[people/ms/strongswan.git] / scripts / test.sh

#!/bin/sh
# Build script for CI

build_botan()
{
	# same revision used in the build recipe of the testing environment
	BOTAN_REV=2.17.1
	BOTAN_DIR=$DEPS_BUILD_DIR/botan

	if test -d "$BOTAN_DIR"; then
		return
	fi

	echo "$ build_botan()"

	# if the leak detective is enabled we have to disable threading support
	# (used for std::async) as that causes invalid frees somehow, the
	# locking allocator causes a static leak via the first function that
	# references it (e.g. crypter or hasher), so we disable that too
	if test "$LEAK_DETECTIVE" = "yes"; then
		BOTAN_CONFIG="--without-os-features=threads
					  --disable-modules=locking_allocator"
	fi
	# disable some larger modules we don't need for the tests
	BOTAN_CONFIG="$BOTAN_CONFIG --disable-modules=pkcs11,tls,x509,xmss
				  --prefix=$DEPS_PREFIX"

	git clone https://github.com/randombit/botan.git $BOTAN_DIR &&
	cd $BOTAN_DIR &&
	git checkout -qf $BOTAN_REV &&
	python ./configure.py --amalgamation $BOTAN_CONFIG &&
	make -j4 libs >/dev/null &&
	sudo make install >/dev/null &&
	sudo ldconfig || exit $?
	cd -
}

build_wolfssl()
{
	WOLFSSL_REV=v4.7.0-stable
	WOLFSSL_DIR=$DEPS_BUILD_DIR/wolfssl

	if test -d "$WOLFSSL_DIR"; then
		return
	fi

	echo "$ build_wolfssl()"

	WOLFSSL_CFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DES_ECB -DHAVE_ECC_BRAINPOOL"
	WOLFSSL_CONFIG="--prefix=$DEPS_PREFIX
					--disable-crypttests --disable-examples
					--enable-keygen --enable-rsapss --enable-aesccm
					--enable-aesctr --enable-des3 --enable-camellia
					--enable-curve25519 --enable-ed25519
					--enable-curve448 --enable-ed448
					--enable-sha3 --enable-shake256 --enable-ecccustcurves"

	git clone https://github.com/wolfSSL/wolfssl.git $WOLFSSL_DIR &&
	cd $WOLFSSL_DIR &&
	git checkout -qf $WOLFSSL_REV &&
	./autogen.sh &&
	./configure C_EXTRA_FLAGS="$WOLFSSL_CFLAGS" $WOLFSSL_CONFIG &&
	make -j4 >/dev/null &&
	sudo make install >/dev/null &&
	sudo ldconfig || exit $?
	cd -
}

build_tss2()
{
	TSS2_REV=2.4.3
	TSS2_PKG=tpm2-tss-$TSS2_REV
	TSS2_DIR=$DEPS_BUILD_DIR/$TSS2_PKG
	TSS2_SRC=https://github.com/tpm2-software/tpm2-tss/releases/download/$TSS2_REV/$TSS2_PKG.tar.gz

	if test -d "$TSS2_DIR"; then
		return
	fi

	echo "$ build_tss2()"

	curl -L $TSS2_SRC | tar xz -C $DEPS_BUILD_DIR &&
	cd $TSS2_DIR &&
	./configure --prefix=$DEPS_PREFIX --disable-doxygen-doc &&
	make -j4 >/dev/null &&
	sudo make install >/dev/null &&
	sudo ldconfig || exit $?
	cd -
}

: ${BUILD_DIR=$PWD}
: ${DEPS_BUILD_DIR=$BUILD_DIR/..}
: ${DEPS_PREFIX=/usr/local}

if [ -e /etc/os-release ]; then
	. /etc/os-release
elif [ -e /usr/lib/os-release ]; then
	. /usr/lib/os-release
fi

TARGET=check

DEPS="libgmp-dev"

CFLAGS="-g -O2 -Wall -Wno-format -Wno-format-security -Wno-pointer-sign -Werror"

