forked-synapse/synapse/crypto/context_factory.py

# Copyright 2014-2016 OpenMarket Ltd
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import logging

from OpenSSL import SSL, crypto
from twisted.internet._idna import _idnaBytes
from twisted.internet.ssl import ContextFactory, CertificateOptions
from twisted.internet._sslverify import _defaultCurveName, _tolerateErrors
from twisted.internet.interfaces import IOpenSSLClientConnectionCreator
from zope.interface import implementer

logger = logging.getLogger(__name__)


class ServerContextFactory(ContextFactory):
    """Factory for PyOpenSSL SSL contexts that are used to handle incoming
    connections and to make connections to remote servers."""

    def __init__(self, config):
        self._context = SSL.Context(SSL.SSLv23_METHOD)
        self.configure_context(self._context, config)

    @staticmethod
    def configure_context(context, config):
        try:
            _ecCurve = crypto.get_elliptic_curve(_defaultCurveName)
            context.set_tmp_ecdh(_ecCurve)

        except Exception:
            logger.exception("Failed to enable elliptic curve for TLS")
        context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
        context.use_certificate_chain_file(config.tls_certificate_file)

        if not config.no_tls:
            context.use_privatekey(config.tls_private_key)

        context.load_tmp_dh(config.tls_dh_params_path)
        context.set_cipher_list("!ADH:HIGH+kEDH:!AECDH:HIGH+kEECDH")

    def getContext(self):
        return self._context


@implementer(IOpenSSLClientConnectionCreator)
class ClientTLSOptions(object):
    """
    Client creator for TLS without certificate identity verification. This is a
    copy of twisted.internet._sslverify.ClientTLSOptions with the identity
    verification left out. For documentation, see the twisted documentation.
    """

    def __init__(self, hostname, ctx):
        self._ctx = ctx
        self._hostname = hostname
        self._hostnameBytes = _idnaBytes(hostname)
        ctx.set_info_callback(
            _tolerateErrors(self._identityVerifyingInfoCallback)
        )

    def clientConnectionForTLS(self, tlsProtocol):
        context = self._ctx
        connection = SSL.Connection(context, None)
        connection.set_app_data(tlsProtocol)
        return connection

    def _identityVerifyingInfoCallback(self, connection, where, ret):
        if where & SSL.SSL_CB_HANDSHAKE_START:
            connection.set_tlsext_host_name(self._hostnameBytes)


class ClientTLSOptionsFactory(object):
    """Factory for Twisted ClientTLSOptions that are used to make connections
    to remote servers for federation."""

    def __init__(self, config):
        # We don't use config options yet
        pass

    def get_options(self, host):
        return ClientTLSOptions(
            unicode(host),
            CertificateOptions(verify=False).getContext()
        )
copyrights 2016-01-07 04:26:29 +00:00			`# Copyright 2014-2016 OpenMarket Ltd`
Add copyright notices and fix pyflakes errors 2014-09-03 08:43:11 +00:00			`#`
			`# Licensed under the Apache License, Version 2.0 (the "License");`
			`# you may not use this file except in compliance with the License.`
			`# You may obtain a copy of the License at`
			`#`
			`# http://www.apache.org/licenses/LICENSE-2.0`
			`#`
			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS,`
			`# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`# See the License for the specific language governing permissions and`
			`# limitations under the License.`
allow self-signed certificates 2018-06-26 18:41:05 +00:00			`import logging`
Add copyright notices and fix pyflakes errors 2014-09-03 08:43:11 +00:00
Fixes #3135 - Replace _OpenSSLECCurve with crypto.get_elliptic_curve (#3157) fixes #3135 Signed-off-by: Will Hunt will@half-shot.uk 2018-04-30 15:21:11 +00:00			`from OpenSSL import SSL, crypto`
take idna implementation from twisted 2018-06-26 19:15:14 +00:00			`from twisted.internet._idna import _idnaBytes`
allow self-signed certificates 2018-06-26 18:41:05 +00:00			`from twisted.internet.ssl import ContextFactory, CertificateOptions`
			`from twisted.internet._sslverify import _defaultCurveName, _tolerateErrors`
			`from twisted.internet.interfaces import IOpenSSLClientConnectionCreator`
			`from zope.interface import implementer`
Add log message if we can't enable ECC. Require pyopenssl>=0.14 since 0.13 doesn't seem to have ECC 2014-10-24 18:27:12 +00:00
			`logger = logging.getLogger(__name__)`
Add server TLS context factory 2014-09-01 16:55:35 +00:00
Fix pep8 warnings 2014-10-30 11:10:17 +00:00
allow self-signed certificates 2018-06-26 18:41:05 +00:00			`class ServerContextFactory(ContextFactory):`
Add server TLS context factory 2014-09-01 16:55:35 +00:00			`"""Factory for PyOpenSSL SSL contexts that are used to handle incoming`
			`connections and to make connections to remote servers."""`

