From: Noam Postavsky
Newsgroups: gmane.emacs.bugs
Subject: bug#31946: 27.0.50; The NSM should warn about more TLS problems
Date: Sat, 30 Jun 2018 16:30:40 -0400
Message-ID: <87lgawm2z3.fsf@gmail.com>
References: <87fu1apchn.fsf@gmail.com> <83in65r4n9.fsf@gnu.org> <87y3f1njku.fsf@gmail.com> <87tvpnojgt.fsf@gmail.com>
To: Jimmy Yuen Ho Wong
Cc: Lars Ingebrigtsen, 31946@debbugs.gnu.org
In-Reply-To: (Jimmy Yuen Ho Wong's message of "Sat, 30 Jun 2018 18:28:41 +0100")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)

Jimmy Yuen Ho Wong writes:

> I've manually tested this patch a bit, but please give this patch a
> look and see if I've missed anything.  I need all the feedback I can
> get for this.

Overall, I'd say this looks pretty good.  Some (mostly minor) comments on
the details below.
> * lisp/net/nsm.el
> (nsm-check-certificate, nsm-fingerprint-ok-p,
> nsm-check-plain-connection): Pre-format query messages before passing

It should be formatted as

(nsm-check-certificate, nsm-fingerprint-ok-p)
(nsm-check-plain-connection): Pre-format query messages before passing

> (nsm-protocol-check--diffie-hellman-prime-bits): Rename to
> nsm-protocol-check--dhe-kx. Checks for prime bits < 1024 for 'medium
                            ^
Periods should be double spaced; this applies in docstrings as well.

> nsm-protocol-check--rc4-cipher. Fix bug where it was previously
> checking for non-existent cipher name RC4 in GnuTLS instead of
> ARCFOUR.

Yikes, that's a good catch.

> (defvar network-security-protocol-checks
> + '((rsa-kx high)
> + (dhe-kx medium)
> + (anon-kx medium)
> + (export-kx medium)
> + (cbc-cipher high)
> + (ecdsa-cbc-cipher medium)
> + (3des-cipher medium)
> + (des-cipher medium)
> + (rc4-cipher medium)
> + (rc2-cipher medium)
> + (null-cipher medium)
> + (sha1-sig medium)
> + (md5-sig medium)
> (ssl medium))
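Review bot: the `(cbc-cipher high)` and `(ecdsa-cbc-cipher medium)` entries in this table overlap. The dispatcher runs every check whose level is at or below the user's, so at `high' a CBC suite with ECDSA authentication would presumably trip both checks and the user would be queried twice for the same suite. Consider having the general CBC check return nil for suites the ECDSA-specific check already reports, or stating in the docstring that the two entries are meant to fire together at `high'.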
> @@ -198,87 +207,370 @@ network-security-protocol-checks
> HOST PORT STATUS OPTIONAL-PARAMETER.")
>
> (defun nsm-check-protocol (process host port status settings)
> + (let ((results
> + (cl-remove-if-not
> + #'cdr
> + (cl-loop for check in network-security-protocol-checks

This cl-remove-if-not over a cl-loop collect seems a bit awkward.  How
about

(cl-loop for (name level . _) in network-security-protocol-checks
         for type = (intern (format ":%s" name))
         ;; Skip the check if the user has already said that this
         ;; host is OK for this type of "error".
         for result = (and (not (memq type (plist-get settings :conditions)))
                           (>= (nsm-level network-security-level)
                               (nsm-level level))
                           (funcall (intern (format "nsm-protocol-check--%s" name))
                                    host port status))
         when result collect (cons type result))

> +(defun nsm-protocol-check--dhe-kx (host port status)
> + "Check for finite field ephemeral Diffie-Hellman key exchange.
> +
> +If `network-security-level' is 'medium, and a DHE key exchange
> +method was used, this function queries the user if the prime bit
> +length is < 1024.
> +
> +If `network-security-level' is 'high or above, and a DHE key
> +exchange method was used, this function queries the user even if
> +the prime bit length is >= 1024.

It's kind of inconvenient that this function hardcodes the security
levels; it also makes reading the current settings more difficult
(e.g., when I saw (dhe-kx medium) at first, I thought you were going to
warn about DHE on level medium).  Can we do better here?  Maybe split in
two?

(By the way, the network-security-level values in docstrings should be
formatted as `medium' and `high', not single quoted.)

> +In 2014, the discovery of Logjam[1] had proven non-elliptic-curve
> +Diffie-Hellman key exchange with < 1024 prime bit length to be
> +unsafe.

I'd actually say DH smaller than 1024 bits was known to be unsafe before
that; the Logjam attack allows a man-in-the-middle to downgrade what
would have been a >= 1024 bit connection to "export" grade (e.g., 512
bits).

> + (if (and (>= (nsm-level network-security-level) (nsm-level 'medium))
> + (< prime-bits 1024))
> + (setq msg (format-message
> + "Diffie-Hellman prime bits (%s) too low (%s)"

I would phrase this as

  "Diffie-Hellman prime bits (%d) lower than `gnutls-min-prime-bits' (%d)"

> + prime-bits gnutls-min-prime-bits)))
> + (if (>= (nsm-level network-security-level) (nsm-level 'high))
> + (setq msg (concat
> + msg
> + (format-message
> + "non-elliptic-curve ephemeral Diffie-Hellman key exchange method (%s) maybe using an unsafe prime"

I would phrase this as

  "non-standardized Diffie-Hellman parameters cannot be validated"

(this covers the non-elliptic-curveness as well; the reason elliptic
curves are safe is that they're standardized and pre-validated.)

And you're missing a space between the messages, in the case where you
hit both of them.

> +(defun nsm-protocol-check--anon-kx (host port status)
> + "Check for anonymous key exchange.
> +
> +Anonymouse key exchange exposes the connection to MITM attacks.
> +
> +Reference:
> +
> +GnuTLS authors (2018). \"GnuTLS Manual 4.3.3 Anonymous
> +authentication\",
> +`https://www.gnutls.org/manual/gnutls.html\#Anonymous-authentication'"
                                             ^ typo?

> +(defun nsm-protocol-check--export-kx (host port status)
> + "Check for EXPORT key exchange.
> +
> +EXPORT cipher suites are a family of 40-bit effective security
> +algorithms legally exportable by the United States in the early 90s.
> +They can be broken in seconds on 2018 hardware.
> +
> +Recent version of GnuTLS does not enable this key exchange by default,

This should be "Recent versions of GnuTLS do not..."

> +but can be enabled if requested. This check is mainly provided to
       ^ it

> +;; Cipher checks
> +
> +(defun nsm-protocol-check--cbc-cipher (host port status)
> + "Check for CBC mode ciphers.
> +
> +CBC mode cipher in TLS versions earlier than 1.3 are problematic
> +because of MAC-then-encrypt. This construction is vulnerable to
> +padding oracle attacks[1].

I think the TLS version reference should be dropped, unless TLS 1.3 uses
CBC with encrypt-then-MAC?  I understood it just deprecates CBC
altogether.

> +(defun nsm-protocol-check--3des-cipher (host port status)
> + "Check for 3DES ciphers.
> +
> +3DES is considered a weak cipher by NIST as it only has 80 bits

Is it possible to distinguish between 3DES 2-key and 3DES 3-key?  (The
latter giving 112 bit security, which is still a bit low, but probably
acceptable for medium level.)
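Review bot: in the nsm-protocol-check--dhe-kx hunk, the `medium' branch compares `prime-bits` against the literal 1024 but reports `gnutls-min-prime-bits` in the message, so the threshold the user sees need not be the one that was applied: with `gnutls-min-prime-bits` customized to 512, a 768-bit prime would be reported as lower than 512. Compare against `gnutls-min-prime-bits` in the `(< prime-bits 1024)` test, or print the literal the test actually uses.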
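The table-driven dispatcher Noam sketches, with the DHE check split in two as he suggests, worked through as an added Emacs Lisp example. This is not code from the patch under review or from the reply: every `demo-` name is an assumption made here, and the STATUS plist keys `:key-exchange` and `:diffie-hellman-prime-bits` mirror the fields nsm.el reads from `gnutls-peer-status` but are filled with constructed sample values so the file runs without a network.

```elisp
;; Added example: a self-contained sketch of a table-driven NSM-style
;; check dispatcher and of the DHE check split across two security levels.
;; Every `demo-' name is an assumption made for this example, not an
;; Emacs or nsm.el API.
(require 'cl-lib)

(defvar demo-gnutls-min-prime-bits 1024
  "Stand-in for `gnutls-min-prime-bits' so the example runs without GnuTLS.")

(defconst demo-levels '(low medium high paranoid)
  "Security levels in increasing order of strictness.")

(defun demo-level (name)
  "Return the rank of security level NAME, or 0 if NAME is unknown."
  (or (cl-position name demo-levels) 0))

(defvar demo-protocol-checks
  '((dhe-prime-bits medium)
    (dhe-nonstandard-params high))
  "Alist of (CHECK-NAME LEVEL): CHECK-NAME runs at LEVEL and above.
Each CHECK-NAME maps to a function `demo-protocol-check--CHECK-NAME'.")

(defun demo-finite-field-dhe-p (status)
  "Non-nil when STATUS describes a finite-field DHE key exchange.
STATUS is a plist; :key-exchange is a GnuTLS-style name such as
\"DHE-RSA\".  ECDHE names start with \"EC\", so the anchored match
leaves elliptic-curve exchanges alone."
  (let ((kx (plist-get status :key-exchange)))
    (and (stringp kx) (string-match-p "\\`DHE" kx))))

(defun demo-protocol-check--dhe-prime-bits (_host _port status)
  "Medium-level check: a DHE prime shorter than the configured minimum."
  (let ((bits (plist-get status :diffie-hellman-prime-bits)))
    (when (and (demo-finite-field-dhe-p status)
               (integerp bits)
               (< bits demo-gnutls-min-prime-bits))
      (format-message "Diffie-Hellman prime bits (%d) lower than `gnutls-min-prime-bits' (%d)"
                      bits demo-gnutls-min-prime-bits))))

(defun demo-protocol-check--dhe-nonstandard-params (_host _port status)
  "High-level check: any finite-field DHE, whose parameters cannot be validated."
  (when (demo-finite-field-dhe-p status)
    (format "non-standardized Diffie-Hellman parameters cannot be validated (%s)"
            (plist-get status :key-exchange))))

(defun demo-check-protocol (host port status level settings)
  "Return an alist of (:CHECK-NAME . MESSAGE) for every check that fires.
LEVEL is the user's security level.  SETTINGS is a plist whose
:conditions entry lists check keywords already accepted for HOST;
those checks are skipped."
  (cl-loop for (name check-level . _) in demo-protocol-checks
           for type = (intern (format ":%s" name))
           for result = (and (not (memq type (plist-get settings :conditions)))
                             (>= (demo-level level) (demo-level check-level))
                             (funcall (intern (format "demo-protocol-check--%s" name))
                                      host port status))
           when result collect (cons type result)))

;; Constructed sample handshakes; run with `M-x eval-buffer' or
;; `emacs --batch -l this-file.el'.
(let ((weak   '(:key-exchange "DHE-RSA" :diffie-hellman-prime-bits 768))
      (strong '(:key-exchange "DHE-RSA" :diffie-hellman-prime-bits 2048))
      (ecdhe  '(:key-exchange "ECDHE-RSA")))
  (dolist (sample (list (list "medium, 768-bit DHE" weak 'medium nil)
                        (list "high, 768-bit DHE" weak 'high nil)
                        (list "high, 2048-bit DHE" strong 'high nil)
                        (list "high, 2048-bit DHE, already accepted for this host"
                              strong 'high '(:conditions (:dhe-nonstandard-params)))
                        (list "high, ECDHE" ecdhe 'high nil)))
    (cl-destructuring-bind (label status level settings) sample
      (message "%s -> %S" label
               (demo-check-protocol "example.invalid" 443 status level settings)))))
```

The 768-bit handshake trips only the prime-size check at `medium` and both checks at `high`; the 2048-bit handshake trips only the parameter-validation check at `high`, and nothing once that check's keyword is in `:conditions` for the host; the ECDHE handshake trips neither. Because each check owns exactly one level in the table, the table alone tells the reader what a given `network-security-level` will warn about, which is the readability point raised in the reply.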