1 ;;; nsm.el --- Network Security Manager
3 ;; Copyright (C) 2014-2015 Free Software Foundation, Inc.
5 ;; Author: Lars Magne Ingebrigtsen <larsi@gnus.org>
6 ;; Keywords: encryption, security, network
8 ;; This file is part of GNU Emacs.
10 ;; GNU Emacs is free software: you can redistribute it and/or modify
11 ;; it under the terms of the GNU General Public License as published by
12 ;; the Free Software Foundation, either version 3 of the License, or
13 ;; (at your option) any later version.
15 ;; GNU Emacs is distributed in the hope that it will be useful,
16 ;; but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ;; GNU General Public License for more details.
20 ;; You should have received a copy of the GNU General Public License
21 ;; along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>.
29 (defvar nsm-permanent-host-settings nil
)
30 (defvar nsm-temporary-host-settings nil
)
33 "Network Security Manager"
37 (defcustom network-security-level
'medium
38 "How secure the network should be.
39 If a potential problem with the security of the network
40 connection is found, the user is asked to give input into how the
41 connection should be handled.
43 The following values are possible:
45 `low': Absolutely no checks are performed.
46 `medium': This is the default level, should be reasonable for most usage.
47 `high': This warns about additional things that many people would
49 `paranoid': On this level, the user is queried for most new connections.
51 See the Emacs manual for a description of all things that are
52 checked and warned against."
55 :type
'(choice (const :tag
"Low" low
)
56 (const :tag
"Medium" medium
)
57 (const :tag
"High" high
)
58 (const :tag
"Paranoid" paranoid
)))
60 (defcustom nsm-settings-file
(expand-file-name "network-security.data"
62 "The file the security manager settings will be stored in."
67 (defcustom nsm-save-host-names nil
68 "If non-nil, always save host names in the structures in `nsm-settings-file'.
69 By default, only hosts that have exceptions have their names
70 stored in plain text."
75 (defvar nsm-noninteractive nil
76 "If non-nil, the connection is opened in a non-interactive context.
77 This means that no queries should be performed.")
79 (defun nsm-verify-connection (process host port
&optional
80 save-fingerprint warn-unencrypted
)
81 "Verify the security status of PROCESS that's connected to HOST:PORT.
82 If PROCESS is a gnutls connection, the certificate validity will
83 be examined. If it's a non-TLS connection, it may be compared
84 against previous connections. If the function determines that
85 there is something odd about the connection, the user will be
86 queried about what to do about it.
88 The process it returned if everything is OK, and otherwise, the
89 process will be deleted and nil is returned.
91 If SAVE-FINGERPRINT, always save the fingerprint of the
92 server (if the connection is a TLS connection). This is useful
93 to keep track of the TLS status of STARTTLS servers.
95 If WARN-UNENCRYPTED, query the user if the connection is
97 (if (eq network-security-level
'low
)
99 (let* ((status (gnutls-peer-status process
))
100 (id (nsm-id host port
))
101 (settings (nsm-host-settings id
)))
103 ((not (process-live-p process
))
106 ;; This is a non-TLS connection.
107 (nsm-check-plain-connection process host port settings
111 (nsm-check-tls-connection process host port status settings
)))
112 (when (and process save-fingerprint
113 (null (nsm-host-settings id
)))
114 (nsm-save-host host port status
'fingerprint
'always
))
117 (defun nsm-check-tls-connection (process host port status settings
)
118 (let ((process (nsm-check-certificate process host port status settings
)))
120 (>= (nsm-level network-security-level
) (nsm-level 'high
)))
121 ;; Do further protocol-level checks if the security is high.
122 (nsm-check-protocol process host port status settings
)
125 (defun nsm-check-certificate (process host port status settings
)
126 (let ((warnings (plist-get status
:warnings
)))
129 ;; The certificate validated, but perhaps we want to do
130 ;; certificate pinning.
133 ((< (nsm-level network-security-level
) (nsm-level 'high
))
135 ;; The certificate is fine, but if we're paranoid, we might
136 ;; want to check whether it's changed anyway.
137 ((and (>= (nsm-level network-security-level
) (nsm-level 'high
))
138 (not (nsm-fingerprint-ok-p host port status settings
)))
139 (delete-process process
)
141 ;; We haven't seen this before, and we're paranoid.
142 ((and (eq network-security-level
'paranoid
)
144 (not (nsm-new-fingerprint-ok-p host port status
)))
145 (delete-process process
)
147 ((>= (nsm-level network-security-level
) (nsm-level 'high
))
148 ;; Save the host fingerprint so that we can check it the
149 ;; next time we connect.
150 (nsm-save-host host port status
'fingerprint
'always
)
155 ;; The certificate did not validate.
156 ((not (equal network-security-level
'low
))
157 ;; We always want to pin the certificate of invalid connections
158 ;; to track man-in-the-middle or the like.
