From bda62c787f76f97ab8db913613223362656181fd Mon Sep 17 00:00:00 2001 From: Stefan Monnier Date: Fri, 27 Sep 2019 08:01:04 -0400 Subject: [PATCH] * lisp/net/nsm.el: Use lexical-binding (nsm-check-tls-connection, nsm-query): Don't pass explicitly `obarray` since it's the default anyway. (nsm-query, nsm-query-user, nsm-save-host): Remove redundant advertised-calling-convention. --- lisp/net/nsm.el | 56 +++++++++++++++++++------------------------------ 1 file changed, 22 insertions(+), 34 deletions(-) diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el index b8c84d5fdea..4ca770fd7e1 100644 --- a/lisp/net/nsm.el +++ b/lisp/net/nsm.el @@ -1,4 +1,4 @@ -;;; nsm.el --- Network Security Manager +;;; nsm.el --- Network Security Manager -*- lexical-binding:t -*- ;; Copyright (C) 2014-2019 Free Software Foundation, Inc. @@ -269,7 +269,7 @@ See also: `network-security-protocol-checks' and `nsm-noninteractive'" (let* ((results (cl-loop for check in network-security-protocol-checks - for type = (intern (format ":%s" (car check)) obarray) + for type = (intern (format ":%s" (car check))) ;; Skip the check if the user has already said that this ;; host is OK for this type of "error". for result = (and (not (memq type @@ -278,8 +278,7 @@ See also: `network-security-protocol-checks' and `nsm-noninteractive'" (nsm-level (cadr check))) (funcall (intern (format "nsm-protocol-check--%s" - (car check)) - obarray) + (car check))) host port status settings)) when result collect (cons type result))) @@ -321,7 +320,7 @@ See also: `network-security-protocol-checks' and `nsm-noninteractive'" (declare-function gnutls-peer-status-warning-describe "gnutls.c" (status-symbol)) -(defun nsm-protocol-check--verify-cert (host port status settings) +(defun nsm-protocol-check--verify-cert (_host _port status settings) "Check for warnings from the certificate verification status. This is the most basic security check for a TLS connection. If 
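Review bot: The `-*- lexical-binding:t -*-` cookie changes the binding discipline for every `let` in nsm.el, not only for the functions touched in this patch; any local that a callee reads as a dynamic variable (through a hook, `symbol-value`, or a name that was never `defvar`ed) becomes invisible to that callee once the file is lexical. The first hunk shows only the cookie, so this cannot be confirmed from the diff; byte-compiling with the cookie in place and checking for free-variable or unused-lexical-variable warnings beyond the `_host`/`_port` renames would settle it. Because the `nsm-protocol-check--*` functions gate TLS connections, a variable that silently went unbound would presumably surface as a signalled error rather than a weakened check, but it is still worth confirming before relying on it.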
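Review bot: `(funcall (intern (format "nsm-protocol-check--%s" (car check))) host port status settings)` calls a function whose name is assembled from an entry of `network-security-protocol-checks`, so a misspelled entry in that customizable list would, as far as this hunk shows, signal `void-function` from inside the `cl-loop` without saying which check is misconfigured; dropping the explicit `obarray` leaves that unchanged. A guard such as `(let ((fn (intern (format "nsm-protocol-check--%s" (car check))))) (unless (fboundp fn) (error "nsm: unknown protocol check %s" (car check))) (funcall fn host port status settings))` would name the bad entry while keeping the fail-loud behaviour, which is the right default for a function that decides whether a TLS connection is accepted. The enclosing `nsm-check-tls-connection` starts before this hunk.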
@@ -332,7 +331,7 @@ This is the most basic security check for a TLS connection. If (not (nsm-warnings-ok-p status settings)) (mapconcat #'gnutls-peer-status-warning-describe warnings "\n")))) -(defun nsm-protocol-check--same-cert (host port status settings) +(defun nsm-protocol-check--same-cert (_host _port status settings) "Check for certificate fingerprint mismatch. If the fingerprints saved do not match the fingerprint of the @@ -344,7 +343,7 @@ man-in-the-middle attack." ;; Key exchange checks -(defun nsm-protocol-check--rsa-kx (host port status &optional settings) +(defun nsm-protocol-check--rsa-kx (_host _port status &optional _settings) "Check for static RSA key exchange. Static RSA key exchange methods do not offer perfect forward @@ -374,7 +373,7 @@ Security (DTLS)\", \"(4.1. General Guidelines)\" "RSA key exchange method (%s) does not offer perfect forward secrecy" kx)))) -(defun nsm-protocol-check--dhe-prime-kx (host port status &optional settings) +(defun nsm-protocol-check--dhe-prime-kx (_host _port status &optional _settings) "Check for the key strength of DH key exchange based on integer factorization. This check is a response to Logjam[1]. Logjam is an attack that @@ -405,7 +404,7 @@ Diffie-Hellman Fails in Practice\", `https://weakdh.org/' "Diffie-Hellman key strength (%s bits) too weak (%s bits)" prime-bits 1024)))) -(defun nsm-protocol-check--dhe-kx (host port status &optional settings) +(defun nsm-protocol-check--dhe-kx (_host _port status &optional _settings) "Check for existence of DH key exchange based on integer factorization. In the years since the discovery of Logjam, it was discovered 
@@ -429,7 +428,7 @@ Diffie-Hellman Backdoors in TLS.\", "unable to verify Diffie-Hellman key exchange method (%s) parameters" kx)))) -(defun nsm-protocol-check--export-kx (host port status &optional settings) +(defun nsm-protocol-check--export-kx (_host _port status &optional _settings) "Check for RSA-EXPORT key exchange. EXPORT cipher suites are a family of 40-bit and 56-bit effective @@ -454,7 +453,7 @@ of user-visible changes.\" Version 3.4.0, "EXPORT level key exchange (%s) is insecure" kx))))) -(defun nsm-protocol-check--anon-kx (host port status &optional settings) +(defun nsm-protocol-check--anon-kx (_host _port status &optional _settings) "Check for anonymous key exchange. Anonymous key exchange exposes the connection to @@ -473,7 +472,7 @@ authentication\", ;; Cipher checks -(defun nsm-protocol-check--cbc-cipher (host port status &optional settings) +(defun nsm-protocol-check--cbc-cipher (_host _port status &optional _settings) "Check for CBC mode ciphers. CBC mode cipher in TLS versions earlier than 1.3 are problematic @@ -502,7 +501,7 @@ Security (TLS) and Datagram Transport Layer Security (DTLS)\", "CBC mode cipher (%s) can be insecure" cipher))))) -(defun nsm-protocol-check--ecdsa-cbc-cipher (host port status &optional settings) +(defun nsm-protocol-check--ecdsa-cbc-cipher (_host _port status &optional _settings) "Check for CBC mode cipher usage under ECDSA key exchange. CBC mode cipher in TLS versions earlier than 1.3 are problematic @@ -540,7 +539,7 @@ Security (TLS) and Datagram Transport Layer Security (DTLS)\", "CBC mode cipher (%s) can be insecure" cipher))))) -(defun nsm-protocol-check--3des-cipher (host port status &optional settings) +(defun nsm-protocol-check--3des-cipher (_host _port status &optional _settings) "Check for 3DES ciphers. Due to its use of 64-bit block size, it is known that a 
@@ -561,7 +560,7 @@ Current Use and Deprecation of TDEA\", "3DES cipher (%s) is weak" cipher)))) -(defun nsm-protocol-check--rc4-cipher (host port status &optional settings) +(defun nsm-protocol-check--rc4-cipher (_host _port status &optional _settings) "Check for RC4 ciphers. RC4 cipher has been prohibited by RFC 7465[1]. @@ -585,7 +584,7 @@ Reference: ;; Signature checks -(defun nsm-protocol-check--sha1-sig (host port status &optional settings) +(defun nsm-protocol-check--sha1-sig (_host _port status &optional _settings) "Check for SHA1 signatures on certificates. The first SHA1 collision was found in 2017[1], as a precaution @@ -620,7 +619,7 @@ SHA-1 for SSL/TLS Certificates in Microsoft Edge and Internet Explorer algo) end)) -(defun nsm-protocol-check--md5-sig (host port status &optional settings) +(defun nsm-protocol-check--md5-sig (_host _port status &optional _settings) "Check for MD5 signatures on certificates. In 2008, a group of researchers were able to forge an @@ -653,8 +652,8 @@ the MD5 Message-Digest and the HMAC-MD5 Algorithms\", ;; Extension checks -(defun nsm-protocol-check--renegotiation-info-ext (host port status - &optional settings) +(defun nsm-protocol-check--renegotiation-info-ext (_host _port status + &optional _settings) "Check for renegotiation_info TLS extension status. If this TLS extension is not used, the connection established is @@ -676,7 +675,7 @@ Layer Security (TLS) Renegotiation Indication Extension\", ;; Compression checks -(defun nsm-protocol-check--compression (host port status &optional settings) +(defun nsm-protocol-check--compression (_host _port status &optional _settings) "Check for TLS compression. TLS compression attacks such as CRIME would allow an attacker to 
@@ -697,7 +696,7 @@ Security (DTLS)\", `https://tools.ietf.org/html/rfc7525'" ;; Protocol version checks -(defun nsm-protocol-check--version (host port status &optional settings) +(defun nsm-protocol-check--version (_host _port status &optional _settings) "Check for SSL/TLS protocol version. This function guards against the usage of SSL3.0, which has been @@ -722,7 +721,7 @@ Early TLS\" ;; Full suite checks -(defun nsm-protocol-check--null-suite (host port status &optional settings) +(defun nsm-protocol-check--null-suite (_host _port status &optional _settings) "Check for NULL cipher suites. This function checks for NULL key exchange, cipher and message @@ -790,8 +789,7 @@ protocol." (let ((response (condition-case nil (intern - (car (split-string (nsm-query-user message status))) - obarray) + (car (split-string (nsm-query-user message status)))) ;; Make sure we manage to close the process if the user hits ;; `C-g'. (quit 'no) @@ -807,9 +805,6 @@ protocol." (nsm-save-host host port status what problems response) t)))) -(set-advertised-calling-convention - 'nsm-query '(host port status what problems message) "27.1") - (declare-function gnutls-format-certificate "gnutls.c" (cert)) (defun nsm-query-user (message status) @@ -923,8 +918,6 @@ protocol." (kill-buffer cert-buffer) (kill-buffer buffer))))) -(set-advertised-calling-convention 'nsm-query-user '(message status) "27.1") - (defun nsm-save-host (host port status what problems permanency) (let* ((id (nsm-id host port)) (saved-fingerprints (plist-get (nsm-host-settings id) :fingerprints)) @@ -964,11 +957,6 @@ protocol." (nsm-remove-temporary-setting id) (push saved nsm-temporary-host-settings)))) -(set-advertised-calling-convention - 'nsm-save-host - '(host port status what problems permanency) - "27.1") - (defun nsm-write-settings () (with-temp-file nsm-settings-file (insert "(\n") -- 2.39.2
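Review bot: `(intern (car (split-string (nsm-query-user message status))))` signals `wrong-type-argument` if `nsm-query-user` ever returns an empty or whitespace-only string, because `(car (split-string ""))` is nil and `intern` rejects nil; the surrounding `condition-case` handles only `quit`, so that error would propagate out of `nsm-query` instead of being mapped to `no` the way a `C-g` is. Whether `nsm-query-user` can return such a string is not visible in this hunk; if it can, `(intern (or (car (split-string (nsm-query-user message status))) "no"))` preserves the fail-closed default for the TLS prompt. The definition of `nsm-query` begins before this hunk.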