Sync with ssh-crypto

Notably does not deprecated `ssh-rsa` key type. Hopefully people use a good kex algorithm even if their key is the old type. I also sorted the crypto slightly differently so that suffixed items will match on the maximum length. Fixes robballou#15
michaelblyons · Dec 20, 2024 · 7e015fb · 7e015fb
1 parent e9594f9
commit 7e015fb
Show file tree

Hide file tree

Showing 7 changed files with 2,713 additions and 535 deletions.
diff --git a/SSH Crypto.sublime-syntax b/SSH Crypto.sublime-syntax
@@ -20,25 +20,25 @@ contexts:
     - include: SSH Common.sublime-syntax#pop-before-nl
     - include: ssh-mac-algorithms
   ssh-ciphers:
-  - match: \b(?:AEAD_AES_128_GCM|AEAD_AES_256_GCM|aes128\-ctr|aes128\-gcm|aes128\-gcm@openssh\.com|aes192\-ctr|aes256\-ctr|aes256\-gcm|aes256\-gcm@openssh\.com|camellia128\-cbc|camellia128\-ctr|camellia192\-cbc|camellia192\-ctr|camellia256\-cbc|camellia256\-ctr|chacha20\-poly1305|chacha20\-poly1305@openssh\.com|crypticore128@ssh\.com|seed\-cbc@ssh\.com|twofish\-ctr|twofish128\-ctr|twofish192\-ctr|twofish256\-ctr)(?=[,\s\"])
-    scope: support.function.cipher
-  - match: \b(?:3des|3des\-cbc|3des\-ctr|aes128\-cbc|aes192\-cbc|aes256\-cbc|arcfour|arcfour128|arcfour256|blowfish\-cbc|blowfish\-ctr|cast128\-cbc|cast128\-ctr|des|des\-cbc|des\-cbc\-ssh1|idea\-cbc|idea\-ctr|none|rijndael\-cbc@lysator\.liu\.se|rijndael128\-cbc|rijndael192\-cbc|rijndael256\-cbc|serpent128\-cbc|serpent128\-ctr|serpent192\-cbc|serpent192\-ctr|serpent256\-cbc|serpent256\-ctr|twofish128\-cbc|twofish192\-cbc|twofish256\-cbc)(?=[,\s\"])
-    scope: invalid.deprecated.cipher
+  - match: \b(?:AEAD_AES_128_GCM|AEAD_AES_256_GCM|aes128\-ctr|aes128\-gcm@openssh\.com|aes128\-gcm|aes192\-gcm@openssh\.com|aes192\-ctr|aes256\-ctr|aes256\-gcm@openssh\.com|aes256\-gcm|camellia128\-ctr@openssh\.org|camellia128\-ctr|camellia192\-ctr@openssh\.org|camellia192\-ctr|camellia256\-ctr@openssh\.org|camellia256\-ctr|chacha20\-poly1305@openssh\.com|chacha20\-poly1305|crypticore128@ssh\.com|twofish128\-ctr|twofish128\-gcm@libassh\.org|twofish192\-ctr|twofish256\-ctr|twofish256\-gcm@libassh\.org|twofish\-ctr)(?=[,\s\"])
+    scope: support.function.cipher.ssh.crypto
+  - match: \b(?:3des\-cbc|3des\-cfb|3des\-ctr|3des\-ecb|3des\-ofb|3des|aes128\-cbc|aes192\-cbc|aes256\-cbc|aes128\-ocb@libassh\.org|arcfour128|arcfour256|arcfour|blowfish\-cbc|blowfish\-cfb|blowfish\-ctr|blowfish\-ecb|blowfish|camellia128\-cbc@openssh\.org|camellia128\-cbc|camellia192\-cbc@openssh\.org|camellia192\-cbc|camellia256\-cbc@openssh\.org|camellia256\-cbc|cast128\-12\-cbc|cast128\-12\-cfb|cast128\-12\-ctr|cast128\-12\-ecb|cast128\-12\-ofb|cast128\-cbc|cast128\-cfb|cast128\-ctr|cast128\-ecb|cast128\-ofb|des\-cbc\-ssh1|des\-cbc@ssh\.com|des\-cbc|des\-cfb|des\-ecb|des\-ofb|des|idea\-cbc|idea\-cfb|idea\-ctr|idea\-ecb|idea\-ofb|none|rijndael\-cbc@lysator\.liu\.se|rijndael\-cbc@ssh\.com|rijndael128\-cbc|rijndael192\-cbc|rijndael256\-cbc|seed\-cbc@ssh\.com|seed\-ctr@ssh\.com|serpent128\-cbc|serpent128\-ctr|serpent128\-gcm@libassh\.org|serpent192\-cbc|serpent192\-ctr|serpent256\-cbc|serpent256\-ctr|serpent256\-gcm@libassh\.org|twofish128\-cbc|twofish192\-cbc|twofish256\-cbc|twofish\-cbc|twofish\-cfb|twofish\-ecb|twofish\-ofb)(?=[,\s\"])
+    scope: invalid.deprecated.cipher.ssh.crypto
   ssh-kex-algorithms:
-  - match: \b(?:curve25519\-sha256|curve25519\-sha256@libssh\.org|Curve25519SHA256|curve448\-sha512|diffie\-hellman\-group\-exchange\-sha256|diffie\-hellman\-group\-exchange\-sha256@ssh\.com|diffie\-hellman\-group\-exchange\-sha512@ssh\.com|diffie\-hellman\-group1\-sha256|diffie\-hellman\-group14\-sha256|diffie\-hellman\-group14\-sha256@ssh\.com|diffie\-hellman\-group15\-sha256|diffie\-hellman\-group15\-sha256@ssh\.com|diffie\-hellman\-group15\-sha384@ssh\.com|diffie\-hellman\-group15\-sha512|diffie\-hellman\-group16\-sha256|diffie\-hellman\-group16\-sha384@ssh\.com|diffie\-hellman\-group16\-sha512|diffie\-hellman\-group16\-sha512@ssh\.com|diffie\-hellman\-group17\-sha512|diffie\-hellman\-group18\-sha512|diffie\-hellman\-group18\-sha512@ssh\.com|ecdh\-sha2\-1\.3\.132\.0\.10|ecdh\-sha2\-curve25519|ecdh\-sha2\-nistb233|ecdh\-sha2\-nistb409|ecdh\-sha2\-nistk163|ecdh\-sha2\-nistk233|ecdh\-sha2\-nistk283|ecdh\-sha2\-nistk409|ecdh\-sha2\-nistp192|ecdh\-sha2\-nistp224|ecdh\-sha2\-nistp256|ecdh\-sha2\-nistp384|ecdh\-sha2\-nistp521|ecdh\-sha2\-nistt571|ext\-info\-c|ext\-info\-s|gss\-curve25519\-sha256\-|gss\-group14\-sha256\-|gss\-group14\-sha256\-toWM5Slw5Ew8Mqkay\+al2g==|gss\-group15\-sha512\-|gss\-group15\-sha512\-toWM5Slw5Ew8Mqkay\+al2g==|gss\-group16\-sha512\-|gss\-nistp256\-sha256\-|kexAlgoCurve25519SHA256|kexguess2@matt\.ucc\.asn\.au|rsa1024\-sha1|rsa2048\-sha256|sntrup4591761x25519\-sha512@tinyssh\.org)(?=[,\s\"])
-    scope: support.function.kex-algorithm
-  - match: \b(?:diffie\-hellman\-group\-exchange\-sha1|diffie\-hellman\-group1\-sha1|diffie\-hellman\-group14\-sha1|gss\-gex\-sha1\-|gss\-gex\-sha1\-toWM5Slw5Ew8Mqkay\+al2g==|gss\-group1\-sha1\-|gss\-group1\-sha1\-toWM5Slw5Ew8Mqkay\+al2g==|gss\-group14\-sha1\-|gss\-group14\-sha1\-toWM5Slw5Ew8Mqkay\+al2g==)(?=[,\s\"])
-    scope: invalid.deprecated.kex-algorithm
+  - match: \b(?:curve25519\-sha256@libssh\.org|curve25519\-sha256|Curve25519SHA256|curve448\-sha512@libssh\.org|curve448\-sha512|diffie\-hellman\-group\-exchange\-sha256@ssh\.com|diffie\-hellman\-group\-exchange\-sha256|diffie\-hellman\-group\-exchange\-sha512@ssh\.com|diffie\-hellman\-group1\-sha256|diffie\-hellman\-group14\-sha224@ssh\.com|diffie\-hellman\-group14\-sha256|diffie\-hellman\-group14\-sha256@ssh\.com|diffie\-hellman\-group15\-sha256@ssh\.com|diffie\-hellman\-group15\-sha256|diffie\-hellman\-group15\-sha384@ssh\.com|diffie\-hellman\-group15\-sha512|diffie\-hellman\-group16\-sha256|diffie\-hellman\-group16\-sha384@ssh\.com|diffie\-hellman\-group16\-sha512@ssh\.com|diffie\-hellman\-group16\-sha512|diffie\-hellman\-group17\-sha512|diffie\-hellman_group17\-sha512|diffie\-hellman\-group18\-sha512@ssh\.com|diffie\-hellman\-group18\-sha512|diffie\-hellman\-group\-exchange\-sha224@ssh\.com|diffie\-hellman\-group\-exchange\-sha256@ssh\.com|diffie\-hellman\-group\-exchange\-sha256|diffie\-hellman\-group\-exchange\-sha384@ssh\.com|diffie\-hellman\-group\-exchange\-sha512@ssh\.com|ecdh\-nistp256\-kyber\-512r3\-sha256\-d00@openquantumsafe\.org|ecdh\-nistp384\-kyber\-768r3\-sha384\-d00@openquantumsafe\.org|ecdh\-nistp521\-kyber\-1024r3\-sha512\-d00@openquantumsafe\.org|ecdh\-sha2\-1\.2\.840\.10045\.3\.1\.7|ecdh\-sha2\-1\.3\.132\.0\.10|ecdh\-sha2\-1\.3\.132\.0\.16|ecdh\-sha2\-1\.3\.132\.0\.34|ecdh\-sha2\-1\.3\.132\.0\.35|ecdh\-sha2\-1\.3\.132\.0\.36|ecdh\-sha2\-1\.3\.132\.0\.37|ecdh\-sha2\-1\.3\.132\.0\.38|ecdh\-sha2\-9UzNcgwTlEnSCECZa7V1mw==|ecdh\-sha2\-brainpoolp256r1@genua\.de|ecdh\-sha2\-brainpoolp384r1@genua\.de|ecdh\-sha2\-brainpoolp521r1@genua\.de|ecdh\-sha2\-curve25519|ecdh\-sha2\-D3FefCjYoJ/kfXgAyLddYA==|ecdh\-sha2\-h/SsxnLCtRBh7I9ATyeB3A==|ecdh\-sha2\-m/FtSAmrV4j/Wy6RVUaK7A==|ecdh\-sha2\-mNVwCXAoS1HGmHpLvBC94w==|ecdh\-sha2\-nistb409|ecdh\-sha2\-nistk283|ecdh\-sha2\-nistk409|ecdh\-sha2\-nistp192|ecdh\-sha2\-nistp224|ecdh\-sha2\-nistp256|ecdh\-sha2\-nistp384|ecdh\-sha2\-nistp521|ecdh\-sha2\-nistt571|ecdh\-sha2\-qcFQaMAMGhTziMT0z\+Tuzw==|ecdh\-sha2\-wiRIU8TKjMZ418sMqlqtvQ==|ecmqv\-sha2|ext\-info\-c|ext\-info\-s|gss\-13\.3\.132\.0\.10\-sha256\-|gss\-curve25519\-sha256\-|gss\-curve448\-sha512\-|gss\-gex\-sha256\-|gss\-group14\-sha256\-toWM5Slw5Ew8Mqkay\+al2g==|gss\-group14\-sha256\-|gss\-group15\-sha512\-toWM5Slw5Ew8Mqkay\+al2g==|gss\-group15\-sha512\-|gss\-group16\-sha512\-|gss\-group17\-sha512\-|gss\-group18\-sha512\-|gss\-nistp256\-sha256\-|gss\-nistp384\-sha256\-|gss\-nistp384\-sha384\-|gss\-nistp521\-sha512\-|kexAlgoCurve25519SHA256|kexAlgoECDH256|kexAlgoECDH384|kexAlgoECDH521|kexguess2@matt\.ucc\.asn\.au|kex\-strict\-c\-v00@openssh\.com|kex\-strict\-s\-v00@openssh\.com|m383\-sha384@libassh\.org|m511\-sha512@libassh\.org|rsa2048\-sha256|sm2kep\-sha2\-nistp256|sntrup4591761x25519\-sha512@tinyssh\.org|sntrup761x25519\-sha512@openssh\.com|x25519\-kyber\-512r3\-sha256\-d00@amazon\.com|x25519\-kyber512\-sha512@aws\.amazon\.com)(?=[,\s\"])
+    scope: support.function.kex-algorithm.ssh.crypto
+  - match: \b(?:diffie\-hellman\-group\-exchange\-sha1|diffie\-hellman\-group1\-sha1|diffie\-hellman\-group14\-sha1|ecdh\-sha2\-1\.2\.840\.10045\.3\.1\.1|ecdh\-sha2\-1\.3\.132\.0\.1|ecdh\-sha2\-1\.3\.132\.0\.26|ecdh\-sha2\-1\.3\.132\.0\.27|ecdh\-sha2\-1\.3\.132\.0\.33|ecdh\-sha2\-4MHB\+NBt3AlaSRQ7MnB4cg==|ecdh\-sha2\-5pPrSUQtIaTjUSt5VZNBjg==|ecdh\-sha2\-nistb233|ecdh\-sha2\-nistk163|ecdh\-sha2\-nistk233|ecdh\-sha2\-qCbG5Cn/jjsZ7nBeR7EnOA==|ecdh\-sha2\-VqBg4QRPjxx1EXZdV0GdWQ==|ecdh\-sha2\-zD/b3hu/71952ArpUG4OjQ==|gss\-gex\-sha1\-toWM5Slw5Ew8Mqkay\+al2g==|gss\-gex\-sha1\-|gss\-group1\-sha1\-toWM5Slw5Ew8Mqkay\+al2g==|gss\-group1\-sha1\-|gss\-group14\-sha1\-toWM5Slw5Ew8Mqkay\+al2g==|gss\-group14\-sha1\-|kexAlgoDH14SHA1|kexAlgoDH1SHA1|rsa1024\-sha1)(?=[,\s\"])
+    scope: invalid.deprecated.kex-algorithm.ssh.crypto
   ssh-key-types:
-  - match: \b(?:ecdsa\-sha2\-1\.3\.132\.0\.10|ecdsa\-sha2\-nistp256|ecdsa\-sha2\-nistp256\-cert\-v01@openssh\.com|ecdsa\-sha2\-nistp384|ecdsa\-sha2\-nistp384\-cert\-v01@openssh\.com|ecdsa\-sha2\-nistp521|ecdsa\-sha2\-nistp521\-cert\-v01@openssh\.com|rsa\-sha2\-256|rsa\-sha2\-256\-cert\-v01@openssh\.com|rsa\-sha2\-512|rsa\-sha2\-512\-cert\-v01@openssh\.com|sk\-ecdsa\-sha2\-nistp256\-cert\-v01@openssh\.com|sk\-ecdsa\-sha2\-nistp256@openssh\.com|spi\-sign\-rsa|ssh\-dss\-sha256@ssh\.com|ssh\-ed25519|ssh\-ed25519\-cert\-v01@openssh\.com|ssh\-ed448|ssh\-gost\-2001|ssh\-gost\-2012\-256|ssh\-gost\-2012\-512|ssh\-rsa|ssh\-rsa\-cert\-v01@openssh\.com|ssh\-rsa\-sha256@ssh\.com|x509v3\-ecdsa\-sha2\-nistp256|x509v3\-ecdsa\-sha2\-nistp384|x509v3\-ecdsa\-sha2\-nistp521|x509v3\-rsa2408\-sha256|x509v3\-sign\-rsa|x509v3\-sign\-rsa\-sha256@ssh\.com|x509v3\-ssh\-rs)(?=[,\s\"])
-    scope: support.type.key-type
-  - match: \b(?:ssh\-dss|ssh\-dss\-cert\-v00@openssh\.com|ssh\-dss\-cert\-v01@openssh\.com|ssh\-rsa\-cert\-v00@openssh\.com|ssh\-rsa1|x509v3\-sign\-dss)(?=[,\s\"])
-    scope: invalid.deprecated.key-type
+  - match: \b(?:dsa2048\-sha224@libassh\.org|dsa2048\-sha256@libassh\.org|dsa3072\-sha256@libassh\.org|ecdsa\-sha2\-1\.3\.132\.0\.10\-cert\-v01@openssh\.com|ecdsa\-sha2\-1\.3\.132\.0\.10|ecdsa\-sha2\-curve25519|ecdsa\-sha2\-nistb409|ecdsa\-sha2\-nistk163|ecdsa\-sha2\-nistk233|ecdsa\-sha2\-nistk283|ecdsa\-sha2\-nistk409|ecdsa\-sha2\-nistp256\-cert\-v01@openssh\.com|ecdsa\-sha2\-nistp256|ecdsa\-sha2\-nistp384\-cert\-v01@openssh\.com|ecdsa\-sha2\-nistp384|ecdsa\-sha2\-nistp521\-cert\-v01@openssh\.com|ecdsa\-sha2\-nistp521|ecdsa\-sha2\-nistt571|eddsa\-e382\-shake256@libassh\.org|eddsa\-e521\-shake256@libassh\.org|rsa\-sha2\-256\-cert\-v01@openssh\.com|rsa\-sha2\-256|rsa\-sha2\-512\-cert\-v01@openssh\.com|rsa\-sha2\-512|sk\-ecdsa\-sha2\-nistp256\-cert\-v01@openssh\.com|sk\-ecdsa\-sha2\-nistp256@openssh\.com|spi\-sign\-rsa|ssh\-ed25519\-cert\-v01@openssh\.com|ssh\-ed25519|ssh\-ed448|ssh\-gost\-2001|ssh\-gost\-2012\-256|ssh\-gost\-2012\-512|ssh\-rsa\-sha256@ssh\.com|ssh\-rsa\-sha2\-256|ssh\-rsa\-sha2\-512|ssh\-rsa\-sha256@ssh\.com|ssh\-rsa\-sha384@ssh\.com|ssh\-rsa\-sha512@ssh\.com|ssh\-rsa|ssh\-xmss\-cert\-v01@openssh\.com|ssh\-xmss@openssh\.com|webauthn\-sk\-ecdsa\-sha2\-nistp256@openssh\.com|x509v3\-ecdsa\-sha2\-1\.3\.132\.0\.10|x509v3\-ecdsa\-sha2\-nistp256|x509v3\-ecdsa\-sha2\-nistp384|x509v3\-ecdsa\-sha2\-nistp521|x509v3\-rsa2048\-sha256|x509v3\-sign\-rsa\-sha256@ssh\.com|x509v3\-sign\-dss\-sha224@ssh\.com|x509v3\-sign\-dss\-sha256@ssh\.com|x509v3\-sign\-dss\-sha384@ssh\.com|x509v3\-sign\-dss\-sha512@ssh\.com|x509v3\-sign\-rsa\-sha224@ssh\.com|x509v3\-sign\-rsa\-sha256|x509v3\-sign\-rsa\-sha256@ssh\.com|x509v3\-sign\-rsa\-sha384@ssh\.com|x509v3\-sign\-rsa\-sha512@ssh\.com)(?=[,\s\"])
+    scope: support.type.key-type.ssh.crypto
+  - match: \b(?:ecdsa\-sha2\-nistb233|ecdsa\-sha2\-nistp224|ecdsa\-sha2\-nistp192|null|pgp\-sign\-dss|pgp\-sign\-rsa|spki\-sign\-dss|spki\-sign\-rsa|ssh\-dsa|ssh\-dss|ssh\-dss\-cert\-v00@openssh\.com|ssh\-dss\-cert\-v01@openssh\.com|ssh\-dss\-sha224@ssh\.com|ssh\-dss\-sha256@ssh\.com|ssh\-dss\-sha384@ssh\.com|ssh\-dss\-sha512@ssh\.com|ssh\-rsa\-cert\-v00@openssh\.com|ssh\-rsa\-cert\-v01@openssh\.com|ssh\-rsa1|x509v3\-sign\-dss\-sha1|x509v3\-sign\-dss|x509v3\-sign\-rsa\-sha1|x509v3\-sign\-rsa|x509v3\-ssh\-dss|x509v3\-ssh\-rsa)(?=[,\s\"])
+    scope: invalid.deprecated.key-type.ssh.crypto
   ssh-mac-algorithms:
-  - match: \b(?:aes128\-gcm|aes256\-gcm|chacha20\-poly1305@openssh\.com|crypticore\-mac@ssh\.com|hmac\-sha1|hmac\-sha1\-etm@openssh\.com|hmac\-sha2\-224|hmac\-sha2\-256|hmac\-sha2\-256\-96\-etm@openssh\.com|hmac\-sha2\-256\-etm@openssh\.com|hmac\-sha2\-384|hmac\-sha2\-512|hmac\-sha2\-512\-96\-etm@openssh\.com|hmac\-sha2\-512\-etm@openssh\.com|hmac\-sha2\-56|hmac\-sha256|hmac\-sha256\-96@ssh\.com|hmac\-sha256@ssh\.com|hmac\-sha3\-224|hmac\-sha3\-256|hmac\-sha3\-384|hmac\-sha3\-512|hmac\-sha512|hmac\-sha512@ssh\.com|umac\-128\-etm@openssh\.com|umac\-128@openssh\.com|umac\-32@openssh\.com|umac\-64\-etm@openssh\.com|umac\-64@openssh\.com|umac\-96@openssh\.com)(?=[,\s\"])
-    scope: support.function.mac-algorithm
-  - match: \b(?:hmac\-md5|hmac\-md5\-96|hmac\-md5\-96\-etm@openssh\.com|hmac\-md5\-etm@openssh\.com|hmac\-ripemd|hmac\-ripemd160|hmac\-ripemd160\-etm@openssh\.com|hmac\-ripemd160@openssh\.com|hmac\-sha1\-96|hmac\-sha1\-96\-etm@openssh\.com|hmac\-sha2\-256\-96|hmac\-sha2\-512\-96|none)(?=[,\s\"])
-    scope: invalid.deprecated.mac-algorithm
+  - match: \b(?:AEAD_AES_128_GCM|AEAD_AES_256_GCM|aes128\-gcm|aes256\-gcm|cbcmac\-aes|cbcmac\-twofish|chacha20\-poly1305@openssh\.com|crypticore\-mac@ssh\.com|hmac\-sha2\-224|hmac\-sha2\-256\-96\-etm@openssh\.com|hmac\-sha2\-256\-etm@openssh\.com|hmac\-sha2\-256|hmac\-sha2\-384|hmac\-sha2\-512\-96\-etm@openssh\.com|hmac\-sha2\-512\-etm@openssh\.com|hmac\-sha2\-512|hmac\-sha2\-56|hmac\-sha256\-96@ssh\.com|hmac\-sha256@ssh\.com|hmac\-sha256|hmac\-sha3\-224|hmac\-sha3\-256|hmac\-sha3\-384|hmac\-sha3\-512|hmac\-sha512@ssh\.com|hmac\-sha512|umac\-128\-etm@openssh\.com|umac\-128@openssh\.com|umac\-128|umac\-32@openssh\.com|umac\-64\-etm@openssh\.com|umac\-64@openssh\.com|umac\-96@openssh\.com)(?=[,\s\"])
+    scope: support.function.mac-algorithm.ssh.crypto
+  - match: \b(?:cbcmac\-3des|cbcmac\-blowfish|cbcmac\-des|cbcmac\-rijndael|hmac\-md5\-96|hmac\-md5\-96\-etm@openssh\.com|hmac\-md5\-etm@openssh\.com|hmac\-md5|hmac\-ripemd160\-etm@openssh\.com|hmac\-ripemd160@openssh\.com|hmac\-ripemd160\-96|hmac\-ripemd160|hmac\-ripemd|hmac\-sha1\-96\-etm@openssh\.com|hmac\-sha1\-96|hmac\-sha1\-etm@openssh\.com|hmac\-sha1|hmac\-sha2\-256\-96|hmac\-sha2\-512\-96|none|md5\-8|md5|ripemd160\-8|ripemd160|sha1\-8|sha1)(?=[,\s\"])
+    scope: invalid.deprecated.mac-algorithm.ssh.crypto
 hidden: true
 name: SSH Crypto
 scope: text.ssh.crypto