Changelog

All notable changes to quantumvalidator are documented in this file.

Format follows Keep a Changelog. Version numbers follow Semantic Versioning.



0.5.2 — 2026-05-15

Added

  • info groups sub-command — lists all quantum-safe TLS and SSH key exchange groups with their IANA codepoint and governing standard.
  • pytest-mock>=3.12 added to dev extras.

Changed

  • assessor.assess(): parameters after target are now keyword-only (enforced by *,); timeout type corrected from int to float (default 10.0), consistent with all other platform modules.
  • All Optional[X] type hints replaced with X | None (PEP 604) throughout assessor.py, cli.py, models.py, and tls_utils.py.
  • cli: --version short flag changed from -v to -V (uppercase), consistent with all other platform modules.
  • reporter: print_report() renamed to print_full_report(); save_report() now raises ValueError for unsupported file extensions instead of silently falling back to plain text.

Removed

  • reporter.print_report deprecated alias removed; use print_full_report directly.

0.5.1 — 2026-05-15

Changed

  • pyproject.toml: corrected authors field to t0kubetsu (consistent with all other platform modules).
  • reporter: exposes a public console alias (Console(record=True)) and a save_report(path) function supporting .txt, .svg, and .html extensions (unknown extensions fall back to plain text).
  • CLI migrated to use reporter.console; print_report() now renders to the module-level console so save_report() captures the output correctly. The private _save_report() helper in cli.py has been removed.

0.5.0 — 2026-05-05

Changed

  • _probe_ftp greeting/response reads are now loop-safe — replaced single sock.recv(1024) calls with chunk-accumulation loops that read until \n or 1024 bytes, guarding against TCP segmentation on slow links.
  • _probe_ftp uses dataclasses.replace() instead of post-construction field mutation when stamping detected_starttls="ftp" onto the openssl result.
  • Empty AUTH TLS response now reports "(no response)" in the error message instead of a trailing bare colon.
  • _fingerprint_banner docstring documents the FTP keyword-detection limitation (FileZilla) and the NNTP 200/201 heuristic caveat.

Fixed

  • FTP probe no longer hangs on servers that reject AUTH TLS: openssl s_client -starttls ftp does not exit cleanly when the server replies with e.g. 500 AUTH not understood; it hangs until the subprocess timeout fires. A new _probe_ftp function now sends AUTH TLS over a raw socket first; if the server responds with anything other than 234, the error is returned immediately without invoking openssl.

Added

  • Extended STARTTLS protocol detection: _fingerprint_banner now auto-detects FTP (220 … FTP …), LMTP (220 … LMTP …), NNTP (200 / 201), and ManageSieve ("IMPLEMENTATION" / "SIEVE" / "STARTTLS" capability lines) from server banners, dispatching to the correct openssl -starttls mode automatically. Protocols that send no opening banner (XMPP, LDAP, MySQL, PostgreSQL) remain unsupported in auto-detect mode by design, keeping the probe protocol-agnostic.

0.4.0 — 2026-04-29

Added

  • SSH PQC probe — auto-detects SSH-2.0- banner via banner-first socket read and probes the server's RFC 4253 KEXINIT in pure Python (no openssl required). Checks whether the server advertises an ML-KEM hybrid KEX algorithm (mlkem768nistp256-sha256, mlkem1024nistp384-sha384, mlkem768x25519-sha256).
  • SSH constants: SSH_PQC_GROUPS and SSH_SAFE_GROUPS in constants.py covering the three ML-KEM hybrid KEX algorithms per NIST FIPS 203 / CNSA 2.0 / BSI TR-02102-4. sntrup761x25519-sha512@openssh.com (NTRU) intentionally excluded — not NIST-selected.
  • SSH verdict logic: determine_verdict("SSHv2", ...) and _build_ssh_checks() in verdict.py; produces ssh_version + kex_algorithm checks per NIST SP 800-209 and NIST FIPS 203.
  • SSH report mode — terminal header shows [SSH]; verdict panel shows SSH-specific remediation text ("Upgrade to OpenSSH ≥ 9.9 …") and references BSI TR-02102-4 for SAFE results.
  • GroupInfo.iana_codepoint: str | None — field is now optional; SSH algorithms set it to None (no IANA codepoint assigned).
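The SSH probe's KEXINIT check, as an added example rather than the project's code: it builds a constructed, unencrypted RFC 4253 KEXINIT packet in place of a live server reply, parses the kex_algorithms name-list with every length field validated, and applies the banner plus ML-KEM verdict rule. Function names are assumptions; the three algorithm names are the ones listed above.

```python
import struct

SSH_MSG_KEXINIT = 20
# The three ML-KEM hybrid KEX names from the changelog; sntrup761x25519-sha512@openssh.com stays excluded.
SSH_PQC_GROUPS = frozenset({
    "mlkem768nistp256-sha256", "mlkem1024nistp384-sha384", "mlkem768x25519-sha256",
})

def _name_list(names: list[str]) -> bytes:
    """RFC 4251 name-list: uint32 length followed by comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data

def build_kexinit(kex_algorithms: list[str], block_size: int = 8) -> bytes:
    """Constructed, unencrypted RFC 4253 KEXINIT packet standing in for a server's reply."""
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16 + _name_list(kex_algorithms)
    payload += _name_list([]) * 9 + b"\x00" + b"\x00\x00\x00\x00"  # 9 other name-lists, flag, reserved
    pad = block_size - (5 + len(payload)) % block_size  # total length must be a multiple of block_size
    if pad < 4:  # RFC 4253 requires at least 4 padding bytes
        pad += block_size
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + b"\x00" * pad

def parse_kex_algorithms(packet: bytes) -> list[str]:
    """Extract the server's kex_algorithms name-list, rejecting malformed length fields."""
    if len(packet) < 5:
        raise ValueError("short packet")
    packet_length, padding_length = struct.unpack(">IB", packet[:5])
    if padding_length + 1 > packet_length or len(packet) < 4 + packet_length:
        raise ValueError("bad packet lengths")
    payload = packet[5:4 + packet_length - padding_length]
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT")
    off = 17  # message byte + 16-byte cookie
    if len(payload) < off + 4:
        raise ValueError("truncated KEXINIT")
    (n,) = struct.unpack(">I", payload[off:off + 4])
    names = payload[off + 4:off + 4 + n]
    if len(names) != n:
        raise ValueError("truncated name-list")
    return names.decode("ascii").split(",") if names else []

def ssh_verdict(banner: bytes, kexinit: bytes) -> tuple[str, list[str]]:
    """SAFE only for an SSH-2.0 server that advertises at least one ML-KEM hybrid KEX."""
    if not banner.startswith(b"SSH-2.0-"):
        return "UNSAFE", []
    pqc = [a for a in parse_kex_algorithms(kexinit) if a in SSH_PQC_GROUPS]
    return ("SAFE" if pqc else "UNSAFE"), pqc
```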

Changed

  • README: intro, PQC Groups Detected, Standards, and Verdict sections updated to cover SSH alongside TLS. Standards table gains NIST FIPS 203, BSI TR-02102-4, and NIST SP 800-209.

0.3.0 — 2026-04-29

Added

  • -p short flag for --port: quantumvalidator check host -p 587.
  • Banner-first probe — plain TCP socket reads the server's opening bytes before the TLS probe. Reduces connections for STARTTLS services from 3 to 2 and fixes STARTTLS detection (openssl -brief suppresses plaintext banners).
  • "Security Verdict" label in terminal report panel (was "Verdict").

Removed

  • probe_tls() starttls_smtp parameter — deprecated backward-compat kwarg removed. Call probe_tls(host, port) directly.
  • Standard column from the checks table in the terminal report.
  • TLSProbeResult.raw_output field — no longer needed since banner detection uses a direct socket read.

Fixed

  • assess(port=0) no longer silently uses port 443; raises RuntimeError instead.
  • openssl version parse failure now logged at DEBUG instead of silently ignored.

0.2.0 — 2026-04-28

Added

  • Protocol-agnostic probing: quantumvalidator check host --port N auto-detects STARTTLS mode (SMTP/IMAP/POP3) via server banner fingerprinting. No protocol flag needed.
  • QuantumReport.detected_starttls: str | None — surfaces the auto-detected STARTTLS mode ("smtp" / "imap" / "pop3"), or None for raw TLS.
  • Report header — displays detected probe mode: [TLS], [SMTP/STARTTLS], etc.

Removed

  • assess() protocol= parameter — use port= directly.
  • QuantumReport.protocol field — replaced by detected_starttls.
  • check_https() / check_smtp() from checker.py — use check_tls(host, port).
  • --protocol / -p CLI flag — pass --port instead.
  • DEFAULT_PORT_SMTP constant from constants.py.

Changed

  • check_tls(host, port) is now the single probe entry point in checker.py, replacing the former check_https / check_smtp split.

0.1.0 — 2026-04-28

Added

  • Initial release of quantumvalidator.
  • HTTPS and SMTP/STARTTLS probing with explicit --protocol flag.
  • Post-quantum key-exchange detection: ML-KEM-768 / X25519MLKEM768 / hybrid groups flagged as SAFE; classical-only KEX flagged as UNSAFE.
  • TLS 1.3 requirement check — TLS ≤ 1.2 always yields UNSAFE verdict.
  • CLI: quantumvalidator check <target> with --port, --timeout, --json, --output, --version flags.
  • Exit codes: 0 SAFE, 1 UNSAFE, 2 error.
  • Report export to .txt, .svg, .html.
  • 100% test coverage via pytest.