better search for CA certificates: using EVs and build-time macros
properly reload certificates in libgit2_options
wildart committed Jul 29, 2016
commit 6b556a62ee102115ebc916612442f4e5948d689f
74 changes: 58 additions & 16 deletions src/mbedtls_stream.c
Expand Up @@ -29,7 +29,13 @@
#include "mbedtls/error.h"
#include "mbedtls/certs.h"

#define CRT_LOC "/etc/ssl/certs"
#ifndef OPENSSLDIR
# define OPENSSLDIR "/usr/lib/ssl"
cross-linking to JuliaLang/julia#18693, this isn't very uniform across distributions and we might want to come up with a better certificate search mechanism?

How about taking the value for this from a cmake-time variable with /usr/lib/ssl as the default?

I guess that can already be done in CFLAGS (however cmake spells its equivalent) with a -DOPENSSLDIR mostly-equivalently. Maybe this isn't really libgit2's problem to solve.

#endif
#define X509_CERT_DIR OPENSSLDIR "/certs"
#define X509_CERT_FILE OPENSSLDIR "/cert.pem"
#define X509_CERT_DIR_EVP "SSL_CERT_DIR"
#define X509_CERT_FILE_EVP "SSL_CERT_FILE"

mbedtls_ssl_config *git__ssl_conf;
mbedtls_entropy_context *mbedtls_entropy;
Expand Down Expand Up @@ -60,12 +66,13 @@ static void shutdown_ssl(void)

int git_mbedtls_stream_global_init(void)
{
int ret;
int ret, isdir;
char *crtpath;
struct stat statbuf;
// const int *cipherids;
// const char *ciphers = git_libgit2__ssl_ciphers();

mbedtls_ctr_drbg_context *ctr_drbg;
mbedtls_x509_crt *cacert;

mbedtls_entropy = git__malloc(sizeof(mbedtls_entropy_context));
mbedtls_entropy_init(mbedtls_entropy);
Expand Down Expand Up @@ -101,29 +108,64 @@ int git_mbedtls_stream_global_init(void)
mbedtls_ssl_conf_authmode(git__ssl_conf, MBEDTLS_SSL_VERIFY_REQUIRED);
mbedtls_ssl_conf_rng(git__ssl_conf, mbedtls_ctr_drbg_random, ctr_drbg);

// set the list of allowed ciphersuites
// if (!ciphers) {
// cipherids = mbedtls_ssl_list_ciphersuites();
// }
// mbedtls_ssl_conf_ciphersuites(git__ssl_conf, cipherids);
// find locations for which CA certificates
libgit2 is very much not in the business of guessing where SSL certificates live on everyone's machine. A distribution-provided mbedtls should know already. And if this is being shipped as part of a bundle, the application is the only one which would know what to use.

isdir = 0;
crtpath = getenv(X509_CERT_FILE_EVP);
ret = crtpath != NULL && stat(crtpath, &statbuf) == 0 && S_ISREG(statbuf.st_mode) ? 0 : 1;
if (ret) {
isdir = 1;
crtpath = getenv(X509_CERT_DIR_EVP);
ret = crtpath != NULL && stat(crtpath, &statbuf) == 0 && S_ISDIR(statbuf.st_mode) ? 0 : 1;
}
if (ret) {
isdir = 0;
crtpath = X509_CERT_FILE;
ret = crtpath != NULL && stat(crtpath, &statbuf) == 0 && S_ISREG(statbuf.st_mode) ? 0 : 1;
}
if (ret) {
isdir = 1;
crtpath = X509_CERT_DIR;
ret = crtpath != NULL && stat(crtpath, &statbuf) == 0 && S_ISDIR(statbuf.st_mode) ? 0 : 1;
}

// set root certificates
cacert = git__malloc(sizeof(mbedtls_x509_crt));
mbedtls_x509_crt_init(cacert);
ret = mbedtls_x509_crt_parse_path(cacert, CRT_LOC);
// cannot find CA certificates
if (ret) {
giterr_set(GITERR_SSL, "failed to load CA certificates: %d", ret);
mbedtls_x509_crt_free(cacert);
git__free(cacert);
mbedtls_ctr_drbg_free(ctr_drbg);
git__free(ctr_drbg);
mbedtls_ssl_config_free(git__ssl_conf);
git__free(git__ssl_conf);
git__ssl_conf = NULL;
return -1;
} else {
mbedtls_ssl_conf_ca_chain(git__ssl_conf, cacert, NULL);
// set root certificates
mbedtls_x509_crt *cacert = git__malloc(sizeof(mbedtls_x509_crt));
mbedtls_x509_crt_init(cacert);
if (isdir)
ret = mbedtls_x509_crt_parse_path(cacert, crtpath);
else
ret = mbedtls_x509_crt_parse_file(cacert, crtpath);

if (ret) {
giterr_set(GITERR_SSL, "failed to load CA certificates: %d", ret);
mbedtls_x509_crt_free(cacert);
git__free(cacert);
mbedtls_ctr_drbg_free(ctr_drbg);
git__free(ctr_drbg);
mbedtls_ssl_config_free(git__ssl_conf);
git__free(git__ssl_conf);
git__ssl_conf = NULL;
return -1;
} else {
mbedtls_ssl_conf_ca_chain(git__ssl_conf, cacert, NULL);
}
}

// set the list of allowed ciphersuites
// if (!ciphers) {
// cipherids = mbedtls_ssl_list_ciphersuites();
// }
// mbedtls_ssl_conf_ciphersuites(git__ssl_conf, cipherids);

git__on_shutdown(shutdown_ssl);

return 0;
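Review bot: The lookup starting at `crtpath = getenv(X509_CERT_FILE_EVP);` and the SSL_CERT_DIR branch after it let the process environment pick the trust anchors ahead of the build-time OPENSSLDIR default, which mirrors OpenSSL's own convention but is recorded nowhere in the code; a comment before `isdir = 0;` such as `/* SSL_CERT_FILE / SSL_CERT_DIR override the build-time OPENSSLDIR default, as OpenSSL does: whoever controls the environment chooses the trust anchors, so embedders that cannot trust their environment should set the location explicitly via git_libgit2_opts. */` would make that trust decision visible. The `if (ret)` after `mbedtls_x509_crt_parse_path(cacert, crtpath)` treats mbedtls's positive "some files in the directory did not parse" result the same as a hard error, so a single stray non-certificate file in the certs directory aborts global init; if failing closed is intended, say so in the comment, otherwise accept `ret > 0` there while still rejecting a chain into which nothing was loaded. The `_EVP` suffix on the two environment-variable macros reads as OpenSSL's EVP API rather than an environment variable name; `X509_CERT_DIR_ENV` / `X509_CERT_FILE_ENV` would say what they are. The `crtpath != NULL` tests on the two compile-time string constants `X509_CERT_FILE` and `X509_CERT_DIR` are dead and can be dropped. git_mbedtls_stream_global_init opens before this hunk and its closing brace lies after it.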
21 changes: 15 additions & 6 deletions src/settings.c
Expand Up @@ -184,15 +184,24 @@ int git_libgit2_opts(int key, ...)
const char *path = va_arg(ap, const char *);
int ret = 0;
char errbuf[512];
if (!file) {
ret = mbedtls_x509_crt_parse_file(git__ssl_conf->ca_chain, file);
} else if (!path) {
ret = mbedtls_x509_crt_parse_path(git__ssl_conf->ca_chain, path);
mbedtls_x509_crt *cacert;
cacert = git__malloc(sizeof(mbedtls_x509_crt));
mbedtls_x509_crt_init(cacert);
if (file) {
ret = mbedtls_x509_crt_parse_file(cacert, file);
} else if (path) {
ret = mbedtls_x509_crt_parse_path(cacert, path);
}
if (ret != 0) {
if (!ret) {
mbedtls_x509_crt_free(cacert);
git__free(cacert);
mbedtls_strerror( ret, errbuf, 512 );
giterr_set(GITERR_NET, "SSL error: %d - %s", ret, errbuf);
giterr_set(GITERR_SSL, "SSL error: failed to load CA certificates : %s (%d)", ret, errbuf);
error = -1;
} else {
mbedtls_x509_crt_free(git__ssl_conf->ca_chain);
git__free(git__ssl_conf->ca_chain);
mbedtls_ssl_conf_ca_chain(git__ssl_conf, cacert, NULL);
}
}
#else
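Review bot: The success and failure branches are swapped at `if (!ret) {`: mbedtls_x509_crt_parse_file and mbedtls_x509_crt_parse_path return 0 on success, so the new code frees the freshly parsed `cacert` and reports an SSL error when loading worked, and on a parse failure installs the empty or partially filled `cacert` through `mbedtls_ssl_conf_ca_chain` while returning success, leaving later TLS verification running against a trust store the caller never asked for; the line should read `if (ret != 0) {`. On the same error path the giterr_set arguments are reversed against the format string, passing the int `ret` to `%s` and `errbuf` to `%d`, which is undefined behaviour and will typically crash; use `giterr_set(GITERR_SSL, "SSL error: failed to load CA certificates : %s (%d)", errbuf, ret);`. When both `file` and `path` are NULL nothing is parsed, `ret` stays 0, and the existing chain would be replaced by an empty one, so that case should be rejected before the allocation rather than falling through to the install branch. Replacing the literal `512` in the mbedtls_strerror call with `sizeof errbuf` keeps it in step with the buffer declaration. git_libgit2_opts starts before this hunk and continues past it.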