##// END OF EJS Templates
cvsps: use commitids (when present) to detect changesets...
cvsps: use commitids (when present) to detect changesets Simplify core logic by no longer attempting to work around missing class attributes. Instead always generate the attributes and ignore the cache if the attributes are missing

File last commit:

r16391:9cf7c9d5 default
r18261:1b7b5975 default
Show More
sslutil.py
143 lines | 5.9 KiB | text/x-python | PythonLexer
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
r14204 # sslutil.py - SSL handling for mercurial
#
# Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com>
# Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>
# Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
#
# This software may be used and distributed according to the terms of the
# GNU General Public License version 2 or any later version.
import os
from mercurial import util
from mercurial.i18n import _
try:
# avoid using deprecated/broken FakeSocket in python 2.6
import ssl
CERT_REQUIRED = ssl.CERT_REQUIRED
Mads Kiilerich
sslutil: verify that wrap_socket really wrapped the socket...
r15812 def ssl_wrap_socket(sock, keyfile, certfile,
cert_reqs=ssl.CERT_NONE, ca_certs=None):
sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
cert_reqs=cert_reqs, ca_certs=ca_certs)
# check if wrap_socket failed silently because socket had been closed
# - see http://bugs.python.org/issue13721
if not sslsocket.cipher():
raise util.Abort(_('ssl connection failed'))
return sslsocket
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
r14204 except ImportError:
CERT_REQUIRED = 2
Stephen Thorne
sslutil: Restore missing imports of socket and httplib to sslutil...
r14616 import socket, httplib
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
r14204 def ssl_wrap_socket(sock, key_file, cert_file,
cert_reqs=CERT_REQUIRED, ca_certs=None):
Mads Kiilerich
sslutil: abort when ssl module is needed but not found...
r15160 if not util.safehasattr(socket, 'ssl'):
raise util.Abort(_('Python SSL support not found'))
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
r14204 if ca_certs:
raise util.Abort(_(
'certificate checking requires Python 2.6'))
ssl = socket.ssl(sock, key_file, cert_file)
return httplib.FakeSocket(sock, ssl)
def _verifycert(cert, hostname):
'''Verify that cert (in socket.getpeercert() format) matches hostname.
CRLs is not handled.
Returns error message if any problems are found and None on success.
'''
if not cert:
return _('no certificate received')
dnsname = hostname.lower()
def matchdnsname(certname):
return (certname == dnsname or
'.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1])
san = cert.get('subjectAltName', [])
if san:
certnames = [value.lower() for key, value in san if key == 'DNS']
for name in certnames:
if matchdnsname(name):
return None
Nicolas Bareil
sslutil: fall back to commonName when no dNSName in subjectAltName (issue2798)...
r14666 if certnames:
return _('certificate is for %s') % ', '.join(certnames)
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
r14204
# subject is only checked when subjectAltName is empty
for s in cert.get('subject', []):
key, value = s[0]
if key == 'commonName':
try:
# 'subject' entries are unicode
certname = value.lower().encode('ascii')
except UnicodeEncodeError:
return _('IDN in certificate not supported')
if matchdnsname(certname):
return None
return _('certificate is for %s') % certname
return _('no commonName or subjectAltName found in certificate')
# CERT_REQUIRED means fetch the cert from the server all the time AND
# validate it against the CA store provided in web.cacerts.
#
# We COMPLETELY ignore CERT_REQUIRED on Python <= 2.5, as it's totally
# busted on those versions.
def sslkwargs(ui, host):
cacerts = ui.config('web', 'cacerts')
hostfingerprint = ui.config('hostfingerprints', host)
if cacerts and not hostfingerprint:
cacerts = util.expandpath(cacerts)
if not os.path.exists(cacerts):
raise util.Abort(_('could not find web.cacerts: %s') % cacerts)
return {'ca_certs': cacerts,
'cert_reqs': CERT_REQUIRED,
}
return {}
class validator(object):
def __init__(self, ui, host):
self.ui = ui
self.host = host
def __call__(self, sock):
host = self.host
cacerts = self.ui.config('web', 'cacerts')
hostfingerprint = self.ui.config('hostfingerprints', host)
Mads Kiilerich
sslutil: handle setups without .getpeercert() early in the validator...
r15813 if not getattr(sock, 'getpeercert', False): # python 2.5 ?
if hostfingerprint:
raise util.Abort(_("host fingerprint for %s can't be "
"verified (Python too old)") % host)
Steven Stallion
ui: optionally quiesce ssl verification warnings on python 2.5...
r16391 if self.ui.configbool('ui', 'reportoldssl', True):
self.ui.warn(_("warning: certificate for %s can't be verified "
"(Python too old)\n") % host)
Mads Kiilerich
sslutil: handle setups without .getpeercert() early in the validator...
r15813 return
Mads Kiilerich
sslutil: work around validator crash getting certificate on failed sockets...
r15816 if not sock.cipher(): # work around http://bugs.python.org/issue13721
raise util.Abort(_('%s ssl connection error') % host)
Mads Kiilerich
sslutil: show fingerprint when cacerts validation fails
r15814 peercert = sock.getpeercert(True)
Mads Kiilerich
sslutil: abort properly if no certificate received for https connection...
r15817 if not peercert:
raise util.Abort(_('%s certificate error: '
'no certificate received') % host)
Mads Kiilerich
sslutil: show fingerprint when cacerts validation fails
r15814 peerfingerprint = util.sha1(peercert).hexdigest()
nicefingerprint = ":".join([peerfingerprint[x:x + 2]
for x in xrange(0, len(peerfingerprint), 2)])
Mads Kiilerich
sslutil: reorder validator code to make it more readable
r15815 if hostfingerprint:
if peerfingerprint.lower() != \
hostfingerprint.replace(':', '').lower():
Matt Mackall
sslutil: more helpful fingerprint mismatch message...
r15997 raise util.Abort(_('certificate for %s has unexpected '
'fingerprint %s') % (host, nicefingerprint),
hint=_('check hostfingerprint configuration'))
Mads Kiilerich
sslutil: reorder validator code to make it more readable
r15815 self.ui.debug('%s certificate matched fingerprint %s\n' %
(host, nicefingerprint))
elif cacerts:
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
r14204 msg = _verifycert(sock.getpeercert(), host)
if msg:
Mads Kiilerich
sslutil: show fingerprint when cacerts validation fails
r15814 raise util.Abort(_('%s certificate error: %s') % (host, msg),
hint=_('configure hostfingerprint %s or use '
'--insecure to connect insecurely') %
nicefingerprint)
Augie Fackler
sslutil: extracted ssl methods from httpsconnection in url.py...
r14204 self.ui.debug('%s certificate successfully verified\n' % host)
else:
Mads Kiilerich
sslutil: reorder validator code to make it more readable
r15815 self.ui.warn(_('warning: %s certificate with fingerprint %s not '
'verified (check hostfingerprints or web.cacerts '
'config setting)\n') %
(host, nicefingerprint))