From 25505898530a333011f4fd5cbc841ad6b26c089c Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 16:40:04 +0200 Subject: Adding upstream version 1:9.2p1. Signed-off-by: Daniel Baumann --- .github/ci-status.md | 10 ++ .github/configs | 313 +++++++++++++++++++++++++++++++++++++++ .github/configure.sh | 21 +++ .github/run_test.sh | 48 ++++++ .github/setup_ci.sh | 201 +++++++++++++++++++++++++ .github/workflows/c-cpp.yml | 125 ++++++++++++++++ .github/workflows/cifuzz.yml | 32 ++++ .github/workflows/selfhosted.yml | 116 +++++++++++++++ .github/workflows/upstream.yml | 52 +++++++ 9 files changed, 918 insertions(+) create mode 100644 .github/ci-status.md create mode 100755 .github/configs create mode 100755 .github/configure.sh create mode 100755 .github/run_test.sh create mode 100755 .github/setup_ci.sh create mode 100644 .github/workflows/c-cpp.yml create mode 100644 .github/workflows/cifuzz.yml create mode 100644 .github/workflows/selfhosted.yml create mode 100644 .github/workflows/upstream.yml (limited to '.github') diff --git a/.github/ci-status.md b/.github/ci-status.md new file mode 100644 index 0000000..d13bbfa --- /dev/null +++ b/.github/ci-status.md @@ -0,0 +1,10 @@ +master : +[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:master) +[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:master) +[![Upstream self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/upstream.yml/badge.svg)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/upstream.yml?query=branch:master) +[![CIFuzz](https://github.com/openssh/openssh-portable/actions/workflows/cifuzz.yml/badge.svg)](https://github.com/openssh/openssh-portable/actions/workflows/cifuzz.yml) +[![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/openssh.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:openssh) + +9.1 : +[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_1)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_1) +[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_1)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_1) diff --git a/.github/configs b/.github/configs new file mode 100755 index 0000000..bdd5ddb --- /dev/null +++ b/.github/configs @@ -0,0 +1,313 @@ +#!/bin/sh +# +# usage: configs vmname test_config (or '' for default) +# +# Sets the following variables: +# CONFIGFLAGS options to ./configure +# SSHD_CONFOPTS sshd_config options +# TEST_TARGET make target used when testing. defaults to "tests". +# LTESTS + +config=$1 +if [ "$config" = "" ]; then + config="default" +fi + +unset CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO + +TEST_TARGET="tests compat-tests" +LTESTS="" +SKIP_LTESTS="" +SUDO=sudo # run with sudo by default +TEST_SSH_UNSAFE_PERMISSIONS=1 +# Stop on first test failure to minimize logs +TEST_SSH_FAIL_FATAL=yes + +CONFIGFLAGS="" +LIBCRYPTOFLAGS="" + +case "$config" in + default|sol64) + ;; + c89) + CC="gcc" + CFLAGS="-Wall -std=c89 -pedantic -Werror=vla" + CONFIGFLAGS="--without-zlib" + LIBCRYPTOFLAGS="--without-openssl" + TEST_TARGET=t-exec + ;; + cygwin-release) + # See https://cygwin.com/git/?p=git/cygwin-packages/openssh.git;a=blob;f=openssh.cygport;hb=HEAD + CONFIGFLAGS="--with-xauth=/usr/bin/xauth --with-security-key-builtin" + CONFIGFLAGS="$CONFIGFLAGS --with-kerberos5=/usr --with-libedit --disable-strip" + ;; + clang-12-Werror) + CC="clang-12" + # clang's implicit-fallthrough requires that the code be annotated with + # __attribute__((fallthrough)) and does not understand /* FALLTHROUGH */ + CFLAGS="-Wall -Wextra -O2 -Wno-error=implicit-fallthrough -Wno-error=unused-parameter" + CONFIGFLAGS="--with-pam --with-Werror" + ;; + *-sanitize-*) + case "$config" in + gcc-*) + CC=gcc + ;; + clang-*) + # Find the newest available version of clang + for i in `seq 10 99`; do + clang="`which clang-$i 2>/dev/null`" + [ -x "$clang" ] && CC="$clang" + done + ;; + esac + # Put Sanitizer logs in regress dir. + SANLOGS=`pwd`/regress + # - We replace chroot with chdir so that the sanitizer in the preauth + # privsep process can read /proc. + # - clang does not recognizes explicit_bzero so we use bzero + # (see https://github.com/google/sanitizers/issues/1507 + # - openssl and zlib trip ASAN. + # - sp_pwdp returned by getspnam trips ASAN, hence disabling shadow. + case "$config" in + *-sanitize-address) + CFLAGS="-fsanitize=address -fno-omit-frame-pointer" + LDFLAGS="-fsanitize=address" + CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -D_FORTIFY_SOURCE=0 -DASAN_OPTIONS=\"detect_leaks=0:log_path='$SANLOGS'/asan.log\"' + CONFIGFLAGS="" + TEST_TARGET="t-exec" + ;; + clang-sanitize-memory) + CFLAGS="-fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer" + LDFLAGS="-fsanitize=memory" + CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -DMSAN_OPTIONS=\"log_path='$SANLOGS'/msan.log\"' + CONFIGFLAGS="--without-openssl --without-zlib --without-shadow" + TEST_TARGET="t-exec" + ;; + *-sanitize-undefined) + CFLAGS="-fsanitize=undefined" + LDFLAGS="-fsanitize=undefined" + ;; + *) + echo unknown sanitize option; + exit 1;; + esac + features="--disable-security-key --disable-pkcs11" + hardening="--without-sandbox --without-hardening --without-stackprotect" + privsep="--with-privsep-user=root" + CONFIGFLAGS="$CONFIGFLAGS $features $hardening $privsep" + # Because we hobble chroot we can't test it. + SKIP_LTESTS=sftp-chroot + ;; + gcc-11-Werror) + CC="gcc" + # -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled + CFLAGS="-Wall -Wextra -O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter" + CONFIGFLAGS="--with-pam --with-Werror" + ;; + clang*|gcc*) + CC="$config" + ;; + kitchensink) + CONFIGFLAGS="--with-kerberos5 --with-libedit --with-pam" + CONFIGFLAGS="${CONFIGFLAGS} --with-security-key-builtin --with-selinux" + CFLAGS="-DSK_DEBUG -DSANDBOX_SECCOMP_FILTER_DEBUG" + ;; + hardenedmalloc) + CONFIGFLAGS="--with-ldflags=-lhardened_malloc" + ;; + tcmalloc) + CONFIGFLAGS="--with-ldflags=-ltcmalloc" + ;; + krb5|heimdal) + CONFIGFLAGS="--with-kerberos5" + ;; + libedit) + CONFIGFLAGS="--with-libedit" + ;; + musl) + CC="musl-gcc" + CONFIGFLAGS="--without-zlib" + LIBCRYPTOFLAGS="--without-openssl" + TEST_TARGET="t-exec" + ;; + pam-krb5) + CONFIGFLAGS="--with-pam --with-kerberos5" + SSHD_CONFOPTS="UsePam yes" + ;; + *pam) + CONFIGFLAGS="--with-pam" + SSHD_CONFOPTS="UsePam yes" + ;; + libressl-*) + LIBCRYPTOFLAGS="--with-ssl-dir=/opt/libressl --with-rpath=-Wl,-rpath," + ;; + openssl-*) + LIBCRYPTOFLAGS="--with-ssl-dir=/opt/openssl --with-rpath=-Wl,-rpath," + # OpenSSL 1.1.1 specifically has a bug in its RNG that breaks reexec + # fallback. See https://bugzilla.mindrot.org/show_bug.cgi?id=3483 + if [ "$config" = "openssl-1.1.1" ]; then + SKIP_LTESTS="reexec" + fi + ;; + selinux) + CONFIGFLAGS="--with-selinux" + ;; + sk) + CONFIGFLAGS="--with-security-key-builtin" + ;; + without-openssl) + LIBCRYPTOFLAGS="--without-openssl" + TEST_TARGET=t-exec + ;; + valgrind-[1-5]|valgrind-unit) + # rlimit sandbox and FORTIFY_SOURCE confuse Valgrind. + CONFIGFLAGS="--without-sandbox --without-hardening" + CONFIGFLAGS="$CONFIGFLAGS --with-cppflags=-D_FORTIFY_SOURCE=0" + TEST_TARGET="t-exec USE_VALGRIND=1" + TEST_SSH_ELAPSED_TIMES=1 + export TEST_SSH_ELAPSED_TIMES + # Valgrind slows things down enough that the agent timeout test + # won't reliably pass, and the unit tests run longer than allowed + # by github so split into separate tests. + tests2="integrity try-ciphers" + tests3="krl forward-control sshsig agent-restrict kextype sftp" + tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment percent" + tests5="rekey" + case "$config" in + valgrind-1) + # All tests except