Merge aab105c398 into 8ee0deade1

Result:
```
REPOSITORY     TAG       IMAGE ID       CREATED              SIZE
ssh-audit      after     03e247aee0cc   About a minute ago   131MB
ssh-audit      before    609962ceafb1   About a minute ago   150MB
```

Dockerfile

@@ -3,7 +3,7 @@ FROM python:3-slim
 WORKDIR /
 
 # Update the image to remediate any vulnerabilities.
-RUN apt clean && apt update && apt -y dist-upgrade && apt clean && rm -rf /var/lib/apt/lists/*
+RUN apt update && apt -y upgrade && apt -y dist-upgrade && rm -rf /var/lib/apt/lists/*
 
 # Remove suid & sgid bits from all files.
 RUN find / -xdev -perm /6000 -exec chmod ug-s {} \; 2> /dev/null || true

LICENSE

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (C) 2017-2023 Joe Testa (jtesta@positronsecurity.com)
+Copyright (C) 2017-2024 Joe Testa (jtesta@positronsecurity.com)
 Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu)
 
 

README.md

@@ -57,7 +57,8 @@ usage: ssh-audit.py [options] <host>
    -L,  --list-policies    list all the official, built-in policies
         --lookup=<alg1,alg2,...>    looks up an algorithm(s) without
                                     connecting to a server
-   -m,  --manual           print the man page (Windows only)
+   -m,  --manual           print the man page (Docker, PyPI, Snap, and Windows
+                                    builds only)
    -M,  --make-policy=<policy.txt>  creates a policy based on the target server
                                     (i.e.: the target server has the ideal
                                     configuration that other servers should
@@ -183,6 +184,8 @@ For convenience, a web front-end on top of the command-line tool is available at
  - Color output is disabled if the `NO_COLOR` environment variable is set (see https://no-color.org/).
  - Fixed parsing of ecdsa-sha2-nistp* CA signatures on host keys.  Additionally, they are now flagged as potentially back-doored, just as standard host keys are.
  - The built-in man page (`-m`, `--manual`) is now available on Docker, PyPI, and Snap builds, in addition to the Windows build.
+ - Snap builds are now architecture-independent.
+ - Gracefully handle rare exceptions (i.e.: crashes) while performing GEX tests.
 
 ### v3.1.0 (2023-12-20)
  - Added test for the Terrapin message prefix truncation vulnerability ([CVE-2023-48795](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795)).

snapcraft.yaml

@@ -8,6 +8,9 @@ description: |
 base: core22
 grade: stable
 confinement: strict
+architectures:
+  - build-on: [amd64]
+    build-for: [all]
 
 apps:
   ssh-audit:

src/ssh_audit/gextest.py

@@ -21,6 +21,7 @@
    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
    THE SOFTWARE.
 """
+import struct
 import traceback
 
 # pylint: disable=unused-import
@@ -65,7 +66,7 @@ class GEXTest:
             # Parse the server's KEX.
             _, payload = s.read_packet(2)
             SSH2_Kex.parse(out, payload)
-        except KexDHException:
+        except (KexDHException, struct.error):
             out.v("Failed to parse server's kex.  Stack trace:\n%s" % str(traceback.format_exc()), write_now=True)
             return False
 

src/ssh_audit/policy.py

@@ -419,11 +419,11 @@ macs = %s
             hostkey_types = list(self._hostkey_sizes.keys())
             hostkey_types.sort()  # Sorted to make testing output repeatable.
             for hostkey_type in hostkey_types:
-                expected_hostkey_size = self._hostkey_sizes[hostkey_type]['hostkey_size']
+                expected_hostkey_size = cast(int, self._hostkey_sizes[hostkey_type]['hostkey_size'])
                 server_host_keys = kex.host_keys()
                 if hostkey_type in server_host_keys:
-                    actual_hostkey_size = server_host_keys[hostkey_type]['hostkey_size']
-                    if actual_hostkey_size != expected_hostkey_size:
+                    actual_hostkey_size = cast(int, server_host_keys[hostkey_type]['hostkey_size'])
+                    if actual_hostkey_size < expected_hostkey_size:
                         ret = False
                         self._append_error(errors, 'Host key (%s) sizes' % hostkey_type, [str(expected_hostkey_size)], None, [str(actual_hostkey_size)])
 
@@ -439,7 +439,7 @@ macs = %s
                             ret = False
                             self._append_error(errors, 'CA signature type', [expected_ca_key_type], None, [actual_ca_key_type])
                         # Ensure that the actual and expected signature sizes match.
-                        elif actual_ca_key_size != expected_ca_key_size:
+                        elif actual_ca_key_size < expected_ca_key_size:
                             ret = False
                             self._append_error(errors, 'CA signature size (%s)' % actual_ca_key_type, [str(expected_ca_key_size)], None, [str(actual_ca_key_size)])
 
@@ -462,7 +462,7 @@ macs = %s
                 expected_dh_modulus_size = self._dh_modulus_sizes[dh_modulus_type]
                 if dh_modulus_type in kex.dh_modulus_sizes():
                     actual_dh_modulus_size = kex.dh_modulus_sizes()[dh_modulus_type]
-                    if expected_dh_modulus_size != actual_dh_modulus_size:
+                    if expected_dh_modulus_size > actual_dh_modulus_size:
                         ret = False
                         self._append_error(errors, 'Group exchange (%s) modulus sizes' % dh_modulus_type, [str(expected_dh_modulus_size)], None, [str(actual_dh_modulus_size)])