upstream/mercurial-mirror Commit - r29227:dffe78d8

sslutil: convert socket validation from a class to a function (API)...

Gregory Szorc -

r29227:dffe78d8 default

parent child

mercurial/httpconnection.py

0 +1 -1

             # httpconnection.py - urllib2 handler for new http support
             #
             # Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com>
             # Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>
             # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
             # Copyright 2011 Google, Inc.
             #
             # This software may be used and distributed according to the terms of the
             # GNU General Public License version 2 or any later version.
             from __future__ import absolute_import
             import logging
             import os
             import socket
             from .i18n import _
             from . import (
                 httpclient,
                 sslutil,
                 util,
             )
             urlerr = util.urlerr
             urlreq = util.urlreq
             # moved here from url.py to avoid a cycle
             class httpsendfile(object):
                 """This is a wrapper around the objects returned by python's "open".
                 Its purpose is to send file-like objects via HTTP.
                 It do however not define a __len__ attribute because the length
                 might be more than Py_ssize_t can handle.
                 """
                 def __init__(self, ui, *args, **kwargs):
                     self.ui = ui
                     self._data = open(*args, **kwargs)
                     self.seek = self._data.seek
                     self.close = self._data.close
                     self.write = self._data.write
                     self.length = os.fstat(self._data.fileno()).st_size
                     self._pos = 0
                     self._total = self.length // 1024 * 2
                 def read(self, *args, **kwargs):
                     try:
                         ret = self._data.read(*args, **kwargs)
                     except EOFError:
                         self.ui.progress(_('sending'), None)
                     self._pos += len(ret)
                     # We pass double the max for total because we currently have
                     # to send the bundle twice in the case of a server that
                     # requires authentication. Since we can't know until we try
                     # once whether authentication will be required, just lie to
                     # the user and maybe the push succeeds suddenly at 50%.
                     self.ui.progress(_('sending'), self._pos // 1024,
                                      unit=_('kb'), total=self._total)
                     return ret
             # moved here from url.py to avoid a cycle
             def readauthforuri(ui, uri, user):
                 # Read configuration
                 config = dict()
                 for key, val in ui.configitems('auth'):
                     if '.' not in key:
                         ui.warn(_("ignoring invalid [auth] key '%s'\n") % key)
                         continue
                     group, setting = key.rsplit('.', 1)
                     gdict = config.setdefault(group, dict())
                     if setting in ('username', 'cert', 'key'):
                         val = util.expandpath(val)
                     gdict[setting] = val
                 # Find the best match
                 scheme, hostpath = uri.split('://', 1)
                 bestuser = None
                 bestlen = 0
                 bestauth = None
                 for group, auth in config.iteritems():
                     if user and user != auth.get('username', user):
                         # If a username was set in the URI, the entry username
                         # must either match it or be unset
                         continue
                     prefix = auth.get('prefix')
                     if not prefix:
                         continue
                     p = prefix.split('://', 1)
                     if len(p) > 1:
                         schemes, prefix = [p[0]], p[1]
                     else:
                         schemes = (auth.get('schemes') or 'https').split()
                     if (prefix == '*' or hostpath.startswith(prefix)) and \
                         (len(prefix) > bestlen or (len(prefix) == bestlen and \
                             not bestuser and 'username' in auth)) \
                          and scheme in schemes:
                         bestlen = len(prefix)
                         bestauth = group, auth
                         bestuser = auth.get('username')
                         if user and not bestuser:
                             auth['username'] = user
                 return bestauth
             # Mercurial (at least until we can remove the old codepath) requires
             # that the http response object be sufficiently file-like, so we
             # provide a close() method here.
             class HTTPResponse(httpclient.HTTPResponse):
                 def close(self):
                     pass
             class HTTPConnection(httpclient.HTTPConnection):
                 response_class = HTTPResponse
                 def request(self, method, uri, body=None, headers=None):
                     if headers is None:
                         headers = {}
                     if isinstance(body, httpsendfile):
                         body.seek(0)
                     httpclient.HTTPConnection.request(self, method, uri, body=body,
                                                       headers=headers)
             _configuredlogging = False
             LOGFMT = '%(levelname)s:%(name)s:%(lineno)d:%(message)s'
             # Subclass BOTH of these because otherwise urllib2 "helpfully"
             # reinserts them since it notices we don't include any subclasses of
             # them.
             class http2handler(urlreq.httphandler, urlreq.httpshandler):
                 def __init__(self, ui, pwmgr):
                     global _configuredlogging
                     urlreq.abstracthttphandler.__init__(self)
                     self.ui = ui
                     self.pwmgr = pwmgr
                     self._connections = {}
                     # developer config: ui.http2debuglevel
                     loglevel = ui.config('ui', 'http2debuglevel', default=None)
                     if loglevel and not _configuredlogging:
                         _configuredlogging = True
                         logger = logging.getLogger('mercurial.httpclient')
                         logger.setLevel(getattr(logging, loglevel.upper()))
                         handler = logging.StreamHandler()
                         handler.setFormatter(logging.Formatter(LOGFMT))
                         logger.addHandler(handler)
                 def close_all(self):
                     """Close and remove all connection objects being kept for reuse."""
                     for openconns in self._connections.values():
                         for conn in openconns:
                             conn.close()
                     self._connections = {}
                 # shamelessly borrowed from urllib2.AbstractHTTPHandler
                 def do_open(self, http_class, req, use_ssl):
                     """Return an addinfourl object for the request, using http_class.
                     http_class must implement the HTTPConnection API from httplib.
                     The addinfourl return value is a file-like object.  It also
                     has methods and attributes including:
                         - info(): return a mimetools.Message object for the headers
                         - geturl(): return the original request URL
                         - code: HTTP status code
                     """
                     # If using a proxy, the host returned by get_host() is
                     # actually the proxy. On Python 2.6.1, the real destination
                     # hostname is encoded in the URI in the urllib2 request
                     # object. On Python 2.6.5, it's stored in the _tunnel_host
                     # attribute which has no accessor.
                     tunhost = getattr(req, '_tunnel_host', None)
                     host = req.get_host()
                     if tunhost:
                         proxyhost = host
                         host = tunhost
                     elif req.has_proxy():
                         proxyhost = req.get_host()
                         host = req.get_selector().split('://', 1)[1].split('/', 1)[0]
                     else:
                         proxyhost = None
                     if proxyhost:
                         if ':' in proxyhost:
                             # Note: this means we'll explode if we try and use an
                             # IPv6 http proxy. This isn't a regression, so we
                             # won't worry about it for now.
                             proxyhost, proxyport = proxyhost.rsplit(':', 1)
                         else:
                             proxyport = 3128 # squid default
                         proxy = (proxyhost, proxyport)
                     else:
                         proxy = None
                     if not host:
                         raise urlerr.urlerror('no host given')
                     connkey = use_ssl, host, proxy
                     allconns = self._connections.get(connkey, [])
                     conns = [c for c in allconns if not c.busy()]
                     if conns:
                         h = conns[0]
                     else:
                         if allconns:
                             self.ui.debug('all connections for %s busy, making a new '
                                           'one\n' % host)
                         timeout = None
                         if req.timeout is not socket._GLOBAL_DEFAULT_TIMEOUT:
                             timeout = req.timeout
                         h = http_class(host, timeout=timeout, proxy_hostport=proxy)
                         self._connections.setdefault(connkey, []).append(h)
                     headers = dict(req.headers)
                     headers.update(req.unredirected_hdrs)
                     headers = dict(
                         (name.title(), val) for name, val in headers.items())
                     try:
                         path = req.get_selector()
                         if '://' in path:
                             path = path.split('://', 1)[1].split('/', 1)[1]
                         if path[0] != '/':
                             path = '/' + path
                         h.request(req.get_method(), path, req.data, headers)
                         r = h.getresponse()
                     except socket.error as err: # XXX what error?
                         raise urlerr.urlerror(err)
                     # Pick apart the HTTPResponse object to get the addinfourl
                     # object initialized properly.
                     r.recv = r.read
                     resp = urlreq.addinfourl(r, r.headers, req.get_full_url())
                     resp.code = r.status
                     resp.msg = r.reason
                     return resp
                 # httplib always uses the given host/port as the socket connect
                 # target, and then allows full URIs in the request path, which it
                 # then observes and treats as a signal to do proxying instead.
                 def http_open(self, req):
                     if req.get_full_url().startswith('https'):
                         return self.https_open(req)
                     def makehttpcon(*args, **kwargs):
                         k2 = dict(kwargs)
                         k2['use_ssl'] = False
                         return HTTPConnection(*args, **k2)
                     return self.do_open(makehttpcon, req, False)
                 def https_open(self, req):
                     # req.get_full_url() does not contain credentials and we may
                     # need them to match the certificates.
                     url = req.get_full_url()
                     user, password = self.pwmgr.find_stored_password(url)
                     res = readauthforuri(self.ui, url, user)
                     if res:
                         group, auth = res
                         self.auth = auth
                         self.ui.debug("using auth.%s.* for authentication\n" % group)
                     else:
                         self.auth = None
                     return self.do_open(self._makesslconnection, req, True)
                 def _makesslconnection(self, host, port=443, *args, **kwargs):
                     keyfile = None
                     certfile = None
                     if args: # key_file
                         keyfile = args.pop(0)
                     if args: # cert_file
                         certfile = args.pop(0)
                     # if the user has specified different key/cert files in
                     # hgrc, we prefer these
                     if self.auth and 'key' in self.auth and 'cert' in self.auth:
                         keyfile = self.auth['key']
                         certfile = self.auth['cert']
                     # let host port take precedence
                     if ':' in host and '[' not in host or ']:' in host:
                         host, port = host.rsplit(':', 1)
                         port = int(port)
                         if '[' in host:
                             host = host[1:-1]
                     kwargs['keyfile'] = keyfile
                     kwargs['certfile'] = certfile
                     kwargs.update(sslutil.sslkwargs(self.ui, host))
                     con = HTTPConnection(host, port, use_ssl=True,
                                          ssl_wrap_socket=sslutil.wrapsocket,
-                                         ssl_validator=sslutil.validator(self.ui, host),
+                                         ssl_validator=sslutil.validatesocket,
                                          **kwargs)
                     return con

