1. 23 Aug, 2019 1 commit
    • Tweak the warning display to be less like a TLS decoding page · 29d485fb
      Lars Ingebrigtsen authored
      * lisp/net/nsm.el (nsm-parse-subject, nsm-certificate-part):
      Restore functions for parsing subjects.
      (nsm-format-certificate): Use them to display more user-friendly
      data.  Also change the display to have fewer lines again so that
      the data of interest isn't pushed off the screen.
  2. 07 Aug, 2019 2 commits
  3. 17 Jul, 2018 4 commits
    • Don't check unibyte hostnames for pure-ASCII · 742c2344
      Robert Pluim authored
      * src/process.c (network_lookup_address_info_1): Only check multibyte
      hostnames for pure-ASCII.
      
      * test/src/process-tests.el (unibyte-domain-name): Test unibyte domain
      names with network-lookup-address-info.
    • Add network-lookup-address-info description · 93638b06
      Robert Pluim authored
      * doc/lispref/processes.texi (Misc Network): Document
        network-lookup-address-info.
    • Add tests for network-lookup-address-info · f8d9d00b
      Robert Pluim authored
      * test/src/process-tests.el (lookup-family-specification): Test
      network-lookup-address-info api.
      (lookup-unicode-domains): Test that unicode domains fail.
      (lookup-google): Test that normal lookups succeed.
      (non-existent-lookup-failure): Check that known non-existent
      domains fail.
    • Refactor getaddrinfo usage · adff0d5f
      Robert Pluim authored
      * src/process.c:
      (network_lookup_address_info_1): New function, does most of the
      work to call getaddrinfo.  Now checks hostname for pure-ASCII.
      (Fmake_network_process): Use it.
      (Fnetwork_lookup_address_info): Likewise.  Error check family
      argument.
  4. 16 Jul, 2018 1 commit
    • Implement hostname->ip lookup function · e89c06e8
      Robert Pluim authored
      * src/process.c (conv_sockaddr_to_lisp): Add include_port
      argument.  Don't put a port in the result if this is false.
      (conv_addrinfo_to_lisp, Fprocess_datagram_address)
      (connect_network_socket, network_interface_list)
      (network_interface_info, server_accept_connection)
      (init_process_emacs): Update callers.
      (Fnetwork_lookup_address_info): New function.  Performs hostname to
      ip address lookups.
      
      * src/w32.c (network_interface_get_info): Update callers of
        conv_sockaddr_to_lisp
      
      * etc/NEWS: Mention addition of 'network-lookup-address-info'
  5. 14 Jul, 2018 9 commits
    • Show full issuer and subject distinguished names · fab6139b
      Jimmy Yuen Ho Wong authored
      CAs like Let's Encrypt do not put O and OU into the Subject's DN.
      Similarly, O and OU are often used to indicate Domain Validated or
      Organization Validation as opposed to the actual OU.
      
      Issuer CN often contains the issuer's server or as an indication of
      Extended Validation certificate as opposed to the actual issuer
      organization.
      
      The Hostname part as extracted from the Subject is also confusing, as
      in the case of a hostname mismatch, the Subject's CN, which
      `nsm-format-certificate' naively calls the Hostname, will not actually
      match the hostname in the problem preamble.
      
      * lisp/net/nsm.el (nsm-format-certificate): Show full DN of Issuer and
        Subject.  Remove Hostname.
        (nsm-certificate-part, nsm-parse-subject): Removed.
    • Full certificate chain details for NSM · 87484dc2
      Jimmy Yuen Ho Wong authored
      * lisp/net/nsm.el (nsm-check-tls-connection): Fix issue with plural
        problems in message.  Prefix every problem with a bullet.
        (nsm-query-user): Add new view the full certificate chain by
        pressing d.
        (nsm-format-certificate): Improve basic certificate and session info
        formatting.
      
      * src/gnutls.c (emacs_gnutls_certificate_export_pem): New function.
        (gnutls_certificate_details): Rename to
        emacs_gnutls_certificate_details.  Add :pem to result list.
        (Fgnutls_format_certificate):  New function for formatting a PEM to
        human-readable text.
    • Add option to bypass NSM TLS checks on local networks · 682578fc
      Jimmy Yuen Ho Wong authored
      * lisp/net/net-utils.el (nslookup-host-ipv4, nslookup-host-ipv6,
        ipv6-expand): New functions to lookup IPv4 and IPv6 addresses from
        DNS.
      
      * lisp/net/nsm.el (nsm-trust-local-network, nsm-should-check,
        nsm-check-tls-connection, nsm-check-plain-connection): New defcustom
        `nsm-trust-local-network' lets users customize whether NSM should
        check for TLS problems when connecting to the hosts on their local
        networks.  `nsm-should-check' determines whether
        `nsm-check-tls-connection' and `nsm-check-plain-connection' should
        perform checks.  localhost is implicitly trusted, thus checks are
        never performed there.
    • Revamp Network Security manager checks for TLS · 534a3d5d
      Jimmy Yuen Ho Wong authored
      * lisp/net/nsm.el (network-security-level, nsm-level,
        nsm-new-fingerprint-ok-p): Remove `paranoid' level and related code.
      
