Mercurial: mercurial/sslutil.py annotate

annotate mercurial/sslutil.py @ 41410:0d226b2139df

sslutil: use raw strings for exception reason compare Otherwise we attempt to compare a bytes to a str on Python 3 and it always fails. Differential Revision: https://phab.mercurial-scm.org/D5721

author	Gregory Szorc <gregory.szorc@gmail.com>
date	Sat, 26 Jan 2019 13:58:58 -0800
parents	67dc32d4e790
children	f07aff7e8b5a

rev	line source
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	1 # sslutil.py - SSL handling for mercurial
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	2 #
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	3 # Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com>
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	4 # Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	5 # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	6 #
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	7 # This software may be used and distributed according to the terms of the
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	8 # GNU General Public License version 2 or any later version.
25977 696f6e2be282 sslutil: use absolute_import Gregory Szorc <gregory.szorc@gmail.com> parents: 25432 diff changeset	9
696f6e2be282 sslutil: use absolute_import Gregory Szorc <gregory.szorc@gmail.com> parents: 25432 diff changeset	10 from __future__ import absolute_import
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	11
29341 0d83ad967bf8 cleanup: replace uses of util.(md5\|sha1\|sha256\|sha512) with hashlib.\1 Augie Fackler <raf@durin42.com> parents: 29334 diff changeset	12 import hashlib
25977 696f6e2be282 sslutil: use absolute_import Gregory Szorc <gregory.szorc@gmail.com> parents: 25432 diff changeset	13 import os
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	14 import re
25977 696f6e2be282 sslutil: use absolute_import Gregory Szorc <gregory.szorc@gmail.com> parents: 25432 diff changeset	15 import ssl
696f6e2be282 sslutil: use absolute_import Gregory Szorc <gregory.szorc@gmail.com> parents: 25432 diff changeset	16
696f6e2be282 sslutil: use absolute_import Gregory Szorc <gregory.szorc@gmail.com> parents: 25432 diff changeset	17 from .i18n import _
28577 7efff6ce9826 sslutil: use preferred formatting for import syntax Gregory Szorc <gregory.szorc@gmail.com> parents: 28525 diff changeset	18 from . import (
7efff6ce9826 sslutil: use preferred formatting for import syntax Gregory Szorc <gregory.szorc@gmail.com> parents: 28525 diff changeset	19 error,
35582 72b91f905065 py3: use node.hex(h.digest()) instead of h.hexdigest() Pulkit Goyal <7895pulkit@gmail.com> parents: 35369 diff changeset	20 node,
30639 d524c88511a7 py3: replace os.name with pycompat.osname (part 1 of 2) Pulkit Goyal <7895pulkit@gmail.com> parents: 30332 diff changeset	21 pycompat,
28577 7efff6ce9826 sslutil: use preferred formatting for import syntax Gregory Szorc <gregory.szorc@gmail.com> parents: 28525 diff changeset	22 util,
7efff6ce9826 sslutil: use preferred formatting for import syntax Gregory Szorc <gregory.szorc@gmail.com> parents: 28525 diff changeset	23 )
37084 f0b6fbea00cf stringutil: bulk-replace call sites to point to new module Yuya Nishihara <yuya@tcha.org> parents: 36747 diff changeset	24 from .utils import (
37120 a8a902d7176e procutil: bulk-replace function calls to point to new module Yuya Nishihara <yuya@tcha.org> parents: 37084 diff changeset	25 procutil,
37084 f0b6fbea00cf stringutil: bulk-replace call sites to point to new module Yuya Nishihara <yuya@tcha.org> parents: 36747 diff changeset	26 stringutil,
f0b6fbea00cf stringutil: bulk-replace call sites to point to new module Yuya Nishihara <yuya@tcha.org> parents: 36747 diff changeset	27 )
24291 760a86865f80 ssl: load CA certificates from system's store by default on Python 2.7.9 Yuya Nishihara <yuya@tcha.org> parents: 24290 diff changeset	28
28647 834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	29 # Python 2.7.9+ overhauled the built-in SSL/TLS features of Python. It added
834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	30 # support for TLS 1.1, TLS 1.2, SNI, system CA stores, etc. These features are
834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	31 # all exposed via the "ssl" module.
834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	32 #
834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	33 # Depending on the version of Python being used, SSL/TLS support is either
834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	34 # modern/secure or legacy/insecure. Many operations in this module have
834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	35 # separate code paths depending on support in Python.
834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	36
32291 bd872f64a8ba cleanup: use set literals Martin von Zweigbergk <martinvonz@google.com> parents: 32273 diff changeset	37 configprotocols = {
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	38 'tls1.0',
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	39 'tls1.1',
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	40 'tls1.2',
32291 bd872f64a8ba cleanup: use set literals Martin von Zweigbergk <martinvonz@google.com> parents: 32273 diff changeset	41 }
26622 9e15286609ae sslutil: expose attribute indicating whether SNI is supported Gregory Szorc <gregory.szorc@gmail.com> parents: 26587 diff changeset	42
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	43 hassni = getattr(ssl, 'HAS_SNI', False)
28648 7fc787e5d8ec sslutil: store OP_NO_SSL* constants in module scope Gregory Szorc <gregory.szorc@gmail.com> parents: 28647 diff changeset	44
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29578 diff changeset	45 # TLS 1.1 and 1.2 may not be supported if the OpenSSL Python is compiled
6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29578 diff changeset	46 # against doesn't support them.
32291 bd872f64a8ba cleanup: use set literals Martin von Zweigbergk <martinvonz@google.com> parents: 32273 diff changeset	47 supportedprotocols = {'tls1.0'}
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29578 diff changeset	48 if util.safehasattr(ssl, 'PROTOCOL_TLSv1_1'):
6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29578 diff changeset	49 supportedprotocols.add('tls1.1')
6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29578 diff changeset	50 if util.safehasattr(ssl, 'PROTOCOL_TLSv1_2'):
6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29578 diff changeset	51 supportedprotocols.add('tls1.2')
6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29578 diff changeset	52
28649 7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	53 try:
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	54 # ssl.SSLContext was added in 2.7.9 and presence indicates modern
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	55 # SSL/TLS features are available.
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	56 SSLContext = ssl.SSLContext
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	57 modernssl = True
28650 737863b01d9f sslutil: move _canloaddefaultcerts logic Gregory Szorc <gregory.szorc@gmail.com> parents: 28649 diff changeset	58 _canloaddefaultcerts = util.safehasattr(SSLContext, 'load_default_certs')
28649 7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	59 except AttributeError:
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	60 modernssl = False
28650 737863b01d9f sslutil: move _canloaddefaultcerts logic Gregory Szorc <gregory.szorc@gmail.com> parents: 28649 diff changeset	61 _canloaddefaultcerts = False
28649 7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	62
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	63 # We implement SSLContext using the interface from the standard library.
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	64 class SSLContext(object):
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	65 def __init__(self, protocol):
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	66 # From the public interface of SSLContext
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	67 self.protocol = protocol
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	68 self.check_hostname = False
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	69 self.options = 0
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	70 self.verify_mode = ssl.CERT_NONE
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	71
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	72 # Used by our implementation.
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	73 self._certfile = None
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	74 self._keyfile = None
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	75 self._certpassword = None
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	76 self._cacerts = None
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	77 self._ciphers = None
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	78
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	79 def load_cert_chain(self, certfile, keyfile=None, password=None):
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	80 self._certfile = certfile
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	81 self._keyfile = keyfile
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	82 self._certpassword = password
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	83
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	84 def load_default_certs(self, purpose=None):
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	85 pass
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	86
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	87 def load_verify_locations(self, cafile=None, capath=None, cadata=None):
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	88 if capath:
29389 98e8313dcd9e i18n: translate abort messages liscju <piotr.listkiewicz@gmail.com> parents: 29341 diff changeset	89 raise error.Abort(_('capath not supported'))
28649 7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	90 if cadata:
29389 98e8313dcd9e i18n: translate abort messages liscju <piotr.listkiewicz@gmail.com> parents: 29341 diff changeset	91 raise error.Abort(_('cadata not supported'))
28649 7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	92
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	93 self._cacerts = cafile
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	94
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	95 def set_ciphers(self, ciphers):
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	96 self._ciphers = ciphers
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	97
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	98 def wrap_socket(self, socket, server_hostname=None, server_side=False):
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	99 # server_hostname is unique to SSLContext.wrap_socket and is used
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	100 # for SNI in that context. So there's nothing for us to do with it
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	101 # in this legacy code since we don't support SNI.
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	102
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	103 args = {
35369 c8ecd96cc357 py3: handle keyword arguments correctly in sslutil.py Pulkit Goyal <7895pulkit@gmail.com> parents: 34775 diff changeset	104 r'keyfile': self._keyfile,
c8ecd96cc357 py3: handle keyword arguments correctly in sslutil.py Pulkit Goyal <7895pulkit@gmail.com> parents: 34775 diff changeset	105 r'certfile': self._certfile,
c8ecd96cc357 py3: handle keyword arguments correctly in sslutil.py Pulkit Goyal <7895pulkit@gmail.com> parents: 34775 diff changeset	106 r'server_side': server_side,
c8ecd96cc357 py3: handle keyword arguments correctly in sslutil.py Pulkit Goyal <7895pulkit@gmail.com> parents: 34775 diff changeset	107 r'cert_reqs': self.verify_mode,
c8ecd96cc357 py3: handle keyword arguments correctly in sslutil.py Pulkit Goyal <7895pulkit@gmail.com> parents: 34775 diff changeset	108 r'ssl_version': self.protocol,
c8ecd96cc357 py3: handle keyword arguments correctly in sslutil.py Pulkit Goyal <7895pulkit@gmail.com> parents: 34775 diff changeset	109 r'ca_certs': self._cacerts,
c8ecd96cc357 py3: handle keyword arguments correctly in sslutil.py Pulkit Goyal <7895pulkit@gmail.com> parents: 34775 diff changeset	110 r'ciphers': self._ciphers,
28649 7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	111 }
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	112
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	113 return ssl.wrap_socket(socket, **args)
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	114
29258 6315c1e14f75 sslutil: introduce a function for determining host-specific settings Gregory Szorc <gregory.szorc@gmail.com> parents: 29253 diff changeset	115 def _hostsettings(ui, hostname):
6315c1e14f75 sslutil: introduce a function for determining host-specific settings Gregory Szorc <gregory.szorc@gmail.com> parents: 29253 diff changeset	116 """Obtain security settings for a hostname.
6315c1e14f75 sslutil: introduce a function for determining host-specific settings Gregory Szorc <gregory.szorc@gmail.com> parents: 29253 diff changeset	117
6315c1e14f75 sslutil: introduce a function for determining host-specific settings Gregory Szorc <gregory.szorc@gmail.com> parents: 29253 diff changeset	118 Returns a dict of settings relevant to that hostname.
6315c1e14f75 sslutil: introduce a function for determining host-specific settings Gregory Szorc <gregory.szorc@gmail.com> parents: 29253 diff changeset	119 """
36745 424994a0adfd sslutil: lots of unicode/bytes cleanup Augie Fackler <augie@google.com> parents: 35582 diff changeset	120 bhostname = pycompat.bytesurl(hostname)
29258 6315c1e14f75 sslutil: introduce a function for determining host-specific settings Gregory Szorc <gregory.szorc@gmail.com> parents: 29253 diff changeset	121 s = {
29288 7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29287 diff changeset	122 # Whether we should attempt to load default/available CA certs
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29287 diff changeset	123 # if an explicit ``cafile`` is not defined.
