1 files changed, 37 insertions, 32 deletions
diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el
index da1fbf930a1..7ebd0c48727 100644
--- a/lisp/net/nsm.el
+++ b/lisp/net/nsm.el
@@ -46,10 +46,11 @@ connection should be handled.
 The following values are possible:
-`low': Check for problems known before Edward Snowden.
+`low': Only the most basic checks are performed -- very insecure.
 `medium': Default.  Suitable for most circumstances.
 `high': Warns about additional issues not enabled in `medium' due to
 compatibility concerns.
+`paranoid': On this level, the user is queried for most new connections.
 See the Emacs manual for a description of all things that are
 checked and warned against."
@@ -57,11 +58,8 @@ checked and warned against."
  :group 'nsm
  :type '(choice (const :tag "Low" low)
                 (const :tag "Medium" medium)
-                 (const :tag "High" high)))
+                 (const :tag "High" high)
+                 (const :tag "Paranoid" paranoid)))
-;; Backward compatibility
-(when (eq network-security-level 'paranoid)
-  (setq network-security-level 'high))
 (defcustom nsm-trust-local-network nil
  "Disable warnings when visiting trusted hosts on local networks.
@@ -141,7 +139,7 @@ unencrypted."
        process)))))
 (defcustom nsm-tls-checks
-  '(;; Pre-Snowden Known Weaknesses
+  '(;; Old Known Weaknesses.
    (nsm-tls-check-version                . low)
    (nsm-tls-check-compression            . low)
    (nsm-tls-check-renegotiation-info-ext . low)
@@ -152,7 +150,7 @@ unencrypted."
    (nsm-tls-check-anon-kx                . low)
    (nsm-tls-check-md5-sig                . low)
    (nsm-tls-check-rc4-cipher             . low)
-    ;; Post-Snowden Apocalypse
+    ;; Weaknesses made known after 2013.
    (nsm-tls-check-dhe-prime-kx           . medium)
    (nsm-tls-check-sha1-sig               . medium)
    (nsm-tls-check-ecdsa-cbc-cipher       . medium)
@@ -273,23 +271,32 @@ found, and nil otherwise.
 See also: `nsm-tls-checks' and `nsm-noninteractive'"
  (when (nsm-should-check host)
    (let* ((results
-            (cl-loop for check in nsm-tls-checks
+            (cl-loop
-                     for type = (intern (format ":%s"
+             for check in nsm-tls-checks
-                                                (string-remove-prefix
+             for type = (intern (format ":%s"
-                                                 "nsm-tls-check-"
+                                        (string-remove-prefix
-                                                 (symbol-name (car check))))
+                                         "nsm-tls-check-"
-                                        obarray)
+                                         (symbol-name (car check))))
-                     ;; Skip the check if the user has already said that this
+                                obarray)
-                     ;; host is OK for this type of "error".
+             ;; Skip the check if the user has already said that this
-                     for result = (and (not (memq type (plist-get settings :conditions)))
+             ;; host is OK for this type of "error".
-                                       (>= (nsm-level network-security-level)
+             for result = (and (not (memq type
-                                           (nsm-level (cdr check)))
+                                          (plist-get settings :conditions)))
-                                       (funcall (car check) host port status settings))
+                               (>= (nsm-level network-security-level)
-                     when result
+                                   (nsm-level (cdr check)))
-                     collect (cons type result)))
+                               (funcall (car check) host port status settings))
+             when result
+             collect (cons type result)))
           (problems (nconc (plist-get status :warnings) (map-keys results))))
+      ;; We haven't seen this before, and we're paranoid.
+      (when (and (eq network-security-level 'paranoid)
+                 (not (nsm-fingerprint-ok-p status settings)))
+        (push '(:not-seen . "Certificate not seen before") results))
      (when (and results
-                 (not (seq-set-equal-p (plist-get settings :conditions) problems))
+                 (not (seq-set-equal-p (plist-get settings :conditions)
+                                       problems))
                 (not (nsm-query host port status
                                 'conditions
                                 problems
@@ -653,7 +660,8 @@ the MD5 Message-Digest and the HMAC-MD5 Algorithms\",
 ;; Extension checks
-(defun nsm-tls-check-renegotiation-info-ext (host port status &optional settings)
+(defun nsm-tls-check-renegotiation-info-ext (host port status
+                                                  &optional settings)
  "Check for renegotiation_info TLS extension status.
 If this TLS extension is not used, the connection established is
@@ -739,18 +747,15 @@ protocol."
 (defun nsm-fingerprint-ok-p (status settings)
  (let ((saved-fingerprints (plist-get settings :fingerprints)))
-    ;; Haven't seen this host before or not pinning cert
+    ;; Haven't seen this host before or not pinning cert.
    (or (null saved-fingerprints)
-        ;; Plain connection allowed
+        ;; Plain connection allowed.
        (memq :none saved-fingerprints)
-        ;; We are pinning certs, and we have seen this host
+        ;; We are pinning certs, and we have seen this host before,
-        ;; before, but the credientials for this host differs
+        ;; but the credientials for this host differs from the last
-        ;; from the last times we saw it
+        ;; times we saw it.
        (member (nsm-fingerprint status) saved-fingerprints))))
-(set-advertised-calling-convention
- 'nsm-fingerprint-ok-p '(status settings) "27.1")
 (defun nsm-check-plain-connection (process host port settings warn-unencrypted)
  (if (nsm-should-check host)
      ;; If this connection used to be TLS, but is now plain, then it's

diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el index da1fbf930a1..7ebd0c48727 100644 --- a/lisp/net/nsm.el +++ b/lisp/net/nsm.el
@@ -46,10 +46,11 @@ connection should be handled.
46		46
47	The following values are possible:	47	The following values are possible:
48		48
49	`low': Check for problems known before Edward Snowden.	49	`low': Only the most basic checks are performed -- very insecure.
50	`medium': Default. Suitable for most circumstances.	50	`medium': Default. Suitable for most circumstances.
51	`high': Warns about additional issues not enabled in `medium' due to	51	`high': Warns about additional issues not enabled in `medium' due to
52	compatibility concerns.	52	compatibility concerns.
		53	`paranoid': On this level, the user is queried for most new connections.
53		54
54	See the Emacs manual for a description of all things that are	55	See the Emacs manual for a description of all things that are
55	checked and warned against."	56	checked and warned against."
@@ -57,11 +58,8 @@ checked and warned against."
57	:group 'nsm	58	:group 'nsm
58	:type '(choice (const :tag "Low" low)	59	:type '(choice (const :tag "Low" low)
59	(const :tag "Medium" medium)	60	(const :tag "Medium" medium)
60	(const :tag "High" high)))	61	(const :tag "High" high)
61		62	(const :tag "Paranoid" paranoid)))
62	;; Backward compatibility
63	(when (eq network-security-level 'paranoid)
64	(setq network-security-level 'high))
65		63
66	(defcustom nsm-trust-local-network nil	64	(defcustom nsm-trust-local-network nil
67	"Disable warnings when visiting trusted hosts on local networks.	65	"Disable warnings when visiting trusted hosts on local networks.
@@ -141,7 +139,7 @@ unencrypted."
141	process)))))	139	process)))))
142		140
143	(defcustom nsm-tls-checks	141	(defcustom nsm-tls-checks
144	'(;; Pre-Snowden Known Weaknesses	142	'(;; Old Known Weaknesses.
145	(nsm-tls-check-version . low)	143	(nsm-tls-check-version . low)
146	(nsm-tls-check-compression . low)	144	(nsm-tls-check-compression . low)
147	(nsm-tls-check-renegotiation-info-ext . low)	145	(nsm-tls-check-renegotiation-info-ext . low)
@@ -152,7 +150,7 @@ unencrypted."
152	(nsm-tls-check-anon-kx . low)	150	(nsm-tls-check-anon-kx . low)
153	(nsm-tls-check-md5-sig . low)	151	(nsm-tls-check-md5-sig . low)
154	(nsm-tls-check-rc4-cipher . low)	152	(nsm-tls-check-rc4-cipher . low)
155	;; Post-Snowden Apocalypse	153	;; Weaknesses made known after 2013.
156	(nsm-tls-check-dhe-prime-kx . medium)	154	(nsm-tls-check-dhe-prime-kx . medium)
157	(nsm-tls-check-sha1-sig . medium)	155	(nsm-tls-check-sha1-sig . medium)
158	(nsm-tls-check-ecdsa-cbc-cipher . medium)	156	(nsm-tls-check-ecdsa-cbc-cipher . medium)
@@ -273,23 +271,32 @@ found, and nil otherwise.
273	See also: `nsm-tls-checks' and `nsm-noninteractive'"	271	See also: `nsm-tls-checks' and `nsm-noninteractive'"
274	(when (nsm-should-check host)	272	(when (nsm-should-check host)
275	(let* ((results	273	(let* ((results
276	(cl-loop for check in nsm-tls-checks	274	(cl-loop
277	for type = (intern (format ":%s"	275	for check in nsm-tls-checks
278	(string-remove-prefix	276	for type = (intern (format ":%s"
279	"nsm-tls-check-"	277	(string-remove-prefix
280	(symbol-name (car check))))	278	"nsm-tls-check-"
281	obarray)	279	(symbol-name (car check))))
282	;; Skip the check if the user has already said that this	280	obarray)
283	;; host is OK for this type of "error".	281	;; Skip the check if the user has already said that this
284	for result = (and (not (memq type (plist-get settings :conditions)))	282	;; host is OK for this type of "error".
285	(>= (nsm-level network-security-level)	283	for result = (and (not (memq type
286	(nsm-level (cdr check)))	284	(plist-get settings :conditions)))
287	(funcall (car check) host port status settings))	285	(>= (nsm-level network-security-level)
288	when result	286	(nsm-level (cdr check)))
289	collect (cons type result)))	287	(funcall (car check) host port status settings))
		288	when result
		289	collect (cons type result)))
290	(problems (nconc (plist-get status :warnings) (map-keys results))))	290	(problems (nconc (plist-get status :warnings) (map-keys results))))
		291
		292	;; We haven't seen this before, and we're paranoid.
		293	(when (and (eq network-security-level 'paranoid)
		294	(not (nsm-fingerprint-ok-p status settings)))
		295	(push '(:not-seen . "Certificate not seen before") results))
		296
291	(when (and results	297	(when (and results
292	(not (seq-set-equal-p (plist-get settings :conditions) problems))	298	(not (seq-set-equal-p (plist-get settings :conditions)
		299	problems))
293	(not (nsm-query host port status	300	(not (nsm-query host port status
294	'conditions	301	'conditions
295	problems	302	problems
@@ -653,7 +660,8 @@ the MD5 Message-Digest and the HMAC-MD5 Algorithms\",
653		660
654	;; Extension checks	661	;; Extension checks
655		662
656	(defun nsm-tls-check-renegotiation-info-ext (host port status &optional settings)	663	(defun nsm-tls-check-renegotiation-info-ext (host port status
		664	&optional settings)
657	"Check for renegotiation_info TLS extension status.	665	"Check for renegotiation_info TLS extension status.
658		666
659	If this TLS extension is not used, the connection established is	667	If this TLS extension is not used, the connection established is
@@ -739,18 +747,15 @@ protocol."
739		747
740	(defun nsm-fingerprint-ok-p (status settings)	748	(defun nsm-fingerprint-ok-p (status settings)
741	(let ((saved-fingerprints (plist-get settings :fingerprints)))	749	(let ((saved-fingerprints (plist-get settings :fingerprints)))
742	;; Haven't seen this host before or not pinning cert	750	;; Haven't seen this host before or not pinning cert.
743	(or (null saved-fingerprints)	751	(or (null saved-fingerprints)
744	;; Plain connection allowed	752	;; Plain connection allowed.
745	(memq :none saved-fingerprints)	753	(memq :none saved-fingerprints)
746	;; We are pinning certs, and we have seen this host	754	;; We are pinning certs, and we have seen this host before,
747	;; before, but the credientials for this host differs	755	;; but the credientials for this host differs from the last
748	;; from the last times we saw it	756	;; times we saw it.
749	(member (nsm-fingerprint status) saved-fingerprints))))	757	(member (nsm-fingerprint status) saved-fingerprints))))
750		758
751	(set-advertised-calling-convention
752	'nsm-fingerprint-ok-p '(status settings) "27.1")
753
754	(defun nsm-check-plain-connection (process host port settings warn-unencrypted)	759	(defun nsm-check-plain-connection (process host port settings warn-unencrypted)
755	(if (nsm-should-check host)	760	(if (nsm-should-check host)
756	;; If this connection used to be TLS, but is now plain, then it's	761	;; If this connection used to be TLS, but is now plain, then it's