author | Pierre-Yves David <pierre-yves.david@octobus.net> |
Tue, 24 Sep 2024 15:44:10 +0200 | |
changeset 51907 | bd7359c18d69 |
parent 51863 | f4733654f144 |
permissions | -rw-r--r-- |
14204
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
1 |
# sslutil.py - SSL handling for mercurial |
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
2 |
# |
46819
d4ba4d51f85f
contributor: change mentions of mpm to olivia
Raphaël Gomès <rgomes@octobus.net>
parents:
46786
diff
changeset
|
3 |
# Copyright 2005, 2006, 2007, 2008 Olivia Mackall <olivia@selenic.com> |
14204
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
4 |
# Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br> |
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
5 |
# Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com> |
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
6 |
# |
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
7 |
# This software may be used and distributed according to the terms of the |
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
8 |
# GNU General Public License version 2 or any later version. |
25977
696f6e2be282
sslutil: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents:
25432
diff
changeset
|
9 |
|
51863
f4733654f144
typing: add `from __future__ import annotations` to most files
Matt Harbison <matt_harbison@yahoo.com>
parents:
51703
diff
changeset
|
10 |
from __future__ import annotations |
14204
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
11 |
|
29341
0d83ad967bf8
cleanup: replace uses of util.(md5|sha1|sha256|sha512) with hashlib.\1
Augie Fackler <raf@durin42.com>
parents:
29334
diff
changeset
|
12 |
import hashlib |
25977
696f6e2be282
sslutil: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents:
25432
diff
changeset
|
13 |
import os |
29452
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
14 |
import re |
25977
696f6e2be282
sslutil: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents:
25432
diff
changeset
|
15 |
import ssl |
49054
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
16 |
import warnings |
25977
696f6e2be282
sslutil: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents:
25432
diff
changeset
|
17 |
|
696f6e2be282
sslutil: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents:
25432
diff
changeset
|
18 |
from .i18n import _ |
46113
59fa3890d40a
node: import symbols explicitly
Joerg Sonnenberger <joerg@bec.de>
parents:
45942
diff
changeset
|
19 |
from .node import hex |
28577
7efff6ce9826
sslutil: use preferred formatting for import syntax
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28525
diff
changeset
|
20 |
from . import ( |
42269
c8d55ff80da1
sslutil: add support for SSLKEYLOGFILE to wrapsocket
Augie Fackler <augie@google.com>
parents:
42263
diff
changeset
|
21 |
encoding, |
28577
7efff6ce9826
sslutil: use preferred formatting for import syntax
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28525
diff
changeset
|
22 |
error, |
30639
d524c88511a7
py3: replace os.name with pycompat.osname (part 1 of 2)
Pulkit Goyal <7895pulkit@gmail.com>
parents:
30332
diff
changeset
|
23 |
pycompat, |
28577
7efff6ce9826
sslutil: use preferred formatting for import syntax
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28525
diff
changeset
|
24 |
util, |
7efff6ce9826
sslutil: use preferred formatting for import syntax
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28525
diff
changeset
|
25 |
) |
37084
f0b6fbea00cf
stringutil: bulk-replace call sites to point to new module
Yuya Nishihara <yuya@tcha.org>
parents:
36747
diff
changeset
|
26 |
from .utils import ( |
44061
cbc5755df6bf
sslutil: migrate to hashutil.sha1 instead of hashlib.sha1
Augie Fackler <augie@google.com>
parents:
43671
diff
changeset
|
27 |
hashutil, |
43671
664e24207728
procutil: move mainfrozen() to new resourceutil.py
Martin von Zweigbergk <martinvonz@google.com>
parents:
43506
diff
changeset
|
28 |
resourceutil, |
37084
f0b6fbea00cf
stringutil: bulk-replace call sites to point to new module
Yuya Nishihara <yuya@tcha.org>
parents:
36747
diff
changeset
|
29 |
stringutil, |
f0b6fbea00cf
stringutil: bulk-replace call sites to point to new module
Yuya Nishihara <yuya@tcha.org>
parents:
36747
diff
changeset
|
30 |
) |
24291
760a86865f80
ssl: load CA certificates from system's store by default on Python 2.7.9
Yuya Nishihara <yuya@tcha.org>
parents:
24290
diff
changeset
|
31 |
|
28647
834d1c4ba749
sslutil: better document state of security/ssl module
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28577
diff
changeset
|
32 |
# Python 2.7.9+ overhauled the built-in SSL/TLS features of Python. It added |
834d1c4ba749
sslutil: better document state of security/ssl module
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28577
diff
changeset
|
33 |
# support for TLS 1.1, TLS 1.2, SNI, system CA stores, etc. These features are |
834d1c4ba749
sslutil: better document state of security/ssl module
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28577
diff
changeset
|
34 |
# all exposed via the "ssl" module. |
834d1c4ba749
sslutil: better document state of security/ssl module
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28577
diff
changeset
|
35 |
# |
44875
7c19eb372438
sslutil: remove code checking for presence of ssl.SSLContext
Manuel Jacob <me@manueljacob.de>
parents:
44873
diff
changeset
|
36 |
# We require in setup.py the presence of ssl.SSLContext, which indicates modern |
7c19eb372438
sslutil: remove code checking for presence of ssl.SSLContext
Manuel Jacob <me@manueljacob.de>
parents:
44873
diff
changeset
|
37 |
# SSL/TLS support. |
28647
834d1c4ba749
sslutil: better document state of security/ssl module
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28577
diff
changeset
|
38 |
|
32291
bd872f64a8ba
cleanup: use set literals
Martin von Zweigbergk <martinvonz@google.com>
parents:
32273
diff
changeset
|
39 |
configprotocols = { |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
40 |
b'tls1.0', |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
41 |
b'tls1.1', |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
42 |
b'tls1.2', |
32291
bd872f64a8ba
cleanup: use set literals
Martin von Zweigbergk <martinvonz@google.com>
parents:
32273
diff
changeset
|
43 |
} |
26622
9e15286609ae
sslutil: expose attribute indicating whether SNI is supported
Gregory Szorc <gregory.szorc@gmail.com>
parents:
26587
diff
changeset
|
44 |
|
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29558
diff
changeset
|
45 |
hassni = getattr(ssl, 'HAS_SNI', False) |
28648
7fc787e5d8ec
sslutil: store OP_NO_SSL* constants in module scope
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28647
diff
changeset
|
46 |
|
44898
d61c05450b37
sslutil: properly detect which TLS versions are supported by the ssl module
Manuel Jacob <me@manueljacob.de>
parents:
44897
diff
changeset
|
47 |
# ssl.HAS_TLSv1* are preferred to check support but they were added in Python |
d61c05450b37
sslutil: properly detect which TLS versions are supported by the ssl module
Manuel Jacob <me@manueljacob.de>
parents:
44897
diff
changeset
|
48 |
# 3.7. Prior to CPython commit 6e8cda91d92da72800d891b2fc2073ecbc134d98 |
d61c05450b37
sslutil: properly detect which TLS versions are supported by the ssl module
Manuel Jacob <me@manueljacob.de>
parents:
44897
diff
changeset
|
49 |
# (backported to the 3.7 branch), ssl.PROTOCOL_TLSv1_1 / ssl.PROTOCOL_TLSv1_2 |
d61c05450b37
sslutil: properly detect which TLS versions are supported by the ssl module
Manuel Jacob <me@manueljacob.de>
parents:
44897
diff
changeset
|
50 |
# were defined only if compiled against a OpenSSL version with TLS 1.1 / 1.2 |
d61c05450b37
sslutil: properly detect which TLS versions are supported by the ssl module
Manuel Jacob <me@manueljacob.de>
parents:
44897
diff
changeset
|
51 |
# support. At the mentioned commit, they were unconditionally defined. |
d61c05450b37
sslutil: properly detect which TLS versions are supported by the ssl module
Manuel Jacob <me@manueljacob.de>
parents:
44897
diff
changeset
|
52 |
supportedprotocols = set() |
50928
d718eddf01d9
safehasattr: drop usage in favor of hasattr
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
50602
diff
changeset
|
53 |
if getattr(ssl, 'HAS_TLSv1', hasattr(ssl, 'PROTOCOL_TLSv1')): |
44898
d61c05450b37
sslutil: properly detect which TLS versions are supported by the ssl module
Manuel Jacob <me@manueljacob.de>
parents:
44897
diff
changeset
|
54 |
supportedprotocols.add(b'tls1.0') |
50928
d718eddf01d9
safehasattr: drop usage in favor of hasattr
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
50602
diff
changeset
|
55 |
if getattr(ssl, 'HAS_TLSv1_1', hasattr(ssl, 'PROTOCOL_TLSv1_1')): |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
56 |
supportedprotocols.add(b'tls1.1') |
50928
d718eddf01d9
safehasattr: drop usage in favor of hasattr
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
50602
diff
changeset
|
57 |
if getattr(ssl, 'HAS_TLSv1_2', hasattr(ssl, 'PROTOCOL_TLSv1_2')): |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
58 |
supportedprotocols.add(b'tls1.2') |
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29578
diff
changeset
|
59 |
|
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
60 |
|
29258
6315c1e14f75
sslutil: introduce a function for determining host-specific settings
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29253
diff
changeset
|
61 |
def _hostsettings(ui, hostname): |
6315c1e14f75
sslutil: introduce a function for determining host-specific settings
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29253
diff
changeset
|
62 |
"""Obtain security settings for a hostname. |
6315c1e14f75
sslutil: introduce a function for determining host-specific settings
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29253
diff
changeset
|
63 |
|
6315c1e14f75
sslutil: introduce a function for determining host-specific settings
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29253
diff
changeset
|
64 |
Returns a dict of settings relevant to that hostname. |
6315c1e14f75
sslutil: introduce a function for determining host-specific settings
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29253
diff
changeset
|
65 |
""" |
36745
424994a0adfd
sslutil: lots of unicode/bytes cleanup
Augie Fackler <augie@google.com>
parents:
35582
diff
changeset
|
66 |
bhostname = pycompat.bytesurl(hostname) |
29258
6315c1e14f75
sslutil: introduce a function for determining host-specific settings
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29253
diff
changeset
|
67 |
s = { |
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29287
diff
changeset
|
68 |
# Whether we should attempt to load default/available CA certs |
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29287
diff
changeset
|
69 |
# if an explicit ``cafile`` is not defined. |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
70 |
b'allowloaddefaultcerts': True, |
29258
6315c1e14f75
sslutil: introduce a function for determining host-specific settings
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29253
diff
changeset
|
71 |
# List of 2-tuple of (hash algorithm, hash). |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
72 |
b'certfingerprints': [], |
29260
70bc9912d83d
sslutil: move CA file processing into _hostsettings()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29259
diff
changeset
|
73 |
# Path to file containing concatenated CA certs. Used by |
70bc9912d83d
sslutil: move CA file processing into _hostsettings()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29259
diff
changeset
|
74 |
# SSLContext.load_verify_locations(). |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
75 |
b'cafile': None, |
29287
fbccb334efe7
sslutil: store flag for whether cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29286
diff
changeset
|
76 |
# Whether certificate verification should be disabled. |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
77 |
b'disablecertverification': False, |
29268
f200b58497f1
sslutil: reference appropriate config section in messaging
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29267
diff
changeset
|
78 |
# Whether the legacy [hostfingerprints] section has data for this host. |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
79 |
b'legacyfingerprint': False, |
29618
fbf4adc0d8f2
sslutil: capture string string representation of protocol
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
80 |
# String representation of minimum protocol to be used for UI |
fbf4adc0d8f2
sslutil: capture string string representation of protocol
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
81 |
# presentation. |
44899
4ca1110991c4
sslutil: rename 'minimumprotocolui' -> 'minimumprotocol'
Manuel Jacob <me@manueljacob.de>
parents:
44898
diff
changeset
|
82 |
b'minimumprotocol': None, |
29259
ec247e8595f9
sslutil: move SSLContext.verify_mode value into _hostsettings
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29258
diff
changeset
|
83 |
# ssl.CERT_* constant used by SSLContext.verify_mode. |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
84 |
b'verifymode': None, |
29577
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
85 |
# OpenSSL Cipher List to use (instead of default). |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
86 |
b'ciphers': None, |
29258
6315c1e14f75
sslutil: introduce a function for determining host-specific settings
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29253
diff
changeset
|
87 |
} |
6315c1e14f75
sslutil: introduce a function for determining host-specific settings
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29253
diff
changeset
|
88 |
|
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29558
diff
changeset
|
89 |
# Allow minimum TLS protocol to be specified in the config. |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29558
diff
changeset
|
90 |
def validateprotocol(protocol, key): |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29558
diff
changeset
|
91 |
if protocol not in configprotocols: |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29558
diff
changeset
|
92 |
raise error.Abort( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
93 |
_(b'unsupported protocol from hostsecurity.%s: %s') |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
94 |
% (key, protocol), |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
95 |
hint=_(b'valid protocols: %s') |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
96 |
% b' '.join(sorted(configprotocols)), |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
97 |
) |
29507
97dcdcf75f4f
sslutil: move protocol determination to _hostsettings
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29501
diff
changeset
|
98 |
|
44895
5921dc0d5c3a
sslutil: remove dead code (that downgraded default minimum TLS version)
