6 # same revision used in the build recipe of the testing environment
8 BOTAN_DIR
=$DEPS_BUILD_DIR/botan
10 if test -d "$BOTAN_DIR"; then
14 echo "$ build_botan()"
16 # if the leak detective is enabled we have to disable threading support
17 # (used for std::async) as that causes invalid frees somehow, the
18 # locking allocator causes a static leak via the first function that
19 # references it (e.g. crypter or hasher), so we disable that too
20 if test "$LEAK_DETECTIVE" = "yes"; then
21 BOTAN_CONFIG
="--without-os-features=threads
22 --disable-modules=locking_allocator"
24 # disable some larger modules we don't need for the tests
25 BOTAN_CONFIG
="$BOTAN_CONFIG --disable-modules=pkcs11,tls,x509,xmss
26 --prefix=$DEPS_PREFIX"
28 git clone https
://github.com
/randombit
/botan.git
$BOTAN_DIR &&
30 git checkout
-qf $BOTAN_REV &&
31 python .
/configure.py
--amalgamation $BOTAN_CONFIG &&
32 make -j4 libs
>/dev
/null
&&
33 sudo
make install >/dev
/null
&&
34 sudo ldconfig ||
exit $?
40 WOLFSSL_REV
=v5.4
.0-stable
41 WOLFSSL_DIR
=$DEPS_BUILD_DIR/wolfssl
43 if test -d "$WOLFSSL_DIR"; then
47 echo "$ build_wolfssl()"
49 WOLFSSL_CFLAGS
="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DES_ECB -DHAVE_AES_ECB \
50 -DHAVE_ECC_BRAINPOOL -DWOLFSSL_MIN_AUTH_TAG_SZ=8"
51 WOLFSSL_CONFIG
="--prefix=$DEPS_PREFIX
52 --disable-crypttests --disable-examples
53 --enable-aesccm --enable-aesctr --enable-camellia
54 --enable-curve25519 --enable-curve448 --enable-des3
55 --enable-ecccustcurves --enable-ed25519 --enable-ed448
56 --enable-heapmath --enable-keygen --enable-md4
57 --enable-rsapss --enable-sha3 --enable-shake256"
59 git clone https
://github.com
/wolfSSL
/wolfssl.git
$WOLFSSL_DIR &&
61 git checkout
-qf $WOLFSSL_REV &&
63 .
/configure C_EXTRA_FLAGS
="$WOLFSSL_CFLAGS" $WOLFSSL_CONFIG &&
64 make -j4 >/dev
/null
&&
65 sudo
make install >/dev
/null
&&
66 sudo ldconfig ||
exit $?
73 TSS2_PKG
=tpm2-tss-
$TSS2_REV
74 TSS2_DIR
=$DEPS_BUILD_DIR/$TSS2_PKG
75 TSS2_SRC
=https
://github.com
/tpm2-software
/tpm2-tss
/releases
/download
/$TSS2_REV/$TSS2_PKG.
tar.gz
77 if test -d "$TSS2_DIR"; then
83 curl
-L $TSS2_SRC |
tar xz
-C $DEPS_BUILD_DIR &&
85 .
/configure
--prefix=$DEPS_PREFIX --disable-doxygen-doc &&
86 make -j4 >/dev
/null
&&
87 sudo
make install >/dev
/null
&&
88 sudo ldconfig ||
exit $?
95 SSL_PKG
=openssl-
$SSL_REV
96 SSL_DIR
=$DEPS_BUILD_DIR/$SSL_PKG
97 SSL_SRC
=https
://www.openssl.org
/source
/$SSL_PKG.
tar.gz
98 SSL_INS
=$DEPS_PREFIX/ssl
99 SSL_OPT
="shared no-tls no-dtls no-ssl3 no-zlib no-comp no-idea no-psk no-srp
100 no-stdio no-tests enable-rfc3779 enable-ec_nistp_64_gcc_128"
102 if test -d "$SSL_DIR"; then
106 # insist on compiling with gcc and debug information as symbols are otherwise not found
107 if test "$LEAK_DETECTIVE" = "yes"; then
108 SSL_OPT
="$SSL_OPT CC=gcc -d"
111 echo "$ build_openssl()"
113 curl
-L $SSL_SRC |
tar xz
-C $DEPS_BUILD_DIR &&
115 .