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29287 diff changeset	124 'allowloaddefaultcerts': True,
29258 6315c1e14f75 sslutil: introduce a function for determining host-specific settings Gregory Szorc <gregory.szorc@gmail.com> parents: 29253 diff changeset	125 # List of 2-tuple of (hash algorithm, hash).
6315c1e14f75 sslutil: introduce a function for determining host-specific settings Gregory Szorc <gregory.szorc@gmail.com> parents: 29253 diff changeset	126 'certfingerprints': [],
29260 70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	127 # Path to file containing concatenated CA certs. Used by
70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	128 # SSLContext.load_verify_locations().
70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	129 'cafile': None,
29287 fbccb334efe7 sslutil: store flag for whether cert verification is disabled Gregory Szorc <gregory.szorc@gmail.com> parents: 29286 diff changeset	130 # Whether certificate verification should be disabled.
fbccb334efe7 sslutil: store flag for whether cert verification is disabled Gregory Szorc <gregory.szorc@gmail.com> parents: 29286 diff changeset	131 'disablecertverification': False,
29268 f200b58497f1 sslutil: reference appropriate config section in messaging Gregory Szorc <gregory.szorc@gmail.com> parents: 29267 diff changeset	132 # Whether the legacy [hostfingerprints] section has data for this host.
f200b58497f1 sslutil: reference appropriate config section in messaging Gregory Szorc <gregory.szorc@gmail.com> parents: 29267 diff changeset	133 'legacyfingerprint': False,
29507 97dcdcf75f4f sslutil: move protocol determination to _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29501 diff changeset	134 # PROTOCOL_* constant to use for SSLContext.__init__.
97dcdcf75f4f sslutil: move protocol determination to _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29501 diff changeset	135 'protocol': None,
29618 fbf4adc0d8f2 sslutil: capture string string representation of protocol Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	136 # String representation of minimum protocol to be used for UI
fbf4adc0d8f2 sslutil: capture string string representation of protocol Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	137 # presentation.
fbf4adc0d8f2 sslutil: capture string string representation of protocol Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	138 'protocolui': None,
29259 ec247e8595f9 sslutil: move SSLContext.verify_mode value into _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29258 diff changeset	139 # ssl.CERT_* constant used by SSLContext.verify_mode.
ec247e8595f9 sslutil: move SSLContext.verify_mode value into _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29258 diff changeset	140 'verifymode': None,
29508 d65ec41b6384 sslutil: move context options flags to _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29507 diff changeset	141 # Defines extra ssl.OP* bitwise options to set.
d65ec41b6384 sslutil: move context options flags to _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29507 diff changeset	142 'ctxoptions': None,
29577 9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	143 # OpenSSL Cipher List to use (instead of default).
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	144 'ciphers': None,
29258 6315c1e14f75 sslutil: introduce a function for determining host-specific settings Gregory Szorc <gregory.szorc@gmail.com> parents: 29253 diff changeset	145 }
6315c1e14f75 sslutil: introduce a function for determining host-specific settings Gregory Szorc <gregory.szorc@gmail.com> parents: 29253 diff changeset	146
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	147 # Allow minimum TLS protocol to be specified in the config.
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	148 def validateprotocol(protocol, key):
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	149 if protocol not in configprotocols:
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	150 raise error.Abort(
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	151 _('unsupported protocol from hostsecurity.%s: %s') %
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	152 (key, protocol),
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	153 hint=_('valid protocols: %s') %
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	154 ' '.join(sorted(configprotocols)))
29507 97dcdcf75f4f sslutil: move protocol determination to _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29501 diff changeset	155
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29578 diff changeset	156 # We default to TLS 1.1+ where we can because TLS 1.0 has known
6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29578 diff changeset	157 # vulnerabilities (like BEAST and POODLE). We allow users to downgrade to
6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29578 diff changeset	158 # TLS 1.0+ via config options in case a legacy server is encountered.
6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29578 diff changeset	159 if 'tls1.1' in supportedprotocols:
29560 303e9300772a sslutil: require TLS 1.1+ when supported Gregory Szorc <gregory.szorc@gmail.com> parents: 29559 diff changeset	160 defaultprotocol = 'tls1.1'
303e9300772a sslutil: require TLS 1.1+ when supported Gregory Szorc <gregory.szorc@gmail.com> parents: 29559 diff changeset	161 else:
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29578 diff changeset	162 # Let people know they are borderline secure.
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	163 # We don't document this config option because we want people to see
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	164 # the bold warnings on the web site.
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	165 # internal config: hostsecurity.disabletls10warning
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	166 if not ui.configbool('hostsecurity', 'disabletls10warning'):
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	167 ui.warn(_('warning: connecting to %s using legacy security '
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	168 'technology (TLS 1.0); see '
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	169 'https://mercurial-scm.org/wiki/SecureConnections for '
36745 424994a0adfd sslutil: lots of unicode/bytes cleanup Augie Fackler <augie@google.com> parents: 35582 diff changeset	170 'more info\n') % bhostname)
29560 303e9300772a sslutil: require TLS 1.1+ when supported Gregory Szorc <gregory.szorc@gmail.com> parents: 29559 diff changeset	171 defaultprotocol = 'tls1.0'
303e9300772a sslutil: require TLS 1.1+ when supported Gregory Szorc <gregory.szorc@gmail.com> parents: 29559 diff changeset	172
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	173 key = 'minimumprotocol'
29560 303e9300772a sslutil: require TLS 1.1+ when supported Gregory Szorc <gregory.szorc@gmail.com> parents: 29559 diff changeset	174 protocol = ui.config('hostsecurity', key, defaultprotocol)
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	175 validateprotocol(protocol, key)
29508 d65ec41b6384 sslutil: move context options flags to _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29507 diff changeset	176
36745 424994a0adfd sslutil: lots of unicode/bytes cleanup Augie Fackler <augie@google.com> parents: 35582 diff changeset	177 key = '%s:minimumprotocol' % bhostname
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	178 protocol = ui.config('hostsecurity', key, protocol)
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	179 validateprotocol(protocol, key)
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	180
29617 2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used Gregory Szorc <gregory.szorc@gmail.com> parents: 29601 diff changeset	181 # If --insecure is used, we allow the use of TLS 1.0 despite config options.
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used Gregory Szorc <gregory.szorc@gmail.com> parents: 29601 diff changeset	182 # We always print a "connection security to %s is disabled..." message when
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used Gregory Szorc <gregory.szorc@gmail.com> parents: 29601 diff changeset	183 # --insecure is used. So no need to print anything more here.
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used Gregory Szorc <gregory.szorc@gmail.com> parents: 29601 diff changeset	184 if ui.insecureconnections:
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used Gregory Szorc <gregory.szorc@gmail.com> parents: 29601 diff changeset	185 protocol = 'tls1.0'
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used Gregory Szorc <gregory.szorc@gmail.com> parents: 29601 diff changeset	186
29618 fbf4adc0d8f2 sslutil: capture string string representation of protocol Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	187 s['protocol'], s['ctxoptions'], s['protocolui'] = protocolsettings(protocol)
29558 a935cd7d51a6 sslutil: prevent CRIME Gregory Szorc <gregory.szorc@gmail.com> parents: 29557 diff changeset	188
29577 9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	189 ciphers = ui.config('hostsecurity', 'ciphers')
36745 424994a0adfd sslutil: lots of unicode/bytes cleanup Augie Fackler <augie@google.com> parents: 35582 diff changeset	190 ciphers = ui.config('hostsecurity', '%s:ciphers' % bhostname, ciphers)
29577 9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	191 s['ciphers'] = ciphers
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	192
29267 f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29262 diff changeset	193 # Look for fingerprints in [hostsecurity] section. Value is a list
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29262 diff changeset	194 # of <alg>:<fingerprint> strings.
36745 424994a0adfd sslutil: lots of unicode/bytes cleanup Augie Fackler <augie@google.com> parents: 35582 diff changeset	195 fingerprints = ui.configlist('hostsecurity', '%s:fingerprints' % bhostname)
29267 f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29262 diff changeset	196 for fingerprint in fingerprints:
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29262 diff changeset	197 if not (fingerprint.startswith(('sha1:', 'sha256:', 'sha512:'))):
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29262 diff changeset	198 raise error.Abort(_('invalid fingerprint for %s: %s') % (
36745 424994a0adfd sslutil: lots of unicode/bytes cleanup Augie Fackler <augie@google.com> parents: 35582 diff changeset	199 bhostname, fingerprint),
29267 f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29262 diff changeset	200 hint=_('must begin with "sha1:", "sha256:", '
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29262 diff changeset	201 'or "sha512:"'))
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29262 diff changeset	202
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29262 diff changeset	203 alg, fingerprint = fingerprint.split(':', 1)
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29262 diff changeset	204 fingerprint = fingerprint.replace(':', '').lower()
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29262 diff changeset	205 s['certfingerprints'].append((alg, fingerprint))
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29262 diff changeset	206
29258 6315c1e14f75 sslutil: introduce a function for determining host-specific settings Gregory Szorc <gregory.szorc@gmail.com> parents: 29253 diff changeset	207 # Fingerprints from [hostfingerprints] are always SHA-1.
36745 424994a0adfd sslutil: lots of unicode/bytes cleanup Augie Fackler <augie@google.com> parents: 35582 diff changeset	208 for fingerprint in ui.configlist('hostfingerprints', bhostname):
29258 6315c1e14f75 sslutil: introduce a function for determining host-specific settings Gregory Szorc <gregory.szorc@gmail.com> parents: 29253 diff changeset	209 fingerprint = fingerprint.replace(':', '').lower()
6315c1e14f75 sslutil: introduce a function for determining host-specific settings Gregory Szorc <gregory.szorc@gmail.com> parents: 29253 diff changeset	210 s['certfingerprints'].append(('sha1', fingerprint))
29268 f200b58497f1 sslutil: reference appropriate config section in messaging Gregory Szorc <gregory.szorc@gmail.com> parents: 29267 diff changeset	211 s['legacyfingerprint'] = True
29258 6315c1e14f75 sslutil: introduce a function for determining host-specific settings Gregory Szorc <gregory.szorc@gmail.com> parents: 29253 diff changeset	212
29259 ec247e8595f9 sslutil: move SSLContext.verify_mode value into _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29258 diff changeset	213 # If a host cert fingerprint is defined, it is the only thing that
ec247e8595f9 sslutil: move SSLContext.verify_mode value into _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29258 diff changeset	214 # matters. No need to validate CA certs.
ec247e8595f9 sslutil: move SSLContext.verify_mode value into _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29258 diff changeset	215 if s['certfingerprints']:
ec247e8595f9 sslutil: move SSLContext.verify_mode value into _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29258 diff changeset	216 s['verifymode'] = ssl.CERT_NONE
29447 13edc11eb7b7 sslutil: don't load default certificates when they aren't relevant Gregory Szorc <gregory.szorc@gmail.com> parents: 29446 diff changeset	217 s['allowloaddefaultcerts'] = False
29259 ec247e8595f9 sslutil: move SSLContext.verify_mode value into _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29258 diff changeset	218
ec247e8595f9 sslutil: move SSLContext.verify_mode value into _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29258 diff changeset	219 # If --insecure is used, don't take CAs into consideration.
ec247e8595f9 sslutil: move SSLContext.verify_mode value into _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29258 diff changeset	220 elif ui.insecureconnections:
29287 fbccb334efe7 sslutil: store flag for whether cert verification is disabled Gregory Szorc <gregory.szorc@gmail.com> parents: 29286 diff changeset	221 s['disablecertverification'] = True
29259 ec247e8595f9 sslutil: move SSLContext.verify_mode value into _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29258 diff changeset	222 s['verifymode'] = ssl.CERT_NONE
29447 13edc11eb7b7 sslutil: don't load default certificates when they aren't relevant Gregory Szorc <gregory.szorc@gmail.com> parents: 29446 diff changeset	223 s['allowloaddefaultcerts'] = False
29259 ec247e8595f9 sslutil: move SSLContext.verify_mode value into _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29258 diff changeset	224
29288 7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29287 diff changeset	225 if ui.configbool('devel', 'disableloaddefaultcerts'):
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29287 diff changeset	226 s['allowloaddefaultcerts'] = False
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29287 diff changeset	227
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29293 diff changeset	228 # If both fingerprints and a per-host ca file are specified, issue a warning
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29293 diff changeset	229 # because users should not be surprised about what security is or isn't
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29293 diff changeset	230 # being performed.
36745 424994a0adfd sslutil: lots of unicode/bytes cleanup Augie Fackler <augie@google.com> parents: 35582 diff changeset	231 cafile = ui.config('hostsecurity', '%s:verifycertsfile' % bhostname)
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29293 diff changeset	232 if s['certfingerprints'] and cafile:
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29293 diff changeset	233 ui.warn(_('(hostsecurity.%s:verifycertsfile ignored when host '
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29293 diff changeset	234 'fingerprints defined; using host fingerprints for '
36745 424994a0adfd sslutil: lots of unicode/bytes cleanup Augie Fackler <augie@google.com> parents: 35582 diff changeset	235 'verification)\n') % bhostname)
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29293 diff changeset	236
29260 70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	237 # Try to hook up CA certificate validation unless something above
70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	238 # makes it not necessary.
70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	239 if s['verifymode'] is None:
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29293 diff changeset	240 # Look at per-host ca file first.
29260 70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	241 if cafile:
70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	242 cafile = util.expandpath(cafile)
70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	243 if not os.path.exists(cafile):
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29293 diff changeset	244 raise error.Abort(_('path specified by %s does not exist: %s') %
36745 424994a0adfd sslutil: lots of unicode/bytes cleanup Augie Fackler <augie@google.com> parents: 35582 diff changeset	245 ('hostsecurity.%s:verifycertsfile' % (
424994a0adfd sslutil: lots of unicode/bytes cleanup Augie Fackler <augie@google.com> parents: 35582 diff changeset	246 bhostname,), cafile))
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29293 diff changeset	247 s['cafile'] = cafile
29260 70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	248 else:
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29293 diff changeset	249 # Find global certificates file in config.
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29293 diff changeset	250 cafile = ui.config('web', 'cacerts')
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29293 diff changeset	251
29260 70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	252 if cafile:
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29293 diff changeset	253 cafile = util.expandpath(cafile)
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29293 diff changeset	254 if not os.path.exists(cafile):
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29293 diff changeset	255 raise error.Abort(_('could not find web.cacerts: %s') %
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29293 diff changeset	256 cafile)
29484 53b7fc7cc2bb sslutil: don't attempt to find default CA certs file when told not to Gregory Szorc <gregory.szorc@gmail.com> parents: 29483 diff changeset	257 elif s['allowloaddefaultcerts']:
29482 4e72995f6c9c sslutil: change comment and logged message for found ca cert file Gregory Szorc <gregory.szorc@gmail.com> parents: 29459 diff changeset	258 # CAs not defined in config. Try to find system bundles.
29483 918dce4b8c26 sslutil: pass ui to _defaultcacerts Gregory Szorc <gregory.szorc@gmail.com> parents: 29482 diff changeset	259 cafile = _defaultcacerts(ui)
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29293 diff changeset	260 if cafile:
29482 4e72995f6c9c sslutil: change comment and logged message for found ca cert file Gregory Szorc <gregory.szorc@gmail.com> parents: 29459 diff changeset	261 ui.debug('using %s for CA file\n' % cafile)
29260 70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	262
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29293 diff changeset	263 s['cafile'] = cafile
29260 70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	264
70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	265 # Require certificate validation if CA certs are being loaded and
70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	266 # verification hasn't been disabled above.
29288 7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29287 diff changeset	267 if cafile or (_canloaddefaultcerts and s['allowloaddefaultcerts']):
29260 70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	268 s['verifymode'] = ssl.CERT_REQUIRED
70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	269 else:
70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	270 # At this point we don't have a fingerprint, aren't being
70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	271 # explicitly insecure, and can't load CA certs. Connecting
29411 e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29410 diff changeset	272 # is insecure. We allow the connection and abort during
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29410 diff changeset	273 # validation (once we have the fingerprint to print to the
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29410 diff changeset	274 # user).
29260 70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	275 s['verifymode'] = ssl.CERT_NONE
70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	276
29507 97dcdcf75f4f sslutil: move protocol determination to _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29501 diff changeset	277 assert s['protocol'] is not None
29508 d65ec41b6384 sslutil: move context options flags to _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29507 diff changeset	278 assert s['ctxoptions'] is not None
29260 70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	279 assert s['verifymode'] is not None
29259 ec247e8595f9 sslutil: move SSLContext.verify_mode value into _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29258 diff changeset	280
29258 6315c1e14f75 sslutil: introduce a function for determining host-specific settings Gregory Szorc <gregory.szorc@gmail.com> parents: 29253 diff changeset	281 return s
6315c1e14f75 sslutil: introduce a function for determining host-specific settings Gregory Szorc <gregory.szorc@gmail.com> parents: 29253 diff changeset	282
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	283 def protocolsettings(protocol):
29618 fbf4adc0d8f2 sslutil: capture string string representation of protocol Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	284 """Resolve the protocol for a config value.
fbf4adc0d8f2 sslutil: capture string string representation of protocol Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	285
fbf4adc0d8f2 sslutil: capture string string representation of protocol Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	286 Returns a 3-tuple of (protocol, options, ui value) where the first
fbf4adc0d8f2 sslutil: capture string string representation of protocol Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	287 2 items are values used by SSLContext and the last is a string value
fbf4adc0d8f2 sslutil: capture string string representation of protocol Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	288 of the ``minimumprotocol`` config option equivalent.
fbf4adc0d8f2 sslutil: capture string string representation of protocol Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	289 """
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	290 if protocol not in configprotocols:
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	291 raise ValueError('protocol value not supported: %s' % protocol)
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	292
29578 4a4b8d3b4e43 sslutil: move comment about protocol constants Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	293 # Despite its name, PROTOCOL_SSLv23 selects the highest protocol
4a4b8d3b4e43 sslutil: move comment about protocol constants Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	294 # that both ends support, including TLS protocols. On legacy stacks,
4a4b8d3b4e43 sslutil: move comment about protocol constants Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	295 # the highest it likely goes is TLS 1.0. On modern stacks, it can
4a4b8d3b4e43 sslutil: move comment about protocol constants Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	296 # support TLS 1.2.
4a4b8d3b4e43 sslutil: move comment about protocol constants Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	297 #
4a4b8d3b4e43 sslutil: move comment about protocol constants Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	298 # The PROTOCOL_TLSv* constants select a specific TLS version
4a4b8d3b4e43 sslutil: move comment about protocol constants Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	299 # only (as opposed to multiple versions). So the method for
4a4b8d3b4e43 sslutil: move comment about protocol constants Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	300 # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and
4a4b8d3b4e43 sslutil: move comment about protocol constants Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	301 # disable protocols via SSLContext.options and OP_NO_* constants.
4a4b8d3b4e43 sslutil: move comment about protocol constants Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	302 # However, SSLContext.options doesn't work unless we have the
4a4b8d3b4e43 sslutil: move comment about protocol constants Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	303 # full/real SSLContext available to us.
32291 bd872f64a8ba cleanup: use set literals Martin von Zweigbergk <martinvonz@google.com> parents: 32273 diff changeset	304 if supportedprotocols == {'tls1.0'}:
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	305 if protocol != 'tls1.0':
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	306 raise error.Abort(_('current Python does not support protocol '
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	307 'setting %s') % protocol,
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	308 hint=_('upgrade Python or disable setting since '
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	309 'only TLS 1.0 is supported'))
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	310
29618 fbf4adc0d8f2 sslutil: capture string string representation of protocol Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	311 return ssl.PROTOCOL_TLSv1, 0, 'tls1.0'
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	312
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	313 # WARNING: returned options don't work unless the modern ssl module
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	314 # is available. Be careful when adding options here.
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	315
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	316 # SSLv2 and SSLv3 are broken. We ban them outright.
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	317 options = ssl.OP_NO_SSLv2 \| ssl.OP_NO_SSLv3
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	318
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	319 if protocol == 'tls1.0':
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	320 # Defaults above are to use TLS 1.0+
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	321 pass
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	322 elif protocol == 'tls1.1':
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	323 options \|= ssl.OP_NO_TLSv1
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	324 elif protocol == 'tls1.2':
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	325 options \|= ssl.OP_NO_TLSv1 \| ssl.OP_NO_TLSv1_1
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	326 else:
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	327 raise error.Abort(_('this should not happen'))
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	328
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	329 # Prevent CRIME.
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	330 # There is no guarantee this attribute is defined on the module.
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	331 options \|= getattr(ssl, 'OP_NO_COMPRESSION', 0)
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	332
29618 fbf4adc0d8f2 sslutil: capture string string representation of protocol Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	333 return ssl.PROTOCOL_SSLv23, options, protocol
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	334
29249 cca59ef27e60 sslutil: move sslkwargs logic into internal function (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29248 diff changeset	335 def wrapsocket(sock, keyfile, certfile, ui, serverhostname=None):
28653 1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	336 """Add SSL/TLS to a socket.
1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	337
1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	338 This is a glorified wrapper for ``ssl.wrap_socket()``. It makes sane
1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	339 choices based on what security options are available.
1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	340
1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	341 In addition to the arguments supported by ``ssl.wrap_socket``, we allow
1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	342 the following additional arguments:
1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	343
1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	344 * serverhostname - The expected hostname of the remote server. If the
1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	345 server (and client) support SNI, this tells the server which certificate
1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	346 to use.
1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	347 """
29224 7424f4294199 sslutil: require serverhostname argument (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29115 diff changeset	348 if not serverhostname:
29389 98e8313dcd9e i18n: translate abort messages liscju <piotr.listkiewicz@gmail.com> parents: 29341 diff changeset	349 raise error.Abort(_('serverhostname argument is required'))
29224 7424f4294199 sslutil: require serverhostname argument (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29115 diff changeset	350
33381 3bdbbadddecc sslutil: check for missing certificate and key files (issue5598) Gregory Szorc <gregory.szorc@gmail.com> parents: 32291 diff changeset	351 for f in (keyfile, certfile):
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598) Gregory Szorc <gregory.szorc@gmail.com> parents: 32291 diff changeset	352 if f and not os.path.exists(f):
36747 4c71a26a4009 sslutil: some more forcebytes() on some exception messages Augie Fackler <augie@google.com> parents: 36746 diff changeset	353 raise error.Abort(
4c71a26a4009 sslutil: some more forcebytes() on some exception messages Augie Fackler <augie@google.com> parents: 36746 diff changeset	354 _('certificate file (%s) does not exist; cannot connect to %s')
4c71a26a4009 sslutil: some more forcebytes() on some exception messages Augie Fackler <augie@google.com> parents: 36746 diff changeset	355 % (f, pycompat.bytesurl(serverhostname)),
4c71a26a4009 sslutil: some more forcebytes() on some exception messages Augie Fackler <augie@google.com> parents: 36746 diff changeset	356 hint=_('restore missing file or fix references '
4c71a26a4009 sslutil: some more forcebytes() on some exception messages Augie Fackler <augie@google.com> parents: 36746 diff changeset	357 'in Mercurial config'))
33381 3bdbbadddecc sslutil: check for missing certificate and key files (issue5598) Gregory Szorc <gregory.szorc@gmail.com> parents: 32291 diff changeset	358
29259 ec247e8595f9 sslutil: move SSLContext.verify_mode value into _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29258 diff changeset	359 settings = _hostsettings(ui, serverhostname)
29249 cca59ef27e60 sslutil: move sslkwargs logic into internal function (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29248 diff changeset	360
29557 53de8255ec4e sslutil: update comment about create_default_context() Gregory Szorc <gregory.szorc@gmail.com> parents: 29554 diff changeset	361 # We can't use ssl.create_default_context() because it calls
53de8255ec4e sslutil: update comment about create_default_context() Gregory Szorc <gregory.szorc@gmail.com> parents: 29554 diff changeset	362 # load_default_certs() unless CA arguments are passed to it. We want to
53de8255ec4e sslutil: update comment about create_default_context() Gregory Szorc <gregory.szorc@gmail.com> parents: 29554 diff changeset	363 # have explicit control over CA loading because implicitly loading
53de8255ec4e sslutil: update comment about create_default_context() Gregory Szorc <gregory.szorc@gmail.com> parents: 29554 diff changeset	364 # CAs may undermine the user's intent. For example, a user may define a CA
53de8255ec4e sslutil: update comment about create_default_context() Gregory Szorc <gregory.szorc@gmail.com> parents: 29554 diff changeset	365 # bundle with a specific CA cert removed. If the system/default CA bundle
53de8255ec4e sslutil: update comment about create_default_context() Gregory Szorc <gregory.szorc@gmail.com> parents: 29554 diff changeset	366 # is loaded and contains that removed CA, you've just undone the user's
53de8255ec4e sslutil: update comment about create_default_context() Gregory Szorc <gregory.szorc@gmail.com> parents: 29554 diff changeset	367 # choice.
29507 97dcdcf75f4f sslutil: move protocol determination to _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29501 diff changeset	368 sslcontext = SSLContext(settings['protocol'])
97dcdcf75f4f sslutil: move protocol determination to _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29501 diff changeset	369
29508 d65ec41b6384 sslutil: move context options flags to _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29507 diff changeset	370 # This is a no-op unless using modern ssl.
d65ec41b6384 sslutil: move context options flags to _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29507 diff changeset	371 sslcontext.options \|= settings['ctxoptions']
28651 4827d07073e6 sslutil: always use SSLContext Gregory Szorc <gregory.szorc@gmail.com> parents: 28650 diff changeset	372
28848 e330db205b20 sslutil: move and document verify_mode assignment Gregory Szorc <gregory.szorc@gmail.com> parents: 28653 diff changeset	373 # This still works on our fake SSLContext.
29260 70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	374 sslcontext.verify_mode = settings['verifymode']
28848 e330db205b20 sslutil: move and document verify_mode assignment Gregory Szorc <gregory.szorc@gmail.com> parents: 28653 diff changeset	375
29577 9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	376 if settings['ciphers']:
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	377 try:
36746 25798cf7dc9d sslutil: sslcontext needs the cipher name as a sysstr Augie Fackler <augie@google.com> parents: 36745 diff changeset	378 sslcontext.set_ciphers(pycompat.sysstr(settings['ciphers']))
29577 9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	379 except ssl.SSLError as e:
36747 4c71a26a4009 sslutil: some more forcebytes() on some exception messages Augie Fackler <augie@google.com> parents: 36746 diff changeset	380 raise error.Abort(
37084 f0b6fbea00cf stringutil: bulk-replace call sites to point to new module Yuya Nishihara <yuya@tcha.org> parents: 36747 diff changeset	381 _('could not set ciphers: %s')
f0b6fbea00cf stringutil: bulk-replace call sites to point to new module Yuya Nishihara <yuya@tcha.org> parents: 36747 diff changeset	382 % stringutil.forcebytestr(e.args[0]),
36747 4c71a26a4009 sslutil: some more forcebytes() on some exception messages Augie Fackler <augie@google.com> parents: 36746 diff changeset	383 hint=_('change cipher string (%s) in config') %
4c71a26a4009 sslutil: some more forcebytes() on some exception messages Augie Fackler <augie@google.com> parents: 36746 diff changeset	384 settings['ciphers'])
29577 9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	385
28652 c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	386 if certfile is not None:
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	387 def password():
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	388 f = keyfile or certfile
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	389 return ui.getpass(_('passphrase for %s: ') % f, '')
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	390 sslcontext.load_cert_chain(certfile, keyfile, password)
28848 e330db205b20 sslutil: move and document verify_mode assignment Gregory Szorc <gregory.szorc@gmail.com> parents: 28653 diff changeset	391
29260 70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	392 if settings['cafile'] is not None:
29446 2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29411 diff changeset	393 try:
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29411 diff changeset	394 sslcontext.load_verify_locations(cafile=settings['cafile'])
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29411 diff changeset	395 except ssl.SSLError as e:
29927 799e36749f1a ssl: handle a difference in SSLError with pypy (issue5348) Pierre-Yves David <pierre-yves.david@ens-lyon.org> parents: 29631 diff changeset	396 if len(e.args) == 1: # pypy has different SSLError args
799e36749f1a ssl: handle a difference in SSLError with pypy (issue5348) Pierre-Yves David <pierre-yves.david@ens-lyon.org> parents: 29631 diff changeset	397 msg = e.args[0]
799e36749f1a ssl: handle a difference in SSLError with pypy (issue5348) Pierre-Yves David <pierre-yves.david@ens-lyon.org> parents: 29631 diff changeset	398 else:
799e36749f1a ssl: handle a difference in SSLError with pypy (issue5348) Pierre-Yves David <pierre-yves.david@ens-lyon.org> parents: 29631 diff changeset	399 msg = e.args[1]
29446 2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29411 diff changeset	400 raise error.Abort(_('error loading CA file %s: %s') % (
37084 f0b6fbea00cf stringutil: bulk-replace call sites to point to new module Yuya Nishihara <yuya@tcha.org> parents: 36747 diff changeset	401 settings['cafile'], stringutil.forcebytestr(msg)),
29446 2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29411 diff changeset	402 hint=_('file is empty or malformed?'))
29113 5b9577edf745 sslutil: use CA loaded state to drive validation logic Gregory Szorc <gregory.szorc@gmail.com> parents: 29112 diff changeset	403 caloaded = True
29288 7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29287 diff changeset	404 elif settings['allowloaddefaultcerts']:
28652 c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	405 # This is a no-op on old Python.
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	406 sslcontext.load_default_certs()
29288 7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29287 diff changeset	407 caloaded = True
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29287 diff changeset	408 else:
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29287 diff changeset	409 caloaded = False
23834 bf07c19b4c82 https: support tls sni (server name indication) for https urls (issue3090) Alex Orange <crazycasta@gmail.com> parents: 23069 diff changeset	410
29449 5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29447 diff changeset	411 try:
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29447 diff changeset	412 sslsocket = sslcontext.wrap_socket(sock, server_hostname=serverhostname)
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	413 except ssl.SSLError as e:
29449 5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29447 diff changeset	414 # If we're doing certificate verification and no CA certs are loaded,
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29447 diff changeset	415 # that is almost certainly the reason why verification failed. Provide
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29447 diff changeset	416 # a hint to the user.
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29447 diff changeset	417 # Only modern ssl module exposes SSLContext.get_ca_certs() so we can
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29447 diff changeset	418 # only show this warning if modern ssl is available.
31725 c777b12cdc9b sslutil: clarify internal documentation Matt Harbison <matt_harbison@yahoo.com> parents: 31290 diff changeset	419 # The exception handler is here to handle bugs around cert attributes:
c777b12cdc9b sslutil: clarify internal documentation Matt Harbison <matt_harbison@yahoo.com> parents: 31290 diff changeset	420 # https://bugs.python.org/issue20916#msg213479. (See issues5313.)
c777b12cdc9b sslutil: clarify internal documentation Matt Harbison <matt_harbison@yahoo.com> parents: 31290 diff changeset	421 # When the main 20916 bug occurs, 'sslcontext.get_ca_certs()' is a
c777b12cdc9b sslutil: clarify internal documentation Matt Harbison <matt_harbison@yahoo.com> parents: 31290 diff changeset	422 # non-empty list, but the following conditional is otherwise True.
29631 387bdd53c77e sslutil: work around SSLContext.get_ca_certs bug on Windows (issue5313) Gregory Szorc <gregory.szorc@gmail.com> parents: 29619 diff changeset	423 try:
387bdd53c77e sslutil: work around SSLContext.get_ca_certs bug on Windows (issue5313) Gregory Szorc <gregory.szorc@gmail.com> parents: 29619 diff changeset	424 if (caloaded and settings['verifymode'] == ssl.CERT_REQUIRED and
387bdd53c77e sslutil: work around SSLContext.get_ca_certs bug on Windows (issue5313) Gregory Szorc <gregory.szorc@gmail.com> parents: 29619 diff changeset	425 modernssl and not sslcontext.get_ca_certs()):
387bdd53c77e sslutil: work around SSLContext.get_ca_certs bug on Windows (issue5313) Gregory Szorc <gregory.szorc@gmail.com> parents: 29619 diff changeset	426 ui.warn(_('(an attempt was made to load CA certificates but '
387bdd53c77e sslutil: work around SSLContext.get_ca_certs bug on Windows (issue5313) Gregory Szorc <gregory.szorc@gmail.com> parents: 29619 diff changeset	427 'none were loaded; see '
387bdd53c77e sslutil: work around SSLContext.get_ca_certs bug on Windows (issue5313) Gregory Szorc <gregory.szorc@gmail.com> parents: 29619 diff changeset	428 'https://mercurial-scm.org/wiki/SecureConnections '
387bdd53c77e sslutil: work around SSLContext.get_ca_certs bug on Windows (issue5313) Gregory Szorc <gregory.szorc@gmail.com> parents: 29619 diff changeset	429 'for how to configure Mercurial to avoid this '
387bdd53c77e sslutil: work around SSLContext.get_ca_certs bug on Windows (issue5313) Gregory Szorc <gregory.szorc@gmail.com> parents: 29619 diff changeset	430 'error)\n'))
387bdd53c77e sslutil: work around SSLContext.get_ca_certs bug on Windows (issue5313) Gregory Szorc <gregory.szorc@gmail.com> parents: 29619 diff changeset	431 except ssl.SSLError:
387bdd53c77e sslutil: work around SSLContext.get_ca_certs bug on Windows (issue5313) Gregory Szorc <gregory.szorc@gmail.com> parents: 29619 diff changeset	432 pass
41410 0d226b2139df sslutil: use raw strings for exception reason compare Gregory Szorc <gregory.szorc@gmail.com> parents: 38475 diff changeset	433
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	434 # Try to print more helpful error messages for known failures.
