ssh-audit/test/test_ssh2_kexdb.py

import pytest

from ssh_audit.ssh2_kexdb import SSH2_KexDB


class Test_SSH2_KexDB:

    @pytest.fixture(autouse=True)
    def init(self):
        self.db = SSH2_KexDB.get_db()
        self.pq_warning = SSH2_KexDB.WARN_NOT_PQ_SAFE

    def test_ssh2_kexdb(self):
        '''Ensures that the SSH2_KexDB.ALGORITHMS dictionary is in the right format.'''

        db_keys = list(self.db.keys())
        db_keys.sort()

        # Ensure only these keys exist in the database.
        assert db_keys == ['enc', 'kex', 'key', 'mac']

        # For 'enc', 'kex', etc...
        for alg_type in self.db:

            # Iterate over algorithms within this type (i.e.: all 'enc' algorithms, all 'kex' algorithms, etc).
            for alg_name in self.db[alg_type]:

                # Get the list of failures, warnings, etc., for this algorithm.
                alg_data = self.db[alg_type][alg_name]

                # This list must be between 1 and 4 entries long.
                assert 1 <= len(alg_data) <= 4

                # The first entry denotes the versions when this algorithm was added to OpenSSH, Dropbear, and/or libssh, followed by when it was deprecated, and finally when it was removed.  Hence it must have between 0 and 3 entries.
                added_entry = alg_data[0]
                assert 0 <= len(added_entry) <= 3


    def test_kex_pq_unsafe(self):
        '''Ensures that all key exchange algorithms are marked as post-quantum unsafe, unless they appear in a whitelist.'''

        # These algorithms include protections against quantum attacks.
        kex_pq_safe = [
            "ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org",
            "ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org",
            "ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org",
            "ext-info-c",
            "ext-info-s",
            "kex-strict-c-v00@openssh.com",
            "kex-strict-s-v00@openssh.com",
            "mlkem768x25519-sha256",
            "sntrup4591761x25519-sha512@tinyssh.org",
            "sntrup761x25519-sha512@openssh.com",
            "sntrup761x25519-sha512",
            "x25519-kyber-512r3-sha256-d00@amazon.com",
            "x25519-kyber512-sha512@aws.amazon.com"
        ]

        failures = []
        for kex_name in self.db['kex']:

            # Skip key exchanges that are PQ safe.
            if kex_name in kex_pq_safe:
                continue

            # Ensure all other kex exchanges have the proper PQ unsafe flag set in their warnings list.
            alg_data = self.db['kex'][kex_name]
            if len(alg_data) < 3 or self.pq_warning not in alg_data[2]:
                failures.append(kex_name)

        assert failures == []
Generic failure/warning messages replaced with more specific reasons. SHA-1 algorithms now cause failures. CBC mode ciphers are now warnings instead of failures. 2023-03-24 02:36:02 +01:00			`import pytest`

			`from ssh_audit.ssh2_kexdb import SSH2_KexDB`


			`class Test_SSH2_KexDB:`

			`@pytest.fixture(autouse=True)`
			`def init(self):`
Results from concurrent scans against multiple hosts are no longer improperly combined (#190). 2023-06-19 20:13:32 +02:00			`self.db = SSH2_KexDB.get_db()`
Added warnings to all key exchanges that do not provide protection against quantum attacks. 2024-11-25 21:56:51 +01:00			`self.pq_warning = SSH2_KexDB.WARN_NOT_PQ_SAFE`
Generic failure/warning messages replaced with more specific reasons. SHA-1 algorithms now cause failures. CBC mode ciphers are now warnings instead of failures. 2023-03-24 02:36:02 +01:00
			`def test_ssh2_kexdb(self):`
			`'''Ensures that the SSH2_KexDB.ALGORITHMS dictionary is in the right format.'''`

			`db_keys = list(self.db.keys())`
			`db_keys.sort()`

			`# Ensure only these keys exist in the database.`
			`assert db_keys == ['enc', 'kex', 'key', 'mac']`

			`# For 'enc', 'kex', etc...`
			`for alg_type in self.db:`

			`# Iterate over algorithms within this type (i.e.: all 'enc' algorithms, all 'kex' algorithms, etc).`
			`for alg_name in self.db[alg_type]:`

			`# Get the list of failures, warnings, etc., for this algorithm.`
			`alg_data = self.db[alg_type][alg_name]`

			`# This list must be between 1 and 4 entries long.`
			`assert 1 <= len(alg_data) <= 4`

			`# The first entry denotes the versions when this algorithm was added to OpenSSH, Dropbear, and/or libssh, followed by when it was deprecated, and finally when it was removed. Hence it must have between 0 and 3 entries.`
			`added_entry = alg_data[0]`
			`assert 0 <= len(added_entry) <= 3`
Added warnings to all key exchanges that do not provide protection against quantum attacks. 2024-11-25 21:56:51 +01:00

			`def test_kex_pq_unsafe(self):`
			`'''Ensures that all key exchange algorithms are marked as post-quantum unsafe, unless they appear in a whitelist.'''`

			`# These algorithms include protections against quantum attacks.`
			`kex_pq_safe = [`
			`"ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org",`
			`"ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org",`
			`"ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org",`
			`"ext-info-c",`
			`"ext-info-s",`
			`"kex-strict-c-v00@openssh.com",`
			`"kex-strict-s-v00@openssh.com",`
			`"mlkem768x25519-sha256",`
			`"sntrup4591761x25519-sha512@tinyssh.org",`
			`"sntrup761x25519-sha512@openssh.com",`
			`"sntrup761x25519-sha512",`
			`"x25519-kyber-512r3-sha256-d00@amazon.com",`
			`"x25519-kyber512-sha512@aws.amazon.com"`
			`]`

			`failures = []`
			`for kex_name in self.db['kex']:`

			`# Skip key exchanges that are PQ safe.`
			`if kex_name in kex_pq_safe:`
			`continue`

			`# Ensure all other kex exchanges have the proper PQ unsafe flag set in their warnings list.`
			`alg_data = self.db['kex'][kex_name]`
			`if len(alg_data) < 3 or self.pq_warning not in alg_data[2]:`
			`failures.append(kex_name)`

			`assert failures == []`