xref: /freebsd/crypto/openssh/.github/configs (revision 86dc8398c9ca2283c5d6984992b7a585257b5adb)
1#!/bin/sh
2#
3# usage: configs vmname test_config (or '' for default)
4#
5# Sets the following variables:
6# CONFIGFLAGS           options to ./configure
7# SSHD_CONFOPTS         sshd_config options
8# TEST_TARGET           make target used when testing.  defaults to "tests".
9# LTESTS
10
11config=$1
12
13TEST_TARGET="tests"
14LTESTS=""
15SKIP_LTESTS=""
16SUDO=sudo	# run with sudo by default
17TEST_SSH_UNSAFE_PERMISSIONS=1
18# Stop on first test failure to minimize logs
19TEST_SSH_FAIL_FATAL=yes
20
21CONFIGFLAGS=""
22LIBCRYPTOFLAGS=""
23
24case "$config" in
25    default|sol64)
26	;;
27    c89)
28	CC="gcc"
29	CFLAGS="-Wall -std=c89 -pedantic -Werror=vla"
30	CONFIGFLAGS="--without-zlib"
31	LIBCRYPTOFLAGS="--without-openssl"
32	TEST_TARGET=t-exec
33	;;
34    cygwin-release)
35	CONFIGFLAGS="--with-libedit --with-xauth=/usr/bin/xauth --disable-strip --with-security-key-builtin"
36	;;
37   clang-12-Werror)
38	CC="clang-12"
39	# clang's implicit-fallthrough requires that the code be annotated with
40	# __attribute__((fallthrough)) and does not understand /* FALLTHROUGH */
41	CFLAGS="-Wall -Wextra -O2 -Wno-error=implicit-fallthrough -Wno-error=unused-parameter"
42	CONFIGFLAGS="--with-pam --with-Werror"
43	;;
44    gcc-11-Werror)
45	CC="gcc"
46	# -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
47	CFLAGS="-Wall -Wextra -O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter"
48	CONFIGFLAGS="--with-pam --with-Werror"
49	;;
50    clang*|gcc*)
51	CC="$config"
52	;;
53    kitchensink)
54	CONFIGFLAGS="--with-kerberos5 --with-libedit --with-pam"
55	CONFIGFLAGS="${CONFIGFLAGS} --with-security-key-builtin --with-selinux"
56	CONFIGFLAGS="${CONFIGFLAGS} --with-cflags=-DSK_DEBUG"
57	;;
58    hardenedmalloc)
59	CONFIGFLAGS="--with-ldflags=-lhardened_malloc"
60	;;
61    tcmalloc)
62	CONFIGFLAGS="--with-ldflags=-ltcmalloc"
63	;;
64    krb5|heimdal)
65	CONFIGFLAGS="--with-kerberos5"
66	;;
67    libedit)
68	CONFIGFLAGS="--with-libedit"
69	;;
70    musl)
71	CC="musl-gcc"
72	CONFIGFLAGS="--without-zlib"
73	LIBCRYPTOFLAGS="--without-openssl"
74	TEST_TARGET="t-exec"
75	;;
76    pam-krb5)
77	CONFIGFLAGS="--with-pam --with-kerberos5"
78	SSHD_CONFOPTS="UsePam yes"
79	;;
80    *pam)
81	CONFIGFLAGS="--with-pam"
82	SSHD_CONFOPTS="UsePam yes"
83	;;
84    libressl-*)
85	LIBCRYPTOFLAGS="--with-ssl-dir=/opt/libressl --with-rpath=-Wl,-rpath,"
86	;;
87    openssl-*)
88	LIBCRYPTOFLAGS="--with-ssl-dir=/opt/openssl --with-rpath=-Wl,-rpath,"
89	;;
90    selinux)
91	CONFIGFLAGS="--with-selinux"
92	;;
93    sk)
94	CONFIGFLAGS="--with-security-key-builtin"
95        ;;
96    without-openssl)
97	LIBCRYPTOFLAGS="--without-openssl"
98	TEST_TARGET=t-exec
99	;;
100    valgrind-[1-4]|valgrind-unit)
101	# rlimit sandbox and FORTIFY_SOURCE confuse Valgrind.
102	CONFIGFLAGS="--without-sandbox --without-hardening"
103	CONFIGFLAGS="$CONFIGFLAGS --with-cppflags=-D_FORTIFY_SOURCE=0"
104	TEST_TARGET="t-exec USE_VALGRIND=1"
105	TEST_SSH_ELAPSED_TIMES=1
106	export TEST_SSH_ELAPSED_TIMES
107	# Valgrind slows things down enough that the agent timeout test
108	# won't reliably pass, and the unit tests run longer than allowed
109	# by github so split into three separate tests.
