xref: /freebsd/crypto/openssh/.github/setup_ci.sh (revision f73124b077d867990cbcb4d903b48be2ca55e4ca) 
1#!/bin/sh
2
3PACKAGES=""
4
5 . .github/configs $@
6
7host=`./config.guess`
8echo "config.guess: $host"
9case "$host" in
10*cygwin)
11	PACKAGER=setup
12	echo Setting CYGWIN system environment variable.
13	setx CYGWIN "binmode"
14	echo Removing extended ACLs so umask works as expected.
15	setfacl -b . regress
16	PACKAGES="$PACKAGES,autoconf,automake,cygwin-devel,gcc-core"
17	PACKAGES="$PACKAGES,make,openssl-devel,zlib-devel"
18	;;
19*-darwin*)
20	PACKAGER=brew
21	PACKAGES="automake"
22	;;
23*)
24	PACKAGER=apt
25esac
26
27TARGETS=$@
28
29INSTALL_FIDO_PPA="no"
30export DEBIAN_FRONTEND=noninteractive
31
32set -e
33
34if [ -x "`which lsb_release 2>&1`" ]; then
35	lsb_release -a
36fi
37
38if [ ! -z "$SUDO" ]; then
39	# Ubuntu 22.04 defaults to private home dirs which prevent the
40	# agent-getpeerid test from running ssh-add as nobody.  See
41	# https://github.com/actions/runner-images/issues/6106
42	if ! "$SUDO" -u nobody test -x ~; then
43		echo ~ is not executable by nobody, adding perms.
44		chmod go+x ~
45	fi
46	# Some of the Mac OS X runners don't have a nopasswd sudo rule. Regular
47	# sudo still works, but sudo -u doesn't.  Restore the sudo rule.
48	if ! "$SUDO" grep  -E 'runner.*NOPASSWD' /etc/passwd >/dev/null; then
49		echo "Restoring runner nopasswd rule to sudoers."
50		echo 'runner ALL=(ALL) NOPASSWD: ALL' |$SUDO tee -a /etc/sudoers
51	fi
52	if ! "$SUDO" -u nobody -S test -x ~ </dev/null; then
53		echo "Still can't sudo to nobody."
54		exit 1
55	fi
56fi
57
58if [ "${TARGETS}" = "kitchensink" ]; then
59	TARGETS="krb5 libedit pam sk selinux"
60fi
61
62for flag in $CONFIGFLAGS; do
63    case "$flag" in
64    --with-pam)		TARGETS="${TARGETS} pam" ;;
65    --with-libedit)	TARGETS="${TARGETS} libedit" ;;
66    esac
67done
68
69echo "Setting up for '$TARGETS'"
70for TARGET in $TARGETS; do
71    case $TARGET in
72    default|without-openssl|without-zlib|c89)
73        # nothing to do
74        ;;
75    clang-sanitize*)
76        PACKAGES="$PACKAGES clang-12"
77        ;;
78    cygwin-release)
79        PACKAGES="$PACKAGES libcrypt-devel libfido2-devel libkrb5-devel"
80        ;;
81    gcc-sanitize*)
82        ;;
83    clang-*|gcc-*)
84        compiler=$(echo $TARGET | sed 's/-Werror//')
85        PACKAGES="$PACKAGES $compiler"
86        ;;
87    krb5)
88        PACKAGES="$PACKAGES libkrb5-dev"
89	;;
90    heimdal)
91        PACKAGES="$PACKAGES heimdal-dev"
92        ;;
93    libedit)
94	case "$PACKAGER" in
95	setup)	PACKAGES="$PACKAGES libedit-devel" ;;
96	apt)	PACKAGES="$PACKAGES libedit-dev" ;;
97	esac
98        ;;
99    *pam)
100	case "$PACKAGER" in
101	apt)	PACKAGES="$PACKAGES libpam0g-dev" ;;
102	esac
103        ;;
104    sk)
105        INSTALL_FIDO_PPA="yes"
106        PACKAGES="$PACKAGES libfido2-dev libu2f-host-dev libcbor-dev"
107        ;;
108    selinux)
109        PACKAGES="$PACKAGES libselinux1-dev selinux-policy-dev"
110        ;;
111    hardenedmalloc)
112        INSTALL_HARDENED_MALLOC=yes
113        ;;
114    musl)
115	PACKAGES="$PACKAGES musl-tools"
116	;;
117    tcmalloc)
118        PACKAGES="$PACKAGES libgoogle-perftools-dev"
119        ;;
120    openssl-noec)
121	INSTALL_OPENSSL=OpenSSL_1_1_1k
122	SSLCONFOPTS="no-ec"
123	;;
124    openssl-*)
125        INSTALL_OPENSSL=$(echo ${TARGET} | cut -f2 -d-)
126        case ${INSTALL_OPENSSL} in
127          1.1.1_stable)	INSTALL_OPENSSL="OpenSSL_1_1_1-stable" ;;
128          1.*)	INSTALL_OPENSSL="OpenSSL_$(echo ${INSTALL_OPENSSL} | tr . _)" ;;
129          3.*)	INSTALL_OPENSSL="openssl-${INSTALL_OPENSSL}" ;;
