#!/bin/sh
#
# usage: configs vmname test_config (or '' for default)
# NOTE(review): only $1 is read below, and it is used as the test config
# name; the host name is taken from $TARGET_HOST.  Confirm against callers.
#
# Sets the following variables:
# CONFIGFLAGS           options to ./configure
# SSHD_CONFOPTS         sshd_config options
# TEST_TARGET           make target used when testing.  defaults to
#                       "tests compat-tests".
# LTESTS                regress tests to run, for configs that pick a subset
# SKIP_LTESTS           regress tests to skip

# An empty or missing first argument selects the "default" configuration.
config=$1
[ -n "$config" ] || config="default"

# Drop anything inherited from the caller so a stray compiler or flag
# setting cannot leak into the build.
# NOTE(review): SSHD_CONFOPTS is not cleared here, so a value already in the
# environment survives unless one of the configs below overrides it.
unset CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO

CONFIGFLAGS=""
LIBCRYPTOFLAGS=""

LTESTS=""
SKIP_LTESTS=""
TEST_TARGET="tests compat-tests"
SUDO=sudo	# run with sudo by default
# Handed to the test run via the export at the end of this file.  The name
# says it relaxes permission checks in the tests -- NOTE(review): confirm
# what it relaxes and keep it confined to CI hosts.
TEST_SSH_UNSAFE_PERMISSIONS=1
# Stop on first test failure to minimize logs
TEST_SSH_FAIL_FATAL=yes

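# Map the configuration name to compiler, flags and test selection.
# Pattern order matters: the first matching arm wins, so the specific names
# (*-sanitize-*, gcc-11-Werror, pam-krb5) must stay ahead of the catch-all
# arms (clang*|gcc*, *pam).  Unknown names abort with exit status 1.
case "$config" in
    default|sol64)
	;;
    c89)
	CC="gcc"
	CFLAGS="-Wall -std=c89 -pedantic -Werror=vla"
	CONFIGFLAGS="--without-zlib"
	LIBCRYPTOFLAGS="--without-openssl"
	TEST_TARGET=t-exec
	;;
    cygwin-release)
	# See https://cygwin.com/git/?p=git/cygwin-packages/openssh.git;a=blob;f=openssh.cygport;hb=HEAD
	CONFIGFLAGS="--with-xauth=/usr/bin/xauth --with-security-key-builtin"
	CONFIGFLAGS="$CONFIGFLAGS --with-kerberos5=/usr --with-libedit --disable-strip"
	;;
    clang-12-Werror)
	CC="clang-12"
	# clang's implicit-fallthrough requires that the code be annotated with
	# __attribute__((fallthrough)) and does not understand /* FALLTHROUGH */
	CFLAGS="-Wall -Wextra -O2 -Wno-error=implicit-fallthrough -Wno-error=unused-parameter"
	CONFIGFLAGS="--with-pam --with-Werror"
	;;
    *-sanitize-*)
	case "$config" in
	gcc-*)
		CC=gcc
		;;
	clang-*)
		# Find the newest available version of clang: the loop counts
		# upwards, so the last hit (highest number) is the one kept.
		for i in $(seq 10 99); do
		    clang="$(which "clang-$i" 2>/dev/null)"
		    [ -x "$clang" ] && CC="$clang"
		done
		# Without this the job would quietly build with the default
		# compiler and still be reported under a clang name.
		# NOTE(review): consider failing here instead of warning.
		if [ -z "${CC:-}" ]; then
			echo "no clang-NN found on PATH; CC is left unset" >&2
		fi
		;;
	esac
	# Put Sanitizer logs in regress dir.
	SANLOGS="$(pwd)/regress"
	# - We replace chroot with chdir so that the sanitizer in the preauth
	#   privsep process can read /proc.
	# - clang does not recognize explicit_bzero so we use bzero
	#   (see https://github.com/google/sanitizers/issues/1507)
	# - openssl and zlib trip ASAN.
	# - sp_pwdp returned by getspnam trips ASAN, hence disabling shadow.
	# Both substitutions weaken the binaries: there is no chroot
	# confinement, and plain bzero carries no guarantee that a wipe of
	# secret data survives optimisation.
	case "$config" in
	*-sanitize-address)
	    CFLAGS="-fsanitize=address -fno-omit-frame-pointer"
	    LDFLAGS="-fsanitize=address"
	    CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -D_FORTIFY_SOURCE=0 -DASAN_OPTIONS=\"detect_leaks=0:log_path='$SANLOGS'/asan.log\"'
	    CONFIGFLAGS=""
	    TEST_TARGET="t-exec"
	    ;;
	clang-sanitize-memory)
	    CFLAGS="-fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer"
	    LDFLAGS="-fsanitize=memory"
	    CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -DMSAN_OPTIONS=\"log_path='$SANLOGS'/msan.log\"'
	    CONFIGFLAGS="--without-zlib --without-shadow"
	    LIBCRYPTOFLAGS="--without-openssl"
	    TEST_TARGET="t-exec"
	    ;;
	*-sanitize-undefined)
	    CFLAGS="-fsanitize=undefined"
	    LDFLAGS="-fsanitize=undefined"
	    ;;
	*)
	    # Diagnostics go to stderr so they cannot be mistaken for output.
	    echo "unknown sanitize option" >&2
	    exit 1
	    ;;
	esac
	# Security keys and PKCS#11 are left out; the sandbox, the hardening
	# flags and the stack protector are switched off; the privsep user is
	# root.  These are test-only settings: a build configured this way
	# must never be installed or shipped.
	features="--disable-security-key --disable-pkcs11"
	hardening="--without-sandbox --without-hardening --without-stackprotect"
	privsep="--with-privsep-user=root"
	CONFIGFLAGS="$CONFIGFLAGS $features $hardening $privsep"
	# Because we hobble chroot we can't test it.
	SKIP_LTESTS=sftp-chroot
	;;
    gcc-11-Werror)
	CC="gcc"
	# -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
	CFLAGS="-Wall -Wextra -O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter"
	CONFIGFLAGS="--with-pam --with-Werror"
	;;
    clang*|gcc*)
	# The configuration name doubles as the compiler command.
	CC="$config"
	;;
    kitchensink)
	CONFIGFLAGS="--with-kerberos5 --with-libedit --with-pam"
	CONFIGFLAGS="${CONFIGFLAGS} --with-security-key-builtin --with-selinux"
	CFLAGS="-DSK_DEBUG -DSANDBOX_SECCOMP_FILTER_DEBUG"
	;;
    hardenedmalloc)
	CONFIGFLAGS="--with-ldflags=-lhardened_malloc"
	;;
    tcmalloc)
	CONFIGFLAGS="--with-ldflags=-ltcmalloc"
	;;
    krb5|heimdal)
	CONFIGFLAGS="--with-kerberos5"
	;;
    libedit)
	CONFIGFLAGS="--with-libedit"
	;;
    musl)
	CC="musl-gcc"
	CONFIGFLAGS="--without-zlib"
	LIBCRYPTOFLAGS="--without-openssl"
	TEST_TARGET="t-exec"
	;;
    pam-krb5)
	CONFIGFLAGS="--with-pam --with-kerberos5"
	SSHD_CONFOPTS="UsePam yes"
	;;
    *pam)
	CONFIGFLAGS="--with-pam"
	SSHD_CONFOPTS="UsePam yes"
	;;
    boringssl)
	CONFIGFLAGS="--disable-pkcs11"
	LIBCRYPTOFLAGS="--with-ssl-dir=/opt/boringssl --with-rpath=-Wl,-rpath,"
	;;
    libressl-*)
	LIBCRYPTOFLAGS="--with-ssl-dir=/opt/libressl --with-rpath=-Wl,-rpath,"
	;;
    openssl-*)
	LIBCRYPTOFLAGS="--with-ssl-dir=/opt/openssl --with-rpath=-Wl,-rpath,"
	# OpenSSL 1.1.1 specifically has a bug in its RNG that breaks reexec
	# fallback.  See https://bugzilla.mindrot.org/show_bug.cgi?id=3483
	if [ "$config" = "openssl-1.1.1" ]; then
		SKIP_LTESTS="reexec"
	fi
	;;
    selinux)
	CONFIGFLAGS="--with-selinux"
	;;
    sk)
	CONFIGFLAGS="--with-security-key-builtin"
	;;
    without-openssl)
	LIBCRYPTOFLAGS="--without-openssl"
	TEST_TARGET=t-exec
	;;
    valgrind-[1-5]|valgrind-unit)
	# rlimit sandbox and FORTIFY_SOURCE confuse Valgrind.
	# As with the sanitizer builds, dropping the sandbox and hardening
	# makes the result a test artifact only.
	CONFIGFLAGS="--without-sandbox --without-hardening"
	CONFIGFLAGS="$CONFIGFLAGS --with-cppflags=-D_FORTIFY_SOURCE=0"
	TEST_TARGET="t-exec USE_VALGRIND=1"
	TEST_SSH_ELAPSED_TIMES=1
	export TEST_SSH_ELAPSED_TIMES
	# Valgrind slows things down enough that the agent timeout test
	# won't reliably pass, and the unit tests run longer than allowed
	# by github so split into separate tests.
	# NOTE(review): kextype is listed in both tests3 and tests4, so it
	# runs in two of the split jobs -- confirm whether that is intended.
	tests2="integrity try-ciphers"
	tests3="krl forward-control sshsig agent-restrict kextype sftp"
	tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment percent"
	tests5="rekey"
	case "$config" in
	    valgrind-1)
		# All tests except agent-timeout (which is flaky under valgrind),
		# connection-timeout (which doesn't work since it's so slow)
		# and hostbased (since valgrind won't let ssh exec keysign).
		# Slow ones are run separately to increase parallelism.
		SKIP_LTESTS="agent-timeout connection-timeout hostbased"
		SKIP_LTESTS="$SKIP_LTESTS ${tests2} ${tests3} ${tests4} ${tests5}"
		;;
	    valgrind-2)
		LTESTS="${tests2}"
		;;
	    valgrind-3)
		LTESTS="${tests3}"
		;;
	    valgrind-4)
		LTESTS="${tests4}"
		;;
	    valgrind-5)
		LTESTS="${tests5}"
		;;
	    valgrind-unit)
		TEST_TARGET="unit USE_VALGRIND=1"
		;;
	esac
	;;
    *)
	# Diagnostics go to stderr so they cannot be mistaken for output.
	echo "Unknown configuration $config" >&2
	exit 1
	;;
esac
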
# 64-bit Solaris builds are handled apart from the main table because they
# need --target, which is not an ordinary feature flag.  It is prepended to
# whatever CONFIGFLAGS holds at this point, and libcrypto is taken from the
# 64-bit tree under /usr/local/ssl64.
case "$config" in
sol64*)
	CONFIGFLAGS="--target=x86_64 --with-cflags=-m64 --with-ldflags=-m64 $CONFIGFLAGS"
	LIBCRYPTOFLAGS="--with-ssl-dir=/usr/local/ssl64 --with-rpath=-Wl,-rpath,"
	;;
esac

# Per-host adjustments, keyed on $TARGET_HOST from the environment.
# NOTE(review): several arms assign CONFIGFLAGS, LIBCRYPTOFLAGS or
# SKIP_LTESTS outright instead of appending, which discards whatever the
# configuration table chose earlier (the aix arm replaces CONFIGFLAGS, for
# example) -- confirm that this is intended for each host.
case "$TARGET_HOST" in
aix*)
	CONFIGFLAGS="--disable-security-key"
	LIBCRYPTOFLAGS="--without-openssl"
	# These are slow real or virtual machines so skip the slowest tests
	# (which tend to be the ones that transfer lots of data) so that the
	# test run does not time out.
	# The agent-restrict test fails due to some quoting issue when run
	# with sh or ksh so specify bash for now.
	TEST_TARGET="t-exec unit TEST_SHELL=bash"
	SKIP_LTESTS="rekey sftp"
	;;
debian-riscv64)
	# This machine is fairly slow, so skip the unit tests.
	TEST_TARGET="t-exec"
	;;
dfly58*|dfly60*)
	# scp 3-way connection hangs on these so skip until sorted.
	SKIP_LTESTS=scp3
	;;
fbsd6)
	# Native linker is not great with PIC so OpenSSL is built w/out.
	CONFIGFLAGS="$CONFIGFLAGS --disable-security-key"
	;;
hurd)
	SKIP_LTESTS="forwarding multiplex proxy-connect hostkey-agent agent-ptrace"
	;;
minix3)
	CONFIGFLAGS="$CONFIGFLAGS --disable-security-key"
	LIBCRYPTOFLAGS="--without-openssl"
	# Minix does not have a loopback interface so we have to skip any
	# test that relies on one.
	# Also, Minix seems to be very limited in the number of select()
	# calls that can be operating concurrently, so prune additional tests for that.
	T="addrmatch agent-restrict brokenkeys cfgmatch cfgmatchlisten cfgparse
	    connect connect-uri exit-status forwarding hostkey-agent
	    key-options keyscan knownhosts-command login-timeout
	    reconfigure reexec rekey scp scp-uri scp3 sftp sftp-badcmds
	    sftp-batch sftp-cmds sftp-glob sftp-perm sftp-uri stderr-data
	    transfer"
	# Unix domain sockets don't work quite like we expect, so also skip any tests
	# that use multiplexing.
	T="$T connection-timeout dynamic-forward forward-control multiplex"
	# $T is left unquoted on purpose: word splitting folds the newlines
	# and indentation of the list above into single spaces.
	SKIP_LTESTS="$(echo $T)"
	TEST_TARGET=t-exec
	SUDO=""
	;;
nbsd4)
	# System compiler will ICE on some files with fstack-protector
	# SHA256 functions in sha2.h conflict with OpenSSL's breaking sk-dummy
	CONFIGFLAGS="$CONFIGFLAGS --without-hardening --disable-security-key"
	;;
openwrt-*)
	CONFIGFLAGS="$CONFIGFLAGS --without-zlib"
	LIBCRYPTOFLAGS="--without-openssl"
	TEST_TARGET="t-exec"
	;;
sol10|sol11)
	# sol10 VM is 32bit and the unit tests are slow.
	# sol11 has 4 test configs so skip unit tests to speed up.
	TEST_TARGET="tests SKIP_UNIT=1"
	;;
win10)
	# No sudo on Windows.
	SUDO=""
	;;
esac

# Adjust for the build platform as reported by ./config.guess, which is run
# from the current directory.
host="$(./config.guess)"
case "$host" in
*cygwin)
	SUDO=""
	# Don't run compat tests on cygwin as they don't currently compile.
	TEST_TARGET="tests"
	;;
*-darwin*)
	# Unless specified otherwise, build without OpenSSL on Mac OS since
	# modern versions don't ship with libcrypto.
	# NOTE(review): the two assignments below are unconditional, so they
	# also replace a LIBCRYPTOFLAGS or TEST_TARGET chosen earlier.
	LIBCRYPTOFLAGS="--without-openssl"
	TEST_TARGET=t-exec
	case "$host" in
	*-darwin22.*)
		# sudo -S nobody doesn't work on macos 13 for some reason.
		SKIP_LTESTS="agent-getpeereid"
		;;
	esac
	;;
esac

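# Unless specifically configured, search for a suitable version of OpenSSL,
# otherwise build without it.
#
# Each candidate prefix is probed by running its bin/openssl.  Releases
# matched by the reject patterns below are skipped; anything else that
# reports a version is accepted.  When nothing qualifies the build falls
# back to --without-openssl and only the t-exec target is run, so a missing
# or broken OpenSSL install changes what the job covers.
if [ -z "${LIBCRYPTOFLAGS}" ]; then
	LIBCRYPTOFLAGS="--without-openssl"
	# last-match: a later directory in the list overrides an earlier one.
	for i in /usr /usr/local /usr/local/ssl /usr/local/opt/openssl; do
		ver="none"
		if [ -x "${i}/bin/openssl" ]; then
			# A binary that fails to run, or prints nothing, says
			# nothing about the library next to it; treat it as
			# absent rather than letting it through the catch-all.
			ver="$("${i}/bin/openssl" version)" || ver="none"
		fi
		case "$ver" in
			""|none) ;;
			"OpenSSL 0."*|"OpenSSL 1.0."*|"OpenSSL 1.1.0"*) ;;
			"LibreSSL 2."*|"LibreSSL 3.0."*) ;;
			*) LIBCRYPTOFLAGS="--with-ssl-dir=${i}" ;;
		esac
	done
	if [ "${LIBCRYPTOFLAGS}" = "--without-openssl" ]; then
		TEST_TARGET="t-exec"
	fi
fi
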
# Fold the libcrypto selection into the options for ./configure.
CONFIGFLAGS="$CONFIGFLAGS $LIBCRYPTOFLAGS"

# Turn on the PuTTY interop tests only where a plink executable is on PATH.
[ -x "$(which plink 2>/dev/null)" ] && {
	REGRESS_INTEROP_PUTTY=yes
	export REGRESS_INTEROP_PUTTY
}

# Hand the build and test settings to child processes.  CONFIGFLAGS,
# LIBCRYPTOFLAGS, SKIP_LTESTS and SSHD_CONFOPTS are not exported by this
# file and stay plain shell variables.
export CC CFLAGS CPPFLAGS LDFLAGS
export LTESTS SUDO TEST_TARGET
export TEST_SSH_UNSAFE_PERMISSIONS TEST_SSH_FAIL_FATAL
