##// END OF EJS Templates
upstream » mercurial-mirror
RSS

Clone from https://www.mercurial-scm.org/repo/hg-all

sslutil: restore old behavior not requiring a hostname argument (issue5210)...
Gregory Szorc -
r29042:693b856a stable
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -1,320 +1,317 b''
1 # sslutil.py - SSL handling for mercurial
1 # sslutil.py - SSL handling for mercurial
2 #
2 #
3 # Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com>
3 # Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com>
4 # Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>
4 # Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>
5 # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
5 # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
6 #
6 #
7 # This software may be used and distributed according to the terms of the
7 # This software may be used and distributed according to the terms of the
8 # GNU General Public License version 2 or any later version.
8 # GNU General Public License version 2 or any later version.
9
9
10 from __future__ import absolute_import
10 from __future__ import absolute_import
11
11
12 import os
12 import os
13 import ssl
13 import ssl
14 import sys
14 import sys
15
15
16 from .i18n import _
16 from .i18n import _
17 from . import (
17 from . import (
18 error,
18 error,
19 util,
19 util,
20 )
20 )
21
21
22 # Python 2.7.9+ overhauled the built-in SSL/TLS features of Python. It added
22 # Python 2.7.9+ overhauled the built-in SSL/TLS features of Python. It added
23 # support for TLS 1.1, TLS 1.2, SNI, system CA stores, etc. These features are
23 # support for TLS 1.1, TLS 1.2, SNI, system CA stores, etc. These features are
24 # all exposed via the "ssl" module.
24 # all exposed via the "ssl" module.
25 #
25 #
26 # Depending on the version of Python being used, SSL/TLS support is either
26 # Depending on the version of Python being used, SSL/TLS support is either
27 # modern/secure or legacy/insecure. Many operations in this module have
27 # modern/secure or legacy/insecure. Many operations in this module have
28 # separate code paths depending on support in Python.
28 # separate code paths depending on support in Python.
29
29
30 hassni = getattr(ssl, 'HAS_SNI', False)
30 hassni = getattr(ssl, 'HAS_SNI', False)
31
31
32 try:
32 try:
33 OP_NO_SSLv2 = ssl.OP_NO_SSLv2
33 OP_NO_SSLv2 = ssl.OP_NO_SSLv2
34 OP_NO_SSLv3 = ssl.OP_NO_SSLv3
34 OP_NO_SSLv3 = ssl.OP_NO_SSLv3
35 except AttributeError:
35 except AttributeError:
36 OP_NO_SSLv2 = 0x1000000
36 OP_NO_SSLv2 = 0x1000000
37 OP_NO_SSLv3 = 0x2000000
37 OP_NO_SSLv3 = 0x2000000
38
38
39 try:
39 try:
40 # ssl.SSLContext was added in 2.7.9 and presence indicates modern
40 # ssl.SSLContext was added in 2.7.9 and presence indicates modern
41 # SSL/TLS features are available.
41 # SSL/TLS features are available.
42 SSLContext = ssl.SSLContext
42 SSLContext = ssl.SSLContext
43 modernssl = True
43 modernssl = True
44 _canloaddefaultcerts = util.safehasattr(SSLContext, 'load_default_certs')
44 _canloaddefaultcerts = util.safehasattr(SSLContext, 'load_default_certs')
45 except AttributeError:
45 except AttributeError:
46 modernssl = False
46 modernssl = False
47 _canloaddefaultcerts = False
47 _canloaddefaultcerts = False
48
48
49 # We implement SSLContext using the interface from the standard library.
49 # We implement SSLContext using the interface from the standard library.
50 class SSLContext(object):
50 class SSLContext(object):
51 # ssl.wrap_socket gained the "ciphers" named argument in 2.7.
51 # ssl.wrap_socket gained the "ciphers" named argument in 2.7.
