From 77a4cef9b0108b96ba5e84427907497c77545f94 Mon Sep 17 00:00:00 2001 From: David Goodwin Date: Tue, 25 Jun 2024 15:29:56 +1200 Subject: [PATCH 01/12] Patch libssh to fix XP compatibility issue --- .github/workflows/build.yml | 31 +++++++++++++++++++++++++++++++ libssh/xp-fix.patch | 29 +++++++++++++++++++++++++++++ 2 files changed, 60 insertions(+) create mode 100644 libssh/xp-fix.patch diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 82dee6bd..78146753 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -376,6 +376,17 @@ jobs: cd libssh\${{env.LIBSSH_VERSION}}\build cmake .. -G "NMake Makefiles" -DCMAKE_BUILD_TYPE=Release -DOPENSSL_ROOT_DIR=${{github.workspace}}\openssl\${{env.OPENSSL_VERSION}}\ -DZLIB_ROOT:PATH=${{github.workspace}}\zlib\${{env.ZLIB_VERSION}}\ -DWITH_DSA=ON nmake + + if "${{env.LIBSSH_VERSION}} NEQ "0.10.6" goto :end + REM Build a patched version thats compatible with Windows XP + mv src\ssh.dll src\ssh-standard.dll + cd .. + patch -p1 < ..\xp-fix.patch + cd build + nmake + mv src\ssh.dll src\ssh-xp.dll + mv src\ssh-standard.dll src\ssh.dll + :end - name: Build GSSAPI-enabled libssh (x86/x86-64) if: steps.cache-optional-dependencies.outputs.cache-hit != 'true' && (matrix.arch == 'x86' || matrix.arch == 'x64') @@ -386,6 +397,18 @@ jobs: cd build cmake .. -G "NMake Makefiles" -DCMAKE_BUILD_TYPE=Release -DOPENSSL_ROOT_DIR=${{github.workspace}}\openssl\${{env.OPENSSL_VERSION}}\ -DZLIB_ROOT:PATH=${{github.workspace}}\zlib\${{env.ZLIB_VERSION}}\ -DWITH_DSA=ON -DGSSAPI_ROOT_DIR="${{github.workspace}}\kerberos\kfw\Kerberos" nmake + + if "${{env.LIBSSH_VERSION}} NEQ "0.10.6" goto :end + REM Build a patched version thats compatible with Windows XP + mv src\ssh.dll src\ssh-standard.dll + cd .. + patch -p1 < ..\xp-fix.patch + cd build + nmake + mv src\ssh.dll src\ssh-xp.dll + mv src\ssh-standard.dll src\ssh.dll + :end + # 32bit ARM doesn't get libssh as version 0.10.3 gets link errors there: # misc.c.obj : error LNK2019: unresolved external symbol __imp_GetUserNameA referenced in function ssh_get_local_username @@ -469,6 +492,14 @@ jobs: run: | copy ${{ github.workspace }}\libssh\${{env.LIBSSH_VERSION}}-gssapi\build\src\ssh.dll ssh-gssapi.dll + - name: Dist XP-patched libssh (x86/x86-64) + if: (matrix.arch == 'x86' || matrix.arch == 'x64') && (env.LIBSSH_VERSION == '0.10.6') + shell: cmd + working-directory: ${{ github.workspace }}\kermit\k95\dist + run: | + copy ${{ github.workspace }}\libssh\${{env.LIBSSH_VERSION}}-gssapi\build\src\ssh-xp.dll ssh-gssapi-xp.dll + copy ${{ github.workspace }}\libssh\${{env.LIBSSH_VERSION}}\build\src\ssh-xp.dll ssh-xp.dll + - name: Fetch CA Certs bundle uses: actions/download-artifact@v3 with: diff --git a/libssh/xp-fix.patch b/libssh/xp-fix.patch new file mode 100644 index 00000000..00bb4d4f --- /dev/null +++ b/libssh/xp-fix.patch @@ -0,0 +1,29 @@ +diff --git a/src/misc.c.old b/src/misc.c +index 7081f12..cd0e225 100644 +--- a/src/misc.c.old ++++ b/src/misc.c +@@ -221,6 +221,8 @@ int ssh_is_ipaddr_v4(const char *str) + return 0; + } + ++typedef NET_IFINDEX (NETIOAPI_API_ *if_nametoindex_t)(PCSTR); ++ + int ssh_is_ipaddr(const char *str) + { + int rc = SOCKET_ERROR; +@@ -233,10 +235,13 @@ int ssh_is_ipaddr(const char *str) + struct sockaddr_storage ss; + int sslen = sizeof(ss); + char *network_interface = strchr(s, '%'); ++ HINSTANCE hIPHLPAPI = LoadLibrary("IPHLPAPI"); ++ if_nametoindex_t h_if_nametoindex = (if_nametoindex_t)GetProcAddress(hIPHLPAPI, "if_nametoindex"); ++ + + /* link-local (IP:v6:addr%ifname). */ +- if (network_interface != NULL) { +- rc = if_nametoindex(network_interface + 1); ++ if (network_interface != NULL && h_if_nametoindex != NULL) { ++ rc = h_if_nametoindex(network_interface + 1); + if (rc == 0) { + free(s); + return 0; From d9834fabd64094a353fb0d80fd11fce59ec683bf Mon Sep 17 00:00:00 2001 From: David Goodwin Date: Sun, 30 Jun 2024 20:49:42 +1200 Subject: [PATCH 02/12] Bump key version to force full rebuild --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 61e44bc8..720442d6 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -212,7 +212,7 @@ jobs: ${{github.workspace}}\libdes\Debug ${{github.workspace}}\tools ${{github.workspace}}\kerberos\kfw - key: msvc-${{ matrix.toolset }}-${{ matrix.arch }}+zlib-${{env.ZLIB_VERSION}}+openssl-${{env.OPENSSL_VERSION}}+${{env.OPENSSL_MAKE}}+libssh-${{env.LIBSSH_VERSION}}+rel+nasm+xp+dsa+libdes+kfw+ver3 + key: msvc-${{ matrix.toolset }}-${{ matrix.arch }}+zlib-${{env.ZLIB_VERSION}}+openssl-${{env.OPENSSL_VERSION}}+${{env.OPENSSL_MAKE}}+libssh-${{env.LIBSSH_VERSION}}+rel+nasm+xp+dsa+libdes+kfw+ver4 - name: Get dependencies if: steps.cache-optional-dependencies.outputs.cache-hit != 'true' run: | From 924fe42176def1d9252375413c67d3449d5ea3dc Mon Sep 17 00:00:00 2001 From: David Goodwin Date: Sun, 30 Jun 2024 21:03:28 +1200 Subject: [PATCH 03/12] Use CMD for libssh build, not powershell --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 720442d6..9d89fcc1 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -370,7 +370,7 @@ jobs: - name: Build libssh (x86/x86-64) if: steps.cache-optional-dependencies.outputs.cache-hit != 'true' && (matrix.arch == 'x86' || matrix.arch == 'x64') - shell: powershell + shell: cmd run: | cd libssh\${{env.LIBSSH_VERSION}}\build cmake .. -G "NMake Makefiles" -DCMAKE_BUILD_TYPE=Release -DOPENSSL_ROOT_DIR=${{github.workspace}}\openssl\${{env.OPENSSL_VERSION}}\ -DZLIB_ROOT:PATH=${{github.workspace}}\zlib\${{env.ZLIB_VERSION}}\ -DWITH_DSA=ON From 5e62ca2af2d487d931fa603c7dc98b09d470f646 Mon Sep 17 00:00:00 2001 From: David Goodwin Date: Mon, 1 Jul 2024 08:17:39 +1200 Subject: [PATCH 04/12] ps->cmd --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9d89fcc1..04cde676 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -383,8 +383,8 @@ jobs: patch -p1 < ..\xp-fix.patch cd build nmake - mv src\ssh.dll src\ssh-xp.dll - mv src\ssh-standard.dll src\ssh.dll + move src\ssh.dll src\ssh-xp.dll + move src\ssh-standard.dll src\ssh.dll :end - name: Build GSSAPI-enabled libssh (x86/x86-64) From 7a5ad35872f9501842ab860e086f3583cedc5e6d Mon Sep 17 00:00:00 2001 From: David Goodwin Date: Mon, 1 Jul 2024 12:32:40 +1200 Subject: [PATCH 05/12] Update build.yml --- .github/workflows/build.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 04cde676..f03e32cf 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -383,8 +383,9 @@ jobs: patch -p1 < ..\xp-fix.patch cd build nmake - move src\ssh.dll src\ssh-xp.dll - move src\ssh-standard.dll src\ssh.dll + echo Build complete - renaming files + ren src\ssh.dll src\ssh-xp.dll + ren src\ssh-standard.dll src\ssh.dll :end - name: Build GSSAPI-enabled libssh (x86/x86-64) From 94de226de2f33d2a18bc22758fabf03e9180b87e Mon Sep 17 00:00:00 2001 From: David Goodwin Date: Mon, 1 Jul 2024 12:46:49 +1200 Subject: [PATCH 06/12] Update build.yml --- .github/workflows/build.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f03e32cf..9696215a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -375,9 +375,10 @@ jobs: cd libssh\${{env.LIBSSH_VERSION}}\build cmake .. -G "NMake Makefiles" -DCMAKE_BUILD_TYPE=Release -DOPENSSL_ROOT_DIR=${{github.workspace}}\openssl\${{env.OPENSSL_VERSION}}\ -DZLIB_ROOT:PATH=${{github.workspace}}\zlib\${{env.ZLIB_VERSION}}\ -DWITH_DSA=ON nmake + echo Libssh build done. if "${{env.LIBSSH_VERSION}} NEQ "0.10.6" goto :end - REM Build a patched version thats compatible with Windows XP + echo Build a patched version thats compatible with Windows XP mv src\ssh.dll src\ssh-standard.dll cd .. patch -p1 < ..\xp-fix.patch From 7d8ab61a0363a19aec1f14f99a3d77e8d84eef3c Mon Sep 17 00:00:00 2001 From: David Goodwin Date: Mon, 1 Jul 2024 13:00:57 +1200 Subject: [PATCH 07/12] Update build.yml --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9696215a..bcdf401b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -377,7 +377,7 @@ jobs: nmake echo Libssh build done. - if "${{env.LIBSSH_VERSION}} NEQ "0.10.6" goto :end + if "${{env.LIBSSH_VERSION}}" NEQ "0.10.6" goto :end echo Build a patched version thats compatible with Windows XP mv src\ssh.dll src\ssh-standard.dll cd .. From d372555877001cfbffa95839ce46707c61dc723a Mon Sep 17 00:00:00 2001 From: David Goodwin Date: Mon, 1 Jul 2024 19:09:54 +1200 Subject: [PATCH 08/12] Update build.yml --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index bcdf401b..f743c0fb 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -385,8 +385,8 @@ jobs: cd build nmake echo Build complete - renaming files - ren src\ssh.dll src\ssh-xp.dll - ren src\ssh-standard.dll src\ssh.dll + ren src\ssh.dll ssh-xp.dll + ren src\ssh-standard.dll ssh.dll :end - name: Build GSSAPI-enabled libssh (x86/x86-64) From 538da334f341dd0ade2e8bda54e838d69bfcd154 Mon Sep 17 00:00:00 2001 From: David Goodwin Date: Mon, 1 Jul 2024 19:24:55 +1200 Subject: [PATCH 09/12] Update build.yml --- .github/workflows/build.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f743c0fb..2b1d1d3f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -399,15 +399,15 @@ jobs: cmake .. -G "NMake Makefiles" -DCMAKE_BUILD_TYPE=Release -DOPENSSL_ROOT_DIR=${{github.workspace}}\openssl\${{env.OPENSSL_VERSION}}\ -DZLIB_ROOT:PATH=${{github.workspace}}\zlib\${{env.ZLIB_VERSION}}\ -DWITH_DSA=ON -DGSSAPI_ROOT_DIR="${{github.workspace}}\kerberos\kfw\Kerberos" nmake - if "${{env.LIBSSH_VERSION}} NEQ "0.10.6" goto :end + if "${{env.LIBSSH_VERSION}}" NEQ "0.10.6" goto :end REM Build a patched version thats compatible with Windows XP mv src\ssh.dll src\ssh-standard.dll cd .. patch -p1 < ..\xp-fix.patch cd build nmake - mv src\ssh.dll src\ssh-xp.dll - mv src\ssh-standard.dll src\ssh.dll + ren src\ssh.dll ssh-xp.dll + ren src\ssh-standard.dll ssh.dll :end From 131bc9fb4cdbbfe1610b21bb8a92a5038caa91b6 Mon Sep 17 00:00:00 2001 From: David Goodwin Date: Mon, 1 Jul 2024 22:31:41 +1200 Subject: [PATCH 10/12] Update build.yml --- .github/workflows/build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2b1d1d3f..68e04187 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -498,6 +498,8 @@ jobs: shell: cmd working-directory: ${{ github.workspace }}\kermit\k95\dist run: | + mkdir ssh-xp + cd ssh-xp copy ${{ github.workspace }}\libssh\${{env.LIBSSH_VERSION}}-gssapi\build\src\ssh-xp.dll ssh-gssapi-xp.dll copy ${{ github.workspace }}\libssh\${{env.LIBSSH_VERSION}}\build\src\ssh-xp.dll ssh-xp.dll From b71aae00e916e53f0cc6e5ec008ba50797c36a9b Mon Sep 17 00:00:00 2001 From: David Goodwin Date: Mon, 1 Jul 2024 22:42:17 +1200 Subject: [PATCH 11/12] Update build.yml --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 68e04187..8bbe2017 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -500,8 +500,8 @@ jobs: run: | mkdir ssh-xp cd ssh-xp - copy ${{ github.workspace }}\libssh\${{env.LIBSSH_VERSION}}-gssapi\build\src\ssh-xp.dll ssh-gssapi-xp.dll - copy ${{ github.workspace }}\libssh\${{env.LIBSSH_VERSION}}\build\src\ssh-xp.dll ssh-xp.dll + copy ${{ github.workspace }}\libssh\${{env.LIBSSH_VERSION}}-gssapi\build\src\ssh-xp.dll ssh-gssapi.dll + copy ${{ github.workspace }}\libssh\${{env.LIBSSH_VERSION}}\build\src\ssh-xp.dll ssh.dll - name: Fetch CA Certs bundle uses: actions/download-artifact@v3 From e90208a338eb0d4918942ff82c67dc63dd0a5222 Mon Sep 17 00:00:00 2001 From: David Goodwin Date: Mon, 1 Jul 2024 23:06:35 +1200 Subject: [PATCH 12/12] Documentation updates --- doc/changes.md | 10 ++++++++-- doc/ssh-readme.md | 25 +++++++++++++++++++++++-- libssh/README.md | 19 +++++++++++++++++++ 3 files changed, 50 insertions(+), 4 deletions(-) diff --git a/doc/changes.md b/doc/changes.md index 8c4a77d6..3ed3a0b2 100644 --- a/doc/changes.md +++ b/doc/changes.md @@ -6,14 +6,19 @@ check the git commit log. ## C-Kermit for Windows 10.0b10 beta 6 - coming soon This is a minor release focused on upgrading from OpenSSL 1.1.1 (which is -now out of support) to OpenSSL 3.0.x. Also included are a selection of bug -fixes and other minor enhancements. +now out of support) to OpenSSL 3.0.x, and libssh 0.10.5 to 0.10.6. Also +included are a selection of bug fixes and other minor enhancements. Also in this release: official support for Windows NT on Alpha and PowerPC has returned after being discontinued in March 2000 and April 1998 respectively. And for the first time ever, C-Kermit is now supported on Windows NT for MIPS computers, though without TAPI support. +### Things to be aware of when upgrading +Windows XP users: current versions of libssh are no longer compatible with +Windows XP. See the included SSH Readme for a workaround if SSH support on +Windows XP. + ### Fixed Bugs * Fixed directory listings not reporting a size or modified time for files @@ -44,6 +49,7 @@ Windows NT for MIPS computers, though without TAPI support. * Upgraded to OpenSSL 3.0.14, the current long term support release (supported until 7 September 2026) +* Updated to libssh 0.10.6 * Help text for "set gui window position" updated: this command *is* supported and it does work. * The default k95custom.ini now displays a message the console-mode version diff --git a/doc/ssh-readme.md b/doc/ssh-readme.md index 7b5684c9..8328602c 100644 --- a/doc/ssh-readme.md +++ b/doc/ssh-readme.md @@ -144,7 +144,28 @@ C-Kermit for Windows will not start with the GSSAPI-supporting ssh.dll without this installed. If you later uninstall Kerberos for Windows you'll need to swap the SSH DLLs back around again. -GSSAPI authenticatino is not currently supported on non-x86 builds of CKW as -current versions of Kerberos for Windows are only availbale for x86. +GSSAPI authentication is not currently supported on non-x86 builds of CKW as +current versions of Kerberos for Windows are only available for x86. + +### Using SSH on Windows XP +Libssh 0.10.6 includes a fix for the security vulnerability +[CVE-2023-6004](https://nvd.nist.gov/vuln/detail/CVE-2023-6004), but the fix +breaks compatibility with Windows XP. When starting C-Kermit with the included +ssh.dll or ssh-gssapi.dll, C-Kermit will fail to start with the error "The +procedure entry point if_nametoindex could not be located in the dynamic link +library IPHLPAPI.DLL." + +An alternative version of ssh.dll and ssh-gssapi.dll is provided for Windows XP +users which removes the fix for CVE-2023-6004 restoring compatibility with +Windows XP. These can be found in the ssh-xp subdirectory. Replacing the normal +ssh.dll with the appropriate dll in the ssh-xp directory should prevent the +error. + +CVE-2023-6004 has a low severity rating and impacts the ProxyCommand and +ProxyJump features which are not currently used by C-Kermit or supported on +Windows yet. So undoing the security fix is unlikely to cause any problems in +practice, but still not a great idea. Where security is a concern you should +consider upgrading to a supported version of Windows which is able to run the +normal version of libssh. [^1]: https://libssh.org \ No newline at end of file diff --git a/libssh/README.md b/libssh/README.md index f5e4e3aa..02c97b6d 100644 --- a/libssh/README.md +++ b/libssh/README.md @@ -31,3 +31,22 @@ against the old versions configured by setenv.bat. Once you've built libssh you'll want to go and update setenv.bat to ensure the new version of libssh is used in the future. + +Windows XP Compatibility Fix +---------------------------- + +Libssh 0.10.6 includes a fix for +[CVE-2023-6004](https://nvd.nist.gov/vuln/detail/CVE-2023-6004) which introduces +a dependency on if_nametoindex in iphlpapi.dll which is not available on +Windows XP. A patch is provided (`xp-fix.patch`) which corrects this issue by +dynamically loading iphlpapi.dll and if that fails skipping the functionality +that depends on this library. This will of course re-introduce the vulnerability +on Windows XP which is not great. + +The vulnerability appears to only affect features that C-Kermit doesn't use and +which libssh doesn't even support on Windows. So the effects of undoing the fix +are likely not serious at the moment, but this may change in the future. + +If you wish to build libssh 0.10.6 with Windows XP compatibility, you can +apply this patch by running `patch -p1 < ..\xp-fix.patch` from inside the +libssh directory. \ No newline at end of file