Perform post-processing on scan results before reporting them to the user. Returns a list of algorithms that should not be recommended and a list of notes.
(banner: Optional[Banner], algs: Algorithms, client_audit: bool, dh_rate_test_notes: str)
| 407 | |
| 408 | |
| 409 | def post_process_findings(banner: Optional[Banner], algs: Algorithms, client_audit: bool, dh_rate_test_notes: str) -> Tuple[List[str], List[str]]: |
| 410 | '''Perform post-processing on scan results before reporting them to the user. Returns a list of algorithms that should not be recommended and a list of notes.''' |
| 411 | |
def _add_terrapin_warning(db: Dict[str, Dict[str, List[List[Optional[str]]]]], category: str, algorithm_name: str) -> None:
    '''Adds a warning regarding the Terrapin vulnerability for the specified algorithm.

    ``db[category][algorithm_name]`` is a list of note lists; index 2 is the
    warnings slot, so the entry is padded with empty lists until that index
    exists. Raises KeyError when the category or algorithm is absent from
    ``db``. Each call appends the warning text again, so callers should
    invoke this once per algorithm.
    '''
    entry = db[category][algorithm_name]
    # Pad with distinct empty lists (not one shared list) until index 2 exists.
    missing_slots = 3 - len(entry)
    if missing_slots > 0:
        entry.extend([] for _ in range(missing_slots))
    entry[2].append("vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation")
| 419 | |
| 420 | def _get_chacha_ciphers_enabled(algs: Algorithms) -> List[str]: |
| 421 | '''Returns a list of chacha20-poly1305 ciphers that the peer supports.''' |
| 422 | ret = [] |
| 423 | |
| 424 | if algs.ssh2kex is not None: |
| 425 | ciphers_supported = algs.ssh2kex.client.encryption if client_audit else algs.ssh2kex.server.encryption |
| 426 | for cipher in ciphers_supported: |
| 427 | if cipher.startswith("chacha20-poly1305"): |
| 428 | ret.append(cipher) |
| 429 | |
| 430 | return ret |
| 431 | |
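def _get_chacha_ciphers_not_enabled(db: Dict[str, Dict[str, List[List[Optional[str]]]]], algs: Algorithms) -> List[str]:
    '''Returns a list of the chacha20-poly1305 ciphers in our algorithm database that the peer does NOT support.

    Walks the "enc" category of ``db`` in its own iteration order and drops
    every cipher reported by _get_chacha_ciphers_enabled(). Raises KeyError
    if ``db`` has no "enc" category.
    '''
    # Compute the peer's list once; recomputing it for every database entry
    # (as the previous version did) was quadratic and served no purpose.
    enabled = set(_get_chacha_ciphers_enabled(algs))
    return [cipher for cipher in db["enc"] if cipher.startswith("chacha20-poly1305") and cipher not in enabled]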
| 441 | |
| 442 | def _get_cbc_ciphers_enabled(algs: Algorithms) -> List[str]: |
| 443 | '''Returns a list of CBC ciphers that the peer supports.''' |
| 444 | ret = [] |
| 445 | |
| 446 | if algs.ssh2kex is not None: |
| 447 | ciphers_supported = algs.ssh2kex.client.encryption if client_audit else algs.ssh2kex.server.encryption |
| 448 | for cipher in ciphers_supported: |
| 449 | if cipher.endswith("-cbc") or cipher.endswith("-cbc@openssh.org") or cipher.endswith("-cbc@ssh.com") or cipher == "rijndael-cbc@lysator.liu.se": |
| 450 | ret.append(cipher) |
| 451 | |
| 452 | return ret |
| 453 | |
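def _get_cbc_ciphers_not_enabled(db: Dict[str, Dict[str, List[List[Optional[str]]]]], algs: Algorithms) -> List[str]:
    '''Returns a list of the CBC ciphers in our algorithm database that the peer does NOT support.

    Uses the same CBC test as _get_cbc_ciphers_enabled() (suffixes "-cbc",
    "-cbc@openssh.org", "-cbc@ssh.com", plus the explicit
    "rijndael-cbc@lysator.liu.se") over the "enc" category of ``db``, in
    the database's own order. Raises KeyError if ``db`` has no "enc" category.
    '''
    # Compute the peer's list once instead of once per database entry.
    enabled = set(_get_cbc_ciphers_enabled(algs))
    cbc_suffixes = ("-cbc", "-cbc@openssh.org", "-cbc@ssh.com")
    return [
        cipher for cipher in db["enc"]
        if (cipher.endswith(cbc_suffixes) or cipher == "rijndael-cbc@lysator.liu.se") and cipher not in enabled
    ]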
| 463 | |
| 464 | def _get_etm_macs_enabled(algs: Algorithms) -> List[str]: |
| 465 | '''Returns a list of ETM MACs that the peer supports.''' |
| 466 | ret = [] |