Revert "Merge 9.1 (#626)"

This reverts commit 316ebdc.

Author: tgauth

.depend

@@ -10,8 +10,6 @@
 
 config=$1
 
-unset CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
-
 TEST_TARGET="tests"
 LTESTS=""
 SKIP_LTESTS=""
@@ -34,72 +32,19 @@ case "$config" in
 	TEST_TARGET=t-exec
 	;;
     cygwin-release)
-	# See https://cygwin.com/git/?p=git/cygwin-packages/openssh.git;a=blob;f=openssh.cygport;hb=HEAD
-	CONFIGFLAGS="--with-xauth=/usr/bin/xauth --with-security-key-builtin"
-	CONFIGFLAGS="$CONFIGFLAGS --with-kerberos5=/usr --with-libedit --disable-strip"
+	CONFIGFLAGS="--with-libedit --with-xauth=/usr/bin/xauth --disable-strip --with-security-key-builtin"
 	;;
    clang-12-Werror)
 	CC="clang-12"
 	# clang's implicit-fallthrough requires that the code be annotated with
 	# __attribute__((fallthrough)) and does not understand /* FALLTHROUGH */
-	CFLAGS="-Wall -Wextra -O2 -Wno-error=implicit-fallthrough -Wno-error=unused-parameter"
+	CFLAGS="-Wall -Wextra -O2 -Wno-error=implicit-fallthrough"
 	CONFIGFLAGS="--with-pam --with-Werror"
 	;;
-    *-sanitize-*)
-	case "$config" in
-	gcc-*)
-		CC=gcc
-		;;
-	clang-*)
-		# Find the newest available version of clang
-		for i in `seq 10 99`; do
-		    clang="`which clang-$i 2>/dev/null`"
-		    [ -x "$clang" ] && CC="$clang"
-		done
-		;;
-	esac
-	# Put Sanitizer logs in regress dir.
-	SANLOGS=`pwd`/regress
-	# - We replace chroot with chdir so that the sanitizer in the preauth
-	#   privsep process can read /proc.
-	# - clang does not recognizes explicit_bzero so we use bzero
-	#   (see https://github.com/google/sanitizers/issues/1507
-	# - openssl and zlib trip ASAN.
-	# - sp_pwdp returned by getspnam trips ASAN, hence disabling shadow.
-	case "$config" in
-	*-sanitize-address)
-	    CFLAGS="-fsanitize=address -fno-omit-frame-pointer"
-	    LDFLAGS="-fsanitize=address"
-	    CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -D_FORTIFY_SOURCE=0 -DASAN_OPTIONS=\"detect_leaks=0:log_path='$SANLOGS'/asan.log\"'
-	    CONFIGFLAGS=""
-	    TEST_TARGET="t-exec"
-	    ;;
-	clang-sanitize-memory)
-	    CFLAGS="-fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer"
-	    LDFLAGS="-fsanitize=memory"
-	    CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -DMSAN_OPTIONS=\"log_path='$SANLOGS'/msan.log\"'
-	    CONFIGFLAGS="--without-openssl --without-zlib --without-shadow"
-	    TEST_TARGET="t-exec"
-	    ;;
-	*-sanitize-undefined)
-	    CFLAGS="-fsanitize=undefined"
-	    LDFLAGS="-fsanitize=undefined"
-	    ;;
-	*)
-	     echo unknown sanitize option;
-	     exit 1;;
-	esac
-	features="--disable-security-key --disable-pkcs11"
-	hardening="--without-sandbox --without-hardening --without-stackprotect"
-	privsep="--with-privsep-user=root"
-	CONFIGFLAGS="$CONFIGFLAGS $features $hardening $privsep"
-	# Because we hobble chroot we can't test it.
-	SKIP_LTESTS=sftp-chroot
-	;;
     gcc-11-Werror)
 	CC="gcc"
 	# -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
-	CFLAGS="-Wall -Wextra -O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter"
+	CFLAGS="-Wall -Wextra -Wno-format-truncation -O2 -Wimplicit-fallthrough=4"
 	CONFIGFLAGS="--with-pam --with-Werror"
 	;;
     clang*|gcc*)
@@ -162,15 +107,14 @@ case "$config" in
 	# Valgrind slows things down enough that the agent timeout test
 	# won't reliably pass, and the unit tests run longer than allowed
 	# by github so split into three separate tests.
-	tests2="rekey integrity try-ciphers"
-	tests3="krl forward-control sshsig agent-restrict kextype sftp"
+	tests2="rekey integrity try-ciphers sftp"
+	tests3="krl forward-control sshsig agent-restrict kextype"
 	tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment percent"
 	case "$config" in
 	    valgrind-1)
 		# All tests except agent-timeout (which is flaky under valgrind)
-		# and hostbased (since valgrind won't let ssh exec keysign).
-		# Slow ones are run separately to increase parallelism.
-		SKIP_LTESTS="agent-timeout hostbased ${tests2} ${tests3} ${tests4}"
+		#) and slow ones that run separately to increase parallelism.
+		SKIP_LTESTS="agent-timeout ${tests2} ${tests3} ${tests4}"
 		;;
 	    valgrind-2)
 		LTESTS="${tests2}"
@@ -201,23 +145,10 @@ case "$config" in
 esac
 
 case "${TARGET_HOST}" in
-    aix*)
-	# These are slow real or virtual machines so skip the slowest tests
-	# (which tend to be thw ones that transfer lots of data) so that the
-	# test run does not time out.
-	# The agent-restrict test fails due to some quoting issue when run
-	# with sh or ksh so specify bash for now.
-	TEST_TARGET="t-exec TEST_SHELL=bash"
-	SKIP_LTESTS="rekey sftp"
-	;;
     dfly58*|dfly60*)
 	# scp 3-way connection hangs on these so skip until sorted.
 	SKIP_LTESTS=scp3
 	;;
-    fbsd6)
-	# Native linker is not great with PIC so OpenSSL is built w/out.
-	CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
-	;;
     hurd)
 	SKIP_LTESTS="forwarding multiplex proxy-connect hostkey-agent agent-ptrace"
 	;;
@@ -242,10 +173,6 @@ case "${TARGET_HOST}" in
 	# SHA256 functions in sha2.h conflict with OpenSSL's breaking sk-dummy
 	CONFIGFLAGS="${CONFIGFLAGS} --without-hardening --disable-security-key"
 	;;
-    openwrt-*)
-	CONFIGFLAGS="${CONFIGFLAGS} --without-openssl --without-zlib"
-	TEST_TARGET="t-exec"
-	;;
     sol10|sol11)
 	# sol10 VM is 32bit and the unit tests are slow.
 	# sol11 has 4 test configs so skip unit tests to speed up.
@@ -257,13 +184,10 @@ case "${TARGET_HOST}" in
 	;;
 esac
 
+# Unless specified otherwise, build without OpenSSL on Mac OS since
+# modern versions don't ship with libcrypto.
 case "`./config.guess`" in
-*cygwin)
-	SUDO=""
-	;;
 *-darwin*)
-	# Unless specified otherwise, build without OpenSSL on Mac OS since
-	# modern versions don't ship with libcrypto.
 	LIBCRYPTOFLAGS="--without-openssl"
 	TEST_TARGET=t-exec
 	;;
@@ -286,5 +210,5 @@ if [ -x "$(which plink 2>/dev/null)" ]; then
 	export REGRESS_INTEROP_PUTTY
 fi
 
-export CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
+export CC CFLAGS LTESTS SUDO
 export TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS TEST_SSH_FAIL_FATAL

.git_allowed_signers

@@ -18,4 +18,4 @@ if [ "x$LDFLAGS" != "x" ]; then
 fi
 
 echo ./configure ${CONFIGFLAGS}
-./configure ${CONFIGFLAGS} 2>&1
+./configure ${CONFIGFLAGS}

.git_allowed_signers.asc

@@ -6,20 +6,6 @@
 
 set -ex
 
-# If we want to test hostbased auth, set up the host for it.
-if [ ! -z "$SUDO" ] && [ ! -z "$TEST_SSH_HOSTBASED_AUTH" ]; then
-    sshconf=/usr/local/etc
-    hostname | $SUDO tee $sshconf/shosts.equiv >/dev/null
-    echo "EnableSSHKeysign yes" | $SUDO tee $sshconf/ssh_config >/dev/null
-    $SUDO mkdir -p $sshconf
-    $SUDO cp -p /etc/ssh/ssh_host*key* $sshconf
-    $SUDO make install
-    for key in $sshconf/ssh_host*key*.pub; do
-        echo `hostname` `cat $key` | \
-            $SUDO tee -a $sshconf/ssh_known_hosts >/dev/null
-    done
-fi
-
 output_failed_logs() {
     for i in regress/failed*; do
         if [ -f "$i" ]; then

.github/configs

@@ -1,73 +1,42 @@
 #!/bin/sh
 
-PACKAGES=""
-
  . .github/configs $@
 
 case "`./config.guess`" in
-*cygwin)
-	PACKAGER=setup
-	echo Setting CYGWIN sustem environment variable.
-	setx CYGWIN "binmode"
-	chmod -R go-rw /cygdrive/d/a
-	umask 077
-	PACKAGES="$PACKAGES,autoconf,automake,cygwin-devel,gcc-core"
-	PACKAGES="$PACKAGES,make,openssl-devel,zlib-devel"
-	;;
 *-darwin*)
-	PACKAGER=brew
 	brew install automake
 	exit 0
 	;;
-*)
-	PACKAGER=apt
 esac
 
