changeset 29226:33006bd6a1d7

sslutil: store and use hostname and ui in socket instance Currently, we pass a hostname and ui to sslutil.wrap_socket() then create a separate sslutil.validator instance also from a hostname and ui. There is a 1:1 mapping between a wrapped socket and a validator instance. This commit lays the groundwork for making the validation function generic by storing the hostname and ui instance in the state dict attached to the socket instance and then using these variables in the validator function. Since the arguments to sslutil.validator.__init__ are no longer used, we make them optional and make __init__ a no-op.
author Gregory Szorc <gregory.szorc@gmail.com>
date Sun, 15 May 2016 11:32:11 -0700
parents b115eed11780
children dffe78d80a6c
files mercurial/sslutil.py
diffstat 1 files changed, 18 insertions(+), 16 deletions(-) [+]
line wrap: on
line diff
--- a/mercurial/sslutil.py	Sun May 15 11:25:07 2016 -0700
+++ b/mercurial/sslutil.py	Sun May 15 11:32:11 2016 -0700
@@ -173,6 +173,8 @@
 
     sslsocket._hgstate = {
         'caloaded': caloaded,
+        'hostname': serverhostname,
+        'ui': ui,
     }
 
     return sslsocket
@@ -290,12 +292,12 @@
     return kws
 
 class validator(object):
-    def __init__(self, ui, host):
-        self.ui = ui
-        self.host = host
+    def __init__(self, ui=None, host=None):
+        pass
 
     def __call__(self, sock, strict=False):
-        host = self.host
+        host = sock._hgstate['hostname']
+        ui = sock._hgstate['ui']
 
         if not sock.cipher(): # work around http://bugs.python.org/issue13721
             raise error.Abort(_('%s ssl connection error') % host)
@@ -311,7 +313,7 @@
 
         # If a certificate fingerprint is pinned, use it and only it to
         # validate the remote cert.
-        hostfingerprints = self.ui.configlist('hostfingerprints', host)
+        hostfingerprints = ui.configlist('hostfingerprints', host)
         peerfingerprint = util.sha1(peercert).hexdigest()
         nicefingerprint = ":".join([peerfingerprint[x:x + 2]
             for x in xrange(0, len(peerfingerprint), 2)])
@@ -326,8 +328,8 @@
                 raise error.Abort(_('certificate for %s has unexpected '
                                    'fingerprint %s') % (host, nicefingerprint),
                                  hint=_('check hostfingerprint configuration'))
-            self.ui.debug('%s certificate matched fingerprint %s\n' %
-                          (host, nicefingerprint))
+            ui.debug('%s certificate matched fingerprint %s\n' %
+                     (host, nicefingerprint))
             return
 
         # If insecure connections were explicitly requested via --insecure,
@@ -336,11 +338,11 @@
         # It may seem odd that this is checked *after* host fingerprint pinning.
         # This is for backwards compatibility (for now). The message is also
         # the same as below for BC.
-        if self.ui.insecureconnections:
-            self.ui.warn(_('warning: %s certificate with fingerprint %s not '
-                           'verified (check hostfingerprints or web.cacerts '
-                           'config setting)\n') %
-                         (host, nicefingerprint))
+        if ui.insecureconnections:
+            ui.warn(_('warning: %s certificate with fingerprint %s not '
+                      'verified (check hostfingerprints or web.cacerts '
+                      'config setting)\n') %
+                    (host, nicefingerprint))
             return
 
         if not sock._hgstate['caloaded']:
@@ -350,10 +352,10 @@
                                   hint=_('check hostfingerprints or '
                                          'web.cacerts config setting'))
             else:
-                self.ui.warn(_('warning: %s certificate with fingerprint %s '
-                               'not verified (check hostfingerprints or '
-                               'web.cacerts config setting)\n') %
-                             (host, nicefingerprint))
+                ui.warn(_('warning: %s certificate with fingerprint %s '
+                          'not verified (check hostfingerprints or '
+                          'web.cacerts config setting)\n') %
+                        (host, nicefingerprint))
 
             return