3 # usage: configs vmname test_config (or '' for default)
5 # Sets the following variables:
6 # CONFIGFLAGS options to ./configure
7 # SSHD_CONFOPTS sshd_config options
8 # TEST_TARGET make target used when testing. defaults to "tests".
# Default settings; later stanzas override some of them (TEST_TARGET, for
# example, is reassigned by the valgrind configurations).
12 if [ "$config" = "" ]; then
# Drop any values inherited from the calling environment.
16 unset CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
18 TEST_TARGET="tests compat-tests"
21 SUDO=sudo # run with sudo by default
# NOTE(review): going by the name, this tells the regress suite to tolerate
# unsafe file permissions. Combined with SUDO=sudo it is a setting for
# disposable CI runners only -- confirm what it relaxes before reusing this
# file on a shared or long-lived host.
22 TEST_SSH_UNSAFE_PERMISSIONS=1
23 # Stop on first test failure to minimize logs
24 TEST_SSH_FAIL_FATAL=yes
# Strict C89 build: pedantic warnings, variable-length arrays are an error,
# and neither zlib nor OpenSSL is used.
34 CFLAGS="-Wall -std=c89 -pedantic -Werror=vla"
35 CONFIGFLAGS="--without-zlib"
36 LIBCRYPTOFLAGS="--without-openssl"
40 # See https://cygwin.com/git/?p=git/cygwin-packages/openssh.git;a=blob;f=openssh.cygport;hb=HEAD
# Built up in two steps; the second assignment appends to the first.
41 CONFIGFLAGS="--with-xauth=/usr/bin/xauth --with-security-key-builtin"
42 CONFIGFLAGS="$CONFIGFLAGS --with-kerberos5=/usr --with-libedit --disable-strip"
46 # clang's implicit-fallthrough requires that the code be annotated with
47 # __attribute__((fallthrough)) and does not understand /* FALLTHROUGH */
# The two -Wno-error= options keep those warnings visible while stopping
# --with-Werror from turning them into build failures.
48 CFLAGS="-Wall -Wextra -O2 -Wno-error=implicit-fallthrough -Wno-error=unused-parameter"
49 CONFIGFLAGS="--with-pam --with-Werror"
57 # Find the newest available version of clang
# Probes clang-10 through clang-99 in ascending order. As far as the visible
# lines show, CC is overwritten on every hit, so the highest-numbered
# executable on PATH is the one that remains.
58 for i in `seq 10 99`; do
59 clang="`which clang-$i 2>/dev/null`"
60 [ -x "$clang" ] && CC="$clang"
64 # Put Sanitizer logs in regress dir.
# NOTE(review): each workaround listed next switches off a protection so that
# the sanitizer runtime can operate. Binaries built from these stanzas are
# test artefacts for disposable CI hosts and should never be installed.
66 # - We replace chroot with chdir so that the sanitizer in the preauth
67 # privsep process can read /proc.
68 # - clang does not recognize explicit_bzero so we use bzero
69 # (see https://github.com/google/sanitizers/issues/1507)
70 # - openssl and zlib trip ASAN.
71 # - sp_pwdp returned by getspnam trips ASAN, hence disabling shadow.
74 CFLAGS="-fsanitize=address -fno-omit-frame-pointer"
75 LDFLAGS="-fsanitize=address"
# SANLOGS is expanded at assignment time (it sits between the single-quoted
# pieces) and is set on a line not shown here; presumably a fixed CI path
# without spaces or quotes -- confirm, since either would corrupt the define.
# Side effects of the defines:
#   -Dchroot=chdir          the privsep child is no longer confined by chroot
#   -Dexplicit_bzero=bzero  a plain bzero may be optimised away, so scrubbing
#                           of secrets is not guaranteed in this build
#   -D_FORTIFY_SOURCE=0     fortified libc checks are turned off
#   detect_leaks=0          leak reports are suppressed
76 CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -D_FORTIFY_SOURCE=0 -DASAN_OPTIONS=\"detect_leaks=0:log_path='$SANLOGS'/asan.log\"'
80 clang-sanitize-memory)
# Origin tracking makes MSan report where an uninitialised value came from.
81 CFLAGS="-fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer"
82 LDFLAGS="-fsanitize=memory"
# Same chroot and explicit_bzero substitutions as the address-sanitizer build,
# with the same caveats.
83 CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -DMSAN_OPTIONS=\"log_path='$SANLOGS'/msan.log\"'
84 CONFIGFLAGS="--without-openssl --without-zlib --without-shadow"
88 CFLAGS="-fsanitize=undefined"
89 LDFLAGS="-fsanitize=undefined"
92 echo unknown sanitize option;
# NOTE(review): sanitizer builds additionally drop security-key and PKCS#11
# support, the sandbox, toolchain hardening and the stack protector, and name
# root as the privsep user, so the child that is meant to be unprivileged
# keeps root. These runs do not exercise the sandbox or hardening code paths.
95 features="--disable-security-key --disable-pkcs11"
96 hardening="--without-sandbox --without-hardening --without-stackprotect"
97 privsep="--with-privsep-user=root"
98 CONFIGFLAGS="$CONFIGFLAGS $features $hardening $privsep"
99 # Because we hobble chroot we can't test it.
