1. 23 Aug, 2019 5 commits
    • Tweak gnutls-peer-status reporting · 80376945
      Paul Eggert authored
      * src/gnutls.c (Fgnutls_peer_status): Report :compression and
      :encrypt-then-mac only if the underlying GnuTLS library has
      the corresponding features.  This gives the Elisp caller a bit
      more information about the peer status.
      * lisp/net/nsm.el (nsm-protocol-check--compression):
      Don’t worry about compression in newer GnuTLS versions
      that do not support compression.
    • Rename renamed nsm.el variables and functions back · b4065de3
      Lars Ingebrigtsen authored
      * doc/emacs/misc.texi (Network Security): Start working on
      updating the NSM bits, but it's unclear how much of the new stuff
      to document.
      
      * lisp/net/nsm.el: Rename all nsm-tls-check-* functions to
      nsm-protocol-check--* to bring them back into line with the
      documentation.
      (network-security-protocol-checks): Renamed back again from
      `nsm-tls-checks', as this variable is documented and can't just go
      away.
    • Move all NSM tests away from the `low' level · 7b0d4985
      Lars Ingebrigtsen authored
      * lisp/net/nsm.el (network-security-level, nsm-tls-checks): Make
      `low' a "check nothing" setting again, and move all the `low'
      checks back to `medium'.  This makes the test suite work again.
    • Fix too-long lines in nsm.el · 228ca5aa
      Lars Ingebrigtsen authored
      * lisp/net/nsm.el: Fix some too-long lines and some terminology in
      the doc strings/comments.
    • Tweak the warning display to be less like a TLS decoding page · 29d485fb
      Lars Ingebrigtsen authored
      * lisp/net/nsm.el (nsm-parse-subject, nsm-certificate-part):
      Restore functions for parsing subjects.
      (nsm-format-certificate): Use them to display more user-friendly
      data.  Also change the display to have fewer lines again so that
      the data of interest isn't pushed off the screen.
  2. 07 Aug, 2019 1 commit
    • Change nsm-should-check to look at local subnets · bc1cf28d
      Robert Pluim authored
      * lisp/net/nsm.el (nsm-network-same-subnet): New function.  Checks
      if an ip address is in the same subnet as another one.
      (nsm-should-check): Use nsm-network-same-subnet to see if we're
      connecting to a local subnet machine.  Remove checks for RFC1918 addresses.
      
      * test/lisp/net/nsm-tests.el: New file.  Test nsm-should-check functionality.
  3. 15 Jul, 2019 1 commit
  4. 01 Jan, 2019 1 commit
  5. 17 Sep, 2018 1 commit
    • Add choice to reshow certificate information (Bug#31877) · 3bbf21b9
      Allen Li authored
      In various situations, the window displaying the certificate
      information can be hidden (such as if the user accidentally presses ?,
      which causes the read-multiple-choice help window to replace it).
      Instead of leaving the user to make a choice blindly, add a choice to
      reshow the certification information.
      
      * lisp/net/nsm.el (nsm-query-user): Add reshow choice.
  6. 10 Sep, 2018 1 commit
  7. 14 Jul, 2018 4 commits
    • Show full issuer and subject distinguished names · fab6139b
      Jimmy Yuen Ho Wong authored
      CAs like Let's Encrypt do not put O and OU into the Subject's DN.
      Similarly, O and OU are often used to indicate Domain Validated or
      Organization Validation as opposed to the actual OU.
      
      Issuer CN often contains the issuer's server or as an indication of
      Extended Validation certificate as opposed to the actual issuer
      organization.
      
      The Hostname part as extracted from the Subject is also confusing, as
      in the case of a hostname mismatch, the Subject's CN, which
      `nsm-format-certificate' naively calls the Hostname, will not actually
      match the hostname in the problem preamble.
      
      * lisp/net/nsm.el (nsm-format-certificate): Show full DN of Issuer and
        Subject.  Remove Hostname.
        (nsm-certificate-part, nsm-parse-subject): Removed.
    • Full certificate chain details for NSM · 87484dc2
      Jimmy Yuen Ho Wong authored
      * lisp/net/nsm.el (nsm-check-tls-connection): Fix issue with plural
        problems in message.  Prefix every problem with a bullet.
        (nsm-query-user): Add new view the full certificate chain by
        pressing d.
        (nsm-format-certificate): Improve basic certificate and session info
        formatting.
      
      * src/gnutls.c (emacs_gnutls_certificate_export_pem): New function.
        (gnutls_certificate_details): Rename to
        emacs_gnutls_certificate_details.  Add :pem to result list.
        (Fgnutls_format_certificate):  New function for formatting a PEM to
        human-readable text.
    • Add option to bypass NSM TLS checks on local networks · 682578fc
      Jimmy Yuen Ho Wong authored
      * lisp/net/net-utils.el (nslookup-host-ipv4, nslookup-host-ipv6,
        ipv6-expand): New functions to lookup IPv4 and IPv6 addresses from
        DNS.
      
      * lisp/net/nsm.el (nsm-trust-local-network, nsm-should-check,
        nsm-check-tls-connection, nsm-check-plain-connection): New defcustom
        `nsm-trust-local-network' lets users customize whether NSM should
        check for TLS problems when connecting to the hosts on their local
        networks.  `nsm-should-check' determines whether
        `nsm-check-tls-connection' and `nsm-check-plain-connection' should
        perform checks.  localhost is implicitly trusted, thus checks are
        never performed there.
    • Revamp Network Security manager checks for TLS · 534a3d5d
      Jimmy Yuen Ho Wong authored
      * lisp/net/nsm.el (network-security-level, nsm-level,
        nsm-new-fingerprint-ok-p): Remove `paranoid' level and related code.
      
      * lisp/net/nsm.el (nsm-tls-checks, nsm-tls-check-version,
          nsm-tls-check-compression, nsm-tls-check-renegotiation-info-ext,
          nsm-tls-check-verify-cert, nsm-tls-check-same-cert,
          nsm-tls-check-null-suite, nsm-tls-check-export-kx,
          nsm-tls-check-anon-kx, nsm-tls-check-md5-sig,
          nsm-tls-check-rc4-cipher, nsm-tls-check-dhe-prime-kx,
          nsm-tls-check-sha1-sig, nsm-tls-check-ecdsa-cbc-cipher,
          nsm-tls-check-dhe-kx, nsm-tls-check-rsa-kx,
          nsm-tls-check-3des-cipher, nsm-tls-check-cbc-cipher,
          nsm-save-fingerprint-maybe, nsm-tls-post-check-functions): New
          options and functions for checking TLS handshake problems.
      
      * lisp/net/nsm.el (nsm-check-certificate,
        network-security-protocol-checks,
        nsm-protocol-check--diffie-hellman-prime-bits,
        nsm-protocol-check--3des, nsm-protocol-check--rc4,
        nsm-protocol-check--signature-sha1,
        nsm-protocol-check--intermediate-sha1, nsm-protocol-check--ssl,
        nsm-check-protocol): Remove in favor of `nsm-tls-checks' and
        `nsm-tls-check-*' functions.
      
      * lisp/net/nsm.el (nsm-verify-connection): Ensure connection is
        checked even when `network-security-level' is `low'.
      
      * lisp/net/nsm.el (nsm-check-tls-connection): Batch all problems found
        before querying the user.
      
      * lisp/net/nsm.el (nsm--encryption): Renamed to `nsm-cipher-suite'.
      
      * lisp/net/nsm.el (nsm-fingerprint-ok-p): No longer prompt when
        certificate fingerprints mismatch.  Returns a boolean instead when
        the fingerprint of the certificate received matches the saved
        fingerprints.
      
      * lisp/net/nsm.el (nsm-query): Change signature.  Accepts a list of
        problems and a preformatted message instead of just a message format
        and the arguments for the message.
      
      * lisp/net/nsm.el (nsm-query-user): Change signature.  Accepts a
        preformatted message and the peer status of the handshake instead of
        a message format, its arguments and the certificate for the host.
      
      * lisp/net/nsm.el (nsm-save-host): Change signature.  Accepts a list of
        problems after the WHAT parameter.  Saves multiple fingerprints for
        the same host in case the host load balances a TLS server with more
        than one certificate signed with different keys.  Makes sure
        conditions are not removed when updating a fingerprint.
      
      * lisp/net/nsm.el (nsm-format-certificate): Display the TLS handshake's
        renegotiation info extension, compression level, encrypt-then-MAC
        extension, and key exchange prime bit length.
      
      * src/gnutls.c (gnutls-peer-status-warning-describe,
        gnutls-peer-status): Check for certificate verification problems
        introduced since GnuTLS 3.1.
      
      * src/gnutls.c (gnutls-peer-status): `:compression', `:encrypt-then-mac'
        and `:safe-renegotiation' are now contained in the peer status
        result return value.
  8. 08 Jul, 2018 1 commit
  9. 25 Jun, 2018 2 commits
  10. 24 Jun, 2018 3 commits
    • Make more TLS checks trigger on the default `medium' level · 5a285a4d
      Lars Ingebrigtsen authored
      * doc/emacs/misc.texi (Network Security): Update the doc to say
      what's on the different levels.
      
      * lisp/net/nsm.el (nsm-protocol-check--intermediary-sha1): Check
      intermediary certificates for SHA1.
      (nsm-protocol-check--3des): Check for 3DES ciphers.
      (network-security-protocol-checks): Put most of the checks on
      `medium'.
    • Fix reverse test in previous check-in · eaa054a9
      Lars Ingebrigtsen authored
      * lisp/net/nsm.el (nsm-check-protocol): Fix reverse test in
      previous check-in.
    • Refactor the protocol NSM checks for flexibility · 6584bc67
      Lars Ingebrigtsen authored
      * doc/emacs/misc.texi (Network Security): Mention
      network-security-protocol-checks.
      
      * lisp/net/nsm.el (network-security-protocol-checks): New variable.
      (nsm-check-protocol): Refactor the checks into separate functions
      for greater flexibility.
      (nsm-protocol-check--diffie-hellman-prime-bits)
      (nsm-protocol-check--rc4, nsm-protocol-check--ssl)
      (nsm-protocol-check--signature-sha1): Refactored out of the big
      function.
  11. 01 Jan, 2018 1 commit
  12. 06 Oct, 2017 1 commit
  13. 13 Sep, 2017 1 commit
    • Prefer HTTPS to FTP and HTTP in documentation · bc511a64
      Paul Eggert authored
      Most of this change is to boilerplate commentary such as license URLs.
      This change was prompted by ftp://ftp.gnu.org's going-away party,
      planned for November.  Change these FTP URLs to https://ftp.gnu.org
      instead.  Make similar changes for URLs to other organizations moving
      away from FTP.  Also, change HTTP to HTTPS for URLs to gnu.org and
      fsf.org when this works, as this will further help defend against
      man-in-the-middle attacks (for this part I omitted the MS-DOS and
      MS-Windows sources and the test tarballs to keep the workload down).
      HTTPS is not fully working to lists.gnu.org so I left those URLs alone
      for now.
  14. 18 Apr, 2017 1 commit
    • Avoid unnecessary loading of subr-x at run-time · 0f834339
      Glenn Morris authored
      * lisp/doc-view.el, lisp/filenotify.el, lisp/info-look.el:
      * lisp/svg.el, lisp/emacs-lisp/byte-opt.el, lisp/net/shr.el:
      * lisp/textmodes/sgml-mode.el, test/lisp/dom-tests.el:
      No need to load subr-x at run-time.
      * lisp/gnus/nnheader.el: No need to load subr-x.
      ; * lisp/emacs-lisp/subr-x.el, lisp/gnus/message.el, lisp/net/nsm.el:
      ; Comments.
  15. 01 Jan, 2017 1 commit
  16. 22 Jul, 2016 1 commit
    • Move read-multiple-choice to subr-x.el · ad90397c
      Lars Ingebrigtsen authored
      * lisp/faces.el (read-multiple-choice-face): Fix doc string.
      
      * lisp/emacs-lisp/subr-x.el (read-multiple-choice): Move here
      from subr.el.
      
      * lisp/gnus/message.el (subr-x): Ditto.
      
      * lisp/net/nsm.el: Require subr-x for read-multiple-choice.
      
      read-multiple-choice doesn't need to be in the dumped Emacs, so move
      it to a less central file.
  17. 06 Feb, 2016 1 commit
  18. 05 Feb, 2016 3 commits
  19. 25 Jan, 2016 1 commit
  20. 03 Jan, 2016 2 commits
  21. 01 Jan, 2016 1 commit
  22. 24 Aug, 2015 1 commit
    • More-conservative ‘format’ quote restyling · fbb5531f
      Paul Eggert authored
      Instead of restyling curved quotes for every call to ‘format’,
      create a new function ‘format-message’ that does the restyling,
      and using the new function instead of ‘format’ only in contexts
      where this seems appropriate.
      Problem reported by Dmitry Gutov and Andreas Schwab in:
      http://lists.gnu.org/archive/html/emacs-devel/2015-08/msg00826.html
      http://lists.gnu.org/archive/html/emacs-devel/2015-08/msg00827.html
      * doc/lispref/commands.texi (Using Interactive):
      * doc/lispref/control.texi (Signaling Errors, Signaling Errors):
      * doc/lispref/display.texi (Displaying Messages, Progress):
      * doc/lispref/elisp.texi:
      * doc/lispref/help.texi (Keys in Documentation):
      * doc/lispref/minibuf.texi (Minibuffer Misc):
      * doc/lispref/strings.texi (Formatting Strings):
      * etc/NEWS:
      Document the changes.
      * lisp/abbrev.el (expand-region-abbrevs):
      * lisp/apropos.el (apropos-library):
      * lisp/calc/calc-ext.el (calc-record-message)
      (calc-user-function-list):
      * lisp/calc/calc-help.el (calc-describe-key, calc-full-help):
      * lisp/calc/calc-lang.el (math-read-big-balance):
      * lisp/calc/calc-store.el (calc-edit-variable):
      * lisp/calc/calc-units.el (math-build-units-table-buffer):
      * lisp/calc/calc-yank.el (calc-edit-mode):
      * lisp/calendar/icalendar.el (icalendar-export-region)
      (icalendar--add-diary-entry):
      * lisp/cedet/mode-local.el (mode-local-print-binding)
      (mode-local-describe-bindings-2):
      * lisp/cedet/semantic/complete.el (semantic-completion-message):
      * lisp/cedet/semantic/edit.el (semantic-parse-changes-failed):
      * lisp/cedet/semantic/wisent/comp.el (wisent-log):
      * lisp/cedet/srecode/insert.el (srecode-insert-show-error-report):
      * lisp/descr-text.el (describe-text-properties-1, describe-char):
      * lisp/dframe.el (dframe-message):
      * lisp/dired-aux.el (dired-query):
      * lisp/emacs-lisp/byte-opt.el (byte-compile-log-lap-1):
      * lisp/emacs-lisp/bytecomp.el (byte-compile-log)
      (byte-compile-log-file, byte-compile-warn, byte-compile-form):
      * lisp/emacs-lisp/cconv.el (cconv-convert, cconv--analyze-use)
      (cconv-analyze-form):
      * lisp/emacs-lisp/check-declare.el (check-declare-warn):
      * lisp/emacs-lisp/checkdoc.el (checkdoc-this-string-valid-engine):
      * lisp/emacs-lisp/cl-macs.el (cl-symbol-macrolet):
      * lisp/emacs-lisp/edebug.el (edebug-format):
      * lisp/emacs-lisp/eieio-core.el (eieio-oref):
      * lisp/emacs-lisp/eldoc.el (eldoc-minibuffer-message)
      (eldoc-message):
      * lisp/emacs-lisp/elint.el (elint-file, elint-log):
      * lisp/emacs-lisp/find-func.el (find-function-library):
      * lisp/emacs-lisp/macroexp.el (macroexp--obsolete-warning):
      * lisp/emacs-lisp/map-ynp.el (map-y-or-n-p):
      * lisp/emacs-lisp/nadvice.el (advice--make-docstring):
      * lisp/emacs-lisp/package.el (package-compute-transaction)
      (package-install-button-action, package-delete-button-action)
      (package-menu--list-to-prompt):
      * lisp/emacs-lisp/timer.el (timer-event-handler):
      * lisp/emacs-lisp/warnings.el (lwarn, warn):
      * lisp/emulation/viper-cmd.el:
      (viper-toggle-parse-sexp-ignore-comments)
      (viper-kill-buffer, viper-brac-function):
      * lisp/emulation/viper-macs.el (viper-record-kbd-macro):
      * lisp/facemenu.el (facemenu-add-new-face):
      * lisp/faces.el (face-documentation, read-face-name)
      (face-read-string, read-face-font, describe-face):
      * lisp/files.el (find-alternate-file, hack-local-variables)
      (hack-one-local-variable--obsolete, write-file)
      (basic-save-buffer, delete-directory):
      * lisp/format.el (format-write-file, format-find-file)
      (format-insert-file):
      * lisp/help-fns.el (help-fns--key-bindings)
      (help-fns--compiler-macro, help-fns--obsolete)
      (help-fns--interactive-only, describe-function-1)
      (describe-variable):
      * lisp/help.el (describe-mode):
      * lisp/info-xref.el (info-xref-output):
      * lisp/info.el (Info-virtual-index-find-node)
      (Info-virtual-index, info-apropos):
      * lisp/international/kkc.el (kkc-error):
      * lisp/international/mule-cmds.el:
      (select-safe-coding-system-interactively)
      (select-safe-coding-system, describe-input-method):
      * lisp/international/mule-conf.el (code-offset):
      * lisp/international/mule-diag.el (describe-character-set)
      (list-input-methods-1):
      * lisp/international/quail.el (quail-error):
      * lisp/minibuffer.el (minibuffer-message):
      * lisp/mpc.el (mpc--debug):
      * lisp/msb.el (msb--choose-menu):
      * lisp/net/ange-ftp.el (ange-ftp-message):
      * lisp/net/gnutls.el (gnutls-message-maybe):
      * lisp/net/newst-backend.el (newsticker--sentinel-work):
      * lisp/net/newst-treeview.el (newsticker--treeview-load):
      * lisp/net/nsm.el (nsm-query-user):
      * lisp/net/rlogin.el (rlogin):
      * lisp/net/soap-client.el (soap-warning):
      * lisp/net/tramp.el (tramp-debug-message):
      * lisp/nxml/nxml-outln.el (nxml-report-outline-error):
      * lisp/nxml/nxml-parse.el (nxml-parse-error):
      * lisp/nxml/rng-cmpct.el (rng-c-error):
      * lisp/nxml/rng-match.el (rng-compile-error):
      * lisp/nxml/rng-uri.el (rng-uri-error):
      * lisp/obsolete/iswitchb.el (iswitchb-possible-new-buffer):
      * lisp/org/org-ctags.el:
      (org-ctags-ask-rebuild-tags-file-then-find-tag):
      * lisp/proced.el (proced-log):
      * lisp/progmodes/ebnf2ps.el (ebnf-log):
      * lisp/progmodes/flymake.el (flymake-log):
      * lisp/progmodes/vhdl-mode.el (vhdl-warning-when-idle):
      * lisp/replace.el (occur-1):
      * lisp/simple.el (execute-extended-command)
      (undo-outer-limit-truncate, define-alternatives):
      * lisp/startup.el (command-line):
      * lisp/subr.el (error, user-error, add-to-list):
      * lisp/tutorial.el (tutorial--describe-nonstandard-key)
      (tutorial--find-changed-keys):
      * src/callint.c (Fcall_interactively):
      * src/editfns.c (Fmessage, Fmessage_box):
      Restyle the quotes of format strings intended for use as a
      diagnostic, when restyling seems appropriate.
      * lisp/subr.el (format-message): New function.
      * src/doc.c (Finternal__text_restyle): New function.
      (syms_of_doc): Define it.
  23. 09 May, 2015 1 commit
    • Quieten compilation, eg in --without-x builds. · 5b0af214
      Glenn Morris authored
      * lisp/dired-aux.el (lpr-printer-switch):
      * lisp/frame.el (tool-bar-height):
      * lisp/linum.el (font-info):
      * lisp/window.el (font-info, overflow-newline-into-fringe)
      (tool-bar-height):
      * lisp/emacs-lisp/package-x.el (tar-data-buffer):
      * lisp/gnus/gnus-util.el (iswitchb-mode):
      * lisp/mail/rmailmm.el (libxml-parse-html-region):
      * lisp/net/nsm.el (gnutls-peer-status)
      (gnutls-peer-status-warning-describe):
      * lisp/net/shr.el (libxml-parse-xml-region):
      * lisp/url/url-http.el (gnutls-peer-status): Declare.
  24. 12 Apr, 2015 1 commit
  25. 01 Jan, 2015 1 commit
  26. 21 Dec, 2014 1 commit
  27. 08 Dec, 2014 1 commit