agent-timeout (which is flaky under valgrind), + # connection-timeout (which doesn't work since it's so slow) + # and hostbased (since valgrind won't let ssh exec keysign). + # Slow ones are run separately to increase parallelism. + SKIP_LTESTS="agent-timeout connection-timeout hostbased" + SKIP_LTESTS="$SKIP_LTESTS ${tests2} ${tests3} ${tests4} ${tests5}" + ;; + valgrind-2) + LTESTS="${tests2}" + ;; + valgrind-3) + LTESTS="${tests3}" + ;; + valgrind-4) + LTESTS="${tests4}" + ;; + valgrind-5) + LTESTS="${tests5}" + ;; + valgrind-unit) + TEST_TARGET="unit USE_VALGRIND=1" + ;; + esac + ;; + *) + echo "Unknown configuration $config" + exit 1 + ;; +esac + +# The Solaris 64bit targets are special since they need a non-flag arg. +case "$config" in + sol64*) + CONFIGFLAGS="x86_64 --with-cflags=-m64 --with-ldflags=-m64 ${CONFIGFLAGS}" + LIBCRYPTOFLAGS="--with-ssl-dir=/usr/local/ssl64" + ;; +esac + +case "${TARGET_HOST}" in + aix*) + # These are slow real or virtual machines so skip the slowest tests + # (which tend to be thw ones that transfer lots of data) so that the + # test run does not time out. + # The agent-restrict test fails due to some quoting issue when run + # with sh or ksh so specify bash for now. + TEST_TARGET="t-exec TEST_SHELL=bash" + SKIP_LTESTS="rekey sftp" + ;; + debian-riscv64) + # This machine is fairly slow, so skip the unit tests. + TEST_TARGET="t-exec" + ;; + dfly58*|dfly60*) + # scp 3-way connection hangs on these so skip until sorted. + SKIP_LTESTS=scp3 + ;; + fbsd6) + # Native linker is not great with PIC so OpenSSL is built w/out. + CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key" + ;; + hurd) + SKIP_LTESTS="forwarding multiplex proxy-connect hostkey-agent agent-ptrace" + ;; + minix3) + LIBCRYPTOFLAGS="--without-openssl --disable-security-key" + # Minix does not have a loopback interface so we have to skip any + # test that relies on one. + # Also, Minix seems to be very limited in the number of select() + # calls that can be operating concurrently, so prune additional tests for that. + T="addrmatch agent-restrict brokenkeys cfgmatch cfgmatchlisten cfgparse + connect connect-uri exit-status forwarding hostkey-agent + key-options keyscan knownhosts-command login-timeout + reconfigure reexec rekey scp scp-uri scp3 sftp sftp-badcmds + sftp-batch sftp-cmds sftp-glob sftp-perm sftp-uri stderr-data + transfer" + # Unix domain sockets don't work quite like we expect, so also skip any tests + # that use multiplexing. + T="$T connection-timeout dynamic-forward forward-control multiplex" + SKIP_LTESTS="$(echo $T)" + TEST_TARGET=t-exec + SUDO="" + ;; + nbsd4) + # System compiler will ICE on some files with fstack-protector + # SHA256 functions in sha2.h conflict with OpenSSL's breaking sk-dummy + CONFIGFLAGS="${CONFIGFLAGS} --without-hardening --disable-security-key" + ;; + openwrt-*) + CONFIGFLAGS="${CONFIGFLAGS} --without-openssl --without-zlib" + TEST_TARGET="t-exec" + ;; + sol10|sol11) + # sol10 VM is 32bit and the unit tests are slow. + # sol11 has 4 test configs so skip unit tests to speed up. + TEST_TARGET="tests SKIP_UNIT=1" + ;; + win10) + # No sudo on Windows. + SUDO="" + ;; +esac + +case "`./config.guess`" in +*cygwin) + SUDO="" + # Don't run compat tests on cygwin as they don't currently compile. + TEST_TARGET="tests" + ;; +*-darwin*) + # Unless specified otherwise, build without OpenSSL on Mac OS since + # modern versions don't ship with libcrypto. + LIBCRYPTOFLAGS="--without-openssl" + TEST_TARGET=t-exec + ;; +esac + +# If we have a local openssl/libressl, use that. +if [ -z "${LIBCRYPTOFLAGS}" ]; then + # last-match + for i in /usr/local /usr/local/ssl /usr/local/opt/openssl; do + if [ -x ${i}/bin/openssl ]; then + LIBCRYPTOFLAGS="--with-ssl-dir=${i}" + fi + done +fi + +CONFIGFLAGS="${CONFIGFLAGS} ${LIBCRYPTOFLAGS}" + +if [ -x "$(which plink 2>/dev/null)" ]; then + REGRESS_INTEROP_PUTTY=yes + export REGRESS_INTEROP_PUTTY +fi + +export CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO +export TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS TEST_SSH_FAIL_FATAL diff --git a/.github/configure.sh b/.github/configure.sh new file mode 100755 index 0000000..bd00377 --- /dev/null +++ b/.github/configure.