Diffstat (limited to 'crypto/openssh/.github')
-rwxr-xr-xcrypto/openssh/.github/configs75
-rwxr-xr-xcrypto/openssh/.github/configure.sh2
-rwxr-xr-xcrypto/openssh/.github/run_test.sh14
-rwxr-xr-xcrypto/openssh/.github/setup_ci.sh63
-rw-r--r--crypto/openssh/.github/workflows/c-cpp.yml60
-rw-r--r--crypto/openssh/.github/workflows/selfhosted.yml12
-rw-r--r--crypto/openssh/.github/workflows/upstream.yml13
7 files changed, 190 insertions, 49 deletions
diff --git a/crypto/openssh/.github/configs b/crypto/openssh/.github/configs
index 871a3d414d94..6bf1ab27f0ca 100755
--- a/crypto/openssh/.github/configs
+++ b/crypto/openssh/.github/configs
@@ -10,6 +10,8 @@
config=$1
+unset CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
+
TEST_TARGET="tests"
LTESTS=""
SKIP_LTESTS=""
@@ -32,7 +34,9 @@ case "$config" in
TEST_TARGET=t-exec
;;
cygwin-release)
- CONFIGFLAGS="--with-libedit --with-xauth=/usr/bin/xauth --disable-strip --with-security-key-builtin"
+ # See https://cygwin.com/git/?p=git/cygwin-packages/openssh.git;a=blob;f=openssh.cygport;hb=HEAD
+ CONFIGFLAGS="--with-xauth=/usr/bin/xauth --with-security-key-builtin"
+ CONFIGFLAGS="$CONFIGFLAGS --with-kerberos5=/usr --with-libedit --disable-strip"
;;
clang-12-Werror)
CC="clang-12"
@@ -41,6 +45,57 @@ case "$config" in
CFLAGS="-Wall -Wextra -O2 -Wno-error=implicit-fallthrough -Wno-error=unused-parameter"
CONFIGFLAGS="--with-pam --with-Werror"
;;
+ *-sanitize-*)
+ case "$config" in
+ gcc-*)
+ CC=gcc
+ ;;
+ clang-*)
+ # Find the newest available version of clang
+ for i in `seq 10 99`; do
+ clang="`which clang-$i 2>/dev/null`"
+ [ -x "$clang" ] && CC="$clang"
+ done
+ ;;
+ esac
+ # Put Sanitizer logs in regress dir.
+ SANLOGS=`pwd`/regress
+ # - We replace chroot with chdir so that the sanitizer in the preauth
+ # privsep process can read /proc.
+ # - clang does not recognizes explicit_bzero so we use bzero
+ # (see https://github.com/google/sanitizers/issues/1507
+ # - openssl and zlib trip ASAN.
+ # - sp_pwdp returned by getspnam trips ASAN, hence disabling shadow.
+ case "$config" in
+ *-sanitize-address)
+ CFLAGS="-fsanitize=address -fno-omit-frame-pointer"
+ LDFLAGS="-fsanitize=address"
+ CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -D_FORTIFY_SOURCE=0 -DASAN_OPTIONS=\"detect_leaks=0:log_path='$SANLOGS'/asan.log\"'
+ CONFIGFLAGS=""
+ TEST_TARGET="t-exec"
+ ;;
+ clang-sanitize-memory)
+ CFLAGS="-fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer"
+ LDFLAGS="-fsanitize=memory"
+ CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -DMSAN_OPTIONS=\"log_path='$SANLOGS'/msan.log\"'
+ CONFIGFLAGS="--without-openssl --without-zlib --without-shadow"
+ TEST_TARGET="t-exec"
+ ;;
+ *-sanitize-undefined)
+ CFLAGS="-fsanitize=undefined"
+ LDFLAGS="-fsanitize=undefined"
+ ;;
+ *)
+ echo unknown sanitize option;
+ exit 1;;
+ esac
+ features="--disable-security-key --disable-pkcs11"
+ hardening="--without-sandbox --without-hardening --without-stackprotect"
+ privsep="--with-privsep-user=root"
+ CONFIGFLAGS="$CONFIGFLAGS $features $hardening $privsep"
+ # Because we hobble chroot we can't test it.
+ SKIP_LTESTS=sftp-chroot
+ ;;
gcc-11-Werror)
CC="gcc"
# -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
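Review bot: The `hardening` and `privsep` assignments at the end of the new `*-sanitize-*` arm have no comment, unlike the CPPFLAGS block above them, although they change what the regress suite exercises more than the chroot substitution does: `--without-sandbox --without-hardening --without-stackprotect --with-privsep-user=root` means the privsep sandbox, stack protector and the unprivileged privsep user are never run under ASAN/MSAN/UBSAN. A two-line comment such as `# Sanitizer runtimes need /proc and an unrestricted address space, so the` / `# privsep sandbox and hardening flags are off; this build is CI-only.` would record the reason (the /proc motivation is inferred from the chroot comment above — confirm). The `*)` arm reports the bad config on stdout and without naming it; `echo "unknown sanitize option: $config" >&2` is more useful in a CI log. `SANLOGS` is built from an unquoted backtick-substituted `pwd` and spliced into the `-DASAN_OPTIONS`/`-DMSAN_OPTIONS` macros, so a checkout path containing whitespace would split the CPPFLAGS value when configure word-splits it.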
@@ -107,14 +162,15 @@ case "$config" in
# Valgrind slows things down enough that the agent timeout test
# won't reliably pass, and the unit tests run longer than allowed
# by github so split into three separate tests.
- tests2="rekey integrity try-ciphers sftp"
- tests3="krl forward-control sshsig agent-restrict kextype"
+ tests2="rekey integrity try-ciphers"
+ tests3="krl forward-control sshsig agent-restrict kextype sftp"
tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment percent"
case "$config" in
valgrind-1)
# All tests except agent-timeout (which is flaky under valgrind)
- #) and slow ones that run separately to increase parallelism.
- SKIP_LTESTS="agent-timeout ${tests2} ${tests3} ${tests4}"
+ # and hostbased (since valgrind won't let ssh exec keysign).
+ # Slow ones are run separately to increase parallelism.
+ SKIP_LTESTS="agent-timeout hostbased ${tests2} ${tests3} ${tests4}"
;;
valgrind-2)
LTESTS="${tests2}"
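Review bot: `kextype` is listed both in the new `tests3` line and in the unchanged `tests4` line, so it runs under both valgrind-3 and valgrind-4 while the comment says the split exists to increase parallelism; dropping it from one of them (presumably `tests4`, which already carries the longer list) avoids the duplicate run. If the repeat is intentional, a short comment on `tests4` saying so would stop the next reader from "fixing" it.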
@@ -201,10 +257,13 @@ case "${TARGET_HOST}" in
;;
esac
-# Unless specified otherwise, build without OpenSSL on Mac OS since
-# modern versions don't ship with libcrypto.
case "`./config.guess`" in
+*cygwin)
+ SUDO=""
+ ;;
*-darwin*)
+ # Unless specified otherwise, build without OpenSSL on Mac OS since
+ # modern versions don't ship with libcrypto.
LIBCRYPTOFLAGS="--without-openssl"
TEST_TARGET=t-exec
;;
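Review bot: The new `*cygwin)` arm clears `SUDO` without saying why, and the effect is wider than privilege: run_test.sh in this same commit guards its hostbased-auth setup on a non-empty `SUDO`, so with `TEST_SSH_HOSTBASED_AUTH` set workflow-wide the Cygwin jobs silently skip that setup (inferred from the other hunks of this commit). A comment like `# No sudo on Cygwin; this also disables the hostbased-auth setup in run_test.sh.` makes the trade-off explicit.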
@@ -227,5 +286,5 @@ if [ -x "$(which plink 2>/dev/null)" ]; then
export REGRESS_INTEROP_PUTTY
fi
-export CC CFLAGS LTESTS SUDO
+export CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
export TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS TEST_SSH_FAIL_FATAL
diff --git a/crypto/openssh/.github/configure.sh b/crypto/openssh/.github/configure.sh
index 502bf5f0d407..bd0037702d6a 100755
--- a/crypto/openssh/.github/configure.sh
+++ b/crypto/openssh/.github/configure.sh
@@ -18,4 +18,4 @@ if [ "x$LDFLAGS" != "x" ]; then
fi
echo ./configure ${CONFIGFLAGS}
-./configure ${CONFIGFLAGS}
+./configure ${CONFIGFLAGS} 2>&1
diff --git a/crypto/openssh/.github/run_test.sh b/crypto/openssh/.github/run_test.sh
index adf2568ad1e2..8eeaf5e9b09d 100755
--- a/crypto/openssh/.github/run_test.sh
+++ b/crypto/openssh/.github/run_test.sh
@@ -6,6 +6,20 @@
set -ex
+# If we want to test hostbased auth, set up the host for it.
+if [ ! -z "$SUDO" ] && [ ! -z "$TEST_SSH_HOSTBASED_AUTH" ]; then
+ sshconf=/usr/local/etc
+ hostname | $SUDO tee $sshconf/shosts.equiv >/dev/null
+ echo "EnableSSHKeysign yes" | $SUDO tee $sshconf/ssh_config >/dev/null
+ $SUDO mkdir -p $sshconf
+ $SUDO cp -p /etc/ssh/ssh_host*key* $sshconf
+ $SUDO make install
+ for key in $sshconf/ssh_host*key*.pub; do
+ echo `hostname` `cat $key` | \
+ $SUDO tee -a $sshconf/ssh_known_hosts >/dev/null
+ done
+fi
+
output_failed_logs() {
for i in regress/failed*; do
if [ -f "$i" ]; then
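Review bot: `$SUDO mkdir -p $sshconf` comes two lines after the first write into `$sshconf` (`tee $sshconf/shosts.equiv`), so on a runner where /usr/local/etc does not exist yet the first `tee` fails under `set -e` before the directory is created; move the `mkdir -p` up to directly after `sshconf=/usr/local/etc`. The `tee $sshconf/ssh_config` line replaces any existing ssh_config in that directory rather than appending (`tee -a`, as used for ssh_known_hosts, would preserve it). The block also copies the runner's `/etc/ssh/ssh_host*key*` private keys into the test install and trusts the local hostname for hostbased auth; a one-line comment such as `# CI-only: reuses the runner's host keys and trusts the local hostname` would make that assumption visible to anyone reading the script outside the workflow. The loop's unquoted backtick-substituted `hostname` and `cat $key` work for public-key lines but `printf '%s %s\n' "$(hostname)" "$(cat "$key")"` is the safer form.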
diff --git a/crypto/openssh/.github/setup_ci.sh b/crypto/openssh/.github/setup_ci.sh
index a3bb8587eab1..044c4d1292b1 100755
--- a/crypto/openssh/.github/setup_ci.sh
+++ b/crypto/openssh/.github/setup_ci.sh
@@ -1,17 +1,30 @@
#!/bin/sh
+PACKAGES=""
+
. .github/configs $@
case "`./config.guess`" in
+*cygwin)
+ PACKAGER=setup
+ echo Setting CYGWIN sustem environment variable.
+ setx CYGWIN "binmode"
+ chmod -R go-rw /cygdrive/d/a
+ umask 077
+ PACKAGES="$PACKAGES,autoconf,automake,cygwin-devel,gcc-core"
+ PACKAGES="$PACKAGES,make,openssl-devel,zlib-devel"
+ ;;
*-darwin*)
+ PACKAGER=brew
brew install automake
exit 0
;;
+*)
+ PACKAGER=apt
esac
TARGETS=$@
-PACKAGES=""
INSTALL_FIDO_PPA="no"
export DEBIAN_FRONTEND=noninteractive
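Review bot: The Cygwin arm builds `PACKAGES` comma-separated with a leading comma (`PACKAGES="$PACKAGES,autoconf,…"` while `PACKAGES` is still empty), but every other arm and the `cygwin-release` target later in this file append space-separated names, so the `setup.exe -P` call in the last hunk receives a list like `,autoconf,…,zlib-devel,libcrypt-devel,…` after `tr ' ' ,`; whether setup.exe tolerates the empty leading element is not something this diff shows. Using the same space-separated convention here (`PACKAGES="$PACKAGES autoconf automake cygwin-devel gcc-core"`) and letting the single `tr` at install time do the conversion keeps one format. The log message on the `echo` line has a typo: `Setting CYGWIN system environment variable.`. `chmod -R go-rw /cygdrive/d/a` hard-codes a runner path; a comment naming what it is (presumably the GitHub workspace drive — confirm) would help.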
@@ -19,7 +32,17 @@ export DEBIAN_FRONTEND=noninteractive
set -ex
-lsb_release -a
+if [ -x "`which lsb_release 2>&1`" ]; then
+ lsb_release -a
+fi
+
+# Ubuntu 22.04 defaults to private home dirs which prevent the
+# agent-getpeerid test from running ssh-add as nobody. See
+# https://github.com/actions/runner-images/issues/6106
+if [ ! -z "$SUDO" ] && ! "$SUDO" -u nobody test -x ~; then
+ echo ~ is not executable by nobody, adding perms.
+ chmod go+x ~
+fi
if [ "${TARGETS}" = "kitchensink" ]; then
TARGETS="krb5 libedit pam sk selinux"
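Review bot: `which lsb_release 2>&1` captures which's own error text into the `-x` test when the tool is missing, so the check only passes by accident (the message is not an executable path); redirect to /dev/null instead, as `configs` already does for `which clang-$i`: `if [ -x "$(which lsb_release 2>/dev/null)" ]; then`. The `chmod go+x ~` relaxation is explained by the comment above it, but adding `# CI runner only; makes $HOME traversable by every local user` records the scope of the change for anyone reusing the snippet.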
@@ -27,16 +50,24 @@ fi
for flag in $CONFIGFLAGS; do
case "$flag" in
- --with-pam) PACKAGES="${PACKAGES} libpam0g-dev" ;;
- --with-libedit) PACKAGES="${PACKAGES} libedit-dev" ;;
+ --with-pam) TARGETS="${TARGETS} pam" ;;
+ --with-libedit) TARGETS="${TARGETS} libedit" ;;
esac
done
for TARGET in $TARGETS; do
case $TARGET in
- default|without-openssl|without-zlib|c89|libedit|*pam)
+ default|without-openssl|without-zlib|c89)
# nothing to do
;;
+ clang-sanitize*)
+ PACKAGES="$PACKAGES clang-12"
+ ;;
+ cygwin-release)
+ PACKAGES="$PACKAGES libcrypt-devel libfido2-devel libkrb5-devel"
+ ;;
+ gcc-sanitize*)
+ ;;
clang-*|gcc-*)
compiler=$(echo $TARGET | sed 's/-Werror//')
PACKAGES="$PACKAGES $compiler"
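Review bot: The new `gcc-sanitize*)` arm is empty with no comment, while the sibling `default|…` arm says `# nothing to do`; add the same kind of comment (`# system gcc suffices`) so the arm does not read as an unfinished case. `clang-sanitize*)` pins `clang-12`, but the matching `configs` arm in this commit searches `clang-10`…`clang-99` and takes the newest one found, so the compiler actually used depends on what the runner image ships and may differ from the package installed here; a comment recording that the pin is a minimum rather than the selected version would avoid confusion. The `for TARGET` loop and its `case` continue past the end of this hunk.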
@@ -47,6 +78,15 @@ for TARGET in $TARGETS; do
heimdal)
PACKAGES="$PACKAGES heimdal-dev"
;;
+ libedit)
+ case "$PACKAGER" in
+ setup) PACKAGES="$PACKAGES libedit-devel" ;;
+ apt) PACKAGES="$PACKAGES libedit-dev" ;;
+ esac
+ ;;
+ *pam)
+ PACKAGES="$PACKAGES libpam0g-dev"
+ ;;
sk)
INSTALL_FIDO_PPA="yes"
PACKAGES="$PACKAGES libfido2-dev libu2f-host-dev libcbor-dev"
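Review bot: The new `*pam)` arm adds the Debian package name unconditionally, whereas the neighbouring `libedit)` arm dispatches on `$PACKAGER`; since `--with-pam` in `CONFIGFLAGS` now feeds `TARGETS` (previous hunk), a Cygwin config that enabled PAM would try to install `libpam0g-dev` through setup.exe. Mirroring the libedit shape (`apt) PACKAGES="$PACKAGES libpam0g-dev" ;;` inside a `case "$PACKAGER"`) keeps the two arms consistent. The `case $TARGET` this belongs to starts before the hunk.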
@@ -99,9 +139,16 @@ if [ "yes" = "$INSTALL_FIDO_PPA" ]; then
sudo apt-add-repository -y ppa:yubico/stable
fi
-if [ "x" != "x$PACKAGES" ]; then
- sudo apt update -qq
- sudo apt install -qy $PACKAGES
+if [ "x" != "x$PACKAGES" ]; then
+ case "$PACKAGER" in
+ apt)
+ sudo apt update -qq
+ sudo apt install -qy $PACKAGES
+ ;;
+ setup)
+ /cygdrive/c/setup.exe -q -P `echo "$PACKAGES" | tr ' ' ,`
+ ;;
+ esac
fi
if [ "${INSTALL_HARDENED_MALLOC}" = "yes" ]; then
diff --git a/crypto/openssh/.github/workflows/c-cpp.yml b/crypto/openssh/.github/workflows/c-cpp.yml
index b778c9804203..3cd1188fc572 100644
--- a/crypto/openssh/.github/workflows/c-cpp.yml
+++ b/crypto/openssh/.github/workflows/c-cpp.yml
@@ -2,9 +2,11 @@ name: C/C++ CI
on:
push:
- branches: [ master, ci ]
+ branches: [ master, ci, V_9_0 ]
+ paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', 'Makefile.in', 'configure.ac' ]
pull_request:
branches: [ master ]
+ paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', 'Makefile.in', 'configure.ac' ]
jobs:
ci:
@@ -13,11 +15,13 @@ jobs:
fail-fast: false
matrix:
# First we test all OSes in the default configuration.
- os: [ubuntu-20.04, ubuntu-18.04, macos-10.15, macos-11.0]
+ os: [ubuntu-20.04, ubuntu-22.04, macos-11, macos-12, windows-2019, windows-2022]
configs: [default]
# Then we include any extra configs we want to test for specific VMs.
# Valgrind slows things down quite a bit, so start them first.
include:
+ - { os: windows-2019, configs: cygwin-release }
+ - { os: windows-2022, configs: cygwin-release }
- { os: ubuntu-20.04, configs: valgrind-1 }
- { os: ubuntu-20.04, configs: valgrind-2 }
- { os: ubuntu-20.04, configs: valgrind-3 }
@@ -30,6 +34,10 @@ jobs:
- { os: ubuntu-20.04, configs: clang-10 }
- { os: ubuntu-20.04, configs: clang-11 }
- { os: ubuntu-20.04, configs: clang-12-Werror }
+ - { os: ubuntu-20.04, configs: clang-sanitize-address }
+ - { os: ubuntu-20.04, configs: clang-sanitize-undefined }
+ - { os: ubuntu-20.04, configs: gcc-sanitize-address }
+ - { os: ubuntu-20.04, configs: gcc-sanitize-undefined }
- { os: ubuntu-20.04, configs: gcc-7 }
- { os: ubuntu-20.04, configs: gcc-8 }
- { os: ubuntu-20.04, configs: gcc-10 }
@@ -44,9 +52,9 @@ jobs:
- { os: ubuntu-latest, configs: libressl-2.8.3 }
- { os: ubuntu-latest, configs: libressl-3.0.2 }
- { os: ubuntu-latest, configs: libressl-3.2.6 }
- - { os: ubuntu-latest, configs: libressl-3.3.4 }
- - { os: ubuntu-latest, configs: libressl-3.4.1 }
- - { os: ubuntu-latest, configs: libressl-3.5.0 }
+ - { os: ubuntu-latest, configs: libressl-3.3.6 }
+ - { os: ubuntu-latest, configs: libressl-3.4.3 }
+ - { os: ubuntu-latest, configs: libressl-3.5.3 }
- { os: ubuntu-latest, configs: openssl-master }
- { os: ubuntu-latest, configs: openssl-noec }
- { os: ubuntu-latest, configs: openssl-1.0.1 }
@@ -55,30 +63,37 @@ jobs:
- { os: ubuntu-latest, configs: openssl-1.1.0h }
- { os: ubuntu-latest, configs: openssl-1.1.1 }
- { os: ubuntu-latest, configs: openssl-1.1.1k }
- - { os: ubuntu-latest, configs: openssl-1.1.1m }
+ - { os: ubuntu-latest, configs: openssl-1.1.1n }
+ - { os: ubuntu-latest, configs: openssl-1.1.1p }
- { os: ubuntu-latest, configs: openssl-3.0.0 }
- - { os: ubuntu-latest, configs: openssl-3.0.1 }
+ - { os: ubuntu-latest, configs: openssl-3.0.5 }
- { os: ubuntu-latest, configs: openssl-1.1.1_stable } # stable branch
- { os: ubuntu-latest, configs: openssl-3.0 } # stable branch
- - { os: ubuntu-18.04, configs: pam }
- - { os: ubuntu-18.04, configs: krb5 }
- - { os: ubuntu-18.04, configs: heimdal }
- - { os: ubuntu-18.04, configs: libedit }
- - { os: ubuntu-18.04, configs: sk }
- - { os: ubuntu-18.04, configs: selinux }
- - { os: ubuntu-18.04, configs: kitchensink }
- - { os: ubuntu-18.04, configs: without-openssl }
- - { os: macos-10.15, configs: pam }
- - { os: macos-11.0, configs: pam }
+ - { os: ubuntu-22.04, configs: pam }
+ - { os: ubuntu-22.04, configs: krb5 }
+ - { os: ubuntu-22.04, configs: heimdal }
+ - { os: ubuntu-22.04, configs: libedit }
+ - { os: ubuntu-22.04, configs: sk }
+ - { os: ubuntu-22.04, configs: selinux }
+ - { os: ubuntu-22.04, configs: kitchensink }
+ - { os: ubuntu-22.04, configs: without-openssl }
+ - { os: macos-11, configs: pam }
+ - { os: macos-12, configs: pam }
runs-on: ${{ matrix.os }}
steps:
+ - name: set cygwin git params
+ if: ${{ startsWith(matrix.os, 'windows') }}
+ run: git config --global core.autocrlf input
+ - name: install cygwin
+ if: ${{ startsWith(matrix.os, 'windows') }}
+ uses: cygwin/cygwin-install-action@master
- uses: actions/checkout@v2
- name: setup CI system
- run: ./.github/setup_ci.sh ${{ matrix.configs }}
+ run: sh ./.github/setup_ci.sh ${{ matrix.configs }}
- name: autoreconf
- run: autoreconf
+ run: sh -c autoreconf
- name: configure
- run: ./.github/configure.sh ${{ matrix.configs }}
+ run: sh ./.github/configure.sh ${{ matrix.configs }}
- name: save config
uses: actions/upload-artifact@v2
with:
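Review bot: `uses: cygwin/cygwin-install-action@master` references a mutable branch, so the code that runs on the Windows jobs changes whenever that repository's master moves and there is no record of which revision built a given artifact; pin it to a release tag or, better, a full commit SHA with the tag in a trailing comment, e.g. `uses: cygwin/cygwin-install-action@<COMMIT_SHA> # <TAG>` (placeholders). The same pinning discipline applies to `actions/checkout@v2` and `actions/upload-artifact@v2` in the context lines, though those are not changed here. The switch to `sh -c autoreconf` is unexplained; a short comment (`# run via sh so the Cygwin PATH is used on Windows` — inferred, confirm) would help.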
@@ -89,9 +104,10 @@ jobs:
- name: make
run: make -j2
- name: make tests
- run: ./.github/run_test.sh ${{ matrix.configs }}
+ run: sh ./.github/run_test.sh ${{ matrix.configs }}
env:
TEST_SSH_UNSAFE_PERMISSIONS: 1
+ TEST_SSH_HOSTBASED_AUTH: yes
- name: save logs
if: failure()
uses: actions/upload-artifact@v2
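Review bot: `TEST_SSH_HOSTBASED_AUTH: yes` is an unquoted bare `yes`, which YAML 1.1 parsers read as a boolean and may stringify differently; run_test.sh only tests the variable for non-emptiness so the job still works, but quoting it (`TEST_SSH_HOSTBASED_AUTH: 'yes'`) removes the dependency on the parser. It is also set for every matrix entry, including the Cygwin jobs where `SUDO` is empty and the hostbased setup is skipped (inferred from the configs and run_test.sh hunks); a comment noting that would save a reader looking for why hostbased is not exercised there.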
@@ -102,3 +118,5 @@ jobs:
config.log
regress/*.log
regress/valgrind-out/
+ regress/asan.log.*
+ regress/msan.log.*
diff --git a/crypto/openssh/.github/workflows/selfhosted.yml b/crypto/openssh/.github/workflows/selfhosted.yml
index ec2c29825c85..c4bd1d9b24f7 100644
--- a/crypto/openssh/.github/workflows/selfhosted.yml
+++ b/crypto/openssh/.github/workflows/selfhosted.yml
@@ -2,7 +2,8 @@ name: C/C++ CI self-hosted
on:
push:
- branches: [ master, ci ]
+ branches: [ master, ci, V_9_0 ]
+ paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', 'Makefile.in', 'configure.ac' ]
jobs:
selfhosted:
@@ -17,15 +18,15 @@ jobs:
matrix:
os:
- aix51
+ - ARM
- ARM64
- alpine
- - bbone
- debian-i386
+ - debian-riscv64
- dfly30
- dfly48
- dfly58
- dfly60
- - fbsd6
- fbsd10
- fbsd12
- fbsd13
@@ -58,7 +59,6 @@ jobs:
- { os: dfly48, configs: pam }
- { os: dfly58, configs: pam }
- { os: dfly60, configs: pam }
- - { os: fbsd6, configs: pam }
- { os: fbsd10, configs: pam }
- { os: fbsd12, configs: pam }
- { os: fbsd13, configs: pam }
@@ -72,11 +72,11 @@ jobs:
# - { os: sol11, configs: sol64-pam }
- { os: win10, configs: cygwin-release }
steps:
+ - name: shutdown VM if running
+ run: vmshutdown
- uses: actions/checkout@v2
- name: autoreconf
run: autoreconf
- - name: shutdown VM if running
- run: vmshutdown
- name: startup VM
run: vmstartup
- name: configure
diff --git a/crypto/openssh/.github/workflows/upstream.yml b/crypto/openssh/.github/workflows/upstream.yml
index b91083c65184..3cec069ede74 100644
--- a/crypto/openssh/.github/workflows/upstream.yml
+++ b/crypto/openssh/.github/workflows/upstream.yml
@@ -3,6 +3,7 @@ name: Upstream self-hosted
on:
push:
branches: [ master, ci ]
+ paths: [ '**.c', '**.h', '.github/**' ]
jobs:
selfhosted:
@@ -14,7 +15,7 @@ jobs:
fail-fast: false
matrix:
os: [ obsdsnap, obsdsnap-i386 ]
- configs: [ default, without-openssl ]
+ configs: [ default, without-openssl, ubsan ]
steps:
- uses: actions/checkout@v2
- name: shutdown VM if running
@@ -24,13 +25,15 @@ jobs:
- name: update source
run: vmrun "cd /usr/src && cvs up -dPA usr.bin/ssh regress/usr.bin/ssh"
- name: make clean
- run: vmrun "cd /usr/src/usr.bin/ssh && make obj && make clean"
+ run: vmrun "cd /usr/src/usr.bin/ssh && make obj && make clean && cd /usr/src/regress/usr.bin/ssh && make obj && make clean"
- name: make
- run: vmrun "cd /usr/src/usr.bin/ssh && if test '${{ matrix.configs }}' = 'without-openssl'; then make OPENSSL=no; else make; fi"
+ run: vmrun "cd /usr/src/usr.bin/ssh && case ${{ matrix.configs }} in without-openssl) make OPENSSL=no;; ubsan) make DEBUG='-fsanitize-minimal-runtime -fsanitize=undefined';; *) make; esac"
- name: make install
run: vmrun "cd /usr/src/usr.bin/ssh && sudo make install"
- - name: make tests
- run: vmrun "cd /usr/src/regress/usr.bin/ssh && make obj && make clean && if test '${{ matrix.configs }}' = 'without-openssl'; then make SUDO=sudo OPENSSL=no; else make SUDO=sudo; fi"
+ - name: make tests`
+ run: vmrun "cd /usr/src/regress/usr.bin/ssh && case ${{ matrix.configs }} in without-openssl) make OPENSSL=no;; ubsan) make DEBUG='-fsanitize-minimal-runtime -fsanitize=undefined';; *) make; esac"
+ env:
+ SUDO: sudo
timeout-minutes: 300
- name: save logs
if: failure()
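Review bot: The step name on the new `- name: make tests\`` line carries a stray trailing backtick; it should be `- name: make tests`. The old command passed `SUDO=sudo` to make explicitly, while the new one relies on the `env: SUDO: sudo` block being visible to `make` inside `vmrun`; that only holds if vmrun forwards the runner's environment into the VM, which this diff does not show — if it does not, the regress targets run without sudo. `${{ matrix.configs }}` is interpolated unquoted into the `case` word; the values come from the workflow's own matrix, so it is safe today, but `case '${{ matrix.configs }}' in` keeps the quoting the previous version had.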