##// END OF EJS Templates
interfaces: convert `imanifestrevisionwritable` to a Protocol class...
interfaces: convert `imanifestrevisionwritable` to a Protocol class Same as cdd4bc69bfc1 for `imanifestrevisionstored`.

File last commit:

r53209:a820a7a1 default
r53377:01818a59 default
Show More
sslutil.py
866 lines | 33.2 KiB | text/x-python | PythonLexer
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
r14204 # sslutil.py - SSL handling for mercurial
#
Raphaël Gomès
contributor: change mentions of mpm to olivia...
r47575 # Copyright 2005, 2006, 2007, 2008 Olivia Mackall <olivia@selenic.com>
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
r14204 # Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>
# Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
#
# This software may be used and distributed according to the terms of the
# GNU General Public License version 2 or any later version.
Gregory Szorc
sslutil: use absolute_import
r25977
Matt Harbison
typing: add `from __future__ import annotations` to most files...
r52756 from __future__ import annotations
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
r14204
Augie Fackler
cleanup: replace uses of util.(md5|sha1|sha256|sha512) with hashlib.\1...
r29341 import hashlib
Gregory Szorc
sslutil: use absolute_import
r25977 import os
Gregory Szorc
sslutil: synchronize hostname matching logic with CPython...
r29452 import re
Gregory Szorc
sslutil: use absolute_import
r25977 import ssl
Julien Cristau
sslutil: avoid deprecation warnings from python 3.10's ssl module...
r49930 import warnings
Gregory Szorc
sslutil: use absolute_import
r25977
from .i18n import _
Joerg Sonnenberger
node: import symbols explicitly...
r46729 from .node import hex
Gregory Szorc
sslutil: use preferred formatting for import syntax
r28577 from . import (
Augie Fackler
sslutil: add support for SSLKEYLOGFILE to wrapsocket...
r42455 encoding,
Gregory Szorc
sslutil: use preferred formatting for import syntax
r28577 error,
Pulkit Goyal
py3: replace os.name with pycompat.osname (part 1 of 2)...
r30639 pycompat,
Gregory Szorc
sslutil: use preferred formatting for import syntax
r28577 util,
)
Yuya Nishihara
stringutil: bulk-replace call sites to point to new module...
r37102 from .utils import (
Augie Fackler
sslutil: migrate to hashutil.sha1 instead of hashlib.sha1...
r44518 hashutil,
Martin von Zweigbergk
procutil: move mainfrozen() to new resourceutil.py...
r44067 resourceutil,
Yuya Nishihara
stringutil: bulk-replace call sites to point to new module...
r37102 stringutil,
)
Yuya Nishihara
ssl: load CA certificates from system's store by default on Python 2.7.9...
r24291
Gregory Szorc
sslutil: better document state of security/ssl module...
r28647 # Python 2.7.9+ overhauled the built-in SSL/TLS features of Python. It added
# support for TLS 1.1, TLS 1.2, SNI, system CA stores, etc. These features are
# all exposed via the "ssl" module.
#
Manuel Jacob
sslutil: remove code checking for presence of ssl.SSLContext...
r45411 # We require in setup.py the presence of ssl.SSLContext, which indicates modern
# SSL/TLS support.
Gregory Szorc
sslutil: better document state of security/ssl module...
r28647
Martin von Zweigbergk
cleanup: use set literals...
r32291 configprotocols = {
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 b'tls1.0',
b'tls1.1',
b'tls1.2',
Matt Harbison
sslutil: add support for clients to set TLSv1.3 as the minimum protocol...
r53182 b'tls1.3',
Martin von Zweigbergk
cleanup: use set literals...
r32291 }
Gregory Szorc
sslutil: expose attribute indicating whether SNI is supported...
r26622
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559 hassni = getattr(ssl, 'HAS_SNI', False)
Gregory Szorc
sslutil: store OP_NO_SSL* constants in module scope...
r28648
Manuel Jacob
sslutil: properly detect which TLS versions are supported by the ssl module...
r45434 # ssl.HAS_TLSv1* are preferred to check support but they were added in Python
# 3.7. Prior to CPython commit 6e8cda91d92da72800d891b2fc2073ecbc134d98
# (backported to the 3.7 branch), ssl.PROTOCOL_TLSv1_1 / ssl.PROTOCOL_TLSv1_2
# were defined only if compiled against a OpenSSL version with TLS 1.1 / 1.2
# support. At the mentioned commit, they were unconditionally defined.
supportedprotocols = set()
safehasattr: drop usage in favor of hasattr...
r51821 if getattr(ssl, 'HAS_TLSv1', hasattr(ssl, 'PROTOCOL_TLSv1')):
Manuel Jacob
sslutil: properly detect which TLS versions are supported by the ssl module...
r45434 supportedprotocols.add(b'tls1.0')
safehasattr: drop usage in favor of hasattr...
r51821 if getattr(ssl, 'HAS_TLSv1_1', hasattr(ssl, 'PROTOCOL_TLSv1_1')):
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 supportedprotocols.add(b'tls1.1')
safehasattr: drop usage in favor of hasattr...
r51821 if getattr(ssl, 'HAS_TLSv1_2', hasattr(ssl, 'PROTOCOL_TLSv1_2')):
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 supportedprotocols.add(b'tls1.2')
Matt Harbison
sslutil: add support for clients to set TLSv1.3 as the minimum protocol...
r53182 if getattr(ssl, 'HAS_TLSv1_3', False):
supportedprotocols.add(b'tls1.3')
Gregory Szorc
sslutil: more robustly detect protocol support...
r29601
Augie Fackler
formatting: blacken the codebase...
r43346
Gregory Szorc
sslutil: introduce a function for determining host-specific settings...
r29258 def _hostsettings(ui, hostname):
"""Obtain security settings for a hostname.
Returns a dict of settings relevant to that hostname.
"""
Augie Fackler
sslutil: lots of unicode/bytes cleanup...
r36760 bhostname = pycompat.bytesurl(hostname)
Gregory Szorc
sslutil: introduce a function for determining host-specific settings...
r29258 s = {
Gregory Szorc
sslutil: add devel.disableloaddefaultcerts to disable CA loading...
r29288 # Whether we should attempt to load default/available CA certs
# if an explicit ``cafile`` is not defined.
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 b'allowloaddefaultcerts': True,
Gregory Szorc
sslutil: introduce a function for determining host-specific settings...
r29258 # List of 2-tuple of (hash algorithm, hash).
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 b'certfingerprints': [],
Gregory Szorc
sslutil: move CA file processing into _hostsettings()...
r29260 # Path to file containing concatenated CA certs. Used by
# SSLContext.load_verify_locations().
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 b'cafile': None,
Gregory Szorc
sslutil: store flag for whether cert verification is disabled...
r29287 # Whether certificate verification should be disabled.
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 b'disablecertverification': False,
Gregory Szorc
sslutil: reference appropriate config section in messaging...
r29268 # Whether the legacy [hostfingerprints] section has data for this host.
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 b'legacyfingerprint': False,
Gregory Szorc
sslutil: capture string string representation of protocol...
r29618 # String representation of minimum protocol to be used for UI
# presentation.
Manuel Jacob
sslutil: rename 'minimumprotocolui' -> 'minimumprotocol'...
r45435 b'minimumprotocol': None,
Gregory Szorc
sslutil: move SSLContext.verify_mode value into _hostsettings...
r29259 # ssl.CERT_* constant used by SSLContext.verify_mode.
