hg-stable: mercurial/sslutil.py@19fa0cb71cd3 (annotated)

14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	1	# sslutil.py - SSL handling for mercurial
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	2	#
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	3	# Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com>
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	4	# Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	5	# Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	6	#
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	7	# This software may be used and distributed according to the terms of the
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	8	# GNU General Public License version 2 or any later version.
25430 19fa0cb71cd3 ssl: drop support for Python < 2.6, require ssl module Yuya Nishihara <yuya@tcha.org> parents: 25429 diff changeset	9	import os, sys, ssl
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	10
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	11	from mercurial import util
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	12	from mercurial.i18n import _
24291 760a86865f80 ssl: load CA certificates from system's store by default on Python 2.7.9 Yuya Nishihara <yuya@tcha.org> parents: 24290 diff changeset	13
760a86865f80 ssl: load CA certificates from system's store by default on Python 2.7.9 Yuya Nishihara <yuya@tcha.org> parents: 24290 diff changeset	14	_canloaddefaultcerts = False
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	15	try:
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	16	CERT_REQUIRED = ssl.CERT_REQUIRED
23834 bf07c19b4c82 https: support tls sni (server name indication) for https urls (issue3090) Alex Orange <crazycasta@gmail.com> parents: 23069 diff changeset	17	try:
bf07c19b4c82 https: support tls sni (server name indication) for https urls (issue3090) Alex Orange <crazycasta@gmail.com> parents: 23069 diff changeset	18	ssl_context = ssl.SSLContext
24291 760a86865f80 ssl: load CA certificates from system's store by default on Python 2.7.9 Yuya Nishihara <yuya@tcha.org> parents: 24290 diff changeset	19	_canloaddefaultcerts = util.safehasattr(ssl_context,
760a86865f80 ssl: load CA certificates from system's store by default on Python 2.7.9 Yuya Nishihara <yuya@tcha.org> parents: 24290 diff changeset	20	'load_default_certs')
23834 bf07c19b4c82 https: support tls sni (server name indication) for https urls (issue3090) Alex Orange <crazycasta@gmail.com> parents: 23069 diff changeset	21
25429 9d1c61715939 ssl: rename ssl_wrap_socket() to conform to our naming convention Yuya Nishihara <yuya@tcha.org> parents: 25415 diff changeset	22	def wrapsocket(sock, keyfile, certfile, ui,
9d1c61715939 ssl: rename ssl_wrap_socket() to conform to our naming convention Yuya Nishihara <yuya@tcha.org> parents: 25415 diff changeset	23	cert_reqs=ssl.CERT_NONE,
9d1c61715939 ssl: rename ssl_wrap_socket() to conform to our naming convention Yuya Nishihara <yuya@tcha.org> parents: 25415 diff changeset	24	ca_certs=None, serverhostname=None):
23850 e1931f7cd977 sslutil: use saner TLS settings on Python 2.7.9 Augie Fackler <augie@google.com> parents: 23849 diff changeset	25	# Allow any version of SSL starting with TLSv1 and
e1931f7cd977 sslutil: use saner TLS settings on Python 2.7.9 Augie Fackler <augie@google.com> parents: 23849 diff changeset	26	# up. Note that specifying TLSv1 here prohibits use of
e1931f7cd977 sslutil: use saner TLS settings on Python 2.7.9 Augie Fackler <augie@google.com> parents: 23849 diff changeset	27	# newer standards (like TLSv1_2), so this is the right way
e1931f7cd977 sslutil: use saner TLS settings on Python 2.7.9 Augie Fackler <augie@google.com> parents: 23849 diff changeset	28	# to do this. Note that in the future it'd be better to
e1931f7cd977 sslutil: use saner TLS settings on Python 2.7.9 Augie Fackler <augie@google.com> parents: 23849 diff changeset	29	# support using ssl.create_default_context(), which sets
e1931f7cd977 sslutil: use saner TLS settings on Python 2.7.9 Augie Fackler <augie@google.com> parents: 23849 diff changeset	30	# up a bunch of things in smart ways (strong ciphers,
e1931f7cd977 sslutil: use saner TLS settings on Python 2.7.9 Augie Fackler <augie@google.com> parents: 23849 diff changeset	31	# protocol versions, etc) and is upgraded by Python
e1931f7cd977 sslutil: use saner TLS settings on Python 2.7.9 Augie Fackler <augie@google.com> parents: 23849 diff changeset	32	# maintainers for us, but that breaks too many things to
e1931f7cd977 sslutil: use saner TLS settings on Python 2.7.9 Augie Fackler <augie@google.com> parents: 23849 diff changeset	33	# do it in a hurry.
