libgit2 · wildart · Oct 9, 2015 · Oct 9, 2015 · Oct 9, 2015 · Oct 9, 2015
diff --git a/.travis.yml b/.travis.yml
@@ -48,6 +48,16 @@ matrix:
        - VALGRIND=1
          OPTIONS="-DBUILD_CLAR=ON -DBUILD_EXAMPLES=OFF -DCMAKE_BUILD_TYPE=Debug"
      os: linux
+   - compiler: gcc
+     env:
+       - MBEDTLS=1
+         OPTIONS="-DTHREADSAFE=ON -DCMAKE_BUILD_TYPE=Release -DUSE_OPENSSL=OFF -DMBEDTLS_ROOT_DIR=../mbedtls"
+     os: linux
+   - compiler: gcc
+     env:
+       - MBEDTLS=1
+         OPTIONS="-DTHREADSAFE=OFF -DBUILD_EXAMPLES=ON -DUSE_OPENSSL=OFF -DMBEDTLS_ROOT_DIR=../mbedtls"
+     os: linux
  allow_failures:
    - env: COVERITY=1
    - env:

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -85,6 +85,10 @@ IF (NOT ${CMAKE_SYSTEM_NAME} MATCHES "Darwin")
 	OPTION( USE_OPENSSL                     "Link with and use openssl library"             ON )
 ENDIF()
 
+IF (NOT USE_OPENSSL)
+	OPTION( USE_MBEDTLS                     "Link with and use mbedtls library"             ON )
+ENDIF()
+
 # This variable will contain the libraries we need to put into
 # libgit2.pc's Requires.private. That is, what we're linking to or
 # what someone who's statically linking us needs to link to.
@@ -249,6 +253,10 @@ ELSE ()
 		FIND_PACKAGE(OpenSSL)
 	ENDIF ()
 
+	IF (NOT AMIGA AND USE_MBEDTLS AND NOT USE_OPENSSL)
+		FIND_PACKAGE(mbedTLS)
+	ENDIF ()
+
 	IF (CURL_FOUND)
 		ADD_DEFINITIONS(-DGIT_CURL)
 		INCLUDE_DIRECTORIES(${CURL_INCLUDE_DIRS})
@@ -281,6 +289,9 @@ ELSEIF (OPENSSL_FOUND AND NOT SHA1_TYPE STREQUAL "builtin")
 	ELSE()
 		SET(LIBGIT2_PC_REQUIRES "${LIBGIT2_PC_REQUIRES} openssl")
 	ENDIF ()
+ELSEIF (MBEDTLS_FOUND AND NOT SHA1_TYPE STREQUAL "builtin")
+	ADD_DEFINITIONS(-DMBEDTLS_SHA1)
+	FILE(GLOB SRC_SHA1 src/hash/hash_mbedtls.c)
 ELSE()
 	FILE(GLOB SRC_SHA1 src/hash/hash_generic.c)
 ENDIF()
@@ -506,6 +517,11 @@ IF (OPENSSL_FOUND)
   SET(SSL_LIBRARIES ${OPENSSL_LIBRARIES})
 ENDIF()
 
+IF (MBEDTLS_FOUND)
+  ADD_DEFINITIONS(-DGIT_MBEDTLS)
+  INCLUDE_DIRECTORIES(${MBEDTLS_INCLUDE_DIR})
+  SET(SSL_LIBRARIES ${MBEDTLS_LIBRARIES})
+ENDIF()
 
 
 IF (THREADSAFE)
@@ -632,7 +648,7 @@ IF (BUILD_CLAR)
 	ENDIF ()
 
 	ENABLE_TESTING()
-	IF (WINHTTP OR OPENSSL_FOUND OR SECURITY_FOUND)
+	IF (WINHTTP OR OPENSSL_FOUND OR SECURITY_FOUND OR MBEDTLS_FOUND)
 		ADD_TEST(libgit2_clar libgit2_clar -ionline)
 	ELSE ()
 		ADD_TEST(libgit2_clar libgit2_clar -v)

diff --git a/cmake/Modules/FindmbedTLS.cmake b/cmake/Modules/FindmbedTLS.cmake
@@ -0,0 +1,78 @@
+# - Try to find mbedTLS
+# Once done this will define
+#
+#  MBEDTLS_ROOT_DIR - Set this variable to the root installation of mbedTLS
+#
+# Read-Only variables
+#  MBEDTLS_FOUND - system has mbedTLS
+#  MBEDTLS_INCLUDE_DIR - the mbedTLS include directory
+#  MBEDTLS_LIBRARIES - Link these to use mbedTLS
+#
+
+FIND_PATH(MBEDTLS_ROOT_DIR NAMES include/mbedtls/version.h)
+
+IF(MBEDTLS_INCLUDE_DIR AND MBEDTLS_LIBRARIES)
+    # Already in cache, be silent
+    SET(MBEDTLS_FIND_QUIETLY TRUE)
+ENDIF()
+FIND_PATH(MBEDTLS_INCLUDE_DIR
+    NAMES mbedtls/ssl.h
+    PATHS
+        ${MBEDTLS_ROOT_DIR}/include
+)
+FIND_LIBRARY(mbedtls_lib
+    NAMES mbedtls libmbedtls libmbedx509
+    PATHS
+        ${MBEDTLS_ROOT_DIR}/library
+        ${MBEDTLS_ROOT_DIR}/build/library
+)
+FIND_LIBRARY(mbedx509_lib
+    NAMES mbedx509 libmbedx509
+    PATHS
+        ${MBEDTLS_ROOT_DIR}/library
+        ${MBEDTLS_ROOT_DIR}/build/library
+)
+FIND_LIBRARY(mbedcrypto_lib
+    NAMES mbedcrypto libmbedcrypto
+    PATHS
+        ${MBEDTLS_ROOT_DIR}/library
+        ${MBEDTLS_ROOT_DIR}/build/library
+)
+
+IF(MBEDTLS_INCLUDE_DIR AND mbedtls_lib AND mbedx509_lib AND mbedcrypto_lib)
+     SET(MBEDTLS_FOUND TRUE)
+ENDIF()
+
+IF(MBEDTLS_FOUND)
+    # split mbedTLS into -L and -l linker options, so we can set them for pkg-config
+    GET_FILENAME_COMPONENT(mbedtls_path ${mbedtls_lib} PATH)
+    GET_FILENAME_COMPONENT(mbedtls_name ${mbedtls_lib} NAME_WE)
+    GET_FILENAME_COMPONENT(mbedx509_name ${mbedx509_lib} NAME_WE)
+    GET_FILENAME_COMPONENT(mbedcrypto_name ${mbedcrypto_lib} NAME_WE)
+    STRING(REGEX REPLACE "^lib" "" mbedtls_name ${mbedtls_name})
+    STRING(REGEX REPLACE "^lib" "" mbedx509_name ${mbedx509_name})
+    STRING(REGEX REPLACE "^lib" "" mbedcrypto_name ${mbedcrypto_name})
+    SET(MBEDTLS_LIBRARIES "-L${mbedtls_path} -l${mbedtls_name} -l${mbedx509_name} -l${mbedcrypto_name}")
+
+    IF(NOT MBEDTLS_FIND_QUIETLY)
+        MESSAGE(STATUS "Found mbedTLS:")
+        FILE(READ ${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h MBEDTLSCONTENT)
+        STRING(REGEX MATCH "MBEDTLS_VERSION_STRING +\"[0-9|.]+\"" MBEDTLSMATCH ${MBEDTLSCONTENT})
+        IF (MBEDTLSMATCH)
+            STRING(REGEX REPLACE "MBEDTLS_VERSION_STRING +\"([0-9|.]+)\"" "\\1" MBEDTLS_VERSION ${MBEDTLSMATCH})
+            MESSAGE(STATUS "  version ${MBEDTLS_VERSION}")
+        ENDIF(MBEDTLSMATCH)
+        MESSAGE(STATUS "  TLS: ${mbedtls_lib}")
+        MESSAGE(STATUS "  X509: ${mbedx509_lib}")
+        MESSAGE(STATUS "  Crypto: ${mbedcrypto_lib}")
+    ENDIF(NOT MBEDTLS_FIND_QUIETLY)
+ELSE(MBEDTLS_FOUND)
+    IF(MBEDTLS_FIND_REQUIRED)
+        MESSAGE(FATAL_ERROR "Could not find mbedTLS")
+    ENDIF(MBEDTLS_FIND_REQUIRED)
+ENDIF(MBEDTLS_FOUND)
+
+MARK_AS_ADVANCED(
+    MBEDTLS_INCLUDE_DIR
+    MBEDTLS_LIBRARIES
+)
diff --git a/script/cibuild.sh b/script/cibuild.sh
@@ -6,6 +6,11 @@ then
 	exit $?;
 fi
 
+if [ -n "$MBEDTLS" ];
+then
+    ./script/mbedtls.sh;
+fi
+
 mkdir _build
 cd _build
 # shellcheck disable=SC2086

diff --git a/script/mbedtls.sh b/script/mbedtls.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+git clone https://github.com/ARMmbed/mbedtls.git mbedtls
+cd mbedtls
+git checkout mbedtls-2.1.2
+make CFLAGS='-fPIC -fpic' -j2 lib
diff --git a/src/global.c b/src/global.c
@@ -28,6 +28,20 @@ static git_mutex *openssl_locks;
 # endif
 #endif
 
+#ifdef GIT_MBEDTLS
+#include "mbedtls/config.h"
+#include "mbedtls/platform.h"
+#include "mbedtls/ssl.h"
+#include "mbedtls/entropy.h"
+#include "mbedtls/ctr_drbg.h"
+#include "mbedtls/certs.h"
+
+#define CRT_LOC "/etc/ssl/certs"
+
+mbedtls_ssl_config *git__ssl_conf;
+mbedtls_entropy_context *mbedtls_entropy;
+#endif
+
 static git_global_shutdown_fn git__shutdown_callbacks[MAX_SHUTDOWN_CB];
 static git_atomic git__n_shutdown_callbacks;
 static git_atomic git__n_inits;
@@ -117,6 +131,60 @@ static void init_ssl(void)
 		git__ssl_ctx = NULL;
 	}
 #endif
+
+#ifdef GIT_MBEDTLS
+	int ret = 0;
+	mbedtls_ctr_drbg_context *ctr_drbg;
+	mbedtls_x509_crt *cacert;
+
+	mbedtls_entropy = git__malloc(sizeof(mbedtls_entropy_context));
+	mbedtls_entropy_init(mbedtls_entropy);
+
+	// Seeding the random number generator
+	ctr_drbg = git__malloc(sizeof(mbedtls_ctr_drbg_context));
+	mbedtls_ctr_drbg_init(ctr_drbg);
+	if (!ret && ( ret = mbedtls_ctr_drbg_seed(ctr_drbg,
+				mbedtls_entropy_func,
+				mbedtls_entropy, NULL, 0) ) != 0) {
+		mbedtls_ctr_drbg_free(ctr_drbg);
+		git__free(ctr_drbg);
+	}
+
+	// Configure TLSv1
+	if (!ret) {
+		git__ssl_conf = git__malloc(sizeof(mbedtls_ssl_config));
+		mbedtls_ssl_config_init(git__ssl_conf);
+		if ( (ret = mbedtls_ssl_config_defaults(git__ssl_conf,
+					MBEDTLS_SSL_IS_CLIENT,
+					MBEDTLS_SSL_TRANSPORT_STREAM,
+					MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0) {
+			mbedtls_ctr_drbg_free(ctr_drbg);
+			git__free(ctr_drbg);
+			mbedtls_ssl_config_free(git__ssl_conf);
+			git__free(git__ssl_conf);
+			git__ssl_conf = NULL;
+		} else {
+			mbedtls_ssl_conf_authmode(git__ssl_conf, MBEDTLS_SSL_VERIFY_REQUIRED);
+			mbedtls_ssl_conf_rng(git__ssl_conf, mbedtls_ctr_drbg_random, ctr_drbg);
+
+			cacert = git__malloc(sizeof(mbedtls_x509_crt));
+			mbedtls_x509_crt_init(cacert);
+			ret = mbedtls_x509_crt_parse_path(cacert, CRT_LOC);
+			if (ret) {
+				giterr_set(GITERR_SSL, "failed to load CA certificates: %d", ret);
+				mbedtls_x509_crt_free(cacert);
+				git__free(cacert);
+				mbedtls_ctr_drbg_free(ctr_drbg);
+				git__free(ctr_drbg);
+				mbedtls_ssl_config_free(git__ssl_conf);
+				git__free(git__ssl_conf);
+				git__ssl_conf = NULL;
+			} else {
+				mbedtls_ssl_conf_ca_chain(git__ssl_conf, cacert, NULL);
+			}
+		}
+	}
+#endif
 }
 
