github: Use tpm2-tss 3.2.3 for tests

[thirdparty/strongswan.git] / scripts / test.sh

#!/bin/sh
# Build script for CI

build_botan()
{
	# same revision used in the build recipe of the testing environment
	BOTAN_REV=3.3.0
	BOTAN_DIR=$DEPS_BUILD_DIR/botan

	if test -d "$BOTAN_DIR"; then
		return
	fi

	echo "$ build_botan()"

	# if the leak detective is enabled we have to disable threading support
	# (used for std::async) as that causes invalid frees somehow, the
	# locking allocator causes a static leak via the first function that
	# references it (e.g. crypter or hasher), so we disable that too
	if test "$LEAK_DETECTIVE" = "yes"; then
		BOTAN_CONFIG="--without-os-features=threads
					  --disable-modules=locking_allocator"
	fi
	# disable some larger modules we don't need for the tests
	BOTAN_CONFIG="$BOTAN_CONFIG --disable-modules=pkcs11,tls,x509,xmss
				  --prefix=$DEPS_PREFIX"

	git clone https://github.com/randombit/botan.git $BOTAN_DIR &&
	cd $BOTAN_DIR &&
	git checkout -qf $BOTAN_REV &&
	python ./configure.py --amalgamation $BOTAN_CONFIG &&
	make -j4 libs >/dev/null &&
	sudo make install >/dev/null &&
	sudo ldconfig || exit $?
	cd -
}

build_wolfssl()
{
	WOLFSSL_REV=v5.7.0-stable
	WOLFSSL_DIR=$DEPS_BUILD_DIR/wolfssl

	if test -d "$WOLFSSL_DIR"; then
		return
	fi

	echo "$ build_wolfssl()"

	WOLFSSL_CFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DES_ECB -DHAVE_AES_ECB \
					-DHAVE_ECC_BRAINPOOL -DWOLFSSL_MIN_AUTH_TAG_SZ=8"
	WOLFSSL_CONFIG="--prefix=$DEPS_PREFIX
					--disable-crypttests --disable-examples
					--enable-aesccm --enable-aesctr --enable-camellia
					--enable-curve25519 --enable-curve448 --enable-des3
					--enable-ecccustcurves --enable-ed25519 --enable-ed448
					--enable-keygen --with-max-rsa-bits=8192 --enable-md4
					--enable-rsapss --enable-sha3 --enable-shake256"

	git clone https://github.com/wolfSSL/wolfssl.git $WOLFSSL_DIR &&
	cd $WOLFSSL_DIR &&
	git checkout -qf $WOLFSSL_REV &&
	./autogen.sh &&
	./configure C_EXTRA_FLAGS="$WOLFSSL_CFLAGS" $WOLFSSL_CONFIG &&
	make -j4 >/dev/null &&
	sudo make install >/dev/null &&
	sudo ldconfig || exit $?
	cd -
}

build_tss2()
{
	TSS2_REV=3.2.3
	TSS2_PKG=tpm2-tss-$TSS2_REV
	TSS2_DIR=$DEPS_BUILD_DIR/$TSS2_PKG
	TSS2_SRC=https://github.com/tpm2-software/tpm2-tss/releases/download/$TSS2_REV/$TSS2_PKG.tar.gz

	if test -d "$TSS2_DIR"; then
		return
	fi

	echo "$ build_tss2()"

	curl -L $TSS2_SRC | tar xz -C $DEPS_BUILD_DIR &&
	cd $TSS2_DIR &&
	./configure --prefix=$DEPS_PREFIX --disable-doxygen-doc &&
	make -j4 >/dev/null &&
	sudo make install >/dev/null &&
	sudo ldconfig || exit $?
	cd -
}

build_openssl()
{
	SSL_REV=3.1.1
	SSL_PKG=openssl-$SSL_REV
	SSL_DIR=$DEPS_BUILD_DIR/$SSL_PKG
	SSL_SRC=https://www.openssl.org/source/$SSL_PKG.tar.gz
	SSL_INS=$DEPS_PREFIX/ssl
	SSL_OPT="-d shared no-dtls no-ssl3 no-zlib no-idea no-psk no-srp
			 no-tests enable-rfc3779 enable-ec_nistp_64_gcc_128"

	if test -d "$SSL_DIR"; then
		return
	fi

	# insist on compiling with gcc and debug information as symbols are otherwise not found
	if test "$LEAK_DETECTIVE" = "yes"; then
		SSL_OPT="$SSL_OPT CC=gcc -d"
	fi

	echo "$ build_openssl()"

	curl -L $SSL_SRC | tar xz -C $DEPS_BUILD_DIR || exit $?

	if [ "$TEST" = "android" ]; then
		OPENSSL_SRC=${SSL_DIR} \
		NO_DOCKER=1 src/frontends/android/openssl/build.sh || exit $?
	else
		cd $SSL_DIR &&
		./config --prefix=$SSL_INS --openssldir=$SSL_INS --libdir=lib $SSL_OPT &&
		make -j4 >/dev/null &&
		sudo make install_sw >/dev/null &&
		sudo ldconfig || exit $?
		cd -
	fi
}

build_awslc()
{
	LC_REV=1.24.0
	LC_PKG=aws-lc-$LC_REV
	LC_DIR=$DEPS_BUILD_DIR/$LC_PKG
	LC_SRC=https://github.com/aws/aws-lc/archive/refs/tags/v${LC_REV}.tar.gz
	LC_BUILD=$LC_DIR/build
	LC_INS=$DEPS_PREFIX/ssl

	mkdir -p $LC_BUILD

	echo "$ build_awslc()"

	curl -L $LC_SRC | tar xz -C $DEPS_BUILD_DIR || exit $?

	cd $LC_BUILD &&
	cmake -GNinja -DCMAKE_INSTALL_PREFIX=$LC_INS .. &&
	ninja &&
	sudo ninja install || exit $?
	cd -
}

use_custom_openssl()
{
	CFLAGS="$CFLAGS -I$DEPS_PREFIX/ssl/include"
	export LDFLAGS="$LDFLAGS -L$DEPS_PREFIX/ssl/lib"
	export LD_LIBRARY_PATH="$DEPS_PREFIX/ssl/lib:$LD_LIBRARY_PATH"
	if test "$1" = "build-deps"; then
		case "$TEST" in
			openssl-awslc)
				build_awslc
				;;
			*)
				build_openssl
				;;
		esac
	fi
}

system_uses_openssl3()
{
	pkg-config --atleast-version=3.0.0 libcrypto
	return $?
}

prepare_system_openssl()
{
	# On systems that ship OpenSSL 3 (e.g. Ubuntu 22.04), we require debug
	# symbols to whitelist leaks
	if test "$1" = "deps"; then
		echo "deb http://ddebs.ubuntu.com $(lsb_release -cs) main restricted
			deb http://ddebs.ubuntu.com $(lsb_release -cs)-updates main restricted
			deb http://ddebs.ubuntu.com $(lsb_release -cs)-proposed main restricted" | \
			sudo tee -a /etc/apt/sources.list.d/ddebs.list
		sudo apt-get install -qq ubuntu-dbgsym-keyring
		DEPS="$DEPS libssl3-dbgsym"
	fi
	if test "$LEAK_DETECTIVE" = "yes"; then
		# make sure we can properly whitelist functions with leak detective
		DEPS="$DEPS binutils-dev"
		CONFIG="$CONFIG --enable-bfd-backtraces"
	else
		# with ASan we have to use the (extremely) slow stack unwind as the
		# shipped version of the library is built with -fomit-frame-pointer
		export ASAN_OPTIONS=fast_unwind_on_malloc=0
	fi
}

: ${BUILD_DIR=$PWD}
: ${DEPS_BUILD_DIR=$BUILD_DIR/..}
: ${DEPS_PREFIX=/usr/local}

if [ -e /etc/os-release ]; then
	. /etc/os-release
elif [ -e /usr/lib/os-release ]; then
	. /usr/lib/os-release
fi

TARGET=check

DEPS="libgmp-dev"

CFLAGS="-g -O2"

case "$TEST" in
default)
	# should be the default, but lets make sure
	CONFIG="--with-printf-hooks=glibc"
	;;
openssl*)
	CONFIG="--disable-defaults --enable-pki --enable-openssl --enable-pem"
	export TESTS_PLUGINS="test-vectors openssl! pem"
	DEPS="libssl-dev"
	if test "$TEST" = "openssl-3"; then
		DEPS=""
		use_custom_openssl $1
	elif test "$TEST" = "openssl-awslc"; then
		DEPS="cmake ninja-build golang"
		use_custom_openssl $1
	elif system_uses_openssl3; then
		prepare_system_openssl $1
	fi
	;;
gcrypt)
	CONFIG="--disable-defaults --enable-pki --enable-gcrypt --enable-random --enable-pem --enable-pkcs1 --enable-pkcs8 --enable-gcm --enable-hmac --enable-kdf -enable-curve25519 --enable-x509 --enable-constraints"
	export TESTS_PLUGINS="test-vectors gcrypt! random pem pkcs1 pkcs8 gcm hmac kdf curve25519 x509 constraints"
	DEPS="libgcrypt20-dev"
	;;
botan)
	CONFIG="--disable-defaults --enable-pki --enable-botan --enable-pem --enable-hmac --enable-x509 --enable-constraints"
	export TESTS_PLUGINS="test-vectors botan! pem hmac x509 constraints"
	DEPS=""
	if test "$1" = "build-deps"; then
		build_botan
	fi
	;;
wolfssl)
	CONFIG="--disable-defaults --enable-pki --enable-wolfssl --enable-pem --enable-pkcs1 --enable-pkcs8 --enable-x509 --enable-constraints"
	export TESTS_PLUGINS="test-vectors wolfssl! pem pkcs1 pkcs8 x509 constraints"
	# build with custom options to enable all the features the plugin supports
	DEPS=""
	if test "$1" = "build-deps"; then
		build_wolfssl
	fi
	;;
printf-builtin)
	CONFIG="--with-printf-hooks=builtin"
	;;
all|alpine|codeql|coverage|sonarcloud|no-dbg)
	if [ "$TEST" = "sonarcloud" ]; then
		if [ -z "$SONAR_PROJECT" -o -z "$SONAR_ORGANIZATION" -o -z "$SONAR_TOKEN" ]; then
			echo "The SONAR_PROJECT, SONAR_ORGANIZATION and SONAR_TOKEN" \
				 "environment variables are required to run this test"
			exit 1
		fi
	fi
	if [ "$TEST" = "codeql" ]; then
		# don't run tests, only analyze built code
		TARGET=
	fi
	if [ "$TEST" = "no-dbg" ]; then
		CFLAGS="$CFLAGS -DDEBUG_LEVEL=-1"
	fi
	CONFIG="--enable-all --disable-android-dns --disable-android-log
			--disable-kernel-pfroute --disable-keychain
			--disable-lock-profiler --disable-padlock --disable-fuzzing
			--disable-osx-attr --disable-tkm --disable-uci
			--disable-unwind-backtraces
			--disable-svc --disable-dbghelp-backtraces --disable-socket-win
			--disable-kernel-wfp --disable-kernel-iph --disable-winhttp
			--disable-python-eggs-install"
	# not enabled on the build server
	CONFIG="$CONFIG --disable-af-alg"
	# unable to build Botan on Ubuntu 20.04
	if [ "$ID" = "ubuntu" -a "$VERSION_ID" = "20.04" ]; then
		CONFIG="$CONFIG --disable-botan"
	fi
	if test "$TEST" != "coverage"; then
		CONFIG="$CONFIG --disable-coverage"
	else
		DEPS="$DEPS lcov"
		TARGET="coverage"
	fi
	DEPS="$DEPS libcurl4-gnutls-dev libsoup2.4-dev libunbound-dev libldns-dev
		  libmysqlclient-dev libsqlite3-dev clearsilver-dev libfcgi-dev
		  libldap2-dev libpcsclite-dev libpam0g-dev binutils-dev libnm-dev
		  libgcrypt20-dev libjson-c-dev python3-pip libtspi-dev libsystemd-dev
		  libselinux1-dev libiptc-dev"
	if [ "$TEST" = "alpine" ]; then
		# override the whole list for alpine
		DEPS="git gmp-dev openldap-dev curl-dev ldns-dev unbound-dev libsoup-dev
			  tpm2-tss-dev mariadb-dev wolfssl-dev libgcrypt-dev botan3-dev
			  pcsc-lite-dev networkmanager-dev linux-pam-dev iptables-dev
			  libselinux-dev binutils-dev libunwind-dev ruby py3-setuptools"
		# musl does not provide backtrace(), so use libunwind
		CONFIG="$CONFIG --enable-unwind-backtraces"
		# alpine doesn't have systemd
		CONFIG="$CONFIG --disable-systemd --disable-cert-enroll-timer"
		# no TrouSerS either
		CONFIG="$CONFIG --disable-tss-trousers --disable-aikgen"
		# and no Clearsilver
		CONFIG="$CONFIG --disable-fast --disable-manager --disable-medsrv"
	fi
	PYDEPS="tox"
	if test "$1" = "build-deps"; then
		if [ "$ID" = "ubuntu" -a "$VERSION_ID" != "20.04" ]; then
			build_botan
		fi
		build_wolfssl
		build_tss2
	fi
	use_custom_openssl $1
	;;
win*)
	CONFIG="--disable-defaults --enable-svc --enable-ikev2
			--enable-ikev1 --enable-static --enable-test-vectors --enable-nonce
			--enable-constraints --enable-revocation --enable-pem --enable-pkcs1
			--enable-pkcs8 --enable-x509 --enable-pubkey --enable-acert
			--enable-eap-tnc --enable-eap-ttls --enable-eap-identity
			--enable-eap-radius
			--enable-updown --enable-ext-auth --enable-libipsec --enable-pkcs11
			--enable-tnccs-20 --enable-imc-attestation --enable-imv-attestation
			--enable-imc-os --enable-imv-os --enable-tnc-imv --enable-tnc-imc
			--enable-pki --enable-swanctl --enable-socket-win
			--enable-kernel-iph --enable-kernel-wfp --enable-winhttp"
	# no make check for Windows binaries unless we run on a windows host
	if test "$APPVEYOR" != "True"; then
		TARGET=
	else
		CONFIG="$CONFIG --enable-openssl"
		case "$IMG" in
		2015|2017)
			# old OpenSSL versions don't provide HKDF
			CONFIG="$CONFIG --enable-kdf"
			;;
		esac

		CFLAGS="$CFLAGS -I$OPENSSL_DIR/include"
		LDFLAGS="-L$OPENSSL_DIR/lib"
		case "$IMG" in
		2015)
			# gcc/ld might be too old to find libeay32 via .lib instead of .dll
			LDFLAGS="-L$OPENSSL_DIR"
			;;
		esac
		export LDFLAGS
	fi
	CFLAGS="$CFLAGS -mno-ms-bitfields"
	DEPS="gcc-mingw-w64-base"
	case "$TEST" in
	win64)
		CONFIG="--host=x86_64-w64-mingw32 $CONFIG --enable-dbghelp-backtraces"
		DEPS="gcc-mingw-w64-x86-64 binutils-mingw-w64-x86-64 mingw-w64-x86-64-dev $DEPS"
		CC="x86_64-w64-mingw32-gcc"
		;;
	win32)
		CONFIG="--host=i686-w64-mingw32 $CONFIG"
		DEPS="gcc-mingw-w64-i686 binutils-mingw-w64-i686 mingw-w64-i686-dev $DEPS"
		CC="i686-w64-mingw32-gcc"
		;;
	esac
	;;
android)
	if test "$1" = "build-deps"; then
		build_openssl
	fi
	TARGET=distdir
	;;
macos)
	# this causes a false positive in ip-packet.c since Xcode 8.3
	CFLAGS="$CFLAGS -Wno-address-of-packed-member"
	# use the same options as in the Homebrew Formula
	CONFIG="--disable-defaults --enable-charon --enable-cmd --enable-constraints
			--enable-curl --enable-eap-gtc --enable-eap-identity
			--enable-eap-md5 --enable-eap-mschapv2 --enable-farp --enable-ikev1
			--enable-ikev2 --enable-kernel-libipsec --enable-kernel-pfkey
			--enable-kernel-pfroute --enable-nonce --enable-openssl
			--enable-osx-attr --enable-pem --enable-pgp --enable-pkcs1
			--enable-pkcs8 --enable-pki --enable-pubkey --enable-revocation
			--enable-socket-default --enable-sshkey --enable-stroke
			--enable-swanctl --enable-unity --enable-updown
			--enable-x509 --enable-xauth-generic"
	DEPS="automake autoconf libtool bison gettext gperf pkg-config openssl@1.1 curl"
	BREW_PREFIX=$(brew --prefix)
	export PATH=$BREW_PREFIX/opt/bison/bin:$PATH
	export ACLOCAL_PATH=$BREW_PREFIX/opt/gettext/share/aclocal:$ACLOCAL_PATH
	for pkg in openssl@1.1 curl
	do
		PKG_CONFIG_PATH=$BREW_PREFIX/opt/$pkg/lib/pkgconfig:$PKG_CONFIG_PATH
		CPPFLAGS="-I$BREW_PREFIX/opt/$pkg/include $CPPFLAGS"
		LDFLAGS="-L$BREW_PREFIX/opt/$pkg/lib $LDFLAGS"
	done
	export PKG_CONFIG_PATH
	export CPPFLAGS
	export LDFLAGS
	;;
freebsd)
	# use the options of the FreeBSD port (including options), except smp,
	# which requires a patch but is deprecated anyway, only using the builtin
	# printf hooks
	CONFIG="--enable-kernel-pfkey --enable-kernel-pfroute --disable-scripts
			--disable-kernel-netlink --enable-openssl --enable-eap-identity
			--enable-eap-md5 --enable-eap-tls --enable-eap-mschapv2
			--enable-eap-peap --enable-eap-ttls --enable-md4 --enable-blowfish
			--enable-addrblock --enable-whitelist --enable-cmd --enable-curl
			--enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-dynamic
			--enable-eap-radius --enable-eap-sim --enable-eap-sim-file
			--enable-gcm --enable-ipseckey --enable-kernel-libipsec
			--enable-load-tester --enable-ldap --enable-mediation
			--enable-mysql --enable-sqlite --enable-tpm --enable-tss-tss2
			--enable-unbound --enable-unity --enable-xauth-eap --enable-xauth-pam
			--with-printf-hooks=builtin --enable-attr-sql --enable-sql
			--enable-farp"
	DEPS="git gmp libxml2 mysql80-client sqlite3 unbound ldns tpm2-tss"
	;;
fuzzing)
	CFLAGS="$CFLAGS -DNO_CHECK_MEMWIPE"
	CONFIG="--enable-fuzzing --enable-static --disable-shared --disable-scripts
			--enable-imc-test --enable-tnccs-20"
	# don't run any of the unit tests
	export TESTS_RUNNERS=
	# prepare corpora
	if test -z "$1"; then
		if test -z "$FUZZING_CORPORA"; then
			git clone --depth 1 https://github.com/strongswan/fuzzing-corpora.git fuzzing-corpora
			export FUZZING_CORPORA=$BUILD_DIR/fuzzing-corpora
		fi
		# these are about the same as those on OSS-Fuzz (except for the
		# symbolize options and strip_path_prefix)
		export ASAN_OPTIONS=redzone=16:handle_sigill=1:strict_string_check=1:\
			allocator_release_to_os_interval_ms=500:strict_memcmp=1:detect_container_overflow=1:\
			coverage=0:allocator_may_return_null=1:use_sigaltstack=1:detect_stack_use_after_return=1:\
			alloc_dealloc_mismatch=0:detect_leaks=1:print_scariness=1:max_uar_stack_size_log=16:\
			handle_abort=1:check_malloc_usable_size=0:quarantine_size_mb=10:detect_odr_violation=0:\
			symbolize=1:handle_segv=1:fast_unwind_on_fatal=0:external_symbolizer_path=/usr/bin/llvm-symbolizer-3.5
	fi
	;;
nm)
	DEPS="gnome-common libsecret-1-dev libgtk-3-dev libnm-dev libnma-dev"
	cd src/frontends/gnome
	# don't run ./configure with ./autogen.sh
	export NOCONFIGURE=1
	;;
dist)
	TARGET=distcheck
	;;
apidoc)
	DEPS="doxygen"
	CONFIG="--disable-defaults"
	TARGET=apidoc
	;;
*)
	echo "$0: unknown test $TEST" >&2
	exit 1
	;;
esac

case "$1" in
deps)
	case "$OS_NAME" in
	linux)
		sudo apt-get update -qq && \
		sudo apt-get install -qq bison flex gperf gettext $DEPS
		;;
	alpine)
		apk add --no-cache build-base automake autoconf libtool pkgconfig && \
		apk add --no-cache bison flex gperf gettext-dev tzdata $DEPS
		;;
	macos)
		brew update && \
		brew install $DEPS
		;;
	freebsd)
		pkg install -y automake autoconf libtool pkgconf && \
		pkg install -y bison flex gperf gettext $DEPS
		;;
	esac
	exit $?
	;;
pydeps)
	test -z "$PYDEPS" || pip3 -q install --user $PYDEPS
	exit $?
	;;
build-deps)
	exit
	;;
*)
	;;
esac

CONFIG="$CONFIG
	--disable-dependency-tracking
	--enable-silent-rules
	--enable-test-vectors
	--enable-monolithic=${MONOLITHIC-no}
	--enable-leak-detective=${LEAK_DETECTIVE-no}"

case "$TEST" in
	alpine|codeql|coverage|freebsd|fuzzing|sonarcloud|win*)
		# don't use AddressSanitizer if it's not available or causes conflicts
		CONFIG="$CONFIG --disable-asan"
		;;
	*)
		if [ "$LEAK_DETECTIVE" != "yes" ]; then
			CONFIG="$CONFIG --enable-asan"
		fi
		;;
esac

echo "$ ./autogen.sh"
./autogen.sh || exit $?
echo "$ CC=$CC CFLAGS=\"$CFLAGS\" ./configure $CONFIG"
CC="$CC" CFLAGS="$CFLAGS" ./configure $CONFIG || exit $?

case "$TEST" in
apidoc)
	exec 2>make.warnings
	;;
*)
	;;
esac

echo "$ make $TARGET"
case "$TEST" in
sonarcloud)
	# without target, coverage is currently not supported anyway because
	# sonarqube only supports gcov, not lcov
	build-wrapper-linux-x86-64 --out-dir bw-output make -j4 || exit $?
	;;
*)
	make -j4 $TARGET || exit $?
	;;
esac

case "$TEST" in
apidoc)
	if test -s make.warnings; then
		cat make.warnings
		exit 1
	fi
	rm make.warnings
	;;
sonarcloud)
	sonar-scanner \
		-Dsonar.host.url=https://sonarcloud.io \
		-Dsonar.projectKey=${SONAR_PROJECT} \
		-Dsonar.organization=${SONAR_ORGANIZATION} \
		-Dsonar.token=${SONAR_TOKEN} \
		-Dsonar.projectVersion=$(git describe --exclude 'android-*')+${BUILD_NUMBER} \
		-Dsonar.sources=. \
		-Dsonar.cfamily.threads=2 \
		-Dsonar.cfamily.analysisCache.mode=fs \
		-Dsonar.cfamily.analysisCache.path=$HOME/.sonar-cache \
		-Dsonar.cfamily.build-wrapper-output=bw-output || exit $?
	rm -r bw-output .scannerwork
	;;
android)
	rm -r strongswan-*
	cd src/frontends/android
	echo "$ ./gradlew build"
	NDK_CCACHE=ccache ./gradlew build --info || exit $?
	;;
*)
	;;
esac

# ensure there are no unignored build artifacts (or other changes) in the Git repo
unclean="$(git status --porcelain)"
if test -n "$unclean"; then
	echo "Unignored build artifacts or other changes:"
	echo "$unclean"
	exit 1
fi