|
Server : Apache System : Linux iad1-shared-b8-43 6.6.49-grsec-jammy+ #10 SMP Thu Sep 12 23:23:08 UTC 2024 x86_64 User : dh_edsupp ( 6597262) PHP Version : 8.2.26 Disable Function : NONE Directory : /lib/python3/dist-packages/mercurial/__pycache__/ |
Upload File : |
o
����^�Ub%�����������������������@���s\��d�dl�mZ�d�dlZd�dlZd�dlZd�dlZd�dlZddlmZ�ddl m
Z
�ddl
m
Z
�ddl
mZmZm Z mZ�ddlmZmZmZ�h�d �Ze
ed
d
�Ze��Ze
ed
e�ed
��r^e�d��e
ede�ed��rme�d��e
ede�ed��r|e�d��dd��Zdd��Z
d)dd�Z
d*dd
�Z
G�d
d
��d
e �Z d+d d �Z!d!d"��Z"d#d$��Z#d%d&��Z$d'd(��Z%dS�),�����)�absolute_importN����)�_)�getattr)�hex)�encoding�error�pycompat�util)�hashutil�
resourceutil�
stringutil>�������tls1.0����tls1.1����tls1.2�HAS_SNIF� HAS_TLSv1�PROTOCOL_TLSv1r����
HAS_TLSv1_1�PROTOCOL_TLSv1_1r����
HAS_TLSv1_2�PROTOCOL_TLSv1_2r���c�����������
��� ���C���s���t��|�}dg�ddddddd�}dd��}tdh�sJ��d}d }|��d
||�}|||��d
|�}|��d
||�}|||��|��d
d
�}|��d
d
|�|�}|�jrSd}|sSd}||d <�||d
<�|��d
d|��} | D�]/}
|
�d�s{tjt d�||
f�t d�d��|
�
dd�\}
}
|
�
dd��
��}
|d��
|
|
f��qe|��d|�D�]}
|
�
dd��
��}
|d��
d|
f��d|d<�q�|d�r�tj|d<�d|d
<�n|�jr�d|d
<�tj|d<�d|d
<�|��d
d �r�d|d
<�|��d
d |��}
|d�r�|
r�|��t d!�|���|d�du��rj|
�rt�|
�}
tj�|
��st�t d"�d#|f�|
f���|
|d$<�n<|��d%d&�}
|
�r@t�|
�}
tj�|
��s?t�t d'�|
�t d(�d)����n|d
��rSt|��}
|
�rS|��d*|
���|
|d$<�|
�s_|d
��retj|d<�ntj|d<�|d�du�ssJ��|S�)+zhObtain security settings for a hostname.
Returns a dict of settings relevant to that hostname.
TNF)����allowloaddefaultcerts����certfingerprints����cafile����disablecertverification����legacyfingerprint����minimumprotocol�
���verifymode����ciphersc�����������������S���s8���|�t�vrtjtd�||�f�td�d�tt����d��d�S�)Ns-���unsupported protocol from hostsecurity.%s: %ss���valid protocols: %s���� ��hint)�configprotocolsr����Abortr����join�sorted)�protocol�key��r)����3/usr/lib/python3/dist-packages/mercurial/sslutil.py�validateprotocol[���s����
���z'_hostsettings.<locals>.validateprotocolr���r���r
����
���hostsecuritys���%s:minimumprotocolr ���s
���%s:cipherss���DEFAULTs���%s:fingerprints)s���sha1:s���sha256:s���sha512:s
���invalid fingerprint for %s: %ss0���must begin with "sha1:", "sha256:", or "sha512:"r!�������:r��������r���s���hostfingerprints����sha1r
���r
���r���r�������devels���disableloaddefaultcertss���%s:verifycertsfiless���(hostsecurity.%s:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
s'���path specified by %s does not exist: %ss ���hostsecurity.%s:verifycertsfiler���s���webs���cacertss
���could not find web.cacerts: %ss ��� (try installing the %s package)s���ca-certificatess���using %s for CA file
)r ����bytesurl�supportedprotocols�config�insecureconnections�
configlist�
startswithr���r$���r����split�replace�lower�append�ssl� CERT_NONE�
configbool�warnr
����
expandpath�os�path�exists�_defaultcacerts�debug�
CERT_REQUIRED)
�ui�hostname� bhostname�sr+����defaultminimumprotocolr(����minimumprotocol�ciphers�
fingerprints�
fingerprint�alg�cafiler)���r)���r*����
_hostsettings>���s����
�
�
�
���
���
���
rQ���c�����������������C���sz���|�t�vr
td|����tjtjB�}|�dkrn
|�dkr |tjO�}n|�dkr,|tjtjB�O�}nt�t d���|t
tdd�O�}|S�)z8Return SSLContext options common to servers and clients.s ���protocol value not supported: %sr���r���r�������this should not happen�OP_NO_COMPRESSIONr���)
r#����
ValueErrorr;����
OP_NO_SSLv2�
OP_NO_SSLv3�
OP_NO_TLSv1�
OP_NO_TLSv1_1r���r$���r���r���)rK����optionsr)���r)���r*����commonssloptions����s���
rZ���c��������������
������s���|s t��td���dtjv�r3zddl}|�t�tjd������ d��W�n�t
y2����� d��Y�nw����fD�]
}|rSt
j
�
|�sSt�jtd�|t�|�f�td�d ��q7t�|�}t�td
�r�t�tj�}|d
�} | d
kr�t�����t�d
dt��tjj|_W�d����n1�s�w���Y��n6| dkr�t�����t�d
dt��tjj
|_W�d����n1�s�w���Y��n| dkr�tjj
|_nt��td���|�j
t tdd�O��_
nt�tj �}|�j
t!|d
��O��_
d|_"|d�|_#|d��r z
|�$t�%|d����W�n%�tj&�y �}
�zt�jtd�t'�(|
j)d���td�|d��d ��d}
~
ww���du�r4����fdd�}
|�*���|
��|d�du�r~z
|j+|d�d
��W�n5�tj&�yz�}
�z't,|
j)�d
k�r]|
j)d�}
n|
j)d
�}
t�jtd
�|d�t'�(|
�f�td �d ��d}
~
ww�d }
n|d!��r�|�-���d }
nd}
z |j.|�|d"�}W�n��tj&�y9�}
�z�z|
�r�|d�tj/k�r�|�0���s���1td#���W�n
�tj&�y����Y�nw�t�|
d$��r4|
j2d%v��r#|d
�d
k�r�t3d
hk�r��1td&�t�|�d'�4t5t3��f�������1td(�t�|��������1td)�|d
�t�|�f�����1td*�t�|������1td+�����|
j2d,k�r4tj6�r4��1td-�����d}
~
ww�|�7���sFt��8td.���|
||�d/�|_9|S�)0a���Add SSL/TLS to a socket.
This is a glorified wrapper for ``ssl.wrap_socket()``. It makes sane
choices based on what security options are available.
In addition to the arguments supported by ``ssl.wrap_socket``, we allow
the following additional arguments:
* serverhostname - The expected hostname of the remote server. If the
server (and client) support SNI, this tells the server which certificate
to use.
s#���serverhostname argument is requireds
���SSLKEYLOGFILEr���Ns8���sslkeylog enabled by SSLKEYLOGFILE environment variable
s?���sslkeylog module missing, but SSLKEYLOGFILE set in environment
s:���certificate file (%s) does not exist; cannot connect to %ss:���restore missing file or fix references in Mercurial configr!����PROTOCOL_TLS_CLIENTr
���r����ignore�"ssl.TLSVersion.TLSv1 is deprecatedr����$ssl.TLSVersion.TLSv1_1 is deprecatedr���rR���rS���Fr
���r ���s���could not set ciphers: %ss#���change cipher string (%s) in configc���������������������s
����p��}����td�|��d�S�)Ns���passphrase for %s: r.���)�getpassr���)�f��certfile�keyfilerF���r)���r*����passwordi��s���z
wrapsocket.<locals>.passwordr����rP���r���s
���error loading CA file %s: %ss���file is empty or malformed?Tr���)�server_hostnames����(an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
s���reason)�UNSUPPORTED_PROTOCOL�
TLSV1_ALERT_PROTOCOL_VERSIONs����(could not communicate with %s using security protocols %s; if you are using a modern Mercurial version, consider contacting the operator of this server; see https://mercurial-scm.org/wiki/SecureConnections for more info)
����, s����(could not communicate with %s using TLS 1.0; the likely cause of this is the server no longer supports TLS 1.0 because it has known security vulnerabilities; see https://mercurial-scm.org/wiki/SecureConnections for more info)
s����(could not negotiate a common security protocol (%s+) with %s; the likely cause is Mercurial is configured to be more secure than the server can support)
s����(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.%s:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
sE���(see https://mercurial-scm.org/wiki/SecureConnections for more info)
�CERTIFICATE_VERIFY_FAILEDsR���(the full certificate chain may not be available locally; see "hg help debugssl")
s���ssl connection failed)����caloaded����hostname����settings����ui):r���r$���r���r����environ� sslkeylog�
set_keylogr ����fsdecode�
warnnoi18n�
ImportErrorr@���rA���rB���r1���rQ���r
����
safehasattrr;����
SSLContextr[����warnings�catch_warnings�filterwarnings�DeprecationWarning�
TLSVersion�TLSv1�minimum_version�TLSv1_1�TLSv1_2rY���r����PROTOCOL_SSLv23rZ����check_hostname�
verify_mode�
set_ciphers�sysstr�SSLErrorr
����
forcebytestr�args�load_cert_chain�load_verify_locations�len�load_default_certs�
wrap_socketrE����
get_ca_certsr>����reasonr2���r%���r&���� iswindows�cipher�
SecurityError�_hgstate)�sockrc���rb���rF����serverhostnamerp���r`����settings�
sslcontextrK����erd����msg�caloaded� sslsocketr)���ra���r*����
wrapsocket��sN��
��
��
����
��
��
�����
����
����� �
�
���D����5�����
���
�������
s�r����c�����������
������C���s
��|||fD�]}|rt�j�|�st�td�|���qt�td�r�t� tj
�}|�j
t
tdd�O��_
|�
dd�}|dkrkdtvrEt�td���t�����t�d d
t��tjj|_tjj|_W�d
����n1�sew���Y��n�|d
kr�d
tvrzt�td
���t�����t�d dt��tjj|_tjj|_W�d
����n1�s�w���Y��n�|dkr�dtvr�t�td���tjj|_tjj|_nl|r�t�td�|���n`tj} td�}
|�
dd�}|dkr�dtvr�t�td���tj} n4|d
kr�d
tvr�t�td
���tj
} n!|dk�rdtv�r
t�td���tj
} n
|�rt�td�|���t� | �}|�j
|
O��_
|�j
t
tdd�O��_
|�j
t
tdd�O��_
|�rE|�
d��nt�td��r]|�j
t
tdd�O��_
|�
tj ��|�retj |_!ntj"|_!|�so|�rv|j#||d��|�r|j$|d��|j%|�dd�S�)a���Wrap a socket for use by servers.
``certfile`` and ``keyfile`` specify the files containing the certificate's
public and private keys, respectively. Both keys can be defined in the same
file via ``certfile`` (the private key must come first in the file).
``cafile`` defines the path to certificate authorities.
``requireclientcert`` specifies whether to require client certificates.
Typically ``cafile`` is only defined if ``requireclientcert`` is true.
s/���referenced certificate file (%s) does not exist�PROTOCOL_TLS_SERVERrS���r���r0���s���serverexactprotocolr���s$���TLS 1.0 not supported by this Pythonr\���r]���Nr���s$���TLS 1.1 not supported by this Pythonr^���r���s$���TLS 1.2 not supported by this Pythons)���invalid value for serverexactprotocol: %s�OP_SINGLE_DH_USE�OP_SINGLE_ECDH_USE�DEFAULTs���_RESTRICTED_SERVER_CIPHERS�OP_CIPHER_SERVER_PREFERENCE)rb���rc���re���T)�
server_side)&r@���rA���rB���r���r$���r���r
���ru���r;���rv���r����rY���r���r3���r2���rw���rx���ry���rz���r{���r|���r}����maximum_versionr~���r���r����rZ���r���r���r���r�����_RESTRICTED_SERVER_CIPHERSrE���r����r<���r����r����r����)
r����rF���rb���rc���rP����requireclientcertr`���r�����
exactprotocolr'���rY���r)���r)���r*����wrapserversocket��s����
��
��
��
��
�
r����c�������������������@���s���e�Zd�ZdZdS�)�
wildcarderrorz2Represents an error parsing wildcards in DNS name.N)�__name__�
__module__�
__qualname__�__doc__r)���r)���r)���r*���r����y��s����r����c�����������
������C���s
��g�}|�sdS�t��|��}�t��|�}|��d�}|d�}|dd��}|�d�}||kr0ttd�|����|s:|����|���kS�|dkrD|�d��n |�d �sN|�d �rW|�t �
|���n
|�t �
|��
d
d
���|D�]
}|�t �
|���qet
�
d
d
�|��d�t
j�} | �|�duS�)z�Match DNS names according RFC 6125 section 6.4.3.
This code is effectively copied from CPython's ssl._dnsname_match.
Returns a bool indicating whether the expected hostname matches
the value in ``dn``.
F����.r���r���N����*s.���too many wildcards in certificate DNS name: %ss���[^.]+s���xn--s���\*s���[^.]*s���\As���\.s���\Z)r ���r1���r7����countr����r���r9���r:���r6���r
����reescaper8����re�compiler%����
IGNORECASE�match)
�dnrG����
maxwildcards�pats�pieces�leftmost� remainder� wildcards�frag�patr)���r)���r*����
_dnsnamematch}��s0���
�
r����c��������������
���C���s���|�st�d�S�g�}|��dg��}|D�]5\}}|dkrEz
t||�r"W��dS�W�n
�ty?�}�zt�|jd��W��Y�d}~��S�d}~ww�|�|��q|s�|��dg��D�]V}|D�]Q\}}|dkr�z|�d�}W�n�t yr���t�d ��Y�����S�w�z
t||�r~W���dS�W�n
�ty��}�zt�|jd��W��Y�d}~����S�d}~ww�|�|��qRqNd
d
��|D��}t
|�d
kr�t�d
�d�
|��S�t
|�d
kr�t�d
�|d��S�t�d�S�)z�Verify that cert (in socket.getpeercert() format) matches hostname.
CRLs is not handled.
Returns error message if any problems are found and None on success.
s���no certificate received�subjectAltName�DNSNr����subject�
commonName�asciis ���IDN in certificate not supportedc�����������������S���s���g�|�]}t��|��qS�r)���)r ���r1���)�.0�dr)���r)���r*����
<listcomp>���s����z _verifycert.<locals>.<listcomp>r���s���certificate is for %sri���s4���no commonName or subjectAltName found in certificate)
r����getr����r����r
���r����r����r:����encode�UnicodeEncodeErrorr����r%���)�certrG����dnsnames�sanr(����valuer�����subr)���r)���r*����
_verifycert���sT���
� ��
�
�
�$��
��
r����c������������������C���s>���t�jr
t���s
t�js
dS�tj�t�j����}�|�� d�p
|�� d�S�)a@��return true if this seems to be a pure Apple Python that
* is unfrozen and presumably has the whole mercurial module in the file
system
* presumably is an Apple Python that uses Apple OpenSSL which has patches
for using system certificate store CAs in addition to the provided
cacerts file
Fs���/usr/bin/pythons,���/system/library/frameworks/python.framework/)
r ����isdarwinr
����
mainfrozen�
sysexecutabler@���rA����realpathr9���r6���)�exer)���r)���r*����_plainapplepython���s��� ����r����c�������������� ���C���s����zddl�}|���}tj�|�r|��d��t�|�W�S�W�n
�tt fy&���Y�nw�t
��r@tj�
tj�
t�t
��d�}tj�|�r@|S�dS�)a���return path to default CA certificates or None.
