upstream/mercurial-mirror Commit - r29258:6315c1e1

sslutil: introduce a function for determining host-specific settings...

Gregory Szorc -

r29258:6315c1e1 default

parent child

mercurial/sslutil.py

0 +22 -5

                         return ssl.wrap_socket(socket, **args)
+            def _hostsettings(ui, hostname):
+                """Obtain security settings for a hostname.
+                Returns a dict of settings relevant to that hostname.
+                """
+                s = {
+                    # List of 2-tuple of (hash algorithm, hash).
+                    'certfingerprints': [],
+                }
+                # Fingerprints from [hostfingerprints] are always SHA-1.
+                for fingerprint in ui.configlist('hostfingerprints', hostname, []):
+                    fingerprint = fingerprint.replace(':', '').lower()
+                    s['certfingerprints'].append(('sha1', fingerprint))
+                return s
             def _determinecertoptions(ui, host):
                 """Determine certificate options for a connections.
                 sslsocket._hgstate = {
                     'caloaded': caloaded,
                     'hostname': serverhostname,
+                    'settings': _hostsettings(ui, serverhostname),
                     'ui': ui,
                 }
                 """
                 host = sock._hgstate['hostname']
                 ui = sock._hgstate['ui']
+                settings = sock._hgstate['settings']
                 try:
                     peercert = sock.getpeercert(True)
                 # If a certificate fingerprint is pinned, use it and only it to
                 # validate the remote cert.
-                hostfingerprints = ui.configlist('hostfingerprints', host)
                 peerfingerprint = util.sha1(peercert).hexdigest()
                 nicefingerprint = ":".join([peerfingerprint[x:x + 2]
                     for x in xrange(0, len(peerfingerprint), 2)])
-                if hostfingerprints:
+                if settings['certfingerprints']:
                     fingerprintmatch = False
-                    for hostfingerprint in hostfingerprints:
+                    for hash, fingerprint in settings['certfingerprints']:
-                        if peerfingerprint.lower() == \
+                        if peerfingerprint.lower() == fingerprint:
-                                hostfingerprint.replace(':', '').lower():
                             fingerprintmatch = True
                             break
                     if not fingerprintmatch:

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages