summaryrefslogtreecommitdiffstats
path: root/.github/configs
diff options
context:
space:
mode:
Diffstat (limited to '')
-rwxr-xr-x.github/configs313
1 files changed, 313 insertions, 0 deletions
diff --git a/.github/configs b/.github/configs
new file mode 100755
index 0000000..bdd5ddb
--- /dev/null
+++ b/.github/configs
@@ -0,0 +1,313 @@
+#!/bin/sh
+#
+# usage: configs vmname test_config (or '' for default)
+#
+# Sets the following variables:
+# CONFIGFLAGS options to ./configure
+# SSHD_CONFOPTS sshd_config options
+# TEST_TARGET make target used when testing. defaults to "tests".
+# LTESTS
+
+config=$1
+if [ "$config" = "" ]; then
+ config="default"
+fi
+
+unset CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
+
+TEST_TARGET="tests compat-tests"
+LTESTS=""
+SKIP_LTESTS=""
+SUDO=sudo # run with sudo by default
+TEST_SSH_UNSAFE_PERMISSIONS=1
+# Stop on first test failure to minimize logs
+TEST_SSH_FAIL_FATAL=yes
+
+CONFIGFLAGS=""
+LIBCRYPTOFLAGS=""
+
+case "$config" in
+ default|sol64)
+ ;;
+ c89)
+ CC="gcc"
+ CFLAGS="-Wall -std=c89 -pedantic -Werror=vla"
+ CONFIGFLAGS="--without-zlib"
+ LIBCRYPTOFLAGS="--without-openssl"
+ TEST_TARGET=t-exec
+ ;;
+ cygwin-release)
+ # See https://cygwin.com/git/?p=git/cygwin-packages/openssh.git;a=blob;f=openssh.cygport;hb=HEAD
+ CONFIGFLAGS="--with-xauth=/usr/bin/xauth --with-security-key-builtin"
+ CONFIGFLAGS="$CONFIGFLAGS --with-kerberos5=/usr --with-libedit --disable-strip"
+ ;;
+ clang-12-Werror)
+ CC="clang-12"
+ # clang's implicit-fallthrough requires that the code be annotated with
+ # __attribute__((fallthrough)) and does not understand /* FALLTHROUGH */
+ CFLAGS="-Wall -Wextra -O2 -Wno-error=implicit-fallthrough -Wno-error=unused-parameter"
+ CONFIGFLAGS="--with-pam --with-Werror"
+ ;;
+ *-sanitize-*)
+ case "$config" in
+ gcc-*)
+ CC=gcc
+ ;;
+ clang-*)
+ # Find the newest available version of clang
+ for i in `seq 10 99`; do
+ clang="`which clang-$i 2>/dev/null`"
+ [ -x "$clang" ] && CC="$clang"
+ done
+ ;;
+ esac
+ # Put Sanitizer logs in regress dir.
+ SANLOGS=`pwd`/regress
+ # - We replace chroot with chdir so that the sanitizer in the preauth
+ # privsep process can read /proc.
+ # - clang does not recognizes explicit_bzero so we use bzero
+ # (see https://github.com/google/sanitizers/issues/1507
+ # - openssl and zlib trip ASAN.
+ # - sp_pwdp returned by getspnam trips ASAN, hence disabling shadow.
+ case "$config" in
+ *-sanitize-address)
+ CFLAGS="-fsanitize=address -fno-omit-frame-pointer"
+ LDFLAGS="-fsanitize=address"
+ CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -D_FORTIFY_SOURCE=0 -DASAN_OPTIONS=\"detect_leaks=0:log_path='$SANLOGS'/asan.log\"'
+ CONFIGFLAGS=""
+ TEST_TARGET="t-exec"
+ ;;
+ clang-sanitize-memory)
+ CFLAGS="-fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer"
+ LDFLAGS="-fsanitize=memory"
+ CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -DMSAN_OPTIONS=\"log_path='$SANLOGS'/msan.log\"'
+ CONFIGFLAGS="--without-openssl --without-zlib --without-shadow"
+ TEST_TARGET="t-exec"
+ ;;
+ *-sanitize-undefined)
+ CFLAGS="-fsanitize=undefined"
+ LDFLAGS="-fsanitize=undefined"
+ ;;
+ *)
+ echo unknown sanitize option;
+ exit 1;;
+ esac
+ features="--disable-security-key --disable-pkcs11"
+ hardening="--without-sandbox --without-hardening --without-stackprotect"
+ privsep="--with-privsep-user=root"
+ CONFIGFLAGS="$CONFIGFLAGS $features $hardening $privsep"
+ # Because we hobble chroot we can't test it.
+ SKIP_LTESTS=sftp-chroot
+ ;;
+ gcc-11-Werror)
+ CC="gcc"
+ # -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
+ CFLAGS="-Wall -Wextra -O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter"
+ CONFIGFLAGS="--with-pam --with-Werror"
+ ;;
+ clang*|gcc*)
+ CC="$config"
+ ;;
+ kitchensink)
+ CONFIGFLAGS="--with-kerberos5 --with-libedit --with-pam"
+ CONFIGFLAGS="${CONFIGFLAGS} --with-security-key-builtin --with-selinux"
+ CFLAGS="-DSK_DEBUG -DSANDBOX_SECCOMP_FILTER_DEBUG"
+ ;;
+ hardenedmalloc)
+ CONFIGFLAGS="--with-ldflags=-lhardened_malloc"
+ ;;
+ tcmalloc)
+ CONFIGFLAGS="--with-ldflags=-ltcmalloc"
+ ;;
+ krb5|heimdal)
+ CONFIGFLAGS="--with-kerberos5"
+ ;;
+ libedit)
+ CONFIGFLAGS="--with-libedit"
+ ;;
+ musl)
+ CC="musl-gcc"
+ CONFIGFLAGS="--without-zlib"
+ LIBCRYPTOFLAGS="--without-openssl"
+ TEST_TARGET="t-exec"
+ ;;
+ pam-krb5)
+ CONFIGFLAGS="--with-pam --with-kerberos5"
+ SSHD_CONFOPTS="UsePam yes"
+ ;;
+ *pam)
+ CONFIGFLAGS="--with-pam"
+ SSHD_CONFOPTS="UsePam yes"
+ ;;
+ libressl-*)
+ LIBCRYPTOFLAGS="--with-ssl-dir=/opt/libressl --with-rpath=-Wl,-rpath,"
+ ;;
+ openssl-*)
+ LIBCRYPTOFLAGS="--with-ssl-dir=/opt/openssl --with-rpath=-Wl,-rpath,"
+ # OpenSSL 1.1.1 specifically has a bug in its RNG that breaks reexec
+ # fallback. See https://bugzilla.mindrot.org/show_bug.cgi?id=3483
+ if [ "$config" = "openssl-1.1.1" ]; then
+ SKIP_LTESTS="reexec"
+ fi
+ ;;
+ selinux)
+ CONFIGFLAGS="--with-selinux"
+ ;;
+ sk)
+ CONFIGFLAGS="--with-security-key-builtin"
+ ;;
+ without-openssl)
+ LIBCRYPTOFLAGS="--without-openssl"
+ TEST_TARGET=t-exec
+ ;;
+ valgrind-[1-5]|valgrind-unit)
+ # rlimit sandbox and FORTIFY_SOURCE confuse Valgrind.
+ CONFIGFLAGS="--without-sandbox --without-hardening"
+ CONFIGFLAGS="$CONFIGFLAGS --with-cppflags=-D_FORTIFY_SOURCE=0"
+ TEST_TARGET="t-exec USE_VALGRIND=1"
+ TEST_SSH_ELAPSED_TIMES=1
+ export TEST_SSH_ELAPSED_TIMES
+ # Valgrind slows things down enough that the agent timeout test
+ # won't reliably pass, and the unit tests run longer than allowed
+ # by github so split into separate tests.
+ tests2="integrity try-ciphers"
+ tests3="krl forward-control sshsig agent-restrict kextype sftp"
+ tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment percent"
+ tests5="rekey"
+ case "$config" in
+ valgrind-1)
+ # All tests except agent-timeout (which is flaky under valgrind),
+ # connection-timeout (which doesn't work since it's so slow)
+ # and hostbased (since valgrind won't let ssh exec keysign).
+ # Slow ones are run separately to increase parallelism.
+ SKIP_LTESTS="agent-timeout connection-timeout hostbased"
+ SKIP_LTESTS="$SKIP_LTESTS ${tests2} ${tests3} ${tests4} ${tests5}"
+ ;;
+ valgrind-2)
+ LTESTS="${tests2}"
+ ;;
+ valgrind-3)
+ LTESTS="${tests3}"
+ ;;
+ valgrind-4)
+ LTESTS="${tests4}"
+ ;;
+ valgrind-5)
+ LTESTS="${tests5}"
+ ;;
+ valgrind-unit)
+ TEST_TARGET="unit USE_VALGRIND=1"
+ ;;
+ esac
+ ;;
+ *)
+ echo "Unknown configuration $config"
+ exit 1
+ ;;
+esac
+
+# The Solaris 64bit targets are special since they need a non-flag arg.
