##// END OF EJS Templates
sslutil: further refactor sslkwargs...
Gregory Szorc -
r29106:fe7ebef8 default
parent child Browse files
Show More
@@ -1,330 +1,335
1 1 # sslutil.py - SSL handling for mercurial
2 2 #
3 3 # Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com>
4 4 # Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>
5 5 # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
6 6 #
7 7 # This software may be used and distributed according to the terms of the
8 8 # GNU General Public License version 2 or any later version.
9 9
10 10 from __future__ import absolute_import
11 11
12 12 import os
13 13 import ssl
14 14 import sys
15 15
16 16 from .i18n import _
17 17 from . import (
18 18 error,
19 19 util,
20 20 )
21 21
22 22 # Python 2.7.9+ overhauled the built-in SSL/TLS features of Python. It added
23 23 # support for TLS 1.1, TLS 1.2, SNI, system CA stores, etc. These features are
24 24 # all exposed via the "ssl" module.
25 25 #
26 26 # Depending on the version of Python being used, SSL/TLS support is either
27 27 # modern/secure or legacy/insecure. Many operations in this module have
28 28 # separate code paths depending on support in Python.
29 29
30 30 hassni = getattr(ssl, 'HAS_SNI', False)
31 31
32 32 try:
33 33 OP_NO_SSLv2 = ssl.OP_NO_SSLv2
34 34 OP_NO_SSLv3 = ssl.OP_NO_SSLv3
35 35 except AttributeError:
36 36 OP_NO_SSLv2 = 0x1000000
37 37 OP_NO_SSLv3 = 0x2000000
38 38
39 39 try:
40 40 # ssl.SSLContext was added in 2.7.9 and presence indicates modern
41 41 # SSL/TLS features are available.
42 42 SSLContext = ssl.SSLContext
43 43 modernssl = True
44 44 _canloaddefaultcerts = util.safehasattr(SSLContext, 'load_default_certs')
45 45 except AttributeError:
46 46 modernssl = False
47 47 _canloaddefaultcerts = False
48 48
49 49 # We implement SSLContext using the interface from the standard library.
50 50 class SSLContext(object):
51 51 # ssl.wrap_socket gained the "ciphers" named argument in 2.7.
52 52 _supportsciphers = sys.version_info >= (2, 7)
53 53
54 54 def __init__(self, protocol):
55 55 # From the public interface of SSLContext
56 56 self.protocol = protocol
57 57 self.check_hostname = False
58 58 self.options = 0
59 59 self.verify_mode = ssl.CERT_NONE
60 60
61 61 # Used by our implementation.
62 62 self._certfile = None
63 63 self._keyfile = None
64 64 self._certpassword = None
65 65 self._cacerts = None
66 66 self._ciphers = None
67 67
68 68 def load_cert_chain(self, certfile, keyfile=None, password=None):
69 69 self._certfile = certfile
70 70 self._keyfile = keyfile
71 71 self._certpassword = password
72 72
73 73 def load_default_certs(self, purpose=None):
74 74 pass
75 75
76 76 def load_verify_locations(self, cafile=None, capath=None, cadata=None):
77 77 if capath:
78 78 raise error.Abort('capath not supported')
79 79 if cadata:
80 80 raise error.Abort('cadata not supported')
81 81
82 82 self._cacerts = cafile
83 83
84 84 def set_ciphers(self, ciphers):
85 85 if not self._supportsciphers:
86 86 raise error.Abort('setting ciphers not supported')
87 87
88 88 self._ciphers = ciphers
89 89
90 90 def wrap_socket(self, socket, server_hostname=None, server_side=False):
91 91 # server_hostname is unique to SSLContext.wrap_socket and is used
92 92 # for SNI in that context. So there's nothing for us to do with it
93 93 # in this legacy code since we don't support SNI.
94 94
95 95 args = {
96 96 'keyfile': self._keyfile,
97 97 'certfile': self._certfile,
98 98 'server_side': server_side,
99 99 'cert_reqs': self.verify_mode,
100 100 'ssl_version': self.protocol,
101 101 'ca_certs': self._cacerts,
102 102 }
103 103
104 104 if self._supportsciphers:
105 105 args['ciphers'] = self._ciphers
106 106
107 107 return ssl.wrap_socket(socket, **args)
108 108
109 109 def wrapsocket(sock, keyfile, certfile, ui, cert_reqs=ssl.CERT_NONE,
110 110 ca_certs=None, serverhostname=None):
111 111 """Add SSL/TLS to a socket.
112 112
113 113 This is a glorified wrapper for ``ssl.wrap_socket()``. It makes sane
114 114 choices based on what security options are available.
115 115
116 116 In addition to the arguments supported by ``ssl.wrap_socket``, we allow
117 117 the following additional arguments:
118 118
119 119 * serverhostname - The expected hostname of the remote server. If the
120 120 server (and client) support SNI, this tells the server which certificate
121 121 to use.
122 122 """
123 123 # Despite its name, PROTOCOL_SSLv23 selects the highest protocol
124 124 # that both ends support, including TLS protocols. On legacy stacks,
125 125 # the highest it likely goes in TLS 1.0. On modern stacks, it can
126 126 # support TLS 1.2.
127 127 #
128 128 # The PROTOCOL_TLSv* constants select a specific TLS version
129 129 # only (as opposed to multiple versions). So the method for
130 130 # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and
131 131 # disable protocols via SSLContext.options and OP_NO_* constants.
132 132 # However, SSLContext.options doesn't work unless we have the
133 133 # full/real SSLContext available to us.
134 134 #
135 135 # SSLv2 and SSLv3 are broken. We ban them outright.
136 136 if modernssl:
137 137 protocol = ssl.PROTOCOL_SSLv23
138 138 else:
139 139 protocol = ssl.PROTOCOL_TLSv1
140 140
141 141 # TODO use ssl.create_default_context() on modernssl.
142 142 sslcontext = SSLContext(protocol)
143 143
144 144 # This is a no-op on old Python.
145 145 sslcontext.options |= OP_NO_SSLv2 | OP_NO_SSLv3
146 146
147 147 # This still works on our fake SSLContext.
148 148 sslcontext.verify_mode = cert_reqs
149 149
150 150 if certfile is not None:
151 151 def password():
152 152 f = keyfile or certfile
153 153 return ui.getpass(_('passphrase for %s: ') % f, '')
154 154 sslcontext.load_cert_chain(certfile, keyfile, password)
155 155
156 156 if ca_certs is not None:
157 157 sslcontext.load_verify_locations(cafile=ca_certs)
158 158 else:
159 159 # This is a no-op on old Python.
160 160 sslcontext.load_default_certs()
161 161
162 162 sslsocket = sslcontext.wrap_socket(sock, server_hostname=serverhostname)
163 163 # check if wrap_socket failed silently because socket had been
164 164 # closed
165 165 # - see http://bugs.python.org/issue13721
166 166 if not sslsocket.cipher():
167 167 raise error.Abort(_('ssl connection failed'))
168 168 return sslsocket
169 169
170 170 def _verifycert(cert, hostname):
171 171 '''Verify that cert (in socket.getpeercert() format) matches hostname.
172 172 CRLs is not handled.
173 173
174 174 Returns error message if any problems are found and None on success.
175 175 '''
176 176 if not cert:
177 177 return _('no certificate received')
178 178 dnsname = hostname.lower()
179 179 def matchdnsname(certname):
180 180 return (certname == dnsname or
181 181 '.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1])
182 182
183 183 san = cert.get('subjectAltName', [])
184 184 if san:
185 185 certnames = [value.lower() for key, value in san if key == 'DNS']
186 186 for name in certnames:
187 187 if matchdnsname(name):
188 188 return None
189 189 if certnames:
190 190 return _('certificate is for %s') % ', '.join(certnames)
191 191
192 192 # subject is only checked when subjectAltName is empty
193 193 for s in cert.get('subject', []):
194 194 key, value = s[0]
195 195 if key == 'commonName':
196 196 try:
197 197 # 'subject' entries are unicode
198 198 certname = value.lower().encode('ascii')
199 199 except UnicodeEncodeError:
200 200 return _('IDN in certificate not supported')
201 201 if matchdnsname(certname):
202 202 return None
203 203 return _('certificate is for %s') % certname
204 204 return _('no commonName or subjectAltName found in certificate')
205 205
206 206
207 207 # CERT_REQUIRED means fetch the cert from the server all the time AND
208 208 # validate it against the CA store provided in web.cacerts.
209 209
210 210 def _plainapplepython():
211 211 """return true if this seems to be a pure Apple Python that
212 212 * is unfrozen and presumably has the whole mercurial module in the file
213 213 system
214 214 * presumably is an Apple Python that uses Apple OpenSSL which has patches
215 215 for using system certificate store CAs in addition to the provided
216 216 cacerts file
217 217 """
218 218 if sys.platform != 'darwin' or util.mainfrozen() or not sys.executable:
219 219 return False
220 220 exe = os.path.realpath(sys.executable).lower()
221 221 return (exe.startswith('/usr/bin/python') or
222 222 exe.startswith('/system/library/frameworks/python.framework/'))
223 223
224 224 def _defaultcacerts():
225 225 """return path to CA certificates; None for system's store; ! to disable"""
226 226 if _plainapplepython():
227 227 dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
228 228 if os.path.exists(dummycert):
229 229 return dummycert
230 230 if _canloaddefaultcerts:
231 231 return None
232 232 return '!'
233 233
234 234 def sslkwargs(ui, host):
235 235 """Determine arguments to pass to wrapsocket().
236 236
237 237 ``host`` is the hostname being connected to.
238 238 """
239 239 kws = {'ui': ui}
240 240
241 241 # If a host key fingerprint is on file, it is the only thing that matters
242 242 # and CA certs don't come into play.
243 243 hostfingerprint = ui.config('hostfingerprints', host)
244 244 if hostfingerprint:
245 245 return kws
246 246
247 247 # dispatch sets web.cacerts=! when --insecure is used.
248 248 cacerts = ui.config('web', 'cacerts')
249 249 if cacerts == '!':
250 250 return kws
251 251
252 # If a value is set in the config, validate against a path and load
253 # and require those certs.
252 254 if cacerts:
253 255 cacerts = util.expandpath(cacerts)
254 256 if not os.path.exists(cacerts):
255 257 raise error.Abort(_('could not find web.cacerts: %s') % cacerts)
256 else:
257 # CA certs aren't explicitly listed in the config. See if we can load
258 # defaults.
259 cacerts = _defaultcacerts()
260 if cacerts and cacerts != '!':
261 ui.debug('using %s to enable OS X system CA\n' % cacerts)
262 ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')
258
259 kws.update({'ca_certs': cacerts,
260 'cert_reqs': ssl.CERT_REQUIRED})
261 return kws
262
263 # No CAs in config. See if we can load defaults.
264 cacerts = _defaultcacerts()
265 if cacerts and cacerts != '!':
266 ui.debug('using %s to enable OS X system CA\n' % cacerts)
267 ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')
263 268
264 269 if cacerts != '!':
265 270 kws.update({'ca_certs': cacerts,
266 271 'cert_reqs': ssl.CERT_REQUIRED,
267 272 })
268 273 return kws
269 274
270 275 class validator(object):
271 276 def __init__(self, ui, host):
272 277 self.ui = ui
273 278 self.host = host
274 279
275 280 def __call__(self, sock, strict=False):
276 281 host = self.host
277 282
278 283 if not sock.cipher(): # work around http://bugs.python.org/issue13721
279 284 raise error.Abort(_('%s ssl connection error') % host)
280 285 try:
281 286 peercert = sock.getpeercert(True)
282 287 peercert2 = sock.getpeercert()
283 288 except AttributeError:
284 289 raise error.Abort(_('%s ssl connection error') % host)
285 290
286 291 if not peercert:
287 292 raise error.Abort(_('%s certificate error: '
288 293 'no certificate received') % host)
289 294
290 295 # If a certificate fingerprint is pinned, use it and only it to
291 296 # validate the remote cert.
292 297 hostfingerprints = self.ui.configlist('hostfingerprints', host)
293 298 peerfingerprint = util.sha1(peercert).hexdigest()
294 299 nicefingerprint = ":".join([peerfingerprint[x:x + 2]
295 300 for x in xrange(0, len(peerfingerprint), 2)])
296 301 if hostfingerprints:
297 302 fingerprintmatch = False
298 303 for hostfingerprint in hostfingerprints:
299 304 if peerfingerprint.lower() == \
300 305 hostfingerprint.replace(':', '').lower():
301 306 fingerprintmatch = True
302 307 break
303 308 if not fingerprintmatch:
304 309 raise error.Abort(_('certificate for %s has unexpected '
305 310 'fingerprint %s') % (host, nicefingerprint),
306 311 hint=_('check hostfingerprint configuration'))
307 312 self.ui.debug('%s certificate matched fingerprint %s\n' %
308 313 (host, nicefingerprint))
309 314 return
310 315
311 316 # No pinned fingerprint. Establish trust by looking at the CAs.
312 317 cacerts = self.ui.config('web', 'cacerts')
313 318 if cacerts != '!':
314 319 msg = _verifycert(peercert2, host)
315 320 if msg:
316 321 raise error.Abort(_('%s certificate error: %s') % (host, msg),
317 322 hint=_('configure hostfingerprint %s or use '
318 323 '--insecure to connect insecurely') %
319 324 nicefingerprint)
320 325 self.ui.debug('%s certificate successfully verified\n' % host)
321 326 elif strict:
322 327 raise error.Abort(_('%s certificate with fingerprint %s not '
323 328 'verified') % (host, nicefingerprint),
324 329 hint=_('check hostfingerprints or web.cacerts '
325 330 'config setting'))
326 331 else:
327 332 self.ui.warn(_('warning: %s certificate with fingerprint %s not '
328 333 'verified (check hostfingerprints or web.cacerts '
329 334 'config setting)\n') %
330 335 (host, nicefingerprint))
General Comments 0
You need to be logged in to leave comments. Login now