[Binary residue: this page is a compiled Python 2.7 bytecode file (.pyc) for Mercurial's `sslutil` module, compiled from `/usr/lib64/python2.7/site-packages/mercurial/sslutil.py`; the bytecode itself is not recoverable as text. Only the module's function names and docstring fragments embedded in the file survive:]

- `wrapsocket`: "Add SSL/TLS to a socket. This is a glorified wrapper for ``ssl.wrap_socket()``. It makes sane choices based on what security options are available."
- `wrapserversocket`: "Wrap a socket for use by servers. ``certfile`` and ``keyfile`` specify the files containing the certificate's public and private keys, respectively. ``cafile`` defines the path to certificate authorities. ``requireclientcert`` specifies whether to require client certificates."
- `wildcarderror`: "Represents an error parsing wildcards in DNS name."
- `_dnsnamematch`: "Match DNS names according RFC 6125 section 6.4.3. This code is effectively copied from CPython's ssl._dnsname_match."
- `_verifycert`: "Verify that cert (in socket.getpeercert() format) matches hostname. CRLs is not handled. Returns error message if any problems are found and None on success."
- `_plainapplepython`: "return true if this seems to be a pure Apple Python that uses Apple OpenSSL which has patches for using system certificate store CAs in addition to the provided cacerts file."
- `_defaultcacerts`: "return path to default CA certificates or None."
- `validatesocket`: "Validate a socket meets security requirements. The passed socket must have been created with ``wrapsocket()``."