1#!/bin/sh 2# 3# usage: configs vmname test_config (or '' for default) 4# 5# Sets the following variables: 6# CONFIGFLAGS options to ./configure 7# SSHD_CONFOPTS sshd_config options 8# TEST_TARGET make target used when testing. defaults to "tests". 9# LTESTS 10 11config=$1 12if [ "$config" = "" ]; then 13 config="default" 14fi 15 16unset CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO 17 18TEST_TARGET="tests compat-tests" 19LTESTS="" 20SKIP_LTESTS="" 21SUDO=sudo # run with sudo by default 22TEST_SSH_UNSAFE_PERMISSIONS=1 23# Stop on first test failure to minimize logs 24TEST_SSH_FAIL_FATAL=yes 25 26CONFIGFLAGS="" 27LIBCRYPTOFLAGS="" 28 29case "$config" in 30 default|sol64) 31 ;; 32 c89) 33 CC="gcc" 34 CFLAGS="-Wall -std=c89 -pedantic -Werror=vla" 35 CONFIGFLAGS="--without-zlib" 36 LIBCRYPTOFLAGS="--without-openssl" 37 TEST_TARGET=t-exec 38 ;; 39 cygwin-release) 40 # See https://cygwin.com/git/?p=git/cygwin-packages/openssh.git;a=blob;f=openssh.cygport;hb=HEAD 41 CONFIGFLAGS="--with-xauth=/usr/bin/xauth --with-security-key-builtin" 42 CONFIGFLAGS="$CONFIGFLAGS --with-kerberos5=/usr --with-libedit --disable-strip" 43 ;; 44 clang-12-Werror) 45 CC="clang-12" 46 # clang's implicit-fallthrough requires that the code be annotated with 47 # __attribute__((fallthrough)) and does not understand /* FALLTHROUGH */ 48 CFLAGS="-Wall -Wextra -O2 -Wno-error=implicit-fallthrough -Wno-error=unused-parameter" 49 CONFIGFLAGS="--with-pam --with-Werror" 50 ;; 51 *-sanitize-*) 52 case "$config" in 53 gcc-*) 54 CC=gcc 55 ;; 56 clang-*) 57 # Find the newest available version of clang 58 for i in `seq 10 99`; do 59 clang="`which clang-$i 2>/dev/null`" 60 [ -x "$clang" ] && CC="$clang" 61 done 62 ;; 63 esac 64 # Put Sanitizer logs in regress dir. 65 SANLOGS=`pwd`/regress 66 # - We replace chroot with chdir so that the sanitizer in the preauth 67 # privsep process can read /proc. 68 # - clang does not recognizes explicit_bzero so we use bzero 69 # (see https://github.com/google/sanitizers/issues/1507 70 # - openssl and zlib trip ASAN. 71 # - sp_pwdp returned by getspnam trips ASAN, hence disabling shadow. 72 case "$config" in 73 *-sanitize-address) 74 CFLAGS="-fsanitize=address -fno-omit-frame-pointer" 75 LDFLAGS="-fsanitize=address" 76 CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -D_FORTIFY_SOURCE=0 -DASAN_OPTIONS=\"detect_leaks=0:log_path='$SANLOGS'/asan.log\"' 77 CONFIGFLAGS="" 78 TEST_TARGET="t-exec" 79 ;; 80 clang-sanitize-memory) 81 CFLAGS="-fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer" 82 LDFLAGS="-fsanitize=memory" 83 CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -DMSAN_OPTIONS=\"log_path='$SANLOGS'/msan.log\"' 84 CONFIGFLAGS="--without-openssl --without-zlib --without-shadow" 85 TEST_TARGET="t-exec" 86 ;; 87 *-sanitize-undefined) 88 CFLAGS="-fsanitize=undefined" 89 LDFLAGS="-fsanitize=undefined" 90 ;; 91 *) 92 echo unknown sanitize option; 93 exit 1;; 94 esac 95 features="--disable-security-key --disable-pkcs11" 96 hardening="--without-sandbox --without-hardening --without-stackprotect" 97 privsep="--with-privsep-user=root" 98 CONFIGFLAGS="$CONFIGFLAGS $features $hardening $privsep" 99 # Because we hobble chroot we can't test it. 100 SKIP_LTESTS=sftp-chroot 101 ;; 102 gcc-11-Werror) 103 CC="gcc" 104 # -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled 105 