8000 mbedTLS support by tiennou · Pull Request #4173 · libgit2/libgit2 · GitHub
[go: up one dir, main page]
Skip to content

mbedTLS support #4173

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 15 commits into from
Apr 22, 2018
Merged

mbedTLS support #4173

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
ca3b223
mbedtls: initial support
tiennou Mar 29, 2018
1a1875f
mbedtls: proper certificate verification
tiennou Mar 29, 2018
6c6be3c
mbedtls: use libmbedcrypto for hashing
tiennou Mar 29, 2018
60e1ad9
mbedtls: add global initialization
tiennou Mar 29, 2018
2419ccc
mbedtls: default cipher list support
tiennou Mar 29, 2018
ec79b0f
mbedtls: fix libgit2 hanging due to incomplete writes
tiennou Mar 29, 2018
262dfcf
mbedtls: enable Travis CI tests
tiennou Mar 29, 2018
4165bb7
mbedtls: use our own certificate validation
tiennou Mar 29, 2018
1edde0b
mbedtls: use mbedTLS certificate verification
tiennou Mar 29, 2018
382ed1e
mbedtls: load default CA certificates
tiennou Mar 29, 2018
b3e0280
mbedtls: display error codes as hex for consistency with mbedTLS docs
tiennou Mar 29, 2018 8000
e3d764a
tests: clarify comment
tiennou Mar 29, 2018
5455475
cmake: make our preferred backend ordering consistent
tiennou Mar 29, 2018
10aff3d
travis: just grab what we need from mbedtls
tiennou Mar 29, 2018
cb2da47
travis: pass -fPIC when configuring mbedtls
tiennou Mar 29, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8000
Next Next commit
mbedtls: initial support
  • Loading branch information
@tiennou
tiennou committed Apr 11, 2018
commit ca3b2234dc7f1bd0d0f81488d3e29980b47a85b4
93 changes: 93 additions & 0 deletions cmake/Modules/FindmbedTLS.cmake
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,93 @@
# - Try to find mbedTLS
# Once done this will define
#
# Read-Only variables
# MBEDTLS_FOUND - system has mbedTLS
# MBEDTLS_INCLUDE_DIR - the mbedTLS include directory
# MBEDTLS_LIBRARY_DIR - the mbedTLS library directory
# MBEDTLS_LIBRARIES - Link these to use mbedTLS
# MBEDTLS_LIBRARY - path to mbedTLS library
# MBEDX509_LIBRARY - path to mbedTLS X.509 library
# MBEDCRYPTO_LIBRARY - path to mbedTLS Crypto library
#
# Hint
# MBEDTLS_ROOT_DIR can be pointed to a local mbedTLS installation.

SET(_MBEDTLS_ROOT_HINTS
${MBEDTLS_ROOT_DIR}
ENV MBEDTLS_ROOT_DIR
)

SET(_MBEDTLS_ROOT_HINTS_AND_PATHS
HINTS ${_MBEDTLS_ROOT_HINTS}
PATHS ${_MBEDTLS_ROOT_PATHS}
)

FIND_PATH(MBEDTLS_INCLUDE_DIR
NAMES mbedtls/version.h
${_MBEDTLS_ROOT_HINTS_AND_PATHS}
PATH_SUFFIXES include
)

IF(MBEDTLS_INCLUDE_DIR AND MBEDTLS_LIBRARIES)
# Already in cache, be silent
SET(MBEDTLS_FIND_QUIETLY TRUE)
ENDIF()

FIND_LIBRARY(MBEDTLS_LIBRARY
NAMES mbedtls libmbedtls
${_MBEDTLS_ROOT_HINTS_AND_PATHS}
PATH_SUFFIXES library
)
FIND_LIBRARY(MBEDX509_LIBRARY
NAMES mbedx509 libmbedx509
${_MBEDTLS_ROOT_HINTS_AND_PATHS}
PATH_SUFFIXES library
)
FIND_LIBRARY(MBEDCRYPTO_LIBRARY
NAMES mbedcrypto libmbedcrypto
${_MBEDTLS_ROOT_HINTS_AND_PATHS}
PATH_SUFFIXES library
)

IF(MBEDTLS_INCLUDE_DIR AND MBEDTLS_LIBRARY AND MBEDX509_LIBRARY AND MBEDCRYPTO_LIBRARY)
SET(MBEDTLS_FOUND TRUE)
ENDIF()

IF(MBEDTLS_FOUND)
# split mbedTLS into -L and -l linker options, so we can set them for pkg-config
GET_FILENAME_COMPONENT(MBEDTLS_LIBRARY_DIR ${MBEDTLS_LIBRARY} PATH)
GET_FILENAME_COMPONENT(MBEDTLS_LIBRARY_FILE ${MBEDTLS_LIBRARY} NAME_WE)
GET_FILENAME_COMPONENT(MBEDX509_LIBRARY_FILE ${MBEDX509_LIBRARY} NAME_WE)
GET_FILENAME_COMPONENT(MBEDCRYPTO_LIBRARY_FILE ${MBEDCRYPTO_LIBRARY} NAME_WE)
STRING(REGEX REPLACE "^lib" "" MBEDTLS_LIBRARY_FILE ${MBEDTLS_LIBRARY_FILE})
STRING(REGEX REPLACE "^lib" "" MBEDX509_LIBRARY_FILE ${MBEDX509_LIBRARY_FILE})
STRING(REGEX REPLACE "^lib" "" MBEDCRYPTO_LIBRARY_FILE ${MBEDCRYPTO_LIBRARY_FILE})
SET(MBEDTLS_LIBRARIES "-L${MBEDTLS_LIBRARY_DIR} -l${MBEDTLS_LIBRARY_FILE} -l${MBEDX509_LIBRARY_FILE} -l${MBEDCRYPTO_LIBRARY_FILE}")

IF(NOT MBEDTLS_FIND_QUIETLY)
MESSAGE(STATUS "Found mbedTLS:")
FILE(READ ${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h MBEDTLSCONTENT)
STRING(REGEX MATCH "MBEDTLS_VERSION_STRING +\"[0-9|.]+\"" MBEDTLSMATCH ${MBEDTLSCONTENT})
IF (MBEDTLSMATCH)
STRING(REGEX REPLACE "MBEDTLS_VERSION_STRING +\"([0-9|.]+)\"" "\\1" MBEDTLS_VERSION ${MBEDTLSMATCH})
MESSAGE(STATUS " version ${MBEDTLS_VERSION}")
ENDIF(MBEDTLSMATCH)
MESSAGE(STATUS " TLS: ${MBEDTLS_LIBRARY}")
MESSAGE(STATUS " X509: ${MBEDX509_LIBRARY}")
MESSAGE(STATUS " Crypto: ${MBEDCRYPTO_LIBRARY}")
ENDIF(NOT MBEDTLS_FIND_QUIETLY)
ELSE(MBEDTLS_FOUND)
IF(MBEDTLS_FIND_REQUIRED)
MESSAGE(FATAL_ERROR "Could not find mbedTLS")
ENDIF(MBEDTLS_FIND_REQUIRED)
ENDIF(MBEDTLS_FOUND)

MARK_AS_ADVANCED(
MBEDTLS_INCLUDE_DIR
MBEDTLS_LIBRARY_DIR
MBEDTLS_LIBRARIES
MBEDTLS_LIBRARY
MBEDX509_LIBRARY
MBEDCRYPTO_LIBRARY
)
13 changes: 13 additions & 0 deletions src/CMakeLists.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -133,6 +133,7 @@ ELSE ()
ENDIF()

IF (USE_HTTPS)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The comment for USE_HTTPS says that you can set it to the name of the backend that you want to use. I don't think that's true, but it would be nice if it was.

Copy link
Contributor Author

It does though. If you pass ON, this will use "autodetection" (a.k.a. use whatever backend we've found and is first in the following tests), Otherwise, this will be passed verbatim as HTTPS_BACKEND, which is handled just below (and will error if you passed nonsense).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, rereading, I see it now. Thanks!

FIND_PACKAGE(mbedTLS)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's still one thing I really don't like about this: even if I set USE_HTTPS=OpenSSL, it will try to find mbedTLS and vice versa, which is even printed out on command line. I think this is somewhat suprising for the user. The other way round, just making these calls QUIET, is not really a nice way either. If I set USE_HTTPS=OpenSSL, but never see a single line where it actually searches for the OpenSSL library, I'm confused as well. This is why I originally moved the FIND_PACKAGE logic into the OpenSSL branch itself.