Manuel Jacob <me@manueljacob.de>
parents:
44894
diff
changeset
|
99 |
# We default to TLS 1.1+ because TLS 1.0 has known vulnerabilities (like |
5921dc0d5c3a
sslutil: remove dead code (that downgraded default minimum TLS version)
Manuel Jacob <me@manueljacob.de>
parents:
44894
diff
changeset
|
100 |
# BEAST and POODLE). We allow users to downgrade to TLS 1.0+ via config |
5921dc0d5c3a
sslutil: remove dead code (that downgraded default minimum TLS version)
Manuel Jacob <me@manueljacob.de>
parents:
44894
diff
changeset
|
101 |
# options in case a legacy server is encountered. |
5921dc0d5c3a
sslutil: remove dead code (that downgraded default minimum TLS version)
Manuel Jacob <me@manueljacob.de>
parents:
44894
diff
changeset
|
102 |
|
44902
24d440e2fdbb
sslutil: fix comment to use inclusive or instead of exclusive or
Manuel Jacob <me@manueljacob.de>
parents:
44901
diff
changeset
|
103 |
# setup.py checks that TLS 1.1 or TLS 1.2 is present, so the following |
24d440e2fdbb
sslutil: fix comment to use inclusive or instead of exclusive or
Manuel Jacob <me@manueljacob.de>
parents:
44901
diff
changeset
|
104 |
# assert should not fail. |
44895
5921dc0d5c3a
sslutil: remove dead code (that downgraded default minimum TLS version)
Manuel Jacob <me@manueljacob.de>
parents:
44894
diff
changeset
|
105 |
assert supportedprotocols - {b'tls1.0'} |
5921dc0d5c3a
sslutil: remove dead code (that downgraded default minimum TLS version)
Manuel Jacob <me@manueljacob.de>
parents:
44894
diff
changeset
|
106 |
defaultminimumprotocol = b'tls1.1' |
29560
303e9300772a
sslutil: require TLS 1.1+ when supported
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29559
diff
changeset
|
107 |
|
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
108 |
key = b'minimumprotocol' |
44889
ceb7318013d5
sslutil: fix names of variables containing minimum protocol strings
Manuel Jacob <me@manueljacob.de>
parents:
44888
diff
changeset
|
109 |
minimumprotocol = ui.config(b'hostsecurity', key, defaultminimumprotocol) |
ceb7318013d5
sslutil: fix names of variables containing minimum protocol strings
Manuel Jacob <me@manueljacob.de>
parents:
44888
diff
changeset
|
110 |
validateprotocol(minimumprotocol, key) |
29508
d65ec41b6384
sslutil: move context options flags to _hostsettings
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29507
diff
changeset
|
111 |
|
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
112 |
key = b'%s:minimumprotocol' % bhostname |
44889
ceb7318013d5
sslutil: fix names of variables containing minimum protocol strings
Manuel Jacob <me@manueljacob.de>
parents:
44888
diff
changeset
|
113 |
minimumprotocol = ui.config(b'hostsecurity', key, minimumprotocol) |
ceb7318013d5
sslutil: fix names of variables containing minimum protocol strings
Manuel Jacob <me@manueljacob.de>
parents:
44888
diff
changeset
|
114 |
validateprotocol(minimumprotocol, key) |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29558
diff
changeset
|
115 |
|
49055
50bd2910d162
sslutil: be less strict about which ciphers are allowed when using --insecure
Julien Cristau <jcristau@debian.org>
parents:
49054
diff
changeset
|
116 |
ciphers = ui.config(b'hostsecurity', b'ciphers') |
50bd2910d162
sslutil: be less strict about which ciphers are allowed when using --insecure
Julien Cristau <jcristau@debian.org>
parents:
49054
diff
changeset
|
117 |
ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers) |
50bd2910d162
sslutil: be less strict about which ciphers are allowed when using --insecure
Julien Cristau <jcristau@debian.org>
parents:
49054
diff
changeset
|
118 |
|
29617
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
119 |
# If --insecure is used, we allow the use of TLS 1.0 despite config options. |
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
120 |
# We always print a "connection security to %s is disabled..." message when |
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
121 |
# --insecure is used. So no need to print anything more here. |
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
122 |
if ui.insecureconnections: |
44889
ceb7318013d5
sslutil: fix names of variables containing minimum protocol strings
Manuel Jacob <me@manueljacob.de>
parents:
44888
diff
changeset
|
123 |
minimumprotocol = b'tls1.0' |
49055
50bd2910d162
sslutil: be less strict about which ciphers are allowed when using --insecure
Julien Cristau <jcristau@debian.org>
parents:
49054
diff
changeset
|
124 |
if not ciphers: |
50342
c54e9bb5737e
sslutil: set context security level for legacy tls testing (issue6760)
pacien <pacien.trangirard@pacien.net>
parents:
50341
diff
changeset
|
125 |
ciphers = b'DEFAULT:@SECLEVEL=0' |
29558
a935cd7d51a6
sslutil: prevent CRIME
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29557
diff
changeset
|
126 |
|
44899
4ca1110991c4
sslutil: rename 'minimumprotocolui' -> 'minimumprotocol'
Manuel Jacob <me@manueljacob.de>
parents:
44898
diff
changeset
|
127 |
s[b'minimumprotocol'] = minimumprotocol |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
128 |
s[b'ciphers'] = ciphers |
29577
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
129 |
|
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29262
diff
changeset
|
130 |
# Look for fingerprints in [hostsecurity] section. Value is a list |
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29262
diff
changeset
|
131 |
# of <alg>:<fingerprint> strings. |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
132 |
fingerprints = ui.configlist( |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
133 |
b'hostsecurity', b'%s:fingerprints' % bhostname |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
134 |
) |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29262
diff
changeset
|
135 |
for fingerprint in fingerprints: |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
136 |
if not (fingerprint.startswith((b'sha1:', b'sha256:', b'sha512:'))): |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
137 |
raise error.Abort( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
138 |
_(b'invalid fingerprint for %s: %s') % (bhostname, fingerprint), |
43117
8ff1ecfadcd1
cleanup: join string literals that are already on one line
Martin von Zweigbergk <martinvonz@google.com>
parents:
43089
diff
changeset
|
139 |
hint=_(b'must begin with "sha1:", "sha256:", or "sha512:"'), |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
140 |
) |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29262
diff
changeset
|
141 |
|
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
142 |
alg, fingerprint = fingerprint.split(b':', 1) |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
143 |
fingerprint = fingerprint.replace(b':', b'').lower() |
48491
08af0adc235c
pytype: stop excluding ssutil.py
Matt Harbison <matt_harbison@yahoo.com>
parents:
46819
diff
changeset
|
144 |
# pytype: disable=attribute-error |
08af0adc235c
pytype: stop excluding ssutil.py
Matt Harbison <matt_harbison@yahoo.com>
parents:
46819
diff
changeset
|
145 |
# `s` is heterogeneous, but this entry is always a list of tuples |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
146 |
s[b'certfingerprints'].append((alg, fingerprint)) |
48491
08af0adc235c
pytype: stop excluding ssutil.py
Matt Harbison <matt_harbison@yahoo.com>
parents:
46819
diff
changeset
|
147 |
# pytype: enable=attribute-error |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29262
diff
changeset
|
148 |
|
29258
6315c1e14f75
sslutil: introduce a function for determining host-specific settings
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29253
diff
changeset
|
149 |
# Fingerprints from [hostfingerprints] are always SHA-1. |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
150 |
for fingerprint in ui.configlist(b'hostfingerprints', bhostname): |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
151 |
fingerprint = fingerprint.replace(b':', b'').lower() |
48491
08af0adc235c
pytype: stop excluding ssutil.py
Matt Harbison <matt_harbison@yahoo.com>
parents:
46819
diff
changeset
|
152 |
# pytype: disable=attribute-error |
08af0adc235c
pytype: stop excluding ssutil.py
Matt Harbison <matt_harbison@yahoo.com>
parents:
46819
diff
changeset
|
153 |
# `s` is heterogeneous, but this entry is always a list of tuples |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
154 |
s[b'certfingerprints'].append((b'sha1', fingerprint)) |
48491
08af0adc235c
pytype: stop excluding ssutil.py
Matt Harbison <matt_harbison@yahoo.com>
parents:
46819
diff
changeset
|
155 |
# pytype: enable=attribute-error |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
156 |
s[b'legacyfingerprint'] = True |
29258
6315c1e14f75
sslutil: introduce a function for determining host-specific settings
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29253
diff
changeset
|
157 |
|
29259
ec247e8595f9
sslutil: move SSLContext.verify_mode value into _hostsettings
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29258
diff
changeset
|
158 |
# If a host cert fingerprint is defined, it is the only thing that |
ec247e8595f9
sslutil: move SSLContext.verify_mode value into _hostsettings
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29258
diff
changeset
|
159 |
# matters. No need to validate CA certs. |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
160 |
if s[b'certfingerprints']: |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
161 |
s[b'verifymode'] = ssl.CERT_NONE |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
162 |
s[b'allowloaddefaultcerts'] = False |
29259
ec247e8595f9
sslutil: move SSLContext.verify_mode value into _hostsettings
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29258
diff
changeset
|
163 |
|
ec247e8595f9
sslutil: move SSLContext.verify_mode value into _hostsettings
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29258
diff
changeset
|
164 |
# If --insecure is used, don't take CAs into consideration. |
ec247e8595f9
sslutil: move SSLContext.verify_mode value into _hostsettings
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29258
diff
changeset
|
165 |
elif ui.insecureconnections: |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
166 |
s[b'disablecertverification'] = True |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
167 |
s[b'verifymode'] = ssl.CERT_NONE |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
168 |
s[b'allowloaddefaultcerts'] = False |
29259
ec247e8595f9
sslutil: move SSLContext.verify_mode value into _hostsettings
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29258
diff
changeset
|
169 |
|
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
170 |
if ui.configbool(b'devel', b'disableloaddefaultcerts'): |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
171 |
s[b'allowloaddefaultcerts'] = False |
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29287
diff
changeset
|
172 |
|
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29293
diff
changeset
|
173 |
# If both fingerprints and a per-host ca file are specified, issue a warning |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29293
diff
changeset
|
174 |
# because users should not be surprised about what security is or isn't |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29293
diff
changeset
|
175 |
# being performed. |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
176 |
cafile = ui.config(b'hostsecurity', b'%s:verifycertsfile' % bhostname) |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
177 |
if s[b'certfingerprints'] and cafile: |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
178 |
ui.warn( |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
179 |
_( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
180 |
b'(hostsecurity.%s:verifycertsfile ignored when host ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
181 |
b'fingerprints defined; using host fingerprints for ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
182 |
b'verification)\n' |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
183 |
) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
184 |
% bhostname |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
185 |
) |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29293
diff
changeset
|
186 |
|
29260
70bc9912d83d
sslutil: move CA file processing into _hostsettings()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29259
diff
changeset
|
187 |
# Try to hook up CA certificate validation unless something above |
70bc9912d83d
sslutil: move CA file processing into _hostsettings()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29259
diff
changeset
|
188 |
# makes it not necessary. |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
189 |
if s[b'verifymode'] is None: |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29293
diff
changeset
|
190 |
# Look at per-host ca file first. |
29260
70bc9912d83d
sslutil: move CA file processing into _hostsettings()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29259
diff
changeset
|
191 |
if cafile: |
70bc9912d83d
sslutil: move CA file processing into _hostsettings()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29259
diff
changeset
|
192 |
cafile = util.expandpath(cafile) |
70bc9912d83d
sslutil: move CA file processing into _hostsettings()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29259
diff
changeset
|
193 |
if not os.path.exists(cafile): |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
194 |
raise error.Abort( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
195 |
_(b'path specified by %s does not exist: %s') |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
196 |
% ( |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
197 |
b'hostsecurity.%s:verifycertsfile' % (bhostname,), |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
198 |
cafile, |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
199 |
) |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
200 |
) |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
201 |
s[b'cafile'] = cafile |
29260
70bc9912d83d
sslutil: move CA file processing into _hostsettings()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29259
diff
changeset
|
202 |
else: |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29293
diff
changeset
|
203 |
# Find global certificates file in config. |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
204 |
cafile = ui.config(b'web', b'cacerts') |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29293
diff
changeset
|
205 |
|
29260
70bc9912d83d
sslutil: move CA file processing into _hostsettings()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29259
diff
changeset
|
206 |
if cafile: |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29293
diff
changeset
|
207 |
cafile = util.expandpath(cafile) |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29293
diff
changeset
|
208 |