case "$TEST" in
default)
	# should be the default, but lets make sure
	CONFIG="--with-printf-hooks=glibc"
	;;
openssl*)
	CONFIG="--disable-defaults --enable-pki --enable-openssl --enable-pem"
	export TESTS_PLUGINS="test-vectors pem openssl!"
	DEPS="libssl-dev"
	;;
gcrypt)
	CONFIG="--disable-defaults --enable-pki --enable-gcrypt --enable-pkcs1"
	export TESTS_PLUGINS="test-vectors pkcs1 gcrypt!"
	if [ "$ID" = "ubuntu" -a "$VERSION_ID" = "20.04" ]; then
		DEPS="libgcrypt20-dev"
	else
		DEPS="libgcrypt11-dev"
	fi
	;;
botan)
	CONFIG="--disable-defaults --enable-pki --enable-botan --enable-pem"
	export TESTS_PLUGINS="test-vectors pem botan!"
	DEPS=""
	if test "$1" = "build-deps"; then
		build_botan
	fi
	;;
wolfssl)
	CONFIG="--disable-defaults --enable-pki --enable-wolfssl --enable-pem"
	export TESTS_PLUGINS="test-vectors pem wolfssl!"
	# build with custom options to enable all the features the plugin supports
	DEPS=""
	if test "$1" = "build-deps"; then
		build_wolfssl
	fi
	;;
printf-builtin)
	CONFIG="--with-printf-hooks=builtin"
	;;
all|coverage|sonarcloud)
	if [ "$TEST" = "sonarcloud" ]; then
		if [ -z "$SONAR_PROJECT" -o -z "$SONAR_ORGANIZATION" -o -z "$SONAR_TOKEN" ]; then
			echo "The SONAR_PROJECT, SONAR_ORGANIZATION and SONAR_TOKEN" \
				 "environment variables are required to run this test"
			exit 1
		fi
	fi
	CONFIG="--enable-all --disable-android-dns --disable-android-log
			--disable-kernel-pfroute --disable-keychain
			--disable-lock-profiler --disable-padlock --disable-fuzzing
			--disable-osx-attr --disable-tkm --disable-uci
			--disable-unwind-backtraces
			--disable-svc --disable-dbghelp-backtraces --disable-socket-win
			--disable-kernel-wfp --disable-kernel-iph --disable-winhttp
			--disable-python-eggs-install"
	# not enabled on the build server
	CONFIG="$CONFIG --disable-af-alg"
	if test "$TEST" != "coverage"; then
		CONFIG="$CONFIG --disable-coverage"
	else
		# not actually required but configure checks for it
		DEPS="$DEPS lcov"
	fi
	# Botan requires newer compilers, so disable it on Ubuntu 16.04
	if [ "$ID" = "ubuntu" -a "$VERSION_ID" = "16.04" ]; then
		CONFIG="$CONFIG --disable-botan"
	fi
	DEPS="$DEPS libcurl4-gnutls-dev libsoup2.4-dev libunbound-dev libldns-dev
		  libmysqlclient-dev libsqlite3-dev clearsilver-dev libfcgi-dev
		  libldap2-dev libpcsclite-dev libpam0g-dev binutils-dev libnm-dev
		  libgcrypt20-dev libjson-c-dev python3-pip libtspi-dev libsystemd-dev"
	if [ "$ID" = "ubuntu" -a "$VERSION_ID" = "20.04" ]; then
		DEPS="$DEPS libiptc-dev"
	else
		DEPS="$DEPS iptables-dev"
	fi
	PYDEPS="tox"
	if test "$1" = "build-deps"; then
		if [ "$ID" != "ubuntu" -o "$VERSION_ID" != "16.04" ]; then
			build_botan
		fi
		build_wolfssl
		build_tss2
	fi
	;;
win*)
	CONFIG="--disable-defaults --enable-svc --enable-ikev2
			--enable-ikev1 --enable-static --enable-test-vectors --enable-nonce
			--enable-constraints --enable-revocation --enable-pem --enable-pkcs1
			--enable-pkcs8 --enable-x509 --enable-pubkey --enable-acert
			--enable-eap-tnc --enable-eap-ttls --enable-eap-identity
			--enable-updown --enable-ext-auth --enable-libipsec --enable-pkcs11
			--enable-tnccs-20 --enable-imc-attestation --enable-imv-attestation
			--enable-imc-os --enable-imv-os --enable-tnc-imv --enable-tnc-imc
			--enable-pki --enable-swanctl --enable-socket-win
			--enable-kernel-iph --enable-kernel-wfp --enable-winhttp"
	# no make check for Windows binaries unless we run on a windows host
	if test "$APPVEYOR" != "True"; then
		TARGET=
	else
		CONFIG="$CONFIG --enable-openssl"
		CFLAGS="$CFLAGS -I$OPENSSL_DIR/include"
		LDFLAGS="-L$OPENSSL_DIR"
		export LDFLAGS
	fi
	CFLAGS="$CFLAGS -mno-ms-bitfields"
	DEPS="gcc-mingw-w64-base"
	case "$TEST" in
	win64)
		CONFIG="--host=x86_64-w64-mingw32 $CONFIG --enable-dbghelp-backtraces"
		DEPS="gcc-mingw-w64-x86-64 binutils-mingw-w64-x86-64 mingw-w64-x86-64-dev $DEPS"
		CC="x86_64-w64-mingw32-gcc"
		;;
	win32)
		CONFIG="--host=i686-w64-mingw32 $CONFIG"
		DEPS="gcc-mingw-w64-i686 binutils-mingw-w64-i686 mingw-w64-i686-dev $DEPS"
		CC="i686-w64-mingw32-gcc"
		;;
	esac
	;;
android)
	if test "$1" = "deps"; then
		git clone git://git.strongswan.org/android-ndk-boringssl.git -b ndk-static \
			src/frontends/android/app/src/main/jni/openssl
	fi
	TARGET=distdir
	;;
macos)
	# this causes a false positive in ip-packet.c since Xcode 8.3
	CFLAGS="$CFLAGS -Wno-address-of-packed-member"
	# use the same options as in the Homebrew Formula
	CONFIG="--disable-defaults --enable-charon --enable-cmd --enable-constraints
			--enable-curl --enable-eap-gtc --enable-eap-identity
			--enable-eap-md5 --enable-eap-mschapv2 --enable-farp --enable-ikev1
			--enable-ikev2 --enable-kernel-libipsec --enable-kernel-pfkey
			--enable-kernel-pfroute --enable-nonce --enable-openssl
			--enable-osx-attr --enable-pem --enable-pgp --enable-pkcs1
			--enable-pkcs8 --enable-pki --enable-pubkey --enable-revocation
			--enable-scepclient --enable-socket-default --enable-sshkey
			--enable-stroke --enable-swanctl --enable-unity --enable-updown
			--enable-x509 --enable-xauth-generic"
	DEPS="automake autoconf libtool bison gettext openssl curl"
	BREW_PREFIX=$(brew --prefix)
	export PATH=$BREW_PREFIX/opt/bison/bin:$PATH
	export ACLOCAL_PATH=$BREW_PREFIX/opt/gettext/share/aclocal:$ACLOCAL_PATH
	for pkg in openssl curl
	do
		PKG_CONFIG_PATH=$BREW_PREFIX/opt/$pkg/lib/pkgconfig:$PKG_CONFIG_PATH
		CPPFLAGS="-I$BREW_PREFIX/opt/$pkg/include $CPPFLAGS"
		LDFLAGS="-L$BREW_PREFIX/opt/$pkg/lib $LDFLAGS"
	done
	export PKG_CONFIG_PATH
	export CPPFLAGS
	export LDFLAGS
	;;
freebsd)
	# use the options of the FreeBSD port (including options), except smp,
	# which requires a patch but is deprecated anyway, only using the builtin
	# printf hooks
	CONFIG="--enable-kernel-pfkey --enable-kernel-pfroute --disable-scripts
			--disable-kernel-netlink --enable-openssl --enable-eap-identity
			--enable-eap-md5 --enable-eap-tls --enable-eap-mschapv2
			--enable-eap-peap --enable-eap-ttls --enable-md4 --enable-blowfish
			--enable-addrblock --enable-whitelist --enable-cmd --enable-curl
			--enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-dynamic
			--enable-eap-radius --enable-eap-sim --enable-eap-sim-file
			--enable-gcm --enable-ipseckey --enable-kernel-libipsec
			--enable-load-tester --enable-ldap --enable-mediation
			--enable-mysql --enable-sqlite --enable-tpm --enable-tss-tss2
			--enable-unbound --enable-unity --enable-xauth-eap --enable-xauth-pam
			--with-printf-hooks=builtin --enable-attr-sql --enable-sql
			--enable-farp"
	DEPS="git gmp openldap-client libxml2 mysql80-client sqlite3 unbound ldns tpm2-tss"
	export GPERF=/usr/local/bin/gperf
	export LEX=/usr/local/bin/flex
	;;
fuzzing)
	CFLAGS="$CFLAGS -DNO_CHECK_MEMWIPE"
	CONFIG="--enable-fuzzing --enable-static --disable-shared --disable-scripts
			--enable-imc-test --enable-tnccs-20"
	# don't run any of the unit tests
	export TESTS_RUNNERS=
	# prepare corpora
	if test -z "$1"; then
		if test -z "$FUZZING_CORPORA"; then
			git clone --depth 1 https://github.com/strongswan/fuzzing-corpora.git fuzzing-corpora
			export FUZZING_CORPORA=$BUILD_DIR/fuzzing-corpora
		fi
		# these are about the same as those on OSS-Fuzz (except for the
		# symbolize options and strip_path_prefix)
		export ASAN_OPTIONS=redzone=16:handle_sigill=1:strict_string_check=1:\
			allocator_release_to_os_interval_ms=500:strict_memcmp=1:detect_container_overflow=1:\
			coverage=0:allocator_may_return_null=1:use_sigaltstack=1:detect_stack_use_after_return=1:\
			alloc_dealloc_mismatch=0:detect_leaks=1:print_scariness=1:max_uar_stack_size_log=16:\
			handle_abort=1:check_malloc_usable_size=0:quarantine_size_mb=10:detect_odr_violation=0:\
			symbolize=1:handle_segv=1:fast_unwind_on_fatal=0:external_symbolizer_path=/usr/bin/llvm-symbolizer-3.5
	fi
	;;
nm|nm-no-glib)
	DEPS="gnome-common libsecret-1-dev libgtk-3-dev libnm-dev libnma-dev"
	if test "$TEST" = "nm"; then
		DEPS="$DEPS libnm-glib-vpn-dev libnm-gtk-dev"
	else
		CONFIG="$CONFIG --without-libnm-glib"
	fi
	cd src/frontends/gnome
	# don't run ./configure with ./autogen.sh
	export NOCONFIGURE=1
	;;
dist)
	TARGET=distcheck
	;;
apidoc)
	DEPS="doxygen"
	CONFIG="--disable-defaults"
	TARGET=apidoc
	;;
lgtm)
	if [ -z "$LGTM_PROJECT" -o -z "$LGTM_TOKEN" ]; then
		echo "The LGTM_PROJECT and LGTM_TOKEN environment variables" \
			 "are required to run this test"
		exit 0
	fi
	DEPS="jq"
	if test -z "$1"; then
		base=$COMMIT_BASE
		# after rebases or for new/duplicate branches, the passed base commit
		# ID might not be valid
		git rev-parse -q --verify $base^{commit}
		if [ $? != 0 ]; then
			# this will always compare against master, while via base we
			# otherwise only contains "new" commits
			base=$(git merge-base origin/master ${COMMIT_ID})
		fi
		base=$(git rev-parse $base)

