summaryrefslogtreecommitdiffstats
path: root/.github
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 14:40:04 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 14:40:04 +0000
commit25505898530a333011f4fd5cbc841ad6b26c089c (patch)
tree333a33fdd60930bcccc3f177ed9467d535e9bac6 /.github
parentInitial commit. (diff)
downloadopenssh-25505898530a333011f4fd5cbc841ad6b26c089c.tar.xz
openssh-25505898530a333011f4fd5cbc841ad6b26c089c.zip
Adding upstream version 1:9.2p1.upstream/1%9.2p1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '.github')
-rw-r--r--.github/ci-status.md10
-rwxr-xr-x.github/configs313
-rwxr-xr-x.github/configure.sh21
-rwxr-xr-x.github/run_test.sh48
-rwxr-xr-x.github/setup_ci.sh201
-rw-r--r--.github/workflows/c-cpp.yml125
-rw-r--r--.github/workflows/cifuzz.yml32
-rw-r--r--.github/workflows/selfhosted.yml116
-rw-r--r--.github/workflows/upstream.yml52
9 files changed, 918 insertions, 0 deletions
diff --git a/.github/ci-status.md b/.github/ci-status.md
new file mode 100644
index 0000000..d13bbfa
--- /dev/null
+++ b/.github/ci-status.md
@@ -0,0 +1,10 @@
+master :
+[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:master)
+[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:master)
+[![Upstream self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/upstream.yml/badge.svg)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/upstream.yml?query=branch:master)
+[![CIFuzz](https://github.com/openssh/openssh-portable/actions/workflows/cifuzz.yml/badge.svg)](https://github.com/openssh/openssh-portable/actions/workflows/cifuzz.yml)
+[![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/openssh.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:openssh)
+
+9.1 :
+[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_1)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_1)
+[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_1)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_1)
diff --git a/.github/configs b/.github/configs
new file mode 100755
index 0000000..bdd5ddb
--- /dev/null
+++ b/.github/configs
@@ -0,0 +1,313 @@
+#!/bin/sh
+#
+# usage: configs vmname test_config (or '' for default)
+#
+# Sets the following variables:
+# CONFIGFLAGS options to ./configure
+# SSHD_CONFOPTS sshd_config options
+# TEST_TARGET make target used when testing. defaults to "tests".
+# LTESTS
+
+config=$1
+if [ "$config" = "" ]; then
+ config="default"
+fi
+
+unset CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
+
+TEST_TARGET="tests compat-tests"
+LTESTS=""
+SKIP_LTESTS=""
+SUDO=sudo # run with sudo by default
+TEST_SSH_UNSAFE_PERMISSIONS=1
+# Stop on first test failure to minimize logs
+TEST_SSH_FAIL_FATAL=yes
+
+CONFIGFLAGS=""
+LIBCRYPTOFLAGS=""
+
+case "$config" in
+ default|sol64)
+ ;;
+ c89)
+ CC="gcc"
+ CFLAGS="-Wall -std=c89 -pedantic -Werror=vla"
+ CONFIGFLAGS="--without-zlib"
+ LIBCRYPTOFLAGS="--without-openssl"
+ TEST_TARGET=t-exec
+ ;;
+ cygwin-release)
+ # See https://cygwin.com/git/?p=git/cygwin-packages/openssh.git;a=blob;f=openssh.cygport;hb=HEAD
+ CONFIGFLAGS="--with-xauth=/usr/bin/xauth --with-security-key-builtin"
+ CONFIGFLAGS="$CONFIGFLAGS --with-kerberos5=/usr --with-libedit --disable-strip"
+ ;;
+ clang-12-Werror)
+ CC="clang-12"
+ # clang's implicit-fallthrough requires that the code be annotated with
+ # __attribute__((fallthrough)) and does not understand /* FALLTHROUGH */
+ CFLAGS="-Wall -Wextra -O2 -Wno-error=implicit-fallthrough -Wno-error=unused-parameter"
+ CONFIGFLAGS="--with-pam --with-Werror"
+ ;;
+ *-sanitize-*)
+ case "$config" in
+ gcc-*)
+ CC=gcc
+ ;;
+ clang-*)
+ # Find the newest available version of clang
+ for i in `seq 10 99`; do
+ clang="`which clang-$i 2>/dev/null`"
+ [ -x "$clang" ] && CC="$clang"
+ done
+ ;;
+ esac
+ # Put Sanitizer logs in regress dir.
+ SANLOGS=`pwd`/regress
+ # - We replace chroot with chdir so that the sanitizer in the preauth
+ # privsep process can read /proc.
+ # - clang does not recognizes explicit_bzero so we use bzero
+ # (see https://github.com/google/sanitizers/issues/1507
+ # - openssl and zlib trip ASAN.
+ # - sp_pwdp returned by getspnam trips ASAN, hence disabling shadow.
+ case "$config" in
+ *-sanitize-address)
+ CFLAGS="-fsanitize=address -fno-omit-frame-pointer"
+ LDFLAGS="-fsanitize=address"
+ CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -D_FORTIFY_SOURCE=0 -DASAN_OPTIONS=\"detect_leaks=0:log_path='$SANLOGS'/asan.log\"'
+ CONFIGFLAGS=""
+ TEST_TARGET="t-exec"
+ ;;
+ clang-sanitize-memory)
+ CFLAGS="-fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer"
+ LDFLAGS="-fsanitize=memory"
+ CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -DMSAN_OPTIONS=\"log_path='$SANLOGS'/msan.log\"'
+ CONFIGFLAGS="--without-openssl --without-zlib --without-shadow"
+ TEST_TARGET="t-exec"
+ ;;
+ *-sanitize-undefined)
+ CFLAGS="-fsanitize=undefined"
+ LDFLAGS="-fsanitize=undefined"
+ ;;
+ *)
+ echo unknown sanitize option;
+ exit 1;;
+ esac
+ features="--disable-security-key --disable-pkcs11"
+ hardening="--without-sandbox --without-hardening --without-stackprotect"
+ privsep="--with-privsep-user=root"
+ CONFIGFLAGS="$CONFIGFLAGS $features $hardening $privsep"
+ # Because we hobble chroot we can't test it.
+ SKIP_LTESTS=sftp-chroot
+ ;;
+ gcc-11-Werror)
+ CC="gcc"
+ # -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
+ CFLAGS="-Wall -Wextra -O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter"
+ CONFIGFLAGS="--with-pam --with-Werror"
+ ;;
+ clang*|gcc*)
+ CC="$config"
+ ;;
+ kitchensink)
+ CONFIGFLAGS="--with-kerberos5 --with-libedit --with-pam"
+ CONFIGFLAGS="${CONFIGFLAGS} --with-security-key-builtin --with-selinux"
+ CFLAGS="-DSK_DEBUG -DSANDBOX_SECCOMP_FILTER_DEBUG"
+ ;;
+ hardenedmalloc)
+ CONFIGFLAGS="--with-ldflags=-lhardened_malloc"
+ ;;
+ tcmalloc)
+ CONFIGFLAGS="--with-ldflags=-ltcmalloc"
+ ;;
+ krb5|heimdal)
+ CONFIGFLAGS="--with-kerberos5"
+ ;;
+ libedit)
+ CONFIGFLAGS="--with-libedit"
+ ;;
+ musl)
+ CC="musl-gcc"
+ CONFIGFLAGS="--without-zlib"
+ LIBCRYPTOFLAGS="--without-openssl"
+ TEST_TARGET="t-exec"
+ ;;
+ pam-krb5)
+ CONFIGFLAGS="--with-pam --with-kerberos5"
+ SSHD_CONFOPTS="UsePam yes"
+ ;;
+ *pam)
+ CONFIGFLAGS="--with-pam"
+ SSHD_CONFOPTS="UsePam yes"
+ ;;
+ libressl-*)
+ LIBCRYPTOFLAGS="--with-ssl-dir=/opt/libressl --with-rpath=-Wl,-rpath,"
+ ;;
+ openssl-*)
+ LIBCRYPTOFLAGS="--with-ssl-dir=/opt/openssl --with-rpath=-Wl,-rpath,"
+ # OpenSSL 1.1.1 specifically has a bug in its RNG that breaks reexec
+ # fallback. See https://bugzilla.mindrot.org/show_bug.cgi?id=3483
+ if [ "$config" = "openssl-1.1.1" ]; then
+ SKIP_LTESTS="reexec"
+ fi
+ ;;
+ selinux)
+ CONFIGFLAGS="--with-selinux"
+ ;;
+ sk)
+ CONFIGFLAGS="--with-security-key-builtin"
+ ;;
+ without-openssl)
+ LIBCRYPTOFLAGS="--without-openssl"
+ TEST_TARGET=t-exec
+ ;;
+ valgrind-[1-5]|valgrind-unit)
+ # rlimit sandbox and FORTIFY_SOURCE confuse Valgrind.
+ CONFIGFLAGS="--without-sandbox --without-hardening"
+ CONFIGFLAGS="$CONFIGFLAGS --with-cppflags=-D_FORTIFY_SOURCE=0"
+ TEST_TARGET="t-exec USE_VALGRIND=1"
+ TEST_SSH_ELAPSED_TIMES=1
+ export TEST_SSH_ELAPSED_TIMES
+ # Valgrind slows things down enough that the agent timeout test
+ # won't reliably pass, and the unit tests run longer than allowed
+ # by github so split into separate tests.
+ tests2="integrity try-ciphers"
+ tests3="krl forward-control sshsig agent-restrict kextype sftp"
+ tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment percent"
+ tests5="rekey"
+ case "$config" in
+ valgrind-1)
+ # All tests except agent-timeout (which is flaky under valgrind),
+ # connection-timeout (which doesn't work since it's so slow)
+ # and hostbased (since valgrind won't let ssh exec keysign).
+ # Slow ones are run separately to increase parallelism.
+ SKIP_LTESTS="agent-timeout connection-timeout hostbased"
+ SKIP_LTESTS="$SKIP_LTESTS ${tests2} ${tests3} ${tests4} ${tests5}"
+ ;;
+ valgrind-2)
+ LTESTS="${tests2}"
+ ;;
+ valgrind-3)
+ LTESTS="${tests3}"
+ ;;
+ valgrind-4)
+ LTESTS="${tests4}"
+ ;;
+ valgrind-5)
+ LTESTS="${tests5}"
+ ;;
+ valgrind-unit)
+ TEST_TARGET="unit USE_VALGRIND=1"
+ ;;
+ esac
+ ;;
+ *)
+ echo "Unknown configuration $config"
+ exit 1
+ ;;
+esac
+
+# The Solaris 64bit targets are special since they need a non-flag arg.
+case "$config" in
+ sol64*)
+ CONFIGFLAGS="x86_64 --with-cflags=-m64 --with-ldflags=-m64 ${CONFIGFLAGS}"
+ LIBCRYPTOFLAGS="--with-ssl-dir=/usr/local/ssl64"
+ ;;
+esac
+
+case "${TARGET_HOST}" in
+ aix*)
+ # These are slow real or virtual machines so skip the slowest tests
+ # (which tend to be thw ones that transfer lots of data) so that the
+ # test run does not time out.
+ # The agent-restrict test fails due to some quoting issue when run
+ # with sh or ksh so specify bash for now.
+ TEST_TARGET="t-exec TEST_SHELL=bash"
+ SKIP_LTESTS="rekey sftp"
+ ;;
+ debian-riscv64)
+ # This machine is fairly slow, so skip the unit tests.
+ TEST_TARGET="t-exec"
+ ;;
+ dfly58*|dfly60*)
+ # scp 3-way connection hangs on these so skip until sorted.
+ SKIP_LTESTS=scp3
+ ;;
+ fbsd6)
+ # Native linker is not great with PIC so OpenSSL is built w/out.
+ CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
+ ;;
+ hurd)
+ SKIP_LTESTS="forwarding multiplex proxy-connect hostkey-agent agent-ptrace"
+ ;;
+ minix3)
+ LIBCRYPTOFLAGS="--without-openssl --disable-security-key"
+ # Minix does not have a loopback interface so we have to skip any
+ # test that relies on one.
+ # Also, Minix seems to be very limited in the number of select()
+ # calls that can be operating concurrently, so prune additional tests for that.
+ T="addrmatch agent-restrict brokenkeys cfgmatch cfgmatchlisten cfgparse
+ connect connect-uri exit-status forwarding hostkey-agent
+ key-options keyscan knownhosts-command login-timeout
+ reconfigure reexec rekey scp scp-uri scp3 sftp sftp-badcmds
+ sftp-batch sftp-cmds sftp-glob sftp-perm sftp-uri stderr-data
+ transfer"
+ # Unix domain sockets don't work quite like we expect, so also skip any tests
+ # that use multiplexing.
+ T="$T connection-timeout dynamic-forward forward-control multiplex"
+ SKIP_LTESTS="$(echo $T)"
+ TEST_TARGET=t-exec
+ SUDO=""
+ ;;
+ nbsd4)
+ # System compiler will ICE on some files with fstack-protector
+ # SHA256 functions in sha2.h conflict with OpenSSL's breaking sk-dummy
+ CONFIGFLAGS="${CONFIGFLAGS} --without-hardening --disable-security-key"
+ ;;
+ openwrt-*)
+ CONFIGFLAGS="${CONFIGFLAGS} --without-openssl --without-zlib"
+ TEST_TARGET="t-exec"
+ ;;
+ sol10|sol11)
+ # sol10 VM is 32bit and the unit tests are slow.
+ # sol11 has 4 test configs so skip unit tests to speed up.
+ TEST_TARGET="tests SKIP_UNIT=1"
+ ;;
+ win10)
+ # No sudo on Windows.
+ SUDO=""
+ ;;
+esac
+
+case "`./config.guess`" in
+*cygwin)
+ SUDO=""
+ # Don't run compat tests on cygwin as they don't currently compile.
+ TEST_TARGET="tests"
+ ;;
+*-darwin*)
+ # Unless specified otherwise, build without OpenSSL on Mac OS since
+ # modern versions don't ship with libcrypto.
+ LIBCRYPTOFLAGS="--without-openssl"
+ TEST_TARGET=t-exec
+ ;;
+esac
+
+# If we have a local openssl/libressl, use that.
