upstream/mercurial-mirror Commit - r19808:3b82d412

1

# sslutil.py - SSL handling for mercurial

1

# sslutil.py - SSL handling for mercurial

2

#

2

#

3

4

5

6

#

6

#

7

# This software may be used and distributed according to the terms of the

7

# This software may be used and distributed according to the terms of the

8

# GNU General Public License version 2 or any later version.

8

# GNU General Public License version 2 or any later version.

9

import os

9

import os

10

11

from mercurial import util

11

from mercurial import util

12

from mercurial.i18n import _

12

from mercurial.i18n import _

13

try:

13

try:

14

# avoid using deprecated/broken FakeSocket in python 2.6

14

# avoid using deprecated/broken FakeSocket in python 2.6

15

import ssl

15

import ssl

16

CERT_REQUIRED = ssl.CERT_REQUIRED

16

CERT_REQUIRED = ssl.CERT_REQUIRED

17

PROTOCOL_SSLv23 = ssl.PROTOCOL_SSLv23

17

PROTOCOL_SSLv23 = ssl.PROTOCOL_SSLv23

18

PROTOCOL_TLSv1 = ssl.PROTOCOL_TLSv1

18

PROTOCOL_TLSv1 = ssl.PROTOCOL_TLSv1

19

def ssl_wrap_socket(sock, keyfile, certfile, ssl_version=PROTOCOL_TLSv1,

19

def ssl_wrap_socket(sock, keyfile, certfile, ssl_version=PROTOCOL_TLSv1,

20

cert_reqs=ssl.CERT_NONE, ca_certs=None):

20

cert_reqs=ssl.CERT_NONE, ca_certs=None):

21

sslsocket = ssl.wrap_socket(sock, keyfile, certfile,

21

sslsocket = ssl.wrap_socket(sock, keyfile, certfile,

22

cert_reqs=cert_reqs, ca_certs=ca_certs,

22

cert_reqs=cert_reqs, ca_certs=ca_certs,

23

ssl_version=ssl_version)

23

ssl_version=ssl_version)

24

# check if wrap_socket failed silently because socket had been closed

24

# check if wrap_socket failed silently because socket had been closed

25

# - see http://bugs.python.org/issue13721

25

# - see http://bugs.python.org/issue13721

26

if not sslsocket.cipher():

26

if not sslsocket.cipher():

27

raise util.Abort(_('ssl connection failed'))

27

raise util.Abort(_('ssl connection failed'))

28

return sslsocket

28

return sslsocket

29

except ImportError:

29

except ImportError:

30

CERT_REQUIRED = 2

30

CERT_REQUIRED = 2

31

32

PROTOCOL_SSLv23 = 2

32

PROTOCOL_SSLv23 = 2

33

PROTOCOL_TLSv1 = 3

33

PROTOCOL_TLSv1 = 3

34

35

import socket, httplib

35

import socket, httplib

36

37

def ssl_wrap_socket(sock, key_file, cert_file, ssl_version=PROTOCOL_TLSv1,

37

def ssl_wrap_socket(sock, keyfile, certfile, ssl_version=PROTOCOL_TLSv1,

38

cert_reqs=CERT_REQUIRED, ca_certs=None):

38

cert_reqs=CERT_REQUIRED, ca_certs=None):

39

if not util.safehasattr(socket, 'ssl'):

39

if not util.safehasattr(socket, 'ssl'):

40

raise util.Abort(_('Python SSL support not found'))

40

raise util.Abort(_('Python SSL support not found'))

41

if ca_certs:

41

if ca_certs:

42

raise util.Abort(_(

42

raise util.Abort(_(

43

'certificate checking requires Python 2.6'))

43

'certificate checking requires Python 2.6'))

44

45

ssl = socket.ssl(sock, key_file, cert_file)

45

ssl = socket.ssl(sock, keyfile, certfile)

46

return httplib.FakeSocket(sock, ssl)

46

return httplib.FakeSocket(sock, ssl)

47

48

def _verifycert(cert, hostname):

48

def _verifycert(cert, hostname):

49

'''Verify that cert (in socket.getpeercert() format) matches hostname.

