mercurial: mercurial/sslutil.py@26a5d605b868 (annotated)

14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	1	# sslutil.py - SSL handling for mercurial
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	2	#
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	3	# Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com>
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	4	# Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	5	# Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	6	#
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	7	# This software may be used and distributed according to the terms of the
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	8	# GNU General Public License version 2 or any later version.
25977 696f6e2be282 sslutil: use absolute_import Gregory Szorc <gregory.szorc@gmail.com> parents: 25432 diff changeset	9
696f6e2be282 sslutil: use absolute_import Gregory Szorc <gregory.szorc@gmail.com> parents: 25432 diff changeset	10	from __future__ import absolute_import
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	11
25977 696f6e2be282 sslutil: use absolute_import Gregory Szorc <gregory.szorc@gmail.com> parents: 25432 diff changeset	12	import os
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	13	import re
25977 696f6e2be282 sslutil: use absolute_import Gregory Szorc <gregory.szorc@gmail.com> parents: 25432 diff changeset	14	import ssl
696f6e2be282 sslutil: use absolute_import Gregory Szorc <gregory.szorc@gmail.com> parents: 25432 diff changeset	15	import sys
696f6e2be282 sslutil: use absolute_import Gregory Szorc <gregory.szorc@gmail.com> parents: 25432 diff changeset	16
696f6e2be282 sslutil: use absolute_import Gregory Szorc <gregory.szorc@gmail.com> parents: 25432 diff changeset	17	from .i18n import _
28577 7efff6ce9826 sslutil: use preferred formatting for import syntax Gregory Szorc <gregory.szorc@gmail.com> parents: 28525 diff changeset	18	from . import (
7efff6ce9826 sslutil: use preferred formatting for import syntax Gregory Szorc <gregory.szorc@gmail.com> parents: 28525 diff changeset	19	error,
7efff6ce9826 sslutil: use preferred formatting for import syntax Gregory Szorc <gregory.szorc@gmail.com> parents: 28525 diff changeset	20	util,
7efff6ce9826 sslutil: use preferred formatting for import syntax Gregory Szorc <gregory.szorc@gmail.com> parents: 28525 diff changeset	21	)
24291 760a86865f80 ssl: load CA certificates from system's store by default on Python 2.7.9 Yuya Nishihara <yuya@tcha.org> parents: 24290 diff changeset	22
28647 834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	23	# Python 2.7.9+ overhauled the built-in SSL/TLS features of Python. It added
834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	24	# support for TLS 1.1, TLS 1.2, SNI, system CA stores, etc. These features are
834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	25	# all exposed via the "ssl" module.
834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	26	#
834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	27	# Depending on the version of Python being used, SSL/TLS support is either
834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	28	# modern/secure or legacy/insecure. Many operations in this module have
834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	29	# separate code paths depending on support in Python.
834d1c4ba749 sslutil: better document state of security/ssl module Gregory Szorc <gregory.szorc@gmail.com> parents: 28577 diff changeset	30
26622 9e15286609ae sslutil: expose attribute indicating whether SNI is supported Gregory Szorc <gregory.szorc@gmail.com> parents: 26587 diff changeset	31	hassni = getattr(ssl, 'HAS_SNI', False)
9e15286609ae sslutil: expose attribute indicating whether SNI is supported Gregory Szorc <gregory.szorc@gmail.com> parents: 26587 diff changeset	32
28648 7fc787e5d8ec sslutil: store OP_NO_SSL* constants in module scope Gregory Szorc <gregory.szorc@gmail.com> parents: 28647 diff changeset	33	try:
7fc787e5d8ec sslutil: store OP_NO_SSL* constants in module scope Gregory Szorc <gregory.szorc@gmail.com> parents: 28647 diff changeset	34	OP_NO_SSLv2 = ssl.OP_NO_SSLv2
7fc787e5d8ec sslutil: store OP_NO_SSL* constants in module scope Gregory Szorc <gregory.szorc@gmail.com> parents: 28647 diff changeset	35	OP_NO_SSLv3 = ssl.OP_NO_SSLv3
7fc787e5d8ec sslutil: store OP_NO_SSL* constants in module scope Gregory Szorc <gregory.szorc@gmail.com> parents: 28647 diff changeset	36	except AttributeError:
7fc787e5d8ec sslutil: store OP_NO_SSL* constants in module scope Gregory Szorc <gregory.szorc@gmail.com> parents: 28647 diff changeset	37	OP_NO_SSLv2 = 0x1000000
7fc787e5d8ec sslutil: store OP_NO_SSL* constants in module scope Gregory Szorc <gregory.szorc@gmail.com> parents: 28647 diff changeset	38	OP_NO_SSLv3 = 0x2000000
7fc787e5d8ec sslutil: store OP_NO_SSL* constants in module scope Gregory Szorc <gregory.szorc@gmail.com> parents: 28647 diff changeset	39
28649 7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	40	try:
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	41	# ssl.SSLContext was added in 2.7.9 and presence indicates modern
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	42	# SSL/TLS features are available.