Thinking a bit more about it, I feel like we just shouldn't bother too much about the auto detection. Instead of randomly picking whatever is there, we should declare platform-dependent defaults and just don't care whether those are installed or not. In case somebody has mbedTLS installed on Linux only, he will just have to choose that backend manually, as that is not the common case.

So, the end result should just first check the operating system and set HTTPS_BACKEND to the platform default iff USE_HTTPS=ON. Same for the SHA1 backend. After those two very simple blocks which do not do any checking whether those libraries exist, we can use unified logic to do the actual linking based on what backends for HTTPS and SHA1 are set.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(And obviously produce an error in case those libraries are not found)

IF (CMAKE_SYSTEM_NAME MATCHES "Darwin")
FIND_PACKAGE(Security)
FIND_PACKAGE(CoreFoundation)
Expand All @@ -149,6 +150,8 @@ IF (USE_HTTPS)
ENDIF()
ELSEIF (WINHTTP)
SET(HTTPS_BACKEND "WinHTTP")
ELSEIF(MBEDTLS_FOUND)
SET(HTTPS_BACKEND "mbedTLS")
ELSE()
SET(HTTPS_BACKEND "OpenSSL")
ENDIF()
Expand Down Expand Up @@ -185,6 +188,16 @@ IF (USE_HTTPS)
LIST(APPEND LIBGIT2_LIBS ${OPENSSL_LIBRARIES})
LIST(APPEND LIBGIT2_PC_LIBS ${OPENSSL_LDFLAGS})
LIST(APPEND LIBGIT2_PC_REQUIRES "openssl")
ELSEIF(HTTPS_BACKEND STREQUAL "mbedTLS")
IF (NOT MBEDTLS_FOUND)
MESSAGE(FATAL_ERROR "Asked for mbedTLS backend, but it wasn't found")
ENDIF()

SET(GIT_MBEDTLS 1)
LIST(APPEND LIBGIT2_INCLUDES ${MBEDTLS_INCLUDE_DIR})
LIST(APPEND LIBGIT2_LIBS ${MBEDTLS_LIBRARIES})
LIST(APPEND LIBGIT2_PC_LIBS ${MBEDTLS_LDFLAGS})
LIST(APPEND LIBGIT2_PC_REQUIRES "mbedtls")
ELSEIF (HTTPS_BACKEND STREQUAL "WinHTTP")
# WinHTTP setup was handled in the WinHTTP-specific block above
ELSE()
Expand Down
1 change: 1 addition & 0 deletions src/features.h.in
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@
#cmakedefine GIT_HTTPS 1
#cmakedefine GIT_OPENSSL 1
#cmakedefine GIT_SECURE_TRANSPORT 1
#cmakedefine GIT_MBEDTLS 1

#cmakedefine GIT_SHA1_COLLISIONDETECT 1
#cmakedefine GIT_SHA1_WIN32 1
Expand Down
11 changes: 11 additions & 0 deletions src/settings.c
A3E2
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,10 @@
# include <openssl/err.h>
#endif

#ifdef GIT_MBEDTLS
# include <mbedtls/error.h>
#endif

#include <git2.h>
#include "sysdir.h"
#include "cache.h"
Expand All @@ -20,6 +24,7 @@
#include "refs.h"
#include "transports/smart.h"
#include "streams/openssl.h"
#include "streams/mbedtls.h"

void git_libgit2_version(int *major, int *minor, int *rev)
{
Expand Down Expand Up @@ -175,6 +180,12 @@ int git_libgit2_opts(int key, ...)
const char *path = va_arg(ap, const char *);
error = git_openssl__set_cert_location(file, path);
}
#elif defined(GIT_MBEDTLS)
{
const char *file = va_arg(ap, const char *);
const char *path = va_arg(ap, const char *);
error = git_mbedtls__set_cert_location(file, path);
}
#else
giterr_set(GITERR_SSL, "TLS backend doesn't support certificate locations");
error = -1;
Expand Down
Loading
0