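#!/bin/sh
#
# usage: configs vmname test_config (or '' for default)
#
# Selects the build and test settings for one CI test configuration.
# Sets the following variables:
# CONFIGFLAGS           options to ./configure
# LIBCRYPTOFLAGS        libcrypto-related options to ./configure; appended
#                       to CONFIGFLAGS at the end of this script
# SSHD_CONFOPTS         sshd_config options
# TEST_TARGET           make target used when testing.  defaults to
#                       "tests compat-tests".
# LTESTS                regress tests to run
# SKIP_LTESTS           regress tests to skip
#
# Everything here targets throwaway CI runners (sudo, relaxed permission
# checks, hardening disabled for instrumented builds); none of it is a
# recommended configuration for a real installation.
#
# NOTE(review): only $1 is read below; the host name in the usage line is
# not consumed here (TARGET_HOST is taken from the environment later).

# The first argument names the configuration; empty or missing means "default".
config=${1:-default}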
15
# Start from a clean slate so nothing leaks in from the caller's
# environment; the configuration-specific cases below only set what
# they need.
unset CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO

# Defaults that individual configurations and hosts override later on.
SUDO=sudo	# run with sudo by default
TEST_TARGET="tests compat-tests"
LTESTS=
SKIP_LTESTS=
CONFIGFLAGS=
LIBCRYPTOFLAGS=
# Presumably relaxes the regress harness's file-permission checks for the
# CI checkout -- CI-only; confirm against the harness before reusing.
TEST_SSH_UNSAFE_PERMISSIONS=1
# Stop on first test failure to minimize logs
TEST_SSH_FAIL_FATAL=yes
28
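# Per-configuration settings.  Arms are tried in order, so the specific
# patterns (c89, *-sanitize-*, the -Werror variants) must stay ahead of
# the catch-all clang*|gcc* arm.
case "$config" in
    default|sol64)
	# sol64 gets its flags from the follow-up case below.
	;;
    c89)
	# If we don't have LLONG_MAX, configure will figure out that it can
	# get it by setting -std=gnu99, at which point we won't be testing
	# C89 any more.  To avoid this, feed it in via CPPFLAGS.
	llong_max=$(gcc -E -dM - </dev/null | \
	    awk '$2=="__LONG_LONG_MAX__"{print $3}')
	CPPFLAGS="-DLLONG_MAX=${llong_max}"

	CC="gcc"
	CFLAGS="-Wall -std=c89 -pedantic -Werror=vla"
	CONFIGFLAGS="--without-zlib"
	LIBCRYPTOFLAGS="--without-openssl"
	TEST_TARGET=t-exec
	;;
    cygwin-release)
	# See https://cygwin.com/git/?p=git/cygwin-packages/openssh.git;a=blob;f=openssh.cygport;hb=HEAD
	CONFIGFLAGS="--with-xauth=/usr/bin/xauth --with-security-key-builtin"
	CONFIGFLAGS="$CONFIGFLAGS --with-kerberos5=/usr --with-libedit --disable-strip"
	;;
    clang-12-Werror)
	CC="clang-12"
	# clang's implicit-fallthrough requires that the code be annotated with
	# __attribute__((fallthrough)) and does not understand /* FALLTHROUGH */
	CFLAGS="-Wall -Wextra -O2 -Wno-error=implicit-fallthrough -Wno-error=unused-parameter"
	CONFIGFLAGS="--with-pam --with-Werror"
	;;
    *-sanitize-*)
	case "$config" in
	gcc-*)
		CC=gcc
		;;
	clang-*)
		# Find the newest available version of clang.  If none is
		# found CC stays unset and configure picks its default.
		for i in $(seq 10 99); do
		    clang=$(command -v "clang-$i" 2>/dev/null)
		    [ -x "$clang" ] && CC="$clang"
		done
		;;
	esac
	# Put Sanitizer logs in regress dir.
	SANLOGS=$(pwd)/regress
	# - We replace chroot with chdir so that the sanitizer in the preauth
	#   privsep process can read /proc.
	# - clang does not recognizes explicit_bzero so we use bzero
	#   (see https://github.com/google/sanitizers/issues/1507
	# - openssl and zlib trip ASAN.
	# - sp_pwdp returned by getspnam trips ASAN, hence disabling shadow.
	case "$config" in
	*-sanitize-address)
	    CFLAGS="-fsanitize=address -fno-omit-frame-pointer"
	    LDFLAGS="-fsanitize=address"
	    CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -D_FORTIFY_SOURCE=0 -DASAN_OPTIONS=\"detect_leaks=0:log_path='$SANLOGS'/asan.log\"'
	    CONFIGFLAGS=""
	    TEST_TARGET="t-exec"
	    ;;
	clang-sanitize-memory)
	    CFLAGS="-fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer"
	    LDFLAGS="-fsanitize=memory"
	    CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -DMSAN_OPTIONS=\"log_path='$SANLOGS'/msan.log\"'
	    CONFIGFLAGS="--without-zlib --without-shadow"
	    LIBCRYPTOFLAGS="--without-openssl"
	    TEST_TARGET="t-exec"
	    ;;
	*-sanitize-undefined)
	    CFLAGS="-fsanitize=undefined"
	    LDFLAGS="-fsanitize=undefined"
	    ;;
	*)
	    echo "unknown sanitize option" >&2
	    exit 1
	    ;;
	esac
	# Instrumented builds run with the privilege-separation and hardening
	# defences switched off (chroot replaced above, no sandbox, privsep
	# user root) so the sanitizer runtime can operate.  This is a CI-only
	# configuration; do not copy these flags into a real build.
	features="--disable-security-key --disable-pkcs11"
	hardening="--without-sandbox --without-hardening --without-stackprotect"
	privsep="--with-privsep-user=root"
	CONFIGFLAGS="$CONFIGFLAGS $features $hardening $privsep"
	# Because we hobble chroot we can't test it.
	SKIP_LTESTS=sftp-chroot
	;;
    gcc-11-Werror|gcc-12-Werror)
	# The compiler is the configuration name minus the -Werror suffix.
	CC="${config%-Werror}"
	# -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
	# -Wunused-result ignores (void) so is not useful.  See
	# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66425
	CFLAGS="-O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter -Wno-unused-result"
	CONFIGFLAGS="--with-pam --with-Werror"
	;;
    clang*|gcc*)
	# Any other compiler name is used verbatim as CC.
	CC="$config"
	;;
    kitchensink)
	CONFIGFLAGS="--with-kerberos5 --with-libedit --with-pam"
	CONFIGFLAGS="${CONFIGFLAGS} --with-security-key-builtin --with-selinux"
	CONFIGFLAGS="${CONFIGFLAGS} --with-linux-memlock-onfault"
	CFLAGS="-DSK_DEBUG -DSANDBOX_SECCOMP_FILTER_DEBUG"
	;;
    hardenedmalloc)
	CONFIGFLAGS="--with-ldflags=-lhardened_malloc"
	;;
    tcmalloc)
	CONFIGFLAGS="--with-ldflags=-ltcmalloc"
	# tcmalloc may, depending on the stacktrace generator it uses, create
	# pipe(2) fds during shared library initialisation. These will later
	# get clobbered by ssh/sshd calling closefrom() and chaos will ensue.
	# Tell tcmalloc to use an unwinder that doesn't pull this stuff.
	TCMALLOC_STACKTRACE_METHOD=generic_fp
	TEST_SSH_SSHD_ENV="TCMALLOC_STACKTRACE_METHOD=generic_fp"
	export TCMALLOC_STACKTRACE_METHOD TEST_SSH_SSHD_ENV
	;;
    krb5|heimdal)
	CONFIGFLAGS="--with-kerberos5"
	;;
    libedit)
	CONFIGFLAGS="--with-libedit"
	;;
    musl)
	CC="musl-gcc"
	CONFIGFLAGS="--without-zlib"
	LIBCRYPTOFLAGS="--without-openssl"
	TEST_TARGET="t-exec"
	;;
    pam-krb5)
	CONFIGFLAGS="--with-pam --with-kerberos5"
	SSHD_CONFOPTS="UsePam yes"
	;;
    *pam)
	CONFIGFLAGS="--with-pam"
	SSHD_CONFOPTS="UsePam yes"
	;;
    boringssl)
	CONFIGFLAGS="--disable-pkcs11"
	LIBCRYPTOFLAGS="--with-ssl-dir=/opt/boringssl --with-rpath=-Wl,-rpath,"
	;;
    aws-lc)
	LIBCRYPTOFLAGS="--with-ssl-dir=/opt/aws-lc --with-rpath=-Wl,-rpath,"
	;;
    libressl-*)
	LIBCRYPTOFLAGS="--with-ssl-dir=/opt/libressl --with-rpath=-Wl,-rpath,"
	;;
    putty-*)
	CONFIGFLAGS="--with-plink=/usr/local/bin/plink --with-puttygen=/usr/local/bin/puttygen"
	# We don't need to rerun the regular tests, just the interop ones.
	TEST_TARGET=interop-tests
	;;
    openssl-*)
	LIBCRYPTOFLAGS="--with-ssl-dir=/opt/openssl --with-rpath=-Wl,-rpath,"
	# OpenSSL 1.1.1 specifically has a bug in its RNG that breaks reexec
	# fallback.  See https://bugzilla.mindrot.org/show_bug.cgi?id=3483
	if [ "$config" = "openssl-1.1.1" ]; then
		SKIP_LTESTS="reexec"
	fi
	;;
    selinux)
	CONFIGFLAGS="--with-selinux"
	;;
    sk)
	CONFIGFLAGS="--with-security-key-builtin --with-security-key-standalone"
	;;
    without-openssl)
	LIBCRYPTOFLAGS="--without-openssl"
	TEST_TARGET=t-exec
	;;
    valgrind-[1-4]|valgrind-unit)
	# rlimit sandbox and FORTIFY_SOURCE confuse Valgrind.
	CONFIGFLAGS="--without-sandbox --without-hardening"
	CONFIGFLAGS="$CONFIGFLAGS --with-cppflags=-D_FORTIFY_SOURCE=0"
	TEST_TARGET="t-exec USE_VALGRIND=1"
	TEST_SSH_ELAPSED_TIMES=1
	export TEST_SSH_ELAPSED_TIMES
	# Valgrind slows things down enough that the agent timeout test
	# won't reliably pass, and the unit tests run longer than allowed
	# by github so split into separate tests.
	# NOTE(review): kextype is listed in both tests3 and tests4 and so
	# runs in two jobs -- confirm whether that is intended.
	tests2="integrity try-ciphers rekey"
	tests3="krl forward-control sshsig agent-restrict kextype sftp"
	tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment percent"
	case "$config" in
	    valgrind-1)
		# All tests except agent-timeout (which is flaky under valgrind),
		# connection-timeout (which doesn't work since it's so slow)
		# and hostbased (since valgrind won't let ssh exec keysign).
		# Slow ones are run separately to increase parallelism.
		SKIP_LTESTS="agent-timeout connection-timeout hostbased"
		SKIP_LTESTS="$SKIP_LTESTS penalty-expire"
		SKIP_LTESTS="$SKIP_LTESTS ${tests2} ${tests3} ${tests4}"
		;;
	    valgrind-2)
		LTESTS="${tests2}"
		;;
	    valgrind-3)
		LTESTS="${tests3}"
		;;
	    valgrind-4)
		LTESTS="${tests4}"
		;;
	    valgrind-unit)
		TEST_TARGET="unit USE_VALGRIND=1"
		;;
	esac
	;;
    zlib-develop)
	INSTALL_ZLIB=develop
	CONFIGFLAGS="--with-zlib=/opt/zlib --with-rpath=-Wl,-rpath,"
	;;
    *)
	echo "Unknown configuration $config" >&2
	exit 1
	;;
esac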
247
# The Solaris 64bit targets are special since they need a non-flag arg.
# "${config#sol64}" differs from "$config" exactly when the name starts
# with "sol64" (the same test as a sol64* case pattern).
if [ "${config#sol64}" != "$config" ]; then
	CONFIGFLAGS="--target=x86_64 --with-cflags=-m64 --with-ldflags=-m64 $CONFIGFLAGS"
	LIBCRYPTOFLAGS="--with-ssl-dir=/usr/local/ssl64 --with-rpath=-Wl,-rpath,"
fi
255
# Host-specific tweaks keyed on the CI target host name.  Most arms append
# to what the configuration above chose rather than replacing it.
case "${TARGET_HOST}" in
    aix*)
	# These are slow real or virtual machines so skip the slowest tests
	# (which tend to be the ones that transfer lots of data) so that the
	# test run does not time out.
	SKIP_LTESTS="rekey sftp"
	# The agent-restrict test fails due to some quoting issue when run
	# with sh or ksh so specify bash for now.
	TEST_TARGET="t-exec unit TEST_SHELL=bash"
	# NOTE(review): this replaces CONFIGFLAGS instead of appending to it
	# like the other hosts below -- confirm that is intended.
	CONFIGFLAGS="--disable-security-key"
	LIBCRYPTOFLAGS="--without-openssl"
	;;
    debian-riscv64)
	# This machine is fairly slow, so skip the unit tests.
	TEST_TARGET="t-exec"
	;;
    dfly58*|dfly60*)
	# scp 3-way connection hangs on these so skip until sorted.
	SKIP_LTESTS=scp3
	;;
    fbsd6|fbsd14-ppc64)
	# fbsd6: native linker is not great with PIC so OpenSSL is built w/out.
	# fbsd14-ppc64: disable security key tests for bigendian interop test.
	CONFIGFLAGS="$CONFIGFLAGS --disable-security-key"
	;;
    hurd)
	SKIP_LTESTS="forwarding multiplex proxy-connect hostkey-agent agent-ptrace"
	;;
    minix3)
	LIBCRYPTOFLAGS="--without-openssl"
	# Unix domain sockets don't work quite like we expect, so also
	# disable FD passing (and thus multiplexing).
	CONFIGFLAGS="$CONFIGFLAGS --disable-security-key --disable-fd-passing"

	# Minix does not have a loopback interface so we have to skip any
	# test that relies on one.
	# Also, Minix seems to be very limited in the number of select()
	# calls that can be operating concurrently, so prune additional tests for that.
	T="addrmatch agent-restrict brokenkeys cfgmatch cfgmatchlisten cfgparse
	    connect connect-uri dynamic-forward exit-status forwarding
	    forward-control
	    hostkey-agent key-options keyscan knownhosts-command login-timeout
	    reconfigure reexec rekey scp scp-uri scp3 sftp sftp-badcmds
	    sftp-batch sftp-cmds sftp-glob sftp-perm sftp-uri stderr-data
	    transfer penalty penalty-expire"
	# The unquoted expansion collapses the newlines and indentation above
	# into single spaces.
	SKIP_LTESTS=$(echo $T)
	SUDO=""
	TEST_TARGET=t-exec
	;;
    nbsd4)
	# System compiler will ICE on some files with fstack-protector
	# SHA256 functions in sha2.h conflict with OpenSSL's breaking sk-dummy
	CONFIGFLAGS="$CONFIGFLAGS --without-hardening --disable-security-key"
	;;
    openwrt-mipsel)
	# Test most of the flags that OpenWRT sets for their package build.
	# We only do this on one OpenWRT target for better coverage.
	# The installed shared libraries installed by default are stripped and
	# can't be linked to on the target systems.
	OPENWRT_FLAGS="--disable-strip --disable-lastlog
	   --disable-utmp --disable-utmpx --disable-wtmp --disable-wtmpx
	   --with-stackprotect --with-cflags-after=-fzero-call-used-regs=skip"
	CONFIGFLAGS="$CONFIGFLAGS $(echo $OPENWRT_FLAGS) --without-zlib --disable-security-key"
	LIBCRYPTOFLAGS="--without-openssl"
	TEST_TARGET="t-exec"
	;;
    openwrt-*)
	# Remaining OpenWRT targets: no zlib, no libcrypto, no security keys.
	TEST_TARGET="t-exec"
	LIBCRYPTOFLAGS="--without-openssl"
	CONFIGFLAGS="$CONFIGFLAGS --without-zlib --disable-security-key"
	;;
    sol10|sol11)
	# sol10 VM is 32bit and the unit tests are slow.
	# sol11 has 4 test configs so skip unit tests to speed up.
	TEST_TARGET="tests SKIP_UNIT=1"
	;;
    win10)
	# No sudo on Windows.
	SUDO=""
	;;
esac
341
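# Adjustments keyed on the build host as reported by config.guess.  If
# config.guess cannot be run, host is empty and no arm below matches.
host=$(./config.guess)
case "$host" in
*cygwin)
	SUDO=""
	# Don't run compat tests on cygwin as they don't currently compile.
	TEST_TARGET="tests"
	;;
*-darwin*)
	# Unless specified otherwise, build without OpenSSL on Mac OS since
	# modern versions don't ship with libcrypto.
	LIBCRYPTOFLAGS="--without-openssl"
	TEST_TARGET=t-exec

	# On some OS X runners we can't write to /var/empty.
	CONFIGFLAGS="${CONFIGFLAGS} --with-privsep-path=/usr/local/empty"

	case "$host" in
	*-darwin22.*)
		# sudo -S nobody doesn't work on macos 13 for some reason.
		SKIP_LTESTS="agent-getpeereid" ;;
	esac
	;;
esac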
365
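# Unless specifically configured, search for a suitable version of OpenSSL,
# otherwise build without it.  Only the fixed prefixes listed below are
# probed, and the last prefix whose "openssl version" is acceptable wins.
if [ -z "${LIBCRYPTOFLAGS}" ]; then
	LIBCRYPTOFLAGS="--without-openssl"
	for i in /usr /usr/local /usr/local/ssl /usr/local/opt/openssl; do
		ver="none"
		if [ -x "${i}/bin/openssl" ]; then
			# A binary that cannot report its version is treated
			# as absent rather than accepted by the catch-all arm.
			ver="$("${i}/bin/openssl" version)" || ver="none"
		fi
		# The explicitly listed versions are skipped; anything else
		# that reports a version is accepted.
		case "$ver" in
			none) ;;
			"OpenSSL 0."*|"OpenSSL 1.0."*|"OpenSSL 1.1.0"*) ;;
			"LibreSSL 2."*|"LibreSSL 3.0."*) ;;
			*) LIBCRYPTOFLAGS="--with-ssl-dir=${i}" ;;
		esac
	done
	# No libcrypto: run only the executable tests, as the
	# without-openssl configuration does.
	if [ "${LIBCRYPTOFLAGS}" = "--without-openssl" ]; then
		TEST_TARGET="t-exec"
	fi
fi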
387
# Fold the libcrypto selection into the configure options.
CONFIGFLAGS="$CONFIGFLAGS $LIBCRYPTOFLAGS"
389
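# Enable the PuTTY interop tests when plink is installed (command -v is
# the POSIX way to look a command up; which is not portable).
if [ -x "$(command -v plink 2>/dev/null)" ]; then
	REGRESS_INTEROP_PUTTY=yes
	export REGRESS_INTEROP_PUTTY
fi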
394
# Export the computed settings for the caller.
export CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO \
	TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS TEST_SSH_FAIL_FATAL
397