		echo "Starting code review for $COMMIT_ID (base $base) on lgtm.com"
		git diff --binary $base > lgtm.patch || exit $?
		curl -s -X POST --data-binary @lgtm.patch \
			"https://lgtm.com/api/v1.0/codereviews/${LGTM_PROJECT}?base=${base}&external-id=${BUILD_NUMBER}" \
			-H 'Content-Type: application/octet-stream' \
			-H 'Accept: application/json' \
			-H "Authorization: Bearer ${LGTM_TOKEN}" > lgtm.res || exit $?
		lgtm_check_url=$(jq -r '."task-result-url"' lgtm.res)
		if [ -z "$lgtm_check_url" -o "$lgtm_check_url" = "null" ]; then
			cat lgtm.res
			exit 1
		fi
		lgtm_url=$(jq -r '."task-result"."results-url"' lgtm.res)
		echo "Progress and full results: ${lgtm_url}"

		echo -n "Waiting for completion: "
		lgtm_status=pending
		while [ "$lgtm_status" = "pending" ]; do
			sleep 15
			curl -s -X GET "${lgtm_check_url}" \
				-H 'Accept: application/json' \
				-H "Authorization: Bearer ${LGTM_TOKEN}" > lgtm.res
			if [ $? != 0 ]; then
				echo -n "-"
				continue
			fi
			echo -n "."
			lgtm_status=$(jq -r '.status' lgtm.res)
		done
		echo ""

		if [ "$lgtm_status" != "success" ]; then
			lgtm_message=$(jq -r '.["status-message"]' lgtm.res)
			echo "Code review failed: ${lgtm_message}"
			exit 1
		fi
		lgtm_new=$(jq -r '.languages[].new' lgtm.res | awk '{t+=$1} END {print t}')
		lgtm_fixed=$(jq -r '.languages[].fixed' lgtm.res | awk '{t+=$1} END {print t}')
		echo -n "Code review complete: "
		printf "%b\n" "\e[1;31m${lgtm_new}\e[0m new alerts, \e[1;32m${lgtm_fixed}\e[0m fixed"
		exit $lgtm_new
	fi
	;;
*)
	echo "$0: unknown test $TEST" >&2
	exit 1
	;;
esac

case "$1" in
deps)
	case "$OS_NAME" in
	linux)
		sudo apt-get update -qq && \
		sudo apt-get install -qq bison flex gperf gettext $DEPS
		;;
	macos)
		brew update && \
		brew install $DEPS
		;;
	freebsd)
		pkg install -y automake autoconf libtool pkgconf && \
		pkg install -y bison flex gperf gettext $DEPS
		;;
	esac
	exit $?
	;;
pydeps)
	test -z "$PYDEPS" || pip3 -q install --user $PYDEPS
	exit $?
	;;
build-deps)
	exit
	;;
*)
	;;
esac

CONFIG="$CONFIG
	--disable-dependency-tracking
	--enable-silent-rules
	--enable-test-vectors
	--enable-monolithic=${MONOLITHIC-no}
	--enable-leak-detective=${LEAK_DETECTIVE-no}"

echo "$ ./autogen.sh"
./autogen.sh || exit $?
echo "$ CC=$CC CFLAGS=\"$CFLAGS\" ./configure $CONFIG"
CC="$CC" CFLAGS="$CFLAGS" ./configure $CONFIG || exit $?

case "$TEST" in
apidoc)
	exec 2>make.warnings
	;;
*)
	;;
esac

echo "$ make $TARGET"
case "$TEST" in
sonarcloud)
	# without target, coverage is currently not supported anyway because
	# sonarqube only supports gcov, not lcov
	build-wrapper-linux-x86-64 --out-dir bw-output make -j4 || exit $?
	;;
*)
	make -j4 $TARGET || exit $?
	;;
esac

case "$TEST" in
apidoc)
	if test -s make.warnings; then
		cat make.warnings
		exit 1
	fi
	rm make.warnings
	;;
sonarcloud)
	sonar-scanner \
		-Dsonar.host.url=https://sonarcloud.io \
		-Dsonar.projectKey=${SONAR_PROJECT} \
		-Dsonar.organization=${SONAR_ORGANIZATION} \
		-Dsonar.login=${SONAR_TOKEN} \
		-Dsonar.projectVersion=$(git describe)+${BUILD_NUMBER} \
		-Dsonar.sources=. \
		-Dsonar.cfamily.threads=2 \
		-Dsonar.cfamily.cache.enabled=true \
		-Dsonar.cfamily.cache.path=$HOME/.sonar-cache \
		-Dsonar.cfamily.build-wrapper-output=bw-output || exit $?
	rm -r bw-output .scannerwork
	;;
android)
	rm -r strongswan-*
	cd src/frontends/android
	echo "$ ./gradlew build"
	NDK_CCACHE=ccache ./gradlew build || exit $?
	;;
*)
	;;
esac