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	43	SSLContext = ssl.SSLContext
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	44	modernssl = True
28650 737863b01d9f sslutil: move _canloaddefaultcerts logic Gregory Szorc <gregory.szorc@gmail.com> parents: 28649 diff changeset	45	_canloaddefaultcerts = util.safehasattr(SSLContext, 'load_default_certs')
28649 7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	46	except AttributeError:
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	47	modernssl = False
28650 737863b01d9f sslutil: move _canloaddefaultcerts logic Gregory Szorc <gregory.szorc@gmail.com> parents: 28649 diff changeset	48	_canloaddefaultcerts = False
28649 7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	49
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	50	# We implement SSLContext using the interface from the standard library.
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	51	class SSLContext(object):
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	52	# ssl.wrap_socket gained the "ciphers" named argument in 2.7.
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	53	_supportsciphers = sys.version_info >= (2, 7)
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	54
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	55	def __init__(self, protocol):
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	56	# From the public interface of SSLContext
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	57	self.protocol = protocol
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	58	self.check_hostname = False
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	59	self.options = 0
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	60	self.verify_mode = ssl.CERT_NONE
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	61
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	62	# Used by our implementation.
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	63	self._certfile = None
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	64	self._keyfile = None
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	65	self._certpassword = None
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	66	self._cacerts = None
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	67	self._ciphers = None
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	68
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	69	def load_cert_chain(self, certfile, keyfile=None, password=None):
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	70	self._certfile = certfile
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	71	self._keyfile = keyfile
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	72	self._certpassword = password
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	73
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	74	def load_default_certs(self, purpose=None):
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	75	pass
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	76
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	77	def load_verify_locations(self, cafile=None, capath=None, cadata=None):
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	78	if capath:
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	79	raise error.Abort('capath not supported')
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	80	if cadata:
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	81	raise error.Abort('cadata not supported')
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	82
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	83	self._cacerts = cafile
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	84
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	85	def set_ciphers(self, ciphers):
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	86	if not self._supportsciphers:
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	87	raise error.Abort('setting ciphers not supported')
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	88
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	89	self._ciphers = ciphers
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	90
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	91	def wrap_socket(self, socket, server_hostname=None, server_side=False):
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	92	# server_hostname is unique to SSLContext.wrap_socket and is used
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	93	# for SNI in that context. So there's nothing for us to do with it
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	94	# in this legacy code since we don't support SNI.
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	95
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	96	args = {
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	97	'keyfile': self._keyfile,
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	98	'certfile': self._certfile,
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	99	'server_side': server_side,
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	100	'cert_reqs': self.verify_mode,
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	101	'ssl_version': self.protocol,
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	102	'ca_certs': self._cacerts,
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	103	}
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	104
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	105	if self._supportsciphers:
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	106	args['ciphers'] = self._ciphers
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	107
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	108	return ssl.wrap_socket(socket, **args)
7acab42ef184 sslutil: implement SSLContext class Gregory Szorc <gregory.szorc@gmail.com> parents: 28648 diff changeset	109
28652 c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	110	def wrapsocket(sock, keyfile, certfile, ui, cert_reqs=ssl.CERT_NONE,
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	111	ca_certs=None, serverhostname=None):
28653 1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	112	"""Add SSL/TLS to a socket.
