line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
/* |
2
|
|
|
|
|
|
|
* Copyright (C) the libgit2 contributors. All rights reserved. |
3
|
|
|
|
|
|
|
* |
4
|
|
|
|
|
|
|
* This file is part of libgit2, distributed under the GNU GPL v2 with |
5
|
|
|
|
|
|
|
* a Linking Exception. For full terms see the included COPYING file. |
6
|
|
|
|
|
|
|
*/ |
7
|
|
|
|
|
|
|
|
8
|
|
|
|
|
|
|
#include "streams/mbedtls.h" |
9
|
|
|
|
|
|
|
|
10
|
|
|
|
|
|
|
#ifdef GIT_MBEDTLS |
11
|
|
|
|
|
|
|
|
12
|
|
|
|
|
|
|
#include |
13
|
|
|
|
|
|
|
|
14
|
|
|
|
|
|
|
#include "runtime.h" |
15
|
|
|
|
|
|
|
#include "stream.h" |
16
|
|
|
|
|
|
|
#include "streams/socket.h" |
17
|
|
|
|
|
|
|
#include "netops.h" |
18
|
|
|
|
|
|
|
#include "git2/transport.h" |
19
|
|
|
|
|
|
|
#include "util.h" |
20
|
|
|
|
|
|
|
|
21
|
|
|
|
|
|
|
#ifndef GIT_DEFAULT_CERT_LOCATION |
22
|
|
|
|
|
|
|
#define GIT_DEFAULT_CERT_LOCATION NULL |
23
|
|
|
|
|
|
|
#endif |
24
|
|
|
|
|
|
|
|
25
|
|
|
|
|
|
|
/* Work around C90-conformance issues */ |
26
|
|
|
|
|
|
|
#if !defined(__STDC_VERSION__) || (__STDC_VERSION__ < 199901L) |
27
|
|
|
|
|
|
|
# if defined(_MSC_VER) |
28
|
|
|
|
|
|
|
# define inline __inline |
29
|
|
|
|
|
|
|
# elif defined(__GNUC__) |
30
|
|
|
|
|
|
|
# define inline __inline__ |
31
|
|
|
|
|
|
|
# else |
32
|
|
|
|
|
|
|
# define inline |
33
|
|
|
|
|
|
|
# endif |
34
|
|
|
|
|
|
|
#endif |
35
|
|
|
|
|
|
|
|
36
|
|
|
|
|
|
|
#include |
37
|
|
|
|
|
|
|
#include |
38
|
|
|
|
|
|
|
#include |
39
|
|
|
|
|
|
|
#include |
40
|
|
|
|
|
|
|
#include |
41
|
|
|
|
|
|
|
|
42
|
|
|
|
|
|
|
#undef inline |
43
|
|
|
|
|
|
|
|
44
|
|
|
|
|
|
|
#define GIT_SSL_DEFAULT_CIPHERS "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-DSS-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-DSS-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-128-CBC-SHA256:TLS-DHE-DSS-WITH-AES-256-CBC-SHA256:TLS-DHE-DSS-WITH-AES-128-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-128-GCM-SHA256:TLS-RSA-WITH-AES-256-GCM-SHA384:TLS-RSA-WITH-AES-128-CBC-SHA256:TLS-RSA-WITH-AES-256-CBC-SHA256:TLS-RSA-WITH-AES-128-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA" |
45
|
|
|
|
|
|
|
#define GIT_SSL_DEFAULT_CIPHERS_COUNT 30 |
46
|
|
|
|
|
|
|
|
47
|
|
|
|
|
|
|
static mbedtls_ssl_config *git__ssl_conf; |
48
|
|
|
|
|
|
|
static int ciphers_list[GIT_SSL_DEFAULT_CIPHERS_COUNT]; |
49
|
|
|
|
|
|
|
static mbedtls_entropy_context *mbedtls_entropy; |
50
|
|
|
|
|
|
|
|
51
|
|
|
|
|
|
|
/** |
52
|
|
|
|
|
|
|
* This function aims to clean-up the SSL context which |
53
|
|
|
|
|
|
|
* we allocated. |
54
|
|
|
|
|
|
|
*/ |
55
|
|
|
|
|
|
|
static void shutdown_ssl(void) |
