Show More
@@ -106,6 +106,23 b' except AttributeError:' | |||||
106 |
|
106 | |||
107 | return ssl.wrap_socket(socket, **args) |
|
107 | return ssl.wrap_socket(socket, **args) | |
108 |
|
108 | |||
|
109 | def _hostsettings(ui, hostname): | |||
|
110 | """Obtain security settings for a hostname. | |||
|
111 | ||||
|
112 | Returns a dict of settings relevant to that hostname. | |||
|
113 | """ | |||
|
114 | s = { | |||
|
115 | # List of 2-tuple of (hash algorithm, hash). | |||
|
116 | 'certfingerprints': [], | |||
|
117 | } | |||
|
118 | ||||
|
119 | # Fingerprints from [hostfingerprints] are always SHA-1. | |||
|
120 | for fingerprint in ui.configlist('hostfingerprints', hostname, []): | |||
|
121 | fingerprint = fingerprint.replace(':', '').lower() | |||
|
122 | s['certfingerprints'].append(('sha1', fingerprint)) | |||
|
123 | ||||
|
124 | return s | |||
|
125 | ||||
109 | def _determinecertoptions(ui, host): |
|
126 | def _determinecertoptions(ui, host): | |
110 | """Determine certificate options for a connections. |
|
127 | """Determine certificate options for a connections. | |
111 |
|
128 | |||
@@ -217,6 +234,7 b' def wrapsocket(sock, keyfile, certfile, ' | |||||
217 | sslsocket._hgstate = { |
|
234 | sslsocket._hgstate = { | |
218 | 'caloaded': caloaded, |
|
235 | 'caloaded': caloaded, | |
219 | 'hostname': serverhostname, |
|
236 | 'hostname': serverhostname, | |
|
237 | 'settings': _hostsettings(ui, serverhostname), | |||
220 | 'ui': ui, |
|
238 | 'ui': ui, | |
221 | } |
|
239 | } | |
222 |
|
240 | |||
@@ -292,6 +310,7 b' def validatesocket(sock, strict=False):' | |||||
292 | """ |
|
310 | """ | |
293 | host = sock._hgstate['hostname'] |
|
311 | host = sock._hgstate['hostname'] | |
294 | ui = sock._hgstate['ui'] |
|
312 | ui = sock._hgstate['ui'] | |
|
313 | settings = sock._hgstate['settings'] | |||
295 |
|
314 | |||
296 | try: |
|
315 | try: | |
297 | peercert = sock.getpeercert(True) |
|
316 | peercert = sock.getpeercert(True) | |
@@ -305,15 +324,13 b' def validatesocket(sock, strict=False):' | |||||
305 |
|
324 | |||
306 | # If a certificate fingerprint is pinned, use it and only it to |
|
325 | # If a certificate fingerprint is pinned, use it and only it to | |
307 | # validate the remote cert. |
|
326 | # validate the remote cert. | |
308 | hostfingerprints = ui.configlist('hostfingerprints', host) |
|
|||
309 | peerfingerprint = util.sha1(peercert).hexdigest() |
|
327 | peerfingerprint = util.sha1(peercert).hexdigest() | |
310 | nicefingerprint = ":".join([peerfingerprint[x:x + 2] |
|
328 | nicefingerprint = ":".join([peerfingerprint[x:x + 2] | |
311 | for x in xrange(0, len(peerfingerprint), 2)]) |
|
329 | for x in xrange(0, len(peerfingerprint), 2)]) | |
312 |
if |
|
330 | if settings['certfingerprints']: | |
313 | fingerprintmatch = False |
|
331 | fingerprintmatch = False | |
314 |
for h |
|
332 | for hash, fingerprint in settings['certfingerprints']: | |
315 |
if peerfingerprint.lower() == |
|
333 | if peerfingerprint.lower() == fingerprint: | |
316 | hostfingerprint.replace(':', '').lower(): |
|
|||
317 | fingerprintmatch = True |
|
334 | fingerprintmatch = True | |
318 | break |
|
335 | break | |
319 | if not fingerprintmatch: |
|
336 | if not fingerprintmatch: |
General Comments 0
You need to be logged in to leave comments.
Login now