| Current File : //proc/thread-self/root/kunden/usr/share/emacs/27.2/lisp/net/nsm.elc |
;ELC����
;;; Compiled
;;; in Emacs version 27.2
;;; with all optimizations.
;;; This file contains utf-8 non-ASCII characters,
;;; and so cannot be loaded into Emacs 22 or earlier.
(and (boundp 'emacs-version)
(< (aref emacs-version (1- (length emacs-version))) ?A)
(string-lessp emacs-version "23")
(error "`%s' was compiled for Emacs 23 or later" #$))
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
(byte-code "\300\301!\210\300\302!\210\300\303!\210\300\304!\210\300\305!\207" [require cl-lib rmc subr-x seq map] 2)
(defvar nsm-permanent-host-settings nil)
(defvar nsm-temporary-host-settings nil)
(byte-code "\300\301\302\303\304\305\306\307&�\210\310\311\312\313\314DD\315\304\305\316\317&�\210\310\320\312\313\321DD\322\304\323\316\324&�\210\310\325\312\313\326DD\327\304\305\316\330&�\210\310\331\312\313\332DD\333\304\305\316\334&�\207" [custom-declare-group nsm nil "Network Security Manager" :version "25.1" :group comm custom-declare-variable network-security-level funcall function #[0 "\300\207" [medium] 1] "How secure the network should be.\nIf a potential problem with the security of the network\nconnection is found, the user is asked to give input into how the\nconnection should be handled.\n\nThe following values are possible:\n\n`low': No checks are performed: This is extremely insecure.\n`medium': Default. Suitable for most circumstances.\n`high': Warns about additional issues not enabled in `medium' due to\ncompatibility concerns.\n`paranoid': On this level, the user is queried for most new connections.\n\nSee the Emacs manual for a description of all things that are\nchecked and warned against." :type (choice (const :tag "Low" low) (const :tag "Medium" medium) (const :tag "High" high) (const :tag "Paranoid" paranoid)) nsm-trust-local-network #[0 "\300\207" [nil] 1] "Disable warnings when visiting trusted hosts on local networks.\n\nThe default suite of TLS checks in NSM is designed to follow the\nmost current security best practices. Under some situations,\nsuch as attempting to connect to an email server that do not\nfollow these practices inside a school or corporate network, NSM\nmay produce warnings for such occasions. Setting this option to\na non-nil value, or a zero-argument function that returns non-nil\ntells NSM to skip checking for potential TLS vulnerabilities when\nconnecting to hosts on a local network.\n\nMake sure you know what you are doing before enabling this\noption." "27.1" (choice (const :tag "On" t) (const :tag "Off" nil) (function :tag "Custom function")) nsm-settings-file #[0 "\301\302�\"\207" [user-emacs-directory expand-file-name "network-security.data"] 3] "The file the security manager settings will be stored in." file nsm-save-host-names #[0 "\300\207" [nil] 1] "If non-nil, always save host names in the structures in `nsm-settings-file'.\nBy default, only hosts that have exceptions have their names\nstored in plain text." boolean] 8)
#@116 If non-nil, the connection is opened in a non-interactive context.
This means that no queries should be performed.�
(defvar nsm-noninteractive nil (#$ . 2933))
#@781 Verify the security status of PROCESS that's connected to HOST:PORT.
If PROCESS is a gnutls connection, the certificate validity will
be examined. If it's a non-TLS connection, it may be compared
against previous connections. If the function determines that
there is something odd about the connection, the user will be
queried about what to do about it.
The process is returned if everything is OK, and otherwise, the
process will be deleted and nil is returned.
If SAVE-FINGERPRINT, always save the fingerprint of the
server (if the connection is a TLS connection). This is useful
to keep track of the TLS status of STARTTLS servers.
If WARN-UNENCRYPTED, query the user if the connection is
unencrypted.
(fn PROCESS HOST PORT &optional SAVE-FINGERPRINT WARN-UNENCRYPTED)�
(defalias 'nsm-verify-connection #[1283 "\300�!\301��\"\302�!\303��!\204��\304\202P��\204'�\305���������%\202P�\306���������%\211\203M��\203M�\302�!\204M�\307������\310\304\311&�\210\211\262�\207" [gnutls-peer-status nsm-id nsm-host-settings process-live-p nil nsm-check-plain-connection nsm-check-tls-connection nsm-save-host fingerprint always] 16 (#$ . 3099)])
(byte-code "\300\301\302\303\304DD\305\306\307\310\311&�\207" [custom-declare-variable network-security-protocol-checks funcall function #[0 "\300\207" [((version medium) (compression medium) (renegotiation-info-ext medium) (verify-cert medium) (same-cert medium) (null-suite medium) (export-kx medium) (anon-kx medium) (md5-sig medium) (rc4-cipher medium) (dhe-prime-kx medium) (sha1-sig medium) (ecdsa-cbc-cipher medium) (dhe-kx high) (rsa-kx high) (3des-cipher high) (cbc-cipher high))] 1] "This variable specifies what TLS connection checks to perform.\nIt's an alist where the key is the name of the check, and the\nvalue is the minimum security level the check should begin.\n\nEach check function is called with the parameters HOST PORT\nSTATUS SETTINGS. HOST is the host domain, PORT is a TCP port\nnumber, STATUS is the peer status returned by\n`gnutls-peer-status', and SETTINGS is the persistent and session\nsettings for the host HOST. Please refer to the contents of\n`nsm-settings-file' for details. If a problem is found, the check\nfunction is required to return an error message, and nil\notherwise.\n\nSee also: `nsm-check-tls-connection', `nsm-save-host-names',\n`nsm-settings-file'" :version "27.1" :type (repeat (list (symbol :tag "Check function") (choice :tag "Level" :value medium (const :tag "Low" low) (const :tag "Medium" medium) (const :tag "High" high))))] 8)
#@245 Save the certificate's fingerprint.
In order to detect man-in-the-middle attacks, when
`network-security-level' is `high', this function will save the
fingerprint of the certificate for check functions to check.
(fn HOST PORT STATUS &rest _)�
(defalias 'nsm-save-fingerprint-maybe #[899 "\301�!\301\302!Y\205��\303���\304\305\306&�\207" [network-security-level nsm-level high nsm-save-host fingerprint nil always] 11 (#$ . 5642)])
#@331 Functions to run after checking a TLS session.
Each function will be run with the parameters HOST PORT STATUS
SETTINGS and RESULTS. The parameters HOST PORT STATUS and
SETTINGS are the same as those supplied to each check function.
RESULTS is an alist where the keys are the checks run and the
values the results of the checks.�
(defvar nsm-tls-post-check-functions '(nsm-save-fingerprint-maybe) (#$ . 6081))
#@223 Return t if IP is in the same subnet as LOCAL-IP/MASK.
LOCAL-IP, MASK, and IP are specified as vectors of integers, and
are expected to have the same length. Works for both IPv4 and
IPv6 addresses.
(fn LOCAL-IP MASK IP)�
(defalias 'nsm-network-same-subnet #[771 "\300�G�G�\301>\203��\211\302>\204��\303\304��\"\210��U\205L�\211\305\211�W\203I�\211�\205?�\306� �H� �H\"\306���H�\n�H\"U\262�\210\211T\262�\202��\266��\207" [t (4 5 8 9) (4 5 8 9) error "Unexpected length of IP address %S" 0 logand] 14 (#$ . 6498)])
#@276 Determine whether NSM should check for TLS problems for HOST.
If `nsm-trust-local-network' is or returns non-nil, and if the
host address is a localhost address, or in the same subnet as one
of the local interfaces, this function returns nil. Non-nil
otherwise.
(fn HOST)�
(defalias 'nsm-should-check #[257 "\301�!\302\303!\303C\304�!\203��� \204���\203*�\305\306\307\310\311\312����\"\313\"\314\315%�\"\210\211\242\207" [nsm-trust-local-network network-lookup-address-info network-interface-list t functionp mapc make-byte-code 257 "\302\303\304\305\306\307\301��\"\310\"\311\312%\300\"\207" vconcat vector [mapc make-byte-code 257 "\211A@\302�8\303\304�\305\306#\304�\305\306#\304\301\305\306##\205��\300\307\240\207" vconcat vector [2 nsm-network-same-subnet substring 0 -1 nil] 10 "\n\n(fn INFO)"] 9 "\n\n(fn IP)"] 12 (#$ . 7020)])
#@802 Check TLS connection against potential security problems.
This function runs each test defined in
`network-security-protocol-checks' in the order specified against
the TLS connection's peer status STATUS for the host HOST and
port PORT.
If one or more problems are found, this function will collect all
the error messages returned by the check functions, and confirm
with the user in interactive mode whether to continue with the
TLS session.
If the user declines to continue, or problem(s) are found under
non-interactive mode, the process PROCESS will be deleted, thus
terminating the connection.
This function returns the process PROCESS if no problems are
found, and nil otherwise.
See also: `network-security-protocol-checks' and `nsm-noninteractive'
(fn PROCESS HOST PORT STATUS SETTINGS)�
(defalias 'nsm-check-tls-connection #[1285 "\302�!\203\333��\303\211\211\211�:\203Z��@\262�\304\305\306��@\"!\262��\307��\310\">?\205F�\311 !\311�A@!Y\205F�\304\305\312��@\"!� � � � $\262��\203S���B�B\262��A\262�\202��\211\237\266\205\307�\313\"\314�!\244 \315=\203x�\316��\"\204x�\317�B\262��\203\313�\320\307�\310\"�\"\204\313�\321������\322�\323\324�
�
�\nG\325V\203\241�\326\202\242�\327\330\331\332��!\333\334\335��#\266\202\333\"\336\334\335��#\266\202P%&�\204\313�\337��!\203\313�\303\262�\340\341����������&�\266��\207" [network-security-protocol-checks network-security-level nsm-should-check nil intern format ":%s" plist-get :conditions nsm-level "nsm-protocol-check--%s" :warnings map-keys paranoid nsm-fingerprint-ok-p (:not-seen . "Certificate not seen before") seq-set-equal-p nsm-query conditions format-message "The TLS connection to %s:%s is insecure\nfor the following reason%s:\n\n%s" 1 "s" "" "* " split-string map-values "\n" mapconcat identity "\n* " delete-process run-hook-with-args nsm-tls-post-check-functions] 26 (#$ . 7865)])
#@272 Check for warnings from the certificate verification status.