52 _supportsciphers = sys.version_info >= (2, 7)
52 _supportsciphers = sys.version_info >= (2, 7)
53
53
54 def __init__(self, protocol):
54 def __init__(self, protocol):
55 # From the public interface of SSLContext
55 # From the public interface of SSLContext
56 self.protocol = protocol
56 self.protocol = protocol
57 self.check_hostname = False
57 self.check_hostname = False
58 self.options = 0
58 self.options = 0
59 self.verify_mode = ssl.CERT_NONE
59 self.verify_mode = ssl.CERT_NONE
60
60
61 # Used by our implementation.
61 # Used by our implementation.
62 self._certfile = None
62 self._certfile = None
63 self._keyfile = None
63 self._keyfile = None
64 self._certpassword = None
64 self._certpassword = None
65 self._cacerts = None
65 self._cacerts = None
66 self._ciphers = None
66 self._ciphers = None
67
67
68 def load_cert_chain(self, certfile, keyfile=None, password=None):
68 def load_cert_chain(self, certfile, keyfile=None, password=None):
69 self._certfile = certfile
69 self._certfile = certfile
70 self._keyfile = keyfile
70 self._keyfile = keyfile
71 self._certpassword = password
71 self._certpassword = password
72
72
73 def load_default_certs(self, purpose=None):
73 def load_default_certs(self, purpose=None):
74 pass
74 pass
75
75
76 def load_verify_locations(self, cafile=None, capath=None, cadata=None):
76 def load_verify_locations(self, cafile=None, capath=None, cadata=None):
77 if capath:
77 if capath:
78 raise error.Abort('capath not supported')
78 raise error.Abort('capath not supported')
79 if cadata:
79 if cadata:
80 raise error.Abort('cadata not supported')
80 raise error.Abort('cadata not supported')
81
81
82 self._cacerts = cafile
82 self._cacerts = cafile
83
83
84 def set_ciphers(self, ciphers):
84 def set_ciphers(self, ciphers):
85 if not self._supportsciphers:
85 if not self._supportsciphers:
86 raise error.Abort('setting ciphers not supported')
86 raise error.Abort('setting ciphers not supported')
87
87
88 self._ciphers = ciphers
88 self._ciphers = ciphers
89
89
90 def wrap_socket(self, socket, server_hostname=None, server_side=False):
90 def wrap_socket(self, socket, server_hostname=None, server_side=False):
91 # server_hostname is unique to SSLContext.wrap_socket and is used
91 # server_hostname is unique to SSLContext.wrap_socket and is used
92 # for SNI in that context. So there's nothing for us to do with it
92 # for SNI in that context. So there's nothing for us to do with it
93 # in this legacy code since we don't support SNI.
93 # in this legacy code since we don't support SNI.
94
94
95 args = {
95 args = {
96 'keyfile': self._keyfile,
96 'keyfile': self._keyfile,
97 'certfile': self._certfile,
97 'certfile': self._certfile,
98 'server_side': server_side,
98 'server_side': server_side,
99 'cert_reqs': self.verify_mode,
99 'cert_reqs': self.verify_mode,
100 'ssl_version': self.protocol,
100 'ssl_version': self.protocol,
101 'ca_certs': self._cacerts,
101 'ca_certs': self._cacerts,
102 }
102 }
103
103
104 if self._supportsciphers:
104 if self._supportsciphers:
105 args['ciphers'] = self._ciphers
105 args['ciphers'] = self._ciphers
106
106
107 return ssl.wrap_socket(socket, **args)
107 return ssl.wrap_socket(socket, **args)
108
108
109 def wrapsocket(sock, keyfile, certfile, ui, cert_reqs=ssl.CERT_NONE,
109 def wrapsocket(sock, keyfile, certfile, ui, cert_reqs=ssl.CERT_NONE,
110 ca_certs=None, serverhostname=None):
110 ca_certs=None, serverhostname=None):
111 """Add SSL/TLS to a socket.
111 """Add SSL/TLS to a socket.
