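name: openssh Tests
# START OF COMMON SECTION
on:
  push:
    branches: [ 'master', 'main', 'release/**' ]
  pull_request:
    # NOTE(review): in GitHub branch filters '*' does not match '/', so PRs
    # targeting release/** are not matched here although pushes to them are.
    # Use '**' if every target branch is intended.
    branches: [ '*' ]
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
# END OF COMMON SECTION
jobs:
  # Builds the wolfSSL / OpenSSL / wolfProvider Debian packages that the test
  # job below restores from the cache; the matrix here must stay in step with
  # the one in test_openssh so the cache key lines up.
  build_wolfprovider:
    uses: ./.github/workflows/build-wolfprovider.yml
    with:
      wolfssl_ref: ${{ matrix.wolfssl_ref }}
      openssl_ref: ${{ matrix.openssl_ref }}
      replace_default: ${{ matrix.replace_default }}
    strategy:
      matrix:
        wolfssl_ref: [ 'v5.8.2-stable' ]
        openssl_ref: [ 'openssl-3.5.2' ]
        replace_default: [ true ]

  # Builds openssh-portable against the packaged wolfProvider and runs the
  # regress targets (everything except t-exec), once normally and once with
  # the provider forced to fail.
  test_openssh:
    runs-on: ubuntu-22.04
    # Least privilege for GITHUB_TOKEN: this job only checks out public sources
    # and restores a cache (cache uses the runtime token, not GITHUB_TOKEN);
    # nothing here writes back to GitHub.
    permissions:
      contents: read
    container:
      image: debian:bookworm
      # NOTE(review): --privileged, SYS_ADMIN, the loop/device-mapper devices
      # and the /lib/modules mount are only consumed by the "Ensure kernel
      # modules are present" step below; none of the openssh regress targets
      # run here obviously need them. If that step is a leftover, drop it and
      # these options together, because a privileged container lets code from
      # a pull_request run escape to the runner VM (acceptable only on
      # ephemeral GitHub-hosted runners, never on self-hosted ones).
      options: >-
        --privileged
        --cap-add=SYS_ADMIN
        --device=/dev/mapper/control
        --device=/dev/loop-control
        --device=/dev/loop0
        --device=/dev/loop1
        --device=/dev/loop2
        -v /lib/modules:/lib/modules:ro
      env:
        DEBIAN_FRONTEND: noninteractive
    needs: build_wolfprovider
    # Safety net so a hung sshd/regress run cannot occupy the runner forever.
    timeout-minutes: 20
    strategy:
      matrix:
        openssh_ref: [ 'V_10_0_P2', 'V_9_9_P1' ]
        wolfssl_ref: [ 'v5.8.2-stable' ]
        openssl_ref: [ 'openssl-3.5.2' ]
        # Second cell runs the suite with the provider forced to fail; the
        # empty string is the "normal" run.
        force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ]
        replace_default: [ true ]
    env:
      WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages
      OPENSSL_PACKAGES_PATH: /tmp/openssl-packages
      WOLFPROV_PACKAGES_PATH: /tmp/wolfprov-packages
    steps:
      # NOTE(review): every action below is pinned to a moving major tag.
      # Pinning to a full commit SHA (tag kept in a trailing comment) would
      # stop an upstream tag move from changing what runs in this job.
      - name: Checkout wolfProvider
        uses: actions/checkout@v4
        with:
          fetch-depth: 1

      # The packages are produced by build_wolfprovider and shared via the
      # cache, keyed on this run's commit; a miss is a hard failure rather than
      # a silent fallback to whatever Debian ships.
      - name: Checking OpenSSL/wolfProvider packages in cache
        uses: actions/cache/restore@v4
        id: wolfprov-cache
        with:
          path: |
            ${{ env.WOLFSSL_PACKAGES_PATH }}
            ${{ env.OPENSSL_PACKAGES_PATH }}
            ${{ env.WOLFPROV_PACKAGES_PATH }}
          key: openssl-wolfprov-debian-packages-${{ github.sha }}${{ matrix.replace_default && '-replace-default' || '' }}
          fail-on-cache-miss: true

      # No `apt-get update` has run yet, so each local .deb must have its
      # dependencies satisfied by the base image already. apt-get is used
      # instead of apt, whose CLI is explicitly not stable for scripts.
      - name: Install wolfSSL/OpenSSL/wolfprov packages
        run: |
          printf "Installing OpenSSL/wolfProvider packages:\n"
          ls -la ${{ env.WOLFSSL_PACKAGES_PATH }}
          ls -la ${{ env.OPENSSL_PACKAGES_PATH }}
          ls -la ${{ env.WOLFPROV_PACKAGES_PATH }}
          apt-get install --reinstall -y \
            ${{ env.WOLFSSL_PACKAGES_PATH }}/libwolfssl_*.deb
          apt-get install --reinstall -y \
            ${{ env.OPENSSL_PACKAGES_PATH }}/openssl_*.deb \
            ${{ env.OPENSSL_PACKAGES_PATH }}/libssl3_*.deb \
            ${{ env.OPENSSL_PACKAGES_PATH }}/libssl-dev_*.deb
          apt-get install --reinstall -y \
            ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb

      - name: Install dependencies
        run: |
          apt-get update
          apt-get install -y build-essential autoconf automake libtool \
            pkg-config patch zlib1g-dev

      - name: Install test deps
        run: |
          apt-get update
          apt-get install -y kmod util-linux cryptsetup-bin

      # Every command is best-effort (`|| true`): the host kernel may not
      # provide these modules. See the review note on container.options.
      - name: Ensure kernel modules are present
        run: |
          # loop + device-mapper (dm-crypt); scsi_debug is optional and may still be unavailable on the host kernel
          modprobe loop || true
          modprobe dm_mod || true
          modprobe dm_crypt || true
          modprobe scsi_debug || true
          losetup -f || true
          ls -l /dev/loop* /dev/mapper || true

      # persist-credentials is off for the third-party checkouts: no later
      # step performs git operations in them, so there is no reason to leave
      # GITHUB_TOKEN in their .git/config while untrusted build scripts run.
      - name: Checkout openssh
        uses: actions/checkout@v4
        with:
          repository: openssh/openssh-portable
          path: openssh-portable
          ref: ${{ matrix.openssh_ref }}
          fetch-depth: 1
          persist-credentials: false

      # TODO(review): pin `ref:` to a tag or commit. The patch applied in the
      # next step comes from this checkout, so a floating default branch makes
      # the build non-reproducible and lets a change in that repository alter
      # what is tested here without any change to this one.
      - name: Checkout OSP
        uses: actions/checkout@v4
        with:
          repository: wolfssl/osp
          path: osp
          fetch-depth: 1
          persist-credentials: false

      # The step runs with bash -e, so a patch that does not apply cleanly
      # fails the job here rather than producing a misleading build.
      - name: Apply wolfProvider patch to openssh
        run: |
          # Apply the patch for the correct version of OpenSSH
          cd openssh-portable
          patch -p1 < $GITHUB_WORKSPACE/osp/wolfProvider/openssh/openssh-${{ matrix.openssh_ref }}-wolfprov.patch

      - name: Build and Test openssh-portable
        working-directory: openssh-portable
        shell: bash
        run: |
          # `shell: bash` runs with `-e -o pipefail`. pipefail is switched off
          # so that a failing `make` in the test pipeline below does not abort
          # the step; make's own status is read back from PIPESTATUS and handed
          # to the result checker, which decides pass/fail for this matrix cell
          # (presumably the force-fail cells expect a failing run).
          set +o pipefail
          # Only export the forced-failure variable when the matrix cell sets
          # one; a bare `export` would dump the whole environment into the log.
          if [ -n "${{ matrix.force_fail }}" ]; then
            export ${{ matrix.force_fail }}
          fi
          # Let the regress suite run with file permissions it would otherwise
          # reject (per the variable's name; the container's ownership does not
          # match what the suite expects).
          export TEST_SSH_UNSAFE_PERMISSIONS=1
          # sshd privilege-separation user/group (idempotent).
          getent group sshd >/dev/null || addgroup --system sshd
          id -u sshd >/dev/null 2>&1 || adduser --system --no-create-home \
            --ingroup sshd --home /nonexistent --shell /usr/sbin/nologin sshd
          # sshd runtime directory.
          install -d -m 0755 /run/sshd
          # Privilege-separation chroot: must exist, be owned by root and not
          # be group/world writable, or sshd refuses to start.
          install -d -o root -g root -m 0755 /var/empty
          autoreconf -ivf
          ./configure --with-prngd-socket=/tmp/prngd \
            --with-ldflags=-Wl,--export-dynamic
          make -j
          # Build dirs on the library path so freshly built objects resolve
          # their symbols.
          export LD_LIBRARY_PATH=".:openbsd-compat:$LD_LIBRARY_PATH"
          # Run all the tests except t-exec, which takes too long.
          make file-tests interop-tests extra-tests unit 2>&1 | tee openssh-test.log
          TEST_RESULT=${PIPESTATUS[0]}
          $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} openssh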