fix duplications, fix cipher order tech table

Author: mxsasha

checks/categories.py

@@ -1073,24 +1073,9 @@ def result_good(self):
         self.verdict = "detail web tls cipher-order verdict good"
         self.tech_data = ""
 
-    def result_bad(self):
+    def result_bad(self, cipher_order_violation):
         self._status(STATUS_FAIL)
         self.verdict = "detail web tls cipher-order verdict bad"
-        self.tech_data = ""
-
-    def result_seclevel_bad(self, cipher_order_violation):
-        self._status(STATUS_FAIL)
-        self.verdict = "detail web tls cipher-order verdict seclevel-bad"
-        self.tech_data = cipher_order_violation
-
-    def result_score_warning(self, cipher_order_violation):
-        self._status(STATUS_NOTICE)
-        self.verdict = "detail web tls cipher-order verdict warning"
-        self.tech_data = cipher_order_violation
-
-    def result_score_info(self, cipher_order_violation):
-        self._status(STATUS_INFO)
-        self.verdict = "detail web tls cipher-order verdict warning"
         self.tech_data = cipher_order_violation
 
     def result_na(self):
@@ -1620,28 +1605,10 @@ def result_good(self):
         self.verdict = "detail mail tls cipher-order verdict good"
         self.tech_data = ""
 
-    def result_bad(self):
+    def result_bad(self, cipher_order_violation):
         self.was_tested()
         self._status(STATUS_FAIL)
         self.verdict = "detail mail tls cipher-order verdict bad"
-        self.tech_data = ""
-
-    def result_seclevel_bad(self, cipher_order_violation):
-        self.was_tested()
-        self._status(STATUS_FAIL)
-        self.verdict = "detail mail tls cipher-order verdict seclevel-bad"
-        self.tech_data = cipher_order_violation
-
-    def result_warning(self, cipher_order_violation):
-        self.was_tested()
-        self._status(STATUS_NOTICE)
-        self.verdict = "detail mail tls cipher-order verdict warning"
-        self.tech_data = cipher_order_violation
-
-    def result_info(self, cipher_order_violation):
-        self.was_tested()
-        self._status(STATUS_INFO)
-        self.verdict = "detail mail tls cipher-order verdict warning"
         self.tech_data = cipher_order_violation
 
     def result_na(self):

checks/tasks/tls/evaluation.py

@@ -1,5 +1,5 @@
 from dataclasses import dataclass
-from typing import List, Optional
+from typing import List, Optional, Any, Set
 
 from nassl.ephemeral_key_info import EcDhEphemeralKeyInfo, DhEphemeralKeyInfo, OpenSslEvpPkeyEnum
 from sslyze import TlsVersionEnum, CipherSuiteAcceptedByServer, CipherSuite
@@ -75,38 +75,38 @@ class TLSForwardSecrecyParameterEvaluation:
     max_dh_size: Optional[int]
     max_ec_size: Optional[int]
 
-    good_str: List[str]
-    phase_out_str: List[str]
-    bad_str: List[str]
+    good_str: Set[str]
+    phase_out_str: Set[str]
+    bad_str: Set[str]
 
     @classmethod
     def from_ciphers_accepted(cls, ciphers_accepted: List[CipherSuiteAcceptedByServer]):
-        good = []
-        phase_out = []
-        bad = []
+        good = set()
+        phase_out = set()
+        bad = set()
 
         # Evaluate according to NCSC table 4 and table 10
-        for suite in ciphers_accepted:
+        for suite in _unique_unhashable(ciphers_accepted):
             key = suite.ephemeral_key
             if not key:
                 continue
 
             if isinstance(key, EcDhEphemeralKeyInfo):
                 if key.size < FS_ECDH_MIN_KEY_SIZE:
-                    bad.append(f"ECDH-{key.size}")
+                    bad.add(f"ECDH-{key.size}")
                 if key.curve in FS_EC_PHASE_OUT:
-                    phase_out.append(f"ECDH-{key.curve_name}")
+                    phase_out.add(f"ECDH-{key.curve_name}")
                 elif key.curve not in FS_EC_GOOD:
-                    bad.append(f"ECDH-{key.curve_name}")
+                    bad.add(f"ECDH-{key.curve_name}")
 
             if isinstance(key, DhEphemeralKeyInfo):
                 if key.size < FS_DH_MIN_KEY_SIZE:
-                    bad.append(f"DH-{key.size}")
+                    bad.add(f"DH-{key.size}")
                 if key.generator == FFDHE_GENERATOR:
                     if key.prime == FFDHE2048_PRIME:
-                        phase_out.append("FFDHE-2048")
+                        phase_out.add("FFDHE-2048")
                     elif key.prime not in FFDHE_SUFFICIENT_PRIMES:
-                        bad.append(f"DH-{key.size}")
+                        bad.add(f"DH-{key.size}")
 
         dh_sizes = [
             suite.ephemeral_key.size
@@ -150,7 +150,7 @@ def from_ciphers_accepted(cls, ciphers_accepted: List[CipherSuiteAcceptedByServe
         ciphers_sufficient = []
         ciphers_phase_out = []
         ciphers_bad = []
-        for suite in ciphers_accepted:
+        for suite in _unique_unhashable(ciphers_accepted):
             if suite.cipher_suite.name in CIPHERS_GOOD:
                 ciphers_good.append(suite.cipher_suite)
             elif suite.cipher_suite.name in CIPHERS_SUFFICIENT:
@@ -191,3 +191,13 @@ class TLSCipherOrderEvaluation:
     violation: List[str]
     status: CipherOrderStatus
     score: scoring.Score
+
+
+def _unique_unhashable(ciphers: List[Any]) -> List[Any]:
+    # CipherSuite is not hashable, so can't always use set()
+    result = []
+    for cipher in ciphers:
+        if cipher not in result:
+            result.append(cipher)
+    return result
+

checks/tasks/tls/scans.py

@@ -769,6 +769,7 @@ def test_cipher_order(
         # Sort CHACHA as later in the list, in case SSL_OP_PRIORITIZE_CHACHA is enabled #461
         expected_less_preferred.sort(key=lambda c: "CHACHA" in c.name)
         if cipher_order_violation:
+            print("break out, got bad")
             break
         for expected_more_preferred in expected_more_preferred_list:
             print(
@@ -781,8 +782,8 @@ def test_cipher_order(
                 server_connectivity_info, tls_version, expected_less_preferred + [expected_more_preferred]
             )
             if preferred_suite != expected_more_preferred:
-                # TODO: check which name to report
                 cipher_order_violation = [preferred_suite.name, expected_more_preferred.name]
+                print(f"break out, got bad inner: {cipher_order_violation}")
                 break
 
     return TLSCipherOrderEvaluation(

checks/tasks/tls/tasks_reports.py

@@ -436,27 +436,9 @@ def annotate_and_combine_all(good_items, sufficient_items, bad_items, phaseout_i
                 category.subtests["tls_ciphers"].result_good()
 
             if dttls.cipher_order == CipherOrderStatus.bad:
-                category.subtests["tls_cipher_order"].result_bad()
+                category.subtests["tls_cipher_order"].result_bad(dttls.cipher_order_violation)
             elif dttls.cipher_order == CipherOrderStatus.na:
                 category.subtests["tls_cipher_order"].result_na()
-            elif dttls.cipher_order == CipherOrderStatus.not_seclevel:
-                (cipher1, cipher2, violated_rule) = dttls.cipher_order_violation
-                category.subtests["tls_cipher_order"].result_seclevel_bad([[cipher1, cipher2]])
-            elif dttls.cipher_order == CipherOrderStatus.not_prescribed:
-                # Provide tech_data that supplies values for two rows each of
-                # two cells to fill in a table like so:
-                # Web server IP address | Ciphers | Rule #
-                # -------------------------------------------------------------
-                # 1.2.3.4               | cipher1 | ' '
-                # ...                   | cipher2 | violated_rule
-                (cipher1, cipher2, violated_rule) = dttls.cipher_order_violation
-                # The 5th rule is only informational.
-                if violated_rule == 5:
-                    category.subtests["tls_cipher_order"].result_score_info([[cipher1, cipher2], [" ", violated_rule]])
-                else:
-                    category.subtests["tls_cipher_order"].result_score_warning(
-                        [[cipher1, cipher2], [" ", violated_rule]]
-                    )
             else:
                 category.subtests["tls_cipher_order"].result_good()
 
@@ -585,29 +567,10 @@ def annotate_and_combine_all(good_items, sufficient_items, bad_items, phaseout_i
                 category.subtests["tls_ciphers"].result_phase_out(ciphers_all)
             else:
                 category.subtests["tls_ciphers"].result_good()
-
             if dttls.cipher_order == CipherOrderStatus.bad:
-                category.subtests["tls_cipher_order"].result_bad()
+                category.subtests["tls_cipher_order"].result_bad(dttls.cipher_order_violation)
             elif dttls.cipher_order == CipherOrderStatus.na:
                 category.subtests["tls_cipher_order"].result_na()
-            elif dttls.cipher_order == CipherOrderStatus.not_seclevel:
-                (cipher1, cipher2, violated_rule) = dttls.cipher_order_violation
-                category.subtests["tls_cipher_order"].result_seclevel_bad([[cipher1, cipher2]])
-            elif dttls.cipher_order == CipherOrderStatus.not_prescribed:
-                # Provide tech_data that supplies values for two rows each of
-                # two cells to fill in a table like so:
-                # Web server IP address | Ciphers | Rule #
-                # -------------------------------------------------------------
-                # 1.2.3.4               | cipher1 | ' '
-                # ...                   | cipher2 | violated_rule
-                (cipher1, cipher2, violated_rule) = dttls.cipher_order_violation
-                # The 5th rule is only informational.
-                if violated_rule == 5:
-                    category.subtests["tls_cipher_order"].result_score_info([[cipher1, cipher2], [" ", violated_rule]])
-                else:
-                    category.subtests["tls_cipher_order"].result_score_warning(
-                        [[cipher1, cipher2], [" ", violated_rule]]
-                    )
             else:
                 category.subtests["tls_cipher_order"].result_good()