xref: /freebsd/crypto/openssh/.github/setup_ci.sh (revision aa1a8ff2d6dbc51ef058f46f3db5a8bb77967145)
1#!/bin/sh
2
3PACKAGES=""
4
5 . .github/configs $@
6
7host=`./config.guess`
8echo "config.guess: $host"
9case "$host" in
10*cygwin)
11	PACKAGER=setup
12	echo Setting CYGWIN system environment variable.
13	setx CYGWIN "binmode"
14	echo Removing extended ACLs so umask works as expected.
15	setfacl -b . regress
16	PACKAGES="$PACKAGES,autoconf,automake,cygwin-devel,gcc-core"
17	PACKAGES="$PACKAGES,make,openssl-devel,zlib-devel"
18	;;
19*-darwin*)
20	PACKAGER=brew
21	PACKAGES="automake"
22	;;
23*)
24	PACKAGER=apt
25esac
26
27TARGETS=$@
28
29INSTALL_FIDO_PPA="no"
30export DEBIAN_FRONTEND=noninteractive
31
32set -e
33
34if [ -x "`which lsb_release 2>&1`" ]; then
35	lsb_release -a
36fi
37
38if [ ! -z "$SUDO" ]; then
39	# Ubuntu 22.04 defaults to private home dirs which prevent the
40	# agent-getpeerid test from running ssh-add as nobody.  See
41	# https://github.com/actions/runner-images/issues/6106
42	if ! "$SUDO" -u nobody test -x ~; then
43		echo ~ is not executable by nobody, adding perms.
44		chmod go+x ~
45	fi
46	# Some of the Mac OS X runners don't have a nopasswd sudo rule. Regular
47	# sudo still works, but sudo -u doesn't.  Restore the sudo rule.
48	if ! "$SUDO" grep  -E 'runner.*NOPASSWD' /etc/passwd >/dev/null; then
49		echo "Restoring runner nopasswd rule to sudoers."
50		echo 'runner ALL=(ALL) NOPASSWD: ALL' |$SUDO tee -a /etc/sudoers
51	fi
52	if ! "$SUDO" -u nobody -S test -x ~ </dev/null; then
53		echo "Still can't sudo to nobody."
54		exit 1
55	fi
56fi
57
58if [ "${TARGETS}" = "kitchensink" ]; then
59	TARGETS="krb5 libedit pam sk selinux"
60fi
61
62for flag in $CONFIGFLAGS; do
63    case "$flag" in
64    --with-pam)		TARGETS="${TARGETS} pam" ;;
65    --with-libedit)	TARGETS="${TARGETS} libedit" ;;
66    esac
67done
68
69echo "Setting up for '$TARGETS'"
70for TARGET in $TARGETS; do
71    case $TARGET in
72    default|without-openssl|without-zlib|c89)
73        # nothing to do
74        ;;
75    clang-sanitize*)
76        PACKAGES="$PACKAGES clang-12"
77        ;;
78    cygwin-release)
79        PACKAGES="$PACKAGES libcrypt-devel libfido2-devel libkrb5-devel"
80        ;;
81    gcc-sanitize*)
82        ;;
83    clang-*|gcc-*)
84        compiler=$(echo $TARGET | sed 's/-Werror//')
85        PACKAGES="$PACKAGES $compiler"
86        ;;
87    krb5)
88        PACKAGES="$PACKAGES libkrb5-dev"
89	;;
90    heimdal)
91        PACKAGES="$PACKAGES heimdal-dev"
92        ;;
93    libedit)
94	case "$PACKAGER" in
95	setup)	PACKAGES="$PACKAGES libedit-devel" ;;
96	apt)	PACKAGES="$PACKAGES libedit-dev" ;;
97	esac
98        ;;
99    *pam)
100	case "$PACKAGER" in
101	apt)	PACKAGES="$PACKAGES libpam0g-dev" ;;
102	esac
103        ;;
104    sk)
105        INSTALL_FIDO_PPA="yes"
106        PACKAGES="$PACKAGES libfido2-dev libu2f-host-dev libcbor-dev"
107        ;;
108    selinux)
109        PACKAGES="$PACKAGES libselinux1-dev selinux-policy-dev"
110        ;;
111    hardenedmalloc)
112        INSTALL_HARDENED_MALLOC=yes
113        ;;
114    musl)
115	PACKAGES="$PACKAGES musl-tools"
116	;;
117    tcmalloc)
118        PACKAGES="$PACKAGES libgoogle-perftools-dev"
119        ;;
120    openssl-noec)
121	INSTALL_OPENSSL=OpenSSL_1_1_1k
122	SSLCONFOPTS="no-ec"
123	;;
124    openssl-*)
125        INSTALL_OPENSSL=$(echo ${TARGET} | cut -f2 -d-)
126        case ${INSTALL_OPENSSL} in
127          1.1.1_stable)	INSTALL_OPENSSL="OpenSSL_1_1_1-stable" ;;
128          1.*)	INSTALL_OPENSSL="OpenSSL_$(echo ${INSTALL_OPENSSL} | tr . _)" ;;
129          3.*)	INSTALL_OPENSSL="openssl-${INSTALL_OPENSSL}" ;;
130        esac
131        PACKAGES="${PACKAGES} putty-tools dropbear-bin"
132       ;;
133    libressl-*)
134        INSTALL_LIBRESSL=$(echo ${TARGET} | cut -f2 -d-)
135        case ${INSTALL_LIBRESSL} in
136          master) ;;
137          *) INSTALL_LIBRESSL="$(echo ${TARGET} | cut -f2 -d-)" ;;
138        esac
139        PACKAGES="${PACKAGES} putty-tools dropbear-bin"