56
|
|
|
|
|
|
|
{ |
57
|
|
|
|
|
|
|
if (git__ssl_conf) { |
58
|
|
|
|
|
|
|
mbedtls_x509_crt_free(git__ssl_conf->ca_chain); |
59
|
|
|
|
|
|
|
git__free(git__ssl_conf->ca_chain); |
60
|
|
|
|
|
|
|
mbedtls_ctr_drbg_free(git__ssl_conf->p_rng); |
61
|
|
|
|
|
|
|
git__free(git__ssl_conf->p_rng); |
62
|
|
|
|
|
|
|
mbedtls_ssl_config_free(git__ssl_conf); |
63
|
|
|
|
|
|
|
git__free(git__ssl_conf); |
64
|
|
|
|
|
|
|
git__ssl_conf = NULL; |
65
|
|
|
|
|
|
|
} |
66
|
|
|
|
|
|
|
if (mbedtls_entropy) { |
67
|
|
|
|
|
|
|
mbedtls_entropy_free(mbedtls_entropy); |
68
|
|
|
|
|
|
|
git__free(mbedtls_entropy); |
69
|
|
|
|
|
|
|
mbedtls_entropy = NULL; |
70
|
|
|
|
|
|
|
} |
71
|
|
|
|
|
|
|
} |
72
|
|
|
|
|
|
|
|
73
|
|
|
|
|
|
|
int git_mbedtls_stream_global_init(void) |
74
|
|
|
|
|
|
|
{ |
75
|
|
|
|
|
|
|
int loaded = 0; |
76
|
|
|
|
|
|
|
char *crtpath = GIT_DEFAULT_CERT_LOCATION; |
77
|
|
|
|
|
|
|
struct stat statbuf; |
78
|
|
|
|
|
|
|
mbedtls_ctr_drbg_context *ctr_drbg = NULL; |
79
|
|
|
|
|
|
|
|
80
|
|
|
|
|
|
|
size_t ciphers_known = 0; |
81
|
|
|
|
|
|
|
char *cipher_name = NULL; |
82
|
|
|
|
|
|
|
char *cipher_string = NULL; |
83
|
|
|
|
|
|
|
char *cipher_string_tmp = NULL; |
84
|
|
|
|
|
|
|
|
85
|
|
|
|
|
|
|
git__ssl_conf = git__malloc(sizeof(mbedtls_ssl_config)); |
86
|
|
|
|
|
|
|
GIT_ERROR_CHECK_ALLOC(git__ssl_conf); |
87
|
|
|
|
|
|
|
|
88
|
|
|
|
|
|
|
mbedtls_ssl_config_init(git__ssl_conf); |
89
|
|
|
|
|
|
|
if (mbedtls_ssl_config_defaults(git__ssl_conf, |
90
|
|
|
|
|
|
|
MBEDTLS_SSL_IS_CLIENT, |
91
|
|
|
|
|
|
|
MBEDTLS_SSL_TRANSPORT_STREAM, |
92
|
|
|
|
|
|
|
MBEDTLS_SSL_PRESET_DEFAULT) != 0) { |
93
|
|
|
|
|
|
|
git_error_set(GIT_ERROR_SSL, "failed to initialize mbedTLS"); |
94
|
|
|
|
|
|
|
goto cleanup; |
95
|
|
|
|
|
|
|
} |
96
|
|
|
|
|
|
|
|
97
|
|
|
|
|
|
|
/* configure TLSv1 */ |
98
|
|
|
|
|
|
|
mbedtls_ssl_conf_min_version(git__ssl_conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0); |
99
|
|
|
|
|
|
|
|
100
|
|
|
|
|
|
|
/* verify_server_cert is responsible for making the check. |
101
|
|
|
|
|
|
|
* OPTIONAL because REQUIRED drops the certificate as soon as the check |
102
|
|
|
|
|
|
|
* is made, so we can never see the certificate and override it. */ |
103
|
|
|
|
|
|
|
mbedtls_ssl_conf_authmode(git__ssl_conf, MBEDTLS_SSL_VERIFY_OPTIONAL); |
104
|
|
|
|
|
|
|
|
105
|
|
|
|
|
|
|
/* set the list of allowed ciphersuites */ |
106
|
|
|
|
|
|
|
ciphers_known = 0; |
107
|
|
|
|
|
|
|
cipher_string = cipher_string_tmp = git__strdup(GIT_SSL_DEFAULT_CIPHERS); |
108
|
|
|
|
|
|
|
GIT_ERROR_CHECK_ALLOC(cipher_string); |
109
|
|
|
|
|
|
|
|
110
|
|
|
|
|
|
|
