summaryrefslogtreecommitdiffstats
path: root/.github/configs
blob: bdd5ddbdfaf0297555c0c9c68ff83fcfa6cf82fe (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
#!/bin/sh
#
# usage: configs vmname test_config (or '' for default)
#
# Sets the following variables:
# CONFIGFLAGS           options to ./configure
# SSHD_CONFOPTS         sshd_config options
# TEST_TARGET           make target used when testing.  defaults to "tests".
# LTESTS

config=$1
if [ "$config" = "" ]; then
	config="default"
fi

unset CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO

TEST_TARGET="tests compat-tests"
LTESTS=""
SKIP_LTESTS=""
SUDO=sudo	# run with sudo by default
TEST_SSH_UNSAFE_PERMISSIONS=1
# Stop on first test failure to minimize logs
TEST_SSH_FAIL_FATAL=yes

CONFIGFLAGS=""
LIBCRYPTOFLAGS=""

case "$config" in
    default|sol64)
	;;
    c89)
	CC="gcc"
	CFLAGS="-Wall -std=c89 -pedantic -Werror=vla"
	CONFIGFLAGS="--without-zlib"
	LIBCRYPTOFLAGS="--without-openssl"
	TEST_TARGET=t-exec
	;;
    cygwin-release)
	# See https://cygwin.com/git/?p=git/cygwin-packages/openssh.git;a=blob;f=openssh.cygport;hb=HEAD
	CONFIGFLAGS="--with-xauth=/usr/bin/xauth --with-security-key-builtin"
	CONFIGFLAGS="$CONFIGFLAGS --with-kerberos5=/usr --with-libedit --disable-strip"
	;;
   clang-12-Werror)
	CC="clang-12"
	# clang's implicit-fallthrough requires that the code be annotated with
	# __attribute__((fallthrough)) and does not understand /* FALLTHROUGH */
	CFLAGS="-Wall -Wextra -O2 -Wno-error=implicit-fallthrough -Wno-error=unused-parameter"
	CONFIGFLAGS="--with-pam --with-Werror"
	;;
    *-sanitize-*)
	case "$config" in
	gcc-*)
		CC=gcc
		;;
	clang-*)
		# Find the newest available version of clang
		for i in `seq 10 99`; do
		    clang="`which clang-$i 2>/dev/null`"
		    [ -x "$clang" ] && CC="$clang"
		done
		;;
	esac
	# Put Sanitizer logs in regress dir.
	SANLOGS=`pwd`/regress
	# - We replace chroot with chdir so that the sanitizer in the preauth
	#   privsep process can read /proc.
	# - clang does not recognizes explicit_bzero so we use bzero
	#   (see https://github.com/google/sanitizers/issues/1507
	# - openssl and zlib trip ASAN.
	# - sp_pwdp returned by getspnam trips ASAN, hence disabling shadow.
	case "$config" in
	*-sanitize-address)
	    CFLAGS="-fsanitize=address -fno-omit-frame-pointer"
	    LDFLAGS="-fsanitize=address"
	    CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -D_FORTIFY_SOURCE=0 -DASAN_OPTIONS=\"detect_leaks=0:log_path='$SANLOGS'/asan.log\"'
	    CONFIGFLAGS=""
	    TEST_TARGET="t-exec"
	    ;;
	clang-sanitize-memory)
	    CFLAGS="-fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer"
	    LDFLAGS="-fsanitize=memory"
	    CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -DMSAN_OPTIONS=\"log_path='$SANLOGS'/msan.log\"'
	    CONFIGFLAGS="--without-openssl --without-zlib --without-shadow"
	    TEST_TARGET="t-exec"
	    ;;
	*-sanitize-undefined)
	    CFLAGS="-fsanitize=undefined"
	    LDFLAGS="-fsanitize=undefined"
	    ;;
	*)
	     echo unknown sanitize option;
	     exit 1;;
	esac
	features="--disable-security-key --disable-pkcs11"