+case "$config" in
+ sol64*)
+ CONFIGFLAGS="x86_64 --with-cflags=-m64 --with-ldflags=-m64 ${CONFIGFLAGS}"
+ LIBCRYPTOFLAGS="--with-ssl-dir=/usr/local/ssl64"
+ ;;
+esac
+
+case "${TARGET_HOST}" in
+ aix*)
+ # These are slow real or virtual machines so skip the slowest tests
+ # (which tend to be thw ones that transfer lots of data) so that the
+ # test run does not time out.
+ # The agent-restrict test fails due to some quoting issue when run
+ # with sh or ksh so specify bash for now.
+ TEST_TARGET="t-exec TEST_SHELL=bash"
+ SKIP_LTESTS="rekey sftp"
+ ;;
+ debian-riscv64)
+ # This machine is fairly slow, so skip the unit tests.
+ TEST_TARGET="t-exec"
+ ;;
+ dfly58*|dfly60*)
+ # scp 3-way connection hangs on these so skip until sorted.
+ SKIP_LTESTS=scp3
+ ;;
+ fbsd6)
+ # Native linker is not great with PIC so OpenSSL is built w/out.
+ CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
+ ;;
+ hurd)
+ SKIP_LTESTS="forwarding multiplex proxy-connect hostkey-agent agent-ptrace"
+ ;;
+ minix3)
+ LIBCRYPTOFLAGS="--without-openssl --disable-security-key"
+ # Minix does not have a loopback interface so we have to skip any
+ # test that relies on one.
+ # Also, Minix seems to be very limited in the number of select()
+ # calls that can be operating concurrently, so prune additional tests for that.
+ T="addrmatch agent-restrict brokenkeys cfgmatch cfgmatchlisten cfgparse
+ connect connect-uri exit-status forwarding hostkey-agent
+ key-options keyscan knownhosts-command login-timeout
+ reconfigure reexec rekey scp scp-uri scp3 sftp sftp-badcmds
+ sftp-batch sftp-cmds sftp-glob sftp-perm sftp-uri stderr-data
+ transfer"
+ # Unix domain sockets don't work quite like we expect, so also skip any tests
+ # that use multiplexing.
+ T="$T connection-timeout dynamic-forward forward-control multiplex"
+ SKIP_LTESTS="$(echo $T)"
+ TEST_TARGET=t-exec
+ SUDO=""
+ ;;
+ nbsd4)
+ # System compiler will ICE on some files with fstack-protector
+ # SHA256 functions in sha2.h conflict with OpenSSL's breaking sk-dummy
+ CONFIGFLAGS="${CONFIGFLAGS} --without-hardening --disable-security-key"
+ ;;
+ openwrt-*)
+ CONFIGFLAGS="${CONFIGFLAGS} --without-openssl --without-zlib"
+ TEST_TARGET="t-exec"
+ ;;
+ sol10|sol11)
+ # sol10 VM is 32bit and the unit tests are slow.
+ # sol11 has 4 test configs so skip unit tests to speed up.
+ TEST_TARGET="tests SKIP_UNIT=1"
+ ;;
+ win10)
+ # No sudo on Windows.
+ SUDO=""
+ ;;
+esac
+
+case "`./config.guess`" in
+*cygwin)
+ SUDO=""
+ # Don't run compat tests on cygwin as they don't currently compile.
+ TEST_TARGET="tests"
+ ;;
+*-darwin*)
+ # Unless specified otherwise, build without OpenSSL on Mac OS since
+ # modern versions don't ship with libcrypto.
+ LIBCRYPTOFLAGS="--without-openssl"
+ TEST_TARGET=t-exec
+ ;;
+esac
+
+# If we have a local openssl/libressl, use that.
+if [ -z "${LIBCRYPTOFLAGS}" ]; then
+ # last-match
+ for i in /usr/local /usr/local/ssl /usr/local/opt/openssl; do
+ if [ -x ${i}/bin/openssl ]; then
+ LIBCRYPTOFLAGS="--with-ssl-dir=${i}"
+ fi
+ done
+fi
+
+CONFIGFLAGS="${CONFIGFLAGS} ${LIBCRYPTOFLAGS}"
+
+if [ -x "$(which plink 2>/dev/null)" ]; then
+ REGRESS_INTEROP_PUTTY=yes
+ export REGRESS_INTEROP_PUTTY
+fi
+
+export CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
+export TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS TEST_SSH_FAIL_FATAL