
Re: A couple of questions and concerns about Emacs network security

From: Jimmy Yuen Ho Wong
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Sun, 8 Jul 2018 00:03:03 +0100

> What C code do you need? You mentioned something earlier, but I didn't
> understand the use case. I can easily write and debug C code, if that would 
> help.

Whooo, thanks for lending a hand. ATM, in order to implement
`nsm-trust-local-network` properly for IPv6, I need some code to
resolve a hostname to an IP address, preferably in Emacs' internal
format as documented in make-network-process. There's an ancient
function called dnsResolve that delegates to
url-gateway-nslookup-host. It shells out to the system's nslookup for
an IPv4 address now, but I need something that'll give me back an
IPv6. I could modify url-gateway-nslookup-host, but the nastiest thing
is translating a short-form IPv6 address into a vector of numbers. I
don't really care if it's C code for this one.

The one thing that I need help with the most is implementing the
client-side of RFC 6962 (https://tools.ietf.org/html/rfc6962).

The general idea is you need to implement an X.509 certificate
extension and a TLS extension called Signed Certificate Timestamp
using GnuTLS's API. Once you can extract that from a handshake, just
put the SCT data into the list returned by gnutls_certificate_details
(I have renamed it to emacs_gnutls_certificate_details, but you might
want to change it back). Once you have the SCT on the LISP side, you
can write a check for `nsm-tls-checks` that opens up another
connection to the auditor to validate the SCT. In addition, you may
have to modify how GnuTLS deals with OCSP stapling as well because
that's the third way SCT can be delivered. You can take your time on
this one if you decide to help out, I understand this is a rather
large project on its own.
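For the hostname-to-vector step discussed in the first paragraph, here is an added example in C (not code from this thread or from Emacs) that uses getaddrinfo() to resolve a host, or parse an IPv6 literal, into the [A B C D E F G H P] vector layout that make-network-process documents for IPv6. The function name and the numeric_only flag are my own; the point is that the C library already handles the "::" short-form expansion, so no hand-written parser is needed.

```c
/* Added example: turn a host name or IPv6 literal (e.g. "2001:db8::1")
   into the make-network-process IPv6 layout: eight 16-bit words followed
   by the port, [A B C D E F G H P]. getaddrinfo() expands "::" and the
   "::ffff:a.b.c.d" mixed form, and rejects malformed input for us. */
#define _POSIX_C_SOURCE 200112L
#include <netdb.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Fill out[0..7] with the address words (host order) and out[8] with
   the port. numeric_only != 0 restricts the call to literals, so no DNS
   query is made. Returns 1 on success, 0 on any failure. (Hypothetical
   helper, not an Emacs function.) */
int ipv6_to_emacs_vector(const char *host, uint16_t port, int numeric_only,
                         uint16_t out[9])
{
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET6;      /* only accept IPv6 answers */
    hints.ai_socktype = SOCK_STREAM;
    if (numeric_only)
        hints.ai_flags = AI_NUMERICHOST;

    if (getaddrinfo(host, NULL, &hints, &res) != 0 || res == NULL)
        return 0;

    const struct sockaddr_in6 *sa = (const struct sockaddr_in6 *)res->ai_addr;
    const unsigned char *b = sa->sin6_addr.s6_addr; /* 16 bytes, network order */
    for (int i = 0; i < 8; i++)
        out[i] = (uint16_t)((b[2 * i] << 8) | b[2 * i + 1]);
    out[8] = port;
    freeaddrinfo(res);
    return 1;
}

int main(void)
{
    uint16_t v[9];
    if (ipv6_to_emacs_vector("2001:db8::1", 443, 1, v)) {
        printf("[");
        for (int i = 0; i < 9; i++)
            printf("%s%u", i ? " " : "", v[i]);
        printf("]\n"); /* prints [8193 3512 0 0 0 0 0 1 443] */
    }
    return 0;
}
```

Passing numeric_only as 0 lets the same function perform a real AAAA lookup for a host name, which is the resolution path the message asks about.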

