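#!/bin/sh
#
# usage: configs test_config
#
# Selects compiler, ./configure and regress-test settings for one CI
# configuration.
#
# Inputs read by this script:
# $1                    test configuration name (e.g. "default", "c89",
#                       "valgrind-1").  An unrecognised name exits with
#                       status 1.
# TARGET_HOST           optional environment variable naming the test host;
#                       selects the per-host overrides further down.
#
# NOTE(review): the header used to read "usage: configs vmname test_config
# (or '' for default)", but only $1 is read here and an empty $1 falls through
# to "Unknown configuration" - confirm how callers invoke this.
#
# Sets the following variables:
# CONFIGFLAGS           options to ./configure
# SSHD_CONFOPTS         sshd_config options (only assigned by the PAM configs;
#                       otherwise whatever the caller's environment held)
# TEST_TARGET           make target used when testing.  defaults to "tests".
# LTESTS                regress tests to run; empty unless a config picks a
#                       subset
# SKIP_LTESTS           regress tests to skip
#
# CONFIGFLAGS, SSHD_CONFOPTS and SKIP_LTESTS are assigned but never exported
# here, so this file is presumably sourced by the CI driver rather than
# executed - confirm against the caller.  If it is sourced, the "exit 1"
# paths below also terminate the sourcing shell.
#
# Security note: several configurations below deliberately weaken the build
# so that test tooling can run (sandbox, hardening and stack protector
# disabled, _FORTIFY_SOURCE=0, chroot replaced by chdir, privsep user set to
# root).  These flag sets are for CI test builds only and must not be copied
# into a build that will be deployed.

config=$1

unset CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO

TEST_TARGET="tests"
LTESTS=""
SKIP_LTESTS=""
SUDO=sudo	# run with sudo by default
# Exported at the end of this file for the regress suite, which is not shown
# here; going by the name it relaxes permission checks, so treat it as
# test-only - TODO confirm exact effect.
TEST_SSH_UNSAFE_PERMISSIONS=1
# Stop on first test failure to minimize logs
TEST_SSH_FAIL_FATAL=yes

CONFIGFLAGS=""
LIBCRYPTOFLAGS=""

case "$config" in
    default|sol64)
	;;
    c89)
	CC="gcc"
	CFLAGS="-Wall -std=c89 -pedantic -Werror=vla"
	CONFIGFLAGS="--without-zlib"
	LIBCRYPTOFLAGS="--without-openssl"
	TEST_TARGET=t-exec
	;;
    cygwin-release)
	# See https://cygwin.com/git/?p=git/cygwin-packages/openssh.git;a=blob;f=openssh.cygport;hb=HEAD
	CONFIGFLAGS="--with-xauth=/usr/bin/xauth --with-security-key-builtin"
	CONFIGFLAGS="$CONFIGFLAGS --with-kerberos5=/usr --with-libedit --disable-strip"
	;;
    clang-12-Werror)
	CC="clang-12"
	# clang's implicit-fallthrough requires that the code be annotated with
	# __attribute__((fallthrough)) and does not understand /* FALLTHROUGH */
	CFLAGS="-Wall -Wextra -O2 -Wno-error=implicit-fallthrough -Wno-error=unused-parameter"
	CONFIGFLAGS="--with-pam --with-Werror"
	;;
    *-sanitize-*)
	case "$config" in
	gcc-*)
		CC=gcc
		;;
	clang-*)
		# Find the newest available version of clang.  The loop keeps
		# the last hit, i.e. the highest clang-NN that is executable.
		for i in $(seq 10 99); do
		    clang="$(which "clang-$i" 2>/dev/null)"
		    [ -x "$clang" ] && CC="$clang"
		done
		# CC was unset at the top of this file, so an empty value here
		# means no versioned clang was found; presumably ./configure
		# would then pick its default compiler and the job would no
		# longer exercise clang's sanitizers.  Make that visible.
		[ -n "${CC:-}" ] || \
		    echo "warning: no clang-NN found for $config" >&2
		;;
	esac
	# Put Sanitizer logs in regress dir.
	SANLOGS=$(pwd)/regress
	# - We replace chroot with chdir so that the sanitizer in the preauth
	#   privsep process can read /proc.
	# - clang does not recognize explicit_bzero so we use bzero
	#   (see https://github.com/google/sanitizers/issues/1507)
	# - openssl and zlib trip ASAN.
	# - sp_pwdp returned by getspnam trips ASAN, hence disabling shadow.
	# These -D overrides remove real protections (chroot confinement,
	# non-elidable zeroing, fortify checks) and exist only so the
	# sanitizers can run.
	case "$config" in
	*-sanitize-address)
	    CFLAGS="-fsanitize=address -fno-omit-frame-pointer"
	    LDFLAGS="-fsanitize=address"
	    CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -D_FORTIFY_SOURCE=0 -DASAN_OPTIONS=\"detect_leaks=0:log_path='$SANLOGS'/asan.log\"'
	    CONFIGFLAGS=""
	    TEST_TARGET="t-exec"
	    ;;
	clang-sanitize-memory)
	    CFLAGS="-fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer"
	    LDFLAGS="-fsanitize=memory"
	    CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -DMSAN_OPTIONS=\"log_path='$SANLOGS'/msan.log\"'
	    CONFIGFLAGS="--without-openssl --without-zlib --without-shadow"
	    TEST_TARGET="t-exec"
	    ;;
	*-sanitize-undefined)
	    CFLAGS="-fsanitize=undefined"
	    LDFLAGS="-fsanitize=undefined"
	    ;;
	*)
	    # Diagnostics go to stderr and name the offending config.
	    echo "unknown sanitize option $config" >&2
	    exit 1
	    ;;
	esac
	# Test-only: the sanitizer builds turn off the sandbox, hardening flags
	# and stack protector, and run the privsep child as root.
	features="--disable-security-key --disable-pkcs11"
	hardening="--without-sandbox --without-hardening --without-stackprotect"
	privsep="--with-privsep-user=root"
	CONFIGFLAGS="$CONFIGFLAGS $features $hardening $privsep"
	# Because we hobble chroot we can't test it.
	SKIP_LTESTS=sftp-chroot
	;;
    gcc-11-Werror)
	CC="gcc"
	# -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
	CFLAGS="-Wall -Wextra -O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter"
	CONFIGFLAGS="--with-pam --with-Werror"
	;;
    clang*|gcc*)
	# Any other clang*/gcc* name is used verbatim as the compiler command.
	CC="$config"
	;;
    kitchensink)
	CONFIGFLAGS="--with-kerberos5 --with-libedit --with-pam"
	CONFIGFLAGS="${CONFIGFLAGS} --with-security-key-builtin --with-selinux"
	CONFIGFLAGS="${CONFIGFLAGS} --with-cflags=-DSK_DEBUG"
	;;
    hardenedmalloc)
	CONFIGFLAGS="--with-ldflags=-lhardened_malloc"
	;;
    tcmalloc)
	CONFIGFLAGS="--with-ldflags=-ltcmalloc"
	;;
    krb5|heimdal)
	CONFIGFLAGS="--with-kerberos5"
	;;
    libedit)
	CONFIGFLAGS="--with-libedit"
	;;
    musl)
	CC="musl-gcc"
	CONFIGFLAGS="--without-zlib"
	LIBCRYPTOFLAGS="--without-openssl"
	TEST_TARGET="t-exec"
	;;
    pam-krb5)
	CONFIGFLAGS="--with-pam --with-kerberos5"
	SSHD_CONFOPTS="UsePam yes"
	;;
    *pam)
	CONFIGFLAGS="--with-pam"
	SSHD_CONFOPTS="UsePam yes"
	;;
    libressl-*)
	LIBCRYPTOFLAGS="--with-ssl-dir=/opt/libressl --with-rpath=-Wl,-rpath,"
	;;
    openssl-*)
	LIBCRYPTOFLAGS="--with-ssl-dir=/opt/openssl --with-rpath=-Wl,-rpath,"
	;;
    selinux)
	CONFIGFLAGS="--with-selinux"
	;;
    sk)
	CONFIGFLAGS="--with-security-key-builtin"
	;;
    without-openssl)
	LIBCRYPTOFLAGS="--without-openssl"
	TEST_TARGET=t-exec
	;;
    valgrind-[1-4]|valgrind-unit)
	# rlimit sandbox and FORTIFY_SOURCE confuse Valgrind.
	# Test-only: this disables the sandbox and hardening flags.
	CONFIGFLAGS="--without-sandbox --without-hardening"
	CONFIGFLAGS="$CONFIGFLAGS --with-cppflags=-D_FORTIFY_SOURCE=0"
	TEST_TARGET="t-exec USE_VALGRIND=1"
	TEST_SSH_ELAPSED_TIMES=1
	export TEST_SSH_ELAPSED_TIMES
	# Valgrind slows things down enough that the agent timeout test
	# won't reliably pass, and the unit tests run longer than allowed
	# by github so split into three separate tests.
	# NOTE(review): "kextype" is listed in both tests3 and tests4, so it
	# runs in valgrind-3 and again in valgrind-4 - confirm that is wanted.
	tests2="rekey integrity try-ciphers"
	tests3="krl forward-control sshsig agent-restrict kextype sftp"
	tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment percent"
	case "$config" in
	    valgrind-1)
		# All tests except agent-timeout (which is flaky under valgrind)
		# and hostbased (since valgrind won't let ssh exec keysign).
		# Slow ones are run separately to increase parallelism.
		SKIP_LTESTS="agent-timeout hostbased ${tests2} ${tests3} ${tests4}"
		;;
	    valgrind-2)
		LTESTS="${tests2}"
		;;
	    valgrind-3)
		LTESTS="${tests3}"
		;;
	    valgrind-4)
		LTESTS="${tests4}"
		;;
	    valgrind-unit)
		TEST_TARGET="unit USE_VALGRIND=1"
		;;
	esac
	;;
    *)
	# Diagnostics go to stderr so they are not mixed into captured stdout.
	echo "Unknown configuration $config" >&2
	exit 1
	;;
esac

# The Solaris 64bit targets are special since they need a non-flag arg.
case "$config" in
    sol64*)
	CONFIGFLAGS="x86_64 --with-cflags=-m64 --with-ldflags=-m64 ${CONFIGFLAGS}"
	LIBCRYPTOFLAGS="--with-ssl-dir=/usr/local/ssl64"
	;;
esac

# Per-host overrides, keyed on the TARGET_HOST environment variable.
case "${TARGET_HOST}" in
    aix*)
	# These are slow real or virtual machines so skip the slowest tests
	# (which tend to be the ones that transfer lots of data) so that the
	# test run does not time out.
	# The agent-restrict test fails due to some quoting issue when run
	# with sh or ksh so specify bash for now.
	TEST_TARGET="t-exec TEST_SHELL=bash"
	SKIP_LTESTS="rekey sftp"
	;;
    dfly58*|dfly60*)
	# scp 3-way connection hangs on these so skip until sorted.
	SKIP_LTESTS=scp3
	;;
    fbsd6)
	# Native linker is not great with PIC so OpenSSL is built w/out.
	CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
	;;
    hurd)
	SKIP_LTESTS="forwarding multiplex proxy-connect hostkey-agent agent-ptrace"
	;;
    minix3)
	LIBCRYPTOFLAGS="--without-openssl --disable-security-key"
	# Minix does not have a loopback interface so we have to skip any
	# test that relies on one.
	# Also, Minix seems to be very limited in the number of select()
	# calls that can be operating concurrently, so prune additional tests for that.
	T="addrmatch agent-restrict brokenkeys cfgmatch cfgmatchlisten cfgparse connect
	    connect-uri exit-status forward-control forwarding hostkey-agent
	    key-options keyscan knownhosts-command login-timeout multiplex
	    reconfigure reexec rekey scp scp-uri scp3 sftp sftp-badcmds
	    sftp-batch sftp-cmds sftp-glob sftp-perm sftp-uri stderr-data
	    transfer"
	# $T is deliberately unquoted: word splitting collapses the newlines
	# and indentation above into single spaces.
	SKIP_LTESTS="$(echo $T)"
	TEST_TARGET=t-exec
	SUDO=""
	;;
    nbsd4)
	# System compiler will ICE on some files with fstack-protector
	# SHA256 functions in sha2.h conflict with OpenSSL's breaking sk-dummy
	CONFIGFLAGS="${CONFIGFLAGS} --without-hardening --disable-security-key"
	;;
    openwrt-*)
	CONFIGFLAGS="${CONFIGFLAGS} --without-openssl --without-zlib"
	TEST_TARGET="t-exec"
	;;
    sol10|sol11)
	# sol10 VM is 32bit and the unit tests are slow.
	# sol11 has 4 test configs so skip unit tests to speed up.
	TEST_TARGET="tests SKIP_UNIT=1"
	;;
    win10)
	# No sudo on Windows.
	SUDO=""
	;;
esac

# Overrides keyed on the build platform reported by ./config.guess, which is
# run from the current directory.
case "$(./config.guess)" in
*cygwin)
	SUDO=""
	;;
*-darwin*)
	# Unless specified otherwise, build without OpenSSL on Mac OS since
	# modern versions don't ship with libcrypto.
	LIBCRYPTOFLAGS="--without-openssl"
	TEST_TARGET=t-exec
	;;
esac

# If we have a local openssl/libressl, use that.
if [ -z "${LIBCRYPTOFLAGS}" ]; then
	# last-match: every directory is checked and the last one that holds
	# an executable bin/openssl wins.
	for i in /usr/local /usr/local/ssl /usr/local/opt/openssl; do
		if [ -x "${i}/bin/openssl" ]; then
			LIBCRYPTOFLAGS="--with-ssl-dir=${i}"
		fi
	done
fi

CONFIGFLAGS="${CONFIGFLAGS} ${LIBCRYPTOFLAGS}"

# Enable the PuTTY interop tests only when plink is installed.
if [ -x "$(which plink 2>/dev/null)" ]; then
	REGRESS_INTEROP_PUTTY=yes
	export REGRESS_INTEROP_PUTTY
fi

export CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
export TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS TEST_SSH_FAIL_FATAL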