Show bad/phase out kex hash funcs in techtable

Author: mxsasha

checks/categories.py

@@ -1510,23 +1510,23 @@ def result_good(self):
         self.verdict = "detail web tls kex-hash-func verdict good"
         self.tech_data = "detail tech data good"
 
-    def result_bad(self):
+    def result_bad(self, tech_data):
         self.was_tested()
         self._status(STATUS_FAIL)
         self.verdict = "detail web tls kex-hash-func verdict bad"
-        self.tech_data = "detail tech data insufficient"
+        self.tech_data = tech_data
 
     def result_unknown(self):
         self.was_tested()
         self._status(STATUS_INFO)
         self.verdict = "detail web tls kex-hash-func verdict other"
         self.tech_data = "detail tech data not-applicable"
 
-    def result_phase_out(self):
+    def result_phase_out(self, tech_data):
         self.was_tested()
         self._status(STATUS_NOTICE)
         self.verdict = "detail web tls kex-hash-func verdict phase-out"
-        self.tech_data = "detail tech data phase-out"
+        self.tech_data = tech_data
 
 
 class WebTLSExtendedMasterSecret(Subtest):
@@ -2138,23 +2138,23 @@ def result_good(self):
         self.verdict = "detail mail tls kex-hash-func verdict good"
         self.tech_data = "detail tech data good"
 
-    def result_bad(self):
+    def result_bad(self, tech_data):
         self.was_tested()
         self._status(STATUS_FAIL)
         self.verdict = "detail mail tls kex-hash-func verdict bad"
-        self.tech_data = "detail tech data insufficient"
+        self.tech_data = tech_data
 
     def result_unknown(self):
         self.was_tested()
         self._status(STATUS_INFO)
         self.verdict = "detail mail tls kex-hash-func verdict other"
         self.tech_data = "detail tech data not-applicable"
 
-    def result_phase_out(self):
+    def result_phase_out(self, tech_data):
         self.was_tested()
         self._status(STATUS_NOTICE)
         self.verdict = "detail mail tls kex-hash-func verdict phase-out"
-        self.tech_data = "detail tech data phase-out"
+        self.tech_data = tech_data
 
 
 class MailTLSExtendedMasterSecret(Subtest):

checks/migrations/0021_domaintesttls_kex_hash_func_techtable.py

@@ -0,0 +1,15 @@
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("checks", "0020_domaintesttls_extended_master_secret_and_more"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="domaintesttls",
+            name="kex_hash_func_bad_hash",
+            field=models.CharField(default=None, max_length=255, null=True),
+        ),
+    ]

checks/models.py

@@ -542,6 +542,7 @@ class DomainTestTls(BaseTestModel):
 
     kex_hash_func = EnumField(KexHashFuncStatus, default=KexHashFuncStatus.bad)
     kex_hash_func_score = models.IntegerField(null=True)
+    kex_hash_func_bad_hash = models.CharField(max_length=255, null=True, default=None)
 
     extended_master_secret = EnumField(TLSExtendedMasterSecretStatus, default=TLSExtendedMasterSecretStatus.unknown)
     extended_master_secret_score = models.IntegerField(null=True)

checks/tasks/tls/evaluation.py

@@ -318,6 +318,7 @@ class KeyExchangeHashFunctionEvaluation:
 
     status: KexHashFuncStatus
     score: scoring.Score
+    found_hash: Optional[str] = None
 
 
 @dataclass(frozen=True)

checks/tasks/tls/scans.py

@@ -689,6 +689,7 @@ def check_mail_tls(
         ),
         kex_hash_func=key_exchange_hash_evaluation.status,
         kex_hash_func_score=key_exchange_hash_evaluation.score,
+        kex_hash_func_bad_hash=key_exchange_hash_evaluation.found_hash,
         extended_master_secret=extended_master_secret_evaluation.status,
         extended_master_secret_score=extended_master_secret_evaluation.score,
     )
@@ -813,6 +814,7 @@ def check_web_tls(url, af_ip_pair=None, *args, **kwargs):
         ocsp_stapling_score=ocsp_evaluation.score,
         kex_hash_func=key_exchange_hash_evaluation.status,
         kex_hash_func_score=key_exchange_hash_evaluation.score,
+        kex_hash_func_bad_hash=key_exchange_hash_evaluation.found_hash,
         extended_master_secret=extended_master_secret_evaluation.status,
         extended_master_secret_score=extended_master_secret_evaluation.score,
     )
@@ -888,6 +890,7 @@ def test_key_exchange_hash(
         return KeyExchangeHashFunctionEvaluation(
             status=KexHashFuncStatus.bad,
             score=scoring.WEB_TLS_KEX_HASH_FUNC_BAD,
+            found_hash=bad_hash_result.name,
         )
 
