1 #!/bin/sh
2 # Build script for CI
3
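# Clone, build and install Botan below $DEPS_BUILD_DIR, unless a checkout
# already exists there.
#
# Globals:  DEPS_BUILD_DIR, DEPS_PREFIX, LEAK_DETECTIVE (read)
#           BOTAN_REV, BOTAN_DIR, BOTAN_CONFIG (written)
# Returns:  0 if the directory already exists or the install succeeded; a
#           failing step terminates the whole script with that step's status
build_botan()
{
	# same revision used in the build recipe of the testing environment
	# NOTE(review): this is a ref name rather than a commit ID, so what gets
	# checked out (and installed via sudo below) depends on what the remote
	# serves for that name; pinning the full commit ID would make the input
	# tamper-evident
	BOTAN_REV=2.19.1
	BOTAN_DIR=$DEPS_BUILD_DIR/botan

	if test -d "$BOTAN_DIR"; then
		return
	fi

	echo "$ build_botan()"

	# if the leak detective is enabled we have to disable threading support
	# (used for std::async) as that causes invalid frees somehow, the
	# locking allocator causes a static leak via the first function that
	# references it (e.g. crypter or hasher), so we disable that too
	if test "$LEAK_DETECTIVE" = "yes"; then
		BOTAN_CONFIG="--without-os-features=threads
			--disable-modules=locking_allocator"
	fi
	# disable some larger modules we don't need for the tests
	BOTAN_CONFIG="$BOTAN_CONFIG --disable-modules=pkcs11,tls,x509,xmss
		--prefix=$DEPS_PREFIX"

	# paths are quoted so a build directory containing whitespace or glob
	# characters is passed as a single argument; $BOTAN_CONFIG is left
	# unquoted on purpose, it is a whitespace-separated option list
	git clone https://github.com/randombit/botan.git "$BOTAN_DIR" &&
	cd "$BOTAN_DIR" &&
	git checkout -qf "$BOTAN_REV" &&
	python ./configure.py --amalgamation $BOTAN_CONFIG &&
	make -j4 libs >/dev/null &&
	sudo make install >/dev/null &&
	sudo ldconfig || exit $?
	cd -
}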
37
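# Clone, build and install wolfSSL below $DEPS_BUILD_DIR, unless a checkout
# already exists there.
#
# Globals:  DEPS_BUILD_DIR, DEPS_PREFIX (read)
#           WOLFSSL_REV, WOLFSSL_DIR, WOLFSSL_CFLAGS, WOLFSSL_CONFIG (written)
# Returns:  0 if the directory already exists or the install succeeded; a
#           failing step terminates the whole script with that step's status
build_wolfssl()
{
	# NOTE(review): this is a ref name rather than a commit ID, so what gets
	# checked out (and installed via sudo below) depends on what the remote
	# serves for that name; pinning the full commit ID would make the input
	# tamper-evident
	WOLFSSL_REV=v5.4.0-stable
	WOLFSSL_DIR=$DEPS_BUILD_DIR/wolfssl

	if test -d "$WOLFSSL_DIR"; then
		return
	fi

	echo "$ build_wolfssl()"

	WOLFSSL_CFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DES_ECB -DHAVE_AES_ECB \
		-DHAVE_ECC_BRAINPOOL -DWOLFSSL_MIN_AUTH_TAG_SZ=8"
	WOLFSSL_CONFIG="--prefix=$DEPS_PREFIX
		--disable-crypttests --disable-examples
		--enable-aesccm --enable-aesctr --enable-camellia
		--enable-curve25519 --enable-curve448 --enable-des3
		--enable-ecccustcurves --enable-ed25519 --enable-ed448
		--enable-heapmath --enable-keygen --enable-md4
		--enable-rsapss --enable-sha3 --enable-shake256"

	# paths are quoted so a build directory containing whitespace or glob
	# characters is passed as a single argument; $WOLFSSL_CONFIG is left
	# unquoted on purpose, it is a whitespace-separated option list
	git clone https://github.com/wolfSSL/wolfssl.git "$WOLFSSL_DIR" &&
	cd "$WOLFSSL_DIR" &&
	git checkout -qf "$WOLFSSL_REV" &&
	./autogen.sh &&
	./configure C_EXTRA_FLAGS="$WOLFSSL_CFLAGS" $WOLFSSL_CONFIG &&
	make -j4 >/dev/null &&
	sudo make install >/dev/null &&
	sudo ldconfig || exit $?
	cd -
}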
69
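# Download, build and install the tpm2-tss release tarball below
# $DEPS_BUILD_DIR, unless the unpacked directory already exists.
#
# Globals:  DEPS_BUILD_DIR, DEPS_PREFIX (read)
#           TSS2_REV, TSS2_PKG, TSS2_DIR, TSS2_SRC (written)
# Returns:  0 if the directory already exists or the install succeeded; a
#           failing step terminates the whole script with that step's status
build_tss2()
{
	TSS2_REV=2.4.3
	TSS2_PKG=tpm2-tss-$TSS2_REV
	TSS2_DIR=$DEPS_BUILD_DIR/$TSS2_PKG
	TSS2_SRC=https://github.com/tpm2-software/tpm2-tss/releases/download/$TSS2_REV/$TSS2_PKG.tar.gz

	if test -d "$TSS2_DIR"; then
		return
	fi

	echo "$ build_tss2()"

	# NOTE(review): the archive is streamed straight into tar and the result
	# is installed via sudo without being compared against a known checksum
	# or signature; its integrity rests on the TLS connection to the
	# download host alone
	# -f keeps curl from handing an HTTP error page to tar; the paths are
	# quoted so a build directory containing whitespace or glob characters
	# is passed as a single argument
	curl -fL "$TSS2_SRC" | tar xz -C "$DEPS_BUILD_DIR" &&
	cd "$TSS2_DIR" &&
	./configure --prefix="$DEPS_PREFIX" --disable-doxygen-doc &&
	make -j4 >/dev/null &&
	sudo make install >/dev/null &&
	sudo ldconfig || exit $?
	cd -
}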
91
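# Download, build and install the OpenSSL release tarball into
# $DEPS_PREFIX/ssl, unless the unpacked directory already exists below
# $DEPS_BUILD_DIR.
#
# Globals:  DEPS_BUILD_DIR, DEPS_PREFIX, LEAK_DETECTIVE (read)
#           SSL_REV, SSL_PKG, SSL_DIR, SSL_SRC, SSL_INS, SSL_OPT (written)
# Returns:  0 if the directory already exists or the install succeeded; a
#           failing step terminates the whole script with that step's status
build_openssl()
{
	SSL_REV=3.0.2
	SSL_PKG=openssl-$SSL_REV
	SSL_DIR=$DEPS_BUILD_DIR/$SSL_PKG
	SSL_SRC=https://www.openssl.org/source/$SSL_PKG.tar.gz
	SSL_INS=$DEPS_PREFIX/ssl
	SSL_OPT="shared no-tls no-dtls no-ssl3 no-zlib no-comp no-idea no-psk no-srp
		no-stdio no-tests enable-rfc3779 enable-ec_nistp_64_gcc_128"

	if test -d "$SSL_DIR"; then
		return
	fi

	# insist on compiling with gcc and debug information as symbols are otherwise not found
	if test "$LEAK_DETECTIVE" = "yes"; then
		SSL_OPT="$SSL_OPT CC=gcc -d"
	fi

	echo "$ build_openssl()"

	# NOTE(review): the archive is streamed straight into tar and the result
	# is installed via sudo without being compared against a known checksum
	# or signature; its integrity rests on the TLS connection to the
	# download host alone
	# -f keeps curl from handing an HTTP error page to tar; the paths are
	# quoted so directories containing whitespace or glob characters are
	# passed as single arguments, while $SSL_OPT is left unquoted on
	# purpose, it is a whitespace-separated option list
	curl -fL "$SSL_SRC" | tar xz -C "$DEPS_BUILD_DIR" &&
	cd "$SSL_DIR" &&
	./config --prefix="$SSL_INS" --openssldir="$SSL_INS" --libdir=lib $SSL_OPT &&
	make -j4 >/dev/null &&
	sudo make install_sw >/dev/null &&
	sudo ldconfig || exit $?
	cd -
}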
121
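# Point the compiler, linker and runtime loader at the OpenSSL installation
# in $DEPS_PREFIX/ssl and build it first if requested.
#
# Globals:    DEPS_PREFIX (read)
#             CFLAGS (extended, not exported here)
#             LDFLAGS, LD_LIBRARY_PATH (extended and exported)
# Arguments:  $1 - "build-deps" to call build_openssl, anything else skips it
use_custom_openssl()
{
	CFLAGS="$CFLAGS -I$DEPS_PREFIX/ssl/include"
	export LDFLAGS="$LDFLAGS -L$DEPS_PREFIX/ssl/lib"
	# only add the separator if there is an existing value: a trailing ":"
	# is an empty search path entry, which the dynamic loader treats as the
	# current working directory, so libraries could get loaded from
	# wherever the tests happen to run
	export LD_LIBRARY_PATH="$DEPS_PREFIX/ssl/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
	if test "$1" = "build-deps"; then
		build_openssl
	fi
}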
131
# Locations used by the dependency builds; each keeps a value that is already
# set in the environment and is only assigned if unset
: "${BUILD_DIR=$PWD}"
: "${DEPS_BUILD_DIR=$BUILD_DIR/..}"
: "${DEPS_PREFIX=/usr/local}"

# pull in the distribution's identification variables (the script later
# checks $ID and $VERSION_ID), preferring the file in /etc
if test -e /etc/os-release; then
	. /etc/os-release
elif test -e /usr/lib/os-release; then
	. /usr/lib/os-release
fi

# defaults that the per-test setup may override or extend
CFLAGS="-g -O2 -Wall -Wno-format -Wno-format-security -Wno-pointer-sign -Werror"
DEPS="libgmp-dev"
TARGET=check
147
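# Per-scenario setup: depending on $TEST this selects the ./configure options
# (CONFIG), the packages to install (DEPS, PYDEPS), the make target (TARGET)
# and compiler/linker flags, and runs scenario-specific preparation depending
# on the first script argument. Unknown values of $TEST abort the script.
case "$TEST" in
default)
	# should be the default, but lets make sure
	CONFIG="--with-printf-hooks=glibc"
	;;
openssl*)
	CONFIG="--disable-defaults --enable-pki --enable-openssl --enable-pem"
	export TESTS_PLUGINS="test-vectors pem openssl!"
	DEPS="libssl-dev"
	if test "$TEST" = "openssl-3"; then
		DEPS=""
		use_custom_openssl "$1"
	fi
	;;
gcrypt)
	CONFIG="--disable-defaults --enable-pki --enable-gcrypt --enable-pkcs1 --enable-pkcs8"
	export TESTS_PLUGINS="test-vectors pkcs1 pkcs8 gcrypt!"
	if [ "$ID" = "ubuntu" ] && [ "$VERSION_ID" = "20.04" ]; then
		DEPS="libgcrypt20-dev"
	else
		DEPS="libgcrypt11-dev"
	fi
	;;
botan)
	CONFIG="--disable-defaults --enable-pki --enable-botan --enable-pem"
	export TESTS_PLUGINS="test-vectors pem botan!"
	DEPS=""
	if test "$1" = "build-deps"; then
		build_botan
	fi
	;;
wolfssl)
	CONFIG="--disable-defaults --enable-pki --enable-wolfssl --enable-pem"
	export TESTS_PLUGINS="test-vectors pem wolfssl!"
	# build with custom options to enable all the features the plugin supports
	DEPS=""
	if test "$1" = "build-deps"; then
		build_wolfssl
	fi
	;;
printf-builtin)
	CONFIG="--with-printf-hooks=builtin"
	;;
all|coverage|sonarcloud)
	if [ "$TEST" = "sonarcloud" ]; then
		# missing credentials are a hard failure for this scenario
		if [ -z "$SONAR_PROJECT" ] || [ -z "$SONAR_ORGANIZATION" ] || [ -z "$SONAR_TOKEN" ]; then
			echo "The SONAR_PROJECT, SONAR_ORGANIZATION and SONAR_TOKEN" \
				"environment variables are required to run this test"
			exit 1
		fi
	fi
	CONFIG="--enable-all --disable-android-dns --disable-android-log
			--disable-kernel-pfroute --disable-keychain
			--disable-lock-profiler --disable-padlock --disable-fuzzing
			--disable-osx-attr --disable-tkm --disable-uci
			--disable-unwind-backtraces
			--disable-svc --disable-dbghelp-backtraces --disable-socket-win
			--disable-kernel-wfp --disable-kernel-iph --disable-winhttp
			--disable-python-eggs-install"
	# not enabled on the build server
	CONFIG="$CONFIG --disable-af-alg"
	if test "$TEST" != "coverage"; then
		CONFIG="$CONFIG --disable-coverage"
	else
		# not actually required but configure checks for it
		DEPS="$DEPS lcov"
	fi
	DEPS="$DEPS libcurl4-gnutls-dev libsoup2.4-dev libunbound-dev libldns-dev
		  libmysqlclient-dev libsqlite3-dev clearsilver-dev libfcgi-dev
		  libldap2-dev libpcsclite-dev libpam0g-dev binutils-dev libnm-dev
		  libgcrypt20-dev libjson-c-dev python3-pip libtspi-dev libsystemd-dev
		  libselinux1-dev"
	if [ "$ID" = "ubuntu" ] && [ "$VERSION_ID" = "20.04" ]; then
		DEPS="$DEPS libiptc-dev"
	else
		DEPS="$DEPS iptables-dev python3-setuptools"
	fi
	PYDEPS="tox"
	if test "$1" = "build-deps"; then
		build_botan
		build_wolfssl
		build_tss2
	fi
	use_custom_openssl "$1"
	;;
win*)
	CONFIG="--disable-defaults --enable-svc --enable-ikev2
			--enable-ikev1 --enable-static --enable-test-vectors --enable-nonce
			--enable-constraints --enable-revocation --enable-pem --enable-pkcs1
			--enable-pkcs8 --enable-x509 --enable-pubkey --enable-acert
			--enable-eap-tnc --enable-eap-ttls --enable-eap-identity
			--enable-updown --enable-ext-auth --enable-libipsec --enable-pkcs11
			--enable-tnccs-20 --enable-imc-attestation --enable-imv-attestation
			--enable-imc-os --enable-imv-os --enable-tnc-imv --enable-tnc-imc
			--enable-pki --enable-swanctl --enable-socket-win
			--enable-kernel-iph --enable-kernel-wfp --enable-winhttp"
	# no make check for Windows binaries unless we run on a windows host
	if test "$APPVEYOR" != "True"; then
		TARGET=
	else
		case "$IMG" in
		2015|2017)
			# old OpenSSL versions don't provide HKDF
			CONFIG="$CONFIG --enable-kdf"
			;;
		esac
		CONFIG="$CONFIG --enable-openssl"
		CFLAGS="$CFLAGS -I$OPENSSL_DIR/include"
		LDFLAGS="-L$OPENSSL_DIR"
		export LDFLAGS

	fi
	CFLAGS="$CFLAGS -mno-ms-bitfields"
	DEPS="gcc-mingw-w64-base"
	case "$TEST" in
	win64)
		CONFIG="--host=x86_64-w64-mingw32 $CONFIG --enable-dbghelp-backtraces"
		DEPS="gcc-mingw-w64-x86-64 binutils-mingw-w64-x86-64 mingw-w64-x86-64-dev $DEPS"
		CC="x86_64-w64-mingw32-gcc"
		;;
	win32)
		CONFIG="--host=i686-w64-mingw32 $CONFIG"
		DEPS="gcc-mingw-w64-i686 binutils-mingw-w64-i686 mingw-w64-i686-dev $DEPS"
		CC="i686-w64-mingw32-gcc"
		;;
	esac
	;;
android)
	if test "$1" = "deps"; then
		# NOTE(review): git:// is an unauthenticated and unencrypted
		# transport, so the sources cloned here can be altered in transit
		# without detection; an authenticated transport (https or ssh, if
		# the server offers one) or a pinned commit ID would close that gap
		git clone git://git.strongswan.org/android-ndk-boringssl.git -b ndk-static \
			src/frontends/android/app/src/main/jni/openssl
	fi
	TARGET=distdir
	;;
macos)
	# this causes a false positive in ip-packet.c since Xcode 8.3
	CFLAGS="$CFLAGS -Wno-address-of-packed-member"
	# use the same options as in the Homebrew Formula
	CONFIG="--disable-defaults --enable-charon --enable-cmd --enable-constraints
			--enable-curl --enable-eap-gtc --enable-eap-identity
			--enable-eap-md5 --enable-eap-mschapv2 --enable-farp --enable-ikev1
			--enable-ikev2 --enable-kernel-libipsec --enable-kernel-pfkey
			--enable-kernel-pfroute --enable-nonce --enable-openssl
			--enable-osx-attr --enable-pem --enable-pgp --enable-pkcs1
			--enable-pkcs8 --enable-pki --enable-pubkey --enable-revocation
			--enable-scepclient --enable-socket-default --enable-sshkey
			--enable-stroke --enable-swanctl --enable-unity --enable-updown
			--enable-x509 --enable-xauth-generic"
	DEPS="automake autoconf libtool bison gettext openssl@1.1 curl"
	BREW_PREFIX=$(brew --prefix)
	export PATH=$BREW_PREFIX/opt/bison/bin:$PATH
	export ACLOCAL_PATH=$BREW_PREFIX/opt/gettext/share/aclocal:$ACLOCAL_PATH
	for pkg in openssl@1.1 curl
	do
		PKG_CONFIG_PATH=$BREW_PREFIX/opt/$pkg/lib/pkgconfig:$PKG_CONFIG_PATH
		CPPFLAGS="-I$BREW_PREFIX/opt/$pkg/include $CPPFLAGS"
		LDFLAGS="-L$BREW_PREFIX/opt/$pkg/lib $LDFLAGS"
	done
	export PKG_CONFIG_PATH
	export CPPFLAGS
	export LDFLAGS
	;;
freebsd)
	# use the options of the FreeBSD port (including options), except smp,
	# which requires a patch but is deprecated anyway, only using the builtin
	# printf hooks
	CONFIG="--enable-kernel-pfkey --enable-kernel-pfroute --disable-scripts
			--disable-kernel-netlink --enable-openssl --enable-eap-identity
			--enable-eap-md5 --enable-eap-tls --enable-eap-mschapv2
			--enable-eap-peap --enable-eap-ttls --enable-md4 --enable-blowfish
			--enable-addrblock --enable-whitelist --enable-cmd --enable-curl
			--enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-dynamic
			--enable-eap-radius --enable-eap-sim --enable-eap-sim-file
			--enable-gcm --enable-ipseckey --enable-kernel-libipsec
			--enable-load-tester --enable-ldap --enable-mediation
			--enable-mysql --enable-sqlite --enable-tpm --enable-tss-tss2
			--enable-unbound --enable-unity --enable-xauth-eap --enable-xauth-pam
			--with-printf-hooks=builtin --enable-attr-sql --enable-sql
			--enable-farp"
	DEPS="git gmp openldap24-client libxml2 mysql80-client sqlite3 unbound ldns tpm2-tss"
	;;
fuzzing)
	CFLAGS="$CFLAGS -DNO_CHECK_MEMWIPE"
	CONFIG="--enable-fuzzing --enable-static --disable-shared --disable-scripts
			--enable-imc-test --enable-tnccs-20"
	# don't run any of the unit tests
	export TESTS_RUNNERS=
	# prepare corpora
	if test -z "$1"; then
		if test -z "$FUZZING_CORPORA"; then
			git clone --depth 1 https://github.com/strongswan/fuzzing-corpora.git fuzzing-corpora
			export FUZZING_CORPORA=$BUILD_DIR/fuzzing-corpora
		fi
		# these are about the same as those on OSS-Fuzz (except for the
		# symbolize options and strip_path_prefix)
		# the continuation lines have to start in the first column, leading
		# whitespace would end the word and with it the assignment
		export ASAN_OPTIONS=redzone=16:handle_sigill=1:strict_string_check=1:\
allocator_release_to_os_interval_ms=500:strict_memcmp=1:detect_container_overflow=1:\
coverage=0:allocator_may_return_null=1:use_sigaltstack=1:detect_stack_use_after_return=1:\
alloc_dealloc_mismatch=0:detect_leaks=1:print_scariness=1:max_uar_stack_size_log=16:\
handle_abort=1:check_malloc_usable_size=0:quarantine_size_mb=10:detect_odr_violation=0:\
symbolize=1:handle_segv=1:fast_unwind_on_fatal=0:external_symbolizer_path=/usr/bin/llvm-symbolizer-3.5
	fi
	;;
nm|nm-no-glib)
	DEPS="gnome-common libsecret-1-dev libgtk-3-dev libnm-dev libnma-dev"
	if test "$TEST" = "nm"; then
		DEPS="$DEPS libnm-glib-vpn-dev libnm-gtk-dev"
	else
		CONFIG="$CONFIG --without-libnm-glib"
	fi
	cd src/frontends/gnome
	# don't run ./configure with ./autogen.sh
	export NOCONFIGURE=1
	;;
dist)
	TARGET=distcheck
	;;
apidoc)
	DEPS="doxygen"
	CONFIG="--disable-defaults"
	TARGET=apidoc
	;;
lgtm)
	# missing credentials skip this scenario with a success status, unlike
	# sonarcloud above, which fails
	if [ -z "$LGTM_PROJECT" ] || [ -z "$LGTM_TOKEN" ]; then
		echo "The LGTM_PROJECT and LGTM_TOKEN environment variables" \
			"are required to run this test"
		exit 0
	fi
	DEPS="jq"
	if test -z "$1"; then
		base=$COMMIT_BASE
		# after rebases or for new/duplicate branches, the passed base commit
		# ID might not be valid
		if ! git rev-parse -q --verify "$base^{commit}"; then
			# this will always compare against master, while via base we
			# otherwise only contains "new" commits
			base=$(git merge-base origin/master "${COMMIT_ID}")
		fi
		base=$(git rev-parse "$base")

		echo "Starting code review for $COMMIT_ID (base $base) on lgtm.com"
		# quoted, so an empty base is passed on to git as an (empty)
		# revision argument instead of vanishing from the command line
		git diff --binary "$base" > lgtm.patch || exit $?
		# NOTE(review): the bearer token is part of curl's argument list
		# here and in the polling loop below, which exposes it in the
		# process table and in any command tracing for the duration of the
		# call
		curl -s -X POST --data-binary @lgtm.patch \
			"https://lgtm.com/api/v1.0/codereviews/${LGTM_PROJECT}?base=${base}&external-id=${BUILD_NUMBER}" \
			-H 'Content-Type: application/octet-stream' \
			-H 'Accept: application/json' \
			-H "Authorization: Bearer ${LGTM_TOKEN}" > lgtm.res || exit $?
		lgtm_check_url=$(jq -r '."task-result-url"' lgtm.res)
		if [ -z "$lgtm_check_url" ] || [ "$lgtm_check_url" = "null" ]; then
			cat lgtm.res
			exit 1
		fi
		lgtm_url=$(jq -r '."task-result"."results-url"' lgtm.res)
		echo "Progress and full results: ${lgtm_url}"

		echo -n "Waiting for completion: "
		lgtm_status=pending
		# poll every 15 seconds until the status is no longer "pending", a
		# failed request prints "-" and is simply retried
		while [ "$lgtm_status" = "pending" ]; do
			sleep 15
			curl -s -X GET "${lgtm_check_url}" \
				-H 'Accept: application/json' \
				-H "Authorization: Bearer ${LGTM_TOKEN}" > lgtm.res
			if [ $? != 0 ]; then
				echo -n "-"
				continue
			fi
			echo -n "."
			lgtm_status=$(jq -r '.status' lgtm.res)
		done
		echo ""

		if [ "$lgtm_status" != "success" ]; then
			lgtm_message=$(jq -r '.["status-message"]' lgtm.res)
			echo "Code review failed: ${lgtm_message}"
			exit 1
		fi
		lgtm_new=$(jq -r '.languages[].new' lgtm.res | awk '{t+=$1} END {print t}')
		lgtm_fixed=$(jq -r '.languages[].fixed' lgtm.res | awk '{t+=$1} END {print t}')
		echo -n "Code review complete: "
		printf "%b\n" "\e[1;31m${lgtm_new}\e[0m new alerts, \e[1;32m${lgtm_fixed}\e[0m fixed"
		# the number of new alerts is the exit status, but statuses are
		# taken modulo 256, so clamp the count to keep e.g. 256 new alerts
		# from being reported as success
		if test "${lgtm_new:-0}" -gt 255; then
			exit 255
		fi
		exit $lgtm_new
	fi
	;;
*)
	echo "$0: unknown test $TEST" >&2
	exit 1
	;;
esac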
437
# Preparation steps selected by the first argument: each of them ends the
# script, any other value continues with the actual build below
case "$1" in
deps)
	# install the packages collected in $DEPS with the platform's package
	# manager; $DEPS is unquoted on purpose, it is a list of package names
	if test "$OS_NAME" = "linux"; then
		sudo apt-get update -qq &&
		sudo apt-get install -qq bison flex gperf gettext $DEPS
	elif test "$OS_NAME" = "macos"; then
		brew update &&
		brew install $DEPS
	elif test "$OS_NAME" = "freebsd"; then
		pkg install -y automake autoconf libtool pkgconf &&
		pkg install -y bison flex gperf gettext $DEPS
	fi
	# status of the package manager, or 0 if $OS_NAME matched none of them
	exit $?
	;;
pydeps)
	# Python packages are only installed if the test scenario requested any
	if test -n "$PYDEPS"; then
		pip3 -q install --user $PYDEPS
	fi
	exit $?
	;;
build-deps)
	# dependencies were already built by the per-test setup above
	exit
	;;
*)
	;;
esac
466
# options shared by all test scenarios; MONOLITHIC and LEAK_DETECTIVE fall
# back to "no" if they are unset
CONFIG="$CONFIG
	--disable-dependency-tracking
	--enable-silent-rules
	--enable-test-vectors
	--enable-monolithic=${MONOLITHIC-no}
	--enable-leak-detective=${LEAK_DETECTIVE-no}"

# generate the build system, give up with the tool's status if that fails
echo "$ ./autogen.sh"
if ./autogen.sh; then
	:
else
	exit $?
fi

# $CONFIG is unquoted on purpose so it splits into individual options
echo "$ CC=$CC CFLAGS=\"$CFLAGS\" ./configure $CONFIG"
if CC="$CC" CFLAGS="$CFLAGS" ./configure $CONFIG; then
	:
else
	exit $?
fi
478
# for the API docs everything written to stderr from here on is collected in
# make.warnings
if test "$TEST" = "apidoc"; then
	exec 2>make.warnings
fi

echo "$ make $TARGET"
if test "$TEST" = "sonarcloud"; then
	# without target, coverage is currently not supported anyway because
	# sonarqube only supports gcov, not lcov
	build-wrapper-linux-x86-64 --out-dir bw-output make -j4 || exit $?
else
	# $TARGET may be empty, in which case make builds its default target
	make -j4 $TARGET || exit $?
fi
498
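# Scenario-specific steps that run after a successful make
case "$TEST" in
apidoc)
	# anything collected in make.warnings fails the build
	if test -s make.warnings; then
		cat make.warnings
		exit 1
	fi
	rm make.warnings
	;;
sonarcloud)
	# NOTE(review): the token is passed as a command-line property, which
	# exposes it in the process table and in any command tracing while the
	# scanner runs
	# the properties are quoted so values containing whitespace or glob
	# characters stay single arguments
	sonar-scanner \
		-Dsonar.host.url=https://sonarcloud.io \
		"-Dsonar.projectKey=${SONAR_PROJECT}" \
		"-Dsonar.organization=${SONAR_ORGANIZATION}" \
		"-Dsonar.login=${SONAR_TOKEN}" \
		"-Dsonar.projectVersion=$(git describe --exclude 'android-*')+${BUILD_NUMBER}" \
		-Dsonar.sources=. \
		-Dsonar.cfamily.threads=2 \
		-Dsonar.cfamily.cache.enabled=true \
		"-Dsonar.cfamily.cache.path=$HOME/.sonar-cache" \
		-Dsonar.cfamily.build-wrapper-output=bw-output || exit $?
	rm -r bw-output .scannerwork
	;;
android)
	# remove the directory created by the distdir target, then build the app
	rm -r strongswan-*
	cd src/frontends/android
	echo "$ ./gradlew build"
	NDK_CCACHE=ccache ./gradlew build || exit $?
	;;
*)
	;;
esac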
530
# the build must not leave anything behind that Git reports as modified or
# untracked, i.e. every build artifact has to be covered by an ignore rule
unclean="$(git status --porcelain)"
test -z "$unclean" || {
	echo "Unignored build artifacts or other changes:"
	echo "$unclean"
	exit 1
}