1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	113
1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	114	This is a glorified wrapper for ``ssl.wrap_socket()``. It makes sane
1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	115	choices based on what security options are available.
1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	116
1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	117	In addition to the arguments supported by ``ssl.wrap_socket``, we allow
1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	118	the following additional arguments:
1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	119
1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	120	* serverhostname - The expected hostname of the remote server. If the
1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	121	server (and client) support SNI, this tells the server which certificate
1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	122	to use.
1eb0bd8adf39 sslutil: add docstring to wrapsocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 28652 diff changeset	123	"""
28652 c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	124	# Despite its name, PROTOCOL_SSLv23 selects the highest protocol
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	125	# that both ends support, including TLS protocols. On legacy stacks,
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	126	# the highest it likely goes in TLS 1.0. On modern stacks, it can
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	127	# support TLS 1.2.
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	128	#
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	129	# The PROTOCOL_TLSv* constants select a specific TLS version
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	130	# only (as opposed to multiple versions). So the method for
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	131	# supporting multiple TLS versions is to use PROTOCOL_SSLv23 and
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	132	# disable protocols via SSLContext.options and OP_NO_* constants.
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	133	# However, SSLContext.options doesn't work unless we have the
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	134	# full/real SSLContext available to us.
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	135	#
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	136	# SSLv2 and SSLv3 are broken. We ban them outright.
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	137	if modernssl:
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	138	protocol = ssl.PROTOCOL_SSLv23
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	139	else:
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	140	protocol = ssl.PROTOCOL_TLSv1
28651 4827d07073e6 sslutil: always use SSLContext Gregory Szorc <gregory.szorc@gmail.com> parents: 28650 diff changeset	141
28652 c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	142	# TODO use ssl.create_default_context() on modernssl.
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	143	sslcontext = SSLContext(protocol)
28651 4827d07073e6 sslutil: always use SSLContext Gregory Szorc <gregory.szorc@gmail.com> parents: 28650 diff changeset	144
28652 c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	145	# This is a no-op on old Python.
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	146	sslcontext.options \|= OP_NO_SSLv2 \| OP_NO_SSLv3
28651 4827d07073e6 sslutil: always use SSLContext Gregory Szorc <gregory.szorc@gmail.com> parents: 28650 diff changeset	147
28848 e330db205b20 sslutil: move and document verify_mode assignment Gregory Szorc <gregory.szorc@gmail.com> parents: 28653 diff changeset	148	# This still works on our fake SSLContext.
e330db205b20 sslutil: move and document verify_mode assignment Gregory Szorc <gregory.szorc@gmail.com> parents: 28653 diff changeset	149	sslcontext.verify_mode = cert_reqs
e330db205b20 sslutil: move and document verify_mode assignment Gregory Szorc <gregory.szorc@gmail.com> parents: 28653 diff changeset	150
28652 c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	151	if certfile is not None:
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	152	def password():
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	153	f = keyfile or certfile
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	154	return ui.getpass(_('passphrase for %s: ') % f, '')
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	155	sslcontext.load_cert_chain(certfile, keyfile, password)
28848 e330db205b20 sslutil: move and document verify_mode assignment Gregory Szorc <gregory.szorc@gmail.com> parents: 28653 diff changeset	156
28652 c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	157	if ca_certs is not None:
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	158	sslcontext.load_verify_locations(cafile=ca_certs)
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	159	else:
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	160	# This is a no-op on old Python.
