks=0:log_path='$SANLOGS'/asan.log\"'
CONFIGFLAGS=""
TEST_TARGET="t-exec"
;;
clang-sanitize-memory)
CFLAGS="-fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer"
LDFLAGS="-fsanitize=memory"
CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -DMSAN_OPTIONS=\"log_path='$SANLOGS'/msan.log\"'
CONFIGFLAGS="--without-openssl --without-zlib --without-shadow"
TEST_TARGET="t-exec"
;;
*-sanitize-undefined)
CFLAGS="-fsanitize=undefined"
LDFLAGS="-fsanitize=undefined"
;;
*)
echo unknown sanitize option;
exit 1;;
esac
features="--disable-security-key --disable-pkcs11"
hardening="--without-sandbox --without-hardening --without-stackprotect"
privsep="--with-privsep-user=root"
CONFIGFLAGS="$CONFIGFLAGS $features $hardening $privsep"
# Because we hobble chroot we can't test it.
SKIP_LTESTS=sftp-chroot
;;
gcc-11-Werror)
CC="gcc"
# -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
CFLAGS="-Wall -Wextra -O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter"
CONFIGFLAGS="--with-pam --with-Werror"
;;
clang*|gcc*)
CC="$config"
;;
kitchensink)
CONFIGFLAGS="--with-kerberos5 --with-libedit --with-pam"
CONFIGFLAGS="${CONFIGFLAGS} --with-security-key-builtin --with-selinux"
CONFIGFLAGS="${CONFIGFLAGS} --with-cflags=-DSK_DEBUG"
;;
hardenedmalloc)
CONFIGFLAGS="--with-ldflags=-lhardened_malloc"
;;
tcmalloc)
CONFIGFLAGS="--with-ldflags=-ltcmalloc"
;;
krb5|heimdal)
CONFIGFLAGS="--with-kerberos5"
;;
libedit)
CONFIGFLAGS="--with-libedit"
;;
musl)
CC="musl-gcc"
CONFIGFLAGS="--without-zlib"
LIBCRYPTOFLAGS="--without-openssl"
TEST_TARGET="t-exec"
;;
pam-krb5)
CONFIGFLAGS="--with-pam --with-kerberos5"
SSHD_CONFOPTS="UsePam yes"
;;
*pam)
CONFIGFLAGS="--with-pam"
SSHD_CONFOPTS="UsePam yes"
;;
libressl-*)
LIBCRYPTOFLAGS="--with-ssl-dir=/opt/libressl --with-rpath=-Wl,-rpath,"
;;
openssl-*)
LIBCRYPTOFLAGS="--with-ssl-dir=/opt/openssl --with-rpath=-Wl,-rpath,"
;;
selinux)
CONFIGFLAGS="--with-selinux"
;;
sk)
CONFIGFLAGS="--with-security-key-builtin"
;;
without-openssl)
LIBCRYPTOFLAGS="--without-openssl"
TEST_TARGET=t-exec
;;
valgrind-[1-4]|valgrind-unit)
# rlimit sandbox and FORTIFY_SOURCE confuse Valgrind.
CONFIGFLAGS="--without-sandbox --without-hardening"
CONFIGFLAGS="$CONFIGFLAGS --with-cppflags=-D_FORTIFY_SOURCE=0"
TEST_TARGET="t-exec USE_VALGRIND=1"
TEST_SSH_ELAPSED_TIMES=1
export TEST_SSH_ELAPSED_TIMES
# Valgrind slows things down enough that the agent timeout test
# won't reliably pass, and the unit tests run longer than allowed
# by github so split into three separate tests.
tests2="rekey integrity try-ciphers sftp"
tests3="krl forward-control sshsig agent-restrict kextype"
tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment percent"
case "$config" in
valgrind-1)
# All tests except agent-timeout (which is flaky under valgrind)
#) and slow ones that run separately to increase parallelism.
