| Commit message (Collapse) | Author | Age | Files | Lines |
Make some syntax changes to follow coding style.
fixes #6003
Defer dlopen until it's needed when dynamically loading OpenSSL
libraries.
Provide an interface around OpenSSL to dynamically load the libraries
and symbols, so that users can distribute a libgit2 library that is not
linked directly against OpenSSL. This enables users to target multiple
distributions with a single binary.
This mechanism is optional and disabled by default. Configure cmake
with -DUSE_HTTPS=OpenSSL-Dynamic to use it.
Refactor the OpenSSL stream implementation so that the legacy code is better
abstracted. This will enable future development.
During valgrind runs, we try to swap out the OpenSSL allocators for our
own. This allows us to avoid some unnecessary warnings about usage.
Unfortunately, many builds of OpenSSL do not allow you to swap
allocators; for example FIPS builds and the builds running in CentOS.
Try to swap the allocators, but do not fail when they cannot be
customized.
Provide a mechanism for system components to register for initialization
and shutdown of the libgit2 runtime.
Move the settings global data teardown into its own separate function,
instead of intermingled with the global state.
When compiling libgit2 with -DDEPRECATE_HARD, we add a preprocessor
definition `GIT_DEPRECATE_HARD` which causes the "git2/deprecated.h"
header to be empty. As a result, no function declarations are made
available to callers, but the implementations are still available to
link against. This has the problem that function declarations also
aren't visible to the implementations, meaning that the symbol's
visibility will not be set up correctly. As a result, the resulting
library may not expose those deprecated symbols at all on some platforms
and thus cause linking errors.
Fix the issue by conditionally compiling deprecated functions, only.
While it becomes impossible to link against such a library in case one
uses deprecated functions, distributors of libgit2 aren't expected to
pass -DDEPRECATE_HARD anyway. Instead, users of libgit2 should manually
define GIT_DEPRECATE_HARD to hide deprecated functions. Using "real"
hard deprecation still makes sense in the context of CI to test we don't
use deprecated symbols ourselves and in case a dependent uses libgit2 in
a vendored way and knows it won't ever use any of the deprecated symbols
anyway.
We're missing some header includes leading to missing function
prototypes. While we currently don't warn about these, we should have
their respective headers included in order to detect the case where a
function signature change results in an incompatibility.
When creating a `git_cert` from the OpenSSL X509 certificate of a given
stream, we do not call `X509_free()` on the certificate, leading to a
memory leak as soon as the certificate is requested e.g. by the
certificate check callback.
Fix the issue by properly calling `X509_free()`.
Coverity fixes
OpenSSL pre-v1.1 required us to set up a locking function to properly
support multithreading. The locking function signature cannot return any
error codes, and as a result we can't do anything if `git_mutex_lock`
fails. To silence static analysis tools, let's just explicitly ignore
its return value by casting it to `void`.
As OpenSSL loves using uninitialized bytes as another source of entropy,
we need to mark them as defined so that Valgrind won't complain about
use of these bytes. Traditionally, we've been using the macro
`VALGRIND_MAKE_MEM_DEFINED` provided by Valgrind, but starting with
OpenSSL 1.1 the code doesn't compile anymore due to `struct SSL` having
become opaque. As such, we also can't set it as defined anymore, as we
have no way of knowing its size.
Let's change gears instead by just swapping out the allocator functions
of OpenSSL with our own ones. The twist is that instead of calling
`malloc`, we just call `calloc` to have the bytes initialized
automatically. Next to soothing Valgrind, this approach has the benefit
of being completely agnostic of the memory sanitizer and is neatly
contained at a single place.
Note that we shouldn't do this for non-Valgrind builds. As we cannot
set up memory functions for a given SSL context, only, we need to swap
them at a global context. Furthermore, as it's possible to call
`OPENSSL_set_mem_functions` once only, we'd prevent users of libgit2 from
setting up their own allocators.
Provide usage hints to valgrind. We trust the data coming back from
OpenSSL to have been properly initialized. (And if it has not, it's an
OpenSSL bug, not a libgit2 bug.)
We previously took the `VALGRIND` option to CMake as a hint to disable
mmap. Remove that; it's broken. Now use it to pass on the `VALGRIND`
definition so that sources can provide valgrind hints.
valgrind will warn that OpenSSL will use undefined data in connect/read
when talking to certain other TLS stacks. Thankfully, this only seems
to occur when gcc is the compiler, so hopefully valgrind is just
misunderstanding an optimization. Regardless, suppress this warning.
Use lowercase for our error messages, per our custom.
The mbedtls library uses a callback mechanism to allow downstream users
to plug in their own receive and send functions. We implement `bio_read`
and `bio_write` functions, which simply wrap the `git_stream_read` and
`git_stream_write` functions, respectively.
The problem arises due to the return value of the callback functions:
mbedtls expects us to return an `int` containing the actual number of
bytes that were read or written. But this is in fact completely
misdesigned, as callers are allowed to pass in a buffer with length
`SIZE_MAX`. We thus may be unable to represent the number of bytes
written via the return value.
Fix this by only ever reading or writing at most `INT_MAX` bytes.
The mbedtls stream implementation makes use of some global variables
which are not marked as `static`, even though they're only used in this
compilation unit. Fix this and remove a duplicate declaration.