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	435 if util.safehasattr(e, 'reason'):
29619 53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	436 # This error occurs when the client and server don't share a
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	437 # common/supported SSL/TLS protocol. We've disabled SSLv2 and SSLv3
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	438 # outright. Hopefully the reason for this error is that we require
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	439 # TLS 1.1+ and the server only supports TLS 1.0. Whatever the
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	440 # reason, try to emit an actionable warning.
41410 0d226b2139df sslutil: use raw strings for exception reason compare Gregory Szorc <gregory.szorc@gmail.com> parents: 38475 diff changeset	441 if e.reason == r'UNSUPPORTED_PROTOCOL':
29619 53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	442 # We attempted TLS 1.0+.
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	443 if settings['protocolui'] == 'tls1.0':
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	444 # We support more than just TLS 1.0+. If this happens,
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	445 # the likely scenario is either the client or the server
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	446 # is really old. (e.g. server doesn't support TLS 1.0+ or
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	447 # client doesn't support modern TLS versions introduced
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	448 # several years from when this comment was written).
32291 bd872f64a8ba cleanup: use set literals Martin von Zweigbergk <martinvonz@google.com> parents: 32273 diff changeset	449 if supportedprotocols != {'tls1.0'}:
29619 53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	450 ui.warn(_(
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	451 '(could not communicate with %s using security '
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	452 'protocols %s; if you are using a modern Mercurial '
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	453 'version, consider contacting the operator of this '
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	454 'server; see '
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	455 'https://mercurial-scm.org/wiki/SecureConnections '
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	456 'for more info)\n') % (
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	457 serverhostname,
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	458 ', '.join(sorted(supportedprotocols))))
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	459 else:
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	460 ui.warn(_(
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	461 '(could not communicate with %s using TLS 1.0; the '
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	462 'likely cause of this is the server no longer '
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	463 'supports TLS 1.0 because it has known security '
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	464 'vulnerabilities; see '
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	465 'https://mercurial-scm.org/wiki/SecureConnections '
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	466 'for more info)\n') % serverhostname)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	467 else:
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	468 # We attempted TLS 1.1+. We can only get here if the client
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	469 # supports the configured protocol. So the likely reason is
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	470 # the client wants better security than the server can
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	471 # offer.
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	472 ui.warn(_(
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	473 '(could not negotiate a common security protocol (%s+) '
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	474 'with %s; the likely cause is Mercurial is configured '
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	475 'to be more secure than the server can support)\n') % (
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	476 settings['protocolui'], serverhostname))
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	477 ui.warn(_('(consider contacting the operator of this '
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	478 'server and ask them to support modern TLS '
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	479 'protocol versions; or, set '
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	480 'hostsecurity.%s:minimumprotocol=tls1.0 to allow '
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	481 'use of legacy, less secure protocols when '
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	482 'communicating with this server)\n') %
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	483 serverhostname)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	484 ui.warn(_(
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	485 '(see https://mercurial-scm.org/wiki/SecureConnections '
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	486 'for more info)\n'))
33494 30f2715be123 sslutil: inform the user about how to fix an incomplete certificate chain Matt Harbison <matt_harbison@yahoo.com> parents: 33381 diff changeset	487
41410 0d226b2139df sslutil: use raw strings for exception reason compare Gregory Szorc <gregory.szorc@gmail.com> parents: 38475 diff changeset	488 elif (e.reason == r'CERTIFICATE_VERIFY_FAILED' and
34645 75979c8d4572 codemod: use pycompat.iswindows Jun Wu <quark@fb.com> parents: 33494 diff changeset	489 pycompat.iswindows):
33494 30f2715be123 sslutil: inform the user about how to fix an incomplete certificate chain Matt Harbison <matt_harbison@yahoo.com> parents: 33381 diff changeset	490
30f2715be123 sslutil: inform the user about how to fix an incomplete certificate chain Matt Harbison <matt_harbison@yahoo.com> parents: 33381 diff changeset	491 ui.warn(_('(the full certificate chain may not be available '
30f2715be123 sslutil: inform the user about how to fix an incomplete certificate chain Matt Harbison <matt_harbison@yahoo.com> parents: 33381 diff changeset	492 'locally; see "hg help debugssl")\n'))
29449 5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29447 diff changeset	493 raise
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29447 diff changeset	494
28652 c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	495 # check if wrap_socket failed silently because socket had been
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	496 # closed
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	497 # - see http://bugs.python.org/issue13721
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	498 if not sslsocket.cipher():
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	499 raise error.Abort(_('ssl connection failed'))
29113 5b9577edf745 sslutil: use CA loaded state to drive validation logic Gregory Szorc <gregory.szorc@gmail.com> parents: 29112 diff changeset	500
29225 b115eed11780 sslutil: use a dict for hanging hg state off the wrapped socket Gregory Szorc <gregory.szorc@gmail.com> parents: 29224 diff changeset	501 sslsocket._hgstate = {
b115eed11780 sslutil: use a dict for hanging hg state off the wrapped socket Gregory Szorc <gregory.szorc@gmail.com> parents: 29224 diff changeset	502 'caloaded': caloaded,
29226 33006bd6a1d7 sslutil: store and use hostname and ui in socket instance Gregory Szorc <gregory.szorc@gmail.com> parents: 29225 diff changeset	503 'hostname': serverhostname,
29259 ec247e8595f9 sslutil: move SSLContext.verify_mode value into _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29258 diff changeset	504 'settings': settings,
29226 33006bd6a1d7 sslutil: store and use hostname and ui in socket instance Gregory Szorc <gregory.szorc@gmail.com> parents: 29225 diff changeset	505 'ui': ui,
29225 b115eed11780 sslutil: use a dict for hanging hg state off the wrapped socket Gregory Szorc <gregory.szorc@gmail.com> parents: 29224 diff changeset	506 }
29113 5b9577edf745 sslutil: use CA loaded state to drive validation logic Gregory Szorc <gregory.szorc@gmail.com> parents: 29112 diff changeset	507
28652 c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	508 return sslsocket
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	509
29554 4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	510 def wrapserversocket(sock, ui, certfile=None, keyfile=None, cafile=None,
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	511 requireclientcert=False):
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	512 """Wrap a socket for use by servers.
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	513
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	514 ``certfile`` and ``keyfile`` specify the files containing the certificate's
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	515 public and private keys, respectively. Both keys can be defined in the same
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	516 file via ``certfile`` (the private key must come first in the file).
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	517
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	518 ``cafile`` defines the path to certificate authorities.
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	519
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	520 ``requireclientcert`` specifies whether to require client certificates.
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	521
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	522 Typically ``cafile`` is only defined if ``requireclientcert`` is true.
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	523 """
33381 3bdbbadddecc sslutil: check for missing certificate and key files (issue5598) Gregory Szorc <gregory.szorc@gmail.com> parents: 32291 diff changeset	524 # This function is not used much by core Mercurial, so the error messaging
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598) Gregory Szorc <gregory.szorc@gmail.com> parents: 32291 diff changeset	525 # doesn't have to be as detailed as for wrapsocket().
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598) Gregory Szorc <gregory.szorc@gmail.com> parents: 32291 diff changeset	526 for f in (certfile, keyfile, cafile):
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598) Gregory Szorc <gregory.szorc@gmail.com> parents: 32291 diff changeset	527 if f and not os.path.exists(f):
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598) Gregory Szorc <gregory.szorc@gmail.com> parents: 32291 diff changeset	528 raise error.Abort(_('referenced certificate file (%s) does not '
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598) Gregory Szorc <gregory.szorc@gmail.com> parents: 32291 diff changeset	529 'exist') % f)
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598) Gregory Szorc <gregory.szorc@gmail.com> parents: 32291 diff changeset	530
29618 fbf4adc0d8f2 sslutil: capture string string representation of protocol Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	531 protocol, options, _protocolui = protocolsettings('tls1.0')
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	532
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	533 # This config option is intended for use in tests only. It is a giant
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	534 # footgun to kill security. Don't define it.
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	535 exactprotocol = ui.config('devel', 'serverexactprotocol')
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	536 if exactprotocol == 'tls1.0':
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	537 protocol = ssl.PROTOCOL_TLSv1
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	538 elif exactprotocol == 'tls1.1':
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29578 diff changeset	539 if 'tls1.1' not in supportedprotocols:
6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29578 diff changeset	540 raise error.Abort(_('TLS 1.1 not supported by this Python'))
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	541 protocol = ssl.PROTOCOL_TLSv1_1
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	542 elif exactprotocol == 'tls1.2':
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29578 diff changeset	543 if 'tls1.2' not in supportedprotocols:
6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29578 diff changeset	544 raise error.Abort(_('TLS 1.2 not supported by this Python'))
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	545 protocol = ssl.PROTOCOL_TLSv1_2
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	546 elif exactprotocol:
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	547 raise error.Abort(_('invalid value for serverexactprotocol: %s') %
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	548 exactprotocol)
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	549
29554 4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	550 if modernssl:
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	551 # We /could/ use create_default_context() here since it doesn't load
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	552 # CAs when configured for client auth. However, it is hard-coded to
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	553 # use ssl.PROTOCOL_SSLv23 which may not be appropriate here.
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	554 sslcontext = SSLContext(protocol)
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	555 sslcontext.options \|= options
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	556
29554 4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	557 # Improve forward secrecy.
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	558 sslcontext.options \|= getattr(ssl, 'OP_SINGLE_DH_USE', 0)
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	559 sslcontext.options \|= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0)
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	560
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	561 # Use the list of more secure ciphers if found in the ssl module.
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	562 if util.safehasattr(ssl, '_RESTRICTED_SERVER_CIPHERS'):
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	563 sslcontext.options \|= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0)
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	564 sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	565 else:
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	566 sslcontext = SSLContext(ssl.PROTOCOL_TLSv1)
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	567
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	568 if requireclientcert:
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	569 sslcontext.verify_mode = ssl.CERT_REQUIRED
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	570 else:
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	571 sslcontext.verify_mode = ssl.CERT_NONE
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	572
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	573 if certfile or keyfile:
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	574 sslcontext.load_cert_chain(certfile=certfile, keyfile=keyfile)
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	575
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	576 if cafile:
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	577 sslcontext.load_verify_locations(cafile=cafile)
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	578
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	579 return sslcontext.wrap_socket(sock, server_side=True)
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	580
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	581 class wildcarderror(Exception):
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	582 """Represents an error parsing wildcards in DNS name."""
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	583
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	584 def _dnsnamematch(dn, hostname, maxwildcards=1):
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	585 """Match DNS names according RFC 6125 section 6.4.3.
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	586
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	587 This code is effectively copied from CPython's ssl._dnsname_match.
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	588
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	589 Returns a bool indicating whether the expected hostname matches
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	590 the value in ``dn``.
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	591 """
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	592 pats = []
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	593 if not dn:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	594 return False
36745 424994a0adfd sslutil: lots of unicode/bytes cleanup Augie Fackler <augie@google.com> parents: 35582 diff changeset	595 dn = pycompat.bytesurl(dn)
424994a0adfd sslutil: lots of unicode/bytes cleanup Augie Fackler <augie@google.com> parents: 35582 diff changeset	596 hostname = pycompat.bytesurl(hostname)
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	597
36745 424994a0adfd sslutil: lots of unicode/bytes cleanup Augie Fackler <augie@google.com> parents: 35582 diff changeset	598 pieces = dn.split('.')
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	599 leftmost = pieces[0]
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	600 remainder = pieces[1:]
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	601 wildcards = leftmost.count('*')
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	602 if wildcards > maxwildcards:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	603 raise wildcarderror(
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	604 _('too many wildcards in certificate DNS name: %s') % dn)
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	605
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	606 # speed up common case w/o wildcards
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	607 if not wildcards:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	608 return dn.lower() == hostname.lower()
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	609
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	610 # RFC 6125, section 6.4.3, subitem 1.
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	611 # The client SHOULD NOT attempt to match a presented identifier in which
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	612 # the wildcard character comprises a label other than the left-most label.
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	613 if leftmost == '*':
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	614 # When '*' is a fragment by itself, it matches a non-empty dotless
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	615 # fragment.
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	616 pats.append('[^.]+')
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	617 elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	618 # RFC 6125, section 6.4.3, subitem 3.
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	619 # The client SHOULD NOT attempt to match a presented identifier
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	620 # where the wildcard character is embedded within an A-label or
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	621 # U-label of an internationalized domain name.
38475 67dc32d4e790 cleanup: migrate from re.escape to stringutil.reescape Augie Fackler <augie@google.com> parents: 37872 diff changeset	622 pats.append(stringutil.reescape(leftmost))
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	623 else:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	624 # Otherwise, '' matches any dotless string, e.g. www
38475 67dc32d4e790 cleanup: migrate from re.escape to stringutil.reescape Augie Fackler <augie@google.com> parents: 37872 diff changeset	625 pats.append(stringutil.reescape(leftmost).replace(br'\', '[^.]'))
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	626
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	627 # add the remaining fragments, ignore any wildcards
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	628 for frag in remainder:
38475 67dc32d4e790 cleanup: migrate from re.escape to stringutil.reescape Augie Fackler <augie@google.com> parents: 37872 diff changeset	629 pats.append(stringutil.reescape(frag))
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	630
37666 46e705b79323 py3: add b'' prefixes to make values bytes Pulkit Goyal <7895pulkit@gmail.com> parents: 37120 diff changeset	631 pat = re.compile(br'\A' + br'\.'.join(pats) + br'\Z', re.IGNORECASE)
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	632 return pat.match(hostname) is not None
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	633
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	634 def _verifycert(cert, hostname):
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	635 '''Verify that cert (in socket.getpeercert() format) matches hostname.
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	636 CRLs is not handled.
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	637
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	638 Returns error message if any problems are found and None on success.
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	639 '''
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	640 if not cert:
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	641 return _('no certificate received')
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	642
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	643 dnsnames = []
37872 51a2f8d199c7 sslutil: fix some edge cases in Python 3 support Augie Fackler <augie@google.com> parents: 37666 diff changeset	644 san = cert.get(r'subjectAltName', [])
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	645 for key, value in san:
37872 51a2f8d199c7 sslutil: fix some edge cases in Python 3 support Augie Fackler <augie@google.com> parents: 37666 diff changeset	646 if key == r'DNS':
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	647 try:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	648 if _dnsnamematch(value, hostname):
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	649 return
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	650 except wildcarderror as e:
37084 f0b6fbea00cf stringutil: bulk-replace call sites to point to new module Yuya Nishihara <yuya@tcha.org> parents: 36747 diff changeset	651 return stringutil.forcebytestr(e.args[0])
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	652
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	653 dnsnames.append(value)
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	654
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	655 if not dnsnames:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	656 # The subject is only checked when there is no DNS in subjectAltName.
36745 424994a0adfd sslutil: lots of unicode/bytes cleanup Augie Fackler <augie@google.com> parents: 35582 diff changeset	657 for sub in cert.get(r'subject', []):
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	658 for key, value in sub:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	659 # According to RFC 2818 the most specific Common Name must
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	660 # be used.
36745 424994a0adfd sslutil: lots of unicode/bytes cleanup Augie Fackler <augie@google.com> parents: 35582 diff changeset	661 if key == r'commonName':
30332 318a24b52eeb spelling: fixes of non-dictionary words Mads Kiilerich <madski@unity3d.com> parents: 30228 diff changeset	662 # 'subject' entries are unicode.
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	663 try:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	664 value = value.encode('ascii')
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	665 except UnicodeEncodeError:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	666 return _('IDN in certificate not supported')
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	667
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	668 try:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	669 if _dnsnamematch(value, hostname):
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	670 return
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	671 except wildcarderror as e:
37084 f0b6fbea00cf stringutil: bulk-replace call sites to point to new module Yuya Nishihara <yuya@tcha.org> parents: 36747 diff changeset	672 return stringutil.forcebytestr(e.args[0])
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	673
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	674 dnsnames.append(value)
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	675
37872 51a2f8d199c7 sslutil: fix some edge cases in Python 3 support Augie Fackler <augie@google.com> parents: 37666 diff changeset	676 dnsnames = [pycompat.bytesurl(d) for d in dnsnames]
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	677 if len(dnsnames) > 1:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	678 return _('certificate is for %s') % ', '.join(dnsnames)
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	679 elif len(dnsnames) == 1:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	680 return _('certificate is for %s') % dnsnames[0]
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	681 else:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	682 return _('no commonName or subjectAltName found in certificate')
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	683
23042 2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	684 def _plainapplepython():
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	685 """return true if this seems to be a pure Apple Python that
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	686 * is unfrozen and presumably has the whole mercurial module in the file
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	687 system
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	688 * presumably is an Apple Python that uses Apple OpenSSL which has patches
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	689 for using system certificate store CAs in addition to the provided
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	690 cacerts file
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	691 """
37120 a8a902d7176e procutil: bulk-replace function calls to point to new module Yuya Nishihara <yuya@tcha.org> parents: 37084 diff changeset	692 if (not pycompat.isdarwin or procutil.mainfrozen() or
34647 dacfcdd8b94e codemod: use pycompat.isdarwin Jun Wu <quark@fb.com> parents: 34645 diff changeset	693 not pycompat.sysexecutable):
23042 2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	694 return False
30669 10b17ed9b591 py3: replace sys.executable with pycompat.sysexecutable Pulkit Goyal <7895pulkit@gmail.com> parents: 30641 diff changeset	695 exe = os.path.realpath(pycompat.sysexecutable).lower()
23042 2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	696 return (exe.startswith('/usr/bin/python') or
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	697 exe.startswith('/system/library/frameworks/python.framework/'))
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	698
29500 4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	699 _systemcacertpaths = [
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	700 # RHEL, CentOS, and Fedora
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	701 '/etc/pki/tls/certs/ca-bundle.trust.crt',
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	702 # Debian, Ubuntu, Gentoo
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	703 '/etc/ssl/certs/ca-certificates.crt',
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	704 ]
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	705
29483 918dce4b8c26 sslutil: pass ui to _defaultcacerts Gregory Szorc <gregory.szorc@gmail.com> parents: 29482 diff changeset	706 def _defaultcacerts(ui):
29488 1c26b9ce66f8 sslutil: expand _defaultcacerts docstring to note calling assumptions Gregory Szorc <gregory.szorc@gmail.com> parents: 29487 diff changeset	707 """return path to default CA certificates or None.
1c26b9ce66f8 sslutil: expand _defaultcacerts docstring to note calling assumptions Gregory Szorc <gregory.szorc@gmail.com> parents: 29487 diff changeset	708
1c26b9ce66f8 sslutil: expand _defaultcacerts docstring to note calling assumptions Gregory Szorc <gregory.szorc@gmail.com> parents: 29487 diff changeset	709 It is assumed this function is called when the returned certificates
1c26b9ce66f8 sslutil: expand _defaultcacerts docstring to note calling assumptions Gregory Szorc <gregory.szorc@gmail.com> parents: 29487 diff changeset	710 file will actually be used to validate connections. Therefore this
1c26b9ce66f8 sslutil: expand _defaultcacerts docstring to note calling assumptions Gregory Szorc <gregory.szorc@gmail.com> parents: 29487 diff changeset	711 function may print warnings or debug messages assuming this usage.
29500 4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	712
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	713 We don't print a message when the Python is able to load default
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	714 CA certs because this scenario is detected at socket connect time.
29488 1c26b9ce66f8 sslutil: expand _defaultcacerts docstring to note calling assumptions Gregory Szorc <gregory.szorc@gmail.com> parents: 29487 diff changeset	715 """
30228 b9f7b0c10027 sslutil: guard against broken certifi installations (issue5406) Gábor Stefanik <gabor.stefanik@nng.com> parents: 29927 diff changeset	716 # The "certifi" Python package provides certificates. If it is installed
b9f7b0c10027 sslutil: guard against broken certifi installations (issue5406) Gábor Stefanik <gabor.stefanik@nng.com> parents: 29927 diff changeset	717 # and usable, assume the user intends it to be used and use it.
29486 a62c00f6dd04 sslutil: use certificates provided by certifi if available Gregory Szorc <gregory.szorc@gmail.com> parents: 29484 diff changeset	718 try:
a62c00f6dd04 sslutil: use certificates provided by certifi if available Gregory Szorc <gregory.szorc@gmail.com> parents: 29484 diff changeset	719 import certifi
a62c00f6dd04 sslutil: use certificates provided by certifi if available Gregory Szorc <gregory.szorc@gmail.com> parents: 29484 diff changeset	720 certs = certifi.where()
30228 b9f7b0c10027 sslutil: guard against broken certifi installations (issue5406) Gábor Stefanik <gabor.stefanik@nng.com> parents: 29927 diff changeset	721 if os.path.exists(certs):
b9f7b0c10027 sslutil: guard against broken certifi installations (issue5406) Gábor Stefanik <gabor.stefanik@nng.com> parents: 29927 diff changeset	722 ui.debug('using ca certificates from certifi\n')
b9f7b0c10027 sslutil: guard against broken certifi installations (issue5406) Gábor Stefanik <gabor.stefanik@nng.com> parents: 29927 diff changeset	723 return certs
b9f7b0c10027 sslutil: guard against broken certifi installations (issue5406) Gábor Stefanik <gabor.stefanik@nng.com> parents: 29927 diff changeset	724 except (ImportError, AttributeError):
29486 a62c00f6dd04 sslutil: use certificates provided by certifi if available Gregory Szorc <gregory.szorc@gmail.com> parents: 29484 diff changeset	725 pass
a62c00f6dd04 sslutil: use certificates provided by certifi if available Gregory Szorc <gregory.szorc@gmail.com> parents: 29484 diff changeset	726
29489 54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29488 diff changeset	727 # On Windows, only the modern ssl module is capable of loading the system
54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29488 diff changeset	728 # CA certificates. If we're not capable of doing that, emit a warning
54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29488 diff changeset	729 # because we'll get a certificate verification error later and the lack
54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29488 diff changeset	730 # of loaded CA certificates will be the reason why.
