sslutil: introduce a function for determining host-specific settings
This patch marks the beginning of a series that introduces a new,
more configurable, per-host security settings mechanism. Currently,
we have global settings (like web.cacerts and the --insecure argument).
We also have per-host settings via [hostfingerprints].
Global security settings are good for defaults, but they don't
provide the amount of control often wanted. For example, an
organization may want to require a particular CA is used for a
particular hostname.
[hostfingerprints] is nice. But it currently assumes SHA-1.
Furthermore, there is no obvious place to put additional per-host
settings.
Subsequent patches will be introducing new mechanisms for defining
security settings, some on a per-host basis. This commits starts
the transition to that world by introducing the _hostsettings
function. It takes a ui and hostname and returns a dict of security
settings. Currently, it limits itself to returning host fingerprint
info.
We foreshadow the future support of non-SHA1 hashing algorithms
for verifying the host fingerprint by making the "certfingerprints"
key a list of tuples instead of a list of hashes.
We add this dict to the hgstate property on the socket and use it
during socket validation for checking fingerprints. There should be
no change in behavior.
*** 'a\nc\n\n\n\n' 'a\nb\n\n\n'
*** 'a\nb\nc\n' 'a\nc\n'
*** '' ''
*** 'a\nb\nc' 'a\nb\nc'
*** 'a\nb\nc\nd\n' 'a\nd\n'
*** 'a\nb\nc\nd\n' 'a\nc\ne\n'
*** 'a\nb\nc\n' 'a\nc\n'
*** 'a\n' 'c\na\nb\n'
*** 'a\n' ''
*** 'a\n' 'b\nc\n'
*** 'a\n' 'c\na\n'
*** '' 'adjfkjdjksdhfksj'
*** '' 'ab'
*** '' 'abc'
*** 'a' 'a'
*** 'ab' 'ab'
*** 'abc' 'abc'
*** 'a\n' 'a\n'
*** 'a\nb' 'a\nb'
6 6 'y\n\n'
6 6 'y\n\n'
9 9 'y\n\n'
0 0 'a\nb\nb\n'
12 12 'b\nc\n.\n'
16 18 ''
done
done