Mercurial: mercurial/sslutil.py annotate

annotate mercurial/sslutil.py @ 44873:47b3c8383cc1

sslutil: set `_canloaddefaultcerts` to `True` if `ssl.SSLContext` is present The `load_default_certs()` method was already present when `ssl.SSLContext` was backported to Python 2.7 (https://hg.python.org/cpython/rev/221a1f9155e2).

author	Manuel Jacob <me@manueljacob.de>
date	Sat, 30 May 2020 03:46:59 +0200
parents	cbc5755df6bf
children	7c19eb372438

rev	line source
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	1 # sslutil.py - SSL handling for mercurial
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	2 #
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	3 # Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com>
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	4 # Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	5 # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	6 #
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	7 # This software may be used and distributed according to the terms of the
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	8 # GNU General Public License version 2 or any later version.
25977 696f6e2be282 sslutil: use absolute_import Gregory Szorc <gregory.szorc@gmail.com> parents: 25432 diff changeset	9
696f6e2be282 sslutil: use absolute_import Gregory Szorc <gregory.szorc@gmail.com> parents: 25432 diff changeset	10 from __future__ import absolute_import
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	11
29341 0d83ad967bf8 cleanup: replace uses of util.(md5\|sha1\|sha256\|sha512) with hashlib.\1 Augie Fackler <raf@durin42.com> parents: 29334 diff changeset	12 import hashlib
25977 696f6e2be282 sslutil: use absolute_import Gregory Szorc <gregory.szorc@gmail.com> parents: 25432 diff changeset	13 import os
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	14 import re
25977 696f6e2be282 sslutil: use absolute_import Gregory Szorc <gregory.szorc@gmail.com> parents: 25432 diff changeset	15 import ssl
696f6e2be282 sslutil: use absolute_import Gregory Szorc <gregory.szorc@gmail.com> parents: 25432 diff changeset	16
696f6e2be282 sslutil: use absolute_import Gregory Szorc <gregory.szorc@gmail.com> parents: 25432 diff changeset	17 from .i18n import _
43089 c59eb1560c44 py3: manually import getattr where it is needed Gregory Szorc <gregory.szorc@gmail.com> parents: 43080 diff changeset	18 from .pycompat import getattr
28577 7efff6ce9826 sslutil: use preferred formatting for import syntax Gregory Szorc <gregory.szorc@gmail.com> parents: 28525 diff changeset	19 from . import (
42269 c8d55ff80da1 sslutil: add support for SSLKEYLOGFILE to wrapsocket Augie Fackler <augie@google.com> parents: 42263 diff changeset	20 encoding,
28577 7efff6ce9826 sslutil: use preferred formatting for import syntax Gregory Szorc <gregory.szorc@gmail.com> parents: 28525 diff changeset	21 error,
35582 72b91f905065 py3: use node.hex(h.digest()) instead of h.hexdigest() Pulkit Goyal <7895pulkit@gmail.com> parents: 35369 diff changeset	22 node,
30639 d524c88511a7 py3: replace os.name with pycompat.osname (part 1 of 2) Pulkit Goyal <7895pulkit@gmail.com> parents: 30332 diff changeset	23 pycompat,
28577 7efff6ce9826 sslutil: use preferred formatting for import syntax Gregory Szorc <gregory.szorc@gmail.com> parents: 28525 diff changeset	24 util,
7efff6ce9826 sslutil: use preferred formatting for import syntax Gregory Szorc <gregory.szorc@gmail.com> parents: 28525 diff changeset	25 )
37084 f0b6fbea00cf stringutil: bulk-replace call sites to point to new module Yuya Nishihara <yuya@tcha.org> parents: 36747 diff changeset	26 from .utils import (
44061 cbc5755df6bf sslutil: migrate to hashutil.sha1 instead of hashlib.sha1 Augie Fackler <augie@google.com> parents: 43671 diff changeset	27 hashutil,
43671 664e24207728 procutil: move mainfrozen() to new resourceutil.py Martin von Zweigbergk <martinvonz@google.com> parents: 43506 diff changeset	28 resourceutil,
37084 f0b6fbea00cf stringutil: bulk-replace call sites to point to new module Yuya Nishihara <yuya@tcha.org> parents: 36747 diff changeset	29 stringutil,
f0b6fbea00cf stringutil: bulk-replace call sites to point to new module Yuya Nishihara <yuya@tcha.org> parents: 36747 diff changeset	30 )
24291 760a86865f80 ssl: load CA certificates from system's store by default on Python 2.7.9 Yuya Nishihara <yuya@tcha.org> parents: 24290 diff changeset	31
28647 834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	32 # Python 2.7.9+ overhauled the built-in SSL/TLS features of Python. It added
834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	33 # support for TLS 1.1, TLS 1.2, SNI, system CA stores, etc. These features are
834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	34 # all exposed via the "ssl" module.
834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	35 #
834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	36 # Depending on the version of Python being used, SSL/TLS support is either
834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	37 # modern/secure or legacy/insecure. Many operations in this module have
834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	38 # separate code paths depending on support in Python.
834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	39
32291 bd872f64a8ba cleanup: use set literals Martin von Zweigbergk <martinvonz@google.com> parents: 32273 diff changeset	40 configprotocols = {
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	41 b'tls1.0',
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	42 b'tls1.1',
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	43 b'tls1.2',
32291 bd872f64a8ba cleanup: use set literals Martin von Zweigbergk <martinvonz@google.com> parents: 32273 diff changeset	44 }
26622 9e15286609ae sslutil: expose attribute indicating whether SNI is supported Gregory Szorc <gregory.szorc@gmail.com> parents: 26587 diff changeset	45
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	46 hassni = getattr(ssl, 'HAS_SNI', False)
28648 7fc787e5d8ec sslutil: store OP_NO_SSL* constants in module scope Gregory Szorc <gregory.szorc@gmail.com> parents: 28647 diff changeset	47
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29578 diff changeset	48 # TLS 1.1 and 1.2 may not be supported if the OpenSSL Python is compiled
6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29578 diff changeset	49 # against doesn't support them.
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	50 supportedprotocols = {b'tls1.0'}
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	51 if util.safehasattr(ssl, b'PROTOCOL_TLSv1_1'):
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	52 supportedprotocols.add(b'tls1.1')
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	53 if util.safehasattr(ssl, b'PROTOCOL_TLSv1_2'):
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	54 supportedprotocols.add(b'tls1.2')
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29578 diff changeset	55
28649 7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	56 try:
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	57 # ssl.SSLContext was added in 2.7.9 and presence indicates modern
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	58 # SSL/TLS features are available.
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	59 SSLContext = ssl.SSLContext
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	60 modernssl = True
44873 47b3c8383cc1 sslutil: set `_canloaddefaultcerts` to `True` if `ssl.SSLContext` is present Manuel Jacob <me@manueljacob.de> parents: 44061 diff changeset	61 _canloaddefaultcerts = True
28649 7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	62 except AttributeError:
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	63 modernssl = False
28650 737863b01d9f sslutil: move _canloaddefaultcerts logic Gregory Szorc <gregory.szorc@gmail.com> parents: 28649 diff changeset	64 _canloaddefaultcerts = False
28649 7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	65
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	66 # We implement SSLContext using the interface from the standard library.
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	67 class SSLContext(object):
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	68 def __init__(self, protocol):
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	69 # From the public interface of SSLContext
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	70 self.protocol = protocol
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	71 self.check_hostname = False
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	72 self.options = 0
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	73 self.verify_mode = ssl.CERT_NONE
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	74
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	75 # Used by our implementation.
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	76 self._certfile = None
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	77 self._keyfile = None
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	78 self._certpassword = None
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	79 self._cacerts = None
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	80 self._ciphers = None
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	81
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	82 def load_cert_chain(self, certfile, keyfile=None, password=None):
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	83 self._certfile = certfile
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	84 self._keyfile = keyfile
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	85 self._certpassword = password
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	86
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	87 def load_default_certs(self, purpose=None):
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	88 pass
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	89
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	90 def load_verify_locations(self, cafile=None, capath=None, cadata=None):
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	91 if capath:
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	92 raise error.Abort(_(b'capath not supported'))
28649 7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	93 if cadata:
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	94 raise error.Abort(_(b'cadata not supported'))
28649 7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	95
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	96 self._cacerts = cafile
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	97
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	98 def set_ciphers(self, ciphers):
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	99 self._ciphers = ciphers
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	100
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	101 def wrap_socket(self, socket, server_hostname=None, server_side=False):
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	102 # server_hostname is unique to SSLContext.wrap_socket and is used
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	103 # for SNI in that context. So there's nothing for us to do with it
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	104 # in this legacy code since we don't support SNI.
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	105
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	106 args = {
43506 9f70512ae2cf cleanup: remove pointless r-prefixes on single-quoted strings Augie Fackler <augie@google.com> parents: 43117 diff changeset	107 'keyfile': self._keyfile,
9f70512ae2cf cleanup: remove pointless r-prefixes on single-quoted strings Augie Fackler <augie@google.com> parents: 43117 diff changeset	108 'certfile': self._certfile,
9f70512ae2cf cleanup: remove pointless r-prefixes on single-quoted strings Augie Fackler <augie@google.com> parents: 43117 diff changeset	109 'server_side': server_side,
9f70512ae2cf cleanup: remove pointless r-prefixes on single-quoted strings Augie Fackler <augie@google.com> parents: 43117 diff changeset	110 'cert_reqs': self.verify_mode,
9f70512ae2cf cleanup: remove pointless r-prefixes on single-quoted strings Augie Fackler <augie@google.com> parents: 43117 diff changeset	111 'ssl_version': self.protocol,
9f70512ae2cf cleanup: remove pointless r-prefixes on single-quoted strings Augie Fackler <augie@google.com> parents: 43117 diff changeset	112 'ca_certs': self._cacerts,
9f70512ae2cf cleanup: remove pointless r-prefixes on single-quoted strings Augie Fackler <augie@google.com> parents: 43117 diff changeset	113 'ciphers': self._ciphers,
28649 7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	114 }
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	115
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	116 return ssl.wrap_socket(socket, **args)
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	117
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	118
29258 6315c1e14f75 sslutil: introduce a function for determining host-specific settings Gregory Szorc <gregory.szorc@gmail.com> parents: 29253 diff changeset	119 def _hostsettings(ui, hostname):
6315c1e14f75 sslutil: introduce a function for determining host-specific settings Gregory Szorc <gregory.szorc@gmail.com> parents: 29253 diff changeset	120 """Obtain security settings for a hostname.
6315c1e14f75 sslutil: introduce a function for determining host-specific settings Gregory Szorc <gregory.szorc@gmail.com> parents: 29253 diff changeset	121
6315c1e14f75 sslutil: introduce a function for determining host-specific settings Gregory Szorc <gregory.szorc@gmail.com> parents: 29253 diff changeset	122 Returns a dict of settings relevant to that hostname.
6315c1e14f75 sslutil: introduce a function for determining host-specific settings Gregory Szorc <gregory.szorc@gmail.com> parents: 29253 diff changeset	123 """
36745 424994a0adfd sslutil: lots of unicode/bytes cleanup Augie Fackler <augie@google.com> parents: 35582 diff changeset	124 bhostname = pycompat.bytesurl(hostname)
29258 6315c1e14f75 sslutil: introduce a function for determining host-specific settings Gregory Szorc <gregory.szorc@gmail.com> parents: 29253 diff changeset	125 s = {
29288 7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29287 diff changeset	126 # Whether we should attempt to load default/available CA certs
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29287 diff changeset	127 # if an explicit ``cafile`` is not defined.
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	128 b'allowloaddefaultcerts': True,
29258 6315c1e14f75 sslutil: introduce a function for determining host-specific settings Gregory Szorc <gregory.szorc@gmail.com> parents: 29253 diff changeset	129 # List of 2-tuple of (hash algorithm, hash).
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	130 b'certfingerprints': [],
29260 70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	131 # Path to file containing concatenated CA certs. Used by
70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	132 # SSLContext.load_verify_locations().
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	133 b'cafile': None,
29287 fbccb334efe7 sslutil: store flag for whether cert verification is disabled Gregory Szorc <gregory.szorc@gmail.com> parents: 29286 diff changeset	134 # Whether certificate verification should be disabled.
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	135 b'disablecertverification': False,
29268 f200b58497f1 sslutil: reference appropriate config section in messaging Gregory Szorc <gregory.szorc@gmail.com> parents: 29267 diff changeset	136 # Whether the legacy [hostfingerprints] section has data for this host.
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	137 b'legacyfingerprint': False,
29507 97dcdcf75f4f sslutil: move protocol determination to _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29501 diff changeset	138 # PROTOCOL_* constant to use for SSLContext.__init__.
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	139 b'protocol': None,
29618 fbf4adc0d8f2 sslutil: capture string string representation of protocol Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	140 # String representation of minimum protocol to be used for UI
fbf4adc0d8f2 sslutil: capture string string representation of protocol Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	141 # presentation.
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	142 b'protocolui': None,
29259 ec247e8595f9 sslutil: move SSLContext.verify_mode value into _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29258 diff changeset	143 # ssl.CERT_* constant used by SSLContext.verify_mode.
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	144 b'verifymode': None,
29508 d65ec41b6384 sslutil: move context options flags to _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29507 diff changeset	145 # Defines extra ssl.OP* bitwise options to set.
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	146 b'ctxoptions': None,
29577 9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	147 # OpenSSL Cipher List to use (instead of default).
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	148 b'ciphers': None,
29258 6315c1e14f75 sslutil: introduce a function for determining host-specific settings Gregory Szorc <gregory.szorc@gmail.com> parents: 29253 diff changeset	149 }
6315c1e14f75 sslutil: introduce a function for determining host-specific settings Gregory Szorc <gregory.szorc@gmail.com> parents: 29253 diff changeset	150
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	151 # Allow minimum TLS protocol to be specified in the config.
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	152 def validateprotocol(protocol, key):
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	153 if protocol not in configprotocols:
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	154 raise error.Abort(
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	155 _(b'unsupported protocol from hostsecurity.%s: %s')
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	156 % (key, protocol),
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	157 hint=_(b'valid protocols: %s')
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	158 % b' '.join(sorted(configprotocols)),
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	159 )
29507 97dcdcf75f4f sslutil: move protocol determination to _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29501 diff changeset	160
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29578 diff changeset	161 # We default to TLS 1.1+ where we can because TLS 1.0 has known
6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29578 diff changeset	162 # vulnerabilities (like BEAST and POODLE). We allow users to downgrade to
6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29578 diff changeset	163 # TLS 1.0+ via config options in case a legacy server is encountered.
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	164 if b'tls1.1' in supportedprotocols:
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	165 defaultprotocol = b'tls1.1'
29560 303e9300772a sslutil: require TLS 1.1+ when supported Gregory Szorc <gregory.szorc@gmail.com> parents: 29559 diff changeset	166 else:
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29578 diff changeset	167 # Let people know they are borderline secure.
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	168 # We don't document this config option because we want people to see
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	169 # the bold warnings on the web site.
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	170 # internal config: hostsecurity.disabletls10warning
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	171 if not ui.configbool(b'hostsecurity', b'disabletls10warning'):
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	172 ui.warn(
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	173 _(
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	174 b'warning: connecting to %s using legacy security '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	175 b'technology (TLS 1.0); see '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	176 b'https://mercurial-scm.org/wiki/SecureConnections for '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	177 b'more info\n'
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	178 )
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	179 % bhostname
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	180 )
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	181 defaultprotocol = b'tls1.0'
29560 303e9300772a sslutil: require TLS 1.1+ when supported Gregory Szorc <gregory.szorc@gmail.com> parents: 29559 diff changeset	182
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	183 key = b'minimumprotocol'
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	184 protocol = ui.config(b'hostsecurity', key, defaultprotocol)
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	185 validateprotocol(protocol, key)
29508 d65ec41b6384 sslutil: move context options flags to _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29507 diff changeset	186
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	187 key = b'%s:minimumprotocol' % bhostname
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	188 protocol = ui.config(b'hostsecurity', key, protocol)
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	189 validateprotocol(protocol, key)
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	190
29617 2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used Gregory Szorc <gregory.szorc@gmail.com> parents: 29601 diff changeset	191 # If --insecure is used, we allow the use of TLS 1.0 despite config options.
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used Gregory Szorc <gregory.szorc@gmail.com> parents: 29601 diff changeset	192 # We always print a "connection security to %s is disabled..." message when
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used Gregory Szorc <gregory.szorc@gmail.com> parents: 29601 diff changeset	193 # --insecure is used. So no need to print anything more here.
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used Gregory Szorc <gregory.szorc@gmail.com> parents: 29601 diff changeset	194 if ui.insecureconnections:
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	195 protocol = b'tls1.0'
29558 a935cd7d51a6 sslutil: prevent CRIME Gregory Szorc <gregory.szorc@gmail.com> parents: 29557 diff changeset	196
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	197 s[b'protocol'], s[b'ctxoptions'], s[b'protocolui'] = protocolsettings(
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	198 protocol
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	199 )
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	200
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	201 ciphers = ui.config(b'hostsecurity', b'ciphers')
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	202 ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers)
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	203 s[b'ciphers'] = ciphers
29577 9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	204
29267 f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29262 diff changeset	205 # Look for fingerprints in [hostsecurity] section. Value is a list
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29262 diff changeset	206 # of <alg>:<fingerprint> strings.
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	207 fingerprints = ui.configlist(
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	208 b'hostsecurity', b'%s:fingerprints' % bhostname
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	209 )
29267 f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29262 diff changeset	210 for fingerprint in fingerprints:
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	211 if not (fingerprint.startswith((b'sha1:', b'sha256:', b'sha512:'))):
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	212 raise error.Abort(
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	213 _(b'invalid fingerprint for %s: %s') % (bhostname, fingerprint),
43117 8ff1ecfadcd1 cleanup: join string literals that are already on one line Martin von Zweigbergk <martinvonz@google.com> parents: 43089 diff changeset	214 hint=_(b'must begin with "sha1:", "sha256:", or "sha512:"'),
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	215 )
29267 f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29262 diff changeset	216
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	217 alg, fingerprint = fingerprint.split(b':', 1)
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	218 fingerprint = fingerprint.replace(b':', b'').lower()
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	219 s[b'certfingerprints'].append((alg, fingerprint))
29267 f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29262 diff changeset	220
29258 6315c1e14f75 sslutil: introduce a function for determining host-specific settings Gregory Szorc <gregory.szorc@gmail.com> parents: 29253 diff changeset	221 # Fingerprints from [hostfingerprints] are always SHA-1.
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	222 for fingerprint in ui.configlist(b'hostfingerprints', bhostname):
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	223 fingerprint = fingerprint.replace(b':', b'').lower()
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	224 s[b'certfingerprints'].append((b'sha1', fingerprint))
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	225 s[b'legacyfingerprint'] = True
29258 6315c1e14f75 sslutil: introduce a function for determining host-specific settings Gregory Szorc <gregory.szorc@gmail.com> parents: 29253 diff changeset	226
29259 ec247e8595f9 sslutil: move SSLContext.verify_mode value into _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29258 diff changeset	227 # If a host cert fingerprint is defined, it is the only thing that
ec247e8595f9 sslutil: move SSLContext.verify_mode value into _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29258 diff changeset	228 # matters. No need to validate CA certs.
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	229 if s[b'certfingerprints']:
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	230 s[b'verifymode'] = ssl.CERT_NONE
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	231 s[b'allowloaddefaultcerts'] = False
29259 ec247e8595f9 sslutil: move SSLContext.verify_mode value into _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29258 diff changeset	232
ec247e8595f9 sslutil: move SSLContext.verify_mode value into _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29258 diff changeset	233 # If --insecure is used, don't take CAs into consideration.
ec247e8595f9 sslutil: move SSLContext.verify_mode value into _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29258 diff changeset	234 elif ui.insecureconnections:
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	235 s[b'disablecertverification'] = True
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	236 s[b'verifymode'] = ssl.CERT_NONE
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	237 s[b'allowloaddefaultcerts'] = False
29259 ec247e8595f9 sslutil: move SSLContext.verify_mode value into _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29258 diff changeset	238
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	239 if ui.configbool(b'devel', b'disableloaddefaultcerts'):
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	240 s[b'allowloaddefaultcerts'] = False
29288 7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29287 diff changeset	241
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29293 diff changeset	242 # If both fingerprints and a per-host ca file are specified, issue a warning
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29293 diff changeset	243 # because users should not be surprised about what security is or isn't
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29293 diff changeset	244 # being performed.
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	245 cafile = ui.config(b'hostsecurity', b'%s:verifycertsfile' % bhostname)
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	246 if s[b'certfingerprints'] and cafile:
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	247 ui.warn(
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	248 _(
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	249 b'(hostsecurity.%s:verifycertsfile ignored when host '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	250 b'fingerprints defined; using host fingerprints for '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	251 b'verification)\n'
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	252 )
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	253 % bhostname
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	254 )
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29293 diff changeset	255
29260 70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	256 # Try to hook up CA certificate validation unless something above
70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	257 # makes it not necessary.
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	258 if s[b'verifymode'] is None:
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29293 diff changeset	259 # Look at per-host ca file first.
29260 70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	260 if cafile:
70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	261 cafile = util.expandpath(cafile)
70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	262 if not os.path.exists(cafile):
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	263 raise error.Abort(
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	264 _(b'path specified by %s does not exist: %s')
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	265 % (
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	266 b'hostsecurity.%s:verifycertsfile' % (bhostname,),
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	267 cafile,
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	268 )
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	269 )
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	270 s[b'cafile'] = cafile
29260 70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	271 else:
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29293 diff changeset	272 # Find global certificates file in config.
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	273 cafile = ui.config(b'web', b'cacerts')
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29293 diff changeset	274
29260 70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	275 if cafile:
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29293 diff changeset	276 cafile = util.expandpath(cafile)
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29293 diff changeset	277 if not os.path.exists(cafile):
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	278 raise error.Abort(
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	279 _(b'could not find web.cacerts: %s') % cafile
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	280 )
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	281 elif s[b'allowloaddefaultcerts']:
29482 4e72995f6c9c sslutil: change comment and logged message for found ca cert file Gregory Szorc <gregory.szorc@gmail.com> parents: 29459 diff changeset	282 # CAs not defined in config. Try to find system bundles.
29483 918dce4b8c26 sslutil: pass ui to _defaultcacerts Gregory Szorc <gregory.szorc@gmail.com> parents: 29482 diff changeset	283 cafile = _defaultcacerts(ui)
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29293 diff changeset	284 if cafile:
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	285 ui.debug(b'using %s for CA file\n' % cafile)
29260 70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	286
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	287 s[b'cafile'] = cafile
29260 70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	288
70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	289 # Require certificate validation if CA certs are being loaded and
70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	290 # verification hasn't been disabled above.
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	291 if cafile or (_canloaddefaultcerts and s[b'allowloaddefaultcerts']):
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	292 s[b'verifymode'] = ssl.CERT_REQUIRED
29260 70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	293 else:
70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	294 # At this point we don't have a fingerprint, aren't being
70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	295 # explicitly insecure, and can't load CA certs. Connecting
29411 e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29410 diff changeset	296 # is insecure. We allow the connection and abort during
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29410 diff changeset	297 # validation (once we have the fingerprint to print to the
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29410 diff changeset	298 # user).
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	299 s[b'verifymode'] = ssl.CERT_NONE
29260 70bc9912d83d sslutil: move CA file processing into _hostsettings() Gregory Szorc <gregory.szorc@gmail.com> parents: 29259 diff changeset	300
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	301 assert s[b'protocol'] is not None
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	302 assert s[b'ctxoptions'] is not None
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	303 assert s[b'verifymode'] is not None
29259 ec247e8595f9 sslutil: move SSLContext.verify_mode value into _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29258 diff changeset	304
29258 6315c1e14f75 sslutil: introduce a function for determining host-specific settings Gregory Szorc <gregory.szorc@gmail.com> parents: 29253 diff changeset	305 return s
6315c1e14f75 sslutil: introduce a function for determining host-specific settings Gregory Szorc <gregory.szorc@gmail.com> parents: 29253 diff changeset	306
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	307
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	308 def protocolsettings(protocol):
29618 fbf4adc0d8f2 sslutil: capture string string representation of protocol Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	309 """Resolve the protocol for a config value.
fbf4adc0d8f2 sslutil: capture string string representation of protocol Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	310
fbf4adc0d8f2 sslutil: capture string string representation of protocol Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	311 Returns a 3-tuple of (protocol, options, ui value) where the first
fbf4adc0d8f2 sslutil: capture string string representation of protocol Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	312 2 items are values used by SSLContext and the last is a string value
fbf4adc0d8f2 sslutil: capture string string representation of protocol Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	313 of the ``minimumprotocol`` config option equivalent.
fbf4adc0d8f2 sslutil: capture string string representation of protocol Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	314 """
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	315 if protocol not in configprotocols:
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	316 raise ValueError(b'protocol value not supported: %s' % protocol)
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	317
29578 4a4b8d3b4e43 sslutil: move comment about protocol constants Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	318 # Despite its name, PROTOCOL_SSLv23 selects the highest protocol
4a4b8d3b4e43 sslutil: move comment about protocol constants Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	319 # that both ends support, including TLS protocols. On legacy stacks,
4a4b8d3b4e43 sslutil: move comment about protocol constants Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	320 # the highest it likely goes is TLS 1.0. On modern stacks, it can
4a4b8d3b4e43 sslutil: move comment about protocol constants Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	321 # support TLS 1.2.
4a4b8d3b4e43 sslutil: move comment about protocol constants Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	322 #
4a4b8d3b4e43 sslutil: move comment about protocol constants Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	323 # The PROTOCOL_TLSv* constants select a specific TLS version
4a4b8d3b4e43 sslutil: move comment about protocol constants Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	324 # only (as opposed to multiple versions). So the method for
4a4b8d3b4e43 sslutil: move comment about protocol constants Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	325 # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and
4a4b8d3b4e43 sslutil: move comment about protocol constants Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	326 # disable protocols via SSLContext.options and OP_NO_* constants.
4a4b8d3b4e43 sslutil: move comment about protocol constants Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	327 # However, SSLContext.options doesn't work unless we have the
4a4b8d3b4e43 sslutil: move comment about protocol constants Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	328 # full/real SSLContext available to us.
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	329 if supportedprotocols == {b'tls1.0'}:
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	330 if protocol != b'tls1.0':
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	331 raise error.Abort(
43117 8ff1ecfadcd1 cleanup: join string literals that are already on one line Martin von Zweigbergk <martinvonz@google.com> parents: 43089 diff changeset	332 _(b'current Python does not support protocol setting %s')
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	333 % protocol,
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	334 hint=_(
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	335 b'upgrade Python or disable setting since '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	336 b'only TLS 1.0 is supported'
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	337 ),
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	338 )
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	339
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	340 return ssl.PROTOCOL_TLSv1, 0, b'tls1.0'
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	341
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	342 # WARNING: returned options don't work unless the modern ssl module
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	343 # is available. Be careful when adding options here.
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	344
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	345 # SSLv2 and SSLv3 are broken. We ban them outright.
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	346 options = ssl.OP_NO_SSLv2 \| ssl.OP_NO_SSLv3
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	347
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	348 if protocol == b'tls1.0':
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	349 # Defaults above are to use TLS 1.0+
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	350 pass
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	351 elif protocol == b'tls1.1':
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	352 options \|= ssl.OP_NO_TLSv1
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	353 elif protocol == b'tls1.2':
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	354 options \|= ssl.OP_NO_TLSv1 \| ssl.OP_NO_TLSv1_1
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	355 else:
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	356 raise error.Abort(_(b'this should not happen'))
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	357
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	358 # Prevent CRIME.
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	359 # There is no guarantee this attribute is defined on the module.
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	360 options \|= getattr(ssl, 'OP_NO_COMPRESSION', 0)
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	361
29618 fbf4adc0d8f2 sslutil: capture string string representation of protocol Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	362 return ssl.PROTOCOL_SSLv23, options, protocol
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	363
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	364
29249 cca59ef27e60 sslutil: move sslkwargs logic into internal function (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29248 diff changeset	365 def wrapsocket(sock, keyfile, certfile, ui, serverhostname=None):
28653 1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	366 """Add SSL/TLS to a socket.
1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	367
1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	368 This is a glorified wrapper for ``ssl.wrap_socket()``. It makes sane
1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	369 choices based on what security options are available.
1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	370
1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	371 In addition to the arguments supported by ``ssl.wrap_socket``, we allow
1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	372 the following additional arguments:
1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	373
1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	374 * serverhostname - The expected hostname of the remote server. If the
1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	375 server (and client) support SNI, this tells the server which certificate
1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	376 to use.
