Merge pull request #128 from rapier1/dev_minor

Fixes to CI system

Author: rapier1

.github/configs

@@ -13,6 +13,10 @@ if [ "$config" = "" ]; then
 	config="default"
 fi
 
+if [ ! -z "${LTESTS}" ]; then
+	OVERRIDE_LTESTS="${LTESTS}"
+fi
+
 unset CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
 
 TEST_TARGET="tests compat-tests"
@@ -144,6 +148,8 @@ case "$config" in
 	TCMALLOC_STACKTRACE_METHOD=generic_fp
 	TEST_SSH_SSHD_ENV="TCMALLOC_STACKTRACE_METHOD=generic_fp"
 	export TCMALLOC_STACKTRACE_METHOD TEST_SSH_SSHD_ENV
+
+	SKIP_LTESTS="agent-restrict"
 	;;
     krb5|heimdal)
 	CONFIGFLAGS="--with-kerberos5"
@@ -165,6 +171,13 @@ case "$config" in
 	CONFIGFLAGS="--with-pam"
 	SSHD_CONFOPTS="UsePam yes"
 	;;
+    boringssl)
+	CONFIGFLAGS="--disable-pkcs11"
+	LIBCRYPTOFLAGS="--with-ssl-dir=/opt/boringssl --with-rpath=-Wl,-rpath,"
+	;;
+	aws-lc)
+	LIBCRYPTOFLAGS="--with-ssl-dir=/opt/aws-lc --with-rpath=-Wl,-rpath,"
+	;;
     libressl-*)
 	LIBCRYPTOFLAGS="--with-ssl-dir=/opt/libressl --with-rpath=-Wl,-rpath,"
 	;;
@@ -282,7 +295,7 @@ case "${TARGET_HOST}" in
 	# Native linker is not great with PIC so OpenSSL is built w/out.
 	CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
 	;;
-    fbsd14-ppc64)
+    fbsd14-ppc64|nbsd-arm64be)
 	# Disable security key tests for bigendian interop test.
 	CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
 	;;
@@ -342,9 +355,6 @@ case "${TARGET_HOST}" in
 	# No sudo on Windows.
 	SUDO=""
 	;;
-    windows*)
-	SUDO=""
-	;;
 esac
 
 host=`./config.guess`
@@ -400,5 +410,10 @@ if [ -x "$(which plink 2>/dev/null)" ]; then
 	export REGRESS_INTEROP_PUTTY
 fi
 
+if [ ! -z "${OVERRIDE_LTESTS}" ]; then
+	echo >&2 "Overriding LTESTS, was '${LTESTS}', now '${OVERRIDE_LTESTS}'"
+	LTESTS="${OVERRIDE_LTESTS}"
+fi
+
 export CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
 export TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS TEST_SSH_FAIL_FATAL

.github/configure.sh

@@ -18,4 +18,4 @@ if [ "x$LDFLAGS" != "x" ]; then
 fi
 
 echo ./configure ${CONFIGFLAGS} --with-privsep-user=sshd
-./configure ${CONFIGFLAGS} --with-privsep-user=sshd
+./configure ${CONFIGFLAGS} --with-privsep-user=sshd 2>&1

.github/run_test.sh

@@ -12,6 +12,7 @@ if [ ! -z "$SUDO" ] && [ ! -z "$TEST_SSH_HOSTBASED_AUTH" ]; then
     $SUDO mkdir -p "${sshconf}"
     hostname | $SUDO tee $sshconf/shosts.equiv >/dev/null
     echo "EnableSSHKeysign yes" | $SUDO tee $sshconf/ssh_config >/dev/null
+    $SUDO mkdir -p $sshconf
     $SUDO cp -p /etc/ssh/ssh_host*key* $sshconf
     $SUDO make install
     for key in $sshconf/ssh_host*key*.pub; do
@@ -20,18 +21,6 @@ if [ ! -z "$SUDO" ] && [ ! -z "$TEST_SSH_HOSTBASED_AUTH" ]; then
     done
 fi
 
-output_failed_logs() {
-    for i in regress/failed*.log; do
-        if [ -f "$i" ]; then
-            echo -------------------------------------------------------------------------
-            echo LOGFILE $i
-            cat $i
-            echo -------------------------------------------------------------------------
-        fi
-    done
-}
-trap output_failed_logs 0
-
 env=""
 if [ ! -z "${SUDO}" ]; then
     env="${env} SUDO=${SUDO}"

