##// END OF EJS Templates
upstream » mercurial-mirror
RSS

Clone from https://www.mercurial-scm.org/repo/hg-all

sslutil: handle setups without .getpeercert() early in the validator...
Mads Kiilerich -
r15813:3ae04eb5 default
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -1,138 +1,138 b''
1 # sslutil.py - SSL handling for mercurial
1 # sslutil.py - SSL handling for mercurial
2 #
2 #
3 # Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com>
3 # Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com>
4 # Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>
4 # Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>
5 # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
5 # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
6 #
6 #
7 # This software may be used and distributed according to the terms of the
7 # This software may be used and distributed according to the terms of the
8 # GNU General Public License version 2 or any later version.
8 # GNU General Public License version 2 or any later version.
9 import os
9 import os
10
10
11 from mercurial import util
11 from mercurial import util
12 from mercurial.i18n import _
12 from mercurial.i18n import _
13 try:
13 try:
14 # avoid using deprecated/broken FakeSocket in python 2.6
14 # avoid using deprecated/broken FakeSocket in python 2.6
15 import ssl
15 import ssl
16 CERT_REQUIRED = ssl.CERT_REQUIRED
16 CERT_REQUIRED = ssl.CERT_REQUIRED
17 def ssl_wrap_socket(sock, keyfile, certfile,
17 def ssl_wrap_socket(sock, keyfile, certfile,
18 cert_reqs=ssl.CERT_NONE, ca_certs=None):
18 cert_reqs=ssl.CERT_NONE, ca_certs=None):
19 sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
19 sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
20 cert_reqs=cert_reqs, ca_certs=ca_certs)
20 cert_reqs=cert_reqs, ca_certs=ca_certs)
21 # check if wrap_socket failed silently because socket had been closed
21 # check if wrap_socket failed silently because socket had been closed
22 # - see http://bugs.python.org/issue13721
22 # - see http://bugs.python.org/issue13721
23 if not sslsocket.cipher():
23 if not sslsocket.cipher():
24 raise util.Abort(_('ssl connection failed'))
24 raise util.Abort(_('ssl connection failed'))
25 return sslsocket
25 return sslsocket
26 except ImportError:
26 except ImportError:
27 CERT_REQUIRED = 2
27 CERT_REQUIRED = 2
28
28
29 import socket, httplib
29 import socket, httplib
30
30
31 def ssl_wrap_socket(sock, key_file, cert_file,
31 def ssl_wrap_socket(sock, key_file, cert_file,
32 cert_reqs=CERT_REQUIRED, ca_certs=None):
32 cert_reqs=CERT_REQUIRED, ca_certs=None):
33 if not util.safehasattr(socket, 'ssl'):
33 if not util.safehasattr(socket, 'ssl'):
34 raise util.Abort(_('Python SSL support not found'))
34 raise util.Abort(_('Python SSL support not found'))
35 if ca_certs:
35 if ca_certs:
36 raise util.Abort(_(
36 raise util.Abort(_(
37 'certificate checking requires Python 2.6'))
37 'certificate checking requires Python 2.6'))
38
38
39 ssl = socket.ssl(sock, key_file, cert_file)
39 ssl = socket.ssl(sock, key_file, cert_file)
40 return httplib.FakeSocket(sock, ssl)
40 return httplib.FakeSocket(sock, ssl)
41
41
42 def _verifycert(cert, hostname):
42 def _verifycert(cert, hostname):
43 '''Verify that cert (in socket.getpeercert() format) matches hostname.
43 '''Verify that cert (in socket.getpeercert() format) matches hostname.
44 CRLs is not handled.
44 CRLs is not handled.
45
45
46 Returns error message if any problems are found and None on success.
46 Returns error message if any problems are found and None on success.
47 '''
47 '''
48 if not cert:
48 if not cert:
49 return _('no certificate received')
49 return _('no certificate received')
50 dnsname = hostname.lower()
50 dnsname = hostname.lower()
51 def matchdnsname(certname):
51 def matchdnsname(certname):
52 return (certname == dnsname or
52 return (certname == dnsname or
53 '.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1])
53 '.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1])
54
54
55 san = cert.get('subjectAltName', [])
55 san = cert.get('subjectAltName', [])
56 if san:
56 if san:
57 certnames = [value.lower() for key, value in san if key == 'DNS']
57 certnames = [value.lower() for key, value in san if key == 'DNS']
58 for name in certnames:
58 for name in certnames:
59 if matchdnsname(name):
59 if matchdnsname(name):
60 return None
60 return None
61 if certnames:
61 if certnames:
62 return _('certificate is for %s') % ', '.join(certnames)
62 return _('certificate is for %s') % ', '.join(certnames)
63
63
64 # subject is only checked when subjectAltName is empty
64 # subject is only checked when subjectAltName is empty
65 for s in cert.get('subject', []):
65 for s in cert.get('subject', []):
66 key, value = s[0]
66 key, value = s[0]
67 if key == 'commonName':
67 if key == 'commonName':
68 try:
68 try:
69 # 'subject' entries are unicode
69 # 'subject' entries are unicode
70 certname = value.lower().encode('ascii')
70 certname = value.lower().encode('ascii')
71 except UnicodeEncodeError:
71 except UnicodeEncodeError:
72 return _('IDN in certificate not supported')
72 return _('IDN in certificate not supported')
73 if matchdnsname(certname):
73 if matchdnsname(certname):
74 return None
74 return None
75 return _('certificate is for %s') % certname
75 return _('certificate is for %s') % certname
76 return _('no commonName or subjectAltName found in certificate')
76 return _('no commonName or subjectAltName found in certificate')
77
77
78
78
79 # CERT_REQUIRED means fetch the cert from the server all the time AND
79 # CERT_REQUIRED means fetch the cert from the server all the time AND
80 # validate it against the CA store provided in web.cacerts.