 TARGETS=$@
 
+PACKAGES=""
 INSTALL_FIDO_PPA="no"
 export DEBIAN_FRONTEND=noninteractive
 
 #echo "Setting up for '$TARGETS'"
 
 set -ex
 
-if [ -x "`which lsb_release 2>&1`" ]; then
-	lsb_release -a
-fi
-
-# Ubuntu 22.04 defaults to private home dirs which prevent the
-# agent-getpeerid test from running ssh-add as nobody.  See
-# https://github.com/actions/runner-images/issues/6106
-if [ ! -z "$SUDO" ] && ! "$SUDO" -u nobody test -x ~; then
-	echo ~ is not executable by nobody, adding perms.
-	chmod go+x ~
-fi
+lsb_release -a
 
 if [ "${TARGETS}" = "kitchensink" ]; then
 	TARGETS="krb5 libedit pam sk selinux"
 fi
 
 for flag in $CONFIGFLAGS; do
     case "$flag" in
-    --with-pam)		TARGETS="${TARGETS} pam" ;;
-    --with-libedit)	TARGETS="${TARGETS} libedit" ;;
+    --with-pam)		PACKAGES="${PACKAGES} libpam0g-dev" ;;
+    --with-libedit)	PACKAGES="${PACKAGES} libedit-dev" ;;
     esac
 done
 
 for TARGET in $TARGETS; do
     case $TARGET in
-    default|without-openssl|without-zlib|c89)
+    default|without-openssl|without-zlib|c89|libedit|*pam)
         # nothing to do
         ;;
-    clang-sanitize*)
-        PACKAGES="$PACKAGES clang-12"
-        ;;
-    cygwin-release)
-        PACKAGES="$PACKAGES libcrypt-devel libfido2-devel libkrb5-devel"
-        ;;
-    gcc-sanitize*)
-        ;;
     clang-*|gcc-*)
         compiler=$(echo $TARGET | sed 's/-Werror//')
         PACKAGES="$PACKAGES $compiler"
@@ -78,15 +47,6 @@ for TARGET in $TARGETS; do
     heimdal)
         PACKAGES="$PACKAGES heimdal-dev"
         ;;
-    libedit)
-	case "$PACKAGER" in
-	setup)	PACKAGES="$PACKAGES libedit-devel" ;;
-	apt)	PACKAGES="$PACKAGES libedit-dev" ;;
-	esac
-        ;;
-    *pam)
-        PACKAGES="$PACKAGES libpam0g-dev"
-        ;;
     sk)
         INSTALL_FIDO_PPA="yes"
         PACKAGES="$PACKAGES libfido2-dev libu2f-host-dev libcbor-dev"
@@ -120,7 +80,7 @@ for TARGET in $TARGETS; do
         INSTALL_LIBRESSL=$(echo ${TARGET} | cut -f2 -d-)
         case ${INSTALL_LIBRESSL} in
           master) ;;
-          *) INSTALL_LIBRESSL="$(echo ${TARGET} | cut -f2 -d-)" ;;
+          *) INSTALL_LIBRESSL="v$(echo ${TARGET} | cut -f2 -d-)" ;;
         esac
         PACKAGES="${PACKAGES} putty-tools"
        ;;
@@ -139,16 +99,9 @@ if [ "yes" = "$INSTALL_FIDO_PPA" ]; then
     sudo apt-add-repository -y ppa:yubico/stable
 fi
 
-if [ "x" != "x$PACKAGES" ]; then
-    case "$PACKAGER" in
-    apt)
-	sudo apt update -qq
-	sudo apt install -qy $PACKAGES
-	;;
-    setup)
-	/cygdrive/c/setup.exe -q -P `echo "$PACKAGES" | tr ' ' ,`
-	;;
-    esac
+if [ "x" != "x$PACKAGES" ]; then 
+    sudo apt update -qq
+    sudo apt install -qy $PACKAGES
 fi
 
 if [ "${INSTALL_HARDENED_MALLOC}" = "yes" ]; then
@@ -169,20 +122,11 @@ if [ ! -z "${INSTALL_OPENSSL}" ]; then
 fi
 
 if [ ! -z "${INSTALL_LIBRESSL}" ]; then
-    if [ "${INSTALL_LIBRESSL}" = "master" ]; then
-        (mkdir -p ${HOME}/libressl && cd ${HOME}/libressl &&
-         git clone https://github.com/libressl-portable/portable.git &&
-         cd ${HOME}/libressl/portable &&
-         git checkout ${INSTALL_LIBRESSL} &&
-         sh update.sh && sh autogen.sh &&
-         ./configure --prefix=/opt/libressl &&
-         make -j2 && sudo make install)
-    else
-        LIBRESSL_URLBASE=https://cdn.openbsd.org/pub/OpenBSD/LibreSSL
-        (cd ${HOME} &&
-         wget ${LIBRESSL_URLBASE}/libressl-${INSTALL_LIBRESSL}.tar.gz &&
-         tar xfz libressl-${INSTALL_LIBRESSL}.tar.gz &&
-         cd libressl-${INSTALL_LIBRESSL} &&
-         ./configure --prefix=/opt/libressl && make -j2 && sudo make install)
-    fi
+    (mkdir -p ${HOME}/libressl && cd ${HOME}/libressl &&
+     git clone https://github.com/libressl-portable/portable.git &&
+     cd ${HOME}/libressl/portable &&
+     git checkout ${INSTALL_LIBRESSL} &&
+     sh update.sh && sh autogen.sh &&
+     ./configure --prefix=/opt/libressl &&
+     make -j2 && sudo make install)
 fi