wolfsshd: reject unsafe ownership/symlink on trust-anchor file loads #1665
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: wolfSSHd Test | |
| on: | |
| push: | |
| branches: [ 'master', 'main', 'release/**' ] | |
| pull_request: | |
| branches: [ '*' ] | |
| workflow_dispatch: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| create_matrix: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| versions: ${{ steps.json.outputs.versions }} | |
| steps: | |
| - name: Create wolfSSL version matrix | |
| id: json | |
| run: | | |
| current=`curl -s https://api.github.com/repos/wolfssl/wolfssl/releases | grep tag_name | cut -d : -f 2,3 | tr -d \" | tr -d , | tr -d ' ' | head -1` | |
| last=`curl -s https://api.github.com/repos/wolfssl/wolfssl/releases | grep tag_name | cut -d : -f 2,3 | tr -d \" | tr -d , | tr -d ' ' | head -2 | tail -1` | |
| VERSIONS=$(echo "[ \"master\", \"$current\", \"$last\" ]") | |
| echo "wolfSSL versions found: $VERSIONS" | |
| echo "versions=$VERSIONS" >> $GITHUB_OUTPUT | |
| build_wolfssl: | |
| needs: create_matrix | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: [ ubuntu-latest ] | |
| wolfssl: ${{ fromJson(needs.create_matrix.outputs['versions']) }} | |
| name: Build wolfssl | |
| runs-on: ${{ matrix.os }} | |
| timeout-minutes: 4 | |
| steps: | |
| - name: Checking cache for wolfssl | |
| uses: actions/cache@v5 | |
| id: cache-wolfssl | |
| with: | |
| path: build-dir/ | |
| key: wolfssh-sshd-wolfssl-${{ matrix.wolfssl }}-${{ matrix.os }} | |
| lookup-only: true | |
| - name: Checkout, build, and install wolfssl | |
| if: steps.cache-wolfssl.outputs.cache-hit != 'true' | |
| uses: wolfSSL/actions-build-autotools-project@v1 | |
| with: | |
| repository: wolfssl/wolfssl | |
| ref: ${{ matrix.wolfssl }} | |
| path: wolfssl | |
| configure: --enable-all | |
| check: false | |
| install: true | |
| build_wolfssh: | |
| needs: | |
| - build_wolfssl | |
| - create_matrix | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: [ ubuntu-latest ] | |
| wolfssl: ${{ fromJson(needs.create_matrix.outputs['versions']) }} | |
| name: Build and test wolfsshd | |
| runs-on: ${{ matrix.os }} | |
| timeout-minutes: 10 | |
| steps: | |
| - name: Checking cache for wolfssl | |
| uses: actions/cache@v5 | |
| with: | |
| path: build-dir/ | |
| key: wolfssh-sshd-wolfssl-${{ matrix.wolfssl }}-${{ matrix.os }} | |
| fail-on-cache-miss: true | |
| - uses: actions/checkout@v6 | |
| with: | |
| path: wolfssh/ | |
| - name: autogen | |
| working-directory: ./wolfssh/ | |
| run: ./autogen.sh | |
| - name: configure | |
| working-directory: ./wolfssh/ | |
| run : | | |
| ./configure --enable-all LDFLAGS="-L${{ github.workspace }}/build-dir/lib" CPPFLAGS="-I${{ github.workspace }}/build-dir/include -DWOLFSSH_NO_FPKI -DWOLFSSH_NO_SFTP_TIMEOUT -DWOLFSSH_MAX_SFTP_RW=4000000 -DMAX_PATH_SZ=120" | |
| - name: make check | |
| working-directory: ./wolfssh/ | |
| run: make check | |
| - name: Run wolfSSHd tests | |
| working-directory: ./wolfssh/apps/wolfsshd/test | |
| run: | | |
| git log -3 | |
| sudo ./run_all_sshd_tests.sh | |
| # could use optimization with caching | |
| - name: Test memory after close down | |
| working-directory: ./wolfssh/ | |
| run: | | |
| sudo apt-get -y update | |
| sudo apt-get -y install valgrind | |
| touch sshd_config.txt | |
| ./configure --enable-all LDFLAGS="-L${{ github.workspace }}/build-dir/lib" CPPFLAGS="-I${{ github.workspace }}/build-dir/include -DWOLFSSH_NO_FPKI -DWOLFSSH_NO_SFTP_TIMEOUT -DWOLFSSH_MAX_SFTP_RW=4000000 -DMAX_PATH_SZ=120" --enable-static --disable-shared && make | |
| # wolfSSHd refuses a host key not owned by root or the daemon's user. | |
| # The daemon runs under sudo (euid 0), so make the key root-owned. Mode | |
| # stays 644 (not group/world writable) so other steps can still read it. | |
| sudo chown 0:0 ./keys/server-key.pem | |
| sudo timeout --preserve-status -s 2 5 valgrind --error-exitcode=1 --leak-check=full ./apps/wolfsshd/wolfsshd -D -f sshd_config -h ./keys/server-key.pem -d -p 22222 | |
| # regression test, check that cat command does not hang | |
| - name: Test cat command for hanging | |
| working-directory: ./wolfssh/ | |
| timeout-minutes: 1 | |
| run: | | |
| touch sshd_config.txt | |
| echo "AuthorizedKeysFile $PWD/authorized_keys_test" >> sshd_config.txt | |
| cat ./keys/hansel-*.pub > authorized_keys_test | |
| sed -i.bak "s/hansel/$USER/" ./authorized_keys_test | |
| ./configure --enable-all LDFLAGS="-L${{ github.workspace }}/build-dir/lib" CPPFLAGS="-I${{ github.workspace }}/build-dir/include -DWOLFSSH_NO_FPKI -DWOLFSSH_NO_SFTP_TIMEOUT -DWOLFSSH_MAX_SFTP_RW=4000000 -DMAX_PATH_SZ=120" --enable-static --disable-shared && make | |
| # Host key must be root-owned for the sudo-launched daemon to load it. | |
| sudo chown 0:0 ./keys/server-key.pem | |
| sudo ./apps/wolfsshd/wolfsshd -f sshd_config.txt -h ./keys/server-key.pem -p 22225 | |
| chmod 600 ./keys/hansel-key-rsa.pem | |
| tail -c 50000 /dev/urandom > test | |
| while ! nc -z 127.0.0.1 22225; do echo "waiting for wolfSSHd"; sleep 0.2; done | |
| cat test | ssh -vvv -T -i ./keys/hansel-key-rsa.pem -oStrictHostKeyChecking=no 127.0.0.1 -p 22225 'cat > test-file' | |
| diff test ~/test-file | |
| sudo pkill wolfsshd | |
| - name: configure with debug | |
| working-directory: ./wolfssh/ | |
| run : | | |
| ./configure --enable-all --enable-debug LDFLAGS="-L${{ github.workspace }}/build-dir/lib" CPPFLAGS="-I${{ github.workspace }}/build-dir/include -DWOLFSSH_NO_FPKI -DWOLFSSH_NO_SFTP_TIMEOUT -DWOLFSSH_MAX_SFTP_RW=4000000 -DMAX_PATH_SZ=120" | |
| - name: make | |
| working-directory: ./wolfssh/ | |
| run: make | |
| # ssh_kex_algos.sh requires debug output otherwise it is skipped | |
| - name: Run wolfSSHd tests with debug | |
| working-directory: ./wolfssh/apps/wolfsshd/test | |
| run: | | |
| git log -3 | |
| sudo ./run_all_sshd_tests.sh --match ssh_kex_algos.sh | |