From be3ffc18cc466e0b0a877d716721353c12561bcc Mon Sep 17 00:00:00 2001
From: Jeff Forcier
Date: Fri, 15 Dec 2023 22:14:48 -0500
Subject: [PATCH] Make ext-info faux-KexAlgorithm detection more robust
Reference:https://github.com/paramiko/paramiko/commit/be3ffc18cc466e0b0a877d716721353c12561bcc
Conflict:The context of the changelog is adapted due to different versions
---
 paramiko/transport.py | 5 +++--
 sites/www/changelog.rst | 3 +++
 tests/test_transport.py | 8 ++++++--
 3 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/paramiko/transport.py b/paramiko/transport.py
index 68cc195..fd26371 100644
--- a/paramiko/transport.py
+++ b/paramiko/transport.py
@@ -2429,8 +2429,9 @@ class Transport(threading.Thread, ClosingContextManager):
 # Strip out ext-info "kex algo"
 self._remote_ext_info = None
- if kex_algo_list[-1].startswith("ext-info-"):
- self._remote_ext_info = kex_algo_list.pop()
+ for i, algo in enumerate(kex_algo_list):
+ if algo.startswith("ext-info-"):
+ self._remote_ext_info = kex_algo_list.pop(i)
 # as a server, we pick the first item in the client's list that we
 # support.
diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst
index 29754bc..f180e77 100644
--- a/sites/www/changelog.rst
+++ b/sites/www/changelog.rst
@@ -2,6 +2,9 @@ Changelog
 =========
+- :bug:`-` Tweak ``ext-info-(c|s)`` detection during KEXINIT protocol phase;
+ the original implementation made assumptions based on an OpenSSH
+ implementation detail.
 - :release:`2.11.0 <2022-05-16>`
 - :release:`2.10.5 <2022-05-16>`
 - :release:`2.9.5 <2022-05-16>`
diff --git a/tests/test_transport.py b/tests/test_transport.py
index 98a7d30..6bc0be8 100644
--- a/tests/test_transport.py
+++ b/tests/test_transport.py
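Review bot: Calling `kex_algo_list.pop(i)` from inside `enumerate(kex_algo_list)` shifts the remaining elements, so the entry immediately after each match is never inspected; if a peer's KEXINIT carried two adjacent `ext-info-*` markers, the second would survive into the algorithm list that the negotiation below (outside this hunk) consumes as if it were a real KEX method. RFC 8308 expects a peer to advertise only one such marker, but relying on that is the same kind of assumption about peer behaviour this commit is trying to remove, and a transport parsing a remote KEXINIT should tolerate any placement and count. Iterating over a snapshot makes the removal safe without touching the rest of the method: `for algo in list(kex_algo_list):` / `self._remote_ext_info = algo` / `kex_algo_list.remove(algo)`, keeping the existing `if algo.startswith("ext-info-"):` line between them. The enclosing method starts and ends outside the hunk, so I cannot tell here whether a second match is meant to overwrite the first or be rejected; a one-line comment stating the intended policy would help the next reader.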
@@ -1350,10 +1350,14 @@ class TestSHA2SignatureKeyExchange(unittest.TestCase):
 class TestExtInfo(unittest.TestCase):
- def test_ext_info_handshake(self):
+ def test_ext_info_handshake_exposed_in_client_kexinit(self):
 with server() as (tc, _):
+ # NOTE: this is latest KEXINIT /sent by us/ (Transport retains it)
 kex = tc._get_latest_kex_init()
- assert kex["kex_algo_list"][-1] == "ext-info-c"
+ # flag in KexAlgorithms list
+ assert "ext-info-c" in kex["kex_algo_list"]
+ # data stored on Transport after hearing back from a compatible
+ # server (such as ourselves in server mode)
 assert tc.server_extensions == {
 "server-sig-algs": b"ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss" # noqa
 }
--
2.33.0
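Review bot: The loosened assertion `assert "ext-info-c" in kex["kex_algo_list"]` only checks the KEXINIT this side sends; nothing in the rewritten test exercises the transport.py change, which is about a peer placing the marker somewhere other than the last position of its list. A test that hands the parser a kex list with `ext-info-c` in the middle and asserts both that `_remote_ext_info` records it and that the remaining list no longer contains it would pin the new loop's behaviour, including the adjacent-marker case the in-place `pop(i)` mishandles. As a cheaper first step, if the second value yielded by `server()` is the server-side Transport, adding `assert ts._remote_ext_info == "ext-info-c"` here would at least verify the detection path end to end rather than only the client's advertisement.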