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	161	sslcontext.load_default_certs()
23834 bf07c19b4c82 https: support tls sni (server name indication) for https urls (issue3090) Alex Orange <crazycasta@gmail.com> parents: 23069 diff changeset	162
28652 c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	163	sslsocket = sslcontext.wrap_socket(sock, server_hostname=serverhostname)
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	164	# check if wrap_socket failed silently because socket had been
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	165	# closed
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	166	# - see http://bugs.python.org/issue13721
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	167	if not sslsocket.cipher():
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	168	raise error.Abort(_('ssl connection failed'))
c617614aefd2 sslutil: remove indentation in wrapsocket declaration Gregory Szorc <gregory.szorc@gmail.com> parents: 28651 diff changeset	169	return sslsocket
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	170
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	171	class wildcarderror(Exception):
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	172	"""Represents an error parsing wildcards in DNS name."""
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	173
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	174	def _dnsnamematch(dn, hostname, maxwildcards=1):
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	175	"""Match DNS names according RFC 6125 section 6.4.3.
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	176
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	177	This code is effectively copied from CPython's ssl._dnsname_match.
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	178
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	179	Returns a bool indicating whether the expected hostname matches
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	180	the value in ``dn``.
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	181	"""
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	182	pats = []
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	183	if not dn:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	184	return False
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	185
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	186	pieces = dn.split(r'.')
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	187	leftmost = pieces[0]
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	188	remainder = pieces[1:]
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	189	wildcards = leftmost.count('*')
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	190	if wildcards > maxwildcards:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	191	raise wildcarderror(
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	192	_('too many wildcards in certificate DNS name: %s') % dn)
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	193
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	194	# speed up common case w/o wildcards
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	195	if not wildcards:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	196	return dn.lower() == hostname.lower()
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	197
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	198	# RFC 6125, section 6.4.3, subitem 1.
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	199	# The client SHOULD NOT attempt to match a presented identifier in which
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	200	# the wildcard character comprises a label other than the left-most label.
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	201	if leftmost == '*':
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	202	# When '*' is a fragment by itself, it matches a non-empty dotless
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	203	# fragment.
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	204	pats.append('[^.]+')
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	205	elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	206	# RFC 6125, section 6.4.3, subitem 3.
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	207	# The client SHOULD NOT attempt to match a presented identifier
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	208	# where the wildcard character is embedded within an A-label or
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	209	# U-label of an internationalized domain name.
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	210	pats.append(re.escape(leftmost))
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	211	else:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	212	# Otherwise, '' matches any dotless string, e.g. www
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	213	pats.append(re.escape(leftmost).replace(r'\', '[^.]'))
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	214
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	215	# add the remaining fragments, ignore any wildcards
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	216	for frag in remainder:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	217	pats.append(re.escape(frag))
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	218
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	219	pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	220	return pat.match(hostname) is not None
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	221
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	222	def _verifycert(cert, hostname):
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	223	'''Verify that cert (in socket.getpeercert() format) matches hostname.
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	224	CRLs is not handled.
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	225
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	226	Returns error message if any problems are found and None on success.
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	227	'''
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	228	if not cert:
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	229	return _('no certificate received')
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	230
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	231	dnsnames = []
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	232	san = cert.get('subjectAltName', [])
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	233	for key, value in san:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	234	if key == 'DNS':
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	235	try:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	236	if _dnsnamematch(value, hostname):
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	237	return
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	238	except wildcarderror as e:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	239	return e.message
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	240
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	241	dnsnames.append(value)
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	242
29452 26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	243	if not dnsnames:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	244	# The subject is only checked when there is no DNS in subjectAltName.
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	245	for sub in cert.get('subject', []):
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	246	for key, value in sub:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	247	# According to RFC 2818 the most specific Common Name must
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	248	# be used.
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	249	if key == 'commonName':
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	250	# 'subject' entries are unicide.
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	251	try:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	252	value = value.encode('ascii')
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	253	except UnicodeEncodeError:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	254	return _('IDN in certificate not supported')
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	255
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	256	try:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	257	if _dnsnamematch(value, hostname):
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	258	return
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	259	except wildcarderror as e:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	260	return e.message
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	261
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	262	dnsnames.append(value)
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	263
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	264	if len(dnsnames) > 1:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	265	return _('certificate is for %s') % ', '.join(dnsnames)
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	266	elif len(dnsnames) == 1:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	267	return _('certificate is for %s') % dnsnames[0]
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	268	else:
26a5d605b868 sslutil: synchronize hostname matching logic with CPython Gregory Szorc <gregory.szorc@gmail.com> parents: 29042 diff changeset	269	return _('no commonName or subjectAltName found in certificate')
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	270
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	271
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	272	# CERT_REQUIRED means fetch the cert from the server all the time AND
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	273	# validate it against the CA store provided in web.cacerts.
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	274
23042 2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	275	def _plainapplepython():
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	276	"""return true if this seems to be a pure Apple Python that
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	277	* is unfrozen and presumably has the whole mercurial module in the file
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	278	system
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	279	* presumably is an Apple Python that uses Apple OpenSSL which has patches
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	280	for using system certificate store CAs in addition to the provided
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	281	cacerts file
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	282	"""
24614 241d98d84aed ssl: resolve symlink before checking for Apple python executable (issue4588) Yuya Nishihara <yuya@tcha.org> parents: 24291 diff changeset	283	if sys.platform != 'darwin' or util.mainfrozen() or not sys.executable:
23042 2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	284	return False
24614 241d98d84aed ssl: resolve symlink before checking for Apple python executable (issue4588) Yuya Nishihara <yuya@tcha.org> parents: 24291 diff changeset	285	exe = os.path.realpath(sys.executable).lower()
23042 2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	286	return (exe.startswith('/usr/bin/python') or
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	287	exe.startswith('/system/library/frameworks/python.framework/'))
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	288
24288 922e087ba158 ssl: extract function that returns dummycert path on Apple python Yuya Nishihara <yuya@tcha.org> parents: 23851 diff changeset	289	def _defaultcacerts():
24291 760a86865f80 ssl: load CA certificates from system's store by default on Python 2.7.9 Yuya Nishihara <yuya@tcha.org> parents: 24290 diff changeset	290	"""return path to CA certificates; None for system's store; ! to disable"""
24288 922e087ba158 ssl: extract function that returns dummycert path on Apple python Yuya Nishihara <yuya@tcha.org> parents: 23851 diff changeset	291	if _plainapplepython():
922e087ba158 ssl: extract function that returns dummycert path on Apple python Yuya Nishihara <yuya@tcha.org> parents: 23851 diff changeset	292	dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
922e087ba158 ssl: extract function that returns dummycert path on Apple python Yuya Nishihara <yuya@tcha.org> parents: 23851 diff changeset	293	if os.path.exists(dummycert):
922e087ba158 ssl: extract function that returns dummycert path on Apple python Yuya Nishihara <yuya@tcha.org> parents: 23851 diff changeset	294	return dummycert
24291 760a86865f80 ssl: load CA certificates from system's store by default on Python 2.7.9 Yuya Nishihara <yuya@tcha.org> parents: 24290 diff changeset	295	if _canloaddefaultcerts:
760a86865f80 ssl: load CA certificates from system's store by default on Python 2.7.9 Yuya Nishihara <yuya@tcha.org> parents: 24290 diff changeset	296	return None
24290 b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) Yuya Nishihara <yuya@tcha.org> parents: 24288 diff changeset	297	return '!'
24288 922e087ba158 ssl: extract function that returns dummycert path on Apple python Yuya Nishihara <yuya@tcha.org> parents: 23851 diff changeset	298
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	299	def sslkwargs(ui, host):
25415 21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648) Yuya Nishihara <yuya@tcha.org> parents: 24614 diff changeset	300	kws = {'ui': ui}
22574 a00a7951b20c ssl: refactor sslkwargs - move things around a bit, preparing for next change Mads Kiilerich <madski@unity3d.com> parents: 19808 diff changeset	301	hostfingerprint = ui.config('hostfingerprints', host)
a00a7951b20c ssl: refactor sslkwargs - move things around a bit, preparing for next change Mads Kiilerich <madski@unity3d.com> parents: 19808 diff changeset	302	if hostfingerprint:
a00a7951b20c ssl: refactor sslkwargs - move things around a bit, preparing for next change Mads Kiilerich <madski@unity3d.com> parents: 19808 diff changeset	303	return kws
a00a7951b20c ssl: refactor sslkwargs - move things around a bit, preparing for next change Mads Kiilerich <madski@unity3d.com> parents: 19808 diff changeset	304	cacerts = ui.config('web', 'cacerts')
24290 b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) Yuya Nishihara <yuya@tcha.org> parents: 24288 diff changeset	305	if cacerts == '!':
b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) Yuya Nishihara <yuya@tcha.org> parents: 24288 diff changeset	306	pass
b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) Yuya Nishihara <yuya@tcha.org> parents: 24288 diff changeset	307	elif cacerts:
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	308	cacerts = util.expandpath(cacerts)
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	309	if not os.path.exists(cacerts):
26587 56b2bcea2529 error: get Abort from 'error' instead of 'util' Pierre-Yves David <pierre-yves.david@fb.com> parents: 25977 diff changeset	310	raise error.Abort(_('could not find web.cacerts: %s') % cacerts)
24290 b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) Yuya Nishihara <yuya@tcha.org> parents: 24288 diff changeset	311	else:
b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) Yuya Nishihara <yuya@tcha.org> parents: 24288 diff changeset	312	cacerts = _defaultcacerts()
b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) Yuya Nishihara <yuya@tcha.org> parents: 24288 diff changeset	313	if cacerts and cacerts != '!':
b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) Yuya Nishihara <yuya@tcha.org> parents: 24288 diff changeset	314	ui.debug('using %s to enable OS X system CA\n' % cacerts)
b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) Yuya Nishihara <yuya@tcha.org> parents: 24288 diff changeset	315	ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')
b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) Yuya Nishihara <yuya@tcha.org> parents: 24288 diff changeset	316	if cacerts != '!':
19806 47ff9d1abfa9 sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038) Augie Fackler <raf@durin42.com> parents: 19749 diff changeset	317	kws.update({'ca_certs': cacerts,
25432 bdc15b3c9bdb ssl: remove CERT_REQUIRED constant that was necessary for compatibility Yuya Nishihara <yuya@tcha.org> parents: 25431 diff changeset	318	'cert_reqs': ssl.CERT_REQUIRED,
19806 47ff9d1abfa9 sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038) Augie Fackler <raf@durin42.com> parents: 19749 diff changeset	319	})
47ff9d1abfa9 sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038) Augie Fackler <raf@durin42.com> parents: 19749 diff changeset	320	return kws
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	321
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	322	class validator(object):
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	323	def __init__(self, ui, host):
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	324	self.ui = ui
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	325	self.host = host
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	326
18887 2d7fac049d3a sslutil: abort if peer certificate is not verified for secure use FUJIWARA Katsunori <foozy@lares.dti.ne.jp> parents: 18879 diff changeset	327	def __call__(self, sock, strict=False):
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	328	host = self.host
18879 93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	329
15816 4bb59919c905 sslutil: work around validator crash getting certificate on failed sockets Mads Kiilerich <mads@kiilerich.com> parents: 15815 diff changeset	330	if not sock.cipher(): # work around http://bugs.python.org/issue13721
26587 56b2bcea2529 error: get Abort from 'error' instead of 'util' Pierre-Yves David <pierre-yves.david@fb.com> parents: 25977 diff changeset	331	raise error.Abort(_('%s ssl connection error') % host)
18879 93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	332	try:
93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	333	peercert = sock.getpeercert(True)
93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	334	peercert2 = sock.getpeercert()
93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	335	except AttributeError:
26587 56b2bcea2529 error: get Abort from 'error' instead of 'util' Pierre-Yves David <pierre-yves.david@fb.com> parents: 25977 diff changeset	336	raise error.Abort(_('%s ssl connection error') % host)
18879 93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	337
15817 8f377751b510 sslutil: abort properly if no certificate received for https connection Mads Kiilerich <mads@kiilerich.com> parents: 15816 diff changeset	338	if not peercert:
26587 56b2bcea2529 error: get Abort from 'error' instead of 'util' Pierre-Yves David <pierre-yves.david@fb.com> parents: 25977 diff changeset	339	raise error.Abort(_('%s certificate error: '
15817 8f377751b510 sslutil: abort properly if no certificate received for https connection Mads Kiilerich <mads@kiilerich.com> parents: 15816 diff changeset	340	'no certificate received') % host)
28850 3819c349b194 sslutil: document and slightly refactor validation logic Gregory Szorc <gregory.szorc@gmail.com> parents: 28849 diff changeset	341
3819c349b194 sslutil: document and slightly refactor validation logic Gregory Szorc <gregory.szorc@gmail.com> parents: 28849 diff changeset	342	# If a certificate fingerprint is pinned, use it and only it to
3819c349b194 sslutil: document and slightly refactor validation logic Gregory Szorc <gregory.szorc@gmail.com> parents: 28849 diff changeset	343	# validate the remote cert.
3819c349b194 sslutil: document and slightly refactor validation logic Gregory Szorc <gregory.szorc@gmail.com> parents: 28849 diff changeset	344	hostfingerprints = self.ui.configlist('hostfingerprints', host)
15814 c3e958b50a22 sslutil: show fingerprint when cacerts validation fails Mads Kiilerich <mads@kiilerich.com> parents: 15813 diff changeset	345	peerfingerprint = util.sha1(peercert).hexdigest()
c3e958b50a22 sslutil: show fingerprint when cacerts validation fails Mads Kiilerich <mads@kiilerich.com> parents: 15813 diff changeset	346	nicefingerprint = ":".join([peerfingerprint[x:x + 2]
c3e958b50a22 sslutil: show fingerprint when cacerts validation fails Mads Kiilerich <mads@kiilerich.com> parents: 15813 diff changeset	347	for x in xrange(0, len(peerfingerprint), 2)])
28525 dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27688 diff changeset	348	if hostfingerprints:
dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27688 diff changeset	349	fingerprintmatch = False
dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27688 diff changeset	350	for hostfingerprint in hostfingerprints:
dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27688 diff changeset	351	if peerfingerprint.lower() == \
dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27688 diff changeset	352	hostfingerprint.replace(':', '').lower():
dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27688 diff changeset	353	fingerprintmatch = True
dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27688 diff changeset	354	break
dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27688 diff changeset	355	if not fingerprintmatch:
26587 56b2bcea2529 error: get Abort from 'error' instead of 'util' Pierre-Yves David <pierre-yves.david@fb.com> parents: 25977 diff changeset	356	raise error.Abort(_('certificate for %s has unexpected '
15997 a45516cb8d9f sslutil: more helpful fingerprint mismatch message Matt Mackall <mpm@selenic.com> parents: 15817 diff changeset	357	'fingerprint %s') % (host, nicefingerprint),
a45516cb8d9f sslutil: more helpful fingerprint mismatch message Matt Mackall <mpm@selenic.com> parents: 15817 diff changeset	358	hint=_('check hostfingerprint configuration'))
15815 edc3a901a63d sslutil: reorder validator code to make it more readable Mads Kiilerich <mads@kiilerich.com> parents: 15814 diff changeset	359	self.ui.debug('%s certificate matched fingerprint %s\n' %
edc3a901a63d sslutil: reorder validator code to make it more readable Mads Kiilerich <mads@kiilerich.com> parents: 15814 diff changeset	360	(host, nicefingerprint))
28850 3819c349b194 sslutil: document and slightly refactor validation logic Gregory Szorc <gregory.szorc@gmail.com> parents: 28849 diff changeset	361	return
3819c349b194 sslutil: document and slightly refactor validation logic Gregory Szorc <gregory.szorc@gmail.com> parents: 28849 diff changeset	362
3819c349b194 sslutil: document and slightly refactor validation logic Gregory Szorc <gregory.szorc@gmail.com> parents: 28849 diff changeset	363	# No pinned fingerprint. Establish trust by looking at the CAs.
3819c349b194 sslutil: document and slightly refactor validation logic Gregory Szorc <gregory.szorc@gmail.com> parents: 28849 diff changeset	364	cacerts = self.ui.config('web', 'cacerts')
3819c349b194 sslutil: document and slightly refactor validation logic Gregory Szorc <gregory.szorc@gmail.com> parents: 28849 diff changeset	365	if cacerts != '!':
18879 93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	366	msg = _verifycert(peercert2, host)
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	367	if msg:
26587 56b2bcea2529 error: get Abort from 'error' instead of 'util' Pierre-Yves David <pierre-yves.david@fb.com> parents: 25977 diff changeset	368	raise error.Abort(_('%s certificate error: %s') % (host, msg),
15814 c3e958b50a22 sslutil: show fingerprint when cacerts validation fails Mads Kiilerich <mads@kiilerich.com> parents: 15813 diff changeset	369	hint=_('configure hostfingerprint %s or use '
c3e958b50a22 sslutil: show fingerprint when cacerts validation fails Mads Kiilerich <mads@kiilerich.com> parents: 15813 diff changeset	370	'--insecure to connect insecurely') %
c3e958b50a22 sslutil: show fingerprint when cacerts validation fails Mads Kiilerich <mads@kiilerich.com> parents: 15813 diff changeset	371	nicefingerprint)
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	372	self.ui.debug('%s certificate successfully verified\n' % host)
18887 2d7fac049d3a sslutil: abort if peer certificate is not verified for secure use FUJIWARA Katsunori <foozy@lares.dti.ne.jp> parents: 18879 diff changeset	373	elif strict:
26587 56b2bcea2529 error: get Abort from 'error' instead of 'util' Pierre-Yves David <pierre-yves.david@fb.com> parents: 25977 diff changeset	374	raise error.Abort(_('%s certificate with fingerprint %s not '
18887 2d7fac049d3a sslutil: abort if peer certificate is not verified for secure use FUJIWARA Katsunori <foozy@lares.dti.ne.jp> parents: 18879 diff changeset	375	'verified') % (host, nicefingerprint),
2d7fac049d3a sslutil: abort if peer certificate is not verified for secure use FUJIWARA Katsunori <foozy@lares.dti.ne.jp> parents: 18879 diff changeset	376	hint=_('check hostfingerprints or web.cacerts '
2d7fac049d3a sslutil: abort if peer certificate is not verified for secure use FUJIWARA Katsunori <foozy@lares.dti.ne.jp> parents: 18879 diff changeset	377	'config setting'))
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	378	else:
15815 edc3a901a63d sslutil: reorder validator code to make it more readable Mads Kiilerich <mads@kiilerich.com> parents: 15814 diff changeset	379	self.ui.warn(_('warning: %s certificate with fingerprint %s not '
edc3a901a63d sslutil: reorder validator code to make it more readable Mads Kiilerich <mads@kiilerich.com> parents: 15814 diff changeset	380	'verified (check hostfingerprints or web.cacerts '
edc3a901a63d sslutil: reorder validator code to make it more readable Mads Kiilerich <mads@kiilerich.com> parents: 15814 diff changeset	381	'config setting)\n') %
edc3a901a63d sslutil: reorder validator code to make it more readable Mads Kiilerich <mads@kiilerich.com> parents: 15814 diff changeset	382	(host, nicefingerprint))

author	Gregory Szorc <gregory.szorc@gmail.com>
	Sun, 26 Jun 2016 19:34:48 -0700
branch	stable
changeset 29452	26a5d605b868
parent 29042	693b856a4d45
child 29459	fd93b15b5c30
child 29460	a7d1532b26a1
permissions	-rw-r--r--