[WIP] Test Merge v10.3P1

.github/ci-status.md

@@ -1,19 +1,27 @@
 master :
-[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:master)
+[![C/C++ CI](../../../actions/workflows/c-cpp.yml/badge.svg)](../../../actions/workflows/c-cpp.yml?query=branch:master)
+[![VM CI](../../../actions/workflows/vm.yml/badge.svg)](../../../actions/workflows/vm.yml?query=branch:master)
 [![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:master)
 [![Upstream self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/upstream.yml/badge.svg)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/upstream.yml?query=branch:master)
-[![CIFuzz](https://github.com/openssh/openssh-portable/actions/workflows/cifuzz.yml/badge.svg)](https://github.com/openssh/openssh-portable/actions/workflows/cifuzz.yml)
-[![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/openssh.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:openssh)
+[![CIFuzz](../../../actions/workflows/cifuzz.yml/badge.svg)](../../../actions/workflows/cifuzz.yml)
+[![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/openssh.svg)](https://issues.oss-fuzz.com/issues?q="Project:+openssh"+is:open)
 [![Coverity Status](https://scan.coverity.com/projects/21341/badge.svg)](https://scan.coverity.com/projects/openssh-portable)
+<br>
 
-9.9 :
-[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_9)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_9)
-[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_9)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_9)
+10.2 :
+[![C/C++ CI](../../../actions/workflows/c-cpp.yml/badge.svg?branch=V_10_2)](../../../actions/workflows/c-cpp.yml?query=branch:V_10_2)
+[![VM CI](../../../actions/workflows/vm.yml/badge.svg?branch=V_10_2)](../../../actions/workflows/vm.yml?query=branch:V_10_2)
+[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_10_2)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_10_2)
+
+10.1 :
+[![C/C++ CI](../../../actions/workflows/c-cpp.yml/badge.svg?branch=V_10_1)](../../../actions/workflows/c-cpp.yml?query=branch:V_10_1)
+[![VM CI](../../../actions/workflows/vm.yml/badge.svg?branch=V_10_1)](../../../actions/workflows/vm.yml?query=branch:V_10_1)
+[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_10_1)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_10_1)
 
-9.8 :
-[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_8)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_8)
-[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_8)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_8)
+10.0 :
+[![C/C++ CI](../../../actions/workflows/c-cpp.yml/badge.svg?branch=V_10_0)](../../../actions/workflows/c-cpp.yml?query=branch:V_10_0)
+[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_10_0)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_10_0)
 
-9.7 :
-[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_7)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_7)
-[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_7)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_7)
+9.9 :
+[![C/C++ CI](../../../actions/workflows/c-cpp.yml/badge.svg?branch=V_9_9)](../../../actions/workflows/c-cpp.yml?query=branch:V_9_9)
+[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_9)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_9)

.github/configs

@@ -13,6 +13,10 @@ if [ "$config" = "" ]; then
 	config="default"
 fi
 
+if [ ! -z "${LTESTS}" ]; then
+	OVERRIDE_LTESTS="${LTESTS}"
+fi
+
 unset CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
 