mercurial/mail.py

0 +1 -1

             # mail.py - mail sending bits for mercurial
             #
             # Copyright 2006 Matt Mackall <mpm@selenic.com>
             #
             # This software may be used and distributed according to the terms of the
             # GNU General Public License version 2 or any later version.
             from __future__ import absolute_import, print_function
             import email
             import os
             import quopri
             import smtplib
             import socket
             import sys
             import time
             from .i18n import _
             from . import (
                 encoding,
                 error,
                 sslutil,
                 util,
             )
             _oldheaderinit = email.Header.Header.__init__
             def _unifiedheaderinit(self, *args, **kw):
                 """
                 Python 2.7 introduces a backwards incompatible change
                 (Python issue1974, r70772) in email.Generator.Generator code:
                 pre-2.7 code passed "continuation_ws='\t'" to the Header
                 constructor, and 2.7 removed this parameter.
                 Default argument is continuation_ws=' ', which means that the
                 behavior is different in <2.7 and 2.7
                 We consider the 2.7 behavior to be preferable, but need
                 to have an unified behavior for versions 2.4 to 2.7
                 """
                 # override continuation_ws
                 kw['continuation_ws'] = ' '
                 _oldheaderinit(self, *args, **kw)
             setattr(email.header.Header, '__init__', _unifiedheaderinit)
             class STARTTLS(smtplib.SMTP):
                 '''Derived class to verify the peer certificate for STARTTLS.
                 This class allows to pass any keyword arguments to SSL socket creation.
                 '''
                 def __init__(self, sslkwargs, host=None, **kwargs):
                     smtplib.SMTP.__init__(self, **kwargs)
                     self._sslkwargs = sslkwargs
                     self._host = host
                 def starttls(self, keyfile=None, certfile=None):
                     if not self.has_extn("starttls"):
                         msg = "STARTTLS extension not supported by server"
                         raise smtplib.SMTPException(msg)
                     (resp, reply) = self.docmd("STARTTLS")
                     if resp == 220:
                         self.sock = sslutil.wrapsocket(self.sock, keyfile, certfile,
                                                        serverhostname=self._host,
                                                        **self._sslkwargs)
                         self.file = smtplib.SSLFakeFile(self.sock)
                         self.helo_resp = None
                         self.ehlo_resp = None
                         self.esmtp_features = {}
                         self.does_esmtp = 0
                     return (resp, reply)
             class SMTPS(smtplib.SMTP):
                 '''Derived class to verify the peer certificate for SMTPS.
                 This class allows to pass any keyword arguments to SSL socket creation.
                 '''
                 def __init__(self, sslkwargs, keyfile=None, certfile=None, host=None,
                              **kwargs):
                     self.keyfile = keyfile
                     self.certfile = certfile
                     smtplib.SMTP.__init__(self, **kwargs)
                     self._host = host
                     self.default_port = smtplib.SMTP_SSL_PORT
                     self._sslkwargs = sslkwargs
                 def _get_socket(self, host, port, timeout):
                     if self.debuglevel > 0:
                         print('connect:', (host, port), file=sys.stderr)
                     new_socket = socket.create_connection((host, port), timeout)
                     new_socket = sslutil.wrapsocket(new_socket,
                                                     self.keyfile, self.certfile,
                                                     serverhostname=self._host,
                                                     **self._sslkwargs)
                     self.file = smtplib.SSLFakeFile(new_socket)
                     return new_socket
             def _smtp(ui):
                 '''build an smtp connection and return a function to send mail'''
                 local_hostname = ui.config('smtp', 'local_hostname')
                 tls = ui.config('smtp', 'tls', 'none')
                 # backward compatible: when tls = true, we use starttls.
                 starttls = tls == 'starttls' or util.parsebool(tls)
                 smtps = tls == 'smtps'
                 if (starttls or smtps) and not util.safehasattr(socket, 'ssl'):
                     raise error.Abort(_("can't use TLS: Python SSL support not installed"))
                 mailhost = ui.config('smtp', 'host')
                 if not mailhost:
                     raise error.Abort(_('smtp.host not configured - cannot send mail'))
                 verifycert = ui.config('smtp', 'verifycert', 'strict')
                 if verifycert not in ['strict', 'loose']:
                     if util.parsebool(verifycert) is not False:
                         raise error.Abort(_('invalid smtp.verifycert configuration: %s')
                                          % (verifycert))
                     verifycert = False
                 if (starttls or smtps) and verifycert:
                     sslkwargs = sslutil.sslkwargs(ui, mailhost)
                 else:
                     # 'ui' is required by sslutil.wrapsocket() and set by sslkwargs()
                     sslkwargs = {'ui': ui}
                 if smtps:
                     ui.note(_('(using smtps)\n'))
                     s = SMTPS(sslkwargs, local_hostname=local_hostname, host=mailhost)
                 elif starttls:
                     s = STARTTLS(sslkwargs, local_hostname=local_hostname, host=mailhost)
                 else:
                     s = smtplib.SMTP(local_hostname=local_hostname)
                 if smtps:
                     defaultport = 465
                 else:
                     defaultport = 25
                 mailport = util.getport(ui.config('smtp', 'port', defaultport))
                 ui.note(_('sending mail: smtp host %s, port %d\n') %
                         (mailhost, mailport))
                 s.connect(host=mailhost, port=mailport)
                 if starttls:
                     ui.note(_('(using starttls)\n'))
                     s.ehlo()
                     s.starttls()
                     s.ehlo()
                 if (starttls or smtps) and verifycert:
                     ui.note(_('(verifying remote certificate)\n'))
-                    sslutil.validator(ui, mailhost)(s.sock, verifycert == 'strict')
+                    sslutil.validatesocket(s.sock, verifycert == 'strict')
                 username = ui.config('smtp', 'username')
                 password = ui.config('smtp', 'password')
                 if username and not password:
                     password = ui.getpass()
                 if username and password:
                     ui.note(_('(authenticating to mail server as %s)\n') %
                               (username))
                     try:
                         s.login(username, password)
                     except smtplib.SMTPException as inst:
                         raise error.Abort(inst)
                 def send(sender, recipients, msg):
                     try:
                         return s.sendmail(sender, recipients, msg)
                     except smtplib.SMTPRecipientsRefused as inst:
                         recipients = [r[1] for r in inst.recipients.values()]
                         raise error.Abort('\n' + '\n'.join(recipients))
                     except smtplib.SMTPException as inst:
                         raise error.Abort(inst)
                 return send
             def _sendmail(ui, sender, recipients, msg):
                 '''send mail using sendmail.'''
                 program = ui.config('email', 'method', 'smtp')
                 cmdline = '%s -f %s %s' % (program, util.email(sender),
                                            ' '.join(map(util.email, recipients)))
                 ui.note(_('sending mail: %s\n') % cmdline)
                 fp = util.popen(cmdline, 'w')
                 fp.write(msg)
                 ret = fp.close()
                 if ret:
                     raise error.Abort('%s %s' % (
                         os.path.basename(program.split(None, 1)[0]),
                         util.explainexit(ret)[0]))
             def _mbox(mbox, sender, recipients, msg):
                 '''write mails to mbox'''
                 fp = open(mbox, 'ab+')
                 # Should be time.asctime(), but Windows prints 2-characters day
                 # of month instead of one. Make them print the same thing.
                 date = time.strftime('%a %b %d %H:%M:%S %Y', time.localtime())
                 fp.write('From %s %s\n' % (sender, date))
                 fp.write(msg)
                 fp.write('\n\n')
                 fp.close()
             def connect(ui, mbox=None):
                 '''make a mail connection. return a function to send mail.
                 call as sendmail(sender, list-of-recipients, msg).'''
                 if mbox:
                     open(mbox, 'wb').close()
                     return lambda s, r, m: _mbox(mbox, s, r, m)
                 if ui.config('email', 'method', 'smtp') == 'smtp':
                     return _smtp(ui)
                 return lambda s, r, m: _sendmail(ui, s, r, m)
             def sendmail(ui, sender, recipients, msg, mbox=None):
                 send = connect(ui, mbox=mbox)
                 return send(sender, recipients, msg)
             def validateconfig(ui):
                 '''determine if we have enough config data to try sending email.'''
                 method = ui.config('email', 'method', 'smtp')
                 if method == 'smtp':
                     if not ui.config('smtp', 'host'):
                         raise error.Abort(_('smtp specified as email transport, '
                                            'but no smtp host configured'))
                 else:
                     if not util.findexe(method):
                         raise error.Abort(_('%r specified as email transport, '
                                            'but not in PATH') % method)
             def mimetextpatch(s, subtype='plain', display=False):
                 '''Return MIME message suitable for a patch.
                 Charset will be detected as utf-8 or (possibly fake) us-ascii.
                 Transfer encodings will be used if necessary.'''
                 cs = 'us-ascii'
                 if not display:
                     try:
                         s.decode('us-ascii')
                     except UnicodeDecodeError:
                         try:
                             s.decode('utf-8')
                             cs = 'utf-8'
                         except UnicodeDecodeError:
                             # We'll go with us-ascii as a fallback.
                             pass
                 return mimetextqp(s, subtype, cs)
             def mimetextqp(body, subtype, charset):
                 '''Return MIME message.
                 Quoted-printable transfer encoding will be used if necessary.
                 '''
                 enc = None
                 for line in body.splitlines():
                     if len(line) > 950:
                         body = quopri.encodestring(body)
                         enc = "quoted-printable"
                         break
                 msg = email.MIMEText.MIMEText(body, subtype, charset)
                 if enc:
                     del msg['Content-Transfer-Encoding']
                     msg['Content-Transfer-Encoding'] = enc
                 return msg
             def _charsets(ui):
                 '''Obtains charsets to send mail parts not containing patches.'''
                 charsets = [cs.lower() for cs in ui.configlist('email', 'charsets')]
                 fallbacks = [encoding.fallbackencoding.lower(),
                              encoding.encoding.lower(), 'utf-8']
                 for cs in fallbacks: # find unique charsets while keeping order
                     if cs not in charsets:
                         charsets.append(cs)
                 return [cs for cs in charsets if not cs.endswith('ascii')]
             def _encode(ui, s, charsets):
                 '''Returns (converted) string, charset tuple.
                 Finds out best charset by cycling through sendcharsets in descending
                 order. Tries both encoding and fallbackencoding for input. Only as
                 last resort send as is in fake ascii.
                 Caveat: Do not use for mail parts containing patches!'''
                 try:
                     s.decode('ascii')
                 except UnicodeDecodeError:
                     sendcharsets = charsets or _charsets(ui)
                     for ics in (encoding.encoding, encoding.fallbackencoding):
                         try:
                             u = s.decode(ics)
                         except UnicodeDecodeError:
                             continue
                         for ocs in sendcharsets:
                             try:
                                 return u.encode(ocs), ocs
                             except UnicodeEncodeError:
                                 pass
                             except LookupError:
                                 ui.warn(_('ignoring invalid sendcharset: %s\n') % ocs)
                 # if ascii, or all conversion attempts fail, send (broken) ascii
                 return s, 'us-ascii'
             def headencode(ui, s, charsets=None, display=False):
                 '''Returns RFC-2047 compliant header from given string.'''
                 if not display:
                     # split into words?
                     s, cs = _encode(ui, s, charsets)
                     return str(email.Header.Header(s, cs))
                 return s
             def _addressencode(ui, name, addr, charsets=None):
                 name = headencode(ui, name, charsets)
                 try:
                     acc, dom = addr.split('@')
                     acc = acc.encode('ascii')
                     dom = dom.decode(encoding.encoding).encode('idna')
                     addr = '%s@%s' % (acc, dom)
                 except UnicodeDecodeError:
                     raise error.Abort(_('invalid email address: %s') % addr)
                 except ValueError:
                     try:
                         # too strict?
                         addr = addr.encode('ascii')
                     except UnicodeDecodeError:
                         raise error.Abort(_('invalid local address: %s') % addr)
                 return email.Utils.formataddr((name, addr))
             def addressencode(ui, address, charsets=None, display=False):
                 '''Turns address into RFC-2047 compliant header.'''
                 if display or not address:
                     return address or ''
                 name, addr = email.Utils.parseaddr(address)
                 return _addressencode(ui, name, addr, charsets)
             def addrlistencode(ui, addrs, charsets=None, display=False):
                 '''Turns a list of addresses into a list of RFC-2047 compliant headers.
                 A single element of input list may contain multiple addresses, but output
                 always has one address per item'''
                 if display:
                     return [a.strip() for a in addrs if a.strip()]
                 result = []
                 for name, addr in email.Utils.getaddresses(addrs):
                     if name or addr:
                         result.append(_addressencode(ui, name, addr, charsets))
                 return result
             def mimeencode(ui, s, charsets=None, display=False):
                 '''creates mime text object, encodes it if needed, and sets
                 charset and transfer-encoding accordingly.'''
                 cs = 'us-ascii'
                 if not display:
                     s, cs = _encode(ui, s, charsets)
                 return mimetextqp(s, 'plain', cs)
             def headdecode(s):
                 '''Decodes RFC-2047 header'''
                 uparts = []
                 for part, charset in email.Header.decode_header(s):
                     if charset is not None:
                         try:
                             uparts.append(part.decode(charset))
                             continue
                         except UnicodeDecodeError:
                             pass
                     try:
                         uparts.append(part.decode('UTF-8'))
                         continue
                     except UnicodeDecodeError:
                         pass
                     uparts.append(part.decode('ISO-8859-1'))
                 return encoding.tolocal(u' '.join(uparts).encode('UTF-8'))

mercurial/sslutil.py

0 +66 -66

             # sslutil.py - SSL handling for mercurial
             #
             # Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com>
             # Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>
             # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
             #
             # This software may be used and distributed according to the terms of the
             # GNU General Public License version 2 or any later version.
             from __future__ import absolute_import
             import os
             import ssl
             import sys
             from .i18n import _
             from . import (
                 error,
                 util,
             )
             # Python 2.7.9+ overhauled the built-in SSL/TLS features of Python. It added
             # support for TLS 1.1, TLS 1.2, SNI, system CA stores, etc. These features are
             # all exposed via the "ssl" module.
             #
             # Depending on the version of Python being used, SSL/TLS support is either
             # modern/secure or legacy/insecure. Many operations in this module have
             # separate code paths depending on support in Python.
             hassni = getattr(ssl, 'HAS_SNI', False)
             try:
                 OP_NO_SSLv2 = ssl.OP_NO_SSLv2
                 OP_NO_SSLv3 = ssl.OP_NO_SSLv3
             except AttributeError:
                 OP_NO_SSLv2 = 0x1000000
                 OP_NO_SSLv3 = 0x2000000
             try:
                 # ssl.SSLContext was added in 2.7.9 and presence indicates modern
                 # SSL/TLS features are available.
                 SSLContext = ssl.SSLContext
                 modernssl = True
                 _canloaddefaultcerts = util.safehasattr(SSLContext, 'load_default_certs')
             except AttributeError:
                 modernssl = False
                 _canloaddefaultcerts = False
                 # We implement SSLContext using the interface from the standard library.
                 class SSLContext(object):
                     # ssl.wrap_socket gained the "ciphers" named argument in 2.7.
                     _supportsciphers = sys.version_info >= (2, 7)
                     def __init__(self, protocol):
                         # From the public interface of SSLContext
                         self.protocol = protocol
                         self.check_hostname = False
                         self.options = 0
                         self.verify_mode = ssl.CERT_NONE
                         # Used by our implementation.
                         self._certfile = None
                         self._keyfile = None
                         self._certpassword = None
                         self._cacerts = None
                         self._ciphers = None
                     def load_cert_chain(self, certfile, keyfile=None, password=None):
                         self._certfile = certfile
                         self._keyfile = keyfile
                         self._certpassword = password
                     def load_default_certs(self, purpose=None):
                         pass
                     def load_verify_locations(self, cafile=None, capath=None, cadata=None):
                         if capath:
                             raise error.Abort('capath not supported')
                         if cadata:
                             raise error.Abort('cadata not supported')
                         self._cacerts = cafile
                     def set_ciphers(self, ciphers):
                         if not self._supportsciphers:
                             raise error.Abort('setting ciphers not supported')
                         self._ciphers = ciphers
                     def wrap_socket(self, socket, server_hostname=None, server_side=False):
                         # server_hostname is unique to SSLContext.wrap_socket and is used
                         # for SNI in that context. So there's nothing for us to do with it
                         # in this legacy code since we don't support SNI.
                         args = {
                             'keyfile': self._keyfile,
                             'certfile': self._certfile,
                             'server_side': server_side,
                             'cert_reqs': self.verify_mode,
                             'ssl_version': self.protocol,
                             'ca_certs': self._cacerts,
                         }
                         if self._supportsciphers:
                             args['ciphers'] = self._ciphers
                         return ssl.wrap_socket(socket, **args)
             def wrapsocket(sock, keyfile, certfile, ui, cert_reqs=ssl.CERT_NONE,
                            ca_certs=None, serverhostname=None):
                 """Add SSL/TLS to a socket.
                 This is a glorified wrapper for ``ssl.wrap_socket()``. It makes sane
                 choices based on what security options are available.
                 In addition to the arguments supported by ``ssl.wrap_socket``, we allow
                 the following additional arguments:
                 * serverhostname - The expected hostname of the remote server. If the
                   server (and client) support SNI, this tells the server which certificate
                   to use.
                 """
                 if not serverhostname:
                     raise error.Abort('serverhostname argument is required')
                 # Despite its name, PROTOCOL_SSLv23 selects the highest protocol
                 # that both ends support, including TLS protocols. On legacy stacks,
                 # the highest it likely goes in TLS 1.0. On modern stacks, it can
                 # support TLS 1.2.
                 #
                 # The PROTOCOL_TLSv* constants select a specific TLS version
                 # only (as opposed to multiple versions). So the method for
                 # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and
                 # disable protocols via SSLContext.options and OP_NO_* constants.
                 # However, SSLContext.options doesn't work unless we have the
                 # full/real SSLContext available to us.
                 #
                 # SSLv2 and SSLv3 are broken. We ban them outright.
                 if modernssl:
                     protocol = ssl.PROTOCOL_SSLv23
                 else:
                     protocol = ssl.PROTOCOL_TLSv1
                 # TODO use ssl.create_default_context() on modernssl.
                 sslcontext = SSLContext(protocol)
                 # This is a no-op on old Python.
                 sslcontext.options |= OP_NO_SSLv2 | OP_NO_SSLv3
                 # This still works on our fake SSLContext.
                 sslcontext.verify_mode = cert_reqs
                 if certfile is not None:
                     def password():
                         f = keyfile or certfile
                         return ui.getpass(_('passphrase for %s: ') % f, '')
                     sslcontext.load_cert_chain(certfile, keyfile, password)
                 if ca_certs is not None:
                     sslcontext.load_verify_locations(cafile=ca_certs)
                     caloaded = True
                 else:
                     # This is a no-op on old Python.
                     sslcontext.load_default_certs()
                     caloaded = _canloaddefaultcerts
                 sslsocket = sslcontext.wrap_socket(sock, server_hostname=serverhostname)
                 # check if wrap_socket failed silently because socket had been
                 # closed
                 # - see http://bugs.python.org/issue13721
                 if not sslsocket.cipher():
                     raise error.Abort(_('ssl connection failed'))
                 sslsocket._hgstate = {
                     'caloaded': caloaded,
                     'hostname': serverhostname,
                     'ui': ui,
                 }
                 return sslsocket
             def _verifycert(cert, hostname):
                 '''Verify that cert (in socket.getpeercert() format) matches hostname.
                 CRLs is not handled.
                 Returns error message if any problems are found and None on success.
                 '''
                 if not cert:
                     return _('no certificate received')
                 dnsname = hostname.lower()
                 def matchdnsname(certname):
                     return (certname == dnsname or
                             '.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1])
                 san = cert.get('subjectAltName', [])
                 if san:
                     certnames = [value.lower() for key, value in san if key == 'DNS']
                     for name in certnames:
                         if matchdnsname(name):
                             return None
                     if certnames:
                         return _('certificate is for %s') % ', '.join(certnames)
                 # subject is only checked when subjectAltName is empty
                 for s in cert.get('subject', []):
                     key, value = s[0]
                     if key == 'commonName':
                         try:
                             # 'subject' entries are unicode
                             certname = value.lower().encode('ascii')
                         except UnicodeEncodeError:
                             return _('IDN in certificate not supported')
                         if matchdnsname(certname):
                             return None
                         return _('certificate is for %s') % certname
                 return _('no commonName or subjectAltName found in certificate')
             # CERT_REQUIRED means fetch the cert from the server all the time AND
             # validate it against the CA store provided in web.cacerts.
             def _plainapplepython():
                 """return true if this seems to be a pure Apple Python that
                 * is unfrozen and presumably has the whole mercurial module in the file
                   system
                 * presumably is an Apple Python that uses Apple OpenSSL which has patches
                   for using system certificate store CAs in addition to the provided
                   cacerts file
                 """
                 if sys.platform != 'darwin' or util.mainfrozen() or not sys.executable:
                     return False
                 exe = os.path.realpath(sys.executable).lower()
                 return (exe.startswith('/usr/bin/python') or
                         exe.startswith('/system/library/frameworks/python.framework/'))
             def _defaultcacerts():
                 """return path to default CA certificates or None."""
                 if _plainapplepython():
                     dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
                     if os.path.exists(dummycert):
                         return dummycert
                 return None
             def sslkwargs(ui, host):
                 """Determine arguments to pass to wrapsocket().
                 ``host`` is the hostname being connected to.
                 """
                 kws = {'ui': ui}
                 # If a host key fingerprint is on file, it is the only thing that matters
                 # and CA certs don't come into play.
                 hostfingerprint = ui.config('hostfingerprints', host)
                 if hostfingerprint:
                     return kws
                 # The code below sets up CA verification arguments. If --insecure is
                 # used, we don't take CAs into consideration, so return early.
                 if ui.insecureconnections:
                     return kws
                 cacerts = ui.config('web', 'cacerts')
                 # If a value is set in the config, validate against a path and load
                 # and require those certs.
                 if cacerts:
                     cacerts = util.expandpath(cacerts)
                     if not os.path.exists(cacerts):
                         raise error.Abort(_('could not find web.cacerts: %s') % cacerts)
                     kws.update({'ca_certs': cacerts,
                                 'cert_reqs': ssl.CERT_REQUIRED})
                     return kws
                 # No CAs in config. See if we can load defaults.
                 cacerts = _defaultcacerts()
                 # We found an alternate CA bundle to use. Load it.
                 if cacerts:
                     ui.debug('using %s to enable OS X system CA\n' % cacerts)
                     ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')
                     kws.update({'ca_certs': cacerts,
                                 'cert_reqs': ssl.CERT_REQUIRED})
                     return kws
                 # FUTURE this can disappear once wrapsocket() is secure by default.
                 if _canloaddefaultcerts:
                     kws['cert_reqs'] = ssl.CERT_REQUIRED
                     return kws
                 return kws
-            class validator(object):
+            def validatesocket(sock, strict=False):
-                def __init__(self, ui=None, host=None):
+                """Validate a socket meets security requiremnets.
-                    pass
-                def __call__(self, sock, strict=False):
+                The passed socket must have been created with ``wrapsocket()``.
-                    host = sock._hgstate['hostname']
+                """
-                    ui = sock._hgstate['ui']
+                host = sock._hgstate['hostname']
+                ui = sock._hgstate['ui']
-                    if not sock.cipher(): # work around http://bugs.python.org/issue13721
+                if not sock.cipher(): # work around http://bugs.python.org/issue13721
-                        raise error.Abort(_('%s ssl connection error') % host)
+                    raise error.Abort(_('%s ssl connection error') % host)
-                    try:
+                try:
-                        peercert = sock.getpeercert(True)
+                    peercert = sock.getpeercert(True)
-                        peercert2 = sock.getpeercert()
+                    peercert2 = sock.getpeercert()
-                    except AttributeError:
+                except AttributeError:
-                        raise error.Abort(_('%s ssl connection error') % host)
+                    raise error.Abort(_('%s ssl connection error') % host)
-                    if not peercert:
+                if not peercert:
-                        raise error.Abort(_('%s certificate error: '
+                    raise error.Abort(_('%s certificate error: '
-                                           'no certificate received') % host)
+                                       'no certificate received') % host)
-                    # If a certificate fingerprint is pinned, use it and only it to
+                # If a certificate fingerprint is pinned, use it and only it to
-                    # validate the remote cert.
+                # validate the remote cert.
-                    hostfingerprints = ui.configlist('hostfingerprints', host)
+                hostfingerprints = ui.configlist('hostfingerprints', host)
-                    peerfingerprint = util.sha1(peercert).hexdigest()
+                peerfingerprint = util.sha1(peercert).hexdigest()
-                    nicefingerprint = ":".join([peerfingerprint[x:x + 2]
+                nicefingerprint = ":".join([peerfingerprint[x:x + 2]
-                        for x in xrange(0, len(peerfingerprint), 2)])
+                    for x in xrange(0, len(peerfingerprint), 2)])
-                    if hostfingerprints:
+                if hostfingerprints:
-                        fingerprintmatch = False
+                    fingerprintmatch = False
-                        for hostfingerprint in hostfingerprints:
+                    for hostfingerprint in hostfingerprints:
-                            if peerfingerprint.lower() == \
+                        if peerfingerprint.lower() == \
-                                    hostfingerprint.replace(':', '').lower():
+                                hostfingerprint.replace(':', '').lower():
-                                fingerprintmatch = True
+                            fingerprintmatch = True
-                                break
+                            break
-                        if not fingerprintmatch:
+                    if not fingerprintmatch:
-                            raise error.Abort(_('certificate for %s has unexpected '
+                        raise error.Abort(_('certificate for %s has unexpected '
-                                               'fingerprint %s') % (host, nicefingerprint),
+                                           'fingerprint %s') % (host, nicefingerprint),
-                                             hint=_('check hostfingerprint configuration'))
+                                         hint=_('check hostfingerprint configuration'))
-                        ui.debug('%s certificate matched fingerprint %s\n' %
+                    ui.debug('%s certificate matched fingerprint %s\n' %
-                                 (host, nicefingerprint))
+                             (host, nicefingerprint))
-                        return
+                    return
-                    # If insecure connections were explicitly requested via --insecure,
+                # If insecure connections were explicitly requested via --insecure,
-                    # print a warning and do no verification.
+                # print a warning and do no verification.
+                #
-                    # It may seem odd that this is checked *after* host fingerprint pinning.
+                # It may seem odd that this is checked *after* host fingerprint pinning.
-                    # This is for backwards compatibility (for now). The message is also
+                # This is for backwards compatibility (for now). The message is also
-                    # the same as below for BC.
+                # the same as below for BC.
-                    if ui.insecureconnections:
+                if ui.insecureconnections:
-                        ui.warn(_('warning: %s certificate with fingerprint %s not '
+                    ui.warn(_('warning: %s certificate with fingerprint %s not '
-                                  'verified (check hostfingerprints or web.cacerts '
+                              'verified (check hostfingerprints or web.cacerts '
-                                  'config setting)\n') %
+                              'config setting)\n') %
-                                (host, nicefingerprint))
+                            (host, nicefingerprint))
-                        return
+                    return
-                    if not sock._hgstate['caloaded']:
+                if not sock._hgstate['caloaded']:
-                        if strict:
+                    if strict:
-                            raise error.Abort(_('%s certificate with fingerprint %s not '
+                        raise error.Abort(_('%s certificate with fingerprint %s not '
-                                                'verified') % (host, nicefingerprint),
+                                            'verified') % (host, nicefingerprint),
-                                              hint=_('check hostfingerprints or '
+                                          hint=_('check hostfingerprints or '
-                                                     'web.cacerts config setting'))
+                                                 'web.cacerts config setting'))
-                        else:
+                    else:
-                            ui.warn(_('warning: %s certificate with fingerprint %s '
+                        ui.warn(_('warning: %s certificate with fingerprint %s '
-                                      'not verified (check hostfingerprints or '
+                                  'not verified (check hostfingerprints or '
-                                      'web.cacerts config setting)\n') %
+                                  'web.cacerts config setting)\n') %
-                                    (host, nicefingerprint))
+                                (host, nicefingerprint))
-                        return
+                    return
-                    msg = _verifycert(peercert2, host)
+                msg = _verifycert(peercert2, host)
-                    if msg:
+                if msg:
-                        raise error.Abort(_('%s certificate error: %s') % (host, msg),
+                    raise error.Abort(_('%s certificate error: %s') % (host, msg),
-                                         hint=_('configure hostfingerprint %s or use '
+                                     hint=_('configure hostfingerprint %s or use '
-                                                '--insecure to connect insecurely') %
+                                            '--insecure to connect insecurely') %
-                                              nicefingerprint)
+                                          nicefingerprint)

mercurial/url.py

0 +1 -1

             # url.py - HTTP handling for mercurial
             #
             # Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com>
             # Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>
             # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
             #
             # This software may be used and distributed according to the terms of the
             # GNU General Public License version 2 or any later version.
             from __future__ import absolute_import
             import base64
             import httplib
             import os
             import socket
             from .i18n import _
             from . import (
                 error,
                 httpconnection as httpconnectionmod,
                 keepalive,
                 sslutil,
                 util,
             )
             stringio = util.stringio
             urlerr = util.urlerr
             urlreq = util.urlreq
             class passwordmgr(urlreq.httppasswordmgrwithdefaultrealm):
                 def __init__(self, ui):
                     urlreq.httppasswordmgrwithdefaultrealm.__init__(self)
                     self.ui = ui
                 def find_user_password(self, realm, authuri):
                     authinfo = urlreq.httppasswordmgrwithdefaultrealm.find_user_password(
                         self, realm, authuri)
                     user, passwd = authinfo
                     if user and passwd:
                         self._writedebug(user, passwd)
                         return (user, passwd)
                     if not user or not passwd:
                         res = httpconnectionmod.readauthforuri(self.ui, authuri, user)
                         if res:
                             group, auth = res
                             user, passwd = auth.get('username'), auth.get('password')
                             self.ui.debug("using auth.%s.* for authentication\n" % group)
                     if not user or not passwd:
                         u = util.url(authuri)
                         u.query = None
                         if not self.ui.interactive():
                             raise error.Abort(_('http authorization required for %s') %
                                              util.hidepassword(str(u)))
                         self.ui.write(_("http authorization required for %s\n") %
                                       util.hidepassword(str(u)))
                         self.ui.write(_("realm: %s\n") % realm)
                         if user:
                             self.ui.write(_("user: %s\n") % user)
                         else:
                             user = self.ui.prompt(_("user:"), default=None)
                         if not passwd:
                             passwd = self.ui.getpass()
                     self.add_password(realm, authuri, user, passwd)
                     self._writedebug(user, passwd)
                     return (user, passwd)
                 def _writedebug(self, user, passwd):
                     msg = _('http auth: user %s, password %s\n')
                     self.ui.debug(msg % (user, passwd and '*' * len(passwd) or 'not set'))
                 def find_stored_password(self, authuri):
                     return urlreq.httppasswordmgrwithdefaultrealm.find_user_password(
                         self, None, authuri)
             class proxyhandler(urlreq.proxyhandler):
                 def __init__(self, ui):
                     proxyurl = ui.config("http_proxy", "host") or os.getenv('http_proxy')
                     # XXX proxyauthinfo = None
                     if proxyurl:
                         # proxy can be proper url or host[:port]
                         if not (proxyurl.startswith('http:') or
                                 proxyurl.startswith('https:')):
                             proxyurl = 'http://' + proxyurl + '/'
                         proxy = util.url(proxyurl)
                         if not proxy.user:
                             proxy.user = ui.config("http_proxy", "user")
                             proxy.passwd = ui.config("http_proxy", "passwd")
                         # see if we should use a proxy for this url
                         no_list = ["localhost", "127.0.0.1"]
                         no_list.extend([p.lower() for
                                         p in ui.configlist("http_proxy", "no")])
                         no_list.extend([p.strip().lower() for
                                         p in os.getenv("no_proxy", '').split(',')
                                         if p.strip()])
                         # "http_proxy.always" config is for running tests on localhost
                         if ui.configbool("http_proxy", "always"):
                             self.no_list = []
                         else:
                             self.no_list = no_list
                         proxyurl = str(proxy)
                         proxies = {'http': proxyurl, 'https': proxyurl}
                         ui.debug('proxying through http://%s:%s\n' %
                                   (proxy.host, proxy.port))
                     else:
                         proxies = {}
                     # urllib2 takes proxy values from the environment and those
                     # will take precedence if found. So, if there's a config entry
                     # defining a proxy, drop the environment ones
                     if ui.config("http_proxy", "host"):
                         for env in ["HTTP_PROXY", "http_proxy", "no_proxy"]:
                             try:
                                 if env in os.environ:
                                     del os.environ[env]
                             except OSError:
                                 pass
                     urlreq.proxyhandler.__init__(self, proxies)
                     self.ui = ui
                 def proxy_open(self, req, proxy, type_):
                     host = req.get_host().split(':')[0]
                     for e in self.no_list:
                         if host == e:
                             return None
                         if e.startswith('*.') and host.endswith(e[2:]):
                             return None
                         if e.startswith('.') and host.endswith(e[1:]):
                             return None
                     return urlreq.proxyhandler.proxy_open(self, req, proxy, type_)
             def _gen_sendfile(orgsend):
                 def _sendfile(self, data):
                     # send a file
                     if isinstance(data, httpconnectionmod.httpsendfile):
                         # if auth required, some data sent twice, so rewind here
                         data.seek(0)
                         for chunk in util.filechunkiter(data):
                             orgsend(self, chunk)
                     else:
                         orgsend(self, data)
                 return _sendfile
             has_https = util.safehasattr(urlreq, 'httpshandler')
             if has_https:
                 try:
                     _create_connection = socket.create_connection
                 except AttributeError:
                     _GLOBAL_DEFAULT_TIMEOUT = object()
                     def _create_connection(address, timeout=_GLOBAL_DEFAULT_TIMEOUT,
                                            source_address=None):
                         # lifted from Python 2.6
                         msg = "getaddrinfo returns an empty list"
                         host, port = address
                         for res in socket.getaddrinfo(host, port, 0, socket.SOCK_STREAM):
                             af, socktype, proto, canonname, sa = res
                             sock = None
                             try:
                                 sock = socket.socket(af, socktype, proto)
                                 if timeout is not _GLOBAL_DEFAULT_TIMEOUT:
                                     sock.settimeout(timeout)
                                 if source_address:
                                     sock.bind(source_address)
                                 sock.connect(sa)
                                 return sock
                             except socket.error as msg:
                                 if sock is not None:
                                     sock.close()
                         raise socket.error(msg)
             class httpconnection(keepalive.HTTPConnection):
                 # must be able to send big bundle as stream.
                 send = _gen_sendfile(keepalive.HTTPConnection.send)
                 def connect(self):
                     if has_https and self.realhostport: # use CONNECT proxy
                         self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                         self.sock.connect((self.host, self.port))
                         if _generic_proxytunnel(self):
                             # we do not support client X.509 certificates
                             self.sock = sslutil.wrapsocket(self.sock, None, None, None,
                                                            serverhostname=self.host)
                     else:
                         keepalive.HTTPConnection.connect(self)
                 def getresponse(self):
                     proxyres = getattr(self, 'proxyres', None)
                     if proxyres:
                         if proxyres.will_close:
                             self.close()
                         self.proxyres = None
                         return proxyres
                     return keepalive.HTTPConnection.getresponse(self)
             # general transaction handler to support different ways to handle
             # HTTPS proxying before and after Python 2.6.3.
             def _generic_start_transaction(handler, h, req):
                 tunnel_host = getattr(req, '_tunnel_host', None)
                 if tunnel_host:
                     if tunnel_host[:7] not in ['http://', 'https:/']:
                         tunnel_host = 'https://' + tunnel_host
                     new_tunnel = True
                 else:
                     tunnel_host = req.get_selector()
                     new_tunnel = False
                 if new_tunnel or tunnel_host == req.get_full_url(): # has proxy
                     u = util.url(tunnel_host)
                     if new_tunnel or u.scheme == 'https': # only use CONNECT for HTTPS
                         h.realhostport = ':'.join([u.host, (u.port or '443')])
                         h.headers = req.headers.copy()
                         h.headers.update(handler.parent.addheaders)
                         return
                 h.realhostport = None
                 h.headers = None
             def _generic_proxytunnel(self):
                 proxyheaders = dict(
                         [(x, self.headers[x]) for x in self.headers
                          if x.lower().startswith('proxy-')])
                 self.send('CONNECT %s HTTP/1.0\r\n' % self.realhostport)
                 for header in proxyheaders.iteritems():
                     self.send('%s: %s\r\n' % header)
                 self.send('\r\n')
                 # majority of the following code is duplicated from
                 # httplib.HTTPConnection as there are no adequate places to
                 # override functions to provide the needed functionality
                 res = self.response_class(self.sock,
                                           strict=self.strict,
                                           method=self._method)
                 while True:
                     version, status, reason = res._read_status()
                     if status != httplib.CONTINUE:
                         break
                     while True:
                         skip = res.fp.readline().strip()
                         if not skip:
                             break
                 res.status = status
                 res.reason = reason.strip()
                 if res.status == 200:
                     while True:
                         line = res.fp.readline()
                         if line == '\r\n':
                             break
                     return True
                 if version == 'HTTP/1.0':
                     res.version = 10
                 elif version.startswith('HTTP/1.'):
                     res.version = 11
                 elif version == 'HTTP/0.9':
                     res.version = 9
                 else:
                     raise httplib.UnknownProtocol(version)
                 if res.version == 9:
                     res.length = None
                     res.chunked = 0
                     res.will_close = 1
                     res.msg = httplib.HTTPMessage(stringio())
                     return False
                 res.msg = httplib.HTTPMessage(res.fp)
                 res.msg.fp = None
                 # are we using the chunked-style of transfer encoding?
                 trenc = res.msg.getheader('transfer-encoding')
                 if trenc and trenc.lower() == "chunked":
                     res.chunked = 1
                     res.chunk_left = None
                 else:
                     res.chunked = 0
                 # will the connection close at the end of the response?
                 res.will_close = res._check_close()
                 # do we have a Content-Length?
                 # NOTE: RFC 2616, section 4.4, #3 says we ignore this if
                 # transfer-encoding is "chunked"
                 length = res.msg.getheader('content-length')
                 if length and not res.chunked:
                     try:
                         res.length = int(length)
                     except ValueError:
                         res.length = None
                     else:
                         if res.length < 0:  # ignore nonsensical negative lengths
                             res.length = None
                 else:
                     res.length = None
                 # does the body have a fixed length? (of zero)
                 if (status == httplib.NO_CONTENT or status == httplib.NOT_MODIFIED or
 <= status < 200 or # 1xx codes
                     res._method == 'HEAD'):
                     res.length = 0
                 # if the connection remains open, and we aren't using chunked, and
                 # a content-length was not provided, then assume that the connection
                 # WILL close.
                 if (not res.will_close and
                    not res.chunked and
                    res.length is None):
                     res.will_close = 1
                 self.proxyres = res
                 return False
             class httphandler(keepalive.HTTPHandler):
                 def http_open(self, req):
                     return self.do_open(httpconnection, req)
                 def _start_transaction(self, h, req):
                     _generic_start_transaction(self, h, req)
                     return keepalive.HTTPHandler._start_transaction(self, h, req)
             if has_https:
                 class httpsconnection(httplib.HTTPConnection):
                     response_class = keepalive.HTTPResponse
                     default_port = httplib.HTTPS_PORT
                     # must be able to send big bundle as stream.
                     send = _gen_sendfile(keepalive.safesend)
                     getresponse = keepalive.wrapgetresponse(httplib.HTTPConnection)
                     def __init__(self, host, port=None, key_file=None, cert_file=None,
                                  *args, **kwargs):
                         httplib.HTTPConnection.__init__(self, host, port, *args, **kwargs)
                         self.key_file = key_file
                         self.cert_file = cert_file
                     def connect(self):
                         self.sock = _create_connection((self.host, self.port))
                         host = self.host
                         if self.realhostport: # use CONNECT proxy
                             _generic_proxytunnel(self)
                             host = self.realhostport.rsplit(':', 1)[0]
                         self.sock = sslutil.wrapsocket(
                             self.sock, self.key_file, self.cert_file, serverhostname=host,
                             **sslutil.sslkwargs(self.ui, host))
-                        sslutil.validator(self.ui, host)(self.sock)
+                        sslutil.validatesocket(self.sock)
                 class httpshandler(keepalive.KeepAliveHandler, urlreq.httpshandler):
                     def __init__(self, ui):
                         keepalive.KeepAliveHandler.__init__(self)
                         urlreq.httpshandler.__init__(self)
                         self.ui = ui
                         self.pwmgr = passwordmgr(self.ui)
                     def _start_transaction(self, h, req):
                         _generic_start_transaction(self, h, req)
                         return keepalive.KeepAliveHandler._start_transaction(self, h, req)
                     def https_open(self, req):
                         # req.get_full_url() does not contain credentials and we may
                         # need them to match the certificates.
                         url = req.get_full_url()
                         user, password = self.pwmgr.find_stored_password(url)
                         res = httpconnectionmod.readauthforuri(self.ui, url, user)
                         if res:
                             group, auth = res
                             self.auth = auth
                             self.ui.debug("using auth.%s.* for authentication\n" % group)
                         else:
                             self.auth = None
                         return self.do_open(self._makeconnection, req)
                     def _makeconnection(self, host, port=None, *args, **kwargs):
                         keyfile = None
                         certfile = None
                         if len(args) >= 1: # key_file
                             keyfile = args[0]
                         if len(args) >= 2: # cert_file
                             certfile = args[1]
                         args = args[2:]
                         # if the user has specified different key/cert files in
                         # hgrc, we prefer these
                         if self.auth and 'key' in self.auth and 'cert' in self.auth:
                             keyfile = self.auth['key']
                             certfile = self.auth['cert']
                         conn = httpsconnection(host, port, keyfile, certfile, *args,
                                                **kwargs)
                         conn.ui = self.ui
                         return conn
             class httpdigestauthhandler(urlreq.httpdigestauthhandler):
                 def __init__(self, *args, **kwargs):
                     urlreq.httpdigestauthhandler.__init__(self, *args, **kwargs)
                     self.retried_req = None
                 def reset_retry_count(self):
                     # Python 2.6.5 will call this on 401 or 407 errors and thus loop
                     # forever. We disable reset_retry_count completely and reset in
                     # http_error_auth_reqed instead.
                     pass
                 def http_error_auth_reqed(self, auth_header, host, req, headers):
                     # Reset the retry counter once for each request.
                     if req is not self.retried_req:
                         self.retried_req = req
                         self.retried = 0
                     return urlreq.httpdigestauthhandler.http_error_auth_reqed(
                                 self, auth_header, host, req, headers)
             class httpbasicauthhandler(urlreq.httpbasicauthhandler):
                 def __init__(self, *args, **kwargs):
                     self.auth = None
                     urlreq.httpbasicauthhandler.__init__(self, *args, **kwargs)
                     self.retried_req = None
                 def http_request(self, request):
                     if self.auth:
                         request.add_unredirected_header(self.auth_header, self.auth)
                     return request
                 def https_request(self, request):
                     if self.auth:
                         request.add_unredirected_header(self.auth_header, self.auth)
                     return request
                 def reset_retry_count(self):
                     # Python 2.6.5 will call this on 401 or 407 errors and thus loop
                     # forever. We disable reset_retry_count completely and reset in
                     # http_error_auth_reqed instead.
                     pass
                 def http_error_auth_reqed(self, auth_header, host, req, headers):
                     # Reset the retry counter once for each request.
                     if req is not self.retried_req:
                         self.retried_req = req
                         self.retried = 0
                     return urlreq.httpbasicauthhandler.http_error_auth_reqed(
                                     self, auth_header, host, req, headers)
                 def retry_http_basic_auth(self, host, req, realm):
                     user, pw = self.passwd.find_user_password(realm, req.get_full_url())
                     if pw is not None:
                         raw = "%s:%s" % (user, pw)
                         auth = 'Basic %s' % base64.b64encode(raw).strip()
                         if req.headers.get(self.auth_header, None) == auth:
                             return None
                         self.auth = auth
                         req.add_unredirected_header(self.auth_header, auth)
                         return self.parent.open(req)
                     else:
                         return None
             handlerfuncs = []
             def opener(ui, authinfo=None):
                 '''
                 construct an opener suitable for urllib2
                 authinfo will be added to the password manager
                 '''
                 # experimental config: ui.usehttp2
                 if ui.configbool('ui', 'usehttp2', False):
                     handlers = [httpconnectionmod.http2handler(ui, passwordmgr(ui))]
                 else:
                     handlers = [httphandler()]
                     if has_https:
                         handlers.append(httpshandler(ui))
                 handlers.append(proxyhandler(ui))
                 passmgr = passwordmgr(ui)
                 if authinfo is not None:
                     passmgr.add_password(*authinfo)
                     user, passwd = authinfo[2:4]
                     ui.debug('http auth: user %s, password %s\n' %
                              (user, passwd and '*' * len(passwd) or 'not set'))
                 handlers.extend((httpbasicauthhandler(passmgr),
                                  httpdigestauthhandler(passmgr)))
                 handlers.extend([h(ui, passmgr) for h in handlerfuncs])
                 opener = urlreq.buildopener(*handlers)
                 # 1.0 here is the _protocol_ version
                 opener.addheaders = [('User-agent', 'mercurial/proto-1.0')]
                 opener.addheaders.append(('Accept', 'application/mercurial-0.1'))
                 return opener
             def open(ui, url_, data=None):
                 u = util.url(url_)
                 if u.scheme:
                     u.scheme = u.scheme.lower()
                     url_, authinfo = u.authinfo()
                 else:
                     path = util.normpath(os.path.abspath(url_))
                     url_ = 'file://' + urlreq.pathname2url(path)
                     authinfo = None
                 return opener(ui, authinfo).open(url_, data)

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages