Commit b4065de3 authored by Lars Ingebrigtsen

Rename renamed nsm.el variables and functions back

* doc/emacs/misc.texi (Network Security): Start working on
updating the NSM bits, but it's unclear how much of the new stuff
to document.

* lisp/net/nsm.el: Rename all nsm-tls-check-* functions to
nsm-protocol-check--* to bring them back into line with the
documentation.
(network-security-protocol-checks): Renamed back again from
`nsm-tls-checks', as this variable is documented and can't just go
away.
parent 7b0d4985
Pipeline #2957 failed in 3 minutes and 23 seconds
...@@ -302,7 +302,10 @@ the Transport Layer Security (@acronym{TLS}) features. ...@@ -302,7 +302,10 @@ the Transport Layer Security (@acronym{TLS}) features.
@vindex network-security-level @vindex network-security-level
The @code{network-security-level} variable determines the security The @code{network-security-level} variable determines the security
level that @acronym{NSM} enforces. If its value is @code{low}, no level that @acronym{NSM} enforces. If its value is @code{low}, no
security checks are performed. security checks are performed. This is not recommended, and will
basically mean that your network connections can't be trusted.
However, the setting can be useful in limited circumstances, as when
testing network issues.
If this variable is @code{medium} (which is the default), a number of If this variable is @code{medium} (which is the default), a number of
checks will be performed. If as result @acronym{NSM} determines that checks will be performed. If as result @acronym{NSM} determines that
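Review bot: while this paragraph is being rewritten, the unchanged context line "If as result @acronym{NSM} determines that" should read "If as a result", and "will basically mean that your network connections can't be trusted" is looser than the rest of the manual; "means that your network connections cannot be trusted" keeps the same warning in the manual's register. The added sentence about using @code{low} only in limited circumstances such as debugging is the right caveat to give here.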
...@@ -325,13 +328,12 @@ The protocol network checks is controlled via the ...@@ -325,13 +328,12 @@ The protocol network checks is controlled via the
@code{network-security-protocol-checks} variable. @code{network-security-protocol-checks} variable.
It's an alist where the first element of each association is the name It's an alist where the first element of each association is the name
of the check, the second element is the security level where the check of the check, and the second element is the security level where the
should be used, and the optional third element is a parameter supplied check should be used.
to the check.
An element like @code{(rc4 medium)} will result in the function An element like @code{(rc4 medium)} will result in the function
@code{nsm-protocol-check--rc4} being called like thus: @code{nsm-protocol-check--rc4} being called like thus:
@w{@code{(nsm-protocol-check--rc4 host port status optional-parameter)}}. @w{@code{(nsm-protocol-check--rc4 host port status settings)}}.
The function should return non-@code{nil} if the connection should The function should return non-@code{nil} if the connection should
proceed and @code{nil} otherwise. proceed and @code{nil} otherwise.
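Review bot: the worked example in this hunk no longer matches the code. An entry @code{(rc4 medium)} now makes @code{nsm-check-tls-connection} build and call @code{nsm-protocol-check--rc4}, but the default list in nsm.el names the check @code{rc4-cipher} and the function defined is @code{nsm-protocol-check--rc4-cipher}, so a user who copies the manual's example gets an entry that does not correspond to any check. Change the example to @code{(rc4-cipher medium)} and @code{nsm-protocol-check--rc4-cipher}, and state the rule explicitly: the check name CHECK is called as the function @code{nsm-protocol-check--CHECK}. Two smaller points in the surrounding context: "The protocol network checks is controlled" should be "are controlled", and "called like thus" reads better as "called as follows".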
...@@ -138,27 +138,27 @@ unencrypted." ...@@ -138,27 +138,27 @@ unencrypted."
(nsm-save-host host port status 'fingerprint nil 'always)) (nsm-save-host host port status 'fingerprint nil 'always))
process))))) process)))))
(defcustom nsm-tls-checks (defcustom network-security-protocol-checks
'(;; Old Known Weaknesses. '(;; Old Known Weaknesses.
(nsm-tls-check-version . medium) (version medium)
(nsm-tls-check-compression . medium) (compression medium)
(nsm-tls-check-renegotiation-info-ext . medium) (renegotiation-info-ext medium)
(nsm-tls-check-verify-cert . medium) (verify-cert medium)
(nsm-tls-check-same-cert . medium) (same-cert medium)
(nsm-tls-check-null-suite . medium) (null-suite medium)
(nsm-tls-check-export-kx . medium) (export-kx medium)
(nsm-tls-check-anon-kx . medium) (anon-kx medium)
(nsm-tls-check-md5-sig . medium) (md5-sig medium)
(nsm-tls-check-rc4-cipher . medium) (rc4-cipher medium)
;; Weaknesses made known after 2013. ;; Weaknesses made known after 2013.
(nsm-tls-check-dhe-prime-kx . medium) (dhe-prime-kx medium)
(nsm-tls-check-sha1-sig . medium) (sha1-sig medium)
(nsm-tls-check-ecdsa-cbc-cipher . medium) (ecdsa-cbc-cipher medium)
;; Towards TLS 1.3 ;; Towards TLS 1.3
(nsm-tls-check-dhe-kx . high) (dhe-kx high)
(nsm-tls-check-rsa-kx . high) (rsa-kx high)
(nsm-tls-check-3des-cipher . high) (3des-cipher high)
(nsm-tls-check-cbc-cipher . high)) (cbc-cipher high))
"This variable specifies what TLS connection checks to perform. "This variable specifies what TLS connection checks to perform.
It's an alist where the key is the name of the check, and the It's an alist where the key is the name of the check, and the
value is the minimum security level the check should begin. value is the minimum security level the check should begin.
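Review bot: the docstring is now out of step with the data shape it describes. Every entry changed from a dotted pair @code{(version . medium)} to a two-element list @code{(version medium)}, and the dispatcher reads the level with @code{cadr}, so "an alist where the key is the name of the check, and the value is the minimum security level" is no longer accurate; say instead that it is a list of @code{(CHECK LEVEL)} entries, where CHECK names the function @code{nsm-protocol-check--CHECK} and LEVEL is the lowest @code{network-security-level} at which the check runs. If the defcustom carries a @code{:type} specification after the docstring (outside this hunk), it needs the same change from cons pairs to lists, or Customize will reject the new default.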
...@@ -252,9 +252,10 @@ otherwise." ...@@ -252,9 +252,10 @@ otherwise."
(defun nsm-check-tls-connection (process host port status settings) (defun nsm-check-tls-connection (process host port status settings)
"Check TLS connection against potential security problems. "Check TLS connection against potential security problems.
This function runs each test defined in `nsm-tls-checks' in the This function runs each test defined in
order specified against the TLS connection's peer status STATUS `network-security-protocol-checks' in the order specified against
for the host HOST and port PORT. the TLS connection's peer status STATUS for the host HOST and
port PORT.
If one or more problems are found, this function will collect all If one or more problems are found, this function will collect all
the error messages returned by the check functions, and confirm the error messages returned by the check functions, and confirm
...@@ -268,23 +269,23 @@ terminating the connection. ...@@ -268,23 +269,23 @@ terminating the connection.
This function returns the process PROCESS if no problems are This function returns the process PROCESS if no problems are
found, and nil otherwise. found, and nil otherwise.
See also: `nsm-tls-checks' and `nsm-noninteractive'" See also: `network-security-protocol-checks' and `nsm-noninteractive'"
(when (nsm-should-check host) (when (nsm-should-check host)
(let* ((results (let* ((results
(cl-loop (cl-loop
for check in nsm-tls-checks for check in network-security-protocol-checks
for type = (intern (format ":%s" for type = (intern (format ":%s" (car check)) obarray)
(string-remove-prefix
"nsm-tls-check-"
(symbol-name (car check))))
obarray)
;; Skip the check if the user has already said that this ;; Skip the check if the user has already said that this
;; host is OK for this type of "error". ;; host is OK for this type of "error".
for result = (and (not (memq type for result = (and (not (memq type
(plist-get settings :conditions))) (plist-get settings :conditions)))
(>= (nsm-level network-security-level) (>= (nsm-level network-security-level)
(nsm-level (cdr check))) (nsm-level (cadr check)))
(funcall (car check) host port status settings)) (funcall
(intern (format "nsm-protocol-check--%s"
(car check))
obarray)
host port status settings))
when result when result
collect (cons type result))) collect (cons type result)))
(problems (nconc (plist-get status :warnings) (map-keys results)))) (problems (nconc (plist-get status :warnings) (map-keys results))))
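Review bot: the new dispatch has no guard against unknown check names. @code{intern} always creates the symbol, so a misspelt or stale entry in a user's @code{network-security-protocol-checks} (the manual's own @code{(rc4 medium)} example is one) reaches @code{funcall} and fails with a bare @code{void-function} error from inside the @code{cl-loop}, which aborts the whole connection check rather than the one entry. Look the function up with @code{intern-soft} and test @code{fboundp} before calling it, and either skip the entry or signal an error that names it, so the user can see which customization is wrong. The explicit @code{obarray} argument to both @code{intern} calls is the default and can be dropped. Note also that @code{(nsm-level (cadr check))} will signal @code{wrong-type-argument} on an old dotted-pair entry such as @code{(version . medium)}; that is acceptable since the interim @code{nsm-tls-checks} format was never released, but it is worth a line in the docstring.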
...@@ -325,21 +326,18 @@ See also: `nsm-tls-checks' and `nsm-noninteractive'" ...@@ -325,21 +326,18 @@ See also: `nsm-tls-checks' and `nsm-noninteractive'"
(declare-function gnutls-peer-status-warning-describe "gnutls.c" (declare-function gnutls-peer-status-warning-describe "gnutls.c"
(status-symbol)) (status-symbol))
(defun nsm-tls-check-verify-cert (host port status settings) (defun nsm-protocol-check--verify-cert (host port status settings)
"Check for warnings from the certificate verification status. "Check for warnings from the certificate verification status.
This is the most basic security check for a TLS connection. If This is the most basic security check for a TLS connection. If
certificate verification fails, it means the server's identity certificate verification fails, it means the server's identity
cannot be verified by the credentials received. cannot be verified by the credentials received."
Think very carefully before removing this check from
`nsm-tls-checks'."
(let ((warnings (plist-get status :warnings))) (let ((warnings (plist-get status :warnings)))
(and warnings (and warnings
(not (nsm-warnings-ok-p status settings)) (not (nsm-warnings-ok-p status settings))
(mapconcat #'gnutls-peer-status-warning-describe warnings "\n")))) (mapconcat #'gnutls-peer-status-warning-describe warnings "\n"))))
(defun nsm-tls-check-same-cert (host port status settings) (defun nsm-protocol-check--same-cert (host port status settings)
"Check for certificate fingerprint mismatch. "Check for certificate fingerprint mismatch.
If the fingerprints saved do not match the fingerprint of the If the fingerprints saved do not match the fingerprint of the
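Review bot: the deleted sentence "Think very carefully before removing this check from `nsm-tls-checks'" only needed its variable reference updated, not removal. It is the one place that tells a user this check is what establishes the server's identity, and without it the docstring gives no hint that dropping @code{verify-cert} from the list silently disables certificate verification. Keep the sentence, pointing at @code{network-security-protocol-checks}.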
...@@ -351,7 +349,7 @@ man-in-the-middle attack." ...@@ -351,7 +349,7 @@ man-in-the-middle attack."
;; Key exchange checks ;; Key exchange checks
(defun nsm-tls-check-rsa-kx (host port status &optional settings) (defun nsm-protocol-check--rsa-kx (host port status &optional settings)
"Check for static RSA key exchange. "Check for static RSA key exchange.
Static RSA key exchange methods do not offer perfect forward Static RSA key exchange methods do not offer perfect forward
...@@ -381,7 +379,7 @@ Security (DTLS)\", \"(4.1. General Guidelines)\" ...@@ -381,7 +379,7 @@ Security (DTLS)\", \"(4.1. General Guidelines)\"
"RSA key exchange method (%s) does not offer perfect forward secrecy" "RSA key exchange method (%s) does not offer perfect forward secrecy"
kx)))) kx))))
(defun nsm-tls-check-dhe-prime-kx (host port status &optional settings) (defun nsm-protocol-check--dhe-prime-kx (host port status &optional settings)
"Check for the key strength of DH key exchange based on integer factorization. "Check for the key strength of DH key exchange based on integer factorization.
This check is a response to Logjam[1]. Logjam is an attack that This check is a response to Logjam[1]. Logjam is an attack that
...@@ -397,7 +395,7 @@ exchange in June 2018[2]. To provide a balance between ...@@ -397,7 +395,7 @@ exchange in June 2018[2]. To provide a balance between
compatibility and security, this function only checks for a compatibility and security, this function only checks for a
minimum key strength of 1024-bit. minimum key strength of 1024-bit.
See also: `nsm-tls-check-dhe-kx' See also: `nsm-protocol-check--dhe-kx'
Reference: Reference:
...@@ -412,7 +410,7 @@ Diffie-Hellman Fails in Practice\", `https://weakdh.org/' ...@@ -412,7 +410,7 @@ Diffie-Hellman Fails in Practice\", `https://weakdh.org/'
"Diffie-Hellman key strength (%s bits) too weak (%s bits)" "Diffie-Hellman key strength (%s bits) too weak (%s bits)"
prime-bits 1024)))) prime-bits 1024))))
(defun nsm-tls-check-dhe-kx (host port status &optional settings) (defun nsm-protocol-check--dhe-kx (host port status &optional settings)
"Check for existence of DH key exchange based on integer factorization. "Check for existence of DH key exchange based on integer factorization.
In the years since the discovery of Logjam, it was discovered In the years since the discovery of Logjam, it was discovered
...@@ -436,7 +434,7 @@ Diffie-Hellman Backdoors in TLS.\", ...@@ -436,7 +434,7 @@ Diffie-Hellman Backdoors in TLS.\",
"unable to verify Diffie-Hellman key exchange method (%s) parameters" "unable to verify Diffie-Hellman key exchange method (%s) parameters"
kx)))) kx))))
(defun nsm-tls-check-export-kx (host port status &optional settings) (defun nsm-protocol-check--export-kx (host port status &optional settings)
"Check for RSA-EXPORT key exchange. "Check for RSA-EXPORT key exchange.
EXPORT cipher suites are a family of 40-bit and 56-bit effective EXPORT cipher suites are a family of 40-bit and 56-bit effective
...@@ -461,7 +459,7 @@ of user-visible changes.\" Version 3.4.0, ...@@ -461,7 +459,7 @@ of user-visible changes.\" Version 3.4.0,
"EXPORT level key exchange (%s) is insecure" "EXPORT level key exchange (%s) is insecure"
kx))))) kx)))))
(defun nsm-tls-check-anon-kx (host port status &optional settings) (defun nsm-protocol-check--anon-kx (host port status &optional settings)
"Check for anonymous key exchange. "Check for anonymous key exchange.
Anonymous key exchange exposes the connection to Anonymous key exchange exposes the connection to
...@@ -480,7 +478,7 @@ authentication\", ...@@ -480,7 +478,7 @@ authentication\",
;; Cipher checks ;; Cipher checks
(defun nsm-tls-check-cbc-cipher (host port status &optional settings) (defun nsm-protocol-check--cbc-cipher (host port status &optional settings)
"Check for CBC mode ciphers. "Check for CBC mode ciphers.
CBC mode cipher in TLS versions earlier than 1.3 are problematic CBC mode cipher in TLS versions earlier than 1.3 are problematic
...@@ -509,7 +507,7 @@ Security (TLS) and Datagram Transport Layer Security (DTLS)\", ...@@ -509,7 +507,7 @@ Security (TLS) and Datagram Transport Layer Security (DTLS)\",
"CBC mode cipher (%s) can be insecure" "CBC mode cipher (%s) can be insecure"
cipher))))) cipher)))))
(defun nsm-tls-check-ecdsa-cbc-cipher (host port status &optional settings) (defun nsm-protocol-check--ecdsa-cbc-cipher (host port status &optional settings)
"Check for CBC mode cipher usage under ECDSA key exchange. "Check for CBC mode cipher usage under ECDSA key exchange.
CBC mode cipher in TLS versions earlier than 1.3 are problematic CBC mode cipher in TLS versions earlier than 1.3 are problematic
...@@ -547,7 +545,7 @@ Security (TLS) and Datagram Transport Layer Security (DTLS)\", ...@@ -547,7 +545,7 @@ Security (TLS) and Datagram Transport Layer Security (DTLS)\",
"CBC mode cipher (%s) can be insecure" "CBC mode cipher (%s) can be insecure"
cipher))))) cipher)))))
(defun nsm-tls-check-3des-cipher (host port status &optional settings) (defun nsm-protocol-check--3des-cipher (host port status &optional settings)
"Check for 3DES ciphers. "Check for 3DES ciphers.
Due to its use of 64-bit block size, it is known that a Due to its use of 64-bit block size, it is known that a
...@@ -568,7 +566,7 @@ Current Use and Deprecation of TDEA\", ...@@ -568,7 +566,7 @@ Current Use and Deprecation of TDEA\",
"3DES cipher (%s) is weak" "3DES cipher (%s) is weak"
cipher)))) cipher))))
(defun nsm-tls-check-rc4-cipher (host port status &optional settings) (defun nsm-protocol-check--rc4-cipher (host port status &optional settings)
"Check for RC4 ciphers. "Check for RC4 ciphers.
RC4 cipher has been prohibited by RFC 7465[1]. RC4 cipher has been prohibited by RFC 7465[1].
...@@ -592,7 +590,7 @@ Reference: ...@@ -592,7 +590,7 @@ Reference:
;; Signature checks ;; Signature checks
(defun nsm-tls-check-sha1-sig (host port status &optional settings) (defun nsm-protocol-check--sha1-sig (host port status &optional settings)
"Check for SHA1 signatures on certificates. "Check for SHA1 signatures on certificates.
The first SHA1 collision was found in 2017[1], as a precaution The first SHA1 collision was found in 2017[1], as a precaution
...@@ -627,7 +625,7 @@ SHA-1 for SSL/TLS Certificates in Microsoft Edge and Internet Explorer ...@@ -627,7 +625,7 @@ SHA-1 for SSL/TLS Certificates in Microsoft Edge and Internet Explorer
algo) algo)
end)) end))
(defun nsm-tls-check-md5-sig (host port status &optional settings) (defun nsm-protocol-check--md5-sig (host port status &optional settings)
"Check for MD5 signatures on certificates. "Check for MD5 signatures on certificates.
In 2008, a group of researchers were able to forge an In 2008, a group of researchers were able to forge an
...@@ -660,7 +658,7 @@ the MD5 Message-Digest and the HMAC-MD5 Algorithms\", ...@@ -660,7 +658,7 @@ the MD5 Message-Digest and the HMAC-MD5 Algorithms\",
;; Extension checks ;; Extension checks
(defun nsm-tls-check-renegotiation-info-ext (host port status (defun nsm-protocol-check--renegotiation-info-ext (host port status
&optional settings) &optional settings)
"Check for renegotiation_info TLS extension status. "Check for renegotiation_info TLS extension status.
...@@ -681,7 +679,7 @@ Layer Security (TLS) Renegotiation Indication Extension\", ...@@ -681,7 +679,7 @@ Layer Security (TLS) Renegotiation Indication Extension\",
;; Compression checks ;; Compression checks
(defun nsm-tls-check-compression (host port status &optional settings) (defun nsm-protocol-check--compression (host port status &optional settings)
"Check for TLS compression. "Check for TLS compression.
TLS compression attacks such as CRIME would allow an attacker to TLS compression attacks such as CRIME would allow an attacker to
...@@ -701,7 +699,7 @@ Security (DTLS)\", `https://tools.ietf.org/html/rfc7525'" ...@@ -701,7 +699,7 @@ Security (DTLS)\", `https://tools.ietf.org/html/rfc7525'"
;; Protocol version checks ;; Protocol version checks
(defun nsm-tls-check-version (host port status &optional settings) (defun nsm-protocol-check--version (host port status &optional settings)
"Check for SSL/TLS protocol version. "Check for SSL/TLS protocol version.
This function guards against the usage of SSL3.0, which has been This function guards against the usage of SSL3.0, which has been
...@@ -726,7 +724,7 @@ Early TLS\" ...@@ -726,7 +724,7 @@ Early TLS\"
;; Full suite checks ;; Full suite checks
(defun nsm-tls-check-null-suite (host port status &optional settings) (defun nsm-protocol-check--null-suite (host port status &optional settings)
"Check for NULL cipher suites. "Check for NULL cipher suites.
This function checks for NULL key exchange, cipher and message This function checks for NULL key exchange, cipher and message