ci: Update dependency wolfSSL/wolfssh to v1.4.17 #13641

Closed

Conversation

@renovate renovate bot commented May 14, 2024

This PR contains the following updates:

Package            Update   Change
wolfSSL/wolfssh    patch    1.4.12 -> 1.4.17

Release Notes

wolfSSL/wolfssh (wolfSSL/wolfssh)

v1.4.17

Vulnerabilities

  • Fixes a vulnerability where a properly crafted SSH client can bypass user
    authentication in the wolfSSH server code. The added fix filters the
    messages that are allowed during different operational states.

Notes

  • When building wolfSSL/wolfCrypt versions before v5.6.6 with CMake,
    wolfSSH may have a problem with RSA keys. This is due to wolfSSH not
    checking on the size of __uint128_t. wolfSSH sees the RSA structure
    as the wrong size. You will have to define HAVE___UINT128_T if you
    know you have it and are using it in wolfSSL. wolfSSL v5.6.6 exports that
    define in options.h when using CMake.
  • The example server in directory examples/server/server.c has been removed.
    It was never kept up to date; the echoserver did its job as an example and
    test server.

New Features

  • Added functions to set algorithms lists for KEX at run-time, and some
    functions to inspect which algorithms are set or are available to use.
  • In v1.4.15, we had disabled SHA-1 in the build by default. SHA-1 has been
    re-enabled in the build and is now "soft" disabled, where algorithms using
    it can be configured for KEX.
  • Add Curve25519 KEX support for server/client key agreement.

Improvements

  • Clean up some issues when building for Nucleus.
  • Clean up some issues when building for Windows.
  • Clean up some issues when building for QNX.
  • Added more wolfSSHd testing.
  • Added more appropriate build option guard checking.
  • General improvements for the ESP32 builds.
  • Better terminal support in Windows.
  • Better I/O pipes and return codes when running commands or scripts over an
    SSH connection.

Fixes

  • Fix shell terminal window resizing; it also sets up the environment better.
  • Fix some corner cases with the SFTP testing.
  • Fix some corner cases with SFTP in general.
  • Fix verifying RSA signatures.
  • Add masking of file mode bits for Zephyr.
  • Fix leak of terminal modes cache.

v1.4.15

Vulnerabilities

  • Fixes a potential vulnerability described in the paper "Passive SSH Key
    Compromise via Lattices". While the misbehavior described hasn't
    been observed in wolfSSH, the fix is now implemented. The RSA signature
    is verified before sending to the peer.
    • Keegan Ryan, Kaiwen He, George Arnold Sullivan, and Nadia Heninger. 2023.
      Passive SSH Key Compromise via Lattices. Cryptology ePrint Archive,
      Report 2023/1711. https://eprint.iacr.org/2023/1711.

Notes

  • When building wolfSSL/wolfCrypt versions before v5.6.6 with CMake,
    wolfSSH may have a problem with RSA keys. This is due to wolfSSH not
    checking on the size of __uint128_t. wolfSSH sees the RSA structure
    as the wrong size. You will have to define HAVE___UINT128_T if you
    know you have it and are using it in wolfSSL. wolfSSL v5.6.6 exports that
    define in options.h when using CMake.

New Features

  • Added wolfSSH client application.
  • Added support for OpenSSH-style private keys, like those made by ssh-keygen.
  • Added support for the Zephyr RTOS.
  • Added support for multiple authentication schemes in the userauth callback
    with the error response WOLFSSH_USERAUTH_PARTIAL_SUCCESS.

Improvements

  • Allow override of default sshd user name at build.
  • Do not attempt to copy device files. The client won't ask, and the server
    won't do it.
  • More wolfSSHd testing.
  • Portability updates.
  • Terminal updates for shell connections to wolfSSHd, including window size
    updates.
  • QNX support updates.
  • Windows file support updates for SFTP and SCP.
  • Allow for longer command strings in wolfSSHd.
  • Tweaked some select timeouts in the echoserver.
  • Add some type size checks to configure.
  • Update for changes in wolfSSL's threading wrappers.
  • Updates for Espressif support and testing.
  • Speed improvements for SFTP. (Fixed unnecessary waiting.)
  • Windows wolfSSHd improvements.
  • The functions wolfSSH_ReadKey_file() and wolfSSH_ReadKey_buffer()
    handle more encodings.
  • Add function to supply new protocol ID string.
  • Support larger RSA keys.
  • MinGW support updates.
  • Update file use W-macro wrappers with a filesystem parameter.

Fixes

  • When setting the file permissions for a file in Zephyr, use the correct
    permission constants.
  • Fix buffer issue in DoReceive() on some edge failure conditions.
  • Prevent wolfSSHd zombie processes.
  • Fixed a few references to the heap variable for user supplied memory
    allocation functions.
  • Fixed an index update when verifying the server's RSA signature during KEX.
  • Fixed some of the guards around optional code.
  • Fixed some would-block cases when using non-blocking sockets in the
    examples.
  • Fixed some compile issues with liboqs.
  • Fix for interop issue with OpenSSH when using AES-CTR.

v1.4.14

New Feature Additions and Improvements

  • Add user authentication support for RSA signing with SHA2-256 and SHA2-512 (Following RFC 8332)
  • Support for FATFS on Xilinx targets
  • ecc_p256-kyber_level1 interop with OQS OpenSSH following the RFC https://www.ietf.org/id/draft-kampanakis-curdle-ssh-pq-ke-01.html
  • Internal refactor of client apps to simplify them and added X509 support to scpclient
  • wolfSSH_accept now returns WS_SCP_INIT and needs to be called again to complete the SCP operation
  • Update to document Cube Pack dependencies
  • Add carriage return for ‘enter’ key in the example client with shell connections to windows server
  • Stack usage improvement to limit the scope of variables
  • Echoserver example SFTP non blocking improvement for want read cases
  • Increase SFTP performance with throughput

Fixes

  • Fix for calling chdir after chroot with wolfSSHd when jailing connections on unix environments
  • Better handling on the server side for when the client’s window is filled up
  • Fix for building the client project on windows when shell support is enabled
  • Sanity check improvements for handling memory management with non blocking connections
  • Fix for support with secondary groups with wolfSSHd
  • Fixes for SFTP edge cases when used with LWiP

v1.4.13

New Feature Additions and Improvements

  • Improvement to forking the wolfSSHd daemon.
  • Added an STM32Cube Expansion pack. See the file ide/STM32CUBE/README.md
    for more information. (https://www.wolfssl.com/files/ide/I-CUBE-wolfSSH.pack)
  • Improved test coverage for wolfSSHd.
  • X.509 style private key support.

Fixes

  • Fixed shadow password checking in wolfSSHd.
  • Building cleanups: warnings, types, 32-bit.
  • SFTP fixes for large files.
  • Testing and fixes with SFTP and LwIP.

Vulnerabilities

  • wolfSSHd would allow users without passwords to log in with any password.
    This is fixed as of this version. The return value of crypt() was not
    correctly checked. This issue was introduced in v1.4.11 and only affects
    wolfSSHd when using the default authentication callback provided with
    wolfSSHd. Anyone using wolfSSHd should upgrade to v1.4.13.


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Mend Renovate.
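The v1.4.17 note above says the authentication bypass was closed by filtering which messages are accepted in each operational state. The toy server below is an added illustration of that technique, not wolfSSH or curl code, and it does not reproduce the actual wolfSSH bug: it models a server whose channel handlers trust that the protocol reached them in order, and shows that a client which jumps from key exchange straight to the connection protocol (constructed message sequences, type numbers only, no wire encoding) gets a command executed unless a per-state allow list is checked before dispatch. The Server class, the `strict` flag and the "hunter2" password check are hypothetical names for this example.

```python
"""State-gated dispatch of SSH message types on a server (toy model)."""
from enum import Enum, auto

# Message numbers from RFC 4250, section 4.1.2
SSH_MSG_DISCONNECT = 1
SSH_MSG_IGNORE = 2
SSH_MSG_UNIMPLEMENTED = 3
SSH_MSG_DEBUG = 4
SSH_MSG_SERVICE_REQUEST = 5
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_KEXDH_INIT = 30
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_DATA = 94
SSH_MSG_CHANNEL_REQUEST = 98
SSH_DISCONNECT_PROTOCOL_ERROR = 2  # RFC 4253, section 11.1


class State(Enum):
    KEX = auto()        # transport keys not yet established
    USERAUTH = auto()   # keys in place, client not authenticated
    CONNECTED = auto()  # userauth succeeded: channels may be opened


# Transport-layer messages that are legal in every state (rekey included).
TRANSPORT_ANYTIME = {SSH_MSG_DISCONNECT, SSH_MSG_IGNORE, SSH_MSG_UNIMPLEMENTED,
                     SSH_MSG_DEBUG, SSH_MSG_KEXINIT}
ALLOWED = {
    State.KEX: TRANSPORT_ANYTIME | {SSH_MSG_KEXDH_INIT, SSH_MSG_NEWKEYS},
    State.USERAUTH: TRANSPORT_ANYTIME | {SSH_MSG_SERVICE_REQUEST,
                                         SSH_MSG_USERAUTH_REQUEST},
    State.CONNECTED: TRANSPORT_ANYTIME | {SSH_MSG_CHANNEL_OPEN,
                                          SSH_MSG_CHANNEL_DATA,
                                          SSH_MSG_CHANNEL_REQUEST},
}


class Server:
    """Hypothetical server loop. With strict=False every message goes straight
    to its handler; with strict=True the per-state allow list is consulted
    first and anything unexpected ends the session."""

    def __init__(self, strict, password="hunter2"):
        self.strict = strict
        self.password = password          # toy credential, constructed
        self.state = State.KEX
        self.authenticated = False
        self.executed = []                # commands run via "exec" requests
        self.disconnect_reason = None

    def handle(self, msg_type, payload=None):
        """Return True to keep the session open, False once it has ended."""
        if self.disconnect_reason is not None:
            return False
        if self.strict and msg_type not in ALLOWED[self.state]:
            self.disconnect_reason = SSH_DISCONNECT_PROTOCOL_ERROR
            return False
        if msg_type == SSH_MSG_DISCONNECT:
            self.disconnect_reason = payload
            return False
        if msg_type == SSH_MSG_NEWKEYS:
            # The first NEWKEYS completes the initial KEX; later ones are rekeys.
            if self.state is State.KEX:
                self.state = State.USERAUTH
        elif msg_type == SSH_MSG_USERAUTH_REQUEST:
            _user, pw = payload
            if pw == self.password:       # real code would use a callback
                self.authenticated = True
                self.state = State.CONNECTED
        elif msg_type == SSH_MSG_CHANNEL_REQUEST:
            # The handler trusts that the protocol got here legitimately;
            # only the state table can make that trust justified.
            kind, arg = payload
            if kind == "exec":
                self.executed.append(arg)
        return True


def run(client_messages, strict):
    """Feed a client's message sequence to a fresh server and return it."""
    srv = Server(strict)
    for msg_type, payload in client_messages:
        if not srv.handle(msg_type, payload):
            break
    return srv


# Constructed message sequences for the two clients.
KEX_PREFIX = [(SSH_MSG_KEXINIT, None), (SSH_MSG_KEXDH_INIT, None),
              (SSH_MSG_NEWKEYS, None)]
SESSION = [(SSH_MSG_CHANNEL_OPEN, "session"),
           (SSH_MSG_CHANNEL_REQUEST, ("exec", "id"))]
HONEST_CLIENT = KEX_PREFIX + [(SSH_MSG_SERVICE_REQUEST, "ssh-userauth"),
                              (SSH_MSG_USERAUTH_REQUEST, ("alice", "hunter2"))] + SESSION
CRAFTED_CLIENT = KEX_PREFIX + SESSION   # skips userauth entirely

if __name__ == "__main__":
    for name, strict in (("unfiltered", False), ("filtered", True)):
        s = run(CRAFTED_CLIENT, strict)
        print(f"{name}: authenticated={s.authenticated} executed={s.executed} "
              f"disconnect={s.disconnect_reason}")
```

The allow list is deliberately keyed on the server's own state rather than on any flag the client can influence; a wrong-password attempt followed by CHANNEL_OPEN is rejected for the same reason the no-password sequence is, because the state never left USERAUTH.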

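The v1.4.15 note above says the RSA signature is now verified before it is sent to the peer. The toy below is an added example, not wolfSSH or curl code, of why that check matters: an RSA-CRT signature with a fault in one CRT half fails verification, and if it were sent anyway the faulty value reveals a prime factor of the modulus. The gcd recovery shown is the classical Boneh-DeMillo-Lipton attack, which needs the signed message; the cited paper's lattice method is what makes the attack work for a passive SSH observer who cannot compute the signed exchange hash. The key (two Mersenne primes), the hash-then-reduce stand-in for padding and the message are constructed and far too small for real use, and `crt_sign`, `sign_checked` and `recover_factor` are names chosen for this example.

```python
"""Verify-before-send for RSA-CRT signatures (toy sizes, textbook RSA)."""
import hashlib
from math import gcd

# Constructed toy key: two Mersenne primes, nowhere near a real key size.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
# CRT parameters as a PKCS#1 private key would carry them.
DP, DQ, QINV = D % (P - 1), D % (Q - 1), pow(Q, -1, P)


class FaultDetected(Exception):
    """Raised when a freshly computed signature fails to verify."""


def digest_int(msg: bytes) -> int:
    """Hash and reduce mod N. Stands in for real padding; not a secure scheme."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def crt_sign(m: int, fault_mask: int = 0) -> int:
    """RSA-CRT signing with Garner recombination. A non-zero fault_mask
    simulates a computational fault that corrupts only the mod-Q half."""
    s_p = pow(m, DP, P)
    s_q = pow(m, DQ, Q) ^ fault_mask
    h = (QINV * (s_p - s_q)) % P
    return s_q + h * Q


def verify(m: int, sig: int) -> bool:
    """Public-key check; the only test the peer can perform."""
    return pow(sig, E, N) == m


def sign_checked(msg: bytes, fault_mask: int = 0) -> int:
    """The countermeasure: never release a signature the public key rejects."""
    m = digest_int(msg)
    sig = crt_sign(m, fault_mask)
    if not verify(m, sig):
        raise FaultDetected("refusing to send a signature that fails verification")
    return sig


def recover_factor(m: int, faulty_sig: int) -> int:
    """Boneh-DeMillo-Lipton: a fault in one CRT half leaves the signature
    correct modulo the other prime, so gcd(sig^E - m, N) yields that prime.
    Returns N itself when the signature is actually correct."""
    return gcd((pow(faulty_sig, E, N) - m) % N, N)


if __name__ == "__main__":
    msg = b"constructed stand-in for an SSH exchange hash"
    m = digest_int(msg)
    print("good signature verifies:", verify(m, crt_sign(m)))
    bad = crt_sign(m, 1 << 17)
    print("faulty signature verifies:", verify(m, bad))
    print("factor recovered from faulty signature == P:", recover_factor(m, bad) == P)
    try:
        sign_checked(msg, 1 << 17)
    except FaultDetected as err:
        print("checked signer:", err)
```

The check costs one public-key operation per signature, which is cheap next to the private-key operation, and it is the only defence that works regardless of how the fault was induced (bit flip, bad hardware, miscompiled bignum code), which is why the release note applies it even though no misbehaviour was observed in wolfSSH.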
@renovate renovate bot added the CI Continuous Integration label May 14, 2024
@cmeister2

Aha. This looks like the tagging scheme here is actually wrong and the extractVersionTemplate should be v<semver>-stable to match the tagging scheme over at https://github.com/wolfSSL/wolfssh/tags

@cmeister2

Added code in #13644 to handle this, after which this should be rebased.

@renovate renovate bot force-pushed the renovate/wolfssl-wolfssh-1.x branch from dcb80ea to 6adf33d Compare May 15, 2024 09:13
@renovate renovate bot changed the title from "ci: Update dependency wolfSSL/wolfssh to v1.4.16" to "ci: Update dependency wolfSSL/wolfssh to v1.4.17" May 15, 2024
@bagder bagder closed this in 6ce1d6f May 15, 2024
@renovate renovate bot deleted the renovate/wolfssl-wolfssh-1.x branch May 15, 2024 09:39