Updated ext-info-c and ext-info-s key exchanges to include versions of OpenSSH they were first included in. (#291)

2024-11-16 13:35:39 +01:00 · 2024-10-07 17:41:39 -04:00 · 2024-10-07 17:41:39 -04:00 · d0628f6eb4
commit d0628f6eb4
parent 1e060a94c0
2 changed files with 7 additions and 4 deletions
--- a/src/ssh_audit/algorithms.py
+++ b/src/ssh_audit/algorithms.py
@ -172,8 +172,11 @@ class Algorithms:
                        if fc > 0:
                            faults += pow(10, 2 - i) * fc
                    if n not in alg_list:
-                        # Don't recommend certificate or token types; these will only appear in the server's list if they are fully configured & functional on the server.
-                        if faults > 0 or (alg_type == 'key' and (('-cert-' in n) or (n.startswith('sk-')))) or empty_version:
+                        # Don't recommend certificate or token types; these will only appear in the server's list if they are fully configured & functional on the server.  Also don't recommend 'ext-info-[cs]' nor 'kex-strict-[cs]-v00@openssh.com' key exchanges.
+                        if faults > 0 or \
+                           (alg_type == 'key' and (('-cert-' in n) or (n.startswith('sk-')))) or \
+                           (alg_type == 'kex' and (n.startswith('ext-info-') or n.startswith('kex-strict-'))) or \
+                           empty_version:
                            continue
                        rec[sshv][alg_type]['add'][n] = 0
                    else:
--- a/src/ssh_audit/ssh2_kexdb.py
+++ b/src/ssh_audit/ssh2_kexdb.py
@ -160,8 +160,8 @@ class SSH2_KexDB:  # pylint: disable=too-few-public-methods
            'ecdh-sha2-wiRIU8TKjMZ418sMqlqtvQ==': [[], [FAIL_UNPROVEN]],  # sect283k1
            'ecdh-sha2-zD/b3hu/71952ArpUG4OjQ==': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS]],  # sect233k1
            'ecmqv-sha2': [[], [FAIL_UNPROVEN]],
-            'ext-info-c': [[], [], [], [INFO_EXTENSION_NEGOTIATION]],  # Extension negotiation (RFC 8308)
-            'ext-info-s': [[], [], [], [INFO_EXTENSION_NEGOTIATION]],  # Extension negotiation (RFC 8308)
+            'ext-info-c': [['7.2'], [], [], [INFO_EXTENSION_NEGOTIATION]],  # Extension negotiation (RFC 8308)
+            'ext-info-s': [['9.6'], [], [], [INFO_EXTENSION_NEGOTIATION]],  # Extension negotiation (RFC 8308)
            'kex-strict-c-v00@openssh.com': [[], [], [], [INFO_STRICT_KEX]],  # Strict KEX marker (countermeasure for CVE-2023-48795).
            'kex-strict-s-v00@openssh.com': [[], [], [], [INFO_STRICT_KEX]],  # Strict KEX marker (countermeasure for CVE-2023-48795).