From 6974352b3891188858a2c0cc1a0919066d53d2e1 Mon Sep 17 00:00:00 2001
From: Sebastian Gumprich
Date: Fri, 21 Oct 2022 09:07:38 +0200
Subject: [PATCH] simplify crypto library

Signed-off-by: Sebastian Gumprich
---
 libraries/ssh_crypto.rb | 256 ++++++----------------------------------
 1 file changed, 36 insertions(+), 220 deletions(-)

diff --git a/libraries/ssh_crypto.rb b/libraries/ssh_crypto.rb
index f4430c2..17d21e5 100644
--- a/libraries/ssh_crypto.rb
+++ b/libraries/ssh_crypto.rb
@@ -17,6 +17,7 @@
 # author: Christoph Hartmann
 # author: Dominik Richter
 # author: Patrick Muench
+# author: Sebastian Gumprich
 class SshCrypto < Inspec.resource(1)
 name 'ssh_crypto'
@@ -26,253 +27,68 @@ def ssh_version
 end
 def valid_ciphers
- # define a set of default ciphers
- ciphers53 = 'aes256-ctr,aes192-ctr,aes128-ctr'
 ciphers66 = 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
- ciphers = ciphers53
+ ciphers53 = 'aes256-ctr,aes192-ctr,aes128-ctr'
- # adjust ciphers based on OS + release
- case inspec.os[:name]
- when 'ubuntu'
- ciphers = ciphers66 if inspec.os[:release][0, 2] > '12'
- when 'debian'
- case inspec.os[:release]
- when /^6\./, /^7\./
- ciphers = ciphers53
- when /^8\./, /^9\./, /^10\./, /^11\./
- ciphers = ciphers66
- end
- when 'redhat', 'centos', 'oracle', 'rocky', 'almalinux'
- case inspec.os[:release]
- when /^6\./
- ciphers = ciphers53
- when /^7.*/, /^8.*/, /^9.*/
- ciphers = ciphers66
- end
- when 'amazon', 'fedora', 'alpine', 'arch'
- ciphers = ciphers66
- when 'opensuse'
- case inspec.os[:release]
- when /^13\.2/
- ciphers = ciphers66
- when /^42\./
- ciphers = ciphers66
- end
- when 'mac_os_x'
- case inspec.os[:release]
- when /^10.9\./
- ciphers = ciphers53
- when /^10.10\./, /^10.11\./, /^10.12\./
- ciphers = ciphers66
- end
+ if ssh_version >= 6.6
+ ciphers66
+ else
+ ciphers53
 end
-
- ciphers
 end
 def valid_kexs
- # define a set of default KEXs
 kex85 = 'sntrup761x25519-sha512@openssh.com,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
 kex80 = 'sntrup4591761x25519-sha512@tinyssh.org,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
 kex66 = 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
 kex59 = 'diffie-hellman-group-exchange-sha256'
- kex = kex59
-
- # adjust KEXs based on OS + release
- case inspec.os[:name]
- # https://packages.ubuntu.com/search?keywords=openssh-server
- when 'ubuntu'
- kex = if inspec.os[:release][0, 2] >= '22'
- kex85
- elsif inspec.os[:release][0, 2] >= '19'
- kex80
- else
- kex66
- end
- # https://packages.debian.org/search?keywords=openssh-server
- when 'debian'
- case inspec.os[:release]
- when /^6\./
- kex = nil
- when /^7\./
- kex = kex59
- when /^8\./, /^9\./, /^10\./
- kex = kex66
- when /^11\./
- kex = kex80
- end
- when 'redhat', 'centos', 'oracle', 'rocky', 'almalinux'
- case inspec.os[:release]
- when /^6\./
- kex = nil
- when /^7\./
- kex = kex66
- when /^8.*/, /^9.*/
- kex = kex80
- end
- # https://pkgs.alpinelinux.org/packages?name=openssh
- # https://src.fedoraproject.org/rpms/openssh
- # https://software.opensuse.org/package/openssh
- when 'alpine', 'arch', 'fedora', 'opensuse'
- kex = if ssh_version >= 8.5
- kex85
- elsif ssh_version >= 8.0
- kex80
- elsif ssh_version >= 6.6
- kex66
- end
- when 'amazon'
- kex = kex66
- when 'mac_os_x'
- case inspec.os[:release]
- when /^10.9\./
- kex = kex59
- when /^10.10\./, /^10.11\./, /^10.12\./
- kex = kex66
- when /^10.15\./
- kex = kex80
- end
+ if ssh_version >= 8.5
+ kex85
+ elsif ssh_version >= 8.0
+ kex80
+ elsif ssh_version >= 6.6
+ kex66
+ else
+ kex59
 end
-
- kex
 end
 def valid_macs
- # define a set of default MACs
 macs66 = 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256'
 macs59 = 'hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
 macs53 = 'hmac-ripemd160,hmac-sha1'
- macs53_el65 = 'hmac-sha2-512,hmac-sha2-256'
- macs = macs59
-
- # adjust MACs based on OS + release
- case inspec.os[:name]
- when 'ubuntu'
- macs = macs66 if inspec.os[:release][0, 2] > '12'
- when 'debian'
- case inspec.os[:release]
- when /^6\./
- macs = macs53
- when /^7\./
- macs = macs59
- when /^8\./, /^9\./, /^10\./, /^11\./
- macs = macs66
- end
- when 'redhat', 'centos', 'oracle', 'rocky', 'almalinux'
- case inspec.os[:release]
- when /^6\./
- # RedHat Enterprise Linux (and family) backported SHA2 support to their fork of OpenSSH 5.3 in RHEL 6.5.
- # See BZ#969565 at:
- # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html-single/6.5_technical_notes/index#openssh
- # Because extended support (EUS) updates for 6.x minor releases is no longer available,
- # only the settings available for the supported (latest) 6.x release are recommended.
- macs = macs53_el65
- when /^7.*/, /^8.*/, /^9.*/
- macs = macs66
- end
- when 'amazon', 'fedora', 'alpine', 'arch'
- macs = macs66
- when 'opensuse'
- case inspec.os[:release]
- when /^13\.2/
- macs = macs66
- when /^42\./
- macs = macs66
- end
- when 'mac_os_x'
- case inspec.os[:release]
- when /^10.9\./
- macs = macs59
- when /^10.10\./, /^10.11\./, /^10.12\./
- macs = macs66
- end
+ if ssh_version >= 6.6
+ macs66
+ elsif ssh_version >= 5.9
+ macs59
+ else
+ macs53
 end
-
- macs
 end
 def valid_privseparation
- # define privilege separation set
- ps53 = 'yes'
- ps59 = 'sandbox'
 ps75 = nil
- ps = ps59
-
- # debian 7.x and newer has ssh 5.9+
- # ubuntu 12.04 and newer has ssh 5.9+
-
- case inspec.os[:name]
- when 'debian'
- case inspec.os[:release]
- when /^6\./
- ps = ps53
- when /^10\./, /^11\./
- ps = ps75
- end
- when 'redhat', 'centos', 'oracle', 'rocky', 'almalinux'
- case inspec.os[:release]
- # redhat/centos/oracle 6.x has ssh 5.3
- when /^6\./
- ps = ps53
- when /^7\./
- ps = ps59
- when /^8.*/, /^9.*/
- ps = ps75
- end
- when 'ubuntu'
- case inspec.os[:release]
- when /^18\./, /^20\./, /^22\./
- ps = ps75
- end
- when 'fedora', 'alpine', 'arch'
- ps = ps75
+ ps59 = 'sandbox'
+ ps53 = 'yes'
+ if ssh_version >= 7.5
+ ps75
+ elsif ssh_version >= 5.9
+ ps59
+ elsif ssh_version >= 5.3
+ ps53
 end
-
- ps
 end
- # return a list of valid algoriths for a current platform
 def valid_algorithms
- alg53 = %w(rsa)
- alg60 = %w(rsa ecdsa)
 alg66 = %w(rsa ecdsa ed25519)
- alg = alg66 # probably its a best suitable set for everything unknown
-
- case inspec.os[:name]
- when 'ubuntu'
- alg = alg53 if inspec.os[:release][0, 2] < '14'
- when 'debian'
- case inspec.os[:release]
- when /^7\./
- alg = alg60
- when /^8\./, /^9\./, /^10\./, /^11\./
- alg = alg66
- end
- when 'redhat', 'centos', 'oracle', 'rocky', 'almalinux'
- case inspec.os[:release]
- when /^6\./
- alg = alg53
- when /^7.*/, /^8.*/, /^9.*/
- alg = alg66
- end
- when 'amazon', 'fedora', 'alpine', 'arch'
- alg = alg66
- when 'opensuse'
- case inspec.os[:release]
- when /^13\.2/
- alg = alg66
- when /^42\./
- alg = alg66
- end
- when 'mac_os_x'
- case inspec.os[:release]
- when /^10.9\./
- alg53
- when /^10.10\./, /^10.11\./, /^10.12\./
- alg66
- end
+ alg60 = %w(rsa ecdsa)
+ alg53 = %w(rsa)
+ if ssh_version >= 6.6
+ alg66
+ elsif ssh_version >= 6.0
+ alg60
+ else
+ alg53
 end
-
- alg
 end
 end
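Review bot: Collapsing the per-distro tables onto `ssh_version` silently drops the EL 6.5 backport case that the removed comment block documented: `macs53_el65 = 'hmac-sha2-512,hmac-sha2-256'` is gone, so valid_macs now falls through to `macs53` (`hmac-ripemd160,hmac-sha1`) on an EL 6 host whose OpenSSH 5.3 already carries the backported SHA2 MACs, i.e. the profile recommends a weaker MAC set there than it did before this change. The same version-only fallthrough in valid_kexs replaces the removed `kex = nil` for 6.x releases with `kex59`, which, if the 5.3-era daemon on those hosts does not accept a KexAlgorithms directive at all (that knob arrived after 5.3, as far as I recall), turns a deliberately skipped check into a failing one. If those platforms are still in scope, keep one explicit branch ahead of the version fallback, e.g. `elsif %w(redhat centos oracle).include?(inspec.os[:name]) && inspec.os[:release].start_with?('6.')` returning `'hmac-sha2-512,hmac-sha2-256'` with the old BZ#969565 comment carried over; otherwise say in a class-level comment that EL 6 and Debian 6 are no longer supported so the regression is documented rather than accidental. `ssh_version` is defined outside this hunk, so the `>=` comparisons against Float literals assume it already returns a numeric major.minor value; worth a one-line comment on that method stating so.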