112
112
113 This is a glorified wrapper for ``ssl.wrap_socket()``. It makes sane
113 This is a glorified wrapper for ``ssl.wrap_socket()``. It makes sane
114 choices based on what security options are available.
114 choices based on what security options are available.
115
115
116 In addition to the arguments supported by ``ssl.wrap_socket``, we allow
116 In addition to the arguments supported by ``ssl.wrap_socket``, we allow
117 the following additional arguments:
117 the following additional arguments:
118
118
119 * serverhostname - The expected hostname of the remote server. If the
119 * serverhostname - The expected hostname of the remote server. If the
120 server (and client) support SNI, this tells the server which certificate
120 server (and client) support SNI, this tells the server which certificate
121 to use.
121 to use.
122 """
122 """
123 if not serverhostname:
124 raise error.Abort('serverhostname argument required')
125
126 # Despite its name, PROTOCOL_SSLv23 selects the highest protocol
123 # Despite its name, PROTOCOL_SSLv23 selects the highest protocol
127 # that both ends support, including TLS protocols. On legacy stacks,
124 # that both ends support, including TLS protocols. On legacy stacks,
128 # the highest it likely goes in TLS 1.0. On modern stacks, it can
125 # the highest it likely goes in TLS 1.0. On modern stacks, it can
129 # support TLS 1.2.
126 # support TLS 1.2.
130 #
127 #
131 # The PROTOCOL_TLSv* constants select a specific TLS version
128 # The PROTOCOL_TLSv* constants select a specific TLS version
132 # only (as opposed to multiple versions). So the method for
129 # only (as opposed to multiple versions). So the method for
133 # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and
130 # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and
134 # disable protocols via SSLContext.options and OP_NO_* constants.
131 # disable protocols via SSLContext.options and OP_NO_* constants.
135 # However, SSLContext.options doesn't work unless we have the
132 # However, SSLContext.options doesn't work unless we have the
136 # full/real SSLContext available to us.
133 # full/real SSLContext available to us.
137 #
134 #
138 # SSLv2 and SSLv3 are broken. We ban them outright.
135 # SSLv2 and SSLv3 are broken. We ban them outright.
139 if modernssl:
136 if modernssl:
140 protocol = ssl.PROTOCOL_SSLv23
137 protocol = ssl.PROTOCOL_SSLv23
141 else:
138 else:
142 protocol = ssl.PROTOCOL_TLSv1
139 protocol = ssl.PROTOCOL_TLSv1
143
140
144 # TODO use ssl.create_default_context() on modernssl.
141 # TODO use ssl.create_default_context() on modernssl.
145 sslcontext = SSLContext(protocol)
142 sslcontext = SSLContext(protocol)
146
143
147 # This is a no-op on old Python.
144 # This is a no-op on old Python.
148 sslcontext.options |= OP_NO_SSLv2 | OP_NO_SSLv3
145 sslcontext.options |= OP_NO_SSLv2 | OP_NO_SSLv3
149
146
150 # This still works on our fake SSLContext.
147 # This still works on our fake SSLContext.
151 sslcontext.verify_mode = cert_reqs
148 sslcontext.verify_mode = cert_reqs
152
149
153 if certfile is not None:
150 if certfile is not None:
154 def password():
151 def password():
155 f = keyfile or certfile
152 f = keyfile or certfile
156 return ui.getpass(_('passphrase for %s: ') % f, '')
153 return ui.getpass(_('passphrase for %s: ') % f, '')
157 sslcontext.load_cert_chain(certfile, keyfile, password)
154 sslcontext.load_cert_chain(certfile, keyfile, password)
158
155
159 if ca_certs is not None:
156 if ca_certs is not None:
160 sslcontext.load_verify_locations(cafile=ca_certs)
157 sslcontext.load_verify_locations(cafile=ca_certs)
161 else:
158 else:
162 # This is a no-op on old Python.
159 # This is a no-op on old Python.
