From 04912c774831ba9f865e951ab939643042bbd430 Mon Sep 17 00:00:00 2001 From: zhangpan Date: Tue, 25 Jun 2024 06:51:57 +0000 Subject: [PATCH] add insecure algorithm log (cherry picked from commit 3b9a0060226800286d8d8ee8354b6e978f8c1a4c) --- add-insecure-algorithm-log.patch | 133 +++++++++++++++++++++++++++++++ python-paramiko.spec | 6 +- 2 files changed, 138 insertions(+), 1 deletion(-) create mode 100644 add-insecure-algorithm-log.patch diff --git a/add-insecure-algorithm-log.patch b/add-insecure-algorithm-log.patch new file mode 100644 index 0000000..9c112e5 --- /dev/null +++ b/add-insecure-algorithm-log.patch @@ -0,0 +1,133 @@ +From 6c4f54130d892f5034ac40d139ff27b8bb4d1927 Mon Sep 17 00:00:00 2001 +From: zhangpan +Date: Fri, 12 Apr 2024 12:47:45 +0800 +Subject: [PATCH] Add Insecure Algorithm Logs + +--- + paramiko/auth_handler.py | 5 ++++ + paramiko/transport.py | 65 ++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 70 insertions(+) + +diff --git a/paramiko/auth_handler.py b/paramiko/auth_handler.py +index db89670..0454358 100644 +--- a/paramiko/auth_handler.py ++++ b/paramiko/auth_handler.py +@@ -384,6 +384,11 @@ class AuthHandler(object): + m.add_boolean(True) + key_type, bits = self._get_key_type_and_bits(self.private_key) + algorithm = self._finalize_pubkey_algorithm(key_type) ++ if not list ( ++ filter( ++ algorithm.__contains__, ++ self.transport._whitelist_pubkeys)): ++ self._log(WARNING, "Insecure PubKey algorithm may be used: {}".format(algorithm)) + m.add_string(algorithm) + m.add_string(bits) + blob = self._get_session_blob( +diff --git a/paramiko/transport.py b/paramiko/transport.py +index 5265e09..e8ff0e0 100644 +--- a/paramiko/transport.py ++++ b/paramiko/transport.py +@@ -213,6 +213,43 @@ class Transport(threading.Thread, ClosingContextManager): + ) + _preferred_compression = ("none",) + ++ _whitelist_ciphers = ( ++ "aes128-ctr", ++ "aes192-ctr", ++ "aes256-ctr", ++ "chacha20-poly1305@openssh.com", ++ "aes128-gcm@openssh.com", ++ "aes256-gcm@openssh.com", ++ ) ++ ++ _whitelist_macs = ( ++ "hmac-sha2-512", ++ "hmac-sha2-512-etm@openssh.com", ++ "hmac-sha2-256", ++ "hmac-sha2-256-etm@openssh.com", ++ ) ++ ++ _whitelist_keys = ( ++ "ssh-ed25519", ++ "ecdsa-sha2-nistp256", ++ "ssh-ed25519-cert-v01@openssh.com", ++ "rsa-sha2-256", ++ "rsa-sha2-512", ++ ) ++ ++ _whitelist_pubkeys = ( ++ "ssh-ed25519", ++ "ssh-ed25519-cert-v01@openssh.com", ++ "rsa-sha2-256", ++ "rsa-sha2-512", ++ ) ++ ++ _whitelist_kex = ( ++ "curve25519-sha256", ++ "curve25519-sha256@libssh.org", ++ "diffie-hellman-group-exchange-sha256", ++ ) ++ + _cipher_info = { + "aes128-ctr": { + "class": algorithms.AES, +@@ -2507,6 +2544,13 @@ class Transport(threading.Thread, ClosingContextManager): + "Incompatible ssh peer (no acceptable kex algorithm)" + ) # noqa + self.kex_engine = self._kex_info[agreed_kex[0]](self) ++ ++ if not list ( ++ filter( ++ agreed_kex[0].__contains__, ++ self._whitelist_kex)): ++ self._log(WARNING, "Insecure Kex algorithm may be used: {}".format(agreed_kex[0])) ++ + self._log(DEBUG, "Kex: {}".format(agreed_kex[0])) + + if self.server_mode: +@@ -2534,6 +2578,13 @@ class Transport(threading.Thread, ClosingContextManager): + raise IncompatiblePeer( + "Incompatible ssh peer (can't match requested host key type)" + ) # noqa ++ ++ if not list ( ++ filter( ++ self.host_key_type.__contains__, ++ self._whitelist_keys)): ++ self._log(WARNING, "Insecure HostKey algorithm may be used: {}".format(self.host_key_type)) ++ + self._log_agreement("HostKey", agreed_keys[0], agreed_keys[0]) + + if self.server_mode: +@@ -2568,6 +2619,13 @@ class Transport(threading.Thread, ClosingContextManager): + ) # noqa + self.local_cipher = agreed_local_ciphers[0] + self.remote_cipher = agreed_remote_ciphers[0] ++ ++ if not list ( ++ filter( ++ self.local_cipher.__contains__, ++ self._whitelist_ciphers)): ++ self._log(WARNING, "Insecure Cipher algorithm may be used: {}".format(self.local_cipher)) ++ + self._log_agreement( + "Cipher", local=self.local_cipher, remote=self.remote_cipher + ) +@@ -2592,6 +2650,13 @@ class Transport(threading.Thread, ClosingContextManager): + ) + self.local_mac = agreed_local_macs[0] + self.remote_mac = agreed_remote_macs[0] ++ ++ if not list ( ++ filter( ++ self.local_mac.__contains__, ++ self._whitelist_macs)): ++ self._log(WARNING, "Insecure Mac algorithm may be used: {}".format(self.local_mac)) ++ + self._log_agreement( + "MAC", local=self.local_mac, remote=self.remote_mac + ) +-- +2.33.0 + diff --git a/python-paramiko.spec b/python-paramiko.spec index c4d80ac..6bc74ce 100644 --- a/python-paramiko.spec +++ b/python-paramiko.spec @@ -1,12 +1,13 @@ Name: python-paramiko Version: 3.4.0 -Release: 1 +Release: 2 Summary: Python SSH module License: LGPLv2+ URL: https://github.com/paramiko/paramiko Source0: https://github.com/paramiko/paramiko/archive/%{version}/paramiko-%{version}.tar.gz Patch0: Remove-icecream-dep.patch +Patch9000: add-insecure-algorithm-log.patch BuildArch: noarch @@ -66,6 +67,9 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} pytest-%{python3_version} %doc html/ demos/ README.rst %changelog +* Tue Jun 25 2024 zhangpan - 3.4.0-2 +- add insecure algorithm log + * Tue Jan 09 2024 yaoxin - 3.4.0-1 - Upgrade to 3.4.0 for fix CVE-2023-48795 -- Gitee