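#!/bin/sh
#
# usage: configs test_config (or '' for default)
#
# Selects the build and test settings for one CI configuration.  The
# configuration name is read from $1; the target host is read from the
# TARGET_HOST environment variable.
# NOTE(review): the usage line previously read "configs vmname test_config",
# which does not match the code below ($1 is the config name) - confirm
# against the callers.
#
# Sets the following variables:
# CONFIGFLAGS    options to ./configure
# SSHD_CONFOPTS  sshd_config options (only assigned by the pam configs)
# TEST_TARGET    make target used when testing.  defaults to
#                "tests compat-tests".
# LTESTS         tests to run (empty unless a config selects a subset)
# SKIP_LTESTS    tests to skip
#
# NOTE(review): SSHD_CONFOPTS, INSTALL_ZLIB and TEST_SSH_ELAPSED_TIMES are
# not cleared by the unset below, so a value already present in the calling
# environment survives for configs that do not assign them - confirm that
# is intended.

config=$1
if [ "$config" = "" ]; then
    config="default"
fi

unset CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO

TEST_TARGET="tests compat-tests"
LTESTS=""
SKIP_LTESTS=""
SUDO=sudo    # run with sudo by default
# NOTE(review): presumably relaxes permission checks in the test harness;
# appropriate for throwaway CI runners only - confirm.
TEST_SSH_UNSAFE_PERMISSIONS=1
# Stop on first test failure to minimize logs
TEST_SSH_FAIL_FATAL=yes

CONFIGFLAGS=""
LIBCRYPTOFLAGS=""

case "$config" in
  default|sol64)
    ;;
  c89)
    # If we don't have LLONG_MAX, configure will figure out that it can
    # get it by setting -std=gnu99, at which point we won't be testing
    # C89 any more.  To avoid this, feed it in via CFLAGS.
    llong_max=`gcc -E -dM - </dev/null | \
        awk '$2=="__LONG_LONG_MAX__"{print $3}'`
    CPPFLAGS="-DLLONG_MAX=${llong_max}"

    CC="gcc"
    CFLAGS="-Wall -std=c89 -pedantic -Werror=vla"
    CONFIGFLAGS="--without-zlib"
    LIBCRYPTOFLAGS="--without-openssl"
    TEST_TARGET=t-exec
    ;;
  cygwin-release)
    # See https://cygwin.com/git/?p=git/cygwin-packages/openssh.git;a=blob;f=openssh.cygport;hb=HEAD
    CONFIGFLAGS="--with-xauth=/usr/bin/xauth --with-security-key-builtin"
    CONFIGFLAGS="$CONFIGFLAGS --with-kerberos5=/usr --with-libedit --disable-strip"
    ;;
  clang-12-Werror)
    CC="clang-12"
    # clang's implicit-fallthrough requires that the code be annotated with
    # __attribute__((fallthrough)) and does not understand /* FALLTHROUGH */
    CFLAGS="-Wall -Wextra -O2 -Wno-error=implicit-fallthrough -Wno-error=unused-parameter"
    CONFIGFLAGS="--with-pam --with-Werror"
    ;;
  *-sanitize-*)
    case "$config" in
      gcc-*)
        CC=gcc
        ;;
      clang-*)
        # Find the newest available version of clang.  The loop keeps
        # overwriting CC, so the highest-numbered clang-N found wins; CC
        # stays unset if none is installed.
        for i in `seq 10 99`; do
            clang="`which clang-$i 2>/dev/null`"
            [ -x "$clang" ] && CC="$clang"
        done
        ;;
    esac
    # Put Sanitizer logs in regress dir.
    SANLOGS=`pwd`/regress
    # - We replace chroot with chdir so that the sanitizer in the preauth
    #   privsep process can read /proc.
    # - clang does not recognize explicit_bzero so we use bzero
    #   (see https://github.com/google/sanitizers/issues/1507)
    # - openssl and zlib trip ASAN.
    # - sp_pwdp returned by getspnam trips ASAN, hence disabling shadow.
    #
    # Everything in this branch yields a deliberately weakened build: no
    # sandbox, no hardening flags, no stack protector, privsep user root,
    # chroot() turned into chdir(), and explicit_bzero() turned into a
    # plain bzero() that the optimizer is free to drop.  These binaries
    # exist only so the sanitizers can instrument a test run and must
    # never be installed or packaged.
    case "$config" in
      *-sanitize-address)
        CFLAGS="-fsanitize=address -fno-omit-frame-pointer"
        LDFLAGS="-fsanitize=address"
        CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -D_FORTIFY_SOURCE=0 -DASAN_OPTIONS=\"detect_leaks=0:log_path='$SANLOGS'/asan.log\"'
        CONFIGFLAGS=""
        TEST_TARGET="t-exec"
        ;;
      clang-sanitize-memory)
        CFLAGS="-fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer"
        LDFLAGS="-fsanitize=memory"
        CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -DMSAN_OPTIONS=\"log_path='$SANLOGS'/msan.log\"'
        CONFIGFLAGS="--without-zlib --without-shadow"
        LIBCRYPTOFLAGS="--without-openssl"
        TEST_TARGET="t-exec"
        ;;
      *-sanitize-undefined)
        CFLAGS="-fsanitize=undefined"
        LDFLAGS="-fsanitize=undefined"
        ;;
      *)
        echo unknown sanitize option;
        exit 1;;
    esac
    features="--disable-security-key --disable-pkcs11"
    hardening="--without-sandbox --without-hardening --without-stackprotect"
    privsep="--with-privsep-user=root"
    CONFIGFLAGS="$CONFIGFLAGS $features $hardening $privsep"
    # Because we hobble chroot we can't test it.
    SKIP_LTESTS=sftp-chroot
    ;;
  gcc-11-Werror)
    CC="gcc-11"
    # -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
    # -Wunused-result ignores (void) so is not useful.  See
    # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66425
    CFLAGS="-O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter -Wno-unused-result"
    CONFIGFLAGS="--with-pam --with-Werror"
    ;;
  gcc-12-Werror)
    CC="gcc-12"
    # -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
    # -Wunused-result ignores (void) so is not useful.  See
    # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66425
    CFLAGS="-O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter -Wno-unused-result"
    CONFIGFLAGS="--with-pam --with-Werror"
    ;;
  clang*|gcc*)
    # The config name is used verbatim as the compiler command, so it must
    # only ever come from the trusted CI definition, never from
    # contributor-controlled input.
    CC="$config"
    ;;
  kitchensink)
    CONFIGFLAGS="--with-kerberos5 --with-libedit --with-pam"
    CONFIGFLAGS="${CONFIGFLAGS} --with-security-key-builtin --with-selinux"
    CFLAGS="-DSK_DEBUG -DSANDBOX_SECCOMP_FILTER_DEBUG"
    ;;
  hardenedmalloc)
    CONFIGFLAGS="--with-ldflags=-lhardened_malloc"
    ;;
  tcmalloc)
    CONFIGFLAGS="--with-ldflags=-ltcmalloc"
    ;;
  krb5|heimdal)
    CONFIGFLAGS="--with-kerberos5"
    ;;
  libedit)
    CONFIGFLAGS="--with-libedit"
    ;;
  musl)
    CC="musl-gcc"
    CONFIGFLAGS="--without-zlib"
    LIBCRYPTOFLAGS="--without-openssl"
    TEST_TARGET="t-exec"
    ;;
  pam-krb5)
    CONFIGFLAGS="--with-pam --with-kerberos5"
    SSHD_CONFOPTS="UsePam yes"
    ;;
  *pam)
    CONFIGFLAGS="--with-pam"
    SSHD_CONFOPTS="UsePam yes"
    ;;
  boringssl)
    CONFIGFLAGS="--disable-pkcs11"
    LIBCRYPTOFLAGS="--with-ssl-dir=/opt/boringssl --with-rpath=-Wl,-rpath,"
    ;;
  libressl-*)
    LIBCRYPTOFLAGS="--with-ssl-dir=/opt/libressl --with-rpath=-Wl,-rpath,"
    ;;
  putty-*)
    CONFIGFLAGS="--with-plink=/usr/local/bin/plink --with-puttygen=/usr/local/bin/puttygen"
    # We don't need to rerun the regular tests, just the interop ones.
    TEST_TARGET=interop-tests
    ;;
  openssl-*)
    LIBCRYPTOFLAGS="--with-ssl-dir=/opt/openssl --with-rpath=-Wl,-rpath,"
    # OpenSSL 1.1.1 specifically has a bug in its RNG that breaks reexec
    # fallback.  See https://bugzilla.mindrot.org/show_bug.cgi?id=3483
    if [ "$config" = "openssl-1.1.1" ]; then
        SKIP_LTESTS="reexec"
    fi
    ;;
  selinux)
    CONFIGFLAGS="--with-selinux"
    ;;
  sk)
    CONFIGFLAGS="--with-security-key-builtin"
    ;;
  without-openssl)
    LIBCRYPTOFLAGS="--without-openssl"
    TEST_TARGET=t-exec
    ;;
  valgrind-[1-4]|valgrind-unit)
    # rlimit sandbox and FORTIFY_SOURCE confuse Valgrind.
    # As with the sanitizer configs, the result is a test-only build with
    # the sandbox and hardening switched off; do not install it.
    CONFIGFLAGS="--without-sandbox --without-hardening"
    CONFIGFLAGS="$CONFIGFLAGS --with-cppflags=-D_FORTIFY_SOURCE=0"
    TEST_TARGET="t-exec USE_VALGRIND=1"
    TEST_SSH_ELAPSED_TIMES=1
    export TEST_SSH_ELAPSED_TIMES
    # Valgrind slows things down enough that the agent timeout test
    # won't reliably pass, and the unit tests run longer than allowed
    # by github so split into separate tests.
    tests2="integrity try-ciphers rekey"
    tests3="krl forward-control sshsig agent-restrict kextype sftp"
    tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment percent"
    case "$config" in
      valgrind-1)
        # All tests except agent-timeout (which is flaky under valgrind),
        # connection-timeout (which doesn't work since it's so slow)
        # and hostbased (since valgrind won't let ssh exec keysign).
        # Slow ones are run separately to increase parallelism.
        SKIP_LTESTS="agent-timeout connection-timeout hostbased"
        SKIP_LTESTS="$SKIP_LTESTS penalty-expire"
        # Only tests2..tests4 are defined above.  A fourth list, tests5,
        # used to be appended here without ever being assigned, which
        # let a stray tests5 from the calling environment end up in the
        # skip list.
        SKIP_LTESTS="$SKIP_LTESTS ${tests2} ${tests3} ${tests4}"
        ;;
      valgrind-2)
        LTESTS="${tests2}"
        ;;
      valgrind-3)
        LTESTS="${tests3}"
        ;;
      valgrind-4)
        LTESTS="${tests4}"
        ;;
      valgrind-unit)
        TEST_TARGET="unit USE_VALGRIND=1"
        ;;
    esac
    ;;
  zlib-develop)
    INSTALL_ZLIB=develop
    CONFIGFLAGS="--with-zlib=/opt/zlib --with-rpath=-Wl,-rpath,"
    ;;
  *)
    echo "Unknown configuration $config"
    exit 1
    ;;
esac

# The Solaris 64bit targets are special since they need a non-flag arg.
case "$config" in
  sol64*)
    CONFIGFLAGS="--target=x86_64 --with-cflags=-m64 --with-ldflags=-m64 ${CONFIGFLAGS}"
    LIBCRYPTOFLAGS="--with-ssl-dir=/usr/local/ssl64 --with-rpath=-Wl,-rpath,"
    ;;
esac

# Per-host adjustments.  Several branches assign CONFIGFLAGS, SKIP_LTESTS or
# TEST_TARGET outright rather than appending, so they replace whatever the
# config-specific case above selected.
case "${TARGET_HOST}" in
  aix*)
    CONFIGFLAGS="--disable-security-key"
    LIBCRYPTOFLAGS="--without-openssl"
    # These are slow real or virtual machines so skip the slowest tests
    # (which tend to be the ones that transfer lots of data) so that the
    # test run does not time out.
    # The agent-restrict test fails due to some quoting issue when run
    # with sh or ksh so specify bash for now.
    TEST_TARGET="t-exec unit TEST_SHELL=bash"
    SKIP_LTESTS="rekey sftp"
    ;;
  debian-riscv64)
    # This machine is fairly slow, so skip the unit tests.
    TEST_TARGET="t-exec"
    ;;
  dfly58*|dfly60*)
    # scp 3-way connection hangs on these so skip until sorted.
    SKIP_LTESTS=scp3
    ;;
  fbsd6)
    # Native linker is not great with PIC so OpenSSL is built w/out.
    CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
    ;;
  hurd)
    SKIP_LTESTS="forwarding multiplex proxy-connect hostkey-agent agent-ptrace"
    ;;
  minix3)
    CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
    # Unix domain sockets don't work quite like we expect, so also
    # disable FD passing (and thus multiplexing).
    CONFIGFLAGS="${CONFIGFLAGS} --disable-fd-passing"
    LIBCRYPTOFLAGS="--without-openssl"

    # Minix does not have a loopback interface so we have to skip any
    # test that relies on one.
    # Also, Minix seems to be very limited in the number of select()
    # calls that can be operating concurrently, so prune additional tests for that.
    T="addrmatch agent-restrict brokenkeys cfgmatch cfgmatchlisten cfgparse
        connect connect-uri dynamic-forward exit-status forwarding
        forward-control
        hostkey-agent key-options keyscan knownhosts-command login-timeout
        reconfigure reexec rekey scp scp-uri scp3 sftp sftp-badcmds
        sftp-batch sftp-cmds sftp-glob sftp-perm sftp-uri stderr-data
        transfer penalty penalty-expire"
    # Unquoted on purpose: word splitting collapses the newlines and
    # indentation in T into single spaces.
    SKIP_LTESTS="$(echo $T)"
    TEST_TARGET=t-exec
    SUDO=""
    ;;
  nbsd4)
    # System compiler will ICE on some files with fstack-protector
    # SHA256 functions in sha2.h conflict with OpenSSL's breaking sk-dummy
    CONFIGFLAGS="${CONFIGFLAGS} --without-hardening --disable-security-key"
    ;;
  openwrt-*)
    CONFIGFLAGS="${CONFIGFLAGS} --without-zlib"
    LIBCRYPTOFLAGS="--without-openssl"
    TEST_TARGET="t-exec"
    ;;
  sol10|sol11)
    # sol10 VM is 32bit and the unit tests are slow.
    # sol11 has 4 test configs so skip unit tests to speed up.
    TEST_TARGET="tests SKIP_UNIT=1"
    ;;
  win10)
    # No sudo on Windows.
    SUDO=""
    ;;
esac

# config.guess is run from the current directory, so this script expects to
# be used from the top of the source tree.
host=`./config.guess`
case "$host" in
*cygwin)
    SUDO=""
    # Don't run compat tests on cygwin as they don't currently compile.
    TEST_TARGET="tests"
    ;;
*-darwin*)
    # Unless specified otherwise, build without OpenSSL on Mac OS since
    # modern versions don't ship with libcrypto.
    LIBCRYPTOFLAGS="--without-openssl"
    TEST_TARGET=t-exec

    # On some OS X runners we can't write to /var/empty.
    CONFIGFLAGS="${CONFIGFLAGS} --with-privsep-path=/usr/local/empty"

    case "$host" in
      *-darwin22.*)
        # sudo -S nobody doesn't work on macos 13 for some reason.
        SKIP_LTESTS="agent-getpeereid" ;;
    esac
    ;;
esac

# Unless specifically configured, search for a suitable version of OpenSSL,
# otherwise build without it.
if [ -z "${LIBCRYPTOFLAGS}" ]; then
    LIBCRYPTOFLAGS="--without-openssl"
    # last-match: a later prefix in the list overrides an earlier one.
    # Each candidate's openssl binary is executed to read its version, so
    # these prefixes are assumed to be writable only by trusted users.
    for i in /usr /usr/local /usr/local/ssl /usr/local/opt/openssl; do
        ver="none"
        if [ -x "${i}/bin/openssl" ]; then
            ver="$("${i}/bin/openssl" version)"
        fi
        case "$ver" in
          none) ;;
          # Versions in the next two patterns are treated as unsuitable
          # and skipped.
          "OpenSSL 0."*|"OpenSSL 1.0."*|"OpenSSL 1.1.0"*) ;;
          "LibreSSL 2."*|"LibreSSL 3.0."*) ;;
          *) LIBCRYPTOFLAGS="--with-ssl-dir=${i}" ;;
        esac
    done
    if [ "${LIBCRYPTOFLAGS}" = "--without-openssl" ]; then
        TEST_TARGET="t-exec"
    fi
fi

CONFIGFLAGS="${CONFIGFLAGS} ${LIBCRYPTOFLAGS}"

if [ -x "$(which plink 2>/dev/null)" ]; then
    REGRESS_INTEROP_PUTTY=yes
    export REGRESS_INTEROP_PUTTY
fi

export CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
export TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS TEST_SSH_FAIL_FATAL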