Merge branch 'develop' of github.com:matrix-org/synapse into anoa/dm_room_upgrade
This commit is contained in:
commit
117bc94cd2
|
@ -0,0 +1 @@
|
||||||
|
Remove redundant SynapseKeyClientProtocol magic
|
|
@ -1,149 +0,0 @@
|
||||||
# -*- coding: utf-8 -*-
|
|
||||||
# Copyright 2014-2016 OpenMarket Ltd
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
import logging
|
|
||||||
|
|
||||||
from six.moves import urllib
|
|
||||||
|
|
||||||
from canonicaljson import json
|
|
||||||
|
|
||||||
from twisted.internet import defer, reactor
|
|
||||||
from twisted.internet.error import ConnectError
|
|
||||||
from twisted.internet.protocol import Factory
|
|
||||||
from twisted.names.error import DomainError
|
|
||||||
from twisted.web.http import HTTPClient
|
|
||||||
|
|
||||||
from synapse.http.endpoint import matrix_federation_endpoint
|
|
||||||
from synapse.util import logcontext
|
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
|
||||||
|
|
||||||
KEY_API_V2 = "/_matrix/key/v2/server/%s"
|
|
||||||
|
|
||||||
|
|
||||||
@defer.inlineCallbacks
|
|
||||||
def fetch_server_key(server_name, tls_client_options_factory, key_id):
|
|
||||||
"""Fetch the keys for a remote server."""
|
|
||||||
|
|
||||||
factory = SynapseKeyClientFactory()
|
|
||||||
factory.path = KEY_API_V2 % (urllib.parse.quote(key_id), )
|
|
||||||
factory.host = server_name
|
|
||||||
endpoint = matrix_federation_endpoint(
|
|
||||||
reactor, server_name, tls_client_options_factory, timeout=30
|
|
||||||
)
|
|
||||||
|
|
||||||
for i in range(5):
|
|
||||||
try:
|
|
||||||
with logcontext.PreserveLoggingContext():
|
|
||||||
protocol = yield endpoint.connect(factory)
|
|
||||||
server_response, server_certificate = yield protocol.remote_key
|
|
||||||
defer.returnValue((server_response, server_certificate))
|
|
||||||
except SynapseKeyClientError as e:
|
|
||||||
logger.warn("Error getting key for %r: %s", server_name, e)
|
|
||||||
if e.status.startswith(b"4"):
|
|
||||||
# Don't retry for 4xx responses.
|
|
||||||
raise IOError("Cannot get key for %r" % server_name)
|
|
||||||
except (ConnectError, DomainError) as e:
|
|
||||||
logger.warn("Error getting key for %r: %s", server_name, e)
|
|
||||||
except Exception:
|
|
||||||
logger.exception("Error getting key for %r", server_name)
|
|
||||||
raise IOError("Cannot get key for %r" % server_name)
|
|
||||||
|
|
||||||
|
|
||||||
class SynapseKeyClientError(Exception):
|
|
||||||
"""The key wasn't retrieved from the remote server."""
|
|
||||||
status = None
|
|
||||||
pass
|
|
||||||
|
|
||||||
|
|
||||||
class SynapseKeyClientProtocol(HTTPClient):
|
|
||||||
"""Low level HTTPS client which retrieves an application/json response from
|
|
||||||
the server and extracts the X.509 certificate for the remote peer from the
|
|
||||||
SSL connection."""
|
|
||||||
|
|
||||||
timeout = 30
|
|
||||||
|
|
||||||
def __init__(self):
|
|
||||||
self.remote_key = defer.Deferred()
|
|
||||||
self.host = None
|
|
||||||
self._peer = None
|
|
||||||
|
|
||||||
def connectionMade(self):
|
|
||||||
self._peer = self.transport.getPeer()
|
|
||||||
logger.debug("Connected to %s", self._peer)
|
|
||||||
|
|
||||||
if not isinstance(self.path, bytes):
|
|
||||||
self.path = self.path.encode('ascii')
|
|
||||||
|
|
||||||
if not isinstance(self.host, bytes):
|
|
||||||
self.host = self.host.encode('ascii')
|
|
||||||
|
|
||||||
self.sendCommand(b"GET", self.path)
|
|
||||||
if self.host:
|
|
||||||
self.sendHeader(b"Host", self.host)
|
|
||||||
self.endHeaders()
|
|
||||||
self.timer = reactor.callLater(
|
|
||||||
self.timeout,
|
|
||||||
self.on_timeout
|
|
||||||
)
|
|
||||||
|
|
||||||
def errback(self, error):
|
|
||||||
if not self.remote_key.called:
|
|
||||||
self.remote_key.errback(error)
|
|
||||||
|
|
||||||
def callback(self, result):
|
|
||||||
if not self.remote_key.called:
|
|
||||||
self.remote_key.callback(result)
|
|
||||||
|
|
||||||
def handleStatus(self, version, status, message):
|
|
||||||
if status != b"200":
|
|
||||||
# logger.info("Non-200 response from %s: %s %s",
|
|
||||||
# self.transport.getHost(), status, message)
|
|
||||||
error = SynapseKeyClientError(
|
|
||||||
"Non-200 response %r from %r" % (status, self.host)
|
|
||||||
)
|
|
||||||
error.status = status
|
|
||||||
self.errback(error)
|
|
||||||
self.transport.abortConnection()
|
|
||||||
|
|
||||||
def handleResponse(self, response_body_bytes):
|
|
||||||
try:
|
|
||||||
json_response = json.loads(response_body_bytes)
|
|
||||||
except ValueError:
|
|
||||||
# logger.info("Invalid JSON response from %s",
|
|
||||||
# self.transport.getHost())
|
|
||||||
self.transport.abortConnection()
|
|
||||||
return
|
|
||||||
|
|
||||||
certificate = self.transport.getPeerCertificate()
|
|
||||||
self.callback((json_response, certificate))
|
|
||||||
self.transport.abortConnection()
|
|
||||||
self.timer.cancel()
|
|
||||||
|
|
||||||
def on_timeout(self):
|
|
||||||
logger.debug(
|
|
||||||
"Timeout waiting for response from %s: %s",
|
|
||||||
self.host, self._peer,
|
|
||||||
)
|
|
||||||
self.errback(IOError("Timeout waiting for response"))
|
|
||||||
self.transport.abortConnection()
|
|
||||||
|
|
||||||
|
|
||||||
class SynapseKeyClientFactory(Factory):
|
|
||||||
def protocol(self):
|
|
||||||
protocol = SynapseKeyClientProtocol()
|
|
||||||
protocol.path = self.path
|
|
||||||
protocol.host = self.host
|
|
||||||
return protocol
|
|
|
@ -14,10 +14,11 @@
|
||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
import hashlib
|
|
||||||
import logging
|
import logging
|
||||||
from collections import namedtuple
|
from collections import namedtuple
|
||||||
|
|
||||||
|
from six.moves import urllib
|
||||||
|
|
||||||
from signedjson.key import (
|
from signedjson.key import (
|
||||||
decode_verify_key_bytes,
|
decode_verify_key_bytes,
|
||||||
encode_verify_key_base64,
|
encode_verify_key_base64,
|
||||||
|
@ -30,13 +31,11 @@ from signedjson.sign import (
|
||||||
signature_ids,
|
signature_ids,
|
||||||
verify_signed_json,
|
verify_signed_json,
|
||||||
)
|
)
|
||||||
from unpaddedbase64 import decode_base64, encode_base64
|
from unpaddedbase64 import decode_base64
|
||||||
|
|
||||||
from OpenSSL import crypto
|
|
||||||
from twisted.internet import defer
|
from twisted.internet import defer
|
||||||
|
|
||||||
from synapse.api.errors import Codes, SynapseError
|
from synapse.api.errors import Codes, SynapseError
|
||||||
from synapse.crypto.keyclient import fetch_server_key
|
|
||||||
from synapse.util import logcontext, unwrapFirstError
|
from synapse.util import logcontext, unwrapFirstError
|
||||||
from synapse.util.logcontext import (
|
from synapse.util.logcontext import (
|
||||||
LoggingContext,
|
LoggingContext,
|
||||||
|
@ -503,31 +502,16 @@ class Keyring(object):
|
||||||
if requested_key_id in keys:
|
if requested_key_id in keys:
|
||||||
continue
|
continue
|
||||||
|
|
||||||
(response, tls_certificate) = yield fetch_server_key(
|
response = yield self.client.get_json(
|
||||||
server_name, self.hs.tls_client_options_factory, requested_key_id
|
destination=server_name,
|
||||||
|
path="/_matrix/key/v2/server/" + urllib.parse.quote(requested_key_id),
|
||||||
|
ignore_backoff=True,
|
||||||
)
|
)
|
||||||
|
|
||||||
if (u"signatures" not in response
|
if (u"signatures" not in response
|
||||||
or server_name not in response[u"signatures"]):
|
or server_name not in response[u"signatures"]):
|
||||||
raise KeyLookupError("Key response not signed by remote server")
|
raise KeyLookupError("Key response not signed by remote server")
|
||||||
|
|
||||||
if "tls_fingerprints" not in response:
|
|
||||||
raise KeyLookupError("Key response missing TLS fingerprints")
|
|
||||||
|
|
||||||
certificate_bytes = crypto.dump_certificate(
|
|
||||||
crypto.FILETYPE_ASN1, tls_certificate
|
|
||||||
)
|
|
||||||
sha256_fingerprint = hashlib.sha256(certificate_bytes).digest()
|
|
||||||
sha256_fingerprint_b64 = encode_base64(sha256_fingerprint)
|
|
||||||
|
|
||||||
response_sha256_fingerprints = set()
|
|
||||||
for fingerprint in response[u"tls_fingerprints"]:
|
|
||||||
if u"sha256" in fingerprint:
|
|
||||||
response_sha256_fingerprints.add(fingerprint[u"sha256"])
|
|
||||||
|
|
||||||
if sha256_fingerprint_b64 not in response_sha256_fingerprints:
|
|
||||||
raise KeyLookupError("TLS certificate not allowed by fingerprints")
|
|
||||||
|
|
||||||
response_keys = yield self.process_v2_response(
|
response_keys = yield self.process_v2_response(
|
||||||
from_server=server_name,
|
from_server=server_name,
|
||||||
requested_ids=[requested_key_id],
|
requested_ids=[requested_key_id],
|
||||||
|
|
Loading…
Reference in New Issue