MLKEM768NISTP256-SHA256 | MLKEM1024NISTP384-SHA384 | Add new KEX

JoottunAtish 2025-01-17 11:21:48 +04:00
parent e318787a5c
commit 199cb4d76a


@ -62,6 +62,8 @@ class SSH2_KexDB: # pylint: disable=too-few-public-methods
WARN_TAG_SIZE = 'using small 64-bit tag size'
WARN_TAG_SIZE_96 = 'using small 96-bit tag size'
WARN_DEPRICATED_MLKEM_768_NISTP = 'algorithm with limited support beyond 2030'
INFO_DEFAULT_OPENSSH_CIPHER = 'default cipher since OpenSSH 6.9'
INFO_DEFAULT_OPENSSH_KEX_65_TO_73 = 'default key exchange from OpenSSH 6.5 to 7.3'
INFO_DEFAULT_OPENSSH_KEX_74_TO_89 = 'default key exchange from OpenSSH 7.4 to 8.9'
@ -72,6 +74,8 @@ class SSH2_KexDB: # pylint: disable=too-few-public-methods
INFO_DISABLED_IN_OPENSSH70 = 'disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0'
INFO_NEVER_IMPLEMENTED_IN_OPENSSH = 'despite the @openssh.com tag, this was never implemented in OpenSSH'
INFO_HYBRID_PQ_X25519_KEX = 'hybrid key exchange based on post-quantum resistant algorithm and proven conventional X25519 algorithm'
INFO_HYBRID_PQ_NISTP256_KEX = 'Hybrid key exchange based on post-quantum resistant algorithm using NISTP-256 Curve'
INFO_HYBRID_PQ_NISTP384_KEX = 'Hybrid key exchange based on post-quantum resistant algorithm using NISTP-384 Curve'
INFO_REMOVED_IN_OPENSSH61 = 'removed since OpenSSH 6.1, removed from specification'
INFO_REMOVED_IN_OPENSSH69 = 'removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9'
INFO_REMOVED_IN_OPENSSH70 = 'removed in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0'
@ -193,6 +197,9 @@ class SSH2_KexDB: # pylint: disable=too-few-public-methods
'm383-sha384@libassh.org': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]],
'm511-sha512@libassh.org': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]],
'mlkem768x25519-sha256': [['9.9'], [], [], [INFO_HYBRID_PQ_X25519_KEX]],
'mlkem768nistp256-sha256': [[], [], [WARN_DEPRICATED_MLKEM_768_NISTP], [INFO_HYBRID_PQ_NISTP256_KEX]],
'mlkem1024nistp384-sha384': [[], [], [], [INFO_HYBRID_PQ_NISTP384_KEX]],
'rsa1024-sha1': [[], [FAIL_1024BIT_MODULUS, FAIL_SHA1], [WARN_NOT_PQ_SAFE]],
'rsa2048-sha256': [[], [], [WARN_2048BIT_MODULUS, WARN_NOT_PQ_SAFE]],
'sm2kep-sha2-nistp256': [[], [FAIL_NSA_BACKDOORED_CURVE, FAIL_UNTRUSTED], [WARN_NOT_PQ_SAFE]],
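Review bot: The new `mlkem768nistp256-sha256` and `mlkem1024nistp384-sha384` entries have empty failure lists, while the other nistp256-named entry visible in this hunk, `sm2kep-sha2-nistp256`, carries `FAIL_NSA_BACKDOORED_CURVE`. The table should either apply the same curve policy to the hybrids or record why they are exempt, for example `# hybrid with ML-KEM: the NIST curve is not the only source of secrecy, so FAIL_NSA_BACKDOORED_CURVE is deliberately not applied` (if that is the intent). The warning text 'algorithm with limited support beyond 2030' does not tell someone reading an audit report what the limitation is or which guidance it comes from; several neighbouring INFO_ strings cite a release-note URL, and a reference of that kind would make this warning actionable. The constant name is also misspelt (`WARN_DEPRICATED_MLKEM_768_NISTP` should read `WARN_DEPRECATED_MLKEM_768_NISTP`), and the two new INFO strings begin with a capital 'Hybrid' where the existing `INFO_HYBRID_PQ_X25519_KEX` uses lower case. The `SSH2_KexDB` class body starts and ends outside the hunks shown.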