author | Andrew Morgan <andrew@amorgan.xyz> | 2019-04-03 11:34:37 +0100 |
---|---|---|
committer | Andrew Morgan <andrew@amorgan.xyz> | 2019-04-03 11:34:37 +0100 |
commit | a5ab4afced2074daf3eafc33c6d42d85d7c8ccb5 (patch) | |
tree | 77b3f4573d416ee8bce037bd41fb5c54094b7644 | |
parent | Change test defaults (diff) | |
download | synapse-a5ab4afced2074daf3eafc33c6d42d85d7c8ccb5.tar.xz |
None is very different from []
-rw-r--r-- | synapse/config/tls.py | 5 | ||||
-rw-r--r-- | synapse/crypto/context_factory.py | 19 | ||||
-rw-r--r-- | synapse/federation/transport/server.py | 3 | ||||
-rw-r--r-- | synapse/http/matrixfederationclient.py | 3 | ||||
-rw-r--r-- | synapse/rest/key/v2/remote_key_resource.py | 3 | ||||
-rw-r--r-- | synapse/rest/media/v1/media_repository.py | 6 |
6 files changed, 25 insertions, 14 deletions
diff --git a/synapse/config/tls.py b/synapse/config/tls.py
index e8d417d024..7dbf41887b 100644
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@@ -77,11 +77,14 @@ class TlsConfig(Config):
 )
 # Whitelist of domains to not verify certificates for
- self.federation_certificate_verification_whitelist = {}
 federation_certificate_verification_whitelist = config.get(
 "federation_certificate_verification_whitelist", [],
 )
+ self.federation_certificate_verification_whitelist = None
+ if len(federation_certificate_verification_whitelist) > 0:
+ self.federation_certificate_verification_whitelist = {}
+
 # Store whitelisted domains in a hash for fast lookup
 for domain in federation_certificate_verification_whitelist:
 self.federation_certificate_verification_whitelist[domain] = True
diff --git a/synapse/crypto/context_factory.py b/synapse/crypto/context_factory.py
index d566e1bf23..e2b5ce173b 100644
--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
@@ -132,18 +132,18 @@ class ClientTLSOptionsFactory(object):
 def __init__(self, config):
 self._config = config
- self._options_novalidate = CertificateOptions()
+ self._options_noverify = CertificateOptions()
 # Check if we're using a custom list of a CA certificates
 if config.federation_custom_ca_list is not None:
- self._options_validate = CertificateOptions(
+ self._options_verify = CertificateOptions(
 # Use custom CA trusted root certs
 trustRoot=config.federation_custom_ca_list,
 )
 return
 # If not, verify using those provided by the operating environment
- self._options_validate = CertificateOptions(
+ self._options_verify = CertificateOptions(
 # Use CA root certs provided by OpenSSL
 trustRoot=platformTrust(),
 )
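Review bot: `len(federation_certificate_verification_whitelist) > 0` raises TypeError when the key is present in the YAML but left empty, because `config.get(key, [])` then returns None rather than the default; `if federation_certificate_verification_whitelist:` covers the missing, null and empty cases alike. The attribute now takes two shapes, None or a dict of domain → True, and every consumer has to remember the None case before doing `host in ...`. If no consumer depends on the dict shape (not visible here), `self.federation_certificate_verification_whitelist = set(federation_certificate_verification_whitelist) or None` gives the same fast lookup and the same None-when-empty contract in one line, without the loop. The comment above the block is the only place that says these hosts get unverified TLS; it is worth keeping that sentence next to whichever form is chosen.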
@@ -152,10 +152,13 @@ class ClientTLSOptionsFactory(object):
 # Use _makeContext so that we get a fresh OpenSSL CTX each time.
 # Check if certificate verification has been enabled
- if (self._config.federation_verify_certificates and
- host not in self._config.federation_certificate_validation_whitelist):
- # Require verification
- return ClientTLSOptionsVerify(host, self._options_validate._makeContext())
+ if (self._config.federation_verify_certificates):
+ # and if the host is whitelisted against it
+ if (self._config.federation_certificate_verification_whitelist and
+ host in self._config.federation_certificate_verification_whitelist):
+ return ClientTLSOptions(host, self._options_noverify._makeContext())
+
+ return ClientTLSOptionsVerify(host, self._options_verify._makeContext())
 # Otherwise don't require verification
- return ClientTLSOptions(host, self._options_novalidate._makeContext())
+ return ClientTLSOptions(host, self._options_noverify._makeContext())
diff --git a/synapse/federation/transport/server.py b/synapse/federation/transport/server.py
index f28672f7e2..1ddfbbd7f4 100644
--- a/synapse/federation/transport/server.py
+++ b/synapse/federation/transport/server.py
@@ -127,7 +127,8 @@ class Authenticator(object):
 json_request["origin"] = origin
 json_request["signatures"].setdefault(origin, {})[key] = sig
- if (origin not in self.federation_domain_whitelist):
+ if (self.federation_domain_whitelist is not None and
+ origin not in self.federation_domain_whitelist):
 raise FederationDeniedError(origin)
 if not json_request["signatures"]:
diff --git a/synapse/http/matrixfederationclient.py b/synapse/http/matrixfederationclient.py
index c4fdcd0524..36d1015514 100644
--- a/synapse/http/matrixfederationclient.py
+++ b/synapse/http/matrixfederationclient.py
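Review bot: The verification-skip outcome, which is the security-sensitive one, is now reached through two separate `ClientTLSOptions` returns inside and below the nested `if`, and the added comment `# and if the host is whitelisted against it` reads as a continuation of the previous comment rather than saying what is given up on that branch. Guard clauses would put the three outcomes in order — verification disabled globally, host explicitly exempted, everything else verified — with one comment each, and remove the redundant parentheses in `if (self._config.federation_verify_certificates):`. Behaviour is unchanged by the rewrite below; the method's signature is above the hunk.
```python
        # Use _makeContext so that we get a fresh OpenSSL CTX each time.

        # Verification disabled globally: no certificate checks for any host
        if not self._config.federation_verify_certificates:
            return ClientTLSOptions(host, self._options_noverify._makeContext())

        # Operator-configured exemption: this host's certificate is not verified
        whitelist = self._config.federation_certificate_verification_whitelist
        if whitelist and host in whitelist:
            return ClientTLSOptions(host, self._options_noverify._makeContext())

        # Default: require a valid certificate chain for the host
        return ClientTLSOptionsVerify(host, self._options_verify._makeContext())
```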
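Review bot: The five `federation_domain_whitelist` checks in this commit disagree on what an empty list means: here and in the first media_repository hunk the test is `is not None`, so `[]` denies every origin, while the matrixfederationclient, remote_key_resource and second media_repository hunks test truthiness, so `[]` lets every destination through. Whichever reading the config loader intends (it is not visible here), an empty whitelist currently fails open on the outbound client and the remote-key path and fails closed on inbound federation and media, and the two readings sit in the same file in media_repository. One test should be used at all five sites; `is not None` is the safer choice for an allowlist, since an operator who writes an empty list then gets a closed door rather than an open one. Authenticator's enclosing method continues outside the hunk.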
@@ -283,7 +283,8 @@ class MatrixFederationHttpClient(object):
 else:
 _sec_timeout = self.default_timeout
- if (request.destination not in self.hs.config.federation_domain_whitelist):
+ if (self.hs.config.federation_domain_whitelist and
+ request.destination not in self.hs.config.federation_domain_whitelist):
 raise FederationDeniedError(request.destination)
 limiter = yield synapse.util.retryutils.get_retry_limiter(
diff --git a/synapse/rest/key/v2/remote_key_resource.py b/synapse/rest/key/v2/remote_key_resource.py
index dbd4512b74..426c05e79c 100644
--- a/synapse/rest/key/v2/remote_key_resource.py
+++ b/synapse/rest/key/v2/remote_key_resource.py
@@ -139,7 +139,8 @@ class RemoteKey(Resource):
 store_queries = []
 for server_name, key_ids in query.items():
- if (server_name not in self.federation_domain_whitelist):
+ if (self.federation_domain_whitelist and
+ server_name not in self.federation_domain_whitelist):
 logger.debug("Federation denied with %s", server_name)
 continue
diff --git a/synapse/rest/media/v1/media_repository.py b/synapse/rest/media/v1/media_repository.py
index dec1206e39..8b16ceb3e9 100644
--- a/synapse/rest/media/v1/media_repository.py
+++ b/synapse/rest/media/v1/media_repository.py
@@ -231,7 +231,8 @@ class MediaRepository(object):
 Deferred: Resolves once a response has successfully been written to request
 """
- if (server_name not in self.federation_domain_whitelist):
+ if (self.federation_domain_whitelist is not None and
+ server_name not in self.federation_domain_whitelist):
 raise FederationDeniedError(server_name)
 self.mark_recently_accessed(server_name, media_id)
@@ -268,7 +269,8 @@ class MediaRepository(object):
 Returns:
 Deferred[dict]: The media_info of the file
 """
- if (server_name not in self.federation_domain_whitelist):
+ if (self.federation_domain_whitelist and
+ server_name not in self.federation_domain_whitelist):
 raise FederationDeniedError(server_name)
 # We linearize here to ensure that we don't try and download remote |