MatrixSynapse/synapse/crypto/context_factory.py

# Copyright 2014-2016 OpenMarket Ltd
# Copyright 2019 New Vector Ltd
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

import logging

from zope.interface import implementer

from OpenSSL import SSL, crypto
from twisted.internet._sslverify import _defaultCurveName
from twisted.internet.abstract import isIPAddress, isIPv6Address
from twisted.internet.interfaces import IOpenSSLClientConnectionCreator
from twisted.internet.ssl import CertificateOptions, ContextFactory
from twisted.python.failure import Failure

logger = logging.getLogger(__name__)


class ServerContextFactory(ContextFactory):
    """Factory for PyOpenSSL SSL contexts that are used to handle incoming
    connections."""

    def __init__(self, config):
        self._context = SSL.Context(SSL.SSLv23_METHOD)
        self.configure_context(self._context, config)

    @staticmethod
    def configure_context(context, config):
        try:
            _ecCurve = crypto.get_elliptic_curve(_defaultCurveName)
            context.set_tmp_ecdh(_ecCurve)

        except Exception:
            logger.exception("Failed to enable elliptic curve for TLS")
        context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
        context.use_certificate_chain_file(config.tls_certificate_file)
        context.use_privatekey(config.tls_private_key)

        # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        context.set_cipher_list(
            "ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1"
        )

    def getContext(self):
        return self._context


def _idnaBytes(text):
    """
    Convert some text typed by a human into some ASCII bytes. This is a
    copy of twisted.internet._idna._idnaBytes. For documentation, see the
    twisted documentation.
    """
    try:
        import idna
    except ImportError:
        return text.encode("idna")
    else:
        return idna.encode(text)


def _tolerateErrors(wrapped):
    """
    Wrap up an info_callback for pyOpenSSL so that if something goes wrong
    the error is immediately logged and the connection is dropped if possible.
    This is a copy of twisted.internet._sslverify._tolerateErrors. For
    documentation, see the twisted documentation.
    """

    def infoCallback(connection, where, ret):
        try:
            return wrapped(connection, where, ret)
        except:  # noqa: E722, taken from the twisted implementation
            f = Failure()
            logger.exception("Error during info_callback")
            connection.get_app_data().failVerification(f)

    return infoCallback


@implementer(IOpenSSLClientConnectionCreator)
class ClientTLSOptions(object):
    """
    Client creator for TLS without certificate identity verification. This is a
    copy of twisted.internet._sslverify.ClientTLSOptions with the identity
    verification left out. For documentation, see the twisted documentation.
    """

    def __init__(self, hostname, ctx):
        self._ctx = ctx

        if isIPAddress(hostname) or isIPv6Address(hostname):
            self._hostnameBytes = hostname.encode('ascii')
            self._sendSNI = False
        else:
            self._hostnameBytes = _idnaBytes(hostname)
            self._sendSNI = True

        ctx.set_info_callback(_tolerateErrors(self._identityVerifyingInfoCallback))

    def clientConnectionForTLS(self, tlsProtocol):
        context = self._ctx
        connection = SSL.Connection(context, None)
        connection.set_app_data(tlsProtocol)
        return connection

    def _identityVerifyingInfoCallback(self, connection, where, ret):
        # Literal IPv4 and IPv6 addresses are not permitted
        # as host names according to the RFCs
        if where & SSL.SSL_CB_HANDSHAKE_START and self._sendSNI:
            connection.set_tlsext_host_name(self._hostnameBytes)


class ClientTLSOptionsFactory(object):
    """Factory for Twisted ClientTLSOptions that are used to make connections
    to remote servers for federation."""

    def __init__(self, config):
        # We don't use config options yet
        self._options = CertificateOptions(verify=False)

    def get_options(self, host):
        # Use _makeContext so that we get a fresh OpenSSL CTX each time.
        return ClientTLSOptions(host, self._options._makeContext())
copyrights 2016-01-07 05:26:29 +01:00			`# Copyright 2014-2016 OpenMarket Ltd`
fix to use makeContext so that we don't need to rebuild the certificateoptions each time 2019-02-19 06:18:05 +01:00			`# Copyright 2019 New Vector Ltd`
Add copyright notices and fix pyflakes errors 2014-09-03 10:43:11 +02:00			`#`
			`# Licensed under the Apache License, Version 2.0 (the "License");`
			`# you may not use this file except in compliance with the License.`
			`# You may obtain a copy of the License at`
			`#`
			`# http://www.apache.org/licenses/LICENSE-2.0`
			`#`
			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS,`
			`# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`# See the License for the specific language governing permissions and`
			`# limitations under the License.`
fix to use makeContext so that we don't need to rebuild the certificateoptions each time 2019-02-19 06:18:05 +01:00
allow self-signed certificates 2018-06-26 20:41:05 +02:00			`import logging`
Add copyright notices and fix pyflakes errors 2014-09-03 10:43:11 +02:00
fix isort 2018-07-29 19:47:08 +02:00			`from zope.interface import implementer`

Fixes #3135 - Replace _OpenSSLECCurve with crypto.get_elliptic_curve (#3157) fixes #3135 Signed-off-by: Will Hunt will@half-shot.uk 2018-04-30 17:21:11 +02:00			`from OpenSSL import SSL, crypto`
include private functions from twisted 2018-08-09 21:04:22 +02:00			`from twisted.internet._sslverify import _defaultCurveName`
Don't send IP addresses as SNI (#4452) The problem here is that we have cut-and-pasted an impl from Twisted, and then failed to maintain it. It was fixed in Twisted in https://github.com/twisted/twisted/pull/1047/files; let's do the same here. 2019-01-24 10:34:44 +01:00			`from twisted.internet.abstract import isIPAddress, isIPv6Address`
allow self-signed certificates 2018-06-26 20:41:05 +02:00			`from twisted.internet.interfaces import IOpenSSLClientConnectionCreator`
fix isort 2018-07-29 19:47:08 +02:00			`from twisted.internet.ssl import CertificateOptions, ContextFactory`
include private functions from twisted 2018-08-09 21:04:22 +02:00			`from twisted.python.failure import Failure`
Add log message if we can't enable ECC. Require pyopenssl>=0.14 since 0.13 doesn't seem to have ECC 2014-10-24 20:27:12 +02:00
			`logger = logging.getLogger(__name__)`
Add server TLS context factory 2014-09-01 18:55:35 +02:00
Fix pep8 warnings 2014-10-30 12:10:17 +01:00
allow self-signed certificates 2018-06-26 20:41:05 +02:00			`class ServerContextFactory(ContextFactory):`
Add server TLS context factory 2014-09-01 18:55:35 +02:00			`"""Factory for PyOpenSSL SSL contexts that are used to handle incoming`
updated docstring for ServerContextFactory 2018-08-08 19:25:01 +02:00			`connections."""`
Add server TLS context factory 2014-09-01 18:55:35 +02:00
			`def __init__(self, config):`
			`self._context = SSL.Context(SSL.SSLv23_METHOD)`
			`self.configure_context(self._context, config)`

			`@staticmethod`
			`def configure_context(context, config):`
enable ECDHE ciphers 2014-09-01 23:29:31 +02:00			`try:`
Fixes #3135 - Replace _OpenSSLECCurve with crypto.get_elliptic_curve (#3157) fixes #3135 Signed-off-by: Will Hunt will@half-shot.uk 2018-04-30 17:21:11 +02:00			`_ecCurve = crypto.get_elliptic_curve(_defaultCurveName)`
			`context.set_tmp_ecdh(_ecCurve)`

replace 'except:' with 'except Exception:' what could possibly go wrong 2017-10-23 16:52:32 +02:00			`except Exception:`
typo 2015-07-08 19:53:41 +02:00			`logger.exception("Failed to enable elliptic curve for TLS")`
Add server TLS context factory 2014-09-01 18:55:35 +02:00			`context.set_options(SSL.OP_NO_SSLv2 \| SSL.OP_NO_SSLv3)`
remove the tls_certificate_chain_path param and simply support tls_certificate_path pointing to a file containing a chain of certificates 2015-07-09 01:45:41 +02:00			`context.use_certificate_chain_file(config.tls_certificate_file)`
Don't create server contexts when TLS is disabled we aren't going to use them anyway. 2019-02-11 22:30:59 +01:00			`context.use_privatekey(config.tls_private_key)`
Don't look for an TLS private key if we have set --no-tls 2015-03-06 12:34:06 +01:00
Require ECDH key exchange & remove dh_params (#4429) * remove dh_params and set better cipher string 2019-01-22 11:58:50 +01:00			`# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/`
			`context.set_cipher_list(`
			`"ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1"`
			`)`
Add server TLS context factory 2014-09-01 18:55:35 +02:00
			`def getContext(self):`
			`return self._context`
send SNI for federation requests 2018-06-24 22:38:43 +02:00

include private functions from twisted 2018-08-09 21:04:22 +02:00			`def _idnaBytes(text):`
			`"""`
			`Convert some text typed by a human into some ASCII bytes. This is a`
			`copy of twisted.internet._idna._idnaBytes. For documentation, see the`
			`twisted documentation.`
			`"""`
			`try:`
			`import idna`
			`except ImportError:`
			`return text.encode("idna")`
			`else:`
			`return idna.encode(text)`


			`def _tolerateErrors(wrapped):`
			`"""`
			`Wrap up an info_callback for pyOpenSSL so that if something goes wrong`
			`the error is immediately logged and the connection is dropped if possible.`
			`This is a copy of twisted.internet._sslverify._tolerateErrors. For`
			`documentation, see the twisted documentation.`
			`"""`

			`def infoCallback(connection, where, ret):`
			`try:`
			`return wrapped(connection, where, ret)`
			`except: # noqa: E722, taken from the twisted implementation`
			`f = Failure()`
			`logger.exception("Error during info_callback")`
			`connection.get_app_data().failVerification(f)`

			`return infoCallback`


allow self-signed certificates 2018-06-26 20:41:05 +02:00			`@implementer(IOpenSSLClientConnectionCreator)`
			`class ClientTLSOptions(object):`
			`"""`
			`Client creator for TLS without certificate identity verification. This is a`
			`copy of twisted.internet._sslverify.ClientTLSOptions with the identity`
			`verification left out. For documentation, see the twisted documentation.`
			`"""`
send SNI for federation requests 2018-06-24 22:38:43 +02:00
allow self-signed certificates 2018-06-26 20:41:05 +02:00			`def __init__(self, hostname, ctx):`
			`self._ctx = ctx`
Don't send IP addresses as SNI (#4452) The problem here is that we have cut-and-pasted an impl from Twisted, and then failed to maintain it. It was fixed in Twisted in https://github.com/twisted/twisted/pull/1047/files; let's do the same here. 2019-01-24 10:34:44 +01:00
			`if isIPAddress(hostname) or isIPv6Address(hostname):`
			`self._hostnameBytes = hostname.encode('ascii')`
			`self._sendSNI = False`
			`else:`
			`self._hostnameBytes = _idnaBytes(hostname)`
			`self._sendSNI = True`

fix to use makeContext so that we don't need to rebuild the certificateoptions each time 2019-02-19 06:18:05 +01:00			`ctx.set_info_callback(_tolerateErrors(self._identityVerifyingInfoCallback))`
send SNI for federation requests 2018-06-24 22:38:43 +02:00
allow self-signed certificates 2018-06-26 20:41:05 +02:00			`def clientConnectionForTLS(self, tlsProtocol):`
			`context = self._ctx`
			`connection = SSL.Connection(context, None)`
			`connection.set_app_data(tlsProtocol)`
			`return connection`
send SNI for federation requests 2018-06-24 22:38:43 +02:00
allow self-signed certificates 2018-06-26 20:41:05 +02:00			`def _identityVerifyingInfoCallback(self, connection, where, ret):`
Don't send IP addresses as SNI (#4452) The problem here is that we have cut-and-pasted an impl from Twisted, and then failed to maintain it. It was fixed in Twisted in https://github.com/twisted/twisted/pull/1047/files; let's do the same here. 2019-01-24 10:34:44 +01:00			`# Literal IPv4 and IPv6 addresses are not permitted`
			`# as host names according to the RFCs`
			`if where & SSL.SSL_CB_HANDSHAKE_START and self._sendSNI:`
allow self-signed certificates 2018-06-26 20:41:05 +02:00			`connection.set_tlsext_host_name(self._hostnameBytes)`
send SNI for federation requests 2018-06-24 22:38:43 +02:00

			`class ClientTLSOptionsFactory(object):`
			`"""Factory for Twisted ClientTLSOptions that are used to make connections`
			`to remote servers for federation."""`

			`def __init__(self, config):`
allow self-signed certificates 2018-06-26 20:41:05 +02:00			`# We don't use config options yet`
fix to use makeContext so that we don't need to rebuild the certificateoptions each time 2019-02-19 06:18:05 +01:00			`self._options = CertificateOptions(verify=False)`
send SNI for federation requests 2018-06-24 22:38:43 +02:00
			`def get_options(self, host):`
fix to use makeContext so that we don't need to rebuild the certificateoptions each time 2019-02-19 06:18:05 +01:00			`# Use _makeContext so that we get a fresh OpenSSL CTX each time.`
			`return ClientTLSOptions(host, self._options._makeContext())`