97f1a352dbf606492e625f3971261dc888882c96
[strongswan.git] / scripts / test.sh
1 #!/bin/sh
2 # Build script for CI
3
4 build_botan()
5 {
6 # same revision used in the build recipe of the testing environment
7 BOTAN_REV=2.17.1
8 BOTAN_DIR=$DEPS_BUILD_DIR/botan
9
10 if test -d "$BOTAN_DIR"; then
11 return
12 fi
13
14 echo "$ build_botan()"
15
16 # if the leak detective is enabled we have to disable threading support
17 # (used for std::async) as that causes invalid frees somehow, the
18 # locking allocator causes a static leak via the first function that
19 # references it (e.g. crypter or hasher), so we disable that too
20 if test "$LEAK_DETECTIVE" = "yes"; then
21 BOTAN_CONFIG="--without-os-features=threads
22 --disable-modules=locking_allocator"
23 fi
24 # disable some larger modules we don't need for the tests
25 BOTAN_CONFIG="$BOTAN_CONFIG --disable-modules=pkcs11,tls,x509,xmss
26 --prefix=$DEPS_PREFIX"
27
28 git clone https://github.com/randombit/botan.git $BOTAN_DIR &&
29 cd $BOTAN_DIR &&
30 git checkout -qf $BOTAN_REV &&
31 python ./configure.py --amalgamation $BOTAN_CONFIG &&
32 make -j4 libs >/dev/null &&
33 sudo make install >/dev/null &&
34 sudo ldconfig || exit $?
35 cd -
36 }
37
38 build_wolfssl()
39 {
40 WOLFSSL_REV=v4.7.0-stable
41 WOLFSSL_DIR=$DEPS_BUILD_DIR/wolfssl
42
43 if test -d "$WOLFSSL_DIR"; then
44 return
45 fi
46
47 echo "$ build_wolfssl()"
48
49 WOLFSSL_CFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DES_ECB -DHAVE_ECC_BRAINPOOL"
50 WOLFSSL_CONFIG="--prefix=$DEPS_PREFIX
51 --disable-crypttests --disable-examples
52 --enable-keygen --enable-rsapss --enable-aesccm
53 --enable-aesctr --enable-des3 --enable-camellia
54 --enable-curve25519 --enable-ed25519
55 --enable-curve448 --enable-ed448
56 --enable-sha3 --enable-shake256 --enable-ecccustcurves"
57
58 git clone https://github.com/wolfSSL/wolfssl.git $WOLFSSL_DIR &&
59 cd $WOLFSSL_DIR &&
60 git checkout -qf $WOLFSSL_REV &&
61 ./autogen.sh &&
62 ./configure C_EXTRA_FLAGS="$WOLFSSL_CFLAGS" $WOLFSSL_CONFIG &&
63 make -j4 >/dev/null &&
64 sudo make install >/dev/null &&
65 sudo ldconfig || exit $?
66 cd -
67 }
68
69 build_tss2()
70 {
71 TSS2_REV=2.4.3
72 TSS2_PKG=tpm2-tss-$TSS2_REV
73 TSS2_DIR=$DEPS_BUILD_DIR/$TSS2_PKG
74 TSS2_SRC=https://github.com/tpm2-software/tpm2-tss/releases/download/$TSS2_REV/$TSS2_PKG.tar.gz
75
76 if test -d "$TSS2_DIR"; then
77 return
78 fi
79
80 echo "$ build_tss2()"
81
82 curl -L $TSS2_SRC | tar xz -C $DEPS_BUILD_DIR &&
83 cd $TSS2_DIR &&
84 ./configure --prefix=$DEPS_PREFIX --disable-doxygen-doc &&
85 make -j4 >/dev/null &&
86 sudo make install >/dev/null &&
87 sudo ldconfig || exit $?
88 cd -
89 }
90
91 : ${BUILD_DIR=$PWD}
92 : ${DEPS_BUILD_DIR=$BUILD_DIR/..}
93 : ${DEPS_PREFIX=/usr/local}
94
95 if [ -e /etc/os-release ]; then
96 . /etc/os-release
97 elif [ -e /usr/lib/os-release ]; then
98 . /usr/lib/os-release
99 fi
100
101 TARGET=check
102
103 DEPS="libgmp-dev"
104
105 CFLAGS="-g -O2 -Wall -Wno-format -Wno-format-security -Wno-pointer-sign -Werror"
106
107 case "$TEST" in
108 default)
109 # should be the default, but lets make sure
110 CONFIG="--with-printf-hooks=glibc"
111 ;;
112 openssl*)
113 CONFIG="--disable-defaults --enable-pki --enable-openssl --enable-pem"
114 export TESTS_PLUGINS="test-vectors pem openssl!"
115 DEPS="libssl-dev"
116 ;;
117 gcrypt)
118 CONFIG="--disable-defaults --enable-pki --enable-gcrypt --enable-pkcs1"
119 export TESTS_PLUGINS="test-vectors pkcs1 gcrypt!"
120 if [ "$ID" = "ubuntu" -a "$VERSION_ID" = "20.04" ]; then
121 DEPS="libgcrypt20-dev"
122 else
123 DEPS="libgcrypt11-dev"
124 fi
125 ;;
126 botan)
127 CONFIG="--disable-defaults --enable-pki --enable-botan --enable-pem"
128 export TESTS_PLUGINS="test-vectors pem botan!"
129 DEPS=""
130 if test "$1" = "build-deps"; then
131 build_botan
132 fi
133 ;;
134 wolfssl)
135 CONFIG="--disable-defaults --enable-pki --enable-wolfssl --enable-pem"
136 export TESTS_PLUGINS="test-vectors pem wolfssl!"
137 # build with custom options to enable all the features the plugin supports
138 DEPS=""
139 if test "$1" = "build-deps"; then
140 build_wolfssl
141 fi
142 ;;
143 printf-builtin)
144 CONFIG="--with-printf-hooks=builtin"
145 ;;
146 all|coverage|sonarcloud)
147 if [ "$TEST" = "sonarcloud" ]; then
148 if [ -z "$SONAR_PROJECT" -o -z "$SONAR_ORGANIZATION" -o -z "$SONAR_TOKEN" ]; then
149 echo "The SONAR_PROJECT, SONAR_ORGANIZATION and SONAR_TOKEN" \
150 "environment variables are required to run this test"
151 exit 1
152 fi
153 fi
154 CONFIG="--enable-all --disable-android-dns --disable-android-log
155 --disable-kernel-pfroute --disable-keychain
156 --disable-lock-profiler --disable-padlock --disable-fuzzing
157 --disable-osx-attr --disable-tkm --disable-uci
158 --disable-unwind-backtraces
159 --disable-svc --disable-dbghelp-backtraces --disable-socket-win
160 --disable-kernel-wfp --disable-kernel-iph --disable-winhttp
161 --disable-python-eggs-install"
162 # not enabled on the build server
163 CONFIG="$CONFIG --disable-af-alg"
164 if test "$TEST" != "coverage"; then
165 CONFIG="$CONFIG --disable-coverage"
166 else
167 # not actually required but configure checks for it
168 DEPS="$DEPS lcov"
169 fi
170 # Botan requires newer compilers, so disable it on Ubuntu 16.04
171 if [ "$ID" = "ubuntu" -a "$VERSION_ID" = "16.04" ]; then
172 CONFIG="$CONFIG --disable-botan"
173 fi
174 DEPS="$DEPS libcurl4-gnutls-dev libsoup2.4-dev libunbound-dev libldns-dev
175 libmysqlclient-dev libsqlite3-dev clearsilver-dev libfcgi-dev
176 libldap2-dev libpcsclite-dev libpam0g-dev binutils-dev libnm-dev
177 libgcrypt20-dev libjson-c-dev python3-pip libtspi-dev libsystemd-dev"
178 if [ "$ID" = "ubuntu" -a "$VERSION_ID" = "20.04" ]; then
179 DEPS="$DEPS libiptc-dev"
180 else
181 DEPS="$DEPS iptables-dev"
182 fi
183 PYDEPS="tox"
184 if test "$1" = "build-deps"; then
185 if [ "$ID" != "ubuntu" -o "$VERSION_ID" != "16.04" ]; then
186 build_botan
187 fi
188 build_wolfssl
189 build_tss2
190 fi
191 ;;
192 win*)
193 CONFIG="--disable-defaults --enable-svc --enable-ikev2
194 --enable-ikev1 --enable-static --enable-test-vectors --enable-nonce
195 --enable-constraints --enable-revocation --enable-pem --enable-pkcs1
196 --enable-pkcs8 --enable-x509 --enable-pubkey --enable-acert
197 --enable-eap-tnc --enable-eap-ttls --enable-eap-identity
198 --enable-updown --enable-ext-auth --enable-libipsec --enable-pkcs11
199 --enable-tnccs-20 --enable-imc-attestation --enable-imv-attestation
200 --enable-imc-os --enable-imv-os --enable-tnc-imv --enable-tnc-imc
201 --enable-pki --enable-swanctl --enable-socket-win
202 --enable-kernel-iph --enable-kernel-wfp --enable-winhttp"