 TEST_TARGET="tests compat-tests"
@@ -48,7 +52,7 @@ case "$config" in
 	CONFIGFLAGS="--with-xauth=/usr/bin/xauth --with-security-key-builtin"
 	CONFIGFLAGS="$CONFIGFLAGS --with-kerberos5=/usr --with-libedit --disable-strip"
 	;;
-   clang-12-Werror)
+    clang-12-Werror)
 	CC="clang-12"
 	# clang's implicit-fallthrough requires that the code be annotated with
 	# __attribute__((fallthrough)) and does not understand /* FALLTHROUGH */
@@ -130,7 +134,9 @@ case "$config" in
 	CONFIGFLAGS="--with-kerberos5 --with-libedit --with-pam"
 	CONFIGFLAGS="${CONFIGFLAGS} --with-security-key-builtin --with-selinux"
 	CONFIGFLAGS="${CONFIGFLAGS} --with-linux-memlock-onfault"
+	CONFIGFLAGS="${CONFIGFLAGS} --with-audit=debug"
 	CFLAGS="-DSK_DEBUG -DSANDBOX_SECCOMP_FILTER_DEBUG"
+	EXTRA_TESTS="gss-auth"
 	;;
     hardenedmalloc)
 	CONFIGFLAGS="--with-ldflags=-lhardened_malloc"
@@ -144,9 +150,12 @@ case "$config" in
 	TCMALLOC_STACKTRACE_METHOD=generic_fp
 	TEST_SSH_SSHD_ENV="TCMALLOC_STACKTRACE_METHOD=generic_fp"
 	export TCMALLOC_STACKTRACE_METHOD TEST_SSH_SSHD_ENV
+
+	SKIP_LTESTS="agent-restrict"
 	;;
     krb5|heimdal)
 	CONFIGFLAGS="--with-kerberos5"
+	EXTRA_TESTS="gss-auth"
 	;;
     libedit)
 	CONFIGFLAGS="--with-libedit"
@@ -160,14 +169,15 @@ case "$config" in
     pam-krb5)
 	CONFIGFLAGS="--with-pam --with-kerberos5"
 	SSHD_CONFOPTS="UsePam yes"
+	EXTRA_TESTS="gss-auth"
 	;;
     *pam)
 	CONFIGFLAGS="--with-pam"
 	SSHD_CONFOPTS="UsePam yes"
 	;;
     boringssl)
 	CONFIGFLAGS="--disable-pkcs11"
-	LIBCRYPTOFLAGS="--with-ssl-dir=/opt/boringssl --with-rpath=-Wl,-rpath,"
+	LIBCRYPTOFLAGS="--with-ssl-dir=/opt/boringssl"
 	;;
 	aws-lc)
 	LIBCRYPTOFLAGS="--with-ssl-dir=/opt/aws-lc --with-rpath=-Wl,-rpath,"
@@ -189,7 +199,7 @@ case "$config" in
 	fi
 	;;
     selinux)
-	CONFIGFLAGS="--with-selinux"
+	CONFIGFLAGS="--with-selinux --with-audit=linux"
 	;;
     sk)
 	CONFIGFLAGS="--with-security-key-builtin --with-security-key-standalone"
@@ -198,10 +208,14 @@ case "$config" in
 	LIBCRYPTOFLAGS="--without-openssl"
 	TEST_TARGET=t-exec
 	;;
-    valgrind-[1-4]|valgrind-unit)
+    valgrind-[1-4]|valgrind-unit|valgrind-pam-1)
 	# rlimit sandbox and FORTIFY_SOURCE confuse Valgrind.
 	CONFIGFLAGS="--without-sandbox --without-hardening"
 	CONFIGFLAGS="$CONFIGFLAGS --with-cppflags=-D_FORTIFY_SOURCE=0"
+	if [ "${config}" = "valgrind-pam-1" ]; then
+		CONFIGFLAGS="$CONFIGFLAGS --with-pam"
+		SSHD_CONFOPTS="UsePam yes"
+	fi
 	TEST_TARGET="t-exec USE_VALGRIND=1"
 	TEST_SSH_ELAPSED_TIMES=1
 	export TEST_SSH_ELAPSED_TIMES
@@ -212,7 +226,7 @@ case "$config" in
 	tests3="krl forward-control sshsig agent-restrict kextype sftp"
 	tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment percent"
 	case "$config" in
-	    valgrind-1)
+	    valgrind-1|valgrind-pam)
 		# All tests except agent-timeout (which is flaky under valgrind),
 		# connection-timeout (which doesn't work since it's so slow)
 		# and hostbased (since valgrind won't let ssh exec keysign).
@@ -265,10 +279,6 @@ case "${TARGET_HOST}" in
 	TEST_TARGET="t-exec unit TEST_SHELL=bash"
 	SKIP_LTESTS="rekey sftp"
 	;;
-    debian-riscv64)
-	# This machine is fairly slow, so skip the unit tests.
-	TEST_TARGET="t-exec"
-	;;
     dfly58*|dfly60*)
 	# scp 3-way connection hangs on these so skip until sorted.
 	SKIP_LTESTS=scp3
@@ -277,7 +287,7 @@ case "${TARGET_HOST}" in
 	# Native linker is not great with PIC so OpenSSL is built w/out.
 	CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
 	;;
-    fbsd14-ppc64)
+    fbsd14-ppc64|nbsd-arm64be)
 	# Disable security key tests for bigendian interop test.
 	CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
 	;;
@@ -361,6 +371,13 @@ case "$host" in
 		SKIP_LTESTS="agent-getpeereid" ;;
 	esac
 	;;
+*-solaris2.10)
+	# Only the sol10 VM has BSM libraries installed, so add that to
+	# the PAM test config.
+	if [ "${config}" = "pam" ]; then
+		CONFIGFLAGS="${CONFIGFLAGS} --with-audit=bsm"
+	fi
+	;;
 esac
 
