1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
//! SSH handshake parser + HASSH fingerprint.
//!
//! Gated by the `ssh` feature. Parses the cleartext SSH-2
//! handshake (RFC 4253):
//!
//! 1. Version exchange ("SSH-2.0-..." banner lines).
//! 2. `SSH_MSG_KEXINIT` algorithm-negotiation packets from
//! client and server.
//!
//! Emits a strongly-typed [`SshMessage`] per protocol event,
//! plus the [HASSH](https://github.com/salesforce/hassh) MD5
//! fingerprint (client side) and HASSHServer (server side),
//! built from the KEXINIT algorithm lists per the Salesforce
//! specification. HASSH is the SSH analogue of JA3 / JA4 for
//! TLS — same use case: client / server classification by
//! library-default algorithm preferences.
//!
//! Once both sides exchange `SSH_MSG_NEWKEYS` (msg type 21)
//! the remainder of the connection is encrypted; this parser
//! stops emitting events after that point — there's no
//! cleartext to see.
//!
//! # Scope
//!
//! - Banner exchange — `SshMessage::Banner`.
//! - KEXINIT decode — `SshMessage::KexInit` with the
//! ten RFC 4253 §7.1 name-lists + HASSH/HASSHServer when
//! the side is identified.
//! - NEWKEYS marker — `SshMessage::Encrypted` (parser stops
//! advancing after).
//!
//! # Out of scope
//!
//! - Decryption (impossible passively).
//! - SSH-1 (deprecated; the parser rejects non-SSH-2 banners).
//! - DH key exchange messages, channel data, auth methods —
//! all post-KEXINIT and most are encrypted anyway.
//!
//! Issue #7 (0.18).
// JA4SSH — FoxIO-licensed JA4+ SSH-session fingerprint. Opt-in via the
// `ja4plus` feature (issue #77).
pub use ;
pub use ;
pub use messages_from_pcap;
pub use ;
pub use ;