The color of all notes will be printed in green when the related algo…

…rithm is rated good.
jtesta · Sep 3, 2023 · 38f9c21 · 38f9c21
1 parent 4e6169d
commit 38f9c21
Show file tree

Hide file tree

Showing 7 changed files with 25 additions and 19 deletions.
diff --git a/README.md b/README.md
@@ -184,6 +184,7 @@ For convenience, a web front-end on top of the command-line tool is available at
  - Algorithm recommendations resulting from warnings are now printed in yellow instead of red; credit [Adam Russell](https://github.com/thecliguy).
  - Fixed crash during GEX tests.
  - Refined GEX testing against OpenSSH servers: when the fallback mechanism is suspected of being triggered, perform an additional test to obtain more accurate results.
+ - The color of all notes will be printed in green when the related algorithm is rated good.
  - Added built-in policy for OpenSSH 9.4.
  - Added 1 new key exchange: `[email protected]`.
 

diff --git a/src/ssh_audit/ssh_audit.py b/src/ssh_audit/ssh_audit.py
@@ -195,6 +195,7 @@ def output_algorithm(out: OutputBuffer, alg_db: Dict[str, Dict[str, List[List[Op
 
     alg_name = alg_name_with_size if alg_name_with_size is not None else alg_name
     first = True
+    use_good_for_all = False
     for level, text in texts:
         if level == 'fail':
             program_retval = exitcodes.FAILURE
@@ -203,9 +204,13 @@ def output_algorithm(out: OutputBuffer, alg_db: Dict[str, Dict[str, List[List[Op
 
         f = getattr(out, level)
         comment = (padding + ' -- [' + level + '] ' + text) if text != '' else ''
+
+        # If the first algorithm's comment is an 'info', this implies that it is rated good.  Hence, the out.good() function should be used to write all subsequent notes for this algorithm as well.
+        if (first and level == 'info') or use_good_for_all:
+            f = out.good
+            use_good_for_all = True
+
         if first:
-            if first and level == 'info':
-                f = out.good
             f(prefix + alg_name + comment)
             first = False
         else:  # pylint: disable=else-if-used

diff --git a/test/docker/expected_results/dropbear_2019.78_test1.txt b/test/docker/expected_results/dropbear_2019.78_test1.txt
@@ -6,9 +6,9 @@
 
 [0;36m# key exchange algorithms[0m
 [0;32m(kex) curve25519-sha256              -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76[0m
-                                     `- [info] default key exchange since OpenSSH 6.4
+[0;32m                                     `- [info] default key exchange since OpenSSH 6.4[0m
 [0;32m(kex) [email protected]   -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62[0m
-                                     `- [info] default key exchange since OpenSSH 6.4
+[0;32m                                     `- [info] default key exchange since OpenSSH 6.4[0m
 [0;31m(kex) ecdh-sha2-nistp521             -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
                                      `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
 [0;31m(kex) ecdh-sha2-nistp384             -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m

diff --git a/test/docker/expected_results/openssh_8.0p1_test1.txt b/test/docker/expected_results/openssh_8.0p1_test1.txt
@@ -12,17 +12,17 @@
 
 [0;36m# key exchange algorithms[0m
 [0;32m(kex) curve25519-sha256                     -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76[0m
-                                            `- [info] default key exchange since OpenSSH 6.4
+[0;32m                                            `- [info] default key exchange since OpenSSH 6.4[0m
 [0;32m(kex) [email protected]          -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62[0m
-                                            `- [info] default key exchange since OpenSSH 6.4
+[0;32m                                            `- [info] default key exchange since OpenSSH 6.4[0m
 [0;31m(kex) ecdh-sha2-nistp256                    -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
                                             `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
 [0;31m(kex) ecdh-sha2-nistp384                    -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
                                             `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
 [0;31m(kex) ecdh-sha2-nistp521                    -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
                                             `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
 [0;32m(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4[0m
-                                                      `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
+[0;32m                                                      `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).[0m
 [0;32m(kex) diffie-hellman-group16-sha512         -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73[0m
 [0;32m(kex) diffie-hellman-group18-sha512         -- [info] available since OpenSSH 7.3[0m
 [0;33m(kex) diffie-hellman-group14-sha256         -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
@@ -44,7 +44,7 @@
 
 [0;36m# encryption algorithms (ciphers)[0m
 [0;32m(enc) [email protected]         -- [info] available since OpenSSH 6.5[0m
-                                            `- [info] default cipher since OpenSSH 6.9
+[0;32m                                            `- [info] default cipher since OpenSSH 6.9[0m
 [0;32m(enc) aes128-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
 [0;32m(enc) aes192-ctr                            -- [info] available since OpenSSH 3.7[0m
 [0;32m(enc) aes256-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m

diff --git a/test/docker/expected_results/openssh_8.0p1_test2.txt b/test/docker/expected_results/openssh_8.0p1_test2.txt
@@ -12,17 +12,17 @@
 
 [0;36m# key exchange algorithms[0m
 [0;32m(kex) curve25519-sha256                     -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76[0m
-                                            `- [info] default key exchange since OpenSSH 6.4
+[0;32m                                            `- [info] default key exchange since OpenSSH 6.4[0m
 [0;32m(kex) [email protected]          -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62[0m
-                                            `- [info] default key exchange since OpenSSH 6.4
+[0;32m                                            `- [info] default key exchange since OpenSSH 6.4[0m
 [0;31m(kex) ecdh-sha2-nistp256                    -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
                                             `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
 [0;31m(kex) ecdh-sha2-nistp384                    -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
                                             `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
 [0;31m(kex) ecdh-sha2-nistp521                    -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
                                             `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
 [0;32m(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4[0m
-                                                      `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
+[0;32m                                                      `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).[0m
 [0;32m(kex) diffie-hellman-group16-sha512         -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73[0m
 [0;32m(kex) diffie-hellman-group18-sha512         -- [info] available since OpenSSH 7.3[0m
 [0;33m(kex) diffie-hellman-group14-sha256         -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
@@ -37,7 +37,7 @@
 
 [0;36m# encryption algorithms (ciphers)[0m
 [0;32m(enc) [email protected]         -- [info] available since OpenSSH 6.5[0m
-                                            `- [info] default cipher since OpenSSH 6.9
+[0;32m                                            `- [info] default cipher since OpenSSH 6.9[0m
 [0;32m(enc) aes128-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
 [0;32m(enc) aes192-ctr                            -- [info] available since OpenSSH 3.7[0m
 [0;32m(enc) aes256-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m

diff --git a/test/docker/expected_results/openssh_8.0p1_test3.txt b/test/docker/expected_results/openssh_8.0p1_test3.txt
@@ -12,18 +12,18 @@
 
 [0;36m# key exchange algorithms[0m
 [0;32m(kex) curve25519-sha256                     -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76[0m
-                                            `- [info] default key exchange since OpenSSH 6.4
+[0;32m                                            `- [info] default key exchange since OpenSSH 6.4[0m
 [0;32m(kex) [email protected]          -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62[0m
-                                            `- [info] default key exchange since OpenSSH 6.4
+[0;32m                                            `- [info] default key exchange since OpenSSH 6.4[0m
 [0;32m(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4[0m
-                                                      `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
+[0;32m                                                      `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).[0m
 
 [0;36m# host-key algorithms[0m
 [0;32m(key) ssh-ed25519                           -- [info] available since OpenSSH 6.5[0m
 
 [0;36m# encryption algorithms (ciphers)[0m
 [0;32m(enc) [email protected]         -- [info] available since OpenSSH 6.5[0m
-                                            `- [info] default cipher since OpenSSH 6.9
+[0;32m                                            `- [info] default cipher since OpenSSH 6.9[0m
 [0;32m(enc) [email protected]                -- [info] available since OpenSSH 6.2[0m
 [0;32m(enc) [email protected]                -- [info] available since OpenSSH 6.2[0m
 [0;32m(enc) aes256-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m

diff --git a/test/docker/expected_results/tinyssh_20190101_test1.txt b/test/docker/expected_results/tinyssh_20190101_test1.txt
@@ -5,9 +5,9 @@
 
 [0;36m# key exchange algorithms[0m
 [0;32m(kex) curve25519-sha256                       -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76[0m
-                                              `- [info] default key exchange since OpenSSH 6.4
+[0;32m                                              `- [info] default key exchange since OpenSSH 6.4[0m
 [0;32m(kex) [email protected]            -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62[0m
-                                              `- [info] default key exchange since OpenSSH 6.4
+[0;32m                                              `- [info] default key exchange since OpenSSH 6.4[0m
 [0;33m(kex) [email protected]  -- [warn] using experimental algorithm[0m
                                               `- [info] available since OpenSSH 8.0
                                               `- [info] the sntrup4591761 algorithm was withdrawn, as it may not provide strong post-quantum security
@@ -17,7 +17,7 @@
 
 [0;36m# encryption algorithms (ciphers)[0m
 [0;32m(enc) [email protected]           -- [info] available since OpenSSH 6.5[0m
-                                              `- [info] default cipher since OpenSSH 6.9
+[0;32m                                              `- [info] default cipher since OpenSSH 6.9[0m
 
 [0;36m# message authentication code algorithms[0m
 [0;33m(mac) hmac-sha2-256                           -- [warn] using encrypt-and-MAC mode[0m