diff options
| author | Robert Pluim | 2019-08-07 14:07:07 +0200 |
|---|---|---|
| committer | Robert Pluim | 2019-08-07 14:07:07 +0200 |
| commit | bc1cf28da5532c6052eade7b5d19bb59e7e1f7bf (patch) | |
| tree | fbfebc7b64482a7836d46662645836dfecf02b07 /lisp | |
| parent | 76662cc47d0dd1482442914d0b1f5011f0c86c5e (diff) | |
| download | emacs-bc1cf28da5532c6052eade7b5d19bb59e7e1f7bf.tar.gz emacs-bc1cf28da5532c6052eade7b5d19bb59e7e1f7bf.zip | |
Change nsm-should-check to look at local subnets
* lisp/net/nsm.el (nsm-network-same-subnet): New function. Checks
if an ip address is in the same subnet as another one.
(nsm-should-check): Use nsm-network-same-subnet to see if we're
connecting to a local subnet machine. Remove checks for RFC1918 addresses.
* test/lisp/net/nsm-tests.el: New file. Test nsm-should-check functionality.
Diffstat (limited to 'lisp')
| -rw-r--r-- | lisp/net/nsm.el | 85 |
1 files changed, 41 insertions, 44 deletions
diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el index b59ea07d8a1..b0eff811617 100644 --- a/lisp/net/nsm.el +++ b/lisp/net/nsm.el | |||
| @@ -204,54 +204,51 @@ SETTINGS are the same as those supplied to each check function. | |||
| 204 | RESULTS is an alist where the keys are the checks run and the | 204 | RESULTS is an alist where the keys are the checks run and the |
| 205 | values the results of the checks.") | 205 | values the results of the checks.") |
| 206 | 206 | ||
| 207 | (defun nsm-network-same-subnet (local-ip mask ip) | ||
| 208 | "Returns t if IP is in the same subnet as LOCAL-IP/MASK. | ||
| 209 | LOCAL-IP, MASK, and IP are specified as vectors of integers, and | ||
| 210 | are expected to have the same length. Works for both IPv4 and | ||
| 211 | IPv6 addresses." | ||
| 212 | (let ((matches t) | ||
| 213 | (length (length local-ip))) | ||
| 214 | (unless (memq length '(4 5 8 9)) | ||
| 215 | (error "Unexpected length of IP address %S" local-ip)) | ||
| 216 | (dotimes (i length) | ||
| 217 | (setq matches (and matches | ||
| 218 | (= | ||
| 219 | (logand (aref local-ip i) | ||
| 220 | (aref mask i)) | ||
| 221 | (logand (aref ip i) | ||
| 222 | (aref mask i)))))) | ||
| 223 | matches)) | ||
| 224 | |||
| 207 | (defun nsm-should-check (host) | 225 | (defun nsm-should-check (host) |
| 208 | "Determines whether NSM should check for TLS problems for HOST. | 226 | "Determines whether NSM should check for TLS problems for HOST. |
| 209 | 227 | ||
| 210 | If `nsm-trust-local-network' is or returns non-nil, and if the | 228 | If `nsm-trust-local-network' is or returns non-nil, and if the |
| 211 | host address is a localhost address, a machine address, a direct | 229 | host address is a localhost address, or in the same subnet as one |
| 212 | link or a private network address, this function returns | 230 | of the local interfaces, this function returns nil. Non-nil |
| 213 | nil. Non-nil otherwise." | 231 | otherwise." |
| 214 | (let* ((address (or (nslookup-host-ipv4 host nil 'vector) | 232 | (let ((addresses (network-lookup-address-info host)) |
| 215 | (nslookup-host-ipv6 host nil 'vector))) | 233 | (network-interface-list (network-interface-list)) |
| 216 | (ipv4? (eq (length address) 4))) | 234 | (off-net t)) |
| 217 | (not | 235 | (when |
| 218 | (or (if ipv4? | 236 | (or (and (functionp nsm-trust-local-network) |
| 219 | (or | 237 | (funcall nsm-trust-local-network)) |
| 220 | ;; (0.x.x.x) this machine | 238 | nsm-trust-local-network) |
| 221 | (eq (aref address 0) 0) | 239 | (mapc |
| 222 | ;; (127.x.x.x) localhost | 240 | (lambda (address) |
| 223 | (eq (aref address 0) 0)) | 241 | (mapc |
| 224 | (or | 242 | (lambda (iface) |
| 225 | ;; (::) IPv6 this machine | 243 | (let ((info (network-interface-info (car iface)))) |
| 226 | (not (cl-mismatch address [0 0 0 0 0 0 0 0])) | 244 | (when |
| 227 | ;; (::1) IPv6 localhost | 245 | (nsm-network-same-subnet (substring (car info) 0 -1) |
| 228 | (not (cl-mismatch address [0 0 0 0 0 0 0 1])))) | 246 | (substring (car (cddr info)) 0 -1) |
| 229 | (and (or (and (functionp nsm-trust-local-network) | 247 | address) |
| 230 | (funcall nsm-trust-local-network)) | 248 | (setq off-net nil)))) |
| 231 | nsm-trust-local-network) | 249 | network-interface-list)) |
| 232 | (if ipv4? | 250 | addresses)) |
| 233 | (or | 251 | off-net)) |
| 234 | ;; (10.x.x.x) private | ||
| 235 | (eq (aref address 0) 10) | ||
| 236 | ;; (172.16.x.x) private | ||
| 237 | (and (eq (aref address 0) 172) | ||
| 238 | (eq (aref address 0) 16)) | ||
| 239 | ;; (192.168.x.x) private | ||
| 240 | (and (eq (aref address 0) 192) | ||
| 241 | (eq (aref address 0) 168)) | ||
| 242 | ;; (198.18.x.x) private | ||
| 243 | (and (eq (aref address 0) 198) | ||
| 244 | (eq (aref address 0) 18)) | ||
| 245 | ;; (169.254.x.x) link-local | ||
| 246 | (and (eq (aref address 0) 169) | ||
| 247 | (eq (aref address 0) 254))) | ||
| 248 | (memq (aref address 0) | ||
| 249 | '( | ||
| 250 | 64512 ;; (fc00::) IPv6 unique local address | ||
| 251 | 64768 ;; (fd00::) IPv6 unique local address | ||
| 252 | 65152 ;; (fe80::) IPv6 link-local | ||
| 253 | ) | ||
| 254 | ))))))) | ||
| 255 | 252 | ||
| 256 | (defun nsm-check-tls-connection (process host port status settings) | 253 | (defun nsm-check-tls-connection (process host port status settings) |
| 257 | "Check TLS connection against potential security problems. | 254 | "Check TLS connection against potential security problems. |