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +. .github/configs $1 + +printf "$ " + +if [ "x$CC" != "x" ]; then + printf "CC='$CC' " +fi +if [ "x$CFLAGS" != "x" ]; then + printf "CFLAGS='$CFLAGS' " +fi +if [ "x$CPPFLAGS" != "x" ]; then + printf "CPPFLAGS='$CPPFLAGS' " +fi +if [ "x$LDFLAGS" != "x" ]; then + printf "LDFLAGS='$LDFLAGS' " +fi + +echo ./configure ${CONFIGFLAGS} +./configure ${CONFIGFLAGS} 2>&1 diff --git a/.github/run_test.sh b/.github/run_test.sh new file mode 100755 index 0000000..8eeaf5e --- /dev/null +++ b/.github/run_test.sh @@ -0,0 +1,48 @@ +#!/bin/sh + +. .github/configs $1 + +[ -z "${SUDO}" ] || ${SUDO} mkdir -p /var/empty + +set -ex + +# If we want to test hostbased auth, set up the host for it. +if [ ! -z "$SUDO" ] && [ ! -z "$TEST_SSH_HOSTBASED_AUTH" ]; then + sshconf=/usr/local/etc + hostname | $SUDO tee $sshconf/shosts.equiv >/dev/null + echo "EnableSSHKeysign yes" | $SUDO tee $sshconf/ssh_config >/dev/null + $SUDO mkdir -p $sshconf + $SUDO cp -p /etc/ssh/ssh_host*key* $sshconf + $SUDO make install + for key in $sshconf/ssh_host*key*.pub; do + echo `hostname` `cat $key` | \ + $SUDO tee -a $sshconf/ssh_known_hosts >/dev/null + done +fi + +output_failed_logs() { + for i in regress/failed*; do + if [ -f "$i" ]; then + echo ------------------------------------------------------------------------- + echo LOGFILE $i + cat $i + echo ------------------------------------------------------------------------- + fi + done +} +trap output_failed_logs 0 + +if [ -z "${LTESTS}" ]; then + make ${TEST_TARGET} SKIP_LTESTS="${SKIP_LTESTS}" +else + make ${TEST_TARGET} SKIP_LTESTS="${SKIP_LTESTS}" LTESTS="${LTESTS}" +fi + +if [ ! -z "${SSHD_CONFOPTS}" ]; then + echo "rerunning t-exec with TEST_SSH_SSHD_CONFOPTS='${SSHD_CONFOPTS}'" + if [ -z "${LTESTS}" ]; then + make t-exec SKIP_LTESTS="${SKIP_LTESTS}" TEST_SSH_SSHD_CONFOPTS="${SSHD_CONFOPTS}" + else + make t-exec SKIP_LTESTS="${SKIP_LTESTS}" LTESTS="${LTESTS}" TEST_SSH_SSHD_CONFOPTS="${SSHD_CONFOPTS}" + fi +fi diff --git a/.github/setup_ci.sh b/.github/setup_ci.sh new file mode 100755 index 0000000..e4480e6 --- /dev/null +++ b/.github/setup_ci.sh @@ -0,0 +1,201 @@ +#!/bin/sh + +PACKAGES="" + + . .github/configs $@ + +case "`./config.guess`" in +*cygwin) + PACKAGER=setup + echo Setting CYGWIN sustem environment variable. + setx CYGWIN "binmode" + chmod -R go-rw /cygdrive/d/a + umask 077 + PACKAGES="$PACKAGES,autoconf,automake,cygwin-devel,gcc-core" + PACKAGES="$PACKAGES,make,openssl-devel,zlib-devel" + ;; +*-darwin*) + PACKAGER=brew + brew install automake + exit 0 + ;; +*) + PACKAGER=apt +esac + +TARGETS=$@ + +INSTALL_FIDO_PPA="no" +export DEBIAN_FRONTEND=noninteractive + +#echo "Setting up for '$TARGETS'" + +set -ex + +if [ -x "`which lsb_release 2>&1`" ]; then + lsb_release -a +fi + +# Ubuntu 22.04 defaults to private home dirs which prevent the +# agent-getpeerid test from running ssh-add as nobody. See +# https://github.com/actions/runner-images/issues/6106 +if [ ! -z "$SUDO" ] && ! "$SUDO" -u nobody test -x ~; then + echo ~ is not executable by nobody, adding perms. + chmod go+x ~ +fi + +if [ "${TARGETS}" = "kitchensink" ]; then + TARGETS="krb5 libedit pam sk selinux" +fi + +for flag in $CONFIGFLAGS; do + case "$flag" in + --with-pam) TARGETS="${TARGETS} pam" ;; + --with-libedit) TARGETS="${TARGETS} libedit" ;; + esac +done + +for TARGET in $TARGETS; do + case $TARGET in + default|without-openssl|without-zlib|c89) + # nothing to do + ;; + clang-sanitize*) + PACKAGES="$PACKAGES clang-12" + ;; + cygwin-release) + PACKAGES="$PACKAGES libcrypt-devel libfido2-devel libkrb5-devel" + ;; + gcc-sanitize*) + ;; + clang-*|gcc-*) + compiler=$(echo $TARGET | sed 's/-Werror//') + PACKAGES="$PACKAGES $compiler" + ;; + krb5) + PACKAGES="$PACKAGES libkrb5-dev" + ;; + heimdal) + PACKAGES="$PACKAGES heimdal-dev" + ;; + libedit) + case "$PACKAGER" in + setup) PACKAGES="$PACKAGES libedit-devel" ;; + apt) PACKAGES="$PACKAGES libedit-dev" ;; + esac + ;; + *pam) + PACKAGES="$PACKAGES libpam0g-dev" + ;; + sk) + INSTALL_FIDO_PPA="yes" + PACKAGES="$PACKAGES libfido2-dev libu2f-host-dev libcbor-dev" + ;; + selinux) + PACKAGES="$PACKAGES libselinux1-dev selinux-policy-dev" + ;; + hardenedmalloc) + INSTALL_HARDENED_MALLOC=yes + ;; + musl) + PACKAGES="$PACKAGES musl-tools" + ;; + tcmalloc) + PACKAGES="$PACKAGES libgoogle-perftools-dev" + ;; + openssl-noec) + INSTALL_OPENSSL=OpenSSL_1_1_1k + SSLCONFOPTS="no-ec" + ;; + openssl-*) + INSTALL_OPENSSL=$(echo ${TARGET} | cut -f2 -d-) + case ${INSTALL_OPENSSL} in + 1.1.1_stable) INSTALL_OPENSSL="OpenSSL_1_1_1-stable" ;; + 1.*) INSTALL_OPENSSL="OpenSSL_$(echo ${INSTALL_OPENSSL} | tr . _)" ;; + 3.*) INSTALL_OPENSSL="openssl-${INSTALL_OPENSSL}" ;; + esac + PACKAGES="${PACKAGES} putty-tools" + ;; + libressl-*) + INSTALL_LIBRESSL=$(echo ${TARGET} | cut -f2 -d-) + case ${INSTALL_LIBRESSL} in + master) ;; + *) INSTALL_LIBRESSL="$(echo ${TARGET} | cut -f2 -d-)" ;; + esac + PACKAGES="${PACKAGES} putty-tools" + ;; + valgrind*) + PACKAGES="$PACKAGES valgrind" + ;; + *) echo "Invalid option '${TARGET}'" + exit 1 + ;; + esac +done + +if [ "yes" = "$INSTALL_FIDO_PPA" ]; then + sudo apt update -qq + sudo apt install -qy software-properties-common + sudo apt-add-repository -y ppa:yubico/stable +fi + +tries=3 +while [ ! -z "$PACKAGES" ] && [ "$tries" -gt "0" ]; do + case "$PACKAGER" in + apt) + sudo apt update -qq + if sudo apt install -qy $PACKAGES; then + PACKAGES="" + fi + ;; + setup) + if /cygdrive/c/setup.exe -q -P `echo "$PACKAGES" | tr ' ' ,`; then + PACKAGES="" + fi + ;; + esac + if [ ! -z "$PACKAGES" ]; then + sleep 90 + fi + tries=$(($tries - 1)) +done +if [ ! -z "$PACKAGES" ]; then + echo "Package installation failed." + exit 1 +fi + +if [ "${INSTALL_HARDENED_MALLOC}" = "yes" ]; then + (cd ${HOME} && + git clone https://github.com/GrapheneOS/hardened_malloc.git && + cd ${HOME}/hardened_malloc && + make -j2 && sudo cp out/libhardened_malloc.so /usr/lib/) +fi + +if [ ! -z "${INSTALL_OPENSSL}" ]; then + (cd ${HOME} && + git clone https://github.com/openssl/openssl.git && + cd ${HOME}/openssl && + git checkout ${INSTALL_OPENSSL} && + ./config no-threads shared ${SSLCONFOPTS} \ + --prefix=/opt/openssl && + make && sudo make install_sw) +fi + +if [ ! -z "${INSTALL_LIBRESSL}" ]; then + if [ "${INSTALL_LIBRESSL}" = "master" ]; then + (mkdir -p ${HOME}/libressl && cd ${HOME}/libressl && + git clone https://github.com/libressl-portable/portable.git && + cd ${HOME}/libressl/portable && + git checkout ${INSTALL_LIBRESSL} && + sh update.sh && sh autogen.sh && + ./configure --prefix=/opt/libressl && + make -j2 && sudo make install) + else + LIBRESSL_URLBASE=https://cdn.openbsd.org/pub/OpenBSD/LibreSSL + (cd ${HOME} && + wget ${LIBRESSL_URLBASE}/libressl-${INSTALL_LIBRESSL}.tar.gz && + tar xfz libressl-${INSTALL_LIBRESSL}.tar.gz && + cd libressl-${INSTALL_LIBRESSL} && + ./configure --prefix=/opt/libressl && make -j2 && sudo make install) + fi +fi diff --git a/.github/workflows/c-cpp.yml b/.github/workflows/c-cpp.yml new file mode 100644 index 0000000..e6ea495 --- /dev/null +++ b/.github/workflows/c-cpp.yml @@ -0,0 +1,125 @@ +name: C/C++ CI + +on: + push: + paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ] + pull_request: + paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ] + +jobs: + ci: + if: github.repository != 'openssh/openssh-portable-selfhosted' + strategy: + fail-fast: false + matrix: + # First we test all OSes in the default configuration. + target: [ubuntu-20.04, ubuntu-22.04, macos-11, macos-12, windows-2019, windows-2022] + config: [default] + # Then we include any extra configs we want to test for specific VMs. + # Valgrind slows things down quite a bit, so start them first. + include: + - { target: windows-2019, config: cygwin-release } + - { target: windows-2022, config: cygwin-release } + - { target: ubuntu-20.04, config: valgrind-1 } + - { target: ubuntu-20.04, config: valgrind-2 } + - { target: ubuntu-20.04, config: valgrind-3 } + - { target: ubuntu-20.04, config: valgrind-4 } + - { target: ubuntu-20.04, config: valgrind-5 } + - { target: ubuntu-20.04, config: valgrind-unit } + - { target: ubuntu-20.04, config: c89 } + - { target: ubuntu-20.04, config: clang-6.0 } + - { target: ubuntu-20.04, config: clang-8 } + - { target: ubuntu-20.04, config: clang-9 } + - { target: ubuntu-20.04, config: clang-10 } + - { target: ubuntu-20.04, config: clang-11 } + - { target: ubuntu-20.04, config: clang-12-Werror } + - { target: ubuntu-20.04, config: clang-sanitize-address } + - { target: ubuntu-20.04, config: clang-sanitize-undefined } + - { target: ubuntu-20.04, config: gcc-sanitize-address } + - { target: ubuntu-20.04, config: gcc-sanitize-undefined } + - { target: ubuntu-20.04, config: gcc-7 } + - { target: ubuntu-20.04, config: gcc-8 } + - { target: ubuntu-20.04, config: gcc-10 } + - { target: ubuntu-20.04, config: gcc-11-Werror } + - { target: ubuntu-20.04, config: pam } + - { target: ubuntu-20.04, config: kitchensink } + - { target: ubuntu-20.04, config: hardenedmalloc } + - { target: ubuntu-20.04, config: tcmalloc } + - { target: ubuntu-20.04, config: musl } + - { target: ubuntu-latest, config: libressl-master } + - { target: ubuntu-latest, config: libressl-2.2.9 } + - { target: ubuntu-latest, config: libressl-2.8.3 } + - { target: ubuntu-latest, config: libressl-3.0.2 } + - { target: ubuntu-latest, config: libressl-3.2.6 } + - { target: ubuntu-latest, config: libressl-3.3.6 } + - { target: ubuntu-latest, config: libressl-3.4.3 } + - { target: ubuntu-latest, config: libressl-3.5.3 } + - { target: ubuntu-latest, config: libressl-3.6.1 } + - { target: ubuntu-latest, config: libressl-3.7.0 } + - { target: ubuntu-latest, config: openssl-master } + - { target: ubuntu-latest, config: openssl-noec } + - { target: ubuntu-latest, config: openssl-1.0.1 } + - { target: ubuntu-latest, config: openssl-1.0.1u } + - { target: ubuntu-latest, config: openssl-1.0.2u } + - { target: ubuntu-latest, config: openssl-1.1.0h } + - { target: ubuntu-latest, config: openssl-1.1.1 } + - { target: ubuntu-latest, config: openssl-1.1.1k } + - { target: ubuntu-latest, config: openssl-1.1.1n } + - { target: ubuntu-latest, config: openssl-1.1.1q } + - { target: ubuntu-latest, config: openssl-1.1.1s } + - { target: ubuntu-latest, config: openssl-3.0.0 } + - { target: ubuntu-latest, config: openssl-3.0.5 } + - { target: ubuntu-latest, config: openssl-3.0.7 } + - { target: ubuntu-latest, config: openssl-1.1.1_stable } + - { target: ubuntu-latest, config: openssl-3.0 } # stable branch + - { target: ubuntu-22.04, config: pam } + - { target: ubuntu-22.04, config: krb5 } + - { target: ubuntu-22.04, config: heimdal } + - { target: ubuntu-22.04, config: libedit } + - { target: ubuntu-22.04, config: sk } + - { target: ubuntu-22.04, config: selinux } + - { target: ubuntu-22.04, config: kitchensink } + - { target: ubuntu-22.04, config: without-openssl } + - { target: macos-11, config: pam } + - { target: macos-12, config: pam } + runs-on: ${{ matrix.target }} + steps: + - name: set cygwin git params + if: ${{ startsWith(matrix.target, 'windows') }} + run: git config --global core.autocrlf input + - name: install cygwin + if: ${{ startsWith(matrix.target, 'windows') }} + uses: cygwin/cygwin-install-action@master + - uses: actions/checkout@main + - name: setup CI system + run: sh ./.github/setup_ci.sh ${{ matrix.config }} + - name: autoreconf + run: sh -c autoreconf + - name: configure + run: sh ./.github/configure.sh ${{ matrix.config }} + - name: save config + uses: actions/upload-artifact@main + with: + name: ${{ matrix.target }}-${{ matrix.config }}-config + path: config.h + - name: make clean + run: make clean + - name: make + run: make -j2 + - name: make tests + run: sh ./.github/run_test.sh ${{ matrix.config }} + env: + TEST_SSH_UNSAFE_PERMISSIONS: 1 + TEST_SSH_HOSTBASED_AUTH: yes + - name: save logs + if: failure() + uses: actions/upload-artifact@main + with: + name: ${{ matrix.target }}-${{ matrix.config }}-logs + path: | + config.h + config.log + regress/*.log + regress/valgrind-out/ + regress/asan.log.* + regress/msan.log.* diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml new file mode 100644 index 0000000..7ca8c47 --- /dev/null +++ b/.github/workflows/cifuzz.yml @@ -0,0 +1,32 @@ +name: CIFuzz +on: + push: + paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ] + pull_request: + paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ] + +jobs: + Fuzzing: + if: github.repository != 'openssh/openssh-portable-selfhosted' + runs-on: ubuntu-latest + steps: + - name: Build Fuzzers + id: build + uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master + with: + oss-fuzz-project-name: 'openssh' + dry-run: false + language: c++ + - name: Run Fuzzers + uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master + with: + oss-fuzz-project-name: 'openssh' + fuzz-seconds: 600 + dry-run: false + language: c++ + - name: Upload Crash + uses: actions/upload-artifact@main + if: failure() && steps.build.outcome == 'success' + with: + name: artifacts + path: ./out/artifacts diff --git a/.github/workflows/selfhosted.yml b/.github/workflows/selfhosted.yml new file mode 100644 index 0000000..50bc9ff --- /dev/null +++ b/.github/workflows/selfhosted.yml @@ -0,0 +1,116 @@ +name: C/C++ CI self-hosted + +on: + push: + paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ] + +jobs: + selfhosted: + if: github.repository == 'openssh/openssh-portable-selfhosted' + runs-on: ${{ matrix.host }} + timeout-minutes: 600 + env: + HOST: ${{ matrix.host }} + TARGET_HOST: ${{ matrix.target }} + TARGET_CONFIG: ${{ matrix.config }} + strategy: + fail-fast: false + # We use a matrix in two parts: firstly all of the VMs are tested with the + # default config. "target" corresponds to a label associated with the + # worker. The default is an ephemeral VM running under libvirt. + matrix: + target: + - alpine + - debian-i386 + - dfly30 + - dfly48 + - dfly58 + - dfly60 + - dfly62 + - fbsd10 + - fbsd12 + - fbsd13 + - minix3 + - nbsd3 + - nbsd4 + - nbsd8 + - nbsd9 + - obsd51 + - obsd67 + - obsd69 + - obsd70 + - obsdsnap + - obsdsnap-i386 + - openindiana + - sol10 + - sol11 + config: + - default + host: + - libvirt + include: + # Then we include extra libvirt test configs. + - { target: aix51, config: default, host: libvirt } + - { target: debian-i386, config: pam, host: libvirt } + - { target: dfly30, config: without-openssl, host: libvirt} + - { target: dfly48, config: pam ,host: libvirt } + - { target: dfly58, config: pam, host: libvirt } + - { target: dfly60, config: pam, host: libvirt } + - { target: dfly62, config: pam, host: libvirt } + - { target: fbsd10, config: pam, host: libvirt } + - { target: fbsd12, config: pam, host: libvirt } + - { target: fbsd13, config: pam, host: libvirt } + - { target: nbsd8, config: pam, host: libvirt } + - { target: nbsd9, config: pam, host: libvirt } + - { target: openindiana, config: pam, host: libvirt } + - { target: sol10, config: pam, host: libvirt } + - { target: sol11, config: pam-krb5, host: libvirt } + - { target: sol11, config: sol64, host: libvirt } + # VMs with persistent disks that have their own runner. + - { target: win10, config: default, host: win10 } + - { target: win10, config: cygwin-release, host: win10 } + # Physical hosts, with either native runners or remote via ssh. + - { target: ARM, config: default, host: ARM } + - { target: ARM64, config: default, host: ARM64 } + - { target: ARM64, config: pam, host: ARM64 } + - { target: debian-riscv64, config: default, host: debian-riscv64 } + - { target: openwrt-mips, config: default, host: openwrt-mips } + - { target: openwrt-mipsel, config: default, host: openwrt-mipsel } + steps: + - name: shutdown VM if running + run: vmshutdown + working-directory: ${{ runner.temp }} + - uses: actions/checkout@main + - name: autoreconf + run: autoreconf + - name: startup VM + run: vmstartup + working-directory: ${{ runner.temp }} + - name: configure + run: vmrun ./.github/configure.sh ${{ matrix.config }} + - name: save config + uses: actions/upload-artifact@main + with: + name: ${{ matrix.target }}-${{ matrix.config }}-config + path: config.h + - name: make clean + run: vmrun make clean + - name: make + run: vmrun make + - name: make tests + run: vmrun ./.github/run_test.sh ${{ matrix.config }} + timeout-minutes: 600 + - name: save logs + if: failure() + uses: actions/upload-artifact@main + with: + name: ${{ matrix.target }}-${{ matrix.config }}-logs + path: | + config.h + config.log + regress/*.log + regress/valgrind-out/ + - name: shutdown VM + if: always() + run: vmshutdown + working-directory: ${{ runner.temp }} diff --git a/.github/workflows/upstream.yml b/.github/workflows/upstream.yml new file mode 100644 index 0000000..1e2c2ac --- /dev/null +++ b/.github/workflows/upstream.yml @@ -0,0 +1,52 @@ +name: Upstream self-hosted + +on: + push: + branches: [ master ] + paths: [ '**.c', '**.h', '.github/**' ] + +jobs: + selfhosted: + if: github.repository == 'openssh/openssh-portable-selfhosted' + runs-on: 'libvirt' + env: + HOST: 'libvirt' + TARGET_HOST: ${{ matrix.target }} + TARGET_CONFIG: ${{ matrix.config }} + strategy: + fail-fast: false + matrix: + target: [ obsdsnap, obsdsnap-i386 ] + config: [ default, without-openssl, ubsan ] + steps: + - name: shutdown VM if running + run: vmshutdown + working-directory: ${{ runner.temp }} + - uses: actions/checkout@main + - name: startup VM + run: vmstartup + working-directory: ${{ runner.temp }} + - name: update source + run: vmrun "cd /usr/src && cvs up -dPA usr.bin/ssh regress/usr.bin/ssh" + - name: make clean + run: vmrun "cd /usr/src/usr.bin/ssh && make obj && make clean && cd /usr/src/regress/usr.bin/ssh && make obj && make clean && sudo chmod -R g-w /usr/src /usr/obj" + - name: make + run: vmrun "cd /usr/src/usr.bin/ssh && case ${{ matrix.config }} in without-openssl) make OPENSSL=no;; ubsan) make DEBUG='-fsanitize-minimal-runtime -fsanitize=undefined';; *) make; esac" + - name: make install + run: vmrun "cd /usr/src/usr.bin/ssh && sudo make install" + - name: make tests` + run: vmrun "cd /usr/src/regress/usr.bin/ssh && case ${{ matrix.config }} in without-openssl) make OPENSSL=no;; ubsan) make DEBUG='-fsanitize-minimal-runtime -fsanitize=undefined';; *) make; esac" + env: + SUDO: sudo + timeout-minutes: 300 + - name: save logs + if: failure() + uses: actions/upload-artifact@main + with: + name: ${{ matrix.target }}-${{ matrix.config }}-logs + path: | + /usr/obj/regress/usr.bin/ssh/obj/*.log + - name: shutdown VM + if: always() + run: vmshutdown + working-directory: ${{ runner.temp }} -- cgit v1.2.3