# ensure there are no unignored build artifacts (or other changes) in the Git repo
unclean="$(git status --porcelain)"
if test -n "$unclean"; then
	echo "Unignored build artifacts or other changes:"
	echo "$unclean"
	exit 1
fi
Commit	Line	Data
fdce492e	1	#!/bin/sh
de401e0e	2	# Build script for CI
d151cd28	3
e5d52774 TB	4	build_botan()
e5d52774 TB	5	{
1bbb736e	6	# same revision used in the build recipe of the testing environment
29c59885	7	BOTAN_REV=2.17.1
da9e4fa0	8	BOTAN_DIR=$DEPS_BUILD_DIR/botan
24af02b0	9
d4068a1d TB	10	if test -d "$BOTAN_DIR"; then
	11	return
	12	fi
	13
2a58030b TB	14	echo "$ build_botan()"
2a58030b TB	15
e5d52774 TB	16	# if the leak detective is enabled we have to disable threading support
	17	# (used for std::async) as that causes invalid frees somehow, the
	18	# locking allocator causes a static leak via the first function that
	19	# references it (e.g. crypter or hasher), so we disable that too
	20	if test "$LEAK_DETECTIVE" = "yes"; then
	21	BOTAN_CONFIG="--without-os-features=threads
	22	--disable-modules=locking_allocator"
	23	fi
	24	# disable some larger modules we don't need for the tests
da9e4fa0 TB	25	BOTAN_CONFIG="$BOTAN_CONFIG --disable-modules=pkcs11,tls,x509,xmss
da9e4fa0 TB	26	--prefix=$DEPS_PREFIX"
1bbb736e TB	27
1bbb736e TB	28	git clone https://github.com/randombit/botan.git $BOTAN_DIR &&
24af02b0	29	cd $BOTAN_DIR &&
bbe72f97	30	git checkout -qf $BOTAN_REV &&
24af02b0	31	python ./configure.py --amalgamation $BOTAN_CONFIG &&
e5d52774 TB	32	make -j4 libs >/dev/null &&
	33	sudo make install >/dev/null &&
	34	sudo ldconfig \|\| exit $?
24af02b0	35	cd -
e5d52774 TB	36	}
e5d52774 TB	37
d50bb81c TB	38	build_wolfssl()
d50bb81c TB	39	{
cb859676	40	WOLFSSL_REV=v4.7.0-stable
da9e4fa0	41	WOLFSSL_DIR=$DEPS_BUILD_DIR/wolfssl
d50bb81c TB	42
	43	if test -d "$WOLFSSL_DIR"; then
	44	return
	45	fi
	46
	47	echo "$ build_wolfssl()"
	48
839d6c8f	49	WOLFSSL_CFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DES_ECB -DHAVE_ECC_BRAINPOOL"
da9e4fa0	50	WOLFSSL_CONFIG="--prefix=$DEPS_PREFIX
7ae4ced0	51	--disable-crypttests --disable-examples
da9e4fa0	52	--enable-keygen --enable-rsapss --enable-aesccm
d50bb81c	53	--enable-aesctr --enable-des3 --enable-camellia
7ae4ced0 TB	54	--enable-curve25519 --enable-ed25519
7ae4ced0 TB	55	--enable-curve448 --enable-ed448
839d6c8f	56	--enable-sha3 --enable-shake256 --enable-ecccustcurves"
d50bb81c TB	57
	58	git clone https://github.com/wolfSSL/wolfssl.git $WOLFSSL_DIR &&
	59	cd $WOLFSSL_DIR &&
	60	git checkout -qf $WOLFSSL_REV &&
	61	./autogen.sh &&
	62	./configure C_EXTRA_FLAGS="$WOLFSSL_CFLAGS" $WOLFSSL_CONFIG &&
	63	make -j4 >/dev/null &&
	64	sudo make install >/dev/null &&
	65	sudo ldconfig \|\| exit $?
	66	cd -
	67	}
	68
7b46089e TB	69	build_tss2()
7b46089e TB	70	{
ddc5b92d	71	TSS2_REV=2.4.3
7b46089e	72	TSS2_PKG=tpm2-tss-$TSS2_REV
da9e4fa0	73	TSS2_DIR=$DEPS_BUILD_DIR/$TSS2_PKG
7b46089e TB	74	TSS2_SRC=https://github.com/tpm2-software/tpm2-tss/releases/download/$TSS2_REV/$TSS2_PKG.tar.gz
	75
	76	if test -d "$TSS2_DIR"; then
	77	return
	78	fi
	79
2a58030b TB	80	echo "$ build_tss2()"
2a58030b TB	81
da9e4fa0	82	curl -L $TSS2_SRC \| tar xz -C $DEPS_BUILD_DIR &&
7b46089e	83	cd $TSS2_DIR &&
da9e4fa0	84	./configure --prefix=$DEPS_PREFIX --disable-doxygen-doc &&
248f3491 TB	85	make -j4 >/dev/null &&
248f3491 TB	86	sudo make install >/dev/null &&
7b46089e TB	87	sudo ldconfig \|\| exit $?
	88	cd -
	89	}
	90
de401e0e TB	91	: ${BUILD_DIR=$PWD}
de401e0e TB	92	: ${DEPS_BUILD_DIR=$BUILD_DIR/..}
da9e4fa0	93	: ${DEPS_PREFIX=/usr/local}
d151cd28	94
742e0f21 TB	95	if [ -e /etc/os-release ]; then
	96	. /etc/os-release
	97	elif [ -e /usr/lib/os-release ]; then
	98	. /usr/lib/os-release
	99	fi
	100
d151cd28 TB	101	TARGET=check
d151cd28 TB	102
60a0bb67 TB	103	DEPS="libgmp-dev"
60a0bb67 TB	104
95e67e8d MW	105	CFLAGS="-g -O2 -Wall -Wno-format -Wno-format-security -Wno-pointer-sign -Werror"
95e67e8d MW	106
d151cd28 TB	107	case "$TEST" in
d151cd28 TB	108	default)
316aa4b4 TB	109	# should be the default, but lets make sure
316aa4b4 TB	110	CONFIG="--with-printf-hooks=glibc"
d151cd28	111	;;
2a58030b TB	112	openssl*)
2a58030b TB	113	CONFIG="--disable-defaults --enable-pki --enable-openssl --enable-pem"
885c05b0	114	export TESTS_PLUGINS="test-vectors pem openssl!"
60a0bb67	115	DEPS="libssl-dev"
d151cd28 TB	116	;;
d151cd28 TB	117	gcrypt)
3986c1e3	118	CONFIG="--disable-defaults --enable-pki --enable-gcrypt --enable-pkcs1"
885c05b0	119	export TESTS_PLUGINS="test-vectors pkcs1 gcrypt!"
742e0f21 TB	120	if [ "$ID" = "ubuntu" -a "$VERSION_ID" = "20.04" ]; then
	121	DEPS="libgcrypt20-dev"
	122	else
	123	DEPS="libgcrypt11-dev"
	124	fi
d151cd28	125	;;
9ee23d5e	126	botan)
4bcc4bac	127	CONFIG="--disable-defaults --enable-pki --enable-botan --enable-pem"
885c05b0	128	export TESTS_PLUGINS="test-vectors pem botan!"
9ee23d5e	129	DEPS=""
0ff93958	130	if test "$1" = "build-deps"; then
e5d52774	131	build_botan
9ee23d5e TB	132	fi
9ee23d5e TB	133	;;
d50bb81c TB	134	wolfssl)
d50bb81c TB	135	CONFIG="--disable-defaults --enable-pki --enable-wolfssl --enable-pem"
885c05b0	136	export TESTS_PLUGINS="test-vectors pem wolfssl!"
d50bb81c TB	137	# build with custom options to enable all the features the plugin supports
d50bb81c TB	138	DEPS=""
0ff93958	139	if test "$1" = "build-deps"; then
d50bb81c TB	140	build_wolfssl
	141	fi
	142	;;
316aa4b4 TB	143	printf-builtin)
	144	CONFIG="--with-printf-hooks=builtin"
	145	;;
e2d8833f	146	all\|coverage\|sonarcloud)
f830e714 NK	147	if [ "$TEST" = "sonarcloud" ]; then
	148	if [ -z "$SONAR_PROJECT" -o -z "$SONAR_ORGANIZATION" -o -z "$SONAR_TOKEN" ]; then
	149	echo "The SONAR_PROJECT, SONAR_ORGANIZATION and SONAR_TOKEN" \
	150	"environment variables are required to run this test"
	151	exit 1
	152	fi
	153	fi
d151cd28	154	CONFIG="--enable-all --disable-android-dns --disable-android-log
66c4735f	155	--disable-kernel-pfroute --disable-keychain
157742be	156	--disable-lock-profiler --disable-padlock --disable-fuzzing
e4fd163a	157	--disable-osx-attr --disable-tkm --disable-uci
5833bc4b	158	--disable-unwind-backtraces
4732e29a	159	--disable-svc --disable-dbghelp-backtraces --disable-socket-win
de401e0e TB	160	--disable-kernel-wfp --disable-kernel-iph --disable-winhttp
de401e0e TB	161	--disable-python-eggs-install"
d151cd28 TB	162	# not enabled on the build server
d151cd28 TB	163	CONFIG="$CONFIG --disable-af-alg"
42f7c989 TB	164	if test "$TEST" != "coverage"; then
	165	CONFIG="$CONFIG --disable-coverage"
	166	else
	167	# not actually required but configure checks for it
	168	DEPS="$DEPS lcov"
	169	fi
de401e0e	170	# Botan requires newer compilers, so disable it on Ubuntu 16.04
742e0f21	171	if [ "$ID" = "ubuntu" -a "$VERSION_ID" = "16.04" ]; then
e0b1b120 TB	172	CONFIG="$CONFIG --disable-botan"
e0b1b120 TB	173	fi
60a0bb67 TB	174	DEPS="$DEPS libcurl4-gnutls-dev libsoup2.4-dev libunbound-dev libldns-dev
60a0bb67 TB	175	libmysqlclient-dev libsqlite3-dev clearsilver-dev libfcgi-dev
de401e0e	176	libldap2-dev libpcsclite-dev libpam0g-dev binutils-dev libnm-dev
742e0f21 TB	177	libgcrypt20-dev libjson-c-dev python3-pip libtspi-dev libsystemd-dev"
	178	if [ "$ID" = "ubuntu" -a "$VERSION_ID" = "20.04" ]; then
	179	DEPS="$DEPS libiptc-dev"
	180	else
	181	DEPS="$DEPS iptables-dev"
	182	fi
ead067e7	183	PYDEPS="tox"
0ff93958	184	if test "$1" = "build-deps"; then
742e0f21	185	if [ "$ID" != "ubuntu" -o "$VERSION_ID" != "16.04" ]; then
e0b1b120 TB	186	build_botan
e0b1b120 TB	187	fi
d50bb81c	188	build_wolfssl
7b46089e	189	build_tss2
e5d52774	190	fi
d151cd28	191	;;
fd372e13 MW	192	win*)
fd372e13 MW	193	CONFIG="--disable-defaults --enable-svc --enable-ikev2
d930d184 MW	194	--enable-ikev1 --enable-static --enable-test-vectors --enable-nonce
	195	--enable-constraints --enable-revocation --enable-pem --enable-pkcs1
	196	--enable-pkcs8 --enable-x509 --enable-pubkey --enable-acert
	197	--enable-eap-tnc --enable-eap-ttls --enable-eap-identity
14a0c082	198	--enable-updown --enable-ext-auth --enable-libipsec --enable-pkcs11
d930d184 MW	199	--enable-tnccs-20 --enable-imc-attestation --enable-imv-attestation
d930d184 MW	200	--enable-imc-os --enable-imv-os --enable-tnc-imv --enable-tnc-imc
cfdab423 TB	201	--enable-pki --enable-swanctl --enable-socket-win
cfdab423 TB	202	--enable-kernel-iph --enable-kernel-wfp --enable-winhttp"
6eb7dd11 TB	203	# no make check for Windows binaries unless we run on a windows host
	204	if test "$APPVEYOR" != "True"; then
	205	TARGET=
09662628 TB	206	else
09662628 TB	207	CONFIG="$CONFIG --enable-openssl"
a5f4b996 TB	208	CFLAGS="$CFLAGS -I$OPENSSL_DIR/include"
a5f4b996 TB	209	LDFLAGS="-L$OPENSSL_DIR"
09662628	210	export LDFLAGS
6eb7dd11	211	fi
d930d184	212	CFLAGS="$CFLAGS -mno-ms-bitfields"
94a69986	213	DEPS="gcc-mingw-w64-base"
fd372e13 MW	214	case "$TEST" in
fd372e13 MW	215	win64)
cfdab423	216	CONFIG="--host=x86_64-w64-mingw32 $CONFIG --enable-dbghelp-backtraces"
94a69986	217	DEPS="gcc-mingw-w64-x86-64 binutils-mingw-w64-x86-64 mingw-w64-x86-64-dev $DEPS"
de401e0e	218	CC="x86_64-w64-mingw32-gcc"
fd372e13 MW	219	;;
	220	win32)
	221	CONFIG="--host=i686-w64-mingw32 $CONFIG"
cfdab423	222	DEPS="gcc-mingw-w64-i686 binutils-mingw-w64-i686 mingw-w64-i686-dev $DEPS"
de401e0e	223	CC="i686-w64-mingw32-gcc"
fd372e13 MW	224	;;
fd372e13 MW	225	esac
d930d184	226	;;
763f07c5	227	android)
763f07c5 TB	228	if test "$1" = "deps"; then
	229	git clone git://git.strongswan.org/android-ndk-boringssl.git -b ndk-static \
	230	src/frontends/android/app/src/main/jni/openssl
	231	fi
	232	TARGET=distdir
	233	;;
de401e0e	234	macos)
fd9edf7f TB	235	# this causes a false positive in ip-packet.c since Xcode 8.3
fd9edf7f TB	236	CFLAGS="$CFLAGS -Wno-address-of-packed-member"
e36b1e2e TB	237	# use the same options as in the Homebrew Formula
	238	CONFIG="--disable-defaults --enable-charon --enable-cmd --enable-constraints
	239	--enable-curl --enable-eap-gtc --enable-eap-identity
8d8739ac TB	240	--enable-eap-md5 --enable-eap-mschapv2 --enable-farp --enable-ikev1
8d8739ac TB	241	--enable-ikev2 --enable-kernel-libipsec --enable-kernel-pfkey
e36b1e2e TB	242	--enable-kernel-pfroute --enable-nonce --enable-openssl
	243	--enable-osx-attr --enable-pem --enable-pgp --enable-pkcs1
	244	--enable-pkcs8 --enable-pki --enable-pubkey --enable-revocation
	245	--enable-scepclient --enable-socket-default --enable-sshkey
	246	--enable-stroke --enable-swanctl --enable-unity --enable-updown
	247	--enable-x509 --enable-xauth-generic"
de401e0e	248	DEPS="automake autoconf libtool bison gettext openssl curl"
e36b1e2e TB	249	BREW_PREFIX=$(brew --prefix)
	250	export PATH=$BREW_PREFIX/opt/bison/bin:$PATH
	251	export ACLOCAL_PATH=$BREW_PREFIX/opt/gettext/share/aclocal:$ACLOCAL_PATH
	252	for pkg in openssl curl
	253	do
8486b3b4	254	PKG_CONFIG_PATH=$BREW_PREFIX/opt/$pkg/lib/pkgconfig:$PKG_CONFIG_PATH
e36b1e2e TB	255	CPPFLAGS="-I$BREW_PREFIX/opt/$pkg/include $CPPFLAGS"
	256	LDFLAGS="-L$BREW_PREFIX/opt/$pkg/lib $LDFLAGS"
	257	done
	258	export PKG_CONFIG_PATH
	259	export CPPFLAGS
	260	export LDFLAGS
	261	;;
d6949b15 TB	262	freebsd)
	263	# use the options of the FreeBSD port (including options), except smp,
	264	# which requires a patch but is deprecated anyway, only using the builtin
	265	# printf hooks
	266	CONFIG="--enable-kernel-pfkey --enable-kernel-pfroute --disable-scripts
	267	--disable-kernel-netlink --enable-openssl --enable-eap-identity
	268	--enable-eap-md5 --enable-eap-tls --enable-eap-mschapv2
	269	--enable-eap-peap --enable-eap-ttls --enable-md4 --enable-blowfish
	270	--enable-addrblock --enable-whitelist --enable-cmd --enable-curl
	271	--enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-dynamic
	272	--enable-eap-radius --enable-eap-sim --enable-eap-sim-file
	273	--enable-gcm --enable-ipseckey --enable-kernel-libipsec
	274	--enable-load-tester --enable-ldap --enable-mediation
51f48376 TB	275	--enable-mysql --enable-sqlite --enable-tpm --enable-tss-tss2
51f48376 TB	276	--enable-unbound --enable-unity --enable-xauth-eap --enable-xauth-pam
1af4ae87 TB	277	--with-printf-hooks=builtin --enable-attr-sql --enable-sql
1af4ae87 TB	278	--enable-farp"
51f48376	279	DEPS="git gmp openldap-client libxml2 mysql80-client sqlite3 unbound ldns tpm2-tss"
d6949b15 TB	280	export GPERF=/usr/local/bin/gperf
	281	export LEX=/usr/local/bin/flex
	282	;;
1ce2721d TB	283	fuzzing)
1ce2721d TB	284	CFLAGS="$CFLAGS -DNO_CHECK_MEMWIPE"
508b3087	285	CONFIG="--enable-fuzzing --enable-static --disable-shared --disable-scripts
75181f48	286	--enable-imc-test --enable-tnccs-20"
1ce2721d TB	287	# don't run any of the unit tests
	288	export TESTS_RUNNERS=
	289	# prepare corpora
	290	if test -z "$1"; then
	291	if test -z "$FUZZING_CORPORA"; then
	292	git clone --depth 1 https://github.com/strongswan/fuzzing-corpora.git fuzzing-corpora
de401e0e	293	export FUZZING_CORPORA=$BUILD_DIR/fuzzing-corpora
1ce2721d	294	fi
7421884d TB	295	# these are about the same as those on OSS-Fuzz (except for the
	296	# symbolize options and strip_path_prefix)
	297	export ASAN_OPTIONS=redzone=16:handle_sigill=1:strict_string_check=1:\
	298	allocator_release_to_os_interval_ms=500:strict_memcmp=1:detect_container_overflow=1:\
	299	coverage=0:allocator_may_return_null=1:use_sigaltstack=1:detect_stack_use_after_return=1:\
	300	alloc_dealloc_mismatch=0:detect_leaks=1:print_scariness=1:max_uar_stack_size_log=16:\
	301	handle_abort=1:check_malloc_usable_size=0:quarantine_size_mb=10:detect_odr_violation=0:\
	302	symbolize=1:handle_segv=1:fast_unwind_on_fatal=0:external_symbolizer_path=/usr/bin/llvm-symbolizer-3.5
1ce2721d TB	303	fi
1ce2721d TB	304	;;
658b6df4 TB	305	nm\|nm-no-glib)
	306	DEPS="gnome-common libsecret-1-dev libgtk-3-dev libnm-dev libnma-dev"
	307	if test "$TEST" = "nm"; then
	308	DEPS="$DEPS libnm-glib-vpn-dev libnm-gtk-dev"
	309	else
	310	CONFIG="$CONFIG --without-libnm-glib"
	311	fi
	312	cd src/frontends/gnome
	313	# don't run ./configure with ./autogen.sh
	314	export NOCONFIGURE=1
	315	;;
d151cd28 TB	316	dist)
	317	TARGET=distcheck
	318	;;
4e8f5a18 TB	319	apidoc)
	320	DEPS="doxygen"
	321	CONFIG="--disable-defaults"
	322	TARGET=apidoc
	323	;;
c9a34303	324	lgtm)
260e7b55 NK	325	if [ -z "$LGTM_PROJECT" -o -z "$LGTM_TOKEN" ]; then
	326	echo "The LGTM_PROJECT and LGTM_TOKEN environment variables" \
	327	"are required to run this test"
2f650e08	328	exit 0
260e7b55	329	fi
c9a34303	330	DEPS="jq"
c9a34303	331	if test -z "$1"; then
de401e0e TB	332	base=$COMMIT_BASE
	333	# after rebases or for new/duplicate branches, the passed base commit
	334	# ID might not be valid
	335	git rev-parse -q --verify $base^{commit}
	336	if [ $? != 0 ]; then
	337	# this will always compare against master, while via base we
	338	# otherwise only contains "new" commits
	339	base=$(git merge-base origin/master ${COMMIT_ID})
c9a34303 TB	340	fi
c9a34303 TB	341	base=$(git rev-parse $base)
c9a34303	342
de401e0e	343	echo "Starting code review for $COMMIT_ID (base $base) on lgtm.com"
c9a34303 TB	344	git diff --binary $base > lgtm.patch \|\| exit $?
c9a34303 TB	345	curl -s -X POST --data-binary @lgtm.patch \
cd7b80e8	346	"https://lgtm.com/api/v1.0/codereviews/${LGTM_PROJECT}?base=${base}&external-id=${BUILD_NUMBER}" \
c9a34303 TB	347	-H 'Content-Type: application/octet-stream' \
	348	-H 'Accept: application/json' \
	349	-H "Authorization: Bearer ${LGTM_TOKEN}" > lgtm.res \|\| exit $?
	350	lgtm_check_url=$(jq -r '."task-result-url"' lgtm.res)
4b225bf8 TB	351	if [ -z "$lgtm_check_url" -o "$lgtm_check_url" = "null" ]; then
4b225bf8 TB	352	cat lgtm.res
c9a34303 TB	353	exit 1
	354	fi
	355	lgtm_url=$(jq -r '."task-result"."results-url"' lgtm.res)
	356	echo "Progress and full results: ${lgtm_url}"
	357
	358	echo -n "Waiting for completion: "
	359	lgtm_status=pending
	360	while [ "$lgtm_status" = "pending" ]; do
	361	sleep 15
	362	curl -s -X GET "${lgtm_check_url}" \
	363	-H 'Accept: application/json' \
	364	-H "Authorization: Bearer ${LGTM_TOKEN}" > lgtm.res
	365	if [ $? != 0 ]; then
	366	echo -n "-"
	367	continue
	368	fi
	369	echo -n "."
	370	lgtm_status=$(jq -r '.status' lgtm.res)
	371	done
	372	echo ""
	373
	374	if [ "$lgtm_status" != "success" ]; then
	375	lgtm_message=$(jq -r '.["status-message"]' lgtm.res)
	376	echo "Code review failed: ${lgtm_message}"
	377	exit 1
	378	fi
	379	lgtm_new=$(jq -r '.languages[].new' lgtm.res \| awk '{t+=$1} END {print t}')
	380	lgtm_fixed=$(jq -r '.languages[].fixed' lgtm.res \| awk '{t+=$1} END {print t}')
	381	echo -n "Code review complete: "
fdce492e	382	printf "%b\n" "\e[1;31m${lgtm_new}\e[0m new alerts, \e[1;32m${lgtm_fixed}\e[0m fixed"
c9a34303 TB	383	exit $lgtm_new
	384	fi
	385	;;
d151cd28 TB	386	*)
	387	echo "$0: unknown test $TEST" >&2
	388	exit 1
	389	;;
	390	esac
	391
0ff93958 TB	392	case "$1" in
0ff93958 TB	393	deps)
de401e0e	394	case "$OS_NAME" in
e36b1e2e TB	395	linux)
	396	sudo apt-get update -qq && \
	397	sudo apt-get install -qq bison flex gperf gettext $DEPS
	398	;;
de401e0e	399	macos)
e36b1e2e TB	400	brew update && \
	401	brew install $DEPS
	402	;;
d6949b15 TB	403	freebsd)
	404	pkg install -y automake autoconf libtool pkgconf && \
	405	pkg install -y bison flex gperf gettext $DEPS
	406	;;
e36b1e2e	407	esac
60a0bb67	408	exit $?
0ff93958 TB	409	;;
0ff93958 TB	410	pydeps)
742e0f21	411	test -z "$PYDEPS" \|\| pip3 -q install --user $PYDEPS
75a84579	412	exit $?
0ff93958 TB	413	;;
	414	build-deps)
	415	exit
	416	;;
	417	*)
	418	;;
	419	esac
75a84579	420
d151cd28	421	CONFIG="$CONFIG
e36b1e2e	422	--disable-dependency-tracking
d151cd28 TB	423	--enable-silent-rules
	424	--enable-test-vectors
	425	--enable-monolithic=${MONOLITHIC-no}
	426	--enable-leak-detective=${LEAK_DETECTIVE-no}"
	427
e36b1e2e TB	428	echo "$ ./autogen.sh"
e36b1e2e TB	429	./autogen.sh \|\| exit $?
4e8f5a18 TB	430	echo "$ CC=$CC CFLAGS=\"$CFLAGS\" ./configure $CONFIG"
	431	CC="$CC" CFLAGS="$CFLAGS" ./configure $CONFIG \|\| exit $?
	432
	433	case "$TEST" in
	434	apidoc)
	435	exec 2>make.warnings
	436	;;
	437	*)
	438	;;
	439	esac
	440
	441	echo "$ make $TARGET"
e2d8833f TB	442	case "$TEST" in
	443	sonarcloud)
	444	# without target, coverage is currently not supported anyway because
	445	# sonarqube only supports gcov, not lcov
	446	build-wrapper-linux-x86-64 --out-dir bw-output make -j4 \|\| exit $?
	447	;;
	448	*)
	449	make -j4 $TARGET \|\| exit $?
	450	;;
	451	esac
4e8f5a18 TB	452
	453	case "$TEST" in
	454	apidoc)
	455	if test -s make.warnings; then
	456	cat make.warnings
	457	exit 1
	458	fi
f36e3755	459	rm make.warnings
4e8f5a18	460	;;
e2d8833f TB	461	sonarcloud)
e2d8833f TB	462	sonar-scanner \
de401e0e	463	-Dsonar.host.url=https://sonarcloud.io \
fd5cf311 TB	464	-Dsonar.projectKey=${SONAR_PROJECT} \
fd5cf311 TB	465	-Dsonar.organization=${SONAR_ORGANIZATION} \
de401e0e TB	466	-Dsonar.login=${SONAR_TOKEN} \
de401e0e TB	467	-Dsonar.projectVersion=$(git describe)+${BUILD_NUMBER} \
e2d8833f	468	-Dsonar.sources=. \
187ab298	469	-Dsonar.cfamily.threads=2 \
1f2c83db TB	470	-Dsonar.cfamily.cache.enabled=true \
1f2c83db TB	471	-Dsonar.cfamily.cache.path=$HOME/.sonar-cache \
e2d8833f	472	-Dsonar.cfamily.build-wrapper-output=bw-output \|\| exit $?
f36e3755	473	rm -r bw-output .scannerwork
e2d8833f	474	;;
763f07c5 TB	475	android)
	476	rm -r strongswan-*
	477	cd src/frontends/android
	478	echo "$ ./gradlew build"
de401e0e	479	NDK_CCACHE=ccache ./gradlew build \|\| exit $?
763f07c5	480	;;
4e8f5a18 TB	481	*)
	482	;;
	483	esac
f36e3755 TB	484
	485	# ensure there are no unignored build artifacts (or other changes) in the Git repo
	486	unclean="$(git status --porcelain)"
	487	if test -n "$unclean"; then
	488	echo "Unignored build artifacts or other changes:"
	489	echo "$unclean"
	490	exit 1
	491	fi