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 b'verifymode': None,
Gregory Szorc
sslutil: support defining cipher list...
r29577 # OpenSSL Cipher List to use (instead of default).
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 b'ciphers': None,
Gregory Szorc
sslutil: introduce a function for determining host-specific settings...
r29258 }
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559 # Allow minimum TLS protocol to be specified in the config.
def validateprotocol(protocol, key):
if protocol not in configprotocols:
raise error.Abort(
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 _(b'unsupported protocol from hostsecurity.%s: %s')
Augie Fackler
formatting: blacken the codebase...
r43346 % (key, protocol),
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 hint=_(b'valid protocols: %s')
% b' '.join(sorted(configprotocols)),
Augie Fackler
formatting: blacken the codebase...
r43346 )
Gregory Szorc
sslutil: move protocol determination to _hostsettings...
r29507
Matt Harbison
sslutil: bump the default minimum TLS version of the client to 1.2 (BC)...
r53185 # We default to TLS 1.2+ because TLS 1.0 has known vulnerabilities (like
Manuel Jacob
sslutil: remove dead code (that downgraded default minimum TLS version)...
r45431 # BEAST and POODLE). We allow users to downgrade to TLS 1.0+ via config
# options in case a legacy server is encountered.
Matt Harbison
setup: require TLS 1.2 support from the Python interpreter (BC)...
r53209 # setup.py checks that TLS 1.2 is present, so the following assert should
# not fail.
Matt Harbison
sslutil: bump the default minimum TLS version of the client to 1.2 (BC)...
r53185 assert supportedprotocols - {b'tls1.0', b'tls1.1'}
defaultminimumprotocol = b'tls1.2'
Gregory Szorc
sslutil: require TLS 1.1+ when supported...
r29560
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 key = b'minimumprotocol'
Manuel Jacob
sslutil: fix names of variables containing minimum protocol strings...
r45425 minimumprotocol = ui.config(b'hostsecurity', key, defaultminimumprotocol)
validateprotocol(minimumprotocol, key)
Gregory Szorc
sslutil: move context options flags to _hostsettings...
r29508
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 key = b'%s:minimumprotocol' % bhostname
Manuel Jacob
sslutil: fix names of variables containing minimum protocol strings...
r45425 minimumprotocol = ui.config(b'hostsecurity', key, minimumprotocol)
validateprotocol(minimumprotocol, key)
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559
Julien Cristau
sslutil: be less strict about which ciphers are allowed when using --insecure...
r49931 ciphers = ui.config(b'hostsecurity', b'ciphers')
ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers)
Gregory Szorc
sslutil: allow TLS 1.0 when --insecure is used...
r29617 # If --insecure is used, we allow the use of TLS 1.0 despite config options.
# We always print a "connection security to %s is disabled..." message when
# --insecure is used. So no need to print anything more here.
if ui.insecureconnections:
Manuel Jacob
sslutil: fix names of variables containing minimum protocol strings...
r45425 minimumprotocol = b'tls1.0'
Julien Cristau
sslutil: be less strict about which ciphers are allowed when using --insecure...
r49931 if not ciphers:
pacien
sslutil: set context security level for legacy tls testing (issue6760)...
r51294 ciphers = b'DEFAULT:@SECLEVEL=0'
Gregory Szorc
sslutil: prevent CRIME...
r29558
Manuel Jacob
sslutil: rename 'minimumprotocolui' -> 'minimumprotocol'...
r45435 s[b'minimumprotocol'] = minimumprotocol
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 s[b'ciphers'] = ciphers
Gregory Szorc
sslutil: support defining cipher list...
r29577
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
r29267 # Look for fingerprints in [hostsecurity] section. Value is a list
# of <alg>:<fingerprint> strings.
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 fingerprints = ui.configlist(
b'hostsecurity', b'%s:fingerprints' % bhostname
)
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
r29267 for fingerprint in fingerprints:
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 if not (fingerprint.startswith((b'sha1:', b'sha256:', b'sha512:'))):
Augie Fackler
formatting: blacken the codebase...
r43346 raise error.Abort(
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 _(b'invalid fingerprint for %s: %s') % (bhostname, fingerprint),
Martin von Zweigbergk
cleanup: join string literals that are already on one line...
r43387 hint=_(b'must begin with "sha1:", "sha256:", or "sha512:"'),
Augie Fackler
formatting: blacken the codebase...
r43346 )
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
r29267
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 alg, fingerprint = fingerprint.split(b':', 1)
fingerprint = fingerprint.replace(b':', b'').lower()
Matt Harbison
pytype: stop excluding ssutil.py...
r49322 # pytype: disable=attribute-error
# `s` is heterogeneous, but this entry is always a list of tuples
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 s[b'certfingerprints'].append((alg, fingerprint))
Matt Harbison
pytype: stop excluding ssutil.py...
r49322 # pytype: enable=attribute-error
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
r29267
Gregory Szorc
sslutil: introduce a function for determining host-specific settings...
r29258 # Fingerprints from [hostfingerprints] are always SHA-1.
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 for fingerprint in ui.configlist(b'hostfingerprints', bhostname):
fingerprint = fingerprint.replace(b':', b'').lower()
Matt Harbison
pytype: stop excluding ssutil.py...
r49322 # pytype: disable=attribute-error
# `s` is heterogeneous, but this entry is always a list of tuples
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 s[b'certfingerprints'].append((b'sha1', fingerprint))
Matt Harbison
pytype: stop excluding ssutil.py...
r49322 # pytype: enable=attribute-error
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 s[b'legacyfingerprint'] = True
Gregory Szorc
sslutil: introduce a function for determining host-specific settings...
r29258
Gregory Szorc
sslutil: move SSLContext.verify_mode value into _hostsettings...
r29259 # If a host cert fingerprint is defined, it is the only thing that
# matters. No need to validate CA certs.
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 if s[b'certfingerprints']:
s[b'verifymode'] = ssl.CERT_NONE
s[b'allowloaddefaultcerts'] = False
Gregory Szorc
sslutil: move SSLContext.verify_mode value into _hostsettings...
r29259
# If --insecure is used, don't take CAs into consideration.
elif ui.insecureconnections:
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 s[b'disablecertverification'] = True
s[b'verifymode'] = ssl.CERT_NONE
s[b'allowloaddefaultcerts'] = False
Gregory Szorc
sslutil: move SSLContext.verify_mode value into _hostsettings...
r29259
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 if ui.configbool(b'devel', b'disableloaddefaultcerts'):
s[b'allowloaddefaultcerts'] = False
Gregory Szorc
sslutil: add devel.disableloaddefaultcerts to disable CA loading...
r29288
Gregory Szorc
sslutil: per-host config option to define certificates...
r29334 # If both fingerprints and a per-host ca file are specified, issue a warning
# because users should not be surprised about what security is or isn't
# being performed.
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 cafile = ui.config(b'hostsecurity', b'%s:verifycertsfile' % bhostname)
if s[b'certfingerprints'] and cafile:
Augie Fackler
formatting: blacken the codebase...
r43346 ui.warn(
_(
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 b'(hostsecurity.%s:verifycertsfile ignored when host '
b'fingerprints defined; using host fingerprints for '
b'verification)\n'
Augie Fackler
formatting: blacken the codebase...
r43346 )
% bhostname
)
Gregory Szorc
sslutil: per-host config option to define certificates...
r29334
Gregory Szorc
sslutil: move CA file processing into _hostsettings()...
r29260 # Try to hook up CA certificate validation unless something above
# makes it not necessary.
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 if s[b'verifymode'] is None:
Gregory Szorc
sslutil: per-host config option to define certificates...
r29334 # Look at per-host ca file first.
