upstream/mercurial-mirror Files · mercurial/sslutil.py

localrepository: use 'changectx.dirs()' in 'status()' for directory patterns...

localrepository: use 'changectx.dirs()' in 'status()' for directory patterns when pattern which does not match against any files in working context is specified, current implementation of 'localrepository.status()' decides whether warning message about it should be shown or not by 'f not in context' this works correctly for 'file pattern', but not for 'directory pattern', because 'f not in context' always returns True for directories, even if they are related to the context. this patch uses 'changectx.dirs()' to examine whether specified pattern is related to the context as a directory or not.

Matt Mackall - - Load All Authors

File last commit:

r15997:a45516cb stable


                r16144:4546a851

stable

Download file

             sslutil.py
        
                    142 lines
            
             | 5.8 KiB
            
                | text/x-python
            
             |
                PythonLexer
            
             / mercurial / sslutil.py
          
                    History
                
                 |
                  Source
                 | Raw
                 |Copy content
                 |Copy permalink

        Augie Fackler
    
sslutil: extracted ssl methods from httpsconnection in url.py...

              r14204
            
      # sslutil.py - SSL handling for mercurial

      #

      # Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com>

      # Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>

      # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>

      #

      # This software may be used and distributed according to the terms of the

      # GNU General Public License version 2 or any later version.

      import os

      from mercurial import util

      from mercurial.i18n import _

      try:

          # avoid using deprecated/broken FakeSocket in python 2.6

          import ssl

          CERT_REQUIRED = ssl.CERT_REQUIRED

        Mads Kiilerich
    
sslutil: verify that wrap_socket really wrapped the socket...

              r15812
            
          def ssl_wrap_socket(sock, keyfile, certfile,

                      cert_reqs=ssl.CERT_NONE, ca_certs=None):

              sslsocket = ssl.wrap_socket(sock, keyfile, certfile,

                      cert_reqs=cert_reqs, ca_certs=ca_certs)

              # check if wrap_socket failed silently because socket had been closed

              # - see http://bugs.python.org/issue13721

              if not sslsocket.cipher():

                  raise util.Abort(_('ssl connection failed'))

              return sslsocket

        Augie Fackler
    
sslutil: extracted ssl methods from httpsconnection in url.py...

              r14204
            
      except ImportError:

          CERT_REQUIRED = 2

        Stephen Thorne
    
sslutil: Restore missing imports of socket and httplib to sslutil...

              r14616
            
          import socket, httplib

        Augie Fackler
    
sslutil: extracted ssl methods from httpsconnection in url.py...

              r14204
            
          def ssl_wrap_socket(sock, key_file, cert_file,

                              cert_reqs=CERT_REQUIRED, ca_certs=None):

        Mads Kiilerich
    
sslutil: abort when ssl module is needed but not found...

              r15160
            
              if not util.safehasattr(socket, 'ssl'):

                  raise util.Abort(_('Python SSL support not found'))

        Augie Fackler
    
sslutil: extracted ssl methods from httpsconnection in url.py...

              r14204
            
              if ca_certs:

                  raise util.Abort(_(

                      'certificate checking requires Python 2.6'))

              ssl = socket.ssl(sock, key_file, cert_file)

              return httplib.FakeSocket(sock, ssl)

      def _verifycert(cert, hostname):

          '''Verify that cert (in socket.getpeercert() format) matches hostname.

          CRLs is not handled.

          Returns error message if any problems are found and None on success.

          '''

          if not cert:

              return _('no certificate received')

          dnsname = hostname.lower()

          def matchdnsname(certname):

              return (certname == dnsname or

                      '.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1])

          san = cert.get('subjectAltName', [])

          if san:

              certnames = [value.lower() for key, value in san if key == 'DNS']

              for name in certnames:

                  if matchdnsname(name):

                      return None

        Nicolas Bareil
    
sslutil: fall back to commonName when no dNSName in subjectAltName (issue2798)...

              r14666
            
              if certnames:

                  return _('certificate is for %s') % ', '.join(certnames)

        Augie Fackler
    
sslutil: extracted ssl methods from httpsconnection in url.py...

              r14204
            
          # subject is only checked when subjectAltName is empty

          for s in cert.get('subject', []):

              key, value = s[0]

              if key == 'commonName':

                  try:

                      # 'subject' entries are unicode

                      certname = value.lower().encode('ascii')

                  except UnicodeEncodeError:

                      return _('IDN in certificate not supported')

                  if matchdnsname(certname):

                      return None

                  return _('certificate is for %s') % certname

          return _('no commonName or subjectAltName found in certificate')

      # CERT_REQUIRED means fetch the cert from the server all the time AND

      # validate it against the CA store provided in web.cacerts.

      #

      # We COMPLETELY ignore CERT_REQUIRED on Python <= 2.5, as it's totally

      # busted on those versions.

      def sslkwargs(ui, host):

          cacerts = ui.config('web', 'cacerts')

          hostfingerprint = ui.config('hostfingerprints', host)

          if cacerts and not hostfingerprint:

              cacerts = util.expandpath(cacerts)

              if not os.path.exists(cacerts):

                  raise util.Abort(_('could not find web.cacerts: %s') % cacerts)

              return {'ca_certs': cacerts,

                      'cert_reqs': CERT_REQUIRED,

                      }

          return {}

      class validator(object):

          def __init__(self, ui, host):

              self.ui = ui

              self.host = host

          def __call__(self, sock):

              host = self.host

              cacerts = self.ui.config('web', 'cacerts')

              hostfingerprint = self.ui.config('hostfingerprints', host)

        Mads Kiilerich
    
sslutil: handle setups without .getpeercert() early in the validator...

              r15813
            
              if not getattr(sock, 'getpeercert', False): # python 2.5 ?

                  if hostfingerprint:

                      raise util.Abort(_("host fingerprint for %s can't be "

                                         "verified (Python too old)") % host)

                  self.ui.warn(_("warning: certificate for %s can't be verified "

                                 "(Python too old)\n") % host)

                  return

        Mads Kiilerich
    
sslutil: work around validator crash getting certificate on failed sockets...

              r15816
            
              if not sock.cipher(): # work around http://bugs.python.org/issue13721

                  raise util.Abort(_('%s ssl connection error') % host)

        Mads Kiilerich
    
sslutil: show fingerprint when cacerts validation fails

              r15814
            
              peercert = sock.getpeercert(True)

        Mads Kiilerich
    
sslutil: abort properly if no certificate received for https connection...

              r15817
            
              if not peercert:

                  raise util.Abort(_('%s certificate error: '

                                     'no certificate received') % host)

        Mads Kiilerich
    
sslutil: show fingerprint when cacerts validation fails

              r15814
            
              peerfingerprint = util.sha1(peercert).hexdigest()

              nicefingerprint = ":".join([peerfingerprint[x:x + 2]

                  for x in xrange(0, len(peerfingerprint), 2)])

        Mads Kiilerich
    
sslutil: reorder validator code to make it more readable

              r15815
            
              if hostfingerprint:

                  if peerfingerprint.lower() != \

                          hostfingerprint.replace(':', '').lower():

        Matt Mackall
    
sslutil: more helpful fingerprint mismatch message...

              r15997
            
                      raise util.Abort(_('certificate for %s has unexpected '

                                         'fingerprint %s') % (host, nicefingerprint),

                                       hint=_('check hostfingerprint configuration'))

        Mads Kiilerich
    
sslutil: reorder validator code to make it more readable

              r15815
            
                  self.ui.debug('%s certificate matched fingerprint %s\n' %

                                (host, nicefingerprint))

              elif cacerts:

        Augie Fackler
    
sslutil: extracted ssl methods from httpsconnection in url.py...

              r14204
            
                  msg = _verifycert(sock.getpeercert(), host)

                  if msg:

        Mads Kiilerich
    
sslutil: show fingerprint when cacerts validation fails

              r15814
            
                      raise util.Abort(_('%s certificate error: %s') % (host, msg),

                                       hint=_('configure hostfingerprint %s or use '

                                              '--insecure to connect insecurely') %

                                            nicefingerprint)

        Augie Fackler
    
sslutil: extracted ssl methods from httpsconnection in url.py...

              r14204
            
                  self.ui.debug('%s certificate successfully verified\n' % host)

              else:

        Mads Kiilerich
    
sslutil: reorder validator code to make it more readable

              r15815
            
                  self.ui.warn(_('warning: %s certificate with fingerprint %s not '

                                 'verified (check hostfingerprints or web.cacerts '

                                 'config setting)\n') %

                               (host, nicefingerprint))

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

Augie Fackler sslutil: extracted ssl methods from httpsconnection in url.py...	r14204	# sslutil.py - SSL handling for mercurial
		#
		# Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com>
		# Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>
		# Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
		#
		# This software may be used and distributed according to the terms of the
		# GNU General Public License version 2 or any later version.
		import os

		from mercurial import util
		from mercurial.i18n import _
		try:
		# avoid using deprecated/broken FakeSocket in python 2.6
		import ssl
		CERT_REQUIRED = ssl.CERT_REQUIRED
Mads Kiilerich sslutil: verify that wrap_socket really wrapped the socket...	r15812	def ssl_wrap_socket(sock, keyfile, certfile,
		cert_reqs=ssl.CERT_NONE, ca_certs=None):
		sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
		cert_reqs=cert_reqs, ca_certs=ca_certs)
		# check if wrap_socket failed silently because socket had been closed
		# - see http://bugs.python.org/issue13721
		if not sslsocket.cipher():
		raise util.Abort(_('ssl connection failed'))
		return sslsocket
Augie Fackler sslutil: extracted ssl methods from httpsconnection in url.py...	r14204	except ImportError:
		CERT_REQUIRED = 2

Stephen Thorne sslutil: Restore missing imports of socket and httplib to sslutil...	r14616	import socket, httplib

Augie Fackler sslutil: extracted ssl methods from httpsconnection in url.py...	r14204	def ssl_wrap_socket(sock, key_file, cert_file,
		cert_reqs=CERT_REQUIRED, ca_certs=None):
Mads Kiilerich sslutil: abort when ssl module is needed but not found...	r15160	if not util.safehasattr(socket, 'ssl'):
		raise util.Abort(_('Python SSL support not found'))
Augie Fackler sslutil: extracted ssl methods from httpsconnection in url.py...	r14204	if ca_certs:
		raise util.Abort(_(
		'certificate checking requires Python 2.6'))

		ssl = socket.ssl(sock, key_file, cert_file)
		return httplib.FakeSocket(sock, ssl)

		def _verifycert(cert, hostname):
		'''Verify that cert (in socket.getpeercert() format) matches hostname.
		CRLs is not handled.

		Returns error message if any problems are found and None on success.
		'''
		if not cert:
		return _('no certificate received')
		dnsname = hostname.lower()
		def matchdnsname(certname):
		return (certname == dnsname or
		'.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1])

		san = cert.get('subjectAltName', [])
		if san:
		certnames = [value.lower() for key, value in san if key == 'DNS']
		for name in certnames:
		if matchdnsname(name):
		return None
Nicolas Bareil sslutil: fall back to commonName when no dNSName in subjectAltName (issue2798)...	r14666	if certnames:
		return _('certificate is for %s') % ', '.join(certnames)
Augie Fackler sslutil: extracted ssl methods from httpsconnection in url.py...	r14204
		# subject is only checked when subjectAltName is empty
		for s in cert.get('subject', []):
		key, value = s[0]
		if key == 'commonName':
		try:
		# 'subject' entries are unicode
		certname = value.lower().encode('ascii')
		except UnicodeEncodeError:
		return _('IDN in certificate not supported')
		if matchdnsname(certname):
		return None
		return _('certificate is for %s') % certname
		return _('no commonName or subjectAltName found in certificate')


		# CERT_REQUIRED means fetch the cert from the server all the time AND
		# validate it against the CA store provided in web.cacerts.
		#
		# We COMPLETELY ignore CERT_REQUIRED on Python <= 2.5, as it's totally
		# busted on those versions.

		def sslkwargs(ui, host):
		cacerts = ui.config('web', 'cacerts')
		hostfingerprint = ui.config('hostfingerprints', host)
		if cacerts and not hostfingerprint:
		cacerts = util.expandpath(cacerts)
		if not os.path.exists(cacerts):
		raise util.Abort(_('could not find web.cacerts: %s') % cacerts)
		return {'ca_certs': cacerts,
		'cert_reqs': CERT_REQUIRED,
		}
		return {}

		class validator(object):
		def __init__(self, ui, host):
		self.ui = ui
		self.host = host

		def __call__(self, sock):
		host = self.host
		cacerts = self.ui.config('web', 'cacerts')
		hostfingerprint = self.ui.config('hostfingerprints', host)
Mads Kiilerich sslutil: handle setups without .getpeercert() early in the validator...	r15813	if not getattr(sock, 'getpeercert', False): # python 2.5 ?
		if hostfingerprint:
		raise util.Abort(_("host fingerprint for %s can't be "
		"verified (Python too old)") % host)
		self.ui.warn(_("warning: certificate for %s can't be verified "
		"(Python too old)\n") % host)
		return
Mads Kiilerich sslutil: work around validator crash getting certificate on failed sockets...	r15816	if not sock.cipher(): # work around http://bugs.python.org/issue13721
		raise util.Abort(_('%s ssl connection error') % host)
Mads Kiilerich sslutil: show fingerprint when cacerts validation fails	r15814	peercert = sock.getpeercert(True)
Mads Kiilerich sslutil: abort properly if no certificate received for https connection...	r15817	if not peercert:
		raise util.Abort(_('%s certificate error: '
		'no certificate received') % host)
Mads Kiilerich sslutil: show fingerprint when cacerts validation fails	r15814	peerfingerprint = util.sha1(peercert).hexdigest()
		nicefingerprint = ":".join([peerfingerprint[x:x + 2]
		for x in xrange(0, len(peerfingerprint), 2)])
Mads Kiilerich sslutil: reorder validator code to make it more readable	r15815	if hostfingerprint:
		if peerfingerprint.lower() != \
		hostfingerprint.replace(':', '').lower():
Matt Mackall sslutil: more helpful fingerprint mismatch message...	r15997	raise util.Abort(_('certificate for %s has unexpected '
		'fingerprint %s') % (host, nicefingerprint),
		hint=_('check hostfingerprint configuration'))
Mads Kiilerich sslutil: reorder validator code to make it more readable	r15815	self.ui.debug('%s certificate matched fingerprint %s\n' %
		(host, nicefingerprint))
		elif cacerts:
Augie Fackler sslutil: extracted ssl methods from httpsconnection in url.py...	r14204	msg = _verifycert(sock.getpeercert(), host)
		if msg:
Mads Kiilerich sslutil: show fingerprint when cacerts validation fails	r15814	raise util.Abort(_('%s certificate error: %s') % (host, msg),
		hint=_('configure hostfingerprint %s or use '
		'--insecure to connect insecurely') %
		nicefingerprint)
Augie Fackler sslutil: extracted ssl methods from httpsconnection in url.py...	r14204	self.ui.debug('%s certificate successfully verified\n' % host)
		else:
Mads Kiilerich sslutil: reorder validator code to make it more readable	r15815	self.ui.warn(_('warning: %s certificate with fingerprint %s not '
		'verified (check hostfingerprints or web.cacerts '
		'config setting)\n') %
		(host, nicefingerprint))