gitlord
/
synapse
mirror of https://github.com/matrix-org/synapse.git
1
0
Fork 0
Code Issues 0 Releases 671 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
23441 Commits
842 Branches
342 MiB
 
 
 
 
 
 
Branch: develop
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'develop'
${ noResults }
synapse/tests/config/test_tls.py

204 lines
7.6 KiB
Raw Permalink Blame History 

  1. # Copyright 2019 New Vector Ltd

  2. # Copyright 2019 Matrix.org Foundation C.I.C.

  3. #

  4. # Licensed under the Apache License, Version 2.0 (the "License");

  5. # you may not use this file except in compliance with the License.

  6. # You may obtain a copy of the License at

  7. #

  8. #     http://www.apache.org/licenses/LICENSE-2.0

  9. #

  10. # Unless required by applicable law or agreed to in writing, software

  11. # distributed under the License is distributed on an "AS IS" BASIS,

  12. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13. # See the License for the specific language governing permissions and

  14. # limitations under the License.

  15. 

  16. from typing import cast

  17. 

  18. import idna

  19. 

  20. from OpenSSL import SSL

  21. 

  22. from synapse.config._base import Config, RootConfig

  23. from synapse.config.homeserver import HomeServerConfig

  24. from synapse.config.tls import ConfigError, TlsConfig

  25. from synapse.crypto.context_factory import (

  26.     FederationPolicyForHTTPS,

  27.     SSLClientConnectionCreator,

  28. )

  29. from synapse.types import JsonDict

  30. 

  31. from tests.unittest import TestCase

  32. 

  33. 

  34. class FakeServer(Config):

  35.     section = "server"

  36. 

  37.     def has_tls_listener(self) -> bool:

  38.         return False

  39. 

  40. 

  41. class TestConfig(RootConfig):

  42.     config_classes = [FakeServer, TlsConfig]

  43. 

  44. 

  45. class TLSConfigTests(TestCase):

  46.     def test_tls_client_minimum_default(self) -> None:

  47.         """

  48.         The default client TLS version is 1.0.

  49.         """

  50.         config: JsonDict = {}

  51.         t = TestConfig()

  52.         t.tls.read_config(config, config_dir_path="", data_dir_path="")

  53. 

  54.         self.assertEqual(t.tls.federation_client_minimum_tls_version, "1")

  55. 

  56.     def test_tls_client_minimum_set(self) -> None:

  57.         """

  58.         The default client TLS version can be set to 1.0, 1.1, and 1.2.

  59.         """

  60.         config: JsonDict = {"federation_client_minimum_tls_version": 1}

  61.         t = TestConfig()

  62.         t.tls.read_config(config, config_dir_path="", data_dir_path="")

  63.         self.assertEqual(t.tls.federation_client_minimum_tls_version, "1")

  64. 

  65.         config = {"federation_client_minimum_tls_version": 1.1}

  66.         t = TestConfig()

  67.         t.tls.read_config(config, config_dir_path="", data_dir_path="")

  68.         self.assertEqual(t.tls.federation_client_minimum_tls_version, "1.1")

  69. 

  70.         config = {"federation_client_minimum_tls_version": 1.2}

  71.         t = TestConfig()

  72.         t.tls.read_config(config, config_dir_path="", data_dir_path="")

  73.         self.assertEqual(t.tls.federation_client_minimum_tls_version, "1.2")

  74. 

  75.         # Also test a string version

  76.         config = {"federation_client_minimum_tls_version": "1"}

  77.         t = TestConfig()

  78.         t.tls.read_config(config, config_dir_path="", data_dir_path="")

  79.         self.assertEqual(t.tls.federation_client_minimum_tls_version, "1")

  80. 

  81.         config = {"federation_client_minimum_tls_version": "1.2"}

  82.         t = TestConfig()

  83.         t.tls.read_config(config, config_dir_path="", data_dir_path="")

  84.         self.assertEqual(t.tls.federation_client_minimum_tls_version, "1.2")

  85. 

  86.     def test_tls_client_minimum_1_point_3_missing(self) -> None:

  87.         """

  88.         If TLS 1.3 support is missing and it's configured, it will raise a

  89.         ConfigError.

  90.         """

  91.         # thanks i hate it

  92.         if hasattr(SSL, "OP_NO_TLSv1_3"):

  93.             OP_NO_TLSv1_3 = SSL.OP_NO_TLSv1_3

  94.             delattr(SSL, "OP_NO_TLSv1_3")

  95.             self.addCleanup(setattr, SSL, "SSL.OP_NO_TLSv1_3", OP_NO_TLSv1_3)

  96.             assert not hasattr(SSL, "OP_NO_TLSv1_3")

  97. 

  98.         config: JsonDict = {"federation_client_minimum_tls_version": 1.3}

  99.         t = TestConfig()

  100.         with self.assertRaises(ConfigError) as e:

  101.             t.tls.read_config(config, config_dir_path="", data_dir_path="")

  102.         self.assertEqual(

  103.             e.exception.args[0],

  104.             (

  105.                 "federation_client_minimum_tls_version cannot be 1.3, "

  106.                 "your OpenSSL does not support it"

  107.             ),

  108.         )

  109. 