100 SKIP_LTESTS=sftp-chroot
104 # -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
# NOTE(review): the option actually passed below is spelled
# -Wno-format-truncation.
105 CFLAGS="-Wall -Wextra -O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter"
106 CONFIGFLAGS="--with-pam --with-Werror"
# Feature-rich build: Kerberos, libedit, PAM, built-in security-key support
# and SELinux in one configuration.
112 CONFIGFLAGS="--with-kerberos5 --with-libedit --with-pam"
113 CONFIGFLAGS="${CONFIGFLAGS} --with-security-key-builtin --with-selinux"
# NOTE(review): judging by the names these defines enable debug output in the
# security-key and seccomp sandbox code -- TODO confirm. Debug builds are for
# CI only.
114 CFLAGS="-DSK_DEBUG -DSANDBOX_SECCOMP_FILTER_DEBUG"
# Alternative allocators are pulled in purely through the link line.
117 CONFIGFLAGS="--with-ldflags=-lhardened_malloc"
120 CONFIGFLAGS="--with-ldflags=-ltcmalloc"
# Single-feature builds.
123 CONFIGFLAGS="--with-kerberos5"
126 CONFIGFLAGS="--with-libedit"
130 CONFIGFLAGS="--without-zlib"
131 LIBCRYPTOFLAGS="--without-openssl"
# SSHD_CONFOPTS carries sshd_config options (see the header of this file);
# the PAM builds use it to set UsePam yes for the test server.
135 CONFIGFLAGS="--with-pam --with-kerberos5"
136 SSHD_CONFOPTS="UsePam yes"
139 CONFIGFLAGS="--with-pam"
140 SSHD_CONFOPTS="UsePam yes"
# Private libcrypto builds under /opt. The rpath value ends in a comma, so it
# is a prefix that configure completes; presumably the test binaries then
# resolve the /opt library at run time -- confirm.
143 LIBCRYPTOFLAGS="--with-ssl-dir=/opt/libressl --with-rpath=-Wl,-rpath,"
146 LIBCRYPTOFLAGS="--with-ssl-dir=/opt/openssl --with-rpath=-Wl,-rpath,"
147 # OpenSSL 1.1.1 specifically has a bug in its RNG that breaks reexec
148 # fallback. See https://bugzilla.mindrot.org/show_bug.cgi?id=3483
# The body of this conditional is not visible here.
149 if [ "$config" = "openssl-1.1.1" ]; then
154 CONFIGFLAGS="--with-selinux"
157 CONFIGFLAGS="--with-security-key-builtin"
160 LIBCRYPTOFLAGS="--without-openssl"
163 valgrind-[1-5]|valgrind-unit)
164 # rlimit sandbox and FORTIFY_SOURCE confuse Valgrind.
# NOTE(review): as a consequence the sandbox and hardening code paths are not
# exercised by the Valgrind runs.
165 CONFIGFLAGS="--without-sandbox --without-hardening"
166 CONFIGFLAGS="$CONFIGFLAGS --with-cppflags=-D_FORTIFY_SOURCE=0"
167 TEST_TARGET="t-exec USE_VALGRIND=1"
168 TEST_SSH_ELAPSED_TIMES=1
169 export TEST_SSH_ELAPSED_TIMES
170 # Valgrind slows things down enough that the agent timeout test
171 # won't reliably pass, and the unit tests run longer than allowed
172 # by github so split into separate tests.
# NOTE(review): kextype appears in both tests3 and tests4 -- looks like an
# unintended duplicate; confirm.
173 tests2="integrity try-ciphers"
174 tests3="krl forward-control sshsig agent-restrict kextype sftp"
175 tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment percent"
179 # All tests except agent-timeout (which is flaky under valgrind),
180 # connection-timeout (which doesn't work since it's so slow)
181 # and hostbased (since valgrind won't let ssh exec keysign).
182 # Slow ones are run separately to increase parallelism.
183 SKIP_LTESTS="agent-timeout connection-timeout hostbased"
# NOTE(review): tests5 is not assigned in the lines visible here; presumably
# it is set on an omitted line -- confirm, otherwise it expands to nothing.
184 SKIP_LTESTS="$SKIP_LTESTS ${tests2} ${tests3} ${tests4} ${tests5}"
# The unit-test variant replaces the t-exec target set above.
199 TEST_TARGET="unit USE_VALGRIND=1"
# Reached for a configuration name that no arm recognises.
204 echo "Unknown configuration $config"
209 # The Solaris 64bit targets are special since they need a non-flag arg.
# The bare x86_64 word is that non-flag argument; it is placed ahead of the
# flags accumulated so far, and both compiler and linker get -m64.
212 CONFIGFLAGS="x86_64 --with-cflags=-m64 --with-ldflags=-m64 ${CONFIGFLAGS}"
# Presumably the 64-bit libcrypto build lives in its own prefix -- confirm.
213 LIBCRYPTOFLAGS="--with-ssl-dir=/usr/local/ssl64"
# Per-host adjustments keyed on TARGET_HOST; the arm patterns are not visible
# here. Each SKIP_LTESTS assignment below replaces any earlier value, and a
# skipped test is simply not run on that host, so a green run there does not
# cover it.
217 case "${TARGET_HOST}" in
219 # These are slow real or virtual machines so skip the slowest tests
220 # (which tend to be the ones that transfer lots of data) so that the
221 # test run does not time out.
222 # The agent-restrict test fails due to some quoting issue when run
223 # with sh or ksh so specify bash for now.
224 TEST_TARGET="t-exec unit TEST_SHELL=bash"
225 SKIP_LTESTS="rekey sftp"
228 # This machine is fairly slow, so skip the unit tests.
232 # scp 3-way connection hangs on these so skip until sorted.
236 # Native linker is not great with PIC so OpenSSL is built w/out.
237 CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
240 SKIP_LTESTS="forwarding multiplex proxy-connect hostkey-agent agent-ptrace"
# Minix stanza. LIBCRYPTOFLAGS is appended to CONFIGFLAGS further down, which
# is how --disable-security-key reaches configure from here; being non-empty
# it also bypasses the local OpenSSL search. The skip list is accumulated in
# T over several lines and then flattened: the unquoted T inside the echo is
# presumably deliberate, since word splitting collapses the embedded newlines
# into single spaces.
243 LIBCRYPTOFLAGS="--without-openssl --disable-security-key"
244 # Minix does not have a loopback interface so we have to skip any
245 # test that relies on one.
246 # Also, Minix seems to be very limited in the number of select()
247 # calls that can be operating concurrently, so prune additional tests for that.
248 T="addrmatch agent-restrict brokenkeys cfgmatch cfgmatchlisten cfgparse
249 connect connect-uri exit-status forwarding hostkey-agent
250 key-options keyscan knownhosts-command login-timeout
251 reconfigure reexec rekey scp scp-uri scp3 sftp sftp-badcmds
252 sftp-batch sftp-cmds sftp-glob sftp-perm sftp-uri stderr-data
254 # Unix domain sockets don't work quite like we expect, so also skip any tests
255 # that use multiplexing.
256 T="$T connection-timeout dynamic-forward forward-control multiplex"
257 SKIP_LTESTS="$(echo $T)"
262 # System compiler will ICE on some files with fstack-protector
263 # SHA256 functions in sha2.h conflict with OpenSSL's breaking sk-dummy
# NOTE(review): hardening is dropped for the whole build to work around the
# compiler crash, so binaries from this host are built without it.
264 CONFIGFLAGS="${CONFIGFLAGS} --without-hardening --disable-security-key"
# Appends to whatever CONFIGFLAGS already holds for this host.
267 CONFIGFLAGS="${CONFIGFLAGS} --without-openssl --without-zlib"
271 # sol10 VM is 32bit and the unit tests are slow.
272 # sol11 has 4 test configs so skip unit tests to speed up.
273 TEST_TARGET="tests SKIP_UNIT=1"
276 # No sudo on Windows.
# Platform defaults selected from the output of ./config.guess, which is run
# from the current directory; the arm patterns are not visible here.
281 case "`./config.guess`" in
284 # Don't run compat tests on cygwin as they don't currently compile.
288 # Unless specified otherwise, build without OpenSSL on Mac OS since
289 # modern versions don't ship with libcrypto.
290 LIBCRYPTOFLAGS="--without-openssl"
295 # If we have a local openssl/libressl, use that.
# Runs only when no earlier stanza set LIBCRYPTOFLAGS.
296 if [ -z "${LIBCRYPTOFLAGS}" ]; then
# The candidates are literal prefixes without spaces, so the unquoted
# expansion in the test below is harmless here. Whether the loop stops at the
# first match is not visible in the lines shown.
# NOTE(review): the only check is that bin/openssl is executable, so the
# library that gets linked depends on whatever the runner image has under
# these prefixes.
298 for i in /usr/local /usr/local/ssl /usr/local/opt/openssl; do
299 if [ -x ${i}/bin/openssl ]; then
300 LIBCRYPTOFLAGS="--with-ssl-dir=${i}"
# LIBCRYPTOFLAGS is kept separate until this point and only now folded into
# the configure arguments.
305 CONFIGFLAGS="${CONFIGFLAGS} ${LIBCRYPTOFLAGS}"
# Sets the PuTTY interop switch when an executable plink is found on PATH;
# presumably this enables the PuTTY interoperability tests -- confirm.
307 if [ -x "$(which plink 2>/dev/null)" ]; then
308 REGRESS_INTEROP_PUTTY=yes
309 export REGRESS_INTEROP_PUTTY
# Hand the chosen settings to the build and test processes started by the
# caller. TEST_SSH_UNSAFE_PERMISSIONS is exported as well, so the relaxed
# setting applies to every child process of the test run.
312 export CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
313 export TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS TEST_SSH_FAIL_FATAL