Mercurial > libervia-backend
annotate sat/core/patches.py @ 2687:e9cd473a2f46
core (xmpp): server certificate validation:
XMPP server certificate is now checked, and connection is refused (by default) if it's not valid.
Certificate check can be disabled in the new parameter "Configuration/check_certificate".
If certificate checking is disabled, a warning note is sent on every new connection.
Twisted and Wokkel are temporarly monkey patched in sat.core.tls_patches module, until modifications are merged upstream.
| author | Goffi <goffi@goffi.org> |
|---|---|
| date | Sat, 10 Nov 2018 10:16:35 +0100 |
| parents | |
| children | 1ecceac3df96 |
| rev | line source |
|---|---|
|
2687
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
1 from twisted.words.protocols.jabber import xmlstream |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
2 from twisted.internet import ssl |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
3 from wokkel import client |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
4 |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
5 """This module apply monkey patches to Twisted and Wokkel to handle certificate validation |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
6 during XMPP connection""" |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
7 |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
8 |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
9 class TLSInitiatingInitializer(xmlstream.TLSInitiatingInitializer): |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
10 check_certificate = True |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
11 |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
12 def onProceed(self, obj): |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
13 self.xmlstream.removeObserver('/failure', self.onFailure) |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
14 trustRoot = ssl.platformTrust() if self.check_certificate else None |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
15 ctx = ssl.CertificateOptions(trustRoot=trustRoot) |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
16 self.xmlstream.transport.startTLS(ctx) |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
17 self.xmlstream.reset() |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
18 self.xmlstream.sendHeader() |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
19 self._deferred.callback(xmlstream.Reset) |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
20 |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
21 |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
22 class XMPPClient(client.XMPPClient): |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
23 |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
24 def __init__(self, jid, password, host=None, port=5222, check_certificate=True): |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
25 self.jid = jid |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
26 self.domain = jid.host.encode('idna') |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
27 self.host = host |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
28 self.port = port |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
29 |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
30 factory = HybridClientFactory(jid, password, check_certificate) |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
31 |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
32 client.StreamManager.__init__(self, factory) |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
33 |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
34 |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
35 def HybridClientFactory(jid, password, check_certificate=True): |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
36 a = HybridAuthenticator(jid, password, check_certificate) |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
37 |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
38 return xmlstream.XmlStreamFactory(a) |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
39 |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
40 |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
41 class HybridAuthenticator(client.HybridAuthenticator): |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
42 |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
43 def __init__(self, jid, password, check_certificate): |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
44 xmlstream.ConnectAuthenticator.__init__(self, jid.host) |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
45 self.jid = jid |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
46 self.password = password |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
47 self.check_certificate = check_certificate |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
48 |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
49 def associateWithStream(self, xs): |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
50 xmlstream.ConnectAuthenticator.associateWithStream(self, xs) |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
51 |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
52 tlsInit = xmlstream.TLSInitiatingInitializer(xs) |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
53 tlsInit.check_certificate = self.check_certificate |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
54 xs.initializers = [client.client.CheckVersionInitializer(xs), |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
55 tlsInit, |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
56 client.CheckAuthInitializer(xs)] |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
57 |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
58 |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
59 def apply(): |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
60 xmlstream.TLSInitiatingInitializer = TLSInitiatingInitializer |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
61 client.XMPPClient = XMPPClient |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
62 client.HybridClientFactory = HybridClientFactory |
|
e9cd473a2f46
core (xmpp): server certificate validation:
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
63 client.HybridAuthenticator = HybridAuthenticator |