# sslutil.py - SSL handling for mercurial

#

# Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com>

# Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>

# Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>

#

# This software may be used and distributed according to the terms of the

# GNU General Public License version 2 or any later version.

from __future__ import absolute_import

import hashlib

import os

import re

import ssl

from .i18n import _

from . import (

    encoding,

    error,

    node,

    pycompat,

    util,

)

from .utils import (

    procutil,

    stringutil,

)

# Python 2.7.9+ overhauled the built-in SSL/TLS features of Python. It added

# support for TLS 1.1, TLS 1.2, SNI, system CA stores, etc. These features are

# all exposed via the "ssl" module.

#

# Depending on the version of Python being used, SSL/TLS support is either

# modern/secure or legacy/insecure. Many operations in this module have

# separate code paths depending on support in Python.

configprotocols = {

    'tls1.0',

    'tls1.1',

    'tls1.2',

}

hassni = getattr(ssl, 'HAS_SNI', False)

# TLS 1.1 and 1.2 may not be supported if the OpenSSL Python is compiled

# against doesn't support them.

supportedprotocols = {'tls1.0'}

if util.safehasattr(ssl, 'PROTOCOL_TLSv1_1'):

    supportedprotocols.add('tls1.1')

if util.safehasattr(ssl, 'PROTOCOL_TLSv1_2'):

    supportedprotocols.add('tls1.2')

try:

    # ssl.SSLContext was added in 2.7.9 and presence indicates modern

    # SSL/TLS features are available.

    SSLContext = ssl.SSLContext

    modernssl = True

    _canloaddefaultcerts = util.safehasattr(SSLContext, 'load_default_certs')

except AttributeError:

    modernssl = False

    _canloaddefaultcerts = False

    # We implement SSLContext using the interface from the standard library.

    class SSLContext(object):

        def __init__(self, protocol):

            # From the public interface of SSLContext

            self.protocol = protocol

            self.check_hostname = False

            self.options = 0

            self.verify_mode = ssl.CERT_NONE

            # Used by our implementation.

            self._certfile = None

            self._keyfile = None

            self._certpassword = None

            self._cacerts = None

            self._ciphers = None

        def load_cert_chain(self, certfile, keyfile=None, password=None):

            self._certfile = certfile

            self._keyfile = keyfile

            self._certpassword = password

        def load_default_certs(self, purpose=None):

            pass

        def load_verify_locations(self, cafile=None, capath=None, cadata=None):

            if capath:

                raise error.Abort(_('capath not supported'))

            if cadata:

                raise error.Abort(_('cadata not supported'))

            self._cacerts = cafile

        def set_ciphers(self, ciphers):

            self._ciphers = ciphers

        def wrap_socket(self, socket, server_hostname=None, server_side=False):

            # server_hostname is unique to SSLContext.wrap_socket and is used

            # for SNI in that context. So there's nothing for us to do with it

            # in this legacy code since we don't support SNI.

            args = {

                r'keyfile': self._keyfile,

                r'certfile': self._certfile,

                r'server_side': server_side,

                r'cert_reqs': self.verify_mode,

                r'ssl_version': self.protocol,

                r'ca_certs': self._cacerts,

                r'ciphers': self._ciphers,

            }

            return ssl.wrap_socket(socket, **args)

def _hostsettings(ui, hostname):

    """Obtain security settings for a hostname.

    Returns a dict of settings relevant to that hostname.

    """

    bhostname = pycompat.bytesurl(hostname)

    s = {

        # Whether we should attempt to load default/available CA certs

        # if an explicit ``cafile`` is not defined.

        'allowloaddefaultcerts': True,

        # List of 2-tuple of (hash algorithm, hash).

        'certfingerprints': [],

        # Path to file containing concatenated CA certs. Used by

        # SSLContext.load_verify_locations().

        'cafile': None,

        # Whether certificate verification should be disabled.

        'disablecertverification': False,

        # Whether the legacy [hostfingerprints] section has data for this host.

        'legacyfingerprint': False,

        # PROTOCOL_* constant to use for SSLContext.__init__.

        'protocol': None,

        # String representation of minimum protocol to be used for UI

        # presentation.

        'protocolui': None,

        # ssl.CERT_* constant used by SSLContext.verify_mode.

        'verifymode': None,

        # Defines extra ssl.OP* bitwise options to set.

        'ctxoptions': None,

        # OpenSSL Cipher List to use (instead of default).

        'ciphers': None,

    }

    # Allow minimum TLS protocol to be specified in the config.

    def validateprotocol(protocol, key):

        if protocol not in configprotocols:

            raise error.Abort(

    # We default to TLS 1.1+ where we can because TLS 1.0 has known

    # vulnerabilities (like BEAST and POODLE). We allow users to downgrade to

    # TLS 1.0+ via config options in case a legacy server is encountered.

    if 'tls1.1' in supportedprotocols:

        defaultprotocol = 'tls1.1'

    else:

        # Let people know they are borderline secure.

        # We don't document this config option because we want people to see

        # the bold warnings on the web site.

        # internal config: hostsecurity.disabletls10warning

        if not ui.configbool('hostsecurity', 'disabletls10warning'):

        defaultprotocol = 'tls1.0'

    key = 'minimumprotocol'

    protocol = ui.config('hostsecurity', key, defaultprotocol)

    validateprotocol(protocol, key)

    key = '%s:minimumprotocol' % bhostname

    protocol = ui.config('hostsecurity', key, protocol)

    validateprotocol(protocol, key)

    # If --insecure is used, we allow the use of TLS 1.0 despite config options.

    # We always print a "connection security to %s is disabled..." message when

    # --insecure is used. So no need to print anything more here.

    if ui.insecureconnections:

        protocol = 'tls1.0'

    s['protocol'], s['ctxoptions'], s['protocolui'] = protocolsettings(protocol)

    ciphers = ui.config('hostsecurity', 'ciphers')

    ciphers = ui.config('hostsecurity', '%s:ciphers' % bhostname, ciphers)

    s['ciphers'] = ciphers

    # Look for fingerprints in [hostsecurity] section. Value is a list

    # of <alg>:<fingerprint> strings.

    fingerprints = ui.configlist('hostsecurity', '%s:fingerprints' % bhostname)

    for fingerprint in fingerprints:

        if not (fingerprint.startswith(('sha1:', 'sha256:', 'sha512:'))):

        alg, fingerprint = fingerprint.split(':', 1)

        fingerprint = fingerprint.replace(':', '').lower()

        s['certfingerprints'].append((alg, fingerprint))

    # Fingerprints from [hostfingerprints] are always SHA-1.

    for fingerprint in ui.configlist('hostfingerprints', bhostname):

        fingerprint = fingerprint.replace(':', '').lower()

        s['certfingerprints'].append(('sha1', fingerprint))

        s['legacyfingerprint'] = True

    # If a host cert fingerprint is defined, it is the only thing that

    # matters. No need to validate CA certs.

    if s['certfingerprints']:

        s['verifymode'] = ssl.CERT_NONE

        s['allowloaddefaultcerts'] = False

    # If --insecure is used, don't take CAs into consideration.

    elif ui.insecureconnections:

        s['disablecertverification'] = True

        s['verifymode'] = ssl.CERT_NONE

        s['allowloaddefaultcerts'] = False

    if ui.configbool('devel', 'disableloaddefaultcerts'):

        s['allowloaddefaultcerts'] = False

    # If both fingerprints and a per-host ca file are specified, issue a warning

    # because users should not be surprised about what security is or isn't

    # being performed.

    cafile = ui.config('hostsecurity', '%s:verifycertsfile' % bhostname)

    if s['certfingerprints'] and cafile:

    # Try to hook up CA certificate validation unless something above

    # makes it not necessary.

    if s['verifymode'] is None:

        # Look at per-host ca file first.

        if cafile:

            cafile = util.expandpath(cafile)

            if not os.path.exists(cafile):

            s['cafile'] = cafile

        else:

            # Find global certificates file in config.

            cafile = ui.config('web', 'cacerts')

            if cafile:

                cafile = util.expandpath(cafile)

                if not os.path.exists(cafile):

            elif s['allowloaddefaultcerts']:

                # CAs not defined in config. Try to find system bundles.

                cafile = _defaultcacerts(ui)

                if cafile:

                    ui.debug('using %s for CA file\n' % cafile)

            s['cafile'] = cafile

        # Require certificate validation if CA certs are being loaded and

        # verification hasn't been disabled above.

        if cafile or (_canloaddefaultcerts and s['allowloaddefaultcerts']):

            s['verifymode'] = ssl.CERT_REQUIRED

        else:

            # At this point we don't have a fingerprint, aren't being

            # explicitly insecure, and can't load CA certs. Connecting

            # is insecure. We allow the connection and abort during

            # validation (once we have the fingerprint to print to the

            # user).

            s['verifymode'] = ssl.CERT_NONE

    assert s['protocol'] is not None

    assert s['ctxoptions'] is not None

    assert s['verifymode'] is not None

    return s

def protocolsettings(protocol):

    """Resolve the protocol for a config value.

    Returns a 3-tuple of (protocol, options, ui value) where the first

    2 items are values used by SSLContext and the last is a string value

    of the ``minimumprotocol`` config option equivalent.

    """

    if protocol not in configprotocols:

        raise ValueError('protocol value not supported: %s' % protocol)

    # Despite its name, PROTOCOL_SSLv23 selects the highest protocol

    # that both ends support, including TLS protocols. On legacy stacks,

    # the highest it likely goes is TLS 1.0. On modern stacks, it can

    # support TLS 1.2.

    #

    # The PROTOCOL_TLSv* constants select a specific TLS version

    # only (as opposed to multiple versions). So the method for

    # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and

    # disable protocols via SSLContext.options and OP_NO_* constants.

    # However, SSLContext.options doesn't work unless we have the

    # full/real SSLContext available to us.

    if supportedprotocols == {'tls1.0'}:

        if protocol != 'tls1.0':

        return ssl.PROTOCOL_TLSv1, 0, 'tls1.0'

    # WARNING: returned options don't work unless the modern ssl module

    # is available. Be careful when adding options here.

    # SSLv2 and SSLv3 are broken. We ban them outright.

    options = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3

    if protocol == 'tls1.0':

        # Defaults above are to use TLS 1.0+

        pass

    elif protocol == 'tls1.1':

        options |= ssl.OP_NO_TLSv1

    elif protocol == 'tls1.2':

        options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1

    else:

        raise error.Abort(_('this should not happen'))

    # Prevent CRIME.

    # There is no guarantee this attribute is defined on the module.

    options |= getattr(ssl, 'OP_NO_COMPRESSION', 0)

    return ssl.PROTOCOL_SSLv23, options, protocol

def wrapsocket(sock, keyfile, certfile, ui, serverhostname=None):

    """Add SSL/TLS to a socket.

    This is a glorified wrapper for ``ssl.wrap_socket()``. It makes sane

    choices based on what security options are available.

    In addition to the arguments supported by ``ssl.wrap_socket``, we allow

    the following additional arguments:

    * serverhostname - The expected hostname of the remote server. If the

      server (and client) support SNI, this tells the server which certificate

      to use.

    """

    if not serverhostname:

        raise error.Abort(_('serverhostname argument is required'))

    if b'SSLKEYLOGFILE' in encoding.environ:

        try:

            import sslkeylog

            ui.warn(

        except ImportError:

    for f in (keyfile, certfile):

        if f and not os.path.exists(f):

            raise error.Abort(

                _('certificate file (%s) does not exist; cannot connect to %s')

                % (f, pycompat.bytesurl(serverhostname)),

    settings = _hostsettings(ui, serverhostname)

    # We can't use ssl.create_default_context() because it calls

    # load_default_certs() unless CA arguments are passed to it. We want to

    # have explicit control over CA loading because implicitly loading

    # CAs may undermine the user's intent. For example, a user may define a CA

    # bundle with a specific CA cert removed. If the system/default CA bundle

    # is loaded and contains that removed CA, you've just undone the user's

    # choice.

    sslcontext = SSLContext(settings['protocol'])

    # This is a no-op unless using modern ssl.

    sslcontext.options |= settings['ctxoptions']

    # This still works on our fake SSLContext.

    sslcontext.verify_mode = settings['verifymode']

    if settings['ciphers']:

        try:

            sslcontext.set_ciphers(pycompat.sysstr(settings['ciphers']))

        except ssl.SSLError as e:

            raise error.Abort(

                _('could not set ciphers: %s')

                % stringutil.forcebytestr(e.args[0]),

    if certfile is not None:

        def password():

            f = keyfile or certfile

            return ui.getpass(_('passphrase for %s: ') % f, '')

        sslcontext.load_cert_chain(certfile, keyfile, password)

    if settings['cafile'] is not None:

        try:

            sslcontext.load_verify_locations(cafile=settings['cafile'])

        except ssl.SSLError as e:

                msg = e.args[0]

            else:

                msg = e.args[1]

        caloaded = True

    elif settings['allowloaddefaultcerts']:

        # This is a no-op on old Python.

        sslcontext.load_default_certs()

        caloaded = True

    else:

        caloaded = False

    try:

        sslsocket = sslcontext.wrap_socket(sock, server_hostname=serverhostname)

    except ssl.SSLError as e:

        # If we're doing certificate verification and no CA certs are loaded,

        # that is almost certainly the reason why verification failed. Provide

        # a hint to the user.

        # Only modern ssl module exposes SSLContext.get_ca_certs() so we can

        # only show this warning if modern ssl is available.

        # The exception handler is here to handle bugs around cert attributes:

        # https://bugs.python.org/issue20916#msg213479.  (See issues5313.)

        # When the main 20916 bug occurs, 'sslcontext.get_ca_certs()' is a

        # non-empty list, but the following conditional is otherwise True.

        try:

        except ssl.SSLError: