upstream/mercurial-mirror Commit - r18879:93b03a22

1

# sslutil.py - SSL handling for mercurial

1

# sslutil.py - SSL handling for mercurial

2

#

2

#

3

4

5

6

#

6

#

7

# This software may be used and distributed according to the terms of the

7

# This software may be used and distributed according to the terms of the

8

# GNU General Public License version 2 or any later version.

8

# GNU General Public License version 2 or any later version.

9

import os

9

import os

10

11

from mercurial import util

11

from mercurial import util

12

from mercurial.i18n import _

12

from mercurial.i18n import _

13

try:

13

try:

14

# avoid using deprecated/broken FakeSocket in python 2.6

14

# avoid using deprecated/broken FakeSocket in python 2.6

15

import ssl

15

import ssl

16

CERT_REQUIRED = ssl.CERT_REQUIRED

16

CERT_REQUIRED = ssl.CERT_REQUIRED

17

def ssl_wrap_socket(sock, keyfile, certfile,

17

def ssl_wrap_socket(sock, keyfile, certfile,

18

cert_reqs=ssl.CERT_NONE, ca_certs=None):

18

cert_reqs=ssl.CERT_NONE, ca_certs=None):

19

sslsocket = ssl.wrap_socket(sock, keyfile, certfile,

19

sslsocket = ssl.wrap_socket(sock, keyfile, certfile,

20

cert_reqs=cert_reqs, ca_certs=ca_certs)

20

cert_reqs=cert_reqs, ca_certs=ca_certs)

21

# check if wrap_socket failed silently because socket had been closed

21

# check if wrap_socket failed silently because socket had been closed

22

# - see http://bugs.python.org/issue13721

22

# - see http://bugs.python.org/issue13721

23

if not sslsocket.cipher():

23

if not sslsocket.cipher():

24

raise util.Abort(_('ssl connection failed'))

24

raise util.Abort(_('ssl connection failed'))

25

return sslsocket

25

return sslsocket

26

except ImportError:

26

except ImportError:

27

CERT_REQUIRED = 2

27

CERT_REQUIRED = 2

28

29

import socket, httplib

29

import socket, httplib

30

31

def ssl_wrap_socket(sock, key_file, cert_file,

31

def ssl_wrap_socket(sock, key_file, cert_file,

32

cert_reqs=CERT_REQUIRED, ca_certs=None):

32

cert_reqs=CERT_REQUIRED, ca_certs=None):

33

if not util.safehasattr(socket, 'ssl'):

33

if not util.safehasattr(socket, 'ssl'):

34

raise util.Abort(_('Python SSL support not found'))

34

raise util.Abort(_('Python SSL support not found'))

35

if ca_certs:

35

if ca_certs:

36

raise util.Abort(_(

36

raise util.Abort(_(

37

'certificate checking requires Python 2.6'))

37

'certificate checking requires Python 2.6'))

38

39

ssl = socket.ssl(sock, key_file, cert_file)

39

ssl = socket.ssl(sock, key_file, cert_file)

40

return httplib.FakeSocket(sock, ssl)

40

return httplib.FakeSocket(sock, ssl)

41

42

def _verifycert(cert, hostname):

42

def _verifycert(cert, hostname):

43

'''Verify that cert (in socket.getpeercert() format) matches hostname.

43

'''Verify that cert (in socket.getpeercert() format) matches hostname.

44

CRLs is not handled.

44

CRLs is not handled.

45

46

Returns error message if any problems are found and None on success.

46

Returns error message if any problems are found and None on success.

47

'''

47

'''

48

if not cert:

48

if not cert:

49

return _('no certificate received')

49

return _('no certificate received')

50

dnsname = hostname.lower()

50

dnsname = hostname.lower()

51

def matchdnsname(certname):

51

def matchdnsname(certname):

52

return (certname == dnsname or

52

return (certname == dnsname or

53

'.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1])

53

'.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1])

54

55

san = cert.get('subjectAltName', [])

55

san = cert.get('subjectAltName', [])

56

if san:

56

if san:

57

certnames = [value.lower() for key, value in san if key == 'DNS']

57

certnames = [value.lower() for key, value in san if key == 'DNS']

58

for name in certnames:

58

for name in certnames:

59

if matchdnsname(name):

59

if matchdnsname(name):

60

return None

60

return None

61

if certnames:

61

if certnames:

62

return _('certificate is for %s') % ', '.join(certnames)

62

return _('certificate is for %s') % ', '.join(certnames)

63

64

# subject is only checked when subjectAltName is empty

64

# subject is only checked when subjectAltName is empty

65

for s in cert.get('subject', []):

65

for s in cert.get('subject', []):

66

key, value = s[0]

66

key, value = s[0]

67

if key == 'commonName':

67

if key == 'commonName':

68

try:

68

try:

69

# 'subject' entries are unicode

69

# 'subject' entries are unicode

70

certname = value.lower().encode('ascii')

70

certname = value.lower().encode('ascii')

71

except UnicodeEncodeError:

71

except UnicodeEncodeError:

72

return _('IDN in certificate not supported')

72

return _('IDN in certificate not supported')

73

if matchdnsname(certname):

73

if matchdnsname(certname):

74

return None

74

return None

75

return _('certificate is for %s') % certname

75

return _('certificate is for %s') % certname

76

return _('no commonName or subjectAltName found in certificate')

76

return _('no commonName or subjectAltName found in certificate')

77

78

79

# CERT_REQUIRED means fetch the cert from the server all the time AND

79

# CERT_REQUIRED means fetch the cert from the server all the time AND

80

# validate it against the CA store provided in web.cacerts.

80

# validate it against the CA store provided in web.cacerts.

81

#

81

#

82

# We COMPLETELY ignore CERT_REQUIRED on Python <= 2.5, as it's totally

82

# We COMPLETELY ignore CERT_REQUIRED on Python <= 2.5, as it's totally

83

# busted on those versions.

83

# busted on those versions.

84

85

def sslkwargs(ui, host):

85

def sslkwargs(ui, host):

86

cacerts = ui.config('web', 'cacerts')

86

cacerts = ui.config('web', 'cacerts')

87

hostfingerprint = ui.config('hostfingerprints', host)

87

hostfingerprint = ui.config('hostfingerprints', host)

88

if cacerts and not hostfingerprint:

88

if cacerts and not hostfingerprint:

89

cacerts = util.expandpath(cacerts)

89

cacerts = util.expandpath(cacerts)

90

if not os.path.exists(cacerts):

90

if not os.path.exists(cacerts):

91

raise util.Abort(_('could not find web.cacerts: %s') % cacerts)

91

raise util.Abort(_('could not find web.cacerts: %s') % cacerts)

92

return {'ca_certs': cacerts,

92

return {'ca_certs': cacerts,

93

'cert_reqs': CERT_REQUIRED,

93

'cert_reqs': CERT_REQUIRED,

94

}

94

}

95

return {}

95

return {}

96

97

class validator(object):

97

class validator(object):

98

def __init__(self, ui, host):

98

def __init__(self, ui, host):

99

self.ui = ui

99

self.ui = ui

100

self.host = host

100

self.host = host

101

102

def __call__(self, sock):

102

def __call__(self, sock):

103

host = self.host

103

host = self.host

104

cacerts = self.ui.config('web', 'cacerts')

104

cacerts = self.ui.config('web', 'cacerts')

105

hostfingerprint = self.ui.config('hostfingerprints', host)

105

hostfingerprint = self.ui.config('hostfingerprints', host)

106

if not getattr(sock, 'getpeercert', False): # python 2.5 ?

106

if not getattr(sock, 'getpeercert', False): # python 2.5 ?

107

if hostfingerprint:

107

if hostfingerprint:

108

raise util.Abort(_("host fingerprint for %s can't be "

108

raise util.Abort(_("host fingerprint for %s can't be "

109

"verified (Python too old)") % host)

109

"verified (Python too old)") % host)

110

if self.ui.configbool('ui', 'reportoldssl', True):

110

if self.ui.configbool('ui', 'reportoldssl', True):

111

self.ui.warn(_("warning: certificate for %s can't be verified "

111

self.ui.warn(_("warning: certificate for %s can't be verified "

112

"(Python too old)\n") % host)

112

"(Python too old)\n") % host)

113

return

113

return

114

if not sock.cipher(): # work around http://bugs.python.org/issue13721

115

if not sock.cipher(): # work around http://bugs.python.org/issue13721

115

raise util.Abort(_('%s ssl connection error') % host)

116

raise util.Abort(_('%s ssl connection error') % host)

117

try:

116

peercert = sock.getpeercert(True)

118

peercert = sock.getpeercert(True)

119

peercert2 = sock.getpeercert()

120

except AttributeError:

121

raise util.Abort(_('%s ssl connection error') % host)

122

117

if not peercert:

123

if not peercert:

118

raise util.Abort(_('%s certificate error: '

124

raise util.Abort(_('%s certificate error: '

119

'no certificate received') % host)

125

'no certificate received') % host)

120

peerfingerprint = util.sha1(peercert).hexdigest()

126

peerfingerprint = util.sha1(peercert).hexdigest()

121

nicefingerprint = ":".join([peerfingerprint[x:x + 2]

127

nicefingerprint = ":".join([peerfingerprint[x:x + 2]

122

for x in xrange(0, len(peerfingerprint), 2)])

128

for x in xrange(0, len(peerfingerprint), 2)])

123

if hostfingerprint:

129

if hostfingerprint:

124

if peerfingerprint.lower() != \

130

if peerfingerprint.lower() != \

125

hostfingerprint.replace(':', '').lower():

131

hostfingerprint.replace(':', '').lower():

126

raise util.Abort(_('certificate for %s has unexpected '

132

raise util.Abort(_('certificate for %s has unexpected '

127

'fingerprint %s') % (host, nicefingerprint),

133

'fingerprint %s') % (host, nicefingerprint),

128

hint=_('check hostfingerprint configuration'))

134

hint=_('check hostfingerprint configuration'))

129

self.ui.debug('%s certificate matched fingerprint %s\n' %

135

self.ui.debug('%s certificate matched fingerprint %s\n' %

130

(host, nicefingerprint))

136

(host, nicefingerprint))

131

elif cacerts:

137

elif cacerts:

132

msg = _verifycert(~~sock~~.~~get~~peercert(), host)

138

msg = _verifycert(peercert2, host)

133

if msg:

139

if msg:

134

raise util.Abort(_('%s certificate error: %s') % (host, msg),

140

raise util.Abort(_('%s certificate error: %s') % (host, msg),

135

hint=_('configure hostfingerprint %s or use '

141

hint=_('configure hostfingerprint %s or use '

136

'--insecure to connect insecurely') %

142

'--insecure to connect insecurely') %

137

nicefingerprint)

143

nicefingerprint)

138

self.ui.debug('%s certificate successfully verified\n' % host)

144

self.ui.debug('%s certificate successfully verified\n' % host)

139

else:

145

else:

140

self.ui.warn(_('warning: %s certificate with fingerprint %s not '

146

self.ui.warn(_('warning: %s certificate with fingerprint %s not '

141

'verified (check hostfingerprints or web.cacerts '

147

'verified (check hostfingerprints or web.cacerts '

142

'config setting)\n') %

148

'config setting)\n') %

143

(host, nicefingerprint))

149

(host, nicefingerprint))