54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29488 diff changeset	731 # Assertion: this code is only called if certificates are being verified.
34645 75979c8d4572 codemod: use pycompat.iswindows Jun Wu <quark@fb.com> parents: 33494 diff changeset	732 if pycompat.iswindows:
29489 54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29488 diff changeset	733 if not _canloaddefaultcerts:
54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29488 diff changeset	734 ui.warn(_('(unable to load Windows CA certificates; see '
54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29488 diff changeset	735 'https://mercurial-scm.org/wiki/SecureConnections for '
54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29488 diff changeset	736 'how to configure Mercurial to avoid this message)\n'))
54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29488 diff changeset	737
54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29488 diff changeset	738 return None
54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29488 diff changeset	739
29487 cdcb5747dc88 sslutil: document the Apple OpenSSL cert trick Gregory Szorc <gregory.szorc@gmail.com> parents: 29486 diff changeset	740 # Apple's OpenSSL has patches that allow a specially constructed certificate
cdcb5747dc88 sslutil: document the Apple OpenSSL cert trick Gregory Szorc <gregory.szorc@gmail.com> parents: 29486 diff changeset	741 # to load the system CA store. If we're running on Apple Python, use this
cdcb5747dc88 sslutil: document the Apple OpenSSL cert trick Gregory Szorc <gregory.szorc@gmail.com> parents: 29486 diff changeset	742 # trick.
24288 922e087ba158 ssl: extract function that returns dummycert path on Apple python Yuya Nishihara <yuya@tcha.org> parents: 23851 diff changeset	743 if _plainapplepython():
31074 2912b06905dc py3: use pycompat.fsencode() to convert __file__ to bytes Pulkit Goyal <7895pulkit@gmail.com> parents: 30669 diff changeset	744 dummycert = os.path.join(
2912b06905dc py3: use pycompat.fsencode() to convert __file__ to bytes Pulkit Goyal <7895pulkit@gmail.com> parents: 30669 diff changeset	745 os.path.dirname(pycompat.fsencode(__file__)), 'dummycert.pem')
24288 922e087ba158 ssl: extract function that returns dummycert path on Apple python Yuya Nishihara <yuya@tcha.org> parents: 23851 diff changeset	746 if os.path.exists(dummycert):
922e087ba158 ssl: extract function that returns dummycert path on Apple python Yuya Nishihara <yuya@tcha.org> parents: 23851 diff changeset	747 return dummycert
29107 c8fbfb9163ce sslutil: move code examining _canloaddefaultcerts out of _defaultcacerts Gregory Szorc <gregory.szorc@gmail.com> parents: 29106 diff changeset	748
29499 9c5325c79683 sslutil: issue warning when unable to load certificates on OS X Gregory Szorc <gregory.szorc@gmail.com> parents: 29489 diff changeset	749 # The Apple OpenSSL trick isn't available to us. If Python isn't able to
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X Gregory Szorc <gregory.szorc@gmail.com> parents: 29489 diff changeset	750 # load system certs, we're out of luck.
34647 dacfcdd8b94e codemod: use pycompat.isdarwin Jun Wu <quark@fb.com> parents: 34645 diff changeset	751 if pycompat.isdarwin:
29499 9c5325c79683 sslutil: issue warning when unable to load certificates on OS X Gregory Szorc <gregory.szorc@gmail.com> parents: 29489 diff changeset	752 # FUTURE Consider looking for Homebrew or MacPorts installed certs
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X Gregory Szorc <gregory.szorc@gmail.com> parents: 29489 diff changeset	753 # files. Also consider exporting the keychain certs to a file during
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X Gregory Szorc <gregory.szorc@gmail.com> parents: 29489 diff changeset	754 # Mercurial install.
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X Gregory Szorc <gregory.szorc@gmail.com> parents: 29489 diff changeset	755 if not _canloaddefaultcerts:
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X Gregory Szorc <gregory.szorc@gmail.com> parents: 29489 diff changeset	756 ui.warn(_('(unable to load CA certificates; see '
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X Gregory Szorc <gregory.szorc@gmail.com> parents: 29489 diff changeset	757 'https://mercurial-scm.org/wiki/SecureConnections for '
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X Gregory Szorc <gregory.szorc@gmail.com> parents: 29489 diff changeset	758 'how to configure Mercurial to avoid this message)\n'))
24291 760a86865f80 ssl: load CA certificates from system's store by default on Python 2.7.9 Yuya Nishihara <yuya@tcha.org> parents: 24290 diff changeset	759 return None
24288 922e087ba158 ssl: extract function that returns dummycert path on Apple python Yuya Nishihara <yuya@tcha.org> parents: 23851 diff changeset	760
29537 5f8b36d5a6ec sslutil: add assertion to prevent accidental CA usage on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29508 diff changeset	761 # / is writable on Windows. Out of an abundance of caution make sure
5f8b36d5a6ec sslutil: add assertion to prevent accidental CA usage on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29508 diff changeset	762 # we're not on Windows because paths from _systemcacerts could be installed
5f8b36d5a6ec sslutil: add assertion to prevent accidental CA usage on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29508 diff changeset	763 # by non-admin users.
34645 75979c8d4572 codemod: use pycompat.iswindows Jun Wu <quark@fb.com> parents: 33494 diff changeset	764 assert not pycompat.iswindows
29537 5f8b36d5a6ec sslutil: add assertion to prevent accidental CA usage on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29508 diff changeset	765
29500 4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	766 # Try to find CA certificates in well-known locations. We print a warning
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	767 # when using a found file because we don't want too much silent magic
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	768 # for security settings. The expectation is that proper Mercurial
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	769 # installs will have the CA certs path defined at install time and the
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	770 # installer/packager will make an appropriate decision on the user's
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	771 # behalf. We only get here and perform this setting as a feature of
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	772 # last resort.
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	773 if not _canloaddefaultcerts:
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	774 for path in _systemcacertpaths:
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	775 if os.path.isfile(path):
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	776 ui.warn(_('(using CA certificates from %s; if you see this '
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	777 'message, your Mercurial install is not properly '
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	778 'configured; see '
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	779 'https://mercurial-scm.org/wiki/SecureConnections '
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	780 'for how to configure Mercurial to avoid this '
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	781 'message)\n') % path)
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	782 return path
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	783
29500 4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	784 ui.warn(_('(unable to load CA certificates; see '
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	785 'https://mercurial-scm.org/wiki/SecureConnections for '
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	786 'how to configure Mercurial to avoid this message)\n'))
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	787
29107 c8fbfb9163ce sslutil: move code examining _canloaddefaultcerts out of _defaultcacerts Gregory Szorc <gregory.szorc@gmail.com> parents: 29106 diff changeset	788 return None
24288 922e087ba158 ssl: extract function that returns dummycert path on Apple python Yuya Nishihara <yuya@tcha.org> parents: 23851 diff changeset	789
29286 a05a91a3f120 sslutil: remove "strict" argument from validatesocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29268 diff changeset	790 def validatesocket(sock):
30332 318a24b52eeb spelling: fixes of non-dictionary words Mads Kiilerich <madski@unity3d.com> parents: 30228 diff changeset	791 """Validate a socket meets security requirements.
18879 93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	792
29227 dffe78d80a6c sslutil: convert socket validation from a class to a function (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29226 diff changeset	793 The passed socket must have been created with ``wrapsocket()``.
dffe78d80a6c sslutil: convert socket validation from a class to a function (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29226 diff changeset	794 """
36745 424994a0adfd sslutil: lots of unicode/bytes cleanup Augie Fackler <augie@google.com> parents: 35582 diff changeset	795 shost = sock._hgstate['hostname']
424994a0adfd sslutil: lots of unicode/bytes cleanup Augie Fackler <augie@google.com> parents: 35582 diff changeset	796 host = pycompat.bytesurl(shost)
29227 dffe78d80a6c sslutil: convert socket validation from a class to a function (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29226 diff changeset	797 ui = sock._hgstate['ui']
29258 6315c1e14f75 sslutil: introduce a function for determining host-specific settings Gregory Szorc <gregory.szorc@gmail.com> parents: 29253 diff changeset	798 settings = sock._hgstate['settings']
18879 93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	799
29227 dffe78d80a6c sslutil: convert socket validation from a class to a function (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29226 diff changeset	800 try:
dffe78d80a6c sslutil: convert socket validation from a class to a function (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29226 diff changeset	801 peercert = sock.getpeercert(True)
dffe78d80a6c sslutil: convert socket validation from a class to a function (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29226 diff changeset	802 peercert2 = sock.getpeercert()
dffe78d80a6c sslutil: convert socket validation from a class to a function (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29226 diff changeset	803 except AttributeError:
dffe78d80a6c sslutil: convert socket validation from a class to a function (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29226 diff changeset	804 raise error.Abort(_('%s ssl connection error') % host)
24288 922e087ba158 ssl: extract function that returns dummycert path on Apple python Yuya Nishihara <yuya@tcha.org> parents: 23851 diff changeset	805
29227 dffe78d80a6c sslutil: convert socket validation from a class to a function (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29226 diff changeset	806 if not peercert:
dffe78d80a6c sslutil: convert socket validation from a class to a function (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29226 diff changeset	807 raise error.Abort(_('%s certificate error: '
dffe78d80a6c sslutil: convert socket validation from a class to a function (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29226 diff changeset	808 'no certificate received') % host)
18879 93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	809
29289 3536673a25ae sslutil: move and change warning when cert verification is disabled Gregory Szorc <gregory.szorc@gmail.com> parents: 29288 diff changeset	810 if settings['disablecertverification']:
3536673a25ae sslutil: move and change warning when cert verification is disabled Gregory Szorc <gregory.szorc@gmail.com> parents: 29288 diff changeset	811 # We don't print the certificate fingerprint because it shouldn't
3536673a25ae sslutil: move and change warning when cert verification is disabled Gregory Szorc <gregory.szorc@gmail.com> parents: 29288 diff changeset	812 # be necessary: if the user requested certificate verification be
3536673a25ae sslutil: move and change warning when cert verification is disabled Gregory Szorc <gregory.szorc@gmail.com> parents: 29288 diff changeset	813 # disabled, they presumably already saw a message about the inability
3536673a25ae sslutil: move and change warning when cert verification is disabled Gregory Szorc <gregory.szorc@gmail.com> parents: 29288 diff changeset	814 # to verify the certificate and this message would have printed the
3536673a25ae sslutil: move and change warning when cert verification is disabled Gregory Szorc <gregory.szorc@gmail.com> parents: 29288 diff changeset	815 # fingerprint. So printing the fingerprint here adds little to no
3536673a25ae sslutil: move and change warning when cert verification is disabled Gregory Szorc <gregory.szorc@gmail.com> parents: 29288 diff changeset	816 # value.
