mbedtls: load default CA certificates

wildart · tiennou · commit 27c3d684e716 · 2017-08-10T00:05:11.000+02:00
diff --git a/src/streams/mbedtls.c b/src/streams/mbedtls.c
@@ -22,10 +22,17 @@
 
 #include <mbedtls/config.h>
 #include <mbedtls/ssl.h>
+#include <mbedtls/error.h>
 #include <mbedtls/entropy.h>
 #include <mbedtls/ctr_drbg.h>
 
-#define CRT_LOC "/etc/ssl/certs"
+#ifndef OPENSSLDIR
+# define OPENSSLDIR              "/usr/lib/ssl"
+#endif
+#define X509_CERT_DIR            OPENSSLDIR "/certs"
+#define X509_CERT_FILE           OPENSSLDIR "/cert.pem"
+#define X509_CERT_DIR_EVP        "SSL_CERT_DIR"
+#define X509_CERT_FILE_EVP       "SSL_CERT_FILE"
 
 mbedtls_ssl_config *git__ssl_conf;
 mbedtls_entropy_context *mbedtls_entropy;
@@ -55,9 +62,13 @@ static void shutdown_ssl(void)
 	}
 }
 
+int git_mbedtls__set_cert_location(const char *file, const char *path);
+
 int git_mbedtls_stream_global_init(void)
 {
-	int ret;
+	int found, isdir;
+	char *crtpath;
+	struct stat statbuf;
 	mbedtls_ctr_drbg_context *ctr_drbg = NULL;
 
 	int *ciphers_list = NULL;
@@ -115,16 +126,33 @@ int git_mbedtls_stream_global_init(void)
 
 	mbedtls_ssl_conf_rng(git__ssl_conf, mbedtls_ctr_drbg_random, ctr_drbg);
 
-	// set root certificates
-	cacert = git__malloc(sizeof(mbedtls_x509_crt));
-	mbedtls_x509_crt_init(cacert);
-	ret = mbedtls_x509_crt_parse_path(cacert, CRT_LOC);
-	if (ret) {
-		giterr_set(GITERR_SSL, "failed to load CA certificates: %d", ret);
-		goto cleanup;
+	// find locations for which CA certificates
+	isdir = 0;
+	crtpath = getenv(X509_CERT_FILE_EVP);
+	found = crtpath != NULL && stat(crtpath, &statbuf) == 0 && S_ISREG(statbuf.st_mode);
+	if (!found) {
+		isdir = 1;
+		crtpath = getenv(X509_CERT_DIR_EVP);
+		found = crtpath != NULL && stat(crtpath, &statbuf) == 0 && S_ISDIR(statbuf.st_mode);
+	}
+	if (!found) {
+		isdir = 0;
+		crtpath = X509_CERT_FILE;
+		found = crtpath != NULL && stat(crtpath, &statbuf) == 0 && S_ISREG(statbuf.st_mode);
+	}
+	if (!found) {
+		isdir = 1;
+		crtpath = X509_CERT_DIR;
+		found = crtpath != NULL && stat(crtpath, &statbuf) == 0 && S_ISDIR(statbuf.st_mode);
 	}
 
-	mbedtls_ssl_conf_ca_chain(git__ssl_conf, cacert, NULL);
+	// set root certificates
+	if (found) {
+		if (isdir)
+			git_mbedtls__set_cert_location(NULL, crtpath);
+		else
+			git_mbedtls__set_cert_location(crtpath, NULL);
+	}
 
 	git__on_shutdown(shutdown_ssl);
 
@@ -445,16 +473,26 @@ int git_mbedtls__set_cert_location(const char *file, const char *path)
 {
 	int ret = 0;
 	char errbuf[512];
-	if (!file) {
-		ret = mbedtls_x509_crt_parse_file(git__ssl_conf->ca_chain, file);
-	} else if (!path) {
-		ret = mbedtls_x509_crt_parse_path(git__ssl_conf->ca_chain, path);
+	mbedtls_x509_crt *cacert;
+	cacert = git__malloc(sizeof(mbedtls_x509_crt));
+	mbedtls_x509_crt_init(cacert);
+	if (file) {
+		ret = mbedtls_x509_crt_parse_file(cacert, file);
+	} else if (path) {
+		ret = mbedtls_x509_crt_parse_path(cacert, path);
 	}
-	if (ret != 0) {
+	if (!ret) {
+		mbedtls_x509_crt_free(cacert);
+		git__free(cacert);
 		mbedtls_strerror( ret, errbuf, 512 );
-		giterr_set(GITERR_NET, "SSL error: %d - %s", ret, errbuf);
+		giterr_set(GITERR_SSL, "failed to load CA certificates : %s (%d)", errbuf, ret);
 		return -1;
 	}
+
+	mbedtls_x509_crt_free(git__ssl_conf->ca_chain);
+	git__free(git__ssl_conf->ca_chain);
+	mbedtls_ssl_conf_ca_chain(git__ssl_conf, cacert, NULL);
+
 	return 0;
 }
 
