authorLars Magne Ingebrigtsen2014-12-08 20:41:05 +0100
committerLars Magne Ingebrigtsen2014-12-08 20:41:05 +0100
commitb7768d785f1fb8a93619b926ddb56d59ef8b81a0 (patch)
tree4d41c8830b1bdbcbbc8c9e3433feeca05fa4f376
parent7c6750264774350e6182aef39793554d4342d439 (diff)
downloademacs-b7768d785f1fb8a93619b926ddb56d59ef8b81a0.tar.gz
emacs-b7768d785f1fb8a93619b926ddb56d59ef8b81a0.zip
(nsm-check-protocol): Check for weak Diffie-Hellman prime bits.
Fixes: debbugs:19153
-rw-r--r--lisp/ChangeLog2
-rw-r--r--lisp/net/nsm.el40
2 files changed, 39 insertions, 3 deletions
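--- a/lisp/ChangeLog
+++ b/lisp/ChangeLog
@@ -3,6 +3,8 @@
 * net/nsm.el (network-security-level): Remove the detailed
 description, which was already outdated, and refer the users to
 the manual.
+(nsm-check-protocol): Check for weak Diffie-Hellman prime bits
+(bug#19153).
 
 2014-12-06 Andrey Kotlarski <m00naticus@gmail.com>
 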
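--- a/lisp/net/nsm.el
+++ b/lisp/net/nsm.el
@@ -115,6 +115,14 @@ unencrypted."
 process))))))
 
 (defun nsm-check-tls-connection (process host port status settings)
+(let ((process (nsm-check-certificate process host port status settings)))
+(if (and process
+(>= (nsm-level network-security-level) (nsm-level 'high)))
+;; Do further protocol-level checks if the security is high.
+(nsm-check-protocol process host port status settings)
+process)))
+
+(defun nsm-check-certificate (process host port status settings)
 (let ((warnings (plist-get status :warnings)))
 (cond
 
@@ -168,6 +176,23 @@ unencrypted."
 nil)
 process))))))
 
+(defun nsm-check-protocol (process host port status settings)
+(let ((prime-bits (plist-get status :diffie-hellman-prime-bits)))
+(cond
+((and prime-bits
+(< prime-bits 1024)
+(not (memq :diffie-hellman-prime-bits
+(plist-get settings :conditions)))
+(not
+(nsm-query
+host port status :diffie-hellman-prime-bits
+"The Diffie-Hellman prime bits (%s) used for this connection to\n%s:%s\nis less than what is considerer safe (%s)."
+prime-bits host port 1024)))
+(delete-process process)
+nil)
+(t
+process))))
+
 (defun nsm-fingerprint (status)
 (plist-get (plist-get status :certificate) :public-key-id))
 
@@ -284,14 +309,23 @@ unencrypted."
 (nconc saved (list :host (format "%s:%s" host port))))
 ;; We either want to save/update the fingerprint or the conditions
 ;; of the certificate/unencrypted connection.
-(when (eq what 'conditions)
+(cond
+((eq what 'conditions)
 (nconc saved (list :host (format "%s:%s" host port)))
 (cond
 ((not status)
-(nconc saved `(:conditions (:unencrypted))))
+(nconc saved '(:conditions (:unencrypted))))
 ((plist-get status :warnings)
 (nconc saved
-`(:conditions ,(plist-get status :warnings))))))
+(list :conditions (plist-get status :warnings))))))
+((not (eq what 'fingerprint))
+;; Store additional protocol settings.
+(let ((settings (nsm-host-settings id)))
+(when settings
+(setq saved settings))
+(if (plist-get saved :conditions)
+(nconc (plist-get saved :conditions) (list what))
+(nconc saved (list :conditions (list what)))))))
 (if (eq permanency 'always)
 (progn
 (nsm-remove-temporary-setting id)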
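Review bot: The message passed to nsm-query in the new nsm-check-protocol (second hunk) has a typo, `considerer`; it should read `"...is less than what is considered safe (%s)."`. The 1024-bit threshold is also written twice, once in the `(< prime-bits 1024)` test and again as the last format argument, so the comparison and the message can silently diverge; binding it once, e.g. `(min-bits 1024)` next to `prime-bits` in the `let` and then using `(< prime-bits min-bits)` and `prime-bits host port min-bits`, keeps them in step and makes the threshold easy to raise later. Finally, the first hunk only calls nsm-check-protocol when network-security-level is at least `high`, so connections at lower levels are never examined for weak primes; a one-line docstring on nsm-check-protocol stating that it is only reached at `high` and above would keep readers from assuming the check is unconditional.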