110	tests2="rekey integrity try-ciphers sftp"
111	tests3="krl forward-control sshsig agent-restrict kextype"
112	tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment percent"
113	case "$config" in
114	    valgrind-1)
115		# All tests except agent-timeout (which is flaky under valgrind)
116		#) and slow ones that run separately to increase parallelism.
117		SKIP_LTESTS="agent-timeout ${tests2} ${tests3} ${tests4}"
118		;;
119	    valgrind-2)
120		LTESTS="${tests2}"
121		;;
122	    valgrind-3)
123		LTESTS="${tests3}"
124		;;
125	    valgrind-4)
126		LTESTS="${tests4}"
127		;;
128	    valgrind-unit)
129		TEST_TARGET="unit USE_VALGRIND=1"
130		;;
131	esac
132	;;
133    *)
134	echo "Unknown configuration $config"
135	exit 1
136	;;
137esac
138
139# The Solaris 64bit targets are special since they need a non-flag arg.
140case "$config" in
141    sol64*)
142	CONFIGFLAGS="x86_64 --with-cflags=-m64 --with-ldflags=-m64 ${CONFIGFLAGS}"
143	LIBCRYPTOFLAGS="--with-ssl-dir=/usr/local/ssl64"
144	;;
145esac
146
147case "${TARGET_HOST}" in
148    aix*)
149	# These are slow real or virtual machines so skip the slowest tests
150	# (which tend to be thw ones that transfer lots of data) so that the
151	# test run does not time out.
152	# The agent-restrict test fails due to some quoting issue when run
153	# with sh or ksh so specify bash for now.
154	TEST_TARGET="t-exec TEST_SHELL=bash"
155	SKIP_LTESTS="rekey sftp"
156	;;
157    dfly58*|dfly60*)
158	# scp 3-way connection hangs on these so skip until sorted.
159	SKIP_LTESTS=scp3
160	;;
161    fbsd6)
162	# Native linker is not great with PIC so OpenSSL is built w/out.
163	CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
164	;;
165    hurd)
166	SKIP_LTESTS="forwarding multiplex proxy-connect hostkey-agent agent-ptrace"
167	;;
168    minix3)
169	LIBCRYPTOFLAGS="--without-openssl --disable-security-key"
170	# Minix does not have a loopback interface so we have to skip any
171	# test that relies on one.
172	# Also, Minix seems to be very limited in the number of select()
173	# calls that can be operating concurrently, so prune additional tests for that.
174	T="addrmatch agent-restrict brokenkeys cfgmatch cfgmatchlisten cfgparse connect
175	    connect-uri exit-status forward-control forwarding hostkey-agent
176	    key-options keyscan knownhosts-command login-timeout multiplex
177	    reconfigure reexec rekey scp scp-uri scp3 sftp sftp-badcmds
178	    sftp-batch sftp-cmds sftp-glob sftp-perm sftp-uri stderr-data
179	    transfer"
180	SKIP_LTESTS="$(echo $T)"
181	TEST_TARGET=t-exec
182	SUDO=""
183	;;
184    nbsd4)
185	# System compiler will ICE on some files with fstack-protector
186	# SHA256 functions in sha2.h conflict with OpenSSL's breaking sk-dummy
187	CONFIGFLAGS="${CONFIGFLAGS} --without-hardening --disable-security-key"
188	;;
189    openwrt-*)
190	CONFIGFLAGS="${CONFIGFLAGS} --without-openssl --without-zlib"
191	TEST_TARGET="t-exec"
192	;;
193    sol10|sol11)
194	# sol10 VM is 32bit and the unit tests are slow.
195	# sol11 has 4 test configs so skip unit tests to speed up.
196	TEST_TARGET="tests SKIP_UNIT=1"
197	;;
198    win10)
199	# No sudo on Windows.
200	SUDO=""
201	;;
202esac
203
204# Unless specified otherwise, build without OpenSSL on Mac OS since
205# modern versions don't ship with libcrypto.
206case "`./config.guess`" in
207*-darwin*)
208	LIBCRYPTOFLAGS="--without-openssl"
209	TEST_TARGET=t-exec
210	;;
211esac
212
213# If we have a local openssl/libressl, use that.
214if [ -z "${LIBCRYPTOFLAGS}" ]; then
215	# last-match
216	for i in /usr/local /usr/local/ssl /usr/local/opt/openssl; do
217		if [ -x ${i}/bin/openssl ]; then
218			LIBCRYPTOFLAGS="--with-ssl-dir=${i}"
219		fi
220	done
221fi
222
223CONFIGFLAGS="${CONFIGFLAGS} ${LIBCRYPTOFLAGS}"
224
225if [ -x "$(which plink 2>/dev/null)" ]; then
226	REGRESS_INTEROP_PUTTY=yes
227	export REGRESS_INTEROP_PUTTY
228fi
229
230export CC CFLAGS LTESTS SUDO
231export TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS TEST_SSH_FAIL_FATAL
232