Dev minor

.github/ci-status.md

@@ -0,0 +1,22 @@
+master :
+[![C/C++ CI](../../../actions/workflows/c-cpp.yml/badge.svg)](../../../actions/workflows/c-cpp.yml?query=branch:master)
+[![VM CI](../../../actions/workflows/vm.yml/badge.svg)](../../../actions/workflows/vm.yml?query=branch:master)
+[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:master)
+[![Upstream self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/upstream.yml/badge.svg)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/upstream.yml?query=branch:master)
+[![CIFuzz](../../../actions/workflows/cifuzz.yml/badge.svg)](../../../actions/workflows/cifuzz.yml)
+[![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/openssh.svg)](https://issues.oss-fuzz.com/issues?q="Project:+openssh"+is:open)
+[![Coverity Status](https://scan.coverity.com/projects/21341/badge.svg)](https://scan.coverity.com/projects/openssh-portable)
+<br>
+
+10.1 :
+[![C/C++ CI](../../../actions/workflows/c-cpp.yml/badge.svg?branch=V_10_1)](../../../actions/workflows/c-cpp.yml?query=branch:V_10_1)
+[![VM CI](../../../actions/workflows/vm.yml/badge.svg?branch=V_10_1)](../../../actions/workflows/vm.yml?query=branch:V_10_1)
+[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_10_1)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_10_1)
+
+10.0 :
+[![C/C++ CI](../../../actions/workflows/c-cpp.yml/badge.svg?branch=V_10_0)](../../../actions/workflows/c-cpp.yml?query=branch:V_10_0)
+[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_10_0)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_10_0)
+
+9.9 :
+[![C/C++ CI](../../../actions/workflows/c-cpp.yml/badge.svg?branch=V_9_9)](../../../actions/workflows/c-cpp.yml?query=branch:V_9_9)
+[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_9)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_9)

.github/install_libcrypto.sh

@@ -0,0 +1,75 @@
+#!/bin/sh
+#
+# Install specified libcrypto.
+#  -a : install version for ABI compatibility test.
+#  -n : dry run, don't actually build and install.
+#
+# Usage: $0 [-a] [-n] openssl-$branch/tag destdir [config options]
+
+set -e
+
+bincompat_test=""
+dryrun=""
+while [ "$1" = "-a" ] || [ "$1" = "-n" ]; do
+	if [ "$1" = "-a" ]; then
+		abi_compat_test=y
+	elif [ "$1" = "-n" ]; then
+		dryrun="echo dryrun:"
+	fi
+	shift
+done
+
+ver="$1"
+destdir="$2"
+opts="$3"
+
+if [ -z "${ver}" ] || [ -z "${destdir}" ]; then
+	echo tag/branch and destdir required
+	exit 1
+fi
+
+set -x
+
+if [ ! -d ${HOME}/openssl ]; then
+	cd ${HOME}
+	git clone https://github.com/openssl/openssl.git
+	cd ${HOME}/openssl
+	git fetch --all
+fi
+cd ${HOME}/openssl
+
+if [ "${abi_compat_test}" = "y" ]; then
+	echo selecting ABI test release/branch for ${ver}
+	case "${ver}" in
+	openssl-3.6)
+		ver=openssl-3.0.0
+		echo "selecting older release ${ver}"
+		;;
+	openssl-3.[012345])
+		major=$(echo ${ver} | cut -f1 -d.)
+		minor=$(echo ${ver} | cut -f2 -d.)
+		ver="${major}.$((${minor} + 1))"
+		echo selecting next release branch ${ver}
+		;;
+	openssl-3.*.*)
+		major=$(echo ${ver} | cut -f1 -d.)
+		minor=$(echo ${ver} | cut -f2 -d.)
+		patch=$(echo ${ver} | cut -f3 -d.)
+		ver="${major}.${minor}.$((${patch} + 1))"
+		echo checking for release tag ${ver}
+		if git tag | grep -q "^${ver}\$"; then
+			echo selected next patch release ${ver}
+		else
+			ver="${major}.${minor}"
+			echo not found, selecting release branch ${ver}
+		fi
+		;;
+	esac
+fi
+
+git checkout ${ver}
+make clean >/dev/null 2>&1 || true
+${dryrun} ./config no-threads shared ${opts} --prefix=${destdir} \
+    -Wl,-rpath,${destdir}/lib64
+${dryrun} make -j4
+${dryrun} sudo make install_sw

.github/install_putty.sh

@@ -0,0 +1,37 @@
+#!/bin/sh
+
+ver="$1"
+
+echo
+echo --------------------------------------
+echo Installing PuTTY version ${ver}
+echo --------------------------------------
+
+cd /tmp
+
+case "${ver}" in
+snapshot)
+	tarball=putty.tar.gz
+	url=https://tartarus.org/~simon/putty-snapshots/${tarball}
+	;;
+*)
+	tarball=putty-${ver}.tar.gz
+	url=https://the.earth.li/~sgtatham/putty/${ver}/${tarball}
+	;;
+esac
+
+if [ ! -f ${tarball} ]; then
+	wget -q ${url}
+fi
+
+mkdir -p /tmp/puttybuild
+cd /tmp/puttybuild
+
+tar xfz /tmp/${tarball} && cd putty-*
+if [ -f CMakeLists.txt ]; then
+	cmake . && cmake --build . -j4 && sudo cmake --build . --target install
+else
+	./configure && make -j4 && sudo make install
+fi
+sudo rm -rf /tmp/puttybuild
+/usr/local/bin/plink -V

.github/run_test.sh

@@ -13,7 +13,6 @@ if [ ! -z "$SUDO" ] && [ ! -z "$TEST_SSH_HOSTBASED_AUTH" ]; then
     hostname | $SUDO tee $sshconf/shosts.equiv >/dev/null
     echo "EnableSSHKeysign yes" | $SUDO tee $sshconf/ssh_config >/dev/null
     $SUDO mkdir -p $sshconf
-    $SUDO cp -p /etc/ssh/ssh_host*key* $sshconf
     $SUDO make install
     for key in $sshconf/ssh_host*key*.pub; do
         echo `hostname` `cat $key` | \
@@ -35,6 +34,17 @@ if [ ! -z "${env}" ]; then
     env="env${env}"
 fi
 
+if [ "$1" = "putty-versions" ]; then
+	for ver in 0.71 0.72 0.73 0.74 0.75 0.76 0.77 0.78 0.79 0.80 \
+	    0.81 0.82 0.83 snapshot; do
+		.github/install_putty.sh "${ver}"
+		${env} make ${TEST_TARGET} \
+		    SKIP_LTESTS="${SKIP_LTESTS}" LTESTS="${LTESTS}"
+	done
+
+	exit 0
+fi
+
 if [ -z "${LTESTS}" ]; then
     ${env} make ${TEST_TARGET} SKIP_LTESTS="${SKIP_LTESTS}"
 else

.github/setup_ci.sh

@@ -164,7 +164,7 @@ for TARGET in $TARGETS; do
         PACKAGES="${PACKAGES} cmake ninja-build"
         ;;
     putty-*)
-	INSTALL_PUTTY=$(echo "${TARGET}" | cut -f2 -d-)
+	INSTALL_PUTTY=0.83
 	PACKAGES="${PACKAGES} cmake"
 	;;
     valgrind*)
@@ -225,13 +225,8 @@ if [ "${INSTALL_HARDENED_MALLOC}" = "yes" ]; then
 fi
 
 if [ ! -z "${INSTALL_OPENSSL}" ]; then
-    (cd ${HOME} &&
-     git clone https://github.com/openssl/openssl.git &&
-     cd ${HOME}/openssl &&
-     git checkout ${INSTALL_OPENSSL} &&
-     ./config no-threads shared ${SSLCONFOPTS} \
-         --prefix=/opt/openssl &&
-     make && sudo make install_sw)
+	.github/install_libcrypto.sh \
+	    "${INSTALL_OPENSSL}" /opt/openssl "${SSLCONFOPTS}"
 fi
 
 if [ ! -z "${INSTALL_LIBRESSL}" ]; then
@@ -278,25 +273,25 @@ if [ ! -z "${INSTALL_ZLIB}" ]; then
 fi
 
 if [ ! -z "${INSTALL_PUTTY}" ]; then
-    ver="${INSTALL_PUTTY}"
-    case "${INSTALL_PUTTY}" in
-    snapshot)
-	tarball=putty.tar.gz
-	(cd /tmp && wget https://tartarus.org/~simon/putty-snapshots/${tarball})
-	;;
-    *)
-	tarball=putty-${ver}.tar.gz
-	(cd /tmp && wget https://the.earth.li/~sgtatham/putty/${ver}/${tarball})
+	.github/install_putty.sh "${INSTALL_PUTTY}"
+fi
+
+# If we're running on an ephemeral VM, set a random password and set
+# up to run the password auth test.
+if [ ! -z "${EPHEMERAL_VM}" ]; then
+
+    # This is the github "target" as specified in the yml file.
+    # In particular, ubuntu-latest sets the password field to the locked
+    # value, so unless we reset it here most of the tests will fail.
+    case "${target}" in
+    ubuntu-*)
+	echo ${target} target: setting random password.
+	openssl rand -base64 9 >regress/password
+	pw=$(tr -d '\n' <regress/password | openssl passwd -6 -stdin)
+	sudo usermod --password "${pw}" runner
+	sudo usermod --unlock runner
 	;;
     esac
-    (cd ${HOME} && tar xfz /tmp/${tarball} && cd putty-*
-     if [ -f CMakeLists.txt ]; then
-	cmake . && cmake --build . && sudo cmake --build . --target install
-     else
-	./configure && make && sudo make install
-     fi
-    )
-    /usr/local/bin/plink -V
 fi
 
 # If we're running on an ephemeral VM, set a random password and set

.github/workflows/c-cpp.yml

@@ -1,4 +1,14 @@
-name: C/C++ CI
+name: CI
+
+# For testing, you can set variables in your repo (Repo -> Settings ->
+# Security -> Actions -> Variables) to restrict the tests that are run.
+# The supported variables are:
+#
+# RUN_ONLY_TARGET_CONFIG: Run only the single matching target and config,
+#   separated by spaces, eg "ubuntu-latest default".  All other tests will
+#   fail immediately.
+#
+# LTESTS: Override the set of tests run.
 
 # For testing, you can set variables in your repo (Repo -> Settings ->
 # Security -> Actions -> Variables) to restrict the tests that are run.
@@ -12,11 +22,11 @@ name: C/C++ CI
 
 on:
   push:
-    branches: [ master, dev_major, dev_minor ]
-    paths: [ '**.c', '**.h', '**.m4', '**.sh', '**/Makefile.in', 'configure.ac', '.github/configs', '.github/workflows/c-cpp.yml' ]
+    branches: [ master, dev_major, dev_minor, DynamicWindow ]
+#    paths: [ '**.c', '**.h', '**.m4', '**.sh', '**/Makefile.in', 'configure.ac', '.github/configs', '.github/*.sh', '.github/workflows/c-cpp.yml' ]
   pull_request:
-    branches: [ master, dev_major, dev_minor ]
-    paths: [ '**.c', '**.h', '**.m4', '**.sh', '**/Makefile.in', 'configure.ac', '.github/configs', '.github/workflows/c-cpp.yml' ]
+    branches: [ master, dev_major, dev_minor, DynamicWindow ]
+#    paths: [ '**.c', '**.h', '**.m4', '**.sh', '**/Makefile.in', 'configure.ac', '.github/configs', '.github/*.sh', '.github/workflows/c-cpp.yml' ]
 
 jobs:
   ci:
@@ -87,41 +97,36 @@ jobs:
 #          - { target: ubuntu-latest, config: libressl-3.4.3 }
 #          - { target: ubuntu-latest, config: libressl-3.5.3 }
 #          - { target: ubuntu-latest, config: libressl-3.6.1 }
-          - { target: ubuntu-latest, config: libressl-3.7.2 }
+          - { target: ubuntu-latest, config: libressl-3.7.3 }
           - { target: ubuntu-latest, config: libressl-3.8.4 }
           - { target: ubuntu-latest, config: libressl-3.9.2 }
           - { target: ubuntu-latest, config: libressl-4.0.0 }
+          - { target: ubuntu-latest, config: libressl-4.1.0 }
           - { target: ubuntu-latest, config: openssl-master }
           - { target: ubuntu-latest, config: openssl-noec }
           - { target: ubuntu-latest, config: openssl-1.1.1 }
           - { target: ubuntu-latest, config: openssl-1.1.1t }
           - { target: ubuntu-latest, config: openssl-1.1.1w }
           - { target: ubuntu-latest, config: openssl-3.0.0 }
-          - { target: ubuntu-latest, config: openssl-3.0.15 }
+          - { target: ubuntu-latest, config: openssl-3.0.18 }
           - { target: ubuntu-latest, config: openssl-3.1.0 }
-          - { target: ubuntu-latest, config: openssl-3.1.7 }
-          - { target: ubuntu-latest, config: openssl-3.2.3 }
-          - { target: ubuntu-latest, config: openssl-3.3.2 }
+          - { target: ubuntu-latest, config: openssl-3.1.8 }
+          - { target: ubuntu-latest, config: openssl-3.2.6 }
+          - { target: ubuntu-latest, config: openssl-3.3.5 }
           - { target: ubuntu-latest, config: openssl-3.4.0 }
+          - { target: ubuntu-latest, config: openssl-3.4.3 }
+          - { target: ubuntu-latest, config: openssl-3.5.0 }
+          - { target: ubuntu-latest, config: openssl-3.5.3 }  # keep
+          - { target: ubuntu-latest, config: openssl-3.5.4 }
           - { target: ubuntu-latest, config: openssl-1.1.1_stable }
           - { target: ubuntu-latest, config: openssl-3.0 }  # stable branch
           - { target: ubuntu-latest, config: openssl-3.1 }  # stable branch
           - { target: ubuntu-latest, config: openssl-3.2 }  # stable branch
           - { target: ubuntu-latest, config: openssl-3.3 }  # stable branch
-          - { target: ubuntu-latest, config: putty-0.71 }
-          - { target: ubuntu-latest, config: putty-0.72 }
-          - { target: ubuntu-latest, config: putty-0.73 }
-          - { target: ubuntu-latest, config: putty-0.74 }
-          - { target: ubuntu-latest, config: putty-0.75 }
-          - { target: ubuntu-latest, config: putty-0.76 }
-          - { target: ubuntu-latest, config: putty-0.77 }
-          - { target: ubuntu-latest, config: putty-0.78 }
-          - { target: ubuntu-latest, config: putty-0.79 }
-          - { target: ubuntu-latest, config: putty-0.80 }
-          - { target: ubuntu-latest, config: putty-0.81 }
-          - { target: ubuntu-latest, config: putty-0.82 }
-          - { target: ubuntu-latest, config: putty-0.83 }
-          - { target: ubuntu-latest, config: putty-snapshot }
+          - { target: ubuntu-latest, config: openssl-3.4 }  # stable branch
+          - { target: ubuntu-latest, config: openssl-3.5 }  # stable branch
+          - { target: ubuntu-latest, config: openssl-3.6 }  # stable branch
+          - { target: ubuntu-latest, config: putty-versions }
           - { target: ubuntu-latest, config: zlib-develop }
           - { target: ubuntu-latest, config: tcmalloc }
 #musl doens't know about linux/tcp.h so skip
@@ -173,6 +178,11 @@ jobs:
         TEST_SSH_UNSAFE_PERMISSIONS: 1
         TEST_SSH_HOSTBASED_AUTH: yes
         LTESTS: ${{ vars.LTESTS }}
+    - name: test OpenSSL3 ABI compatibility
+      if: ${{ startsWith(matrix.config, 'openssl-3') }}
+      run: |
+       sh .github/install_libcrypto.sh -a ${{ matrix.config }} /opt/openssl
+       sh .github/run_test.sh ${{ matrix.config }}
     - name: show logs
       if: failure()
       run: for i in regress/failed*.log; do echo ====; echo logfile $i; echo =====; cat $i; done

.github/workflows/selfhosted.yml

@@ -1,8 +1,8 @@
-name: C/C++ CI self-hosted
+name: CI self-hosted
 
 on:
   push:
-    paths: [ '**.c', '**.h', '**.m4', '**.sh', '**/Makefile.in', 'configure.ac', '.github/configs', '.github/workflows/selfhosted.yml' ]
+    paths: [ '**.c', '**.h', '**.m4', '**.sh', '**/Makefile.in', 'configure.ac', '.github/configs', '.github/run_tests.sh', '.github/workflows/selfhosted.yml' ]
 
 jobs:
   selfhosted: