!53 add insecure algorithm log

From: @zppzhangpan 
Reviewed-by: @caodongxia 
Signed-off-by: @caodongxia

Remove-icecream-dep.patch

@@ -0,0 +1,26 @@
+--- a/dev-requirements.txt
++++ b/dev-requirements.txt
+@@ -17,7 +17,5 @@ coverage>=6.2,<7
+ alabaster==0.7.13
+ releases>=2.1
+ watchdog<2
+-# Debuggery
+-icecream>=2.1
+ # Self (sans GSS which is a pain to bother with most of the time)
+ -e ".[invoke]"
+--- a/tests/conftest.py
++++ b/tests/conftest.py
+@@ -22,13 +22,6 @@ from ._loop import LoopSocket
+ from ._stub_sftp import StubServer, StubSFTPServer
+ from ._util import _support
+ 
+-from icecream import ic, install as install_ic
+-
+-
+-# Better print() for debugging - use ic()!
+-install_ic()
+-ic.configureOutput(includeContext=True)
+-
+ 
+ # Perform logging by default; pytest will capture and thus hide it normally,
+ # presenting it on error/failure. (But also allow turning it off when doing

add-insecure-algorithm-log.patch

@@ -0,0 +1,133 @@
+From 6c4f54130d892f5034ac40d139ff27b8bb4d1927 Mon Sep 17 00:00:00 2001
+From: zhangpan <zhangpan103@h-partners.com>
+Date: Fri, 12 Apr 2024 12:47:45 +0800
+Subject: [PATCH] Add Insecure Algorithm Logs
+
+---
+ paramiko/auth_handler.py |  5 ++++
+ paramiko/transport.py    | 65 ++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 70 insertions(+)
+
+diff --git a/paramiko/auth_handler.py b/paramiko/auth_handler.py
+index db89670..0454358 100644
+--- a/paramiko/auth_handler.py
++++ b/paramiko/auth_handler.py
+@@ -384,6 +384,11 @@ class AuthHandler(object):
+                 m.add_boolean(True)
+                 key_type, bits = self._get_key_type_and_bits(self.private_key)
+                 algorithm = self._finalize_pubkey_algorithm(key_type)
++                if not list (
++                        filter(
++                            algorithm.__contains__,
++                            self.transport._whitelist_pubkeys)):
++                    self._log(WARNING, "Insecure PubKey algorithm may be used: {}".format(algorithm))
+                 m.add_string(algorithm)
+                 m.add_string(bits)
+                 blob = self._get_session_blob(
+diff --git a/paramiko/transport.py b/paramiko/transport.py
+index 5265e09..e8ff0e0 100644
+--- a/paramiko/transport.py
++++ b/paramiko/transport.py
+@@ -213,6 +213,43 @@ class Transport(threading.Thread, ClosingContextManager):
+     )
+     _preferred_compression = ("none",)
+ 
++    _whitelist_ciphers = (
++        "aes128-ctr",
++        "aes192-ctr",
++        "aes256-ctr",
++        "chacha20-poly1305@openssh.com",
++        "aes128-gcm@openssh.com",
++        "aes256-gcm@openssh.com",
++    )
++
++    _whitelist_macs = (
++        "hmac-sha2-512",
++        "hmac-sha2-512-etm@openssh.com",
++        "hmac-sha2-256",
++        "hmac-sha2-256-etm@openssh.com",
++    )
++
++    _whitelist_keys = (
++        "ssh-ed25519",
++        "ecdsa-sha2-nistp256",
++        "ssh-ed25519-cert-v01@openssh.com",
++        "rsa-sha2-256",
++        "rsa-sha2-512",
++    )
++
++    _whitelist_pubkeys = (
++        "ssh-ed25519",
++        "ssh-ed25519-cert-v01@openssh.com",
++        "rsa-sha2-256",
++        "rsa-sha2-512",
++    )
++
++    _whitelist_kex = (
++        "curve25519-sha256",
++        "curve25519-sha256@libssh.org",
++        "diffie-hellman-group-exchange-sha256",
++    )
++
+     _cipher_info = {
+         "aes128-ctr": {
+             "class": algorithms.AES,
+@@ -2507,6 +2544,13 @@ class Transport(threading.Thread, ClosingContextManager):
+                 "Incompatible ssh peer (no acceptable kex algorithm)"
+             )  # noqa
+         self.kex_engine = self._kex_info[agreed_kex[0]](self)
++
++        if not list (
++                filter(
++                    agreed_kex[0].__contains__,
++                    self._whitelist_kex)):
++            self._log(WARNING, "Insecure Kex algorithm may be used: {}".format(agreed_kex[0]))
++
+         self._log(DEBUG, "Kex: {}".format(agreed_kex[0]))
+ 
+         if self.server_mode:
+@@ -2534,6 +2578,13 @@ class Transport(threading.Thread, ClosingContextManager):
+             raise IncompatiblePeer(
+                 "Incompatible ssh peer (can't match requested host key type)"
+             )  # noqa
++
++        if not list (
++                filter(
++                    self.host_key_type.__contains__,
++                    self._whitelist_keys)):
++            self._log(WARNING, "Insecure HostKey algorithm may be used: {}".format(self.host_key_type))
++
+         self._log_agreement("HostKey", agreed_keys[0], agreed_keys[0])
+ 
+         if self.server_mode:
+@@ -2568,6 +2619,13 @@ class Transport(threading.Thread, ClosingContextManager):
+             )  # noqa
+         self.local_cipher = agreed_local_ciphers[0]
+         self.remote_cipher = agreed_remote_ciphers[0]
++
++        if not list (
++                filter(
++                    self.local_cipher.__contains__,
++                    self._whitelist_ciphers)):
++            self._log(WARNING, "Insecure Cipher algorithm may be used: {}".format(self.local_cipher))
++
+         self._log_agreement(
+             "Cipher", local=self.local_cipher, remote=self.remote_cipher
+         )
+@@ -2592,6 +2650,13 @@ class Transport(threading.Thread, ClosingContextManager):
+             )
+         self.local_mac = agreed_local_macs[0]
+         self.remote_mac = agreed_remote_macs[0]
++
++        if not list (
++                filter(
++                    self.local_mac.__contains__,
++                    self._whitelist_macs)):
++            self._log(WARNING, "Insecure Mac algorithm may be used: {}".format(self.local_mac))
++
+         self._log_agreement(
+             "MAC", local=self.local_mac, remote=self.remote_mac
+         )
+-- 
+2.33.0
+

backport-Skip-tests-requiring-invoke.patch

@@ -1,37 +0,0 @@
-From 2dc654a20c4f1908d587060809a9d67b31352497 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= <mgorny@gentoo.org>
-Date: Thu, 16 Apr 2020 09:46:39 +0200
-Subject: [PATCH] Skip tests requiring invoke if it's not installed
- 
-Since invoke is an optional dependency and only one group of tests
-require it, skip them gracefully rather than failing if it's not
-present.
----
- tests/test_config.py | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
- 
-diff --git a/tests/test_config.py b/tests/test_config.py
-index 5e9aa0592..2095061f2 100644
---- a/tests/test_config.py
-+++ b/tests/test_config.py
-@@ -6,7 +6,11 @@
- 
- from paramiko.py3compat import string_types
- 
--from invoke import Result
-+try:
-+    from invoke import Result
-+except ImportError:
-+    Result = None
-+
- from mock import patch
- from pytest import raises, mark, fixture
- 
-@@ -705,6 +709,7 @@ def inner(command, *args, **kwargs):
-     return inner
- 
- 
-+@mark.skipif(Result is None, reason="requires invoke package")
- class TestMatchExec(object):
-     @patch("paramiko.config.invoke", new=None)
-     @patch("paramiko.config.invoke_import_error", new=ImportError("meh"))

paramiko-2.7.2-drop-pytest-relaxed.patch

@@ -1,62 +0,0 @@
-From 953d9a1f1055de97e35c7060fcebc7283eff9e29 Mon Sep 17 00:00:00 2001
-From: zhaorenhai <zhaorenhai@hotmail.com>
-Date: Fri, 29 Jan 2021 06:48:10 +0000
-Subject: [PATCH] drop pytest-relaxed
-
----
- tests/test_client.py | 24 ++++++++++++------------
- 1 file changed, 12 insertions(+), 12 deletions(-)
-
-diff --git a/tests/test_client.py b/tests/test_client.py
-index 60ad310c..2d665cdd 100644
---- a/tests/test_client.py
-+++ b/tests/test_client.py
-@@ -33,7 +33,7 @@ import warnings
- import weakref
- from tempfile import mkstemp
- 
--from pytest_relaxed import raises
-+from pytest import raises
- from mock import patch, Mock
- 
- import paramiko
-@@ -684,10 +684,10 @@ class PasswordPassphraseTests(ClientTest):
- 
-     # TODO: more granular exception pending #387; should be signaling "no auth
-     # methods available" because no key and no password
--    @raises(SSHException)
-     def test_passphrase_kwarg_not_used_for_password_auth(self):
--        # Using the "right" password in the "wrong" field shouldn't work.
--        self._test_connection(passphrase="pygmalion")
-+        with raises(SSHException):
-+            # Using the "right" password in the "wrong" field shouldn't work.
-+            self._test_connection(passphrase='pygmalion')
- 
-     def test_passphrase_kwarg_used_for_key_passphrase(self):
-         # Straightforward again, with new passphrase kwarg.
-@@ -705,14 +705,14 @@ class PasswordPassphraseTests(ClientTest):
-             password="television",
-         )
- 
--    @raises(AuthenticationException)  # TODO: more granular
-     def test_password_kwarg_not_used_for_passphrase_when_passphrase_kwarg_given(  # noqa
-         self
-     ):
--        # Sanity: if we're given both fields, the password field is NOT used as
--        # a passphrase.
--        self._test_connection(
--            key_filename=_support("test_rsa_password.key"),
--            password="television",
--            passphrase="wat? lol no",
--        )
-+        with raises(AuthenticationException): # TODO: more granular
-+            # Sanity: if we're given both fields, the password field is NOT used as
-+            # a passphrase.
-+            self._test_connection(
-+                key_filename=_support('test_rsa_password.key'),
-+                password='television',
-+                passphrase='wat? lol no',
-+            )
--- 
-2.27.0
-

python-paramiko.spec

@@ -1,15 +1,13 @@
 Name:          python-paramiko
-Version:       2.8.1
+Version:       3.4.0
 Release:       2
 Summary:       Python SSH module
 License:       LGPLv2+
 URL:           https://github.com/paramiko/paramiko
 Source0:       https://github.com/paramiko/paramiko/archive/%{version}/paramiko-%{version}.tar.gz
 
-Patch0:        paramiko-2.7.2-drop-pytest-relaxed.patch
-# Skip tests requiring invoke if it's not installed
-# Can be removed when https://github.com/paramiko/paramiko/pull/1667/ is released
-Patch6000:      backport-Skip-tests-requiring-invoke.patch
+Patch0:        Remove-icecream-dep.patch
+Patch9000:     add-insecure-algorithm-log.patch
 
 BuildArch:     noarch
 
@@ -20,11 +18,12 @@ connections to remote machines.
 
 %package       -n python3-paramiko
 Summary:       Python SSH module
-BuildRequires: python3-devel python3-setuptools python3-bcrypt >= 3.1.3 python3-pytest
-BuildRequires: python3-cryptography >= 2.5 python3-pyasn1 >= 0.1.7 python3-pynacl >= 1.0.1
+BuildRequires: python3-devel python3-setuptools python3-bcrypt >= 3.2 python3-pytest
+BuildRequires: python3-cryptography >= 3.3 python3-pyasn1 >= 0.1.7 python3-pynacl >= 1.5
 BuildRequires: python3-mock >= 2.0
-Requires:      python3-bcrypt >= 3.1.3 python3-cryptography >= 1.5
-Requires:      python3-pyasn1 >= 0.1.7 python3-pynacl >= 1.0.1
+BuildRequires: python3-lexicon >= 2.0.1 python3-invoke python3-pytest-relaxed
+Requires:      python3-bcrypt >= 3.2 python3-cryptography >= 3.3
+Requires:      python3-pyasn1 >= 0.1.7 python3-pynacl >= 1.5
 %{?python_provide:%python_provide python3-paramiko}
 
 %description   -n python3-paramiko
@@ -57,7 +56,6 @@ sphinx-build -b html sites/docs/ html/
 rm -f html/.buildinfo
 
 %check
-rm -f tests/test_sftp*.py
 PYTHONPATH=%{buildroot}%{python3_sitelib} pytest-%{python3_version}
 
 %files -n python3-paramiko
@@ -66,9 +64,24 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} pytest-%{python3_version}
 %{python3_sitelib}/paramiko/
 
 %files help
-%doc html/ demos/ NEWS README.rst
+%doc html/ demos/ README.rst
 
 %changelog
+* Tue Jun 25 2024 zhangpan <zhangpan103@h-partners.com> - 3.4.0-2
+- add insecure algorithm log
+
+* Tue Jan 09 2024 yaoxin <yao_xin001@hoperun.com> - 3.4.0-1
+- Upgrade to 3.4.0 for fix CVE-2023-48795
+
+* Thu Jun 15 2023 yaoxin <yao_xin001@hoperun.com> - 3.2.0-1
+- Update to 3.2.0
+
+* Thu Jun 23 2022 houyingchao <houyingchao@h-partners.com> - 2.11.0-1
+- Upgrade to version 2.11.0
+
+* Mon Mar 28 2022 dongyuzhen <dongyuzhen@h-partners.com> - 2.8.1-3
+- fix CVE-2022-24302 and the rear patch of CVE-2022-24302
+
 * Sat Feb 26 2022 zhanzhimin <zhanzhimin@h-partners.com> - 2.8.1-2
 - drop invoke dependencies as it requires ancient pytest