203 # no make check for Windows binaries unless we run on a windows host
204 if test "$APPVEYOR" != "True"; then
205 TARGET=
206 else
207 CONFIG="$CONFIG --enable-openssl"
208 CFLAGS="$CFLAGS -I$OPENSSL_DIR/include"
209 LDFLAGS="-L$OPENSSL_DIR"
210 export LDFLAGS
211 fi
212 CFLAGS="$CFLAGS -mno-ms-bitfields"
213 DEPS="gcc-mingw-w64-base"
214 case "$TEST" in
215 win64)
216 CONFIG="--host=x86_64-w64-mingw32 $CONFIG --enable-dbghelp-backtraces"
217 DEPS="gcc-mingw-w64-x86-64 binutils-mingw-w64-x86-64 mingw-w64-x86-64-dev $DEPS"
218 CC="x86_64-w64-mingw32-gcc"
219 ;;
220 win32)
221 CONFIG="--host=i686-w64-mingw32 $CONFIG"
222 DEPS="gcc-mingw-w64-i686 binutils-mingw-w64-i686 mingw-w64-i686-dev $DEPS"
223 CC="i686-w64-mingw32-gcc"
224 ;;
225 esac
226 ;;
227 android)
228 if test "$1" = "deps"; then
229 git clone git://git.strongswan.org/android-ndk-boringssl.git -b ndk-static \
230 src/frontends/android/app/src/main/jni/openssl
231 fi
232 TARGET=distdir
233 ;;
234 macos)
235 # this causes a false positive in ip-packet.c since Xcode 8.3
236 CFLAGS="$CFLAGS -Wno-address-of-packed-member"
237 # use the same options as in the Homebrew Formula
238 CONFIG="--disable-defaults --enable-charon --enable-cmd --enable-constraints
239 --enable-curl --enable-eap-gtc --enable-eap-identity
240 --enable-eap-md5 --enable-eap-mschapv2 --enable-farp --enable-ikev1
241 --enable-ikev2 --enable-kernel-libipsec --enable-kernel-pfkey
242 --enable-kernel-pfroute --enable-nonce --enable-openssl
243 --enable-osx-attr --enable-pem --enable-pgp --enable-pkcs1
244 --enable-pkcs8 --enable-pki --enable-pubkey --enable-revocation
245 --enable-scepclient --enable-socket-default --enable-sshkey
246 --enable-stroke --enable-swanctl --enable-unity --enable-updown
247 --enable-x509 --enable-xauth-generic"
248 DEPS="automake autoconf libtool bison gettext openssl curl"
249 BREW_PREFIX=$(brew --prefix)
250 export PATH=$BREW_PREFIX/opt/bison/bin:$PATH
251 export ACLOCAL_PATH=$BREW_PREFIX/opt/gettext/share/aclocal:$ACLOCAL_PATH
252 for pkg in openssl curl
253 do
254 PKG_CONFIG_PATH=$BREW_PREFIX/opt/$pkg/lib/pkgconfig:$PKG_CONFIG_PATH
255 CPPFLAGS="-I$BREW_PREFIX/opt/$pkg/include $CPPFLAGS"
256 LDFLAGS="-L$BREW_PREFIX/opt/$pkg/lib $LDFLAGS"
257 done
258 export PKG_CONFIG_PATH
259 export CPPFLAGS
260 export LDFLAGS
261 ;;
262 freebsd)
263 # use the options of the FreeBSD port (including options), except smp,
264 # which requires a patch but is deprecated anyway, only using the builtin
265 # printf hooks
266 CONFIG="--enable-kernel-pfkey --enable-kernel-pfroute --disable-scripts
267 --disable-kernel-netlink --enable-openssl --enable-eap-identity
268 --enable-eap-md5 --enable-eap-tls --enable-eap-mschapv2
269 --enable-eap-peap --enable-eap-ttls --enable-md4 --enable-blowfish
270 --enable-addrblock --enable-whitelist --enable-cmd --enable-curl
271 --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-dynamic
272 --enable-eap-radius --enable-eap-sim --enable-eap-sim-file
273 --enable-gcm --enable-ipseckey --enable-kernel-libipsec
274 --enable-load-tester --enable-ldap --enable-mediation
275 --enable-mysql --enable-sqlite --enable-tpm --enable-tss-tss2
276 --enable-unbound --enable-unity --enable-xauth-eap --enable-xauth-pam
277 --with-printf-hooks=builtin --enable-attr-sql --enable-sql
278 --enable-farp"
279 DEPS="git gmp openldap-client libxml2 mysql80-client sqlite3 unbound ldns tpm2-tss"
280 export GPERF=/usr/local/bin/gperf
281 export LEX=/usr/local/bin/flex
282 ;;
283 fuzzing)
284 CFLAGS="$CFLAGS -DNO_CHECK_MEMWIPE"
285 CONFIG="--enable-fuzzing --enable-static --disable-shared --disable-scripts
286 --enable-imc-test --enable-tnccs-20"
287 # don't run any of the unit tests
288 export TESTS_RUNNERS=
289 # prepare corpora
290 if test -z "$1"; then
291 if test -z "$FUZZING_CORPORA"; then
292 git clone --depth 1 https://github.com/strongswan/fuzzing-corpora.git fuzzing-corpora
293 export FUZZING_CORPORA=$BUILD_DIR/fuzzing-corpora
294 fi
295 # these are about the same as those on OSS-Fuzz (except for the
296 # symbolize options and strip_path_prefix)
297 export ASAN_OPTIONS=redzone=16:handle_sigill=1:strict_string_check=1:\
298 allocator_release_to_os_interval_ms=500:strict_memcmp=1:detect_container_overflow=1:\
299 coverage=0:allocator_may_return_null=1:use_sigaltstack=1:detect_stack_use_after_return=1:\
300 alloc_dealloc_mismatch=0:detect_leaks=1:print_scariness=1:max_uar_stack_size_log=16:\
301 handle_abort=1:check_malloc_usable_size=0:quarantine_size_mb=10:detect_odr_violation=0:\
302 symbolize=1:handle_segv=1:fast_unwind_on_fatal=0:external_symbolizer_path=/usr/bin/llvm-symbolizer-3.5
303 fi
304 ;;
305 nm|nm-no-glib)
306 DEPS="gnome-common libsecret-1-dev libgtk-3-dev libnm-dev libnma-dev"
307 if test "$TEST" = "nm"; then
308 DEPS="$DEPS libnm-glib-vpn-dev libnm-gtk-dev"
309 else
310 CONFIG="$CONFIG --without-libnm-glib"
311 fi
312 cd src/frontends/gnome
313 # don't run ./configure with ./autogen.sh
314 export NOCONFIGURE=1
315 ;;
316 dist)
317 TARGET=distcheck
318 ;;
319 apidoc)
320 DEPS="doxygen"
321 CONFIG="--disable-defaults"
322 TARGET=apidoc
323 ;;
324 lgtm)
325 DEPS="jq"
326
327 if test -z "$1"; then
328 base=$COMMIT_BASE
329 # after rebases or for new/duplicate branches, the passed base commit
330 # ID might not be valid
331 git rev-parse -q --verify $base^{commit}
332 if [ $? != 0 ]; then
333 # this will always compare against master, while via base we
334 # otherwise only contains "new" commits
335 base=$(git merge-base origin/master ${COMMIT_ID})
336 fi
337 base=$(git rev-parse $base)
338 project_id=1506185006272
339
340 echo "Starting code review for $COMMIT_ID (base $base) on lgtm.com"
341 git diff --binary $base > lgtm.patch || exit $?
342 curl -s -X POST --data-binary @lgtm.patch \
343 "https://lgtm.com/api/v1.0/codereviews/${project_id}?base=${base}&external-id=${BUILD_NUMBER}" \
344 -H 'Content-Type: application/octet-stream' \
345 -H 'Accept: application/json' \
346 -H "Authorization: Bearer ${LGTM_TOKEN}" > lgtm.res || exit $?
347 lgtm_check_url=$(jq -r '."task-result-url"' lgtm.res)
348 if [ -z "$lgtm_check_url" -o "$lgtm_check_url" = "null" ]; then
349 cat lgtm.res
350 exit 1
351 fi
352 lgtm_url=$(jq -r '."task-result"."results-url"' lgtm.res)
353 echo "Progress and full results: ${lgtm_url}"
354
355 echo -n "Waiting for completion: "
356 lgtm_status=pending
357 while [ "$lgtm_status" = "pending" ]; do
358 sleep 15
359 curl -s -X GET "${lgtm_check_url}" \
360 -H 'Accept: application/json' \
361 -H "Authorization: Bearer ${LGTM_TOKEN}" > lgtm.res
362 if [ $? != 0 ]; then
363 echo -n "-"
364 continue
365 fi
366 echo -n "."
