cn4ddlZddlZddlZddlZddlZddlmZddlmZddl m Z ddl m Z m Z mZmZddlmZmZmZhdZeed d ZeZeed ejed red eedejedredeedejedreddZdZddZ d dZGddeZd!dZdZ dZ!dZ"dZ#dS)"N)_)getattr)hex)encodingerrorpycompatutil)hashutil resourceutil stringutil>tls1.0tls1.1tls1.2HAS_SNIF HAS_TLSv1PROTOCOL_TLSv1r HAS_TLSv1_1PROTOCOL_TLSv1_1r HAS_TLSv1_2PROTOCOL_TLSv1_2rc tj|}dgddddddd}d}tdhz sJd}d}|d ||}|||d |z}|d ||}||||d d }|d d |z|}|jrd}|sd }||d<||d <|d d|z} | D]} | ds5tjtd|| fztd| dd\} } | dd } |d | | f|d|D]L} | dd } |d d| fd|d<M|drtj|d<d|d<n |jrd|d<tj|d<d|d<|ddrd|d<|d d|z} |dr'| r%|td |z|dG| rct%j| } t(j| s*tjtd!d"|fz| fz| |d#<n|d$d%} | rkt%j| } t(j| s7tjtd&| ztd'd(zzn1|dr)t/|} | r|d)| z| |d#<| s|drtj|d<ntj|d<|dJ|S)*zhObtain security settings for a hostname. Returns a dict of settings relevant to that hostname. TNF)allowloaddefaultcertscertfingerprintscafiledisablecertverificationlegacyfingerprintminimumprotocol verifymodeciphersc |tvr]tjtd||fztddt tzdS)Ns-unsupported protocol from hostsecurity.%s: %ssvalid protocols: %s hint)configprotocolsrAbortrjoinsorted)protocolkeys 3/usr/lib/python3/dist-packages/mercurial/sslutil.pyvalidateprotocolz'_hostsettings..validateprotocolZsn ? * *+BCC/"-..))F?33445  + *rrr hostsecuritys%s:minimumprotocolr s %s:cipherssDEFAULT:@SECLEVEL=0s%s:fingerprints)ssha1:ssha256:ssha512:sinvalid fingerprint for %s: %ss0must begin with "sha1:", "sha256:", or "sha512:"r#:rr-rshostfingerprintssha1rrrrdevelsdisableloaddefaultcertss%s:verifycertsfiless(hostsecurity.%s:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification) s'path specified by %s does not exist: %sshostsecurity.%s:verifycertsfilerswebscacertsscould not find web.cacerts: %ss (try installing the %s package)sca-certificatessusing %s for CA file )r bytesurlsupportedprotocolsconfiginsecureconnections configlist startswithrr&rsplitreplacelowerappendssl CERT_NONE configboolwarnr expandpathospathexists_defaultcacertsdebug CERT_REQUIRED) uihostname bhostnamesr,defaultminimumprotocolr*minimumprotocolciphers fingerprints fingerprintalgcafiles r+ _hostsettingsrR=s !(++I#'$)#!'  A.  ++++& Cii6LMMO_c*** ) +CiioFFO_c***ii44Gii)BGLLG  -# -,G+AAjM==+i7L$ : : &&'IJJ +344 ;7OOJKK  ',,T155[!))$44::<<  %%sK&89999}}%8)DD'' !))$44::<<  %%w &<==="&  ,=-&+ "## ,(, $%=-&+ "# }}X9::,&+ "# YY(= (I J JF  &   #           "_V,,F7>>&)) k@AA:i\I"AiLLYYvz22F A00w~~f--+;<>ASST +, A(,,AHH6?@@@!AiL  -Q/0 -"0Am   #}Am  ]  ' ' ' Hr-cb|tvrtd|ztjtjz}|dkrnZ|dkr|tjz}nD|dkr|tjtjzz}n!tjtd|ttddz}|S)z8Return SSLContext options common to servers and clients.s protocol value not supported: %srrrthis should not happenOP_NO_COMPRESSIONr) r% ValueErrorr< OP_NO_SSLv2 OP_NO_SSLv3 OP_NO_TLSv1 OP_NO_TLSv1_1rr&rr)rLoptionss r+commonssloptionsr\so--<NOOOo/G)## I % %3?" I % %3?S%666k!566777 ws/333G Nr-c |s!tjtddtjvrw ddl}|tjtjd dn%#t$r dYnwxYwfD]j}|rftj |sGtjtd|tj|fztd kt|}t!jt$d rOt%jt$j}|d } | d kr]t+j5t+jd dt0t$jj|_dddn #1swxYwYn| dkr]t+j5t+jd dt0t$jj|_dddn #1swxYwYn>| dkrt$jj|_n!tjtd|xjt?t$ddzc_nAt%jt$j }|xjtC|d zc_d|_"|d|_#|dr |$tj%|dnp#t$j&$r^} tjtdtOj(| j)dztd|dz d} ~ wwxYwfd} |*| |d |+|dn#t$j&$r} tY| j)dkr| j)d} n | j)d} tjtd|dtOj(| fztd d} ~ wwxYwd} n!|d r|-d} nd} |.||!}n #t$j&$r } | rL|dt$j/kr6|0s"1td"n#t$j&$rYnwxYwt!j| d#r| j2d$vrI|d d krtfd hkr`1td%tj|d&4tktffzn 1td'tj|zn҉1td(|d tj|fz1td)tj|z1td*n9| j2d+kr.tj6r"1td,d} ~ wwxYw|7s!tj8td-| ||d.|_9|S)/aAdd SSL/TLS to a socket. This is a glorified wrapper for ``ssl.wrap_socket()``. It makes sane choices based on what security options are available. In addition to the arguments supported by ``ssl.wrap_socket``, we allow the following additional arguments: * serverhostname - The expected hostname of the remote server. If the server (and client) support SNI, this tells the server which certificate to use. s#serverhostname argument is requireds SSLKEYLOGFILErNs8sslkeylog enabled by SSLKEYLOGFILE environment variable s?sslkeylog module missing, but SSLKEYLOGFILE set in environment s:certificate file (%s) does not exist; cannot connect to %ss:restore missing file or fix references in Mercurial configr# TLSVersionrrignore"ssl.TLSVersion.TLSv1 is deprecatedr$ssl.TLSVersion.TLSv1_1 is deprecatedrrTrUFrr scould not set ciphers: %ss#change cipher string (%s) in configcXp}td|zdS)Nspassphrase for %s: r-)getpassr)fcertfilekeyfilerGs r+passwordzwrapsocket..passwordos/#8A::a 677!;SAA Ar-rrQrserror loading CA file %s: %ssfile is empty or malformed?Tr)server_hostnames(an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) sreason)UNSUPPORTED_PROTOCOLTLSV1_ALERT_PROTOCOL_VERSIONs(could not communicate with %s using security protocols %s; if you are using a modern Mercurial version, consider contacting the operator of this server; see https://mercurial-scm.org/wiki/SecureConnections for more info) , s(could not communicate with %s using TLS 1.0; the likely cause of this is the server no longer supports TLS 1.0 because it has known security vulnerabilities; see https://mercurial-scm.org/wiki/SecureConnections for more info) s(could not negotiate a common security protocol (%s+) with %s; the likely cause is Mercurial is configured to be more secure than the server can support) s(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.%s:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) sE(see https://mercurial-scm.org/wiki/SecureConnections for more info) CERTIFICATE_VERIFY_FAILEDsR(the full certificate chain may not be available locally; see "hg help debugssl") sssl connection failed)caloadedhostnamesettingsui):rr&rrenviron sslkeylog set_keylogr fsdecode warnnoi18n ImportErrorrArBrCr2rRr safehasattrr< SSLContextPROTOCOL_TLS_CLIENTwarningscatch_warningsfilterwarningsDeprecationWarningr^TLSv1minimum_versionTLSv1_1TLSv1_2r[rPROTOCOL_SSLv23r\check_hostname verify_mode set_cipherssysstrSSLErrorr forcebytestrargsload_cert_chainload_verify_locationslenload_default_certs wrap_socketrF get_ca_certsr?reasonr3r'r( iswindowscipher SecurityError_hgstate)sockrfrerGserverhostnamersrdsettings sslcontextrLergmsgcaloaded sslsockets ``` r+ wrapsocketrs Ek!BCCDDD8+++       !("23C"DEE    MML        MM:       x    RW^^A&& +OPPh'7789+ R00H \** M^C$;<< "#56 i ' '(** B B'8& .1^-A *  B B B B B B B B B B B B B B B ) )(** D D':& .1^-C *  D D D D D D D D D D D D D D D ) )),)?J & &+a 9::;; ; gc+>BBB ^C$788 .x8J/KLLL!&J%m4J     " "8?8J3G#H#H I I I I|   +.//)!&)445=>>:&'   B B B B B B B ""8Wh??? &   , ,HY4G , H H H H|   16{{afQifQi+122I& (?(D(DEF566   * +%%'''s**4*PP <qqq  ]+s/@@@"//11A$|    D   Ay ) )U  x ./9<< *i[88!4!) 1. A A % 62D+E+E F F     !4'/??@     GGP %%78$-n==    GGA#+N;;<   GG0888X=O8> cql     ?!!$<"="=>>># I sABB)(B)2GG G(2H&&H*-H*3-L!!N0AN  N:OQ+&BQ&&Q+R,,[ =AT  [ T[TF&[[ c |||fD]G}|rCtj|s$tjt d|zHt jtdr&tj tj }|xj ttddzc_ | dd}|dkrdtvr!tjt dtj5tjd d t$tjj|_tjj|_d d d n #1swxYwYn\|d krd tvr!tjt d tj5tjd dt$tjj|_tjj|_d d d n #1swxYwYn|dkrXdtvr!tjt dtjj|_tjj|_nZ|r$tjt d|zn2tj} t5d} | dd}|dkr7dtvr!tjt dtj} n|d kr7d tvr!tjt d tj} nc|dkr7dtvr!tjt dtj} n&|r$tjt d|ztj | }|xj | zc_ |xj ttddzc_ |xj ttddzc_ |r|dn]t jtdrC|xj ttddzc_ |tj|rtj |_!ntj"|_!|s|r|#|||r|$||%|dS)aWrap a socket for use by servers. ``certfile`` and ``keyfile`` specify the files containing the certificate's public and private keys, respectively. Both keys can be defined in the same file via ``certfile`` (the private key must come first in the file). ``cafile`` defines the path to certificate authorities. ``requireclientcert`` specifies whether to require client certificates. Typically ``cafile`` is only defined if ``requireclientcert`` is true. s/referenced certificate file (%s) does not existr^rUrr1sserverexactprotocolrs$TLS 1.0 not supported by this Pythonr_r`Nrs$TLS 1.1 not supported by this Pythonrars$TLS 1.2 not supported by this Pythons)invalid value for serverexactprotocol: %sOP_SINGLE_DH_USEOP_SINGLE_ECDH_USEzDEFAULT:@SECLEVEL=0s_RESTRICTED_SERVER_CIPHERSOP_CIPHER_SERVER_PREFERENCE)rerfrhT) server_side)&rArBrCrr&rr rxr<ryPROTOCOL_TLS_SERVERr[rr4r3r{r|r}r~r^rrmaximum_versionrrrr\rrrr_RESTRICTED_SERVER_CIPHERSrFrr=rrr) rrGrerfrQrequireclientcertrdr exactprotocolr)r[s r+wrapserversocketrsf" (  RW^^A&& +DEEI  \**F&^C$;<< gc+>BBB (,BCC I % % 222k!$K"L"LMMM(** B B'8& .1^-A *-0^-A * B B B B B B B B B B B B B B Bi ' ' 222k!$K"L"LMMM(** D D':& .1^-C *-0^-C * D D D D D D D D D D D D D D Di ' ' 222k!$K"L"LMMM),)?J &),)?J & &  +>??-O  &"9-- (,BCC I % % 222k!$K"L"LMMM)HH i ' ' 222k!$K"L"LMMM+HH i ' ' 222k!$K"L"LMMM+HH  +>??-O ^H-- g%'#'91==='#';Q????45555 #< = =?gc+H!LLLs=>>>/!$!2 !$ G7G""Hg"FFF 8(((777  ! !$D ! 9 99s&AEEE(AG<<HHceZdZdZdS) wildcarderrorz2Represents an error parsing wildcards in DNS name.N)__name__ __module__ __qualname____doc__r-r+rrs<<<z_verifycert..s#777!!$$777r-rscertificate is for %srls4no commonName or subjectAltName found in certificate) rgetrrr rrr;encodeUnicodeEncodeErrorrr')certrHdnsnamessanr*valuersubs r+ _verifycertrs -+,,,H ((#R ( (C## U %<< : 11FF  : : :!.qvay9999999999 : OOE " " " +88Ir** + +C! + + U,&&F % W 5 5-FFF !DEEEEEEEEEFB(99#"FFF#(BBB)6qvayAAAAAAAAAAAABOOE***! +$87h777H 8}}q)**UZZ-A-AAA X!  )**Xa[88HIIIsMA  BA<4B<BCC87C8<D EE9EEc&tjrtjs tjsdSt jtj}| dp| dS)a@return true if this seems to be a pure Apple Python that * is unfrozen and presumably has the whole mercurial module in the file system * presumably is an Apple Python that uses Apple OpenSSL which has patches for using system certificate store CAs in addition to the provided cacerts file Fs/usr/bin/pythons,/system/library/frameworks/python.framework/) r isdarwinr mainfrozen sysexecutablerArBrealpathr:r7)exes r+_plainapplepythonrs    " $ $% u '  81 2 2 8 8 : :C >>, - - 722r-c ddl}|}tj|r)|dt j|Sn#ttf$rYnwxYwtrutj tj t jtd}tj|r|SdS)areturn path to default CA certificates or None. It is assumed this function is called when the returned certificates file will actually be used to validate connections. Therefore this function may print warnings or debug messages assuming this usage. We don't print a message when the Python is able to load default CA certs because this scenario is detected at socket connect time. rNs#using ca certificates from certifi s dummycert.pem)certifiwhererArBrCrEr fsencoderwAttributeErrorrr'dirname__file__)rGrcerts dummycerts r+rDrD s   7>>%  , HH< = = =$U++ + ,  (     GLL GOOH-h77 8 8:J   7>>) $ $   4sAA##A76A7c P|jd}tj|}|jd}|jd} |d}|}n2#t$r%t jtd|zwxYw|s$t jtd|z|dr'|td|zd Sttj | ttj| ttj| d }d }d ||d z} |dr|dD]z\} } || | krW|d|| || fz|dr(|td||| fzd S{|drd} ||d} nd} d| ||| fz} t jtd|| fztd| z|jds8t jtd|ztd|| fzt%||}|r:t jtd||fztd|| fzd S)zxValidate a socket meets security requirements. The passed socket must have been created with ``wrapsocket()``. rorqrpTs%s ssl connection errors-%s certificate error: no certificate receivedrswarning: connection security to %s is disabled per current settings; communication is susceptible to eavesdropping and tampering N)r0sha256ssha512c ~dfdtdtdDS)Nr/c*g|]}||dzS)r)rxrJs r+rz:validatesocket..fmtfingerprint..[s%DDD1!AAI,DDDr-rr)r'ranger)rJs`r+fmtfingerprintz&validatesocket..fmtfingerprintZs<yyDDDDaQ0C0CDDDEEEr-s sha256:%srrs)%s certificate matched fingerprint %s:%s rs(SHA-1 fingerprint for %s found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: %s:fingerprints=%s) shostfingerprintr0r.s%s:%ss0certificate for %s has unexpected fingerprint %sscheck %s configurationr#rnsPunable to verify security of %s (no loaded CA certificates); refusing to connectssee https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.%s:fingerprints=%s to trust this servers%s certificate error: %ss^set hostsecurity.%s:certfingerprints=%s config setting or use --insecure to connect insecurely)rr r2 getpeercertrrrrr?rr sha1digesthashlibsha256sha512r:rEr)rshosthostrGrpeercert peercert2peerfingerprintsrnicefingerprinthashrOsectionnicers r+validatesocketr,s M+ &E  U # #D u B}[)HH##D))$$&& HHH!!$>"?"?$"FGGGH  ! > ? ?$ F   *+  #          X]8,,335566w~h//668899w~h//668899 FFF#^^4DY4O%P%PPO#$  !)*=!>   D+%++--<<AT>>+#>#>?@01 GGM 78   #=( ( ) M(G!>"27";<rs   i ' 'SUU 73 -T-c3CDDEE&9%%% 73 /t/5GHHII&9%%% 73 /t/5GHHII&9%%%n n n b2EEEERKPx:x:x:x:v=====I===1+1+1+1+h0J0J0Jf(   Fp p p p p r-