# HG changeset patch
# User Gregory Szorc
# Date 1464461908 25200
# Node ID dfc4f08aa160a8d827a4c671f1227d669b9aefb5
# Parent 1eff545cef5245a2adc5e118cbee8287b6fca635
sslutil: calculate host fingerprints from additional algorithms Currently, we only support defining host fingerprints with SHA-1. A future patch will introduce support for defining fingerprints using other hashing algorithms. In preparation for that, we rewrite the fingerprint verification code to support multiple fingerprints, namely SHA-256 and SHA-512 fingerprints. We still only display the SHA-1 fingerprint. We'll have to revisit this code once we support defining fingerprints with other hash functions. As part of this, I snuck in a change to use range() instead of xrange() because xrange() isn't necessary for such small values.
diff -r 1eff545cef52 -r dfc4f08aa160 mercurial/sslutil.py
--- a/mercurial/sslutil.py Sat May 28 12:57:28 2016 -0700
+++ b/mercurial/sslutil.py Sat May 28 11:58:28 2016 -0700
@@ -327,13 +327,18 @@
 # If a certificate fingerprint is pinned, use it and only it to
 # validate the remote cert.
- peerfingerprint = util.sha1(peercert).hexdigest()
- nicefingerprint = ":".join([peerfingerprint[x:x + 2]
- for x in xrange(0, len(peerfingerprint), 2)])
+ peerfingerprints = {
+ 'sha1': util.sha1(peercert).hexdigest(),
+ 'sha256': util.sha256(peercert).hexdigest(),
+ 'sha512': util.sha512(peercert).hexdigest(),
+ }
+ nicefingerprint = ':'.join([peerfingerprints['sha1'][x:x + 2]
+ for x in range(0, len(peerfingerprints['sha1']), 2)])
+
 if settings['certfingerprints']:
 fingerprintmatch = False
 for hash, fingerprint in settings['certfingerprints']:
- if peerfingerprint.lower() == fingerprint:
+ if peerfingerprints[hash].lower() == fingerprint:
 fingerprintmatch = True
 break
 if not fingerprintmatch:
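Review bot: The new lookup `peerfingerprints[hash]` in the pin-matching loop raises a bare `KeyError` if `settings['certfingerprints']` ever carries an algorithm name other than `sha1`, `sha256` or `sha512`. How those entries are built is outside this hunk, so this may be unreachable today. The connection would still fail closed, but with a traceback instead of the fingerprint-mismatch abort, so I would either reject unknown algorithm names where the setting is parsed or compare with `if peerfingerprints.get(hash) == fingerprint:`. Dropping `.lower()` there is safe only if `util.sha1` and friends follow hashlib, whose `hexdigest()` already returns lowercase hex. A one-line comment on the dict, such as `# keys must match the algorithm names accepted for pinned fingerprints`, would help the follow-up patch; the enclosing function begins and ends outside the hunk.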