Merge 066dcf4899 into dcbc43acdf

Fixed crash when running with '-P' and '-T' options simultaneously. (#273 )
fix for https://github.com/jtesta/ssh-audit/issues/275
2026-05-25 15:31:23 +02:00 · 2024-07-02 20:59:20 -04:00 · 2024-07-02 20:56:11 -04:00 · 2024-06-22 17:38:08 +02:00
4 changed files with 41 additions and 8 deletions
@@ -216,6 +216,7 @@ For convenience, a web front-end on top of the command-line tool is available at
 ### v3.3.0-dev (???)
 - Added built-in policies for Ubuntu 24.04 LTS server and client.
 - Added IPv6 support for DHEat and connection rate tests.
+ - Fixed crash when running with `-P` and `-T` options simultaneously.

 ### v3.2.0 (2024-04-22)
 - Added implementation of the DHEat denial-of-service attack (see `--dheat` option; [CVE-2002-20001](https://nvd.nist.gov/vuln/detail/CVE-2002-20001)).
@@ -50,9 +50,19 @@ class HostKeyTest:
        'rsa-sha2-256-cert-v01@openssh.com': {'cert': True, 'variable_key_len': True},
        'rsa-sha2-512-cert-v01@openssh.com': {'cert': True, 'variable_key_len': True},

-        'ssh-ed25519':                      {'cert': False, 'variable_key_len': False},
-        'ssh-ed25519-cert-v01@openssh.com': {'cert': True, 'variable_key_len': False},
-    }
+        'ssh-ed25519':                      {'cert': False, 'variable_key_len': True},
+        'ssh-ed25519-cert-v01@openssh.com': {'cert': True, 'variable_key_len': True},
+
+        'ecdsa-sha2-nistp256':              {'cert': False, 'variable_key_len': True},
+        'ecdsa-sha2-nistp256-cert-v01@openssh.com': {'cert': True, 'variable_key_len': True},
+
+        'ecdsa-sha2-nistp384':              {'cert': False, 'variable_key_len': True},
+        'ecdsa-sha2-nistp384-cert-v01@openssh.com': {'cert': True, 'variable_key_len': True},
+
+        'ecdsa-sha2-nistp521':              {'cert': False, 'variable_key_len': True},
+        'ecdsa-sha2-nistp521-cert-v01@openssh.com': {'cert': True, 'variable_key_len': True}
+}
+

    TWO2K_MODULUS_WARNING = '2048-bit modulus only provides 112-bits of symmetric strength'
    SMALL_ECC_MODULUS_WARNING = '224-bit ECC modulus only provides 112-bits of symmetric strength'
@@ -605,3 +605,29 @@ macs = %s
            dh_modulus_sizes_str = str(self._dh_modulus_sizes)

        return "Name: %s\nVersion: %s\nAllow Algorithm Subset and/or Reordering: %r\nBanner: %s\nCompressions: %s\nHost Keys: %s\nOptional Host Keys: %s\nKey Exchanges: %s\nCiphers: %s\nMACs: %s\nHost Key Sizes: %s\nDH Modulus Sizes: %s\nServer Policy: %r" % (name, version, self._allow_algorithm_subset_and_reordering, banner, compressions_str, host_keys_str, optional_host_keys_str, kex_str, ciphers_str, macs_str, hostkey_sizes_str, dh_modulus_sizes_str, self._server_policy)
+
+
+    def __getstate__(self) -> Dict[str, Any]:
+        '''Called when pickling this object.  The file descriptor isn't serializable, so we'll remove it from the state and include a string representation.'''
+
+        state = self.__dict__.copy()
+
+        if state['_warning_target'] == sys.stdout:
+            state['_warning_target_type'] = 'stdout'
+        else:
+            state['_warning_target_type'] = 'stderr'
+
+        del state['_warning_target']
+        return state
+
+
+    def __setstate__(self, state: Dict[str, Any]) -> None:
+        '''Called when unpickling this object.  Based on the string representation of the file descriptor, we'll restore the right handle.'''
+
+        if state['_warning_target_type'] == 'stdout':
+            state['_warning_target'] = sys.stdout
+        else:
+            state['_warning_target'] = sys.stderr
+
+        del state['_warning_target_type']
+        self.__dict__.update(state)
@@ -1150,17 +1150,13 @@ def build_struct(target_host: str, banner: Optional['Banner'], cves: List[Dict[s
            }
            if algorithm in host_keys:
                hostkey_info = host_keys[algorithm]
-                hostkey_size = cast(int, hostkey_info['hostkey_size'])
-
+                entry['keysize'] = cast(int, hostkey_info['hostkey_size'])
                ca_type = ''
                ca_size = 0
                if 'ca_key_type' in hostkey_info:
                    ca_type = cast(str, hostkey_info['ca_key_type'])
                if 'ca_key_size' in hostkey_info:
                    ca_size = cast(int, hostkey_info['ca_key_size'])
-
-                if algorithm in HostKeyTest.RSA_FAMILY or algorithm.startswith('ssh-rsa-cert-v0'):
-                    entry['keysize'] = hostkey_size
                if ca_size > 0:
                    entry['ca_algorithm'] = ca_type
                    entry['casize'] = ca_size
Author	SHA1	Message	Date
dreizehnutters	2c4642235b	Merge `066dcf4899` into `dcbc43acdf`	2024-07-02 20:59:20 -04:00
Joe Testa	dcbc43acdf	Fixed crash when running with '-P' and '-T' options simultaneously. (#273 )	2024-07-02 20:56:11 -04:00
dreizehnutters	066dcf4899	fix for https://github.com/jtesta/ssh-audit/issues/275	2024-06-22 17:38:08 +02:00