emacs-devel

Re: The netsec thread


From: Robert Pluim
Subject: Re: The netsec thread
Date: Mon, 29 Jul 2019 16:02:11 +0200

>>>>> On Mon, 29 Jul 2019 13:14:44 +0200, Lars Ingebrigtsen <address@hidden> 
>>>>> said:

    Lars> Robert Pluim <address@hidden> writes:
    >> I had some issues with nsm-trust-local-network as a concept and also
    >> the IP addresses it checked. And 0.0.0.0/8 is now a valid range (on
    >> very recent Linux kernels anyway), so that test needs adjusting.

    Lars> Oh, yeah, I had forgotten about that bit.  Yes, I wasn't convinced about
    Lars> that bit, either.

    >> Did I send a patch for that? I donʼt remember, and Monday morning
    >> laziness is strong today.

    Lars> Let's see...  You didn't push it to the netsec branch, at least.  If you
    Lars> manage to find the patch, please do.

I found the bottom half of the implementation, and just wrote the top
half.  Iʼm wondering if 'network-lookup-address-info' should just
return 5/9 element vectors like 'network-interface-info' (for
IPv4/IPv6), so that remembering to chop the port off the end becomes
unnecessary.

Tested only on macOS so far. It covers the localhost case because
'network-interface-list' returns the loopback interface, which is true
on my GNU/Linux box as well. If thereʼs a platform where thatʼs not
true we'll have to adjust the test.

Robert

2019-07-29  Robert Pluim  <address@hidden>

        * lisp/net/nsm.el (nsm-network-same-subnet): New function.  Checks
        if an ip address is in the same subnet as another one.
        (nsm-should-check): Use nsm-network-same-subnet to see if we're
        connecting to a local subnet machine.  Remove checks for RFC1918 addresses.


diff --git i/lisp/net/nsm.el w/lisp/net/nsm.el
index b59ea07d8a..3adc1b1dc5 100644
--- i/lisp/net/nsm.el
+++ w/lisp/net/nsm.el
@@ -204,54 +204,52 @@ nsm-tls-post-check-functions
 RESULTS is an alist where the keys are the checks run and the
 values the results of the checks.")
 
+(defun nsm-network-same-subnet (local-ip mask ip)
+  "Returns t if IP is in the same subnet as LOCAL-IP/MASK.
+LOCAL-IP, MASK, and IP are specified as vectors of integers, and
+are expected to have the same length.  Works for both IPv4 and
+IPv6 addresses."
+  (let ((matches t)
+        (length (length local-ip)))
+    (unless (memq length '(4 5 8 9))
+      (error "Unexpected length of IP address %S" local-ip))
+    (dotimes (i length)
+      (setq matches (and matches
+                         (=
+                          (logand (aref local-ip i)
+                                  (aref mask i))
+                          (logand (aref ip i)
+                                  (aref mask i))))))
+    matches))
+
+
 (defun nsm-should-check (host)
   "Determines whether NSM should check for TLS problems for HOST.
 
 If `nsm-trust-local-network' is or returns non-nil, and if the
-host address is a localhost address, a machine address, a direct
-link or a private network address, this function returns
-nil.  Non-nil otherwise."
-  (let* ((address (or (nslookup-host-ipv4 host nil 'vector)
-                      (nslookup-host-ipv6 host nil 'vector)))
-         (ipv4? (eq (length address) 4)))
-    (not
-     (or (if ipv4?
-             (or
-              ;; (0.x.x.x) this machine
-              (eq (aref address 0) 0)
-              ;; (127.x.x.x) localhost
-              (eq (aref address 0) 0))
-           (or
-            ;; (::) IPv6 this machine
-            (not (cl-mismatch address [0 0 0 0 0 0 0 0]))
-            ;; (::1) IPv6 localhost
-            (not (cl-mismatch address [0 0 0 0 0 0 0 1]))))
-         (and (or (and (functionp nsm-trust-local-network)
-                       (funcall nsm-trust-local-network))
-                  nsm-trust-local-network)
-              (if ipv4?
-                  (or
-                   ;; (10.x.x.x) private
-                   (eq (aref address 0) 10)
-                   ;; (172.16.x.x) private
-                   (and (eq (aref address 0) 172)
-                        (eq (aref address 0) 16))
-                   ;; (192.168.x.x) private
-                   (and (eq (aref address 0) 192)
-                        (eq (aref address 0) 168))
-                   ;; (198.18.x.x) private
-                   (and (eq (aref address 0) 198)
-                        (eq (aref address 0) 18))
-                   ;; (169.254.x.x) link-local
-                   (and (eq (aref address 0) 169)
-                        (eq (aref address 0) 254)))
-                (memq (aref address 0)
-                      '(
-                        64512  ;; (fc00::) IPv6 unique local address
-                        64768  ;; (fd00::) IPv6 unique local address
-                        65152  ;; (fe80::) IPv6 link-local
-                        )
-                      )))))))
+host address is a localhost address, or in the same subnet as one
+of the local interfaces, this function returns nil.  Non-nil
+otherwise."
+  (let ((addresses (network-lookup-address-info host))
+        (network-interface-list (network-interface-list))
+        (off-net t))
+    (when
+     (or (and (functionp nsm-trust-local-network)
+              (funcall nsm-trust-local-network))
+         nsm-trust-local-network)
+     (mapc
+      (lambda (address)
+        (mapc
+         (lambda (iface)
+           (let ((info (network-interface-info (car iface))))
+             (when
+                 (nsm-network-same-subnet (substring (car info) 0 -1)
+                                          (substring (car (cddr info)) 0 -1)
+                                          address)
+               (setq off-net nil))))
+         network-interface-list))
+      addresses))
+     off-net))
 
 (defun nsm-check-tls-connection (process host port status settings)
   "Check TLS connection against potential security problems.
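Review bot: In the new `nsm-should-check`, the length precondition that the `nsm-network-same-subnet` docstring states ("are expected to have the same length") is never enforced, and the call site can violate it in two ways: the interface address and netmask are trimmed with `(substring (car info) 0 -1)` and `(substring (car (cddr info)) 0 -1)`, but each ADDRESS from `network-lookup-address-info` is passed untrimmed (so it still carries the trailing port element mentioned earlier in this message), and the lookup may return an IPv6 address for HOST while the interface entry is IPv4 (or vice versa). Because `dotimes` iterates only over `(length local-ip)`, a longer LOCAL-IP signals an args-out-of-range error from `(aref ip i)`, while a shorter LOCAL-IP silently masks and compares only the first few elements of an unrelated address, which can report "same subnet" for a remote host, set `off-net` to nil, and skip the TLS checks entirely. Suggest trimming the port from ADDRESS the same way as the interface values and having `nsm-network-same-subnet` return nil (not proceed) when `(length ip)` differs from `length`; once both sides are trimmed, the `(memq length '(4 5 8 9))` check can be tightened to `'(4 8)`. Also guard the `info` result: `network-interface-info` can return nil for an interface, and `(substring (car info) 0 -1)` would then signal an error instead of skipping that interface.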



