sslutil: store and use hostname and ui in socket instance
Currently, we pass a hostname and ui to sslutil.wrap_socket()
then create a separate sslutil.validator instance also from
a hostname and ui. There is a 1:1 mapping between a wrapped
socket and a validator instance. This commit lays the groundwork
for making the validation function generic by storing the
hostname and ui instance in the state dict attached to the
socket instance and then using these variables in the
validator function.
Since the arguments to sslutil.validator.__init__ are no longer
used, we make them optional and make __init__ a no-op.
--- a/mercurial/sslutil.py Sun May 15 11:25:07 2016 -0700
+++ b/mercurial/sslutil.py Sun May 15 11:32:11 2016 -0700
@@ -173,6 +173,8 @@
sslsocket._hgstate = {
'caloaded': caloaded,
+ 'hostname': serverhostname,
+ 'ui': ui,
}
return sslsocket
@@ -290,12 +292,12 @@
return kws
class validator(object):
- def __init__(self, ui, host):
- self.ui = ui
- self.host = host
+ def __init__(self, ui=None, host=None):
+ pass
def __call__(self, sock, strict=False):
- host = self.host
+ host = sock._hgstate['hostname']
+ ui = sock._hgstate['ui']
if not sock.cipher(): # work around http://bugs.python.org/issue13721
raise error.Abort(_('%s ssl connection error') % host)
@@ -311,7 +313,7 @@
# If a certificate fingerprint is pinned, use it and only it to
# validate the remote cert.
- hostfingerprints = self.ui.configlist('hostfingerprints', host)
+ hostfingerprints = ui.configlist('hostfingerprints', host)
peerfingerprint = util.sha1(peercert).hexdigest()
nicefingerprint = ":".join([peerfingerprint[x:x + 2]
for x in xrange(0, len(peerfingerprint), 2)])
@@ -326,8 +328,8 @@
raise error.Abort(_('certificate for %s has unexpected '
'fingerprint %s') % (host, nicefingerprint),
hint=_('check hostfingerprint configuration'))
- self.ui.debug('%s certificate matched fingerprint %s\n' %
- (host, nicefingerprint))
+ ui.debug('%s certificate matched fingerprint %s\n' %
+ (host, nicefingerprint))
return
# If insecure connections were explicitly requested via --insecure,
@@ -336,11 +338,11 @@
# It may seem odd that this is checked *after* host fingerprint pinning.
# This is for backwards compatibility (for now). The message is also
# the same as below for BC.
- if self.ui.insecureconnections:
- self.ui.warn(_('warning: %s certificate with fingerprint %s not '
- 'verified (check hostfingerprints or web.cacerts '
- 'config setting)\n') %
- (host, nicefingerprint))
+ if ui.insecureconnections:
+ ui.warn(_('warning: %s certificate with fingerprint %s not '
+ 'verified (check hostfingerprints or web.cacerts '
+ 'config setting)\n') %
+ (host, nicefingerprint))
return
if not sock._hgstate['caloaded']:
@@ -350,10 +352,10 @@
hint=_('check hostfingerprints or '
'web.cacerts config setting'))
else:
- self.ui.warn(_('warning: %s certificate with fingerprint %s '
- 'not verified (check hostfingerprints or '
- 'web.cacerts config setting)\n') %
- (host, nicefingerprint))
+ ui.warn(_('warning: %s certificate with fingerprint %s '
+ 'not verified (check hostfingerprints or '
+ 'web.cacerts config setting)\n') %
+ (host, nicefingerprint))
return