+if [ -z "${LIBCRYPTOFLAGS}" ]; then
+ # last-match
+ for i in /usr/local /usr/local/ssl /usr/local/opt/openssl; do
+ if [ -x ${i}/bin/openssl ]; then
+ LIBCRYPTOFLAGS="--with-ssl-dir=${i}"
+ fi
+ done
+fi
+
+CONFIGFLAGS="${CONFIGFLAGS} ${LIBCRYPTOFLAGS}"
+
+if [ -x "$(which plink 2>/dev/null)" ]; then
+ REGRESS_INTEROP_PUTTY=yes
+ export REGRESS_INTEROP_PUTTY
+fi
+
+export CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
+export TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS TEST_SSH_FAIL_FATAL
diff --git a/.github/configure.sh b/.github/configure.sh
new file mode 100755
index 0000000..bd00377
--- /dev/null
+++ b/.github/configure.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+. .github/configs $1
+
+printf "$ "
+
+if [ "x$CC" != "x" ]; then
+ printf "CC='$CC' "
+fi
+if [ "x$CFLAGS" != "x" ]; then
+ printf "CFLAGS='$CFLAGS' "
+fi
+if [ "x$CPPFLAGS" != "x" ]; then
+ printf "CPPFLAGS='$CPPFLAGS' "
+fi
+if [ "x$LDFLAGS" != "x" ]; then
+ printf "LDFLAGS='$LDFLAGS' "
+fi
+
+echo ./configure ${CONFIGFLAGS}
+./configure ${CONFIGFLAGS} 2>&1
diff --git a/.github/run_test.sh b/.github/run_test.sh
new file mode 100755
index 0000000..8eeaf5e
--- /dev/null
+++ b/.github/run_test.sh
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+. .github/configs $1
+
+[ -z "${SUDO}" ] || ${SUDO} mkdir -p /var/empty
+
+set -ex
+
+# If we want to test hostbased auth, set up the host for it.
+if [ ! -z "$SUDO" ] && [ ! -z "$TEST_SSH_HOSTBASED_AUTH" ]; then
+ sshconf=/usr/local/etc
+ hostname | $SUDO tee $sshconf/shosts.equiv >/dev/null
+ echo "EnableSSHKeysign yes" | $SUDO tee $sshconf/ssh_config >/dev/null
+ $SUDO mkdir -p $sshconf
+ $SUDO cp -p /etc/ssh/ssh_host*key* $sshconf
+ $SUDO make install
+ for key in $sshconf/ssh_host*key*.pub; do
+ echo `hostname` `cat $key` | \
+ $SUDO tee -a $sshconf/ssh_known_hosts >/dev/null
+ done
+fi
+
+output_failed_logs() {
+ for i in regress/failed*; do
+ if [ -f "$i" ]; then
+ echo -------------------------------------------------------------------------
+ echo LOGFILE $i
+ cat $i
+ echo -------------------------------------------------------------------------
+ fi
+ done
+}
+trap output_failed_logs 0
+
+if [ -z "${LTESTS}" ]; then
+ make ${TEST_TARGET} SKIP_LTESTS="${SKIP_LTESTS}"
+else
+ make ${TEST_TARGET} SKIP_LTESTS="${SKIP_LTESTS}" LTESTS="${LTESTS}"
+fi
+
+if [ ! -z "${SSHD_CONFOPTS}" ]; then
+ echo "rerunning t-exec with TEST_SSH_SSHD_CONFOPTS='${SSHD_CONFOPTS}'"
+ if [ -z "${LTESTS}" ]; then
+ make t-exec SKIP_LTESTS="${SKIP_LTESTS}" TEST_SSH_SSHD_CONFOPTS="${SSHD_CONFOPTS}"
+ else
+ make t-exec SKIP_LTESTS="${SKIP_LTESTS}" LTESTS="${LTESTS}" TEST_SSH_SSHD_CONFOPTS="${SSHD_CONFOPTS}"
+ fi
+fi
diff --git a/.github/setup_ci.sh b/.github/setup_ci.sh
new file mode 100755
index 0000000..e4480e6
--- /dev/null
+++ b/.github/setup_ci.sh
@@ -0,0 +1,201 @@
+#!/bin/sh
+
+PACKAGES=""
+
+ . .github/configs $@
+
+case "`./config.guess`" in
+*cygwin)
+ PACKAGER=setup
+ echo Setting CYGWIN sustem environment variable.
+ setx CYGWIN "binmode"
+ chmod -R go-rw /cygdrive/d/a
+ umask 077
+ PACKAGES="$PACKAGES,autoconf,automake,cygwin-devel,gcc-core"
+ PACKAGES="$PACKAGES,make,openssl-devel,zlib-devel"
+ ;;
+*-darwin*)
+ PACKAGER=brew
+ brew install automake
+ exit 0
+ ;;
+*)
+ PACKAGER=apt
+esac
+
+TARGETS=$@
+
+INSTALL_FIDO_PPA="no"
+export DEBIAN_FRONTEND=noninteractive
+
+#echo "Setting up for '$TARGETS'"
+
+set -ex
+
+if [ -x "`which lsb_release 2>&1`" ]; then
+ lsb_release -a
+fi
+
+# Ubuntu 22.04 defaults to private home dirs which prevent the
+# agent-getpeerid test from running ssh-add as nobody. See
+# https://github.com/actions/runner-images/issues/6106
+if [ ! -z "$SUDO" ] && ! "$SUDO" -u nobody test -x ~; then
+ echo ~ is not executable by nobody, adding perms.