	hardening="--without-sandbox --without-hardening --without-stackprotect"
	privsep="--with-privsep-user=root"
	CONFIGFLAGS="$CONFIGFLAGS $features $hardening $privsep"
	# Because we hobble chroot we can't test it.
	SKIP_LTESTS=sftp-chroot
	;;
    gcc-11-Werror)
	CC="gcc"
	# -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
	CFLAGS="-Wall -Wextra -O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter"
	CONFIGFLAGS="--with-pam --with-Werror"
	;;
    clang*|gcc*)
	CC="$config"
	;;
    kitchensink)
	CONFIGFLAGS="--with-kerberos5 --with-libedit --with-pam"
	CONFIGFLAGS="${CONFIGFLAGS} --with-security-key-builtin --with-selinux"
	CFLAGS="-DSK_DEBUG -DSANDBOX_SECCOMP_FILTER_DEBUG"
	;;
    hardenedmalloc)
	CONFIGFLAGS="--with-ldflags=-lhardened_malloc"
	;;
    tcmalloc)
	CONFIGFLAGS="--with-ldflags=-ltcmalloc"
	;;
    krb5|heimdal)
	CONFIGFLAGS="--with-kerberos5"
	;;
    libedit)
	CONFIGFLAGS="--with-libedit"
	;;
    musl)
	CC="musl-gcc"
	CONFIGFLAGS="--without-zlib"
	LIBCRYPTOFLAGS="--without-openssl"
	TEST_TARGET="t-exec"
	;;
    pam-krb5)
	CONFIGFLAGS="--with-pam --with-kerberos5"
	SSHD_CONFOPTS="UsePam yes"
	;;
    *pam)
	CONFIGFLAGS="--with-pam"
	SSHD_CONFOPTS="UsePam yes"
	;;
    libressl-*)
	LIBCRYPTOFLAGS="--with-ssl-dir=/opt/libressl --with-rpath=-Wl,-rpath,"
	;;
    openssl-*)
	LIBCRYPTOFLAGS="--with-ssl-dir=/opt/openssl --with-rpath=-Wl,-rpath,"
	# OpenSSL 1.1.1 specifically has a bug in its RNG that breaks reexec
	# fallback.  See https://bugzilla.mindrot.org/show_bug.cgi?id=3483
	if [ "$config" = "openssl-1.1.1" ]; then
		SKIP_LTESTS="reexec"
	fi
	;;
    selinux)
	CONFIGFLAGS="--with-selinux"
	;;
    sk)
	CONFIGFLAGS="--with-security-key-builtin"
        ;;
    without-openssl)
	LIBCRYPTOFLAGS="--without-openssl"
	TEST_TARGET=t-exec
	;;
    valgrind-[1-5]|valgrind-unit)
	# rlimit sandbox and FORTIFY_SOURCE confuse Valgrind.
	CONFIGFLAGS="--without-sandbox --without-hardening"
	CONFIGFLAGS="$CONFIGFLAGS --with-cppflags=-D_FORTIFY_SOURCE=0"
	TEST_TARGET="t-exec USE_VALGRIND=1"
	TEST_SSH_ELAPSED_TIMES=1
	export TEST_SSH_ELAPSED_TIMES
	# Valgrind slows things down enough that the agent timeout test
	# won't reliably pass, and the unit tests run longer than allowed
	# by github so split into separate tests.
	tests2="integrity try-ciphers"
	tests3="krl forward-control sshsig agent-restrict kextype sftp"
	tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment percent"
	tests5="rekey"
	case "$config" in
	    valgrind-1)
		# All tests except agent-timeout (which is flaky under valgrind),
		# connection-timeout (which doesn't work since it's so slow)
		# and hostbased (since valgrind won't let ssh exec keysign).
		# Slow ones are run separately to increase parallelism.
		SKIP_LTESTS="agent-timeout connection-timeout hostbased"
		SKIP_LTESTS="$SKIP_LTESTS ${tests2} ${tests3} ${tests4} ${tests5}"
		;;
	    valgrind-2)
		LTESTS="${tests2}"
		;;
	    valgrind-3)
		LTESTS="${tests3}"
		;;
	    valgrind-4)
		LTESTS="${tests4}"
		;;
	    valgrind-5)
		LTESTS="${tests5}"
		;;
	    valgrind-unit)
		TEST_TARGET="unit USE_VALGRIND=1"
		;;
	esac
	;;
    *)
	echo "Unknown configuration $config"
	exit 1
	;;
esac

