2016-01-07 05:26:29 +01:00
|
|
|
# Copyright 2014-2016 OpenMarket Ltd
|
2019-02-19 06:18:05 +01:00
|
|
|
# Copyright 2019 New Vector Ltd
|
2014-09-03 10:43:11 +02:00
|
|
|
#
|
|
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
# you may not use this file except in compliance with the License.
|
|
|
|
# You may obtain a copy of the License at
|
|
|
|
#
|
|
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
#
|
|
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
# See the License for the specific language governing permissions and
|
|
|
|
# limitations under the License.
|
2019-02-19 06:18:05 +01:00
|
|
|
|
2018-06-26 20:41:05 +02:00
|
|
|
import logging
|
2014-09-03 10:43:11 +02:00
|
|
|
|
2019-06-10 16:55:12 +02:00
|
|
|
import idna
|
2019-06-09 15:01:32 +02:00
|
|
|
from service_identity import VerificationError
|
2019-06-10 16:58:35 +02:00
|
|
|
from service_identity.pyopenssl import verify_hostname, verify_ip_address
|
2018-07-29 19:47:08 +02:00
|
|
|
from zope.interface import implementer
|
|
|
|
|
2018-04-30 17:21:11 +02:00
|
|
|
from OpenSSL import SSL, crypto
|
2019-06-09 15:01:32 +02:00
|
|
|
from twisted.internet._sslverify import _defaultCurveName
|
2019-01-24 10:34:44 +01:00
|
|
|
from twisted.internet.abstract import isIPAddress, isIPv6Address
|
2018-06-26 20:41:05 +02:00
|
|
|
from twisted.internet.interfaces import IOpenSSLClientConnectionCreator
|
2019-04-25 15:22:49 +02:00
|
|
|
from twisted.internet.ssl import CertificateOptions, ContextFactory, platformTrust
|
2018-08-09 21:04:22 +02:00
|
|
|
from twisted.python.failure import Failure
|
2014-10-24 20:27:12 +02:00
|
|
|
|
|
|
|
logger = logging.getLogger(__name__)
|
2014-09-01 18:55:35 +02:00
|
|
|
|
2014-10-30 12:10:17 +01:00
|
|
|
|
2018-06-26 20:41:05 +02:00
|
|
|
class ServerContextFactory(ContextFactory):
|
2014-09-01 18:55:35 +02:00
|
|
|
"""Factory for PyOpenSSL SSL contexts that are used to handle incoming
|
2018-08-08 19:25:01 +02:00
|
|
|
connections."""
|
2014-09-01 18:55:35 +02:00
|
|
|
|
|
|
|
def __init__(self, config):
|
|
|
|
self._context = SSL.Context(SSL.SSLv23_METHOD)
|
|
|
|
self.configure_context(self._context, config)
|
|
|
|
|
|
|
|
@staticmethod
|
|
|
|
def configure_context(context, config):
|
2014-09-01 23:29:31 +02:00
|
|
|
try:
|
2018-04-30 17:21:11 +02:00
|
|
|
_ecCurve = crypto.get_elliptic_curve(_defaultCurveName)
|
|
|
|
context.set_tmp_ecdh(_ecCurve)
|
|
|
|
|
2017-10-23 16:52:32 +02:00
|
|
|
except Exception:
|
2015-07-08 19:53:41 +02:00
|
|
|
logger.exception("Failed to enable elliptic curve for TLS")
|
2014-09-01 18:55:35 +02:00
|
|
|
context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
|
2015-07-09 01:45:41 +02:00
|
|
|
context.use_certificate_chain_file(config.tls_certificate_file)
|
2019-02-11 22:30:59 +01:00
|
|
|
context.use_privatekey(config.tls_private_key)
|
2015-03-06 12:34:06 +01:00
|
|
|
|
2019-01-22 11:58:50 +01:00
|
|
|
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
|
|
|
|
context.set_cipher_list(
|
|
|
|
"ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1"
|
|
|
|
)
|
2014-09-01 18:55:35 +02:00
|
|
|
|
|
|
|
def getContext(self):
|
|
|
|
return self._context
|
2018-06-24 22:38:43 +02:00
|
|
|
|
|
|
|
|
2019-06-09 15:01:32 +02:00
|
|
|
class ClientTLSOptionsFactory(object):
|
|
|
|
"""Factory for Twisted SSLClientConnectionCreators that are used to make connections
|
|
|
|
to remote servers for federation.