if not os.path.exists(cafile): |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
209 |
raise error.Abort( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
210 |
_(b'could not find web.cacerts: %s') % cafile |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
211 |
) |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
212 |
elif s[b'allowloaddefaultcerts']: |
29482
4e72995f6c9c
sslutil: change comment and logged message for found ca cert file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29459
diff
changeset
|
213 |
# CAs not defined in config. Try to find system bundles. |
29483
918dce4b8c26
sslutil: pass ui to _defaultcacerts
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29482
diff
changeset
|
214 |
cafile = _defaultcacerts(ui) |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29293
diff
changeset
|
215 |
if cafile: |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
216 |
ui.debug(b'using %s for CA file\n' % cafile) |
29260
70bc9912d83d
sslutil: move CA file processing into _hostsettings()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29259
diff
changeset
|
217 |
|
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
218 |
s[b'cafile'] = cafile |
29260
70bc9912d83d
sslutil: move CA file processing into _hostsettings()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29259
diff
changeset
|
219 |
|
70bc9912d83d
sslutil: move CA file processing into _hostsettings()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29259
diff
changeset
|
220 |
# Require certificate validation if CA certs are being loaded and |
70bc9912d83d
sslutil: move CA file processing into _hostsettings()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29259
diff
changeset
|
221 |
# verification hasn't been disabled above. |
44880
7dd63a8cb1ee
sslutil: eliminate `_canloaddefaultcerts` by constant-folding code using it
Manuel Jacob <me@manueljacob.de>
parents:
44878
diff
changeset
|
222 |
if cafile or s[b'allowloaddefaultcerts']: |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
223 |
s[b'verifymode'] = ssl.CERT_REQUIRED |
29260
70bc9912d83d
sslutil: move CA file processing into _hostsettings()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29259
diff
changeset
|
224 |
else: |
70bc9912d83d
sslutil: move CA file processing into _hostsettings()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29259
diff
changeset
|
225 |
# At this point we don't have a fingerprint, aren't being |
70bc9912d83d
sslutil: move CA file processing into _hostsettings()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29259
diff
changeset
|
226 |
# explicitly insecure, and can't load CA certs. Connecting |
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29410
diff
changeset
|
227 |
# is insecure. We allow the connection and abort during |
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29410
diff
changeset
|
228 |
# validation (once we have the fingerprint to print to the |
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29410
diff
changeset
|
229 |
# user). |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
230 |
s[b'verifymode'] = ssl.CERT_NONE |
29260
70bc9912d83d
sslutil: move CA file processing into _hostsettings()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29259
diff
changeset
|
231 |
|
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
232 |
assert s[b'verifymode'] is not None |
29259
ec247e8595f9
sslutil: move SSLContext.verify_mode value into _hostsettings
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29258
diff
changeset
|
233 |
|
29258
6315c1e14f75
sslutil: introduce a function for determining host-specific settings
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29253
diff
changeset
|
234 |
return s |
6315c1e14f75
sslutil: introduce a function for determining host-specific settings
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29253
diff
changeset
|
235 |
|
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
236 |
|
44901
53b3baaadb64
sslutil: propagate return value ssl.PROTOCOL_SSLv23 from protocolsettings()
Manuel Jacob <me@manueljacob.de>
parents:
44900
diff
changeset
|
237 |
def commonssloptions(minimumprotocol): |
45942
89a2afe31e82
formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents:
45915
diff
changeset
|
238 |
"""Return SSLContext options common to servers and clients.""" |
44889
ceb7318013d5
sslutil: fix names of variables containing minimum protocol strings
Manuel Jacob <me@manueljacob.de>
parents:
44888
diff
changeset
|
239 |
if minimumprotocol not in configprotocols: |
ceb7318013d5
sslutil: fix names of variables containing minimum protocol strings
Manuel Jacob <me@manueljacob.de>
parents:
44888
diff
changeset
|
240 |
raise ValueError(b'protocol value not supported: %s' % minimumprotocol) |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29558
diff
changeset
|
241 |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29558
diff
changeset
|
242 |
# SSLv2 and SSLv3 are broken. We ban them outright. |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29558
diff
changeset
|
243 |
options = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29558
diff
changeset
|
244 |
|
44889
ceb7318013d5
sslutil: fix names of variables containing minimum protocol strings
Manuel Jacob <me@manueljacob.de>
parents:
44888
diff
changeset
|
245 |
if minimumprotocol == b'tls1.0': |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29558
diff
changeset
|
246 |
# Defaults above are to use TLS 1.0+ |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29558
diff
changeset
|
247 |
pass |
44889
ceb7318013d5
sslutil: fix names of variables containing minimum protocol strings
Manuel Jacob <me@manueljacob.de>
parents:
44888
diff
changeset
|
248 |
elif minimumprotocol == b'tls1.1': |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29558
diff
changeset
|
249 |
options |= ssl.OP_NO_TLSv1 |
44889
ceb7318013d5
sslutil: fix names of variables containing minimum protocol strings
Manuel Jacob <me@manueljacob.de>
parents:
44888
diff
changeset
|
250 |
elif minimumprotocol == b'tls1.2': |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29558
diff
changeset
|
251 |
options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29558
diff
changeset
|
252 |
else: |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
253 |
raise error.Abort(_(b'this should not happen')) |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29558
diff
changeset
|
254 |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29558
diff
changeset
|
255 |
# Prevent CRIME. |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29558
diff
changeset
|
256 |
# There is no guarantee this attribute is defined on the module. |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29558
diff
changeset
|
257 |
options |= getattr(ssl, 'OP_NO_COMPRESSION', 0) |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29558
diff
changeset
|
258 |
|
44901
53b3baaadb64
sslutil: propagate return value ssl.PROTOCOL_SSLv23 from protocolsettings()
Manuel Jacob <me@manueljacob.de>
parents:
44900
diff
changeset
|
259 |
return options |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29558
diff
changeset
|
260 |
|
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
261 |
|
29249
cca59ef27e60
sslutil: move sslkwargs logic into internal function (API)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29248
diff
changeset
|
262 |
def wrapsocket(sock, keyfile, certfile, ui, serverhostname=None): |
28653
1eb0bd8adf39
sslutil: add docstring to wrapsocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28652
diff
changeset
|
263 |
"""Add SSL/TLS to a socket. |
1eb0bd8adf39
sslutil: add docstring to wrapsocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28652
diff
changeset
|
264 |
|
1eb0bd8adf39
sslutil: add docstring to wrapsocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28652
diff
changeset
|
265 |
This is a glorified wrapper for ``ssl.wrap_socket()``. It makes sane |
1eb0bd8adf39
sslutil: add docstring to wrapsocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28652
diff
changeset
|
266 |
choices based on what security options are available. |
1eb0bd8adf39
sslutil: add docstring to wrapsocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28652
diff
changeset
|
267 |
|
1eb0bd8adf39
sslutil: add docstring to wrapsocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28652
diff
changeset
|
268 |
In addition to the arguments supported by ``ssl.wrap_socket``, we allow |
1eb0bd8adf39
sslutil: add docstring to wrapsocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28652
diff
changeset
|
269 |
the following additional arguments: |
1eb0bd8adf39
sslutil: add docstring to wrapsocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28652
diff
changeset
|
270 |
|
1eb0bd8adf39
sslutil: add docstring to wrapsocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28652
diff
changeset
|
271 |
* serverhostname - The expected hostname of the remote server. If the |
1eb0bd8adf39
sslutil: add docstring to wrapsocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28652
diff
changeset
|
272 |
server (and client) support SNI, this tells the server which certificate |
1eb0bd8adf39
sslutil: add docstring to wrapsocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28652
diff
changeset
|
273 |
to use. |
1eb0bd8adf39
sslutil: add docstring to wrapsocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28652
diff
changeset
|
274 |
""" |
29224
7424f4294199
sslutil: require serverhostname argument (API)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29115
diff
changeset
|
275 |
if not serverhostname: |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
276 |
raise error.Abort(_(b'serverhostname argument is required')) |
29224
7424f4294199
sslutil: require serverhostname argument (API)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29115
diff
changeset
|
277 |
|
42269
c8d55ff80da1
sslutil: add support for SSLKEYLOGFILE to wrapsocket
Augie Fackler <augie@google.com>
parents:
42263
diff
changeset
|
278 |
if b'SSLKEYLOGFILE' in encoding.environ: |
c8d55ff80da1
sslutil: add support for SSLKEYLOGFILE to wrapsocket
Augie Fackler <augie@google.com>
parents:
42263
diff
changeset
|
279 |
try: |
46785
521ac0d7047f
typing: disable import error warnings that are already handled
Matt Harbison <matt_harbison@yahoo.com>
parents:
46113
diff
changeset
|
280 |
import sslkeylog # pytype: disable=import-error |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
281 |
|
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
282 |
sslkeylog.set_keylog( |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
283 |
pycompat.fsdecode(encoding.environ[b'SSLKEYLOGFILE']) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
284 |
) |
43080
86e4daa2d54c
cleanup: mark some ui.(status|note|warn|write) calls as not needing i18n
Augie Fackler <augie@google.com>
parents:
43077
diff
changeset
|
285 |
ui.warnnoi18n( |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
286 |
b'sslkeylog enabled by SSLKEYLOGFILE environment variable\n' |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
287 |
) |
42269
c8d55ff80da1
sslutil: add support for SSLKEYLOGFILE to wrapsocket
Augie Fackler <augie@google.com>
parents:
42263
diff
changeset
|
288 |
except ImportError: |
43080
86e4daa2d54c
cleanup: mark some ui.(status|note|warn|write) calls as not needing i18n
Augie Fackler <augie@google.com>
parents:
43077
diff
changeset
|
289 |
ui.warnnoi18n( |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
290 |
b'sslkeylog module missing, ' |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
291 |
b'but SSLKEYLOGFILE set in environment\n' |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
292 |
) |
42269
c8d55ff80da1
sslutil: add support for SSLKEYLOGFILE to wrapsocket
Augie Fackler <augie@google.com>
parents:
42263
diff
changeset
|
293 |
|
33381
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32291
diff
changeset
|
294 |
for f in (keyfile, certfile): |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32291
diff
changeset
|
295 |
if f and not os.path.exists(f): |
36747
4c71a26a4009
sslutil: some more forcebytes() on some exception messages
Augie Fackler <augie@google.com>
parents:
36746
diff
changeset
|
296 |
raise error.Abort( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
297 |
_(b'certificate file (%s) does not exist; cannot connect to %s') |
36747
4c71a26a4009
sslutil: some more forcebytes() on some exception messages
Augie Fackler <augie@google.com>
parents:
36746
diff
changeset
|
298 |
% (f, pycompat.bytesurl(serverhostname)), |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
299 |
hint=_( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
300 |
b'restore missing file or fix references ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
301 |
b'in Mercurial config' |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
302 |
), |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
303 |
) |
33381
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32291
diff
changeset
|
304 |
|
29259
ec247e8595f9
sslutil: move SSLContext.verify_mode value into _hostsettings
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29258
diff
changeset
|
305 |
settings = _hostsettings(ui, serverhostname) |
29249
cca59ef27e60
sslutil: move sslkwargs logic into internal function (API)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29248
diff
changeset
|
306 |
|
29557
53de8255ec4e
sslutil: update comment about create_default_context()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29554
diff
changeset
|
307 |
# We can't use ssl.create_default_context() because it calls |
53de8255ec4e
sslutil: update comment about create_default_context()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29554
diff
changeset
|
308 |
# load_default_certs() unless CA arguments are passed to it. We want to |
53de8255ec4e
sslutil: update comment about create_default_context()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29554
diff
changeset
|
309 |
# have explicit control over CA loading because implicitly loading |
53de8255ec4e
sslutil: update comment about create_default_context()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29554
diff
changeset
|
310 |
# CAs may undermine the user's intent. For example, a user may define a CA |
53de8255ec4e
sslutil: update comment about create_default_context()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29554
diff
changeset
|
311 |
# bundle with a specific CA cert removed. If the system/default CA bundle |
53de8255ec4e
sslutil: update comment about create_default_context()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29554
diff
changeset
|
312 |
# is loaded and contains that removed CA, you've just undone the user's |
53de8255ec4e
sslutil: update comment about create_default_context()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29554
