Fix Windows XP compatibility issue with libssh (#249)

davidrg · Jul 1, 2024 · 92dce0b · 92dce0b
1 parent 35b6d13
commit 92dce0b
Show file tree

Hide file tree

Showing 5 changed files with 116 additions and 6 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -212,7 +212,7 @@ jobs:
           ${{github.workspace}}\libdes\Debug
           ${{github.workspace}}\tools
           ${{github.workspace}}\kerberos\kfw
-        key: msvc-${{ matrix.toolset }}-${{ matrix.arch }}+zlib-${{env.ZLIB_VERSION}}+openssl-${{env.OPENSSL_VERSION}}+${{env.OPENSSL_MAKE}}+libssh-${{env.LIBSSH_VERSION}}+rel+nasm+xp+dsa+libdes+kfw+ver3
+        key: msvc-${{ matrix.toolset }}-${{ matrix.arch }}+zlib-${{env.ZLIB_VERSION}}+openssl-${{env.OPENSSL_VERSION}}+${{env.OPENSSL_MAKE}}+libssh-${{env.LIBSSH_VERSION}}+rel+nasm+xp+dsa+libdes+kfw+ver4
     - name: Get dependencies
       if: steps.cache-optional-dependencies.outputs.cache-hit != 'true'
       run: |
@@ -370,11 +370,24 @@ jobs:
 
     - name: Build libssh (x86/x86-64)
       if: steps.cache-optional-dependencies.outputs.cache-hit != 'true' && (matrix.arch == 'x86' || matrix.arch == 'x64')
-      shell: powershell
+      shell: cmd
       run: |
         cd libssh\${{env.LIBSSH_VERSION}}\build
         cmake .. -G "NMake Makefiles" -DCMAKE_BUILD_TYPE=Release -DOPENSSL_ROOT_DIR=${{github.workspace}}\openssl\${{env.OPENSSL_VERSION}}\ -DZLIB_ROOT:PATH=${{github.workspace}}\zlib\${{env.ZLIB_VERSION}}\ -DWITH_DSA=ON
         nmake
+        echo Libssh build done.
+        
+        if "${{env.LIBSSH_VERSION}}" NEQ "0.10.6" goto :end 
+        echo Build a patched version thats compatible with Windows XP
+        mv src\ssh.dll src\ssh-standard.dll
+        cd ..
+        patch -p1 < ..\xp-fix.patch
+        cd build
+        nmake
+        echo Build complete - renaming files
+        ren src\ssh.dll ssh-xp.dll
+        ren src\ssh-standard.dll ssh.dll
+        :end        
 
     - name: Build GSSAPI-enabled libssh (x86/x86-64)
       if: steps.cache-optional-dependencies.outputs.cache-hit != 'true' && (matrix.arch == 'x86' || matrix.arch == 'x64')
@@ -385,6 +398,18 @@ jobs:
         cd build
         cmake .. -G "NMake Makefiles" -DCMAKE_BUILD_TYPE=Release -DOPENSSL_ROOT_DIR=${{github.workspace}}\openssl\${{env.OPENSSL_VERSION}}\ -DZLIB_ROOT:PATH=${{github.workspace}}\zlib\${{env.ZLIB_VERSION}}\ -DWITH_DSA=ON -DGSSAPI_ROOT_DIR="${{github.workspace}}\kerberos\kfw\Kerberos"
         nmake
+        
+        if "${{env.LIBSSH_VERSION}}" NEQ "0.10.6" goto :end 
+        REM Build a patched version thats compatible with Windows XP
+        mv src\ssh.dll src\ssh-standard.dll
+        cd ..
+        patch -p1 < ..\xp-fix.patch
+        cd build
+        nmake
+        ren src\ssh.dll ssh-xp.dll
+        ren src\ssh-standard.dll ssh.dll
+        :end
+
 
       # 32bit ARM doesn't get libssh as version 0.10.3 gets link errors there:
       #   misc.c.obj : error LNK2019: unresolved external symbol __imp_GetUserNameA referenced in function ssh_get_local_username
@@ -468,6 +493,16 @@ jobs:
       run: |
         copy ${{ github.workspace }}\libssh\${{env.LIBSSH_VERSION}}-gssapi\build\src\ssh.dll ssh-gssapi.dll
 
+    - name: Dist XP-patched libssh (x86/x86-64)
+      if: (matrix.arch == 'x86' || matrix.arch == 'x64') && (env.LIBSSH_VERSION == '0.10.6')
+      shell: cmd
+      working-directory: ${{ github.workspace }}\kermit\k95\dist
+      run: |
+        mkdir ssh-xp
+        cd ssh-xp
+        copy ${{ github.workspace }}\libssh\${{env.LIBSSH_VERSION}}-gssapi\build\src\ssh-xp.dll ssh-gssapi.dll
+        copy ${{ github.workspace }}\libssh\${{env.LIBSSH_VERSION}}\build\src\ssh-xp.dll ssh.dll
+
     - name: Fetch CA Certs bundle
       uses: actions/download-artifact@v3
       with:

diff --git a/doc/changes.md b/doc/changes.md
@@ -6,14 +6,19 @@ check the git commit log.
 ## C-Kermit for Windows 10.0b10 beta 6 - coming soon
 
 This is a minor release focused on upgrading from OpenSSL 1.1.1 (which is
-now out of support) to OpenSSL 3.0.x. Also included are a selection of bug
-fixes and other minor enhancements. 
+now out of support) to OpenSSL 3.0.x, and libssh 0.10.5 to 0.10.6. Also 
+included are a selection of bug fixes and other minor enhancements. 
 
 Also in this release: official support for Windows NT on Alpha and PowerPC
 has returned after being discontinued in March 2000 and April 1998 
 respectively. And for the first time ever, C-Kermit is now supported on
 Windows NT for MIPS computers, though without TAPI support.
 
+### Things to be aware of when upgrading
+Windows XP users: current versions of libssh are no longer compatible with 
+Windows XP. See the included SSH Readme for a workaround if SSH support on
+Windows XP.
+
 ### Fixed Bugs
 
 * Fixed directory listings not reporting a size or modified time for files
@@ -44,6 +49,7 @@ Windows NT for MIPS computers, though without TAPI support.
 
 * Upgraded to OpenSSL 3.0.14, the current long term support release 
   (supported until 7 September 2026)
+* Updated to libssh 0.10.6
 * Help text for "set gui window position" updated: this command *is* supported
   and it does work.
 * The default k95custom.ini now displays a message the console-mode version

diff --git a/doc/ssh-readme.md b/doc/ssh-readme.md
@@ -144,7 +144,28 @@ C-Kermit for Windows will not start with the GSSAPI-supporting ssh.dll without
 this installed. If you later uninstall Kerberos for Windows you'll need to swap
 the SSH DLLs back around again.
 
-GSSAPI authenticatino is not currently supported on non-x86 builds of CKW as
-current versions of Kerberos for Windows are only availbale for x86.
+GSSAPI authentication is not currently supported on non-x86 builds of CKW as
+current versions of Kerberos for Windows are only available for x86.
+
+### Using SSH on Windows XP
+Libssh 0.10.6 includes a fix for the security vulnerability 
+[CVE-2023-6004](https://nvd.nist.gov/vuln/detail/CVE-2023-6004), but the fix 
+breaks compatibility with Windows XP. When starting C-Kermit with the included 
+ssh.dll or ssh-gssapi.dll, C-Kermit will fail to start with the error "The 
+procedure entry point if_nametoindex could not be located in the dynamic link 
+library IPHLPAPI.DLL."
+
+An alternative version of ssh.dll and ssh-gssapi.dll is provided for Windows XP
+users which removes the fix for CVE-2023-6004 restoring compatibility with
+Windows XP. These can be found in the ssh-xp subdirectory. Replacing the normal
+ssh.dll with the appropriate dll in the ssh-xp directory should prevent the
+error.
+
+CVE-2023-6004 has a low severity rating and impacts the ProxyCommand and 
+ProxyJump features which are not currently used by C-Kermit or supported on 
+Windows yet. So undoing the security fix is unlikely to cause any problems in
+practice, but still not a great idea. Where security is a concern you should
+consider upgrading to a supported version of Windows which is able to run the
+normal version of libssh.
 
 [^1]: https://libssh.org
diff --git a/libssh/README.md b/libssh/README.md
@@ -31,3 +31,22 @@ against the old versions configured by setenv.bat.
 
 Once you've built libssh you'll want to go and update setenv.bat to ensure the new
 version of libssh is used in the future.
+
+Windows XP Compatibility Fix
+----------------------------
+
+Libssh 0.10.6 includes a fix for 
+[CVE-2023-6004](https://nvd.nist.gov/vuln/detail/CVE-2023-6004) which introduces
+a dependency on if_nametoindex in iphlpapi.dll which is not available on 
+Windows XP. A patch is provided (`xp-fix.patch`) which corrects this issue by
+dynamically loading iphlpapi.dll and if that fails skipping the functionality
+that depends on this library. This will of course re-introduce the vulnerability
+on Windows XP which is not great.
+
+The vulnerability appears to only affect features that C-Kermit doesn't use and
+which libssh doesn't even support on Windows. So the effects of undoing the fix
+are likely not serious at the moment, but this may change in the future.
+
+If you wish to build libssh 0.10.6 with Windows XP compatibility, you can
+apply this patch by running `patch -p1 < ..\xp-fix.patch` from inside the
+libssh directory.
diff --git a/libssh/xp-fix.patch b/libssh/xp-fix.patch
@@ -0,0 +1,29 @@
+diff --git a/src/misc.c.old b/src/misc.c
+index 7081f12..cd0e225 100644
+--- a/src/misc.c.old
++++ b/src/misc.c
+@@ -221,6 +221,8 @@ int ssh_is_ipaddr_v4(const char *str)
+     return 0;
+ }
+
++typedef NET_IFINDEX (NETIOAPI_API_ *if_nametoindex_t)(PCSTR);
++
+ int ssh_is_ipaddr(const char *str)
+ {
+     int rc = SOCKET_ERROR;
+@@ -233,10 +235,13 @@ int ssh_is_ipaddr(const char *str)
+         struct sockaddr_storage ss;
+         int sslen = sizeof(ss);
+         char *network_interface = strchr(s, '%');
++		HINSTANCE hIPHLPAPI = LoadLibrary("IPHLPAPI"); 
++		if_nametoindex_t h_if_nametoindex = (if_nametoindex_t)GetProcAddress(hIPHLPAPI, "if_nametoindex");
++
+
+         /* link-local (IP:v6:addr%ifname). */
+-        if (network_interface != NULL) {
+-            rc = if_nametoindex(network_interface + 1);
++        if (network_interface != NULL && h_if_nametoindex != NULL) {
++            rc = h_if_nametoindex(network_interface + 1);
+             if (rc == 0) {
+                 free(s);
+                 return 0;