This is the most basic security check for a TLS connection. If
certificate verification fails, it means the server's identity
cannot be verified by the credentials received.
(fn HOST PORT STATUS SETTINGS)�
(defalias 'nsm-protocol-check--verify-cert #[1028 "\300�\301\"\211\205��\302��\"?\205��\303\304�\305#\207" [plist-get :warnings nsm-warnings-ok-p mapconcat gnutls-peer-status-warning-describe "\n"] 9 (#$ . 9728)])
#@220 Check for certificate fingerprint mismatch.
If the fingerprints saved do not match the fingerprint of the
certificate presented, the TLS session may be under a
man-in-the-middle attack.
(fn HOST PORT STATUS SETTINGS)�
(defalias 'nsm-protocol-check--same-cert #[1028 "\300��\"?\205��\301\302!\207" [nsm-fingerprint-ok-p format-message "fingerprint has changed"] 7 (#$ . 10220)])
#@1029 Check for static RSA key exchange.
Static RSA key exchange methods do not offer perfect forward
secrecy, therefore, the security of a TLS session is only as
secure as the server's private key. Due to TLS' use of RSA key
exchange to create a session key (the key negotiated between the
client and the server to encrypt traffic), if the server's
private key had been compromised, the attacker will be able to
decrypt any past TLS session recorded, as opposed to just one TLS
session if the key exchange was conducted via a key exchange
method that offers perfect forward secrecy, such as ephemeral
Diffie-Hellman key exchange.
By default, this check is only enabled when
`network-security-level' is set to `high' for compatibility
reasons.
Reference:
Sheffer, Holz, Saint-Andre (May 2015). "Recommendations for Secure
Use of Transport Layer Security (TLS) and Datagram Transport Layer
Security (DTLS)", "(4.1. General Guidelines)"
`https://tools.ietf.org/html/rfc7525#section-4.1'
(fn HOST PORT STATUS &optional SETTINGS)�
(defalias 'nsm-protocol-check--rsa-kx #[1027 "\300�\301\"\302\303�\"\205��\304\305�\"\207" [plist-get :key-exchange string-match "^\\bRSA\\b" format-message "RSA key exchange method (%s) does not offer perfect forward secrecy"] 8 (#$ . 10607)])
#@1036 Check for the key strength of DH key exchange based on integer factorization.
This check is a response to Logjam[1]. Logjam is an attack that
allows an attacker with sufficient resource, and positioned
between the user and the server, to downgrade vulnerable TLS
connections to insecure 512-bit export grade cryptography.
The Logjam paper suggests using 1024-bit prime on the client to
mitigate some effects of this attack, and upgrade to 2048-bit as
soon as server configurations allow. According to SSLLabs' SSL
Pulse tracker, only about 75% of server support 2048-bit key
exchange in June 2018[2]. To provide a balance between
compatibility and security, this function only checks for a
minimum key strength of 1024-bit.
See also: `nsm-protocol-check--dhe-kx'
Reference:
[1]: Adrian et al (2014). "Imperfect Forward Secrecy: How
Diffie-Hellman Fails in Practice", `https://weakdh.org/'
[2]: SSL Pulse (June 03, 2018). "Key Exchange Strength",
`https://www.ssllabs.com/ssl-pulse/'
(fn HOST PORT STATUS &optional SETTINGS)�
(defalias 'nsm-protocol-check--dhe-prime-kx #[1027 "\300�\301\"\302\303\300�\304\"\"\205��\211\305W\205��\306\307�\305#\207" [plist-get :diffie-hellman-prime-bits string-match "^\\bDHE\\b" :key-exchange 1024 format-message "Diffie-Hellman key strength (%s bits) too weak (%s bits)"] 10 (#$ . 11888)])
#@829 Check for existence of DH key exchange based on integer factorization.
In the years since the discovery of Logjam, it was discovered
that there were rampant use of small subgroup prime or composite
number for DHE by many servers, and thus allowed themselves to be
vulnerable to backdoors[1]. Given the difficulty in validating
Diffie-Hellman parameters, major browser vendors had started to
remove DHE since 2016[2]. Emacs stops short of banning DHE and
terminating connection, but prompts the user instead.
References:
[1]: Dorey, Fong, and Essex (2016). "Indiscreet Logs: Persistent
Diffie-Hellman Backdoors in TLS.",
`https://eprint.iacr.org/2016/999.pdf'
[2]: Chrome Platform Status (2017). "Remove DHE-based ciphers",
`https://www.chromestatus.com/feature/5128908798164992'
(fn HOST PORT STATUS &optional SETTINGS)�
(defalias 'nsm-protocol-check--dhe-kx #[1027 "\300�\301\"\302\303�\"\205��\304\305�\"\207" [plist-get :key-exchange string-match "^\\bDHE\\b" format-message "unable to verify Diffie-Hellman key exchange method (%s) parameters"] 8 (#$ . 13231)])
#@718 Check for RSA-EXPORT key exchange.
EXPORT cipher suites are a family of 40-bit and 56-bit effective
security algorithms legally exportable by the United States in
the early 90s[1]. They can be broken in seconds on 2018 hardware.
Prior to 3.2.0, GnuTLS had only supported RSA-EXPORT key
exchange. Since 3.2.0, RSA-EXPORT had been removed, therefore,
this check has no effect on GnuTLS >= 3.2.0.
Reference:
[1]: Schneier, Bruce (1996). Applied Cryptography (Second ed.). John
Wiley & Sons. ISBN 0-471-11709-9.
[2]: N. Mavrogiannopoulos, FSF (Apr 2015). "GnuTLS NEWS -- History
of user-visible changes." Version 3.4.0,
`https://gitlab.com/gnutls/gnutls/blob/master/NEWS'
(fn HOST PORT STATUS &optional SETTINGS)�
(defalias 'nsm-protocol-check--export-kx #[1027 "�\301W\205��\302�\303\"\304\305�\"\205��\306\307�\"\262�\207" [libgnutls-version 30200 plist-get :key-exchange string-match "\\bEXPORT\\b" format-message "EXPORT level key exchange (%s) is insecure"] 8 (#$ . 14311)])
#@307 Check for anonymous key exchange.
Anonymous key exchange exposes the connection to
man-in-the-middle attacks.
Reference:
GnuTLS authors (2018). "GnuTLS Manual 4.3.3 Anonymous
authentication",
`https://www.gnutls.org/manual/gnutls.html#Anonymous-authentication'
(fn HOST PORT STATUS &optional SETTINGS)�
(defalias 'nsm-protocol-check--anon-kx #[1027 "\300�\301\"\302\303�\"\205��\304\305�\"\207" [plist-get :key-exchange string-match "\\bANON\\b" format-message "anonymous key exchange method (%s) can be unsafe"] 8 (#$ . 15301)])
#@877 Check for CBC mode ciphers.
CBC mode cipher in TLS versions earlier than 1.3 are problematic
because of MAC-then-encrypt. This construction is vulnerable to
padding oracle attacks[1].
Since GnuTLS 3.4.0, the TLS encrypt-then-MAC extension[2] has
been enabled by default[3]. If encrypt-then-MAC is negotiated,
this check has no effect.
Reference:
[1]: Sullivan (Feb 2016). "Padding oracles and the decline of
CBC-mode cipher suites",
`https://blog.cloudflare.com/padding-oracles-and-the-decline-of-cbc-mode-ciphersuites/'
[2]: P. Gutmann (Sept 2014). "Encrypt-then-MAC for Transport Layer
Security (TLS) and Datagram Transport Layer Security (DTLS)",
`https://tools.ietf.org/html/rfc7366'
[3]: N. Mavrogiannopoulos (Nov 2015). "An overview of GnuTLS
3.4.x",
`https://nikmav.blogspot.com/2015/11/an-overview-of-gnutls-34x.html'
(fn HOST PORT STATUS &optional SETTINGS)�
(defalias 'nsm-protocol-check--cbc-cipher #[1027 "\300�\301\"?\205��\300�\302\"\303\304�\"\205��\305\306�\"\262�\207" [plist-get :encrypt-then-mac :cipher string-match "\\bCBC\\b" format-message "CBC mode cipher (%s) can be insecure"] 8 (#$ . 15841)])
#@1231 Check for CBC mode cipher usage under ECDSA key exchange.
CBC mode cipher in TLS versions earlier than 1.3 are problematic
because of MAC-then-encrypt. This construction is vulnerable to
padding oracle attacks[1].
Due to current widespread use of CBC mode ciphers by servers,
this function only checks for CBC mode cipher usage in
combination with ECDSA key exchange, which is virtually
non-existent[2].
Since GnuTLS 3.4.0, the TLS encrypt-then-MAC extension[3] has
been enabled by default[4]. If encrypt-then-MAC is negotiated,
this check has no effect.
References:
[1]: Sullivan (Feb 2016). "Padding oracles and the decline of
CBC-mode cipher suites",
`https://blog.cloudflare.com/padding-oracles-and-the-decline-of-cbc-mode-ciphersuites/'
[2]: Chrome Platform Status (2017). "Remove CBC-mode ECDSA ciphers in
TLS", `https://www.chromestatus.com/feature/5740978103123968'
[3]: P. Gutmann (Sept 2014). "Encrypt-then-MAC for Transport Layer
Security (TLS) and Datagram Transport Layer Security (DTLS)",
`https://tools.ietf.org/html/rfc7366'
[4]: N. Mavrogiannopoulos (Nov 2015). "An overview of GnuTLS
3.4.x",
`https://nikmav.blogspot.com/2015/11/an-overview-of-gnutls-34x.html'
(fn HOST PORT STATUS &optional SETTINGS)�
(defalias 'nsm-protocol-check--ecdsa-cbc-cipher #[1027 "\300�\301\"?\205$�\300�\302\"\300�\303\"\304\305�\"\205\"�\304\306�\"\205\"�\307\310�\"\266\202\207" [plist-get :encrypt-then-mac :key-exchange :cipher string-match "\\bECDSA\\b" "\\bCBC\\b" format-message "CBC mode cipher (%s) can be insecure"] 9 (#$ . 16977)])
#@734 Check for 3DES ciphers.
Due to its use of 64-bit block size, it is known that a
ciphertext collision is highly likely when 2^32 blocks are
encrypted with the same key bundle under 3-key 3DES. Practical
birthday attacks of this kind have been demonstrated by Sweet32[1].
As such, NIST is in the process of disallowing its use in TLS[2].
