changeset 29259:ec247e8595f9

sslutil: move SSLContext.verify_mode value into _hostsettings _determinecertoptions() and _hostsettings() are redundant with each other. _hostsettings() is used the flexible API we want. We start the process of removing _determinecertoptions() by moving some of the logic for the verify_mode value into _hostsettings(). As part of this, _determinecertoptions() now takes a settings dict as its argument. This is technically API incompatible. But since _determinecertoptions() came into existence a few days ago as part of this release, I'm not flagging it as such.
author Gregory Szorc <gregory.szorc@gmail.com>
date Sat, 28 May 2016 11:41:21 -0700
parents 6315c1e14f75
children 70bc9912d83d
files mercurial/sslutil.py
diffstat 1 files changed, 19 insertions(+), 12 deletions(-) [+]
line wrap: on
line diff
--- a/mercurial/sslutil.py	Sat May 28 11:12:02 2016 -0700
+++ b/mercurial/sslutil.py	Sat May 28 11:41:21 2016 -0700
@@ -114,6 +114,8 @@
     s = {
         # List of 2-tuple of (hash algorithm, hash).
         'certfingerprints': [],
+        # ssl.CERT_* constant used by SSLContext.verify_mode.
+        'verifymode': None,
     }
 
     # Fingerprints from [hostfingerprints] are always SHA-1.
@@ -121,22 +123,26 @@
         fingerprint = fingerprint.replace(':', '').lower()
         s['certfingerprints'].append(('sha1', fingerprint))
 
+    # If a host cert fingerprint is defined, it is the only thing that
+    # matters. No need to validate CA certs.
+    if s['certfingerprints']:
+        s['verifymode'] = ssl.CERT_NONE
+
+    # If --insecure is used, don't take CAs into consideration.
+    elif ui.insecureconnections:
+        s['verifymode'] = ssl.CERT_NONE
+
+    # TODO assert verifymode is not None once we integrate cacert
+    # checking in this function.
+
     return s
 
-def _determinecertoptions(ui, host):
+def _determinecertoptions(ui, settings):
     """Determine certificate options for a connections.
 
     Returns a tuple of (cert_reqs, ca_certs).
     """
-    # If a host key fingerprint is on file, it is the only thing that matters
-    # and CA certs don't come into play.
-    hostfingerprint = ui.config('hostfingerprints', host)
-    if hostfingerprint:
-        return ssl.CERT_NONE, None
-
-    # The code below sets up CA verification arguments. If --insecure is
-    # used, we don't take CAs into consideration, so return early.
-    if ui.insecureconnections:
+    if settings['verifymode'] == ssl.CERT_NONE:
         return ssl.CERT_NONE, None
 
     cacerts = ui.config('web', 'cacerts')
@@ -181,7 +187,8 @@
     if not serverhostname:
         raise error.Abort('serverhostname argument is required')
 
-    cert_reqs, ca_certs = _determinecertoptions(ui, serverhostname)
+    settings = _hostsettings(ui, serverhostname)
+    cert_reqs, ca_certs = _determinecertoptions(ui, settings)
 
     # Despite its name, PROTOCOL_SSLv23 selects the highest protocol
     # that both ends support, including TLS protocols. On legacy stacks,
@@ -234,7 +241,7 @@
     sslsocket._hgstate = {
         'caloaded': caloaded,
         'hostname': serverhostname,
-        'settings': _hostsettings(ui, serverhostname),
+        'settings': settings,
         'ui': ui,
     }