159 (if (not (nsm-fingerprint-ok-p host port status settings
))
161 (delete-process process
)
163 ;; We have a warning, so query the user.
164 (if (and (not (nsm-warnings-ok-p status settings
))
166 host port status
'conditions
167 "The TLS connection to %s:%s is insecure for the following reason%s:\n\n%s"
169 (if (> (length warnings
) 1)
171 (mapconcat #'gnutls-peer-status-warning-describe
175 (delete-process process
)
179 (defun nsm-check-protocol (process host port status settings
)
180 (let ((prime-bits (plist-get status
:diffie-hellman-prime-bits
))
181 (encryption (format "%s-%s-%s"
182 (plist-get status
:key-exchange
)
183 (plist-get status
:cipher
)
184 (plist-get status
:mac
)))
185 (protocol (plist-get status
:protocol
)))
189 (not (memq :diffie-hellman-prime-bits
190 (plist-get settings
:conditions
)))
193 host port status
:diffie-hellman-prime-bits
194 "The Diffie-Hellman prime bits (%s) used for this connection to %s:%s is less than what is considered safe (%s)."
195 prime-bits host port
1024)))
196 (delete-process process
)
198 ((and (string-match "\\bRC4\\b" encryption
)
199 (not (memq :rc4
(plist-get settings
:conditions
)))
202 host port status
:rc4
203 "The connection to %s:%s uses the RC4 algorithm (%s), which is believed to be unsafe."
204 host port encryption
)))
205 (delete-process process
)
208 (string-match "SSL" protocol
)
209 (not (memq :ssl
(plist-get settings
:conditions
)))
212 host port status
:ssl
213 "The connection to %s:%s uses the %s protocol, which is believed to be unsafe."
214 host port protocol
)))
215 (delete-process process
)
220 (defun nsm-fingerprint (status)
221 (plist-get (plist-get status
:certificate
) :public-key-id
))
223 (defun nsm-fingerprint-ok-p (host port status settings
)
224 (let ((did-query nil
))
226 (not (eq (plist-get settings
:fingerprint
) :none
))
227 (not (equal (nsm-fingerprint status
)
228 (plist-get settings
:fingerprint
)))
232 host port status
'fingerprint
233 "The fingerprint for the connection to %s:%s has changed from %s to %s"
235 (plist-get settings
:fingerprint
)
236 (nsm-fingerprint status
)))))
240 ;; Remove any exceptions that have been set on the previous
242 (plist-put settings
:conditions nil
))
245 (defun nsm-new-fingerprint-ok-p (host port status
)
247 host port status
'fingerprint
248 "The fingerprint for the connection to %s:%s is new: %s"
250 (nsm-fingerprint status
)))
252 (defun nsm-check-plain-connection (process host port settings warn-unencrypted
)
253 ;; If this connection used to be TLS, but is now plain, then it's
254 ;; possible that we're being Man-In-The-Middled by a proxy that's
255 ;; stripping out STARTTLS announcements.
257 ((and (plist-get settings
:fingerprint
)
258 (not (eq (plist-get settings
:fingerprint
) :none
))
261 host port nil
'conditions
262 "The connection to %s:%s used to be an encrypted connection, but is now unencrypted. This might mean that there's a man-in-the-middle tapping this connection."
264 (delete-process process
)
266 ((and warn-unencrypted
267 (not (memq :unencrypted
(plist-get settings
:conditions
)))
269 host port nil
'conditions
270 "The connection to %s:%s is unencrypted."
272 (delete-process process
)
277 (defun nsm-query (host port status what message
&rest args
)
278 ;; If there is no user to answer queries, then say `no' to everything.
279 (if (or noninteractive
284 (nsm-query-user message args
(nsm-format-certificate status
))
285 ;; Make sure we manage to close the process if the user hits
289 (if (eq response
'no
)
291 (nsm-save-host host port status what response
)
294 (defun nsm-query-user (message args cert
)
295 (let ((buffer (get-buffer-create "*Network Security Manager*")))
296 (with-help-window buffer
297 (with-current-buffer buffer
299 (when (> (length cert
) 0)
301 (let ((start (point)))
302 (insert (apply 'format message args
))
304 ;; Fill the first line of the message, which usually
305 ;; contains lots of explanatory text.
306 (fill-region (point) (line-end-position)))))
307 (let ((responses '((?n . no
)
311 (cursor-in-echo-area t
)
313 (while (not response
)
319 "Continue connecting? (No, Session only, Always) ")))
323 (setq prefix
"Invalid choice. ")))
325 ;; If called from a callback, `read-char' will insert things
326 ;; into the pending input. Clear that.
327 (clear-this-command-keys)
330 (defun nsm-save-host (host port status what permanency
)
331 (let* ((id (nsm-id host port
))
334 :fingerprint
(or (nsm-fingerprint status
)
337 (when (or (eq what
'conditions
)
339 (nconc saved
(list :host
(format "%s:%s" host port
))))
340 ;; We either want to save/update the fingerprint or the conditions
341 ;; of the certificate/unencrypted connection.
343 ((eq what
'conditions
)
346 (nconc saved
'(:conditions
(:unencrypted
))))
347 ((plist-get status
:warnings
)
349 (list :conditions
(plist-get status
:warnings
))))))
350 ((not (eq what
'fingerprint
))
351 ;; Store additional protocol settings.
352 (let ((settings (nsm-host-settings id
)))
354 (setq saved settings
))
355 (if (plist-get saved
:conditions
)
356 (nconc (plist-get saved
:conditions
) (list what
))
357 (nconc saved
(list :conditions
(list what
)))))))
358 (if (eq permanency
'always
)
360 (nsm-remove-temporary-setting id
)
361 (nsm-remove-permanent-setting id
)
362 (push saved nsm-permanent-host-settings
)
363 (nsm-write-settings))
364 (nsm-remove-temporary-setting id
)
365 (push saved nsm-temporary-host-settings
))))
367 (defun nsm-write-settings ()
368 (with-temp-file nsm-settings-file
370 (dolist (setting nsm-permanent-host-settings
)
372 (prin1 setting
(current-buffer))
376 (defun nsm-read-settings ()
377 (setq nsm-permanent-host-settings
379 (insert-file-contents nsm-settings-file
)
380 (goto-char (point-min))
381 (ignore-errors (read (current-buffer))))))
383 (defun nsm-id (host port
)
384 (concat "sha1:" (sha1 (format "%s:%s" host port
))))
386 (defun nsm-host-settings (id)
387 (when (and (not nsm-permanent-host-settings
)
388 (file-exists-p nsm-settings-file
))
391 (dolist (elem (append nsm-temporary-host-settings
392 nsm-permanent-host-settings
))
393 (when (and (not result
)
394 (equal (plist-get elem
:id
) id
))
398 (defun nsm-warnings-ok-p (status settings
)
400 (conditions (plist-get settings
:conditions
)))
401 (dolist (warning (plist-get status
:warnings
))
402 (unless (memq warning conditions
)
406 (defun nsm-remove-permanent-setting (id)
407 (setq nsm-permanent-host-settings
410 (equal (plist-get elem
:id
) id
))
411 nsm-permanent-host-settings
)))
413 (defun nsm-remove-temporary-setting (id)
414 (setq nsm-temporary-host-settings
417 (equal (plist-get elem
:id
) id
))
418 nsm-temporary-host-settings
)))
420 (defun nsm-format-certificate (status)
421 (let ((cert (plist-get status
:certificate
)))
425 "Certificate information\n"
427 (nsm-certificate-part (plist-get cert
:issuer
) "CN" t
) "\n"
429 (or (nsm-certificate-part (plist-get cert
:subject
) "O")
430 (nsm-certificate-part (plist-get cert
:subject
) "OU" t
))
433 (nsm-certificate-part (plist-get cert
:subject
) "CN" t
) "\n")
434 (when (and (plist-get cert
:public-key-algorithm
)
435 (plist-get cert
:signature-algorithm
))
437 "Public key:" (plist-get cert
:public-key-algorithm
)
438 ", signature: " (plist-get cert
:signature-algorithm
) "\n"))
439 (when (and (plist-get status
:key-exchange
)
440 (plist-get status
:cipher
)
441 (plist-get status
:mac
)
442 (plist-get status
:protocol
))
444 "Protocol:" (plist-get status
:protocol
)
445 ", key: " (plist-get status
:key-exchange
)
446 ", cipher: " (plist-get status
:cipher
)
447 ", mac: " (plist-get status
:mac
) "\n"))
448 (when (plist-get cert
:certificate-security-level
)
451 (propertize (plist-get cert
:certificate-security-level
)
455 "Valid:From " (plist-get cert
:valid-from
)
456 " to " (plist-get cert
:valid-to
) "\n\n")
457 (goto-char (point-min))
458 (while (re-search-forward "^[^:]+:" nil t
)
459 (insert (make-string (- 20 (current-column)) ?
)))
462 (defun nsm-certificate-part (string part
&optional full
)
463 (let ((part (cadr (assoc part
(nsm-parse-subject string
)))))
469 (defun nsm-parse-subject (string)
472 (goto-char (point-min))
473 (let ((start (point))
476 (push (replace-regexp-in-string
478 (buffer-substring start
479 (if (re-search-forward "[^\\]," nil
'move
)
483 (setq start
(point)))
486 (let ((pos (cl-position ?
= elem
)))
488 (list (substring elem
0 pos
)
489 (substring elem
(1+ pos
)))
491 (nreverse result
)))))
493 (defun nsm-level (symbol)
494 "Return a numerical level for SYMBOL for easier comparison."
497 ((eq symbol
'medium
) 1)
498 ((eq symbol
'high
) 2)