!53 add insecure algorithm log

From: @zppzhangpan Reviewed-by: @caodongxia Signed-off-by: @caodongxia
2024-06-26 03:30:06 +00:00 · 2024-06-26 03:30:06 +00:00 · a5318a4698
commit a5318a4698
parent b6f08d3664 3b9a006022
2 changed files with 138 additions and 1 deletions
--- a/add-insecure-algorithm-log.patch
+++ b/add-insecure-algorithm-log.patch
@ -0,0 +1,133 @@
+From 6c4f54130d892f5034ac40d139ff27b8bb4d1927 Mon Sep 17 00:00:00 2001
+From: zhangpan <zhangpan103@h-partners.com>
+Date: Fri, 12 Apr 2024 12:47:45 +0800
+Subject: [PATCH] Add Insecure Algorithm Logs
+
+---
+ paramiko/auth_handler.py |  5 ++++
+ paramiko/transport.py    | 65 ++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 70 insertions(+)
+
+diff --git a/paramiko/auth_handler.py b/paramiko/auth_handler.py
+index db89670..0454358 100644
+--- a/paramiko/auth_handler.py
+++ b/paramiko/auth_handler.py
+@@ -384,6 +384,11 @@ class AuthHandler(object):
+                 m.add_boolean(True)
+                 key_type, bits = self._get_key_type_and_bits(self.private_key)
+                 algorithm = self._finalize_pubkey_algorithm(key_type)
+                if not list (
+                        filter(
+                            algorithm.__contains__,
+                            self.transport._whitelist_pubkeys)):
+                    self._log(WARNING, "Insecure PubKey algorithm may be used: {}".format(algorithm))
+                 m.add_string(algorithm)
+                 m.add_string(bits)
+                 blob = self._get_session_blob(
+diff --git a/paramiko/transport.py b/paramiko/transport.py
+index 5265e09..e8ff0e0 100644
+--- a/paramiko/transport.py
+++ b/paramiko/transport.py
+@@ -213,6 +213,43 @@ class Transport(threading.Thread, ClosingContextManager):
+     )
+     _preferred_compression = ("none",)
+ 
+    _whitelist_ciphers = (
+        "aes128-ctr",
+        "aes192-ctr",
+        "aes256-ctr",
+        "chacha20-poly1305@openssh.com",
+        "aes128-gcm@openssh.com",
+        "aes256-gcm@openssh.com",
+    )
+
+    _whitelist_macs = (
+        "hmac-sha2-512",
+        "hmac-sha2-512-etm@openssh.com",
+        "hmac-sha2-256",
+        "hmac-sha2-256-etm@openssh.com",
+    )
+
+    _whitelist_keys = (
+        "ssh-ed25519",
+        "ecdsa-sha2-nistp256",
+        "ssh-ed25519-cert-v01@openssh.com",
+        "rsa-sha2-256",
+        "rsa-sha2-512",
+    )
+
+    _whitelist_pubkeys = (
+        "ssh-ed25519",
+        "ssh-ed25519-cert-v01@openssh.com",
+        "rsa-sha2-256",
+        "rsa-sha2-512",
+    )
+
+    _whitelist_kex = (
+        "curve25519-sha256",
+        "curve25519-sha256@libssh.org",
+        "diffie-hellman-group-exchange-sha256",
+    )
+
+     _cipher_info = {
+         "aes128-ctr": {
+             "class": algorithms.AES,
+@@ -2507,6 +2544,13 @@ class Transport(threading.Thread, ClosingContextManager):
+                 "Incompatible ssh peer (no acceptable kex algorithm)"
+             )  # noqa
+         self.kex_engine = self._kex_info[agreed_kex[0]](self)
+
+        if not list (
+                filter(
+                    agreed_kex[0].__contains__,
+                    self._whitelist_kex)):
+            self._log(WARNING, "Insecure Kex algorithm may be used: {}".format(agreed_kex[0]))
+
+         self._log(DEBUG, "Kex: {}".format(agreed_kex[0]))
+ 
+         if self.server_mode:
+@@ -2534,6 +2578,13 @@ class Transport(threading.Thread, ClosingContextManager):
+             raise IncompatiblePeer(
+                 "Incompatible ssh peer (can't match requested host key type)"
+             )  # noqa
+
+        if not list (
+                filter(
+                    self.host_key_type.__contains__,
+                    self._whitelist_keys)):
+            self._log(WARNING, "Insecure HostKey algorithm may be used: {}".format(self.host_key_type))
+
+         self._log_agreement("HostKey", agreed_keys[0], agreed_keys[0])
+ 
+         if self.server_mode:
+@@ -2568,6 +2619,13 @@ class Transport(threading.Thread, ClosingContextManager):
+             )  # noqa
+         self.local_cipher = agreed_local_ciphers[0]
+         self.remote_cipher = agreed_remote_ciphers[0]
+
+        if not list (
+                filter(
+                    self.local_cipher.__contains__,
+                    self._whitelist_ciphers)):
+            self._log(WARNING, "Insecure Cipher algorithm may be used: {}".format(self.local_cipher))
+
+         self._log_agreement(
+             "Cipher", local=self.local_cipher, remote=self.remote_cipher
+         )
+@@ -2592,6 +2650,13 @@ class Transport(threading.Thread, ClosingContextManager):
+             )
+         self.local_mac = agreed_local_macs[0]
+         self.remote_mac = agreed_remote_macs[0]
+
+        if not list (
+                filter(
+                    self.local_mac.__contains__,
+                    self._whitelist_macs)):
+            self._log(WARNING, "Insecure Mac algorithm may be used: {}".format(self.local_mac))
+
+         self._log_agreement(
+             "MAC", local=self.local_mac, remote=self.remote_mac
+         )
+-- 
+2.33.0
+
--- a/python-paramiko.spec
+++ b/python-paramiko.spec
@ -1,12 +1,13 @@
 Name:          python-paramiko
 Version:       3.4.0
-Release:       1
+Release:       2
 Summary:       Python SSH module
 License:       LGPLv2+
 URL:           https://github.com/paramiko/paramiko
 Source0:       https://github.com/paramiko/paramiko/archive/%{version}/paramiko-%{version}.tar.gz

 Patch0:        Remove-icecream-dep.patch
+Patch9000:     add-insecure-algorithm-log.patch

 BuildArch:     noarch

@ -66,6 +67,9 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} pytest-%{python3_version}
 %doc html/ demos/ README.rst

 %changelog
+* Tue Jun 25 2024 zhangpan <zhangpan103@h-partners.com> - 3.4.0-2
+- add insecure algorithm log
+
 * Tue Jan 09 2024 yaoxin <yao_xin001@hoperun.com> - 3.4.0-1
 - Upgrade to 3.4.0 for fix CVE-2023-48795