while ((cipher_name = git__strtok(&cipher_string_tmp, ":")) != NULL) { |
111
|
|
|
|
|
|
|
int cipherid = mbedtls_ssl_get_ciphersuite_id(cipher_name); |
112
|
|
|
|
|
|
|
if (cipherid == 0) continue; |
113
|
|
|
|
|
|
|
|
114
|
|
|
|
|
|
|
if (ciphers_known >= ARRAY_SIZE(ciphers_list)) { |
115
|
|
|
|
|
|
|
git_error_set(GIT_ERROR_SSL, "out of cipher list space"); |
116
|
|
|
|
|
|
|
goto cleanup; |
117
|
|
|
|
|
|
|
} |
118
|
|
|
|
|
|
|
|
119
|
|
|
|
|
|
|
ciphers_list[ciphers_known++] = cipherid; |
120
|
|
|
|
|
|
|
} |
121
|
|
|
|
|
|
|
git__free(cipher_string); |
122
|
|
|
|
|
|
|
|
123
|
|
|
|
|
|
|
if (!ciphers_known) { |
124
|
|
|
|
|
|
|
git_error_set(GIT_ERROR_SSL, "no cipher could be enabled"); |
125
|
|
|
|
|
|
|
goto cleanup; |
126
|
|
|
|
|
|
|
} |
127
|
|
|
|
|
|
|
mbedtls_ssl_conf_ciphersuites(git__ssl_conf, ciphers_list); |
128
|
|
|
|
|
|
|
|
129
|
|
|
|
|
|
|
/* Seeding the random number generator */ |
130
|
|
|
|
|
|
|
mbedtls_entropy = git__malloc(sizeof(mbedtls_entropy_context)); |
131
|
|
|
|
|
|
|
GIT_ERROR_CHECK_ALLOC(mbedtls_entropy); |
132
|
|
|
|
|
|
|
|
133
|
|
|
|
|
|
|
mbedtls_entropy_init(mbedtls_entropy); |
134
|
|
|
|
|
|
|
|
135
|
|
|
|
|
|
|
ctr_drbg = git__malloc(sizeof(mbedtls_ctr_drbg_context)); |
136
|
|
|
|
|
|
|
GIT_ERROR_CHECK_ALLOC(ctr_drbg); |
137
|
|
|
|
|
|
|
|
138
|
|
|
|
|
|
|
mbedtls_ctr_drbg_init(ctr_drbg); |
139
|
|
|
|
|
|
|
|
140
|
|
|
|
|
|
|
if (mbedtls_ctr_drbg_seed(ctr_drbg, |
141
|
|
|
|
|
|
|
mbedtls_entropy_func, |
142
|
|
|
|
|
|
|
mbedtls_entropy, NULL, 0) != 0) { |
143
|
|
|
|
|
|
|
git_error_set(GIT_ERROR_SSL, "failed to initialize mbedTLS entropy pool"); |
144
|
|
|
|
|
|
|
goto cleanup; |
145
|
|
|
|
|
|
|
} |
146
|
|
|
|
|
|
|
|
147
|
|
|
|
|
|
|
mbedtls_ssl_conf_rng(git__ssl_conf, mbedtls_ctr_drbg_random, ctr_drbg); |
148
|
|
|
|
|
|
|
|
149
|
|
|
|
|
|
|
/* load default certificates */ |
150
|
|
|
|
|
|
|
if (crtpath != NULL && stat(crtpath, &statbuf) == 0 && S_ISREG(statbuf.st_mode)) |
151
|
|
|
|
|
|
|
loaded = (git_mbedtls__set_cert_location(crtpath, NULL) == 0); |
152
|
|
|
|
|
|
|
if (!loaded && crtpath != NULL && stat(crtpath, &statbuf) == 0 && S_ISDIR(statbuf.st_mode)) |
153
|
|
|
|
|
|
|
loaded = (git_mbedtls__set_cert_location(NULL, crtpath) == 0); |
154
|
|
|
|
|
|
|
|
155
|
|
|
|
|
|
|
return git_runtime_shutdown_register(shutdown_ssl); |
156
|
|
|
|
|
|
|
|
157
|
|
|
|
|
|
|
cleanup: |
158
|
|
|
|
|
|
|
mbedtls_ctr_drbg_free(ctr_drbg); |
159
|
|
|
|
|
|
|
git__free(ctr_drbg); |
160
|
|
|
|
|
|
|
mbedtls_ssl_config_free(git__ssl_conf); |
161
|
|
|
|
|
|
|
git__free(git__ssl_conf); |
162
|
|
|
|
|
|
|
git__ssl_conf = NULL; |
163
|
|
|
|
|
|
|
|
164
|
|
|
|
|
|
|
return -1; |
165
|
|
|
|
|
|
|
} |
166
|
|
|
|
|
|
|
|
167
|
|
|
|
|
|
|
static int bio_read(void *b, unsigned char *buf, size_t len) |
168
|
|
|
|
|
|
|
{ |
169
|
|
|
|
|
|
|
git_stream *io = (git_stream *) b; |
170
|
|
|
|
|
|
|
return (int) git_stream_read(io, buf, min(len, INT_MAX)); |
171
|
|
|
|
|
|
|
} |
172
|
|
|
|
|
|
|
|
173
|
|
|
|
|
|
|
static int bio_write(void *b, const unsigned char *buf, size_t len) |
174
|
|
|
|
|
|
|
{ |
175
|
|
|
|
|
|
|
git_stream *io = (git_stream *) b; |
176
|
|
|
|
|
|
|
return (int) git_stream_write(io, (const char *)buf, min(len, INT_MAX), 0); |
177
|
|
|
|
|
|
|
} |
178
|
|
|
|
|
|
|
|
179
|
|
|
|
|
|
|
static int ssl_set_error(mbedtls_ssl_context *ssl, int error) |
180
|
|
|
|
|
|
|
{ |
181
|
|
|
|
|
|
|
char errbuf[512]; |
182
|
|
|
|
|
|
|
int ret = -1; |
183
|
|
|
|
|
|
|
|
184
|
|
|
|
|
|
|
GIT_ASSERT(error != MBEDTLS_ERR_SSL_WANT_READ); |
185
|
|
|
|
|
|
|
GIT_ASSERT(error != MBEDTLS_ERR_SSL_WANT_WRITE); |
186
|
|
|
|
|
|
|
|
187
|
|
|
|
|
|
|
if (error != 0) |
188
|
|
|
|
|
|
|
mbedtls_strerror( error, errbuf, 512 ); |
189
|
|
|
|
|
|
|
|
190
|
|
|
|
|
|
|
switch(error) { |
191
|
|
|
|
|
|
|
case 0: |
192
|
|
|
|
|
|
|
git_error_set(GIT_ERROR_SSL, "SSL error: unknown error"); |
193
|
|
|
|
|
|
|
break; |
194
|
|
|
|
|
|
|
|
195
|
|
|
|
|
|
|
case MBEDTLS_ERR_X509_CERT_VERIFY_FAILED: |
196
|
|
|
|
|
|
|
git_error_set(GIT_ERROR_SSL, "SSL error: %#04x [%x] - %s", error, ssl->session_negotiate->verify_result, errbuf); |
197
|
|
|
|
|
|
|
ret = GIT_ECERTIFICATE; |
198
|
|
|
|
|
|
|
break; |
199
|
|
|
|
|
|
|
|
200
|
|
|
|
|
|
|
default: |
201
|
|
|
|
|
|
|
git_error_set(GIT_ERROR_SSL, "SSL error: %#04x - %s", error, errbuf); |
202
|
|
|
|
|
|
|
} |
203
|
|
|
|
|
|
|
|
204
|
|
|
|
|
|
|
return ret; |
205
|
|
|
|
|
|
|
} |
206
|
|
|
|
|
|
|
|
207
|
|
|
|
|
|
|
static int ssl_teardown(mbedtls_ssl_context *ssl) |
208
|
|
|
|
|
|
|
{ |
209
|
|
|
|
|
|
|
int ret = 0; |
210
|
|
|
|
|
|
|
|
211
|
|
|
|
|
|
|
ret = mbedtls_ssl_close_notify(ssl); |
212
|
|
|
|
|
|
|
if (ret < 0) |
213
|
|
|
|
|
|
|
ret = ssl_set_error(ssl, ret); |
214
|
|
|
|
|
|
|
|
215
|
|
|
|
|
|
|
mbedtls_ssl_free(ssl); |
216
|
|
|
|
|
|
|
return ret; |
217
|
|
|
|
|
|
|
} |
218
|
|
|
|
|
|
|
|
219
|
|
|
|
|
|
|
static int verify_server_cert(mbedtls_ssl_context *ssl) |
220
|
|
|
|
|
|
|
{ |
221
|
|
|
|
|
|
|
int ret = -1; |
222
|
|
|
|
|
|
|
|
223
|
|
|
|
|
|
|
if ((ret = mbedtls_ssl_get_verify_result(ssl)) != 0) { |
224
|
|
|
|
|
|
|
char vrfy_buf[512]; |
225
|
|
|
|
|
|
|
int len = mbedtls_x509_crt_verify_info(vrfy_buf, sizeof(vrfy_buf), "", ret); |
226
|
|
|
|
|
|
|
if (len >= 1) vrfy_buf[len - 1] = '\0'; /* Remove trailing \n */ |
227
|
|
|
|
|
|
|
git_error_set(GIT_ERROR_SSL, "the SSL certificate is invalid: %#04x - %s", ret, vrfy_buf); |
228
|
|
|
|
|
|
|
return GIT_ECERTIFICATE; |
229
|
|
|
|
|
|
|
} |
230
|
|
|
|
|
|
|
|
231
|
|
|
|
|
|
|
return 0; |
232
|
|
|
|
|
|
|
} |
233
|
|
|
|
|
|
|
|
234
|
|
|
|
|
|
|
typedef struct { |
235
|
|
|
|
|
|
|
git_stream parent; |
236
|
|
|
|
|
|
|
git_stream *io; |
237
|
|
|
|
|
|
|
int owned; |
238
|
|
|
|
|
|
|
bool connected; |
239
|
|
|
|
|
|
|
char *host; |
240
|
|
|
|
|
|
|
mbedtls_ssl_context *ssl; |
241
|
|
|
|
|
|
|
git_cert_x509 cert_info; |
242
|
|
|
|
|
|
|
} mbedtls_stream; |
243
|
|
|
|
|
|
|
|
244
|
|
|
|
|
|
|
|
245
|
|
|
|
|
|
|
static int mbedtls_connect(git_stream *stream) |
246
|
|
|
|
|
|
|
{ |
247
|
|
|
|
|
|
|
int ret; |
248
|
|
|
|
|
|
|
mbedtls_stream *st = (mbedtls_stream *) stream; |
249
|
|
|
|
|
|
|
|
250
|
|
|
|
|
|
|
if (st->owned && (ret = git_stream_connect(st->io)) < 0) |
251
|
|
|
|
|
|
|
return ret; |
252
|
|
|
|
|
|
|
|
253
|
|
|
|
|
|
|
st->connected = true; |
254
|
|
|
|
|
|
|
|
255
|
|
|
|
|
|
|
mbedtls_ssl_set_hostname(st->ssl, st->host); |
256
|
|
|
|
|
|
|
|
257
|
|
|
|
|
|
|
mbedtls_ssl_set_bio(st->ssl, st->io, bio_write, bio_read, NULL); |
258
|
|
|
|
|
|
|
|
259
|
|
|
|
|
|
|
if ((ret = mbedtls_ssl_handshake(st->ssl)) != 0) |
260
|
|
|
|
|
|
|
return ssl_set_error(st->ssl, ret); |
261
|
|
|
|
|
|
|
|
262
|
|
|
|
|
|
|
return verify_server_cert(st->ssl); |
263
|
|
|
|
|
|
|
} |
264
|
|
|
|
|
|
|
|
265
|
|
|
|
|
|
|
static int mbedtls_certificate(git_cert **out, git_stream *stream) |
266
|
|
|
|
|
|
|
{ |
267
|
|
|
|
|
|
|
unsigned char *encoded_cert; |
268
|
|
|
|
|
|
|
mbedtls_stream *st = (mbedtls_stream *) stream; |
269
|
|
|
|
|
|
|
|
270
|
|
|
|
|
|
|
const mbedtls_x509_crt *cert = mbedtls_ssl_get_peer_cert(st->ssl); |
271
|
|
|
|
|
|
|
if (!cert) { |
272
|
|
|
|
|
|
|
git_error_set(GIT_ERROR_SSL, "the server did not provide a certificate"); |
273
|
|
|
|
|
|
|
return -1; |
274
|
|
|
|
|
|
|
} |
275
|
|
|
|
|
|
|
|
276
|
|
|
|
|
|
|
/* Retrieve the length of the certificate first */ |
277
|
|
|
|
|
|
|
if (cert->raw.len == 0) { |
278
|
|
|
|
|
|
|
git_error_set(GIT_ERROR_NET, "failed to retrieve certificate information"); |
279
|
|
|
|
|
|
|
return -1; |
280
|
|
|
|
|
|
|
} |
281
|
|
|
|
|
|
|
|
282
|
|
|
|
|
|
|
encoded_cert = git__malloc(cert->raw.len); |
283
|
|
|
|
|
|
|
GIT_ERROR_CHECK_ALLOC(encoded_cert); |
284
|
|
|
|
|
|
|
memcpy(encoded_cert, cert->raw.p, cert->raw.len); |
285
|
|
|
|
|
|
|
|
286
|
|
|
|
|
|
|
st->cert_info.parent.cert_type = GIT_CERT_X509; |
287
|
|
|
|
|
|
|
st->cert_info.data = encoded_cert; |
288
|
|
|
|
|
|
|
st->cert_info.len = cert->raw.len; |
289
|
|
|
|
|
|
|
|
290
|
|
|
|
|
|
|
*out = &st->cert_info.parent; |
291
|
|
|
|
|
|
|
|
292
|
|
|
|
|
|
|
return 0; |
293
|
|
|
|
|
|
|
} |
294
|
|
|
|
|
|
|
|
295
|
|
|
|
|
|
|
static int mbedtls_set_proxy(git_stream *stream, const git_proxy_options *proxy_options) |
296
|
|
|
|
|
|
|
{ |
297
|
|
|
|
|
|
|
mbedtls_stream *st = (mbedtls_stream *) stream; |
298
|
|
|
|
|
|
|
|
299
|
|
|
|
|
|
|
return git_stream_set_proxy(st->io, proxy_options); |
300
|
|
|
|
|
|
|
} |
301
|
|
|
|
|
|
|
|
302
|
|
|
|
|
|
|
static ssize_t mbedtls_stream_write(git_stream *stream, const char *data, size_t len, int flags) |
303
|
|
|
|
|
|
|
{ |
304
|
|
|
|
|
|
|
mbedtls_stream *st = (mbedtls_stream *) stream; |
305
|
|
|
|
|
|
|
int written; |
306
|
|
|
|
|
|
|
|
307
|
|
|
|
|
|
|
GIT_UNUSED(flags); |
308
|
|
|
|
|
|
|
|
309
|
|
|
|
|
|
|
/* |
310
|
|
|
|
|
|
|
* `mbedtls_ssl_write` can only represent INT_MAX bytes |
311
|
|
|
|
|
|
|
* written via its return value. We thus need to clamp |
312
|
|
|
|
|
|
|
* the maximum number of bytes written. |
313
|
|
|
|
|
|
|
*/ |
314
|
|
|
|
|
|
|
len = min(len, INT_MAX); |
315
|
|
|
|
|
|
|
|
316
|
|
|
|
|
|
|
if ((written = mbedtls_ssl_write(st->ssl, (const unsigned char *)data, len)) <= 0) |
317
|
|
|
|
|
|
|
return ssl_set_error(st->ssl, written); |
318
|
|
|
|
|
|
|
|
319
|
|
|
|
|
|
|
return written; |
320
|
|
|
|
|
|
|
} |
321
|
|
|
|
|
|
|
|
322
|
|
|
|
|
|
|
static ssize_t mbedtls_stream_read(git_stream *stream, void *data, size_t len) |
323
|
|
|
|
|
|
|
{ |
324
|
|
|
|
|
|
|
mbedtls_stream *st = (mbedtls_stream *) stream; |
325
|
|
|
|
|
|
|
int ret; |
326
|
|
|
|
|
|
|
|
327
|
|
|
|
|
|
|
if ((ret = mbedtls_ssl_read(st->ssl, (unsigned char *)data, len)) <= 0) |
328
|
|
|
|
|
|
|
ssl_set_error(st->ssl, ret); |
329
|
|
|
|
|
|
|
|
330
|
|
|
|
|
|
|
return ret; |
331
|
|
|
|
|
|
|
} |
332
|
|
|
|
|
|
|
|
333
|
|
|
|
|
|
|
static int mbedtls_stream_close(git_stream *stream) |
334
|
|
|
|
|
|
|
{ |
335
|
|
|
|
|
|
|
mbedtls_stream *st = (mbedtls_stream *) stream; |
336
|
|
|
|
|
|
|
int ret = 0; |
337
|
|
|
|
|
|
|
|
338
|
|
|
|
|
|
|
if (st->connected && (ret = ssl_teardown(st->ssl)) != 0) |
339
|
|
|
|
|
|
|
return -1; |
340
|
|
|
|
|
|
|
|
341
|
|
|
|
|
|
|
st->connected = false; |
342
|
|
|
|
|
|
|
|
343
|
|
|
|
|
|
|
return st->owned ? git_stream_close(st->io) : 0; |
344
|
|
|
|
|
|
|
} |
345
|
|
|
|
|
|
|
|
346
|
|
|
|
|
|
|
static void mbedtls_stream_free(git_stream *stream) |
347
|
|
|
|
|
|
|
{ |
348
|
|
|
|
|
|
|
mbedtls_stream *st = (mbedtls_stream *) stream; |
349
|
|
|
|
|
|
|
|
350
|
|
|
|
|
|
|
if (st->owned) |
351
|
|
|
|
|
|
|
git_stream_free(st->io); |
352
|
|
|
|
|
|
|
|
353
|
|
|
|
|
|
|
git__free(st->host); |
354
|
|
|
|
|
|
|
git__free(st->cert_info.data); |
355
|
|
|
|
|
|
|
mbedtls_ssl_free(st->ssl); |
356
|
|
|
|
|
|
|
git__free(st->ssl); |
357
|
|
|
|
|
|
|
git__free(st); |
358
|
|
|
|
|
|
|
} |
359
|
|
|
|
|
|
|
|
360
|
|
|
|
|
|
|
static int mbedtls_stream_wrap( |
361
|
|
|
|
|
|
|
git_stream **out, |
362
|
|
|
|
|
|
|
git_stream *in, |
363
|
|
|
|
|
|
|
const char *host, |
364
|
|
|
|
|
|
|
int owned) |
365
|
|
|
|
|
|
|
{ |
366
|
|
|
|
|
|
|
mbedtls_stream *st; |
367
|
|
|
|
|
|
|
int error; |
368
|
|
|
|
|
|
|
|
369
|
|
|
|
|
|
|
st = git__calloc(1, sizeof(mbedtls_stream)); |
370
|
|
|
|
|
|
|
GIT_ERROR_CHECK_ALLOC(st); |
371
|
|
|
|
|
|
|
|
372
|
|
|
|
|
|
|
st->io = in; |
373
|
|
|
|
|
|
|
st->owned = owned; |
374
|
|
|
|
|
|
|
|
375
|
|
|
|
|
|
|
st->ssl = git__malloc(sizeof(mbedtls_ssl_context)); |
376
|
|
|
|
|
|
|
GIT_ERROR_CHECK_ALLOC(st->ssl); |
377
|
|
|
|
|
|
|
mbedtls_ssl_init(st->ssl); |
378
|
|
|
|
|
|
|
if (mbedtls_ssl_setup(st->ssl, git__ssl_conf)) { |
379
|
|
|
|
|
|
|
git_error_set(GIT_ERROR_SSL, "failed to create ssl object"); |
380
|
|
|
|
|
|
|
error = -1; |
381
|
|
|
|
|
|
|
goto out_err; |
382
|
|
|
|
|
|
|
} |
383
|
|
|
|
|
|
|
|
384
|
|
|
|
|
|
|
st->host = git__strdup(host); |
385
|
|
|
|
|
|
|
GIT_ERROR_CHECK_ALLOC(st->host); |
386
|
|
|
|
|
|
|
|
387
|
|
|
|
|
|
|
st->parent.version = GIT_STREAM_VERSION; |
388
|
|
|
|
|
|
|
st->parent.encrypted = 1; |
389
|
|
|
|
|
|
|
st->parent.proxy_support = git_stream_supports_proxy(st->io); |
390
|
|
|
|
|
|
|
st->parent.connect = mbedtls_connect; |
391
|
|
|
|
|
|
|
st->parent.certificate = mbedtls_certificate; |
392
|
|
|
|
|
|
|
st->parent.set_proxy = mbedtls_set_proxy; |
393
|
|
|
|
|
|
|
st->parent.read = mbedtls_stream_read; |
394
|
|
|
|
|
|
|
st->parent.write = mbedtls_stream_write; |
395
|
|
|
|
|
|
|
st->parent.close = mbedtls_stream_close; |
396
|
|
|
|
|
|
|
st->parent.free = mbedtls_stream_free; |
397
|
|
|
|
|
|
|
|
398
|
|
|
|
|
|
|
*out = (git_stream *) st; |
399
|
|
|
|
|
|
|
return 0; |
400
|
|
|
|
|
|
|
|
401
|
|
|
|
|
|
|
out_err: |
402
|
|
|
|
|
|
|
mbedtls_ssl_free(st->ssl); |
403
|
|
|
|
|
|
|
git_stream_close(st->io); |
404
|
|
|
|
|
|
|
git_stream_free(st->io); |
405
|
|
|
|
|
|
|
git__free(st); |
406
|
|
|
|
|
|
|
|
407
|
|
|
|
|
|
|
return error; |
408
|
|
|
|
|
|
|
} |
409
|
|
|
|
|
|
|
|
410
|
|
|
|
|
|
|
int git_mbedtls_stream_wrap( |
411
|
|
|
|
|
|
|
git_stream **out, |
412
|
|
|
|
|
|
|
git_stream *in, |
413
|
|
|
|
|
|
|
const char *host) |
414
|
|
|
|
|
|
|
{ |
415
|
|
|
|
|
|
|
return mbedtls_stream_wrap(out, in, host, 0); |
416
|
|
|
|
|
|
|
} |
417
|
|
|
|
|
|
|
|
418
|
|
|
|
|
|
|
int git_mbedtls_stream_new( |
419
|
|
|
|
|
|
|
git_stream **out, |
420
|
|
|
|
|
|
|
const char *host, |
421
|
|
|
|
|
|
|
const char *port) |
422
|
|
|
|
|
|
|
{ |
423
|
|
|
|
|
|
|
git_stream *stream; |
424
|
|
|
|
|
|
|
int error; |
425
|
|
|
|
|
|
|
|
426
|
|
|
|
|
|
|
GIT_ASSERT_ARG(out); |
427
|
|
|
|
|
|
|
GIT_ASSERT_ARG(host); |
428
|
|
|
|
|
|
|
GIT_ASSERT_ARG(port); |
429
|
|
|
|
|
|
|
|
430
|
|
|
|
|
|
|
if ((error = git_socket_stream_new(&stream, host, port)) < 0) |
431
|
|
|
|
|
|
|
return error; |
432
|
|
|
|
|
|
|
|
433
|
|
|
|
|
|
|
if ((error = mbedtls_stream_wrap(out, stream, host, 1)) < 0) { |
434
|
|
|
|
|
|
|
git_stream_close(stream); |
435
|
|
|
|
|
|
|
git_stream_free(stream); |
436
|
|
|
|
|
|
|
} |
437
|
|
|
|
|
|
|
|
438
|
|
|
|
|
|
|
return error; |
439
|
|
|
|
|
|
|
} |
440
|
|
|
|
|
|
|
|
441
|
|
|
|
|
|
|
int git_mbedtls__set_cert_location(const char *file, const char *path) |
442
|
|
|
|
|
|
|
{ |
443
|
|
|
|
|
|
|
int ret = 0; |
444
|
|
|
|
|
|
|
char errbuf[512]; |
445
|
|
|
|
|
|
|
mbedtls_x509_crt *cacert; |
446
|
|
|
|
|
|
|
|
447
|
|
|
|
|
|
|
GIT_ASSERT_ARG(file || path); |
448
|
|
|
|
|
|
|
|
449
|
|
|
|
|
|
|
cacert = git__malloc(sizeof(mbedtls_x509_crt)); |
450
|
|
|
|
|
|
|
GIT_ERROR_CHECK_ALLOC(cacert); |
451
|
|
|
|
|
|
|
|
452
|
|
|
|
|
|
|
mbedtls_x509_crt_init(cacert); |
453
|
|
|
|
|
|
|
if (file) |
454
|
|
|
|
|
|
|
ret = mbedtls_x509_crt_parse_file(cacert, file); |
455
|
|
|
|
|
|
|
if (ret >= 0 && path) |
456
|
|
|
|
|
|
|
ret = mbedtls_x509_crt_parse_path(cacert, path); |
457
|
|
|
|
|
|
|
/* mbedtls_x509_crt_parse_path returns the number of invalid certs on success */ |
458
|
|
|
|
|
|
|
if (ret < 0) { |
459
|
|
|
|
|
|
|
mbedtls_x509_crt_free(cacert); |
460
|
|
|
|
|
|
|
git__free(cacert); |
461
|
|
|
|
|
|
|
mbedtls_strerror( ret, errbuf, 512 ); |
462
|
|
|
|
|
|
|
git_error_set(GIT_ERROR_SSL, "failed to load CA certificates: %#04x - %s", ret, errbuf); |
463
|
|
|
|
|
|
|
return -1; |
464
|
|
|
|
|
|
|
} |
465
|
|
|
|
|
|
|
|
466
|
|
|
|
|
|
|
mbedtls_x509_crt_free(git__ssl_conf->ca_chain); |
467
|
|
|
|
|
|
|
git__free(git__ssl_conf->ca_chain); |
468
|
|
|
|
|
|
|
mbedtls_ssl_conf_ca_chain(git__ssl_conf, cacert, NULL); |
469
|
|
|
|
|
|
|
|
470
|
|
|
|
|
|
|
return 0; |
471
|
|
|
|
|
|
|
} |
472
|
|
|
|
|
|
|
|
473
|
|
|
|
|
|
|
#else |
474
|
|
|
|
|
|
|
|
475
|
|
|
|
|
|
|
#include "stream.h" |
476
|
|
|
|
|
|
|
|
477
|
87
|
|
|
|
|
|
int git_mbedtls_stream_global_init(void) |
478
|
|
|
|
|
|
|
{ |
479
|
87
|
|
|
|
|
|
return 0; |
480
|
|
|
|
|
|
|
} |
481
|
|
|
|
|
|
|
|
482
|
|
|
|
|
|
|
#endif |