Mercurial: mercurial/sslutil.py annotate

annotate mercurial/sslutil.py @ 28647:834d1c4ba749

sslutil: better document state of security/ssl module Pythons older than 2.7.9 are lacking the modern ssl module and have horrible security. Let's document this explicitly.

author	Gregory Szorc <gregory.szorc@gmail.com>
date	Sun, 27 Mar 2016 14:07:06 -0700
parents	7efff6ce9826
children	7fc787e5d8ec

rev	line source
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	1 # sslutil.py - SSL handling for mercurial
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	2 #
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	3 # Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com>
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	4 # Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	5 # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	6 #
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	7 # This software may be used and distributed according to the terms of the
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	8 # GNU General Public License version 2 or any later version.
25977 696f6e2be282 sslutil: use absolute_import Gregory Szorc <gregory.szorc@gmail.com> parents: 25432 diff changeset	9
696f6e2be282 sslutil: use absolute_import Gregory Szorc <gregory.szorc@gmail.com> parents: 25432 diff changeset	10 from __future__ import absolute_import
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	11
25977 696f6e2be282 sslutil: use absolute_import Gregory Szorc <gregory.szorc@gmail.com> parents: 25432 diff changeset	12 import os
696f6e2be282 sslutil: use absolute_import Gregory Szorc <gregory.szorc@gmail.com> parents: 25432 diff changeset	13 import ssl
696f6e2be282 sslutil: use absolute_import Gregory Szorc <gregory.szorc@gmail.com> parents: 25432 diff changeset	14 import sys
696f6e2be282 sslutil: use absolute_import Gregory Szorc <gregory.szorc@gmail.com> parents: 25432 diff changeset	15
696f6e2be282 sslutil: use absolute_import Gregory Szorc <gregory.szorc@gmail.com> parents: 25432 diff changeset	16 from .i18n import _
28577 7efff6ce9826 sslutil: use preferred formatting for import syntax Gregory Szorc <gregory.szorc@gmail.com> parents: 28525 diff changeset	17 from . import (
7efff6ce9826 sslutil: use preferred formatting for import syntax Gregory Szorc <gregory.szorc@gmail.com> parents: 28525 diff changeset	18 error,
7efff6ce9826 sslutil: use preferred formatting for import syntax Gregory Szorc <gregory.szorc@gmail.com> parents: 28525 diff changeset	19 util,
7efff6ce9826 sslutil: use preferred formatting for import syntax Gregory Szorc <gregory.szorc@gmail.com> parents: 28525 diff changeset	20 )
24291 760a86865f80 ssl: load CA certificates from system's store by default on Python 2.7.9 Yuya Nishihara <yuya@tcha.org> parents: 24290 diff changeset	21
28647 834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	22 # Python 2.7.9+ overhauled the built-in SSL/TLS features of Python. It added
834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	23 # support for TLS 1.1, TLS 1.2, SNI, system CA stores, etc. These features are
834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	24 # all exposed via the "ssl" module.
834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	25 #
834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	26 # Depending on the version of Python being used, SSL/TLS support is either
834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	27 # modern/secure or legacy/insecure. Many operations in this module have
834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	28 # separate code paths depending on support in Python.
834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	29
26622 9e15286609ae sslutil: expose attribute indicating whether SNI is supported Gregory Szorc <gregory.szorc@gmail.com> parents: 26587 diff changeset	30 hassni = getattr(ssl, 'HAS_SNI', False)
9e15286609ae sslutil: expose attribute indicating whether SNI is supported Gregory Szorc <gregory.szorc@gmail.com> parents: 26587 diff changeset	31
24291 760a86865f80 ssl: load CA certificates from system's store by default on Python 2.7.9 Yuya Nishihara <yuya@tcha.org> parents: 24290 diff changeset	32 _canloaddefaultcerts = False
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	33 try:
28647 834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	34 # ssl.SSLContext was added in 2.7.9 and presence indicates modern
834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	35 # SSL/TLS features are available.
25431 96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	36 ssl_context = ssl.SSLContext
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	37 _canloaddefaultcerts = util.safehasattr(ssl_context, 'load_default_certs')
23834 bf07c19b4c82 https: support tls sni (server name indication) for https urls (issue3090) Alex Orange <crazycasta@gmail.com> parents: 23069 diff changeset	38
25431 96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	39 def wrapsocket(sock, keyfile, certfile, ui, cert_reqs=ssl.CERT_NONE,
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	40 ca_certs=None, serverhostname=None):
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	41 # Allow any version of SSL starting with TLSv1 and
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	42 # up. Note that specifying TLSv1 here prohibits use of
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	43 # newer standards (like TLSv1_2), so this is the right way
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	44 # to do this. Note that in the future it'd be better to
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	45 # support using ssl.create_default_context(), which sets
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	46 # up a bunch of things in smart ways (strong ciphers,
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	47 # protocol versions, etc) and is upgraded by Python
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	48 # maintainers for us, but that breaks too many things to
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	49 # do it in a hurry.