1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	377 """
29224 7424f4294199 sslutil: require serverhostname argument (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29115 diff changeset	378 if not serverhostname:
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	379 raise error.Abort(_(b'serverhostname argument is required'))
29224 7424f4294199 sslutil: require serverhostname argument (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29115 diff changeset	380
42269 c8d55ff80da1 sslutil: add support for SSLKEYLOGFILE to wrapsocket Augie Fackler <augie@google.com> parents: 42263 diff changeset	381 if b'SSLKEYLOGFILE' in encoding.environ:
c8d55ff80da1 sslutil: add support for SSLKEYLOGFILE to wrapsocket Augie Fackler <augie@google.com> parents: 42263 diff changeset	382 try:
c8d55ff80da1 sslutil: add support for SSLKEYLOGFILE to wrapsocket Augie Fackler <augie@google.com> parents: 42263 diff changeset	383 import sslkeylog
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	384
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	385 sslkeylog.set_keylog(
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	386 pycompat.fsdecode(encoding.environ[b'SSLKEYLOGFILE'])
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	387 )
43080 86e4daa2d54c cleanup: mark some ui.(status\|note\|warn\|write) calls as not needing i18n Augie Fackler <augie@google.com> parents: 43077 diff changeset	388 ui.warnnoi18n(
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	389 b'sslkeylog enabled by SSLKEYLOGFILE environment variable\n'
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	390 )
42269 c8d55ff80da1 sslutil: add support for SSLKEYLOGFILE to wrapsocket Augie Fackler <augie@google.com> parents: 42263 diff changeset	391 except ImportError:
43080 86e4daa2d54c cleanup: mark some ui.(status\|note\|warn\|write) calls as not needing i18n Augie Fackler <augie@google.com> parents: 43077 diff changeset	392 ui.warnnoi18n(
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	393 b'sslkeylog module missing, '
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	394 b'but SSLKEYLOGFILE set in environment\n'
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	395 )
42269 c8d55ff80da1 sslutil: add support for SSLKEYLOGFILE to wrapsocket Augie Fackler <augie@google.com> parents: 42263 diff changeset	396
33381 3bdbbadddecc sslutil: check for missing certificate and key files (issue5598) Gregory Szorc <gregory.szorc@gmail.com> parents: 32291 diff changeset	397 for f in (keyfile, certfile):
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598) Gregory Szorc <gregory.szorc@gmail.com> parents: 32291 diff changeset	398 if f and not os.path.exists(f):
36747 4c71a26a4009 sslutil: some more forcebytes() on some exception messages Augie Fackler <augie@google.com> parents: 36746 diff changeset	399 raise error.Abort(
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	400 _(b'certificate file (%s) does not exist; cannot connect to %s')
36747 4c71a26a4009 sslutil: some more forcebytes() on some exception messages Augie Fackler <augie@google.com> parents: 36746 diff changeset	401 % (f, pycompat.bytesurl(serverhostname)),
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	402 hint=_(
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	403 b'restore missing file or fix references '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	404 b'in Mercurial config'
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	405 ),
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	406 )
33381 3bdbbadddecc sslutil: check for missing certificate and key files (issue5598) Gregory Szorc <gregory.szorc@gmail.com> parents: 32291 diff changeset	407
29259 ec247e8595f9 sslutil: move SSLContext.verify_mode value into _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29258 diff changeset	408 settings = _hostsettings(ui, serverhostname)
29249 cca59ef27e60 sslutil: move sslkwargs logic into internal function (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29248 diff changeset	409
29557 53de8255ec4e sslutil: update comment about create_default_context() Gregory Szorc <gregory.szorc@gmail.com> parents: 29554 diff changeset	410 # We can't use ssl.create_default_context() because it calls
53de8255ec4e sslutil: update comment about create_default_context() Gregory Szorc <gregory.szorc@gmail.com> parents: 29554 diff changeset	411 # load_default_certs() unless CA arguments are passed to it. We want to
53de8255ec4e sslutil: update comment about create_default_context() Gregory Szorc <gregory.szorc@gmail.com> parents: 29554 diff changeset	412 # have explicit control over CA loading because implicitly loading
53de8255ec4e sslutil: update comment about create_default_context() Gregory Szorc <gregory.szorc@gmail.com> parents: 29554 diff changeset	413 # CAs may undermine the user's intent. For example, a user may define a CA
53de8255ec4e sslutil: update comment about create_default_context() Gregory Szorc <gregory.szorc@gmail.com> parents: 29554 diff changeset	414 # bundle with a specific CA cert removed. If the system/default CA bundle
53de8255ec4e sslutil: update comment about create_default_context() Gregory Szorc <gregory.szorc@gmail.com> parents: 29554 diff changeset	415 # is loaded and contains that removed CA, you've just undone the user's
53de8255ec4e sslutil: update comment about create_default_context() Gregory Szorc <gregory.szorc@gmail.com> parents: 29554 diff changeset	416 # choice.
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	417 sslcontext = SSLContext(settings[b'protocol'])
29507 97dcdcf75f4f sslutil: move protocol determination to _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29501 diff changeset	418
29508 d65ec41b6384 sslutil: move context options flags to _hostsettings Gregory Szorc <gregory.szorc@gmail.com> parents: 29507 diff changeset	419 # This is a no-op unless using modern ssl.
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	420 sslcontext.options \|= settings[b'ctxoptions']
28651 4827d07073e6 sslutil: always use SSLContext Gregory Szorc <gregory.szorc@gmail.com> parents: 28650 diff changeset	421
28848 e330db205b20 sslutil: move and document verify_mode assignment Gregory Szorc <gregory.szorc@gmail.com> parents: 28653 diff changeset	422 # This still works on our fake SSLContext.
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	423 sslcontext.verify_mode = settings[b'verifymode']
28848 e330db205b20 sslutil: move and document verify_mode assignment Gregory Szorc <gregory.szorc@gmail.com> parents: 28653 diff changeset	424
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	425 if settings[b'ciphers']:
29577 9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	426 try:
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	427 sslcontext.set_ciphers(pycompat.sysstr(settings[b'ciphers']))
29577 9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	428 except ssl.SSLError as e:
36747 4c71a26a4009 sslutil: some more forcebytes() on some exception messages Augie Fackler <augie@google.com> parents: 36746 diff changeset	429 raise error.Abort(
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	430 _(b'could not set ciphers: %s')
37084 f0b6fbea00cf stringutil: bulk-replace call sites to point to new module Yuya Nishihara <yuya@tcha.org> parents: 36747 diff changeset	431 % stringutil.forcebytestr(e.args[0]),
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	432 hint=_(b'change cipher string (%s) in config')
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	433 % settings[b'ciphers'],
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	434 )
29577 9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	435
28652 c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	436 if certfile is not None:
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	437
28652 c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	438 def password():
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	439 f = keyfile or certfile
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	440 return ui.getpass(_(b'passphrase for %s: ') % f, b'')
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	441
28652 c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	442 sslcontext.load_cert_chain(certfile, keyfile, password)
28848 e330db205b20 sslutil: move and document verify_mode assignment Gregory Szorc <gregory.szorc@gmail.com> parents: 28653 diff changeset	443
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	444 if settings[b'cafile'] is not None:
29446 2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29411 diff changeset	445 try:
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	446 sslcontext.load_verify_locations(cafile=settings[b'cafile'])
29446 2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29411 diff changeset	447 except ssl.SSLError as e:
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	448 if len(e.args) == 1: # pypy has different SSLError args
29927 799e36749f1a ssl: handle a difference in SSLError with pypy (issue5348) Pierre-Yves David <pierre-yves.david@ens-lyon.org> parents: 29631 diff changeset	449 msg = e.args[0]
799e36749f1a ssl: handle a difference in SSLError with pypy (issue5348) Pierre-Yves David <pierre-yves.david@ens-lyon.org> parents: 29631 diff changeset	450 else:
799e36749f1a ssl: handle a difference in SSLError with pypy (issue5348) Pierre-Yves David <pierre-yves.david@ens-lyon.org> parents: 29631 diff changeset	451 msg = e.args[1]
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	452 raise error.Abort(
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	453 _(b'error loading CA file %s: %s')
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	454 % (settings[b'cafile'], stringutil.forcebytestr(msg)),
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	455 hint=_(b'file is empty or malformed?'),
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	456 )
29113 5b9577edf745 sslutil: use CA loaded state to drive validation logic Gregory Szorc <gregory.szorc@gmail.com> parents: 29112 diff changeset	457 caloaded = True
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	458 elif settings[b'allowloaddefaultcerts']:
28652 c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	459 # This is a no-op on old Python.
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	460 sslcontext.load_default_certs()
29288 7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29287 diff changeset	461 caloaded = True
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29287 diff changeset	462 else:
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29287 diff changeset	463 caloaded = False
23834 bf07c19b4c82 https: support tls sni (server name indication) for https urls (issue3090) Alex Orange <crazycasta@gmail.com> parents: 23069 diff changeset	464
29449 5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29447 diff changeset	465 try:
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29447 diff changeset	466 sslsocket = sslcontext.wrap_socket(sock, server_hostname=serverhostname)
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	467 except ssl.SSLError as e:
29449 5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29447 diff changeset	468 # If we're doing certificate verification and no CA certs are loaded,
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29447 diff changeset	469 # that is almost certainly the reason why verification failed. Provide
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29447 diff changeset	470 # a hint to the user.
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29447 diff changeset	471 # Only modern ssl module exposes SSLContext.get_ca_certs() so we can
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29447 diff changeset	472 # only show this warning if modern ssl is available.
31725 c777b12cdc9b sslutil: clarify internal documentation Matt Harbison <matt_harbison@yahoo.com> parents: 31290 diff changeset	473 # The exception handler is here to handle bugs around cert attributes:
c777b12cdc9b sslutil: clarify internal documentation Matt Harbison <matt_harbison@yahoo.com> parents: 31290 diff changeset	474 # https://bugs.python.org/issue20916#msg213479. (See issues5313.)
c777b12cdc9b sslutil: clarify internal documentation Matt Harbison <matt_harbison@yahoo.com> parents: 31290 diff changeset	475 # When the main 20916 bug occurs, 'sslcontext.get_ca_certs()' is a
c777b12cdc9b sslutil: clarify internal documentation Matt Harbison <matt_harbison@yahoo.com> parents: 31290 diff changeset	476 # non-empty list, but the following conditional is otherwise True.
29631 387bdd53c77e sslutil: work around SSLContext.get_ca_certs bug on Windows (issue5313) Gregory Szorc <gregory.szorc@gmail.com> parents: 29619 diff changeset	477 try:
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	478 if (
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	479 caloaded
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	480 and settings[b'verifymode'] == ssl.CERT_REQUIRED
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	481 and modernssl
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	482 and not sslcontext.get_ca_certs()
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	483 ):
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	484 ui.warn(
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	485 _(
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	486 b'(an attempt was made to load CA certificates but '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	487 b'none were loaded; see '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	488 b'https://mercurial-scm.org/wiki/SecureConnections '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	489 b'for how to configure Mercurial to avoid this '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	490 b'error)\n'
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	491 )
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	492 )
29631 387bdd53c77e sslutil: work around SSLContext.get_ca_certs bug on Windows (issue5313) Gregory Szorc <gregory.szorc@gmail.com> parents: 29619 diff changeset	493 except ssl.SSLError:
387bdd53c77e sslutil: work around SSLContext.get_ca_certs bug on Windows (issue5313) Gregory Szorc <gregory.szorc@gmail.com> parents: 29619 diff changeset	494 pass
41410 0d226b2139df sslutil: use raw strings for exception reason compare Gregory Szorc <gregory.szorc@gmail.com> parents: 38475 diff changeset	495
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	496 # Try to print more helpful error messages for known failures.
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	497 if util.safehasattr(e, b'reason'):
29619 53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	498 # This error occurs when the client and server don't share a
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	499 # common/supported SSL/TLS protocol. We've disabled SSLv2 and SSLv3
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	500 # outright. Hopefully the reason for this error is that we require
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	501 # TLS 1.1+ and the server only supports TLS 1.0. Whatever the
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	502 # reason, try to emit an actionable warning.
43506 9f70512ae2cf cleanup: remove pointless r-prefixes on single-quoted strings Augie Fackler <augie@google.com> parents: 43117 diff changeset	503 if e.reason == 'UNSUPPORTED_PROTOCOL':
29619 53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	504 # We attempted TLS 1.0+.
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	505 if settings[b'protocolui'] == b'tls1.0':
29619 53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	506 # We support more than just TLS 1.0+. If this happens,
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	507 # the likely scenario is either the client or the server
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	508 # is really old. (e.g. server doesn't support TLS 1.0+ or
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	509 # client doesn't support modern TLS versions introduced
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	510 # several years from when this comment was written).
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	511 if supportedprotocols != {b'tls1.0'}:
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	512 ui.warn(
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	513 _(
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	514 b'(could not communicate with %s using security '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	515 b'protocols %s; if you are using a modern Mercurial '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	516 b'version, consider contacting the operator of this '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	517 b'server; see '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	518 b'https://mercurial-scm.org/wiki/SecureConnections '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	519 b'for more info)\n'
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	520 )
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	521 % (
41411 f07aff7e8b5a sslutil: ensure serverhostname is bytes when formatting Gregory Szorc <gregory.szorc@gmail.com> parents: 41410 diff changeset	522 pycompat.bytesurl(serverhostname),
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	523 b', '.join(sorted(supportedprotocols)),
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	524 )
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	525 )
29619 53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	526 else:
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	527 ui.warn(
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	528 _(
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	529 b'(could not communicate with %s using TLS 1.0; the '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	530 b'likely cause of this is the server no longer '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	531 b'supports TLS 1.0 because it has known security '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	532 b'vulnerabilities; see '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	533 b'https://mercurial-scm.org/wiki/SecureConnections '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	534 b'for more info)\n'
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	535 )
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	536 % pycompat.bytesurl(serverhostname)
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	537 )
29619 53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	538 else:
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	539 # We attempted TLS 1.1+. We can only get here if the client
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	540 # supports the configured protocol. So the likely reason is
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	541 # the client wants better security than the server can
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29618 diff changeset	542 # offer.
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	543 ui.warn(
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	544 _(
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	545 b'(could not negotiate a common security protocol (%s+) '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	546 b'with %s; the likely cause is Mercurial is configured '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	547 b'to be more secure than the server can support)\n'
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	548 )
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	549 % (
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	550 settings[b'protocolui'],
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	551 pycompat.bytesurl(serverhostname),
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	552 )
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	553 )
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	554 ui.warn(
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	555 _(
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	556 b'(consider contacting the operator of this '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	557 b'server and ask them to support modern TLS '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	558 b'protocol versions; or, set '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	559 b'hostsecurity.%s:minimumprotocol=tls1.0 to allow '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	560 b'use of legacy, less secure protocols when '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	561 b'communicating with this server)\n'
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	562 )
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	563 % pycompat.bytesurl(serverhostname)
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	564 )
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	565 ui.warn(
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	566 _(
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	567 b'(see https://mercurial-scm.org/wiki/SecureConnections '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	568 b'for more info)\n'
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	569 )
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	570 )
33494 30f2715be123 sslutil: inform the user about how to fix an incomplete certificate chain Matt Harbison <matt_harbison@yahoo.com> parents: 33381 diff changeset	571
43506 9f70512ae2cf cleanup: remove pointless r-prefixes on single-quoted strings Augie Fackler <augie@google.com> parents: 43117 diff changeset	572 elif e.reason == 'CERTIFICATE_VERIFY_FAILED' and pycompat.iswindows:
33494 30f2715be123 sslutil: inform the user about how to fix an incomplete certificate chain Matt Harbison <matt_harbison@yahoo.com> parents: 33381 diff changeset	573
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	574 ui.warn(
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	575 _(
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	576 b'(the full certificate chain may not be available '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	577 b'locally; see "hg help debugssl")\n'
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	578 )
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	579 )
29449 5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29447 diff changeset	580 raise
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29447 diff changeset	581
28652 c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	582 # check if wrap_socket failed silently because socket had been
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	583 # closed
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	584 # - see http://bugs.python.org/issue13721
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	585 if not sslsocket.cipher():
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	586 raise error.Abort(_(b'ssl connection failed'))
29113 5b9577edf745 sslutil: use CA loaded state to drive validation logic Gregory Szorc <gregory.szorc@gmail.com> parents: 29112 diff changeset	587
29225 b115eed11780 sslutil: use a dict for hanging hg state off the wrapped socket Gregory Szorc <gregory.szorc@gmail.com> parents: 29224 diff changeset	588 sslsocket._hgstate = {
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	589 b'caloaded': caloaded,
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	590 b'hostname': serverhostname,
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	591 b'settings': settings,
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	592 b'ui': ui,
29225 b115eed11780 sslutil: use a dict for hanging hg state off the wrapped socket Gregory Szorc <gregory.szorc@gmail.com> parents: 29224 diff changeset	593 }
29113 5b9577edf745 sslutil: use CA loaded state to drive validation logic Gregory Szorc <gregory.szorc@gmail.com> parents: 29112 diff changeset	594
28652 c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	595 return sslsocket
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	596
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	597
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	598 def wrapserversocket(
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	599 sock, ui, certfile=None, keyfile=None, cafile=None, requireclientcert=False
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	600 ):
29554 4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	601 """Wrap a socket for use by servers.
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	602
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	603 ``certfile`` and ``keyfile`` specify the files containing the certificate's
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	604 public and private keys, respectively. Both keys can be defined in the same
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	605 file via ``certfile`` (the private key must come first in the file).
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	606
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	607 ``cafile`` defines the path to certificate authorities.
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	608
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	609 ``requireclientcert`` specifies whether to require client certificates.
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	610
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	611 Typically ``cafile`` is only defined if ``requireclientcert`` is true.
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	612 """
33381 3bdbbadddecc sslutil: check for missing certificate and key files (issue5598) Gregory Szorc <gregory.szorc@gmail.com> parents: 32291 diff changeset	613 # This function is not used much by core Mercurial, so the error messaging
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598) Gregory Szorc <gregory.szorc@gmail.com> parents: 32291 diff changeset	614 # doesn't have to be as detailed as for wrapsocket().
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598) Gregory Szorc <gregory.szorc@gmail.com> parents: 32291 diff changeset	615 for f in (certfile, keyfile, cafile):
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598) Gregory Szorc <gregory.szorc@gmail.com> parents: 32291 diff changeset	616 if f and not os.path.exists(f):
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	617 raise error.Abort(
43117 8ff1ecfadcd1 cleanup: join string literals that are already on one line Martin von Zweigbergk <martinvonz@google.com> parents: 43089 diff changeset	618 _(b'referenced certificate file (%s) does not exist') % f
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	619 )
33381 3bdbbadddecc sslutil: check for missing certificate and key files (issue5598) Gregory Szorc <gregory.szorc@gmail.com> parents: 32291 diff changeset	620
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	621 protocol, options, _protocolui = protocolsettings(b'tls1.0')
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	622
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	623 # This config option is intended for use in tests only. It is a giant
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	624 # footgun to kill security. Don't define it.
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	625 exactprotocol = ui.config(b'devel', b'serverexactprotocol')
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	626 if exactprotocol == b'tls1.0':
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	627 protocol = ssl.PROTOCOL_TLSv1
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	628 elif exactprotocol == b'tls1.1':
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	629 if b'tls1.1' not in supportedprotocols:
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	630 raise error.Abort(_(b'TLS 1.1 not supported by this Python'))
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	631 protocol = ssl.PROTOCOL_TLSv1_1
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	632 elif exactprotocol == b'tls1.2':
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	633 if b'tls1.2' not in supportedprotocols:
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	634 raise error.Abort(_(b'TLS 1.2 not supported by this Python'))
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	635 protocol = ssl.PROTOCOL_TLSv1_2
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	636 elif exactprotocol:
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	637 raise error.Abort(
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	638 _(b'invalid value for serverexactprotocol: %s') % exactprotocol
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	639 )
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	640
29554 4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	641 if modernssl:
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	642 # We /could/ use create_default_context() here since it doesn't load
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	643 # CAs when configured for client auth. However, it is hard-coded to
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	644 # use ssl.PROTOCOL_SSLv23 which may not be appropriate here.
