1c0efd6d7c1ced4700401dca6abd98732a8ac0f3
[strongswan.git] / scripts / test.sh
1 #!/bin/sh
2 # Build script for CI
3
4 build_botan()
5 {
6 # same revision used in the build recipe of the testing environment
7 BOTAN_REV=2.18.0
8 BOTAN_DIR=$DEPS_BUILD_DIR/botan
9
10 if test -d "$BOTAN_DIR"; then
11 return
12 fi
13
14 echo "$ build_botan()"
15
16 # if the leak detective is enabled we have to disable threading support
17 # (used for std::async) as that causes invalid frees somehow, the
18 # locking allocator causes a static leak via the first function that
19 # references it (e.g. crypter or hasher), so we disable that too
20 if test "$LEAK_DETECTIVE" = "yes"; then
21 BOTAN_CONFIG="--without-os-features=threads
22 --disable-modules=locking_allocator"
23 fi
24 # disable some larger modules we don't need for the tests
25 BOTAN_CONFIG="$BOTAN_CONFIG --disable-modules=pkcs11,tls,x509,xmss
26 --prefix=$DEPS_PREFIX"
27
28 git clone https://github.com/randombit/botan.git $BOTAN_DIR &&
29 cd $BOTAN_DIR &&
30 git checkout -qf $BOTAN_REV &&
31 python ./configure.py --amalgamation $BOTAN_CONFIG &&
32 make -j4 libs >/dev/null &&
33 sudo make install >/dev/null &&
34 sudo ldconfig || exit $?
35 cd -
36 }
37
38 build_wolfssl()
39 {
40 WOLFSSL_REV=v4.8.0-stable
41 WOLFSSL_DIR=$DEPS_BUILD_DIR/wolfssl
42
43 if test -d "$WOLFSSL_DIR"; then
44 return
45 fi
46
47 echo "$ build_wolfssl()"
48
49 WOLFSSL_CFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DES_ECB -DHAVE_AES_ECB \
50 -DHAVE_ECC_BRAINPOOL -DWOLFSSL_MIN_AUTH_TAG_SZ=8"
51 WOLFSSL_CONFIG="--prefix=$DEPS_PREFIX
52 --disable-crypttests --disable-examples
53 --enable-aesccm --enable-aesctr --enable-camellia
54 --enable-curve25519 --enable-curve448 --enable-des3
55 --enable-ecccustcurves --enable-ed25519 --enable-ed448
56 --enable-keygen --enable-md4 --enable-rsapss --enable-sha3
57 --enable-shake256"
58
59 git clone https://github.com/wolfSSL/wolfssl.git $WOLFSSL_DIR &&
60 cd $WOLFSSL_DIR &&
61 git checkout -qf $WOLFSSL_REV &&
62 ./autogen.sh &&
63 ./configure C_EXTRA_FLAGS="$WOLFSSL_CFLAGS" $WOLFSSL_CONFIG &&
64 make -j4 >/dev/null &&
65 sudo make install >/dev/null &&
66 sudo ldconfig || exit $?
67 cd -
68 }
69
70 build_tss2()
71 {
72 TSS2_REV=2.4.3
73 TSS2_PKG=tpm2-tss-$TSS2_REV
74 TSS2_DIR=$DEPS_BUILD_DIR/$TSS2_PKG
75 TSS2_SRC=https://github.com/tpm2-software/tpm2-tss/releases/download/$TSS2_REV/$TSS2_PKG.tar.gz
76
77 if test -d "$TSS2_DIR"; then
78 return
79 fi
80
81 echo "$ build_tss2()"
82
83 curl -L $TSS2_SRC | tar xz -C $DEPS_BUILD_DIR &&
84 cd $TSS2_DIR &&
85 ./configure --prefix=$DEPS_PREFIX --disable-doxygen-doc &&
86 make -j4 >/dev/null &&
87 sudo make install >/dev/null &&
88 sudo ldconfig || exit $?
89 cd -
90 }
91
92 : ${BUILD_DIR=$PWD}
93 : ${DEPS_BUILD_DIR=$BUILD_DIR/..}
94 : ${DEPS_PREFIX=/usr/local}
95
96 if [ -e /etc/os-release ]; then
97 . /etc/os-release
98 elif [ -e /usr/lib/os-release ]; then
99 . /usr/lib/os-release
100 fi
101
102 TARGET=check
103
104 DEPS="libgmp-dev"
105
106 CFLAGS="-g -O2 -Wall -Wno-format -Wno-format-security -Wno-pointer-sign -Werror"
107
108 case "$TEST" in
109 default)
110 # should be the default, but lets make sure
111 CONFIG="--with-printf-hooks=glibc"
112 ;;
113 openssl*)
114 CONFIG="--disable-defaults --enable-pki --enable-openssl --enable-pem"
115 export TESTS_PLUGINS="test-vectors pem openssl!"
116 DEPS="libssl-dev"
117 ;;
118 gcrypt)
119 CONFIG="--disable-defaults --enable-pki --enable-gcrypt --enable-pkcs1"
120 export TESTS_PLUGINS="test-vectors pkcs1 gcrypt!"
121 if [ "$ID" = "ubuntu" -a "$VERSION_ID" = "20.04" ]; then
122 DEPS="libgcrypt20-dev"
123 else
124 DEPS="libgcrypt11-dev"
125 fi
126 ;;
127 botan)
128 CONFIG="--disable-defaults --enable-pki --enable-botan --enable-pem"
129 export TESTS_PLUGINS="test-vectors pem botan!"
130 DEPS=""
131 if test "$1" = "build-deps"; then
132 build_botan
133 fi
134 ;;
135 wolfssl)
136 CONFIG="--disable-defaults --enable-pki --enable-wolfssl --enable-pem"
137 export TESTS_PLUGINS="test-vectors pem wolfssl!"
138 # build with custom options to enable all the features the plugin supports
139 DEPS=""
140 if test "$1" = "build-deps"; then
141 build_wolfssl
142 fi
143 ;;
144 printf-builtin)
145 CONFIG="--with-printf-hooks=builtin"
146 ;;
147 all|coverage|sonarcloud)
148 if [ "$TEST" = "sonarcloud" ]; then
149 if [ -z "$SONAR_PROJECT" -o -z "$SONAR_ORGANIZATION" -o -z "$SONAR_TOKEN" ]; then
150 echo "The SONAR_PROJECT, SONAR_ORGANIZATION and SONAR_TOKEN" \
151 "environment variables are required to run this test"
152 exit 1
153 fi
154 fi
155 CONFIG="--enable-all --disable-android-dns --disable-android-log
156 --disable-kernel-pfroute --disable-keychain
157 --disable-lock-profiler --disable-padlock --disable-fuzzing
158 --disable-osx-attr --disable-tkm --disable-uci
159 --disable-unwind-backtraces
160 --disable-svc --disable-dbghelp-backtraces --disable-socket-win
161 --disable-kernel-wfp --disable-kernel-iph --disable-winhttp
162 --disable-python-eggs-install"
163 # not enabled on the build server
164 CONFIG="$CONFIG --disable-af-alg"
165 if test "$TEST" != "coverage"; then
166 CONFIG="$CONFIG --disable-coverage"
167 else
168 # not actually required but configure checks for it
169 DEPS="$DEPS lcov"
170 fi
171 # Botan requires newer compilers, so disable it on Ubuntu 16.04
172 if [ "$ID" = "ubuntu" -a "$VERSION_ID" = "16.04" ]; then
173 CONFIG="$CONFIG --disable-botan"
174 fi
175 DEPS="$DEPS libcurl4-gnutls-dev libsoup2.4-dev libunbound-dev libldns-dev
176 libmysqlclient-dev libsqlite3-dev clearsilver-dev libfcgi-dev
177 libldap2-dev libpcsclite-dev libpam0g-dev binutils-dev libnm-dev
178 libgcrypt20-dev libjson-c-dev python3-pip libtspi-dev libsystemd-dev"
179 if [ "$ID" = "ubuntu" -a "$VERSION_ID" = "20.04" ]; then
180 DEPS="$DEPS libiptc-dev"
181 else
182 DEPS="$DEPS iptables-dev python3-setuptools"
183 fi
184 # tox has dependencies that can't be resolved on 16.04 (even with pip)
185 if [ "$ID" != "ubuntu" -o "$VERSION_ID" != "16.04" ]; then
186 PYDEPS="tox"
187 fi
188 if test "$1" = "build-deps"; then
189 if [ "$ID" != "ubuntu" -o "$VERSION_ID" != "16.04" ]; then
190 build_botan
191 fi
192 build_wolfssl
193 build_tss2
194 fi
195 ;;
196 win*)
197 CONFIG="--disable-defaults --enable-svc --enable-ikev2
198 --enable-ikev1 --enable-static --enable-test-vectors --enable-nonce
199 --enable-constraints --enable-revocation --enable-pem --enable-pkcs1
200 --enable-pkcs8 --enable-x509 --enable-pubkey --enable-acert
201 --enable-eap-tnc --enable-eap-ttls --enable-eap-identity
202 --enable-updown --enable-ext-auth --enable-libipsec --enable-pkcs11
203 --enable-tnccs-20 --enable-imc-attestation --enable-imv-attestation
204 --enable-imc-os --enable-imv-os --enable-tnc-imv --enable-tnc-imc
205 --enable-pki --enable-swanctl --enable-socket-win
206 --enable-kernel-iph --enable-kernel-wfp --enable-winhttp"
207 # no make check for Windows binaries unless we run on a windows host
208 if test "$APPVEYOR" != "True"; then
209 TARGET=
210 else
211 CONFIG="$CONFIG --enable-openssl"
212 CFLAGS="$CFLAGS -I$OPENSSL_DIR/include"
213 LDFLAGS="-L$OPENSSL_DIR"
214 export LDFLAGS
215 fi
216 CFLAGS="$CFLAGS -mno-ms-bitfields"
217 DEPS="gcc-mingw-w64-base"
218 case "$TEST" in
219 win64)
220 CONFIG="--host=x86_64-w64-mingw32 $CONFIG --enable-dbghelp-backtraces"
221 DEPS="gcc-mingw-w64-x86-64 binutils-mingw-w64-x86-64 mingw-w64-x86-64-dev $DEPS"
222 CC="x86_64-w64-mingw32-gcc"
223 ;;
224 win32)
225 CONFIG="--host=i686-w64-mingw32 $CONFIG"
226 DEPS="gcc-mingw-w64-i686 binutils-mingw-w64-i686 mingw-w64-i686-dev $DEPS"
227 CC="i686-w64-mingw32-gcc"
228 ;;
229 esac
230 ;;
231 android)
232 if test "$1" = "deps"; then
233 git clone git://git.strongswan.org/android-ndk-boringssl.git -b ndk-static \
234 src/frontends/android/app/src/main/jni/openssl
235 fi
236 TARGET=distdir
237 ;;
238 macos)
239 # this causes a false positive in ip-packet.c since Xcode 8.3
240 CFLAGS="$CFLAGS -Wno-address-of-packed-member"
241 # use the same options as in the Homebrew Formula
242 CONFIG="--disable-defaults --enable-charon --enable-cmd --enable-constraints
243 --enable-curl --enable-eap-gtc --enable-eap-identity
244 --enable-eap-md5 --enable-eap-mschapv2 --enable-farp --enable-ikev1
245 --enable-ikev2 --enable-kernel-libipsec --enable-kernel-pfkey
246 --enable-kernel-pfroute --enable-nonce --enable-openssl
247 --enable-osx-attr --enable-pem --enable-pgp --enable-pkcs1
248 --enable-pkcs8 --enable-pki --enable-pubkey --enable-revocation
249 --enable-scepclient --enable-socket-default --enable-sshkey
250 --enable-stroke --enable-swanctl --enable-unity --enable-updown
251 --enable-x509 --enable-xauth-generic"
252 DEPS="automake autoconf libtool bison gettext openssl curl"
253 BREW_PREFIX=$(brew --prefix)
254 export PATH=$BREW_PREFIX/opt/bison/bin:$PATH
255 export ACLOCAL_PATH=$BREW_PREFIX/opt/gettext/share/aclocal:$ACLOCAL_PATH
256 for pkg in openssl curl
257 do
258 PKG_CONFIG_PATH=$BREW_PREFIX/opt/$pkg/lib/pkgconfig:$PKG_CONFIG_PATH
259 CPPFLAGS="-I$BREW_PREFIX/opt/$pkg/include $CPPFLAGS"
260 LDFLAGS="-L$BREW_PREFIX/opt/$pkg/lib $LDFLAGS"
261 done
262 export PKG_CONFIG_PATH
263 export CPPFLAGS
264 export LDFLAGS
265 ;;
266 freebsd)
267 # use the options of the FreeBSD port (including options), except smp,
268 # which requires a patch but is deprecated anyway, only using the builtin
269 # printf hooks
270 CONFIG="--enable-kernel-pfkey --enable-kernel-pfroute --disable-scripts
271 --disable-kernel-netlink --enable-openssl --enable-eap-identity
272 --enable-eap-md5 --enable-eap-tls --enable-eap-mschapv2
273 --enable-eap-peap --enable-eap-ttls --enable-md4 --enable-blowfish
274 --enable-addrblock --enable-whitelist --enable-cmd --enable-curl
275 --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-dynamic
276 --enable-eap-radius --enable-eap-sim --enable-eap-sim-file
277 --enable-gcm --enable-ipseckey --enable-kernel-libipsec
278 --enable-load-tester --enable-ldap --enable-mediation
279 --enable-mysql --enable-sqlite --enable-tpm --enable-tss-tss2
280 --enable-unbound --enable-unity --enable-xauth-eap --enable-xauth-pam
281 --with-printf-hooks=builtin --enable-attr-sql --enable-sql
282 --enable-farp"
283 DEPS="git gmp openldap-client libxml2 mysql80-client sqlite3 unbound ldns tpm2-tss"
284 export GPERF=/usr/local/bin/gperf
285 export LEX=/usr/local/bin/flex
286 ;;
287 fuzzing)
288 CFLAGS="$CFLAGS -DNO_CHECK_MEMWIPE"
289 CONFIG="--enable-fuzzing --enable-static --disable-shared --disable-scripts
290 --enable-imc-test --enable-tnccs-20"
291 # don't run any of the unit tests
292 export TESTS_RUNNERS=
293 # prepare corpora
294 if test -z "$1"; then
295 if test -z "$FUZZING_CORPORA"; then
296 git clone --depth 1 https://github.com/strongswan/fuzzing-corpora.git fuzzing-corpora
297 export FUZZING_CORPORA=$BUILD_DIR/fuzzing-corpora
298 fi
299 # these are about the same as those on OSS-Fuzz (except for the
300 # symbolize options and strip_path_prefix)
301 export ASAN_OPTIONS=redzone=16:handle_sigill=1:strict_string_check=1:\
302 allocator_release_to_os_interval_ms=500:strict_memcmp=1:detect_container_overflow=1:\
303 coverage=0:allocator_may_return_null=1:use_sigaltstack=1:detect_stack_use_after_return=1:\
304 alloc_dealloc_mismatch=0:detect_leaks=1:print_scariness=1:max_uar_stack_size_log=16:\
305 handle_abort=1:check_malloc_usable_size=0:quarantine_size_mb=10:detect_odr_violation=0:\
306 symbolize=1:handle_segv=1:fast_unwind_on_fatal=0:external_symbolizer_path=/usr/bin/llvm-symbolizer-3.5
307 fi
308 ;;
309 nm|nm-no-glib)
310 DEPS="gnome-common libsecret-1-dev libgtk-3-dev libnm-dev libnma-dev"
311 if test "$TEST" = "nm"; then
312 DEPS="$DEPS libnm-glib-vpn-dev libnm-gtk-dev"
313 else
314 CONFIG="$CONFIG --without-libnm-glib"
315 fi
316 cd src/frontends/gnome
317 # don't run ./configure with ./autogen.sh
318 export NOCONFIGURE=1
319 ;;
320 dist)
321 TARGET=distcheck
322 ;;
323 apidoc)
324 DEPS="doxygen"
325 CONFIG="--disable-defaults"
326 TARGET=apidoc
327 ;;
328 lgtm)
329 if [ -z "$LGTM_PROJECT" -o -z "$LGTM_TOKEN" ]; then
330 echo "The LGTM_PROJECT and LGTM_TOKEN environment variables" \
331 "are required to run this test"
332 exit 0
333 fi
334 DEPS="jq"
335 if test -z "$1"; then
336 base=$COMMIT_BASE
337 # after rebases or for new/duplicate branches, the passed base commit
338 # ID might not be valid
339 git rev-parse -q --verify $base^{commit}
340 if [ $? != 0 ]; then
341 # this will always compare against master, while via base we
342 # otherwise only contains "new" commits
343 base=$(git merge-base origin/master ${COMMIT_ID})
344 fi
345 base=$(git rev-parse $base)
346
347 echo "Starting code review for $COMMIT_ID (base $base) on lgtm.com"
348 git diff --binary $base > lgtm.patch || exit $?
349 curl -s -X POST --data-binary @lgtm.patch \
350 "https://lgtm.com/api/v1.0/codereviews/${LGTM_PROJECT}?base=${base}&external-id=${BUILD_NUMBER}" \
351 -H 'Content-Type: application/octet-stream' \
352 -H 'Accept: application/json' \
353 -H "Authorization: Bearer ${LGTM_TOKEN}" > lgtm.res || exit $?
354 lgtm_check_url=$(jq -r '."task-result-url"' lgtm.res)
355 if [ -z "$lgtm_check_url" -o "$lgtm_check_url" = "null" ]; then
356 cat lgtm.res
357 exit 1
358 fi
359 lgtm_url=$(jq -r '."task-result"."results-url"' lgtm.res)
360 echo "Progress and full results: ${lgtm_url}"
361
362 echo -n "Waiting for completion: "
363 lgtm_status=pending
364 while [ "$lgtm_status" = "pending" ]; do
365 sleep 15
366 curl -s -X GET "${lgtm_check_url}" \
367 -H 'Accept: application/json' \
368 -H "Authorization: Bearer ${LGTM_TOKEN}" > lgtm.res
369 if [ $? != 0 ]; then
370 echo -n "-"
371 continue
372 fi
373 echo -n "."
374 lgtm_status=$(jq -r '.status' lgtm.res)
375 done
376 echo ""
377
378 if [ "$lgtm_status" != "success" ]; then
379 lgtm_message=$(jq -r '.["status-message"]' lgtm.res)
380 echo "Code review failed: ${lgtm_message}"
381 exit 1
382 fi
383 lgtm_new=$(jq -r '.languages[].new' lgtm.res | awk '{t+=$1} END {print t}')
384 lgtm_fixed=$(jq -r '.languages[].fixed' lgtm.res | awk '{t+=$1} END {print t}')
385 echo -n "Code review complete: "
386 printf "%b\n" "\e[1;31m${lgtm_new}\e[0m new alerts, \e[1;32m${lgtm_fixed}\e[0m fixed"
387 exit $lgtm_new
388 fi
389 ;;
390 *)
391 echo "$0: unknown test $TEST" >&2
392 exit 1
393 ;;
394 esac
395
396 case "$1" in
397 deps)
398 case "$OS_NAME" in
399 linux)
400 sudo apt-get update -qq && \
401 sudo apt-get install -qq bison flex gperf gettext $DEPS
402 ;;
403 macos)
404 brew update && \
405 brew install $DEPS
406 ;;
407 freebsd)
408 pkg install -y automake autoconf libtool pkgconf && \
409 pkg install -y bison flex gperf gettext $DEPS
410 ;;
411 esac
412 exit $?
413 ;;
414 pydeps)
415 test -z "$PYDEPS" || pip3 -q install --user $PYDEPS
416 exit $?
417 ;;
418 build-deps)
419 exit
420 ;;
421 *)
422 ;;
423 esac
424
425 CONFIG="$CONFIG
426 --disable-dependency-tracking
427 --enable-silent-rules
428 --enable-test-vectors
429 --enable-monolithic=${MONOLITHIC-no}
430 --enable-leak-detective=${LEAK_DETECTIVE-no}"
431
432 echo "$ ./autogen.sh"
433 ./autogen.sh || exit $?
434 echo "$ CC=$CC CFLAGS=\"$CFLAGS\" ./configure $CONFIG"
435 CC="$CC" CFLAGS="$CFLAGS" ./configure $CONFIG || exit $?
436
437 case "$TEST" in
438 apidoc)
439 exec 2>make.warnings
440 ;;
441 *)
442 ;;
443 esac
444
445 echo "$ make $TARGET"
446 case "$TEST" in
447 sonarcloud)
448 # without target, coverage is currently not supported anyway because
449 # sonarqube only supports gcov, not lcov
450 build-wrapper-linux-x86-64 --out-dir bw-output make -j4 || exit $?
451 ;;
452 *)
453 make -j4 $TARGET || exit $?
454 ;;
455 esac
456
457 case "$TEST" in
458 apidoc)
459 if test -s make.warnings; then
460 cat make.warnings
461 exit 1
462 fi
463 rm make.warnings
464 ;;
465 sonarcloud)
466 sonar-scanner \
467 -Dsonar.host.url=https://sonarcloud.io \
468 -Dsonar.projectKey=${SONAR_PROJECT} \
469 -Dsonar.organization=${SONAR_ORGANIZATION} \
470 -Dsonar.login=${SONAR_TOKEN} \
471 -Dsonar.projectVersion=$(git describe --exclude 'android-*')+${BUILD_NUMBER} \
472 -Dsonar.sources=. \
473 -Dsonar.cfamily.threads=2 \
474 -Dsonar.cfamily.cache.enabled=true \
475 -Dsonar.cfamily.cache.path=$HOME/.sonar-cache \
476 -Dsonar.cfamily.build-wrapper-output=bw-output || exit $?
477 rm -r bw-output .scannerwork
478 ;;
479 android)
480 rm -r strongswan-*
481 cd src/frontends/android
482 echo "$ ./gradlew build"
483 NDK_CCACHE=ccache ./gradlew build || exit $?
484 ;;
485 *)
486 ;;
487 esac
488
489 # ensure there are no unignored build artifacts (or other changes) in the Git repo
490 unclean="$(git status --porcelain)"
491 if test -n "$unclean"; then
492 echo "Unignored build artifacts or other changes:"
493 echo "$unclean"
494 exit 1
495 fi