[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: The netsec thread
From: |
Robert Pluim |
Subject: |
Re: The netsec thread |
Date: |
Mon, 29 Jul 2019 16:02:11 +0200 |
>>>>> On Mon, 29 Jul 2019 13:14:44 +0200, Lars Ingebrigtsen <address@hidden>
>>>>> said:
Lars> Robert Pluim <address@hidden> writes:
>> I had some issues with nsm-trust-local-network as a concept and also
>> the IP addresses it checked. And 0.0.0.0/8 is now a valid range (on
>> very recent Linux kernels anyway), so that test needs adjusting.
Lars> Oh, yeah, I had forgotten about that bit. Yes, I wasn't convinced
about
Lars> that bit, either.
>> Did I send a patch for that? I donʼt remember, and Monday morning
>> laziness is strong today.
Lars> Let's see... You didn't push it to the netsec branch, at least. If
you
Lars> manage to find the patch, please do.
I found the bottom half of the implementation, and just wrote the top
half. Iʼm wondering if 'network-lookup-address-info' should just
return 5/9 element vectors like 'network-interface-info' (for
IPv4/IPv6), so that remembering to chop the port off the end becomes
unnecessary.
Tested only on macOS so far. It covers the localhost case because
'network-interface-list' returns the loopback interface, which is true
on my GNU/Linux box as well. If thereʼs a platform where thatʼs not
true we'll have to adjust the test.
Robert
2019-07-29 Robert Pluim <address@hidden>
* lisp/net/nsm.el (nsm-network-same-subnet): New function. Checks
if an ip address is in the same subnet as another one.
(nsm-should-check): Use nsm-network-same-subnet to see if we're
connecting to a local subnet machine. Remove checks for RFC1918
addresses.
diff --git i/lisp/net/nsm.el w/lisp/net/nsm.el
index b59ea07d8a..3adc1b1dc5 100644
--- i/lisp/net/nsm.el
+++ w/lisp/net/nsm.el
@@ -204,54 +204,52 @@ nsm-tls-post-check-functions
RESULTS is an alist where the keys are the checks run and the
values the results of the checks.")
+(defun nsm-network-same-subnet (local-ip mask ip)
+ "Returns t if IP is in the same subnet as LOCAL-IP/MASK.
+LOCAL-IP, MASK, and IP are specified as vectors of integers, and
+are expected to have the same length. Works for both IPv4 and
+IPv6 addresses."
+ (let ((matches t)
+ (length (length local-ip)))
+ (unless (memq length '(4 5 8 9))
+ (error "Unexpected length of IP address %S" local-ip))
+ (dotimes (i length)
+ (setq matches (and matches
+ (=
+ (logand (aref local-ip i)
+ (aref mask i))
+ (logand (aref ip i)
+ (aref mask i))))))
+ matches))
+
+
(defun nsm-should-check (host)
"Determines whether NSM should check for TLS problems for HOST.
If `nsm-trust-local-network' is or returns non-nil, and if the
-host address is a localhost address, a machine address, a direct
-link or a private network address, this function returns
-nil. Non-nil otherwise."
- (let* ((address (or (nslookup-host-ipv4 host nil 'vector)
- (nslookup-host-ipv6 host nil 'vector)))
- (ipv4? (eq (length address) 4)))
- (not
- (or (if ipv4?
- (or
- ;; (0.x.x.x) this machine
- (eq (aref address 0) 0)
- ;; (127.x.x.x) localhost
- (eq (aref address 0) 0))
- (or
- ;; (::) IPv6 this machine
- (not (cl-mismatch address [0 0 0 0 0 0 0 0]))
- ;; (::1) IPv6 localhost
- (not (cl-mismatch address [0 0 0 0 0 0 0 1]))))
- (and (or (and (functionp nsm-trust-local-network)
- (funcall nsm-trust-local-network))
- nsm-trust-local-network)
- (if ipv4?
- (or
- ;; (10.x.x.x) private
- (eq (aref address 0) 10)
- ;; (172.16.x.x) private
- (and (eq (aref address 0) 172)
- (eq (aref address 0) 16))
- ;; (192.168.x.x) private
- (and (eq (aref address 0) 192)
- (eq (aref address 0) 168))
- ;; (198.18.x.x) private
- (and (eq (aref address 0) 198)
- (eq (aref address 0) 18))
- ;; (169.254.x.x) link-local
- (and (eq (aref address 0) 169)
- (eq (aref address 0) 254)))
- (memq (aref address 0)
- '(
- 64512 ;; (fc00::) IPv6 unique local address
- 64768 ;; (fd00::) IPv6 unique local address
- 65152 ;; (fe80::) IPv6 link-local
- )
- )))))))
+host address is a localhost address, or in the same subnet as one
+of the local interfaces, this function returns nil. Non-nil
+otherwise."
+ (let ((addresses (network-lookup-address-info host))
+ (network-interface-list (network-interface-list))
+ (off-net t))
+ (when
+ (or (and (functionp nsm-trust-local-network)
+ (funcall nsm-trust-local-network))
+ nsm-trust-local-network)
+ (mapc
+ (lambda (address)
+ (mapc
+ (lambda (iface)
+ (let ((info (network-interface-info (car iface))))
+ (when
+ (nsm-network-same-subnet (substring (car info) 0 -1)
+ (substring (car (cddr info)) 0 -1)
+ address)
+ (setq off-net nil))))
+ network-interface-list))
+ addresses))
+ off-net))
(defun nsm-check-tls-connection (process host port status settings)
"Check TLS connection against potential security problems.
- Re: The netsec thread, (continued)
- Re: The netsec thread, Eli Zaretskii, 2019/07/28
- Re: The netsec thread, Lars Ingebrigtsen, 2019/07/28
- Re: The netsec thread, Lars Ingebrigtsen, 2019/07/28
- Re: The netsec thread, Lars Ingebrigtsen, 2019/07/28
- Re: The netsec thread, Robert Pluim, 2019/07/29
- Re: The netsec thread, Robert Pluim, 2019/07/29
- Re: The netsec thread, Lars Ingebrigtsen, 2019/07/29
- Re: The netsec thread, Lars Ingebrigtsen, 2019/07/29
- Re: The netsec thread,
Robert Pluim <=
- Re: The netsec thread, Lars Ingebrigtsen, 2019/07/30
- Re: The netsec thread, Robert Pluim, 2019/07/30
- Re: The netsec thread, Lars Ingebrigtsen, 2019/07/30
- Re: The netsec thread, Robert Pluim, 2019/07/30