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	645 sslcontext = SSLContext(protocol)
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	646 sslcontext.options \|= options
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29558 diff changeset	647
29554 4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	648 # Improve forward secrecy.
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	649 sslcontext.options \|= getattr(ssl, 'OP_SINGLE_DH_USE', 0)
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	650 sslcontext.options \|= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0)
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	651
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	652 # Use the list of more secure ciphers if found in the ssl module.
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	653 if util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):
29554 4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	654 sslcontext.options \|= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0)
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	655 sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	656 else:
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	657 sslcontext = SSLContext(ssl.PROTOCOL_TLSv1)
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	658
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	659 if requireclientcert:
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	660 sslcontext.verify_mode = ssl.CERT_REQUIRED
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	661 else:
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	662 sslcontext.verify_mode = ssl.CERT_NONE
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	663
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	664 if certfile or keyfile:
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	665 sslcontext.load_cert_chain(certfile=certfile, keyfile=keyfile)
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	666
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	667 if cafile:
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	668 sslcontext.load_verify_locations(cafile=cafile)
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	669
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	670 return sslcontext.wrap_socket(sock, server_side=True)
4a7b0c696fbc sslutil: implement wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29537 diff changeset	671
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	672
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	673 class wildcarderror(Exception):
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	674 """Represents an error parsing wildcards in DNS name."""
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	675
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	676
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	677 def _dnsnamematch(dn, hostname, maxwildcards=1):
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	678 """Match DNS names according RFC 6125 section 6.4.3.
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	679
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	680 This code is effectively copied from CPython's ssl._dnsname_match.
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	681
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	682 Returns a bool indicating whether the expected hostname matches
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	683 the value in ``dn``.
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	684 """
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	685 pats = []
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	686 if not dn:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	687 return False
36745 424994a0adfd sslutil: lots of unicode/bytes cleanup Augie Fackler <augie@google.com> parents: 35582 diff changeset	688 dn = pycompat.bytesurl(dn)
424994a0adfd sslutil: lots of unicode/bytes cleanup Augie Fackler <augie@google.com> parents: 35582 diff changeset	689 hostname = pycompat.bytesurl(hostname)
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	690
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	691 pieces = dn.split(b'.')
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	692 leftmost = pieces[0]
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	693 remainder = pieces[1:]
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	694 wildcards = leftmost.count(b'*')
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	695 if wildcards > maxwildcards:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	696 raise wildcarderror(
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	697 _(b'too many wildcards in certificate DNS name: %s') % dn
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	698 )
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	699
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	700 # speed up common case w/o wildcards
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	701 if not wildcards:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	702 return dn.lower() == hostname.lower()
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	703
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	704 # RFC 6125, section 6.4.3, subitem 1.
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	705 # The client SHOULD NOT attempt to match a presented identifier in which
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	706 # the wildcard character comprises a label other than the left-most label.
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	707 if leftmost == b'*':
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	708 # When '*' is a fragment by itself, it matches a non-empty dotless
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	709 # fragment.
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	710 pats.append(b'[^.]+')
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	711 elif leftmost.startswith(b'xn--') or hostname.startswith(b'xn--'):
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	712 # RFC 6125, section 6.4.3, subitem 3.
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	713 # The client SHOULD NOT attempt to match a presented identifier
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	714 # where the wildcard character is embedded within an A-label or
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	715 # U-label of an internationalized domain name.
38475 67dc32d4e790 cleanup: migrate from re.escape to stringutil.reescape Augie Fackler <augie@google.com> parents: 37872 diff changeset	716 pats.append(stringutil.reescape(leftmost))
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	717 else:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	718 # Otherwise, '' matches any dotless string, e.g. www
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	719 pats.append(stringutil.reescape(leftmost).replace(br'\', b'[^.]'))
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	720
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	721 # add the remaining fragments, ignore any wildcards
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	722 for frag in remainder:
38475 67dc32d4e790 cleanup: migrate from re.escape to stringutil.reescape Augie Fackler <augie@google.com> parents: 37872 diff changeset	723 pats.append(stringutil.reescape(frag))
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	724
37666 46e705b79323 py3: add b'' prefixes to make values bytes Pulkit Goyal <7895pulkit@gmail.com> parents: 37120 diff changeset	725 pat = re.compile(br'\A' + br'\.'.join(pats) + br'\Z', re.IGNORECASE)
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	726 return pat.match(hostname) is not None
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	727
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	728
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	729 def _verifycert(cert, hostname):
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	730 '''Verify that cert (in socket.getpeercert() format) matches hostname.
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	731 CRLs is not handled.
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	732
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	733 Returns error message if any problems are found and None on success.
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	734 '''
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	735 if not cert:
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	736 return _(b'no certificate received')
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	737
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	738 dnsnames = []
43506 9f70512ae2cf cleanup: remove pointless r-prefixes on single-quoted strings Augie Fackler <augie@google.com> parents: 43117 diff changeset	739 san = cert.get('subjectAltName', [])
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	740 for key, value in san:
43506 9f70512ae2cf cleanup: remove pointless r-prefixes on single-quoted strings Augie Fackler <augie@google.com> parents: 43117 diff changeset	741 if key == 'DNS':
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	742 try:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	743 if _dnsnamematch(value, hostname):
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	744 return
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	745 except wildcarderror as e:
37084 f0b6fbea00cf stringutil: bulk-replace call sites to point to new module Yuya Nishihara <yuya@tcha.org> parents: 36747 diff changeset	746 return stringutil.forcebytestr(e.args[0])
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	747
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	748 dnsnames.append(value)
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	749
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	750 if not dnsnames:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	751 # The subject is only checked when there is no DNS in subjectAltName.
43506 9f70512ae2cf cleanup: remove pointless r-prefixes on single-quoted strings Augie Fackler <augie@google.com> parents: 43117 diff changeset	752 for sub in cert.get('subject', []):
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	753 for key, value in sub:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	754 # According to RFC 2818 the most specific Common Name must
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	755 # be used.
43506 9f70512ae2cf cleanup: remove pointless r-prefixes on single-quoted strings Augie Fackler <augie@google.com> parents: 43117 diff changeset	756 if key == 'commonName':
30332 318a24b52eeb spelling: fixes of non-dictionary words Mads Kiilerich <madski@unity3d.com> parents: 30228 diff changeset	757 # 'subject' entries are unicode.
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	758 try:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	759 value = value.encode('ascii')
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	760 except UnicodeEncodeError:
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	761 return _(b'IDN in certificate not supported')
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	762
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	763 try:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	764 if _dnsnamematch(value, hostname):
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	765 return
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	766 except wildcarderror as e:
37084 f0b6fbea00cf stringutil: bulk-replace call sites to point to new module Yuya Nishihara <yuya@tcha.org> parents: 36747 diff changeset	767 return stringutil.forcebytestr(e.args[0])
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	768
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	769 dnsnames.append(value)
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	770
37872 51a2f8d199c7 sslutil: fix some edge cases in Python 3 support Augie Fackler <augie@google.com> parents: 37666 diff changeset	771 dnsnames = [pycompat.bytesurl(d) for d in dnsnames]
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	772 if len(dnsnames) > 1:
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	773 return _(b'certificate is for %s') % b', '.join(dnsnames)
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	774 elif len(dnsnames) == 1:
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	775 return _(b'certificate is for %s') % dnsnames[0]
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	776 else:
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	777 return _(b'no commonName or subjectAltName found in certificate')
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	778
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	779
23042 2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	780 def _plainapplepython():
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	781 """return true if this seems to be a pure Apple Python that
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	782 * is unfrozen and presumably has the whole mercurial module in the file
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	783 system
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	784 * presumably is an Apple Python that uses Apple OpenSSL which has patches
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	785 for using system certificate store CAs in addition to the provided
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	786 cacerts file
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	787 """
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	788 if (
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	789 not pycompat.isdarwin
43671 664e24207728 procutil: move mainfrozen() to new resourceutil.py Martin von Zweigbergk <martinvonz@google.com> parents: 43506 diff changeset	790 or resourceutil.mainfrozen()
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	791 or not pycompat.sysexecutable
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	792 ):
23042 2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	793 return False
30669 10b17ed9b591 py3: replace sys.executable with pycompat.sysexecutable Pulkit Goyal <7895pulkit@gmail.com> parents: 30641 diff changeset	794 exe = os.path.realpath(pycompat.sysexecutable).lower()
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	795 return exe.startswith(b'/usr/bin/python') or exe.startswith(
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	796 b'/system/library/frameworks/python.framework/'
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	797 )
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	798
23042 2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	799
29500 4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	800 _systemcacertpaths = [
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	801 # RHEL, CentOS, and Fedora
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	802 b'/etc/pki/tls/certs/ca-bundle.trust.crt',
29500 4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	803 # Debian, Ubuntu, Gentoo
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	804 b'/etc/ssl/certs/ca-certificates.crt',
29500 4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	805 ]
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	806
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	807
29483 918dce4b8c26 sslutil: pass ui to _defaultcacerts Gregory Szorc <gregory.szorc@gmail.com> parents: 29482 diff changeset	808 def _defaultcacerts(ui):
29488 1c26b9ce66f8 sslutil: expand _defaultcacerts docstring to note calling assumptions Gregory Szorc <gregory.szorc@gmail.com> parents: 29487 diff changeset	809 """return path to default CA certificates or None.
1c26b9ce66f8 sslutil: expand _defaultcacerts docstring to note calling assumptions Gregory Szorc <gregory.szorc@gmail.com> parents: 29487 diff changeset	810
1c26b9ce66f8 sslutil: expand _defaultcacerts docstring to note calling assumptions Gregory Szorc <gregory.szorc@gmail.com> parents: 29487 diff changeset	811 It is assumed this function is called when the returned certificates
1c26b9ce66f8 sslutil: expand _defaultcacerts docstring to note calling assumptions Gregory Szorc <gregory.szorc@gmail.com> parents: 29487 diff changeset	812 file will actually be used to validate connections. Therefore this
1c26b9ce66f8 sslutil: expand _defaultcacerts docstring to note calling assumptions Gregory Szorc <gregory.szorc@gmail.com> parents: 29487 diff changeset	813 function may print warnings or debug messages assuming this usage.