[1]: Bhargavan, Leurent (2016). "On the Practical (In-)Security of
64-bit Block Ciphers — Collision Attacks on HTTP over TLS and
OpenVPN", `https://sweet32.info/'
[2]: NIST Information Technology Laboratory (Jul 2017). "Update to
Current Use and Deprecation of TDEA",
`https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA'
(fn HOST PORT STATUS &optional SETTINGS)�
(defalias 'nsm-protocol-check--3des-cipher #[1027 "\300�\301\"\302\303�\"\205��\304\305�\"\207" [plist-get :cipher string-match "\\b3DES\\b" format-message "3DES cipher (%s) is weak"] 8 (#$ . 18533)])
#@534 Check for RC4 ciphers.
RC4 cipher has been prohibited by RFC 7465[1].
Since GnuTLS 3.4.0, RC4 is not enabled by default[2], but can be
enabled if requested. This check is mainly provided to secure
Emacs built with older version of GnuTLS.
Reference:
[1]: Popov A (Feb 2015). "Prohibiting RC4 Cipher Suites",
`https://tools.ietf.org/html/rfc7465'
[2]: N. Mavrogiannopoulos (Nov 2015). "An overview of GnuTLS
3.4.x",
`https://nikmav.blogspot.com/2015/11/an-overview-of-gnutls-34x.html'
(fn HOST PORT STATUS &optional SETTINGS)�
(defalias 'nsm-protocol-check--rc4-cipher #[1027 "\300�\301\"\302\303�\"\205��\304\305�\"\207" [plist-get :cipher string-match "\\bARCFOUR\\b" format-message "RC4 cipher (%s) is insecure"] 8 (#$ . 19474)])
#@1158 Check for SHA1 signatures on certificates.
The first SHA1 collision was found in 2017[1], as a precaution
against the events following the discovery of cheap collisions in
MD5, major browsers[2][3][4][5] have removed the use of SHA1
signatures in certificates.
References:
[1]: Stevens M, Karpman P et al (2017). "The first collision for
full SHA-1", `https://shattered.io/static/shattered.pdf'
[2]: Chromium Security Education TLS/SSL. "Deprecated and Removed
Features (SHA-1 Certificate Signatures)",
`https://www.chromium.org/Home/chromium-security/education/tls#TOC-SHA-1-Certificate-Signatures'
[3]: Jones J.C (2017). "The end of SHA-1 on the Public Web",
`https://blog.mozilla.org/security/2017/02/23/the-end-of-sha-1-on-the-public-web/'
[4]: Apple Support (2017). "Move to SHA-256 signed certificates to
avoid connection failures",
`https://support.apple.com/en-gb/HT207459'
[5]: Microsoft Security Advisory 4010323 (2017). "Deprecation of
SHA-1 for SSL/TLS Certificates in Microsoft Edge and Internet Explorer
11",
`https://docs.microsoft.com/en-us/security-updates/securityadvisories/2017/4010323'
(fn HOST PORT STATUS &optional SETTINGS)�
(defalias 'nsm-protocol-check--sha1-sig #[1027 "\300�\301\"\302\211\303\302�:\203B��@\262�\300�\304\"\262�\300�\305\"\300�\306\"\232\2047�\307\310�\"\2037�\311\312�\"\262�\302\211\262�\2028�\303\203B��A\262�\202��\207" [plist-get :certificates nil t :signature-algorithm :issuer :subject string-match "\\bSHA1\\b" format-message "SHA1 signature (%s) is prone to collisions"] 13 (#$ . 20221)])
#@756 Check for MD5 signatures on certificates.
In 2008, a group of researchers were able to forge an
intermediate CA certificate that appeared to be legitimate when
checked by MD5[1]. RFC 6151[2] has recommended against the usage
of MD5 for digital signatures, which includes TLS certificate
signatures.
Since GnuTLS 3.3.0, MD5 has been disabled by default, but can be
enabled if requested.
References:
[1]: Sotirov A, Stevens M et al (2008). "MD5 considered harmful today
- Creating a rogue CA certificate",
`http://www.win.tue.nl/hashclash/rogue-ca/'
[2]: Turner S, Chen L (2011). "Updated Security Considerations for
the MD5 Message-Digest and the HMAC-MD5 Algorithms",
`https://tools.ietf.org/html/rfc6151'
(fn HOST PORT STATUS &optional SETTINGS)�
(defalias 'nsm-protocol-check--md5-sig #[1027 "\300�\301\"\302\211\303\302�:\203B��@\262�\300�\304\"\262�\300�\305\"\300�\306\"\232\2047�\307\310�\"\2037�\311\312�\"\262�\302\211\262�\2028�\303\203B��A\262�\202��\207" [plist-get :certificates nil t :signature-algorithm :issuer :subject string-match "\\bMD5\\b" format-message "MD5 signature (%s) is very prone to collisions"] 13 (#$ . 21778)])
#@564 Check for renegotiation_info TLS extension status.
If this TLS extension is not used, the connection established is
vulnerable to an attack in which an impersonator can extract
sensitive information such as HTTP session ID cookies or login
passwords. Renegotiation was removed in TLS1.3, so this is only
checked for earlier protocol versions.
