# HG changeset patch # User Gregory Szorc # Date 1465064168 25200 # Node ID 1b3a0b0c414faa3d6d4dbcf4c5abbbe18aa9efd4 # Parent bc5f55493397d62d3e2d69fb671e5101f31e7245 sslutil: print the fingerprint from the last hash used Before, we would always print the unprefixed SHA-1 fingerprint when fingerprint comparison failed. Now, we print the fingerprint of the last hash used, including the prefix if necessary. This helps ensure that the printed hash type matches what is in the user configuration. There are still some cases where this can print a mismatched hash type. e.g. if there are both SHA-1 and SHA-256 fingerprints in the config, we could print a SHA-1 hash if it comes after the SHA-256 hash. But I'm inclined to ignore this edge case. While I was here, the "section" variable assignment has been moved to just above where it is used because it is now only needed for this error message and it makes the code easier to read. diff -r bc5f55493397 -r 1b3a0b0c414f mercurial/sslutil.py --- a/mercurial/sslutil.py Tue May 31 19:21:08 2016 -0700 +++ b/mercurial/sslutil.py Sat Jun 04 11:16:08 2016 -0700 @@ -377,14 +377,8 @@ def fmtfingerprint(s): return ':'.join([s[x:x + 2] for x in range(0, len(s), 2)]) - legacyfingerprint = fmtfingerprint(peerfingerprints['sha1']) nicefingerprint = 'sha256:%s' % fmtfingerprint(peerfingerprints['sha256']) - if settings['legacyfingerprint']: - section = 'hostfingerprint' - else: - section = 'hostsecurity' - if settings['certfingerprints']: for hash, fingerprint in settings['certfingerprints']: if peerfingerprints[hash].lower() == fingerprint: 
@@ -392,8 +386,15 @@ (host, hash, fmtfingerprint(fingerprint))) return + # Pinned fingerprint didn't match. This is a fatal error. + if settings['legacyfingerprint']: + section = 'hostfingerprint' + nice = fmtfingerprint(peerfingerprints['sha1']) + else: + section = 'hostsecurity' + nice = '%s:%s' % (hash, fmtfingerprint(peerfingerprints[hash])) raise error.Abort(_('certificate for %s has unexpected ' - 'fingerprint %s') % (host, legacyfingerprint), + 'fingerprint %s') % (host, nice), hint=_('check %s configuration') % section) if not sock._hgstate['caloaded']: diff -r bc5f55493397 -r 1b3a0b0c414f tests/test-https.t --- a/tests/test-https.t Tue May 31 19:21:08 2016 -0700 +++ b/tests/test-https.t Sat Jun 04 11:16:08 2016 -0700 @@ -314,7 +314,7 @@ [255] $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ - abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca + abort: certificate for localhost has unexpected fingerprint sha1:91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca (check hostsecurity configuration) [255]
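Review bot: in the new `else` branch of the second hunk, `hash` is simply whatever value the `for hash, fingerprint in settings['certfingerprints']` loop left behind, so the printed type is the last configured entry by accident rather than by design (the SHA-1-after-SHA-256 case the commit message calls out), and the code reads as though `hash` were always bound; it only is because this `raise` sits inside the `if settings['certfingerprints']:` block shown in the first hunk. Consider making the choice explicit, e.g. assigning `lasthash = hash` inside the loop and using that, or printing the peer fingerprint for every hash type present in the pinned list so the user can compare against each configured entry regardless of order. `hash` also shadows the Python builtin; `hashtype` would avoid the confusion.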
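Review bot: the test-https.t hunk only exercises the `sha1:`-prefixed mismatch path; since the point of the change is that the printed prefix now tracks the configured hash type, a companion case with a mismatching `sha256:` pin under `hostsecurity.localhost:fingerprints` would confirm the `sha256:` prefix is emitted, and a `[hostfingerprints]` case would confirm the legacy branch still prints the unprefixed SHA-1 that that section expects.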