From 3300c60aaa3603f1683fba9454e792e270672055 Mon Sep 17 00:00:00 2001
From: Joe Testa <jtesta@positronsecurity.com>
Date: Fri, 14 Oct 2022 23:21:09 -0400
Subject: [PATCH] Added 'ssh-xmss@openssh.com' and
 'ssh-xmss-cert-v01@openssh.com' experimental host keys (#146).

---
 README.md                   | 2 +-
 src/ssh_audit/ssh2_kexdb.py | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 196a099..fe1b449 100644
--- a/README.md
+++ b/README.md
@@ -180,7 +180,7 @@ For convenience, a web front-end on top of the command-line tool is available at
  - Added `-g` and `--gex-test` for granular GEX modulus size tests; credit [Adam Russell](https://github.com/thecliguy).
  - Snap packages now print more user-friendly error messages when permission errors are encountered.
  - JSON 'target' field now always includes port number; credit [tomatohater1337](https://github.com/tomatohater1337).
- - Added 1 new host key: `webauthn-sk-ecdsa-sha2-nistp256@openssh.com`.
+ - Added 3 new host keys: `ssh-xmss@openssh.com`, `ssh-xmss-cert-v01@openssh.com`, `webauthn-sk-ecdsa-sha2-nistp256@openssh.com`.
  - Added 24 new key exchanges: `ecdh-sha2-1.3.132.0.1`, `ecdh-sha2-1.2.840.10045.3.1.1`, `ecdh-sha2-1.3.132.0.33`, `ecdh-sha2-1.3.132.0.26`, `ecdh-sha2-1.3.132.0.27`, `ecdh-sha2-1.2.840.10045.3.1.7`, `ecdh-sha2-1.3.132.0.16`, `ecdh-sha2-1.3.132.0.34`, `ecdh-sha2-1.3.132.0.36`, `ecdh-sha2-1.3.132.0.37`, `ecdh-sha2-1.3.132.0.35`, `ecdh-sha2-1.3.132.0.38`, `ecdh-sha2-4MHB+NBt3AlaSRQ7MnB4cg==`, `ecdh-sha2-5pPrSUQtIaTjUSt5VZNBjg==`, `ecdh-sha2-VqBg4QRPjxx1EXZdV0GdWQ==`, `ecdh-sha2-zD/b3hu/71952ArpUG4OjQ==`, `ecdh-sha2-qCbG5Cn/jjsZ7nBeR7EnOA==`, `ecdh-sha2-9UzNcgwTlEnSCECZa7V1mw==`, `ecdh-sha2-wiRIU8TKjMZ418sMqlqtvQ==`, `ecdh-sha2-qcFQaMAMGhTziMT0z+Tuzw==`, `ecdh-sha2-m/FtSAmrV4j/Wy6RVUaK7A==`, `ecdh-sha2-D3FefCjYoJ/kfXgAyLddYA==`, `ecdh-sha2-h/SsxnLCtRBh7I9ATyeB3A==`, `ecdh-sha2-mNVwCXAoS1HGmHpLvBC94w==`.
  - Added 1 new MAC: `hmac-sha1-96@openssh.com`.
 
diff --git a/src/ssh_audit/ssh2_kexdb.py b/src/ssh_audit/ssh2_kexdb.py
index 047fbd7..536946b 100644
--- a/src/ssh_audit/ssh2_kexdb.py
+++ b/src/ssh_audit/ssh2_kexdb.py
@@ -197,6 +197,8 @@ class SSH2_KexDB:  # pylint: disable=too-few-public-methods
             'x509v3-ecdsa-sha2-nistp521': [[], [WARN_CURVES_WEAK]],
             'x509v3-rsa2048-sha256': [[]],
             'webauthn-sk-ecdsa-sha2-nistp256@openssh.com': [['8.3'], [WARN_CURVES_WEAK]],
+            'ssh-xmss@openssh.com': [['7.7'], [WARN_EXPERIMENTAL]],
+            'ssh-xmss-cert-v01@openssh.com': [['7.7'], [WARN_EXPERIMENTAL]],
         },
         'enc': {
             'none': [['1.2.2,d2013.56,l10.2'], [FAIL_PLAINTEXT]],