update to 0.24.1
wildart committed Jul 29, 2016
commit cc156e4a1228882a93fe4d5b4cef35b34c1f39fb
5 changes: 3 additions & 2 deletions CMakeLists.txt
@@ -110,9 +110,10 @@ ENDIF()

IF (HAVE_STRUCT_STAT_NSEC OR WIN32)
OPTION( USE_NSEC "Care about sub-second file mtimes and ctimes" ON )
ENDIF()

IF (NOT USE_OPENSSL)
OPTION( USE_MBEDTLS "Link with and use mbedtls library" ON )
OPTION( USE_MBEDTLS "Link with and use mbedTLS library" ON )
Contributor

we should default this to off, otherwise on darwin it'll try to use both the apple crypto and mbedtls if found

Contributor Author

I think it needs to default to on, but it needs to get wrapped in the same "not darwin". Will add a patch to fix.

Contributor

why should it default to on?

Contributor

it might be possible to use openssl or mbedtls on darwin instead of the apple crypto, but that might not be supported here

Contributor Author

It should default to on when not on Darwin and not using OpenSSL, to attempt to autodetect mbedTLS if it doesn't find OpenSSL. If it defaulted to off, you'd have to explicitly enable mbedTLS even if you have mbedTLS installed and OpenSSL not installed.

Contributor

right that makes sense, but that's what should determine the default, not whether or not the option gets defined at all? though since the openssl option isn't defined at all for darwin, at least this would be consistent

Contributor Author

Right; consistency seems preferable here. It might make sense for a future patch to go through CMakeLists.txt, define all options unconditionally, and change all the conditionals to just set the default values. But I don't think this patch should make that unrelated change.

ENDIF()

# This variable will contain the libraries we need to put into
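Review bot: as the thread above points out, this OPTION is defined only under IF (NOT USE_OPENSSL), so on Darwin, where the OpenSSL option is not defined at all and USE_OPENSSL is therefore unset, USE_MBEDTLS defaults to ON and CMake will look for mbedTLS alongside the Security framework backend. The follow-up patch mentioned in the discussion should wrap this OPTION in the same not-Darwin condition as the OpenSSL option, so the default can never enable two TLS backends at once.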
@@ -286,7 +287,7 @@ ELSE ()
FIND_PACKAGE(OpenSSL)
ENDIF ()

IF (NOT AMIGA AND USE_MBEDTLS AND NOT USE_OPENSSL)
IF (NOT AMIGA AND USE_MBEDTLS)
Contributor

is amiga relevant? wonder why openssl is gated on NOT AMIGA ...

Contributor Author

Not sure. @sba1 made that change in commit c57c4af.

Contributor

I don't think that it is relevant for the Amiga port right now.

However, the identification of OpenSSL is disabled on Amiga, because FIND_PACKAGE produced wrong results when cross compiling (it added wrong (i.e., native) include paths), at least, if I remember it correctly. Instead, it is assumed that OpenSSL is available on this platform in the (cross) compiler's standard include path and libgit2 is only statically linked.

In essence, special care for Amiga doesn't need to be done in new stuff. From time to time, I'll take care of it and submit pull requests.

FIND_PACKAGE(mbedTLS)
ENDIF ()
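Review bot: dropping `AND NOT USE_OPENSSL` from this condition relies on USE_MBEDTLS being undefined whenever USE_OPENSSL is on, which holds only because the OPTION in the earlier hunk is declared inside IF (NOT USE_OPENSSL). A cached or command-line `-DUSE_MBEDTLS=ON` together with USE_OPENSSL=ON would still run FIND_PACKAGE(mbedTLS) and, if the library is found, end up linking both TLS backends. Keeping the `NOT USE_OPENSSL` guard here is cheap and makes the mutual exclusion explicit rather than implied by option scoping.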

1 change: 1 addition & 0 deletions src/global.h
@@ -24,6 +24,7 @@ extern SSL_CTX *git__ssl_ctx;
#endif

#ifdef GIT_MBEDTLS
# include "mbedtls/platform.h"
# include "mbedtls/ssl.h"
Member

Why are these specified as relative imports? Why wouldn't <mbedtls/platform.h> and <mbedtls/ssl.h> work?

extern mbedtls_ssl_config *git__ssl_conf;
#endif
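Review bot: mbedtls/platform.h is not needed for the `extern mbedtls_ssl_config *git__ssl_conf;` declaration; mbedtls/ssl.h already defines mbedtls_ssl_config. Dropping the platform.h include from this shared header (and adding it to the .c file if something there actually needs it) keeps the public-ish header's dependency surface minimal.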
132 changes: 122 additions & 10 deletions src/mbedtls_stream.c
@@ -18,10 +18,116 @@
# include "curl_stream.h"
#endif

#include <mbedtls/ssl.h>
#include "mbedtls/config.h"
#include <mbedtls/x509.h>
#include <mbedtls/x509_crt.h>
#include <mbedtls/error.h>
#include "mbedtls/net.h"
#include "mbedtls/debug.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/error.h"
#include "mbedtls/certs.h"

#define CRT_LOC "/etc/ssl/certs"

mbedtls_ssl_config *git__ssl_conf;
mbedtls_entropy_context *mbedtls_entropy;

#define GIT_SSL_DEFAULT_CIPHERS "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA"

/**
* This function aims to clean-up the SSL context which
* we allocated.
*/
static void shutdown_ssl(void)
{
if (git__ssl_conf) {
mbedtls_x509_crt_free(git__ssl_conf->ca_chain);
git__free(git__ssl_conf->ca_chain);
mbedtls_ctr_drbg_free(git__ssl_conf->p_rng);
git__free(git__ssl_conf->p_rng);
mbedtls_ssl_config_free(git__ssl_conf);
git__free(git__ssl_conf);
git__ssl_conf = NULL;
}
if (mbedtls_entropy) {
mbedtls_entropy_free(mbedtls_entropy);
git__free(mbedtls_entropy);
mbedtls_entropy = NULL;
}
}

int git_mbedtls_stream_global_init(void)
{
int ret;
// const int *cipherids;
// const char *ciphers = git_libgit2__ssl_ciphers();

mbedtls_ctr_drbg_context *ctr_drbg;
mbedtls_x509_crt *cacert;

mbedtls_entropy = git__malloc(sizeof(mbedtls_entropy_context));
mbedtls_entropy_init(mbedtls_entropy);

// Seeding the random number generator
ctr_drbg = git__malloc(sizeof(mbedtls_ctr_drbg_context));
mbedtls_ctr_drbg_init(ctr_drbg);
if (mbedtls_ctr_drbg_seed(ctr_drbg,
mbedtls_entropy_func,
mbedtls_entropy, NULL, 0) != 0) {
mbedtls_ctr_drbg_free(ctr_drbg);
mbedtls_entropy_free(mbedtls_entropy);
git__free(ctr_drbg);
git__free(mbedtls_entropy);
return -1;
}
Member

Why are we seeding the random number generator for crypto? This is something the library should be asking the operating system whenever it needs a random number.


// configure TLSv1
Member

This comment implies that we're setting the minimum SSL/TLS version to be TLS, but there's no code to do this. The documentation for mbedtls says the default is TLS 1.0 so leaving the defaults should be OK, but the comment should be saying explicitly how we're getting the minimum version.

git__ssl_conf = git__malloc(sizeof(mbedtls_ssl_config));
mbedtls_ssl_config_init(git__ssl_conf);
if ( mbedtls_ssl_config_defaults(git__ssl_conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT ) != 0) {
mbedtls_ctr_drbg_free(ctr_drbg);
git__free(ctr_drbg);
mbedtls_ssl_config_free(git__ssl_conf);
git__free(git__ssl_conf);
git__ssl_conf = NULL;
return -1;
}

mbedtls_ssl_conf_authmode(git__ssl_conf, MBEDTLS_SSL_VERIFY_REQUIRED);
mbedtls_ssl_conf_rng(git__ssl_conf, mbedtls_ctr_drbg_random, ctr_drbg);

// set the list of allowed ciphersuites
// if (!ciphers) {
// cipherids = mbedtls_ssl_list_ciphersuites();
// }
// mbedtls_ssl_conf_ciphersuites(git__ssl_conf, cipherids);

// set root certificates
cacert = git__malloc(sizeof(mbedtls_x509_crt));
mbedtls_x509_crt_init(cacert);
ret = mbedtls_x509_crt_parse_path(cacert, CRT_LOC);
if (ret) {
giterr_set(GITERR_SSL, "failed to load CA certificates: %d", ret);
mbedtls_x509_crt_free(cacert);
git__free(cacert);
mbedtls_ctr_drbg_free(ctr_drbg);
git__free(ctr_drbg);
mbedtls_ssl_config_free(git__ssl_conf);
git__free(git__ssl_conf);
git__ssl_conf = NULL;
} else {
mbedtls_ssl_conf_ca_chain(git__ssl_conf, cacert, NULL);
}

git__on_shutdown(shutdown_ssl);

return 0;
}

static int bio_read(void *b, unsigned char *buf, size_t len)
{
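Review bot: the CA-load failure branch in git_mbedtls_stream_global_init does not return an error. After giterr_set and freeing git__ssl_conf (and setting it to NULL), control falls through to git__on_shutdown(shutdown_ssl) and `return 0;`, so the caller sees success while git__ssl_conf is NULL and a later stream setup will dereference it; add `return -1;` at the end of the `if (ret)` block, mirroring the earlier error paths. Two related points in the same function: mbedtls_x509_crt_parse_path returns a positive count for certificates that failed to parse while the rest succeeded, so `if (ret)` rejects a CA directory that is only partly parseable (not unusual for /etc/ssl/certs); treating only `ret < 0` as fatal matches the API's semantics. And the mbedtls_ssl_config_defaults failure path frees ctr_drbg and the config but not mbedtls_entropy, which leaks because shutdown_ssl is not registered until the end of the function. Minor: the include block mixes `<mbedtls/...>` and `"mbedtls/..."` forms and pulls in error.h twice, and GIT_SSL_DEFAULT_CIPHERS is an OpenSSL-style cipher string that nothing in this file uses (mbedTLS takes integer ciphersuite ids via mbedtls_ssl_conf_ciphersuites, as the commented-out code suggests), so it should either be wired up or removed.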
@@ -218,7 +324,7 @@ static int mbedtls_set_proxy(git_stream *stream, const char *proxy_url)
return git_stream_set_proxy(st->io, proxy_url);
}

ssize_t mbedtls_write(git_stream *stream, const char *data, size_t len, int flags)
ssize_t mbedtls_stream_write(git_stream *stream, const char *data, size_t len, int flags)
{
mbedtls_stream *st = (mbedtls_stream *) stream;
int ret;
@@ -232,7 +338,7 @@ ssize_t mbedtls_write(git_stream *stream, const char *data, size_t len, int flag
return ret;
}

ssize_t mbedtls_read(git_stream *stream, void *data, size_t len)
ssize_t mbedtls_stream_read(git_stream *stream, void *data, size_t len)
{
mbedtls_stream *st = (mbedtls_stream *) stream;
int ret;
@@ -243,7 +349,7 @@ ssize_t mbedtls_read(git_stream *stream, void *data, size_t len)
return ret;
}

int mbedtls_close(git_stream *stream)
int mbedtls_stream_close(git_stream *stream)
{
mbedtls_stream *st = (mbedtls_stream *) stream;
int ret = 0;
@@ -256,7 +362,7 @@ int mbedtls_close(git_stream *stream)
return git_stream_close(st->io);
}

void mbedtls_free(git_stream *stream)
void mbedtls_stream_free(git_stream *stream)
{
mbedtls_stream *st = (mbedtls_stream *) stream;

@@ -302,10 +408,10 @@ int git_mbedtls_stream_new(git_stream **out, const char *host, const char *port)
st->parent.connect = mbedtls_connect;
st->parent.certificate = mbedtls_certificate;
st->parent.set_proxy = mbedtls_set_proxy;
st->parent.read = mbedtls_read;
st->parent.write = mbedtls_write;
st->parent.close = mbedtls_close;
st->parent.free = mbedtls_free;
st->parent.read = mbedtls_stream_read;
st->parent.write = mbedtls_stream_write;
st->parent.close = mbedtls_stream_close;
st->parent.free = mbedtls_stream_free;

*out = (git_stream *) st;
return 0;
@@ -314,14 +420,20 @@ int git_mbedtls_stream_new(git_stream **out, const char *host, const char *port)
#else

#include "stream.h"
#include "git2/sys/openssl.h"

int git_mbedtls_stream_global_init(void)
{
return 0;
}

int git_mbedtls_stream_new(git_stream **out, const char *host, const char *port)
{
GIT_UNUSED(out);
GIT_UNUSED(host);
GIT_UNUSED(port);

giterr_set(GITERR_SSL, "mbedtls is not supported in this version");
giterr_set(GITERR_SSL, "mbedTLS is not supported in this version");
return -1;
}
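Review bot: the `#include "git2/sys/openssl.h"` added to the `#else` (no-mbedTLS) branch is not used by anything in that block; the stub only references git_stream, GIT_UNUSED and giterr_set. It looks carried over from the OpenSSL stream's fallback and should be dropped so the mbedTLS stub does not depend on OpenSSL-specific headers.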

2 changes: 1 addition & 1 deletion tests/core/stream.c
@@ -38,7 +38,7 @@ void test_core_stream__register_tls(void)
* with Security framework).
*/
#if defined(GIT_WIN32) || \
(!defined(GIT_SECURE_TRANSPORT) && !defined(GIT_OPENSSL))
(!defined(GIT_SECURE_TRANSPORT) && !(defined(GIT_OPENSSL) || defined(GIT_MBEDTLS)))
cl_git_fail_with(-1, error);
#else
cl_git_pass(error);