3536673a25ae sslutil: move and change warning when cert verification is disabled Gregory Szorc <gregory.szorc@gmail.com> parents: 29288 diff changeset	817 ui.warn(_('warning: connection security to %s is disabled per current '
3536673a25ae sslutil: move and change warning when cert verification is disabled Gregory Szorc <gregory.szorc@gmail.com> parents: 29288 diff changeset	818 'settings; communication is susceptible to eavesdropping '
3536673a25ae sslutil: move and change warning when cert verification is disabled Gregory Szorc <gregory.szorc@gmail.com> parents: 29288 diff changeset	819 'and tampering\n') % host)
3536673a25ae sslutil: move and change warning when cert verification is disabled Gregory Szorc <gregory.szorc@gmail.com> parents: 29288 diff changeset	820 return
18879 93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	821
29227 dffe78d80a6c sslutil: convert socket validation from a class to a function (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29226 diff changeset	822 # If a certificate fingerprint is pinned, use it and only it to
dffe78d80a6c sslutil: convert socket validation from a class to a function (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29226 diff changeset	823 # validate the remote cert.
29262 dfc4f08aa160 sslutil: calculate host fingerprints from additional algorithms Gregory Szorc <gregory.szorc@gmail.com> parents: 29260 diff changeset	824 peerfingerprints = {
35582 72b91f905065 py3: use node.hex(h.digest()) instead of h.hexdigest() Pulkit Goyal <7895pulkit@gmail.com> parents: 35369 diff changeset	825 'sha1': node.hex(hashlib.sha1(peercert).digest()),
72b91f905065 py3: use node.hex(h.digest()) instead of h.hexdigest() Pulkit Goyal <7895pulkit@gmail.com> parents: 35369 diff changeset	826 'sha256': node.hex(hashlib.sha256(peercert).digest()),
72b91f905065 py3: use node.hex(h.digest()) instead of h.hexdigest() Pulkit Goyal <7895pulkit@gmail.com> parents: 35369 diff changeset	827 'sha512': node.hex(hashlib.sha512(peercert).digest()),
29262 dfc4f08aa160 sslutil: calculate host fingerprints from additional algorithms Gregory Szorc <gregory.szorc@gmail.com> parents: 29260 diff changeset	828 }
18879 93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	829
29290 01248c37a68e sslutil: print SHA-256 fingerprint by default Gregory Szorc <gregory.szorc@gmail.com> parents: 29289 diff changeset	830 def fmtfingerprint(s):
01248c37a68e sslutil: print SHA-256 fingerprint by default Gregory Szorc <gregory.szorc@gmail.com> parents: 29289 diff changeset	831 return ':'.join([s[x:x + 2] for x in range(0, len(s), 2)])
01248c37a68e sslutil: print SHA-256 fingerprint by default Gregory Szorc <gregory.szorc@gmail.com> parents: 29289 diff changeset	832
01248c37a68e sslutil: print SHA-256 fingerprint by default Gregory Szorc <gregory.szorc@gmail.com> parents: 29289 diff changeset	833 nicefingerprint = 'sha256:%s' % fmtfingerprint(peerfingerprints['sha256'])
28850 3819c349b194 sslutil: document and slightly refactor validation logic Gregory Szorc <gregory.szorc@gmail.com> parents: 28849 diff changeset	834
29258 6315c1e14f75 sslutil: introduce a function for determining host-specific settings Gregory Szorc <gregory.szorc@gmail.com> parents: 29253 diff changeset	835 if settings['certfingerprints']:
6315c1e14f75 sslutil: introduce a function for determining host-specific settings Gregory Szorc <gregory.szorc@gmail.com> parents: 29253 diff changeset	836 for hash, fingerprint in settings['certfingerprints']:
29262 dfc4f08aa160 sslutil: calculate host fingerprints from additional algorithms Gregory Szorc <gregory.szorc@gmail.com> parents: 29260 diff changeset	837 if peerfingerprints[hash].lower() == fingerprint:
29291 15e533b7909c sslutil: refactor code for fingerprint matching Gregory Szorc <gregory.szorc@gmail.com> parents: 29290 diff changeset	838 ui.debug('%s certificate matched fingerprint %s:%s\n' %
15e533b7909c sslutil: refactor code for fingerprint matching Gregory Szorc <gregory.szorc@gmail.com> parents: 29290 diff changeset	839 (host, hash, fmtfingerprint(fingerprint)))
31290 f819aa9dbbf9 sslutil: issue warning when [hostfingerprint] is used Gregory Szorc <gregory.szorc@gmail.com> parents: 31074 diff changeset	840 if settings['legacyfingerprint']:
f819aa9dbbf9 sslutil: issue warning when [hostfingerprint] is used Gregory Szorc <gregory.szorc@gmail.com> parents: 31074 diff changeset	841 ui.warn(_('(SHA-1 fingerprint for %s found in legacy '
f819aa9dbbf9 sslutil: issue warning when [hostfingerprint] is used Gregory Szorc <gregory.szorc@gmail.com> parents: 31074 diff changeset	842 '[hostfingerprints] section; '
32273 2e455cbeac50 sslutil: tweak the legacy [hostfingerprints] warning message Gregory Szorc <gregory.szorc@gmail.com> parents: 32247 diff changeset	843 'if you trust this fingerprint, remove the old '
2e455cbeac50 sslutil: tweak the legacy [hostfingerprints] warning message Gregory Szorc <gregory.szorc@gmail.com> parents: 32247 diff changeset	844 'SHA-1 fingerprint from [hostfingerprints] and '
2e455cbeac50 sslutil: tweak the legacy [hostfingerprints] warning message Gregory Szorc <gregory.szorc@gmail.com> parents: 32247 diff changeset	845 'add the following entry to the new '
2e455cbeac50 sslutil: tweak the legacy [hostfingerprints] warning message Gregory Szorc <gregory.szorc@gmail.com> parents: 32247 diff changeset	846 '[hostsecurity] section: %s:fingerprints=%s)\n') %
2e455cbeac50 sslutil: tweak the legacy [hostfingerprints] warning message Gregory Szorc <gregory.szorc@gmail.com> parents: 32247 diff changeset	847 (host, host, nicefingerprint))
29291 15e533b7909c sslutil: refactor code for fingerprint matching Gregory Szorc <gregory.szorc@gmail.com> parents: 29290 diff changeset	848 return
28850 3819c349b194 sslutil: document and slightly refactor validation logic Gregory Szorc <gregory.szorc@gmail.com> parents: 28849 diff changeset	849
29293 1b3a0b0c414f sslutil: print the fingerprint from the last hash used Gregory Szorc <gregory.szorc@gmail.com> parents: 29292 diff changeset	850 # Pinned fingerprint didn't match. This is a fatal error.
1b3a0b0c414f sslutil: print the fingerprint from the last hash used Gregory Szorc <gregory.szorc@gmail.com> parents: 29292 diff changeset	851 if settings['legacyfingerprint']:
1b3a0b0c414f sslutil: print the fingerprint from the last hash used Gregory Szorc <gregory.szorc@gmail.com> parents: 29292 diff changeset	852 section = 'hostfingerprint'
1b3a0b0c414f sslutil: print the fingerprint from the last hash used Gregory Szorc <gregory.szorc@gmail.com> parents: 29292 diff changeset	853 nice = fmtfingerprint(peerfingerprints['sha1'])
1b3a0b0c414f sslutil: print the fingerprint from the last hash used Gregory Szorc <gregory.szorc@gmail.com> parents: 29292 diff changeset	854 else:
1b3a0b0c414f sslutil: print the fingerprint from the last hash used Gregory Szorc <gregory.szorc@gmail.com> parents: 29292 diff changeset	855 section = 'hostsecurity'
1b3a0b0c414f sslutil: print the fingerprint from the last hash used Gregory Szorc <gregory.szorc@gmail.com> parents: 29292 diff changeset	856 nice = '%s:%s' % (hash, fmtfingerprint(peerfingerprints[hash]))
29291 15e533b7909c sslutil: refactor code for fingerprint matching Gregory Szorc <gregory.szorc@gmail.com> parents: 29290 diff changeset	857 raise error.Abort(_('certificate for %s has unexpected '
29293 1b3a0b0c414f sslutil: print the fingerprint from the last hash used Gregory Szorc <gregory.szorc@gmail.com> parents: 29292 diff changeset	858 'fingerprint %s') % (host, nice),
29291 15e533b7909c sslutil: refactor code for fingerprint matching Gregory Szorc <gregory.szorc@gmail.com> parents: 29290 diff changeset	859 hint=_('check %s configuration') % section)
28850 3819c349b194 sslutil: document and slightly refactor validation logic Gregory Szorc <gregory.szorc@gmail.com> parents: 28849 diff changeset	860
29411 e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29410 diff changeset	861 # Security is enabled but no CAs are loaded. We can't establish trust
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29410 diff changeset	862 # for the cert so abort.
29227 dffe78d80a6c sslutil: convert socket validation from a class to a function (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29226 diff changeset	863 if not sock._hgstate['caloaded']:
29411 e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29410 diff changeset	864 raise error.Abort(
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29410 diff changeset	865 _('unable to verify security of %s (no loaded CA certificates); '
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29410 diff changeset	866 'refusing to connect') % host,
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29410 diff changeset	867 hint=_('see https://mercurial-scm.org/wiki/SecureConnections for '
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29410 diff changeset	868 'how to configure Mercurial to avoid this error or set '
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29410 diff changeset	869 'hostsecurity.%s:fingerprints=%s to trust this server') %
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29410 diff changeset	870 (host, nicefingerprint))
29113 5b9577edf745 sslutil: use CA loaded state to drive validation logic Gregory Szorc <gregory.szorc@gmail.com> parents: 29112 diff changeset	871
36745 424994a0adfd sslutil: lots of unicode/bytes cleanup Augie Fackler <augie@google.com> parents: 35582 diff changeset	872 msg = _verifycert(peercert2, shost)
29227 dffe78d80a6c sslutil: convert socket validation from a class to a function (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29226 diff changeset	873 if msg:
dffe78d80a6c sslutil: convert socket validation from a class to a function (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29226 diff changeset	874 raise error.Abort(_('%s certificate error: %s') % (host, msg),
29292 bc5f55493397 sslutil: make cert fingerprints messages more actionable Gregory Szorc <gregory.szorc@gmail.com> parents: 29291 diff changeset	875 hint=_('set hostsecurity.%s:certfingerprints=%s '
bc5f55493397 sslutil: make cert fingerprints messages more actionable Gregory Szorc <gregory.szorc@gmail.com> parents: 29291 diff changeset	876 'config setting or use --insecure to connect '
bc5f55493397 sslutil: make cert fingerprints messages more actionable Gregory Szorc <gregory.szorc@gmail.com> parents: 29291 diff changeset	877 'insecurely') %
bc5f55493397 sslutil: make cert fingerprints messages more actionable Gregory Szorc <gregory.szorc@gmail.com> parents: 29291 diff changeset	878 (host, nicefingerprint))

Mercurial > hg

annotate mercurial/sslutil.py @ 41410:0d226b2139df