 /**
@@ -131,6 +199,22 @@ static void uninit_ssl(void)
 		git__ssl_ctx = NULL;
 	}
 #endif
+#ifdef GIT_MBEDTLS
+	if (git__ssl_conf) {
+		mbedtls_x509_crt_free(git__ssl_conf->ca_chain);
+		git__free(git__ssl_conf->ca_chain);
+		mbedtls_ctr_drbg_free(git__ssl_conf->p_rng);
+		git__free(git__ssl_conf->p_rng);
+		mbedtls_ssl_config_free(git__ssl_conf);
+		git__free(git__ssl_conf);
+		git__ssl_conf = NULL;
+	}
+	if (mbedtls_entropy) {
+		mbedtls_entropy_free(mbedtls_entropy);
+		git__free(mbedtls_entropy);
+		mbedtls_entropy = NULL;
+	}
+#endif
 }
 
 int git_openssl_set_locking(void)

diff --git a/src/global.h b/src/global.h
@@ -23,6 +23,11 @@ typedef struct {
 extern SSL_CTX *git__ssl_ctx;
 #endif
 
+#ifdef GIT_MBEDTLS
+#include "mbedtls/ssl.h"
+extern mbedtls_ssl_config *git__ssl_conf;
+#endif
+
 git_global_st *git__global_state(void);
 
 extern git_mutex git__mwindow_mutex;

diff --git a/src/hash.h b/src/hash.h
@@ -20,6 +20,8 @@ void git_hash_ctx_cleanup(git_hash_ctx *ctx);
 # include "hash/hash_common_crypto.h"
 #elif defined(OPENSSL_SHA1)
 # include "hash/hash_openssl.h"
+#elif defined(MBEDTLS_SHA1)
+# include "hash/hash_mbedtls.h"
 #elif defined(WIN32_SHA1)
 # include "hash/hash_win32.h"
 #else

diff --git a/src/hash/hash_mbedtls.c b/src/hash/hash_mbedtls.c
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) the libgit2 contributors. All rights reserved.
+ *
+ * This file is part of libgit2, distributed under the GNU GPL v2 with
+ * a Linking Exception. For full terms see the included COPYING file.
+ */
+
+#include "common.h"
+#include "hash.h"
+#include "hash/hash_mbedtls.h"
+
+void git_hash_ctx_cleanup(git_hash_ctx *ctx)
+{
+    assert(ctx);
+    mbedtls_sha1_free(&ctx->c);
+}
+
+int git_hash_init(git_hash_ctx *ctx)
+{
+    assert(ctx);
+    mbedtls_sha1_init(&ctx->c);
+    mbedtls_sha1_starts(&ctx->c);
+    return 0;
+}
+
+int git_hash_update(git_hash_ctx *ctx, const void *data, size_t len)
+{
+    assert(ctx);
+    mbedtls_sha1_update(&ctx->c, data, len);
+    return 0;
+}
+
+int git_hash_final(git_oid *out, git_hash_ctx *ctx)
+{
+    assert(ctx);
+    mbedtls_sha1_finish(&ctx->c, out->id);
+    return 0;
+}
diff --git a/src/hash/hash_mbedtls.h b/src/hash/hash_mbedtls.h
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) the libgit2 contributors. All rights reserved.
+ *
+ * This file is part of libgit2, distributed under the GNU GPL v2 with
+ * a Linking Exception. For full terms see the included COPYING file.
+ */
+
+#ifndef INCLUDE_hash_mbedtld_h__
+#define INCLUDE_hash_mbedtld_h__
+
+#include <mbedtls/sha1.h>
+
+struct git_hash_ctx {
+    mbedtls_sha1_context c;
+};
+
+#define git_hash_global_init() 0
+#define git_hash_ctx_init(ctx) git_hash_init(ctx)
+
+#endif /* INCLUDE_hash_mbedtld_h__ */