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	50 sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
27688 6c7d26cef0cd sslutil: fix reversed logic (issue5034) Gábor Stefanik <gabor.stefanik@nng.com> parents: 26622 diff changeset	51 sslcontext.options \|= ssl.OP_NO_SSLv2 \| ssl.OP_NO_SSLv3
25431 96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	52 if certfile is not None:
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	53 def password():
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	54 f = keyfile or certfile
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	55 return ui.getpass(_('passphrase for %s: ') % f, '')
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	56 sslcontext.load_cert_chain(certfile, keyfile, password)
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	57 sslcontext.verify_mode = cert_reqs
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	58 if ca_certs is not None:
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	59 sslcontext.load_verify_locations(cafile=ca_certs)
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	60 elif _canloaddefaultcerts:
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	61 sslcontext.load_default_certs()
23834 bf07c19b4c82 https: support tls sni (server name indication) for https urls (issue3090) Alex Orange <crazycasta@gmail.com> parents: 23069 diff changeset	62
25431 96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	63 sslsocket = sslcontext.wrap_socket(sock, server_hostname=serverhostname)
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	64 # check if wrap_socket failed silently because socket had been
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	65 # closed
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	66 # - see http://bugs.python.org/issue13721
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	67 if not sslsocket.cipher():
26587 56b2bcea2529 error: get Abort from 'error' instead of 'util' Pierre-Yves David <pierre-yves.david@fb.com> parents: 25977 diff changeset	68 raise error.Abort(_('ssl connection failed'))
25431 96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	69 return sslsocket
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	70 except AttributeError:
28647 834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	71 # We don't have a modern version of the "ssl" module and are running
834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	72 # Python <2.7.9.
25431 96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	73 def wrapsocket(sock, keyfile, certfile, ui, cert_reqs=ssl.CERT_NONE,
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	74 ca_certs=None, serverhostname=None):
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	75 sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	76 cert_reqs=cert_reqs, ca_certs=ca_certs,
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	77 ssl_version=ssl.PROTOCOL_TLSv1)
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	78 # check if wrap_socket failed silently because socket had been
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	79 # closed
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	80 # - see http://bugs.python.org/issue13721
96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	81 if not sslsocket.cipher():
26587 56b2bcea2529 error: get Abort from 'error' instead of 'util' Pierre-Yves David <pierre-yves.david@fb.com> parents: 25977 diff changeset	82 raise error.Abort(_('ssl connection failed'))
25431 96159068c506 ssl: drop try-except clause that was necessary for ancient Python Yuya Nishihara <yuya@tcha.org> parents: 25430 diff changeset	83 return sslsocket
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	84
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	85 def _verifycert(cert, hostname):
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	86 '''Verify that cert (in socket.getpeercert() format) matches hostname.
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	87 CRLs is not handled.
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	88
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	89 Returns error message if any problems are found and None on success.
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	90 '''
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	91 if not cert:
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	92 return _('no certificate received')
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	93 dnsname = hostname.lower()
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	94 def matchdnsname(certname):
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	95 return (certname == dnsname or
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	96 '.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1])
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	97
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	98 san = cert.get('subjectAltName', [])
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	99 if san:
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	100 certnames = [value.lower() for key, value in san if key == 'DNS']
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	101 for name in certnames:
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	102 if matchdnsname(name):
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	103 return None
14666 27b080aa880a sslutil: fall back to commonName when no dNSName in subjectAltName (issue2798) Nicolas Bareil <nico@chdir.org> parents: 14616 diff changeset	104 if certnames:
27b080aa880a sslutil: fall back to commonName when no dNSName in subjectAltName (issue2798) Nicolas Bareil <nico@chdir.org> parents: 14616 diff changeset	105 return _('certificate is for %s') % ', '.join(certnames)
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	106
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	107 # subject is only checked when subjectAltName is empty
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	108 for s in cert.get('subject', []):
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	109 key, value = s[0]
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	110 if key == 'commonName':
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	111 try:
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	112 # 'subject' entries are unicode
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	113 certname = value.lower().encode('ascii')
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	114 except UnicodeEncodeError:
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	115 return _('IDN in certificate not supported')
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	116 if matchdnsname(certname):
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	117 return None
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	118 return _('certificate is for %s') % certname
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	119 return _('no commonName or subjectAltName found in certificate')
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	120
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	121
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	122 # CERT_REQUIRED means fetch the cert from the server all the time AND
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	123 # validate it against the CA store provided in web.cacerts.
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	124
23042 2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	125 def _plainapplepython():
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	126 """return true if this seems to be a pure Apple Python that
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	127 * is unfrozen and presumably has the whole mercurial module in the file
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	128 system
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	129 * presumably is an Apple Python that uses Apple OpenSSL which has patches
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	130 for using system certificate store CAs in addition to the provided
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	131 cacerts file
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	132 """
24614 241d98d84aed ssl: resolve symlink before checking for Apple python executable (issue4588) Yuya Nishihara <yuya@tcha.org> parents: 24291 diff changeset	133 if sys.platform != 'darwin' or util.mainfrozen() or not sys.executable:
23042 2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	134 return False
24614 241d98d84aed ssl: resolve symlink before checking for Apple python executable (issue4588) Yuya Nishihara <yuya@tcha.org> parents: 24291 diff changeset	135 exe = os.path.realpath(sys.executable).lower()
23042 2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	136 return (exe.startswith('/usr/bin/python') or
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	137 exe.startswith('/system/library/frameworks/python.framework/'))
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	138
24288 922e087ba158 ssl: extract function that returns dummycert path on Apple python Yuya Nishihara <yuya@tcha.org> parents: 23851 diff changeset	139 def _defaultcacerts():
24291 760a86865f80 ssl: load CA certificates from system's store by default on Python 2.7.9 Yuya Nishihara <yuya@tcha.org> parents: 24290 diff changeset	140 """return path to CA certificates; None for system's store; ! to disable"""
24288 922e087ba158 ssl: extract function that returns dummycert path on Apple python Yuya Nishihara <yuya@tcha.org> parents: 23851 diff changeset	141 if _plainapplepython():
922e087ba158 ssl: extract function that returns dummycert path on Apple python Yuya Nishihara <yuya@tcha.org> parents: 23851 diff changeset	142 dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
922e087ba158 ssl: extract function that returns dummycert path on Apple python Yuya Nishihara <yuya@tcha.org> parents: 23851 diff changeset	143 if os.path.exists(dummycert):
922e087ba158 ssl: extract function that returns dummycert path on Apple python Yuya Nishihara <yuya@tcha.org> parents: 23851 diff changeset	144 return dummycert
24291 760a86865f80 ssl: load CA certificates from system's store by default on Python 2.7.9 Yuya Nishihara <yuya@tcha.org> parents: 24290 diff changeset	145 if _canloaddefaultcerts:
760a86865f80 ssl: load CA certificates from system's store by default on Python 2.7.9 Yuya Nishihara <yuya@tcha.org> parents: 24290 diff changeset	146 return None
24290 b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) Yuya Nishihara <yuya@tcha.org> parents: 24288 diff changeset	147 return '!'
24288 922e087ba158 ssl: extract function that returns dummycert path on Apple python Yuya Nishihara <yuya@tcha.org> parents: 23851 diff changeset	148
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	149 def sslkwargs(ui, host):
25415 21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648) Yuya Nishihara <yuya@tcha.org> parents: 24614 diff changeset	150 kws = {'ui': ui}
22574 a00a7951b20c ssl: refactor sslkwargs - move things around a bit, preparing for next change Mads Kiilerich <madski@unity3d.com> parents: 19808 diff changeset	151 hostfingerprint = ui.config('hostfingerprints', host)
a00a7951b20c ssl: refactor sslkwargs - move things around a bit, preparing for next change Mads Kiilerich <madski@unity3d.com> parents: 19808 diff changeset	152 if hostfingerprint:
a00a7951b20c ssl: refactor sslkwargs - move things around a bit, preparing for next change Mads Kiilerich <madski@unity3d.com> parents: 19808 diff changeset	153 return kws
a00a7951b20c ssl: refactor sslkwargs - move things around a bit, preparing for next change Mads Kiilerich <madski@unity3d.com> parents: 19808 diff changeset	154 cacerts = ui.config('web', 'cacerts')
24290 b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) Yuya Nishihara <yuya@tcha.org> parents: 24288 diff changeset	155 if cacerts == '!':
b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) Yuya Nishihara <yuya@tcha.org> parents: 24288 diff changeset	156 pass
b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) Yuya Nishihara <yuya@tcha.org> parents: 24288 diff changeset	157 elif cacerts:
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	158 cacerts = util.expandpath(cacerts)
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	159 if not os.path.exists(cacerts):
26587 56b2bcea2529 error: get Abort from 'error' instead of 'util' Pierre-Yves David <pierre-yves.david@fb.com> parents: 25977 diff changeset	160 raise error.Abort(_('could not find web.cacerts: %s') % cacerts)
24290 b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) Yuya Nishihara <yuya@tcha.org> parents: 24288 diff changeset	161 else:
b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) Yuya Nishihara <yuya@tcha.org> parents: 24288 diff changeset	162 cacerts = _defaultcacerts()
b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) Yuya Nishihara <yuya@tcha.org> parents: 24288 diff changeset	163 if cacerts and cacerts != '!':
b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) Yuya Nishihara <yuya@tcha.org> parents: 24288 diff changeset	164 ui.debug('using %s to enable OS X system CA\n' % cacerts)
b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) Yuya Nishihara <yuya@tcha.org> parents: 24288 diff changeset	165 ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')
b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) Yuya Nishihara <yuya@tcha.org> parents: 24288 diff changeset	166 if cacerts != '!':
19806 47ff9d1abfa9 sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038) Augie Fackler <raf@durin42.com> parents: 19749 diff changeset	167 kws.update({'ca_certs': cacerts,
25432 bdc15b3c9bdb ssl: remove CERT_REQUIRED constant that was necessary for compatibility Yuya Nishihara <yuya@tcha.org> parents: 25431 diff changeset	168 'cert_reqs': ssl.CERT_REQUIRED,
19806 47ff9d1abfa9 sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038) Augie Fackler <raf@durin42.com> parents: 19749 diff changeset	169 })
47ff9d1abfa9 sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038) Augie Fackler <raf@durin42.com> parents: 19749 diff changeset	170 return kws
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	171
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	172 class validator(object):
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	173 def __init__(self, ui, host):
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	174 self.ui = ui
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	175 self.host = host
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	176
18887 2d7fac049d3a sslutil: abort if peer certificate is not verified for secure use FUJIWARA Katsunori <foozy@lares.dti.ne.jp> parents: 18879 diff changeset	177 def __call__(self, sock, strict=False):
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	178 host = self.host
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	179 cacerts = self.ui.config('web', 'cacerts')
28525 dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27688 diff changeset	180 hostfingerprints = self.ui.configlist('hostfingerprints', host)
18879 93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	181
15816 4bb59919c905 sslutil: work around validator crash getting certificate on failed sockets Mads Kiilerich <mads@kiilerich.com> parents: 15815 diff changeset	182 if not sock.cipher(): # work around http://bugs.python.org/issue13721
26587 56b2bcea2529 error: get Abort from 'error' instead of 'util' Pierre-Yves David <pierre-yves.david@fb.com> parents: 25977 diff changeset	183 raise error.Abort(_('%s ssl connection error') % host)
18879 93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	184 try:
93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	185 peercert = sock.getpeercert(True)
93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	186 peercert2 = sock.getpeercert()
93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	187 except AttributeError:
26587 56b2bcea2529 error: get Abort from 'error' instead of 'util' Pierre-Yves David <pierre-yves.david@fb.com> parents: 25977 diff changeset	188 raise error.Abort(_('%s ssl connection error') % host)
18879 93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	189
15817 8f377751b510 sslutil: abort properly if no certificate received for https connection Mads Kiilerich <mads@kiilerich.com> parents: 15816 diff changeset	190 if not peercert:
26587 56b2bcea2529 error: get Abort from 'error' instead of 'util' Pierre-Yves David <pierre-yves.david@fb.com> parents: 25977 diff changeset	191 raise error.Abort(_('%s certificate error: '
15817 8f377751b510 sslutil: abort properly if no certificate received for https connection Mads Kiilerich <mads@kiilerich.com> parents: 15816 diff changeset	192 'no certificate received') % host)
15814 c3e958b50a22 sslutil: show fingerprint when cacerts validation fails Mads Kiilerich <mads@kiilerich.com> parents: 15813 diff changeset	193 peerfingerprint = util.sha1(peercert).hexdigest()
c3e958b50a22 sslutil: show fingerprint when cacerts validation fails Mads Kiilerich <mads@kiilerich.com> parents: 15813 diff changeset	194 nicefingerprint = ":".join([peerfingerprint[x:x + 2]