			`def __init__(self, config):`
			`self._context = SSL.Context(SSL.SSLv23_METHOD)`
			`self.configure_context(self._context, config)`

			`@staticmethod`
			`def configure_context(context, config):`
enable ECDHE ciphers 2014-09-01 21:29:31 +00:00			`try:`
Fixes #3135 - Replace _OpenSSLECCurve with crypto.get_elliptic_curve (#3157) fixes #3135 Signed-off-by: Will Hunt will@half-shot.uk 2018-04-30 15:21:11 +00:00			`_ecCurve = crypto.get_elliptic_curve(_defaultCurveName)`
			`context.set_tmp_ecdh(_ecCurve)`

replace 'except:' with 'except Exception:' what could possibly go wrong 2017-10-23 14:52:32 +00:00			`except Exception:`
typo 2015-07-08 17:53:41 +00:00			`logger.exception("Failed to enable elliptic curve for TLS")`
Add server TLS context factory 2014-09-01 16:55:35 +00:00			`context.set_options(SSL.OP_NO_SSLv2 \| SSL.OP_NO_SSLv3)`
remove the tls_certificate_chain_path param and simply support tls_certificate_path pointing to a file containing a chain of certificates 2015-07-08 23:45:41 +00:00			`context.use_certificate_chain_file(config.tls_certificate_file)`
Don't look for an TLS private key if we have set --no-tls 2015-03-06 11:34:06 +00:00
			`if not config.no_tls:`
			`context.use_privatekey(config.tls_private_key)`

Add server TLS context factory 2014-09-01 16:55:35 +00:00			`context.load_tmp_dh(config.tls_dh_params_path)`
			`context.set_cipher_list("!ADH:HIGH+kEDH:!AECDH:HIGH+kEECDH")`

			`def getContext(self):`
			`return self._context`
send SNI for federation requests 2018-06-24 20:38:43 +00:00

allow self-signed certificates 2018-06-26 18:41:05 +00:00			`@implementer(IOpenSSLClientConnectionCreator)`
			`class ClientTLSOptions(object):`
			`"""`
			`Client creator for TLS without certificate identity verification. This is a`
			`copy of twisted.internet._sslverify.ClientTLSOptions with the identity`
			`verification left out. For documentation, see the twisted documentation.`
			`"""`
send SNI for federation requests 2018-06-24 20:38:43 +00:00
allow self-signed certificates 2018-06-26 18:41:05 +00:00			`def __init__(self, hostname, ctx):`
			`self._ctx = ctx`
			`self._hostname = hostname`
take idna implementation from twisted 2018-06-26 19:15:14 +00:00			`self._hostnameBytes = _idnaBytes(hostname)`
allow self-signed certificates 2018-06-26 18:41:05 +00:00			`ctx.set_info_callback(`
			`_tolerateErrors(self._identityVerifyingInfoCallback)`
			`)`
send SNI for federation requests 2018-06-24 20:38:43 +00:00
allow self-signed certificates 2018-06-26 18:41:05 +00:00			`def clientConnectionForTLS(self, tlsProtocol):`
			`context = self._ctx`
			`connection = SSL.Connection(context, None)`
			`connection.set_app_data(tlsProtocol)`
			`return connection`
send SNI for federation requests 2018-06-24 20:38:43 +00:00
allow self-signed certificates 2018-06-26 18:41:05 +00:00			`def _identityVerifyingInfoCallback(self, connection, where, ret):`
			`if where & SSL.SSL_CB_HANDSHAKE_START:`
			`connection.set_tlsext_host_name(self._hostnameBytes)`
send SNI for federation requests 2018-06-24 20:38:43 +00:00

			`class ClientTLSOptionsFactory(object):`
			`"""Factory for Twisted ClientTLSOptions that are used to make connections`
			`to remote servers for federation."""`

			`def __init__(self, config):`
allow self-signed certificates 2018-06-26 18:41:05 +00:00			`# We don't use config options yet`
			`pass`
send SNI for federation requests 2018-06-24 20:38:43 +00:00
			`def get_options(self, host):`
allow self-signed certificates 2018-06-26 18:41:05 +00:00			`return ClientTLSOptions(`
			`unicode(host),`
			`CertificateOptions(verify=False).getContext()`
			`)`