diff
changeset
|
313 |
# choice. |
49054
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
314 |
|
50928
d718eddf01d9
safehasattr: drop usage in favor of hasattr
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
50602
diff
changeset
|
315 |
if hasattr(ssl, 'TLSVersion'): |
49054
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
316 |
# python 3.7+ |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
317 |
sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
318 |
minimumprotocol = settings[b'minimumprotocol'] |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
319 |
if minimumprotocol == b'tls1.0': |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
320 |
with warnings.catch_warnings(): |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
321 |
warnings.filterwarnings( |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
322 |
'ignore', |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
323 |
'ssl.TLSVersion.TLSv1 is deprecated', |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
324 |
DeprecationWarning, |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
325 |
) |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
326 |
sslcontext.minimum_version = ssl.TLSVersion.TLSv1 |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
327 |
elif minimumprotocol == b'tls1.1': |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
328 |
with warnings.catch_warnings(): |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
329 |
warnings.filterwarnings( |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
330 |
'ignore', |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
331 |
'ssl.TLSVersion.TLSv1_1 is deprecated', |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
332 |
DeprecationWarning, |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
333 |
) |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
334 |
sslcontext.minimum_version = ssl.TLSVersion.TLSv1_1 |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
335 |
elif minimumprotocol == b'tls1.2': |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
336 |
sslcontext.minimum_version = ssl.TLSVersion.TLSv1_2 |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
337 |
else: |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
338 |
raise error.Abort(_(b'this should not happen')) |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
339 |
# Prevent CRIME. |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
340 |
# There is no guarantee this attribute is defined on the module. |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
341 |
sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0) |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
342 |
else: |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
343 |
# Despite its name, PROTOCOL_SSLv23 selects the highest protocol that both |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
344 |
# ends support, including TLS protocols. commonssloptions() restricts the |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
345 |
# set of allowed protocols. |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
346 |
sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23) |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
347 |
sslcontext.options |= commonssloptions(settings[b'minimumprotocol']) |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
348 |
|
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
349 |
# We check the hostname ourselves in _verifycert |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
350 |
sslcontext.check_hostname = False |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
351 |
sslcontext.verify_mode = settings[b'verifymode'] |
28848
e330db205b20
sslutil: move and document verify_mode assignment
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28653
diff
changeset
|
352 |
|
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
353 |
if settings[b'ciphers']: |
29577
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
354 |
try: |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
355 |
sslcontext.set_ciphers(pycompat.sysstr(settings[b'ciphers'])) |
29577
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
356 |
except ssl.SSLError as e: |
36747
4c71a26a4009
sslutil: some more forcebytes() on some exception messages
Augie Fackler <augie@google.com>
parents:
36746
diff
changeset
|
357 |
raise error.Abort( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
358 |
_(b'could not set ciphers: %s') |
37084
f0b6fbea00cf
stringutil: bulk-replace call sites to point to new module
Yuya Nishihara <yuya@tcha.org>
parents:
36747
diff
changeset
|
359 |
% stringutil.forcebytestr(e.args[0]), |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
360 |
hint=_(b'change cipher string (%s) in config') |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
361 |
% settings[b'ciphers'], |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
362 |
) |
29577
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
363 |
|
28652
c617614aefd2
sslutil: remove indentation in wrapsocket declaration
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28651
diff
changeset
|
364 |
if certfile is not None: |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
365 |
|
28652
c617614aefd2
sslutil: remove indentation in wrapsocket declaration
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28651
diff
changeset
|
366 |
def password(): |
c617614aefd2
sslutil: remove indentation in wrapsocket declaration
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28651
diff
changeset
|
367 |
f = keyfile or certfile |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
368 |
return ui.getpass(_(b'passphrase for %s: ') % f, b'') |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
369 |
|
28652
c617614aefd2
sslutil: remove indentation in wrapsocket declaration
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28651
diff
changeset
|
370 |
sslcontext.load_cert_chain(certfile, keyfile, password) |
28848
e330db205b20
sslutil: move and document verify_mode assignment
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28653
diff
changeset
|
371 |
|
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
372 |
if settings[b'cafile'] is not None: |
29446
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
373 |
try: |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
374 |
sslcontext.load_verify_locations(cafile=settings[b'cafile']) |
29446
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
375 |
except ssl.SSLError as e: |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
376 |
if len(e.args) == 1: # pypy has different SSLError args |
29927
799e36749f1a
ssl: handle a difference in SSLError with pypy (issue5348)
Pierre-Yves David <pierre-yves.david@ens-lyon.org>
parents:
29631
diff
changeset
|
377 |
msg = e.args[0] |
799e36749f1a
ssl: handle a difference in SSLError with pypy (issue5348)
Pierre-Yves David <pierre-yves.david@ens-lyon.org>
parents:
29631
diff
changeset
|
378 |
else: |
799e36749f1a
ssl: handle a difference in SSLError with pypy (issue5348)
Pierre-Yves David <pierre-yves.david@ens-lyon.org>
parents:
29631
diff
changeset
|
379 |
msg = e.args[1] |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
380 |
raise error.Abort( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
381 |
_(b'error loading CA file %s: %s') |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
382 |
% (settings[b'cafile'], stringutil.forcebytestr(msg)), |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
383 |
hint=_(b'file is empty or malformed?'), |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
384 |
) |
29113
5b9577edf745
sslutil: use CA loaded state to drive validation logic
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29112
diff
changeset
|
385 |
caloaded = True |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
386 |
elif settings[b'allowloaddefaultcerts']: |
28652
c617614aefd2
sslutil: remove indentation in wrapsocket declaration
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28651
diff
changeset
|
387 |
# This is a no-op on old Python. |
c617614aefd2
sslutil: remove indentation in wrapsocket declaration
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28651
diff
changeset
|
388 |
sslcontext.load_default_certs() |
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29287
diff
changeset
|
389 |
caloaded = True |
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29287
diff
changeset
|
390 |
else: |
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29287
diff
changeset
|
391 |
caloaded = False |
23834
bf07c19b4c82
https: support tls sni (server name indication) for https urls (issue3090)
Alex Orange <crazycasta@gmail.com>
parents:
23069
diff
changeset
|
392 |
|
29449
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29447
diff
changeset
|
393 |
try: |
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29447
diff
changeset
|
394 |
sslsocket = sslcontext.wrap_socket(sock, server_hostname=serverhostname) |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29558
diff
changeset
|
395 |
except ssl.SSLError as e: |
29449
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29447
diff
changeset
|
396 |
# If we're doing certificate verification and no CA certs are loaded, |
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29447
diff
changeset
|
397 |
# that is almost certainly the reason why verification failed. Provide |
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29447
diff
changeset
|
398 |
# a hint to the user. |
31725
c777b12cdc9b
sslutil: clarify internal documentation
Matt Harbison <matt_harbison@yahoo.com>
parents:
31290
diff
changeset
|
399 |
# The exception handler is here to handle bugs around cert attributes: |
c777b12cdc9b
sslutil: clarify internal documentation
Matt Harbison <matt_harbison@yahoo.com>
parents:
31290
diff
changeset
|
400 |
# https://bugs.python.org/issue20916#msg213479. (See issues5313.) |
c777b12cdc9b
sslutil: clarify internal documentation
Matt Harbison <matt_harbison@yahoo.com>
parents:
31290
diff
changeset
|
401 |
# When the main 20916 bug occurs, 'sslcontext.get_ca_certs()' is a |
c777b12cdc9b
sslutil: clarify internal documentation
Matt Harbison <matt_harbison@yahoo.com>
parents:
31290
diff
changeset
|
402 |
# non-empty list, but the following conditional is otherwise True. |
29631
387bdd53c77e
sslutil: work around SSLContext.get_ca_certs bug on Windows (issue5313)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29619
diff
changeset
|
403 |
try: |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
404 |
if ( |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
405 |
caloaded |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
406 |
and settings[b'verifymode'] == ssl.CERT_REQUIRED |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
407 |
and not sslcontext.get_ca_certs() |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
408 |
): |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
409 |
ui.warn( |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
410 |
_( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
411 |
b'(an attempt was made to load CA certificates but ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
412 |
b'none were loaded; see ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
413 |
b'https://mercurial-scm.org/wiki/SecureConnections ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
414 |
b'for how to configure Mercurial to avoid this ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
415 |
b'error)\n' |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
416 |
) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
417 |
) |
29631
387bdd53c77e
sslutil: work around SSLContext.get_ca_certs bug on Windows (issue5313)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29619
diff
changeset
|
418 |
except ssl.SSLError: |
387bdd53c77e
sslutil: work around SSLContext.get_ca_certs bug on Windows (issue5313)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29619
diff
changeset
|
419 |
pass |
41410
0d226b2139df
sslutil: use raw strings for exception reason compare
Gregory Szorc <gregory.szorc@gmail.com>
parents:
38475
diff
changeset
|
420 |
|
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29558
diff
changeset
|
421 |
# Try to print more helpful error messages for known failures. |
50928
d718eddf01d9
safehasattr: drop usage in favor of hasattr
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
50602
diff
changeset
|
422 |
if hasattr(e, 'reason'): |
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29618
diff
changeset
|
423 |
# This error occurs when the client and server don't share a |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29618
diff
changeset
|
424 |
# common/supported SSL/TLS protocol. We've disabled SSLv2 and SSLv3 |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29618
diff
changeset
|
425 |
# outright. Hopefully the reason for this error is that we require |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29618
diff
changeset
|
426 |
# TLS 1.1+ and the server only supports TLS 1.0. Whatever the |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29618
diff
changeset
|
427 |
# reason, try to emit an actionable warning. |
49057
27ef2aa953dd
sslutil: support TLSV1_ALERT_PROTOCOL_VERSION reason code
Julien Cristau <jcristau@debian.org>
parents:
49055
diff
changeset
|
428 |
if e.reason in ( |
27ef2aa953dd
sslutil: support TLSV1_ALERT_PROTOCOL_VERSION reason code
Julien Cristau <jcristau@debian.org>
parents:
49055
diff
changeset
|
429 |
'UNSUPPORTED_PROTOCOL', |
27ef2aa953dd
sslutil: support TLSV1_ALERT_PROTOCOL_VERSION reason code
Julien Cristau <jcristau@debian.org>
parents:
49055
diff
changeset
|
430 |
'TLSV1_ALERT_PROTOCOL_VERSION', |
27ef2aa953dd
sslutil: support TLSV1_ALERT_PROTOCOL_VERSION reason code
Julien Cristau <jcristau@debian.org>
parents:
49055
diff
changeset
|
431 |
): |
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29618
diff
changeset
|
432 |
# We attempted TLS 1.0+. |
44899
4ca1110991c4
sslutil: rename 'minimumprotocolui' -> 'minimumprotocol'
Manuel Jacob <me@manueljacob.de>
parents:
44898
diff
changeset
|
433 |
if settings[b'minimumprotocol'] == b'tls1.0': |
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29618
diff
changeset
|
434 |
# We support more than just TLS 1.0+. If this happens, |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29618
diff
changeset
|
435 |
# the likely scenario is either the client or the server |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29618
diff
changeset
|
436 |
# is really old. (e.g. server doesn't support TLS 1.0+ or |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29618
diff
changeset
|
437 |
# client doesn't support modern TLS versions introduced |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29618
diff
changeset
|
438 |
# several years from when this comment was written). |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
439 |
if supportedprotocols != {b'tls1.0'}: |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
440 |
ui.warn( |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
441 |
_( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
442 |
b'(could not communicate with %s using security ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
443 |
b'protocols %s; if you are using a modern Mercurial ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
444 |
b'version, consider contacting the operator of this ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
445 |
b'server; see ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
446 |
b'https://mercurial-scm.org/wiki/SecureConnections ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
447 |
b'for more info)\n' |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
448 |
) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
449 |
% ( |
41411
f07aff7e8b5a
sslutil: ensure serverhostname is bytes when formatting
Gregory Szorc <gregory.szorc@gmail.com>
parents:
41410
diff
changeset
|
450 |
pycompat.bytesurl(serverhostname), |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
451 |
b', '.join(sorted(supportedprotocols)), |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
452 |
) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
453 |
) |
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29618
diff
changeset
|
454 |
else: |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
455 |
ui.warn( |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
456 |
_( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
457 |
b'(could not communicate with %s using TLS 1.0; the ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
458 |
b'likely cause of this is the server no longer ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
459 |
b'supports TLS 1.0 because it has known security ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
460 |
b'vulnerabilities; see ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
461 |
b'https://mercurial-scm.org/wiki/SecureConnections ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
462 |
b'for more info)\n' |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
463 |
) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
464 |
% pycompat.bytesurl(serverhostname) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
465 |
) |
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29618
diff
changeset
|
466 |
else: |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29618
diff
changeset
|
467 |
# We attempted TLS 1.1+. We can only get here if the client |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29618
diff
changeset
|
468 |
# supports the configured protocol. So the likely reason is |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29618
diff
changeset
|
469 |
# the client wants better security than the server can |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29618
diff
changeset
|
470 |
# offer. |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
471 |
ui.warn( |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
472 |
_( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
473 |
b'(could not negotiate a common security protocol (%s+) ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
474 |
b'with %s; the likely cause is Mercurial is configured ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
475 |
b'to be more secure than the server can support)\n' |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
476 |
) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
477 |
% ( |
44899
4ca1110991c4
sslutil: rename 'minimumprotocolui' -> 'minimumprotocol'
Manuel Jacob <me@manueljacob.de>
parents:
44898
diff
changeset
|
478 |
settings[b'minimumprotocol'], |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
479 |
pycompat.bytesurl(serverhostname), |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
480 |
) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
481 |
) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
482 |
ui.warn( |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
483 |
_( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
484 |
b'(consider contacting the operator of this ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
485 |
b'server and ask them to support modern TLS ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
486 |
b'protocol versions; or, set ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
487 |
b'hostsecurity.%s:minimumprotocol=tls1.0 to allow ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
488 |
b'use of legacy, less secure protocols when ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
489 |
b'communicating with this server)\n' |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
490 |
) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
491 |
% pycompat.bytesurl(serverhostname) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
492 |
) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
493 |
ui.warn( |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
494 |
_( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
495 |
b'(see https://mercurial-scm.org/wiki/SecureConnections ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
496 |
b'for more info)\n' |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
497 |
) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
498 |
) |
33494
30f2715be123
sslutil: inform the user about how to fix an incomplete certificate chain
Matt Harbison <matt_harbison@yahoo.com>
parents:
33381
diff
changeset
|
499 |
|
43506
9f70512ae2cf
cleanup: remove pointless r-prefixes on single-quoted strings
Augie Fackler <augie@google.com>
parents:
43117
diff
changeset
|
500 |
elif e.reason == 'CERTIFICATE_VERIFY_FAILED' and pycompat.iswindows: |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
501 |
ui.warn( |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
502 |
_( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
503 |
b'(the full certificate chain may not be available ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
504 |
b'locally; see "hg help debugssl")\n' |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
505 |
) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
506 |
) |
29449
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29447
diff
changeset
|
507 |
raise |
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29447
diff
changeset
|
508 |
|
28652
c617614aefd2
sslutil: remove indentation in wrapsocket declaration
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28651
diff
changeset
|
509 |
# check if wrap_socket failed silently because socket had been |
c617614aefd2
sslutil: remove indentation in wrapsocket declaration
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28651
diff
changeset
|
510 |
# closed |
c617614aefd2
sslutil: remove indentation in wrapsocket declaration
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28651
diff
changeset
|
511 |
# - see http://bugs.python.org/issue13721 |
c617614aefd2
sslutil: remove indentation in wrapsocket declaration
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28651
diff
changeset
|
512 |
if not sslsocket.cipher(): |
45915
8f50dc096cf4
errors: introduce SecurityError and use it in a few places
Martin von Zweigbergk <martinvonz@google.com>
parents:
44902
diff
changeset
|
513 |
raise error.SecurityError(_(b'ssl connection failed')) |
29113
5b9577edf745
sslutil: use CA loaded state to drive validation logic
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29112
diff
changeset
|
514 |
|
29225
b115eed11780
sslutil: use a dict for hanging hg state off the wrapped socket
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29224
diff
changeset
|
515 |
sslsocket._hgstate = { |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
516 |
b'caloaded': caloaded, |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
517 |
b'hostname': serverhostname, |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
518 |
b'settings': settings, |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
519 |
b'ui': ui, |
29225
b115eed11780
sslutil: use a dict for hanging hg state off the wrapped socket
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29224
diff
changeset
|
520 |
} |
29113
5b9577edf745
sslutil: use CA loaded state to drive validation logic
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29112
diff
changeset
|
521 |
|
28652
c617614aefd2
sslutil: remove indentation in wrapsocket declaration
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28651
diff
changeset
|
522 |
return sslsocket |
14204
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
523 |
|
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
524 |
|
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
525 |
def wrapserversocket( |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
526 |
sock, ui, certfile=None, keyfile=None, cafile=None, requireclientcert=False |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
527 |
): |
29554
4a7b0c696fbc
sslutil: implement wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29537
diff
changeset
|
528 |
"""Wrap a socket for use by servers. |
4a7b0c696fbc
sslutil: implement wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29537
diff
changeset
|
529 |
|
4a7b0c696fbc
sslutil: implement wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29537
diff
changeset
|
530 |
``certfile`` and ``keyfile`` specify the files containing the certificate's |
4a7b0c696fbc
sslutil: implement wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29537
diff
changeset
|
531 |
public and private keys, respectively. Both keys can be defined in the same |
4a7b0c696fbc
sslutil: implement wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29537
diff
changeset
|
532 |
file via ``certfile`` (the private key must come first in the file). |
4a7b0c696fbc
sslutil: implement wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29537
diff
changeset
|
533 |
|
4a7b0c696fbc
sslutil: implement wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29537
diff
changeset
|
534 |
``cafile`` defines the path to certificate authorities. |
4a7b0c696fbc
sslutil: implement wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29537
diff
changeset
|
535 |
|
4a7b0c696fbc
sslutil: implement wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29537
diff
changeset
|
536 |
``requireclientcert`` specifies whether to require client certificates. |
4a7b0c696fbc
sslutil: implement wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29537
diff
changeset
|
537 |
|
4a7b0c696fbc
sslutil: implement wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29537
diff
changeset
|
538 |
Typically ``cafile`` is only defined if ``requireclientcert`` is true. |
4a7b0c696fbc
sslutil: implement wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29537
diff
changeset
|
539 |
""" |
33381
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32291
diff
changeset
|
540 |
# This function is not used much by core Mercurial, so the error messaging |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32291
diff
changeset
|
541 |
# doesn't have to be as detailed as for wrapsocket(). |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32291
diff
changeset
|
542 |
for f in (certfile, keyfile, cafile): |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32291
diff
changeset
|
543 |
if f and not os.path.exists(f): |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
544 |
raise error.Abort( |
43117
8ff1ecfadcd1
cleanup: join string literals that are already on one line
Martin von Zweigbergk <martinvonz@google.com>
parents:
43089
diff
changeset
|
545 |
_(b'referenced certificate file (%s) does not exist') % f |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
546 |
) |
33381
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32291
diff
changeset
|
547 |
|
50928
d718eddf01d9
safehasattr: drop usage in favor of hasattr
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
50602
diff
changeset
|
548 |
if hasattr(ssl, 'TLSVersion'): |
49054
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
549 |
# python 3.7+ |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
550 |
sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
551 |
sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0) |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29558
diff
changeset
|
552 |
|
49054
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
553 |
# This config option is intended for use in tests only. It is a giant |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
554 |
# footgun to kill security. Don't define it. |
50341
698ffff7024b
configitems: make devel.serverexactprotocol look dangerous
pacien <pacien.trangirard@pacien.net>
parents:
49383
diff
changeset
|
555 |
exactprotocol = ui.config(b'devel', b'server-insecure-exact-protocol') |
49054
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
556 |
if exactprotocol == b'tls1.0': |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
557 |
if b'tls1.0' not in supportedprotocols: |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
558 |
raise error.Abort(_(b'TLS 1.0 not supported by this Python')) |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
559 |
with warnings.catch_warnings(): |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
560 |
warnings.filterwarnings( |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
561 |
'ignore', |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
562 |
'ssl.TLSVersion.TLSv1 is deprecated', |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
563 |
DeprecationWarning, |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
564 |
) |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
565 |
sslcontext.minimum_version = ssl.TLSVersion.TLSv1 |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
566 |
sslcontext.maximum_version = ssl.TLSVersion.TLSv1 |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
567 |
elif exactprotocol == b'tls1.1': |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
568 |
if b'tls1.1' not in supportedprotocols: |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
569 |
raise error.Abort(_(b'TLS 1.1 not supported by this Python')) |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
570 |
with warnings.catch_warnings(): |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
571 |
warnings.filterwarnings( |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
572 |
'ignore', |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
573 |
'ssl.TLSVersion.TLSv1_1 is deprecated', |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
574 |
DeprecationWarning, |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
575 |
) |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
576 |
sslcontext.minimum_version = ssl.TLSVersion.TLSv1_1 |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
577 |
sslcontext.maximum_version = ssl.TLSVersion.TLSv1_1 |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
578 |
elif exactprotocol == b'tls1.2': |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
579 |
if b'tls1.2' not in supportedprotocols: |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
580 |
raise error.Abort(_(b'TLS 1.2 not supported by this Python')) |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
581 |
sslcontext.minimum_version = ssl.TLSVersion.TLSv1_2 |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
582 |
sslcontext.maximum_version = ssl.TLSVersion.TLSv1_2 |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
583 |
elif exactprotocol: |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
584 |
raise error.Abort( |
50341
698ffff7024b
configitems: make devel.serverexactprotocol look dangerous
pacien <pacien.trangirard@pacien.net>
parents:
49383
diff
changeset
|
585 |
_(b'invalid value for server-insecure-exact-protocol: %s') |
698ffff7024b
configitems: make devel.serverexactprotocol look dangerous
pacien <pacien.trangirard@pacien.net>
parents:
49383
diff
changeset
|
586 |
% exactprotocol |
49054
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
587 |
) |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
588 |
else: |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
589 |
# Despite its name, PROTOCOL_SSLv23 selects the highest protocol that both |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
590 |
# ends support, including TLS protocols. commonssloptions() restricts the |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
591 |
# set of allowed protocols. |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
592 |
protocol = ssl.PROTOCOL_SSLv23 |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
593 |
options = commonssloptions(b'tls1.0') |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29558
diff
changeset
|
594 |
|
49054
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
595 |
# This config option is intended for use in tests only. It is a giant |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
596 |
# footgun to kill security. Don't define it. |
50341
698ffff7024b
configitems: make devel.serverexactprotocol look dangerous
pacien <pacien.trangirard@pacien.net>
parents:
49383
diff
changeset
|
597 |
exactprotocol = ui.config(b'devel', b'server-insecure-exact-protocol') |
49054
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
598 |
if exactprotocol == b'tls1.0': |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
599 |
if b'tls1.0' not in supportedprotocols: |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
600 |
raise error.Abort(_(b'TLS 1.0 not supported by this Python')) |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
601 |
protocol = ssl.PROTOCOL_TLSv1 |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
602 |
elif exactprotocol == b'tls1.1': |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
603 |
if b'tls1.1' not in supportedprotocols: |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
604 |
raise error.Abort(_(b'TLS 1.1 not supported by this Python')) |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
605 |
protocol = ssl.PROTOCOL_TLSv1_1 |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
606 |
elif exactprotocol == b'tls1.2': |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
607 |
if b'tls1.2' not in supportedprotocols: |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
608 |
raise error.Abort(_(b'TLS 1.2 not supported by this Python')) |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
609 |
protocol = ssl.PROTOCOL_TLSv1_2 |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
610 |
elif exactprotocol: |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
611 |
raise error.Abort( |
50341
698ffff7024b
configitems: make devel.serverexactprotocol look dangerous
pacien <pacien.trangirard@pacien.net>
parents:
49383
diff
changeset
|
612 |
_(b'invalid value for server-insecure-exact-protocol: %s') |
698ffff7024b
configitems: make devel.serverexactprotocol look dangerous
pacien <pacien.trangirard@pacien.net>
parents:
49383
diff
changeset
|
613 |
% exactprotocol |
49054
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
614 |
) |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
615 |
|
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
616 |
# We /could/ use create_default_context() here since it doesn't load |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
617 |
# CAs when configured for client auth. However, it is hard-coded to |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
618 |
# use ssl.PROTOCOL_SSLv23 which may not be appropriate here. |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
619 |
sslcontext = ssl.SSLContext(protocol) |
5144d3579a9c
sslutil: avoid deprecation warnings from python 3.10's ssl module
Julien Cristau <jcristau@debian.org>
parents:
48875
diff
changeset
|
620 |
sslcontext.options |= options |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29558
diff
changeset
|
621 |
|
44878
035199ba04ee
sslutil: eliminate `modernssl` by constant-folding code using it
Manuel Jacob <me@manueljacob.de>
parents:
44876
diff
changeset
|
622 |
# Improve forward secrecy. |
035199ba04ee
sslutil: eliminate `modernssl` by constant-folding code using it
Manuel Jacob <me@manueljacob.de>
parents:
44876
diff
changeset
|
623 |
sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0) |
035199ba04ee
sslutil: eliminate `modernssl` by constant-folding code using it
Manuel Jacob <me@manueljacob.de>
parents:
44876
diff
changeset
|
624 |
sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0) |
29554
4a7b0c696fbc
sslutil: implement wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29537
diff
changeset
|
625 |
|
49055
50bd2910d162
sslutil: be less strict about which ciphers are allowed when using --insecure
Julien Cristau <jcristau@debian.org>
parents:
49054
diff
changeset
|
626 |
# In tests, allow insecure ciphers |
50bd2910d162
sslutil: be less strict about which ciphers are allowed when using --insecure
Julien Cristau <jcristau@debian.org>
parents:
49054
diff
changeset
|
627 |
# Otherwise, use the list of more secure ciphers if found in the ssl module. |
50bd2910d162
sslutil: be less strict about which ciphers are allowed when using --insecure
Julien Cristau <jcristau@debian.org>
parents:
49054
diff
changeset
|
628 |
if exactprotocol: |
50342
c54e9bb5737e
sslutil: set context security level for legacy tls testing (issue6760)
pacien <pacien.trangirard@pacien.net>
parents:
50341
diff
changeset
|
629 |
sslcontext.set_ciphers('DEFAULT:@SECLEVEL=0') |
50928
d718eddf01d9
safehasattr: drop usage in favor of hasattr
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
50602
diff
changeset
|
630 |
elif hasattr(ssl, '_RESTRICTED_SERVER_CIPHERS'): |
44878
035199ba04ee
sslutil: eliminate `modernssl` by constant-folding code using it
Manuel Jacob <me@manueljacob.de>
parents:
44876
diff
changeset
|
631 |
sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0) |
46786
52528570312e
typing: disable module attribute warnings for properly conditionalized code
Matt Harbison <matt_harbison@yahoo.com>
parents:
46785
diff
changeset
|
632 |
# pytype: disable=module-attr |
44878
035199ba04ee
sslutil: eliminate `modernssl` by constant-folding code using it
Manuel Jacob <me@manueljacob.de>
parents:
44876
diff
changeset
|
633 |
sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS) |
46786
52528570312e
typing: disable module attribute warnings for properly conditionalized code
Matt Harbison <matt_harbison@yahoo.com>
parents:
46785
diff
changeset
|
634 |
# pytype: enable=module-attr |
29554
4a7b0c696fbc
sslutil: implement wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29537
diff
changeset
|
635 |
|
4a7b0c696fbc
sslutil: implement wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29537
diff
changeset
|
636 |
if requireclientcert: |
4a7b0c696fbc
sslutil: implement wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29537
diff
changeset
|
637 |
sslcontext.verify_mode = ssl.CERT_REQUIRED |
4a7b0c696fbc
sslutil: implement wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29537
diff
changeset
|
638 |
else: |
4a7b0c696fbc
sslutil: implement wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29537
diff
changeset
|
639 |
sslcontext.verify_mode = ssl.CERT_NONE |
4a7b0c696fbc
sslutil: implement wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29537
diff
changeset
|
640 |
|
4a7b0c696fbc
sslutil: implement wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29537
diff
changeset
|
641 |
if certfile or keyfile: |
4a7b0c696fbc
sslutil: implement wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29537
diff
changeset
|
642 |
sslcontext.load_cert_chain(certfile=certfile, keyfile=keyfile) |
4a7b0c696fbc
sslutil: implement wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29537
diff
changeset
|
643 |
|
4a7b0c696fbc
sslutil: implement wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29537
diff
changeset
|
644 |
if cafile: |
4a7b0c696fbc
sslutil: implement wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29537
diff
changeset
|
645 |
sslcontext.load_verify_locations(cafile=cafile) |
4a7b0c696fbc
sslutil: implement wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29537
diff
changeset
|
646 |
|
4a7b0c696fbc
sslutil: implement wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29537
diff
changeset
|
647 |
return sslcontext.wrap_socket(sock, server_side=True) |
4a7b0c696fbc
sslutil: implement wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29537
diff
changeset
|
648 |
|
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
649 |
|
29452
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
650 |
class wildcarderror(Exception): |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
651 |
"""Represents an error parsing wildcards in DNS name.""" |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
652 |
|
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
653 |
|
29452
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
654 |
def _dnsnamematch(dn, hostname, maxwildcards=1): |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
655 |
"""Match DNS names according RFC 6125 section 6.4.3. |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
656 |
|
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
657 |
This code is effectively copied from CPython's ssl._dnsname_match. |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
658 |
|
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
659 |
Returns a bool indicating whether the expected hostname matches |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
660 |
the value in ``dn``. |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
661 |
""" |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
662 |
pats = [] |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
663 |
if not dn: |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
664 |
return False |
36745
424994a0adfd
sslutil: lots of unicode/bytes cleanup
Augie Fackler <augie@google.com>
parents:
35582
diff
changeset
|
665 |
dn = pycompat.bytesurl(dn) |
424994a0adfd
sslutil: lots of unicode/bytes cleanup
Augie Fackler <augie@google.com>
parents:
35582
diff
changeset
|
666 |
hostname = pycompat.bytesurl(hostname) |
29452
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
667 |
|
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
668 |
pieces = dn.split(b'.') |
29452
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
669 |
leftmost = pieces[0] |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
670 |
remainder = pieces[1:] |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
671 |
wildcards = leftmost.count(b'*') |
29452
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
672 |
if wildcards > maxwildcards: |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
673 |
raise wildcarderror( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
674 |
_(b'too many wildcards in certificate DNS name: %s') % dn |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
675 |
) |
29452
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
676 |
|
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
677 |
# speed up common case w/o wildcards |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
678 |
if not wildcards: |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
679 |
return dn.lower() == hostname.lower() |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
680 |
|
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
681 |
# RFC 6125, section 6.4.3, subitem 1. |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
682 |
# The client SHOULD NOT attempt to match a presented identifier in which |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
683 |
# the wildcard character comprises a label other than the left-most label. |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
684 |
if leftmost == b'*': |
29452
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
685 |
# When '*' is a fragment by itself, it matches a non-empty dotless |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
686 |
# fragment. |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
687 |
pats.append(b'[^.]+') |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
688 |
elif leftmost.startswith(b'xn--') or hostname.startswith(b'xn--'): |
29452
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
689 |
# RFC 6125, section 6.4.3, subitem 3. |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
690 |
# The client SHOULD NOT attempt to match a presented identifier |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
691 |
# where the wildcard character is embedded within an A-label or |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
692 |
# U-label of an internationalized domain name. |
38475
67dc32d4e790
cleanup: migrate from re.escape to stringutil.reescape
Augie Fackler <augie@google.com>
parents:
37872
diff
changeset
|
693 |
pats.append(stringutil.reescape(leftmost)) |
29452
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
694 |
else: |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
695 |
# Otherwise, '*' matches any dotless string, e.g. www* |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
696 |
pats.append(stringutil.reescape(leftmost).replace(br'\*', b'[^.]*')) |
29452
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
697 |
|
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
698 |
# add the remaining fragments, ignore any wildcards |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
699 |
for frag in remainder: |
38475
67dc32d4e790
cleanup: migrate from re.escape to stringutil.reescape
Augie Fackler <augie@google.com>
parents:
37872
diff
changeset
|
700 |
pats.append(stringutil.reescape(frag)) |
29452
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
701 |
|
37666
46e705b79323
py3: add b'' prefixes to make values bytes
Pulkit Goyal <7895pulkit@gmail.com>
parents:
37120
diff
changeset
|
702 |
pat = re.compile(br'\A' + br'\.'.join(pats) + br'\Z', re.IGNORECASE) |
29452
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
703 |
return pat.match(hostname) is not None |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
704 |
|
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
705 |
|
14204
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
706 |
def _verifycert(cert, hostname): |
45942
89a2afe31e82
formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents:
45915
diff
changeset
|
707 |
"""Verify that cert (in socket.getpeercert() format) matches hostname. |
14204
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
708 |
CRLs is not handled. |
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
709 |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
710 |
Returns error message if any problems are found and None on success. |
45942
89a2afe31e82
formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents:
45915
diff
changeset
|
711 |
""" |
14204
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
712 |
if not cert: |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
713 |
return _(b'no certificate received') |
14204
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
714 |
|
29452
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
715 |
dnsnames = [] |
43506
9f70512ae2cf
cleanup: remove pointless r-prefixes on single-quoted strings
Augie Fackler <augie@google.com>
parents:
43117
diff
changeset
|
716 |
san = cert.get('subjectAltName', []) |
29452
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
717 |
for key, value in san: |
43506
9f70512ae2cf
cleanup: remove pointless r-prefixes on single-quoted strings
Augie Fackler <augie@google.com>
parents:
43117
diff
changeset
|
718 |
if key == 'DNS': |
29452
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
719 |
try: |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
720 |
if _dnsnamematch(value, hostname): |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
721 |
return |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
722 |
except wildcarderror as e: |
37084
f0b6fbea00cf
stringutil: bulk-replace call sites to point to new module
Yuya Nishihara <yuya@tcha.org>
parents:
36747
diff
changeset
|
723 |
return stringutil.forcebytestr(e.args[0]) |
29452
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
724 |
|
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
725 |
dnsnames.append(value) |
14204
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
726 |
|
29452
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
727 |
if not dnsnames: |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
728 |
# The subject is only checked when there is no DNS in subjectAltName. |
43506
9f70512ae2cf
cleanup: remove pointless r-prefixes on single-quoted strings
Augie Fackler <augie@google.com>
parents:
43117
diff
changeset
|
729 |
for sub in cert.get('subject', []): |
29452
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
730 |
for key, value in sub: |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
731 |
# According to RFC 2818 the most specific Common Name must |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
732 |
# be used. |
43506
9f70512ae2cf
cleanup: remove pointless r-prefixes on single-quoted strings
Augie Fackler <augie@google.com>
parents:
43117
diff
changeset
|
733 |
if key == 'commonName': |
30332
318a24b52eeb
spelling: fixes of non-dictionary words
Mads Kiilerich <madski@unity3d.com>
parents:
30228
diff
changeset
|
734 |
# 'subject' entries are unicode. |
29452
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
735 |
try: |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
736 |
value = value.encode('ascii') |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
737 |
except UnicodeEncodeError: |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
738 |
return _(b'IDN in certificate not supported') |
29452
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
739 |
|
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
740 |
try: |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
741 |
if _dnsnamematch(value, hostname): |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
742 |
return |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
743 |
except wildcarderror as e: |
37084
f0b6fbea00cf
stringutil: bulk-replace call sites to point to new module
Yuya Nishihara <yuya@tcha.org>
parents:
36747
diff
changeset
|
744 |
return stringutil.forcebytestr(e.args[0]) |
29452
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
745 |
|
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
746 |
dnsnames.append(value) |
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
747 |
|
37872
51a2f8d199c7
sslutil: fix some edge cases in Python 3 support
Augie Fackler <augie@google.com>
parents:
37666
diff
changeset
|
748 |
dnsnames = [pycompat.bytesurl(d) for d in dnsnames] |
29452
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
749 |
if len(dnsnames) > 1: |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
750 |
return _(b'certificate is for %s') % b', '.join(dnsnames) |
29452
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
751 |
elif len(dnsnames) == 1: |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
752 |
return _(b'certificate is for %s') % dnsnames[0] |
29452
26a5d605b868
sslutil: synchronize hostname matching logic with CPython
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29042
diff
changeset
|
753 |
else: |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
754 |
return _(b'no commonName or subjectAltName found in certificate') |
14204
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
755 |
|
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
756 |
|
23042
2cd3fa4412dc
ssl: only use the dummy cert hack if using an Apple Python (issue4410)
Mads Kiilerich <madski@unity3d.com>
parents:
22575
diff
changeset
|
757 |
def _plainapplepython(): |
2cd3fa4412dc
ssl: only use the dummy cert hack if using an Apple Python (issue4410)
Mads Kiilerich <madski@unity3d.com>
parents:
22575
diff
changeset
|
758 |
"""return true if this seems to be a pure Apple Python that |
2cd3fa4412dc
ssl: only use the dummy cert hack if using an Apple Python (issue4410)
Mads Kiilerich <madski@unity3d.com>
parents:
22575
diff
changeset
|
759 |
* is unfrozen and presumably has the whole mercurial module in the file |
2cd3fa4412dc
ssl: only use the dummy cert hack if using an Apple Python (issue4410)
Mads Kiilerich <madski@unity3d.com>
parents:
22575
diff
changeset
|
760 |
system |
2cd3fa4412dc
ssl: only use the dummy cert hack if using an Apple Python (issue4410)
Mads Kiilerich <madski@unity3d.com>
parents:
22575
diff
changeset
|
761 |
* presumably is an Apple Python that uses Apple OpenSSL which has patches |
2cd3fa4412dc
ssl: only use the dummy cert hack if using an Apple Python (issue4410)
Mads Kiilerich <madski@unity3d.com>
parents:
22575
diff
changeset
|
762 |
for using system certificate store CAs in addition to the provided |
2cd3fa4412dc
ssl: only use the dummy cert hack if using an Apple Python (issue4410)
Mads Kiilerich <madski@unity3d.com>
parents:
22575
diff
changeset
|
763 |
cacerts file |
2cd3fa4412dc
ssl: only use the dummy cert hack if using an Apple Python (issue4410)
Mads Kiilerich <madski@unity3d.com>
parents:
22575
diff
changeset
|
764 |
""" |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
765 |
if ( |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
766 |
not pycompat.isdarwin |
43671
664e24207728
procutil: move mainfrozen() to new resourceutil.py
Martin von Zweigbergk <martinvonz@google.com>
parents:
43506
diff
changeset
|
767 |
or resourceutil.mainfrozen() |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
768 |
or not pycompat.sysexecutable |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
769 |
): |
23042
2cd3fa4412dc
ssl: only use the dummy cert hack if using an Apple Python (issue4410)
Mads Kiilerich <madski@unity3d.com>
parents:
22575
diff
changeset
|
770 |
return False |
30669
10b17ed9b591
py3: replace sys.executable with pycompat.sysexecutable
Pulkit Goyal <7895pulkit@gmail.com>
parents:
30641
diff
changeset
|
771 |
exe = os.path.realpath(pycompat.sysexecutable).lower() |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
772 |
return exe.startswith(b'/usr/bin/python') or exe.startswith( |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
773 |
b'/system/library/frameworks/python.framework/' |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
774 |
) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
775 |
|
23042
2cd3fa4412dc
ssl: only use the dummy cert hack if using an Apple Python (issue4410)
Mads Kiilerich <madski@unity3d.com>
parents:
22575
diff
changeset
|
776 |
|
29483
918dce4b8c26
sslutil: pass ui to _defaultcacerts
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29482
diff
changeset
|
777 |
def _defaultcacerts(ui): |
29488
1c26b9ce66f8
sslutil: expand _defaultcacerts docstring to note calling assumptions
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29487
diff
changeset
|
778 |
"""return path to default CA certificates or None. |
1c26b9ce66f8
sslutil: expand _defaultcacerts docstring to note calling assumptions
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29487
diff
changeset
|
779 |
|
1c26b9ce66f8
sslutil: expand _defaultcacerts docstring to note calling assumptions
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29487
diff
changeset
|
780 |
It is assumed this function is called when the returned certificates |
1c26b9ce66f8
sslutil: expand _defaultcacerts docstring to note calling assumptions
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29487
diff
changeset
|
781 |
file will actually be used to validate connections. Therefore this |
1c26b9ce66f8
sslutil: expand _defaultcacerts docstring to note calling assumptions
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29487
diff
changeset
|
782 |
function may print warnings or debug messages assuming this usage. |
29500
4b16a5bd9948
sslutil: try to find CA certficates in well-known locations
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29499
diff
changeset
|
783 |
|
4b16a5bd9948
sslutil: try to find CA certficates in well-known locations
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29499
diff
changeset
|
784 |
We don't print a message when the Python is able to load default |
4b16a5bd9948
sslutil: try to find CA certficates in well-known locations
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29499
diff
changeset
|
785 |
CA certs because this scenario is detected at socket connect time. |
29488
1c26b9ce66f8
sslutil: expand _defaultcacerts docstring to note calling assumptions
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29487
diff
changeset
|
786 |
""" |
30228
b9f7b0c10027
sslutil: guard against broken certifi installations (issue5406)
Gábor Stefanik <gabor.stefanik@nng.com>
parents:
29927
diff
changeset
|
787 |
# The "certifi" Python package provides certificates. If it is installed |
b9f7b0c10027
sslutil: guard against broken certifi installations (issue5406)
Gábor Stefanik <gabor.stefanik@nng.com>
parents:
29927
diff
changeset
|
788 |
# and usable, assume the user intends it to be used and use it. |
29486
a62c00f6dd04
sslutil: use certificates provided by certifi if available
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29484
diff
changeset
|
789 |
try: |
51293
03fc41fe8aa1
pytype: ignore certifi import error
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
50929
diff
changeset
|
790 |
import certifi # pytype: disable=import-error |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
791 |
|
29486
a62c00f6dd04
sslutil: use certificates provided by certifi if available
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29484
diff
changeset
|
792 |
certs = certifi.where() |
30228
b9f7b0c10027
sslutil: guard against broken certifi installations (issue5406)
Gábor Stefanik <gabor.stefanik@nng.com>
parents:
29927
diff
changeset
|
793 |
if os.path.exists(certs): |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
794 |
ui.debug(b'using ca certificates from certifi\n') |
42263
ce5f1232631f
sslutil: fsencode path returned by certifi (issue6132)
Augie Fackler <augie@google.com>
parents:
41411
diff
changeset
|
795 |
return pycompat.fsencode(certs) |
30228
b9f7b0c10027
sslutil: guard against broken certifi installations (issue5406)
Gábor Stefanik <gabor.stefanik@nng.com>
parents:
29927
diff
changeset
|
796 |
except (ImportError, AttributeError): |
29486
a62c00f6dd04
sslutil: use certificates provided by certifi if available
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29484
diff
changeset
|
797 |
pass |
a62c00f6dd04
sslutil: use certificates provided by certifi if available
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29484
diff
changeset
|
798 |
|
29487
cdcb5747dc88
sslutil: document the Apple OpenSSL cert trick
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29486
diff
changeset
|
799 |
# Apple's OpenSSL has patches that allow a specially constructed certificate |
cdcb5747dc88
sslutil: document the Apple OpenSSL cert trick
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29486
diff
changeset
|
800 |
# to load the system CA store. If we're running on Apple Python, use this |
cdcb5747dc88
sslutil: document the Apple OpenSSL cert trick
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29486
diff
changeset
|
801 |
# trick. |
24288
922e087ba158
ssl: extract function that returns dummycert path on Apple python
Yuya Nishihara <yuya@tcha.org>
parents:
23851
diff
changeset
|
802 |
if _plainapplepython(): |
31074
2912b06905dc
py3: use pycompat.fsencode() to convert __file__ to bytes
Pulkit Goyal <7895pulkit@gmail.com>
parents:
30669
diff
changeset
|
803 |
dummycert = os.path.join( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
804 |
os.path.dirname(pycompat.fsencode(__file__)), b'dummycert.pem' |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
805 |
) |
24288
922e087ba158
ssl: extract function that returns dummycert path on Apple python
Yuya Nishihara <yuya@tcha.org>
parents:
23851
diff
changeset
|
806 |
if os.path.exists(dummycert): |
922e087ba158
ssl: extract function that returns dummycert path on Apple python
Yuya Nishihara <yuya@tcha.org>
parents:
23851
diff
changeset
|
807 |
return dummycert |
29107
c8fbfb9163ce
sslutil: move code examining _canloaddefaultcerts out of _defaultcacerts
