From 5e2adeed8a19bd5307758ae17c6e11e22c55a525 Mon Sep 17 00:00:00 2001
From: UnaPibaGeek
Date: Sat, 14 Feb 2026 21:41:10 -0300
Subject: [PATCH 1/5] tls: add --enable-mlkem flag

---
 tls.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/tls.go b/tls.go
index e89188fe2..b7ba91b75 100644
--- a/tls.go
+++ b/tls.go
@@ -63,6 +63,7 @@ type TLSFlags struct {
 MinVersion int `long:"min-version" description:"The minimum SSL/TLS version that is acceptable. 0 means that TLS1.0 is the minimum."`
 MaxVersion int `long:"max-version" description:"The maximum SSL/TLS version that is acceptable. 0 means use the highest supported value."`
 CurvePreferences string `long:"curve-preferences" description:"A list of elliptic curves used in an ECDHE handshake, in order of preference."`
+ EnableMLKEM bool `long:"enable-mlkem" description:"Advertise TLS 1.3 hybrid PQ group X25519MLKEM768 (ML-KEM + X25519) as first preference"`
 NoECDHE bool `long:"no-ecdhe" description:"Do not allow ECDHE handshakes"`
 // TODO: format?
 SignatureAlgorithms string `long:"signature-algorithms" description:"Signature and hash algorithms that are acceptable"`
@@ -239,6 +240,16 @@ func (t *TLSFlags) GetTLSConfigForTarget(target *ScanTarget) (*tls.Config, error
 ret.MaxVersion = uint16(t.MaxVersion)
 }
 
+ if t.EnableMLKEM {
+ ret.CurvePreferences = []tls.CurveID{
+ tls.X25519MLKEM768,
+ tls.X25519,
+ tls.CurveP256,
+ tls.CurveP384,
+ tls.CurveP521,
+ }
+ }
+
 if t.CurvePreferences != "" {
 // TODO FIXME: Implement (how to map curveName to CurveID? Or are there standard 'suites' like we use for cipher suites?)
 log.Fatalf("--curve-preferences not implemented")
From 26cbb7b50158631ca43840ae9cdb23cf3622f79e Mon Sep 17 00:00:00 2001
From: UnaPibaGeek
Date: Wed, 18 Feb 2026 10:34:06 -0300
Subject: [PATCH 2/5] tests: bump zcrypto_schemas to include server_hello.key_share

---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
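Review bot: The `--enable-mlkem` description added to TLSFlags in tls.go says the hybrid group is advertised "as first preference", but it does not tell the operator that the flag replaces the whole group list with the fixed five entries set in the second tls.go hunk, or that TLS 1.3 must be inside the allowed version range for the group to be usable. A description such as `Offer X25519MLKEM768 first, then X25519, P-256, P-384, P-521 (replaces the default group list; requires TLS 1.3)` would make it clearer what a scan actually put on the wire. The struct starts and ends outside the hunk.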
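Review bot: The new `if t.EnableMLKEM` block in GetTLSConfigForTarget (tls.go) sets ret.CurvePreferences without looking at the version range assigned just above it, and X25519MLKEM768 is only defined for TLS 1.3. With `--max-version` below 1.3 the hybrid group can never be selected, so a scan would record "no ML-KEM" for servers that do support it, a silent false negative in post-quantum readiness data. I would reject the combination up front in the same style as the `--curve-preferences` check that follows: `if t.EnableMLKEM && t.MaxVersion != 0 && t.MaxVersion < tls.VersionTLS13 { log.Fatalf("--enable-mlkem requires TLS 1.3; raise --max-version") }`, assuming the imported tls package exports VersionTLS13, which the hunk does not show. How the block interacts with `--no-ecdhe` is also not visible here, since the function continues outside the hunk.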
diff --git a/requirements.txt b/requirements.txt
index e54552a6e..de5dd9010 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,3 +1,3 @@
 zschema
-git+https://github.com/zmap/zcrypto@4f0ea0eaccacc4e153ddbb2016afe9d7bb961efd#egg=zcrypto_schemas
+git+https://github.com/zmap/zcrypto/commit/1e860df7ce028301834bb57cf935ea201b13766c#egg=zcrypto_schemas
 requests
\ No newline at end of file
From c3e9904078f7f7edc5a3924a3deb08c53251a1e0 Mon Sep 17 00:00:00 2001
From: UnaPibaGeek
Date: Wed, 18 Feb 2026 10:41:52 -0300
Subject: [PATCH 3/5] tests: pin zcrypto_schemas to zcrypto commit 1e860df7 (fix url typo)

---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements.txt b/requirements.txt
index de5dd9010..6a5ea61d5 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,3 +1,3 @@
 zschema
-git+https://github.com/zmap/zcrypto/commit/1e860df7ce028301834bb57cf935ea201b13766c#egg=zcrypto_schemas
+git+https://github.com/zmap/zcrypto.git@1e860df7ce028301834bb57cf935ea201b13766c#egg=zcrypto_schemas
 requests
\ No newline at end of file
From 47f9b3a07b19a7bb1cde8ce725163c6e0c425afc Mon Sep 17 00:00:00 2001
From: UnaPibaGeek
Date: Wed, 18 Feb 2026 20:01:10 -0300
Subject: [PATCH 4/5] tests: pin zcrypto_schemas to zcrypto commit 89b5f80 (latest)

---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements.txt b/requirements.txt
index 6a5ea61d5..61cac23b3 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,3 +1,3 @@
 zschema
-git+https://github.com/zmap/zcrypto.git@1e860df7ce028301834bb57cf935ea201b13766c#egg=zcrypto_schemas
+git+https://github.com/zmap/zcrypto.git@89b5f803590888aac1a9f45a0b9adfa1734c673e#egg=zcrypto_schemas
 requests
\ No newline at end of file
From 403c6c79a544a952ee3efbc69f64eecff839e3a7 Mon Sep 17 00:00:00 2001
From: UnaPibaGeek
Date: Thu, 19 Feb 2026 17:53:44 -0300
Subject: [PATCH 5/5] tests: pin zcrypto_schemas to zcrypto commit 6eed1af (latest)

---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements.txt b/requirements.txt
index 61cac23b3..8bdbe6335 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,3 +1,3 @@
 zschema
-git+https://github.com/zmap/zcrypto.git@89b5f803590888aac1a9f45a0b9adfa1734c673e#egg=zcrypto_schemas
+git+https://github.com/zmap/zcrypto.git@6eed1af189657a1b7ca86b1abd63983defe5a390#egg=zcrypto_schemas
 requests
\ No newline at end of file