From a0a1328e02f4a7ad385e601141461b9ffe1c66f1 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Tue, 17 Oct 2023 11:56:27 -0700
Subject: [PATCH] Add new SSH key exchange algorithms reported by OpenSSH 9.0
---
 src/analyzer/protocol/ssh/ssh-protocol.pac | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/analyzer/protocol/ssh/ssh-protocol.pac b/src/analyzer/protocol/ssh/ssh-protocol.pac
index 5a770e4af5..c343466ca3 100644
--- a/src/analyzer/protocol/ssh/ssh-protocol.pac
+++ b/src/analyzer/protocol/ssh/ssh-protocol.pac
@@ -475,6 +475,15 @@ refine connection SSH_Conn += {
 // UNTESTED
 if ( update_kex_state_if_equal("diffie-hellman-group14-sha1", KEX_DH) )
 return true;
+ // UNTESTED
+ if ( update_kex_state_if_equal("diffie-hellman-group14-sha256", KEX_DH) )
+ return true;
+ // UNTESTED
+ if ( update_kex_state_if_equal("diffie-hellman-group16-sha512", KEX_DH) )
+ return true;
+ // UNTESTED
+ if ( update_kex_state_if_equal("diffie-hellman-group16-sha512", KEX_DH) )
+ return true;
 if ( update_kex_state_if_equal("diffie-hellman-group-exchange-sha1", KEX_DH_GEX) )
 return true;
@@ -496,7 +505,9 @@ refine connection SSH_Conn += {
 return true;
 if ( update_kex_state_if_startswith("curve25519-sha256", KEX_ECC) )
 return true;
-
+ // UNTESTED
+ if ( update_kex_state_if_startswith("sntrup761x25519-sha512", KEX_ECC) )
+ return true;
 zeek_analyzer()->Weird("ssh_unknown_kex_algorithm", c_str(kex_algorithm_));
 return true;
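Review bot: The third added check in the first hunk repeats `"diffie-hellman-group16-sha512"`, so it can never match anything the second check has not already handled, and one intended algorithm name appears to be missing. Given the commit's stated goal of covering the OpenSSH 9.0 list, this was presumably meant to be `if ( update_kex_state_if_equal("diffie-hellman-group18-sha512", KEX_DH) )`. As written, a group18 negotiation would still reach the `ssh_unknown_kex_algorithm` weird at the end of the function, which adds noise to weird-based monitoring and likely leaves the key exchange state unset for that connection. The enclosing function starts and ends outside the hunk.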
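Review bot: The new `sntrup761x25519-sha512` branch in the second hunk is filed under `KEX_ECC` with only `// UNTESTED` as explanation, although it is a hybrid exchange rather than a plain curve. A comment should record the reasoning, e.g. `// Hybrid sntrup761 + X25519 ("sntrup761x25519-sha512@openssh.com"); treated as KEX_ECC on the assumption that it reuses the ECDH init/reply messages. UNTESTED`, and a trace-based test for this algorithm would be worth adding before relying on anything parsed after this point. The ECC message parsing is outside the hunk, so whether it copes with the much larger hybrid public values cannot be confirmed from here. The hunk also drops the blank line that separated the algorithm checks from the `Weird()` fallback; keeping it makes the fallback easier to spot.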