##// END OF EJS Templates
sslutil: abort properly if no certificate received for https connection...
Mads Kiilerich -
r15817:8f377751 default
parent child Browse files
Show More
@@ -1,138 +1,141 b''
1 # sslutil.py - SSL handling for mercurial
1 # sslutil.py - SSL handling for mercurial
2 #
2 #
3 # Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com>
3 # Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com>
4 # Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>
4 # Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>
5 # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
5 # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
6 #
6 #
7 # This software may be used and distributed according to the terms of the
7 # This software may be used and distributed according to the terms of the
8 # GNU General Public License version 2 or any later version.
8 # GNU General Public License version 2 or any later version.
9 import os
9 import os
10
10
11 from mercurial import util
11 from mercurial import util
12 from mercurial.i18n import _
12 from mercurial.i18n import _
13 try:
13 try:
14 # avoid using deprecated/broken FakeSocket in python 2.6
14 # avoid using deprecated/broken FakeSocket in python 2.6
15 import ssl
15 import ssl
16 CERT_REQUIRED = ssl.CERT_REQUIRED
16 CERT_REQUIRED = ssl.CERT_REQUIRED
17 def ssl_wrap_socket(sock, keyfile, certfile,
17 def ssl_wrap_socket(sock, keyfile, certfile,
18 cert_reqs=ssl.CERT_NONE, ca_certs=None):
18 cert_reqs=ssl.CERT_NONE, ca_certs=None):
19 sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
19 sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
20 cert_reqs=cert_reqs, ca_certs=ca_certs)
20 cert_reqs=cert_reqs, ca_certs=ca_certs)
21 # check if wrap_socket failed silently because socket had been closed
21 # check if wrap_socket failed silently because socket had been closed
22 # - see http://bugs.python.org/issue13721
22 # - see http://bugs.python.org/issue13721
23 if not sslsocket.cipher():
23 if not sslsocket.cipher():
24 raise util.Abort(_('ssl connection failed'))
24 raise util.Abort(_('ssl connection failed'))
25 return sslsocket
25 return sslsocket
26 except ImportError:
26 except ImportError:
27 CERT_REQUIRED = 2
27 CERT_REQUIRED = 2
28
28
29 import socket, httplib
29 import socket, httplib
30
30
31 def ssl_wrap_socket(sock, key_file, cert_file,
31 def ssl_wrap_socket(sock, key_file, cert_file,
32 cert_reqs=CERT_REQUIRED, ca_certs=None):
32 cert_reqs=CERT_REQUIRED, ca_certs=None):
33 if not util.safehasattr(socket, 'ssl'):
33 if not util.safehasattr(socket, 'ssl'):
34 raise util.Abort(_('Python SSL support not found'))
34 raise util.Abort(_('Python SSL support not found'))
35 if ca_certs:
35 if ca_certs:
36 raise util.Abort(_(
36 raise util.Abort(_(
37 'certificate checking requires Python 2.6'))
37 'certificate checking requires Python 2.6'))
38
38
39 ssl = socket.ssl(sock, key_file, cert_file)
39 ssl = socket.ssl(sock, key_file, cert_file)
40 return httplib.FakeSocket(sock, ssl)
40 return httplib.FakeSocket(sock, ssl)
41
41
42 def _verifycert(cert, hostname):
42 def _verifycert(cert, hostname):
43 '''Verify that cert (in socket.getpeercert() format) matches hostname.
43 '''Verify that cert (in socket.getpeercert() format) matches hostname.
44 CRLs is not handled.
44 CRLs is not handled.
45
45
46 Returns error message if any problems are found and None on success.
46 Returns error message if any problems are found and None on success.
47 '''
47 '''
48 if not cert:
48 if not cert:
49 return _('no certificate received')
49 return _('no certificate received')
50 dnsname = hostname.lower()
50 dnsname = hostname.lower()
51 def matchdnsname(certname):
51 def matchdnsname(certname):
52 return (certname == dnsname or
52 return (certname == dnsname or
53 '.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1])
53 '.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1])
54
54
55 san = cert.get('subjectAltName', [])
55 san = cert.get('subjectAltName', [])
56 if san:
56 if san:
57 certnames = [value.lower() for key, value in san if key == 'DNS']
57 certnames = [value.lower() for key, value in san if key == 'DNS']
58 for name in certnames:
58 for name in certnames:
59 if matchdnsname(name):
59 if matchdnsname(name):
60 return None
60 return None
61 if certnames:
61 if certnames:
62 return _('certificate is for %s') % ', '.join(certnames)
62 return _('certificate is for %s') % ', '.join(certnames)
63
63
64 # subject is only checked when subjectAltName is empty
64 # subject is only checked when subjectAltName is empty
65 for s in cert.get('subject', []):
65 for s in cert.get('subject', []):
66 key, value = s[0]
66 key, value = s[0]
67 if key == 'commonName':
67 if key == 'commonName':
68 try:
68 try:
69 # 'subject' entries are unicode
69 # 'subject' entries are unicode
70 certname = value.lower().encode('ascii')
70 certname = value.lower().encode('ascii')
71 except UnicodeEncodeError:
71 except UnicodeEncodeError:
72 return _('IDN in certificate not supported')
72 return _('IDN in certificate not supported')
73 if matchdnsname(certname):
73 if matchdnsname(certname):
74 return None
74 return None
75 return _('certificate is for %s') % certname
75 return _('certificate is for %s') % certname
76 return _('no commonName or subjectAltName found in certificate')
76 return _('no commonName or subjectAltName found in certificate')
77
77
78
78
79 # CERT_REQUIRED means fetch the cert from the server all the time AND
79 # CERT_REQUIRED means fetch the cert from the server all the time AND
80 # validate it against the CA store provided in web.cacerts.
80 # validate it against the CA store provided in web.cacerts.
81 #
81 #
82 # We COMPLETELY ignore CERT_REQUIRED on Python <= 2.5, as it's totally
82 # We COMPLETELY ignore CERT_REQUIRED on Python <= 2.5, as it's totally
83 # busted on those versions.
83 # busted on those versions.
84
84
85 def sslkwargs(ui, host):
85 def sslkwargs(ui, host):
86 cacerts = ui.config('web', 'cacerts')
86 cacerts = ui.config('web', 'cacerts')
87 hostfingerprint = ui.config('hostfingerprints', host)
87 hostfingerprint = ui.config('hostfingerprints', host)
88 if cacerts and not hostfingerprint:
88 if cacerts and not hostfingerprint:
89 cacerts = util.expandpath(cacerts)
89 cacerts = util.expandpath(cacerts)
90 if not os.path.exists(cacerts):
90 if not os.path.exists(cacerts):
91 raise util.Abort(_('could not find web.cacerts: %s') % cacerts)
91 raise util.Abort(_('could not find web.cacerts: %s') % cacerts)
92 return {'ca_certs': cacerts,
92 return {'ca_certs': cacerts,
93 'cert_reqs': CERT_REQUIRED,
93 'cert_reqs': CERT_REQUIRED,
94 }
94 }
95 return {}
95 return {}
96
96
97 class validator(object):
97 class validator(object):
98 def __init__(self, ui, host):
98 def __init__(self, ui, host):
99 self.ui = ui
99 self.ui = ui
100 self.host = host
100 self.host = host
101
101
102 def __call__(self, sock):
102 def __call__(self, sock):
103 host = self.host
103 host = self.host
104 cacerts = self.ui.config('web', 'cacerts')
104 cacerts = self.ui.config('web', 'cacerts')
105 hostfingerprint = self.ui.config('hostfingerprints', host)
105 hostfingerprint = self.ui.config('hostfingerprints', host)
106 if not getattr(sock, 'getpeercert', False): # python 2.5 ?
106 if not getattr(sock, 'getpeercert', False): # python 2.5 ?
107 if hostfingerprint:
107 if hostfingerprint:
108 raise util.Abort(_("host fingerprint for %s can't be "
108 raise util.Abort(_("host fingerprint for %s can't be "
109 "verified (Python too old)") % host)
109 "verified (Python too old)") % host)
110 self.ui.warn(_("warning: certificate for %s can't be verified "
110 self.ui.warn(_("warning: certificate for %s can't be verified "
111 "(Python too old)\n") % host)
111 "(Python too old)\n") % host)
112 return
112 return
113 if not sock.cipher(): # work around http://bugs.python.org/issue13721
113 if not sock.cipher(): # work around http://bugs.python.org/issue13721
114 raise util.Abort(_('%s ssl connection error') % host)
114 raise util.Abort(_('%s ssl connection error') % host)
115 peercert = sock.getpeercert(True)
115 peercert = sock.getpeercert(True)
116 if not peercert:
117 raise util.Abort(_('%s certificate error: '
118 'no certificate received') % host)
116 peerfingerprint = util.sha1(peercert).hexdigest()
119 peerfingerprint = util.sha1(peercert).hexdigest()
117 nicefingerprint = ":".join([peerfingerprint[x:x + 2]
120 nicefingerprint = ":".join([peerfingerprint[x:x + 2]
118 for x in xrange(0, len(peerfingerprint), 2)])
121 for x in xrange(0, len(peerfingerprint), 2)])
119 if hostfingerprint:
122 if hostfingerprint:
120 if peerfingerprint.lower() != \
123 if peerfingerprint.lower() != \
121 hostfingerprint.replace(':', '').lower():
124 hostfingerprint.replace(':', '').lower():
122 raise util.Abort(_('invalid certificate for %s with '
125 raise util.Abort(_('invalid certificate for %s with '
123 'fingerprint %s') % (host, nicefingerprint))
126 'fingerprint %s') % (host, nicefingerprint))
124 self.ui.debug('%s certificate matched fingerprint %s\n' %
127 self.ui.debug('%s certificate matched fingerprint %s\n' %
125 (host, nicefingerprint))
128 (host, nicefingerprint))
126 elif cacerts:
129 elif cacerts:
127 msg = _verifycert(sock.getpeercert(), host)
130 msg = _verifycert(sock.getpeercert(), host)
128 if msg:
131 if msg:
129 raise util.Abort(_('%s certificate error: %s') % (host, msg),
132 raise util.Abort(_('%s certificate error: %s') % (host, msg),
130 hint=_('configure hostfingerprint %s or use '
133 hint=_('configure hostfingerprint %s or use '
131 '--insecure to connect insecurely') %
134 '--insecure to connect insecurely') %
132 nicefingerprint)
135 nicefingerprint)
133 self.ui.debug('%s certificate successfully verified\n' % host)
136 self.ui.debug('%s certificate successfully verified\n' % host)
134 else:
137 else:
135 self.ui.warn(_('warning: %s certificate with fingerprint %s not '
138 self.ui.warn(_('warning: %s certificate with fingerprint %s not '
136 'verified (check hostfingerprints or web.cacerts '
139 'verified (check hostfingerprints or web.cacerts '
137 'config setting)\n') %
140 'config setting)\n') %
138 (host, nicefingerprint))
141 (host, nicefingerprint))
General Comments 0
You need to be logged in to leave comments. Login now