Patchwork [6,of,7] sslutil: remove indentation in wrapsocket declaration

Submitter Gregory Szorc
Date March 28, 2016, 4:28 a.m.
Message ID <6804722830cd256bdc89.1459139315@ubuntu-vm-main>
Permalink /patch/14097/
State Accepted

Comments

Gregory Szorc - March 28, 2016, 4:28 a.m.
# HG changeset patch
# User Gregory Szorc <gregory.szorc@gmail.com>
# Date 1459103979 25200
#      Sun Mar 27 11:39:39 2016 -0700
# Node ID 6804722830cd256bdc898069c41059edd07f18a0
# Parent  cb4f105cc25744f725bb721ba53fde08a709f788
sslutil: remove indentation in wrapsocket declaration

It is no longer needed because we have a single code path.

Patch

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -101,64 +101,61 @@  except AttributeError:
                 'ca_certs': self._cacerts,
             }
 
             if self._supportsciphers:
                 args['ciphers'] = self._ciphers
 
             return ssl.wrap_socket(socket, **args)
 
-try:
-    def wrapsocket(sock, keyfile, certfile, ui, cert_reqs=ssl.CERT_NONE,
-                   ca_certs=None, serverhostname=None):
-        # Despite its name, PROTOCOL_SSLv23 selects the highest protocol
-        # that both ends support, including TLS protocols. On legacy stacks,
-        # the highest it likely goes in TLS 1.0. On modern stacks, it can
-        # support TLS 1.2.
-        #
-        # The PROTOCOL_TLSv* constants select a specific TLS version
-        # only (as opposed to multiple versions). So the method for
-        # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and
-        # disable protocols via SSLContext.options and OP_NO_* constants.
-        # However, SSLContext.options doesn't work unless we have the
-        # full/real SSLContext available to us.
-        #
-        # SSLv2 and SSLv3 are broken. We ban them outright.
-        if modernssl:
-            protocol = ssl.PROTOCOL_SSLv23
-        else:
-            protocol = ssl.PROTOCOL_TLSv1
+def wrapsocket(sock, keyfile, certfile, ui, cert_reqs=ssl.CERT_NONE,
+               ca_certs=None, serverhostname=None):
+    # Despite its name, PROTOCOL_SSLv23 selects the highest protocol
+    # that both ends support, including TLS protocols. On legacy stacks,
+    # the highest it likely goes in TLS 1.0. On modern stacks, it can
+    # support TLS 1.2.
+    #
+    # The PROTOCOL_TLSv* constants select a specific TLS version
+    # only (as opposed to multiple versions). So the method for
+    # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and
+    # disable protocols via SSLContext.options and OP_NO_* constants.
+    # However, SSLContext.options doesn't work unless we have the
+    # full/real SSLContext available to us.
+    #
+    # SSLv2 and SSLv3 are broken. We ban them outright.
+    if modernssl:
+        protocol = ssl.PROTOCOL_SSLv23
+    else:
+        protocol = ssl.PROTOCOL_TLSv1
 
-        # TODO use ssl.create_default_context() on modernssl.
-        sslcontext = SSLContext(protocol)
+    # TODO use ssl.create_default_context() on modernssl.
+    sslcontext = SSLContext(protocol)
 
+    # This is a no-op on old Python.
+    sslcontext.options |= OP_NO_SSLv2 | OP_NO_SSLv3
+
+    if certfile is not None:
+        def password():
+            f = keyfile or certfile
+            return ui.getpass(_('passphrase for %s: ') % f, '')
+        sslcontext.load_cert_chain(certfile, keyfile, password)
+    sslcontext.verify_mode = cert_reqs
+    if ca_certs is not None:
+        sslcontext.load_verify_locations(cafile=ca_certs)
+    else:
         # This is a no-op on old Python.
-        sslcontext.options |= OP_NO_SSLv2 | OP_NO_SSLv3
+        sslcontext.load_default_certs()
 
-        if certfile is not None:
-            def password():
-                f = keyfile or certfile
-                return ui.getpass(_('passphrase for %s: ') % f, '')
-            sslcontext.load_cert_chain(certfile, keyfile, password)
-        sslcontext.verify_mode = cert_reqs
-        if ca_certs is not None:
-            sslcontext.load_verify_locations(cafile=ca_certs)
-        else:
-            # This is a no-op on old Python.
-            sslcontext.load_default_certs()
-
-        sslsocket = sslcontext.wrap_socket(sock, server_hostname=serverhostname)
-        # check if wrap_socket failed silently because socket had been
-        # closed
-        # - see http://bugs.python.org/issue13721
-        if not sslsocket.cipher():
-            raise error.Abort(_('ssl connection failed'))
-        return sslsocket
-except AttributeError:
-    raise util.Abort('this should not happen')
+    sslsocket = sslcontext.wrap_socket(sock, server_hostname=serverhostname)
+    # check if wrap_socket failed silently because socket had been
+    # closed
+    # - see http://bugs.python.org/issue13721
+    if not sslsocket.cipher():
+        raise error.Abort(_('ssl connection failed'))
+    return sslsocket
 
 def _verifycert(cert, hostname):
     '''Verify that cert (in socket.getpeercert() format) matches hostname.
     CRLs is not handled.
 
     Returns error message if any problems are found and None on success.
     '''
     if not cert:
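Review bot: The now module-level `wrapsocket` still leaves its security contract implicit: the signature defaults to `cert_reqs=ssl.CERT_NONE` and the body assigns that straight to `sslcontext.verify_mode`, so a caller that omits the argument gets an encrypted but unauthenticated connection. Nothing in the visible lines checks the peer name either; `serverhostname` is only handed to `wrap_socket`, and name matching presumably happens through `_verifycert` in a caller outside this hunk. A short docstring would make this explicit, for example `'''Wrap sock in TLS. Does not verify the peer hostname; callers must pass cert_reqs=ssl.CERT_REQUIRED and validate the certificate themselves.'''`. While the comment block is being touched, "the highest it likely goes in TLS 1.0" should read "is TLS 1.0".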