CFLAGS="-Wall -Wextra -O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter" 106 CONFIGFLAGS="--with-pam --with-Werror" 107 ;; 108 clang*|gcc*) 109 CC="$config" 110 ;; 111 kitchensink) 112 CONFIGFLAGS="--with-kerberos5 --with-libedit --with-pam" 113 CONFIGFLAGS="${CONFIGFLAGS} --with-security-key-builtin --with-selinux" 114 CFLAGS="-DSK_DEBUG -DSANDBOX_SECCOMP_FILTER_DEBUG" 115 ;; 116 hardenedmalloc) 117 CONFIGFLAGS="--with-ldflags=-lhardened_malloc" 118 ;; 119 tcmalloc) 120 CONFIGFLAGS="--with-ldflags=-ltcmalloc" 121 ;; 122 krb5|heimdal) 123 CONFIGFLAGS="--with-kerberos5" 124 ;; 125 libedit) 126 CONFIGFLAGS="--with-libedit" 127 ;; 128 musl) 129 CC="musl-gcc" 130 CONFIGFLAGS="--without-zlib" 131 LIBCRYPTOFLAGS="--without-openssl" 132 TEST_TARGET="t-exec" 133 ;; 134 pam-krb5) 135 CONFIGFLAGS="--with-pam --with-kerberos5" 136 SSHD_CONFOPTS="UsePam yes" 137 ;; 138 *pam) 139 CONFIGFLAGS="--with-pam" 140 SSHD_CONFOPTS="UsePam yes" 141 ;; 142 libressl-*) 143 LIBCRYPTOFLAGS="--with-ssl-dir=/opt/libressl --with-rpath=-Wl,-rpath," 144 ;; 145 openssl-*) 146 LIBCRYPTOFLAGS="--with-ssl-dir=/opt/openssl --with-rpath=-Wl,-rpath," 147 # OpenSSL 1.1.1 specifically has a bug in its RNG that breaks reexec 148 # fallback. See https://bugzilla.mindrot.org/show_bug.cgi?id=3483 149 if [ "$config" = "openssl-1.1.1" ]; then 150 SKIP_LTESTS="reexec" 151 fi 152 ;; 153 selinux) 154 CONFIGFLAGS="--with-selinux" 155 ;; 156 sk) 157 CONFIGFLAGS="--with-security-key-builtin" 158 ;; 159 without-openssl) 160 LIBCRYPTOFLAGS="--without-openssl" 161 TEST_TARGET=t-exec 162 ;; 163 valgrind-[1-5]|valgrind-unit) 164 # rlimit sandbox and FORTIFY_SOURCE confuse Valgrind. 165 CONFIGFLAGS="--without-sandbox --without-hardening" 166 CONFIGFLAGS="$CONFIGFLAGS --with-cppflags=-D_FORTIFY_SOURCE=0" 167 TEST_TARGET="t-exec USE_VALGRIND=1" 168 TEST_SSH_ELAPSED_TIMES=1 169 export TEST_SSH_ELAPSED_TIMES 170 # Valgrind slows things down enough that the agent timeout test 171 # won't reliably pass, and the unit tests run longer than allowed 172 # by github so split into separate tests. 173 tests2="integrity try-ciphers" 174 tests3="krl forward-control sshsig agent-restrict kextype sftp" 175 tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment percent" 176 tests5="rekey" 177 case "$config" in 178 valgrind-1) 179 # All tests except agent-timeout (which is flaky under valgrind), 180 # connection-timeout (which doesn't work since it's so slow) 181 # and hostbased (since valgrind won't let ssh exec keysign). 182 # Slow ones are run separately to increase parallelism. 183 SKIP_LTESTS="agent-timeout connection-timeout hostbased" 184 SKIP_LTESTS="$SKIP_LTESTS ${tests2} ${tests3} ${tests4} ${tests5}" 185 ;; 186 valgrind-2) 187 LTESTS="${tests2}" 188 ;; 189 valgrind-3) 190 LTESTS="${tests3}" 191 ;; 192 valgrind-4) 193 LTESTS="${tests4}" 194 ;; 195 valgrind-5) 196 LTESTS="${tests5}" 197 ;; 198 valgrind-unit) 199 TEST_TARGET="unit USE_VALGRIND=1" 200 ;; 201 esac 202 ;; 203 *) 204 echo "Unknown configuration $config" 205 exit 1 206 ;; 207esac 208 209# The Solaris 64bit targets are special since they need a non-flag arg. 210case "$config" in 211 sol64*) 212 CONFIGFLAGS="x86_64 --with-cflags=-m64 --with-ldflags=-m64 ${CONFIGFLAGS}" 213 LIBCRYPTOFLAGS="--with-ssl-dir=/usr/local/ssl64" 214 ;; 215esac 216 217case "${TARGET_HOST}" in 218 aix*) 219 # These are slow real or virtual machines so skip the slowest tests 220 # (which tend to be thw ones that transfer lots of data) so that the 221 # test run does not time out. 222 # The agent-restrict test fails due to some quoting issue when run 223 # with sh or ksh so specify bash for now. 224 TEST_TARGET="t-exec TEST_SHELL=bash" 225 SKIP_LTESTS="rekey sftp" 226 ;; 227 debian-riscv64) 228 # This machine is fairly slow, so skip the unit tests. 