Patchwork D7850: sslutil: migrate to hashutil.sha1 instead of hashlib.sha1

Submitter phabricator
Date Jan. 13, 2020, 10:48 p.m.
Message ID <differential-rev-PHID-DREV-bcgqm3unfcbsrik6biso-req@mercurial-scm.org>
Permalink /patch/44295/
State Superseded

Comments

phabricator - Jan. 13, 2020, 10:48 p.m.
durin42 created this revision.
Herald added a subscriber: mercurial-devel.
Herald added a reviewer: hg-reviewers.

REVISION SUMMARY
  This is a straight-line replacement like the others, but I split it
  out since it's used in a network context and I'm not sure this is
  appropriate (we should probably drop support for sha1
  fingerprints over TLS) and wanted this to be easily dropped.

REPOSITORY
  rHG Mercurial

BRANCH
  default

REVISION DETAIL
  https://phab.mercurial-scm.org/D7850

AFFECTED FILES
  mercurial/sslutil.py

CHANGE DETAILS




To: durin42, #hg-reviewers
Cc: mercurial-devel
phabricator - Jan. 14, 2020, 4:24 a.m.
This revision is now accepted and ready to land.
indygreg added a comment.
indygreg accepted this revision.


  Yeah, the new SHA-1 routine probably doesn't matter in this context. And we should probably drop support for SHA-1 certificate fingerprint verification. But consistency in using our SHA-1 wrapper is worth it, IMO.

REPOSITORY
  rHG Mercurial

BRANCH
  default

CHANGES SINCE LAST ACTION
  https://phab.mercurial-scm.org/D7850/new/

REVISION DETAIL
  https://phab.mercurial-scm.org/D7850

To: durin42, #hg-reviewers, indygreg
Cc: indygreg, mercurial-devel

Patch

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -24,6 +24,7 @@ 
     util,
 )
 from .utils import (
+    hashutil,
     resourceutil,
     stringutil,
 )
@@ -949,7 +950,7 @@ 
     # If a certificate fingerprint is pinned, use it and only it to
     # validate the remote cert.
     peerfingerprints = {
-        b'sha1': node.hex(hashlib.sha1(peercert).digest()),
+        b'sha1': node.hex(hashutil.sha1(peercert).digest()),
         b'sha256': node.hex(hashlib.sha256(peercert).digest()),
         b'sha512': node.hex(hashlib.sha512(peercert).digest()),
     }
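
Review bot: in the peerfingerprints dict, the b'sha1' entry now goes through hashutil.sha1 while the b'sha256' and b'sha512' entries next to it still call hashlib directly, and nothing in the hunk explains the difference. A short comment above the b'sha1' line would help the next reader: it should say that hashutil.sha1 is the project's SHA-1 wrapper, used here for consistency, and that this digest is computed over peercert for pinned-fingerprint validation, which the revision summary itself flags as a candidate for removal. Because this dict is the only thing a pinned fingerprint is compared against, it is also worth a test asserting that hashutil.sha1(peercert).digest() yields the same bytes as hashlib.sha1 did for the same certificate, so that existing sha1 pins keep matching after the swap.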