Gregory Szorc
sslutil: move CA file processing into _hostsettings()...
r29260 if cafile:
cafile = util.expandpath(cafile)
if not os.path.exists(cafile):
Augie Fackler
formatting: blacken the codebase...
r43346 raise error.Abort(
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 _(b'path specified by %s does not exist: %s')
% (
b'hostsecurity.%s:verifycertsfile' % (bhostname,),
cafile,
)
Augie Fackler
formatting: blacken the codebase...
r43346 )
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 s[b'cafile'] = cafile
Gregory Szorc
sslutil: move CA file processing into _hostsettings()...
r29260 else:
Gregory Szorc
sslutil: per-host config option to define certificates...
r29334 # Find global certificates file in config.
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 cafile = ui.config(b'web', b'cacerts')
Gregory Szorc
sslutil: per-host config option to define certificates...
r29334
Gregory Szorc
sslutil: move CA file processing into _hostsettings()...
r29260 if cafile:
Gregory Szorc
sslutil: per-host config option to define certificates...
r29334 cafile = util.expandpath(cafile)
if not os.path.exists(cafile):
Augie Fackler
formatting: blacken the codebase...
r43346 raise error.Abort(
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 _(b'could not find web.cacerts: %s') % cafile
Augie Fackler
formatting: blacken the codebase...
r43346 )
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 elif s[b'allowloaddefaultcerts']:
Gregory Szorc
sslutil: change comment and logged message for found ca cert file...
r29482 # CAs not defined in config. Try to find system bundles.
Gregory Szorc
sslutil: pass ui to _defaultcacerts...
r29483 cafile = _defaultcacerts(ui)
Gregory Szorc
sslutil: per-host config option to define certificates...
r29334 if cafile:
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 ui.debug(b'using %s for CA file\n' % cafile)
Gregory Szorc
sslutil: move CA file processing into _hostsettings()...
r29260
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 s[b'cafile'] = cafile
Gregory Szorc
sslutil: move CA file processing into _hostsettings()...
r29260
# Require certificate validation if CA certs are being loaded and
# verification hasn't been disabled above.
Manuel Jacob
sslutil: eliminate `_canloaddefaultcerts` by constant-folding code using it
r45416 if cafile or s[b'allowloaddefaultcerts']:
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 s[b'verifymode'] = ssl.CERT_REQUIRED
Gregory Szorc
sslutil: move CA file processing into _hostsettings()...
r29260 else:
# At this point we don't have a fingerprint, aren't being
# explicitly insecure, and can't load CA certs. Connecting
Gregory Szorc
sslutil: abort when unable to verify peer connection (BC)...
r29411 # is insecure. We allow the connection and abort during
# validation (once we have the fingerprint to print to the
# user).
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 s[b'verifymode'] = ssl.CERT_NONE
Gregory Szorc
sslutil: move CA file processing into _hostsettings()...
r29260
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 assert s[b'verifymode'] is not None
Gregory Szorc
sslutil: move SSLContext.verify_mode value into _hostsettings...
r29259
Gregory Szorc
sslutil: introduce a function for determining host-specific settings...
r29258 return s
Augie Fackler
formatting: blacken the codebase...
r43346
Gregory Szorc
sslutil: move sslkwargs logic into internal function (API)...
r29249 def wrapsocket(sock, keyfile, certfile, ui, serverhostname=None):
Gregory Szorc
sslutil: add docstring to wrapsocket()...
r28653 """Add SSL/TLS to a socket.
This is a glorified wrapper for ``ssl.wrap_socket()``. It makes sane
choices based on what security options are available.
In addition to the arguments supported by ``ssl.wrap_socket``, we allow
the following additional arguments:
* serverhostname - The expected hostname of the remote server. If the
server (and client) support SNI, this tells the server which certificate
to use.
"""
Gregory Szorc
sslutil: require serverhostname argument (API)...
r29224 if not serverhostname:
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 raise error.Abort(_(b'serverhostname argument is required'))
Gregory Szorc
sslutil: require serverhostname argument (API)...
r29224
Augie Fackler
sslutil: add support for SSLKEYLOGFILE to wrapsocket...
r42455 if b'SSLKEYLOGFILE' in encoding.environ:
try:
Matt Harbison
typing: disable import error warnings that are already handled...
r47543 import sslkeylog # pytype: disable=import-error
Augie Fackler
formatting: blacken the codebase...
r43346
sslkeylog.set_keylog(
pycompat.fsdecode(encoding.environ[b'SSLKEYLOGFILE'])
)
Augie Fackler
cleanup: mark some ui.(status|note|warn|write) calls as not needing i18n...
r43350 ui.warnnoi18n(
Augie Fackler
formatting: blacken the codebase...
r43346 b'sslkeylog enabled by SSLKEYLOGFILE environment variable\n'
)
Augie Fackler
sslutil: add support for SSLKEYLOGFILE to wrapsocket...
r42455 except ImportError:
Augie Fackler
cleanup: mark some ui.(status|note|warn|write) calls as not needing i18n...
r43350 ui.warnnoi18n(
Augie Fackler
formatting: blacken the codebase...
r43346 b'sslkeylog module missing, '
b'but SSLKEYLOGFILE set in environment\n'
)
Augie Fackler
sslutil: add support for SSLKEYLOGFILE to wrapsocket...
r42455
Gregory Szorc
sslutil: check for missing certificate and key files (issue5598)...
r33381 for f in (keyfile, certfile):
if f and not os.path.exists(f):
Augie Fackler
sslutil: some more forcebytes() on some exception messages...
r36762 raise error.Abort(
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 _(b'certificate file (%s) does not exist; cannot connect to %s')
Augie Fackler
sslutil: some more forcebytes() on some exception messages...
r36762 % (f, pycompat.bytesurl(serverhostname)),
Augie Fackler
formatting: blacken the codebase...
r43346 hint=_(
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 b'restore missing file or fix references '
b'in Mercurial config'
Augie Fackler
formatting: blacken the codebase...
r43346 ),
)
Gregory Szorc
sslutil: check for missing certificate and key files (issue5598)...
r33381
Gregory Szorc
sslutil: move SSLContext.verify_mode value into _hostsettings...
r29259 settings = _hostsettings(ui, serverhostname)
Gregory Szorc
sslutil: move sslkwargs logic into internal function (API)...
r29249
Gregory Szorc
sslutil: update comment about create_default_context()...
r29557 # We can't use ssl.create_default_context() because it calls
# load_default_certs() unless CA arguments are passed to it. We want to
# have explicit control over CA loading because implicitly loading
# CAs may undermine the user's intent. For example, a user may define a CA
# bundle with a specific CA cert removed. If the system/default CA bundle
# is loaded and contains that removed CA, you've just undone the user's
# choice.
Julien Cristau
sslutil: avoid deprecation warnings from python 3.10's ssl module...