c3e958b50a22 sslutil: show fingerprint when cacerts validation fails Mads Kiilerich <mads@kiilerich.com> parents: 15813 diff changeset	195 for x in xrange(0, len(peerfingerprint), 2)])
28525 dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27688 diff changeset	196 if hostfingerprints:
dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27688 diff changeset	197 fingerprintmatch = False
dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27688 diff changeset	198 for hostfingerprint in hostfingerprints:
dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27688 diff changeset	199 if peerfingerprint.lower() == \
dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27688 diff changeset	200 hostfingerprint.replace(':', '').lower():
dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27688 diff changeset	201 fingerprintmatch = True
dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27688 diff changeset	202 break
dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27688 diff changeset	203 if not fingerprintmatch:
26587 56b2bcea2529 error: get Abort from 'error' instead of 'util' Pierre-Yves David <pierre-yves.david@fb.com> parents: 25977 diff changeset	204 raise error.Abort(_('certificate for %s has unexpected '
15997 a45516cb8d9f sslutil: more helpful fingerprint mismatch message Matt Mackall <mpm@selenic.com> parents: 15817 diff changeset	205 'fingerprint %s') % (host, nicefingerprint),
a45516cb8d9f sslutil: more helpful fingerprint mismatch message Matt Mackall <mpm@selenic.com> parents: 15817 diff changeset	206 hint=_('check hostfingerprint configuration'))
15815 edc3a901a63d sslutil: reorder validator code to make it more readable Mads Kiilerich <mads@kiilerich.com> parents: 15814 diff changeset	207 self.ui.debug('%s certificate matched fingerprint %s\n' %
edc3a901a63d sslutil: reorder validator code to make it more readable Mads Kiilerich <mads@kiilerich.com> parents: 15814 diff changeset	208 (host, nicefingerprint))
24290 b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) Yuya Nishihara <yuya@tcha.org> parents: 24288 diff changeset	209 elif cacerts != '!':
18879 93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	210 msg = _verifycert(peercert2, host)
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	211 if msg:
26587 56b2bcea2529 error: get Abort from 'error' instead of 'util' Pierre-Yves David <pierre-yves.david@fb.com> parents: 25977 diff changeset	212 raise error.Abort(_('%s certificate error: %s') % (host, msg),
15814 c3e958b50a22 sslutil: show fingerprint when cacerts validation fails Mads Kiilerich <mads@kiilerich.com> parents: 15813 diff changeset	213 hint=_('configure hostfingerprint %s or use '
c3e958b50a22 sslutil: show fingerprint when cacerts validation fails Mads Kiilerich <mads@kiilerich.com> parents: 15813 diff changeset	214 '--insecure to connect insecurely') %
c3e958b50a22 sslutil: show fingerprint when cacerts validation fails Mads Kiilerich <mads@kiilerich.com> parents: 15813 diff changeset	215 nicefingerprint)
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	216 self.ui.debug('%s certificate successfully verified\n' % host)
18887 2d7fac049d3a sslutil: abort if peer certificate is not verified for secure use FUJIWARA Katsunori <foozy@lares.dti.ne.jp> parents: 18879 diff changeset	217 elif strict:
26587 56b2bcea2529 error: get Abort from 'error' instead of 'util' Pierre-Yves David <pierre-yves.david@fb.com> parents: 25977 diff changeset	218 raise error.Abort(_('%s certificate with fingerprint %s not '
18887 2d7fac049d3a sslutil: abort if peer certificate is not verified for secure use FUJIWARA Katsunori <foozy@lares.dti.ne.jp> parents: 18879 diff changeset	219 'verified') % (host, nicefingerprint),
2d7fac049d3a sslutil: abort if peer certificate is not verified for secure use FUJIWARA Katsunori <foozy@lares.dti.ne.jp> parents: 18879 diff changeset	220 hint=_('check hostfingerprints or web.cacerts '
2d7fac049d3a sslutil: abort if peer certificate is not verified for secure use FUJIWARA Katsunori <foozy@lares.dti.ne.jp> parents: 18879 diff changeset	221 'config setting'))
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	222 else:
15815 edc3a901a63d sslutil: reorder validator code to make it more readable Mads Kiilerich <mads@kiilerich.com> parents: 15814 diff changeset	223 self.ui.warn(_('warning: %s certificate with fingerprint %s not '
edc3a901a63d sslutil: reorder validator code to make it more readable Mads Kiilerich <mads@kiilerich.com> parents: 15814 diff changeset	224 'verified (check hostfingerprints or web.cacerts '
edc3a901a63d sslutil: reorder validator code to make it more readable Mads Kiilerich <mads@kiilerich.com> parents: 15814 diff changeset	225 'config setting)\n') %
edc3a901a63d sslutil: reorder validator code to make it more readable Mads Kiilerich <mads@kiilerich.com> parents: 15814 diff changeset	226 (host, nicefingerprint))

Mercurial > hg

annotate mercurial/sslutil.py @ 28647:834d1c4ba749