From: Jimmy Yuen Ho Wong
Newsgroups: gmane.emacs.devel
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Sun, 8 Jul 2018 00:03:03 +0100
To: Paul Eggert
Cc: Lars Ingebrigtsen, Eli Zaretskii, Emacs-Devel devel, rms@gnu.org, "Perry E. Metzger"
In-Reply-To: <2486b7b1-0636-ddf8-b1eb-2c090858e84b@cs.ucla.edu>

> What C code do you need? You mentioned something earlier, but I didn't
> understand the use case. I can easily write and debug C code, if that
> would help.

Whooo thanks for lending a hand.

ATM, in order to implement `nsm-trust-local-network` properly for IPv6, I need some code to resolve a hostname to an IP address, preferably in Emacs' internal format as documented in make-network-process. There's an ancient function called dnsResolve that delegates to url-gateway-nslookup-host. It shells out to the system's nslookup for an IPv4 address now, but I need something that'll give me back an IPv6.
I could modify url-gateway-nslookup-host, but the nastiest thing is translating a short-form IPv6 address into a vector of numbers. I don't really care if it's C code for this one.

The one thing I need help with the most is implementing the client side of RFC 6962 (https://tools.ietf.org/html/rfc6962). The general idea is that you need to implement an X.509 certificate extension and a TLS extension called Signed Certificate Timestamp using GnuTLS's API. Once you can extract that from a handshake, just put the SCT data into the list returned by gnutls_certificate_details (I have renamed it to emacs_gnutls_certificate_details, but you might want to change it back). Once you have the SCT on the Lisp side, you can write a check for `nsm-tls-checks` that opens up another connection to the auditor to validate the SCT. In addition, you may have to modify how GnuTLS deals with OCSP stapling as well, because that's the third way an SCT can be delivered.

You can take your time on this one if you decide to help out; I understand this is a rather large project on its own.

Thanks!
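The "nastiest thing" above, turning a short-form IPv6 address into the vector of 16-bit numbers that make-network-process uses, is small enough to do in Lisp. The following is an added example, not code from the original message or from Emacs' nsm.el; the `my/` names are hypothetical. It assumes Emacs' documented IPv6 representation (a vector of eight integers, with the port appended as a ninth element when known) and handles "::" compression, an embedded IPv4 tail, and bracketed input, rejecting malformed addresses instead of guessing.

```elisp
;;; ipv6-vector.el --- Parse textual IPv6 into Emacs's address vector  -*- lexical-binding: t -*-

;; Added example, not part of the original message or of Emacs's nsm.el.
;; Emacs represents an IPv6 address (see `make-network-process') as a
;; vector of eight 16-bit integers, optionally followed by the port.

(require 'cl-lib)
(require 'subr-x)

(defun my/ipv6-group-to-int (group)
  "Parse GROUP, one hex field of an IPv6 address, into an integer 0..65535.
Signal an error on anything that is not 1-4 hex digits."
  (unless (string-match-p "\\`[0-9A-Fa-f]\\{1,4\\}\\'" group)
    (error "Bad IPv6 field: %S" group))
  (string-to-number group 16))

(defun my/ipv4-tail-to-groups (dotted)
  "Turn a dotted quad DOTTED (e.g. \"192.0.2.1\") into two 16-bit groups."
  (let ((octets (split-string dotted "\\.")))
    (unless (and (= (length octets) 4)
                 (cl-every (lambda (o) (string-match-p "\\`[0-9]\\{1,3\\}\\'" o))
                           octets))
      (error "Bad embedded IPv4 address: %S" dotted))
    (let ((nums (mapcar #'string-to-number octets)))
      (when (cl-some (lambda (n) (> n 255)) nums)
        (error "IPv4 octet out of range: %S" dotted))
      (list (logior (ash (nth 0 nums) 8) (nth 1 nums))
            (logior (ash (nth 2 nums) 8) (nth 3 nums))))))

(defun my/ipv6-to-vector (text &optional port)
  "Parse TEXT, a textual IPv6 address, into Emacs's internal vector form.
Accepts full, \"::\"-compressed and IPv4-mapped forms, optionally wrapped
in brackets.  If PORT is non-nil it is appended as the ninth element.
Signals an error on malformed input."
  (let* ((s (string-trim text))
         (s (if (string-match "\\`\\[\\(.*\\)\\]\\'" s) (match-string 1 s) s))
         (halves (split-string s "::"))
         (expand
          (lambda (part)
            ;; One side of "::" becomes a list of 16-bit integers.
            (if (string-empty-p part)
                nil
              (let ((fields (split-string part ":")))
                ;; A dotted quad may only appear as the last field.
                (if (string-match-p "\\." (car (last fields)))
                    (append (mapcar #'my/ipv6-group-to-int (butlast fields))
                            (my/ipv4-tail-to-groups (car (last fields))))
                  (mapcar #'my/ipv6-group-to-int fields)))))))
    (when (> (length halves) 2)
      (error "More than one \"::\" in %S" text))
    (let* ((head (funcall expand (nth 0 halves)))
           (tail (and (cdr halves) (funcall expand (nth 1 halves))))
           (missing (- 8 (length head) (length tail))))
      (cond ((and (cdr halves) (< missing 1))
             (error "\"::\" must stand for at least one zero group: %S" text))
            ((and (not (cdr halves)) (/= missing 0))
             (error "Expected 8 groups, got %d: %S" (length head) text)))
      (apply #'vector
             (append head
                     (and (cdr halves) (make-list missing 0))
                     tail
                     (and port (list port)))))))

(require 'ert)
(ert-deftest my/ipv6-to-vector-examples ()
  (should (equal (my/ipv6-to-vector "::1") [0 0 0 0 0 0 0 1]))
  (should (equal (my/ipv6-to-vector "2001:db8::1" 443)
                 [8193 3512 0 0 0 0 0 1 443]))
  (should (equal (my/ipv6-to-vector "[::ffff:192.0.2.1]")
                 [0 0 0 0 0 65535 49152 513]))
  (should-error (my/ipv6-to-vector "1::2::3"))
  (should-error (my/ipv6-to-vector "1:2:3")))
```

Load the file and run `M-x ert RET my/ipv6-to-vector-examples RET`. The result can be fed to `format-network-address` to round-trip it, and compared field by field against the addresses of local interfaces when deciding what counts as the local network. Emacs 27 later added `network-lookup-address-info`, which performs the name lookup itself and returns addresses in this same vector form, so on a current Emacs the resolver half of the problem no longer needs nslookup.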
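Whichever of the three delivery paths an SCT arrives by (the X.509 extension, the TLS extension, or the OCSP response), the payload is the same SignedCertificateTimestampList structure from RFC 6962 section 3.3, so the Lisp side of the check can share one decoder. The following is an added example, not code from the original message, from Emacs or from GnuTLS; the `my/` names are hypothetical. It assumes the C side has already handed Lisp the raw list as a unibyte string (for the X.509 path, the contents of the extension's OCTET STRING). The sample bytes are constructed for illustration; the log ID and signature are not from any real log, and signature verification (which needs the log's public key and the TBS certificate) is out of scope here.

```elisp
;;; sct-list.el --- Decode an RFC 6962 SignedCertificateTimestampList  -*- lexical-binding: t -*-

;; Added example, not part of the original message, of Emacs or of GnuTLS.
;; Wire format (RFC 6962 section 3.3, lengths are big-endian):
;;   SignedCertificateTimestampList = u16 length, then SerializedSCTs
;;   SerializedSCT = u16 length, then one SignedCertificateTimestamp
;;   SignedCertificateTimestamp = u8 version, 32-byte log id, u64 timestamp,
;;     u16 extensions length + data, then the digitally-signed struct:
;;     u8 hash alg, u8 signature alg, u16 signature length + signature.

(require 'cl-lib)

(defun my/sct-u16 (s pos)
  (logior (ash (aref s pos) 8) (aref s (1+ pos))))

(defun my/sct-u64 (s pos)
  ;; Millisecond timestamps fit in a fixnum on 64-bit Emacs.
  (let ((n 0))
    (dotimes (i 8 n)
      (setq n (logior (ash n 8) (aref s (+ pos i)))))))

(defun my/parse-sct (bytes start end)
  "Parse one SignedCertificateTimestamp occupying BYTES[START,END).
Return a plist; signal an error unless the structure fills the span exactly."
  (let ((pos start) version log-id timestamp ext-len extensions
        hash-alg sig-alg sig-len signature)
    (cl-flet ((need (n) (when (> (+ pos n) end)
                          (error "Truncated SCT at offset %d" pos))))
      (need 1)  (setq version (aref bytes pos)) (cl-incf pos)
      (unless (= version 0) (error "Unknown SCT version %d" version))
      (need 32) (setq log-id (substring bytes pos (+ pos 32))) (cl-incf pos 32)
      (need 8)  (setq timestamp (my/sct-u64 bytes pos)) (cl-incf pos 8)
      (need 2)  (setq ext-len (my/sct-u16 bytes pos)) (cl-incf pos 2)
      (need ext-len)
      (setq extensions (substring bytes pos (+ pos ext-len))) (cl-incf pos ext-len)
      (need 4)
      (setq hash-alg (aref bytes pos)
            sig-alg (aref bytes (1+ pos))
            sig-len (my/sct-u16 bytes (+ pos 2)))
      (cl-incf pos 4)
      (need sig-len)
      (setq signature (substring bytes pos (+ pos sig-len))) (cl-incf pos sig-len)
      (unless (= pos end)
        (error "%d trailing bytes after SCT" (- end pos)))
      (list :version version :log-id log-id :timestamp timestamp
            :extensions extensions :hash-algorithm hash-alg
            :signature-algorithm sig-alg :signature signature))))

(defun my/parse-sct-list (bytes)
  "Parse a SignedCertificateTimestampList from unibyte BYTES.
Return the SCTs as plists in wire order, rejecting any length that does not
fit the data rather than reading past it."
  (when (multibyte-string-p bytes) (error "SCT list must be a unibyte string"))
  (when (< (length bytes) 2) (error "SCT list too short"))
  (let* ((list-len (my/sct-u16 bytes 0))
         (end (+ 2 list-len))
         (pos 2)
         result)
    (unless (= end (length bytes))
      (error "SCT list length %d does not match %d payload bytes"
             list-len (- (length bytes) 2)))
    (while (< pos end)
      (when (> (+ pos 2) end) (error "Truncated SCT length at offset %d" pos))
      (let* ((sct-len (my/sct-u16 bytes pos))
             (sct-start (+ pos 2))
             (sct-end (+ sct-start sct-len)))
        (when (or (zerop sct-len) (> sct-end end))
          (error "SCT length %d at offset %d does not fit in list" sct-len pos))
        (push (my/parse-sct bytes sct-start sct-end) result)
        (setq pos sct-end)))
    (nreverse result)))

;; Constructed sample: one v1 SCT, no extensions, sha256/ecdsa, 4-byte signature.
(defconst my/sample-sct-list
  (apply #'unibyte-string
         (append '(0 53)                        ; list length: 53 bytes follow
                 '(0 51)                        ; this serialized SCT is 51 bytes
                 '(0)                           ; version v1
                 (make-list 32 #x11)            ; log id (made up, not a real log)
                 '(0 0 1 100 156 139 78 0)      ; timestamp, ms since the epoch
                 '(0 0)                         ; no extensions
                 '(4 3)                         ; hash sha256, signature ecdsa
                 '(0 4) '(#xde #xad #xbe #xef)))) ; signature (made up)

(require 'ert)
(ert-deftest my/parse-sct-list-sample ()
  (let ((sct (car (my/parse-sct-list my/sample-sct-list))))
    (should (= (length (my/parse-sct-list my/sample-sct-list)) 1))
    (should (= (plist-get sct :version) 0))
    (should (= (plist-get sct :timestamp) #x01649C8B4E00))
    (should (equal (plist-get sct :signature) (unibyte-string #xde #xad #xbe #xef)))
    ;; A payload cut short must be rejected, not partially accepted.
    (should-error (my/parse-sct-list (substring my/sample-sct-list 0 -1)))))
```

A check added to `nsm-tls-checks` would take these plists, pick the ones whose `:log-id` matches a log it knows, and verify `:signature` over the reconstructed signed data before, or instead of, contacting an auditor. The decoder itself never trusts a length field: every read is bounds-checked against the enclosing span, which matters because this data arrives from the peer before the certificate has been accepted.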