+ chmod go+x ~
+fi
+
+if [ "${TARGETS}" = "kitchensink" ]; then
+ TARGETS="krb5 libedit pam sk selinux"
+fi
+
+for flag in $CONFIGFLAGS; do
+ case "$flag" in
+ --with-pam) TARGETS="${TARGETS} pam" ;;
+ --with-libedit) TARGETS="${TARGETS} libedit" ;;
+ esac
+done
+
+for TARGET in $TARGETS; do
+ case $TARGET in
+ default|without-openssl|without-zlib|c89)
+ # nothing to do
+ ;;
+ clang-sanitize*)
+ PACKAGES="$PACKAGES clang-12"
+ ;;
+ cygwin-release)
+ PACKAGES="$PACKAGES libcrypt-devel libfido2-devel libkrb5-devel"
+ ;;
+ gcc-sanitize*)
+ ;;
+ clang-*|gcc-*)
+ compiler=$(echo $TARGET | sed 's/-Werror//')
+ PACKAGES="$PACKAGES $compiler"
+ ;;
+ krb5)
+ PACKAGES="$PACKAGES libkrb5-dev"
+ ;;
+ heimdal)
+ PACKAGES="$PACKAGES heimdal-dev"
+ ;;
+ libedit)
+ case "$PACKAGER" in
+ setup) PACKAGES="$PACKAGES libedit-devel" ;;
+ apt) PACKAGES="$PACKAGES libedit-dev" ;;
+ esac
+ ;;
+ *pam)
+ PACKAGES="$PACKAGES libpam0g-dev"
+ ;;
+ sk)
+ INSTALL_FIDO_PPA="yes"
+ PACKAGES="$PACKAGES libfido2-dev libu2f-host-dev libcbor-dev"
+ ;;
+ selinux)
+ PACKAGES="$PACKAGES libselinux1-dev selinux-policy-dev"
+ ;;
+ hardenedmalloc)
+ INSTALL_HARDENED_MALLOC=yes
+ ;;
+ musl)
+ PACKAGES="$PACKAGES musl-tools"
+ ;;
+ tcmalloc)
+ PACKAGES="$PACKAGES libgoogle-perftools-dev"
+ ;;
+ openssl-noec)
+ INSTALL_OPENSSL=OpenSSL_1_1_1k
+ SSLCONFOPTS="no-ec"
+ ;;
+ openssl-*)
+ INSTALL_OPENSSL=$(echo ${TARGET} | cut -f2 -d-)
+ case ${INSTALL_OPENSSL} in
+ 1.1.1_stable) INSTALL_OPENSSL="OpenSSL_1_1_1-stable" ;;
+ 1.*) INSTALL_OPENSSL="OpenSSL_$(echo ${INSTALL_OPENSSL} | tr . _)" ;;
+ 3.*) INSTALL_OPENSSL="openssl-${INSTALL_OPENSSL}" ;;
+ esac
+ PACKAGES="${PACKAGES} putty-tools"
+ ;;
+ libressl-*)
+ INSTALL_LIBRESSL=$(echo ${TARGET} | cut -f2 -d-)
+ case ${INSTALL_LIBRESSL} in
+ master) ;;
+ *) INSTALL_LIBRESSL="$(echo ${TARGET} | cut -f2 -d-)" ;;
+ esac
+ PACKAGES="${PACKAGES} putty-tools"
+ ;;
+ valgrind*)
+ PACKAGES="$PACKAGES valgrind"
+ ;;
+ *) echo "Invalid option '${TARGET}'"
+ exit 1
+ ;;
+ esac
+done
+
+if [ "yes" = "$INSTALL_FIDO_PPA" ]; then
+ sudo apt update -qq
+ sudo apt install -qy software-properties-common
+ sudo apt-add-repository -y ppa:yubico/stable
+fi
+
+tries=3
+while [ ! -z "$PACKAGES" ] && [ "$tries" -gt "0" ]; do
+ case "$PACKAGER" in
+ apt)
+ sudo apt update -qq
+ if sudo apt install -qy $PACKAGES; then
+ PACKAGES=""
+ fi
+ ;;
+ setup)
+ if /cygdrive/c/setup.exe -q -P `echo "$PACKAGES" | tr ' ' ,`; then
+ PACKAGES=""
+ fi
+ ;;
+ esac
+ if [ ! -z "$PACKAGES" ]; then
+ sleep 90
+ fi
+ tries=$(($tries - 1))
+done
+if [ ! -z "$PACKAGES" ]; then
+ echo "Package installation failed."
+ exit 1
+fi
+
+if [ "${INSTALL_HARDENED_MALLOC}" = "yes" ]; then
+ (cd ${HOME} &&
+ git clone https://github.com/GrapheneOS/hardened_malloc.git &&
+ cd ${HOME}/hardened_malloc &&
+ make -j2 && sudo cp out/libhardened_malloc.so /usr/lib/)
+fi
+
+if [ ! -z "${INSTALL_OPENSSL}" ]; then
+ (cd ${HOME} &&
+ git clone https://github.com/openssl/openssl.git &&
+ cd ${HOME}/openssl &&
+ git checkout ${INSTALL_OPENSSL} &&
+ ./config no-threads shared ${SSLCONFOPTS} \
+ --prefix=/opt/openssl &&
+ make && sudo make install_sw)
+fi
+
+if [ ! -z "${INSTALL_LIBRESSL}" ]; then
+ if [ "${INSTALL_LIBRESSL}" = "master" ]; then
+ (mkdir -p ${HOME}/libressl && cd ${HOME}/libressl &&
+ git clone https://github.com/libressl-portable/portable.git &&
+ cd ${HOME}/libressl/portable &&
+ git checkout ${INSTALL_LIBRESSL} &&
+ sh update.sh && sh autogen.sh &&
+ ./configure --prefix=/opt/libressl &&
+ make -j2 && sudo make install)
+ else
+ LIBRESSL_URLBASE=https://cdn.openbsd.org/pub/OpenBSD/LibreSSL
+ (cd ${HOME} &&
+ wget ${LIBRESSL_URLBASE}/libressl-${INSTALL_LIBRESSL}.tar.gz &&
+ tar xfz libressl-${INSTALL_LIBRESSL}.tar.gz &&
+ cd libressl-${INSTALL_LIBRESSL} &&
+ ./configure --prefix=/opt/libressl && make -j2 && sudo make install)
+ fi
+fi
diff --git a/.github/workflows/c-cpp.yml b/.github/workflows/c-cpp.yml
new file mode 100644
index 0000000..e6ea495
--- /dev/null
+++ b/.github/workflows/c-cpp.yml
@@ -0,0 +1,125 @@
+name: C/C++ CI
+
+on:
+ push:
+ paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ]
+ pull_request:
+ paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ]
+
+jobs:
+ ci:
+ if: github.repository != 'openssh/openssh-portable-selfhosted'
+ strategy:
+ fail-fast: false
+ matrix:
+ # First we test all OSes in the default configuration.
+ target: [ubuntu-20.04, ubuntu-22.04, macos-11, macos-12, windows-2019, windows-2022]
+ config: [default]
+ # Then we include any extra configs we want to test for specific VMs.
+ # Valgrind slows things down quite a bit, so start them first.
+ include:
+ - { target: windows-2019, config: cygwin-release }
+ - { target: windows-2022, config: cygwin-release }
+ - { target: ubuntu-20.04, config: valgrind-1 }
+ - { target: ubuntu-20.04, config: valgrind-2 }
+ - { target: ubuntu-20.04, config: valgrind-3 }
+ - { target: ubuntu-20.04, config: valgrind-4 }
+ - { target: ubuntu-20.04, config: valgrind-5 }
+ - { target: ubuntu-20.04, config: valgrind-unit }
+ - { target: ubuntu-20.04, config: c89 }
+ - { target: ubuntu-20.04, config: clang-6.0 }
+ - { target: ubuntu-20.04, config: clang-8 }
+ - { target: ubuntu-20.04, config: clang-9 }
+ - { target: ubuntu-20.04, config: clang-10 }
+ - { target: ubuntu-20.04, config: clang-11 }
+ - { target: ubuntu-20.04, config: clang-12-Werror }
+ - { target: ubuntu-20.04, config: clang-sanitize-address }
+ - { target: ubuntu-20.04, config: clang-sanitize-undefined }
+ - { target: ubuntu-20.04, config: gcc-sanitize-address }
+ - { target: ubuntu-20.04, config: gcc-sanitize-undefined }
+ - { target: ubuntu-20.04, config: gcc-7 }
+ - { target: ubuntu-20.04, config: gcc-8 }
+ - { target: ubuntu-20.04, config: gcc-10 }
+ - { target: ubuntu-20.04, config: gcc-11-Werror }
+ - { target: ubuntu-20.04, config: pam }
+ - { target: ubuntu-20.04, config: kitchensink }
+ - { target: ubuntu-20.04, config: hardenedmalloc }
+ - { target: ubuntu-20.04, config: tcmalloc }
+ - { target: ubuntu-20.04, config: musl }
+ - { target: ubuntu-latest, config: libressl-master }
+ - { target: ubuntu-latest, config: libressl-2.2.9 }
+ - { target: ubuntu-latest, config: libressl-2.8.3 }
+ - { target: ubuntu-latest, config: libressl-3.0.2 }
+ - { target: ubuntu-latest, config: libressl-3.2.6 }
+ - { target: ubuntu-latest, config: libressl-3.3.6 }
+ - { target: ubuntu-latest, config: libressl-3.4.3 }
+ - { target: ubuntu-latest, config: libressl-3.5.3 }
+ - { target: ubuntu-latest, config: libressl-3.6.1 }
+ - { target: ubuntu-latest, config: libressl-3.7.0 }
+ - { target: ubuntu-latest, config: openssl-master }
+ - { target: ubuntu-latest, config: openssl-noec }
+ - { target: ubuntu-latest, config: openssl-1.0.1 }
+ - { target: ubuntu-latest, config: openssl-1.0.1u }
+ - { target: ubuntu-latest, config: openssl-1.0.2u }
+ - { target: ubuntu-latest, config: openssl-1.1.0h }
+ - { target: ubuntu-latest, config: openssl-1.1.1 }
+ - { target: ubuntu-latest, config: openssl-1.1.1k }
+ - { target: ubuntu-latest, config: openssl-1.1.1n }
+ - { target: ubuntu-latest, config: openssl-1.1.1q }
+ - { target: ubuntu-latest, config: openssl-1.1.1s }
+ - { target: ubuntu-latest, config: openssl-3.0.0 }
+ - { target: ubuntu-latest, config: openssl-3.0.5 }
+ - { target: ubuntu-latest, config: openssl-3.0.7 }
+ - { target: ubuntu-latest, config: openssl-1.1.1_stable }
+ - { target: ubuntu-latest, config: openssl-3.0 } # stable branch
+ - { target: ubuntu-22.04, config: pam }
+ - { target: ubuntu-22.04, config: krb5 }
+ - { target: ubuntu-22.04, config: heimdal }
+ - { target: ubuntu-22.04, config: libedit }
+ - { target: ubuntu-22.04, config: sk }
+ - { target: ubuntu-22.04, config: selinux }
+ - { target: ubuntu-22.04, config: kitchensink }
+ - { target: ubuntu-22.04, config: without-openssl }
+ - { target: macos-11, config: pam }
+ - { target: macos-12, config: pam }
+ runs-on: ${{ matrix.target }}
+ steps:
+ - name: set cygwin git params
+ if: ${{ startsWith(matrix.target, 'windows') }}
+ run: git config --global core.autocrlf input
+ - name: install cygwin
+ if: ${{ startsWith(matrix.target, 'windows') }}
+ uses: cygwin/cygwin-install-action@master
+ - uses: actions/checkout@main
+ - name: setup CI system
+ run: sh ./.github/setup_ci.sh ${{ matrix.config }}
+ - name: autoreconf
+ run: sh -c autoreconf
+ - name: configure
+ run: sh ./.github/configure.sh ${{ matrix.config }}
+ - name: save config
+ uses: actions/upload-artifact@main
+ with:
+ name: ${{ matrix.target }}-${{ matrix.config }}-config
+ path: config.h
+ - name: make clean
+ run: make clean
+ - name: make
+ run: make -j2
+ - name: make tests
+ run: sh ./.github/run_test.sh ${{ matrix.config }}
+ env:
+ TEST_SSH_UNSAFE_PERMISSIONS: 1
+ TEST_SSH_HOSTBASED_AUTH: yes
+ - name: save logs
+ if: failure()
+ uses: actions/upload-artifact@main
+ with:
+ name: ${{ matrix.target }}-${{ matrix.config }}-logs
+ path: |
+ config.h
+ config.log
+ regress/*.log
+ regress/valgrind-out/
+ regress/asan.log.*
+ regress/msan.log.*
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
new file mode 100644
index 0000000..7ca8c47
--- /dev/null
+++ b/.github/workflows/cifuzz.yml
@@ -0,0 +1,32 @@
+name: CIFuzz
+on:
+ push:
+ paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ]
+ pull_request:
+ paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ]
+
+jobs:
+ Fuzzing:
+ if: github.repository != 'openssh/openssh-portable-selfhosted'
+ runs-on: ubuntu-latest
+ steps:
+ - name: Build Fuzzers
+ id: build
+ uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
+ with:
+ oss-fuzz-project-name: 'openssh'
+ dry-run: false
+ language: c++
+ - name: Run Fuzzers
+ uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
+ with:
+ oss-fuzz-project-name: 'openssh'
+ fuzz-seconds: 600
+ dry-run: false
+ language: c++
+ - name: Upload Crash
+ uses: actions/upload-artifact@main
+ if: failure() && steps.build.outcome == 'success'
+ with:
+ name: artifacts
+ path: ./out/artifacts
diff --git a/.github/workflows/selfhosted.yml b/.github/workflows/selfhosted.yml
new file mode 100644
index 0000000..50bc9ff
--- /dev/null
+++ b/.github/workflows/selfhosted.yml
@@ -0,0 +1,116 @@
+name: C/C++ CI self-hosted
+
+on:
+ push:
+ paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ]
+
+jobs:
+ selfhosted:
+ if: github.repository == 'openssh/openssh-portable-selfhosted'
+ runs-on: ${{ matrix.host }}
+ timeout-minutes: 600
+ env:
+ HOST: ${{ matrix.host }}
+ TARGET_HOST: ${{ matrix.target }}
+ TARGET_CONFIG: ${{ matrix.config }}
+ strategy:
+ fail-fast: false
+ # We use a matrix in two parts: firstly all of the VMs are tested with the
+ # default config. "target" corresponds to a label associated with the
+ # worker. The default is an ephemeral VM running under libvirt.
+ matrix:
+ target:
+ - alpine
+ - debian-i386
+ - dfly30
+ - dfly48
+ - dfly58
+ - dfly60
+ - dfly62
+ - fbsd10
+ - fbsd12
+ - fbsd13
+ - minix3
+ - nbsd3
+ - nbsd4
+ - nbsd8
+ - nbsd9
+ - obsd51
+ - obsd67
+ - obsd69
+ - obsd70
+ - obsdsnap
+ - obsdsnap-i386
+ - openindiana
+ - sol10
+ - sol11
+ config:
+ - default
+ host:
+ - libvirt
+ include:
+ # Then we include extra libvirt test configs.