# The Solaris 64bit targets are special since they need a non-flag arg.
case "$config" in
    sol64*)
	CONFIGFLAGS="x86_64 --with-cflags=-m64 --with-ldflags=-m64 ${CONFIGFLAGS}"
	LIBCRYPTOFLAGS="--with-ssl-dir=/usr/local/ssl64"
	;;
esac

case "${TARGET_HOST}" in
    aix*)
	# These are slow real or virtual machines so skip the slowest tests
	# (which tend to be thw ones that transfer lots of data) so that the
	# test run does not time out.
	# The agent-restrict test fails due to some quoting issue when run
	# with sh or ksh so specify bash for now.
	TEST_TARGET="t-exec TEST_SHELL=bash"
	SKIP_LTESTS="rekey sftp"
	;;
    debian-riscv64)
	# This machine is fairly slow, so skip the unit tests.
	TEST_TARGET="t-exec"
	;;
    dfly58*|dfly60*)
	# scp 3-way connection hangs on these so skip until sorted.
	SKIP_LTESTS=scp3
	;;
    fbsd6)
	# Native linker is not great with PIC so OpenSSL is built w/out.
	CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
	;;
    hurd)
	SKIP_LTESTS="forwarding multiplex proxy-connect hostkey-agent agent-ptrace"
	;;
    minix3)
	LIBCRYPTOFLAGS="--without-openssl --disable-security-key"
	# Minix does not have a loopback interface so we have to skip any
	# test that relies on one.
	# Also, Minix seems to be very limited in the number of select()
	# calls that can be operating concurrently, so prune additional tests for that.
	T="addrmatch agent-restrict brokenkeys cfgmatch cfgmatchlisten cfgparse
	    connect connect-uri exit-status forwarding hostkey-agent
	    key-options keyscan knownhosts-command login-timeout
	    reconfigure reexec rekey scp scp-uri scp3 sftp sftp-badcmds
	    sftp-batch sftp-cmds sftp-glob sftp-perm sftp-uri stderr-data
	    transfer"
	# Unix domain sockets don't work quite like we expect, so also skip any tests
	# that use multiplexing.
	T="$T connection-timeout dynamic-forward forward-control multiplex"
	SKIP_LTESTS="$(echo $T)"
	TEST_TARGET=t-exec
	SUDO=""
	;;
    nbsd4)
	# System compiler will ICE on some files with fstack-protector
	# SHA256 functions in sha2.h conflict with OpenSSL's breaking sk-dummy
	CONFIGFLAGS="${CONFIGFLAGS} --without-hardening --disable-security-key"
	;;
    openwrt-*)
	CONFIGFLAGS="${CONFIGFLAGS} --without-openssl --without-zlib"
	TEST_TARGET="t-exec"
	;;
    sol10|sol11)
	# sol10 VM is 32bit and the unit tests are slow.
	# sol11 has 4 test configs so skip unit tests to speed up.
	TEST_TARGET="tests SKIP_UNIT=1"
	;;
    win10)
	# No sudo on Windows.
	SUDO=""
	;;
esac

case "`./config.guess`" in
*cygwin)
	SUDO=""
	# Don't run compat tests on cygwin as they don't currently compile.
	TEST_TARGET="tests"
	;;
*-darwin*)
	# Unless specified otherwise, build without OpenSSL on Mac OS since
	# modern versions don't ship with libcrypto.
	LIBCRYPTOFLAGS="--without-openssl"
	TEST_TARGET=t-exec
	;;
esac

# If we have a local openssl/libressl, use that.
if [ -z "${LIBCRYPTOFLAGS}" ]; then
	# last-match
	for i in /usr/local /usr/local/ssl /usr/local/opt/openssl; do
		if [ -x ${i}/bin/openssl ]; then
			LIBCRYPTOFLAGS="--with-ssl-dir=${i}"
		fi
	done
fi

CONFIGFLAGS="${CONFIGFLAGS} ${LIBCRYPTOFLAGS}"

if [ -x "$(which plink 2>/dev/null)" ]; then
	REGRESS_INTEROP_PUTTY=yes
	export REGRESS_INTEROP_PUTTY
fi

export CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
export TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS TEST_SSH_FAIL_FATAL