/config
--prefix=$SSL_INS --openssldir=$SSL_INS --libdir=lib
$SSL_OPT &&
116 make -j4 >/dev
/null
&&
117 sudo
make install_sw
>/dev
/null
&&
118 sudo ldconfig ||
exit $?
124 CFLAGS
="$CFLAGS -I$DEPS_PREFIX/ssl/include"
125 export LDFLAGS
="$LDFLAGS -L$DEPS_PREFIX/ssl/lib"
126 export LD_LIBRARY_PATH
="$DEPS_PREFIX/ssl/lib:$LD_LIBRARY_PATH"
127 if test "$1" = "build-deps"; then
133 : ${DEPS_BUILD_DIR=$BUILD_DIR/..}
134 : ${DEPS_PREFIX=/usr/local}
136 if [ -e /etc
/os-release
]; then
138 elif [ -e /usr
/lib
/os-release
]; then
139 .
/usr
/lib
/os-release
146 CFLAGS
="-g -O2 -Wall -Wno-format -Wno-format-security -Wno-pointer-sign -Werror"
150 # should be the default, but lets make sure
151 CONFIG
="--with-printf-hooks=glibc"
154 CONFIG
="--disable-defaults --enable-pki --enable-openssl --enable-pem"
155 export TESTS_PLUGINS
="test-vectors pem openssl!"
157 if test "$TEST" = "openssl-3"; then
159 use_custom_openssl
$1
163 CONFIG
="--disable-defaults --enable-pki --enable-gcrypt --enable-pkcs1 --enable-pkcs8"
164 export TESTS_PLUGINS
="test-vectors pkcs1 pkcs8 gcrypt!"
165 if [ "$ID" = "ubuntu" -a "$VERSION_ID" = "20.04" ]; then
166 DEPS
="libgcrypt20-dev"
168 DEPS
="libgcrypt11-dev"
172 CONFIG
="--disable-defaults --enable-pki --enable-botan --enable-pem"
173 export TESTS_PLUGINS
="test-vectors pem botan!"
175 if test "$1" = "build-deps"; then
180 CONFIG
="--disable-defaults --enable-pki --enable-wolfssl --enable-pem"
181 export TESTS_PLUGINS
="test-vectors pem wolfssl!"
182 # build with custom options to enable all the features the plugin supports
184 if test "$1" = "build-deps"; then
189 CONFIG
="--with-printf-hooks=builtin"
191 all|coverage|sonarcloud
)
192 if [ "$TEST" = "sonarcloud" ]; then
193 if [ -z "$SONAR_PROJECT" -o -z "$SONAR_ORGANIZATION" -o -z "$SONAR_TOKEN" ]; then
194 echo "The SONAR_PROJECT, SONAR_ORGANIZATION and SONAR_TOKEN" \
195 "environment variables are required to run this test"
199 CONFIG
="--enable-all --disable-android-dns --disable-android-log
200 --disable-kernel-pfroute --disable-keychain
201 --disable-lock-profiler --disable-padlock --disable-fuzzing
202 --disable-osx-attr --disable-tkm --disable-uci
203 --disable-unwind-backtraces
204 --disable-svc --disable-dbghelp-backtraces --disable-socket-win
205 --disable-kernel-wfp --disable-kernel-iph --disable-winhttp
206 --disable-python-eggs-install"
207 # not enabled on the build server
208 CONFIG
="$CONFIG --disable-af-alg"
209 if test "$TEST" != "coverage"; then
210 CONFIG
="$CONFIG --disable-coverage"
212 # not actually required but configure checks for it
215 DEPS
="$DEPS libcurl4-gnutls-dev libsoup2.4-dev libunbound-dev libldns-dev
216 libmysqlclient-dev libsqlite3-dev clearsilver-dev libfcgi-dev
217 libldap2-dev libpcsclite-dev libpam0g-dev binutils-dev libnm-dev
218 libgcrypt20-dev libjson-c-dev python3-pip libtspi-dev libsystemd-dev
220 if [ "$ID" = "ubuntu" -a "$VERSION_ID" = "20.04" ]; then
221 DEPS
="$DEPS libiptc-dev"
223 DEPS
="$DEPS iptables-dev python3-setuptools"
226 if test "$1" = "build-deps"; then
231 use_custom_openssl
$1
234 CONFIG
="--disable-defaults --enable-svc --enable-ikev2
235 --enable-ikev1 --enable-static --enable-test-vectors --enable-nonce
236 --enable-constraints --enable-revocation --enable-pem --enable-pkcs1
237 --enable-pkcs8 --enable-x509 --enable-pubkey --enable-acert
238 --enable-eap-tnc --enable-eap-ttls --enable-eap-identity
239 --enable-updown --enable-ext-auth --enable-libipsec --enable-pkcs11
240 --enable-tnccs-20 --enable-imc-attestation --enable-imv-attestation
241 --enable-imc-os --enable-imv-os --enable-tnc-imv --enable-tnc-imc
242 --enable-pki --enable-swanctl --enable-socket-win
243 --enable-kernel-iph --enable-kernel-wfp --enable-winhttp"
244 # no make check for Windows binaries unless we run on a windows host
245 if test "$APPVEYOR" != "True"; then
250 # old OpenSSL versions don't provide HKDF
251 CONFIG
="$CONFIG --enable-kdf"
254 CONFIG
="$CONFIG --enable-openssl"
255 CFLAGS
="$CFLAGS -I$OPENSSL_DIR/include"
256 LDFLAGS
="-L$OPENSSL_DIR"
260 CFLAGS
="$CFLAGS -mno-ms-bitfields"
261 DEPS
="gcc-mingw-w64-base"
264 CONFIG
="--host=x86_64-w64-mingw32 $CONFIG --enable-dbghelp-backtraces"
265 DEPS
="gcc-mingw-w64-x86-64 binutils-mingw-w64-x86-64 mingw-w64-x86-64-dev $DEPS"
266 CC
="x86_64-w64-mingw32-gcc"
269 CONFIG
="--host=i686-w64-mingw32 $CONFIG"
270 DEPS
="gcc-mingw-w64-i686 binutils-mingw-w64-i686 mingw-w64-i686-dev $DEPS"
271 CC
="i686-w64-mingw32-gcc"
276 if test "$1" = "deps"; then
277 git clone git
://git.strongswan.org
/android-ndk-boringssl.git
-b ndk-static \
278 src
/frontends
/android
/app
/src
/main
/jni
/openssl
283 # this causes a false positive in ip-packet.c since Xcode 8.3
284 CFLAGS
="$CFLAGS -Wno-address-of-packed-member"
285 # use the same options as in the Homebrew Formula
286 CONFIG
="--disable-defaults --enable-charon --enable-cmd --enable-constraints
287 --enable-curl --enable-eap-gtc --enable-eap-identity
288 --enable-eap-md5 --enable-eap-mschapv2 --enable-farp --enable-ikev1
289 --enable-ikev2 --enable-kernel-libipsec --enable-kernel-pfkey
290 --enable-kernel-pfroute --enable-nonce --enable-openssl
291 --enable-osx-attr --enable-pem --enable-pgp --enable-pkcs1
292 --enable-pkcs8 --enable-pki --enable-pubkey --enable-revocation
293 --enable-scepclient --enable-socket-default --enable-sshkey
294 --enable-stroke --enable-swanctl --enable-unity --enable-updown
295 --enable-x509 --enable-xauth-generic"
296 DEPS
="automake autoconf libtool bison gettext openssl@1.1 curl"
297 BREW_PREFIX
=$
(brew
--prefix)
298 export PATH
=$BREW_PREFIX/opt
/bison
/bin
:$PATH
299 export ACLOCAL_PATH
=$BREW_PREFIX/opt
/gettext
/share
/aclocal
:$ACLOCAL_PATH
300 for pkg
in openssl@
1.1 curl
302 PKG_CONFIG_PATH
=$BREW_PREFIX/opt
/$pkg/lib
/pkgconfig
:$PKG_CONFIG_PATH
303 CPPFLAGS
="-I$BREW_PREFIX/opt/$pkg/include $CPPFLAGS"
304 LDFLAGS
="-L$BREW_PREFIX/opt/$pkg/lib $LDFLAGS"
306 export PKG_CONFIG_PATH
311 # use the options of the FreeBSD port (including options), except smp,
312 # which requires a patch but is deprecated anyway, only using the builtin
