7fe5108dec24341bf7a43a03e50b7addcd51facc
[strongswan.git] / scripts / test.sh
1 #!/bin/sh
2 # Build script for CI
3
4 build_botan()
5 {
6 # same revision used in the build recipe of the testing environment
7 BOTAN_REV=2.17.1
8 BOTAN_DIR=$DEPS_BUILD_DIR/botan
9
10 if test -d "$BOTAN_DIR"; then
11 return
12 fi
13
14 echo "$ build_botan()"
15
16 # if the leak detective is enabled we have to disable threading support
17 # (used for std::async) as that causes invalid frees somehow, the
18 # locking allocator causes a static leak via the first function that
19 # references it (e.g. crypter or hasher), so we disable that too
20 if test "$LEAK_DETECTIVE" = "yes"; then
21 BOTAN_CONFIG="--without-os-features=threads
22 --disable-modules=locking_allocator"
23 fi
24 # disable some larger modules we don't need for the tests
25 BOTAN_CONFIG="$BOTAN_CONFIG --disable-modules=pkcs11,tls,x509,xmss
26 --prefix=$DEPS_PREFIX"
27
28 git clone https://github.com/randombit/botan.git $BOTAN_DIR &&
29 cd $BOTAN_DIR &&
30 git checkout -qf $BOTAN_REV &&
31 python ./configure.py --amalgamation $BOTAN_CONFIG &&
32 make -j4 libs >/dev/null &&
33 sudo make install >/dev/null &&
34 sudo ldconfig || exit $?
35 cd -
36 }
37
38 build_wolfssl()
39 {
40 WOLFSSL_REV=v4.7.0-stable
41 WOLFSSL_DIR=$DEPS_BUILD_DIR/wolfssl
42
43 if test -d "$WOLFSSL_DIR"; then
44 return
45 fi
46
47 echo "$ build_wolfssl()"
48
49 WOLFSSL_CFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DES_ECB -DHAVE_ECC_BRAINPOOL"
50 WOLFSSL_CONFIG="--prefix=$DEPS_PREFIX
51 --disable-crypttests --disable-examples
52 --enable-keygen --enable-rsapss --enable-aesccm
53 --enable-aesctr --enable-des3 --enable-camellia
54 --enable-curve25519 --enable-ed25519
55 --enable-curve448 --enable-ed448
56 --enable-sha3 --enable-shake256 --enable-ecccustcurves"
57
58 git clone https://github.com/wolfSSL/wolfssl.git $WOLFSSL_DIR &&
59 cd $WOLFSSL_DIR &&
60 git checkout -qf $WOLFSSL_REV &&
61 ./autogen.sh &&
62 ./configure C_EXTRA_FLAGS="$WOLFSSL_CFLAGS" $WOLFSSL_CONFIG &&
63 make -j4 >/dev/null &&
64 sudo make install >/dev/null &&
65 sudo ldconfig || exit $?
66 cd -
67 }
68
69 build_tss2()
70 {
71 TSS2_REV=2.4.3
72 TSS2_PKG=tpm2-tss-$TSS2_REV
73 TSS2_DIR=$DEPS_BUILD_DIR/$TSS2_PKG
74 TSS2_SRC=https://github.com/tpm2-software/tpm2-tss/releases/download/$TSS2_REV/$TSS2_PKG.tar.gz
75
76 if test -d "$TSS2_DIR"; then
77 return
78 fi
79
80 echo "$ build_tss2()"
81
82 curl -L $TSS2_SRC | tar xz -C $DEPS_BUILD_DIR &&
83 cd $TSS2_DIR &&
84 ./configure --prefix=$DEPS_PREFIX --disable-doxygen-doc &&
85 make -j4 >/dev/null &&
86 sudo make install >/dev/null &&
87 sudo ldconfig || exit $?
88 cd -
89 }
90
91 : ${BUILD_DIR=$PWD}
92 : ${DEPS_BUILD_DIR=$BUILD_DIR/..}
93 : ${DEPS_PREFIX=/usr/local}
94
95 TARGET=check
96
97 DEPS="libgmp-dev"
98
99 CFLAGS="-g -O2 -Wall -Wno-format -Wno-format-security -Wno-pointer-sign -Werror"
100
101 case "$TEST" in
102 default)
103 # should be the default, but lets make sure
104 CONFIG="--with-printf-hooks=glibc"
105 ;;
106 openssl*)
107 CONFIG="--disable-defaults --enable-pki --enable-openssl --enable-pem"
108 export TESTS_PLUGINS="test-vectors pem openssl!"
109 DEPS="libssl-dev"
110 ;;
111 gcrypt)
112 CONFIG="--disable-defaults --enable-pki --enable-gcrypt --enable-pkcs1"
113 export TESTS_PLUGINS="test-vectors pkcs1 gcrypt!"
114 DEPS="libgcrypt11-dev"
115 ;;
116 botan)
117 CONFIG="--disable-defaults --enable-pki --enable-botan --enable-pem"
118 export TESTS_PLUGINS="test-vectors pem botan!"
119 DEPS=""
120 if test "$1" = "build-deps"; then
121 build_botan
122 fi
123 ;;
124 wolfssl)
125 CONFIG="--disable-defaults --enable-pki --enable-wolfssl --enable-pem"
126 export TESTS_PLUGINS="test-vectors pem wolfssl!"
127 # build with custom options to enable all the features the plugin supports
128 DEPS=""
129 if test "$1" = "build-deps"; then
130 build_wolfssl
131 fi
132 ;;
133 printf-builtin)
134 CONFIG="--with-printf-hooks=builtin"
135 ;;
136 all|coverage|sonarcloud)
137 CONFIG="--enable-all --disable-android-dns --disable-android-log
138 --disable-kernel-pfroute --disable-keychain
139 --disable-lock-profiler --disable-padlock --disable-fuzzing
140 --disable-osx-attr --disable-tkm --disable-uci
141 --disable-unwind-backtraces
142 --disable-svc --disable-dbghelp-backtraces --disable-socket-win
143 --disable-kernel-wfp --disable-kernel-iph --disable-winhttp
144 --disable-python-eggs-install"
145 # not enabled on the build server
146 CONFIG="$CONFIG --disable-af-alg"
147 if test "$TEST" != "coverage"; then
148 CONFIG="$CONFIG --disable-coverage"
149 else
150 # not actually required but configure checks for it
151 DEPS="$DEPS lcov"
152 fi
153 # Botan requires newer compilers, so disable it on Ubuntu 16.04
154 if test -n "$UBUNTU_XENIAL"; then
155 CONFIG="$CONFIG --disable-botan"
156 fi
157 DEPS="$DEPS libcurl4-gnutls-dev libsoup2.4-dev libunbound-dev libldns-dev
158 libmysqlclient-dev libsqlite3-dev clearsilver-dev libfcgi-dev
159 libldap2-dev libpcsclite-dev libpam0g-dev binutils-dev libnm-dev
160 libgcrypt20-dev libjson-c-dev iptables-dev python-pip libtspi-dev
161 libsystemd-dev"
162 PYDEPS="tox"
163 if test "$1" = "build-deps"; then
164 if test -z "$UBUNTU_XENIAL"; then
165 build_botan
166 fi
167 build_wolfssl
168 build_tss2
169 fi
170 ;;
171 win*)
172 CONFIG="--disable-defaults --enable-svc --enable-ikev2
173 --enable-ikev1 --enable-static --enable-test-vectors --enable-nonce
174 --enable-constraints --enable-revocation --enable-pem --enable-pkcs1
175 --enable-pkcs8 --enable-x509 --enable-pubkey --enable-acert
176 --enable-eap-tnc --enable-eap-ttls --enable-eap-identity
177 --enable-updown --enable-ext-auth --enable-libipsec --enable-pkcs11
178 --enable-tnccs-20 --enable-imc-attestation --enable-imv-attestation
179 --enable-imc-os --enable-imv-os --enable-tnc-imv --enable-tnc-imc
180 --enable-pki --enable-swanctl --enable-socket-win
181 --enable-kernel-iph --enable-kernel-wfp --enable-winhttp"
182 # no make check for Windows binaries unless we run on a windows host
183 if test "$APPVEYOR" != "True"; then
184 TARGET=
185 else
186 CONFIG="$CONFIG --enable-openssl"
187 CFLAGS="$CFLAGS -I$OPENSSL_DIR/include"
188 LDFLAGS="-L$OPENSSL_DIR"
189 export LDFLAGS
190 fi
191 CFLAGS="$CFLAGS -mno-ms-bitfields"
192 DEPS="gcc-mingw-w64-base"
193 case "$TEST" in
194 win64)
195 CONFIG="--host=x86_64-w64-mingw32 $CONFIG --enable-dbghelp-backtraces"
196 DEPS="gcc-mingw-w64-x86-64 binutils-mingw-w64-x86-64 mingw-w64-x86-64-dev $DEPS"
197 CC="x86_64-w64-mingw32-gcc"
198 ;;
199 win32)
200 CONFIG="--host=i686-w64-mingw32 $CONFIG"
201 DEPS="gcc-mingw-w64-i686 binutils-mingw-w64-i686 mingw-w64-i686-dev $DEPS"
202 CC="i686-w64-mingw32-gcc"
203 ;;
204 esac
205 ;;
206 android)
207 if test "$1" = "deps"; then
208 git clone git://git.strongswan.org/android-ndk-boringssl.git -b ndk-static \
209 src/frontends/android/app/src/main/jni/openssl
210 fi
211 TARGET=distdir
212 ;;
213 macos)
214 # this causes a false positive in ip-packet.c since Xcode 8.3
215 CFLAGS="$CFLAGS -Wno-address-of-packed-member"
216 # use the same options as in the Homebrew Formula
217 CONFIG="--disable-defaults --enable-charon --enable-cmd --enable-constraints
218 --enable-curl --enable-eap-gtc --enable-eap-identity
219 --enable-eap-md5 --enable-eap-mschapv2 --enable-farp --enable-ikev1
220 --enable-ikev2 --enable-kernel-libipsec --enable-kernel-pfkey
221 --enable-kernel-pfroute --enable-nonce --enable-openssl
222 --enable-osx-attr --enable-pem --enable-pgp --enable-pkcs1
223 --enable-pkcs8 --enable-pki --enable-pubkey --enable-revocation
224 --enable-scepclient --enable-socket-default --enable-sshkey
225 --enable-stroke --enable-swanctl --enable-unity --enable-updown
226 --enable-x509 --enable-xauth-generic"
227 DEPS="automake autoconf libtool bison gettext openssl curl"
228 BREW_PREFIX=$(brew --prefix)
229 export PATH=$BREW_PREFIX/opt/bison/bin:$PATH
230 export ACLOCAL_PATH=$BREW_PREFIX/opt/gettext/share/aclocal:$ACLOCAL_PATH
231 for pkg in openssl curl
232 do
233 PKG_CONFIG_PATH=$BREW_PREFIX/opt/$pkg/lib/pkgconfig:$PKG_CONFIG_PATH
234 CPPFLAGS="-I$BREW_PREFIX/opt/$pkg/include $CPPFLAGS"
235 LDFLAGS="-L$BREW_PREFIX/opt/$pkg/lib $LDFLAGS"
236 done
237 export PKG_CONFIG_PATH
238 export CPPFLAGS
239 export LDFLAGS
240 ;;
241 freebsd)
242 # use the options of the FreeBSD port (including options), except smp,
243 # which requires a patch but is deprecated anyway, only using the builtin
244 # printf hooks
245 CONFIG="--enable-kernel-pfkey --enable-kernel-pfroute --disable-scripts
246 --disable-kernel-netlink --enable-openssl --enable-eap-identity
247 --enable-eap-md5 --enable-eap-tls --enable-eap-mschapv2
248 --enable-eap-peap --enable-eap-ttls --enable-md4 --enable-blowfish
249 --enable-addrblock --enable-whitelist --enable-cmd --enable-curl
250 --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-dynamic
251 --enable-eap-radius --enable-eap-sim --enable-eap-sim-file
252 --enable-gcm --enable-ipseckey --enable-kernel-libipsec
253 --enable-load-tester --enable-ldap --enable-mediation
254 --enable-mysql --enable-sqlite --enable-tpm --enable-tss-tss2
255 --enable-unbound --enable-unity --enable-xauth-eap --enable-xauth-pam
256 --with-printf-hooks=builtin --enable-attr-sql --enable-sql
257 --enable-farp"
258 DEPS="git gmp openldap-client libxml2 mysql80-client sqlite3 unbound ldns tpm2-tss"
259 export GPERF=/usr/local/bin/gperf
260 export LEX=/usr/local/bin/flex
261 ;;
262 fuzzing)
263 CFLAGS="$CFLAGS -DNO_CHECK_MEMWIPE"
264 CONFIG="--enable-fuzzing --enable-static --disable-shared --disable-scripts
265 --enable-imc-test --enable-tnccs-20"
266 # don't run any of the unit tests
267 export TESTS_RUNNERS=
268 # prepare corpora
269 if test -z "$1"; then
270 if test -z "$FUZZING_CORPORA"; then
271 git clone --depth 1 https://github.com/strongswan/fuzzing-corpora.git fuzzing-corpora
272 export FUZZING_CORPORA=$BUILD_DIR/fuzzing-corpora
273 fi
274 # these are about the same as those on OSS-Fuzz (except for the
275 # symbolize options and strip_path_prefix)
276 export ASAN_OPTIONS=redzone=16:handle_sigill=1:strict_string_check=1:\
277 allocator_release_to_os_interval_ms=500:strict_memcmp=1:detect_container_overflow=1:\
278 coverage=0:allocator_may_return_null=1:use_sigaltstack=1:detect_stack_use_after_return=1:\
279 alloc_dealloc_mismatch=0:detect_leaks=1:print_scariness=1:max_uar_stack_size_log=16:\
280 handle_abort=1:check_malloc_usable_size=0:quarantine_size_mb=10:detect_odr_violation=0:\
281 symbolize=1:handle_segv=1:fast_unwind_on_fatal=0:external_symbolizer_path=/usr/bin/llvm-symbolizer-3.5
282 fi
283 ;;
284 nm|nm-no-glib)
285 DEPS="gnome-common libsecret-1-dev libgtk-3-dev libnm-dev libnma-dev"
286 if test "$TEST" = "nm"; then
287 DEPS="$DEPS libnm-glib-vpn-dev libnm-gtk-dev"
288 else
289 CONFIG="$CONFIG --without-libnm-glib"
290 fi
291 cd src/frontends/gnome
292 # don't run ./configure with ./autogen.sh
293 export NOCONFIGURE=1
294 ;;
295 dist)
296 TARGET=distcheck
297 ;;
298 apidoc)
299 DEPS="doxygen"
300 CONFIG="--disable-defaults"
301 TARGET=apidoc
302 ;;
303 lgtm)
304 DEPS="jq"
305
306 if test -z "$1"; then
307 base=$COMMIT_BASE
308 # after rebases or for new/duplicate branches, the passed base commit
309 # ID might not be valid
310 git rev-parse -q --verify $base^{commit}
311 if [ $? != 0 ]; then
312 # this will always compare against master, while via base we
313 # otherwise only contains "new" commits
314 base=$(git merge-base origin/master ${COMMIT_ID})
315 fi
316 base=$(git rev-parse $base)
317 project_id=1506185006272
318
319 echo "Starting code review for $COMMIT_ID (base $base) on lgtm.com"
320 git diff --binary $base > lgtm.patch || exit $?
321 curl -s -X POST --data-binary @lgtm.patch \
322 "https://lgtm.com/api/v1.0/codereviews/${project_id}?base=${base}&external-id=${BUILD_NUMBER}" \
323 -H 'Content-Type: application/octet-stream' \
324 -H 'Accept: application/json' \
325 -H "Authorization: Bearer ${LGTM_TOKEN}" > lgtm.res || exit $?
326 lgtm_check_url=$(jq -r '."task-result-url"' lgtm.res)
327 if [ -z "$lgtm_check_url" -o "$lgtm_check_url" = "null" ]; then
328 cat lgtm.res
329 exit 1
330 fi
331 lgtm_url=$(jq -r '."task-result"."results-url"' lgtm.res)
332 echo "Progress and full results: ${lgtm_url}"
333
334 echo -n "Waiting for completion: "
335 lgtm_status=pending
336 while [ "$lgtm_status" = "pending" ]; do
337 sleep 15
338 curl -s -X GET "${lgtm_check_url}" \
339 -H 'Accept: application/json' \
340 -H "Authorization: Bearer ${LGTM_TOKEN}" > lgtm.res
341 if [ $? != 0 ]; then
342 echo -n "-"
343 continue
344 fi
345 echo -n "."
346 lgtm_status=$(jq -r '.status' lgtm.res)
347 done
348 echo ""
349
350 if [ "$lgtm_status" != "success" ]; then
351 lgtm_message=$(jq -r '.["status-message"]' lgtm.res)
352 echo "Code review failed: ${lgtm_message}"
353 exit 1
354 fi
355 lgtm_new=$(jq -r '.languages[].new' lgtm.res | awk '{t+=$1} END {print t}')
356 lgtm_fixed=$(jq -r '.languages[].fixed' lgtm.res | awk '{t+=$1} END {print t}')
357 echo -n "Code review complete: "
358 printf "%b\n" "\e[1;31m${lgtm_new}\e[0m new alerts, \e[1;32m${lgtm_fixed}\e[0m fixed"
359 exit $lgtm_new
360 fi
361 ;;
362 *)
363 echo "$0: unknown test $TEST" >&2
364 exit 1
365 ;;
366 esac
367
368 case "$1" in
369 deps)
370 case "$OS_NAME" in
371 linux)
372 sudo apt-get update -qq && \
373 sudo apt-get install -qq bison flex gperf gettext $DEPS
374 ;;
375 macos)
376 brew update && \
377 brew install $DEPS
378 ;;
379 freebsd)
380 pkg install -y automake autoconf libtool pkgconf && \
381 pkg install -y bison flex gperf gettext $DEPS
382 ;;
383 esac
384 exit $?
385 ;;
386 pydeps)
387 test -z "$PYDEPS" || pip -q install --user $PYDEPS
388 exit $?
389 ;;
390 build-deps)
391 exit
392 ;;
393 *)
394 ;;
395 esac
396
397 CONFIG="$CONFIG
398 --disable-dependency-tracking
399 --enable-silent-rules
400 --enable-test-vectors
401 --enable-monolithic=${MONOLITHIC-no}
402 --enable-leak-detective=${LEAK_DETECTIVE-no}"
403
404 echo "$ ./autogen.sh"
405 ./autogen.sh || exit $?
406 echo "$ CC=$CC CFLAGS=\"$CFLAGS\" ./configure $CONFIG"
407 CC="$CC" CFLAGS="$CFLAGS" ./configure $CONFIG || exit $?
408
409 case "$TEST" in
410 apidoc)
411 exec 2>make.warnings
412 ;;
413 *)
414 ;;
415 esac
416
417 echo "$ make $TARGET"
418 case "$TEST" in
419 sonarcloud)
420 # without target, coverage is currently not supported anyway because
421 # sonarqube only supports gcov, not lcov
422 build-wrapper-linux-x86-64 --out-dir bw-output make -j4 || exit $?
423 ;;
424 *)
425 make -j4 $TARGET || exit $?
426 ;;
427 esac
428
429 case "$TEST" in
430 apidoc)
431 if test -s make.warnings; then
432 cat make.warnings
433 exit 1
434 fi
435 rm make.warnings
436 ;;
437 sonarcloud)
438 sonar-scanner \
439 -Dsonar.host.url=https://sonarcloud.io \
440 -Dsonar.projectKey=${SONAR_PROJECT} \
441 -Dsonar.organization=${SONAR_ORGANIZATION} \
442 -Dsonar.login=${SONAR_TOKEN} \
443 -Dsonar.projectVersion=$(git describe)+${BUILD_NUMBER} \
444 -Dsonar.sources=. \
445 -Dsonar.cfamily.threads=2 \
446 -Dsonar.cfamily.cache.enabled=true \
447 -Dsonar.cfamily.cache.path=$HOME/.sonar-cache \
448 -Dsonar.cfamily.build-wrapper-output=bw-output || exit $?
449 rm -r bw-output .scannerwork
450 ;;
451 android)
452 rm -r strongswan-*
453 cd src/frontends/android
454 echo "$ ./gradlew build"
455 NDK_CCACHE=ccache ./gradlew build || exit $?
456 ;;
457 *)
458 ;;
459 esac
460
461 # ensure there are no unignored build artifacts (or other changes) in the Git repo
462 unclean="$(git status --porcelain)"
463 if test -n "$unclean"; then
464 echo "Unignored build artifacts or other changes:"
465 echo "$unclean"
466 exit 1
467 fi