.github/setup_ci.sh

@@ -1,18 +1,35 @@
 #!/bin/sh
 
+config="$1"
+target="$2"
+
 PACKAGES=""
 
- . .github/configs $@
+echo Running as:
+id
+
+echo Environment:
+set
+
+ . .github/configs ${config}
 
 host=`./config.guess`
 echo "config.guess: $host"
 case "$host" in
 *cygwin)
 	PACKAGER=setup
 	echo Setting CYGWIN system environment variable.
-	setx CYGWIN "binmode"
+	setx CYGWIN "winsymlinks:native"
 	echo Removing extended ACLs so umask works as expected.
+	set -x
 	setfacl -b . regress
+	icacls regress /c /t /q /Inheritance:d
+	icacls regress /c /t /q /Grant ${USERNAME}:F
+	icacls regress /c /t /q /Remove:g "Authenticated Users" \
+	     BUILTIN\\Administrators BUILTIN Everyone System Users
+	takeown /F regress
+	icacls regress
+	set +x
 	PACKAGES="$PACKAGES,autoconf,automake,cygwin-devel,gcc-core"
 	PACKAGES="$PACKAGES,make,openssl,libssl-devel,zlib-devel"
 	;;
@@ -24,10 +41,9 @@ case "$host" in
 	PACKAGER=apt
 esac
 
-TARGETS=$@
+TARGETS=${config}
 
 INSTALL_FIDO_PPA="no"
-#COPY_PAM_MODULE="no"
 export DEBIAN_FRONTEND=noninteractive
 
 set -e
@@ -139,6 +155,14 @@ for TARGET in $TARGETS; do
         esac
         PACKAGES="${PACKAGES} putty-tools dropbear-bin"
        ;;
+    boringssl)
+        INSTALL_BORINGSSL=1
+        PACKAGES="${PACKAGES} cmake ninja-build"
+       ;;
+    aws-lc)
+        INSTALL_AWSLC=1
+        PACKAGES="${PACKAGES} cmake ninja-build"
+        ;;
     putty-*)
 	INSTALL_PUTTY=$(echo "${TARGET}" | cut -f2 -d-)
 	PACKAGES="${PACKAGES} cmake"
@@ -160,14 +184,6 @@ if [ "yes" = "$INSTALL_FIDO_PPA" ]; then
     sudo apt-add-repository -y ppa:yubico/stable
 fi
 
-#need to copy the pam modules for sshd to hpnsshd on
-#macos with pam.
-#if [ "yes" = "$COPY_PAM_MODULE" ]; then
-#    if [ `uname` = "Darwin" }; then
-#	sudo cp /etc/pam.d/sshd /etc/pam.d/hpnsshd
-#    fi
-#fi
-
 tries=3
 while [ ! -z "$PACKAGES" ] && [ "$tries" -gt "0" ]; do
     case "$PACKAGER" in
@@ -185,7 +201,8 @@ while [ ! -z "$PACKAGES" ] && [ "$tries" -gt "0" ]; do
 	fi
 	;;
     setup)
-	if /cygdrive/c/setup.exe -q -P `echo "$PACKAGES" | tr ' ' ,`; then
+	setup="/cygdrive/$(echo "${CYGWIN_SETUP}" | tr -d : | tr '\' '/')"
+	if "${setup}" -q -P `echo "$PACKAGES" | tr ' ' ,`; then
 		PACKAGES=""
 	fi
 	;;
@@ -236,6 +253,24 @@ if [ ! -z "${INSTALL_LIBRESSL}" ]; then
     fi
 fi
 
