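#!/bin/sh
#
# usage: configs vmname test_config (or '' for default)
# NOTE(review): the code takes the test config from $1 and the target from
# the TARGET_HOST environment variable, so the usage line looks stale --
# confirm against the callers.
#
# Sets the following variables:
# CONFIGFLAGS     options to ./configure
# SSHD_CONFOPTS   sshd_config options
# TEST_TARGET     make target used when testing.  defaults to
#                 "tests compat-tests".
# LTESTS          tests selected for this config (empty unless a config
#                 names a subset)
# SKIP_LTESTS     tests left out for this config

config=$1
if [ -z "$config" ]; then
  config="default"
fi

# Drop values inherited from the caller so they cannot leak into the build.
# NOTE(review): SSHD_CONFOPTS is documented above as set by this file but is
# not cleared here; only the pam arms assign it, so an inherited value
# survives for every other config -- confirm that is intended.
unset CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO

TEST_TARGET="tests compat-tests"
LTESTS=""
SKIP_LTESTS=""
SUDO=sudo	# run with sudo by default
# NOTE(review): the name suggests this relaxes a permissions check in the
# test harness; its consumer is outside this file -- confirm.
TEST_SSH_UNSAFE_PERMISSIONS=1
# Stop on first test failure to minimize logs
TEST_SSH_FAIL_FATAL=yes

CONFIGFLAGS=""
LIBCRYPTOFLAGS=""

# Arms are matched in order, so the specific names (clang-12-Werror,
# *-sanitize-*, gcc-11-Werror, pam-krb5) must stay ahead of the generic
# clang*|gcc* and *pam patterns.
case "$config" in
  default|sol64)
    ;;
  c89)
    # If we don't have LLONG_MAX, configure will figure out that it can
    # get it by setting -std=gnu99, at which point we won't be testing
    # C89 any more.  To avoid this, feed it in via CFLAGS.
    llong_max=$(gcc -E -dM - </dev/null |
      awk '$2=="__LONG_LONG_MAX__"{print $3}')
    CPPFLAGS="-DLLONG_MAX=${llong_max}"

    CC="gcc"
    CFLAGS="-Wall -std=c89 -pedantic -Werror=vla"
    CONFIGFLAGS="--without-zlib"
    LIBCRYPTOFLAGS="--without-openssl"
    TEST_TARGET=t-exec
    ;;
  cygwin-release)
    # See https://cygwin.com/git/?p=git/cygwin-packages/openssh.git;a=blob;f=openssh.cygport;hb=HEAD
    CONFIGFLAGS="--with-xauth=/usr/bin/xauth --with-security-key-builtin"
    CONFIGFLAGS="$CONFIGFLAGS --with-kerberos5=/usr --with-libedit --disable-strip"
    ;;
  clang-12-Werror)
    CC="clang-12"
    # clang's implicit-fallthrough requires that the code be annotated with
    # __attribute__((fallthrough)) and does not understand /* FALLTHROUGH */
    CFLAGS="-Wall -Wextra -O2 -Wno-error=implicit-fallthrough -Wno-error=unused-parameter"
    CONFIGFLAGS="--with-pam --with-Werror"
    ;;
  *-sanitize-*)
    case "$config" in
      gcc-*)
        CC=gcc
        ;;
      clang-*)
        # Find the newest available version of clang: the loop counts
        # upwards, so the highest-numbered clang-N found wins.
        for i in $(seq 10 99); do
          clang="$(which "clang-$i" 2>/dev/null)"
          [ -x "$clang" ] && CC="$clang"
        done
        ;;
    esac
    # Put Sanitizer logs in regress dir.
    SANLOGS="$(pwd)/regress"
    # - We replace chroot with chdir so that the sanitizer in the preauth
    #   privsep process can read /proc.
    # - clang does not recognize explicit_bzero so we use bzero
    #   (see https://github.com/google/sanitizers/issues/1507)
    # - openssl and zlib trip ASAN.
    # - sp_pwdp returned by getspnam trips ASAN, hence disabling shadow.
    case "$config" in
      *-sanitize-address)
        CFLAGS="-fsanitize=address -fno-omit-frame-pointer"
        LDFLAGS="-fsanitize=address"
        CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -D_FORTIFY_SOURCE=0 -DASAN_OPTIONS=\"detect_leaks=0:log_path='$SANLOGS'/asan.log\"'
        CONFIGFLAGS=""
        TEST_TARGET="t-exec"
        ;;
      clang-sanitize-memory)
        CFLAGS="-fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer"
        LDFLAGS="-fsanitize=memory"
        CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -DMSAN_OPTIONS=\"log_path='$SANLOGS'/msan.log\"'
        CONFIGFLAGS="--without-zlib --without-shadow"
        LIBCRYPTOFLAGS="--without-openssl"
        TEST_TARGET="t-exec"
        ;;
      *-sanitize-undefined)
        CFLAGS="-fsanitize=undefined"
        LDFLAGS="-fsanitize=undefined"
        ;;
      *)
        echo unknown sanitize option;
        exit 1;;
    esac
    # These flags build without the sandbox, hardening and stack protector
    # and set the privsep user to root; combined with -Dchroot=chdir above
    # this is an instrumentation-only build and its binaries should never
    # be installed or reused outside the test run.
    features="--disable-security-key --disable-pkcs11"
    hardening="--without-sandbox --without-hardening --without-stackprotect"
    privsep="--with-privsep-user=root"
    CONFIGFLAGS="$CONFIGFLAGS $features $hardening $privsep"
    # Because we hobble chroot we can't test it.
    SKIP_LTESTS=sftp-chroot
    ;;
  gcc-11-Werror)
    CC="gcc"
    # -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
    CFLAGS="-Wall -Wextra -O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter"
    CONFIGFLAGS="--with-pam --with-Werror"
    ;;
  clang*|gcc*)
    # The config name itself is used as the compiler command.
    CC="$config"
    ;;
  kitchensink)
    CONFIGFLAGS="--with-kerberos5 --with-libedit --with-pam"
    CONFIGFLAGS="${CONFIGFLAGS} --with-security-key-builtin --with-selinux"
    CFLAGS="-DSK_DEBUG -DSANDBOX_SECCOMP_FILTER_DEBUG"
    ;;
  hardenedmalloc)
    CONFIGFLAGS="--with-ldflags=-lhardened_malloc"
    ;;
  tcmalloc)
    CONFIGFLAGS="--with-ldflags=-ltcmalloc"
    ;;
  krb5|heimdal)
    CONFIGFLAGS="--with-kerberos5"
    ;;
  libedit)
    CONFIGFLAGS="--with-libedit"
    ;;
  musl)
    CC="musl-gcc"
    CONFIGFLAGS="--without-zlib"
    LIBCRYPTOFLAGS="--without-openssl"
    TEST_TARGET="t-exec"
    ;;
  pam-krb5)
    CONFIGFLAGS="--with-pam --with-kerberos5"
    SSHD_CONFOPTS="UsePam yes"
    ;;
  *pam)
    CONFIGFLAGS="--with-pam"
    SSHD_CONFOPTS="UsePam yes"
    ;;
  boringssl)
    CONFIGFLAGS="--disable-pkcs11"
    LIBCRYPTOFLAGS="--with-ssl-dir=/opt/boringssl --with-rpath=-Wl,-rpath,"
    ;;
  libressl-*)
    LIBCRYPTOFLAGS="--with-ssl-dir=/opt/libressl --with-rpath=-Wl,-rpath,"
    ;;
  openssl-*)
    LIBCRYPTOFLAGS="--with-ssl-dir=/opt/openssl --with-rpath=-Wl,-rpath,"
    # OpenSSL 1.1.1 specifically has a bug in its RNG that breaks reexec
    # fallback.  See https://bugzilla.mindrot.org/show_bug.cgi?id=3483
    if [ "$config" = "openssl-1.1.1" ]; then
      SKIP_LTESTS="reexec"
    fi
    ;;
  selinux)
    CONFIGFLAGS="--with-selinux"
    ;;
  sk)
    CONFIGFLAGS="--with-security-key-builtin"
    ;;
  without-openssl)
    LIBCRYPTOFLAGS="--without-openssl"
    TEST_TARGET=t-exec
    ;;
  valgrind-[1-5]|valgrind-unit)
    # rlimit sandbox and FORTIFY_SOURCE confuse Valgrind.
    CONFIGFLAGS="--without-sandbox --without-hardening"
    CONFIGFLAGS="$CONFIGFLAGS --with-cppflags=-D_FORTIFY_SOURCE=0"
    TEST_TARGET="t-exec USE_VALGRIND=1"
    TEST_SSH_ELAPSED_TIMES=1
    export TEST_SSH_ELAPSED_TIMES
    # Valgrind slows things down enough that the agent timeout test
    # won't reliably pass, and the unit tests run longer than allowed
    # by github so split into separate tests.
    tests2="integrity try-ciphers"
    tests3="krl forward-control sshsig agent-restrict kextype sftp"
    tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment percent"
    tests5="rekey"
    case "$config" in
      valgrind-1)
        # All tests except agent-timeout (which is flaky under valgrind),
        # connection-timeout (which doesn't work since it's so slow)
        # and hostbased (since valgrind won't let ssh exec keysign).
        # Slow ones are run separately to increase parallelism.
        SKIP_LTESTS="agent-timeout connection-timeout hostbased"
        SKIP_LTESTS="$SKIP_LTESTS ${tests2} ${tests3} ${tests4} ${tests5}"
        ;;
      valgrind-2)
        LTESTS="${tests2}"
        ;;
      valgrind-3)
        LTESTS="${tests3}"
        ;;
      valgrind-4)
        LTESTS="${tests4}"
        ;;
      valgrind-5)
        LTESTS="${tests5}"
        ;;
      valgrind-unit)
        TEST_TARGET="unit USE_VALGRIND=1"
        ;;
    esac
    ;;
  zlib-develop)
    INSTALL_ZLIB=develop
    CONFIGFLAGS="--with-zlib=/opt/zlib --with-rpath=-Wl,-rpath,"
    ;;
  *)
    echo "Unknown configuration $config"
    exit 1
    ;;
esac

# The Solaris 64bit targets are special since they need a non-flag arg.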
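case "$config" in
  sol64*)
    # Prepended so the --target argument comes before the other flags.
    CONFIGFLAGS="--target=x86_64 --with-cflags=-m64 --with-ldflags=-m64 ${CONFIGFLAGS}"
    LIBCRYPTOFLAGS="--with-ssl-dir=/usr/local/ssl64 --with-rpath=-Wl,-rpath,"
    ;;
esac

# Per-target adjustments keyed on the TARGET_HOST environment variable.
# NOTE(review): several arms (aix, dfly, hurd, minix3) assign CONFIGFLAGS or
# SKIP_LTESTS outright rather than appending, which discards whatever the
# config case chose earlier -- confirm that is intended.
case "${TARGET_HOST}" in
  aix*)
    CONFIGFLAGS="--disable-security-key"
    LIBCRYPTOFLAGS="--without-openssl"
    # These are slow real or virtual machines so skip the slowest tests
    # (which tend to be the ones that transfer lots of data) so that the
    # test run does not time out.
    # The agent-restrict test fails due to some quoting issue when run
    # with sh or ksh so specify bash for now.
    TEST_TARGET="t-exec unit TEST_SHELL=bash"
    SKIP_LTESTS="rekey sftp"
    ;;
  debian-riscv64)
    # This machine is fairly slow, so skip the unit tests.
    TEST_TARGET="t-exec"
    ;;
  dfly58*|dfly60*)
    # scp 3-way connection hangs on these so skip until sorted.
    SKIP_LTESTS=scp3
    ;;
  fbsd6)
    # Native linker is not great with PIC so OpenSSL is built w/out.
    CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
    ;;
  hurd)
    SKIP_LTESTS="forwarding multiplex proxy-connect hostkey-agent agent-ptrace"
    ;;
  minix3)
    CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
    LIBCRYPTOFLAGS="--without-openssl"
    # Minix does not have a loopback interface so we have to skip any
    # test that relies on one.
    # Also, Minix seems to be very limited in the number of select()
    # calls that can be operating concurrently, so prune additional tests for that.
    T="addrmatch agent-restrict brokenkeys cfgmatch cfgmatchlisten cfgparse
      connect connect-uri exit-status forwarding hostkey-agent
      key-options keyscan knownhosts-command login-timeout
      reconfigure reexec rekey scp scp-uri scp3 sftp sftp-badcmds
      sftp-batch sftp-cmds sftp-glob sftp-perm sftp-uri stderr-data
      transfer"
    # Unix domain sockets don't work quite like we expect, so also skip any tests
    # that use multiplexing.
    T="$T connection-timeout dynamic-forward forward-control multiplex"
    # $T is deliberately unquoted: word splitting folds the embedded
    # newlines and indentation into single spaces.
    SKIP_LTESTS="$(echo $T)"
    TEST_TARGET=t-exec
    SUDO=""
    ;;
  nbsd4)
    # System compiler will ICE on some files with fstack-protector
    # SHA256 functions in sha2.h conflict with OpenSSL's breaking sk-dummy
    CONFIGFLAGS="${CONFIGFLAGS} --without-hardening --disable-security-key"
    ;;
  openwrt-*)
    CONFIGFLAGS="${CONFIGFLAGS} --without-zlib"
    LIBCRYPTOFLAGS="--without-openssl"
    TEST_TARGET="t-exec"
    ;;
  sol10|sol11)
    # sol10 VM is 32bit and the unit tests are slow.
    # sol11 has 4 test configs so skip unit tests to speed up.
    TEST_TARGET="tests SKIP_UNIT=1"
    ;;
  win10)
    # No sudo on Windows.
    SUDO=""
    ;;
esac

# Adjustments keyed on the host triplet printed by ./config.guess, which is
# resolved relative to the current directory.
host=$(./config.guess)
case "$host" in
  *cygwin)
    SUDO=""
    # Don't run compat tests on cygwin as they don't currently compile.
    TEST_TARGET="tests"
    ;;
  *-darwin*)
    # Unless specified otherwise, build without OpenSSL on Mac OS since
    # modern versions don't ship with libcrypto.
    LIBCRYPTOFLAGS="--without-openssl"
    TEST_TARGET=t-exec
    case "$host" in
      *-darwin22.*)
        # sudo -S nobody doesn't work on macos 13 for some reason.
        # NOTE(review): this replaces any SKIP_LTESTS set above rather
        # than appending to it -- confirm.
        SKIP_LTESTS="agent-getpeereid" ;;
    esac
    ;;
esac

# Unless specifically configured, search for a suitable version of OpenSSL,
# otherwise build without it.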
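if [ -z "${LIBCRYPTOFLAGS}" ]; then
  LIBCRYPTOFLAGS="--without-openssl"
  # last-match: every directory is probed and a later acceptable hit
  # overwrites an earlier one, so the order of this list is a priority
  # order with the last entry winning.
  for i in /usr /usr/local /usr/local/ssl /usr/local/opt/openssl; do
    ver="none"
    if [ -x "${i}/bin/openssl" ]; then
      ver="$("${i}/bin/openssl" version)"
    fi
    case "$ver" in
      # An executable that prints no version string is treated like a
      # missing one instead of falling through to the accept arm.
      none|"") ;;
      # Versions that are passed over.
      "OpenSSL 0."*|"OpenSSL 1.0."*|"OpenSSL 1.1.0"*) ;;
      "LibreSSL 2."*|"LibreSSL 3.0."*) ;;
      *) LIBCRYPTOFLAGS="--with-ssl-dir=${i}" ;;
    esac
  done
  # Without a libcrypto only the t-exec target is run.
  if [ "${LIBCRYPTOFLAGS}" = "--without-openssl" ]; then
    TEST_TARGET="t-exec"
  fi
fi

CONFIGFLAGS="${CONFIGFLAGS} ${LIBCRYPTOFLAGS}"

# Turn on the PuTTY interop tests only when a plink executable is on PATH.
if [ -x "$(which plink 2>/dev/null)" ]; then
  REGRESS_INTEROP_PUTTY=yes
  export REGRESS_INTEROP_PUTTY
fi

# CONFIGFLAGS, SSHD_CONFOPTS and SKIP_LTESTS are not exported here, so they
# reach only a caller that sources this file.
export CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
export TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS TEST_SSH_FAIL_FATAL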