#!/bin/sh
#
# usage: configs vmname test_config (or '' for default)
#
# Sets the following variables:
# CONFIGFLAGS options to ./configure
# SSHD_CONFOPTS sshd_config options
# TEST_TARGET make target used when testing. Defaults to "tests".
# LTESTS

# First positional argument names the test configuration; an empty or
# missing argument selects the "default" configuration.
config=$1
[ -n "$config" ] || config="default"

# Discard whatever the caller's environment supplied for the toolchain and
# test-selection variables; they are re-assigned below and exported at the
# end of the file.
# NOTE(review): SSHD_CONFOPTS is documented in the header as set by this
# file but is not reset here, so a value already present in the environment
# survives for every configuration that does not assign it - confirm that
# is intended.
unset CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO

# Accumulators for ./configure options; filled in by the case statements
# that follow.
CONFIGFLAGS=""
LIBCRYPTOFLAGS=""

# Default make target(s) and test selection.
TEST_TARGET="tests compat-tests"
LTESTS=""
SKIP_LTESTS=""

# Run with sudo by default.
SUDO=sudo

# Consumed by the regress harness, not by this file.  Judging by its name
# it relaxes a permissions check during tests, which is only appropriate on
# throwaway CI hosts - TODO confirm the exact effect in the harness.
TEST_SSH_UNSAFE_PERMISSIONS=1
# Stop on first test failure to minimize logs
TEST_SSH_FAIL_FATAL=yes

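# Map the requested configuration name onto compiler, ./configure and test
# settings.  Arm order matters: the specific names clang-12-Werror,
# *-sanitize-* and gcc-11-Werror must come before the catch-all
# clang*|gcc* arm, which would otherwise match them first.
# Unknown names are rejected with a message on stderr and exit status 1.
case "$config" in
default|sol64)
    ;;
c89)
    CC="gcc"
    CFLAGS="-Wall -std=c89 -pedantic -Werror=vla"
    CONFIGFLAGS="--without-zlib"
    LIBCRYPTOFLAGS="--without-openssl"
    TEST_TARGET=t-exec
    ;;
cygwin-release)
    # See https://cygwin.com/git/?p=git/cygwin-packages/openssh.git;a=blob;f=openssh.cygport;hb=HEAD
    CONFIGFLAGS="--with-xauth=/usr/bin/xauth --with-security-key-builtin"
    CONFIGFLAGS="$CONFIGFLAGS --with-kerberos5=/usr --with-libedit --disable-strip"
    ;;
clang-12-Werror)
    CC="clang-12"
    # clang's implicit-fallthrough requires that the code be annotated with
    # __attribute__((fallthrough)) and does not understand /* FALLTHROUGH */
    CFLAGS="-Wall -Wextra -O2 -Wno-error=implicit-fallthrough -Wno-error=unused-parameter"
    CONFIGFLAGS="--with-pam --with-Werror"
    ;;
*-sanitize-*)
    case "$config" in
    gcc-*)
        CC=gcc
        ;;
    clang-*)
        # Find the newest available version of clang: probe clang-10
        # through clang-99 and keep the highest-numbered one on PATH.
        # Uses POSIX `command -v` and shell arithmetic so the probe does
        # not depend on the non-POSIX `seq` and `which` utilities.
        # NOTE(review): if no clang-N is found, CC is left unassigned here
        # and the sanitizer job proceeds with whatever compiler configure
        # picks - confirm that silent fallback is acceptable.
        i=10
        while [ "$i" -le 99 ]; do
            if clang=$(command -v "clang-$i" 2>/dev/null) &&
                [ -x "$clang" ]; then
                CC="$clang"
            fi
            i=$((i + 1))
        done
        ;;
    esac
    # Put Sanitizer logs in regress dir.
    SANLOGS=$(pwd)/regress
    # - We replace chroot with chdir so that the sanitizer in the preauth
    #   privsep process can read /proc.
    # - clang does not recognize explicit_bzero so we use bzero
    #   (see https://github.com/google/sanitizers/issues/1507)
    # - openssl and zlib trip ASAN.
    # - sp_pwdp returned by getspnam trips ASAN, hence disabling shadow.
    case "$config" in
    *-sanitize-address)
        CFLAGS="-fsanitize=address -fno-omit-frame-pointer"
        LDFLAGS="-fsanitize=address"
        CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -D_FORTIFY_SOURCE=0 -DASAN_OPTIONS=\"detect_leaks=0:log_path='"$SANLOGS"'/asan.log\"'
        CONFIGFLAGS=""
        TEST_TARGET="t-exec"
        ;;
    clang-sanitize-memory)
        CFLAGS="-fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer"
        LDFLAGS="-fsanitize=memory"
        CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -DMSAN_OPTIONS=\"log_path='"$SANLOGS"'/msan.log\"'
        CONFIGFLAGS="--without-openssl --without-zlib --without-shadow"
        TEST_TARGET="t-exec"
        ;;
    *-sanitize-undefined)
        CFLAGS="-fsanitize=undefined"
        LDFLAGS="-fsanitize=undefined"
        ;;
    *)
        echo "unknown sanitize option" >&2
        exit 1
        ;;
    esac
    # Every sanitizer build is configured without the sandbox, hardening
    # flags and stack protector, with root as the privsep user, and (for
    # the address and memory variants) with chroot() compiled as chdir().
    # The resulting binaries give up sshd's usual confinement, so they are
    # only suitable for the instrumented test run itself.
    features="--disable-security-key --disable-pkcs11"
    hardening="--without-sandbox --without-hardening --without-stackprotect"
    privsep="--with-privsep-user=root"
    CONFIGFLAGS="$CONFIGFLAGS $features $hardening $privsep"
    # Because we hobble chroot we can't test it.
    SKIP_LTESTS=sftp-chroot
    ;;
gcc-11-Werror)
    CC="gcc"
    # -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
    CFLAGS="-Wall -Wextra -O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter"
    CONFIGFLAGS="--with-pam --with-Werror"
    ;;
clang*|gcc*)
    # Any other clang*/gcc* name is used verbatim as the compiler command.
    CC="$config"
    ;;
kitchensink)
    CONFIGFLAGS="--with-kerberos5 --with-libedit --with-pam"
    CONFIGFLAGS="${CONFIGFLAGS} --with-security-key-builtin --with-selinux"
    # Debug defines; their effect is determined outside this file.
    CFLAGS="-DSK_DEBUG -DSANDBOX_SECCOMP_FILTER_DEBUG"
    ;;
hardenedmalloc)
    CONFIGFLAGS="--with-ldflags=-lhardened_malloc"
    ;;
tcmalloc)
    CONFIGFLAGS="--with-ldflags=-ltcmalloc"
    ;;
krb5|heimdal)
    CONFIGFLAGS="--with-kerberos5"
    ;;
libedit)
    CONFIGFLAGS="--with-libedit"
    ;;
musl)
    CC="musl-gcc"
    CONFIGFLAGS="--without-zlib"
    LIBCRYPTOFLAGS="--without-openssl"
    TEST_TARGET="t-exec"
    ;;
pam-krb5)
    CONFIGFLAGS="--with-pam --with-kerberos5"
    SSHD_CONFOPTS="UsePam yes"
    ;;
*pam)
    CONFIGFLAGS="--with-pam"
    SSHD_CONFOPTS="UsePam yes"
    ;;
libressl-*)
    LIBCRYPTOFLAGS="--with-ssl-dir=/opt/libressl --with-rpath=-Wl,-rpath,"
    ;;
openssl-*)
    LIBCRYPTOFLAGS="--with-ssl-dir=/opt/openssl --with-rpath=-Wl,-rpath,"
    # OpenSSL 1.1.1 specifically has a bug in its RNG that breaks reexec
    # fallback.  See https://bugzilla.mindrot.org/show_bug.cgi?id=3483
    if [ "$config" = "openssl-1.1.1" ]; then
        SKIP_LTESTS="reexec"
    fi
    ;;
selinux)
    CONFIGFLAGS="--with-selinux"
    ;;
sk)
    CONFIGFLAGS="--with-security-key-builtin"
    ;;
without-openssl)
    LIBCRYPTOFLAGS="--without-openssl"
    TEST_TARGET=t-exec
    ;;
valgrind-[1-5]|valgrind-unit)
    # rlimit sandbox and FORTIFY_SOURCE confuse Valgrind.
    CONFIGFLAGS="--without-sandbox --without-hardening"
    CONFIGFLAGS="$CONFIGFLAGS --with-cppflags=-D_FORTIFY_SOURCE=0"
    TEST_TARGET="t-exec USE_VALGRIND=1"
    TEST_SSH_ELAPSED_TIMES=1
    export TEST_SSH_ELAPSED_TIMES
    # Valgrind slows things down enough that the agent timeout test
    # won't reliably pass, and the unit tests run longer than allowed
    # by github so split into separate tests.
    # NOTE(review): kextype is listed in both tests3 and tests4, so it
    # runs in two of the split jobs - confirm that is intended.
    tests2="integrity try-ciphers"
    tests3="krl forward-control sshsig agent-restrict kextype sftp"
    tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment percent"
    tests5="rekey"
    case "$config" in
    valgrind-1)
        # All tests except agent-timeout (which is flaky under valgrind),
        # connection-timeout (which doesn't work since it's so slow)
        # and hostbased (since valgrind won't let ssh exec keysign).
        # Slow ones are run separately to increase parallelism.
        SKIP_LTESTS="agent-timeout connection-timeout hostbased"
        SKIP_LTESTS="$SKIP_LTESTS ${tests2} ${tests3} ${tests4} ${tests5}"
        ;;
    valgrind-2)
        LTESTS="${tests2}"
        ;;
    valgrind-3)
        LTESTS="${tests3}"
        ;;
    valgrind-4)
        LTESTS="${tests4}"
        ;;
    valgrind-5)
        LTESTS="${tests5}"
        ;;
    valgrind-unit)
        TEST_TARGET="unit USE_VALGRIND=1"
        ;;
    esac
    ;;
*)
    echo "Unknown configuration $config" >&2
    exit 1
    ;;
esac
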
# The Solaris 64bit targets are special since they need a non-flag arg:
# "x86_64" has to be the first word handed to ./configure, ahead of every
# option collected so far.
case "$config" in
sol64*)
    CONFIGFLAGS="--with-cflags=-m64 --with-ldflags=-m64 ${CONFIGFLAGS}"
    CONFIGFLAGS="x86_64 ${CONFIGFLAGS}"
    LIBCRYPTOFLAGS="--with-ssl-dir=/usr/local/ssl64"
    ;;
esac

# Per-host adjustments, keyed on the TARGET_HOST environment variable.
# Hosts not listed here keep the settings chosen above.
case "${TARGET_HOST}" in
aix*)
    # These are slow real or virtual machines so skip the slowest tests
    # (which tend to be the ones that transfer lots of data) so that the
    # test run does not time out.
    # The agent-restrict test fails due to some quoting issue when run
    # with sh or ksh so specify bash for now.
    SKIP_LTESTS="rekey sftp"
    TEST_TARGET="t-exec unit TEST_SHELL=bash"
    ;;
debian-riscv64)
    # This machine is fairly slow, so skip the unit tests.
    TEST_TARGET="t-exec"
    ;;
dfly58*|dfly60*)
    # scp 3-way connection hangs on these so skip until sorted.
    SKIP_LTESTS="scp3"
    ;;
fbsd6)
    # Native linker is not great with PIC so OpenSSL is built w/out.
    CONFIGFLAGS="$CONFIGFLAGS --disable-security-key"
    ;;
hurd)
    SKIP_LTESTS="forwarding multiplex proxy-connect hostkey-agent agent-ptrace"
    ;;
minix3)
    LIBCRYPTOFLAGS="--without-openssl --disable-security-key"
    # Minix does not have a loopback interface so we have to skip any
    # test that relies on one.
    # Also, Minix seems to be very limited in the number of select()
    # calls that can be operating concurrently, so prune additional
    # tests for that.
    T="addrmatch agent-restrict brokenkeys cfgmatch cfgmatchlisten cfgparse
        connect connect-uri exit-status forwarding hostkey-agent
        key-options keyscan knownhosts-command login-timeout
        reconfigure reexec rekey scp scp-uri scp3 sftp sftp-badcmds
        sftp-batch sftp-cmds sftp-glob sftp-perm sftp-uri stderr-data
        transfer"
    # Unix domain sockets don't work quite like we expect, so also skip
    # any tests that use multiplexing.
    T="$T connection-timeout dynamic-forward forward-control multiplex"
    # $T is deliberately left unquoted: word splitting turns the newlines
    # and indentation above into single spaces.
    SKIP_LTESTS="$(echo $T)"
    TEST_TARGET="t-exec"
    SUDO=""
    ;;
nbsd4)
    # System compiler will ICE on some files with fstack-protector
    # SHA256 functions in sha2.h conflict with OpenSSL's breaking sk-dummy
    CONFIGFLAGS="$CONFIGFLAGS --without-hardening --disable-security-key"
    ;;
openwrt-*)
    CONFIGFLAGS="$CONFIGFLAGS --without-openssl --without-zlib"
    TEST_TARGET="t-exec"
    ;;
sol10|sol11)
    # sol10 VM is 32bit and the unit tests are slow.
    # sol11 has 4 test configs so skip unit tests to speed up.
    TEST_TARGET="tests SKIP_UNIT=1"
    ;;
win10)
    # No sudo on Windows.
    SUDO=""
    ;;
esac

# Adjustments keyed on the platform triplet printed by ./config.guess
# (run from the current directory).
case "$(./config.guess)" in
*cygwin)
    # Don't run compat tests on cygwin as they don't currently compile.
    TEST_TARGET="tests"
    SUDO=""
    ;;
*-darwin*)
    # Unless specified otherwise, build without OpenSSL on Mac OS since
    # modern versions don't ship with libcrypto.
    TEST_TARGET="t-exec"
    LIBCRYPTOFLAGS="--without-openssl"
    ;;
esac

# If we have a local openssl/libressl, use that.  Only consulted when no
# earlier step chose a libcrypto setting.
if [ -z "${LIBCRYPTOFLAGS}" ]; then
    # last-match: every candidate is checked and there is no early exit, so
    # the last directory holding an executable bin/openssl wins.  Only the
    # executable bit is tested; the version and origin of that install are
    # not checked here.
    for i in /usr/local /usr/local/ssl /usr/local/opt/openssl; do
        [ -x "${i}/bin/openssl" ] || continue
        LIBCRYPTOFLAGS="--with-ssl-dir=${i}"
    done
fi

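# Final ./configure argument string: the general options followed by the
# libcrypto selection.
CONFIGFLAGS="${CONFIGFLAGS} ${LIBCRYPTOFLAGS}"

# Enable the PuTTY interop tests when an executable plink is on PATH.
# `command -v` is the POSIX lookup; it avoids relying on the external
# `which` utility, which is not guaranteed to be installed.
if [ -x "$(command -v plink 2>/dev/null)" ]; then
    REGRESS_INTEROP_PUTTY=yes
    export REGRESS_INTEROP_PUTTY
fi

# Publish the toolchain and test settings to child processes.  CONFIGFLAGS,
# SKIP_LTESTS and SSHD_CONFOPTS are not exported here, so they are visible
# only to the shell that runs this file.
export CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
export TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS TEST_SSH_FAIL_FATAL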