  110.     def test_tls_client_minimum_1_point_3_exists(self) -> None:

  111.         """

  112.         If TLS 1.3 support exists and it's configured, it will be settable.

  113.         """

  114.         # thanks i hate it, still

  115.         if not hasattr(SSL, "OP_NO_TLSv1_3"):

  116.             SSL.OP_NO_TLSv1_3 = 0x00

  117.             self.addCleanup(lambda: delattr(SSL, "OP_NO_TLSv1_3"))

  118.             assert hasattr(SSL, "OP_NO_TLSv1_3")

  119. 

  120.         config: JsonDict = {"federation_client_minimum_tls_version": 1.3}

  121.         t = TestConfig()

  122.         t.tls.read_config(config, config_dir_path="", data_dir_path="")

  123.         self.assertEqual(t.tls.federation_client_minimum_tls_version, "1.3")

  124. 

  125.     def test_tls_client_minimum_set_passed_through_1_2(self) -> None:

  126.         """

  127.         The configured TLS version is correctly configured by the ContextFactory.

  128.         """

  129.         config: JsonDict = {"federation_client_minimum_tls_version": 1.2}

  130.         t = TestConfig()

  131.         t.tls.read_config(config, config_dir_path="", data_dir_path="")

  132. 

  133.         cf = FederationPolicyForHTTPS(cast(HomeServerConfig, t))

  134.         options = _get_ssl_context_options(cf._verify_ssl_context)

  135. 

  136.         # The context has had NO_TLSv1_1 and NO_TLSv1_0 set, but not NO_TLSv1_2

  137.         self.assertNotEqual(options & SSL.OP_NO_TLSv1, 0)

  138.         self.assertNotEqual(options & SSL.OP_NO_TLSv1_1, 0)

  139.         self.assertEqual(options & SSL.OP_NO_TLSv1_2, 0)

  140. 

  141.     def test_tls_client_minimum_set_passed_through_1_0(self) -> None:

  142.         """

  143.         The configured TLS version is correctly configured by the ContextFactory.

  144.         """

  145.         config: JsonDict = {"federation_client_minimum_tls_version": 1}

  146.         t = TestConfig()

  147.         t.tls.read_config(config, config_dir_path="", data_dir_path="")

  148. 

  149.         cf = FederationPolicyForHTTPS(cast(HomeServerConfig, t))

  150.         options = _get_ssl_context_options(cf._verify_ssl_context)

  151. 

  152.         # The context has not had any of the NO_TLS set.

  153.         self.assertEqual(options & SSL.OP_NO_TLSv1, 0)

  154.         self.assertEqual(options & SSL.OP_NO_TLSv1_1, 0)

  155.         self.assertEqual(options & SSL.OP_NO_TLSv1_2, 0)

  156. 

  157.     def test_whitelist_idna_failure(self) -> None:

  158.         """

  159.         The federation certificate whitelist will not allow IDNA domain names.

  160.         """

  161.         config: JsonDict = {

  162.             "federation_certificate_verification_whitelist": [

  163.                 "example.com",

  164.                 "*.ドメイン.テスト",

  165.             ]

  166.         }

  167.         t = TestConfig()

  168.         e = self.assertRaises(

  169.             ConfigError, t.tls.read_config, config, config_dir_path="", data_dir_path=""

  170.         )

  171.         self.assertIn("IDNA domain names", str(e))

  172. 

  173.     def test_whitelist_idna_result(self) -> None:

  174.         """

  175.         The federation certificate whitelist will match on IDNA encoded names.

  176.         """

  177.         config: JsonDict = {

  178.             "federation_certificate_verification_whitelist": [

  179.                 "example.com",

  180.                 "*.xn--eckwd4c7c.xn--zckzah",

  181.             ]

  182.         }

  183.         t = TestConfig()

  184.         t.tls.read_config(config, config_dir_path="", data_dir_path="")

  185. 

  186.         cf = FederationPolicyForHTTPS(cast(HomeServerConfig, t))

  187. 

  188.         # Not in the whitelist

  189.         opts = cf.get_options(b"notexample.com")

  190.         assert isinstance(opts, SSLClientConnectionCreator)

  191.         self.assertTrue(opts._verifier._verify_certs)

  192. 

  193.         # Caught by the wildcard

  194.         opts = cf.get_options(idna.encode("テスト.ドメイン.テスト"))

  195.         assert isinstance(opts, SSLClientConnectionCreator)

  196.         self.assertFalse(opts._verifier._verify_certs)

  197. 

  198. 

  199. def _get_ssl_context_options(ssl_context: SSL.Context) -> int:

  200.     """get the options bits from an openssl context object"""

  201.     # the OpenSSL.SSL.Context wrapper doesn't expose get_options, so we have to

  202.     # use the low-level interface

  203.     return SSL._lib.SSL_CTX_get_options(ssl_context._context)  # type: ignore[attr-defined]