80 # validate it against the CA store provided in web.cacerts.
81 #
81 #
82 # We COMPLETELY ignore CERT_REQUIRED on Python <= 2.5, as it's totally
82 # We COMPLETELY ignore CERT_REQUIRED on Python <= 2.5, as it's totally
83 # busted on those versions.
83 # busted on those versions.
84
84
85 def sslkwargs(ui, host):
85 def sslkwargs(ui, host):
86 cacerts = ui.config('web', 'cacerts')
86 cacerts = ui.config('web', 'cacerts')
87 hostfingerprint = ui.config('hostfingerprints', host)
87 hostfingerprint = ui.config('hostfingerprints', host)
88 if cacerts and not hostfingerprint:
88 if cacerts and not hostfingerprint:
89 cacerts = util.expandpath(cacerts)
89 cacerts = util.expandpath(cacerts)
90 if not os.path.exists(cacerts):
90 if not os.path.exists(cacerts):
91 raise util.Abort(_('could not find web.cacerts: %s') % cacerts)
91 raise util.Abort(_('could not find web.cacerts: %s') % cacerts)
92 return {'ca_certs': cacerts,
92 return {'ca_certs': cacerts,
93 'cert_reqs': CERT_REQUIRED,
93 'cert_reqs': CERT_REQUIRED,
94 }
94 }
95 return {}
95 return {}
96
96
97 class validator(object):
97 class validator(object):
98 def __init__(self, ui, host):
98 def __init__(self, ui, host):
99 self.ui = ui
99 self.ui = ui
100 self.host = host
100 self.host = host
101
101
102 def __call__(self, sock):
102 def __call__(self, sock):
103 host = self.host
103 host = self.host
104 cacerts = self.ui.config('web', 'cacerts')
104 cacerts = self.ui.config('web', 'cacerts')
105 hostfingerprint = self.ui.config('hostfingerprints', host)
105 hostfingerprint = self.ui.config('hostfingerprints', host)
106 if not getattr(sock, 'getpeercert', False): # python 2.5 ?
107 if hostfingerprint:
108 raise util.Abort(_("host fingerprint for %s can't be "
109 "verified (Python too old)") % host)
110 self.ui.warn(_("warning: certificate for %s can't be verified "
111 "(Python too old)\n") % host)
112 return
106 if cacerts and not hostfingerprint:
113 if cacerts and not hostfingerprint:
107 msg = _verifycert(sock.getpeercert(), host)
114 msg = _verifycert(sock.getpeercert(), host)
108 if msg:
115 if msg:
109 raise util.Abort(_('%s certificate error: %s '
116 raise util.Abort(_('%s certificate error: %s '
110 '(use --insecure to connect '
117 '(use --insecure to connect '
111 'insecurely)') % (host, msg))
118 'insecurely)') % (host, msg))
112 self.ui.debug('%s certificate successfully verified\n' % host)
119 self.ui.debug('%s certificate successfully verified\n' % host)
113 else:
120 else:
114 if getattr(sock, 'getpeercert', False):
121 peercert = sock.getpeercert(True)
115 peercert = sock.getpeercert(True)
122 peerfingerprint = util.sha1(peercert).hexdigest()
116 peerfingerprint = util.sha1(peercert).hexdigest()
123 nicefingerprint = ":".join([peerfingerprint[x:x + 2]
117 nicefingerprint = ":".join([peerfingerprint[x:x + 2]
124 for x in xrange(0, len(peerfingerprint), 2)])
118 for x in xrange(0, len(peerfingerprint), 2)])
125 if hostfingerprint:
119 if hostfingerprint:
126 if peerfingerprint.lower() != \
120 if peerfingerprint.lower() != \
127 hostfingerprint.replace(':', '').lower():
121 hostfingerprint.replace(':', '').lower():
128 raise util.Abort(_('invalid certificate for %s '
122 raise util.Abort(_('invalid certificate for %s '
129 'with fingerprint %s') %
123 'with fingerprint %s') %
130 (host, nicefingerprint))
124 (host, nicefingerprint))
131 self.ui.debug('%s certificate matched fingerprint %s\n' %
125 self.ui.debug('%s certificate matched fingerprint %s\n' %
132 (host, nicefingerprint))
126 (host, nicefingerprint))
133 else:
127 else:
134 self.ui.warn(_('warning: %s certificate '
128 self.ui.warn(_('warning: %s certificate '
135 'with fingerprint %s not verified '
129 'with fingerprint %s not verified '
136 '(check hostfingerprints or web.cacerts '
130 '(check hostfingerprints or web.cacerts '
137 'config setting)\n') %
131 'config setting)\n') %
138 (host, nicefingerprint))
132 (host, nicefingerprint))
133 else: # python 2.5 ?
134 if hostfingerprint:
135 raise util.Abort(_("host fingerprint for %s can't be "
136 "verified (Python too old)") % host)
137 self.ui.warn(_("warning: certificate for %s can't be "
138 "verified (Python too old)\n") % host)
General Comments 0
You need to be logged in to leave comments. Login now