##// END OF EJS Templates
upstream » mercurial-mirror
RSS

Clone from https://www.mercurial-scm.org/repo/hg-all

revset: add a predicate for finding converted changesets...
revset: add a predicate for finding converted changesets This selects changesets added because of repo conversions. For example hg log -r "converted()" # all csets created by a convertion hg log -r "converted(rev)" # the cset converted from rev in the src repo The converted(rev) form is analogous to remote(id), where the remote repo is the source of the conversion. This can be useful for cross referencing an old repository into the current one. The source revision may be the short changeset hash or the full hash from the source repository. The local identifier isn't useful. An interesting ramification of this is if a short revision is specified, it may cause more than one changeset to be selected. (e.g. converted(6) matches changesets with a convert_revision field of 6e..e and 67..0) The convert.hg.saverev option must have been specified when converting the hg source repository for this to work. The other sources automatically embed the converted marker.
Steven Stallion - - Load All Authors

File last commit:

r16391:9cf7c9d5 default
r17002:0eb52262 default
Show More
sslutil.py
143 lines | 5.9 KiB | text/x-python | PythonLexer
/ mercurial / sslutil.py
History | Source | Raw |Copy content |Copy permalink
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
 r14204 # sslutil.py - SSL handling for mercurial
#
# Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com>
# Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>
# Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
#
# This software may be used and distributed according to the terms of the
# GNU General Public License version 2 or any later version.
import os
from mercurial import util
from mercurial.i18n import _
try:
# avoid using deprecated/broken FakeSocket in python 2.6
import ssl
CERT_REQUIRED = ssl.CERT_REQUIRED
Mads Kiilerich
sslutil: verify that wrap_socket really wrapped the socket...
 r15812 def ssl_wrap_socket(sock, keyfile, certfile,
cert_reqs=ssl.CERT_NONE, ca_certs=None):
sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
cert_reqs=cert_reqs, ca_certs=ca_certs)
# check if wrap_socket failed silently because socket had been closed
# - see http://bugs.python.org/issue13721
if not sslsocket.cipher():
raise util.Abort(_('ssl connection failed'))
return sslsocket
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
 r14204 except ImportError:
CERT_REQUIRED = 2
Stephen Thorne
sslutil: Restore missing imports of socket and httplib to sslutil...
 r14616 import socket, httplib
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
 r14204 def ssl_wrap_socket(sock, key_file, cert_file,
cert_reqs=CERT_REQUIRED, ca_certs=None):
Mads Kiilerich
sslutil: abort when ssl module is needed but not found...
 r15160 if not util.safehasattr(socket, 'ssl'):
raise util.Abort(_('Python SSL support not found'))
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
 r14204 if ca_certs:
raise util.Abort(_(
'certificate checking requires Python 2.6'))
ssl = socket.ssl(sock, key_file, cert_file)
return httplib.FakeSocket(sock, ssl)
def _verifycert(cert, hostname):
'''Verify that cert (in socket.getpeercert() format) matches hostname.
CRLs is not handled.
Returns error message if any problems are found and None on success.
'''
if not cert:
return _('no certificate received')
dnsname = hostname.lower()
def matchdnsname(certname):
return (certname == dnsname or
'.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1])
san = cert.get('subjectAltName', [])
if san:
certnames = [value.lower() for key, value in san if key == 'DNS']
for name in certnames:
if matchdnsname(name):
return None
Nicolas Bareil
sslutil: fall back to commonName when no dNSName in subjectAltName (issue2798)...
 r14666 if certnames:
return _('certificate is for %s') % ', '.join(certnames)