It is assumed this function is called when the returned certificates
file will actually be used to validate connections. Therefore this
function may print warnings or debug messages assuming this usage.
We don't print a message when the Python is able to load default
CA certs because this scenario is detected at socket connect time.
r���Ns#���using ca certificates from certifi
s
���dummycert.pem)�certifi�wherer@���rA���rB���rD���r ����fsencodert����AttributeErrorr����r%����dirname�__file__)rF���r�����certs� dummycertr)���r)���r*���rC������s"���
���
rC���c�����������������C���s��|�j�d�}t�|�}|�j�d�}|�j�d�}z
|��d�}|����}W�n�ty/���t�td�|���w�|s;t�td�|���|d�rJ|�td�|���d S�t t
�
|��
���t t
�|��
���t t
�|��
���d
�}d
d
��}d
||d���} |d�r�|d�D�]+\}
}
||
����|
kr�|�d||
||
�f���|d�r�|�td�||| f����d S�qy|d�r�d}
||d��}
n
d}
d|
|||
��f�}
tjtd�||
f�td�|
�d��|�j�d�s�tjtd�|�td
�|| f�d��t||�}|r�tjtd
�||f�td
�|| f�d��d S�) zxValidate a socket meets security requirements.
The passed socket must have been created with ``wrapsocket()``.
rl���rn���rm���Ts���%s ssl connection errors-���%s certificate error: no certificate receivedr���s����warning: connection security to %s is disabled per current settings; communication is susceptible to eavesdropping and tampering
N)r/�������sha256s���sha512c��������������������s$���d����fdd�tdt���d�D���S�)Nr-���c��������������������s
���g�|�]
}��||d�����qS�)����r)���)r�����x�rI���r)���r*���r����J��s���
�z:validatesocket.<locals>.fmtfingerprint.<locals>.<listcomp>r���r����)r%����ranger����r����r)���r����r*����fmtfingerprintI��s���$z&validatesocket.<locals>.fmtfingerprints ���sha256:%sr����r���s)���%s certificate matched fingerprint %s:%s
r
���s����(SHA-1 fingerprint for %s found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: %s:fingerprints=%s)
s���hostfingerprintr/���r,���s���%s:%ss0���certificate for %s has unexpected fingerprint %ss���check %s configurationr!���rk���sP���unable to verify security of %s (no loaded CA certificates); refusing to connects����see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.%s:fingerprints=%s to trust this servers���%s certificate error: %ss^���set hostsecurity.%s:certfingerprints=%s config setting or use --insecure to connect insecurely)r����r ���r1����
getpeercertr����r���r����r���r>���r���r
����sha1�digest�hashlib�sha256�sha512r9���rD���r����)r�����shost�hostrF���r�����peercert� peercert2�peerfingerprintsr�����nicefingerprint�hashrN����section�nicer����r)���r)���r*����validatesocket��s����
�
�����
�����
��
�
�����
����r����)N)NNNF)r���)&�
__future__r���r����r@���r����r;���rw����i18nr���r ���r����noder�����r���r���r
����utilsr
���r
���r
���r#����hassni�setr2���ru����addrQ���rZ���r����r����� Exceptionr����r����r����r����rC���r����r)���r)���r)���r*����<module>���sD���
�2
��
�s
43
#