Fixed return value processing and mypy warning in algorithm_lookup(). Updated help listing, man page, and README.

2024-11-16 13:35:39 +01:00 · 2020-08-11 19:28:53 -04:00 · 2020-08-11 19:28:53 -04:00 · c7ad1828d8
commit c7ad1828d8
parent 86cb453928
3 changed files with 14 additions and 5 deletions
--- a/README.md
+++ b/README.md
@ -36,7 +36,8 @@ usage: ssh-audit.py [options] <host>
   -j,  --json             JSON output
   -l,  --level=<level>    minimum output level (info|warn|fail)
   -L,  --list-policies    list all the official, built-in policies
-        --lookup=<alg>     performs an algorithm lookup (accepts a comma separated list)
+        --lookup=<alg1,alg2,...>    looks up an algorithm(s) without
+                                    connecting to a server
   -M,  --make-policy=<policy.txt>  creates a policy based on the target server
                                    (i.e.: the target server has the ideal
                                    configuration that other servers should
@ -87,7 +88,8 @@ $ brew install ssh-audit
 ### v2.2.1-dev (???)
 - Created new man page (see ssh-audit.1 file).
 - 1024-bit moduli upgraded from warnings to failures.
- - Many Python 2 code clean-ups, testing framework improvements, pylint & flake8 fixes, and mypy type comments; credit [Jürgen Gmach](https://github.com/jugmac00)).
+ - Many Python 2 code clean-ups, testing framework improvements, pylint & flake8 fixes, and mypy type comments; credit [Jürgen Gmach](https://github.com/jugmac00).
+ - Added feature to look up algorithms in internal database (see `--lookup`); credit [Adam Russell](https://github.com/thecliguy).
 - Suppress recommendation of token host key types.
 - Added check for use-after-free vulnerability in PuTTY v0.73.
 - Added 5 new host key types: `ssh-rsa1`, `ssh-dss-sha256@ssh.com`, `ssh-gost2001`, `ssh-gost2012-256`, `ssh-gost2012-512`.
--- a/ssh-audit.1
+++ b/ssh-audit.1
@ -61,6 +61,11 @@ Specify the minimum output level.  Default is info.
 .br
 List all official, built-in policies for common systems.  Their file paths can then be provided using -P/--policy=<path/to/policy.txt>.

+.TP
+.B \-\-lookup=<alg1,alg2,...>
+.br
+Look up the security information of an algorithm(s) in the internal database.  Does not connect to a server.
+
 .TP
 .B -M, \-\-make-policy=<policy.txt>
 .br
--- a/ssh-audit.py
+++ b/ssh-audit.py
@ -79,7 +79,7 @@ def usage(err: Optional[str] = None) -> None:
    uout.info('   -j,  --json             JSON output')
    uout.info('   -l,  --level=<level>    minimum output level (info|warn|fail)')
    uout.info('   -L,  --list-policies    list all the official, built-in policies')
-    uout.info('        --lookup=<alg>     performs an algorithm lookup (accepts a comma separated list)')
+    uout.info('        --lookup=<alg1,alg2,...>    looks up an algorithm(s) without\n                                    connecting to a server')
    uout.info('   -M,  --make-policy=<policy.txt>  creates a policy based on the target server\n                                    (i.e.: the target server has the ideal\n                                    configuration that other servers should\n                                    adhere to)')
    uout.info('   -n,  --no-colors        disable colors')
    uout.info('   -p,  --port=<port>      port to connect')
@ -580,7 +580,7 @@ class AuditConf:
                aconf.target_file = a
            elif o in ('-L', '--list-policies'):
                aconf.list_policies = True
-            elif o in ('--lookup'):
+            elif o == '--lookup':
                aconf.lookup = a

        if len(args) == 0 and aconf.client_audit is False and aconf.target_file is None and aconf.list_policies is False and aconf.lookup == '':
@ -3722,6 +3722,8 @@ def audit(aconf: AuditConf, sshv: Optional[int] = None, print_target: bool = Fal


 def algorithm_lookup(alg_names: str) -> int:
+    '''Looks up a comma-separated list of algorithms and outputs their security properties.  Returns a PROGRAM_RETVAL_* flag.'''
+    retval = PROGRAM_RETVAL_GOOD
    alg_types = {
        'kex': 'key exchange algorithms',
        'key': 'host-key algorithms',
@ -3751,7 +3753,7 @@ def algorithm_lookup(alg_names: str) -> int:
    for alg_type in alg_types:
        if len(algorithms_dict[alg_type]) > 0:
            title = str(alg_types.get(alg_type))
-            retval = output_algorithms(title, adb, alg_type, algorithms_dict[alg_type], unknown_algorithms, False, PROGRAM_RETVAL_GOOD, padding)
+            retval = output_algorithms(title, adb, alg_type, list(algorithms_dict[alg_type]), unknown_algorithms, False, retval, padding)

    algorithms_dict_flattened = [
        alg_name