blob: f0f2761c71076646c91dee83bdb05a81c781f499 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
|
#!/bin/sh
PACKAGES=""
. .github/configs $@
host=`./config.guess`
echo "config.guess: $host"
case "$host" in
*cygwin)
PACKAGER=setup
echo Setting CYGWIN system environment variable.
setx CYGWIN "binmode"
echo Removing extended ACLs so umask works as expected.
setfacl -b . regress
PACKAGES="$PACKAGES,autoconf,automake,cygwin-devel,gcc-core"
PACKAGES="$PACKAGES,make,openssl-devel,zlib-devel"
;;
*-darwin*)
PACKAGER=brew
PACKAGES="automake"
;;
*)
PACKAGER=apt
esac
TARGETS=$@
INSTALL_FIDO_PPA="no"
export DEBIAN_FRONTEND=noninteractive
set -e
if [ -x "`which lsb_release 2>&1`" ]; then
lsb_release -a
fi
if [ ! -z "$SUDO" ]; then
# Ubuntu 22.04 defaults to private home dirs which prevent the
# agent-getpeerid test from running ssh-add as nobody. See
# https://github.com/actions/runner-images/issues/6106
if ! "$SUDO" -u nobody test -x ~; then
echo ~ is not executable by nobody, adding perms.
chmod go+x ~
fi
# Some of the Mac OS X runners don't have a nopasswd sudo rule. Regular
# sudo still works, but sudo -u doesn't. Restore the sudo rule.
if ! "$SUDO" grep -E 'runner.*NOPASSWD' /etc/passwd >/dev/null; then
echo "Restoring runner nopasswd rule to sudoers."
echo 'runner ALL=(ALL) NOPASSWD: ALL' |$SUDO tee -a /etc/sudoers
fi
if ! "$SUDO" -u nobody -S test -x ~ </dev/null; then
echo "Still can't sudo to nobody."
exit 1
fi
fi
if [ "${TARGETS}" = "kitchensink" ]; then
TARGETS="krb5 libedit pam sk selinux"
fi
for flag in $CONFIGFLAGS; do
case "$flag" in
--with-pam) TARGETS="${TARGETS} pam" ;;
--with-libedit) TARGETS="${TARGETS} libedit" ;;
esac
done
echo "Setting up for '$TARGETS'"
for TARGET in $TARGETS; do
case $TARGET in
default|without-openssl|without-zlib|c89)
# nothing to do
;;
clang-sanitize*)
PACKAGES="$PACKAGES clang-12"
;;
cygwin-release)
PACKAGES="$PACKAGES libcrypt-devel libfido2-devel libkrb5-devel"
;;
gcc-sanitize*)
;;
clang-*|gcc-*)
compiler=$(echo $TARGET | sed 's/-Werror//')
PACKAGES="$PACKAGES $compiler"
;;
krb5)
PACKAGES="$PACKAGES libkrb5-dev"
;;
heimdal)
PACKAGES="$PACKAGES heimdal-dev"
;;
libedit)
case "$PACKAGER" in
setup) PACKAGES="$PACKAGES libedit-devel" ;;
apt) PACKAGES="$PACKAGES libedit-dev" ;;
esac
;;
*pam)
case "$PACKAGER" in
apt) PACKAGES="$PACKAGES libpam0g-dev" ;;
esac
;;
sk)
INSTALL_FIDO_PPA="yes"
PACKAGES="$PACKAGES libfido2-dev libu2f-host-dev libcbor-dev"
;;
selinux)
PACKAGES="$PACKAGES libselinux1-dev selinux-policy-dev"
;;
hardenedmalloc)
INSTALL_HARDENED_MALLOC=yes
;;
musl)
PACKAGES="$PACKAGES musl-tools"
;;
tcmalloc)
PACKAGES="$PACKAGES libgoogle-perftools-dev"
;;
openssl-noec)
INSTALL_OPENSSL=OpenSSL_1_1_1k
SSLCONFOPTS="no-ec"
;;
openssl-*)
INSTALL_OPENSSL=$(echo ${TARGET} | cut -f2 -d-)
case ${INSTALL_OPENSSL} in
1.1.1_stable) INSTALL_OPENSSL="OpenSSL_1_1_1-stable" ;;
1.*) INSTALL_OPENSSL="OpenSSL_$(echo ${INSTALL_OPENSSL} | tr . _)" ;;
3.*) INSTALL_OPENSSL="openssl-${INSTALL_OPENSSL}" ;;
esac
PACKAGES="${PACKAGES} putty-tools dropbear-bin"
;;
libressl-*)
INSTALL_LIBRESSL=$(echo ${TARGET} | cut -f2 -d-)
case ${INSTALL_LIBRESSL} in
master) ;;
*) INSTALL_LIBRESSL="$(echo ${TARGET} | cut -f2 -d-)" ;;
esac
