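#!/bin/sh
#
# usage: configs vmname test_config (or '' for default)
#
# NOTE(review): the usage line names two arguments, but only $1 is read
# below, as the test configuration. The host-specific section keys off the
# TARGET_HOST environment variable instead.
#
# Presumably meant to be sourced: several of the variables it sets are never
# exported, and an unknown configuration ends the shell with "exit 1".
#
# Sets the following variables:
# CONFIGFLAGS           options to ./configure
# SSHD_CONFOPTS         sshd_config options
# TEST_TARGET           make target used when testing.  defaults to "tests".
# LTESTS
#
# SSHD_CONFOPTS is only assigned by the PAM configurations and is not reset
# here, so a value inherited from the caller's environment survives for every
# other configuration.

config=$1
# The usage text promises that an empty argument selects the default
# configuration. Without this mapping an empty $1 reaches the catch-all arm
# of the case below and the script exits with "Unknown configuration".
if [ -z "$config" ]; then
        config="default"
fi

# Start from a clean slate so compiler and test settings inherited from the
# caller cannot leak into the selected configuration.
unset CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO

TEST_TARGET="tests"
LTESTS=""
SKIP_LTESTS=""
SUDO=sudo       # run with sudo by default
TEST_SSH_UNSAFE_PERMISSIONS=1
# Stop on first test failure to minimize logs
TEST_SSH_FAIL_FATAL=yes

CONFIGFLAGS=""
LIBCRYPTOFLAGS=""

# Per-configuration settings. Arm order matters: the specific names
# (clang-12-Werror, *-sanitize-*, gcc-11-Werror, pam-krb5) must stay ahead of
# the generic clang*|gcc* and *pam patterns that would otherwise match them.
case "$config" in
    default|sol64)
        ;;
    c89)
        CC="gcc"
        CFLAGS="-Wall -std=c89 -pedantic -Werror=vla"
        CONFIGFLAGS="--without-zlib"
        LIBCRYPTOFLAGS="--without-openssl"
        TEST_TARGET=t-exec
        ;;
    cygwin-release)
        # See https://cygwin.com/git/?p=git/cygwin-packages/openssh.git;a=blob;f=openssh.cygport;hb=HEAD
        CONFIGFLAGS="--with-xauth=/usr/bin/xauth --with-security-key-builtin"
        CONFIGFLAGS="$CONFIGFLAGS --with-kerberos5=/usr --with-libedit --disable-strip"
        ;;
    clang-12-Werror)
        CC="clang-12"
        # clang's implicit-fallthrough requires that the code be annotated with
        # __attribute__((fallthrough)) and does not understand /* FALLTHROUGH */
        CFLAGS="-Wall -Wextra -O2 -Wno-error=implicit-fallthrough -Wno-error=unused-parameter"
        CONFIGFLAGS="--with-pam --with-Werror"
        ;;
    *-sanitize-*)
        case "$config" in
            gcc-*)
                CC=gcc
                ;;
            clang-*)
                # Find the newest available version of clang: the loop keeps
                # overwriting CC, so the highest-numbered clang-N wins.
                # NOTE(review): if no clang-N is found, CC stays unset and
                # the build uses whatever compiler configure picks.
                for i in $(seq 10 99); do
                        clang="$(which "clang-$i" 2>/dev/null)"
                        [ -x "$clang" ] && CC="$clang"
                done
                ;;
        esac
        # Put Sanitizer logs in regress dir.
        SANLOGS=$(pwd)/regress
        # - We replace chroot with chdir so that the sanitizer in the preauth
        #   privsep process can read /proc.
        # - clang does not recognize explicit_bzero so we use bzero
        #   (see https://github.com/google/sanitizers/issues/1507).
        # - openssl and zlib trip ASAN.
        # - sp_pwdp returned by getspnam trips ASAN, hence disabling shadow.
        case "$config" in
            *-sanitize-address)
                CFLAGS="-fsanitize=address -fno-omit-frame-pointer"
                LDFLAGS="-fsanitize=address"
                CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -D_FORTIFY_SOURCE=0 -DASAN_OPTIONS=\"detect_leaks=0:log_path='$SANLOGS'/asan.log\"'
                CONFIGFLAGS=""
                TEST_TARGET="t-exec"
                ;;
            clang-sanitize-memory)
                CFLAGS="-fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer"
                LDFLAGS="-fsanitize=memory"
                CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -DMSAN_OPTIONS=\"log_path='$SANLOGS'/msan.log\"'
                CONFIGFLAGS="--without-openssl --without-zlib --without-shadow"
                TEST_TARGET="t-exec"
                ;;
            *-sanitize-undefined)
                CFLAGS="-fsanitize=undefined"
                LDFLAGS="-fsanitize=undefined"
                ;;
            *)
                echo unknown sanitize option;
                exit 1;;
        esac
        # Security caveat: these switches drop the sandbox, the hardening
        # flags and the stack protector, and make root the privsep user.
        # Together with -Dchroot=chdir above, the resulting binaries are for
        # instrumented test runs only and must never be installed or shipped.
        features="--disable-security-key --disable-pkcs11"
        hardening="--without-sandbox --without-hardening --without-stackprotect"
        privsep="--with-privsep-user=root"
        CONFIGFLAGS="$CONFIGFLAGS $features $hardening $privsep"
        # Because we hobble chroot we can't test it.
        SKIP_LTESTS=sftp-chroot
        ;;
    gcc-11-Werror)
        CC="gcc"
        # -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
        CFLAGS="-Wall -Wextra -O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter"
        CONFIGFLAGS="--with-pam --with-Werror"
        ;;
    clang*|gcc*)
        # Any other clang*/gcc* configuration name is used verbatim as the
        # compiler command.
        CC="$config"
        ;;
    kitchensink)
        CONFIGFLAGS="--with-kerberos5 --with-libedit --with-pam"
        CONFIGFLAGS="${CONFIGFLAGS} --with-security-key-builtin --with-selinux"
        CONFIGFLAGS="${CONFIGFLAGS} --with-cflags=-DSK_DEBUG"
        ;;
    hardenedmalloc)
        CONFIGFLAGS="--with-ldflags=-lhardened_malloc"
        ;;
    tcmalloc)
        CONFIGFLAGS="--with-ldflags=-ltcmalloc"
        ;;
    krb5|heimdal)
        CONFIGFLAGS="--with-kerberos5"
        ;;
    libedit)
        CONFIGFLAGS="--with-libedit"
        ;;
    musl)
        CC="musl-gcc"
        CONFIGFLAGS="--without-zlib"
        LIBCRYPTOFLAGS="--without-openssl"
        TEST_TARGET="t-exec"
        ;;
    pam-krb5)
        CONFIGFLAGS="--with-pam --with-kerberos5"
        SSHD_CONFOPTS="UsePam yes"
        ;;
    *pam)
        CONFIGFLAGS="--with-pam"
        SSHD_CONFOPTS="UsePam yes"
        ;;
    libressl-*)
        LIBCRYPTOFLAGS="--with-ssl-dir=/opt/libressl --with-rpath=-Wl,-rpath,"
        ;;
    openssl-*)
        LIBCRYPTOFLAGS="--with-ssl-dir=/opt/openssl --with-rpath=-Wl,-rpath,"
        ;;
    selinux)
        CONFIGFLAGS="--with-selinux"
        ;;
    sk)
        CONFIGFLAGS="--with-security-key-builtin"
        ;;
    without-openssl)
        LIBCRYPTOFLAGS="--without-openssl"
        TEST_TARGET=t-exec
        ;;
    valgrind-[1-4]|valgrind-unit)
        # rlimit sandbox and FORTIFY_SOURCE confuse Valgrind.
        # As with the sanitizer builds, a binary configured without the
        # sandbox and hardening is a test artifact, not something to deploy.
        CONFIGFLAGS="--without-sandbox --without-hardening"
        CONFIGFLAGS="$CONFIGFLAGS --with-cppflags=-D_FORTIFY_SOURCE=0"
        TEST_TARGET="t-exec USE_VALGRIND=1"
        TEST_SSH_ELAPSED_TIMES=1
        export TEST_SSH_ELAPSED_TIMES
        # Valgrind slows things down enough that the agent timeout test
        # won't reliably pass, and the unit tests run longer than allowed
        # by github so split into three separate tests.
        # NOTE(review): kextype is listed in both tests3 and tests4, so it
        # runs in valgrind-3 and again in valgrind-4.
        tests2="rekey integrity try-ciphers"
        tests3="krl forward-control sshsig agent-restrict kextype sftp"
        tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment percent"
        case "$config" in
            valgrind-1)
                # All tests except agent-timeout (which is flaky under valgrind)
                # and hostbased (since valgrind won't let ssh exec keysign).
                # Slow ones are run separately to increase parallelism.
                SKIP_LTESTS="agent-timeout hostbased ${tests2} ${tests3} ${tests4}"
                ;;
            valgrind-2)
                LTESTS="${tests2}"
                ;;
            valgrind-3)
                LTESTS="${tests3}"
                ;;
            valgrind-4)
                LTESTS="${tests4}"
                ;;
            valgrind-unit)
                TEST_TARGET="unit USE_VALGRIND=1"
                ;;
        esac
        ;;
    *)
        echo "Unknown configuration $config"
        exit 1
        ;;
esac

# The Solaris 64bit targets are special since they need a non-flag arg.
case "$config" in
    sol64*)
        CONFIGFLAGS="x86_64 --with-cflags=-m64 --with-ldflags=-m64 ${CONFIGFLAGS}"
        LIBCRYPTOFLAGS="--with-ssl-dir=/usr/local/ssl64"
        ;;
esac

# Host-specific adjustments, keyed on TARGET_HOST from the environment.
# An unset or unrecognised TARGET_HOST matches no arm and changes nothing.
case "${TARGET_HOST}" in
    aix*)
        # These are slow real or virtual machines so skip the slowest tests
        # (which tend to be the ones that transfer lots of data) so that the
        # test run does not time out.
        # The agent-restrict test fails due to some quoting issue when run
        # with sh or ksh so specify bash for now.
        TEST_TARGET="t-exec TEST_SHELL=bash"
        SKIP_LTESTS="rekey sftp"
        ;;
    dfly58*|dfly60*)
        # scp 3-way connection hangs on these so skip until sorted.
        SKIP_LTESTS=scp3
        ;;
    fbsd6)
        # Native linker is not great with PIC so OpenSSL is built w/out.
        CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
        ;;
    hurd)
        SKIP_LTESTS="forwarding multiplex proxy-connect hostkey-agent agent-ptrace"
        ;;
    minix3)
        LIBCRYPTOFLAGS="--without-openssl --disable-security-key"
        # Minix does not have a loopback interface so we have to skip any
        # test that relies on one.
        # Also, Minix seems to be very limited in the number of select()
        # calls that can be operating concurrently, so prune additional tests for that.
        T="addrmatch agent-restrict brokenkeys cfgmatch cfgmatchlisten cfgparse connect
            connect-uri exit-status forward-control forwarding hostkey-agent
            key-options keyscan knownhosts-command login-timeout multiplex
            reconfigure reexec rekey scp scp-uri scp3 sftp sftp-badcmds
            sftp-batch sftp-cmds sftp-glob sftp-perm sftp-uri stderr-data
            transfer"
        # $T is deliberately unquoted: word splitting folds the newlines and
        # indentation of the list above into single spaces.
        SKIP_LTESTS="$(echo $T)"
        TEST_TARGET=t-exec
        SUDO=""
        ;;
    nbsd4)
        # System compiler will ICE on some files with fstack-protector
        # SHA256 functions in sha2.h conflict with OpenSSL's breaking sk-dummy
        CONFIGFLAGS="${CONFIGFLAGS} --without-hardening --disable-security-key"
        ;;
    openwrt-*)
        CONFIGFLAGS="${CONFIGFLAGS} --without-openssl --without-zlib"
        TEST_TARGET="t-exec"
        ;;
    sol10|sol11)
        # sol10 VM is 32bit and the unit tests are slow.
        # sol11 has 4 test configs so skip unit tests to speed up.
        TEST_TARGET="tests SKIP_UNIT=1"
        ;;
    win10)
        # No sudo on Windows.
        SUDO=""
        ;;
esac

# Build-platform adjustments based on what ./config.guess reports. If the
# helper is missing from the current directory the substitution is empty and
# no arm matches.
case "$(./config.guess)" in
*cygwin)
        SUDO=""
        ;;
*-darwin*)
        # Unless specified otherwise, build without OpenSSL on Mac OS since
        # modern versions don't ship with libcrypto.
        LIBCRYPTOFLAGS="--without-openssl"
        TEST_TARGET=t-exec
        ;;
esac

# If we have a local openssl/libressl, use that.
if [ -z "${LIBCRYPTOFLAGS}" ]; then
        # last-match: every candidate is checked, so the final directory that
        # holds an executable bin/openssl is the one that gets used.
        for i in /usr/local /usr/local/ssl /usr/local/opt/openssl; do
                if [ -x "${i}/bin/openssl" ]; then
                        LIBCRYPTOFLAGS="--with-ssl-dir=${i}"
                fi
        done
fi

CONFIGFLAGS="${CONFIGFLAGS} ${LIBCRYPTOFLAGS}"

# Turn on the PuTTY interop tests only when plink is on PATH.
if [ -x "$(which plink 2>/dev/null)" ]; then
        REGRESS_INTEROP_PUTTY=yes
        export REGRESS_INTEROP_PUTTY
fi

# Only these are exported. CONFIGFLAGS, SSHD_CONFOPTS and SKIP_LTESTS stay
# plain shell variables, visible to a caller that sources this file.
export CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
export TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS TEST_SSH_FAIL_FATAL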