forked-synapse/synapse/crypto/context_factory.py

# Copyright 2014-2016 OpenMarket Ltd
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

from twisted.internet import ssl
from OpenSSL import SSL, crypto
from twisted.internet._sslverify import _defaultCurveName, ClientTLSOptions, \
    OpenSSLCertificateOptions, optionsForClientTLS

import logging

logger = logging.getLogger(__name__)


class ServerContextFactory(ssl.ContextFactory):
    """Factory for PyOpenSSL SSL contexts that are used to handle incoming
    connections and to make connections to remote servers."""

    def __init__(self, config):
        self._context = SSL.Context(SSL.SSLv23_METHOD)
        self.configure_context(self._context, config)

    @staticmethod
    def configure_context(context, config):
        try:
            _ecCurve = crypto.get_elliptic_curve(_defaultCurveName)
            context.set_tmp_ecdh(_ecCurve)

        except Exception:
            logger.exception("Failed to enable elliptic curve for TLS")
        context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
        context.use_certificate_chain_file(config.tls_certificate_file)

        if not config.no_tls:
            context.use_privatekey(config.tls_private_key)

        context.load_tmp_dh(config.tls_dh_params_path)
        context.set_cipher_list("!ADH:HIGH+kEDH:!AECDH:HIGH+kEECDH")

    def getContext(self):
        return self._context


class ClientTLSOptionsNoCertVerification(ClientTLSOptions):
    """Redefinition of ClientTLSOptions to completely ignore certificate
    validation. Should be kept in sync with the original class in Twisted.
    This version of ClientTLSOptions is only intended for development use."""

    def __init__(self, *args, **kwargs):
        super(ClientTLSOptionsNoCertVerification, self).__init__(*args, **kwargs)

        def do_nothing(*_args, **_kwargs):
            pass

        self._ctx.set_info_callback(do_nothing)


class ClientTLSOptionsFactory(object):
    """Factory for Twisted ClientTLSOptions that are used to make connections
    to remote servers for federation."""

    def __init__(self, config):
        self._ignore_certificate_validation = config.tls_ignore_certificate_validation

    def get_options(self, host):
        if self._ignore_certificate_validation:
            return ClientTLSOptionsNoCertVerification(
                unicode(host),
                OpenSSLCertificateOptions(verify=False).getContext()
            )
        else:
            return optionsForClientTLS(unicode(host))
copyrights 2016-01-07 04:26:29 +00:00			`# Copyright 2014-2016 OpenMarket Ltd`
Add copyright notices and fix pyflakes errors 2014-09-03 08:43:11 +00:00			`#`
			`# Licensed under the Apache License, Version 2.0 (the "License");`
			`# you may not use this file except in compliance with the License.`
			`# You may obtain a copy of the License at`
			`#`
			`# http://www.apache.org/licenses/LICENSE-2.0`
			`#`
			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS,`
			`# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`# See the License for the specific language governing permissions and`
			`# limitations under the License.`

			`from twisted.internet import ssl`
Fixes #3135 - Replace _OpenSSLECCurve with crypto.get_elliptic_curve (#3157) fixes #3135 Signed-off-by: Will Hunt will@half-shot.uk 2018-04-30 15:21:11 +00:00			`from OpenSSL import SSL, crypto`
formatting changes for pep8 2018-06-25 10:31:16 +00:00			`from twisted.internet._sslverify import _defaultCurveName, ClientTLSOptions, \`
			`OpenSSLCertificateOptions, optionsForClientTLS`
Add server TLS context factory 2014-09-01 16:55:35 +00:00
Add log message if we can't enable ECC. Require pyopenssl>=0.14 since 0.13 doesn't seem to have ECC 2014-10-24 18:27:12 +00:00			`import logging`

			`logger = logging.getLogger(__name__)`
Add server TLS context factory 2014-09-01 16:55:35 +00:00
Fix pep8 warnings 2014-10-30 11:10:17 +00:00
Add server TLS context factory 2014-09-01 16:55:35 +00:00			`class ServerContextFactory(ssl.ContextFactory):`
			`"""Factory for PyOpenSSL SSL contexts that are used to handle incoming`
			`connections and to make connections to remote servers."""`

			`def __init__(self, config):`
			`self._context = SSL.Context(SSL.SSLv23_METHOD)`
			`self.configure_context(self._context, config)`

			`@staticmethod`
			`def configure_context(context, config):`
enable ECDHE ciphers 2014-09-01 21:29:31 +00:00			`try:`
Fixes #3135 - Replace _OpenSSLECCurve with crypto.get_elliptic_curve (#3157) fixes #3135 Signed-off-by: Will Hunt will@half-shot.uk 2018-04-30 15:21:11 +00:00			`_ecCurve = crypto.get_elliptic_curve(_defaultCurveName)`
			`context.set_tmp_ecdh(_ecCurve)`

replace 'except:' with 'except Exception:' what could possibly go wrong 2017-10-23 14:52:32 +00:00			`except Exception:`
typo 2015-07-08 17:53:41 +00:00			`logger.exception("Failed to enable elliptic curve for TLS")`
Add server TLS context factory 2014-09-01 16:55:35 +00:00			`context.set_options(SSL.OP_NO_SSLv2 \| SSL.OP_NO_SSLv3)`
remove the tls_certificate_chain_path param and simply support tls_certificate_path pointing to a file containing a chain of certificates 2015-07-08 23:45:41 +00:00			`context.use_certificate_chain_file(config.tls_certificate_file)`
Don't look for an TLS private key if we have set --no-tls 2015-03-06 11:34:06 +00:00
			`if not config.no_tls:`
			`context.use_privatekey(config.tls_private_key)`

Add server TLS context factory 2014-09-01 16:55:35 +00:00			`context.load_tmp_dh(config.tls_dh_params_path)`
			`context.set_cipher_list("!ADH:HIGH+kEDH:!AECDH:HIGH+kEECDH")`

			`def getContext(self):`
			`return self._context`
send SNI for federation requests 2018-06-24 20:38:43 +00:00

			`class ClientTLSOptionsNoCertVerification(ClientTLSOptions):`
			`"""Redefinition of ClientTLSOptions to completely ignore certificate`
			`validation. Should be kept in sync with the original class in Twisted.`
			`This version of ClientTLSOptions is only intended for development use."""`

			`def __init__(self, args, *kwargs):`
			`super(ClientTLSOptionsNoCertVerification, self).__init__(args, *kwargs)`

			`def do_nothing(_args, *_kwargs):`
			`pass`

			`self._ctx.set_info_callback(do_nothing)`


			`class ClientTLSOptionsFactory(object):`
			`"""Factory for Twisted ClientTLSOptions that are used to make connections`
			`to remote servers for federation."""`

			`def __init__(self, config):`
			`self._ignore_certificate_validation = config.tls_ignore_certificate_validation`

			`def get_options(self, host):`
			`if self._ignore_certificate_validation:`
			`return ClientTLSOptionsNoCertVerification(`
			`unicode(host),`
			`OpenSSLCertificateOptions(verify=False).getContext()`
			`)`
			`else:`
			`return optionsForClientTLS(unicode(host))`