r49930
Matt Harbison
sslutil: de-indent the Python 3.7+ code from the previous commit
r53179 sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
minimumprotocol = settings[b'minimumprotocol']
if minimumprotocol == b'tls1.0':
with warnings.catch_warnings():
warnings.filterwarnings(
'ignore',
'ssl.TLSVersion.TLSv1 is deprecated',
DeprecationWarning,
)
sslcontext.minimum_version = ssl.TLSVersion.TLSv1
elif minimumprotocol == b'tls1.1':
with warnings.catch_warnings():
warnings.filterwarnings(
'ignore',
'ssl.TLSVersion.TLSv1_1 is deprecated',
DeprecationWarning,
)
sslcontext.minimum_version = ssl.TLSVersion.TLSv1_1
elif minimumprotocol == b'tls1.2':
sslcontext.minimum_version = ssl.TLSVersion.TLSv1_2
Matt Harbison
sslutil: add support for clients to set TLSv1.3 as the minimum protocol...
r53182 elif minimumprotocol == b'tls1.3':
sslcontext.minimum_version = ssl.TLSVersion.TLSv1_3
Matt Harbison
sslutil: de-indent the Python 3.7+ code from the previous commit
r53179 else:
raise error.Abort(_(b'this should not happen'))
# Prevent CRIME.
# There is no guarantee this attribute is defined on the module.
sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
Julien Cristau
sslutil: avoid deprecation warnings from python 3.10's ssl module...
r49930
# We check the hostname ourselves in _verifycert
sslcontext.check_hostname = False
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 sslcontext.verify_mode = settings[b'verifymode']
Gregory Szorc
sslutil: move and document verify_mode assignment...
r28848
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 if settings[b'ciphers']:
Gregory Szorc
sslutil: support defining cipher list...
r29577 try:
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 sslcontext.set_ciphers(pycompat.sysstr(settings[b'ciphers']))
Gregory Szorc
sslutil: support defining cipher list...
r29577 except ssl.SSLError as e:
Augie Fackler
sslutil: some more forcebytes() on some exception messages...
r36762 raise error.Abort(
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 _(b'could not set ciphers: %s')
Yuya Nishihara
stringutil: bulk-replace call sites to point to new module...
r37102 % stringutil.forcebytestr(e.args[0]),
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 hint=_(b'change cipher string (%s) in config')
% settings[b'ciphers'],
Augie Fackler
formatting: blacken the codebase...
r43346 )
Gregory Szorc
sslutil: support defining cipher list...
r29577
Gregory Szorc
sslutil: remove indentation in wrapsocket declaration...
r28652 if certfile is not None:
Augie Fackler
formatting: blacken the codebase...
r43346
Gregory Szorc
sslutil: remove indentation in wrapsocket declaration...
r28652 def password():
f = keyfile or certfile
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 return ui.getpass(_(b'passphrase for %s: ') % f, b'')
Augie Fackler
formatting: blacken the codebase...
r43346
Gregory Szorc
sslutil: remove indentation in wrapsocket declaration...
r28652 sslcontext.load_cert_chain(certfile, keyfile, password)
Gregory Szorc
sslutil: move and document verify_mode assignment...
r28848
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 if settings[b'cafile'] is not None:
Gregory Szorc
sslutil: display a better error message when CA file loading fails...
r29446 try:
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 sslcontext.load_verify_locations(cafile=settings[b'cafile'])
Gregory Szorc
sslutil: display a better error message when CA file loading fails...
r29446 except ssl.SSLError as e:
Augie Fackler
formatting: blacken the codebase...
r43346 if len(e.args) == 1: # pypy has different SSLError args
Pierre-Yves David
ssl: handle a difference in SSLError with pypy (issue5348)...
r29927 msg = e.args[0]
else:
msg = e.args[1]
Augie Fackler
formatting: blacken the codebase...
r43346 raise error.Abort(
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 _(b'error loading CA file %s: %s')
% (settings[b'cafile'], stringutil.forcebytestr(msg)),
hint=_(b'file is empty or malformed?'),
Augie Fackler
formatting: blacken the codebase...
r43346 )
Gregory Szorc
sslutil: use CA loaded state to drive validation logic...
r29113 caloaded = True
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 elif settings[b'allowloaddefaultcerts']:
Gregory Szorc
sslutil: remove indentation in wrapsocket declaration...
r28652 # This is a no-op on old Python.
sslcontext.load_default_certs()
Gregory Szorc
sslutil: add devel.disableloaddefaultcerts to disable CA loading...
r29288 caloaded = True
else:
caloaded = False
Alex Orange
https: support tls sni (server name indication) for https urls (issue3090)...
r23834
Gregory Szorc
sslutil: emit warning when no CA certificates loaded...
r29449 try:
sslsocket = sslcontext.wrap_socket(sock, server_hostname=serverhostname)
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559 except ssl.SSLError as e:
Gregory Szorc
sslutil: emit warning when no CA certificates loaded...
r29449 # If we're doing certificate verification and no CA certs are loaded,
# that is almost certainly the reason why verification failed. Provide
# a hint to the user.
Matt Harbison
sslutil: clarify internal documentation...
r31725 # The exception handler is here to handle bugs around cert attributes:
# https://bugs.python.org/issue20916#msg213479. (See issues5313.)
# When the main 20916 bug occurs, 'sslcontext.get_ca_certs()' is a
# non-empty list, but the following conditional is otherwise True.
Gregory Szorc
sslutil: work around SSLContext.get_ca_certs bug on Windows (issue5313)...
r29631 try:
Augie Fackler
formatting: blacken the codebase...
r43346 if (
caloaded
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 and settings[b'verifymode'] == ssl.CERT_REQUIRED
Augie Fackler
formatting: blacken the codebase...
r43346 and not sslcontext.get_ca_certs()
):
ui.warn(
_(
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 b'(an attempt was made to load CA certificates but '
b'none were loaded; see '
b'https://mercurial-scm.org/wiki/SecureConnections '
b'for how to configure Mercurial to avoid this '
b'error)\n'
Augie Fackler
formatting: blacken the codebase...
r43346 )
)
Gregory Szorc
sslutil: work around SSLContext.get_ca_certs bug on Windows (issue5313)...
r29631 except ssl.SSLError:
pass
Gregory Szorc
sslutil: use raw strings for exception reason compare...
r41455
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559 # Try to print more helpful error messages for known failures.
safehasattr: drop usage in favor of hasattr...
r51821 if hasattr(e, 'reason'):
Gregory Szorc
sslutil: improve messaging around unsupported protocols (issue5303)...
r29619 # This error occurs when the client and server don't share a
# common/supported SSL/TLS protocol. We've disabled SSLv2 and SSLv3
# outright. Hopefully the reason for this error is that we require
# TLS 1.1+ and the server only supports TLS 1.0. Whatever the
# reason, try to emit an actionable warning.
Julien Cristau
sslutil: support TLSV1_ALERT_PROTOCOL_VERSION reason code...
r49933 if e.reason in (
'UNSUPPORTED_PROTOCOL',
'TLSV1_ALERT_PROTOCOL_VERSION',
):
Gregory Szorc
sslutil: improve messaging around unsupported protocols (issue5303)...
r29619 # We attempted TLS 1.0+.
