Releases: wolfSSL/wolfssh

wolfSSH Release 1.4.19 (Nov. 1, 2024)

01 Nov 22:19
5305170

To download the release bundle of wolfSSH visit the download page at www.wolfssl.com/download/

New Features

  • Add DH Group 14 with SHA256 KEX support (PR 731)

Improvements

  • Use of the new SSH-KDF function in wolfCrypt (PR 729)
  • Adds macro guards to the non-POSIX value checks and updates with TTY modes (PR 739)
  • Add CI test against master and last two wolfSSL releases (PR 746)
  • Show version of wolfSSL linked to when application help messages are printed out (PR 741)
  • Purge OQS from wolfSSH and instead use Kyber implementation from wolfssl (PR 736)
  • Adjust Espressif wolfssl_echoserver example timehelper (PR 730)

Fixes

  • Remove Inline for function HashForId() to resolve clash with WOLFSSH_LOCAL declaration (PR 738)
  • Fix for wolfSSHd’s handling of re-key and window full when processing a command with lots of stdout text (PR 719)
  • Fix for wolfSSH client app to gracefully clean up on failure and added more WLOG debug messages (PR 732)
  • Minor static analysis report fixes (PR 740, 735)
  • Fix for handling SFTP transfer to non-existent folder (PR 743)

wolfSSH v1.4.18 (July 22, 2024)

22 Jul 18:18
bbba8ae

New Features

  • Add wolfSSL style static memory pool allocation support.
  • Add Ed25519 public key support.
  • Add Banner option to wolfSSHd configuration.
  • Add non-blocking socket support to the example SCP client.

Improvements

  • Documentation updates.
  • Update the Zephyr test action.
  • Add a no-filesystem build to the Zephyr port.
  • Update the macOS test action.
  • Refactor certificate processing. Only verify certificates when a signature is present.
  • Update the Kyber test action.
  • Refactor the Curve25519 Key Agreement support.
  • Update the STM32Cube Pack.
  • Increase the memory that Zephyr uses for a heap for testing.
  • Add a macro wrapper to replace the ReadDir function.
  • Add callback hook for keying completion.
  • Add function to return strings for the names of algorithms.
  • Add asynchronous server side user authentication.
  • Add ssh-rsa (SHA-1) to the default user auth algorithm list when sha1-soft-disable is disabled.
  • Update Espressif examples using Managed Components.
  • Add SCP test case.
  • Refactor RSA sign and verify.
  • Refresh the example echoserver with updates from wolfSSHd.
  • Add callback hooks for most channel messages including open, close, success, fail, and requests.
  • Reduce the number of memory allocations SCP makes.
  • Improve wolfSSHd’s behavior on closing a connection. It closes channels and waits for the peer to close the channels.

Fixes

  • Refactor wolfSSHd service support for Windows to fix PowerShell Write-Progress.
  • Fix partial success case with public key user authentication.
  • Fix the build guards with respect to cannedKeyAlgoNames.
  • Error if unable to open the local file when doing a SCP send.
  • Fix some IPv6 related build issues.
  • Add better checks for SCP error returns for closed channels.
  • In the example SCP client, move the public key check context after the WOLFSSH object is created.
  • Fix error reporting for wolfSSH_SFTP_STAT.
  • In the example SCP client, fix error code checking on shutdown.
  • Change return from wolfSSH_shutdown() to WS_CHANNEL_CLOSED.
  • Fix SFTP symlink handling.
  • Fix variable initialization warnings for Zephyr builds.
  • Fix wolfSSHd case of non-console output handles.
  • Fix testsuite for single threaded builds. Add single threaded test action.
  • Fix wolfSSHd shutting down on fcntl() failure.
  • Fix wolfSSHd on Windows handling virtual terminal sequences using exec commands.
  • Fix possible null dereference when matching MAC algos during key exchange.

wolfSSH v1.4.17 (March 25, 2024)

25 Mar 19:03
9204ae7

Vulnerabilities

  • Fixes a vulnerability where a properly crafted SSH client can bypass user
    authentication in the wolfSSH server code. The added fix filters the
    messages that are allowed during different operational states.
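The fix described above is a per-state allow-list for incoming message types. The following is an added illustration of that pattern, not wolfSSH's own code: a minimal server-side filter that accepts only the SSH message numbers (from RFC 4253, 4252 and 4254) that make sense in the current phase, so a connection-layer message arriving before user authentication is rejected rather than acted on. Rekeying is not modelled, and the credential check is a constructed stand-in for a real userauth callback.

```python
"""Server-side SSH message filter keyed on connection state.

Added illustration, not wolfSSH code.  A server that dispatches on the
message type alone can be steered past user authentication by a client
that sends connection-layer messages early; checking every message
against the set the current state permits closes that gap.
"""
from enum import Enum, auto

# SSH message numbers: RFC 4253 (transport), RFC 4252 (userauth), RFC 4254 (connection)
SSH_MSG_DISCONNECT = 1
SSH_MSG_IGNORE = 2
SSH_MSG_UNIMPLEMENTED = 3
SSH_MSG_DEBUG = 4
SSH_MSG_SERVICE_REQUEST = 5
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_KEXDH_INIT = 30
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_GLOBAL_REQUEST = 80
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_DATA = 94
SSH_MSG_CHANNEL_REQUEST = 98

# Constructed stand-in for whatever the real userauth callback would verify.
VALID_CREDENTIAL = "demo-user:correct-horse"


class State(Enum):
    KEX = auto()         # key exchange in progress, no keys installed yet
    SERVICE = auto()     # keys installed, waiting for SERVICE_REQUEST "ssh-userauth"
    USERAUTH = auto()    # waiting for USERAUTH_REQUEST
    CONNECTION = auto()  # user authenticated; channel traffic allowed


# Transport-level messages that are legal in every state.
ALWAYS = {SSH_MSG_DISCONNECT, SSH_MSG_IGNORE, SSH_MSG_UNIMPLEMENTED, SSH_MSG_DEBUG}

# Everything else is allowed only in the state it belongs to.
# (Rekeying, i.e. KEXINIT after the first NEWKEYS, is deliberately left out.)
ALLOWED = {
    State.KEX: {SSH_MSG_KEXINIT, SSH_MSG_KEXDH_INIT, SSH_MSG_NEWKEYS},
    State.SERVICE: {SSH_MSG_SERVICE_REQUEST},
    State.USERAUTH: {SSH_MSG_USERAUTH_REQUEST},
    State.CONNECTION: {SSH_MSG_GLOBAL_REQUEST, SSH_MSG_CHANNEL_OPEN,
                       SSH_MSG_CHANNEL_DATA, SSH_MSG_CHANNEL_REQUEST},
}


class Server:
    def __init__(self):
        self.state = State.KEX
        self.authenticated = False
        self.rejected = []  # (state, msg_id) pairs, useful as a detection signal

    def handle(self, msg_id, payload=None):
        """Return True if the message is accepted in the current state, else False.

        The caller should treat False as a protocol violation and disconnect.
        """
        if msg_id not in ALWAYS and msg_id not in ALLOWED[self.state]:
            self.rejected.append((self.state, msg_id))
            return False

        # Accepted: advance the state on the transitions that matter here.
        if msg_id == SSH_MSG_NEWKEYS and self.state is State.KEX:
            self.state = State.SERVICE
        elif msg_id == SSH_MSG_SERVICE_REQUEST and payload == "ssh-userauth":
            self.state = State.USERAUTH
        elif msg_id == SSH_MSG_USERAUTH_REQUEST and payload == VALID_CREDENTIAL:
            self.authenticated = True
            self.state = State.CONNECTION
        return True
```

Usage: feed each decoded packet's message number (and, where relevant, its payload) to `Server.handle()`; a `False` return means the message was out of place for the current state, and `Server.rejected` records what was attempted and when, which is the kind of event worth logging on a production server.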

Notes

  • When building wolfSSL/wolfCrypt versions before v5.6.6 with CMake,
    wolfSSH may have a problem with RSA keys. This is due to wolfSSH not
    checking on the size of __uint128_t. wolfSSH sees the RSA structure
    as the wrong size. You will have to define HAVE___UINT128_T if you
    know you have it and are using it in wolfSSL. wolfSSL v5.6.6 exports that
    define in options.h when using CMake.
  • The example server in directory examples/server/server.c has been removed.
    It was never kept up to date; the echoserver already served as the example
    and test server.

New Features

  • Added functions to set algorithms lists for KEX at run-time, and some
    functions to inspect which algorithms are set or are available to use.
  • In v1.4.15, we had disabled SHA-1 in the build by default. SHA-1 has been
    re-enabled in the build and is now "soft" disabled, where algorithms using
    it can be configured for KEX.
  • Add Curve25519 KEX support for server/client key agreement.

Improvements

  • Clean up some issues when building for Nucleus.
  • Clean up some issues when building for Windows.
  • Clean up some issues when building for QNX.
  • Added more wolfSSHd testing.
  • Added more appropriate build option guard checking.
  • General improvements for the ESP32 builds.
  • Better terminal support in Windows.
  • Better I/O pipes and return codes when running commands or scripts over an
    SSH connection.

Fixes

  • Fix shell terminal window resizing and improve how the shell environment is set up.
  • Fix some corner cases with the SFTP testing.
  • Fix some corner cases with SFTP in general.
  • Fix verifying RSA signatures.
  • Add masking of file mode bits for Zephyr.
  • Fix leak of terminal modes cache.

wolfSSH v1.4.15 (December 22, 2023)

23 Dec 01:32
60a2960

Vulnerabilities

  • Fixes a potential vulnerability described in the paper "Passive SSH Key Compromise via Lattices". While the misbehavior described hasn't been observed in wolfSSH, the fix is now implemented. The RSA signature is verified before sending to the peer.
    • Keegan Ryan, Kaiwen He, George Arnold Sullivan, and Nadia Heninger. 2023. Passive SSH Key Compromise via Lattices. Cryptology ePrint Archive, Report 2023/1711. https://eprint.iacr.org/2023/1711.
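The mitigation named above, verifying a freshly produced RSA signature under the signer's own public key before it leaves the host, is shown here as an added illustration (not wolfSSH's or wolfCrypt's code). It uses textbook RSA with CRT on a deliberately small constructed key and no PKCS#1 padding, so everything runs offline; `sign_crt()` can inject a fault into the mod-p half to model the miscomputation the paper's attack relies on, `sign_checked()` refuses to emit such a signature, and `leaks_factor()` shows why the check matters: a faulty CRT signature shares a factor of the modulus with an observer who sees it.

```python
"""Verify-before-send for RSA-CRT signatures.

Added illustration, not wolfSSH code.  Textbook RSA on a constructed key
that is far too small for real use; the message representative is just
SHA-256 reduced mod N (no PKCS#1 padding).
"""
import hashlib
from math import gcd

# Constructed demo key: two Mersenne primes, chosen so gcd(E, phi) == 1.
P = 2147483647           # 2^31 - 1
Q = 524287               # 2^19 - 1
E = 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)   # CRT exponents
QINV = pow(Q, -1, P)                # CRT coefficient


class SignatureFault(Exception):
    """Raised when a signature we just produced does not verify under our own key."""


def representative(message: bytes) -> int:
    """Message representative: SHA-256 of the message as an integer below N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign_crt(m: int, inject_fault: bool = False) -> int:
    """RSA signature via the Chinese Remainder Theorem.

    inject_fault corrupts the mod-P half, modelling a glitch or software
    bug that yields a signature correct mod Q but wrong mod P.
    """
    s1 = pow(m, DP, P)
    s2 = pow(m, DQ, Q)
    if inject_fault:
        s1 ^= 1                      # simulated miscomputation
    h = (QINV * (s1 - s2)) % P       # Garner recombination
    return s2 + h * Q


def verify(m: int, s: int) -> bool:
    """Public-key verification: s^E mod N must equal the representative."""
    return pow(s, E, N) == m


def sign_checked(message: bytes, inject_fault: bool = False) -> int:
    """Sign, then verify with the public key before returning the signature.

    This is the defensive step the release note describes: a signature
    that fails self-verification is never handed to the peer.
    """
    m = representative(message)
    s = sign_crt(m, inject_fault)
    if not verify(m, s):
        raise SignatureFault("refusing to emit a signature that fails self-verification")
    return s


def leaks_factor(m: int, s: int) -> bool:
    """True if signature s on m would let an observer factor N.

    For a signature that is correct mod one prime and wrong mod the other,
    gcd(s^E - m, N) is that prime.  A correct signature gives gcd == N.
    """
    return gcd(pow(s, E, N) - m, N) in (P, Q)
```

The cost of `verify()` is one public-exponent exponentiation per signature, which is small next to the private operation; the payoff is that a one-off hardware or software fault in the CRT path never becomes a passively recoverable private key.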

Notes

  • When building wolfSSL/wolfCrypt versions before v5.6.6 with CMake, wolfSSH may have a problem with RSA keys. This is due to wolfSSH not checking on the size of __uint128_t. wolfSSH sees the RSA structure as the wrong size. You will have to define HAVE___UINT128_T if you know you have it and are using it in wolfSSL. wolfSSL v5.6.6 exports that define in options.h when using CMake.

New Features

  • Added wolfSSH client application.
  • Added support for OpenSSH-style private keys, like those made by ssh-keygen.
  • Added support for the Zephyr RTOS.
  • Added support for multiple authentication schemes in the userauth callback with the error response WOLFSSH_USERAUTH_PARTIAL_SUCCESS.

Improvements

  • Allow override of default sshd user name at build.
  • Do not attempt to copy device files. The client won't ask, and the server won't do it.
  • More wolfSSHd testing.
  • Portability updates.
  • Terminal updates for shell connections to wolfSSHd, including window size updates.
  • QNX support updates.
  • Windows file support updates for SFTP and SCP.
  • Allow for longer command strings in wolfSSHd.
  • Tweaked some select timeouts in the echoserver.
  • Add some type size checks to configure.
  • Update for changes in wolfSSL's threading wrappers.
  • Updates for Espressif support and testing.
  • Speed improvements for SFTP. (Fixed unnecessary waiting.)
  • Windows wolfSSHd improvements.
  • The functions wolfSSH_ReadKey_file() and wolfSSH_ReadKey_buffer() handle more encodings.
  • Add function to supply new protocol ID string.
  • Support larger RSA keys.
  • MinGW support updates.
  • Update file use W-macro wrappers with a filesystem parameter.

Fixes

  • When setting the file permissions for a file in Zephyr, use the correct permission constants.
  • Fix buffer issue in DoReceive() on some edge failure conditions.
  • Prevent wolfSSHd zombie processes.
  • Fixed a few references to the heap variable for user supplied memory allocation functions.
  • Fixed an index update when verifying the server's RSA signature during KEX.
  • Fixed some of the guards around optional code.
  • Fixed some would-block cases when using non-blocking sockets in the examples.
  • Fixed some compile issues with liboqs.
  • Fix for interop issue with OpenSSH when using AES-CTR.

wolfSSH v1.4.13 (Apr 3, 2023)

04 Apr 23:06
326a4bf

New Feature Additions and Improvements

  • Improvement to forking the wolfSSHd daemon.
  • Added an STM32Cube Expansion pack. See the file ide/STM32CUBE/README.md for more information. (https://www.wolfssl.com/files/ide/I-CUBE-wolfSSH.pack)
  • Improved test coverage for wolfSSHd.
  • X.509 style private key support.

Fixes

  • Fixed shadow password checking in wolfSSHd.
  • Building cleanups: warnings, types, 32-bit.
  • SFTP fixes for large files.
  • Testing and fixes with SFTP and LwIP.

Vulnerabilities

  • wolfSSHd would allow users without passwords to log in with any password. This is fixed as of this version. The return value of crypt() was not correctly checked. This issue was introduced in v1.4.11 and only affects wolfSSHd when using the default authentication callback provided with wolfSSHd. Anyone using wolfSSHd should upgrade to v1.4.13.
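The bug class in that advisory, a password check whose failure path collapses into a match, is illustrated below with added code that is not wolfSSHd's own. `hashlib.pbkdf2_hmac` stands in for `crypt()`, and like `crypt()` the wrapper reports failure with a sentinel (`None` here, NULL there); the stored-entry format and the `!`/`*` locked-account convention are constructed for the example. `check_password_naive()` shows how an unchecked failure value can equal an empty password field, and `check_password()` is the fail-closed form.

```python
"""Fail-closed password verification for an sshd-style auth callback.

Added illustration, not wolfSSHd code.  hashlib.pbkdf2_hmac stands in
for crypt(); hash_password() reports any failure as None, the way
crypt() reports it as NULL.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # constructed parameter for the demo entries


def make_entry(password: str) -> str:
    """Build a constructed shadow-style field: pbkdf2$iters$salthex$hashhex."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def hash_password(candidate: str, setting):
    """Re-hash candidate under the parameters carried in `setting`.

    Returns None on any failure (empty, locked, malformed or wrong-scheme
    setting), mirroring crypt() returning NULL for an unusable setting.
    """
    try:
        scheme, iters, salt_hex, _ = setting.split("$")
        if scheme != "pbkdf2":
            return None
        digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                     bytes.fromhex(salt_hex), int(iters))
    except (ValueError, TypeError, AttributeError):
        return None
    return f"pbkdf2${iters}${salt_hex}${digest.hex()}"


def check_password_naive(candidate: str, stored) -> bool:
    """Constructed bug pattern: the failure value is coerced to "" and then
    compared, so an account with an empty password field matches anything."""
    return (hash_password(candidate, stored) or "") == stored


def check_password(candidate: str, stored) -> bool:
    """Fail-closed check: every abnormal condition denies the login."""
    if not stored:                      # no password set: password login denied
        return False
    if stored[0] in "!*":               # locked or disabled account
        return False
    computed = hash_password(candidate, stored)
    if computed is None:                # hashing failed: deny, never compare
        return False
    return hmac.compare_digest(computed, stored)
```

The three guards before the comparison are the point: an empty field, a locked marker, and a hashing failure each return `False` on their own, so no value the hashing step could produce on error is ever compared against the stored entry.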

wolfSSH v1.4.12 (Dec 28, 2022)

28 Dec 18:24
834a03c

New Feature Additions and Improvements

  • Support for Green Hills Software's INTEGRITY
  • wolfSSHd Release (#453 rounds off testing and additions)
  • Support for RFC 6187, using X.509 Certificates as public keys
  • OCSP and CRL checking for X.509 Certificates (uses wolfSSL CertManager)
  • Add callback to the server for reporting userauth result
  • FPKI profile checking support
  • chroot jailing for SFTP in wolfSSHd
  • Permission level changes in wolfSSHd
  • Add Hybrid ECDH-P256 Kyber-Level1
  • Multiple server keys
  • Makefile updates
  • Remove dependency on wolfSSL being built with public math enabled

Fixes

  • Fixes for compiler complaints using GHS compiler
  • Fixes for compiler complaints using GCC 4.0.2
  • Fixes for the directory path cleanup function for SFTP
  • Fixes for SFTP directory listing when on Windows
  • Fixes for large file transfers with SFTP
  • Fixes for port forwarding
  • Fix for building with QNX
  • Fix for the wolfSSHd grace time alarm
  • Fixes for Yocto builds
  • Fixes for issues found with fuzzing

Vulnerabilities

  • The vulnerability fixed in wolfSSH v1.4.8 has now been assigned CVE-2022-32073

wolfSSH v1.4.11 (Aug 22, 2022)

23 Aug 19:53
d42230d

New Feature Additions and Improvements

  • Alpha version of SSHD implementation (--enable-sshd)
  • ECDSA key generation wrapper
  • Espressif port and component install
  • Improvements to detection of ECC RNG requirement

Fixes

  • Handle receiving extended data type with SCP connections
  • Multiple non-blocking fixes in SSH and SFTP use cases
  • Fix for handling '.' character in file name with SFTP
  • Windows build fix for SFTP with log timestamps enabled
  • Fix to handle listing large directories with SFTP LS function
  • Fix for checking path length when cleaning it (SFTP/SCP)

wolfSSH v1.4.10 (May 13, 2022)

12 May 23:18
c05f6c7

New Feature Additions and Improvements

  • Additional small-stack optimizations to further reduce stack usage
  • Update to Visual Studio paths for looking for wolfSSL library
  • SFTP example, reset timeout value with get/put command
  • Add support for flushing file IO using WOLFSCP_FLUSH
  • Add preprocessor guards for RSA/ECC to agent and the example and test applications
  • Initialization of variables to avoid warnings and use with ESP-IDF

Fixes

  • When scp receives a string in STDERR, print it out, rather than treating it as an error
  • Window adjustment refactor and fix
  • Fix check on RSA import size
  • Fix for building with older GCC versions (tested with 4.0.2)
  • SFTP fix for handling sent data size when it is greater than the peer's max packet size
  • SFTP add error return code for a bad header when sending a packet
  • KCAPI build fixes for macro guards needed
  • SCP fix for handling small and empty message sizes
  • SFTP update to handle WS_CHAN_RXD return values when reading
  • Fix for IPv6 with scpclient
  • Fixes for cross-compiling (don't force library path references)
  • Fix for FIPS 140-3 on ECC private key use

wolfSSH v1.4.8 (Nov 4, 2021)

04 Nov 22:32
ed97707

New Feature Additions and Improvements

  • Add remote port forwarding
  • Make loading user created keys into the examples easier
  • Add --with-wolfssl and use --prefix to look for wolfSSL
  • Updated the unsupported GlobalReq response

Fixes

  • Fix for RSA public key auth
  • When decoding SFTP messages, fix the size checks so they don't wrap
  • Fix a socket failure issue in the testsuite and echoserver
  • SFTP fix for getting attribute header
  • Fix for possible null dereference in SendKexDhReply
  • Remove reference to udp from test.h
  • Fixes to local port forwarding

wolfSSH v1.4.7 (July 23, 2021)

23 Jul 17:40
48a0e66

New Feature Additions and Improvements

  • SCP improvements to run on embedded RTOS
  • For SFTP messages, check both minimum bound and maximum bound of the length value
  • Added option for --enable-small-stack
  • Added SFTP support for FatFs
  • Added 192 and 256 bit support for AES-CBC, AES-CTR, and AES-GCM
  • Added options to disable algorithms (e.g. WOLFSSH_NO_ECDSA, WOLFSSH_NO_AES_CBC, etc.)
  • Improved handling of builds without ECC

Fixes

  • When processing public key user auth, initialize the key earlier
  • When processing public key user auth, use GetSize() instead of GetUint32()
  • Fix for better handling rekey
  • Fix for build with NO_WOLFSSH_CLIENT macro and --enable-all
  • Fix configuration with WOLFSSH_NO_DH
  • Add an internal function to purge a packet when building one fails
  • Fix for cleanup in error case with SFTP read packet
  • Fix initialization of DH Size values