Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Fixes #3135 - Replace _OpenSSLECCurve with crypto.get_elliptic_curve #3157

Merged
merged 6 commits into from
Apr 30, 2018
Merged

Fixes #3135 - Replace _OpenSSLECCurve with crypto.get_elliptic_curve #3157

Changes from 1 commit
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
f692538
Replace _OpenSSLECCurve with crypto.get_elliptic_curve
Half-Shot Apr 29, 2018
7ae89bb
_evCurve > _ecCurve
Half-Shot Apr 29, 2018
24bfcaf
Remove tombstone comment
Half-Shot Apr 29, 2018
55bd158
Remove pin on Twisted 18.4
Half-Shot Apr 30, 2018
fff7c33
pyopenssl>=0.15
Half-Shot Apr 30, 2018
952d0ba
Remove whitespace in python_dep
Half-Shot Apr 30, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 7 additions & 4 deletions synapse/crypto/context_factory.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,8 +13,8 @@
# limitations under the License.

from twisted.internet import ssl
from OpenSSL import SSL
from twisted.internet._sslverify import _OpenSSLECCurve, _defaultCurveName
from OpenSSL import SSL, crypto
from twisted.internet._sslverify import _defaultCurveName
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if there is any way we can fix this gut-wrenching at the same time.


import logging

Expand All @@ -32,8 +32,11 @@ def __init__(self, config):
@staticmethod
def configure_context(context, config):
try:
_ecCurve = _OpenSSLECCurve(_defaultCurveName)
_ecCurve.addECKeyToContext(context)
# This was removed in https://github.com/twisted/twisted/pull/928
# _ecCurve = _OpenSSLECCurve()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not much point in leaving it here as a comment, then.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left here mainly as a tombstone since it's a drop in replacement mostly, but to be fair git serves that purpose.

_evCurve = crypto.get_elliptic_curve(_defaultCurveName)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this appears to have been introduced in pyopenssl 0.15 - so at the very least we need to bump the requirement in python_dependencies.py.

However, there is a problem in that debian jessie has 0.14. There is a newer version in backports though - @erikjohnston is it ok to rely on things in backports?

Otherwise we might have to do some hackery dependent on the Twisted version.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

However, there is a problem in that debian jessie has 0.14. There is a newer version in backports though - @erikjohnston is it ok to rely on things in backports?

It is, though I think we do some foo to host the backported packages we need on our repo. I've just had a look at it seems that we're already hosting v0.16, so this is fine.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why is it called _evCurve now?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Brain corrected EC to EV (work product is called EV, my bad)

context.set_tmp_ecdh(_evCurve)

except Exception:
logger.exception("Failed to enable elliptic curve for TLS")
context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
Expand Down