upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-06-17 12:41:39 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
opnsense-src/crypto/openssh/.github/workflows/c-cpp.yml
Ed Maste 802386cd37 openssh: Update to 9.9p1 
Highlights from the release notes are reproduced below.  Bug fixes and
improvements that were previously merged into FreeBSD have been elided.

See the upstream release notes for full details of the 9.9p1 release
(https://www.openssh.com/releasenotes.html).

---

Future deprecation notice
=========================

OpenSSH plans to remove support for the DSA signature algorithm in
early 2025.

Potentially-incompatible changes
--------------------------------

 * ssh(1): remove support for pre-authentication compression.

 * ssh(1), sshd(8): processing of the arguments to the "Match"
   configuration directive now follows more shell-like rules for
   quoted strings, including allowing nested quotes and \-escaped
   characters.

New features
------------

 * ssh(1), sshd(8): add support for a new hybrid post-quantum key
   exchange based on the FIPS 203 Module-Lattice Key Enapsulation
   mechanism (ML-KEM) combined with X25519 ECDH as described by
   https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03
   This algorithm "mlkem768x25519-sha256" is available by default.

 * ssh(1), sshd(8), ssh-agent(1): prevent private keys from being
   included in core dump files for most of their lifespans. This is
   in addition to pre-existing controls in ssh-agent(1) and sshd(8)
   that prevented coredumps. This feature is supported on OpenBSD,
   Linux and FreeBSD.

 * All: convert key handling to use the libcrypto EVP_PKEY API, with
   the exception of DSA.

Bugfixes
--------

 * sshd(8): do not apply authorized_keys options when signature
   verification fails. Prevents more restrictive key options being
   incorrectly applied to subsequent keys in authorized_keys. bz3733

 * ssh-keygen(1): include pathname in some of ssh-keygen's passphrase
   prompts. Helps the user know what's going on when ssh-keygen is
   invoked via other tools. Requested in GHPR503

 * ssh(1), ssh-add(1): make parsing user@host consistently look for
   the last '@' in the string rather than the first. This makes it
   possible to more consistently use usernames that contain '@'
   characters.

 * ssh(1), sshd(8): be more strict in parsing key type names. Only
   allow short names (e.g "rsa") in user-interface code and require
   full SSH protocol names (e.g. "ssh-rsa") everywhere else. bz3725

 * ssh-keygen(1): clarify that ed25519 is the default key type
   generated and clarify that rsa-sha2-512 is the default signature
   scheme when RSA is in use. GHPR505

---

Reviewed by:	jlduran (build infrastructure)
Reviewed by:	cy (build infrastructure)
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48947

(cherry picked from commit 3d9fd9fcb4)

Approved by:	re (accelerated MFC)
2025-02-20 12:50:31 -05:00

147 lines
6.6 KiB
YAML
Raw Permalink Blame History

name: C/C++ CI
on:
push:
paths: [ '**.c', '**.h', '**.m4', '**.sh', '**/Makefile.in', 'configure.ac', '.github/configs', '.github/workflows/c-cpp.yaml' ]
pull_request:
paths: [ '**.c', '**.h', '**.m4', '**.sh', '**/Makefile.in', 'configure.ac', '.github/configs', '.github/workflows/c-cpp.yaml' ]
jobs:
ci:
name: "${{ matrix.target }} ${{ matrix.config }}"
if: github.repository != 'openssh/openssh-portable-selfhosted'
strategy:
fail-fast: false
matrix:
# First we test all OSes in the default configuration.
target:
- ubuntu-20.04
- ubuntu-22.04
- macos-12
- macos-13
- macos-14
- windows-2019
- windows-2022
config: [default]
# Then we include any extra configs we want to test for specific VMs.
# Valgrind slows things down quite a bit, so start them first.
include:
- { target: windows-2019, config: cygwin-release }
- { target: windows-2022, config: cygwin-release }
- { target: ubuntu-20.04, config: valgrind-1 }
- { target: ubuntu-20.04, config: valgrind-2 }
- { target: ubuntu-20.04, config: valgrind-3 }
- { target: ubuntu-20.04, config: valgrind-4 }
- { target: ubuntu-20.04, config: valgrind-unit }
- { target: ubuntu-20.04, config: c89 }
- { target: ubuntu-20.04, config: clang-6.0 }
- { target: ubuntu-20.04, config: clang-8 }
- { target: ubuntu-20.04, config: clang-9 }
- { target: ubuntu-20.04, config: clang-10 }
- { target: ubuntu-20.04, config: clang-11 }
- { target: ubuntu-20.04, config: clang-12-Werror }
- { target: ubuntu-20.04, config: clang-sanitize-address }
- { target: ubuntu-20.04, config: clang-sanitize-undefined }
- { target: ubuntu-20.04, config: gcc-sanitize-address }
- { target: ubuntu-20.04, config: gcc-sanitize-undefined }
- { target: ubuntu-20.04, config: gcc-7 }
- { target: ubuntu-20.04, config: gcc-8 }
- { target: ubuntu-20.04, config: gcc-10 }
- { target: ubuntu-22.04, config: gcc-11-Werror }
- { target: ubuntu-22.04, config: gcc-12-Werror }
- { target: ubuntu-20.04, config: pam }
- { target: ubuntu-20.04, config: kitchensink }
- { target: ubuntu-22.04, config: hardenedmalloc }
- { target: ubuntu-20.04, config: tcmalloc }
- { target: ubuntu-20.04, config: musl }
- { target: ubuntu-latest, config: boringssl }
- { target: ubuntu-latest, config: libressl-master }
- { target: ubuntu-latest, config: libressl-3.2.6 }
- { target: ubuntu-latest, config: libressl-3.3.6 }
- { target: ubuntu-latest, config: libressl-3.4.3 }
- { target: ubuntu-latest, config: libressl-3.5.3 }
- { target: ubuntu-latest, config: libressl-3.6.1 }
- { target: ubuntu-latest, config: libressl-3.7.2 }
- { target: ubuntu-latest, config: libressl-3.8.4 }
- { target: ubuntu-latest, config: libressl-3.9.1 }
- { target: ubuntu-latest, config: openssl-master }
- { target: ubuntu-latest, config: openssl-noec }
- { target: ubuntu-latest, config: openssl-1.1.1 }
- { target: ubuntu-latest, config: openssl-1.1.1t }
- { target: ubuntu-latest, config: openssl-1.1.1w }
- { target: ubuntu-latest, config: openssl-3.0.0 }
- { target: ubuntu-latest, config: openssl-3.0.13 }
- { target: ubuntu-latest, config: openssl-3.1.0 }
- { target: ubuntu-latest, config: openssl-3.1.5 }
- { target: ubuntu-latest, config: openssl-3.2.1 }
- { target: ubuntu-latest, config: openssl-3.3.0 }
- { target: ubuntu-latest, config: openssl-1.1.1_stable }
- { target: ubuntu-latest, config: openssl-3.0 } # stable branch
- { target: ubuntu-latest, config: openssl-3.1 } # stable branch
- { target: ubuntu-latest, config: openssl-3.2 } # stable branch
- { target: ubuntu-latest, config: openssl-3.3 } # stable branch
- { target: ubuntu-latest, config: putty-0.71 }
- { target: ubuntu-latest, config: putty-0.72 }
- { target: ubuntu-latest, config: putty-0.73 }
- { target: ubuntu-latest, config: putty-0.74 }
- { target: ubuntu-latest, config: putty-0.75 }
- { target: ubuntu-latest, config: putty-0.76 }
- { target: ubuntu-latest, config: putty-0.77 }
- { target: ubuntu-latest, config: putty-0.78 }
- { target: ubuntu-latest, config: putty-0.79 }
- { target: ubuntu-latest, config: putty-0.80 }
- { target: ubuntu-latest, config: putty-snapshot }
- { target: ubuntu-latest, config: zlib-develop }
- { target: ubuntu-22.04, config: pam }
- { target: ubuntu-22.04, config: krb5 }
- { target: ubuntu-22.04, config: heimdal }
- { target: ubuntu-22.04, config: libedit }
- { target: ubuntu-22.04, config: sk }
- { target: ubuntu-22.04, config: selinux }
- { target: ubuntu-22.04, config: kitchensink }
- { target: ubuntu-22.04, config: without-openssl }
- { target: macos-12, config: pam }
- { target: macos-13, config: pam }
- { target: macos-14, config: pam }
runs-on: ${{ matrix.target }}
steps:
- name: set cygwin git params
if: ${{ startsWith(matrix.target, 'windows') }}
run: git config --global core.autocrlf input
- name: install cygwin
if: ${{ startsWith(matrix.target, 'windows') }}
uses: cygwin/cygwin-install-action@master
- uses: actions/checkout@main
- name: setup CI system
run: sh ./.github/setup_ci.sh ${{ matrix.config }}
- name: autoreconf
run: sh -c autoreconf
- name: configure
run: sh ./.github/configure.sh ${{ matrix.config }}
- name: save config
uses: actions/upload-artifact@main
with:
name: ${{ matrix.target }}-${{ matrix.config }}-config
path: config.h
- name: make clean
run: make clean
- name: make
run: make
- name: make tests
run: sh ./.github/run_test.sh ${{ matrix.config }}
env:
TEST_SSH_UNSAFE_PERMISSIONS: 1
TEST_SSH_HOSTBASED_AUTH: yes
- name: save logs
if: failure()
uses: actions/upload-artifact@main
with:
name: ${{ matrix.target }}-${{ matrix.config }}-logs
path: |
config.h
config.log
regress/*.log
regress/valgrind-out/
regress/asan.log.*
regress/msan.log.*
regress/log/*
Reference in a new issue View git blame Copy permalink