+if [ ! -z "${INSTALL_BORINGSSL}" ]; then
+    (cd ${HOME} && git clone https://boringssl.googlesource.com/boringssl &&
+     cd ${HOME}/boringssl && mkdir build && cd build &&
+     cmake -GNinja  -DCMAKE_POSITION_INDEPENDENT_CODE=ON .. && ninja &&
+     mkdir -p /opt/boringssl/lib &&
+     cp ${HOME}/boringssl/build/libcrypto.a /opt/boringssl/lib &&
+     cp -r ${HOME}/boringssl/include /opt/boringssl)
+fi
+
+if [ ! -z "${INSTALL_AWSLC}" ]; then
+    (cd ${HOME} && git clone --depth 1 --branch v1.46.1 https://github.com/aws/aws-lc.git &&
+     cd ${HOME}/aws-lc && mkdir build && cd build &&
+     cmake -GNinja -DCMAKE_BUILD_TYPE=Release -DBUILD_TESTING=OFF .. && ninja &&
+     mkdir -p /opt/aws-lc/lib &&
+     cp ${HOME}/aws-lc/build/crypto/libcrypto.a /opt/aws-lc/lib &&
+     cp -r ${HOME}/aws-lc/include /opt/aws-lc)
+fi
+
 if [ ! -z "${INSTALL_ZLIB}" ]; then
     (cd ${HOME} && git clone https://github.com/madler/zlib.git &&
      cd ${HOME}/zlib && ./configure && make &&
@@ -263,3 +298,21 @@ if [ ! -z "${INSTALL_PUTTY}" ]; then
     )
     /usr/local/bin/plink -V
 fi
+
+# If we're running on an ephemeral VM, set a random password and set
+# up to run the password auth test.
+if [ ! -z "${EPHEMERAL_VM}" ]; then
+
+    # This is the github "target" as specified in the yml file.
+    # In particular, ubuntu-latest sets the password field to the locked
+    # value, so unless we reset it here most of the tests will fail.
+    case "${target}" in
+    ubuntu-*)
+	echo ${target} target: setting random password.
+	openssl rand -base64 9 >regress/password
+	pw=$(tr -d '\n' <regress/password | openssl passwd -6 -stdin)
+	sudo usermod --password "${pw}" runner
+	sudo usermod --unlock runner
+	;;
+    esac
+fi

.github/workflows/c-cpp.yml

@@ -1,11 +1,21 @@
 name: C/C++ CI
 
+# For testing, you can set variables in your repo (Repo -> Settings ->
+# Security -> Actions -> Variables) to restrict the tests that are run.
+# The supported variables are:
+#
+# RUN_ONLY_TARGET_CONFIG: Run only the single matching target and config,
+#   separated by spaces, eg "ubuntu-latest default".  All other tests will
+#   fail immediately.
+#
+# LTESTS: Override the set of tests run.
+
 on:
   push:
-    branches: [ master, pre-stage, release_candidates, dev_major, dev_minor ]
+    branches: [ master, dev_major, dev_minor ]
     paths: [ '**.c', '**.h', '**.m4', '**.sh', '**/Makefile.in', 'configure.ac', '.github/configs', '.github/workflows/c-cpp.yml' ]
   pull_request:
-    branches: [ master, release_candidates ]
+    branches: [ master, dev_major, dev_minor ]
     paths: [ '**.c', '**.h', '**.m4', '**.sh', '**/Makefile.in', 'configure.ac', '.github/configs', '.github/workflows/c-cpp.yml' ]
 
 jobs:
@@ -18,21 +28,22 @@ jobs:
         # First we test all OSes in the default configuration.
         target:
           - ubuntu-22.04
-          - ubuntu-24.04
+          - ubunut-24.04
           - ubuntu-latest
           - ubuntu-22.04-arm
           - ubuntu-24.04-arm
           - macos-13
           - macos-14
           - macos-15
-          - windows-2019
           - windows-2022
+          - windows-2025
         config: [default]
         # Then we include any extra configs we want to test for specific VMs.
+        # Valgrind slows things down quite a bit, so start them first.
         include:
-          - { target: windows-2019, config: cygwin-release }
           - { target: windows-2022, config: cygwin-release }
-# binn.c no longer works with c89 so remove this test.
+          - { target: windows-2025, config: cygwin-release }
+# binn no longer supports c89 so skip.
 #          - { target: ubuntu-22.04, config: c89 }
           - { target: ubuntu-22.04, config: clang-11 }
           - { target: ubuntu-22.04, config: clang-12-Werror }
@@ -56,15 +67,26 @@ jobs:
           - { target: ubuntu-22.04, config: valgrind-2 }
           - { target: ubuntu-22.04, config: valgrind-3 }
           - { target: ubuntu-22.04, config: valgrind-4 }
-#          - { target: ubuntu-22.04, config: valgrind-5 }
+          - { target: ubuntu-22.04, config: valgrind-5 }
           - { target: ubuntu-22.04, config: valgrind-6 }
           - { target: ubuntu-22.04, config: valgrind-7 }
           - { target: ubuntu-22.04, config: valgrind-unit }
           - { target: ubuntu-22.04, config: without-openssl }
           - { target: ubuntu-latest, config: gcc-14 }
           - { target: ubuntu-latest, config: clang-15 }
           - { target: ubuntu-latest, config: clang-19 }
+# these don't support our crypto methods
+#          - { target: ubuntu-latest, config: boringssl }
+#          - { target: ubuntu-latest, config: aws-lc }
           - { target: ubuntu-latest, config: libressl-master }
+# We don't support libreSSL earlier than 3.7 due to problems with
+# the structures used by the aes-ctr mt cipher that wasn't address
+# before 3.7
+#          - { target: ubuntu-latest, config: libressl-3.2.6 }
+#          - { target: ubuntu-latest, config: libressl-3.3.6 }
+#          - { target: ubuntu-latest, config: libressl-3.4.3 }
+#          - { target: ubuntu-latest, config: libressl-3.5.3 }
+#          - { target: ubuntu-latest, config: libressl-3.6.1 }
           - { target: ubuntu-latest, config: libressl-3.7.2 }
           - { target: ubuntu-latest, config: libressl-3.8.4 }
           - { target: ubuntu-latest, config: libressl-3.9.2 }
@@ -102,26 +124,36 @@ jobs:
           - { target: ubuntu-latest, config: putty-snapshot }
           - { target: ubuntu-latest, config: zlib-develop }
           - { target: ubuntu-latest, config: tcmalloc }
-#	  musl doesn't work because it doesn't know about linux/tcp.h
-#	  - { target: ubuntu-latest, config: musl }
+#musl doens't know about linux/tcp.h so skip
+#          - { target: ubuntu-latest, config: musl }
           - { target: ubuntu-22.04-arm, config: kitchensink }
           - { target: ubuntu-24.04-arm, config: kitchensink }
-# we know pam doesn't work because we can't install a new pam file
-# for hpnssh via the CI test methods
-#         - { target: macos-13, config: pam }
-#         - { target: macos-14, config: pam }
-#         - { target: macos-15, config: pam }
+# Can't copy the necessary pam file in darwin without
+# user interaction so skip these
+#          - { target: macos-13, config: pam }
+#          - { target: macos-14, config: pam }
+#          - { target: macos-15, config: pam }
     runs-on: ${{ matrix.target }}
+    env:
+      EPHEMERAL_VM: yes
     steps:
+    - name: check RUN_ONLY_TARGET_CONFIG
+      if: vars.RUN_ONLY_TARGET_CONFIG != ''
+      run: sh -c 'if [ "${{ vars.RUN_ONLY_TARGET_CONFIG }}" != "${{ matrix.target }} ${{matrix.config }}" ]; then exit 1; else exit 0; fi'
     - name: set cygwin git params
       if: ${{ startsWith(matrix.target, 'windows') }}
       run: git config --global core.autocrlf input
     - name: install cygwin
+      id: cygwin_install
       if: ${{ startsWith(matrix.target, 'windows') }}
       uses: cygwin/cygwin-install-action@master
+      env:
+        CYGWIN: "winsymlinks:native"
     - uses: actions/checkout@main
     - name: setup CI system
-      run: sh ./.github/setup_ci.sh ${{ matrix.config }}
+      run: sh ./.github/setup_ci.sh ${{ matrix.config }} ${{ matrix.target }}
+      env:
+        CYGWIN_SETUP: ${{ steps.cygwin_install.outputs.setup }}
     - name: autoreconf
       run: sh -c autoreconf
     - name: configure
@@ -140,6 +172,13 @@ jobs:
       env:
         TEST_SSH_UNSAFE_PERMISSIONS: 1
         TEST_SSH_HOSTBASED_AUTH: yes
+        LTESTS: ${{ vars.LTESTS }}
+    - name: show logs
+      if: failure()
+      run: for i in regress/failed*.log; do echo ====; echo logfile $i; echo =====; cat $i; done
+    - name: chown logs
+      if: failure()
+      run: test -x "$(which sudo 2>&1)" && sudo chown -R "${LOGNAME}" regress
     - name: save logs
       if: failure()
       uses: actions/upload-artifact@main
@@ -148,8 +187,4 @@ jobs:
         path: |
           config.h
           config.log
-          regress/*.log
-          regress/valgrind-out/
-          regress/asan.log.*
-          regress/msan.log.*
-          regress/log/*
+          regress/