!53 add insecure algorithm log

From: @zppzhangpan Reviewed-by: @caodongxia Signed-off-by: @caodongxia
2024-06-26 03:30:06 +00:00 · 2024-06-26 03:30:06 +00:00 · a5318a4698
commit a5318a4698
parent b6f08d3664 3b9a006022
2 changed files with 138 additions and 1 deletions
--- a/add-insecure-algorithm-log.patch
+++ b/add-insecure-algorithm-log.patch
@ -0,0 +1,133 @@
 From 6c4f54130d892f5034ac40d139ff27b8bb4d1927 Mon Sep 17 00:00:00 2001
 From: zhangpan <zhangpan103@h-partners.com>
 Date: Fri, 12 Apr 2024 12:47:45 +0800
 Subject: [PATCH] Add Insecure Algorithm Logs
 ---
 paramiko/auth_handler.py |  5 ++++
 paramiko/transport.py    | 65 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 70 insertions(+)
 diff --git a/paramiko/auth_handler.py b/paramiko/auth_handler.py
 index db89670..0454358 100644
 --- a/paramiko/auth_handler.py
 +++ b/paramiko/auth_handler.py
@@ -384,6 +384,11 @@ class AuthHandler(object):
                 m.add_boolean(True)
                 key_type, bits = self._get_key_type_and_bits(self.private_key)
                 algorithm = self._finalize_pubkey_algorithm(key_type)
 +                if not list (
 +                        filter(
 +                            algorithm.__contains__,
 +                            self.transport._whitelist_pubkeys)):
 +                    self._log(WARNING, "Insecure PubKey algorithm may be used: {}".format(algorithm))
                 m.add_string(algorithm)
                 m.add_string(bits)
                 blob = self._get_session_blob(
 diff --git a/paramiko/transport.py b/paramiko/transport.py
 index 5265e09..e8ff0e0 100644
 --- a/paramiko/transport.py
 +++ b/paramiko/transport.py
@@ -213,6 +213,43 @@ class Transport(threading.Thread, ClosingContextManager):
     )
     _preferred_compression = ("none",)
 +    _whitelist_ciphers = (
 +        "aes128-ctr",
 +        "aes192-ctr",
 +        "aes256-ctr",
 +        "chacha20-poly1305@openssh.com",
 +        "aes128-gcm@openssh.com",
 +        "aes256-gcm@openssh.com",
 +    )
 +
 +    _whitelist_macs = (
 +        "hmac-sha2-512",
 +        "hmac-sha2-512-etm@openssh.com",
 +        "hmac-sha2-256",
 +        "hmac-sha2-256-etm@openssh.com",
 +    )
 +
 +    _whitelist_keys = (
 +        "ssh-ed25519",
 +        "ecdsa-sha2-nistp256",
 +        "ssh-ed25519-cert-v01@openssh.com",
 +        "rsa-sha2-256",
 +        "rsa-sha2-512",
 +    )
 +
 +    _whitelist_pubkeys = (
 +        "ssh-ed25519",
 +        "ssh-ed25519-cert-v01@openssh.com",
 +        "rsa-sha2-256",
 +        "rsa-sha2-512",
 +    )
 +
 +    _whitelist_kex = (
 +        "curve25519-sha256",
 +        "curve25519-sha256@libssh.org",
 +        "diffie-hellman-group-exchange-sha256",
 +    )
 +
     _cipher_info = {
         "aes128-ctr": {
             "class": algorithms.AES,
@@ -2507,6 +2544,13 @@ class Transport(threading.Thread, ClosingContextManager):
                 "Incompatible ssh peer (no acceptable kex algorithm)"
             )  # noqa
         self.kex_engine = self._kex_info[agreed_kex[0]](self)
 +
 +        if not list (
 +                filter(
 +                    agreed_kex[0].__contains__,
 +                    self._whitelist_kex)):
 +            self._log(WARNING, "Insecure Kex algorithm may be used: {}".format(agreed_kex[0]))
 +
         self._log(DEBUG, "Kex: {}".format(agreed_kex[0]))
         if self.server_mode:
@@ -2534,6 +2578,13 @@ class Transport(threading.Thread, ClosingContextManager):
             raise IncompatiblePeer(
                 "Incompatible ssh peer (can't match requested host key type)"
             )  # noqa
 +
 +        if not list (
 +                filter(
 +                    self.host_key_type.__contains__,
 +                    self._whitelist_keys)):
 +            self._log(WARNING, "Insecure HostKey algorithm may be used: {}".format(self.host_key_type))
 +
         self._log_agreement("HostKey", agreed_keys[0], agreed_keys[0])
         if self.server_mode:
@@ -2568,6 +2619,13 @@ class Transport(threading.Thread, ClosingContextManager):
             )  # noqa
         self.local_cipher = agreed_local_ciphers[0]
         self.remote_cipher = agreed_remote_ciphers[0]
 +
 +        if not list (
 +                filter(
 +                    self.local_cipher.__contains__,
 +                    self._whitelist_ciphers)):
 +            self._log(WARNING, "Insecure Cipher algorithm may be used: {}".format(self.local_cipher))
 +
         self._log_agreement(
             "Cipher", local=self.local_cipher, remote=self.remote_cipher
         )
@@ -2592,6 +2650,13 @@ class Transport(threading.Thread, ClosingContextManager):
             )
         self.local_mac = agreed_local_macs[0]
         self.remote_mac = agreed_remote_macs[0]
 +
 +        if not list (
 +                filter(
 +                    self.local_mac.__contains__,
 +                    self._whitelist_macs)):
 +            self._log(WARNING, "Insecure Mac algorithm may be used: {}".format(self.local_mac))
 +
         self._log_agreement(
             "MAC", local=self.local_mac, remote=self.remote_mac
         )
 -- 
 2.33.0
--- a/python-paramiko.spec
+++ b/python-paramiko.spec
@ -1,12 +1,13 @@
 Name:          python-paramiko
 Version:       3.4.0
-Release:       1
+Release:       2
 Summary:       Python SSH module
 License:       LGPLv2+
 URL:           https://github.com/paramiko/paramiko
 Source0:       https://github.com/paramiko/paramiko/archive/%{version}/paramiko-%{version}.tar.gz
 Patch0:        Remove-icecream-dep.patch
 Patch9000:     add-insecure-algorithm-log.patch
 BuildArch:     noarch
@ -66,6 +67,9 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} pytest-%{python3_version}
 %doc html/ demos/ README.rst
 %changelog
 * Tue Jun 25 2024 zhangpan <zhangpan103@h-partners.com> - 3.4.0-2
 - add insecure algorithm log
 * Tue Jan 09 2024 yaoxin <yao_xin001@hoperun.com> - 3.4.0-1
 - Upgrade to 3.4.0 for fix CVE-2023-48795