29500 4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	814
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	815 We don't print a message when the Python is able to load default
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	816 CA certs because this scenario is detected at socket connect time.
29488 1c26b9ce66f8 sslutil: expand _defaultcacerts docstring to note calling assumptions Gregory Szorc <gregory.szorc@gmail.com> parents: 29487 diff changeset	817 """
30228 b9f7b0c10027 sslutil: guard against broken certifi installations (issue5406) Gábor Stefanik <gabor.stefanik@nng.com> parents: 29927 diff changeset	818 # The "certifi" Python package provides certificates. If it is installed
b9f7b0c10027 sslutil: guard against broken certifi installations (issue5406) Gábor Stefanik <gabor.stefanik@nng.com> parents: 29927 diff changeset	819 # and usable, assume the user intends it to be used and use it.
29486 a62c00f6dd04 sslutil: use certificates provided by certifi if available Gregory Szorc <gregory.szorc@gmail.com> parents: 29484 diff changeset	820 try:
a62c00f6dd04 sslutil: use certificates provided by certifi if available Gregory Szorc <gregory.szorc@gmail.com> parents: 29484 diff changeset	821 import certifi
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	822
29486 a62c00f6dd04 sslutil: use certificates provided by certifi if available Gregory Szorc <gregory.szorc@gmail.com> parents: 29484 diff changeset	823 certs = certifi.where()
30228 b9f7b0c10027 sslutil: guard against broken certifi installations (issue5406) Gábor Stefanik <gabor.stefanik@nng.com> parents: 29927 diff changeset	824 if os.path.exists(certs):
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	825 ui.debug(b'using ca certificates from certifi\n')
42263 ce5f1232631f sslutil: fsencode path returned by certifi (issue6132) Augie Fackler <augie@google.com> parents: 41411 diff changeset	826 return pycompat.fsencode(certs)
30228 b9f7b0c10027 sslutil: guard against broken certifi installations (issue5406) Gábor Stefanik <gabor.stefanik@nng.com> parents: 29927 diff changeset	827 except (ImportError, AttributeError):
29486 a62c00f6dd04 sslutil: use certificates provided by certifi if available Gregory Szorc <gregory.szorc@gmail.com> parents: 29484 diff changeset	828 pass
a62c00f6dd04 sslutil: use certificates provided by certifi if available Gregory Szorc <gregory.szorc@gmail.com> parents: 29484 diff changeset	829
29489 54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29488 diff changeset	830 # On Windows, only the modern ssl module is capable of loading the system
54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29488 diff changeset	831 # CA certificates. If we're not capable of doing that, emit a warning
54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29488 diff changeset	832 # because we'll get a certificate verification error later and the lack
54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29488 diff changeset	833 # of loaded CA certificates will be the reason why.
54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29488 diff changeset	834 # Assertion: this code is only called if certificates are being verified.
34645 75979c8d4572 codemod: use pycompat.iswindows Jun Wu <quark@fb.com> parents: 33494 diff changeset	835 if pycompat.iswindows:
29489 54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29488 diff changeset	836 if not _canloaddefaultcerts:
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	837 ui.warn(
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	838 _(
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	839 b'(unable to load Windows CA certificates; see '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	840 b'https://mercurial-scm.org/wiki/SecureConnections for '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	841 b'how to configure Mercurial to avoid this message)\n'
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	842 )
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	843 )
29489 54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29488 diff changeset	844
54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29488 diff changeset	845 return None
54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29488 diff changeset	846
29487 cdcb5747dc88 sslutil: document the Apple OpenSSL cert trick Gregory Szorc <gregory.szorc@gmail.com> parents: 29486 diff changeset	847 # Apple's OpenSSL has patches that allow a specially constructed certificate
cdcb5747dc88 sslutil: document the Apple OpenSSL cert trick Gregory Szorc <gregory.szorc@gmail.com> parents: 29486 diff changeset	848 # to load the system CA store. If we're running on Apple Python, use this
cdcb5747dc88 sslutil: document the Apple OpenSSL cert trick Gregory Szorc <gregory.szorc@gmail.com> parents: 29486 diff changeset	849 # trick.
24288 922e087ba158 ssl: extract function that returns dummycert path on Apple python Yuya Nishihara <yuya@tcha.org> parents: 23851 diff changeset	850 if _plainapplepython():
31074 2912b06905dc py3: use pycompat.fsencode() to convert __file__ to bytes Pulkit Goyal <7895pulkit@gmail.com> parents: 30669 diff changeset	851 dummycert = os.path.join(
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	852 os.path.dirname(pycompat.fsencode(__file__)), b'dummycert.pem'
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	853 )
24288 922e087ba158 ssl: extract function that returns dummycert path on Apple python Yuya Nishihara <yuya@tcha.org> parents: 23851 diff changeset	854 if os.path.exists(dummycert):
922e087ba158 ssl: extract function that returns dummycert path on Apple python Yuya Nishihara <yuya@tcha.org> parents: 23851 diff changeset	855 return dummycert
29107 c8fbfb9163ce sslutil: move code examining _canloaddefaultcerts out of _defaultcacerts Gregory Szorc <gregory.szorc@gmail.com> parents: 29106 diff changeset	856
29499 9c5325c79683 sslutil: issue warning when unable to load certificates on OS X Gregory Szorc <gregory.szorc@gmail.com> parents: 29489 diff changeset	857 # The Apple OpenSSL trick isn't available to us. If Python isn't able to
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X Gregory Szorc <gregory.szorc@gmail.com> parents: 29489 diff changeset	858 # load system certs, we're out of luck.
34647 dacfcdd8b94e codemod: use pycompat.isdarwin Jun Wu <quark@fb.com> parents: 34645 diff changeset	859 if pycompat.isdarwin:
29499 9c5325c79683 sslutil: issue warning when unable to load certificates on OS X Gregory Szorc <gregory.szorc@gmail.com> parents: 29489 diff changeset	860 # FUTURE Consider looking for Homebrew or MacPorts installed certs
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X Gregory Szorc <gregory.szorc@gmail.com> parents: 29489 diff changeset	861 # files. Also consider exporting the keychain certs to a file during
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X Gregory Szorc <gregory.szorc@gmail.com> parents: 29489 diff changeset	862 # Mercurial install.
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X Gregory Szorc <gregory.szorc@gmail.com> parents: 29489 diff changeset	863 if not _canloaddefaultcerts:
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	864 ui.warn(
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	865 _(
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	866 b'(unable to load CA certificates; see '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	867 b'https://mercurial-scm.org/wiki/SecureConnections for '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	868 b'how to configure Mercurial to avoid this message)\n'
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	869 )
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	870 )
24291 760a86865f80 ssl: load CA certificates from system's store by default on Python 2.7.9 Yuya Nishihara <yuya@tcha.org> parents: 24290 diff changeset	871 return None
24288 922e087ba158 ssl: extract function that returns dummycert path on Apple python Yuya Nishihara <yuya@tcha.org> parents: 23851 diff changeset	872
29537 5f8b36d5a6ec sslutil: add assertion to prevent accidental CA usage on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29508 diff changeset	873 # / is writable on Windows. Out of an abundance of caution make sure
5f8b36d5a6ec sslutil: add assertion to prevent accidental CA usage on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29508 diff changeset	874 # we're not on Windows because paths from _systemcacerts could be installed
5f8b36d5a6ec sslutil: add assertion to prevent accidental CA usage on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29508 diff changeset	875 # by non-admin users.
34645 75979c8d4572 codemod: use pycompat.iswindows Jun Wu <quark@fb.com> parents: 33494 diff changeset	876 assert not pycompat.iswindows
29537 5f8b36d5a6ec sslutil: add assertion to prevent accidental CA usage on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29508 diff changeset	877
29500 4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	878 # Try to find CA certificates in well-known locations. We print a warning
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	879 # when using a found file because we don't want too much silent magic
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	880 # for security settings. The expectation is that proper Mercurial
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	881 # installs will have the CA certs path defined at install time and the
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	882 # installer/packager will make an appropriate decision on the user's
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	883 # behalf. We only get here and perform this setting as a feature of
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	884 # last resort.
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	885 if not _canloaddefaultcerts:
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	886 for path in _systemcacertpaths:
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	887 if os.path.isfile(path):
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	888 ui.warn(
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	889 _(
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	890 b'(using CA certificates from %s; if you see this '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	891 b'message, your Mercurial install is not properly '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	892 b'configured; see '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	893 b'https://mercurial-scm.org/wiki/SecureConnections '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	894 b'for how to configure Mercurial to avoid this '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	895 b'message)\n'
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	896 )
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	897 % path
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	898 )
29500 4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	899 return path
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	900
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	901 ui.warn(
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	902 _(
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	903 b'(unable to load CA certificates; see '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	904 b'https://mercurial-scm.org/wiki/SecureConnections for '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	905 b'how to configure Mercurial to avoid this message)\n'
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	906 )
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	907 )
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	908
29107 c8fbfb9163ce sslutil: move code examining _canloaddefaultcerts out of _defaultcacerts Gregory Szorc <gregory.szorc@gmail.com> parents: 29106 diff changeset	909 return None
24288 922e087ba158 ssl: extract function that returns dummycert path on Apple python Yuya Nishihara <yuya@tcha.org> parents: 23851 diff changeset	910
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	911
29286 a05a91a3f120 sslutil: remove "strict" argument from validatesocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29268 diff changeset	912 def validatesocket(sock):
30332 318a24b52eeb spelling: fixes of non-dictionary words Mads Kiilerich <madski@unity3d.com> parents: 30228 diff changeset	913 """Validate a socket meets security requirements.
18879 93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	914
29227 dffe78d80a6c sslutil: convert socket validation from a class to a function (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29226 diff changeset	915 The passed socket must have been created with ``wrapsocket()``.
dffe78d80a6c sslutil: convert socket validation from a class to a function (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29226 diff changeset	916 """
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	917 shost = sock._hgstate[b'hostname']
36745 424994a0adfd sslutil: lots of unicode/bytes cleanup Augie Fackler <augie@google.com> parents: 35582 diff changeset	918 host = pycompat.bytesurl(shost)
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	919 ui = sock._hgstate[b'ui']
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	920 settings = sock._hgstate[b'settings']
18879 93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	921
29227 dffe78d80a6c sslutil: convert socket validation from a class to a function (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29226 diff changeset	922 try:
dffe78d80a6c sslutil: convert socket validation from a class to a function (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29226 diff changeset	923 peercert = sock.getpeercert(True)
dffe78d80a6c sslutil: convert socket validation from a class to a function (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29226 diff changeset	924 peercert2 = sock.getpeercert()
dffe78d80a6c sslutil: convert socket validation from a class to a function (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29226 diff changeset	925 except AttributeError:
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	926 raise error.Abort(_(b'%s ssl connection error') % host)
24288 922e087ba158 ssl: extract function that returns dummycert path on Apple python Yuya Nishihara <yuya@tcha.org> parents: 23851 diff changeset	927
29227 dffe78d80a6c sslutil: convert socket validation from a class to a function (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29226 diff changeset	928 if not peercert:
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	929 raise error.Abort(
43117 8ff1ecfadcd1 cleanup: join string literals that are already on one line Martin von Zweigbergk <martinvonz@google.com> parents: 43089 diff changeset	930 _(b'%s certificate error: no certificate received') % host
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	931 )
18879 93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	932
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	933 if settings[b'disablecertverification']:
29289 3536673a25ae sslutil: move and change warning when cert verification is disabled Gregory Szorc <gregory.szorc@gmail.com> parents: 29288 diff changeset	934 # We don't print the certificate fingerprint because it shouldn't
3536673a25ae sslutil: move and change warning when cert verification is disabled Gregory Szorc <gregory.szorc@gmail.com> parents: 29288 diff changeset	935 # be necessary: if the user requested certificate verification be
3536673a25ae sslutil: move and change warning when cert verification is disabled Gregory Szorc <gregory.szorc@gmail.com> parents: 29288 diff changeset	936 # disabled, they presumably already saw a message about the inability
3536673a25ae sslutil: move and change warning when cert verification is disabled Gregory Szorc <gregory.szorc@gmail.com> parents: 29288 diff changeset	937 # to verify the certificate and this message would have printed the
3536673a25ae sslutil: move and change warning when cert verification is disabled Gregory Szorc <gregory.szorc@gmail.com> parents: 29288 diff changeset	938 # fingerprint. So printing the fingerprint here adds little to no
3536673a25ae sslutil: move and change warning when cert verification is disabled Gregory Szorc <gregory.szorc@gmail.com> parents: 29288 diff changeset	939 # value.
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	940 ui.warn(
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	941 _(
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	942 b'warning: connection security to %s is disabled per current '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	943 b'settings; communication is susceptible to eavesdropping '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	944 b'and tampering\n'
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	945 )
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	946 % host
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	947 )
29289 3536673a25ae sslutil: move and change warning when cert verification is disabled Gregory Szorc <gregory.szorc@gmail.com> parents: 29288 diff changeset	948 return
18879 93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	949
29227 dffe78d80a6c sslutil: convert socket validation from a class to a function (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29226 diff changeset	950 # If a certificate fingerprint is pinned, use it and only it to
dffe78d80a6c sslutil: convert socket validation from a class to a function (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29226 diff changeset	951 # validate the remote cert.
29262 dfc4f08aa160 sslutil: calculate host fingerprints from additional algorithms Gregory Szorc <gregory.szorc@gmail.com> parents: 29260 diff changeset	952 peerfingerprints = {
44061 cbc5755df6bf sslutil: migrate to hashutil.sha1 instead of hashlib.sha1 Augie Fackler <augie@google.com> parents: 43671 diff changeset	953 b'sha1': node.hex(hashutil.sha1(peercert).digest()),
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	954 b'sha256': node.hex(hashlib.sha256(peercert).digest()),
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	955 b'sha512': node.hex(hashlib.sha512(peercert).digest()),
29262 dfc4f08aa160 sslutil: calculate host fingerprints from additional algorithms Gregory Szorc <gregory.szorc@gmail.com> parents: 29260 diff changeset	956 }
18879 93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	957
29290 01248c37a68e sslutil: print SHA-256 fingerprint by default Gregory Szorc <gregory.szorc@gmail.com> parents: 29289 diff changeset	958 def fmtfingerprint(s):
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	959 return b':'.join([s[x : x + 2] for x in range(0, len(s), 2)])
29290 01248c37a68e sslutil: print SHA-256 fingerprint by default Gregory Szorc <gregory.szorc@gmail.com> parents: 29289 diff changeset	960
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	961 nicefingerprint = b'sha256:%s' % fmtfingerprint(peerfingerprints[b'sha256'])
28850 3819c349b194 sslutil: document and slightly refactor validation logic Gregory Szorc <gregory.szorc@gmail.com> parents: 28849 diff changeset	962
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	963 if settings[b'certfingerprints']:
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	964 for hash, fingerprint in settings[b'certfingerprints']:
29262 dfc4f08aa160 sslutil: calculate host fingerprints from additional algorithms Gregory Szorc <gregory.szorc@gmail.com> parents: 29260 diff changeset	965 if peerfingerprints[hash].lower() == fingerprint:
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	966 ui.debug(
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	967 b'%s certificate matched fingerprint %s:%s\n'
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	968 % (host, hash, fmtfingerprint(fingerprint))
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	969 )
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	970 if settings[b'legacyfingerprint']:
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	971 ui.warn(
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	972 _(
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	973 b'(SHA-1 fingerprint for %s found in legacy '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	974 b'[hostfingerprints] section; '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	975 b'if you trust this fingerprint, remove the old '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	976 b'SHA-1 fingerprint from [hostfingerprints] and '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	977 b'add the following entry to the new '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	978 b'[hostsecurity] section: %s:fingerprints=%s)\n'
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	979 )
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	980 % (host, host, nicefingerprint)
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	981 )
29291 15e533b7909c sslutil: refactor code for fingerprint matching Gregory Szorc <gregory.szorc@gmail.com> parents: 29290 diff changeset	982 return
28850 3819c349b194 sslutil: document and slightly refactor validation logic Gregory Szorc <gregory.szorc@gmail.com> parents: 28849 diff changeset	983
29293 1b3a0b0c414f sslutil: print the fingerprint from the last hash used Gregory Szorc <gregory.szorc@gmail.com> parents: 29292 diff changeset	984 # Pinned fingerprint didn't match. This is a fatal error.
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	985 if settings[b'legacyfingerprint']:
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	986 section = b'hostfingerprint'
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	987 nice = fmtfingerprint(peerfingerprints[b'sha1'])
29293 1b3a0b0c414f sslutil: print the fingerprint from the last hash used Gregory Szorc <gregory.szorc@gmail.com> parents: 29292 diff changeset	988 else:
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	989 section = b'hostsecurity'
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	990 nice = b'%s:%s' % (hash, fmtfingerprint(peerfingerprints[hash]))
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	991 raise error.Abort(
43117 8ff1ecfadcd1 cleanup: join string literals that are already on one line Martin von Zweigbergk <martinvonz@google.com> parents: 43089 diff changeset	992 _(b'certificate for %s has unexpected fingerprint %s')
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	993 % (host, nice),
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	994 hint=_(b'check %s configuration') % section,
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	995 )
28850 3819c349b194 sslutil: document and slightly refactor validation logic Gregory Szorc <gregory.szorc@gmail.com> parents: 28849 diff changeset	996
29411 e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29410 diff changeset	997 # Security is enabled but no CAs are loaded. We can't establish trust
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29410 diff changeset	998 # for the cert so abort.
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	999 if not sock._hgstate[b'caloaded']:
29411 e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29410 diff changeset	1000 raise error.Abort(
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	1001 _(
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	1002 b'unable to verify security of %s (no loaded CA certificates); '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	1003 b'refusing to connect'
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	1004 )
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	1005 % host,
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	1006 hint=_(
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	1007 b'see https://mercurial-scm.org/wiki/SecureConnections for '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	1008 b'how to configure Mercurial to avoid this error or set '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	1009 b'hostsecurity.%s:fingerprints=%s to trust this server'
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	1010 )
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	1011 % (host, nicefingerprint),
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	1012 )
29113 5b9577edf745 sslutil: use CA loaded state to drive validation logic Gregory Szorc <gregory.szorc@gmail.com> parents: 29112 diff changeset	1013
36745 424994a0adfd sslutil: lots of unicode/bytes cleanup Augie Fackler <augie@google.com> parents: 35582 diff changeset	1014 msg = _verifycert(peercert2, shost)
29227 dffe78d80a6c sslutil: convert socket validation from a class to a function (API) Gregory Szorc <gregory.szorc@gmail.com> parents: 29226 diff changeset	1015 if msg:
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	1016 raise error.Abort(
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	1017 _(b'%s certificate error: %s') % (host, msg),
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	1018 hint=_(
43077 687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	1019 b'set hostsecurity.%s:certfingerprints=%s '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	1020 b'config setting or use --insecure to connect '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals Augie Fackler <augie@google.com> parents: 43076 diff changeset	1021 b'insecurely'
43076 2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	1022 )
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	1023 % (host, nicefingerprint),
2372284d9457 formatting: blacken the codebase Augie Fackler <augie@google.com> parents: 42269 diff changeset	1024 )

Mercurial > hg

annotate mercurial/sslutil.py @ 44873:47b3c8383cc1