367 lgtm_status=$(jq -r '.status' lgtm.res)
368 done
369 echo ""
370
371 if [ "$lgtm_status" != "success" ]; then
372 lgtm_message=$(jq -r '.["status-message"]' lgtm.res)
373 echo "Code review failed: ${lgtm_message}"
374 exit 1
375 fi
376 lgtm_new=$(jq -r '.languages[].new' lgtm.res | awk '{t+=$1} END {print t}')
377 lgtm_fixed=$(jq -r '.languages[].fixed' lgtm.res | awk '{t+=$1} END {print t}')
378 echo -n "Code review complete: "
379 printf "%b\n" "\e[1;31m${lgtm_new}\e[0m new alerts, \e[1;32m${lgtm_fixed}\e[0m fixed"
380 exit $lgtm_new
381 fi
382 ;;
383 *)
384 echo "$0: unknown test $TEST" >&2
385 exit 1
386 ;;
387 esac
388
389 case "$1" in
390 deps)
391 case "$OS_NAME" in
392 linux)
393 sudo apt-get update -qq && \
394 sudo apt-get install -qq bison flex gperf gettext $DEPS
395 ;;
396 macos)
397 brew update && \
398 brew install $DEPS
399 ;;
400 freebsd)
401 pkg install -y automake autoconf libtool pkgconf && \
402 pkg install -y bison flex gperf gettext $DEPS
403 ;;
404 esac
405 exit $?
406 ;;
407 pydeps)
408 test -z "$PYDEPS" || pip3 -q install --user $PYDEPS
409 exit $?
410 ;;
411 build-deps)
412 exit
413 ;;
414 *)
415 ;;
416 esac
417
418 CONFIG="$CONFIG
419 --disable-dependency-tracking
420 --enable-silent-rules
421 --enable-test-vectors
422 --enable-monolithic=${MONOLITHIC-no}
423 --enable-leak-detective=${LEAK_DETECTIVE-no}"
424
425 echo "$ ./autogen.sh"
426 ./autogen.sh || exit $?
427 echo "$ CC=$CC CFLAGS=\"$CFLAGS\" ./configure $CONFIG"
428 CC="$CC" CFLAGS="$CFLAGS" ./configure $CONFIG || exit $?
429
430 case "$TEST" in
431 apidoc)
432 exec 2>make.warnings
433 ;;
434 *)
435 ;;
436 esac
437
438 echo "$ make $TARGET"
439 case "$TEST" in
440 sonarcloud)
441 # without target, coverage is currently not supported anyway because
442 # sonarqube only supports gcov, not lcov
443 build-wrapper-linux-x86-64 --out-dir bw-output make -j4 || exit $?
444 ;;
445 *)
446 make -j4 $TARGET || exit $?
447 ;;
448 esac
449
450 case "$TEST" in
451 apidoc)
452 if test -s make.warnings; then
453 cat make.warnings
454 exit 1
455 fi
456 rm make.warnings
457 ;;
458 sonarcloud)
459 sonar-scanner \
460 -Dsonar.host.url=https://sonarcloud.io \
461 -Dsonar.projectKey=${SONAR_PROJECT} \
462 -Dsonar.organization=${SONAR_ORGANIZATION} \
463 -Dsonar.login=${SONAR_TOKEN} \
464 -Dsonar.projectVersion=$(git describe)+${BUILD_NUMBER} \
465 -Dsonar.sources=. \
466 -Dsonar.cfamily.threads=2 \
467 -Dsonar.cfamily.cache.enabled=true \
468 -Dsonar.cfamily.cache.path=$HOME/.sonar-cache \
469 -Dsonar.cfamily.build-wrapper-output=bw-output || exit $?
470 rm -r bw-output .scannerwork
471 ;;
472 android)
473 rm -r strongswan-*
474 cd src/frontends/android
475 echo "$ ./gradlew build"
476 NDK_CCACHE=ccache ./gradlew build || exit $?
477 ;;
478 *)
479 ;;
480 esac
481
482 # ensure there are no unignored build artifacts (or other changes) in the Git repo
483 unclean="$(git status --porcelain)"
484 if test -n "$unclean"; then
485 echo "Unignored build artifacts or other changes:"
486 echo "$unclean"
487 exit 1
488 fi