Our `openssl_write` function calls `SSL_write` by passing in both `data`
and `len` arguments directly. Thing is, our `len` parameter is of type
`size_t` and theirs is of type `int`. We thus need to clamp our length
to be at most `INT_MAX`.
Now that the function `git_stream__write_full` exists and callers of
`git_stream_write` have been adjusted, we can lift logic for short
writes out of the stream implementations. Instead, this is now handled
either by `git_stream__write_full` or by callers of `git_stream_write`
directly.
Similar to the write(3) function, implementations of `git_stream_write`
do not guarantee that all bytes are written. Instead, they return the
number of bytes that actually have been written, which may be smaller
than the total number of bytes. Furthermore, due to an interface design
issue, we cannot ever write more than `SSIZE_MAX` bytes at once, as
otherwise we cannot represent the number of bytes written to the caller.
Unfortunately, no caller of `git_stream_write` ever checks the return
value, except to verify that no error occurred. Due to this, they are
susceptible to the case where only partial data has been written.
Fix this by introducing a new function `git_stream__write_full`. In
contrast to `git_stream_write`, it will always return either success or
failure, without returning the number of bytes written. Thus, it is able
to write all `SIZE_MAX` bytes and loop around `git_stream_write` until
all data has been written. Adjust all callers except the BIO callbacks
in our mbedtls and OpenSSL streams, which already do the right thing and
require the number of bytes written.
The callback functions that implement the `git_stream` structure are
only used inside of their respective implementation files, but they are
not marked as `static`. Fix this.
Our streams implementation takes a `size_t` that indicates the length of
the data buffer to be written, and returns an `ssize_t` that indicates
the length that _was_ written. Clearly no such implementation can write
more than `SSIZE_MAX` bytes. Ensure that each TLS stream implementation
does not try to write more than `SSIZE_MAX` bytes (or smaller; if the
given implementation takes a smaller size).
Avoid the deprecated `git_stream_cb` typedef since we want to compile
the library without deprecated functions or types. Instead, we can
unroll the alias to its actual type.
Follow up for PR #4917.
Signed-off-by: Sven Strickroth <email@cs-ware.de>
Move to the `git_error` name in the internal API for error-related
functions.
This change fixes a bunch of warnings that were discovered by compiling
with `clang -target=i386-pc-linux-gnu`. It turned out that the
intrinsics were not necessarily being used in all platforms! Especially
in GCC, since it does not support __has_builtin.
Some more warnings were gleaned from the Windows build, but I stopped
when I saw that some third-party dependencies (e.g. zlib) have warnings
of their own, so we might never be able to enable -Werror there.
Accept an enum (`git_stream_t`) during custom stream registration that
indicates whether the registration structure should be used for standard
(non-TLS) streams or TLS streams.
Update the new stream registration API to be `git_stream_register`
which takes a registration structure and a TLS boolean. This allows
callers to register non-TLS streams as well as TLS streams.
Provide `git_stream_register_tls` that takes just the init callback for
backward compatibility.
We previously used cURL to support HTTP proxies. Now that we've added
this support natively, we can remove the curl dependency.
The implementations of git_openssl_stream_new and
git_mbedtls_stream_new have callers protected by #ifdefs and
are never called unless compiled in. There's no need for a
dummy implementation. Remove them.
Introduce `git_tls_stream_wrap` which will take an existing `stream`
with an already connected socket and begin speaking TLS on top of it.
This is useful if you've built a connection to a proxy server and you
wish to begin CONNECT over it to tunnel a TLS connection.
Also update the pluggable TLS stream layer so that it can accept a
registration structure that provides an `init` and `wrap` function,
instead of a single initialization function.
ssl_close uses this boolean to know if SSL_shutdown should be called.
It turns out OpenSSL auto-shutdowns on failure, so if the call to
SSL_connect fails, it will complain about "shutdown while in init",
trampling the original error.
Replace remaining uses of the `git__strtol32` function. While these uses
are all safe as the strings were either sanitized or from a trusted
source, we want to remove `git__strtol32` altogether to avoid future
misuse.
"warning: values of type 'OSStatus' should not be used as format arguments; add an explicit cast to 'int' instead [-Wformat]"
In commit 382ed1e87 (mbedtls: load default CA certificates, 2018-03-29),
the function `git_mbedtls_stream_global_init` was refactored to call out
to `git_mbedtls__set_cert_location` instead of setting up the
certificates itself. The conversion forgot to remove the now-unused
"cacert" variable, which is now only getting declared to be freed at
the end of the function. Remove it.
Instead of allocating the ciphers_list, make it a static array. This
prevents us from leaking it or having to manage its memory.
The mbedtls headers make direct use of the `inline` attribute to
instruct the compiler to inline functions. As this function is not C90
compliant, this can cause the compiler to error as soon as any of these
files is included and the `-std=c90` flag is being added.
The mbedtls headers declaring functions as inline always have a prelude
which defines `inline` as a macro in case it is not yet defined. Thus, we
can easily replace their define with our own define, which simply copies
the logic of our own `GIT_INLINE` macro.
In case when the global initialization of the OpenSSL stream fails, the
user is left without any hint as to what went wrong as we do not provide
any error message at all. This commit refactors the init function to
have a common error path, which now also sets an error message including
the error string provided by OpenSSL.
SIGSEGV otherwise...