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

             # sslutil.py - SSL handling for mercurial
             #
             # Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com>
             # Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>
             # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
             #
             # This software may be used and distributed according to the terms of the
             # GNU General Public License version 2 or any later version.
             import os
             from mercurial import util
             from mercurial.i18n import _
             try:
                 # avoid using deprecated/broken FakeSocket in python 2.6
                 import ssl
                 CERT_REQUIRED = ssl.CERT_REQUIRED
                 def ssl_wrap_socket(sock, keyfile, certfile,
                             cert_reqs=ssl.CERT_NONE, ca_certs=None):
                     sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
                             cert_reqs=cert_reqs, ca_certs=ca_certs)
                     # check if wrap_socket failed silently because socket had been closed
                     # - see http://bugs.python.org/issue13721
                     if not sslsocket.cipher():
                         raise util.Abort(_('ssl connection failed'))
                     return sslsocket
             except ImportError:
                 CERT_REQUIRED = 2
                 import socket, httplib
                 def ssl_wrap_socket(sock, key_file, cert_file,
                                     cert_reqs=CERT_REQUIRED, ca_certs=None):
                     if not util.safehasattr(socket, 'ssl'):
                         raise util.Abort(_('Python SSL support not found'))
                     if ca_certs:
                         raise util.Abort(_(
                             'certificate checking requires Python 2.6'))
                     ssl = socket.ssl(sock, key_file, cert_file)
                     return httplib.FakeSocket(sock, ssl)
             def _verifycert(cert, hostname):
                 '''Verify that cert (in socket.getpeercert() format) matches hostname.
                 CRLs is not handled.
                 Returns error message if any problems are found and None on success.
                 '''
                 if not cert:
                     return _('no certificate received')
                 dnsname = hostname.lower()
                 def matchdnsname(certname):
                     return (certname == dnsname or
                             '.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1])
                 san = cert.get('subjectAltName', [])
                 if san:
                     certnames = [value.lower() for key, value in san if key == 'DNS']
                     for name in certnames:
                         if matchdnsname(name):
                             return None
                     if certnames:
                         return _('certificate is for %s') % ', '.join(certnames)
                 # subject is only checked when subjectAltName is empty
                 for s in cert.get('subject', []):
                     key, value = s[0]
                     if key == 'commonName':
                         try:
                             # 'subject' entries are unicode
                             certname = value.lower().encode('ascii')
                         except UnicodeEncodeError:
                             return _('IDN in certificate not supported')
                         if matchdnsname(certname):
                             return None
                         return _('certificate is for %s') % certname
                 return _('no commonName or subjectAltName found in certificate')
             # CERT_REQUIRED means fetch the cert from the server all the time AND
             # validate it against the CA store provided in web.cacerts.
             #
             # We COMPLETELY ignore CERT_REQUIRED on Python <= 2.5, as it's totally
             # busted on those versions.
             def sslkwargs(ui, host):
                 cacerts = ui.config('web', 'cacerts')
                 hostfingerprint = ui.config('hostfingerprints', host)
                 if cacerts and not hostfingerprint:
                     cacerts = util.expandpath(cacerts)
                     if not os.path.exists(cacerts):
                         raise util.Abort(_('could not find web.cacerts: %s') % cacerts)
                     return {'ca_certs': cacerts,
                             'cert_reqs': CERT_REQUIRED,
                             }
                 return {}
             class validator(object):
                 def __init__(self, ui, host):
                     self.ui = ui
                     self.host = host
                 def __call__(self, sock):
                     host = self.host
                     cacerts = self.ui.config('web', 'cacerts')
                     hostfingerprint = self.ui.config('hostfingerprints', host)
                     if not getattr(sock, 'getpeercert', False): # python 2.5 ?
                         if hostfingerprint:
                             raise util.Abort(_("host fingerprint for %s can't be "
                                                "verified (Python too old)") % host)
                         if self.ui.configbool('ui', 'reportoldssl', True):
                             self.ui.warn(_("warning: certificate for %s can't be verified "
                                            "(Python too old)\n") % host)
                         return
                     if not sock.cipher(): # work around http://bugs.python.org/issue13721
                         raise util.Abort(_('%s ssl connection error') % host)
+                    try:
                         peercert = sock.getpeercert(True)
+                        peercert2 = sock.getpeercert()
+                    except AttributeError:
+                        raise util.Abort(_('%s ssl connection error') % host)
                     if not peercert:
                         raise util.Abort(_('%s certificate error: '
                                            'no certificate received') % host)
                     peerfingerprint = util.sha1(peercert).hexdigest()
                     nicefingerprint = ":".join([peerfingerprint[x:x + 2]
                         for x in xrange(0, len(peerfingerprint), 2)])
                     if hostfingerprint:
                         if peerfingerprint.lower() != \
                                 hostfingerprint.replace(':', '').lower():
                             raise util.Abort(_('certificate for %s has unexpected '
                                                'fingerprint %s') % (host, nicefingerprint),
                                              hint=_('check hostfingerprint configuration'))
                         self.ui.debug('%s certificate matched fingerprint %s\n' %
                                       (host, nicefingerprint))
                     elif cacerts:
-                        msg = _verifycert(sock.getpeercert(), host)
+                        msg = _verifycert(peercert2, host)
                         if msg:
                             raise util.Abort(_('%s certificate error: %s') % (host, msg),
                                              hint=_('configure hostfingerprint %s or use '
                                                     '--insecure to connect insecurely') %
                                                   nicefingerprint)
                         self.ui.debug('%s certificate successfully verified\n' % host)
                     else:
                         self.ui.warn(_('warning: %s certificate with fingerprint %s not '
                                        'verified (check hostfingerprints or web.cacerts '
                                        'config setting)\n') %
                                      (host, nicefingerprint))