From patchwork Thu Jun 2 03:16:21 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [7,of,9,V3] sslutil: refactor code for fingerprint matching
From: Gregory Szorc
X-Patchwork-Id: 15333
Message-Id:
To: mercurial-devel@mercurial-scm.org
Date: Wed, 01 Jun 2016 20:16:21 -0700
# HG changeset patch
# User Gregory Szorc
# Date 1464648183 25200
# Mon May 30 15:43:03 2016 -0700
# Node ID cc855ebb788812f158084387690685c9551dd6b6
# Parent baae958f1ccd0a5f905b4ce9a675c50cdf25c335
sslutil: refactor code for fingerprint matching
We didn't need to use a temporary variable to indicate success because we just return anyway. This refactor makes the code simpler. While we're here, we also call into formatfingerprint() to ensure the fingerprint from the proper hashing algorithm is logged.
diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -381,28 +381,25 @@ def validatesocket(sock):
 nicefingerprint = 'sha256:%s' % fmtfingerprint(peerfingerprints['sha256'])
 if settings['legacyfingerprint']:
 section = 'hostfingerprint'
 else:
 section = 'hostsecurity'
 if settings['certfingerprints']:
- fingerprintmatch = False
 for hash, fingerprint in settings['certfingerprints']:
 if peerfingerprints[hash].lower() == fingerprint:
- fingerprintmatch = True
- break
- if not fingerprintmatch:
- raise error.Abort(_('certificate for %s has unexpected '
- 'fingerprint %s') % (host, legacyfingerprint),
- hint=_('check %s configuration') % section)
- ui.debug('%s certificate matched fingerprint %s\n' %
- (host, legacyfingerprint))
- return
+ ui.debug('%s certificate matched fingerprint %s:%s\n' %
+ (host, hash, fmtfingerprint(fingerprint)))
+ return
+
+ raise error.Abort(_('certificate for %s has unexpected '
+ 'fingerprint %s') % (host, legacyfingerprint),
+ hint=_('check %s configuration') % section)
 if not sock._hgstate['caloaded']:
 ui.warn(_('warning: %s certificate with fingerprint %s '
 'not verified (check %s or web.cacerts config '
 'setting)\n') % (host, nicefingerprint, section))
 return
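Review bot: The `raise error.Abort(...)` that closes the `if settings['certfingerprints']:` block still formats `legacyfingerprint` into the user-facing message, although the success path just above it now logs `hash` and `fmtfingerprint(fingerprint)`. `legacyfingerprint` is defined outside the hunk (its name suggests the SHA-1 digest), so an operator who pinned a sha256 or sha512 value under `hostsecurity` would probably be shown a fingerprint that cannot be compared with the configured pin. Consider reporting a digest that matches the section in use, for instance `% (host, nicefingerprint if section == 'hostsecurity' else legacyfingerprint)`. A one-line comment above the new `return`, such as `# a pinned fingerprint match ends validation here; later checks are skipped`, would make the early exit explicit for the next reader. validatesocket() begins and ends outside this hunk, so what the later checks are cannot be confirmed from here.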