libgit2 · joshtriplett · Oct 9, 2015 · Oct 9, 2015 · Oct 9, 2015 · Oct 9, 2015
diff --git a/.travis.yml b/.travis.yml
@@ -45,6 +45,16 @@ matrix:
        - VALGRIND=1
          OPTIONS="-DBUILD_CLAR=ON -DBUILD_EXAMPLES=OFF -DDEBUG_POOL=ON -DCMAKE_BUILD_TYPE=Debug"
      os: linux
+   - compiler: gcc
+     env:
+       - MBEDTLS=1
+         OPTIONS="-DTHREADSAFE=ON -DCMAKE_BUILD_TYPE=Release -DUSE_OPENSSL=OFF -DUSE_MBEDTLS=ON"
+     os: linux
+   - compiler: gcc
+     env:
+       - MBEDTLS=1
+         OPTIONS="-DTHREADSAFE=OFF -DBUILD_EXAMPLES=ON -DUSE_OPENSSL=OFF -DUSE_MBEDTLS=ON"
+     os: linux
  allow_failures:
    - env: COVERITY=1
    - env:

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -89,8 +89,12 @@ ENDIF()
 
 IF (NOT ${CMAKE_SYSTEM_NAME} MATCHES "Darwin")
 	OPTION( USE_OPENSSL                     "Link with and use openssl library"             ON )
+	IF (NOT USE_OPENSSL)
+		OPTION(USE_MBEDTLS "Link with and use mbedTLS library" ON)
+	ENDIF()
 ENDIF()
 
+
 CHECK_STRUCT_HAS_MEMBER ("struct stat" st_mtim "sys/types.h;sys/stat.h"
 	HAVE_STRUCT_STAT_ST_MTIM LANGUAGE C)
 CHECK_STRUCT_HAS_MEMBER ("struct stat" st_mtimespec "sys/types.h;sys/stat.h"
@@ -283,6 +287,10 @@ ELSE ()
 		FIND_PACKAGE(OpenSSL)
 	ENDIF ()
 
+	IF (NOT AMIGA AND USE_MBEDTLS)
+		FIND_PACKAGE(mbedTLS)
+	ENDIF ()
+
 	IF (CURL_FOUND)
 		ADD_DEFINITIONS(-DGIT_CURL)
 		INCLUDE_DIRECTORIES(${CURL_INCLUDE_DIRS})
@@ -316,6 +324,9 @@ ELSEIF (OPENSSL_FOUND AND NOT SHA1_TYPE STREQUAL "builtin")
 	ELSE()
 		SET(LIBGIT2_PC_REQUIRES "${LIBGIT2_PC_REQUIRES} openssl")
 	ENDIF ()
+ELSEIF (MBEDTLS_FOUND AND NOT SHA1_TYPE STREQUAL "builtin")
+	ADD_DEFINITIONS(-DMBEDTLS_SHA1)
+	FILE(GLOB SRC_SHA1 src/hash/hash_mbedtls.c)
 ELSE()
 	FILE(GLOB SRC_SHA1 src/hash/hash_generic.c)
 ENDIF()
@@ -543,6 +554,11 @@ IF (OPENSSL_FOUND)
   SET(SSL_LIBRARIES ${OPENSSL_LIBRARIES})
 ENDIF()
 
+IF (MBEDTLS_FOUND)
+  ADD_DEFINITIONS(-DGIT_MBEDTLS)
+  INCLUDE_DIRECTORIES(${MBEDTLS_INCLUDE_DIR})
+  SET(SSL_LIBRARIES ${MBEDTLS_LIBRARIES})
+ENDIF()
 
 
 IF (THREADSAFE)
@@ -690,7 +706,7 @@ IF (BUILD_CLAR)
 	ENDIF ()
 
 	ENABLE_TESTING()
-	IF (WINHTTP OR OPENSSL_FOUND OR SECURITY_FOUND)
+	IF (WINHTTP OR OPENSSL_FOUND OR SECURITY_FOUND OR MBEDTLS_FOUND)
 		ADD_TEST(libgit2_clar libgit2_clar -ionline)
 	ELSE ()
 		ADD_TEST(libgit2_clar libgit2_clar -v)

diff --git a/cmake/Modules/FindmbedTLS.cmake b/cmake/Modules/FindmbedTLS.cmake
@@ -0,0 +1,64 @@
+# - Try to find mbedTLS
+# Once done this will define
+#
+# Read-Only variables
+#  MBEDTLS_FOUND - system has mbedTLS
+#  MBEDTLS_INCLUDE_DIR - the mbedTLS include directory
+#  MBEDTLS_LIBRARY_DIR - the mbedTLS library directory
+#  MBEDTLS_LIBRARIES - Link these to use mbedTLS
+#  MBEDTLS_LIBRARY - path to mbedTLS library
+#  MBEDX509_LIBRARY - path to mbedTLS X.509 library
+#  MBEDCRYPTO_LIBRARY - path to mbedTLS Crypto library
+
+FIND_PATH(MBEDTLS_INCLUDE_DIR mbedtls/version.h)
+
+IF(MBEDTLS_INCLUDE_DIR AND MBEDTLS_LIBRARIES)
+    # Already in cache, be silent
+    SET(MBEDTLS_FIND_QUIETLY TRUE)
+ENDIF()
+
+FIND_LIBRARY(MBEDTLS_LIBRARY NAMES mbedtls libmbedtls libmbedx509)
+FIND_LIBRARY(MBEDX509_LIBRARY NAMES mbedx509 libmbedx509)
+FIND_LIBRARY(MBEDCRYPTO_LIBRARY NAMES mbedcrypto libmbedcrypto)
+
+IF(MBEDTLS_INCLUDE_DIR AND MBEDTLS_LIBRARY AND MBEDX509_LIBRARY AND MBEDCRYPTO_LIBRARY)
+     SET(MBEDTLS_FOUND TRUE)
+ENDIF()
+
+IF(MBEDTLS_FOUND)
+    # split mbedTLS into -L and -l linker options, so we can set them for pkg-config
+    GET_FILENAME_COMPONENT(MBEDTLS_LIBRARY_DIR ${MBEDTLS_LIBRARY} PATH)
+    GET_FILENAME_COMPONENT(MBEDTLS_LIBRARY_FILE ${MBEDTLS_LIBRARY} NAME_WE)
+    GET_FILENAME_COMPONENT(MBEDX509_LIBRARY_FILE ${MBEDX509_LIBRARY} NAME_WE)
+    GET_FILENAME_COMPONENT(MBEDCRYPTO_LIBRARY_FILE ${MBEDCRYPTO_LIBRARY} NAME_WE)
+    STRING(REGEX REPLACE "^lib" "" MBEDTLS_LIBRARY_FILE ${MBEDTLS_LIBRARY_FILE})
+    STRING(REGEX REPLACE "^lib" "" MBEDX509_LIBRARY_FILE ${MBEDX509_LIBRARY_FILE})
+    STRING(REGEX REPLACE "^lib" "" MBEDCRYPTO_LIBRARY_FILE ${MBEDCRYPTO_LIBRARY_FILE})
+    SET(MBEDTLS_LIBRARIES "-L${MBEDTLS_LIBRARY_DIR} -l${MBEDTLS_LIBRARY_FILE} -l${MBEDX509_LIBRARY_FILE} -l${MBEDCRYPTO_LIBRARY_FILE}")
+
+    IF(NOT MBEDTLS_FIND_QUIETLY)
+        MESSAGE(STATUS "Found mbedTLS:")
+        FILE(READ ${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h MBEDTLSCONTENT)
+        STRING(REGEX MATCH "MBEDTLS_VERSION_STRING +\"[0-9|.]+\"" MBEDTLSMATCH ${MBEDTLSCONTENT})
+        IF (MBEDTLSMATCH)
+            STRING(REGEX REPLACE "MBEDTLS_VERSION_STRING +\"([0-9|.]+)\"" "\\1" MBEDTLS_VERSION ${MBEDTLSMATCH})
+            MESSAGE(STATUS "  version ${MBEDTLS_VERSION}")
+        ENDIF(MBEDTLSMATCH)
+        MESSAGE(STATUS "  TLS: ${MBEDTLS_LIBRARY}")
+        MESSAGE(STATUS "  X509: ${MBEDX509_LIBRARY}")
+        MESSAGE(STATUS "  Crypto: ${MBEDCRYPTO_LIBRARY}")
+    ENDIF(NOT MBEDTLS_FIND_QUIETLY)
+ELSE(MBEDTLS_FOUND)
+    IF(MBEDTLS_FIND_REQUIRED)
+        MESSAGE(FATAL_ERROR "Could not find mbedTLS")
+    ENDIF(MBEDTLS_FIND_REQUIRED)
+ENDIF(MBEDTLS_FOUND)
+
+MARK_AS_ADVANCED(
+    MBEDTLS_INCLUDE_DIR
+    MBEDTLS_LIBRARY_DIR
+    MBEDTLS_LIBRARIES
+    MBEDTLS_LIBRARY
+    MBEDX509_LIBRARY
+    MBEDCRYPTO_LIBRARY
+)
diff --git a/script/cibuild.sh b/script/cibuild.sh
@@ -15,6 +15,14 @@ curl -L https://github.com/ethomson/poxyproxy/releases/download/v0.1.0/poxyproxy
 # Run this early so we know it's ready by the time we need it
 java -jar poxyproxy.jar -d --port 8080 --credentials foo:bar &
 