e1931f7cd977 sslutil: use saner TLS settings on Python 2.7.9 Augie Fackler <augie@google.com> parents: 23849 diff changeset	34	sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
e1931f7cd977 sslutil: use saner TLS settings on Python 2.7.9 Augie Fackler <augie@google.com> parents: 23849 diff changeset	35	sslcontext.options &= ssl.OP_NO_SSLv2 & ssl.OP_NO_SSLv3
23834 bf07c19b4c82 https: support tls sni (server name indication) for https urls (issue3090) Alex Orange <crazycasta@gmail.com> parents: 23069 diff changeset	36	if certfile is not None:
25415 21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648) Yuya Nishihara <yuya@tcha.org> parents: 24614 diff changeset	37	def password():
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648) Yuya Nishihara <yuya@tcha.org> parents: 24614 diff changeset	38	f = keyfile or certfile
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648) Yuya Nishihara <yuya@tcha.org> parents: 24614 diff changeset	39	return ui.getpass(_('passphrase for %s: ') % f, '')
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648) Yuya Nishihara <yuya@tcha.org> parents: 24614 diff changeset	40	sslcontext.load_cert_chain(certfile, keyfile, password)
23834 bf07c19b4c82 https: support tls sni (server name indication) for https urls (issue3090) Alex Orange <crazycasta@gmail.com> parents: 23069 diff changeset	41	sslcontext.verify_mode = cert_reqs
bf07c19b4c82 https: support tls sni (server name indication) for https urls (issue3090) Alex Orange <crazycasta@gmail.com> parents: 23069 diff changeset	42	if ca_certs is not None:
bf07c19b4c82 https: support tls sni (server name indication) for https urls (issue3090) Alex Orange <crazycasta@gmail.com> parents: 23069 diff changeset	43	sslcontext.load_verify_locations(cafile=ca_certs)
24291 760a86865f80 ssl: load CA certificates from system's store by default on Python 2.7.9 Yuya Nishihara <yuya@tcha.org> parents: 24290 diff changeset	44	elif _canloaddefaultcerts:
760a86865f80 ssl: load CA certificates from system's store by default on Python 2.7.9 Yuya Nishihara <yuya@tcha.org> parents: 24290 diff changeset	45	sslcontext.load_default_certs()
23834 bf07c19b4c82 https: support tls sni (server name indication) for https urls (issue3090) Alex Orange <crazycasta@gmail.com> parents: 23069 diff changeset	46
bf07c19b4c82 https: support tls sni (server name indication) for https urls (issue3090) Alex Orange <crazycasta@gmail.com> parents: 23069 diff changeset	47	sslsocket = sslcontext.wrap_socket(sock,
bf07c19b4c82 https: support tls sni (server name indication) for https urls (issue3090) Alex Orange <crazycasta@gmail.com> parents: 23069 diff changeset	48	server_hostname=serverhostname)
bf07c19b4c82 https: support tls sni (server name indication) for https urls (issue3090) Alex Orange <crazycasta@gmail.com> parents: 23069 diff changeset	49	# check if wrap_socket failed silently because socket had been
bf07c19b4c82 https: support tls sni (server name indication) for https urls (issue3090) Alex Orange <crazycasta@gmail.com> parents: 23069 diff changeset	50	# closed
bf07c19b4c82 https: support tls sni (server name indication) for https urls (issue3090) Alex Orange <crazycasta@gmail.com> parents: 23069 diff changeset	51	# - see http://bugs.python.org/issue13721
bf07c19b4c82 https: support tls sni (server name indication) for https urls (issue3090) Alex Orange <crazycasta@gmail.com> parents: 23069 diff changeset	52	if not sslsocket.cipher():
bf07c19b4c82 https: support tls sni (server name indication) for https urls (issue3090) Alex Orange <crazycasta@gmail.com> parents: 23069 diff changeset	53	raise util.Abort(_('ssl connection failed'))
bf07c19b4c82 https: support tls sni (server name indication) for https urls (issue3090) Alex Orange <crazycasta@gmail.com> parents: 23069 diff changeset	54	return sslsocket
bf07c19b4c82 https: support tls sni (server name indication) for https urls (issue3090) Alex Orange <crazycasta@gmail.com> parents: 23069 diff changeset	55	except AttributeError:
25429 9d1c61715939 ssl: rename ssl_wrap_socket() to conform to our naming convention Yuya Nishihara <yuya@tcha.org> parents: 25415 diff changeset	56	def wrapsocket(sock, keyfile, certfile, ui,
9d1c61715939 ssl: rename ssl_wrap_socket() to conform to our naming convention Yuya Nishihara <yuya@tcha.org> parents: 25415 diff changeset	57	cert_reqs=ssl.CERT_NONE,
9d1c61715939 ssl: rename ssl_wrap_socket() to conform to our naming convention Yuya Nishihara <yuya@tcha.org> parents: 25415 diff changeset	58	ca_certs=None, serverhostname=None):
23834 bf07c19b4c82 https: support tls sni (server name indication) for https urls (issue3090) Alex Orange <crazycasta@gmail.com> parents: 23069 diff changeset	59	sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
bf07c19b4c82 https: support tls sni (server name indication) for https urls (issue3090) Alex Orange <crazycasta@gmail.com> parents: 23069 diff changeset	60	cert_reqs=cert_reqs, ca_certs=ca_certs,
23851 948a8ca27152 sslutil: drop defunct ssl version constants Augie Fackler <augie@google.com> parents: 23850 diff changeset	61	ssl_version=ssl.PROTOCOL_TLSv1)
23834 bf07c19b4c82 https: support tls sni (server name indication) for https urls (issue3090) Alex Orange <crazycasta@gmail.com> parents: 23069 diff changeset	62	# check if wrap_socket failed silently because socket had been
bf07c19b4c82 https: support tls sni (server name indication) for https urls (issue3090) Alex Orange <crazycasta@gmail.com> parents: 23069 diff changeset	63	# closed
bf07c19b4c82 https: support tls sni (server name indication) for https urls (issue3090) Alex Orange <crazycasta@gmail.com> parents: 23069 diff changeset	64	# - see http://bugs.python.org/issue13721
bf07c19b4c82 https: support tls sni (server name indication) for https urls (issue3090) Alex Orange <crazycasta@gmail.com> parents: 23069 diff changeset	65	if not sslsocket.cipher():
bf07c19b4c82 https: support tls sni (server name indication) for https urls (issue3090) Alex Orange <crazycasta@gmail.com> parents: 23069 diff changeset	66	raise util.Abort(_('ssl connection failed'))
bf07c19b4c82 https: support tls sni (server name indication) for https urls (issue3090) Alex Orange <crazycasta@gmail.com> parents: 23069 diff changeset	67	return sslsocket
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	68	except ImportError:
25430 19fa0cb71cd3 ssl: drop support for Python < 2.6, require ssl module Yuya Nishihara <yuya@tcha.org> parents: 25429 diff changeset	69	raise
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	70
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	71	def _verifycert(cert, hostname):
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	72	'''Verify that cert (in socket.getpeercert() format) matches hostname.
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	73	CRLs is not handled.
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	74
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	75	Returns error message if any problems are found and None on success.
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	76	'''
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	77	if not cert:
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	78	return _('no certificate received')
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	79	dnsname = hostname.lower()
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	80	def matchdnsname(certname):
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	81	return (certname == dnsname or
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	82	'.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1])
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	83
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	84	san = cert.get('subjectAltName', [])
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	85	if san:
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	86	certnames = [value.lower() for key, value in san if key == 'DNS']
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	87	for name in certnames:
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	88	if matchdnsname(name):
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	89	return None
14666 27b080aa880a sslutil: fall back to commonName when no dNSName in subjectAltName (issue2798) Nicolas Bareil <nico@chdir.org> parents: 14616 diff changeset	90	if certnames:
27b080aa880a sslutil: fall back to commonName when no dNSName in subjectAltName (issue2798) Nicolas Bareil <nico@chdir.org> parents: 14616 diff changeset	91	return _('certificate is for %s') % ', '.join(certnames)
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	92
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	93	# subject is only checked when subjectAltName is empty
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	94	for s in cert.get('subject', []):
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	95	key, value = s[0]
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	96	if key == 'commonName':
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	97	try:
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	98	# 'subject' entries are unicode
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	99	certname = value.lower().encode('ascii')
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	100	except UnicodeEncodeError:
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	101	return _('IDN in certificate not supported')
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	102	if matchdnsname(certname):
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	103	return None
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	104	return _('certificate is for %s') % certname
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	105	return _('no commonName or subjectAltName found in certificate')
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	106
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	107
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	108	# CERT_REQUIRED means fetch the cert from the server all the time AND
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	109	# validate it against the CA store provided in web.cacerts.
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	110
23042 2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	111	def _plainapplepython():
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	112	"""return true if this seems to be a pure Apple Python that
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	113	* is unfrozen and presumably has the whole mercurial module in the file
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	114	system
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	115	* presumably is an Apple Python that uses Apple OpenSSL which has patches
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	116	for using system certificate store CAs in addition to the provided
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	117	cacerts file
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	118	"""
24614 241d98d84aed ssl: resolve symlink before checking for Apple python executable (issue4588) Yuya Nishihara <yuya@tcha.org> parents: 24291 diff changeset	119	if sys.platform != 'darwin' or util.mainfrozen() or not sys.executable:
23042 2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	120	return False
24614 241d98d84aed ssl: resolve symlink before checking for Apple python executable (issue4588) Yuya Nishihara <yuya@tcha.org> parents: 24291 diff changeset	121	exe = os.path.realpath(sys.executable).lower()
23042 2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	122	return (exe.startswith('/usr/bin/python') or
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	123	exe.startswith('/system/library/frameworks/python.framework/'))
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	124
24288 922e087ba158 ssl: extract function that returns dummycert path on Apple python Yuya Nishihara <yuya@tcha.org> parents: 23851 diff changeset	125	def _defaultcacerts():
24291 760a86865f80 ssl: load CA certificates from system's store by default on Python 2.7.9 Yuya Nishihara <yuya@tcha.org> parents: 24290 diff changeset	126	"""return path to CA certificates; None for system's store; ! to disable"""
24288 922e087ba158 ssl: extract function that returns dummycert path on Apple python Yuya Nishihara <yuya@tcha.org> parents: 23851 diff changeset	127	if _plainapplepython():
922e087ba158 ssl: extract function that returns dummycert path on Apple python Yuya Nishihara <yuya@tcha.org> parents: 23851 diff changeset	128	dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
922e087ba158 ssl: extract function that returns dummycert path on Apple python Yuya Nishihara <yuya@tcha.org> parents: 23851 diff changeset	129	if os.path.exists(dummycert):
922e087ba158 ssl: extract function that returns dummycert path on Apple python Yuya Nishihara <yuya@tcha.org> parents: 23851 diff changeset	130	return dummycert
24291 760a86865f80 ssl: load CA certificates from system's store by default on Python 2.7.9 Yuya Nishihara <yuya@tcha.org> parents: 24290 diff changeset	131	if _canloaddefaultcerts:
760a86865f80 ssl: load CA certificates from system's store by default on Python 2.7.9 Yuya Nishihara <yuya@tcha.org> parents: 24290 diff changeset	132	return None
24290 b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) Yuya Nishihara <yuya@tcha.org> parents: 24288 diff changeset	133	return '!'
24288 922e087ba158 ssl: extract function that returns dummycert path on Apple python Yuya Nishihara <yuya@tcha.org> parents: 23851 diff changeset	134
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	135	def sslkwargs(ui, host):
25415 21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648) Yuya Nishihara <yuya@tcha.org> parents: 24614 diff changeset	136	kws = {'ui': ui}
22574 a00a7951b20c ssl: refactor sslkwargs - move things around a bit, preparing for next change Mads Kiilerich <madski@unity3d.com> parents: 19808 diff changeset	137	hostfingerprint = ui.config('hostfingerprints', host)
a00a7951b20c ssl: refactor sslkwargs - move things around a bit, preparing for next change Mads Kiilerich <madski@unity3d.com> parents: 19808 diff changeset	138	if hostfingerprint:
a00a7951b20c ssl: refactor sslkwargs - move things around a bit, preparing for next change Mads Kiilerich <madski@unity3d.com> parents: 19808 diff changeset	139	return kws
a00a7951b20c ssl: refactor sslkwargs - move things around a bit, preparing for next change Mads Kiilerich <madski@unity3d.com> parents: 19808 diff changeset	140	cacerts = ui.config('web', 'cacerts')
24290 b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) Yuya Nishihara <yuya@tcha.org> parents: 24288 diff changeset	141	if cacerts == '!':
b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) Yuya Nishihara <yuya@tcha.org> parents: 24288 diff changeset	142	pass
b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) Yuya Nishihara <yuya@tcha.org> parents: 24288 diff changeset	143	elif cacerts:
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	144	cacerts = util.expandpath(cacerts)
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	145	if not os.path.exists(cacerts):
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	146	raise util.Abort(_('could not find web.cacerts: %s') % cacerts)
24290 b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) Yuya Nishihara <yuya@tcha.org> parents: 24288 diff changeset	147	else:
b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) Yuya Nishihara <yuya@tcha.org> parents: 24288 diff changeset	148	cacerts = _defaultcacerts()
b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) Yuya Nishihara <yuya@tcha.org> parents: 24288 diff changeset	149	if cacerts and cacerts != '!':
b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) Yuya Nishihara <yuya@tcha.org> parents: 24288 diff changeset	150	ui.debug('using %s to enable OS X system CA\n' % cacerts)
b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) Yuya Nishihara <yuya@tcha.org> parents: 24288 diff changeset	151	ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')
b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) Yuya Nishihara <yuya@tcha.org> parents: 24288 diff changeset	152	if cacerts != '!':
19806 47ff9d1abfa9 sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038) Augie Fackler <raf@durin42.com> parents: 19749 diff changeset	153	kws.update({'ca_certs': cacerts,
47ff9d1abfa9 sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038) Augie Fackler <raf@durin42.com> parents: 19749 diff changeset	154	'cert_reqs': CERT_REQUIRED,
47ff9d1abfa9 sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038) Augie Fackler <raf@durin42.com> parents: 19749 diff changeset	155	})
47ff9d1abfa9 sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038) Augie Fackler <raf@durin42.com> parents: 19749 diff changeset	156	return kws
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	157
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	158	class validator(object):
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	159	def __init__(self, ui, host):
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	160	self.ui = ui
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	161	self.host = host
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	162
18887 2d7fac049d3a sslutil: abort if peer certificate is not verified for secure use FUJIWARA Katsunori <foozy@lares.dti.ne.jp> parents: 18879 diff changeset	163	def __call__(self, sock, strict=False):
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	164	host = self.host
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	165	cacerts = self.ui.config('web', 'cacerts')
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	166	hostfingerprint = self.ui.config('hostfingerprints', host)
18879 93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	167
15816 4bb59919c905 sslutil: work around validator crash getting certificate on failed sockets Mads Kiilerich <mads@kiilerich.com> parents: 15815 diff changeset	168	if not sock.cipher(): # work around http://bugs.python.org/issue13721
4bb59919c905 sslutil: work around validator crash getting certificate on failed sockets Mads Kiilerich <mads@kiilerich.com> parents: 15815 diff changeset	169	raise util.Abort(_('%s ssl connection error') % host)
18879 93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	170	try:
93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	171	peercert = sock.getpeercert(True)
93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	172	peercert2 = sock.getpeercert()
93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	173	except AttributeError:
93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	174	raise util.Abort(_('%s ssl connection error') % host)
93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	175
15817 8f377751b510 sslutil: abort properly if no certificate received for https connection Mads Kiilerich <mads@kiilerich.com> parents: 15816 diff changeset	176	if not peercert:
8f377751b510 sslutil: abort properly if no certificate received for https connection Mads Kiilerich <mads@kiilerich.com> parents: 15816 diff changeset	177	raise util.Abort(_('%s certificate error: '
8f377751b510 sslutil: abort properly if no certificate received for https connection Mads Kiilerich <mads@kiilerich.com> parents: 15816 diff changeset	178	'no certificate received') % host)
15814 c3e958b50a22 sslutil: show fingerprint when cacerts validation fails Mads Kiilerich <mads@kiilerich.com> parents: 15813 diff changeset	179	peerfingerprint = util.sha1(peercert).hexdigest()
c3e958b50a22 sslutil: show fingerprint when cacerts validation fails Mads Kiilerich <mads@kiilerich.com> parents: 15813 diff changeset	180	nicefingerprint = ":".join([peerfingerprint[x:x + 2]
c3e958b50a22 sslutil: show fingerprint when cacerts validation fails Mads Kiilerich <mads@kiilerich.com> parents: 15813 diff changeset	181	for x in xrange(0, len(peerfingerprint), 2)])
15815 edc3a901a63d sslutil: reorder validator code to make it more readable Mads Kiilerich <mads@kiilerich.com> parents: 15814 diff changeset	182	if hostfingerprint:
edc3a901a63d sslutil: reorder validator code to make it more readable Mads Kiilerich <mads@kiilerich.com> parents: 15814 diff changeset	183	if peerfingerprint.lower() != \
edc3a901a63d sslutil: reorder validator code to make it more readable Mads Kiilerich <mads@kiilerich.com> parents: 15814 diff changeset	184	hostfingerprint.replace(':', '').lower():
15997 a45516cb8d9f sslutil: more helpful fingerprint mismatch message Matt Mackall <mpm@selenic.com> parents: 15817 diff changeset	185	raise util.Abort(_('certificate for %s has unexpected '
a45516cb8d9f sslutil: more helpful fingerprint mismatch message Matt Mackall <mpm@selenic.com> parents: 15817 diff changeset	186	'fingerprint %s') % (host, nicefingerprint),
a45516cb8d9f sslutil: more helpful fingerprint mismatch message Matt Mackall <mpm@selenic.com> parents: 15817 diff changeset	187	hint=_('check hostfingerprint configuration'))
15815 edc3a901a63d sslutil: reorder validator code to make it more readable Mads Kiilerich <mads@kiilerich.com> parents: 15814 diff changeset	188	self.ui.debug('%s certificate matched fingerprint %s\n' %
edc3a901a63d sslutil: reorder validator code to make it more readable Mads Kiilerich <mads@kiilerich.com> parents: 15814 diff changeset	189	(host, nicefingerprint))
24290 b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) Yuya Nishihara <yuya@tcha.org> parents: 24288 diff changeset	190	elif cacerts != '!':
18879 93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	191	msg = _verifycert(peercert2, host)
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	192	if msg:
15814 c3e958b50a22 sslutil: show fingerprint when cacerts validation fails Mads Kiilerich <mads@kiilerich.com> parents: 15813 diff changeset	193	raise util.Abort(_('%s certificate error: %s') % (host, msg),
c3e958b50a22 sslutil: show fingerprint when cacerts validation fails Mads Kiilerich <mads@kiilerich.com> parents: 15813 diff changeset	194	hint=_('configure hostfingerprint %s or use '
c3e958b50a22 sslutil: show fingerprint when cacerts validation fails Mads Kiilerich <mads@kiilerich.com> parents: 15813 diff changeset	195	'--insecure to connect insecurely') %
c3e958b50a22 sslutil: show fingerprint when cacerts validation fails Mads Kiilerich <mads@kiilerich.com> parents: 15813 diff changeset	196	nicefingerprint)
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	197	self.ui.debug('%s certificate successfully verified\n' % host)
18887 2d7fac049d3a sslutil: abort if peer certificate is not verified for secure use FUJIWARA Katsunori <foozy@lares.dti.ne.jp> parents: 18879 diff changeset	198	elif strict:
2d7fac049d3a sslutil: abort if peer certificate is not verified for secure use FUJIWARA Katsunori <foozy@lares.dti.ne.jp> parents: 18879 diff changeset	199	raise util.Abort(_('%s certificate with fingerprint %s not '
2d7fac049d3a sslutil: abort if peer certificate is not verified for secure use FUJIWARA Katsunori <foozy@lares.dti.ne.jp> parents: 18879 diff changeset	200	'verified') % (host, nicefingerprint),
2d7fac049d3a sslutil: abort if peer certificate is not verified for secure use FUJIWARA Katsunori <foozy@lares.dti.ne.jp> parents: 18879 diff changeset	201	hint=_('check hostfingerprints or web.cacerts '
2d7fac049d3a sslutil: abort if peer certificate is not verified for secure use FUJIWARA Katsunori <foozy@lares.dti.ne.jp> parents: 18879 diff changeset	202	'config setting'))
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	203	else:
15815 edc3a901a63d sslutil: reorder validator code to make it more readable Mads Kiilerich <mads@kiilerich.com> parents: 15814 diff changeset	204	self.ui.warn(_('warning: %s certificate with fingerprint %s not '
edc3a901a63d sslutil: reorder validator code to make it more readable Mads Kiilerich <mads@kiilerich.com> parents: 15814 diff changeset	205	'verified (check hostfingerprints or web.cacerts '
edc3a901a63d sslutil: reorder validator code to make it more readable Mads Kiilerich <mads@kiilerich.com> parents: 15814 diff changeset	206	'config setting)\n') %
edc3a901a63d sslutil: reorder validator code to make it more readable Mads Kiilerich <mads@kiilerich.com> parents: 15814 diff changeset	207	(host, nicefingerprint))

author	Yuya Nishihara <yuya@tcha.org>
	Fri, 05 Jun 2015 21:37:46 +0900
changeset 25430	19fa0cb71cd3
parent 25429	9d1c61715939
child 25431	96159068c506
permissions	-rw-r--r--