49

'''Verify that cert (in socket.getpeercert() format) matches hostname.

50

CRLs is not handled.

50

CRLs is not handled.

51

52

Returns error message if any problems are found and None on success.

52

Returns error message if any problems are found and None on success.

53

'''

53

'''

54

if not cert:

54

if not cert:

55

return _('no certificate received')

55

return _('no certificate received')

56

dnsname = hostname.lower()

56

dnsname = hostname.lower()

57

def matchdnsname(certname):

57

def matchdnsname(certname):

58

return (certname == dnsname or

58

return (certname == dnsname or

59

'.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1])

59

'.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1])

60

61

san = cert.get('subjectAltName', [])

61

san = cert.get('subjectAltName', [])

62

if san:

62

if san:

63

certnames = [value.lower() for key, value in san if key == 'DNS']

63

certnames = [value.lower() for key, value in san if key == 'DNS']

64

for name in certnames:

64

for name in certnames:

65

if matchdnsname(name):

65

if matchdnsname(name):

66

return None

66

return None

67

if certnames:

67

if certnames:

68

return _('certificate is for %s') % ', '.join(certnames)

68

return _('certificate is for %s') % ', '.join(certnames)

69

70

# subject is only checked when subjectAltName is empty

70

# subject is only checked when subjectAltName is empty

71

for s in cert.get('subject', []):

71

for s in cert.get('subject', []):

72

key, value = s[0]

72

key, value = s[0]

73

if key == 'commonName':

73

if key == 'commonName':

74

try:

74

try:

75

# 'subject' entries are unicode

75

# 'subject' entries are unicode

76

certname = value.lower().encode('ascii')

76

certname = value.lower().encode('ascii')

77

except UnicodeEncodeError:

77

except UnicodeEncodeError:

78

return _('IDN in certificate not supported')

78

return _('IDN in certificate not supported')

79

if matchdnsname(certname):

79

if matchdnsname(certname):

80

return None

80

return None

81

return _('certificate is for %s') % certname

81

return _('certificate is for %s') % certname

82

return _('no commonName or subjectAltName found in certificate')

82

return _('no commonName or subjectAltName found in certificate')

83

84

85

# CERT_REQUIRED means fetch the cert from the server all the time AND

85

# CERT_REQUIRED means fetch the cert from the server all the time AND

86

# validate it against the CA store provided in web.cacerts.

86

# validate it against the CA store provided in web.cacerts.

87

#

87

#

88

# We COMPLETELY ignore CERT_REQUIRED on Python <= 2.5, as it's totally

88

# We COMPLETELY ignore CERT_REQUIRED on Python <= 2.5, as it's totally

89

# busted on those versions.

89

# busted on those versions.

90

91

def sslkwargs(ui, host):

91

def sslkwargs(ui, host):

92

cacerts = ui.config('web', 'cacerts')

92

cacerts = ui.config('web', 'cacerts')

93

forcetls = ui.configbool('ui', 'tls', default=True)

93

forcetls = ui.configbool('ui', 'tls', default=True)

94

if forcetls:

94

if forcetls:

95

ssl_version = PROTOCOL_TLSv1

95

ssl_version = PROTOCOL_TLSv1

96

else:

96

else:

97

ssl_version = PROTOCOL_SSLv23

97

ssl_version = PROTOCOL_SSLv23

98

hostfingerprint = ui.config('hostfingerprints', host)

98

hostfingerprint = ui.config('hostfingerprints', host)

99

kws = {'ssl_version': ssl_version,

99

kws = {'ssl_version': ssl_version,

100

}

100

}

101

if cacerts and not hostfingerprint:

101

if cacerts and not hostfingerprint:

102

cacerts = util.expandpath(cacerts)

102

cacerts = util.expandpath(cacerts)

103

if not os.path.exists(cacerts):

103

if not os.path.exists(cacerts):

104

raise util.Abort(_('could not find web.cacerts: %s') % cacerts)

104

raise util.Abort(_('could not find web.cacerts: %s') % cacerts)

105

kws.update({'ca_certs': cacerts,

105

kws.update({'ca_certs': cacerts,

106

'cert_reqs': CERT_REQUIRED,

106

'cert_reqs': CERT_REQUIRED,

107

})

107

})

108

return kws

108

return kws

109

110

class validator(object):

110

class validator(object):

111

def __init__(self, ui, host):

111

def __init__(self, ui, host):

112

self.ui = ui

112

self.ui = ui

113

self.host = host

113

self.host = host

114

115

def __call__(self, sock, strict=False):

115

def __call__(self, sock, strict=False):

116

host = self.host

116

host = self.host

117

cacerts = self.ui.config('web', 'cacerts')

117

cacerts = self.ui.config('web', 'cacerts')

118

hostfingerprint = self.ui.config('hostfingerprints', host)

118

hostfingerprint = self.ui.config('hostfingerprints', host)

119

if not getattr(sock, 'getpeercert', False): # python 2.5 ?

119

if not getattr(sock, 'getpeercert', False): # python 2.5 ?

120

if hostfingerprint:

120

if hostfingerprint:

121

raise util.Abort(_("host fingerprint for %s can't be "

121

raise util.Abort(_("host fingerprint for %s can't be "

122

"verified (Python too old)") % host)

122

"verified (Python too old)") % host)

123

if strict:

123

if strict:

124

raise util.Abort(_("certificate for %s can't be verified "

124

raise util.Abort(_("certificate for %s can't be verified "

125

"(Python too old)") % host)

125

"(Python too old)") % host)

126

if self.ui.configbool('ui', 'reportoldssl', True):

126

if self.ui.configbool('ui', 'reportoldssl', True):

127

self.ui.warn(_("warning: certificate for %s can't be verified "

127

self.ui.warn(_("warning: certificate for %s can't be verified "

128

"(Python too old)\n") % host)

128

"(Python too old)\n") % host)

129

return

129

return

130

131

if not sock.cipher(): # work around http://bugs.python.org/issue13721

131

if not sock.cipher(): # work around http://bugs.python.org/issue13721

132

raise util.Abort(_('%s ssl connection error') % host)

132

raise util.Abort(_('%s ssl connection error') % host)

133

try:

133

try:

134

peercert = sock.getpeercert(True)

134

peercert = sock.getpeercert(True)

135

peercert2 = sock.getpeercert()

135

peercert2 = sock.getpeercert()

136

except AttributeError:

136

except AttributeError:

137

raise util.Abort(_('%s ssl connection error') % host)

137

raise util.Abort(_('%s ssl connection error') % host)

138

139

if not peercert:

139

if not peercert:

140

raise util.Abort(_('%s certificate error: '

140

raise util.Abort(_('%s certificate error: '

141

'no certificate received') % host)

141

'no certificate received') % host)

142

peerfingerprint = util.sha1(peercert).hexdigest()

142

peerfingerprint = util.sha1(peercert).hexdigest()

143

nicefingerprint = ":".join([peerfingerprint[x:x + 2]

143

nicefingerprint = ":".join([peerfingerprint[x:x + 2]

144

for x in xrange(0, len(peerfingerprint), 2)])

144

for x in xrange(0, len(peerfingerprint), 2)])

145

if hostfingerprint:

145

if hostfingerprint:

146

if peerfingerprint.lower() != \

146

if peerfingerprint.lower() != \

147

hostfingerprint.replace(':', '').lower():

147

hostfingerprint.replace(':', '').lower():

148

raise util.Abort(_('certificate for %s has unexpected '

148

raise util.Abort(_('certificate for %s has unexpected '

149

'fingerprint %s') % (host, nicefingerprint),

149

'fingerprint %s') % (host, nicefingerprint),

150

hint=_('check hostfingerprint configuration'))

150

hint=_('check hostfingerprint configuration'))

151

self.ui.debug('%s certificate matched fingerprint %s\n' %

151

self.ui.debug('%s certificate matched fingerprint %s\n' %

152

(host, nicefingerprint))

152

(host, nicefingerprint))

153

elif cacerts:

153

elif cacerts:

154

msg = _verifycert(peercert2, host)

154

msg = _verifycert(peercert2, host)

155

if msg:

155

if msg:

156

raise util.Abort(_('%s certificate error: %s') % (host, msg),

156

raise util.Abort(_('%s certificate error: %s') % (host, msg),

157

hint=_('configure hostfingerprint %s or use '

157

hint=_('configure hostfingerprint %s or use '

158

'--insecure to connect insecurely') %

158

'--insecure to connect insecurely') %

159

nicefingerprint)

159

nicefingerprint)

160

self.ui.debug('%s certificate successfully verified\n' % host)

160

self.ui.debug('%s certificate successfully verified\n' % host)

161

elif strict:

161

elif strict:

162

raise util.Abort(_('%s certificate with fingerprint %s not '

162

raise util.Abort(_('%s certificate with fingerprint %s not '

163

'verified') % (host, nicefingerprint),

163

'verified') % (host, nicefingerprint),

164

hint=_('check hostfingerprints or web.cacerts '

164

hint=_('check hostfingerprints or web.cacerts '

165

'config setting'))

165

'config setting'))

166

else:

166

else:

167

self.ui.warn(_('warning: %s certificate with fingerprint %s not '

167

self.ui.warn(_('warning: %s certificate with fingerprint %s not '

168

'verified (check hostfingerprints or web.cacerts '

168

'verified (check hostfingerprints or web.cacerts '

169

'config setting)\n') %

169

'config setting)\n') %

170

(host, nicefingerprint))

170

(host, nicefingerprint))

