comparison mercurial/sslutil.py @ 29293:1b3a0b0c414f
sslutil: print the fingerprint from the last hash used
Before, we would always print the unprefixed SHA-1 fingerprint when
fingerprint comparison failed. Now, we print the fingerprint of the
last hash used, including the prefix if necessary. This helps ensure
that the printed hash type matches what is in the user configuration.
There are still some cases where this can print a mismatched hash type,
e.g. if there are both SHA-1 and SHA-256 fingerprints in the config,
we could print a SHA-1 hash if it comes after the SHA-256 hash. But
I'm inclined to ignore this edge case.
While I was here, the "section" variable assignment has been moved to
just above where it is used because it is now only needed for this
error message and it makes the code easier to read.
author | Gregory Szorc <gregory.szorc@gmail.com> |
---|---|
date | Sat, 04 Jun 2016 11:16:08 -0700 |
parents | bc5f55493397 |
children | ecc9b788fd69 |
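--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -375,27 +375,28 @@
 }
 
 def fmtfingerprint(s):
 return ':'.join([s[x:x + 2] for x in range(0, len(s), 2)])
 
-legacyfingerprint = fmtfingerprint(peerfingerprints['sha1'])
 nicefingerprint = 'sha256:%s' % fmtfingerprint(peerfingerprints['sha256'])
-
-if settings['legacyfingerprint']:
-section = 'hostfingerprint'
-else:
-section = 'hostsecurity'
 
 if settings['certfingerprints']:
 for hash, fingerprint in settings['certfingerprints']:
 if peerfingerprints[hash].lower() == fingerprint:
 ui.debug('%s certificate matched fingerprint %s:%s\n' %
 (host, hash, fmtfingerprint(fingerprint)))
 return
 
+# Pinned fingerprint didn't match. This is a fatal error.
+if settings['legacyfingerprint']:
+section = 'hostfingerprint'
+nice = fmtfingerprint(peerfingerprints['sha1'])
+else:
+section = 'hostsecurity'
+nice = '%s:%s' % (hash, fmtfingerprint(peerfingerprints[hash]))
 raise error.Abort(_('certificate for %s has unexpected '
-'fingerprint %s') % (host, legacyfingerprint),
+'fingerprint %s') % (host, nice),
 hint=_('check %s configuration') % section)
 
 if not sock._hgstate['caloaded']:
 ui.warn(_('warning: certificate for %s not verified '
 '(set hostsecurity.%s:certfingerprints=%s or web.cacerts '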