Merge pull request #672 from ejohnstown/release-v1.4.17

Prepare Release v1.4.17

Author: douzzer

ChangeLog.md

@@ -1,3 +1,55 @@
+# wolfSSH v1.4.17 (March 25, 2024)
+
+## Vulnerabilities
+
+* Fixes a vulnerability where a properly crafted SSH client can bypass user
+  authentication in the wolfSSH server code. The added fix filters the
+  messages that are allowed during different operational states.
+
+## Notes
+
+* When building wolfSSL/wolfCrypt versions before v5.6.6 with CMake,
+  wolfSSH may have a problem with RSA keys. This is due to wolfSSH not
+  checking on the size of `___uint128_t`. wolfSSH sees the RSA structure
+  as the wrong size. You will have to define `HAVE___UINT128_T` if you
+  know you have it and are using it in wolfSSL. wolfSSL v5.6.6 exports that
+  define in options.h when using CMake.
+* The example server in directory examples/server/server.c has been removed.
+  It was never kept up to date, the echoserver did its job as an example and
+  test server.
+
+## New Features
+
+* Added functions to set algorithms lists for KEX at run-time, and some
+  functions to inspect which algorithms are set or are available to use.
+* In v1.4.15, we had disabled SHA-1 in the build by default. SHA-1 has been
+  re-enabled in the build and is now "soft" disabled, where algorithms using
+  it can be configured for KEX.
+* Add Curve25519 KEX support for server/client key agreement.
+
+## Improvements
+
+* Clean up some issues when building for Nucleus.
+* Clean up some issues when building for Windows.
+* Clean up some issues when building for QNX.
+* Added more wolfSSHd testing.
+* Added more appropriate build option guard checking.
+* General improvements for the ESP32 builds.
+* Better terminal support in Windows.
+* Better I/O pipes and return codes when running commands or scripts over an
+  SSH connection.
+
+## Fixes
+
+* Fix shell terminal window resizing and it sets up the environment better.
+* Fix some corner cases with the SFTP testing.
+* Fix some corner cases with SFTP in general.
+* Fix verifying RSA signatures.
+* Add masking of file mode bits for Zephyr.
+* Fix leak of terminal modes cache.
+
+---
+
 # wolfSSH v1.4.15 (December 22, 2023)
 
 ## Vulnerabilities

apps/wolfssh/common.c

@@ -1,6 +1,6 @@
 /* common.c
  *
- * Copyright (C) 2014-2023 wolfSSL Inc.
+ * Copyright (C) 2014-2024 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *
@@ -451,7 +451,8 @@ int ClientPublicKeyCheck(const byte* pubKey, word32 pubKeySz, void* ctx)
                                 current->ipString);
                             WLOG(WS_LOG_DEBUG,
                                 "\texpecting host IP : %s", (char*)ctx);
-                            if (XSTRCMP(ctx, current->ipString) == 0) {
+                            if (XSTRCMP((const char*)ctx,
+                                        current->ipString) == 0) {
                                 WLOG(WS_LOG_DEBUG, "\tmatched!");
                                 ipMatch = 1;
                             }

apps/wolfssh/common.h

@@ -1,6 +1,6 @@
 /* common.h
  *
- * Copyright (C) 2014-2023 wolfSSL Inc.
+ * Copyright (C) 2014-2024 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

apps/wolfssh/wolfssh.c

@@ -1,6 +1,6 @@
 /* wolfssh.c
  *
- * Copyright (C) 2014-2023 wolfSSL Inc.
+ * Copyright (C) 2014-2024 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *
@@ -794,7 +794,7 @@ static int config_parse_command_line(struct config* config,
                 free(config->user);
             }
             sz = WSTRLEN(cursor);
-            config->user = WMALLOC(sz + 1, NULL, 0);
+            config->user = (char*)WMALLOC(sz + 1, NULL, 0);
             strcpy(config->user, cursor);
             cursor = found + 1;
         }

apps/wolfsshd/auth.c

@@ -1,6 +1,6 @@
 /* auth.c
  *
- * Copyright (C) 2014-2023 wolfSSL Inc.
+ * Copyright (C) 2014-2024 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

apps/wolfsshd/auth.h

@@ -1,6 +1,6 @@
 /* auth.h
  *
- * Copyright (C) 2014-2023 wolfSSL Inc.
+ * Copyright (C) 2014-2024 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

apps/wolfsshd/configuration.c

@@ -1,6 +1,6 @@
 /* configuration.c
  *
- * Copyright (C) 2014-2023 wolfSSL Inc.
+ * Copyright (C) 2014-2024 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

apps/wolfsshd/configuration.h

@@ -1,6 +1,6 @@
 /* configuration.h
  *
- * Copyright (C) 2014-2023 wolfSSL Inc.
+ * Copyright (C) 2014-2024 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

apps/wolfsshd/wolfsshd.c

@@ -1,6 +1,6 @@
 /* wolfsshd.c
  *
- * Copyright (C) 2014-2023 wolfSSL Inc.
+ * Copyright (C) 2014-2024 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *
@@ -1391,8 +1391,9 @@ static int SHELL_Subsystem(WOLFSSHD_CONNECTION* conn, WOLFSSH* ssh,
 #if defined(HAVE_SYS_IOCTL_H)
     wolfSSH_DoModes(ssh->modes, ssh->modesSz, childFd);
     {
-        struct winsize s = {0};
+        struct winsize s;
 
+        WMEMSET(&s, 0, sizeof(s));
         s.ws_col = ssh->widthChar;
         s.ws_row = ssh->heightRows;
         s.ws_xpixel = ssh->widthPixels;

configure.ac

@@ -1,9 +1,9 @@
 # wolfssh
-# Copyright (C) 2014-2023 wolfSSL Inc.
+# Copyright (C) 2014-2024 wolfSSL Inc.
 # All right reserved.
 
-AC_COPYRIGHT([Copyright (C) 2014-2023 wolfSSL Inc.])
-AC_INIT([wolfssh],[1.4.16],[[email protected]],[wolfssh],[https://www.wolfssl.com])
+AC_COPYRIGHT([Copyright (C) 2014-2024 wolfSSL Inc.])
+AC_INIT([wolfssh],[1.4.17],[[email protected]],[wolfssh],[https://www.wolfssl.com])
 AC_PREREQ([2.63])
 AC_CONFIG_AUX_DIR([build-aux])
 
@@ -18,18 +18,19 @@ AC_ARG_PROGRAM
 AC_CONFIG_MACRO_DIR([m4])
 AC_CONFIG_HEADERS([config.h])
 
-WOLFSSH_LIBRARY_VERSION=15:3:8
-#                       | | |
-#                +------+ | +---+
-#                |        |     |
+WOLFSSH_LIBRARY_VERSION=16:0:9
+#                        | | |
+#                  +-----+ | +----+
+#                  |       |      |
 #               current:revision:age
-#                |        |     |
-#                |        |     +- increment if interfaces have been added
-#                |        |        set to zero if interfaces have been removed
-#                |        |        or changed
-#                |        +- increment if source code has changed
-#                |           set to zero if current is incremented
-#                +- increment if interfaces have been added, removed or changed
+#                  |       |      |
+#                  |       |      +- increment if interfaces have been added
+#                  |       |      +- set to zero if interfaces have been
+#                  |       |           removed or changed
+#                  |       +- increment if source code has changed
+#                  |       +- set to zero if current is incremented
+#                  +- increment if interfaces have been added, removed
+#                       or changed
 AC_SUBST([WOLFSSH_LIBRARY_VERSION])
 
 LT_PREREQ([2.2])