     phase_out_hash_result = _test_connection_with_limited_sigalgs(
@@ -898,6 +901,7 @@ def test_key_exchange_hash(
         return KeyExchangeHashFunctionEvaluation(
             status=KexHashFuncStatus.phase_out,
             score=scoring.WEB_TLS_KEX_HASH_FUNC_OK,
+            found_hash=phase_out_hash_result.name,
         )
 
     return KeyExchangeHashFunctionEvaluation(

checks/tasks/tls/tasks_reports.py

@@ -275,6 +275,7 @@ def save_results(model, results, addr, domain, category):
                     model.ocsp_stapling_score = result.get("ocsp_stapling_score")
                     model.kex_hash_func = result.get("kex_hash_func")
                     model.kex_hash_func_score = result.get("kex_hash_func_score")
+                    model.kex_hash_func_bad_hash = result.get("kex_hash_func_bad_hash")
                     model.extended_master_secret = result.get("extended_master_secret")
                     model.extended_master_secret_score = result.get("extended_master_secret_score")
 
@@ -352,6 +353,7 @@ def save_results(model, results, addr, domain, category):
                     # model.ocsp_stapling_score = result.get("ocsp_stapling_score")
                     model.kex_hash_func = result.get("kex_hash_func")
                     model.kex_hash_func_score = result.get("kex_hash_func_score")
+                    model.kex_hash_func_bad_hash = result.get("kex_hash_func_bad_hash")
                     model.extended_master_secret = result.get("extended_master_secret")
                     model.extended_master_secret_score = result.get("extended_master_secret_score")
                 if result.get("tls_cert"):
@@ -570,11 +572,11 @@ def annotate_and_combine_all(good_items, sufficient_items, bad_items, phaseout_i
             if dttls.kex_hash_func == KexHashFuncStatus.good:
                 category.subtests["kex_hash_func"].result_good()
             elif dttls.kex_hash_func == KexHashFuncStatus.bad:
-                category.subtests["kex_hash_func"].result_bad()
+                category.subtests["kex_hash_func"].result_bad(dttls.kex_hash_func_bad_hash)
             elif dttls.kex_hash_func == KexHashFuncStatus.unknown:
                 category.subtests["kex_hash_func"].result_unknown()
             elif dttls.kex_hash_func == KexHashFuncStatus.phase_out:
-                category.subtests["kex_hash_func"].result_phase_out()
+                category.subtests["kex_hash_func"].result_phase_out(dttls.kex_hash_func_bad_hash)
 
             category.subtests["extended_master_secret"].save_result(dttls.extended_master_secret)
 
@@ -732,11 +734,11 @@ def annotate_and_combine_all(good_items, sufficient_items, bad_items, phaseout_i
             if dttls.kex_hash_func == KexHashFuncStatus.good:
                 category.subtests["kex_hash_func"].result_good()
             elif dttls.kex_hash_func == KexHashFuncStatus.bad:
-                category.subtests["kex_hash_func"].result_bad()
+                category.subtests["kex_hash_func"].result_bad(dttls.kex_hash_func_bad_hash)
             elif dttls.kex_hash_func == KexHashFuncStatus.unknown:
                 category.subtests["kex_hash_func"].result_unknown()
             elif dttls.kex_hash_func == KexHashFuncStatus.phase_out:
-                category.subtests["kex_hash_func"].result_phase_out()
+                category.subtests["kex_hash_func"].result_phase_out(dttls.kex_hash_func_bad_hash)
 
             category.subtests["extended_master_secret"].save_result(dttls.extended_master_secret)