travis: Trigger code review on lgtm.com
[strongswan.git] / scripts / test.sh
1 #!/bin/bash
2 # Build script for Travis CI
3
4 build_botan()
5 {
6 # same revision used in the build recipe of the testing environment
7 BOTAN_REV=0881f2c33ff7 # 2.13.0 + amalgamation patch
8 BOTAN_DIR=$TRAVIS_BUILD_DIR/../botan
9
10 if test -d "$BOTAN_DIR"; then
11 return
12 fi
13
14 echo "$ build_botan()"
15
16 # if the leak detective is enabled we have to disable threading support
17 # (used for std::async) as that causes invalid frees somehow, the
18 # locking allocator causes a static leak via the first function that
19 # references it (e.g. crypter or hasher), so we disable that too
20 if test "$LEAK_DETECTIVE" = "yes"; then
21 BOTAN_CONFIG="--without-os-features=threads
22 --disable-modules=locking_allocator"
23 fi
24 # disable some larger modules we don't need for the tests
25 BOTAN_CONFIG="$BOTAN_CONFIG --disable-modules=pkcs11,tls,x509,xmss"
26
27 git clone https://github.com/randombit/botan.git $BOTAN_DIR &&
28 cd $BOTAN_DIR &&
29 git checkout -qf $BOTAN_REV &&
30 python ./configure.py --amalgamation $BOTAN_CONFIG &&
31 make -j4 libs >/dev/null &&
32 sudo make install >/dev/null &&
33 sudo ldconfig || exit $?
34 cd -
35 }
36
37 build_wolfssl()
38 {
39 WOLFSSL_REV=87859f9e810b # v4.3.0-stable + IBM Z patch
40 WOLFSSL_DIR=$TRAVIS_BUILD_DIR/../wolfssl
41
42 if test -d "$WOLFSSL_DIR"; then
43 return
44 fi
45
46 echo "$ build_wolfssl()"
47
48 WOLFSSL_CFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DES_ECB"
49 WOLFSSL_CONFIG="--enable-keygen --enable-rsapss --enable-aesccm
50 --enable-aesctr --enable-des3 --enable-camellia
51 --enable-curve25519 --enable-ed25519"
52
53 git clone https://github.com/wolfSSL/wolfssl.git $WOLFSSL_DIR &&
54 cd $WOLFSSL_DIR &&
55 git checkout -qf $WOLFSSL_REV &&
56 ./autogen.sh &&
57 ./configure C_EXTRA_FLAGS="$WOLFSSL_CFLAGS" $WOLFSSL_CONFIG &&
58 make -j4 >/dev/null &&
59 sudo make install >/dev/null &&
60 sudo ldconfig || exit $?
61 cd -
62 }
63
64 build_tss2()
65 {
66 TSS2_REV=2.3.1
67 TSS2_PKG=tpm2-tss-$TSS2_REV
68 TSS2_DIR=$TRAVIS_BUILD_DIR/../$TSS2_PKG
69 TSS2_SRC=https://github.com/tpm2-software/tpm2-tss/releases/download/$TSS2_REV/$TSS2_PKG.tar.gz
70
71 if test -d "$TSS2_DIR"; then
72 return
73 fi
74
75 echo "$ build_tss2()"
76
77 # the default version of libgcrypt in Ubuntu 16.04 is too old
78 sudo apt-get update -qq && \
79 sudo apt-get install -qq libgcrypt20-dev &&
80 curl -L $TSS2_SRC | tar xz -C $TRAVIS_BUILD_DIR/.. &&
81 cd $TSS2_DIR &&
82 ./configure --disable-doxygen-doc &&
83 make -j4 >/dev/null &&
84 sudo make install >/dev/null &&
85 sudo ldconfig || exit $?
86 cd -
87 }
88
89 if test -z $TRAVIS_BUILD_DIR; then
90 TRAVIS_BUILD_DIR=$PWD
91 fi
92
93 cd $TRAVIS_BUILD_DIR
94
95 TARGET=check
96
97 DEPS="libgmp-dev"
98
99 CFLAGS="-g -O2 -Wall -Wno-format -Wno-format-security -Wno-pointer-sign -Werror"
100
101 case "$TEST" in
102 default)
103 # should be the default, but lets make sure
104 CONFIG="--with-printf-hooks=glibc"
105 ;;
106 openssl*)
107 CONFIG="--disable-defaults --enable-pki --enable-openssl --enable-pem"
108 export TESTS_PLUGINS="test-vectors pem openssl!"
109 DEPS="libssl-dev"
110 ;;
111 gcrypt)
112 CONFIG="--disable-defaults --enable-pki --enable-gcrypt --enable-pkcs1"
113 export TESTS_PLUGINS="test-vectors pkcs1 gcrypt!"
114 DEPS="libgcrypt11-dev"
115 ;;
116 botan)
117 CONFIG="--disable-defaults --enable-pki --enable-botan --enable-pem"
118 export TESTS_PLUGINS="test-vectors pem botan!"
119 # we can't use the old package that comes with Ubuntu so we build from
120 # the current master until 2.8.0 is released and then probably switch to
121 # that unless we need newer features (at least 2.7.0 plus PKCS#1 patch is
122 # currently required)
123 DEPS=""
124 if test "$1" = "deps"; then
125 build_botan
126 fi
127 ;;
128 wolfssl)
129 CONFIG="--disable-defaults --enable-pki --enable-wolfssl --enable-pem"
130 export TESTS_PLUGINS="test-vectors pem wolfssl!"
131 # build with custom options to enable all the features the plugin supports
132 DEPS=""
133 if test "$1" = "deps"; then
134 build_wolfssl
135 fi
136 ;;
137 printf-builtin)
138 CONFIG="--with-printf-hooks=builtin"
139 ;;
140 all|coverage|sonarcloud)
141 CONFIG="--enable-all --disable-android-dns --disable-android-log
142 --disable-kernel-pfroute --disable-keychain
143 --disable-lock-profiler --disable-padlock --disable-fuzzing
144 --disable-osx-attr --disable-tkm --disable-uci
145 --disable-soup --disable-unwind-backtraces
146 --disable-svc --disable-dbghelp-backtraces --disable-socket-win
147 --disable-kernel-wfp --disable-kernel-iph --disable-winhttp"
148 # not enabled on the build server
149 CONFIG="$CONFIG --disable-af-alg"
150 if test "$TRAVIS_CPU_ARCH" != "amd64"; then
151 CONFIG="$CONFIG --disable-aesni --disable-rdrand"
152 fi
153 if test "$TEST" != "coverage"; then
154 CONFIG="$CONFIG --disable-coverage"
155 else
156 # not actually required but configure checks for it
157 DEPS="$DEPS lcov"
158 fi
159 DEPS="$DEPS libcurl4-gnutls-dev libsoup2.4-dev libunbound-dev libldns-dev
160 libmysqlclient-dev libsqlite3-dev clearsilver-dev libfcgi-dev
161 libpcsclite-dev libpam0g-dev binutils-dev libnm-dev
162 libjson-c-dev iptables-dev python-pip libtspi-dev libsystemd-dev"
163 PYDEPS="tox"
164 if test "$1" = "deps"; then
165 build_botan
166 build_wolfssl
167 build_tss2
168 fi
169 ;;
170 win*)
171 CONFIG="--disable-defaults --enable-svc --enable-ikev2
172 --enable-ikev1 --enable-static --enable-test-vectors --enable-nonce
173 --enable-constraints --enable-revocation --enable-pem --enable-pkcs1
174 --enable-pkcs8 --enable-x509 --enable-pubkey --enable-acert
175 --enable-eap-tnc --enable-eap-ttls --enable-eap-identity
176 --enable-updown --enable-ext-auth --enable-libipsec
177 --enable-tnccs-20 --enable-imc-attestation --enable-imv-attestation
178 --enable-imc-os --enable-imv-os --enable-tnc-imv --enable-tnc-imc
179 --enable-pki --enable-swanctl --enable-socket-win
180 --enable-kernel-iph --enable-kernel-wfp --enable-winhttp"
181 # no make check for Windows binaries unless we run on a windows host
182 if test "$APPVEYOR" != "True"; then
183 TARGET=
184 CCACHE=ccache
185 else
186 CONFIG="$CONFIG --enable-openssl"
187 CFLAGS="$CFLAGS -I/c/OpenSSL-$TEST/include"
188 LDFLAGS="-L/c/OpenSSL-$TEST"
189 export LDFLAGS
190 fi
191 CFLAGS="$CFLAGS -mno-ms-bitfields"
192 DEPS="gcc-mingw-w64-base"
193 case "$TEST" in
194 win64)
195 CONFIG="--host=x86_64-w64-mingw32 $CONFIG --enable-dbghelp-backtraces"
196 DEPS="gcc-mingw-w64-x86-64 binutils-mingw-w64-x86-64 mingw-w64-x86-64-dev $DEPS"
197 CC="$CCACHE x86_64-w64-mingw32-gcc"
198 ;;
199 win32)
200 CONFIG="--host=i686-w64-mingw32 $CONFIG"
201 DEPS="gcc-mingw-w64-i686 binutils-mingw-w64-i686 mingw-w64-i686-dev $DEPS"
202 CC="$CCACHE i686-w64-mingw32-gcc"
203 ;;
204 esac
205 ;;
206 osx)
207 # this causes a false positive in ip-packet.c since Xcode 8.3
208 CFLAGS="$CFLAGS -Wno-address-of-packed-member"
209 # use the same options as in the Homebrew Formula
210 CONFIG="--disable-defaults --enable-charon --enable-cmd --enable-constraints
211 --enable-curl --enable-eap-gtc --enable-eap-identity
212 --enable-eap-md5 --enable-eap-mschapv2 --enable-ikev1 --enable-ikev2
213 --enable-kernel-libipsec --enable-kernel-pfkey
214 --enable-kernel-pfroute --enable-nonce --enable-openssl
215 --enable-osx-attr --enable-pem --enable-pgp --enable-pkcs1
216 --enable-pkcs8 --enable-pki --enable-pubkey --enable-revocation
217 --enable-scepclient --enable-socket-default --enable-sshkey
218 --enable-stroke --enable-swanctl --enable-unity --enable-updown
219 --enable-x509 --enable-xauth-generic"
220 DEPS="bison gettext openssl curl"
221 BREW_PREFIX=$(brew --prefix)
222 export PATH=$BREW_PREFIX/opt/bison/bin:$PATH
223 export ACLOCAL_PATH=$BREW_PREFIX/opt/gettext/share/aclocal:$ACLOCAL_PATH
224 for pkg in openssl curl
225 do
226 PKG_CONFIG_PATH=$BREW_PREFIX/opt/$pkg/lib/pkgconfig:$PKG_CONFIG_PATH
227 CPPFLAGS="-I$BREW_PREFIX/opt/$pkg/include $CPPFLAGS"
228 LDFLAGS="-L$BREW_PREFIX/opt/$pkg/lib $LDFLAGS"
229 done
230 export PKG_CONFIG_PATH
231 export CPPFLAGS
232 export LDFLAGS
233 ;;
234 freebsd)
235 # use the options of the FreeBSD port (including options), except smp,
236 # which requires a patch but is deprecated anyway, only using the builtin
237 # printf hooks
238 CONFIG="--enable-kernel-pfkey --enable-kernel-pfroute --disable-scripts
239 --disable-kernel-netlink --enable-openssl --enable-eap-identity
240 --enable-eap-md5 --enable-eap-tls --enable-eap-mschapv2
241 --enable-eap-peap --enable-eap-ttls --enable-md4 --enable-blowfish
242 --enable-addrblock --enable-whitelist --enable-cmd --enable-curl
243 --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-dynamic
244 --enable-eap-radius --enable-eap-sim --enable-eap-sim-file
245 --enable-gcm --enable-ipseckey --enable-kernel-libipsec
246 --enable-load-tester --enable-ldap --enable-mediation
247 --enable-mysql --enable-sqlite --enable-tpm --enable-unbound
248 --enable-unity --enable-xauth-eap --enable-xauth-pam
249 --with-printf-hooks=builtin --enable-attr-sql --enable-sql"
250 DEPS="gmp openldap-client libxml2 mysql80-client sqlite3 unbound ldns"
251 export GPERF=/usr/local/bin/gperf
252 export LEX=/usr/local/bin/flex
253 ;;
254 fuzzing)
255 CFLAGS="$CFLAGS -DNO_CHECK_MEMWIPE"
256 CONFIG="--enable-fuzzing --enable-static --disable-shared --disable-scripts
257 --enable-imc-test --enable-tnccs-20"
258 # don't run any of the unit tests
259 export TESTS_RUNNERS=
260 # prepare corpora
261 if test -z "$1"; then
262 if test -z "$FUZZING_CORPORA"; then
263 git clone --depth 1 https://github.com/strongswan/fuzzing-corpora.git fuzzing-corpora
264 export FUZZING_CORPORA=$TRAVIS_BUILD_DIR/fuzzing-corpora
265 fi
266 # these are about the same as those on OSS-Fuzz (except for the
267 # symbolize options and strip_path_prefix)
268 export ASAN_OPTIONS=redzone=16:handle_sigill=1:strict_string_check=1:\
269 allocator_release_to_os_interval_ms=500:strict_memcmp=1:detect_container_overflow=1:\
270 coverage=0:allocator_may_return_null=1:use_sigaltstack=1:detect_stack_use_after_return=1:\
271 alloc_dealloc_mismatch=0:detect_leaks=1:print_scariness=1:max_uar_stack_size_log=16:\
272 handle_abort=1:check_malloc_usable_size=0:quarantine_size_mb=10:detect_odr_violation=0:\
273 symbolize=1:handle_segv=1:fast_unwind_on_fatal=0:external_symbolizer_path=/usr/bin/llvm-symbolizer-3.5
274 fi
275 ;;
276 dist)
277 TARGET=distcheck
278 ;;
279 apidoc)
280 DEPS="doxygen"
281 CONFIG="--disable-defaults"
282 TARGET=apidoc
283 ;;
284 lgtm)
285 DEPS="jq"
286
287 if test -z "$1"; then
288 # fall back to the parent of the latest commit (on new branches we might
289 # not have a range, also on duplicate branches)
290 base="${TRAVIS_COMMIT}^"
291 if test -n "$TRAVIS_COMMIT_RANGE"; then
292 base="${TRAVIS_COMMIT_RANGE%...*}"
293 # after rebases, the first commit ID in the range might not be valid
294 git rev-parse -q --verify $base
295 if [ $? != 0 ]; then
296 # this will always compare against master, while the range
297 # otherwise only contains "new" commits
298 base=$(git merge-base origin/master ${TRAVIS_COMMIT})
299 fi
300 fi
301 base=$(git rev-parse $base)
302 project_id=1506185006272
303
304 echo "Starting code review for $TRAVIS_COMMIT (base $base) on lgtm.com"
305 git diff --binary $base > lgtm.patch || exit $?
306 curl -s -X POST --data-binary @lgtm.patch \
307 "https://lgtm.com/api/v1.0/codereviews/${project_id}?base=${base}&external-id=${TRAVIS_BUILD_NUMBER}" \
308 -H 'Content-Type: application/octet-stream' \
309 -H 'Accept: application/json' \
310 -H "Authorization: Bearer ${LGTM_TOKEN}" > lgtm.res || exit $?
311 lgtm_check_url=$(jq -r '."task-result-url"' lgtm.res)
312 if [ "$lgtm_check_url" == "null" ]; then
313 cat lgtm.res | jq
314 exit 1
315 fi
316 lgtm_url=$(jq -r '."task-result"."results-url"' lgtm.res)
317 echo "Progress and full results: ${lgtm_url}"
318
319 echo -n "Waiting for completion: "
320 lgtm_status=pending
321 while [ "$lgtm_status" = "pending" ]; do
322 sleep 15
323 curl -s -X GET "${lgtm_check_url}" \
324 -H 'Accept: application/json' \
325 -H "Authorization: Bearer ${LGTM_TOKEN}" > lgtm.res
326 if [ $? != 0 ]; then
327 echo -n "-"
328 continue
329 fi
330 echo -n "."
331 lgtm_status=$(jq -r '.status' lgtm.res)
332 done
333 echo ""
334
335 if [ "$lgtm_status" != "success" ]; then
336 lgtm_message=$(jq -r '.["status-message"]' lgtm.res)
337 echo "Code review failed: ${lgtm_message}"
338 exit 1
339 fi
340 lgtm_new=$(jq -r '.languages[].new' lgtm.res | awk '{t+=$1} END {print t}')
341 lgtm_fixed=$(jq -r '.languages[].fixed' lgtm.res | awk '{t+=$1} END {print t}')
342 echo -n "Code review complete: "
343 echo -e "\e[1;31m${lgtm_new}\e[0m new alerts, \e[1;32m${lgtm_fixed}\e[0m fixed"
344 exit $lgtm_new
345 fi
346 ;;
347 *)
348 echo "$0: unknown test $TEST" >&2
349 exit 1
350 ;;
351 esac
352
353 if test "$1" = "deps"; then
354 case "$TRAVIS_OS_NAME" in
355 linux)
356 sudo apt-get update -qq && \
357 sudo apt-get install -qq bison flex gperf gettext $DEPS
358 ;;
359 osx)
360 brew update && \
361 brew install $DEPS
362 ;;
363 freebsd)
364 pkg install -y automake autoconf libtool pkgconf && \
365 pkg install -y bison flex gperf gettext $DEPS
366 ;;
367 esac
368 exit $?
369 fi
370
371 if test "$1" = "pydeps"; then
372 test -z "$PYDEPS" || pip -q install --user $PYDEPS
373 exit $?
374 fi
375
376 CONFIG="$CONFIG
377 --disable-dependency-tracking
378 --enable-silent-rules
379 --enable-test-vectors
380 --enable-monolithic=${MONOLITHIC-no}
381 --enable-leak-detective=${LEAK_DETECTIVE-no}"
382
383 echo "$ ./autogen.sh"
384 ./autogen.sh || exit $?
385 echo "$ CC=$CC CFLAGS=\"$CFLAGS\" ./configure $CONFIG"
386 CC="$CC" CFLAGS="$CFLAGS" ./configure $CONFIG || exit $?
387
388 case "$TEST" in
389 apidoc)
390 exec 2>make.warnings
391 ;;
392 *)
393 ;;
394 esac
395
396 echo "$ make $TARGET"
397 case "$TEST" in
398 sonarcloud)
399 # there is an issue with the platform detection that causes sonarqube to
400 # fail on bionic with "ERROR: ld.so: object '...libinterceptor-${PLATFORM}.so'
401 # from LD_PRELOAD cannot be preloaded (cannot open shared object file)"
402 # https://jira.sonarsource.com/browse/CPP-2027
403 BW_PATH=$(dirname $(which build-wrapper-linux-x86-64))
404 cp $BW_PATH/libinterceptor-x86_64.so $BW_PATH/libinterceptor-haswell.so
405 # without target, coverage is currently not supported anyway because
406 # sonarqube only supports gcov, not lcov
407 build-wrapper-linux-x86-64 --out-dir bw-output make -j4 || exit $?
408 ;;
409 *)
410 make -j4 $TARGET || exit $?
411 ;;
412 esac
413
414 case "$TEST" in
415 apidoc)
416 if test -s make.warnings; then
417 cat make.warnings
418 exit 1
419 fi
420 rm make.warnings
421 ;;
422 sonarcloud)
423 sonar-scanner \
424 -Dsonar.projectKey=strongswan \
425 -Dsonar.projectVersion=$(git describe)+${TRAVIS_BUILD_NUMBER} \
426 -Dsonar.sources=. \
427 -Dsonar.cfamily.threads=2 \
428 -Dsonar.cfamily.build-wrapper-output=bw-output || exit $?
429 rm -r bw-output .scannerwork
430 ;;
431 *)
432 ;;
433 esac
434
435 # ensure there are no unignored build artifacts (or other changes) in the Git repo
436 unclean="$(git status --porcelain)"
437 if test -n "$unclean"; then
438 echo "Unignored build artifacts or other changes:"
439 echo "$unclean"
440 exit 1
441 fi