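#!/bin/sh
#
# usage: configs test_config  (or '' for default)
#
# Maps a CI test configuration name to the compiler, ./configure and
# regress-test settings used for that run.
#
# Inputs:
#   $1            test configuration name; empty selects "default".
#   TARGET_HOST   (environment) name of the VM/host under test; selects the
#                 host-specific overrides further down.
#   ./config.guess is run from the current directory to detect the platform.
#
# NOTE(review): earlier revisions of this header listed "vmname" as the
# first argument, but the code below reads the config from $1 and the host
# from TARGET_HOST.
#
# Presumably sourced by the CI scripts (the unexported variables are only
# visible that way); note that the "exit 1" paths then terminate the
# sourcing shell.
#
# Sets the following variables:
#   CC CFLAGS CPPFLAGS LDFLAGS   compiler settings (exported)
#   CONFIGFLAGS     options to ./configure (LIBCRYPTOFLAGS appended at the end)
#   LIBCRYPTOFLAGS  libcrypto-related ./configure options
#   SSHD_CONFOPTS   sshd_config options
#   TEST_TARGET     make target used when testing.  defaults to
#                   "tests compat-tests". (exported)
#   LTESTS          subset of regress tests to run; empty unless a
#                   valgrind-N config selects one (exported)
#   SKIP_LTESTS     regress tests to skip
#   SUDO            privilege-escalation command, or empty (exported)
#   TEST_SSH_UNSAFE_PERMISSIONS, TEST_SSH_FAIL_FATAL   (exported)
#   INSTALL_ZLIB, TEST_SSH_ELAPSED_TIMES, REGRESS_INTEROP_PUTTY
#                   set only by the configs/conditions that need them.
#
# NOTE(review): SSHD_CONFOPTS is never reset here, so a value already
# present in the caller's environment survives for configs that do not
# assign it -- confirm callers start from a clean environment.

config=$1
if [ "$config" = "" ]; then
    config="default"
fi

unset CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO

TEST_TARGET="tests compat-tests"
LTESTS=""
SKIP_LTESTS=""
SUDO=sudo    # run with sudo by default
# NOTE(review): presumably relaxes the regress harness's file-permission
# checks for CI checkouts -- confirm against the harness before reusing
# this environment anywhere but a throwaway test machine.
TEST_SSH_UNSAFE_PERMISSIONS=1
# Stop on first test failure to minimize logs
TEST_SSH_FAIL_FATAL=yes

CONFIGFLAGS=""
LIBCRYPTOFLAGS=""

case "$config" in
    default|sol64)
        ;;
    c89)
        # If we don't have LLONG_MAX, configure will figure out that it can
        # get it by setting -std=gnu99, at which point we won't be testing
        # C89 any more.  To avoid this, feed it in via CFLAGS.
        llong_max=$(gcc -E -dM - </dev/null |
            awk '$2=="__LONG_LONG_MAX__"{print $3}')
        CPPFLAGS="-DLLONG_MAX=${llong_max}"

        CC="gcc"
        CFLAGS="-Wall -std=c89 -pedantic -Werror=vla"
        CONFIGFLAGS="--without-zlib"
        LIBCRYPTOFLAGS="--without-openssl"
        TEST_TARGET=t-exec
        ;;
    cygwin-release)
        # See https://cygwin.com/git/?p=git/cygwin-packages/openssh.git;a=blob;f=openssh.cygport;hb=HEAD
        CONFIGFLAGS="--with-xauth=/usr/bin/xauth --with-security-key-builtin"
        CONFIGFLAGS="$CONFIGFLAGS --with-kerberos5=/usr --with-libedit --disable-strip"
        ;;
    clang-12-Werror)
        CC="clang-12"
        # clang's implicit-fallthrough requires that the code be annotated with
        # __attribute__((fallthrough)) and does not understand /* FALLTHROUGH */
        CFLAGS="-Wall -Wextra -O2 -Wno-error=implicit-fallthrough -Wno-error=unused-parameter"
        CONFIGFLAGS="--with-pam --with-Werror"
        ;;
    *-sanitize-*)
        case "$config" in
            gcc-*)
                CC=gcc
                ;;
            clang-*)
                # Find the newest available version of clang: the loop
                # counts upwards, so the last executable found wins.
                # NOTE(review): if no clang-NN is installed CC stays unset
                # and the compiler is whatever configure picks by default.
                for i in $(seq 10 99); do
                    clang="$(which "clang-$i" 2>/dev/null)"
                    [ -x "$clang" ] && CC="$clang"
                done
                ;;
        esac
        # Put Sanitizer logs in regress dir.
        SANLOGS="$(pwd)/regress"
        # - We replace chroot with chdir so that the sanitizer in the preauth
        #   privsep process can read /proc.
        # - clang does not recognize explicit_bzero so we use bzero
        #   (see https://github.com/google/sanitizers/issues/1507)
        # - openssl and zlib trip ASAN.
        # - sp_pwdp returned by getspnam trips ASAN, hence disabling shadow.
        #
        # Security note: these substitutions are instrumentation-only.
        # -Dchroot=chdir removes the filesystem confinement of the privsep
        # child, and a plain bzero may be optimised away, so secrets are not
        # guaranteed to be wiped.  Combined with the configure flags below
        # (no sandbox, no hardening, no stack protector, privsep user root)
        # the resulting binaries are only suitable for the test run itself.
        case "$config" in
            *-sanitize-address)
                CFLAGS="-fsanitize=address -fno-omit-frame-pointer"
                LDFLAGS="-fsanitize=address"
                # The sanitizer runtime options are baked in as a string
                # macro; leak detection is switched off.
                CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -D_FORTIFY_SOURCE=0 -DASAN_OPTIONS=\"detect_leaks=0:log_path='"$SANLOGS"'/asan.log\"'
                CONFIGFLAGS=""
                TEST_TARGET="t-exec"
                ;;
            clang-sanitize-memory)
                CFLAGS="-fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer"
                LDFLAGS="-fsanitize=memory"
                CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -DMSAN_OPTIONS=\"log_path='"$SANLOGS"'/msan.log\"'
                CONFIGFLAGS="--without-zlib --without-shadow"
                LIBCRYPTOFLAGS="--without-openssl"
                TEST_TARGET="t-exec"
                ;;
            *-sanitize-undefined)
                CFLAGS="-fsanitize=undefined"
                LDFLAGS="-fsanitize=undefined"
                ;;
            *)
                # Diagnostics go to stderr so they cannot be mistaken for
                # output by a caller capturing stdout.
                echo unknown sanitize option >&2
                exit 1
                ;;
        esac
        features="--disable-security-key --disable-pkcs11"
        hardening="--without-sandbox --without-hardening --without-stackprotect"
        privsep="--with-privsep-user=root"
        CONFIGFLAGS="$CONFIGFLAGS $features $hardening $privsep"
        # Because we hobble chroot we can't test it.
        SKIP_LTESTS=sftp-chroot
        ;;
    gcc-11-Werror)
        CC="gcc-11"
        # -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
        # -Wunused-result ignores (void) so is not useful.  See
        # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66425
        CFLAGS="-O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter -Wno-unused-result"
        CONFIGFLAGS="--with-pam --with-Werror"
        ;;
    gcc-12-Werror)
        CC="gcc-12"
        # -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
        # -Wunused-result ignores (void) so is not useful.  See
        # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66425
        CFLAGS="-O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter -Wno-unused-result"
        CONFIGFLAGS="--with-pam --with-Werror"
        ;;
    clang*|gcc*)
        # The config name itself is used as the compiler command, so it
        # must only ever come from the CI job definition.
        CC="$config"
        ;;
    kitchensink)
        CONFIGFLAGS="--with-kerberos5 --with-libedit --with-pam"
        CONFIGFLAGS="${CONFIGFLAGS} --with-security-key-builtin --with-selinux"
        CFLAGS="-DSK_DEBUG -DSANDBOX_SECCOMP_FILTER_DEBUG"
        ;;
    hardenedmalloc)
        CONFIGFLAGS="--with-ldflags=-lhardened_malloc"
        ;;
    tcmalloc)
        CONFIGFLAGS="--with-ldflags=-ltcmalloc"
        ;;
    krb5|heimdal)
        CONFIGFLAGS="--with-kerberos5"
        ;;
    libedit)
        CONFIGFLAGS="--with-libedit"
        ;;
    musl)
        CC="musl-gcc"
        CONFIGFLAGS="--without-zlib"
        LIBCRYPTOFLAGS="--without-openssl"
        TEST_TARGET="t-exec"
        ;;
    pam-krb5)
        CONFIGFLAGS="--with-pam --with-kerberos5"
        SSHD_CONFOPTS="UsePam yes"
        ;;
    *pam)
        CONFIGFLAGS="--with-pam"
        SSHD_CONFOPTS="UsePam yes"
        ;;
    boringssl)
        CONFIGFLAGS="--disable-pkcs11"
        LIBCRYPTOFLAGS="--with-ssl-dir=/opt/boringssl --with-rpath=-Wl,-rpath,"
        ;;
    libressl-*)
        LIBCRYPTOFLAGS="--with-ssl-dir=/opt/libressl --with-rpath=-Wl,-rpath,"
        ;;
    putty-*)
        CONFIGFLAGS="--with-plink=/usr/local/bin/plink --with-puttygen=/usr/local/bin/puttygen"
        # We don't need to rerun the regular tests, just the interop ones.
        TEST_TARGET=interop-tests
        ;;
    openssl-*)
        LIBCRYPTOFLAGS="--with-ssl-dir=/opt/openssl --with-rpath=-Wl,-rpath,"
        # OpenSSL 1.1.1 specifically has a bug in its RNG that breaks reexec
        # fallback.  See https://bugzilla.mindrot.org/show_bug.cgi?id=3483
        if [ "$config" = "openssl-1.1.1" ]; then
            SKIP_LTESTS="reexec"
        fi
        ;;
    selinux)
        CONFIGFLAGS="--with-selinux"
        ;;
    sk)
        CONFIGFLAGS="--with-security-key-builtin"
        ;;
    without-openssl)
        LIBCRYPTOFLAGS="--without-openssl"
        TEST_TARGET=t-exec
        ;;
    valgrind-[1-5]|valgrind-unit)
        # rlimit sandbox and FORTIFY_SOURCE confuse Valgrind.
        # As with the sanitizer configs, the sandbox and hardening are off
        # in these builds, so they are for the test run only.
        CONFIGFLAGS="--without-sandbox --without-hardening"
        CONFIGFLAGS="$CONFIGFLAGS --with-cppflags=-D_FORTIFY_SOURCE=0"
        TEST_TARGET="t-exec USE_VALGRIND=1"
        TEST_SSH_ELAPSED_TIMES=1
        export TEST_SSH_ELAPSED_TIMES
        # Valgrind slows things down enough that the agent timeout test
        # won't reliably pass, and the unit tests run longer than allowed
        # by github so split into separate tests.
        tests2="integrity try-ciphers"
        tests3="krl forward-control sshsig agent-restrict kextype sftp"
        tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment percent"
        tests5="rekey"
        case "$config" in
            valgrind-1)
                # All tests except agent-timeout (which is flaky under valgrind),
                # connection-timeout (which doesn't work since it's so slow)
                # and hostbased (since valgrind won't let ssh exec keysign).
                # Slow ones are run separately to increase parallelism.
                SKIP_LTESTS="agent-timeout connection-timeout hostbased"
                SKIP_LTESTS="$SKIP_LTESTS ${tests2} ${tests3} ${tests4} ${tests5}"
                ;;
            valgrind-2)
                LTESTS="${tests2}"
                ;;
            valgrind-3)
                LTESTS="${tests3}"
                ;;
            valgrind-4)
                LTESTS="${tests4}"
                ;;
            valgrind-5)
                LTESTS="${tests5}"
                ;;
            valgrind-unit)
                TEST_TARGET="unit USE_VALGRIND=1"
                ;;
        esac
        ;;
    zlib-develop)
        INSTALL_ZLIB=develop
        CONFIGFLAGS="--with-zlib=/opt/zlib --with-rpath=-Wl,-rpath,"
        ;;
    *)
        echo "Unknown configuration $config" >&2
        exit 1
        ;;
esac

# The Solaris 64bit targets are special since they need a non-flag arg.
case "$config" in
    sol64*)
        CONFIGFLAGS="--target=x86_64 --with-cflags=-m64 --with-ldflags=-m64 ${CONFIGFLAGS}"
        LIBCRYPTOFLAGS="--with-ssl-dir=/usr/local/ssl64 --with-rpath=-Wl,-rpath,"
        ;;
esac

# Host-specific overrides.  These run after the config selection above, so
# a plain assignment here replaces what the config chose.
case "${TARGET_HOST}" in
    aix*)
        # NOTE(review): unlike most host branches this assigns CONFIGFLAGS
        # instead of appending, discarding the config's flags -- confirm
        # that is intended.
        CONFIGFLAGS="--disable-security-key"
        LIBCRYPTOFLAGS="--without-openssl"
        # These are slow real or virtual machines so skip the slowest tests
        # (which tend to be the ones that transfer lots of data) so that the
        # test run does not time out.
        # The agent-restrict test fails due to some quoting issue when run
        # with sh or ksh so specify bash for now.
        TEST_TARGET="t-exec unit TEST_SHELL=bash"
        SKIP_LTESTS="rekey sftp"
        ;;
    debian-riscv64)
        # This machine is fairly slow, so skip the unit tests.
        TEST_TARGET="t-exec"
        ;;
    dfly58*|dfly60*)
        # scp 3-way connection hangs on these so skip until sorted.
        SKIP_LTESTS=scp3
        ;;
    fbsd6)
        # Native linker is not great with PIC so OpenSSL is built w/out.
        CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
        ;;
    hurd)
        SKIP_LTESTS="forwarding multiplex proxy-connect hostkey-agent agent-ptrace"
        ;;
    minix3)
        CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
        # Unix domain sockets don't work quite like we expect, so also
        # disable FD passing (and thus multiplexing).
        CONFIGFLAGS="${CONFIGFLAGS} --disable-fd-passing"
        LIBCRYPTOFLAGS="--without-openssl"

        # Minix does not have a loopback interface so we have to skip any
        # test that relies on one.
        # Also, Minix seems to be very limited in the number of select()
        # calls that can be operating concurrently, so prune additional tests for that.
        T="addrmatch agent-restrict brokenkeys cfgmatch cfgmatchlisten cfgparse
            connect connect-uri dynamic-forward exit-status forwarding
            forward-control
            hostkey-agent key-options keyscan knownhosts-command login-timeout
            reconfigure reexec rekey scp scp-uri scp3 sftp sftp-badcmds
            sftp-batch sftp-cmds sftp-glob sftp-perm sftp-uri stderr-data
            transfer"
        # $T is deliberately unquoted: word splitting folds the multi-line
        # list into a single space-separated line.
        SKIP_LTESTS="$(echo $T)"
        TEST_TARGET=t-exec
        SUDO=""
        ;;
    nbsd4)
        # System compiler will ICE on some files with fstack-protector
        # SHA256 functions in sha2.h conflict with OpenSSL's breaking sk-dummy
        CONFIGFLAGS="${CONFIGFLAGS} --without-hardening --disable-security-key"
        ;;
    openwrt-*)
        CONFIGFLAGS="${CONFIGFLAGS} --without-zlib"
        LIBCRYPTOFLAGS="--without-openssl"
        TEST_TARGET="t-exec"
        ;;
    sol10|sol11)
        # sol10 VM is 32bit and the unit tests are slow.
        # sol11 has 4 test configs so skip unit tests to speed up.
        TEST_TARGET="tests SKIP_UNIT=1"
        ;;
    win10)
        # No sudo on Windows.
        SUDO=""
        ;;
esac

# Platform detection; if ./config.guess cannot be run, host is empty and
# none of the branches below apply.
host=$(./config.guess)
case "$host" in
*cygwin)
    SUDO=""
    # Don't run compat tests on cygwin as they don't currently compile.
    TEST_TARGET="tests"
    ;;
*-darwin*)
    # Unless specified otherwise, build without OpenSSL on Mac OS since
    # modern versions don't ship with libcrypto.
    LIBCRYPTOFLAGS="--without-openssl"
    TEST_TARGET=t-exec

    # On some OS X runners we can't write to /var/empty.
    CONFIGFLAGS="${CONFIGFLAGS} --with-privsep-path=/usr/local/empty"

    case "$host" in
    *-darwin22.*)
        # sudo -S nobody doesn't work on macos 13 for some reason.
        SKIP_LTESTS="agent-getpeereid" ;;
    esac
    ;;
esac

# Unless specifically configured, search for a suitable version of OpenSSL,
# otherwise build without it.
if [ -z "${LIBCRYPTOFLAGS}" ]; then
    LIBCRYPTOFLAGS="--without-openssl"
    # last-match: every prefix is probed and the last acceptable one wins.
    for i in /usr /usr/local /usr/local/ssl /usr/local/opt/openssl; do
        ver="none"
        if [ -x "${i}/bin/openssl" ]; then
            ver="$("${i}/bin/openssl" version)"
        fi
        case "$ver" in
            none) ;;
            # Releases on these branches are not used.
            "OpenSSL 0."*|"OpenSSL 1.0."*|"OpenSSL 1.1.0"*) ;;
            "LibreSSL 2."*|"LibreSSL 3.0."*) ;;
            *) LIBCRYPTOFLAGS="--with-ssl-dir=${i}" ;;
        esac
    done
    if [ "${LIBCRYPTOFLAGS}" = "--without-openssl" ]; then
        TEST_TARGET="t-exec"
    fi
fi

CONFIGFLAGS="${CONFIGFLAGS} ${LIBCRYPTOFLAGS}"

# Enable the PuTTY interop tests only when plink is actually on PATH.
if [ -x "$(which plink 2>/dev/null)" ]; then
    REGRESS_INTEROP_PUTTY=yes
    export REGRESS_INTEROP_PUTTY
fi

export CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
export TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS TEST_SSH_FAIL_FATAL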