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
 r14204
# subject is only checked when subjectAltName is empty
for s in cert.get('subject', []):
key, value = s[0]
if key == 'commonName':
try:
# 'subject' entries are unicode
certname = value.lower().encode('ascii')
except UnicodeEncodeError:
return _('IDN in certificate not supported')
if matchdnsname(certname):
return None
return _('certificate is for %s') % certname
return _('no commonName or subjectAltName found in certificate')
# CERT_REQUIRED means fetch the cert from the server all the time AND
# validate it against the CA store provided in web.cacerts.
#
# We COMPLETELY ignore CERT_REQUIRED on Python <= 2.5, as it's totally
# busted on those versions.
def sslkwargs(ui, host):
cacerts = ui.config('web', 'cacerts')
hostfingerprint = ui.config('hostfingerprints', host)
if cacerts and not hostfingerprint:
cacerts = util.expandpath(cacerts)
if not os.path.exists(cacerts):
raise util.Abort(_('could not find web.cacerts: %s') % cacerts)
return {'ca_certs': cacerts,
'cert_reqs': CERT_REQUIRED,
}
return {}
class validator(object):
def __init__(self, ui, host):
self.ui = ui
self.host = host
def __call__(self, sock):
host = self.host
cacerts = self.ui.config('web', 'cacerts')
hostfingerprint = self.ui.config('hostfingerprints', host)
Mads Kiilerich
sslutil: handle setups without .getpeercert() early in the validator...
 r15813 if not getattr(sock, 'getpeercert', False): # python 2.5 ?
if hostfingerprint:
raise util.Abort(_("host fingerprint for %s can't be "
"verified (Python too old)") % host)
Steven Stallion
ui: optionally quiesce ssl verification warnings on python 2.5...
 r16391 if self.ui.configbool('ui', 'reportoldssl', True):
self.ui.warn(_("warning: certificate for %s can't be verified "
"(Python too old)\n") % host)
Mads Kiilerich
sslutil: handle setups without .getpeercert() early in the validator...
 r15813 return
Mads Kiilerich
sslutil: work around validator crash getting certificate on failed sockets...
 r15816 if not sock.cipher(): # work around http://bugs.python.org/issue13721
raise util.Abort(_('%s ssl connection error') % host)
Mads Kiilerich
sslutil: show fingerprint when cacerts validation fails
 r15814 peercert = sock.getpeercert(True)
Mads Kiilerich
sslutil: abort properly if no certificate received for https connection...
 r15817 if not peercert:
raise util.Abort(_('%s certificate error: '
'no certificate received') % host)
Mads Kiilerich
sslutil: show fingerprint when cacerts validation fails
 r15814 peerfingerprint = util.sha1(peercert).hexdigest()
nicefingerprint = ":".join([peerfingerprint[x:x + 2]
for x in xrange(0, len(peerfingerprint), 2)])
Mads Kiilerich
sslutil: reorder validator code to make it more readable
 r15815 if hostfingerprint:
if peerfingerprint.lower() != \
hostfingerprint.replace(':', '').lower():
Matt Mackall
sslutil: more helpful fingerprint mismatch message...
 r15997 raise util.Abort(_('certificate for %s has unexpected '
'fingerprint %s') % (host, nicefingerprint),
hint=_('check hostfingerprint configuration'))
Mads Kiilerich
sslutil: reorder validator code to make it more readable
 r15815 self.ui.debug('%s certificate matched fingerprint %s\n' %
(host, nicefingerprint))
elif cacerts:
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
 r14204 msg = _verifycert(sock.getpeercert(), host)
if msg:
Mads Kiilerich
sslutil: show fingerprint when cacerts validation fails
 r15814 raise util.Abort(_('%s certificate error: %s') % (host, msg),
hint=_('configure hostfingerprint %s or use '
'--insecure to connect insecurely') %
nicefingerprint)
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
 r14204 self.ui.debug('%s certificate successfully verified\n' % host)
else:
Mads Kiilerich
sslutil: reorder validator code to make it more readable
 r15815 self.ui.warn(_('warning: %s certificate with fingerprint %s not '
'verified (check hostfingerprints or web.cacerts '
'config setting)\n') %
(host, nicefingerprint))