gSwitch TLS to sslyze/nassl based reimplementation

internetstandards · May 7, 2024 · 80bc4ef · 80bc4ef
1 parent b9f06b6
commit 80bc4ef
Show file tree

Hide file tree

Showing 37 changed files with 5,454 additions and 43,786 deletions.
diff --git a/.gitmodules b/.gitmodules
@@ -1,12 +1,7 @@
 [submodule "vendor/unbound"]
 	path = vendor/unbound
 	url = https://github.com/internetstandards/unbound.git
-[submodule "vendor/nassl"]
-	path = vendor/nassl
-	url = https://github.com/internetstandards/nassl.git
-[submodule "vendor/openssl-1.0.2e"]
-	path = vendor/openssl-1.0.2e
-	url = https://github.com/PeterMosmans/openssl.git
-[submodule "vendor/openssl-master"]
-	path = vendor/openssl-master
-	url = https://github.com/openssl/openssl.git
+[submodule "vendor/nassl6"]
+	path = vendor/nassl6
+	url = https://github.com/mxsasha/nassl
+	branch = sigalg
diff --git a/checks/categories.py b/checks/categories.py
@@ -1073,24 +1073,9 @@ def result_good(self):
         self.verdict = "detail web tls cipher-order verdict good"
         self.tech_data = ""
 
-    def result_bad(self):
+    def result_bad(self, cipher_order_violation):
         self._status(STATUS_FAIL)
         self.verdict = "detail web tls cipher-order verdict bad"
-        self.tech_data = ""
-
-    def result_seclevel_bad(self, cipher_order_violation):
-        self._status(STATUS_FAIL)
-        self.verdict = "detail web tls cipher-order verdict seclevel-bad"
-        self.tech_data = cipher_order_violation
-
-    def result_score_warning(self, cipher_order_violation):
-        self._status(STATUS_NOTICE)
-        self.verdict = "detail web tls cipher-order verdict warning"
-        self.tech_data = cipher_order_violation
-
-    def result_score_info(self, cipher_order_violation):
-        self._status(STATUS_INFO)
-        self.verdict = "detail web tls cipher-order verdict warning"
         self.tech_data = cipher_order_violation
 
     def result_na(self):
@@ -1620,28 +1605,10 @@ def result_good(self):
         self.verdict = "detail mail tls cipher-order verdict good"
         self.tech_data = ""
 
-    def result_bad(self):
+    def result_bad(self, cipher_order_violation):
         self.was_tested()
         self._status(STATUS_FAIL)
         self.verdict = "detail mail tls cipher-order verdict bad"
-        self.tech_data = ""
-
-    def result_seclevel_bad(self, cipher_order_violation):
-        self.was_tested()
-        self._status(STATUS_FAIL)
-        self.verdict = "detail mail tls cipher-order verdict seclevel-bad"
-        self.tech_data = cipher_order_violation
-
-    def result_warning(self, cipher_order_violation):
-        self.was_tested()
-        self._status(STATUS_NOTICE)
-        self.verdict = "detail mail tls cipher-order verdict warning"
-        self.tech_data = cipher_order_violation
-
-    def result_info(self, cipher_order_violation):
-        self.was_tested()
-        self._status(STATUS_INFO)
-        self.verdict = "detail mail tls cipher-order verdict warning"
         self.tech_data = cipher_order_violation
 
     def result_na(self):

diff --git a/checks/http_client.py b/checks/http_client.py
@@ -10,8 +10,6 @@
 from forcediphttpsadapter.adapters import ForcedIPHTTPSAdapter
 
 from checks.tasks import SetupUnboundContext
-from checks.tasks.tls_connection import DEFAULT_TIMEOUT
-from checks.tasks.tls_connection_exceptions import NoIpError
 from django.conf import settings
 from interface.views.shared import ub_resolve_with_timeout
 from internetnl import log
@@ -20,6 +18,13 @@
 urllib3.disable_warnings()
 
 
+DEFAULT_TIMEOUT = 10
+
+
+class NoIpError(Exception):
+    pass
+
+
 def _do_request(args, headers, kwargs, session, url):
     """
     This small wrapper helps with handling of redirects.

diff --git a/checks/models.py b/checks/models.py
@@ -19,7 +19,10 @@ def __init__(self, *args, **kwargs):
     def from_db_value(self, value, expression, connection, context="Null"):
         if value is None:
             return value
-        return ast.literal_eval(value)
+        try:
+            return ast.literal_eval(value)
+        except ValueError:
+            raise ValueError(f"Failed literal_eval on value: {value}")
 
     def to_python(self, value):
         if not value:

diff --git a/checks/probes.py b/checks/probes.py
@@ -41,7 +41,7 @@
     from checks.tasks import mail
 
 if settings.INTERNET_NL_CHECK_SUPPORT_TLS:
-    from checks.tasks import tls
+    from checks.tasks.tls import tasks_reports as tls_tasks
 
 if settings.INTERNET_NL_CHECK_SUPPORT_APPSECPRIV:
     from checks.tasks import appsecpriv
@@ -410,7 +410,7 @@ def get_max_score(self, modelobj, maxscore):
     )
 
 if settings.INTERNET_NL_CHECK_SUPPORT_TLS:
-    web_probe_tls = Probe("tls", "site", model=WebTestTls, category=categories.WebTls, taskset=tls.web_registered)
+    web_probe_tls = Probe("tls", "site", model=WebTestTls, category=categories.WebTls, taskset=tls_tasks.web_registered)
 
 if settings.INTERNET_NL_CHECK_SUPPORT_APPSECPRIV:
     web_probe_appsecpriv = Probe(
@@ -442,7 +442,7 @@ def get_max_score(self, modelobj, maxscore):
 
 if settings.INTERNET_NL_CHECK_SUPPORT_TLS:
     batch_web_probe_tls = Probe(
-        "tls", "site", model=WebTestTls, category=categories.WebTls, taskset=tls.batch_web_registered
+        "tls", "site", model=WebTestTls, category=categories.WebTls, taskset=tls_tasks.batch_web_registered
     )
 
 if settings.INTERNET_NL_CHECK_SUPPORT_APPSECPRIV:
@@ -515,7 +515,9 @@ def get_max_score(self, modelobj, maxscore):
     )
 
 if settings.INTERNET_NL_CHECK_SUPPORT_TLS:
-    mail_probe_tls = Probe("tls", "mail", model=MailTestTls, category=categories.MailTls, taskset=tls.mail_registered)
+    mail_probe_tls = Probe(
+        "tls", "mail", model=MailTestTls, category=categories.MailTls, taskset=tls_tasks.mail_registered
+    )
 
 if settings.INTERNET_NL_CHECK_SUPPORT_RPKI:
     mail_probe_rpki = Probe(
@@ -539,7 +541,7 @@ def get_max_score(self, modelobj, maxscore):
 
 if settings.INTERNET_NL_CHECK_SUPPORT_TLS:
     batch_mail_probe_tls = Probe(
-        "tls", "mail", model=MailTestTls, category=categories.MailTls, taskset=tls.batch_mail_registered
+        "tls", "mail", model=MailTestTls, category=categories.MailTls, taskset=tls_tasks.batch_mail_registered
     )
 
 if settings.INTERNET_NL_CHECK_SUPPORT_RPKI:

diff --git a/checks/scoring.py b/checks/scoring.py
@@ -1,17 +1,22 @@
 # Copyright: 2022, ECP, NLnet Labs and the Internet.nl contributors
 # SPDX-License-Identifier: Apache-2.0
+from typing import NewType
+
+Status = NewType("Status", int)
+Score = NewType("Score", int)
 
 # --- STATUSES
 #
 # Do not change these values.
 # You can append statuses and then change the ORDERED_STATUSES below.
-STATUS_FAIL = 0
-STATUS_SUCCESS = 1
-STATUS_NOTICE = 2
-STATUS_GOOD_NOT_TESTED = 3
-STATUS_NOT_TESTED = 4
-STATUS_INFO = 5
-STATUS_ERROR = 6
+
+STATUS_FAIL = Status(0)
+STATUS_SUCCESS = Status(1)
+STATUS_NOTICE = Status(2)
+STATUS_GOOD_NOT_TESTED = Status(3)
+STATUS_NOT_TESTED = Status(4)
+STATUS_INFO = Status(5)
+STATUS_ERROR = Status(6)
 
 STATUS_MAX = STATUS_SUCCESS
 
@@ -42,10 +47,10 @@
 
 # --- SCORES
 #
-FULL_WEIGHT_POINTS = 10  # These are three levels of weighing results.
-HALF_WEIGHT_POINTS = 5  # All three can be used for passed tests, the
-LESS_WEIGHT_POINTS = 2  # difference is the effect on the overall score.
-NO_POINTS = 0
+FULL_WEIGHT_POINTS = Score(10)  # These are three levels of weighing results.
+HALF_WEIGHT_POINTS = Score(5)  # All three can be used for passed tests, the
+LESS_WEIGHT_POINTS = Score(2)  # difference is the effect on the overall score.
+NO_POINTS = Score(0)
 
 
 # You can edit the below values to change the scoring for the subtests.