SKIP_LTESTS="agent-timeout ${tests2} ${tests3} ${tests4}"
;;
valgrind-2)
LTESTS="${tests2}"
;;
valgrind-3)
LTESTS="${tests3}"
;;
valgrind-4)
LTESTS="${tests4}"
;;
valgrind-unit)
TEST_TARGET="unit USE_VALGRIND=1"
;;
esac
;;
*)
echo "Unknown configuration $config"
exit 1
;;
esac
# The Solaris 64bit targets are special since they need a non-flag arg.
case "$config" in
sol64*)
CONFIGFLAGS="x86_64 --with-cflags=-m64 --with-ldflags=-m64 ${CONFIGFLAGS}"
LIBCRYPTOFLAGS="--with-ssl-dir=/usr/local/ssl64"
;;
esac
case "${TARGET_HOST}" in
aix*)
# These are slow real or virtual machines so skip the slowest tests
# (which tend to be thw ones that transfer lots of data) so that the
# test run does not time out.
# The agent-restrict test fails due to some quoting issue when run
# with sh or ksh so specify bash for now.
TEST_TARGET="t-exec TEST_SHELL=bash"
SKIP_LTESTS="rekey sftp"
;;
dfly58*|dfly60*)
# scp 3-way connection hangs on these so skip until sorted.
SKIP_LTESTS=scp3
;;
fbsd6)
# Native linker is not great with PIC so OpenSSL is built w/out.
CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
;;
hurd)
SKIP_LTESTS="forwarding multiplex proxy-connect hostkey-agent agent-ptrace"
;;
minix3)
LIBCRYPTOFLAGS="--without-openssl --disable-security-key"
# Minix does not have a loopback interface so we have to skip any
# test that relies on one.
# Also, Minix seems to be very limited in the number of select()
# calls that can be operating concurrently, so prune additional tests for that.
T="addrmatch agent-restrict brokenkeys cfgmatch cfgmatchlisten cfgparse connect
connect-uri exit-status forward-control forwarding hostkey-agent
key-options keyscan knownhosts-command login-timeout multiplex
reconfigure reexec rekey scp scp-uri scp3 sftp sftp-badcmds
sftp-batch sftp-cmds sftp-glob sftp-perm sftp-uri stderr-data
transfer"
SKIP_LTESTS="$(echo $T)"
TEST_TARGET=t-exec
SUDO=""
;;
nbsd4)
# System compiler will ICE on some files with fstack-protector
# SHA256 functions in sha2.h conflict with OpenSSL's breaking sk-dummy
CONFIGFLAGS="${CONFIGFLAGS} --without-hardening --disable-security-key"
;;
openwrt-*)
CONFIGFLAGS="${CONFIGFLAGS} --without-openssl --without-zlib"
TEST_TARGET="t-exec"
;;
sol10|sol11)
# sol10 VM is 32bit and the unit tests are slow.
# sol11 has 4 test configs so skip unit tests to speed up.
TEST_TARGET="tests SKIP_UNIT=1"
;;
win10)
# No sudo on Windows.
SUDO=""
;;
esac
# Unless specified otherwise, build without OpenSSL on Mac OS since
# modern versions don't ship with libcrypto.
case "`./config.guess`" in
*-darwin*)
LIBCRYPTOFLAGS="--without-openssl"
TEST_TARGET=t-exec
;;
esac
# If we have a local openssl/libressl, use that.
if [ -z "${LIBCRYPTOFLAGS}" ]; then
# last-match
for i in /usr/local /usr/local/ssl /usr/local/opt/openssl; do
if [ -x ${i}/bin/openssl ]; then
LIBCRYPTOFLAGS="--with-ssl-dir=${i}"
fi
done
fi
CONFIGFLAGS="${CONFIGFLAGS} ${LIBCRYPTOFLAGS}"
if [ -x "$(which plink 2>/dev/null)" ]; then
REGRESS_INTEROP_PUTTY=yes
export REGRESS_INTEROP_PUTTY
fi
export CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
export TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS TEST_SSH_FAIL_FATAL