Reference:
E. Rescorla, M. Ray, S. Dispensa, N. Oskov (Feb 2010). "Transport
Layer Security (TLS) Renegotiation Indication Extension",
`https://tools.ietf.org/html/rfc5746'
(fn HOST PORT STATUS &optional SETTINGS)�
(defalias 'nsm-protocol-check--renegotiation-info-ext #[1027 "\300�\301\"\205��\302�\301\"?\211\205��\303\304!\262�\207" [plist-member :safe-renegotiation plist-get format-message "safe renegotiation is not supported, connection not protected from impersonators"] 7 (#$ . 22935)])
#@416 Check for TLS compression.
TLS compression attacks such as CRIME would allow an attacker to
decrypt ciphertext. As a result, RFC 7525 has recommended its
disablement.
Reference:
Sheffer, Holz, Saint-Andre (May 2015). "Recommendations for Secure
Use of Transport Layer Security (TLS) and Datagram Transport Layer
Security (DTLS)", `https://tools.ietf.org/html/rfc7525'
(fn HOST PORT STATUS &optional SETTINGS)�
(defalias 'nsm-protocol-check--compression #[1027 "\300�\301\"\211\205��\302\303�\"\205��\304\305�\"\207" [plist-get :compression string-match "^\\bDEFLATE\\b" format-message "compression method (%s) may lead to leakage of sensitive information"] 8 (#$ . 23786)])
#@550 Check for SSL/TLS protocol version.
This function guards against the usage of SSL3.0, which has been
deprecated by RFC7568[1], and TLS 1.0, which has been deprecated
by PCI DSS[2].
References:
[1]: Barnes, Thomson, Pironti, Langley (2015). "Deprecating Secure
Sockets Layer Version 3.0", `https://tools.ietf.org/html/rfc7568'
[2]: PCI Security Standards Council (2016). "Migrating from SSL and
Early TLS"
`https://www.pcisecuritystandards.org/documents/Migrating-from-SSL-Early-TLS-Info-Supp-v1_1.pdf'
(fn HOST PORT STATUS &optional SETTINGS)�
(defalias 'nsm-protocol-check--version #[1027 "\300�\301\"\211\205%�\302\303�\"\204!�\302\304�\"\205%�\305\306\307�\"!\307W\205%�\310\311�\"\207" [plist-get :protocol string-match "SSL" "TLS1.\\([0-9]+\\)" string-to-number match-string 1 format-message "%s protocol is deprecated by standard bodies"] 9 (#$ . 24472)])
#@327 Check for NULL cipher suites.
This function checks for NULL key exchange, cipher and message
authentication code key derivation function. As the name
suggests, a NULL assigned for any of the above disables an
integral part of the security properties that makes up the TLS
protocol.
(fn HOST PORT STATUS &optional SETTINGS)�
(defalias 'nsm-protocol-check--null-suite #[1027 "\300�!\301\302�\"\205��\303\304�\"\207" [nsm-cipher-suite string-match "\\bNULL\\b" format-message "NULL cipher suite (%s) violates authenticity, integrity, or confidentiality guarantees"] 8 (#$ . 25346)])
#@15
(fn STATUS)�
(defalias 'nsm-fingerprint #[257 "\300\211�\301\"\302\"\207" [plist-get :certificate :public-key-id] 5 (#$ . 25934)])
#@24
(fn STATUS SETTINGS)�
(defalias 'nsm-fingerprint-ok-p #[514 "\300�\301\"\211?\206��\302�>\206��\303�!�\235\207" [plist-get :fingerprints :none nsm-fingerprint] 5 (#$ . 26072)])
#@52
(fn PROCESS HOST PORT SETTINGS WARN-UNENCRYPTED)�
(defalias 'nsm-check-plain-connection #[1285 "\300�!\203Y�\301�\302\"\211\203/�\303�>\204/�\304��\305\306\307\310\311�\f�\f#&�\204/�\312��!\210\305\202X��\203W�\313\301�\314\">\204W�\304��\305\306\315\310\316�\f�\f#&�\204W�\312��!\210\305\202X��\207�\207" [nsm-should-check plist-get :fingerprints :none nsm-query nil conditions (:unencrypted) format-message "The connection to %s:%s used to be an encrypted connection, but is now unencrypted. This might mean that there's a man-in-the-middle tapping this connection." delete-process :unencrypted :conditions (:unencrypted) "The connection to %s:%s is unencrypted."] 16 (#$ . 26256)])
#@47
(fn HOST PORT STATUS WHAT PROBLEMS MESSAGE)�
(defalias 'nsm-query #[1542 "�\206�� ?\205_�\3021&�\3031 �\304\305\306���\"!@!00\202(�0\210\307\202(�\210\307\211\307=\203:�\310\311����#\210\312\202]�\310�\313=\203E�\314\202F�\315����#\210\316������������&�\210\317\262�\207" [noninteractive nsm-noninteractive (error) (quit) intern split-string nsm-query-user no message "Aborting connection to %s:%s" nil session "Accepting certificate for %s:%s this session only" "Permanently accepting certificate for %s:%s" nsm-save-host t] 14 (#$ . 26949)])
#@23
(fn MESSAGE STATUS)�
(defalias 'nsm-query-user #[514 "\301\302!\301\303!\304�\305\"\306\307\310\311 \312\313\314\315\316�!\317\"\320$\216\321��!\210\322 \210\323���\2030�\324��!c\210��c\210eb\210\325`\326 \"\210\327d!\330 V\203L�\331�\332\"\262�)\312\313\333\315\316����\"\334\"\320$\216�\310\211�:\203y��@\262�\335\304�\336\"!�B\262��A\262�\202_�\211\237\266\203\313\310\211\211��\204\243��\203\222�\337\340� \"\202\227�\337\341�\n\"\262��\203\242��\n\202\244���\262��@\211\342\267\202\237�\343\344�
!��\"\210\310\262�\202\237�\343\344��!�
\"\210r��q\210\345\346!\210���8c\210eb\210\345 \210)\323\262�\202\237�\347\344�!!r\312\313\314\315\316�!\350\"\320$\216\351�@\352\"\210r�q\210\3531��\354 0\202\f�\210\202
�\210+\210\202\237�\347\344�!!r\312\313\314\315\316�!\355\"\320$\216\351�@\352\"\210r�q\210\35618�\357 0\202<�\210\202=�\210+\210\202\237��\203k�r��q\210\345\346!\210\322 \210\360�T��G\"\262����8c\210eb\210\345 \210)\202\237�\323\262�\202\237�\323\262�\202\237�\323\262�\202\237�r��q\210\345\346!\210\322 \210\360�S��G\"\262����8c\210eb\210\345 \210)\210\202\201��A@\266\205*\262�\207" [inhibit-read-only get-buffer-create "*Network Security Manager*" "*Certificate Details*" plist-get :certificates ((97 "always" "Accept this certificate this session and for all future sessions.") (115 "session only" "Accept this certificate this session only.") (110 "no" "Refuse to use this certificate, and close the connection.") (100 "details" "See certificate details")) ((98 "backward page" "See previous page") (102 "forward page" "See next page") (110 "next" "Next certificate") (112 "previous" "Previous certificate") (113 "quit" "Quit details view")) nil current-window-configuration make-byte-code 0 "\301\300!\207" vconcat vector [set-window-configuration] 2 pop-to-buffer erase-buffer t nsm-format-certificate fill-region line-end-position line-number-at-pos window-height append ((98 "backward page" "See previous page") (102 "forward page" "See next page")) "\302\301!\210\302\300!\207" [kill-buffer] gnutls-format-certificate :pem read-multiple-choice "Viewing certificate:" "Continue connecting?" #s(hash-table size 8 test eql rehash-size 1.5 rehash-threshold 0.8125 purecopy t data (113 174 100 189 98 226 102 274 110 322 97 369 115 375 112 381)) set-window-buffer get-buffer-window read-only-mode -1 internal--before-with-selected-window [internal--after-with-selected-window] select-window norecord (error) scroll-down [internal--after-with-selected-window] (error) scroll-up mod] 22 (#$ . 27500)])
#@50
(fn HOST PORT STATUS WHAT PROBLEMS PERMANENCY)�
(defalias 'nsm-save-host #[1542 "\303����\"\304\305�!\306\"\307\310�\311� !\206��\312C\"\313\314#\315�\306�F��\316=\204,��\2038�\211\317\320\321�
�
#D\244\210��\322\267\202t�\323�\324��#\210\202t�\305�!\211\203S�\211\262�\304�\324\"\203l�\323�\324\307\304��\324\"��\244!#\210\202s�\323�\324� #\210\210�\325=\203\213�\326�!\210\327�!\210\211 B�\330 \202\224�\326�!\210\211\nB\211�\207" [nsm-save-host-names nsm-permanent-host-settings nsm-temporary-host-settings nsm-id plist-get nsm-host-settings :fingerprints cl-delete-duplicates append nsm-fingerprint :none :test string= :id conditions :host format "%s:%s" #s(hash-table size 2 test eq rehash-size 1.5 rehash-threshold 0.8125 purecopy t data (conditions 63 fingerprint 73)) plist-put :conditions always nsm-remove-temporary-setting nsm-remove-permanent-setting nsm-write-settings] 18 (#$ . 30025)])
(defalias 'nsm-write-settings #[0 "�\302\303!\304\305\306\307\310�!\311\"\312$\216r\211q\210\313c\210 \211\2030�\211@\314c\210\315�p\"\210\316c\210�A\266\202\202��\210\317c)r�q\210\320\321\211�\321\305%\210*\207" [nsm-settings-file nsm-permanent-host-settings generate-new-buffer " *temp file*" make-byte-code 0 "\301\300!\205 �\302\300!\207" vconcat vector [buffer-name kill-buffer] 2 "(\n" " " prin1 "\n" ")\n" write-region nil] 9])
(defalias 'nsm-read-settings #[0 "\302\303!r\211q\210\304\305\306\307\310�!\311\"\312$\216\313�!\210eb\210\3141%�\315p!0\202'�\210\316*\262�\211�\207" [nsm-settings-file nsm-permanent-host-settings generate-new-buffer " *temp*" make-byte-code 0 "\301\300!\205 �\302\300!\207" vconcat vector [buffer-name kill-buffer] 2 insert-file-contents (error) read nil] 7])
#@18
(fn HOST PORT)�
(defalias 'nsm-id #[514 "\300\301\302\303��#!P\207" ["sha1:" sha1 format "%s:%s"] 8 (#$ . 31730)])
#@11
(fn ID)�
(defalias 'nsm-host-settings #[257 "�\204
�\303 !\203
�\304 \210\305\306\n�\"\211\203/�\211@�\204(�\307�\310\"�\232\203(�\211\262��A\266\202\202��\210\211\207" [nsm-permanent-host-settings nsm-settings-file nsm-temporary-host-settings file-exists-p nsm-read-settings nil append plist-get :id] 7 (#$ . 31852)])
#@24
(fn STATUS SETTINGS)�
(defalias 'nsm-warnings-ok-p #[514 "\300\301�\302\"\301�\303\"\211\203��\211@\211�>\204��\304\262��A\266\202\202 �\210�\207" [t plist-get :conditions :warnings nil] 8 (#$ . 32178)])
#@11
(fn ID)�
(defalias 'nsm-remove-permanent-setting #[257 "\301\302\303\304\305\306��!\307\"\310\311%�\"\211�\207" [nsm-permanent-host-settings cl-delete-if make-byte-code 257 "\301�\302\"\300\232\207" vconcat vector [plist-get :id] 4 "\n\n(fn ELEM)"] 8 (#$ . 32389)])
#@11
(fn ID)�
(defalias 'nsm-remove-temporary-setting #[257 "\301\302\303\304\305\306��!\307\"\310\311%�\"\211�\207" [nsm-temporary-host-settings cl-delete-if make-byte-code 257 "\301�\302\"\300\232\207" vconcat vector [plist-get :id] 4 "\n\n(fn ELEM)"] 8 (#$ . 32662)])
#@15
(fn STATUS)�
(defalias 'nsm-format-certificate #[257 "\300�\301\"\211\205\343�\302\303!r\211q\210\304\305\306\307\310�!\311\"\312$\216\313\314\315\316#\317\320\321\300��\322\"\323\324#\317\325\321\300� \326\"\327\"\206A�\321\300� \326\"\330\324#\317\331\321\300�\f\326\"\323\324#\317\261�\210\300�\332\"\203l�\300�\333\"\203l�\334\300�\332\"\335\300�\333\"\317\261�\210\300�\336\"\203\243�\300�\337\"\203\243�\300�\340\"\203\243�\300�\341\"\203\243�\342\300�\341\"\343\300��\336\"\344\300��\337\"\345\300�\n\340\"\317\261 \210\300�\346\"\203\267�\347\313\300�\346\"\315\350#\317\261�\210\351\300�\352\"\353\300�\354\"\317\261�\210\317c\210eb\210\355\356\357\324#\203\336�\360\361iZ\362\"c\210\202\313�\363 *\262�\207" [plist-get :certificate generate-new-buffer " *temp*" make-byte-code 0 "\301\300!\205 �\302\300!\207" vconcat vector [buffer-name kill-buffer] 2 propertize "Certificate information" face underline "\n" " Issued by:" nsm-certificate-part :issuer "CN" t " Issued to:" :subject "O" "OU" " Hostname:" :public-key-algorithm :signature-algorithm " Public key:" ", signature: " :key-exchange :cipher :mac :protocol " Session:" ", key: " ", cipher: " ", mac: " :certificate-security-level " Security level:" bold " Valid:From " :valid-from " to " :valid-to re-search-forward "^[^:]+:" nil make-string 22 32 buffer-string] 16 (#$ . 32935)])
#@73 Return a numerical level for SYMBOL for easier comparison.
(fn SYMBOL)�
(defalias 'nsm-level #[257 "\211\300\267\202\n�\301\207\302\207\303\207" [#s(hash-table size 2 test eq rehash-size 1.5 rehash-threshold 0.8125 purecopy t data (low 6 medium 8)) 0 1 2] 3 (#$ . 34299)])
#@15
(fn STATUS)�
(defalias 'nsm-cipher-suite #[257 "\300\301\302�\303\"\302�\304\"\302�\305\"$\207" [format "%s-%s-%s" plist-get :key-exchange :cipher :mac] 8 (#$ . 34578)])
#@35
(fn STRING PART &optional FULL)�
(defalias 'nsm-certificate-part #[770 "\300�\301�!\"A@\211\203��\211\202���\203���\202��\302\207" [assoc nsm-parse-subject nil] 7 (#$ . 34755)])
#@15
(fn STRING)�
(defalias 'nsm-parse-subject #[257 "\300\301!r\211q\210\302\303\304\305\306�!\307\"\310$\216�c\210eb\210`\311m\204=�\312\313\314�\315\316\311\317#\2030�`S\2021�`{#�B\262�`\262�\202��\320\321�\237\"\266\202*\207" [generate-new-buffer " *temp*" make-byte-code 0 "\301\300!\205 �\302\300!\207" vconcat vector [buffer-name kill-buffer] 2 nil replace-regexp-in-string "[\\]\\(.\\)" "\\1" re-search-forward "[^\\]," move mapcar #[257 "\300\301�\"\211\203��\302�\303�#\302��T\"D\202���\207" [cl-position 61 substring 0] 6 "\n\n(fn ELEM)"]] 12 (#$ . 34940)])
(byte-code "\300\301\302\303#\210\304\301\302\305#\210\306\307!\207" [defalias nsm--encryption nsm-cipher-suite nil make-obsolete "27.1" provide nsm] 4)