Diffstat (limited to 'crypto/openssh/.github')
-rw-r--r--crypto/openssh/.github/ci-status.md17
-rwxr-xr-xcrypto/openssh/.github/configs195
-rwxr-xr-xcrypto/openssh/.github/configure.sh2
-rwxr-xr-xcrypto/openssh/.github/run_test.sh16
-rwxr-xr-xcrypto/openssh/.github/setup_ci.sh164
-rw-r--r--crypto/openssh/.github/workflows/c-cpp.yml174
-rw-r--r--crypto/openssh/.github/workflows/cifuzz.yml32
-rw-r--r--crypto/openssh/.github/workflows/selfhosted.yml118
-rw-r--r--crypto/openssh/.github/workflows/upstream.yml35
9 files changed, 573 insertions, 180 deletions
diff --git a/crypto/openssh/.github/ci-status.md b/crypto/openssh/.github/ci-status.md
index 0ad8bf5aaf44..8d4cea10dba4 100644
--- a/crypto/openssh/.github/ci-status.md
+++ b/crypto/openssh/.github/ci-status.md
@@ -1,4 +1,15 @@
-[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml)
-[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml)
-[![Upstream self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/upstream.yml/badge.svg)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/upstream.yml)
+master :
+[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:master)
+[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:master)
+[![Upstream self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/upstream.yml/badge.svg)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/upstream.yml?query=branch:master)
+[![CIFuzz](https://github.com/openssh/openssh-portable/actions/workflows/cifuzz.yml/badge.svg)](https://github.com/openssh/openssh-portable/actions/workflows/cifuzz.yml)
[![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/openssh.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:openssh)
+[![Coverity Status](https://scan.coverity.com/projects/21341/badge.svg)](https://scan.coverity.com/projects/openssh-portable)
+
+9.4 :
+[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_4)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_4)
+[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_4)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_4)
+
+9.3 :
+[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_3)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_3)
+[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_3)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_3)
diff --git a/crypto/openssh/.github/configs b/crypto/openssh/.github/configs
index 871a3d414d94..370fe29a3ee4 100755
--- a/crypto/openssh/.github/configs
+++ b/crypto/openssh/.github/configs
@@ -9,8 +9,13 @@
# LTESTS
config=$1
+if [ "$config" = "" ]; then
+ config="default"
+fi
+
+unset CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
-TEST_TARGET="tests"
+TEST_TARGET="tests compat-tests"
LTESTS=""
SKIP_LTESTS=""
SUDO=sudo # run with sudo by default
@@ -25,6 +30,13 @@ case "$config" in
default|sol64)
;;
c89)
+ # If we don't have LLONG_MAX, configure will figure out that it can
+ # get it by setting -std=gnu99, at which point we won't be testing
+ # C89 any more. To avoid this, feed it in via CFLAGS.
+ llong_max=`gcc -E -dM - </dev/null | \
+ awk '$2=="__LONG_LONG_MAX__"{print $3}'`
+ CPPFLAGS="-DLLONG_MAX=${llong_max}"
+
CC="gcc"
CFLAGS="-Wall -std=c89 -pedantic -Werror=vla"
CONFIGFLAGS="--without-zlib"
@@ -32,7 +44,9 @@ case "$config" in
TEST_TARGET=t-exec
;;
cygwin-release)
- CONFIGFLAGS="--with-libedit --with-xauth=/usr/bin/xauth --disable-strip --with-security-key-builtin"
+ # See https://cygwin.com/git/?p=git/cygwin-packages/openssh.git;a=blob;f=openssh.cygport;hb=HEAD
+ CONFIGFLAGS="--with-xauth=/usr/bin/xauth --with-security-key-builtin"
+ CONFIGFLAGS="$CONFIGFLAGS --with-kerberos5=/usr --with-libedit --disable-strip"
;;
clang-12-Werror)
CC="clang-12"
@@ -41,10 +55,72 @@ case "$config" in
CFLAGS="-Wall -Wextra -O2 -Wno-error=implicit-fallthrough -Wno-error=unused-parameter"
CONFIGFLAGS="--with-pam --with-Werror"
;;
+ *-sanitize-*)
+ case "$config" in
+ gcc-*)
+ CC=gcc
+ ;;
+ clang-*)
+ # Find the newest available version of clang
+ for i in `seq 10 99`; do
+ clang="`which clang-$i 2>/dev/null`"
+ [ -x "$clang" ] && CC="$clang"
+ done
+ ;;
+ esac
+ # Put Sanitizer logs in regress dir.
+ SANLOGS=`pwd`/regress
+ # - We replace chroot with chdir so that the sanitizer in the preauth
+ # privsep process can read /proc.
+ # - clang does not recognizes explicit_bzero so we use bzero
+ # (see https://github.com/google/sanitizers/issues/1507
+ # - openssl and zlib trip ASAN.
+ # - sp_pwdp returned by getspnam trips ASAN, hence disabling shadow.
+ case "$config" in
+ *-sanitize-address)
+ CFLAGS="-fsanitize=address -fno-omit-frame-pointer"
+ LDFLAGS="-fsanitize=address"
+ CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -D_FORTIFY_SOURCE=0 -DASAN_OPTIONS=\"detect_leaks=0:log_path='$SANLOGS'/asan.log\"'
+ CONFIGFLAGS=""
+ TEST_TARGET="t-exec"
+ ;;
+ clang-sanitize-memory)
+ CFLAGS="-fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer"
+ LDFLAGS="-fsanitize=memory"
+ CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -DMSAN_OPTIONS=\"log_path='$SANLOGS'/msan.log\"'
+ CONFIGFLAGS="--without-zlib --without-shadow"
+ LIBCRYPTOFLAGS="--without-openssl"
+ TEST_TARGET="t-exec"
+ ;;
+ *-sanitize-undefined)
+ CFLAGS="-fsanitize=undefined"
+ LDFLAGS="-fsanitize=undefined"
+ ;;
+ *)
+ echo unknown sanitize option;
+ exit 1;;
+ esac
+ features="--disable-security-key --disable-pkcs11"
+ hardening="--without-sandbox --without-hardening --without-stackprotect"
+ privsep="--with-privsep-user=root"
+ CONFIGFLAGS="$CONFIGFLAGS $features $hardening $privsep"
+ # Because we hobble chroot we can't test it.
+ SKIP_LTESTS=sftp-chroot
+ ;;
gcc-11-Werror)
- CC="gcc"
+ CC="gcc-11"
+ # -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
+ # -Wunused-result ignores (void) so is not useful. See
+ # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66425
+ CFLAGS="-O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter -Wno-unused-result"
+ CONFIGFLAGS="--with-pam --with-Werror"
+ ;;
+ gcc-12-Werror)
+ CC="gcc-12"
# -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
- CFLAGS="-Wall -Wextra -O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter"
+ # -Wunused-result ignores (void) so is not useful. See
+ # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66425
+ CFLAGS="-O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter -Wno-unused-result"
CONFIGFLAGS="--with-pam --with-Werror"
;;
clang*|gcc*)
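Review bot: The `for i in \`seq 10 99\`` search in the `clang-*` arm leaves `CC` empty when no `clang-NN` binary is found, and nothing after the loop checks for that. `CC` was unset at the top of the file, so configure would presumably fall back to its default compiler and a "clang-sanitize-*" job could pass without ever using clang. A guard after the loop would make that failure visible: `[ -n "$CC" ] || { echo "no clang-NN found"; exit 1; }`. This arm also turns off the sandbox, hardening and stack protector, runs privsep as root and replaces `chroot`/`explicit_bzero`, so a comment such as `# Test-only build: security features are deliberately disabled, never install.` would help the next reader.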
@@ -53,7 +129,7 @@ case "$config" in
kitchensink)
CONFIGFLAGS="--with-kerberos5 --with-libedit --with-pam"
CONFIGFLAGS="${CONFIGFLAGS} --with-security-key-builtin --with-selinux"
- CONFIGFLAGS="${CONFIGFLAGS} --with-cflags=-DSK_DEBUG"
+ CFLAGS="-DSK_DEBUG -DSANDBOX_SECCOMP_FILTER_DEBUG"
;;
hardenedmalloc)
CONFIGFLAGS="--with-ldflags=-lhardened_malloc"
@@ -81,11 +157,25 @@ case "$config" in
CONFIGFLAGS="--with-pam"
SSHD_CONFOPTS="UsePam yes"
;;
+ boringssl)
+ CONFIGFLAGS="--disable-pkcs11"
+ LIBCRYPTOFLAGS="--with-ssl-dir=/opt/boringssl --with-rpath=-Wl,-rpath,"
+ ;;
libressl-*)
LIBCRYPTOFLAGS="--with-ssl-dir=/opt/libressl --with-rpath=-Wl,-rpath,"
;;
+ putty-*)
+ CONFIGFLAGS="--with-plink=/usr/local/bin/plink --with-puttygen=/usr/local/bin/puttygen"
+ # We don't need to rerun the regular tests, just the interop ones.
+ TEST_TARGET=interop-tests
+ ;;
openssl-*)
LIBCRYPTOFLAGS="--with-ssl-dir=/opt/openssl --with-rpath=-Wl,-rpath,"
+ # OpenSSL 1.1.1 specifically has a bug in its RNG that breaks reexec
+ # fallback. See https://bugzilla.mindrot.org/show_bug.cgi?id=3483
+ if [ "$config" = "openssl-1.1.1" ]; then
+ SKIP_LTESTS="reexec"
+ fi
;;
selinux)
CONFIGFLAGS="--with-selinux"
@@ -97,7 +187,7 @@ case "$config" in
LIBCRYPTOFLAGS="--without-openssl"
TEST_TARGET=t-exec
;;
- valgrind-[1-4]|valgrind-unit)
+ valgrind-[1-5]|valgrind-unit)
# rlimit sandbox and FORTIFY_SOURCE confuse Valgrind.
CONFIGFLAGS="--without-sandbox --without-hardening"
CONFIGFLAGS="$CONFIGFLAGS --with-cppflags=-D_FORTIFY_SOURCE=0"
@@ -106,15 +196,19 @@ case "$config" in
export TEST_SSH_ELAPSED_TIMES
# Valgrind slows things down enough that the agent timeout test
# won't reliably pass, and the unit tests run longer than allowed
- # by github so split into three separate tests.
- tests2="rekey integrity try-ciphers sftp"
- tests3="krl forward-control sshsig agent-restrict kextype"
+ # by github so split into separate tests.
+ tests2="integrity try-ciphers"
+ tests3="krl forward-control sshsig agent-restrict kextype sftp"
tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment percent"
+ tests5="rekey"
case "$config" in
valgrind-1)
- # All tests except agent-timeout (which is flaky under valgrind)
- #) and slow ones that run separately to increase parallelism.
- SKIP_LTESTS="agent-timeout ${tests2} ${tests3} ${tests4}"
+ # All tests except agent-timeout (which is flaky under valgrind),
+ # connection-timeout (which doesn't work since it's so slow)
+ # and hostbased (since valgrind won't let ssh exec keysign).
+ # Slow ones are run separately to increase parallelism.
+ SKIP_LTESTS="agent-timeout connection-timeout hostbased"
+ SKIP_LTESTS="$SKIP_LTESTS ${tests2} ${tests3} ${tests4} ${tests5}"
;;
valgrind-2)
LTESTS="${tests2}"
@@ -125,11 +219,18 @@ case "$config" in
valgrind-4)
LTESTS="${tests4}"
;;
+ valgrind-5)
+ LTESTS="${tests5}"
+ ;;
valgrind-unit)
TEST_TARGET="unit USE_VALGRIND=1"
;;
esac
;;
+ zlib-develop)
+ INSTALL_ZLIB=develop
+ CONFIGFLAGS="--with-zlib=/opt/zlib --with-rpath=-Wl,-rpath,"
+ ;;
*)
echo "Unknown configuration $config"
exit 1
@@ -139,21 +240,27 @@ esac
# The Solaris 64bit targets are special since they need a non-flag arg.
case "$config" in
sol64*)
- CONFIGFLAGS="x86_64 --with-cflags=-m64 --with-ldflags=-m64 ${CONFIGFLAGS}"
- LIBCRYPTOFLAGS="--with-ssl-dir=/usr/local/ssl64"
+ CONFIGFLAGS="--target=x86_64 --with-cflags=-m64 --with-ldflags=-m64 ${CONFIGFLAGS}"
+ LIBCRYPTOFLAGS="--with-ssl-dir=/usr/local/ssl64 --with-rpath=-Wl,-rpath,"
;;
esac
case "${TARGET_HOST}" in
aix*)
+ CONFIGFLAGS="--disable-security-key"
+ LIBCRYPTOFLAGS="--without-openssl"
# These are slow real or virtual machines so skip the slowest tests
# (which tend to be thw ones that transfer lots of data) so that the
# test run does not time out.
# The agent-restrict test fails due to some quoting issue when run
# with sh or ksh so specify bash for now.
- TEST_TARGET="t-exec TEST_SHELL=bash"
+ TEST_TARGET="t-exec unit TEST_SHELL=bash"
SKIP_LTESTS="rekey sftp"
;;
+ debian-riscv64)
+ # This machine is fairly slow, so skip the unit tests.
+ TEST_TARGET="t-exec"
+ ;;
dfly58*|dfly60*)
# scp 3-way connection hangs on these so skip until sorted.
SKIP_LTESTS=scp3
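Review bot: The new `CONFIGFLAGS="--disable-security-key"` in the `aix*)` arm assigns instead of appending, so any flags the earlier `$config` case selected are dropped on those hosts. The minix3 and openwrt arms later in this file use `CONFIGFLAGS="${CONFIGFLAGS} ..."`, which suggests the same was intended here: `CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"`. If discarding them is deliberate, a one-line comment saying so would prevent a well-meant "fix" later. The `case "${TARGET_HOST}"` block continues past the end of this hunk.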
@@ -166,14 +273,20 @@ case "${TARGET_HOST}" in
SKIP_LTESTS="forwarding multiplex proxy-connect hostkey-agent agent-ptrace"
;;
minix3)
- LIBCRYPTOFLAGS="--without-openssl --disable-security-key"
+ CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
+ # Unix domain sockets don't work quite like we expect, so also
+ # disable FD passing (and thus multiplexing).
+ CONFIGFLAGS="${CONFIGFLAGS} --disable-fd-passing"
+ LIBCRYPTOFLAGS="--without-openssl"
+
# Minix does not have a loopback interface so we have to skip any
# test that relies on one.
# Also, Minix seems to be very limited in the number of select()
# calls that can be operating concurrently, so prune additional tests for that.
- T="addrmatch agent-restrict brokenkeys cfgmatch cfgmatchlisten cfgparse connect
- connect-uri exit-status forward-control forwarding hostkey-agent
- key-options keyscan knownhosts-command login-timeout multiplex
+ T="addrmatch agent-restrict brokenkeys cfgmatch cfgmatchlisten cfgparse
+ connect connect-uri dynamic-forward exit-status forwarding
+ forward-control
+ hostkey-agent key-options keyscan knownhosts-command login-timeout
reconfigure reexec rekey scp scp-uri scp3 sftp sftp-badcmds
sftp-batch sftp-cmds sftp-glob sftp-perm sftp-uri stderr-data
transfer"
@@ -187,7 +300,8 @@ case "${TARGET_HOST}" in
CONFIGFLAGS="${CONFIGFLAGS} --without-hardening --disable-security-key"
;;
openwrt-*)
- CONFIGFLAGS="${CONFIGFLAGS} --without-openssl --without-zlib"
+ CONFIGFLAGS="${CONFIGFLAGS} --without-zlib"
+ LIBCRYPTOFLAGS="--without-openssl"
TEST_TARGET="t-exec"
;;
sol10|sol11)
@@ -201,23 +315,50 @@ case "${TARGET_HOST}" in
;;
esac
-# Unless specified otherwise, build without OpenSSL on Mac OS since
-# modern versions don't ship with libcrypto.
-case "`./config.guess`" in
+host=`./config.guess`
+case "$host" in
+*cygwin)
+ SUDO=""
+ # Don't run compat tests on cygwin as they don't currently compile.
+ TEST_TARGET="tests"
+ ;;
*-darwin*)
+ # Unless specified otherwise, build without OpenSSL on Mac OS since
+ # modern versions don't ship with libcrypto.
LIBCRYPTOFLAGS="--without-openssl"
TEST_TARGET=t-exec
+
+ # On some OS X runners we can't write to /var/empty.
+ CONFIGFLAGS="${CONFIGFLAGS} --with-privsep-path=/usr/local/empty"
+
+ case "$host" in
+ *-darwin22.*)
+ # sudo -S nobody doesn't work on macos 13 for some reason.
+ SKIP_LTESTS="agent-getpeereid" ;;
+ esac
;;
esac
-# If we have a local openssl/libressl, use that.
+# Unless specifically configured, search for a suitable version of OpenSSL,
+# otherwise build without it.
if [ -z "${LIBCRYPTOFLAGS}" ]; then
+ LIBCRYPTOFLAGS="--without-openssl"
# last-match
- for i in /usr/local /usr/local/ssl /usr/local/opt/openssl; do
+ for i in /usr /usr/local /usr/local/ssl /usr/local/opt/openssl; do
+ ver="none"
if [ -x ${i}/bin/openssl ]; then
- LIBCRYPTOFLAGS="--with-ssl-dir=${i}"
+ ver="$(${i}/bin/openssl version)"
fi
+ case "$ver" in
+ none) ;;
+ "OpenSSL 0."*|"OpenSSL 1.0."*|"OpenSSL 1.1.0"*) ;;
+ "LibreSSL 2."*|"LibreSSL 3.0."*) ;;
+ *) LIBCRYPTOFLAGS="--with-ssl-dir=${i}" ;;
+ esac
done
+ if [ "${LIBCRYPTOFLAGS}" = "--without-openssl" ]; then
+ TEST_TARGET="t-exec"
+ fi
fi
CONFIGFLAGS="${CONFIGFLAGS} ${LIBCRYPTOFLAGS}"
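Review bot: The version filter in the OpenSSL search loop is a deny-list, so any `ver` value that is not listed falls through to `*)` and selects that directory. This includes an empty string, which is what `$(${i}/bin/openssl version)` yields when the binary is executable but fails to run. Adding `none|"") ;;` as the first arm, or matching only known-good prefixes, would stop a broken install from being picked. Quoting the command path as `"${i}/bin/openssl"` would also be safer. Separately, `SKIP_LTESTS="agent-getpeereid"` in the `*-darwin22.*` arm overwrites any skips set by the earlier config case; `SKIP_LTESTS="$SKIP_LTESTS agent-getpeereid"` would keep them.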
@@ -227,5 +368,5 @@ if [ -x "$(which plink 2>/dev/null)" ]; then
export REGRESS_INTEROP_PUTTY
fi
-export CC CFLAGS LTESTS SUDO
+export CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
export TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS TEST_SSH_FAIL_FATAL
diff --git a/crypto/openssh/.github/configure.sh b/crypto/openssh/.github/configure.sh
index 502bf5f0d407..bd0037702d6a 100755
--- a/crypto/openssh/.github/configure.sh
+++ b/crypto/openssh/.github/configure.sh
@@ -18,4 +18,4 @@ if [ "x$LDFLAGS" != "x" ]; then
fi
echo ./configure ${CONFIGFLAGS}
-./configure ${CONFIGFLAGS}
+./configure ${CONFIGFLAGS} 2>&1
diff --git a/crypto/openssh/.github/run_test.sh b/crypto/openssh/.github/run_test.sh
index adf2568ad1e2..d5fd487d9009 100755
--- a/crypto/openssh/.github/run_test.sh
+++ b/crypto/openssh/.github/run_test.sh
@@ -6,8 +6,22 @@
set -ex
+# If we want to test hostbased auth, set up the host for it.
+if [ ! -z "$SUDO" ] && [ ! -z "$TEST_SSH_HOSTBASED_AUTH" ]; then
+ sshconf=/usr/local/etc
+ hostname | $SUDO tee $sshconf/shosts.equiv >/dev/null
+ echo "EnableSSHKeysign yes" | $SUDO tee $sshconf/ssh_config >/dev/null
+ $SUDO mkdir -p $sshconf
+ $SUDO cp -p /etc/ssh/ssh_host*key* $sshconf
+ $SUDO make install
+ for key in $sshconf/ssh_host*key*.pub; do
+ echo `hostname` `cat $key` | \
+ $SUDO tee -a $sshconf/ssh_known_hosts >/dev/null
+ done
+fi
+
output_failed_logs() {
- for i in regress/failed*; do
+ for i in regress/failed*.log; do
if [ -f "$i" ]; then
echo -------------------------------------------------------------------------
echo LOGFILE $i
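Review bot: The two `$SUDO tee $sshconf/...` writes in the hostbased setup run before `$SUDO mkdir -p $sshconf`, so on a host where `/usr/local/etc` does not yet exist the first `tee` fails and `set -ex` aborts the script. Moving the `mkdir -p` to directly after `sshconf=/usr/local/etc` fixes the ordering. The block also copies the machine's host private keys, overwrites `ssh_config` and appends to `ssh_known_hosts` on every run. A comment such as `# Modifies system-wide ssh config; intended for throwaway CI hosts only.` would make that expectation explicit, and quoting `"$sshconf"` and `"$key"` would be tidier. `output_failed_logs` continues past the end of the hunk.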
diff --git a/crypto/openssh/.github/setup_ci.sh b/crypto/openssh/.github/setup_ci.sh
index a3bb8587eab1..f0f2761c7107 100755
--- a/crypto/openssh/.github/setup_ci.sh
+++ b/crypto/openssh/.github/setup_ci.sh
@@ -1,25 +1,59 @@
#!/bin/sh
+PACKAGES=""
+
. .github/configs $@
-case "`./config.guess`" in
+host=`./config.guess`
+echo "config.guess: $host"
+case "$host" in
+*cygwin)
+ PACKAGER=setup
+ echo Setting CYGWIN system environment variable.
+ setx CYGWIN "binmode"
+ echo Removing extended ACLs so umask works as expected.
+ setfacl -b . regress
+ PACKAGES="$PACKAGES,autoconf,automake,cygwin-devel,gcc-core"
+ PACKAGES="$PACKAGES,make,openssl-devel,zlib-devel"
+ ;;
*-darwin*)
- brew install automake
- exit 0
+ PACKAGER=brew
+ PACKAGES="automake"
;;
+*)
+ PACKAGER=apt
esac
TARGETS=$@
-PACKAGES=""
INSTALL_FIDO_PPA="no"
export DEBIAN_FRONTEND=noninteractive
-#echo "Setting up for '$TARGETS'"
+set -e
-set -ex
+if [ -x "`which lsb_release 2>&1`" ]; then
+ lsb_release -a
+fi
-lsb_release -a
+if [ ! -z "$SUDO" ]; then
+ # Ubuntu 22.04 defaults to private home dirs which prevent the
+ # agent-getpeerid test from running ssh-add as nobody. See
+ # https://github.com/actions/runner-images/issues/6106
+ if ! "$SUDO" -u nobody test -x ~; then
+ echo ~ is not executable by nobody, adding perms.
+ chmod go+x ~
+ fi
+ # Some of the Mac OS X runners don't have a nopasswd sudo rule. Regular
+ # sudo still works, but sudo -u doesn't. Restore the sudo rule.
+ if ! "$SUDO" grep -E 'runner.*NOPASSWD' /etc/passwd >/dev/null; then
+ echo "Restoring runner nopasswd rule to sudoers."
+ echo 'runner ALL=(ALL) NOPASSWD: ALL' |$SUDO tee -a /etc/sudoers
+ fi
+ if ! "$SUDO" -u nobody -S test -x ~ </dev/null; then
+ echo "Still can't sudo to nobody."
+ exit 1
+ fi
+fi
if [ "${TARGETS}" = "kitchensink" ]; then
TARGETS="krb5 libedit pam sk selinux"
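Review bot: The sudoers check greps the wrong file: `"$SUDO" grep -E 'runner.*NOPASSWD' /etc/passwd` can never match a sudo rule, so whenever `SUDO` is set `runner ALL=(ALL) NOPASSWD: ALL` is appended to `/etc/sudoers` on every run, not only on the Mac runners the comment describes. The test should read `/etc/sudoers`: `if ! "$SUDO" grep -E 'runner.*NOPASSWD' /etc/sudoers >/dev/null; then`. Appending to the main sudoers file without validation is also fragile; a drop-in under `/etc/sudoers.d/` checked with `visudo -c` would be safer, and it keeps a blanket passwordless-root grant easy to find and remove. `. .github/configs $@` and `TARGETS=$@` would be more robust as `"$@"` and `"$*"`.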
@@ -27,16 +61,25 @@ fi
for flag in $CONFIGFLAGS; do
case "$flag" in
- --with-pam) PACKAGES="${PACKAGES} libpam0g-dev" ;;
- --with-libedit) PACKAGES="${PACKAGES} libedit-dev" ;;
+ --with-pam) TARGETS="${TARGETS} pam" ;;
+ --with-libedit) TARGETS="${TARGETS} libedit" ;;
esac
done
+echo "Setting up for '$TARGETS'"
for TARGET in $TARGETS; do
case $TARGET in
- default|without-openssl|without-zlib|c89|libedit|*pam)
+ default|without-openssl|without-zlib|c89)
# nothing to do
;;
+ clang-sanitize*)
+ PACKAGES="$PACKAGES clang-12"
+ ;;
+ cygwin-release)
+ PACKAGES="$PACKAGES libcrypt-devel libfido2-devel libkrb5-devel"
+ ;;
+ gcc-sanitize*)
+ ;;
clang-*|gcc-*)
compiler=$(echo $TARGET | sed 's/-Werror//')
PACKAGES="$PACKAGES $compiler"
@@ -47,6 +90,17 @@ for TARGET in $TARGETS; do
heimdal)
PACKAGES="$PACKAGES heimdal-dev"
;;
+ libedit)
+ case "$PACKAGER" in
+ setup) PACKAGES="$PACKAGES libedit-devel" ;;
+ apt) PACKAGES="$PACKAGES libedit-dev" ;;
+ esac
+ ;;
+ *pam)
+ case "$PACKAGER" in
+ apt) PACKAGES="$PACKAGES libpam0g-dev" ;;
+ esac
+ ;;
sk)
INSTALL_FIDO_PPA="yes"
PACKAGES="$PACKAGES libfido2-dev libu2f-host-dev libcbor-dev"
@@ -74,7 +128,7 @@ for TARGET in $TARGETS; do
1.*) INSTALL_OPENSSL="OpenSSL_$(echo ${INSTALL_OPENSSL} | tr . _)" ;;
3.*) INSTALL_OPENSSL="openssl-${INSTALL_OPENSSL}" ;;
esac
- PACKAGES="${PACKAGES} putty-tools"
+ PACKAGES="${PACKAGES} putty-tools dropbear-bin"
;;
libressl-*)
INSTALL_LIBRESSL=$(echo ${TARGET} | cut -f2 -d-)
@@ -82,11 +136,21 @@ for TARGET in $TARGETS; do
master) ;;
*) INSTALL_LIBRESSL="$(echo ${TARGET} | cut -f2 -d-)" ;;
esac
- PACKAGES="${PACKAGES} putty-tools"
+ PACKAGES="${PACKAGES} putty-tools dropbear-bin"
+ ;;
+ boringssl)
+ INSTALL_BORINGSSL=1
+ PACKAGES="${PACKAGES} cmake ninja-build"
;;
+ putty-*)
+ INSTALL_PUTTY=$(echo "${TARGET}" | cut -f2 -d-)
+ PACKAGES="${PACKAGES} cmake"
+ ;;
valgrind*)
PACKAGES="$PACKAGES valgrind"
;;
+ zlib-*)
+ ;;
*) echo "Invalid option '${TARGET}'"
exit 1
;;
@@ -99,16 +163,43 @@ if [ "yes" = "$INSTALL_FIDO_PPA" ]; then
sudo apt-add-repository -y ppa:yubico/stable
fi
-if [ "x" != "x$PACKAGES" ]; then
- sudo apt update -qq
- sudo apt install -qy $PACKAGES
+tries=3
+while [ ! -z "$PACKAGES" ] && [ "$tries" -gt "0" ]; do
+ case "$PACKAGER" in
+ apt)
+ sudo apt update -qq
+ if sudo apt install -qy $PACKAGES; then
+ PACKAGES=""
+ fi
+ ;;
+ brew)
+ if [ ! -z "PACKAGES" ]; then
+ if brew install $PACKAGES; then
+ PACKAGES=""
+ fi
+ fi
+ ;;
+ setup)
+ if /cygdrive/c/setup.exe -q -P `echo "$PACKAGES" | tr ' ' ,`; then
+ PACKAGES=""
+ fi
+ ;;
+ esac
+ if [ ! -z "$PACKAGES" ]; then
+ sleep 90
+ fi
+ tries=$(($tries - 1))
+done
+if [ ! -z "$PACKAGES" ]; then
+ echo "Package installation failed."
+ exit 1
fi
if [ "${INSTALL_HARDENED_MALLOC}" = "yes" ]; then
(cd ${HOME} &&
git clone https://github.com/GrapheneOS/hardened_malloc.git &&
cd ${HOME}/hardened_malloc &&
- make -j2 && sudo cp out/libhardened_malloc.so /usr/lib/)
+ make && sudo cp out/libhardened_malloc.so /usr/lib/)
fi
if [ ! -z "${INSTALL_OPENSSL}" ]; then
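Review bot: In the `brew)` arm, `if [ ! -z "PACKAGES" ]` tests the literal string `PACKAGES`, which is always non-empty, so the condition is always true. It is harmless today because the enclosing `while` already checks `$PACKAGES`, but it reads as a real guard; either write `if [ ! -z "$PACKAGES" ]` or drop the inner `if`. The `apt)` arm calls `sudo` directly while the rest of the script honours `$SUDO`, which may matter on hosts where `SUDO` is intentionally empty.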
@@ -129,13 +220,50 @@ if [ ! -z "${INSTALL_LIBRESSL}" ]; then
git checkout ${INSTALL_LIBRESSL} &&
sh update.sh && sh autogen.sh &&
./configure --prefix=/opt/libressl &&
- make -j2 && sudo make install)
+ make && sudo make install)
else
LIBRESSL_URLBASE=https://cdn.openbsd.org/pub/OpenBSD/LibreSSL
(cd ${HOME} &&
wget ${LIBRESSL_URLBASE}/libressl-${INSTALL_LIBRESSL}.tar.gz &&
tar xfz libressl-${INSTALL_LIBRESSL}.tar.gz &&
cd libressl-${INSTALL_LIBRESSL} &&
- ./configure --prefix=/opt/libressl && make -j2 && sudo make install)
+ ./configure --prefix=/opt/libressl && make && sudo make install)
fi
fi
+
+if [ ! -z "${INSTALL_BORINGSSL}" ]; then
+ (cd ${HOME} && git clone https://boringssl.googlesource.com/boringssl &&
+ cd ${HOME}/boringssl && mkdir build && cd build &&
+ cmake -GNinja -DCMAKE_POSITION_INDEPENDENT_CODE=ON .. && ninja &&
+ mkdir -p /opt/boringssl/lib &&
+ cp ${HOME}/boringssl/build/crypto/libcrypto.a /opt/boringssl/lib &&
+ cp -r ${HOME}/boringssl/include /opt/boringssl)
+fi
+
+if [ ! -z "${INSTALL_ZLIB}" ]; then
+ (cd ${HOME} && git clone https://github.com/madler/zlib.git &&
+ cd ${HOME}/zlib && ./configure && make &&
+ sudo make install prefix=/opt/zlib)
+fi
+
+if [ ! -z "${INSTALL_PUTTY}" ]; then
+ ver="${INSTALL_PUTTY}"
+ case "${INSTALL_PUTTY}" in
+ snapshot)
+ tarball=putty.tar.gz
+ (cd /tmp && wget https://tartarus.org/~simon/putty-snapshots/${tarball})
+ ;;
+ *)
+ tarball=putty-${ver}.tar.gz
+ (cd /tmp && wget https://the.earth.li/~sgtatham/putty/${ver}/${tarball})
+ ;;
+ esac
+ (cd ${HOME} && tar xfz /tmp/${tarball} && cd putty-*
+ if [ -f CMakeLists.txt ]; then
+ cmake . && cmake --build . && sudo cmake --build . --target install
+ else
+ ./configure && make && sudo make install
+ fi
+ )
+ /usr/local/bin/plink -V
+fi
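Review bot: None of the three new install blocks verifies what it downloads before building it, and zlib and PuTTY are then installed via `sudo`. The boringssl and zlib clones take whatever the default branch tip is at run time, and the PuTTY tarball is fetched with `wget` and unpacked with no checksum or signature check. For the versioned PuTTY releases, an expected SHA-256 per version (placeholder: `<sha256-for-putty-${ver}>`) could be compared with `sha256sum -c` before `tar xfz`. The git clones could check out a pinned commit where the job is not explicitly tracking the development tip. A short comment on the `snapshot` and `develop` cases, stating that they intentionally track unpinned upstream code, would document the accepted risk. The boringssl block also writes to `/opt/boringssl` without `sudo`, unlike the other installs; this presumably relies on runner permissions and should be confirmed.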
diff --git a/crypto/openssh/.github/workflows/c-cpp.yml b/crypto/openssh/.github/workflows/c-cpp.yml
index b778c9804203..edb88f23c0fb 100644
--- a/crypto/openssh/.github/workflows/c-cpp.yml
+++ b/crypto/openssh/.github/workflows/c-cpp.yml
@@ -2,9 +2,9 @@ name: C/C++ CI
on:
push:
- branches: [ master, ci ]
+ paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ]
pull_request:
- branches: [ master ]
+ paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ]
jobs:
ci:
@@ -13,92 +13,132 @@ jobs:
fail-fast: false
matrix:
# First we test all OSes in the default configuration.
- os: [ubuntu-20.04, ubuntu-18.04, macos-10.15, macos-11.0]
- configs: [default]
+ target:
+ - ubuntu-20.04
+ - ubuntu-22.04
+ - macos-11
+ - macos-12
+ - macos-13
+ - windows-2019
+ - windows-2022
+ config: [default]
# Then we include any extra configs we want to test for specific VMs.
# Valgrind slows things down quite a bit, so start them first.
include:
- - { os: ubuntu-20.04, configs: valgrind-1 }
- - { os: ubuntu-20.04, configs: valgrind-2 }
- - { os: ubuntu-20.04, configs: valgrind-3 }
- - { os: ubuntu-20.04, configs: valgrind-4 }
- - { os: ubuntu-20.04, configs: valgrind-unit }
- - { os: ubuntu-20.04, configs: c89 }
- - { os: ubuntu-20.04, configs: clang-6.0 }
- - { os: ubuntu-20.04, configs: clang-8 }
- - { os: ubuntu-20.04, configs: clang-9 }
- - { os: ubuntu-20.04, configs: clang-10 }
- - { os: ubuntu-20.04, configs: clang-11 }
- - { os: ubuntu-20.04, configs: clang-12-Werror }
- - { os: ubuntu-20.04, configs: gcc-7 }
- - { os: ubuntu-20.04, configs: gcc-8 }
- - { os: ubuntu-20.04, configs: gcc-10 }
- - { os: ubuntu-20.04, configs: gcc-11-Werror }
- - { os: ubuntu-20.04, configs: pam }
- - { os: ubuntu-20.04, configs: kitchensink }
- - { os: ubuntu-20.04, configs: hardenedmalloc }
- - { os: ubuntu-20.04, configs: tcmalloc }
- - { os: ubuntu-20.04, configs: musl }
- - { os: ubuntu-latest, configs: libressl-master }
- - { os: ubuntu-latest, configs: libressl-2.2.9 }
- - { os: ubuntu-latest, configs: libressl-2.8.3 }
- - { os: ubuntu-latest, configs: libressl-3.0.2 }
- - { os: ubuntu-latest, configs: libressl-3.2.6 }
- - { os: ubuntu-latest, configs: libressl-3.3.4 }
- - { os: ubuntu-latest, configs: libressl-3.4.1 }
- - { os: ubuntu-latest, configs: libressl-3.5.0 }
- - { os: ubuntu-latest, configs: openssl-master }
- - { os: ubuntu-latest, configs: openssl-noec }
- - { os: ubuntu-latest, configs: openssl-1.0.1 }
- - { os: ubuntu-latest, configs: openssl-1.0.1u }
- - { os: ubuntu-latest, configs: openssl-1.0.2u }
- - { os: ubuntu-latest, configs: openssl-1.1.0h }
- - { os: ubuntu-latest, configs: openssl-1.1.1 }
- - { os: ubuntu-latest, configs: openssl-1.1.1k }
- - { os: ubuntu-latest, configs: openssl-1.1.1m }
- - { os: ubuntu-latest, configs: openssl-3.0.0 }
- - { os: ubuntu-latest, configs: openssl-3.0.1 }
- - { os: ubuntu-latest, configs: openssl-1.1.1_stable } # stable branch
- - { os: ubuntu-latest, configs: openssl-3.0 } # stable branch
- - { os: ubuntu-18.04, configs: pam }
- - { os: ubuntu-18.04, configs: krb5 }
- - { os: ubuntu-18.04, configs: heimdal }
- - { os: ubuntu-18.04, configs: libedit }
- - { os: ubuntu-18.04, configs: sk }
- - { os: ubuntu-18.04, configs: selinux }
- - { os: ubuntu-18.04, configs: kitchensink }
- - { os: ubuntu-18.04, configs: without-openssl }
- - { os: macos-10.15, configs: pam }
- - { os: macos-11.0, configs: pam }
- runs-on: ${{ matrix.os }}
+ - { target: windows-2019, config: cygwin-release }
+ - { target: windows-2022, config: cygwin-release }
+ - { target: ubuntu-20.04, config: valgrind-1 }
+ - { target: ubuntu-20.04, config: valgrind-2 }
+ - { target: ubuntu-20.04, config: valgrind-3 }
+ - { target: ubuntu-20.04, config: valgrind-4 }
+ - { target: ubuntu-20.04, config: valgrind-5 }
+ - { target: ubuntu-20.04, config: valgrind-unit }
+ - { target: ubuntu-20.04, config: c89 }
+ - { target: ubuntu-20.04, config: clang-6.0 }
+ - { target: ubuntu-20.04, config: clang-8 }
+ - { target: ubuntu-20.04, config: clang-9 }
+ - { target: ubuntu-20.04, config: clang-10 }
+ - { target: ubuntu-20.04, config: clang-11 }
+ - { target: ubuntu-20.04, config: clang-12-Werror }
+ - { target: ubuntu-20.04, config: clang-sanitize-address }
+ - { target: ubuntu-20.04, config: clang-sanitize-undefined }
+ - { target: ubuntu-20.04, config: gcc-sanitize-address }
+ - { target: ubuntu-20.04, config: gcc-sanitize-undefined }
+ - { target: ubuntu-20.04, config: gcc-7 }
+ - { target: ubuntu-20.04, config: gcc-8 }
+ - { target: ubuntu-20.04, config: gcc-10 }
+ - { target: ubuntu-22.04, config: gcc-11-Werror }
+ - { target: ubuntu-22.04, config: gcc-12-Werror }
+ - { target: ubuntu-20.04, config: pam }
+ - { target: ubuntu-20.04, config: kitchensink }
+ - { target: ubuntu-22.04, config: hardenedmalloc }
+ - { target: ubuntu-20.04, config: tcmalloc }
+ - { target: ubuntu-20.04, config: musl }
+ - { target: ubuntu-latest, config: boringssl }
+ - { target: ubuntu-latest, config: libressl-master }
+ - { target: ubuntu-latest, config: libressl-3.2.6 }
+ - { target: ubuntu-latest, config: libressl-3.3.6 }
+ - { target: ubuntu-latest, config: libressl-3.4.3 }
+ - { target: ubuntu-latest, config: libressl-3.5.3 }
+ - { target: ubuntu-latest, config: libressl-3.6.1 }
+ - { target: ubuntu-latest, config: libressl-3.7.2 }
+ - { target: ubuntu-latest, config: libressl-3.8.3 }
+ - { target: ubuntu-latest, config: libressl-3.9.0 }
+ - { target: ubuntu-latest, config: openssl-master }
+ - { target: ubuntu-latest, config: openssl-noec }
+ - { target: ubuntu-latest, config: openssl-1.1.1 }
+ - { target: ubuntu-latest, config: openssl-1.1.1t }
+ - { target: ubuntu-latest, config: openssl-1.1.1w }
+ - { target: ubuntu-latest, config: openssl-3.0.0 }
+ - { target: ubuntu-latest, config: openssl-3.0.13 }
+ - { target: ubuntu-latest, config: openssl-3.1.0 }
+ - { target: ubuntu-latest, config: openssl-3.1.5 }
+ - { target: ubuntu-latest, config: openssl-3.2.1 }
+ - { target: ubuntu-latest, config: openssl-1.1.1_stable }
+ - { target: ubuntu-latest, config: openssl-3.0 } # stable branch
+ - { target: ubuntu-latest, config: openssl-3.2 } # stable branch
+ - { target: ubuntu-latest, config: putty-0.71 }
+ - { target: ubuntu-latest, config: putty-0.72 }
+ - { target: ubuntu-latest, config: putty-0.73 }
+ - { target: ubuntu-latest, config: putty-0.74 }
+ - { target: ubuntu-latest, config: putty-0.75 }
+ - { target: ubuntu-latest, config: putty-0.76 }
+ - { target: ubuntu-latest, config: putty-0.77 }
+ - { target: ubuntu-latest, config: putty-0.78 }
+ - { target: ubuntu-latest, config: putty-0.79 }
+ - { target: ubuntu-latest, config: putty-0.80 }
+ - { target: ubuntu-latest, config: putty-snapshot }
+ - { target: ubuntu-latest, config: zlib-develop }
+ - { target: ubuntu-22.04, config: pam }
+ - { target: ubuntu-22.04, config: krb5 }
+ - { target: ubuntu-22.04, config: heimdal }
+ - { target: ubuntu-22.04, config: libedit }
+ - { target: ubuntu-22.04, config: sk }
+ - { target: ubuntu-22.04, config: selinux }
+ - { target: ubuntu-22.04, config: kitchensink }
+ - { target: ubuntu-22.04, config: without-openssl }
+ - { target: macos-11, config: pam }
+ - { target: macos-12, config: pam }
+ - { target: macos-13, config: pam }
+ runs-on: ${{ matrix.target }}
steps:
- - uses: actions/checkout@v2
+ - name: set cygwin git params
+ if: ${{ startsWith(matrix.target, 'windows') }}
+ run: git config --global core.autocrlf input
+ - name: install cygwin
+ if: ${{ startsWith(matrix.target, 'windows') }}
+ uses: cygwin/cygwin-install-action@master
+ - uses: actions/checkout@main
- name: setup CI system
- run: ./.github/setup_ci.sh ${{ matrix.configs }}
+ run: sh ./.github/setup_ci.sh ${{ matrix.config }}
- name: autoreconf
- run: autoreconf
+ run: sh -c autoreconf
- name: configure
- run: ./.github/configure.sh ${{ matrix.configs }}
+ run: sh ./.github/configure.sh ${{ matrix.config }}
- name: save config
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@main
with:
- name: ${{ matrix.os }}-${{ matrix.configs }}-config
+ name: ${{ matrix.target }}-${{ matrix.config }}-config
path: config.h
- name: make clean
run: make clean
- name: make
- run: make -j2
+ run: make
- name: make tests
- run: ./.github/run_test.sh ${{ matrix.configs }}
+ run: sh ./.github/run_test.sh ${{ matrix.config }}
env:
TEST_SSH_UNSAFE_PERMISSIONS: 1
+ TEST_SSH_HOSTBASED_AUTH: yes
- name: save logs
if: failure()
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@main
with:
- name: ${{ matrix.os }}-${{ matrix.configs }}-logs
+ name: ${{ matrix.target }}-${{ matrix.config }}-logs
path: |
config.h
config.log
regress/*.log
regress/valgrind-out/
+ regress/asan.log.*
+ regress/msan.log.*
+ regress/log/*
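Review bot: The steps now reference actions by mutable branch names (`cygwin/cygwin-install-action@master`, `actions/checkout@main`, `actions/upload-artifact@main`), so whatever lands on those branches runs in this job with the job's token and workspace. The previous `@v2` tags were already movable, and this widens the exposure further. Pinning to a full commit SHA with the version in a trailing comment is the usual hardening, e.g. `uses: actions/checkout@<full-commit-sha> # <version>`. The same applies to the `@master` and `@main` references in the new cifuzz.yml later in this commit.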
diff --git a/crypto/openssh/.github/workflows/cifuzz.yml b/crypto/openssh/.github/workflows/cifuzz.yml
new file mode 100644
index 000000000000..7ca8c4719b61
--- /dev/null
+++ b/crypto/openssh/.github/workflows/cifuzz.yml
@@ -0,0 +1,32 @@
+name: CIFuzz
+on:
+ push:
+ paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ]
+ pull_request:
+ paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ]
+
+jobs:
+ Fuzzing:
+ if: github.repository != 'openssh/openssh-portable-selfhosted'
+ runs-on: ubuntu-latest
+ steps:
+ - name: Build Fuzzers
+ id: build
+ uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
+ with:
+ oss-fuzz-project-name: 'openssh'
+ dry-run: false
+ language: c++
+ - name: Run Fuzzers
+ uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
+ with:
+ oss-fuzz-project-name: 'openssh'
+ fuzz-seconds: 600
+ dry-run: false
+ language: c++
+ - name: Upload Crash
+ uses: actions/upload-artifact@main
+ if: failure() && steps.build.outcome == 'success'
+ with:
+ name: artifacts
+ path: ./out/artifacts
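Review bot: All three `uses:` lines in this new workflow point at mutable branch refs (`google/oss-fuzz/infra/cifuzz/actions/...@master` for the build and run steps, `actions/upload-artifact@main` for the crash upload), so the code that runs is whatever sits at the branch tip at job time and can change without any commit here. Pinning each to a full commit SHA, e.g. `uses: actions/upload-artifact@<full-commit-sha>  # <release tag>`, keeps the executed action reviewable. The same applies to the `actions/checkout@main`, `actions/upload-artifact@main` and `cygwin/cygwin-install-action@master` lines in the c-cpp.yml, selfhosted.yml and upstream.yml hunks, where the self-hosted jobs include persistent VMs and physical hosts. The file also sets no `permissions:` key although it triggers on `pull_request`, so the job token gets the repository default. A top-level `permissions:` block with `contents: read` would scope it down, assuming the CIFuzz actions need nothing more.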
diff --git a/crypto/openssh/.github/workflows/selfhosted.yml b/crypto/openssh/.github/workflows/selfhosted.yml
index ec2c29825c85..4f1c587a5779 100644
--- a/crypto/openssh/.github/workflows/selfhosted.yml
+++ b/crypto/openssh/.github/workflows/selfhosted.yml
@@ -2,107 +2,125 @@ name: C/C++ CI self-hosted
on:
push:
- branches: [ master, ci ]
+ paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ]
jobs:
selfhosted:
if: github.repository == 'openssh/openssh-portable-selfhosted'
- runs-on: ${{ matrix.os }}
+ runs-on: ${{ matrix.host }}
+ timeout-minutes: 600
env:
- TARGET_HOST: ${{ matrix.os }}
+ HOST: ${{ matrix.host }}
+ TARGET_HOST: ${{ matrix.target }}
+ TARGET_CONFIG: ${{ matrix.config }}
strategy:
fail-fast: false
# We use a matrix in two parts: firstly all of the VMs are tested with the
- # default config. "os" corresponds to a label associated with the worker.
+ # default config. "target" corresponds to a label associated with the
+ # worker. The default is an ephemeral VM running under libvirt.
matrix:
- os:
- - aix51
- - ARM64
+ target:
- alpine
- - bbone
+ - centos7
- debian-i386
- dfly30
- dfly48
- - dfly58
- dfly60
- - fbsd6
+ - dfly62
+ - dfly64
- fbsd10
- fbsd12
- fbsd13
- # - hurd
+ - fbsd14
- minix3
- # - nbsd2
- nbsd3
- nbsd4
- nbsd8
- nbsd9
- obsd51
- obsd67
- - obsd69
- - obsd70
+ - obsd72
+ - obsd73
+ - obsd74
- obsdsnap
+ - obsdsnap-i386
- openindiana
- - openwrt-mips
- - openwrt-mipsel
- # - rocky84
- - sol10
- - sol11
- - win10
- configs:
+ - ubuntu-2204
+ config:
- default
- # Then we include any extra configs we want to test for specific VMs.
+ host:
+ - libvirt
include:
- - { os: ARM64, configs: pam }
- - { os: debian-i386, configs: pam }
- - { os: dfly30, configs: without-openssl}
- - { os: dfly48, configs: pam }
- - { os: dfly58, configs: pam }
- - { os: dfly60, configs: pam }
- - { os: fbsd6, configs: pam }
- - { os: fbsd10, configs: pam }
- - { os: fbsd12, configs: pam }
- - { os: fbsd13, configs: pam }
- - { os: nbsd8, configs: pam }
- - { os: nbsd9, configs: pam }
- - { os: openindiana, configs: pam }
- # - { os: rocky84, configs: pam }
- - { os: sol10, configs: pam }
- - { os: sol11, configs: pam-krb5 }
- - { os: sol11, configs: sol64 }
- # - { os: sol11, configs: sol64-pam }
- - { os: win10, configs: cygwin-release }
+ # Long-running/slow tests have access to high priority runners.
+ - { target: aix51, config: default, host: libvirt-hipri }
+ - { target: openindiana, config: pam, host: libvirt-hipri }
+ - { target: sol10, config: default, host: libvirt-hipri }
+ - { target: sol10, config: pam, host: libvirt-hipri }
+ - { target: sol11, config: default, host: libvirt-hipri }
+ - { target: sol11, config: pam-krb5, host: libvirt-hipri }
+ - { target: sol11, config: sol64, host: libvirt-hipri }
+ # Then we include extra libvirt test configs.
+ - { target: centos7, config: pam, host: libvirt }
+ - { target: debian-i386, config: pam, host: libvirt }
+ - { target: dfly30, config: without-openssl, host: libvirt}
+ - { target: dfly48, config: pam ,host: libvirt }
+ - { target: dfly58, config: pam, host: libvirt }
+ - { target: dfly60, config: pam, host: libvirt }
+ - { target: dfly62, config: pam, host: libvirt }
+ - { target: fbsd10, config: pam, host: libvirt }
+ - { target: fbsd12, config: pam, host: libvirt }
+ - { target: fbsd13, config: pam, host: libvirt }
+ - { target: fbsd14, config: pam, host: libvirt }
+ - { target: nbsd8, config: pam, host: libvirt }
+ - { target: nbsd9, config: pam, host: libvirt }
+ - { target: nbsd10, config: pam, host: libvirt }
+ # VMs with persistent disks that have their own runner.
+ - { target: win10, config: default, host: win10 }
+ - { target: win10, config: cygwin-release, host: win10 }
+ # Physical hosts, with either native runners or remote via ssh.
+ - { target: ARM, config: default, host: ARM }
+ - { target: ARM64, config: default, host: ARM64 }
+ - { target: ARM64, config: pam, host: ARM64 }
+ - { target: debian-riscv64, config: default, host: debian-riscv64 }
+ - { target: obsd-arm64, config: default, host: obsd-arm64 }
+ - { target: openwrt-mips, config: default, host: openwrt-mips }
+ - { target: openwrt-mipsel, config: default, host: openwrt-mipsel }
steps:
- - uses: actions/checkout@v2
- - name: autoreconf
- run: autoreconf
- name: shutdown VM if running
run: vmshutdown
+ working-directory: ${{ runner.temp }}
+ - uses: actions/checkout@main
+ - name: autoreconf
+ run: autoreconf
- name: startup VM
run: vmstartup
+ working-directory: ${{ runner.temp }}
- name: configure
- run: vmrun ./.github/configure.sh ${{ matrix.configs }}
+ run: vmrun ./.github/configure.sh ${{ matrix.config }}
- name: save config
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@main
with:
- name: ${{ matrix.os }}-${{ matrix.configs }}-config
+ name: ${{ matrix.target }}-${{ matrix.config }}-config
path: config.h
- name: make clean
run: vmrun make clean
- name: make
run: vmrun make
- name: make tests
- run: vmrun ./.github/run_test.sh ${{ matrix.configs }}
+ run: vmrun ./.github/run_test.sh ${{ matrix.config }}
timeout-minutes: 600
- name: save logs
if: failure()
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@main
with:
- name: ${{ matrix.os }}-${{ matrix.configs }}-logs
+ name: ${{ matrix.target }}-${{ matrix.config }}-logs
path: |
config.h
config.log
regress/*.log
+ regress/log/*
regress/valgrind-out/
- name: shutdown VM
if: always()
run: vmshutdown
+ working-directory: ${{ runner.temp }}
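Review bot: The `push:` trigger at the top of this hunk loses its `branches: [ master, ci ]` filter and gains only `paths:`, so a push to any branch that touches a matching file (including `.github/**`) now schedules the whole matrix on the self-hosted runners, among them the persistent win10 VM and the physical hosts listed under `include:`. upstream.yml in this same commit keeps a branch filter next to its new `paths:` line. If running topic branches here is intended, a comment saying so would help; otherwise keep `branches: [ master, ci ]` alongside `paths:`. Separately, the new job-level `timeout-minutes: 600` equals the limit already set on the `make tests` step, so the job limit will always expire first once the earlier steps have used any time; one of the two values probably wants adjusting.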
diff --git a/crypto/openssh/.github/workflows/upstream.yml b/crypto/openssh/.github/workflows/upstream.yml
index b91083c65184..b280793d31f3 100644
--- a/crypto/openssh/.github/workflows/upstream.yml
+++ b/crypto/openssh/.github/workflows/upstream.yml
@@ -2,43 +2,52 @@ name: Upstream self-hosted
on:
push:
- branches: [ master, ci ]
+ branches: [ master ]
+ paths: [ '**.c', '**.h', '.github/**' ]
jobs:
selfhosted:
if: github.repository == 'openssh/openssh-portable-selfhosted'
- runs-on: ${{ matrix.os }}
+ runs-on: 'libvirt'
env:
- TARGET_HOST: ${{ matrix.os }}
+ HOST: 'libvirt'
+ TARGET_HOST: ${{ matrix.target }}
+ TARGET_CONFIG: ${{ matrix.config }}
strategy:
fail-fast: false
matrix:
- os: [ obsdsnap, obsdsnap-i386 ]
- configs: [ default, without-openssl ]
+ target: [ obsdsnap, obsdsnap-i386 ]
+ config: [ default, without-openssl, ubsan ]
steps:
- - uses: actions/checkout@v2
- name: shutdown VM if running
run: vmshutdown
+ working-directory: ${{ runner.temp }}
+ - uses: actions/checkout@main
- name: startup VM
run: vmstartup
+ working-directory: ${{ runner.temp }}
- name: update source
run: vmrun "cd /usr/src && cvs up -dPA usr.bin/ssh regress/usr.bin/ssh"
- name: make clean
- run: vmrun "cd /usr/src/usr.bin/ssh && make obj && make clean"
+ run: vmrun "cd /usr/src/usr.bin/ssh && make obj && make clean && cd /usr/src/regress/usr.bin/ssh && make obj && make clean && sudo chmod -R g-w /usr/src /usr/obj"
- name: make
- run: vmrun "cd /usr/src/usr.bin/ssh && if test '${{ matrix.configs }}' = 'without-openssl'; then make OPENSSL=no; else make; fi"
+ run: vmrun "cd /usr/src/usr.bin/ssh && case ${{ matrix.config }} in without-openssl) make OPENSSL=no;; ubsan) make DEBUG='-fsanitize-minimal-runtime -fsanitize=undefined';; *) make; esac"
- name: make install
run: vmrun "cd /usr/src/usr.bin/ssh && sudo make install"
- - name: make tests
- run: vmrun "cd /usr/src/regress/usr.bin/ssh && make obj && make clean && if test '${{ matrix.configs }}' = 'without-openssl'; then make SUDO=sudo OPENSSL=no; else make SUDO=sudo; fi"
+ - name: make tests`
+ run: vmrun "cd /usr/src/regress/usr.bin/ssh && case ${{ matrix.config }} in without-openssl) make OPENSSL=no;; ubsan) make DEBUG='-fsanitize-minimal-runtime -fsanitize=undefined';; *) make; esac"
+ env:
+ SUDO: sudo
timeout-minutes: 300
- name: save logs
if: failure()
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@main
with:
- name: ${{ matrix.os }}-${{ matrix.configs }}-logs
+ name: ${{ matrix.target }}-${{ matrix.config }}-logs
path: |
- /usr/obj/regress/usr.bin/ssh/*.log
+ /usr/obj/regress/usr.bin/ssh/obj/*.log
+ /usr/obj/regress/usr.bin/ssh/obj/log/*
- name: shutdown VM
if: always()
run: vmshutdown
+ working-directory: ${{ runner.temp }}
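Review bot: In the `make tests` step, `SUDO=sudo` moves from the make command line into a step-level `env:` block, which sets the variable for the runner-side process, while `make` itself runs inside the VM through `vmrun`. Whether `vmrun` forwards the runner environment is not visible in this hunk; if it does not, the regress suite runs without `SUDO` and the tests that need privilege would presumably be skipped or fail. Keeping it on the command line is unambiguous, e.g. `without-openssl) make SUDO=sudo OPENSSL=no;;` and `*) make SUDO=sudo; esac`. The name of that step also picked up a stray trailing backtick; it should read `- name: make tests`.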