314 CONFIG
="--enable-kernel-pfkey --enable-kernel-pfroute --disable-scripts
315 --disable-kernel-netlink --enable-openssl --enable-eap-identity
316 --enable-eap-md5 --enable-eap-tls --enable-eap-mschapv2
317 --enable-eap-peap --enable-eap-ttls --enable-md4 --enable-blowfish
318 --enable-addrblock --enable-whitelist --enable-cmd --enable-curl
319 --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-dynamic
320 --enable-eap-radius --enable-eap-sim --enable-eap-sim-file
321 --enable-gcm --enable-ipseckey --enable-kernel-libipsec
322 --enable-load-tester --enable-ldap --enable-mediation
323 --enable-mysql --enable-sqlite --enable-tpm --enable-tss-tss2
324 --enable-unbound --enable-unity --enable-xauth-eap --enable-xauth-pam
325 --with-printf-hooks=builtin --enable-attr-sql --enable-sql
327 DEPS
="git gmp openldap24-client libxml2 mysql80-client sqlite3 unbound ldns tpm2-tss"
330 CFLAGS
="$CFLAGS -DNO_CHECK_MEMWIPE"
331 CONFIG
="--enable-fuzzing --enable-static --disable-shared --disable-scripts
332 --enable-imc-test --enable-tnccs-20"
333 # don't run any of the unit tests
334 export TESTS_RUNNERS
=
336 if test -z "$1"; then
337 if test -z "$FUZZING_CORPORA"; then
338 git clone
--depth 1 https
://github.com
/strongswan
/fuzzing-corpora.git fuzzing-corpora
339 export FUZZING_CORPORA
=$BUILD_DIR/fuzzing-corpora
341 # these are about the same as those on OSS-Fuzz (except for the
342 # symbolize options and strip_path_prefix)
343 export ASAN_OPTIONS
=redzone
=16:handle_sigill
=1:strict_string_check
=1:\
344 allocator_release_to_os_interval_ms
=500:strict_memcmp
=1:detect_container_overflow
=1:\
345 coverage
=0:allocator_may_return_null
=1:use_sigaltstack
=1:detect_stack_use_after_return
=1:\
346 alloc_dealloc_mismatch
=0:detect_leaks
=1:print_scariness
=1:max_uar_stack_size_log
=16:\
347 handle_abort
=1:check_malloc_usable_size
=0:quarantine_size_mb
=10:detect_odr_violation
=0:\
348 symbolize
=1:handle_segv
=1:fast_unwind_on_fatal
=0:external_symbolizer_path
=/usr
/bin
/llvm-symbolizer-3.5
352 DEPS
="gnome-common libsecret-1-dev libgtk-3-dev libnm-dev libnma-dev"
353 if test "$TEST" = "nm"; then
354 DEPS
="$DEPS libnm-glib-vpn-dev libnm-gtk-dev"
356 CONFIG
="$CONFIG --without-libnm-glib"
358 cd src
/frontends
/gnome
359 # don't run ./configure with ./autogen.sh
367 CONFIG
="--disable-defaults"
371 if [ -z "$LGTM_PROJECT" -o -z "$LGTM_TOKEN" ]; then
372 echo "The LGTM_PROJECT and LGTM_TOKEN environment variables" \
373 "are required to run this test"
377 if test -z "$1"; then
379 # after rebases or for new/duplicate branches, the passed base commit
380 # ID might not be valid
381 git rev-parse
-q --verify $base^
{commit
}
383 # this will always compare against master, while via base we
384 # otherwise only contains "new" commits
385 base
=$
(git merge-base origin
/master
${COMMIT_ID})
387 base
=$
(git rev-parse
$base)
389 echo "Starting code review for $COMMIT_ID (base $base) on lgtm.com"
390 git
diff --binary $base > lgtm.
patch ||
exit $?
391 curl
-s -X POST
--data-binary @lgtm.
patch \
392 "https://lgtm.com/api/v1.0/codereviews/${LGTM_PROJECT}?base=${base}&external-id=${BUILD_NUMBER}" \
393 -H 'Content-Type: application/octet-stream' \
394 -H 'Accept: application/json' \
395 -H "Authorization: Bearer ${LGTM_TOKEN}" > lgtm.res ||
exit $?
396 lgtm_check_url
=$
(jq
-r '."task-result-url"' lgtm.res
)
397 if [ -z "$lgtm_check_url" -o "$lgtm_check_url" = "null" ]; then
401 lgtm_url
=$
(jq
-r '."task-result"."results-url"' lgtm.res
)
402 echo "Progress and full results: ${lgtm_url}"
404 echo -n "Waiting for completion: "
406 while [ "$lgtm_status" = "pending" ]; do
408 curl
-s -X GET
"${lgtm_check_url}" \
409 -H 'Accept: application/json' \
410 -H "Authorization: Bearer ${LGTM_TOKEN}" > lgtm.res
416 lgtm_status
=$
(jq
-r '.status' lgtm.res
)
420 if [ "$lgtm_status" != "success" ]; then
421 lgtm_message
=$
(jq
-r '.["status-message"]' lgtm.res
)
422 echo "Code review failed: ${lgtm_message}"
425 lgtm_new
=$
(jq
-r '.languages[].new' lgtm.res |
awk '{t+=$1} END {print t}')
426 lgtm_fixed
=$
(jq
-r '.languages[].fixed' lgtm.res |
awk '{t+=$1} END {print t}')
427 echo -n "Code review complete: "
428 printf "%b\n" "\e[1;31m${lgtm_new}\e[0m new alerts, \e[1;32m${lgtm_fixed}\e[0m fixed"
433 echo "$0: unknown test $TEST" >&2
442 sudo apt-get update
-qq && \
443 sudo apt-get
install -qq bison flex gperf
gettext $DEPS
450 pkg
install -y automake autoconf libtool pkgconf
&& \
451 pkg
install -y bison flex gperf
gettext $DEPS
457 test -z "$PYDEPS" || pip3
-q install --user $PYDEPS
468 --disable-dependency-tracking
469 --enable-silent-rules
470 --enable-test-vectors
471 --enable-monolithic=${MONOLITHIC-no}
472 --enable-leak-detective=${LEAK_DETECTIVE-no}"
474 echo "$ ./autogen.sh"
475 .
/autogen.sh ||
exit $?
476 echo "$ CC=$CC CFLAGS=\"$CFLAGS\" ./configure $CONFIG"
477 CC
="$CC" CFLAGS
="$CFLAGS" .
/configure
$CONFIG ||
exit $?
487 echo "$ make $TARGET"
490 # without target, coverage is currently not supported anyway because
491 # sonarqube only supports gcov, not lcov
492 build-wrapper-linux-x86-64
--out-dir bw-output
make -j4 ||
exit $?
495 make -j4 $TARGET ||
exit $?
501 if test -s make.warnings
; then
509 -Dsonar.
host.url
=https
://sonarcloud.io \
510 -Dsonar.projectKey
=${SONAR_PROJECT} \
511 -Dsonar.organization
=${SONAR_ORGANIZATION} \
512 -Dsonar.login
=${SONAR_TOKEN} \
513 -Dsonar.projectVersion
=$
(git describe
--exclude 'android-*')+${BUILD_NUMBER} \
515 -Dsonar.cfamily.threads
=2 \
516 -Dsonar.cfamily.cache.enabled
=true \
517 -Dsonar.cfamily.cache.path
=$HOME/.sonar-cache \
518 -Dsonar.cfamily.build-wrapper-output
=bw-output ||
exit $?
519 rm -r bw-output .scannerwork
523 cd src
/frontends
/android
524 echo "$ ./gradlew build"
525 NDK_CCACHE
=ccache .
/gradlew build ||
exit $?
531 # ensure there are no unignored build artifacts (or other changes) in the Git repo
532 unclean
="$(git status --porcelain)"
533 if test -n "$unclean"; then
534 echo "Unignored build artifacts or other changes:"