140       ;;
141    boringssl)
142        INSTALL_BORINGSSL=1
143        PACKAGES="${PACKAGES} cmake ninja-build"
144       ;;
145    putty-*)
146	INSTALL_PUTTY=$(echo "${TARGET}" | cut -f2 -d-)
147	PACKAGES="${PACKAGES} cmake"
148	;;
149    valgrind*)
150       PACKAGES="$PACKAGES valgrind"
151       ;;
152    zlib-*)
153       ;;
154    *) echo "Invalid option '${TARGET}'"
155        exit 1
156        ;;
157    esac
158done
159
160if [ "yes" = "$INSTALL_FIDO_PPA" ]; then
161    sudo apt update -qq
162    sudo apt install -qy software-properties-common
163    sudo apt-add-repository -y ppa:yubico/stable
164fi
165
166tries=3
167while [ ! -z "$PACKAGES" ] && [ "$tries" -gt "0" ]; do
168    case "$PACKAGER" in
169    apt)
170	sudo apt update -qq
171	if sudo apt install -qy $PACKAGES; then
172		PACKAGES=""
173	fi
174	;;
175    brew)
176	if [ ! -z "PACKAGES" ]; then
177		if brew install $PACKAGES; then
178			PACKAGES=""
179		fi
180	fi
181	;;
182    setup)
183	if /cygdrive/c/setup.exe -q -P `echo "$PACKAGES" | tr ' ' ,`; then
184		PACKAGES=""
185	fi
186	;;
187    esac
188    if [ ! -z "$PACKAGES" ]; then
189	sleep 90
190    fi
191    tries=$(($tries - 1))
192done
193if [ ! -z "$PACKAGES" ]; then
194	echo "Package installation failed."
195	exit 1
196fi
197
198if [ "${INSTALL_HARDENED_MALLOC}" = "yes" ]; then
199    (cd ${HOME} &&
200     git clone https://github.com/GrapheneOS/hardened_malloc.git &&
201     cd ${HOME}/hardened_malloc &&
202     make && sudo cp out/libhardened_malloc.so /usr/lib/)
203fi
204
205if [ ! -z "${INSTALL_OPENSSL}" ]; then
206    (cd ${HOME} &&
207     git clone https://github.com/openssl/openssl.git &&
208     cd ${HOME}/openssl &&
209     git checkout ${INSTALL_OPENSSL} &&
210     ./config no-threads shared ${SSLCONFOPTS} \
211         --prefix=/opt/openssl &&
212     make && sudo make install_sw)
213fi
214
215if [ ! -z "${INSTALL_LIBRESSL}" ]; then
216    if [ "${INSTALL_LIBRESSL}" = "master" ]; then
217        (mkdir -p ${HOME}/libressl && cd ${HOME}/libressl &&
218         git clone https://github.com/libressl-portable/portable.git &&
219         cd ${HOME}/libressl/portable &&
220         git checkout ${INSTALL_LIBRESSL} &&
221         sh update.sh && sh autogen.sh &&
222         ./configure --prefix=/opt/libressl &&
223         make && sudo make install)
224    else
225        LIBRESSL_URLBASE=https://cdn.openbsd.org/pub/OpenBSD/LibreSSL
226        (cd ${HOME} &&
227         wget ${LIBRESSL_URLBASE}/libressl-${INSTALL_LIBRESSL}.tar.gz &&
228         tar xfz libressl-${INSTALL_LIBRESSL}.tar.gz &&
229         cd libressl-${INSTALL_LIBRESSL} &&
230         ./configure --prefix=/opt/libressl && make && sudo make install)
231    fi
232fi
233
234if [ ! -z "${INSTALL_BORINGSSL}" ]; then
235    (cd ${HOME} && git clone https://boringssl.googlesource.com/boringssl &&
236     cd ${HOME}/boringssl && mkdir build && cd build &&
237     cmake -GNinja  -DCMAKE_POSITION_INDEPENDENT_CODE=ON .. && ninja &&
238     mkdir -p /opt/boringssl/lib &&
239     cp ${HOME}/boringssl/build/crypto/libcrypto.a /opt/boringssl/lib &&
240     cp -r ${HOME}/boringssl/include /opt/boringssl)
241fi
242
243if [ ! -z "${INSTALL_ZLIB}" ]; then
244    (cd ${HOME} && git clone https://github.com/madler/zlib.git &&
245     cd ${HOME}/zlib && ./configure && make &&
246     sudo make install prefix=/opt/zlib)
247fi
248
249if [ ! -z "${INSTALL_PUTTY}" ]; then
250    ver="${INSTALL_PUTTY}"
251    case "${INSTALL_PUTTY}" in
252    snapshot)
253	tarball=putty.tar.gz
254	(cd /tmp && wget https://tartarus.org/~simon/putty-snapshots/${tarball})
255	;;
256    *)
257	tarball=putty-${ver}.tar.gz
258	(cd /tmp && wget https://the.earth.li/~sgtatham/putty/${ver}/${tarball})
259	;;
260    esac
261    (cd ${HOME} && tar xfz /tmp/${tarball} && cd putty-*
262     if [ -f CMakeLists.txt ]; then
263	cmake . && cmake --build . && sudo cmake --build . --target install
264     else
265	./configure && make && sudo make install
266     fi
267    )
268    /usr/local/bin/plink -V
269fi
270