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29106
diff
changeset
|
808 |
|
c8fbfb9163ce
sslutil: move code examining _canloaddefaultcerts out of _defaultcacerts
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29106
diff
changeset
|
809 |
return None |
24288
922e087ba158
ssl: extract function that returns dummycert path on Apple python
Yuya Nishihara <yuya@tcha.org>
parents:
23851
diff
changeset
|
810 |
|
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
811 |
|
29286
a05a91a3f120
sslutil: remove "strict" argument from validatesocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
812 |
def validatesocket(sock): |
30332
318a24b52eeb
spelling: fixes of non-dictionary words
Mads Kiilerich <madski@unity3d.com>
parents:
30228
diff
changeset
|
813 |
"""Validate a socket meets security requirements. |
18879
93b03a222c3e
sslutil: try harder to avoid getpeercert problems
Matt Mackall <mpm@selenic.com>
parents:
16391
diff
changeset
|
814 |
|
29227
dffe78d80a6c
sslutil: convert socket validation from a class to a function (API)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29226
diff
changeset
|
815 |
The passed socket must have been created with ``wrapsocket()``. |
dffe78d80a6c
sslutil: convert socket validation from a class to a function (API)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29226
diff
changeset
|
816 |
""" |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
817 |
shost = sock._hgstate[b'hostname'] |
36745
424994a0adfd
sslutil: lots of unicode/bytes cleanup
Augie Fackler <augie@google.com>
parents:
35582
diff
changeset
|
818 |
host = pycompat.bytesurl(shost) |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
819 |
ui = sock._hgstate[b'ui'] |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
820 |
settings = sock._hgstate[b'settings'] |
18879
93b03a222c3e
sslutil: try harder to avoid getpeercert problems
Matt Mackall <mpm@selenic.com>
parents:
16391
diff
changeset
|
821 |
|
29227
dffe78d80a6c
sslutil: convert socket validation from a class to a function (API)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29226
diff
changeset
|
822 |
try: |
dffe78d80a6c
sslutil: convert socket validation from a class to a function (API)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29226
diff
changeset
|
823 |
peercert = sock.getpeercert(True) |
dffe78d80a6c
sslutil: convert socket validation from a class to a function (API)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29226
diff
changeset
|
824 |
peercert2 = sock.getpeercert() |
dffe78d80a6c
sslutil: convert socket validation from a class to a function (API)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29226
diff
changeset
|
825 |
except AttributeError: |
45915
8f50dc096cf4
errors: introduce SecurityError and use it in a few places
Martin von Zweigbergk <martinvonz@google.com>
parents:
44902
diff
changeset
|
826 |
raise error.SecurityError(_(b'%s ssl connection error') % host) |
24288
922e087ba158
ssl: extract function that returns dummycert path on Apple python
Yuya Nishihara <yuya@tcha.org>
parents:
23851
diff
changeset
|
827 |
|
29227
dffe78d80a6c
sslutil: convert socket validation from a class to a function (API)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29226
diff
changeset
|
828 |
if not peercert: |
45915
8f50dc096cf4
errors: introduce SecurityError and use it in a few places
Martin von Zweigbergk <martinvonz@google.com>
parents:
44902
diff
changeset
|
829 |
raise error.SecurityError( |
43117
8ff1ecfadcd1
cleanup: join string literals that are already on one line
Martin von Zweigbergk <martinvonz@google.com>
parents:
43089
diff
changeset
|
830 |
_(b'%s certificate error: no certificate received') % host |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
831 |
) |
18879
93b03a222c3e
sslutil: try harder to avoid getpeercert problems
Matt Mackall <mpm@selenic.com>
parents:
16391
diff
changeset
|
832 |
|
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
833 |
if settings[b'disablecertverification']: |
29289
3536673a25ae
sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29288
diff
changeset
|
834 |
# We don't print the certificate fingerprint because it shouldn't |
3536673a25ae
sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29288
diff
changeset
|
835 |
# be necessary: if the user requested certificate verification be |
3536673a25ae
sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29288
diff
changeset
|
836 |
# disabled, they presumably already saw a message about the inability |
3536673a25ae
sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29288
diff
changeset
|
837 |
# to verify the certificate and this message would have printed the |
3536673a25ae
sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29288
diff
changeset
|
838 |
# fingerprint. So printing the fingerprint here adds little to no |
3536673a25ae
sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29288
diff
changeset
|
839 |
# value. |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
840 |
ui.warn( |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
841 |
_( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
842 |
b'warning: connection security to %s is disabled per current ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
843 |
b'settings; communication is susceptible to eavesdropping ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
844 |
b'and tampering\n' |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
845 |
) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
846 |
% host |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
847 |
) |
29289
3536673a25ae
sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29288
diff
changeset
|
848 |
return |
18879
93b03a222c3e
sslutil: try harder to avoid getpeercert problems
Matt Mackall <mpm@selenic.com>
parents:
16391
diff
changeset
|
849 |
|
29227
dffe78d80a6c
sslutil: convert socket validation from a class to a function (API)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29226
diff
changeset
|
850 |
# If a certificate fingerprint is pinned, use it and only it to |
dffe78d80a6c
sslutil: convert socket validation from a class to a function (API)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29226
diff
changeset
|
851 |
# validate the remote cert. |
29262
dfc4f08aa160
sslutil: calculate host fingerprints from additional algorithms
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29260
diff
changeset
|
852 |
peerfingerprints = { |
46113
59fa3890d40a
node: import symbols explicitly
Joerg Sonnenberger <joerg@bec.de>
parents:
45942
diff
changeset
|
853 |
b'sha1': hex(hashutil.sha1(peercert).digest()), |
59fa3890d40a
node: import symbols explicitly
Joerg Sonnenberger <joerg@bec.de>
parents:
45942
diff
changeset
|
854 |
b'sha256': hex(hashlib.sha256(peercert).digest()), |
59fa3890d40a
node: import symbols explicitly
Joerg Sonnenberger <joerg@bec.de>
parents:
45942
diff
changeset
|
855 |
b'sha512': hex(hashlib.sha512(peercert).digest()), |
29262
dfc4f08aa160
sslutil: calculate host fingerprints from additional algorithms
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29260
diff
changeset
|
856 |
} |
18879
93b03a222c3e
sslutil: try harder to avoid getpeercert problems
Matt Mackall <mpm@selenic.com>
parents:
16391
diff
changeset
|
857 |
|
29290
01248c37a68e
sslutil: print SHA-256 fingerprint by default
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29289
diff
changeset
|
858 |
def fmtfingerprint(s): |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
859 |
return b':'.join([s[x : x + 2] for x in range(0, len(s), 2)]) |
29290
01248c37a68e
sslutil: print SHA-256 fingerprint by default
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29289
diff
changeset
|
860 |
|
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
861 |
nicefingerprint = b'sha256:%s' % fmtfingerprint(peerfingerprints[b'sha256']) |
28850
3819c349b194
sslutil: document and slightly refactor validation logic
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28849
diff
changeset
|
862 |
|
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
863 |
if settings[b'certfingerprints']: |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
864 |
for hash, fingerprint in settings[b'certfingerprints']: |
29262
dfc4f08aa160
sslutil: calculate host fingerprints from additional algorithms
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29260
diff
changeset
|
865 |
if peerfingerprints[hash].lower() == fingerprint: |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
866 |
ui.debug( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
867 |
b'%s certificate matched fingerprint %s:%s\n' |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
868 |
% (host, hash, fmtfingerprint(fingerprint)) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
869 |
) |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
870 |
if settings[b'legacyfingerprint']: |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
871 |
ui.warn( |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
872 |
_( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
873 |
b'(SHA-1 fingerprint for %s found in legacy ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
874 |
b'[hostfingerprints] section; ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
875 |
b'if you trust this fingerprint, remove the old ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
876 |
b'SHA-1 fingerprint from [hostfingerprints] and ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
877 |
b'add the following entry to the new ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
878 |
b'[hostsecurity] section: %s:fingerprints=%s)\n' |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
879 |
) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
880 |
% (host, host, nicefingerprint) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
881 |
) |
29291
15e533b7909c
sslutil: refactor code for fingerprint matching
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29290
diff
changeset
|
882 |
return |
28850
3819c349b194
sslutil: document and slightly refactor validation logic
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28849
diff
changeset
|
883 |
|
29293
1b3a0b0c414f
sslutil: print the fingerprint from the last hash used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29292
diff
changeset
|
884 |
# Pinned fingerprint didn't match. This is a fatal error. |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
885 |
if settings[b'legacyfingerprint']: |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
886 |
section = b'hostfingerprint' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
887 |
nice = fmtfingerprint(peerfingerprints[b'sha1']) |
29293
1b3a0b0c414f
sslutil: print the fingerprint from the last hash used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29292
diff
changeset
|
888 |
else: |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
889 |
section = b'hostsecurity' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
890 |
nice = b'%s:%s' % (hash, fmtfingerprint(peerfingerprints[hash])) |
45915
8f50dc096cf4
errors: introduce SecurityError and use it in a few places
Martin von Zweigbergk <martinvonz@google.com>
parents:
44902
diff
changeset
|
891 |
raise error.SecurityError( |
43117
8ff1ecfadcd1
cleanup: join string literals that are already on one line
Martin von Zweigbergk <martinvonz@google.com>
parents:
43089
diff
changeset
|
892 |
_(b'certificate for %s has unexpected fingerprint %s') |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
893 |
% (host, nice), |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
894 |
hint=_(b'check %s configuration') % section, |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
895 |
) |
28850
3819c349b194
sslutil: document and slightly refactor validation logic
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28849
diff
changeset
|
896 |
|
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29410
diff
changeset
|
897 |
# Security is enabled but no CAs are loaded. We can't establish trust |
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29410
diff
changeset
|
898 |
# for the cert so abort. |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
899 |
if not sock._hgstate[b'caloaded']: |
45915
8f50dc096cf4
errors: introduce SecurityError and use it in a few places
Martin von Zweigbergk <martinvonz@google.com>
parents:
44902
diff
changeset
|
900 |
raise error.SecurityError( |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
901 |
_( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
902 |
b'unable to verify security of %s (no loaded CA certificates); ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
903 |
b'refusing to connect' |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
904 |
) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
905 |
% host, |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
906 |
hint=_( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
907 |
b'see https://mercurial-scm.org/wiki/SecureConnections for ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
908 |
b'how to configure Mercurial to avoid this error or set ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
909 |
b'hostsecurity.%s:fingerprints=%s to trust this server' |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
910 |
) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
911 |
% (host, nicefingerprint), |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
912 |
) |
29113
5b9577edf745
sslutil: use CA loaded state to drive validation logic
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29112
diff
changeset
|
913 |
|
36745
424994a0adfd
sslutil: lots of unicode/bytes cleanup
Augie Fackler <augie@google.com>
parents:
35582
diff
changeset
|
914 |
msg = _verifycert(peercert2, shost) |
29227
dffe78d80a6c
sslutil: convert socket validation from a class to a function (API)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29226
diff
changeset
|
915 |
if msg: |
45915
8f50dc096cf4
errors: introduce SecurityError and use it in a few places
Martin von Zweigbergk <martinvonz@google.com>
parents:
44902
diff
changeset
|
916 |
raise error.SecurityError( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
917 |
_(b'%s certificate error: %s') % (host, msg), |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
918 |
hint=_( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
919 |
b'set hostsecurity.%s:certfingerprints=%s ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
920 |
b'config setting or use --insecure to connect ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
921 |
b'insecurely' |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
922 |
) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
923 |
% (host, nicefingerprint), |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
42269
diff
changeset
|
924 |
) |