163 sslcontext.load_default_certs()
160 sslcontext.load_default_certs()
164
161
165 sslsocket = sslcontext.wrap_socket(sock, server_hostname=serverhostname)
162 sslsocket = sslcontext.wrap_socket(sock, server_hostname=serverhostname)
166 # check if wrap_socket failed silently because socket had been
163 # check if wrap_socket failed silently because socket had been
167 # closed
164 # closed
168 # - see http://bugs.python.org/issue13721
165 # - see http://bugs.python.org/issue13721
169 if not sslsocket.cipher():
166 if not sslsocket.cipher():
170 raise error.Abort(_('ssl connection failed'))
167 raise error.Abort(_('ssl connection failed'))
171 return sslsocket
168 return sslsocket
172
169
173 def _verifycert(cert, hostname):
170 def _verifycert(cert, hostname):
174 '''Verify that cert (in socket.getpeercert() format) matches hostname.
171 '''Verify that cert (in socket.getpeercert() format) matches hostname.
175 CRLs is not handled.
172 CRLs is not handled.
176
173
177 Returns error message if any problems are found and None on success.
174 Returns error message if any problems are found and None on success.
178 '''
175 '''
179 if not cert:
176 if not cert:
180 return _('no certificate received')
177 return _('no certificate received')
181 dnsname = hostname.lower()
178 dnsname = hostname.lower()
182 def matchdnsname(certname):
179 def matchdnsname(certname):
183 return (certname == dnsname or
180 return (certname == dnsname or
184 '.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1])
181 '.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1])
185
182
186 san = cert.get('subjectAltName', [])
183 san = cert.get('subjectAltName', [])
187 if san:
184 if san:
188 certnames = [value.lower() for key, value in san if key == 'DNS']
185 certnames = [value.lower() for key, value in san if key == 'DNS']
189 for name in certnames:
186 for name in certnames:
190 if matchdnsname(name):
187 if matchdnsname(name):
191 return None
188 return None
192 if certnames:
189 if certnames:
193 return _('certificate is for %s') % ', '.join(certnames)
190 return _('certificate is for %s') % ', '.join(certnames)
194
191
195 # subject is only checked when subjectAltName is empty
192 # subject is only checked when subjectAltName is empty
196 for s in cert.get('subject', []):
193 for s in cert.get('subject', []):
197 key, value = s[0]
194 key, value = s[0]
198 if key == 'commonName':
195 if key == 'commonName':
199 try:
196 try:
200 # 'subject' entries are unicode
197 # 'subject' entries are unicode
201 certname = value.lower().encode('ascii')
198 certname = value.lower().encode('ascii')
202 except UnicodeEncodeError:
199 except UnicodeEncodeError:
203 return _('IDN in certificate not supported')
200 return _('IDN in certificate not supported')
204 if matchdnsname(certname):
201 if matchdnsname(certname):
205 return None
202 return None
206 return _('certificate is for %s') % certname
203 return _('certificate is for %s') % certname
207 return _('no commonName or subjectAltName found in certificate')
204 return _('no commonName or subjectAltName found in certificate')
208
205
209
206
210 # CERT_REQUIRED means fetch the cert from the server all the time AND
207 # CERT_REQUIRED means fetch the cert from the server all the time AND
211 # validate it against the CA store provided in web.cacerts.
208 # validate it against the CA store provided in web.cacerts.
212
209
213 def _plainapplepython():
210 def _plainapplepython():
214 """return true if this seems to be a pure Apple Python that
211 """return true if this seems to be a pure Apple Python that
215 * is unfrozen and presumably has the whole mercurial module in the file
212 * is unfrozen and presumably has the whole mercurial module in the file
216 system
213 system
217 * presumably is an Apple Python that uses Apple OpenSSL which has patches
214 * presumably is an Apple Python that uses Apple OpenSSL which has patches
218 for using system certificate store CAs in addition to the provided
215 for using system certificate store CAs in addition to the provided
219 cacerts file
216 cacerts file
220 """
217 """
221 if sys.platform != 'darwin' or util.mainfrozen() or not sys.executable:
218 if sys.platform != 'darwin' or util.mainfrozen() or not sys.executable:
222 return False
219 return False
223 exe = os.path.realpath(sys.executable).lower()
220 exe = os.path.realpath(sys.executable).lower()
224 return (exe.startswith('/usr/bin/python') or
221 return (exe.startswith('/usr/bin/python') or
225 exe.startswith('/system/library/frameworks/python.framework/'))
222 exe.startswith('/system/library/frameworks/python.framework/'))
226
223
227 def _defaultcacerts():
224 def _defaultcacerts():
228 """return path to CA certificates; None for system's store; ! to disable"""
225 """return path to CA certificates; None for system's store; ! to disable"""
229 if _plainapplepython():
226 if _plainapplepython():
230 dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
227 dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
231 if os.path.exists(dummycert):
228 if os.path.exists(dummycert):
232 return dummycert
229 return dummycert
233 if _canloaddefaultcerts:
230 if _canloaddefaultcerts:
234 return None
231 return None
235 return '!'
232 return '!'
236
233
237 def sslkwargs(ui, host):
234 def sslkwargs(ui, host):
238 kws = {'ui': ui}
235 kws = {'ui': ui}
239 hostfingerprint = ui.config('hostfingerprints', host)
236 hostfingerprint = ui.config('hostfingerprints', host)
240 if hostfingerprint:
237 if hostfingerprint:
241 return kws
238 return kws
242 cacerts = ui.config('web', 'cacerts')
239 cacerts = ui.config('web', 'cacerts')
243 if cacerts == '!':
240 if cacerts == '!':
244 pass
241 pass
245 elif cacerts:
242 elif cacerts:
246 cacerts = util.expandpath(cacerts)
243 cacerts = util.expandpath(cacerts)
247 if not os.path.exists(cacerts):
244 if not os.path.exists(cacerts):
248 raise error.Abort(_('could not find web.cacerts: %s') % cacerts)
245 raise error.Abort(_('could not find web.cacerts: %s') % cacerts)
249 else:
246 else:
250 cacerts = _defaultcacerts()
247 cacerts = _defaultcacerts()
251 if cacerts and cacerts != '!':
248 if cacerts and cacerts != '!':
252 ui.debug('using %s to enable OS X system CA\n' % cacerts)
249 ui.debug('using %s to enable OS X system CA\n' % cacerts)
253 ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')
250 ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')
254 if cacerts != '!':
251 if cacerts != '!':
255 kws.update({'ca_certs': cacerts,
252 kws.update({'ca_certs': cacerts,
256 'cert_reqs': ssl.CERT_REQUIRED,
253 'cert_reqs': ssl.CERT_REQUIRED,
257 })
254 })
258 return kws
255 return kws
259
256
260 class validator(object):
257 class validator(object):
261 def __init__(self, ui, host):
258 def __init__(self, ui, host):
262 self.ui = ui
259 self.ui = ui
263 self.host = host
260 self.host = host
264
261
265 def __call__(self, sock, strict=False):
262 def __call__(self, sock, strict=False):
266 host = self.host
263 host = self.host
267
264
268 if not sock.cipher(): # work around http://bugs.python.org/issue13721
265 if not sock.cipher(): # work around http://bugs.python.org/issue13721
269 raise error.Abort(_('%s ssl connection error') % host)
266 raise error.Abort(_('%s ssl connection error') % host)
270 try:
267 try:
271 peercert = sock.getpeercert(True)
268 peercert = sock.getpeercert(True)
272 peercert2 = sock.getpeercert()
269 peercert2 = sock.getpeercert()
273 except AttributeError:
270 except AttributeError:
274 raise error.Abort(_('%s ssl connection error') % host)
271 raise error.Abort(_('%s ssl connection error') % host)
275
272
276 if not peercert:
273 if not peercert:
277 raise error.Abort(_('%s certificate error: '
274 raise error.Abort(_('%s certificate error: '
278 'no certificate received') % host)
275 'no certificate received') % host)
279
276
280 # If a certificate fingerprint is pinned, use it and only it to
277 # If a certificate fingerprint is pinned, use it and only it to
281 # validate the remote cert.
278 # validate the remote cert.
282 hostfingerprints = self.ui.configlist('hostfingerprints', host)
279 hostfingerprints = self.ui.configlist('hostfingerprints', host)
283 peerfingerprint = util.sha1(peercert).hexdigest()
280 peerfingerprint = util.sha1(peercert).hexdigest()
284 nicefingerprint = ":".join([peerfingerprint[x:x + 2]
281 nicefingerprint = ":".join([peerfingerprint[x:x + 2]
285 for x in xrange(0, len(peerfingerprint), 2)])
282 for x in xrange(0, len(peerfingerprint), 2)])
286 if hostfingerprints:
283 if hostfingerprints:
287 fingerprintmatch = False
284 fingerprintmatch = False
288 for hostfingerprint in hostfingerprints:
285 for hostfingerprint in hostfingerprints:
289 if peerfingerprint.lower() == \
286 if peerfingerprint.lower() == \
290 hostfingerprint.replace(':', '').lower():
287 hostfingerprint.replace(':', '').lower():
291 fingerprintmatch = True
288 fingerprintmatch = True
292 break
289 break
293 if not fingerprintmatch:
290 if not fingerprintmatch:
294 raise error.Abort(_('certificate for %s has unexpected '
291 raise error.Abort(_('certificate for %s has unexpected '
295 'fingerprint %s') % (host, nicefingerprint),
292 'fingerprint %s') % (host, nicefingerprint),
296 hint=_('check hostfingerprint configuration'))
293 hint=_('check hostfingerprint configuration'))
297 self.ui.debug('%s certificate matched fingerprint %s\n' %
294 self.ui.debug('%s certificate matched fingerprint %s\n' %
298 (host, nicefingerprint))
295 (host, nicefingerprint))
299 return
296 return
300
297
301 # No pinned fingerprint. Establish trust by looking at the CAs.
298 # No pinned fingerprint. Establish trust by looking at the CAs.
302 cacerts = self.ui.config('web', 'cacerts')
299 cacerts = self.ui.config('web', 'cacerts')
303 if cacerts != '!':
300 if cacerts != '!':
304 msg = _verifycert(peercert2, host)
301 msg = _verifycert(peercert2, host)
305 if msg:
302 if msg:
306 raise error.Abort(_('%s certificate error: %s') % (host, msg),
303 raise error.Abort(_('%s certificate error: %s') % (host, msg),
307 hint=_('configure hostfingerprint %s or use '
304 hint=_('configure hostfingerprint %s or use '
308 '--insecure to connect insecurely') %
305 '--insecure to connect insecurely') %
309 nicefingerprint)
306 nicefingerprint)
310 self.ui.debug('%s certificate successfully verified\n' % host)
307 self.ui.debug('%s certificate successfully verified\n' % host)
311 elif strict:
308 elif strict:
312 raise error.Abort(_('%s certificate with fingerprint %s not '
309 raise error.Abort(_('%s certificate with fingerprint %s not '
313 'verified') % (host, nicefingerprint),
310 'verified') % (host, nicefingerprint),
314 hint=_('check hostfingerprints or web.cacerts '
311 hint=_('check hostfingerprints or web.cacerts '
315 'config setting'))
312 'config setting'))
316 else:
313 else:
317 self.ui.warn(_('warning: %s certificate with fingerprint %s not '
314 self.ui.warn(_('warning: %s certificate with fingerprint %s not '
318 'verified (check hostfingerprints or web.cacerts '
315 'verified (check hostfingerprints or web.cacerts '
319 'config setting)\n') %
316 'config setting)\n') %
320 (host, nicefingerprint))
317 (host, nicefingerprint))
General Comments 0
You need to be logged in to leave comments. Login now