mercurial-scm/hg-stable: mercurial/sslutil.py comparison

comparison mercurial/sslutil.py @ 29452:26a5d605b868 stable 3.8.4

sslutil: synchronize hostname matching logic with CPython sslutil contains its own hostname matching logic. CPython has code for the same intent. However, it is only available to Python 2.7.9+ (or distributions that have backported 2.7.9's ssl module improvements). This patch effectively imports CPython's hostname matching code from its ssl.py into sslutil.py. The hostname matching code itself is pretty similar. However, the DNS name matching code is much more robust and spec conformant. As the test changes show, this changes some behavior around wildcard handling and IDNA matching. The new behavior allows wildcards in the middle of words (e.g. 'f*.com' matches 'foo.com') This is spec compliant according to RFC 6125 Section 6.5.3 item 3. There is one test where the matcher is more strict. Before, '*.a.com' matched '.a.com'. Now it doesn't match. Strictly speaking this is a security vulnerability.

author	Gregory Szorc <gregory.szorc@gmail.com>
date	Sun, 26 Jun 2016 19:34:48 -0700
parents	693b856a4d45
children	fd93b15b5c30 a7d1532b26a1

comparison

equal deleted inserted replaced

-:676f4d0e3a7b
+:26a5d605b868
 # GNU General Public License version 2 or any later version.
 from __future__ import absolute_import
 import os
+import re
 import ssl
 import sys
 from .i18n import _
 from . import (
 # - see http://bugs.python.org/issue13721
 if not sslsocket.cipher():
 raise error.Abort(_('ssl connection failed'))
 return sslsocket
+class wildcarderror(Exception):
+"""Represents an error parsing wildcards in DNS name."""
+def _dnsnamematch(dn, hostname, maxwildcards=1):
+"""Match DNS names according RFC 6125 section 6.4.3.
+This code is effectively copied from CPython's ssl._dnsname_match.
+Returns a bool indicating whether the expected hostname matches
+the value in ``dn``.
+"""
+pats = []
+if not dn:
+return False
+pieces = dn.split(r'.')
+leftmost = pieces[0]
+remainder = pieces[1:]
+wildcards = leftmost.count('*')
+if wildcards > maxwildcards:
+raise wildcarderror(
+_('too many wildcards in certificate DNS name: %s') % dn)
+# speed up common case w/o wildcards
+if not wildcards:
+return dn.lower() == hostname.lower()
+# RFC 6125, section 6.4.3, subitem 1.
+# The client SHOULD NOT attempt to match a presented identifier in which
+# the wildcard character comprises a label other than the left-most label.
+if leftmost == '*':
+# When '*' is a fragment by itself, it matches a non-empty dotless
+# fragment.
+pats.append('[^.]+')
+elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
+# RFC 6125, section 6.4.3, subitem 3.
+# The client SHOULD NOT attempt to match a presented identifier
+# where the wildcard character is embedded within an A-label or
+# U-label of an internationalized domain name.
+pats.append(re.escape(leftmost))
+else:
+# Otherwise, '*' matches any dotless string, e.g. www*
+pats.append(re.escape(leftmost).replace(r'\*', '[^.]*'))
+# add the remaining fragments, ignore any wildcards
+for frag in remainder:
+pats.append(re.escape(frag))
+pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
+return pat.match(hostname) is not None
 def _verifycert(cert, hostname):
 '''Verify that cert (in socket.getpeercert() format) matches hostname.
 CRLs is not handled.
 Returns error message if any problems are found and None on success.
 '''
 if not cert:
 return _('no certificate received')
-dnsname = hostname.lower()
-def matchdnsname(certname):
+dnsnames = []
-return (certname == dnsname or
-'.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1])
 san = cert.get('subjectAltName', [])
-if san:
+for key, value in san:
-certnames = [value.lower() for key, value in san if key == 'DNS']
+if key == 'DNS':
-for name in certnames:
-if matchdnsname(name):
-return None
-if certnames:
-return _('certificate is for %s') % ', '.join(certnames)
-# subject is only checked when subjectAltName is empty
-for s in cert.get('subject', []):
-key, value = s[0]
-if key == 'commonName':
 try:
-# 'subject' entries are unicode
+if _dnsnamematch(value, hostname):
-certname = value.lower().encode('ascii')
+return
-except UnicodeEncodeError:
+except wildcarderror as e:
-return _('IDN in certificate not supported')
+return e.message
-if matchdnsname(certname):
-return None
+dnsnames.append(value)
-return _('certificate is for %s') % certname
-return _('no commonName or subjectAltName found in certificate')
+if not dnsnames:
+# The subject is only checked when there is no DNS in subjectAltName.
+for sub in cert.get('subject', []):
+for key, value in sub:
+# According to RFC 2818 the most specific Common Name must
+# be used.
+if key == 'commonName':
+# 'subject' entries are unicide.
+try:
+value = value.encode('ascii')
+except UnicodeEncodeError:
+return _('IDN in certificate not supported')
+try:
+if _dnsnamematch(value, hostname):
+return
+except wildcarderror as e:
+return e.message
+dnsnames.append(value)
+if len(dnsnames) > 1:
+return _('certificate is for %s') % ', '.join(dnsnames)
+elif len(dnsnames) == 1:
+return _('certificate is for %s') % dnsnames[0]
+else:
+return _('no commonName or subjectAltName found in certificate')
 # CERT_REQUIRED means fetch the cert from the server all the time AND
 # validate it against the CA store provided in web.cacerts.

Mercurial > public > mercurial-scm > hg-stable

comparison mercurial/sslutil.py @ 29452:26a5d605b868 stable 3.8.4