      * lisp/net/nsm.el (nsm-tls-checks, nsm-tls-check-version,
          nsm-tls-check-compression, nsm-tls-check-renegotiation-info-ext,
          nsm-tls-check-verify-cert, nsm-tls-check-same-cert,
          nsm-tls-check-null-suite, nsm-tls-check-export-kx,
          nsm-tls-check-anon-kx, nsm-tls-check-md5-sig,
          nsm-tls-check-rc4-cipher, nsm-tls-check-dhe-prime-kx,
          nsm-tls-check-sha1-sig, nsm-tls-check-ecdsa-cbc-cipher,
          nsm-tls-check-dhe-kx, nsm-tls-check-rsa-kx,
          nsm-tls-check-3des-cipher, nsm-tls-check-cbc-cipher,
          nsm-save-fingerprint-maybe, nsm-tls-post-check-functions): New
          options and functions for checking TLS handshake problems.
      
      * lisp/net/nsm.el (nsm-check-certificate,
        network-security-protocol-checks,
        nsm-protocol-check--diffie-hellman-prime-bits,
        nsm-protocol-check--3des, nsm-protocol-check--rc4,
        nsm-protocol-check--signature-sha1,
        nsm-protocol-check--intermediate-sha1, nsm-protocol-check--ssl,
        nsm-check-protocol): Remove in favor of `nsm-tls-checks' and
        `nsm-tls-check-*' functions.
      
      * lisp/net/nsm.el (nsm-verify-connection): Ensure connection is
        checked even when `network-security-level' is `low'.
      
      * lisp/net/nsm.el (nsm-check-tls-connection): Batch all problems found
        before querying the user.
      
      * lisp/net/nsm.el (nsm--encryption): Renamed to `nsm-cipher-suite'.
      
      * lisp/net/nsm.el (nsm-fingerprint-ok-p): No longer prompt when
        certificate fingerprints mismatch.  Returns a boolean instead when
        the fingerprint of the certificate received matches the saved
        fingerprints.
      
      * lisp/net/nsm.el (nsm-query): Change signature.  Accepts a list of
        problems and a preformatted message instead of just a message format
        and the arguments for the message.
      
      * lisp/net/nsm.el (nsm-query-user): Change signature.  Accepts a
        preformatted message and the peer status of the handshake instead of
        a message format, its arguments and the certificate for the host.
      
      * lisp/net/nsm.el (nsm-save-host): Change signature.  Accepts a list of
        problems after the WHAT parameter.  Saves multiple fingerprints for
        the same host in case the host load balances a TLS server with more
        than one certificate signed with different keys.  Makes sure
        conditions are not removed when updating a fingerprint.
      
      * lisp/net/nsm.el (nsm-format-certificate): Display the TLS handshake's
        renegotiation info extension, compression level, encrypt-then-MAC
        extension, and key exchange prime bit length.
      
      * src/gnutls.c (gnutls-peer-status-warning-describe,
        gnutls-peer-status): Check for certificate verification problems
        introduced since GnuTLS 3.1.
      
      * src/gnutls.c (gnutls-peer-status): `:compression', `:encrypt-then-mac'
        and `:safe-renegotiation' are now contained in the peer status
        result return value.
    • Set standard value of `gnutls-min-prime-bits' to nil · 023f4c60
      Jimmy Yuen Ho Wong authored
      * lisp/net/gnutls.el (gnutls-min-prime-bits): Set standard value to
        nil in order to let GnuTLS manage the minimum DH prime bits
        accepted.
    • Check TLS certs against CRL · a9f09f72
      Jimmy Yuen Ho Wong authored
      * lisp/net/gnutls.el (gnutls-boot-parameters): Return
        `gnutls-crlfiles' in `:crlfiles'.
        (gnutls-crlfiles): New defcustom.
        (gnutls--get-files): New defun.
        (gnutls-trustfiles, gnutls-crlfiles): Delegate to
        `gnutls--get-files' to return a list of filenames, accepts glob pattern.
    • Add to documentation of 'jump-to-register' · 155d7303
      Charles A. Roelli authored
      * lisp/register.el (jump-to-register):
      * doc/emacs/regs.texi (Position Registers): Document that
      jumping to a register can push the mark.
    • Noam Postavsky's avatar
      5936f6cd
    • Avoid infloop in redisplay due to faulty mode-line properties · 9f25231f
      Jonathan Kyle Mitchell authored
      * xdisp.c (safe_set_text_properties): New function.
      (display_mode_element): Call Fset_text_properties through
      internal_condition_case_n, using safe_set_text_properties as a
      wrapper.  (Bug#32038)
  6. 13 Jul, 2018 16 commits
  7. 12 Jul, 2018 5 commits
  8. 11 Jul, 2018 2 commits
    • ; Add commentary on location of zerop · 84e59869
      Basil L. Contovounesios authored
      * lisp/subr.el (zerop): Add commentary explaining why moving the
      function's location within the file broke bootstrap in
      2018-07-10T23:08:58-07:00!contovob@tcd.ie.
    • Unbreak bootstrap · 78125f37
      Glenn Morris authored
      * lisp/subr.el (zerop): Revert previous change, which caused
      bootstrap to fail with void function cadr.