PACKAGES="${PACKAGES} putty-tools dropbear-bin"
;;
boringssl)
INSTALL_BORINGSSL=1
PACKAGES="${PACKAGES} cmake ninja-build"
;;
putty-*)
INSTALL_PUTTY=$(echo "${TARGET}" | cut -f2 -d-)
PACKAGES="${PACKAGES} cmake"
;;
valgrind*)
PACKAGES="$PACKAGES valgrind"
;;
zlib-*)
;;
*) echo "Invalid option '${TARGET}'"
exit 1
;;
esac
done
if [ "yes" = "$INSTALL_FIDO_PPA" ]; then
sudo apt update -qq
sudo apt install -qy software-properties-common
sudo apt-add-repository -y ppa:yubico/stable
fi
tries=3
while [ ! -z "$PACKAGES" ] && [ "$tries" -gt "0" ]; do
case "$PACKAGER" in
apt)
sudo apt update -qq
if sudo apt install -qy $PACKAGES; then
PACKAGES=""
fi
;;
brew)
if [ ! -z "PACKAGES" ]; then
if brew install $PACKAGES; then
PACKAGES=""
fi
fi
;;
setup)
if /cygdrive/c/setup.exe -q -P `echo "$PACKAGES" | tr ' ' ,`; then
PACKAGES=""
fi
;;
esac
if [ ! -z "$PACKAGES" ]; then
sleep 90
fi
tries=$(($tries - 1))
done
if [ ! -z "$PACKAGES" ]; then
echo "Package installation failed."
exit 1
fi
if [ "${INSTALL_HARDENED_MALLOC}" = "yes" ]; then
(cd ${HOME} &&
git clone https://github.com/GrapheneOS/hardened_malloc.git &&
cd ${HOME}/hardened_malloc &&
make && sudo cp out/libhardened_malloc.so /usr/lib/)
fi
if [ ! -z "${INSTALL_OPENSSL}" ]; then
(cd ${HOME} &&
git clone https://github.com/openssl/openssl.git &&
cd ${HOME}/openssl &&
git checkout ${INSTALL_OPENSSL} &&
./config no-threads shared ${SSLCONFOPTS} \
--prefix=/opt/openssl &&
make && sudo make install_sw)
fi
if [ ! -z "${INSTALL_LIBRESSL}" ]; then
if [ "${INSTALL_LIBRESSL}" = "master" ]; then
(mkdir -p ${HOME}/libressl && cd ${HOME}/libressl &&
git clone https://github.com/libressl-portable/portable.git &&
cd ${HOME}/libressl/portable &&
git checkout ${INSTALL_LIBRESSL} &&
sh update.sh && sh autogen.sh &&
./configure --prefix=/opt/libressl &&
make && sudo make install)
else
LIBRESSL_URLBASE=https://cdn.openbsd.org/pub/OpenBSD/LibreSSL
(cd ${HOME} &&
wget ${LIBRESSL_URLBASE}/libressl-${INSTALL_LIBRESSL}.tar.gz &&
tar xfz libressl-${INSTALL_LIBRESSL}.tar.gz &&
cd libressl-${INSTALL_LIBRESSL} &&
./configure --prefix=/opt/libressl && make && sudo make install)
fi
fi
if [ ! -z "${INSTALL_BORINGSSL}" ]; then
(cd ${HOME} && git clone https://boringssl.googlesource.com/boringssl &&
cd ${HOME}/boringssl && mkdir build && cd build &&
cmake -GNinja -DCMAKE_POSITION_INDEPENDENT_CODE=ON .. && ninja &&
mkdir -p /opt/boringssl/lib &&
cp ${HOME}/boringssl/build/crypto/libcrypto.a /opt/boringssl/lib &&
cp -r ${HOME}/boringssl/include /opt/boringssl)
fi
if [ ! -z "${INSTALL_ZLIB}" ]; then
(cd ${HOME} && git clone https://github.com/madler/zlib.git &&
cd ${HOME}/zlib && ./configure && make &&
sudo make install prefix=/opt/zlib)
fi
if [ ! -z "${INSTALL_PUTTY}" ]; then
ver="${INSTALL_PUTTY}"
case "${INSTALL_PUTTY}" in
snapshot)
tarball=putty.tar.gz
(cd /tmp && wget https://tartarus.org/~simon/putty-snapshots/${tarball})
;;
*)
tarball=putty-${ver}.tar.gz
(cd /tmp && wget https://the.earth.li/~sgtatham/putty/${ver}/${tarball})
;;
esac
(cd ${HOME} && tar xfz /tmp/${tarball} && cd putty-*
if [ -f CMakeLists.txt ]; then
cmake . && cmake --build . && sudo cmake --build . --target install
else
./configure && make && sudo make install
fi
)
/usr/local/bin/plink -V
fi
|