229 TEST_TARGET="t-exec" 230 ;; 231 dfly58*|dfly60*) 232 # scp 3-way connection hangs on these so skip until sorted. 233 SKIP_LTESTS=scp3 234 ;; 235 fbsd6) 236 # Native linker is not great with PIC so OpenSSL is built w/out. 237 CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key" 238 ;; 239 hurd) 240 SKIP_LTESTS="forwarding multiplex proxy-connect hostkey-agent agent-ptrace" 241 ;; 242 minix3) 243 LIBCRYPTOFLAGS="--without-openssl --disable-security-key" 244 # Minix does not have a loopback interface so we have to skip any 245 # test that relies on one. 246 # Also, Minix seems to be very limited in the number of select() 247 # calls that can be operating concurrently, so prune additional tests for that. 248 T="addrmatch agent-restrict brokenkeys cfgmatch cfgmatchlisten cfgparse 249 connect connect-uri exit-status forwarding hostkey-agent 250 key-options keyscan knownhosts-command login-timeout 251 reconfigure reexec rekey scp scp-uri scp3 sftp sftp-badcmds 252 sftp-batch sftp-cmds sftp-glob sftp-perm sftp-uri stderr-data 253 transfer" 254 # Unix domain sockets don't work quite like we expect, so also skip any tests 255 # that use multiplexing. 256 T="$T connection-timeout dynamic-forward forward-control multiplex" 257 SKIP_LTESTS="$(echo $T)" 258 TEST_TARGET=t-exec 259 SUDO="" 260 ;; 261 nbsd4) 262 # System compiler will ICE on some files with fstack-protector 263 # SHA256 functions in sha2.h conflict with OpenSSL's breaking sk-dummy 264 CONFIGFLAGS="${CONFIGFLAGS} --without-hardening --disable-security-key" 265 ;; 266 openwrt-*) 267 CONFIGFLAGS="${CONFIGFLAGS} --without-openssl --without-zlib" 268 TEST_TARGET="t-exec" 269 ;; 270 sol10|sol11) 271 # sol10 VM is 32bit and the unit tests are slow. 272 # sol11 has 4 test configs so skip unit tests to speed up. 273 TEST_TARGET="tests SKIP_UNIT=1" 274 ;; 275 win10) 276 # No sudo on Windows. 277 SUDO="" 278 ;; 279esac 280 281case "`./config.guess`" in 282*cygwin) 283 SUDO="" 284 # Don't run compat tests on cygwin as they don't currently compile. 285 TEST_TARGET="tests" 286 ;; 287*-darwin*) 288 # Unless specified otherwise, build without OpenSSL on Mac OS since 289 # modern versions don't ship with libcrypto. 290 LIBCRYPTOFLAGS="--without-openssl" 291 TEST_TARGET=t-exec 292 ;; 293esac 294 295# If we have a local openssl/libressl, use that. 296if [ -z "${LIBCRYPTOFLAGS}" ]; then 297 # last-match 298 for i in /usr/local /usr/local/ssl /usr/local/opt/openssl; do 299 if [ -x ${i}/bin/openssl ]; then 300 LIBCRYPTOFLAGS="--with-ssl-dir=${i}" 301 fi 302 done 303fi 304 305CONFIGFLAGS="${CONFIGFLAGS} ${LIBCRYPTOFLAGS}" 306 307if [ -x "$(which plink 2>/dev/null)" ]; then 308 REGRESS_INTEROP_PUTTY=yes 309 export REGRESS_INTEROP_PUTTY 310fi 311 312export CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO 313export TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS TEST_SSH_FAIL_FATAL 314