|
2018-08-09 21:04:22 +02:00
|
|
|
|
2019-06-09 15:01:32 +02:00
|
|
|
Uses one of two OpenSSL context objects for all connections, depending on whether
|
|
|
|
we should do SSL certificate verification.
|
2018-08-09 21:04:22 +02:00
|
|
|
|
2019-06-09 15:01:32 +02:00
|
|
|
get_options decides whether we should do SSL certificate verification and
|
|
|
|
constructs an SSLClientConnectionCreator factory accordingly.
|
2018-06-26 20:41:05 +02:00
|
|
|
"""
|
2018-06-24 22:38:43 +02:00
|
|
|
|
|
|
|
def __init__(self, config):
|
2019-04-25 15:22:49 +02:00
|
|
|
self._config = config
|
|
|
|
|
|
|
|
# Check if we're using a custom list of a CA certificates
|
|
|
|
trust_root = config.federation_ca_trust_root
|
|
|
|
if trust_root is None:
|
|
|
|
# Use CA root certs provided by OpenSSL
|
|
|
|
trust_root = platformTrust()
|
|
|
|
|
2019-06-09 15:01:32 +02:00
|
|
|
self._verify_ssl_context = CertificateOptions(trustRoot=trust_root).getContext()
|
|
|
|
self._verify_ssl_context.set_info_callback(self._context_info_cb)
|
2018-06-24 22:38:43 +02:00
|
|
|
|
2019-06-09 15:01:32 +02:00
|
|
|
self._no_verify_ssl_context = CertificateOptions().getContext()
|
|
|
|
self._no_verify_ssl_context.set_info_callback(self._context_info_cb)
|
2019-04-25 15:22:49 +02:00
|
|
|
|
2019-06-09 15:01:32 +02:00
|
|
|
def get_options(self, host):
|
2019-04-25 15:22:49 +02:00
|
|
|
# Check if certificate verification has been enabled
|
|
|
|
should_verify = self._config.federation_verify_certificates
|
|
|
|
|
|
|
|
# Check if we've disabled certificate verification for this host
|
|
|
|
if should_verify:
|
|
|
|
for regex in self._config.federation_certificate_verification_whitelist:
|
|
|
|
if regex.match(host):
|
|
|
|
should_verify = False
|
|
|
|
break
|
|
|
|
|
2019-06-09 15:01:32 +02:00
|
|
|
ssl_context = (
|
|
|
|
self._verify_ssl_context if should_verify else self._no_verify_ssl_context
|
|
|
|
)
|
|
|
|
|
|
|
|
return SSLClientConnectionCreator(host, ssl_context, should_verify)
|
|
|
|
|
|
|
|
@staticmethod
|
|
|
|
def _context_info_cb(ssl_connection, where, ret):
|
|
|
|
"""The 'information callback' for our openssl context object."""
|
|
|
|
# we assume that the app_data on the connection object has been set to
|
|
|
|
# a TLSMemoryBIOProtocol object. (This is done by SSLClientConnectionCreator)
|
|
|
|
tls_protocol = ssl_connection.get_app_data()
|
|
|
|
try:
|
|
|
|
# ... we further assume that SSLClientConnectionCreator has set the
|
2019-06-10 18:51:11 +02:00
|
|
|
# '_synapse_tls_verifier' attribute to a ConnectionVerifier object.
|
|
|
|
tls_protocol._synapse_tls_verifier.verify_context_info_cb(
|
|
|
|
ssl_connection, where
|
|
|
|
)
|
2019-06-09 15:01:32 +02:00
|
|
|
except: # noqa: E722, taken from the twisted implementation
|
|
|
|
logger.exception("Error during info_callback")
|
|
|
|
f = Failure()
|
|
|
|
tls_protocol.failVerification(f)
|
|
|
|
|
|
|
|
|
|
|
|
@implementer(IOpenSSLClientConnectionCreator)
|
|
|
|
class SSLClientConnectionCreator(object):
|
|
|
|
"""Creates openssl connection objects for client connections.
|
|
|
|
|
|
|
|
Replaces twisted.internet.ssl.ClientTLSOptions
|
|
|
|
"""
|
2019-06-10 18:51:11 +02:00
|
|
|
|
2019-06-09 15:01:32 +02:00
|
|
|
def __init__(self, hostname, ctx, verify_certs):
|
|
|
|
self._ctx = ctx
|
|
|
|
self._verifier = ConnectionVerifier(hostname, verify_certs)
|
|
|
|
|
|
|
|
def clientConnectionForTLS(self, tls_protocol):
|
|
|
|
context = self._ctx
|
|
|
|
connection = SSL.Connection(context, None)
|
|
|
|
|
|
|
|
# as per twisted.internet.ssl.ClientTLSOptions, we set the application
|
|
|
|
# data to our TLSMemoryBIOProtocol...
|
|
|
|
connection.set_app_data(tls_protocol)
|
|
|
|
|
2019-06-10 18:51:11 +02:00
|
|
|
# ... and we also gut-wrench a '_synapse_tls_verifier' attribute into the
|
2019-06-09 15:01:32 +02:00
|
|
|
# tls_protocol so that the SSL context's info callback has something to
|
|
|
|
# call to do the cert verification.
|
2019-06-10 18:51:11 +02:00
|
|
|
setattr(tls_protocol, "_synapse_tls_verifier", self._verifier)
|
2019-06-09 15:01:32 +02:00
|
|
|
return connection
|
|
|
|
|
|
|
|
|
|
|
|
class ConnectionVerifier(object):
|
|
|
|
"""Set the SNI, and do cert verification
|
|
|
|
|
|
|
|
This is a thing which is attached to the TLSMemoryBIOProtocol, and is called by
|
|
|
|
the ssl context's info callback.
|
|
|
|
"""
|
2019-06-10 18:51:11 +02:00
|
|
|
|
2019-06-10 16:55:12 +02:00
|
|
|
# This code is based on twisted.internet.ssl.ClientTLSOptions.
|
|
|
|
|
2019-06-09 15:01:32 +02:00
|
|
|
def __init__(self, hostname, verify_certs):
|
|
|
|
self._verify_certs = verify_certs
|
2019-06-10 16:55:12 +02:00
|
|
|
|
2019-06-09 15:01:32 +02:00
|
|
|
if isIPAddress(hostname) or isIPv6Address(hostname):
|
2019-06-10 18:51:11 +02:00
|
|
|
self._hostnameBytes = hostname.encode("ascii")
|
2019-06-10 16:58:35 +02:00
|
|
|
self._is_ip_address = True
|
2019-06-09 15:01:32 +02:00
|
|
|
else:
|
2019-06-10 16:55:12 +02:00
|
|
|
# twisted's ClientTLSOptions falls back to the stdlib impl here if
|
|
|
|
# idna is not installed, but points out that lacks support for
|
|
|
|
# IDNA2008 (http://bugs.python.org/issue17305).
|
|
|
|
#
|
|
|
|
# We can rely on having idna.
|
|
|
|
self._hostnameBytes = idna.encode(hostname)
|
2019-06-10 16:58:35 +02:00
|
|
|
self._is_ip_address = False
|
2019-06-09 15:01:32 +02:00
|
|
|
|
|
|
|
self._hostnameASCII = self._hostnameBytes.decode("ascii")
|
|
|
|
|
|
|
|
def verify_context_info_cb(self, ssl_connection, where):
|
2019-06-10 16:58:35 +02:00
|
|
|
if where & SSL.SSL_CB_HANDSHAKE_START and not self._is_ip_address:
|
2019-06-09 15:01:32 +02:00
|
|
|
ssl_connection.set_tlsext_host_name(self._hostnameBytes)
|
2019-06-10 16:55:12 +02:00
|
|
|
|
2019-06-09 15:01:32 +02:00
|
|
|
if where & SSL.SSL_CB_HANDSHAKE_DONE and self._verify_certs:
|
|
|
|
try:
|
2019-06-10 16:58:35 +02:00
|
|
|
if self._is_ip_address:
|
|
|
|
verify_ip_address(ssl_connection, self._hostnameASCII)
|
|
|
|
else:
|
|
|
|
verify_hostname(ssl_connection, self._hostnameASCII)
|
2019-06-09 15:01:32 +02:00
|
|
|
except VerificationError:
|
|
|
|
f = Failure()
|
|
|
|
tls_protocol = ssl_connection.get_app_data()
|
|
|
|
tls_protocol.failVerification(f)
|