+if [ -n "$MBEDTLS" ];
+then
+    ./script/mbedtls.sh;
+    CMAKE_INCLUDE_PATH=../mbedtls/include
+    CMAKE_LIBRARY_PATH=../mbedtls/library
+    export CMAKE_INCLUDE_PATH CMAKE_LIBRARY_PATH
+fi
+
 mkdir _build
 cd _build
 # shellcheck disable=SC2086

diff --git a/script/mbedtls.sh b/script/mbedtls.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+git clone https://github.com/ARMmbed/mbedtls.git mbedtls
+cd mbedtls
+git checkout mbedtls-2.1.2
+make CFLAGS='-fPIC -fpic' -j2 lib
diff --git a/src/global.c b/src/global.c
@@ -10,7 +10,11 @@
 #include "sysdir.h"
 #include "filter.h"
 #include "merge_driver.h"
+#ifdef GIT_OPENSSL
 #include "openssl_stream.h"
+#elif GIT_MBEDTLS
+#include "mbedtls_stream.h"
+#endif
 #include "thread-utils.h"
 #include "git2/global.h"
 #include "transports/ssh.h"
@@ -61,8 +65,13 @@ static int init_common(void)
 		(ret = git_sysdir_global_init()) == 0 &&
 		(ret = git_filter_global_init()) == 0 &&
 		(ret = git_merge_driver_global_init()) == 0 &&
-		(ret = git_transport_ssh_global_init()) == 0 &&
-		(ret = git_openssl_stream_global_init()) == 0)
+		(ret = git_transport_ssh_global_init()) == 0
+#ifdef GIT_OPENSSL
+		&& (ret = git_openssl_stream_global_init()) == 0
+#elif GIT_MBEDTLS
+		&& (ret = git_mbedtls_stream_global_init()) == 0
+#endif
+		)
 		ret = git_mwindow_global_init();
 
 	GIT_MEMORY_BARRIER;

diff --git a/src/global.h b/src/global.h
@@ -23,6 +23,12 @@ typedef struct {
 extern SSL_CTX *git__ssl_ctx;
 #endif
 
+#ifdef GIT_MBEDTLS
+# include "mbedtls/platform.h"
+# include "mbedtls/ssl.h"
+extern mbedtls_ssl_config *git__ssl_conf;
+#endif
+
 git_global_st *git__global_state(void);
 
 extern git_mutex git__mwindow_mutex;

diff --git a/src/hash.h b/src/hash.h
@@ -20,6 +20,8 @@ void git_hash_ctx_cleanup(git_hash_ctx *ctx);
 # include "hash/hash_common_crypto.h"
 #elif defined(OPENSSL_SHA1)
 # include "hash/hash_openssl.h"
+#elif defined(MBEDTLS_SHA1)
+# include "hash/hash_mbedtls.h"
 #elif defined(WIN32_SHA1)
 # include "hash/hash_win32.h"
 #else

diff --git a/src/hash/hash_mbedtls.c b/src/hash/hash_mbedtls.c
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) the libgit2 contributors. All rights reserved.
+ *
+ * This file is part of libgit2, distributed under the GNU GPL v2 with
+ * a Linking Exception. For full terms see the included COPYING file.
+ */
+
+#include "common.h"
+#include "hash.h"
+#include "hash/hash_mbedtls.h"
+
+void git_hash_ctx_cleanup(git_hash_ctx *ctx)
+{
+    assert(ctx);
+    mbedtls_sha1_free(&ctx->c);
+}
+
+int git_hash_init(git_hash_ctx *ctx)
+{
+    assert(ctx);
+    mbedtls_sha1_init(&ctx->c);
+    mbedtls_sha1_starts(&ctx->c);
+    return 0;
+}
+
+int git_hash_update(git_hash_ctx *ctx, const void *data, size_t len)
+{
+    assert(ctx);
+    mbedtls_sha1_update(&ctx->c, data, len);
+    return 0;
+}
+
+int git_hash_final(git_oid *out, git_hash_ctx *ctx)
+{
+    assert(ctx);
+    mbedtls_sha1_finish(&ctx->c, out->id);
+    return 0;
+}
diff --git a/src/hash/hash_mbedtls.h b/src/hash/hash_mbedtls.h
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) the libgit2 contributors. All rights reserved.
+ *
+ * This file is part of libgit2, distributed under the GNU GPL v2 with
+ * a Linking Exception. For full terms see the included COPYING file.
+ */
+
+#ifndef INCLUDE_hash_mbedtld_h__
+#define INCLUDE_hash_mbedtld_h__
+
+#include <mbedtls/sha1.h>
+
+struct git_hash_ctx {
+    mbedtls_sha1_context c;
+};
+
+#define git_hash_global_init() 0
+#define git_hash_ctx_init(ctx) git_hash_init(ctx)
+
+#endif /* INCLUDE_hash_mbedtld_h__ */