Manuel Jacob
sslutil: rename 'minimumprotocolui' -> 'minimumprotocol'...
r45435 if settings[b'minimumprotocol'] == b'tls1.0':
Gregory Szorc
sslutil: improve messaging around unsupported protocols (issue5303)...
r29619 # We support more than just TLS 1.0+. If this happens,
# the likely scenario is either the client or the server
# is really old. (e.g. server doesn't support TLS 1.0+ or
# client doesn't support modern TLS versions introduced
# several years from when this comment was written).
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 if supportedprotocols != {b'tls1.0'}:
Augie Fackler
formatting: blacken the codebase...
r43346 ui.warn(
_(
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 b'(could not communicate with %s using security '
b'protocols %s; if you are using a modern Mercurial '
b'version, consider contacting the operator of this '
b'server; see '
b'https://mercurial-scm.org/wiki/SecureConnections '
b'for more info)\n'
Augie Fackler
formatting: blacken the codebase...
r43346 )
% (
Gregory Szorc
sslutil: ensure serverhostname is bytes when formatting...
r41456 pycompat.bytesurl(serverhostname),
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 b', '.join(sorted(supportedprotocols)),
Augie Fackler
formatting: blacken the codebase...
r43346 )
)
Gregory Szorc
sslutil: improve messaging around unsupported protocols (issue5303)...
r29619 else:
Augie Fackler
formatting: blacken the codebase...
r43346 ui.warn(
_(
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 b'(could not communicate with %s using TLS 1.0; the '
b'likely cause of this is the server no longer '
b'supports TLS 1.0 because it has known security '
b'vulnerabilities; see '
b'https://mercurial-scm.org/wiki/SecureConnections '
b'for more info)\n'
Augie Fackler
formatting: blacken the codebase...
r43346 )
% pycompat.bytesurl(serverhostname)
)
Gregory Szorc
sslutil: improve messaging around unsupported protocols (issue5303)...
r29619 else:
# We attempted TLS 1.1+. We can only get here if the client
# supports the configured protocol. So the likely reason is
# the client wants better security than the server can
# offer.
Augie Fackler
formatting: blacken the codebase...
r43346 ui.warn(
_(
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 b'(could not negotiate a common security protocol (%s+) '
b'with %s; the likely cause is Mercurial is configured '
b'to be more secure than the server can support)\n'
Augie Fackler
formatting: blacken the codebase...
r43346 )
% (
Manuel Jacob
sslutil: rename 'minimumprotocolui' -> 'minimumprotocol'...
r45435 settings[b'minimumprotocol'],
Augie Fackler
formatting: blacken the codebase...
r43346 pycompat.bytesurl(serverhostname),
)
)
ui.warn(
_(
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 b'(consider contacting the operator of this '
b'server and ask them to support modern TLS '
b'protocol versions; or, set '
b'hostsecurity.%s:minimumprotocol=tls1.0 to allow '
b'use of legacy, less secure protocols when '
b'communicating with this server)\n'
Augie Fackler
formatting: blacken the codebase...
r43346 )
% pycompat.bytesurl(serverhostname)
)
ui.warn(
_(
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 b'(see https://mercurial-scm.org/wiki/SecureConnections '
b'for more info)\n'
Augie Fackler
formatting: blacken the codebase...
r43346 )
)
Matt Harbison
sslutil: inform the user about how to fix an incomplete certificate chain...
r33494
Augie Fackler
cleanup: remove pointless r-prefixes on single-quoted strings...
r43906 elif e.reason == 'CERTIFICATE_VERIFY_FAILED' and pycompat.iswindows:
Augie Fackler
formatting: blacken the codebase...
r43346 ui.warn(
_(
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 b'(the full certificate chain may not be available '
b'locally; see "hg help debugssl")\n'
Augie Fackler
formatting: blacken the codebase...
r43346 )
)
Gregory Szorc
sslutil: emit warning when no CA certificates loaded...
r29449 raise
Gregory Szorc
sslutil: remove indentation in wrapsocket declaration...
r28652 # check if wrap_socket failed silently because socket had been
# closed
# - see http://bugs.python.org/issue13721
if not sslsocket.cipher():
Martin von Zweigbergk
errors: introduce SecurityError and use it in a few places...
r46527 raise error.SecurityError(_(b'ssl connection failed'))
Gregory Szorc
sslutil: use CA loaded state to drive validation logic...
r29113
Gregory Szorc
sslutil: use a dict for hanging hg state off the wrapped socket...
r29225 sslsocket._hgstate = {
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 b'caloaded': caloaded,
b'hostname': serverhostname,
b'settings': settings,
b'ui': ui,
Gregory Szorc
sslutil: use a dict for hanging hg state off the wrapped socket...
r29225 }
Gregory Szorc
sslutil: use CA loaded state to drive validation logic...
r29113
Gregory Szorc
sslutil: remove indentation in wrapsocket declaration...
r28652 return sslsocket
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
r14204
Augie Fackler
formatting: blacken the codebase...
r43346
def wrapserversocket(
sock, ui, certfile=None, keyfile=None, cafile=None, requireclientcert=False
):
Gregory Szorc
sslutil: implement wrapserversocket()...
r29554 """Wrap a socket for use by servers.
``certfile`` and ``keyfile`` specify the files containing the certificate's
public and private keys, respectively. Both keys can be defined in the same
file via ``certfile`` (the private key must come first in the file).
``cafile`` defines the path to certificate authorities.
``requireclientcert`` specifies whether to require client certificates.
Typically ``cafile`` is only defined if ``requireclientcert`` is true.
"""
Gregory Szorc
sslutil: check for missing certificate and key files (issue5598)...
r33381 # This function is not used much by core Mercurial, so the error messaging
# doesn't have to be as detailed as for wrapsocket().
for f in (certfile, keyfile, cafile):
if f and not os.path.exists(f):
Augie Fackler
formatting: blacken the codebase...
r43346 raise error.Abort(
Martin von Zweigbergk
cleanup: join string literals that are already on one line...
r43387 _(b'referenced certificate file (%s) does not exist') % f
Augie Fackler
formatting: blacken the codebase...
r43346 )
Gregory Szorc
sslutil: check for missing certificate and key files (issue5598)...
r33381
Matt Harbison
sslutil: de-indent the Python 3.7+ code from the previous commit
r53179 sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559
Matt Harbison
sslutil: de-indent the Python 3.7+ code from the previous commit
r53179 # This config option is intended for use in tests only. It is a giant
# footgun to kill security. Don't define it.
exactprotocol = ui.config(b'devel', b'server-insecure-exact-protocol')
if exactprotocol == b'tls1.0':
if b'tls1.0' not in supportedprotocols:
raise error.Abort(_(b'TLS 1.0 not supported by this Python'))
with warnings.catch_warnings():
warnings.filterwarnings(
'ignore',
'ssl.TLSVersion.TLSv1 is deprecated',
DeprecationWarning,
Julien Cristau
sslutil: avoid deprecation warnings from python 3.10's ssl module...
r49930 )
Matt Harbison
sslutil: de-indent the Python 3.7+ code from the previous commit
r53179 sslcontext.minimum_version = ssl.TLSVersion.TLSv1
sslcontext.maximum_version = ssl.TLSVersion.TLSv1
elif exactprotocol == b'tls1.1':
if b'tls1.1' not in supportedprotocols:
raise error.Abort(_(b'TLS 1.1 not supported by this Python'))
with warnings.catch_warnings():
warnings.filterwarnings(
'ignore',
'ssl.TLSVersion.TLSv1_1 is deprecated',
DeprecationWarning,
)
sslcontext.minimum_version = ssl.TLSVersion.TLSv1_1
sslcontext.maximum_version = ssl.TLSVersion.TLSv1_1
elif exactprotocol == b'tls1.2':
if b'tls1.2' not in supportedprotocols:
raise error.Abort(_(b'TLS 1.2 not supported by this Python'))
sslcontext.minimum_version = ssl.TLSVersion.TLSv1_2
sslcontext.maximum_version = ssl.TLSVersion.TLSv1_2
Matt Harbison
sslutil: add support for clients to set TLSv1.3 as the minimum protocol...
r53182 elif exactprotocol == b'tls1.3':
if b'tls1.3' not in supportedprotocols:
raise error.Abort(_(b'TLS 1.3 not supported by this Python'))
sslcontext.minimum_version = ssl.TLSVersion.TLSv1_3
sslcontext.maximum_version = ssl.TLSVersion.TLSv1_3
Matt Harbison
sslutil: de-indent the Python 3.7+ code from the previous commit
r53179 elif exactprotocol:
raise error.Abort(
_(b'invalid value for server-insecure-exact-protocol: %s')
% exactprotocol
)
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559
Manuel Jacob
sslutil: eliminate `modernssl` by constant-folding code using it
r45414 # Improve forward secrecy.
sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0)
sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0)
Gregory Szorc
sslutil: implement wrapserversocket()...
r29554
Julien Cristau
sslutil: be less strict about which ciphers are allowed when using --insecure...
r49931 # In tests, allow insecure ciphers
# Otherwise, use the list of more secure ciphers if found in the ssl module.
if exactprotocol:
pacien
sslutil: set context security level for legacy tls testing (issue6760)...
r51294 sslcontext.set_ciphers('DEFAULT:@SECLEVEL=0')
safehasattr: drop usage in favor of hasattr...
r51821 elif hasattr(ssl, '_RESTRICTED_SERVER_CIPHERS'):
Manuel Jacob
sslutil: eliminate `modernssl` by constant-folding code using it
r45414 sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0)
Matt Harbison
typing: disable module attribute warnings for properly conditionalized code...
r47544 # pytype: disable=module-attr
Manuel Jacob
sslutil: eliminate `modernssl` by constant-folding code using it
r45414 sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)
Matt Harbison
typing: disable module attribute warnings for properly conditionalized code...
r47544 # pytype: enable=module-attr
Gregory Szorc
sslutil: implement wrapserversocket()...
r29554
if requireclientcert:
sslcontext.verify_mode = ssl.CERT_REQUIRED
else:
sslcontext.verify_mode = ssl.CERT_NONE
if certfile or keyfile:
sslcontext.load_cert_chain(certfile=certfile, keyfile=keyfile)
if cafile:
sslcontext.load_verify_locations(cafile=cafile)
return sslcontext.wrap_socket(sock, server_side=True)
Augie Fackler
formatting: blacken the codebase...
r43346
Gregory Szorc
sslutil: synchronize hostname matching logic with CPython...
r29452 class wildcarderror(Exception):
"""Represents an error parsing wildcards in DNS name."""
Augie Fackler
formatting: blacken the codebase...
r43346
Gregory Szorc
sslutil: synchronize hostname matching logic with CPython...
r29452 def _dnsnamematch(dn, hostname, maxwildcards=1):
"""Match DNS names according RFC 6125 section 6.4.3.
This code is effectively copied from CPython's ssl._dnsname_match.
Returns a bool indicating whether the expected hostname matches
the value in ``dn``.
"""
pats = []
if not dn:
return False
Augie Fackler
sslutil: lots of unicode/bytes cleanup...
r36760 dn = pycompat.bytesurl(dn)
hostname = pycompat.bytesurl(hostname)
Gregory Szorc
sslutil: synchronize hostname matching logic with CPython...
r29452
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 pieces = dn.split(b'.')
Gregory Szorc
sslutil: synchronize hostname matching logic with CPython...
r29452 leftmost = pieces[0]
remainder = pieces[1:]
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 wildcards = leftmost.count(b'*')
Gregory Szorc
sslutil: synchronize hostname matching logic with CPython...
r29452 if wildcards > maxwildcards:
raise wildcarderror(
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 _(b'too many wildcards in certificate DNS name: %s') % dn
Augie Fackler
formatting: blacken the codebase...
r43346 )
Gregory Szorc
sslutil: synchronize hostname matching logic with CPython...
r29452
# speed up common case w/o wildcards
if not wildcards:
return dn.lower() == hostname.lower()
# RFC 6125, section 6.4.3, subitem 1.
# The client SHOULD NOT attempt to match a presented identifier in which
# the wildcard character comprises a label other than the left-most label.
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 if leftmost == b'*':
Gregory Szorc
sslutil: synchronize hostname matching logic with CPython...
r29452 # When '*' is a fragment by itself, it matches a non-empty dotless
# fragment.
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 pats.append(b'[^.]+')
elif leftmost.startswith(b'xn--') or hostname.startswith(b'xn--'):
Gregory Szorc
sslutil: synchronize hostname matching logic with CPython...
r29452 # RFC 6125, section 6.4.3, subitem 3.
# The client SHOULD NOT attempt to match a presented identifier
# where the wildcard character is embedded within an A-label or
# U-label of an internationalized domain name.
Augie Fackler
cleanup: migrate from re.escape to stringutil.reescape...
r38494 pats.append(stringutil.reescape(leftmost))
Gregory Szorc
sslutil: synchronize hostname matching logic with CPython...
r29452 else:
# Otherwise, '*' matches any dotless string, e.g. www*
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 pats.append(stringutil.reescape(leftmost).replace(br'\*', b'[^.]*'))
Gregory Szorc
sslutil: synchronize hostname matching logic with CPython...
r29452
# add the remaining fragments, ignore any wildcards
for frag in remainder:
Augie Fackler
cleanup: migrate from re.escape to stringutil.reescape...
r38494 pats.append(stringutil.reescape(frag))
Gregory Szorc
sslutil: synchronize hostname matching logic with CPython...
r29452
Pulkit Goyal
py3: add b'' prefixes to make values bytes...
r37684 pat = re.compile(br'\A' + br'\.'.join(pats) + br'\Z', re.IGNORECASE)
Gregory Szorc
sslutil: synchronize hostname matching logic with CPython...
r29452 return pat.match(hostname) is not None
Augie Fackler
formatting: blacken the codebase...
r43346
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
r14204 def _verifycert(cert, hostname):
Augie Fackler
formating: upgrade to black 20.8b1...
r46554 """Verify that cert (in socket.getpeercert() format) matches hostname.
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
r14204 CRLs is not handled.
Returns error message if any problems are found and None on success.
Augie Fackler
formating: upgrade to black 20.8b1...
r46554 """
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
r14204 if not cert:
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 return _(b'no certificate received')
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
r14204
Gregory Szorc
sslutil: synchronize hostname matching logic with CPython...
r29452 dnsnames = []
Augie Fackler
cleanup: remove pointless r-prefixes on single-quoted strings...
r43906 san = cert.get('subjectAltName', [])
Gregory Szorc
sslutil: synchronize hostname matching logic with CPython...
r29452 for key, value in san:
Augie Fackler
cleanup: remove pointless r-prefixes on single-quoted strings...
r43906 if key == 'DNS':
Gregory Szorc
sslutil: synchronize hostname matching logic with CPython...
r29452 try:
if _dnsnamematch(value, hostname):
return
except wildcarderror as e:
Yuya Nishihara
stringutil: bulk-replace call sites to point to new module...
r37102 return stringutil.forcebytestr(e.args[0])
Gregory Szorc
sslutil: synchronize hostname matching logic with CPython...
r29452
dnsnames.append(value)
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
r14204
Gregory Szorc
sslutil: synchronize hostname matching logic with CPython...
r29452 if not dnsnames:
# The subject is only checked when there is no DNS in subjectAltName.
Augie Fackler
cleanup: remove pointless r-prefixes on single-quoted strings...
r43906 for sub in cert.get('subject', []):
Gregory Szorc
sslutil: synchronize hostname matching logic with CPython...
r29452 for key, value in sub:
# According to RFC 2818 the most specific Common Name must
# be used.
Augie Fackler
cleanup: remove pointless r-prefixes on single-quoted strings...
r43906 if key == 'commonName':
Mads Kiilerich
spelling: fixes of non-dictionary words
r30332 # 'subject' entries are unicode.
Gregory Szorc
sslutil: synchronize hostname matching logic with CPython...
r29452 try:
value = value.encode('ascii')
except UnicodeEncodeError:
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 return _(b'IDN in certificate not supported')
Gregory Szorc
sslutil: synchronize hostname matching logic with CPython...
r29452
try:
if _dnsnamematch(value, hostname):
return
except wildcarderror as e:
Yuya Nishihara
stringutil: bulk-replace call sites to point to new module...
r37102 return stringutil.forcebytestr(e.args[0])
Gregory Szorc
sslutil: synchronize hostname matching logic with CPython...
r29452
dnsnames.append(value)
Augie Fackler
sslutil: fix some edge cases in Python 3 support...
r37889 dnsnames = [pycompat.bytesurl(d) for d in dnsnames]
Gregory Szorc
sslutil: synchronize hostname matching logic with CPython...
r29452 if len(dnsnames) > 1:
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 return _(b'certificate is for %s') % b', '.join(dnsnames)
Gregory Szorc
sslutil: synchronize hostname matching logic with CPython...
r29452 elif len(dnsnames) == 1:
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 return _(b'certificate is for %s') % dnsnames[0]
Gregory Szorc
sslutil: synchronize hostname matching logic with CPython...
r29452 else:
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 return _(b'no commonName or subjectAltName found in certificate')
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
r14204
Augie Fackler
formatting: blacken the codebase...
r43346
Mads Kiilerich
ssl: only use the dummy cert hack if using an Apple Python (issue4410)...
r23042 def _plainapplepython():
"""return true if this seems to be a pure Apple Python that
* is unfrozen and presumably has the whole mercurial module in the file
system
* presumably is an Apple Python that uses Apple OpenSSL which has patches
for using system certificate store CAs in addition to the provided
cacerts file
"""
Augie Fackler
formatting: blacken the codebase...
r43346 if (
not pycompat.isdarwin
Martin von Zweigbergk
procutil: move mainfrozen() to new resourceutil.py...
r44067 or resourceutil.mainfrozen()
Augie Fackler
formatting: blacken the codebase...
r43346 or not pycompat.sysexecutable
):
Mads Kiilerich
ssl: only use the dummy cert hack if using an Apple Python (issue4410)...
r23042 return False
Pulkit Goyal
py3: replace sys.executable with pycompat.sysexecutable...
r30669 exe = os.path.realpath(pycompat.sysexecutable).lower()
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 return exe.startswith(b'/usr/bin/python') or exe.startswith(
b'/system/library/frameworks/python.framework/'
Augie Fackler
formatting: blacken the codebase...
r43346 )
Mads Kiilerich
ssl: only use the dummy cert hack if using an Apple Python (issue4410)...
r23042
Gregory Szorc
sslutil: pass ui to _defaultcacerts...
r29483 def _defaultcacerts(ui):
Gregory Szorc
sslutil: expand _defaultcacerts docstring to note calling assumptions...
r29488 """return path to default CA certificates or None.
It is assumed this function is called when the returned certificates
file will actually be used to validate connections. Therefore this
function may print warnings or debug messages assuming this usage.
Gregory Szorc
sslutil: try to find CA certficates in well-known locations...
r29500
We don't print a message when the Python is able to load default
CA certs because this scenario is detected at socket connect time.
Gregory Szorc
sslutil: expand _defaultcacerts docstring to note calling assumptions...
r29488 """
Gábor Stefanik
sslutil: guard against broken certifi installations (issue5406)...
r30228 # The "certifi" Python package provides certificates. If it is installed
# and usable, assume the user intends it to be used and use it.
Gregory Szorc
sslutil: use certificates provided by certifi if available...
r29486 try:
pytype: ignore certifi import error...
r52186 import certifi # pytype: disable=import-error
Augie Fackler
formatting: blacken the codebase...
r43346
Gregory Szorc
sslutil: use certificates provided by certifi if available...
r29486 certs = certifi.where()
Gábor Stefanik
sslutil: guard against broken certifi installations (issue5406)...
r30228 if os.path.exists(certs):
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 ui.debug(b'using ca certificates from certifi\n')
Augie Fackler
sslutil: fsencode path returned by certifi (issue6132)...
r42450 return pycompat.fsencode(certs)
Gábor Stefanik
sslutil: guard against broken certifi installations (issue5406)...
r30228 except (ImportError, AttributeError):
Gregory Szorc
sslutil: use certificates provided by certifi if available...
r29486 pass
Gregory Szorc
sslutil: document the Apple OpenSSL cert trick...
r29487 # Apple's OpenSSL has patches that allow a specially constructed certificate
# to load the system CA store. If we're running on Apple Python, use this
# trick.
Yuya Nishihara
ssl: extract function that returns dummycert path on Apple python...
r24288 if _plainapplepython():
Pulkit Goyal
py3: use pycompat.fsencode() to convert __file__ to bytes...
r31074 dummycert = os.path.join(
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 os.path.dirname(pycompat.fsencode(__file__)), b'dummycert.pem'
Augie Fackler
formatting: blacken the codebase...
r43346 )
Yuya Nishihara
ssl: extract function that returns dummycert path on Apple python...
r24288 if os.path.exists(dummycert):
return dummycert
Gregory Szorc
sslutil: move code examining _canloaddefaultcerts out of _defaultcacerts...
r29107
return None
Yuya Nishihara
ssl: extract function that returns dummycert path on Apple python...
r24288
Augie Fackler
formatting: blacken the codebase...
r43346
Gregory Szorc
sslutil: remove "strict" argument from validatesocket()...
r29286 def validatesocket(sock):
Mads Kiilerich
spelling: fixes of non-dictionary words
r30332 """Validate a socket meets security requirements.
Matt Mackall
sslutil: try harder to avoid getpeercert problems...
r18879
Gregory Szorc
sslutil: convert socket validation from a class to a function (API)...
r29227 The passed socket must have been created with ``wrapsocket()``.
"""
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 shost = sock._hgstate[b'hostname']
Augie Fackler
sslutil: lots of unicode/bytes cleanup...
r36760 host = pycompat.bytesurl(shost)
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 ui = sock._hgstate[b'ui']
settings = sock._hgstate[b'settings']
Matt Mackall
sslutil: try harder to avoid getpeercert problems...
r18879
Gregory Szorc
sslutil: convert socket validation from a class to a function (API)...
r29227 try:
peercert = sock.getpeercert(True)
peercert2 = sock.getpeercert()
except AttributeError:
Martin von Zweigbergk
errors: introduce SecurityError and use it in a few places...
r46527 raise error.SecurityError(_(b'%s ssl connection error') % host)
Yuya Nishihara
ssl: extract function that returns dummycert path on Apple python...
r24288
Gregory Szorc
sslutil: convert socket validation from a class to a function (API)...
r29227 if not peercert:
Martin von Zweigbergk
errors: introduce SecurityError and use it in a few places...
r46527 raise error.SecurityError(
Martin von Zweigbergk
cleanup: join string literals that are already on one line...
r43387 _(b'%s certificate error: no certificate received') % host
Augie Fackler
formatting: blacken the codebase...
r43346 )
Matt Mackall
sslutil: try harder to avoid getpeercert problems...
r18879
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 if settings[b'disablecertverification']:
Gregory Szorc
sslutil: move and change warning when cert verification is disabled...
r29289 # We don't print the certificate fingerprint because it shouldn't
# be necessary: if the user requested certificate verification be
# disabled, they presumably already saw a message about the inability
# to verify the certificate and this message would have printed the
# fingerprint. So printing the fingerprint here adds little to no
# value.
Augie Fackler
formatting: blacken the codebase...
r43346 ui.warn(
_(
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 b'warning: connection security to %s is disabled per current '
b'settings; communication is susceptible to eavesdropping '
b'and tampering\n'
Augie Fackler
formatting: blacken the codebase...
r43346 )
% host
)
Gregory Szorc
sslutil: move and change warning when cert verification is disabled...
r29289 return
Matt Mackall
sslutil: try harder to avoid getpeercert problems...
r18879
Gregory Szorc
sslutil: convert socket validation from a class to a function (API)...
r29227 # If a certificate fingerprint is pinned, use it and only it to
# validate the remote cert.
Gregory Szorc
sslutil: calculate host fingerprints from additional algorithms...
r29262 peerfingerprints = {
Joerg Sonnenberger
node: import symbols explicitly...
r46729 b'sha1': hex(hashutil.sha1(peercert).digest()),
b'sha256': hex(hashlib.sha256(peercert).digest()),
b'sha512': hex(hashlib.sha512(peercert).digest()),
Gregory Szorc
sslutil: calculate host fingerprints from additional algorithms...
r29262 }
Matt Mackall
sslutil: try harder to avoid getpeercert problems...
r18879
Gregory Szorc
sslutil: print SHA-256 fingerprint by default...
r29290 def fmtfingerprint(s):
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 return b':'.join([s[x : x + 2] for x in range(0, len(s), 2)])
Gregory Szorc
sslutil: print SHA-256 fingerprint by default...
r29290
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 nicefingerprint = b'sha256:%s' % fmtfingerprint(peerfingerprints[b'sha256'])
Gregory Szorc
sslutil: document and slightly refactor validation logic...
r28850
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 if settings[b'certfingerprints']:
for hash, fingerprint in settings[b'certfingerprints']:
Gregory Szorc
sslutil: calculate host fingerprints from additional algorithms...
r29262 if peerfingerprints[hash].lower() == fingerprint:
Augie Fackler
formatting: blacken the codebase...
r43346 ui.debug(
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 b'%s certificate matched fingerprint %s:%s\n'
Augie Fackler
formatting: blacken the codebase...
r43346 % (host, hash, fmtfingerprint(fingerprint))
)
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 if settings[b'legacyfingerprint']:
Augie Fackler
formatting: blacken the codebase...
r43346 ui.warn(
_(
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 b'(SHA-1 fingerprint for %s found in legacy '
b'[hostfingerprints] section; '
b'if you trust this fingerprint, remove the old '
b'SHA-1 fingerprint from [hostfingerprints] and '
b'add the following entry to the new '
b'[hostsecurity] section: %s:fingerprints=%s)\n'
Augie Fackler
formatting: blacken the codebase...
r43346 )
% (host, host, nicefingerprint)
)
Gregory Szorc
sslutil: refactor code for fingerprint matching...
r29291 return
Gregory Szorc
sslutil: document and slightly refactor validation logic...
r28850
Gregory Szorc
sslutil: print the fingerprint from the last hash used...
r29293 # Pinned fingerprint didn't match. This is a fatal error.
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 if settings[b'legacyfingerprint']:
section = b'hostfingerprint'
nice = fmtfingerprint(peerfingerprints[b'sha1'])
Gregory Szorc
sslutil: print the fingerprint from the last hash used...
r29293 else:
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 section = b'hostsecurity'
nice = b'%s:%s' % (hash, fmtfingerprint(peerfingerprints[hash]))
Martin von Zweigbergk
errors: introduce SecurityError and use it in a few places...
r46527 raise error.SecurityError(
Martin von Zweigbergk
cleanup: join string literals that are already on one line...
r43387 _(b'certificate for %s has unexpected fingerprint %s')
Augie Fackler
formatting: blacken the codebase...
r43346 % (host, nice),
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 hint=_(b'check %s configuration') % section,
Augie Fackler
formatting: blacken the codebase...
r43346 )
Gregory Szorc
sslutil: document and slightly refactor validation logic...
r28850
Gregory Szorc
sslutil: abort when unable to verify peer connection (BC)...
r29411 # Security is enabled but no CAs are loaded. We can't establish trust
# for the cert so abort.
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 if not sock._hgstate[b'caloaded']:
Martin von Zweigbergk
errors: introduce SecurityError and use it in a few places...
r46527 raise error.SecurityError(
Augie Fackler
formatting: blacken the codebase...
r43346 _(
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 b'unable to verify security of %s (no loaded CA certificates); '
b'refusing to connect'
Augie Fackler
formatting: blacken the codebase...
r43346 )
% host,
hint=_(
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 b'see https://mercurial-scm.org/wiki/SecureConnections for '
b'how to configure Mercurial to avoid this error or set '
b'hostsecurity.%s:fingerprints=%s to trust this server'
Augie Fackler
formatting: blacken the codebase...
r43346 )
% (host, nicefingerprint),
)
Gregory Szorc
sslutil: use CA loaded state to drive validation logic...
r29113
Augie Fackler
sslutil: lots of unicode/bytes cleanup...
r36760 msg = _verifycert(peercert2, shost)
Gregory Szorc
sslutil: convert socket validation from a class to a function (API)...
r29227 if msg:
Martin von Zweigbergk
errors: introduce SecurityError and use it in a few places...
r46527 raise error.SecurityError(
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 _(b'%s certificate error: %s') % (host, msg),
Augie Fackler
formatting: blacken the codebase...
r43346 hint=_(
Augie Fackler
formatting: byteify all mercurial/ and hgext/ string literals...
r43347 b'set hostsecurity.%s:certfingerprints=%s '
b'config setting or use --insecure to connect '
b'insecurely'
Augie Fackler
formatting: blacken the codebase...
r43346 )
% (host, nicefingerprint),
)