130        esac
131        PACKAGES="${PACKAGES} putty-tools dropbear-bin"
132       ;;
133    libressl-*)
134        INSTALL_LIBRESSL=$(echo ${TARGET} | cut -f2 -d-)
135        case ${INSTALL_LIBRESSL} in
136          master) ;;
137          *) INSTALL_LIBRESSL="$(echo ${TARGET} | cut -f2 -d-)" ;;
138        esac
139        PACKAGES="${PACKAGES} putty-tools dropbear-bin"
140       ;;
141    boringssl)
142        INSTALL_BORINGSSL=1
143        PACKAGES="${PACKAGES} cmake ninja-build"
144       ;;
145    valgrind*)
146       PACKAGES="$PACKAGES valgrind"
147       ;;
148    zlib-*)
149       ;;
150    *) echo "Invalid option '${TARGET}'"
151        exit 1
152        ;;
153    esac
154done
155
156if [ "yes" = "$INSTALL_FIDO_PPA" ]; then
157    sudo apt update -qq
158    sudo apt install -qy software-properties-common
159    sudo apt-add-repository -y ppa:yubico/stable
160fi
161
162tries=3
163while [ ! -z "$PACKAGES" ] && [ "$tries" -gt "0" ]; do
164    case "$PACKAGER" in
165    apt)
166	sudo apt update -qq
167	if sudo apt install -qy $PACKAGES; then
168		PACKAGES=""
169	fi
170	;;
171    brew)
172	if [ ! -z "PACKAGES" ]; then
173		if brew install $PACKAGES; then
174			PACKAGES=""
175		fi
176	fi
177	;;
178    setup)
179	if /cygdrive/c/setup.exe -q -P `echo "$PACKAGES" | tr ' ' ,`; then
180		PACKAGES=""
181	fi
182	;;
183    esac
184    if [ ! -z "$PACKAGES" ]; then
185	sleep 90
186    fi
187    tries=$(($tries - 1))
188done
189if [ ! -z "$PACKAGES" ]; then
190	echo "Package installation failed."
191	exit 1
192fi
193
194if [ "${INSTALL_HARDENED_MALLOC}" = "yes" ]; then
195    (cd ${HOME} &&
196     git clone https://github.com/GrapheneOS/hardened_malloc.git &&
197     cd ${HOME}/hardened_malloc &&
198     make && sudo cp out/libhardened_malloc.so /usr/lib/)
199fi
200
201if [ ! -z "${INSTALL_OPENSSL}" ]; then
202    (cd ${HOME} &&
203     git clone https://github.com/openssl/openssl.git &&
204     cd ${HOME}/openssl &&
205     git checkout ${INSTALL_OPENSSL} &&
206     ./config no-threads shared ${SSLCONFOPTS} \
207         --prefix=/opt/openssl &&
208     make && sudo make install_sw)
209fi
210
211if [ ! -z "${INSTALL_LIBRESSL}" ]; then
212    if [ "${INSTALL_LIBRESSL}" = "master" ]; then
213        (mkdir -p ${HOME}/libressl && cd ${HOME}/libressl &&
214         git clone https://github.com/libressl-portable/portable.git &&
215         cd ${HOME}/libressl/portable &&
216         git checkout ${INSTALL_LIBRESSL} &&
217         sh update.sh && sh autogen.sh &&
218         ./configure --prefix=/opt/libressl &&
219         make && sudo make install)
220    else
221        LIBRESSL_URLBASE=https://cdn.openbsd.org/pub/OpenBSD/LibreSSL
222        (cd ${HOME} &&
223         wget ${LIBRESSL_URLBASE}/libressl-${INSTALL_LIBRESSL}.tar.gz &&
224         tar xfz libressl-${INSTALL_LIBRESSL}.tar.gz &&
225         cd libressl-${INSTALL_LIBRESSL} &&
226         ./configure --prefix=/opt/libressl && make && sudo make install)
227    fi
228fi
229
230if [ ! -z "${INSTALL_BORINGSSL}" ]; then
231    (cd ${HOME} && git clone https://boringssl.googlesource.com/boringssl &&
232     cd ${HOME}/boringssl && mkdir build && cd build &&
233     cmake -GNinja  -DCMAKE_POSITION_INDEPENDENT_CODE=ON .. && ninja &&
234     mkdir -p /opt/boringssl/lib &&
235     cp ${HOME}/boringssl/build/crypto/libcrypto.a /opt/boringssl/lib &&
236     cp -r ${HOME}/boringssl/include /opt/boringssl)
237fi
238
239if [ ! -z "${INSTALL_ZLIB}" ]; then
240    (cd ${HOME} && git clone https://github.com/madler/zlib.git &&
241     cd ${HOME}/zlib && ./configure && make &&
242     sudo make install prefix=/opt/zlib)
243fi
244