From: Robert Pluim
Newsgroups: gmane.emacs.devel
Subject: Re: The netsec thread
Date: Mon, 23 Jul 2018 22:51:21 +0200
Message-ID: <877ell8yly.fsf@gmail.com>
References: <83bmb214ez.fsf@gnu.org> <8736wamklr.fsf@gmail.com> <83effuvvqy.fsf@gnu.org> <8760169dao.fsf@gmail.com> <87sh49984j.fsf@gmail.com> <836015x2fs.fsf@gnu.org>
In-Reply-To: <836015x2fs.fsf@gnu.org> (Eli Zaretskii's message of "Mon, 23 Jul 2018 20:54:47 +0300")
To: Eli Zaretskii
Cc: emacs-devel@gnu.org

Eli Zaretskii writes:

>> From: Robert Pluim
>> Cc: Emacs-Devel devel , Eli Zaretskii
>> Date: Mon, 23 Jul 2018 19:25:48 +0200
>>
>> I still fail to see the real need for it, but I guess Eli has a
>> use-case.
>
> All the computers on my home network is my use case.

You regularly make connections from one machine running emacs to a
different machine on the same subnet using TLS? And you don't want to
answer 'a' once per target machine? I'll allow it, even if I don't
understand it. :-)

Trial implementation attached, based off the netsec branch. I got rid
of all the RFC 1918 stuff, and it allows localhost connections
regardless of the value of nsm-trust-local-network, which I'm also not
convinced about. I do wonder if checking all of the target host's
addresses is overkill, but we can always take that out.

diff --git i/lisp/net/nsm.el w/lisp/net/nsm.el index b59ea07d8a..682a238cc1 100644 --- i/lisp/net/nsm.el +++ w/lisp/net/nsm.el
@@ -70,9 +70,15 @@ nsm-trust-local-network such as attempting to connect to an email server that do not follow these practices inside a school or corporate network, NSM may produce warnings for such occasions. Setting this option to -a non-nil value, or a zero-argument function that returns non-nil -tells NSM to skip checking for potential TLS vulnerabilities when -connecting to hosts on a local network. +a non-nil value tells NSM to skip checking for potential TLS +vulnerabilities when connecting to hosts on a local network, +which is determined by inspecting the network addresses of the +local machine. + +This option can be set to a function taking one argument, in +which case that function will be called once for each IP address +that is found for the target host. It should return t if TLS +checks should not be performed for that address. =20 Make sure you know what you are doing before enabling this option." 
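Review bot: the function form of `nsm-trust-local-network` changes calling convention here, from "a zero-argument function that returns non-nil" to "a function taking one argument", so any existing user setting of a zero-argument function will now be called with an address it does not accept; either keep accepting both arities or document the incompatibility (NEWS entry). The new text should also say what the argument is (an address vector of integers as returned by the lookup, IPv4 or IPv6) and that any non-nil return disables the checks, rather than "It should return t", since the caller only tests the return for non-nil.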
@@ -204,54 +210,74 @@ nsm-tls-post-check-functions RESULTS is an alist where the keys are the checks run and the values the results of the checks.") =20 +(defun network-same-subnet-p (local-ip mask ip) + "Returns t if IP is in the same subnet as LOCAL-IP/MASK. +LOCAL-IP, MASK, and IP are specified as vectors of integers, and +are expected to have the same length. Works for both IPv4 and +IPv6 addresses." + (let ((matches t) + (length (length local-ip))) + (unless (memq length '(4 5 8 9)) + (error "Unexpected length of IP address %S" local-ip)) + (dotimes (i length) + (setq matches (and matches + (=3D + (logand (aref local-ip i) + (aref mask i)) + (logand (aref ip i) + (aref mask i)))))) + matches)) + (defun nsm-should-check (host) "Determines whether NSM should check for TLS problems for HOST. =20 -If `nsm-trust-local-network' is or returns non-nil, and if the -host address is a localhost address, a machine address, a direct -link or a private network address, this function returns -nil. Non-nil otherwise." - (let* ((address (or (nslookup-host-ipv4 host nil 'vector) - (nslookup-host-ipv6 host nil 'vector))) - (ipv4? (eq (length address) 4))) +If one of HOST's addresses is a localhost address this returns +nil. + +If `nsm-trust-local-network' is t this function will check if any +of HOST's addresses are in the same subnet as any directly +connected interfaces, and will return nil if so. + +If `nsm-trust-local-network' is a function it will be called once +for each address of HOST. If one of those calls returns t then +`nsm-should-check' will return nil immediately, and processing of +the HOST's addresses will stop. + +Otherwise returns t." + (let ((addresses (network-lookup-address-info host))) (not - (or (if ipv4? 
- (or - ;; (0.x.x.x) this machine - (eq (aref address 0) 0) - ;; (127.x.x.x) localhost - (eq (aref address 0) 0)) - (or - ;; (::) IPv6 this machine - (not (cl-mismatch address [0 0 0 0 0 0 0 0])) - ;; (::1) IPv6 localhost - (not (cl-mismatch address [0 0 0 0 0 0 0 1])))) - (and (or (and (functionp nsm-trust-local-network) - (funcall nsm-trust-local-network)) - nsm-trust-local-network) - (if ipv4? - (or - ;; (10.x.x.x) private - (eq (aref address 0) 10) - ;; (172.16.x.x) private - (and (eq (aref address 0) 172) - (eq (aref address 0) 16)) - ;; (192.168.x.x) private - (and (eq (aref address 0) 192) - (eq (aref address 0) 168)) - ;; (198.18.x.x) private - (and (eq (aref address 0) 198) - (eq (aref address 0) 18)) - ;; (169.254.x.x) link-local - (and (eq (aref address 0) 169) - (eq (aref address 0) 254))) - (memq (aref address 0) - '( - 64512 ;; (fc00::) IPv6 unique local address - 64768 ;; (fd00::) IPv6 unique local address - 65152 ;; (fe80::) IPv6 link-local - ) - ))))))) + (catch 'trust + (dolist (address addresses) + (let* ((length (length address)) + (ipv4? (eq length 4))) + (if ipv4? 
+ ;; (127.x.x.x) localhost + (and (eq (aref address 0) 127) + (throw 'trust t)) + ;; (::) IPv6 this machine and (::1) IPv6 localhost + (and (or (not (cl-mismatch address [0 0 0 0 0 0 0 0])) + (not (cl-mismatch address [0 0 0 0 0 0 0 1])) + (memq (aref address 0) + '( + 64512 ;; (fc00::) IPv6 unique local address + 64768 ;; (fd00::) IPv6 unique local address + 65152 ;; (fe80::) IPv6 link-local + ))) + (throw 'trust t))) + (cond + ((functionp nsm-trust-local-network) + (and (funcall nsm-trust-local-network address) + (throw 'trust t))) + (nsm-trust-local-network + (and + (cl-find-if #'(lambda (x) + (network-same-subnet-p (subseq (car x) 0 len= gth) + (subseq (caddr x) 0 l= ength) + address)) + (map-apply (lambda (a b) + (network-interface-info a)) + (network-interface-list))) + (throw 'trust t)))))))))) =20 (defun nsm-check-tls-connection (process host port status settings) "Check TLS connection against potential security problems.
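Review bot: the IPv6 branch grants trust unconditionally for fc00::/fd00:: unique-local and fe80:: link-local prefixes, because the `memq` on 64512/64768/65152 sits inside the same `and` as the `::`/`::1` loopback test and throws 'trust before `nsm-trust-local-network` is consulted, while the equivalent IPv4 private and link-local ranges were removed; a ULA or link-local target therefore skips TLS checks even with the option nil, which contradicts the new docstring ("If one of HOST's addresses is a localhost address this returns nil"). Keep only loopback on the unconditional path and move the prefix test under the `cond`. Two correctness points in the subnet comparison: `(subseq (car x) 0 length)` signals an out-of-range error when the target is IPv6 (length 8) and an interface only carries an IPv4 address (length 5), and with the families mixed the other way it compares IPv4 octets against IPv6 hextets, so restrict the `cl-find-if` to interfaces whose address length matches the target and skip interfaces where `network-interface-info` returns nil (which makes `(car x)` nil). Also confirm the length convention of `network-lookup-address-info` results: if they carry a trailing port element as `network-interface-list` entries do (the reason for the `subseq ... 0 length` on the interface side), then `(eq length 4)` is never true and IPv4 loopback is never recognised; strip the port from the target address the same way. From a security standpoint, trust is granted when any resolved address qualifies, but the connection goes to whichever address the stack actually picks, so a name that resolves to both a local and a remote address would skip checks on the remote one; checking the peer address from the process contact would be safer than iterating all results. Minor: `subseq` is the obsolete `cl` alias (use `cl-subseq` or `seq-subseq`), `cl-find-if`/`cl-mismatch` and `map-apply` need `cl-lib` and `map` required in the file (this diff adds no `require`), the `dotimes` in `network-same-subnet-p` could short-circuit on the first mismatch, and a helper named `network-same-subnet-p` defined in nsm.el should either get an `nsm-` prefix or live with the other `network-` functions.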