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

             # sslutil.py - SSL handling for mercurial
             #
             # Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com>
             # Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>
             # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
             #
             # This software may be used and distributed according to the terms of the
             # GNU General Public License version 2 or any later version.
             import os
             from mercurial import util
             from mercurial.i18n import _
             try:
                 # avoid using deprecated/broken FakeSocket in python 2.6
                 import ssl
                 CERT_REQUIRED = ssl.CERT_REQUIRED
                 PROTOCOL_SSLv23 = ssl.PROTOCOL_SSLv23
                 PROTOCOL_TLSv1 = ssl.PROTOCOL_TLSv1
                 def ssl_wrap_socket(sock, keyfile, certfile, ssl_version=PROTOCOL_TLSv1,
                             cert_reqs=ssl.CERT_NONE, ca_certs=None):
                     sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
                                                 cert_reqs=cert_reqs, ca_certs=ca_certs,
                                                 ssl_version=ssl_version)
                     # check if wrap_socket failed silently because socket had been closed
                     # - see http://bugs.python.org/issue13721
                     if not sslsocket.cipher():
                         raise util.Abort(_('ssl connection failed'))
                     return sslsocket
             except ImportError:
                 CERT_REQUIRED = 2
                 PROTOCOL_SSLv23 = 2
                 PROTOCOL_TLSv1 = 3
                 import socket, httplib
-                def ssl_wrap_socket(sock, key_file, cert_file, ssl_version=PROTOCOL_TLSv1,
+                def ssl_wrap_socket(sock, keyfile, certfile, ssl_version=PROTOCOL_TLSv1,
                                     cert_reqs=CERT_REQUIRED, ca_certs=None):
                     if not util.safehasattr(socket, 'ssl'):
                         raise util.Abort(_('Python SSL support not found'))
                     if ca_certs:
                         raise util.Abort(_(
                             'certificate checking requires Python 2.6'))
-                    ssl = socket.ssl(sock, key_file, cert_file)
+                    ssl = socket.ssl(sock, keyfile, certfile)
                     return httplib.FakeSocket(sock, ssl)
             def _verifycert(cert, hostname):
                 '''Verify that cert (in socket.getpeercert() format) matches hostname.
                 CRLs is not handled.
                 Returns error message if any problems are found and None on success.
                 '''
                 if not cert:
                     return _('no certificate received')
                 dnsname = hostname.lower()
                 def matchdnsname(certname):
                     return (certname == dnsname or
                             '.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1])
                 san = cert.get('subjectAltName', [])
                 if san:
                     certnames = [value.lower() for key, value in san if key == 'DNS']
                     for name in certnames:
                         if matchdnsname(name):
                             return None
                     if certnames:
                         return _('certificate is for %s') % ', '.join(certnames)
                 # subject is only checked when subjectAltName is empty
                 for s in cert.get('subject', []):
                     key, value = s[0]
                     if key == 'commonName':
                         try:
                             # 'subject' entries are unicode
                             certname = value.lower().encode('ascii')
                         except UnicodeEncodeError:
                             return _('IDN in certificate not supported')
                         if matchdnsname(certname):
                             return None
                         return _('certificate is for %s') % certname
                 return _('no commonName or subjectAltName found in certificate')
             # CERT_REQUIRED means fetch the cert from the server all the time AND
             # validate it against the CA store provided in web.cacerts.
             #
             # We COMPLETELY ignore CERT_REQUIRED on Python <= 2.5, as it's totally
             # busted on those versions.
             def sslkwargs(ui, host):
                 cacerts = ui.config('web', 'cacerts')
                 forcetls = ui.configbool('ui', 'tls', default=True)
                 if forcetls:
                     ssl_version = PROTOCOL_TLSv1
                 else:
                     ssl_version = PROTOCOL_SSLv23
                 hostfingerprint = ui.config('hostfingerprints', host)
                 kws = {'ssl_version': ssl_version,
                        }
                 if cacerts and not hostfingerprint:
                     cacerts = util.expandpath(cacerts)
                     if not os.path.exists(cacerts):
                         raise util.Abort(_('could not find web.cacerts: %s') % cacerts)
                     kws.update({'ca_certs': cacerts,
                                 'cert_reqs': CERT_REQUIRED,
                                 })
                 return kws
             class validator(object):
                 def __init__(self, ui, host):
                     self.ui = ui
                     self.host = host
                 def __call__(self, sock, strict=False):
                     host = self.host
                     cacerts = self.ui.config('web', 'cacerts')
                     hostfingerprint = self.ui.config('hostfingerprints', host)
                     if not getattr(sock, 'getpeercert', False): # python 2.5 ?
                         if hostfingerprint:
                             raise util.Abort(_("host fingerprint for %s can't be "
                                                "verified (Python too old)") % host)
                         if strict:
                             raise util.Abort(_("certificate for %s can't be verified "
                                                "(Python too old)") % host)
                         if self.ui.configbool('ui', 'reportoldssl', True):
                             self.ui.warn(_("warning: certificate for %s can't be verified "
                                            "(Python too old)\n") % host)
                         return
                     if not sock.cipher(): # work around http://bugs.python.org/issue13721
                         raise util.Abort(_('%s ssl connection error') % host)
                     try:
                         peercert = sock.getpeercert(True)
                         peercert2 = sock.getpeercert()
                     except AttributeError:
                         raise util.Abort(_('%s ssl connection error') % host)
                     if not peercert:
                         raise util.Abort(_('%s certificate error: '
                                            'no certificate received') % host)
                     peerfingerprint = util.sha1(peercert).hexdigest()
                     nicefingerprint = ":".join([peerfingerprint[x:x + 2]
                         for x in xrange(0, len(peerfingerprint), 2)])
                     if hostfingerprint:
                         if peerfingerprint.lower() != \
                                 hostfingerprint.replace(':', '').lower():
                             raise util.Abort(_('certificate for %s has unexpected '
                                                'fingerprint %s') % (host, nicefingerprint),
                                              hint=_('check hostfingerprint configuration'))
                         self.ui.debug('%s certificate matched fingerprint %s\n' %
                                       (host, nicefingerprint))
                     elif cacerts:
                         msg = _verifycert(peercert2, host)
                         if msg:
                             raise util.Abort(_('%s certificate error: %s') % (host, msg),
                                              hint=_('configure hostfingerprint %s or use '
                                                     '--insecure to connect insecurely') %
                                                   nicefingerprint)
                         self.ui.debug('%s certificate successfully verified\n' % host)
                     elif strict:
                         raise util.Abort(_('%s certificate with fingerprint %s not '
                                            'verified') % (host, nicefingerprint),
                                          hint=_('check hostfingerprints or web.cacerts '
                                                  'config setting'))
                     else:
                         self.ui.warn(_('warning: %s certificate with fingerprint %s not '
                                        'verified (check hostfingerprints or web.cacerts '
                                        'config setting)\n') %
                                      (host, nicefingerprint))