+ - { target: aix51, config: default, host: libvirt }
+ - { target: debian-i386, config: pam, host: libvirt }
+ - { target: dfly30, config: without-openssl, host: libvirt}
+ - { target: dfly48, config: pam ,host: libvirt }
+ - { target: dfly58, config: pam, host: libvirt }
+ - { target: dfly60, config: pam, host: libvirt }
+ - { target: dfly62, config: pam, host: libvirt }
+ - { target: fbsd10, config: pam, host: libvirt }
+ - { target: fbsd12, config: pam, host: libvirt }
+ - { target: fbsd13, config: pam, host: libvirt }
+ - { target: nbsd8, config: pam, host: libvirt }
+ - { target: nbsd9, config: pam, host: libvirt }
+ - { target: openindiana, config: pam, host: libvirt }
+ - { target: sol10, config: pam, host: libvirt }
+ - { target: sol11, config: pam-krb5, host: libvirt }
+ - { target: sol11, config: sol64, host: libvirt }
+ # VMs with persistent disks that have their own runner.
+ - { target: win10, config: default, host: win10 }
+ - { target: win10, config: cygwin-release, host: win10 }
+ # Physical hosts, with either native runners or remote via ssh.
+ - { target: ARM, config: default, host: ARM }
+ - { target: ARM64, config: default, host: ARM64 }
+ - { target: ARM64, config: pam, host: ARM64 }
+ - { target: debian-riscv64, config: default, host: debian-riscv64 }
+ - { target: openwrt-mips, config: default, host: openwrt-mips }
+ - { target: openwrt-mipsel, config: default, host: openwrt-mipsel }
+ steps:
+ - name: shutdown VM if running
+ run: vmshutdown
+ working-directory: ${{ runner.temp }}
+ - uses: actions/checkout@main
+ - name: autoreconf
+ run: autoreconf
+ - name: startup VM
+ run: vmstartup
+ working-directory: ${{ runner.temp }}
+ - name: configure
+ run: vmrun ./.github/configure.sh ${{ matrix.config }}
+ - name: save config
+ uses: actions/upload-artifact@main
+ with:
+ name: ${{ matrix.target }}-${{ matrix.config }}-config
+ path: config.h
+ - name: make clean
+ run: vmrun make clean
+ - name: make
+ run: vmrun make
+ - name: make tests
+ run: vmrun ./.github/run_test.sh ${{ matrix.config }}
+ timeout-minutes: 600
+ - name: save logs
+ if: failure()
+ uses: actions/upload-artifact@main
+ with:
+ name: ${{ matrix.target }}-${{ matrix.config }}-logs
+ path: |
+ config.h
+ config.log
+ regress/*.log
+ regress/valgrind-out/
+ - name: shutdown VM
+ if: always()
+ run: vmshutdown
+ working-directory: ${{ runner.temp }}
diff --git a/.github/workflows/upstream.yml b/.github/workflows/upstream.yml
new file mode 100644
index 0000000..1e2c2ac
--- /dev/null
+++ b/.github/workflows/upstream.yml
@@ -0,0 +1,52 @@
+name: Upstream self-hosted
+
+on:
+ push:
+ branches: [ master ]
+ paths: [ '**.c', '**.h', '.github/**' ]
+
+jobs:
+ selfhosted:
+ if: github.repository == 'openssh/openssh-portable-selfhosted'
+ runs-on: 'libvirt'
+ env:
+ HOST: 'libvirt'
+ TARGET_HOST: ${{ matrix.target }}
+ TARGET_CONFIG: ${{ matrix.config }}
+ strategy:
+ fail-fast: false
+ matrix:
+ target: [ obsdsnap, obsdsnap-i386 ]
+ config: [ default, without-openssl, ubsan ]
+ steps:
+ - name: shutdown VM if running
+ run: vmshutdown
+ working-directory: ${{ runner.temp }}
+ - uses: actions/checkout@main
+ - name: startup VM
+ run: vmstartup
+ working-directory: ${{ runner.temp }}
+ - name: update source
+ run: vmrun "cd /usr/src && cvs up -dPA usr.bin/ssh regress/usr.bin/ssh"
+ - name: make clean
+ run: vmrun "cd /usr/src/usr.bin/ssh && make obj && make clean && cd /usr/src/regress/usr.bin/ssh && make obj && make clean && sudo chmod -R g-w /usr/src /usr/obj"
+ - name: make
+ run: vmrun "cd /usr/src/usr.bin/ssh && case ${{ matrix.config }} in without-openssl) make OPENSSL=no;; ubsan) make DEBUG='-fsanitize-minimal-runtime -fsanitize=undefined';; *) make; esac"
+ - name: make install
+ run: vmrun "cd /usr/src/usr.bin/ssh && sudo make install"
+ - name: make tests`
+ run: vmrun "cd /usr/src/regress/usr.bin/ssh && case ${{ matrix.config }} in without-openssl) make OPENSSL=no;; ubsan) make DEBUG='-fsanitize-minimal-runtime -fsanitize=undefined';; *) make; esac"
+ env:
+ SUDO: sudo
+ timeout-minutes: 300
+ - name: save logs
+ if: failure()
+ uses: actions/upload-artifact@main
+ with:
+ name: ${{ matrix.target }}-${{ matrix.config }}-logs
+ path: |
+ /usr/obj/regress/usr.bin/ssh/obj/*.log
+ - name: shutdown VM
+ if: always()
+ run: vmshutdown
+ working-directory: ${{ runner.temp }}