When installing in standalone mode, don't modify system config #1533
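name: openssh Tests

# START OF COMMON SECTION
on:
  push:
    branches: [ 'master', 'main', 'release/**' ]
  pull_request:
    branches: [ '*' ]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
# END OF COMMON SECTION

# NOTE(review): no `permissions:` block is set, so both jobs receive the
# repository's default GITHUB_TOKEN scope. `permissions: { contents: read }`
# is likely all this workflow needs — confirm build-wolfprovider.yml does
# not require more before restricting it.

jobs:
  # Builds the wolfSSL / OpenSSL / wolfProvider Debian packages that the
  # test job below installs.
  build_wolfprovider:
    uses: ./.github/workflows/build-wolfprovider.yml
    with:
      wolfssl_ref: ${{ matrix.wolfssl_ref }}
      openssl_ref: ${{ matrix.openssl_ref }}
      fips_ref: ${{ matrix.fips_ref }}
      replace_default: ${{ matrix.replace_default }}
    strategy:
      matrix:
        wolfssl_ref: [ 'v5.8.2-stable' ]
        openssl_ref: [ 'openssl-3.5.2' ]
        fips_ref: [ 'FIPS', 'non-FIPS' ]
        replace_default: [ true ]

  # Builds a patched openssh-portable against the installed wolfProvider
  # and runs its test suites (t-exec excluded).
  test_openssh:
    runs-on: ubuntu-22.04
    needs: build_wolfprovider
    container:
      image: debian:bookworm
      # Extra permissions needed for Debian Bookworm: the loop and
      # device-mapper devices below are used by the test run.
      # `--privileged` already grants every capability, so the
      # `--cap-add=SYS_ADMIN` that follows is redundant (kept for clarity).
      options: >-
        --privileged
        --cap-add=SYS_ADMIN
        --device=/dev/mapper/control
        --device=/dev/loop-control
        --device=/dev/loop0
        --device=/dev/loop1
        --device=/dev/loop2
        -v /lib/modules:/lib/modules:ro
      env:
        DEBIAN_FRONTEND: noninteractive
    # This should be a safe limit for the tests to run.
    timeout-minutes: 20
    strategy:
      matrix:
        openssh_ref: [ 'V_10_0_P2', 'V_9_9_P1' ]
        wolfssl_ref: [ 'v5.8.2-stable' ]
        openssl_ref: [ 'openssl-3.5.2' ]
        fips_ref: [ 'non-FIPS' ]  # FIPS is not yet supported for OpenSSH
        # '' runs the normal case; WOLFPROV_FORCE_FAIL=1 is expected to make
        # the tests fail, which check-workflow-result.sh verifies.
        force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ]
        replace_default: [ true ]
    env:
      WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages
      OPENSSL_PACKAGES_PATH: /tmp/openssl-packages
      WOLFPROV_PACKAGES_PATH: /tmp/wolfprov-packages
    steps:
      - name: Checkout wolfProvider
        uses: actions/checkout@v4
        with:
          fetch-depth: 1

      - name: Download packages from build job
        uses: actions/download-artifact@v4
        with:
          name: debian-packages-${{ matrix.fips_ref }}${{ matrix.replace_default && '-replace-default' || '' }}-${{ matrix.wolfssl_ref }}-${{ matrix.openssl_ref }}
          path: /tmp

      - name: Install wolfSSL/OpenSSL/wolfprov packages
        run: |
          apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
            ${{ env.WOLFSSL_PACKAGES_PATH }}/libwolfssl_*.deb
          apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
            ${{ env.OPENSSL_PACKAGES_PATH }}/openssl_*.deb \
            ${{ env.OPENSSL_PACKAGES_PATH }}/libssl3_*.deb \
            ${{ env.OPENSSL_PACKAGES_PATH }}/libssl-dev_*.deb
          apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
            ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb

      - name: Verify wolfProvider is properly installed
        run: |
          $GITHUB_WORKSPACE/scripts/verify-install.sh \
            ${{ matrix.replace_default && '--replace-default' || '' }} \
            ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }}

      - name: Install dependencies
        run: |
          apt-get update
          apt-get install -y build-essential autoconf automake libtool \
            pkg-config patch zlib1g-dev kmod util-linux cryptsetup-bin

      - name: Ensure kernel modules are present
        run: |
          # loop + device-mapper (dm-crypt); scsi_debug is optional and may
          # still be unavailable on the host kernel, so every step is best-effort.
          modprobe loop || true
          modprobe dm_mod || true
          modprobe dm_crypt || true
          modprobe scsi_debug || true
          losetup -f || true
          ls -l /dev/loop* /dev/mapper || true

      - name: Checkout openssh
        uses: actions/checkout@v4
        with:
          repository: openssh/openssh-portable
          path: openssh-portable
          ref: ${{ matrix.openssh_ref }}
          fetch-depth: 1

      - name: Checkout OSP
        uses: actions/checkout@v4
        with:
          repository: wolfssl/osp
          path: osp
          fetch-depth: 1

      - name: Apply OSP patch for openssh
        run: |
          # Apply the patch for the correct version of OpenSSH
          cd openssh-portable
          patch -p1 < $GITHUB_WORKSPACE/osp/wolfProvider/openssh/openssh-${{ matrix.openssh_ref }}-wolfprov.patch

      - name: Build and Test openssh-portable
        working-directory: openssh-portable
        shell: bash
        run: |
          # GitHub's `shell: bash` runs with `-eo pipefail`; drop pipefail so a
          # failing `make ... | tee` below does not abort the step before its
          # exit status is captured and handed to check-workflow-result.sh.
          set +o pipefail
          # Only export when the matrix entry is non-empty: a bare `export`
          # with no arguments prints the whole environment into the job log.
          if [ -n "${{ matrix.force_fail }}" ]; then
            export ${{ matrix.force_fail }}
          fi
          # Enable unsafe permissions for testing
          export TEST_SSH_UNSAFE_PERMISSIONS=1
          # Priv-sep user/group (idempotent)
          getent group sshd >/dev/null || addgroup --system sshd
          id -u sshd >/dev/null 2>&1 || adduser --system --no-create-home \
            --ingroup sshd --home /nonexistent --shell /usr/sbin/nologin sshd
          # Priv-sep runtime dirs
          install -d -m 0755 /run/sshd
          # The required chroot for privilege separation
          # Must exist, be owned by root, and not be writable by group/world.
          install -d -o root -g root -m 0755 /var/empty
          autoreconf -ivf
          ./configure --with-prngd-socket=/tmp/prngd \
            --with-ldflags=-Wl,--export-dynamic
          make -j
          # Include build dirs for symbol resolution. A relative `.` entry is
          # acceptable only because this is a throwaway CI container.
          export LD_LIBRARY_PATH=".:openbsd-compat:$LD_LIBRARY_PATH"
          # Run all the tests except (t-exec) as it takes too long
          make file-tests interop-tests extra-tests unit 2>&1 | tee openssh-test.log
          TEST_RESULT=${PIPESTATUS[0]}
          # NOTE(review): when force_fail is '' the positional arguments shift
          # and "openssh" becomes $2 — confirm check-workflow-result.sh expects that.
          $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} openssh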