 # Unless specifically configured, search for a suitable version of OpenSSL,
@@ -392,5 +409,10 @@ if [ -x "$(which plink 2>/dev/null)" ]; then
 	export REGRESS_INTEROP_PUTTY
 fi
 
+if [ ! -z "${OVERRIDE_LTESTS}" ]; then
+	echo >&2 "Overriding LTESTS, was '${LTESTS}', now '${OVERRIDE_LTESTS}'"
+	LTESTS="${OVERRIDE_LTESTS}"
+fi
+
 export CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
 export TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS TEST_SSH_FAIL_FATAL

.github/install_libcrypto.sh

@@ -0,0 +1,75 @@
+#!/bin/sh
+#
+# Install specified libcrypto.
+#  -a : install version for ABI compatibility test.
+#  -n : dry run, don't actually build and install.
+#
+# Usage: $0 [-a] [-n] openssl-$branch/tag destdir [config options]
+
+set -e
+
+bincompat_test=""
+dryrun=""
+while [ "$1" = "-a" ] || [ "$1" = "-n" ]; do
+	if [ "$1" = "-a" ]; then
+		abi_compat_test=y
+	elif [ "$1" = "-n" ]; then
+		dryrun="echo dryrun:"
+	fi
+	shift
+done
+
+ver="$1"
+destdir="$2"
+opts="$3"
+
+if [ -z "${ver}" ] || [ -z "${destdir}" ]; then
+	echo tag/branch and destdir required
+	exit 1
+fi
+
+set -x
+
+if [ ! -d ${HOME}/openssl ]; then
+	cd ${HOME}
+	git clone https://github.com/openssl/openssl.git
+	cd ${HOME}/openssl
+	git fetch --all
+fi
+cd ${HOME}/openssl
+
+if [ "${abi_compat_test}" = "y" ]; then
+	echo selecting ABI test release/branch for ${ver}
+	case "${ver}" in
+	openssl-3.6)
+		ver=openssl-3.0.0
+		echo "selecting older release ${ver}"
+		;;
+	openssl-3.[012345])
+		major=$(echo ${ver} | cut -f1 -d.)
+		minor=$(echo ${ver} | cut -f2 -d.)
+		ver="${major}.$((${minor} + 1))"
+		echo selecting next release branch ${ver}
+		;;
+	openssl-3.*.*)
+		major=$(echo ${ver} | cut -f1 -d.)
+		minor=$(echo ${ver} | cut -f2 -d.)
+		patch=$(echo ${ver} | cut -f3 -d.)
+		ver="${major}.${minor}.$((${patch} + 1))"
+		echo checking for release tag ${ver}
+		if git tag | grep -q "^${ver}\$"; then
+			echo selected next patch release ${ver}
+		else
+			ver="${major}.${minor}"
+			echo not found, selecting release branch ${ver}
+		fi
+		;;
+	esac
+fi
+
+git checkout ${ver}
+make clean >/dev/null 2>&1 || true
+${dryrun} ./config no-threads shared ${opts} --prefix=${destdir} \
+    -Wl,-rpath,${destdir}/lib64
+${dryrun} make -j4
+${dryrun} sudo make install_sw

.github/install_putty.sh

@@ -0,0 +1,37 @@
+#!/bin/sh
+
+ver="$1"
+
+echo
+echo --------------------------------------
+echo Installing PuTTY version ${ver}
+echo --------------------------------------
+
+cd /tmp
+
+case "${ver}" in
+snapshot)
+	tarball=putty.tar.gz
+	url=https://tartarus.org/~simon/putty-snapshots/${tarball}
+	;;
+*)
+	tarball=putty-${ver}.tar.gz
+	url=https://the.earth.li/~sgtatham/putty/${ver}/${tarball}
+	;;
+esac
+
+if [ ! -f ${tarball} ]; then
+	wget -q ${url}
+fi
+
+mkdir -p /tmp/puttybuild
+cd /tmp/puttybuild
+
+tar xfz /tmp/${tarball} && cd putty-*
+if [ -f CMakeLists.txt ]; then
+	cmake . && cmake --build . -j4 && sudo cmake --build . --target install
+else
+	./configure && make -j4 && sudo make install
+fi
+sudo rm -rf /tmp/puttybuild
+/usr/local/bin/plink -V