|
f28744a5
|
2017-06-05T10:11:20
|
|
openssl_stream: fix building with libressl
OpenSSL v1.1 has introduced a new way of initializing the library
without having to call various functions of different subsystems. In
libgit2, we have been adapting to that change with 88520151f
(openssl_stream: use new initialization function on OpenSSL version
>=1.1, 2017-04-07), where we added an #ifdef depending on the OpenSSL
version. This change broke building with libressl, though, which has not
changed its API in the same way.
Fix the issue by expanding the #ifdef condition to use the old way of
initializing with libressl.
Signed-off-by: Marc-Antoine Perennou <Marc-Antoine@Perennou.com>
|
|
88520151
|
2017-04-07T13:02:50
|
|
openssl_stream: use new initialization function on OpenSSL version >=1.1
Previous to OpenSSL version 1.1, the user had to initialize at least the error
strings as well as the SSL algorithms by himself. OpenSSL version 1.1 instead
provides a new function `OPENSSL_init_ssl`, which handles initialization of all
subsystems. As the new API call will by default load error strings and
initialize the SSL algorithms, we can safely replace these calls when compiling
against version 1.1 or later.
This fixes a compiler error when compiling against OpenSSL version 1.1 which has
been built without stubs for deprecated syntax.
|
|
29081c2f
|
2017-04-07T12:54:33
|
|
openssl_stream: remove locking initialization on OpenSSL version >=1.1
Up to version 1.0, OpenSSL required us to provide a callback which implements
a locking mechanism. Due to problems in the API design though this mechanism was
inherently broken, especially regarding that the locking callback cannot report
errors in an obvious way. Due to this shortcoming, the locking initialization
has been completely removed in OpenSSL version 1.1. As the library has also been
refactored to not make any use of these callback functions, we can safely remove
all initialization of the locking subsystem if compiling against OpenSSL version
1.1 or higher.
This fixes a compilation error when compiling against OpenSSL version 1.1 which
has been built without stubs for deprecated syntax.
|
|
dd0b1e8c
|
2017-03-20T09:13:25
|
|
openssl_stream: fix releasing OpenSSL locks
The OpenSSL library may require multiple locks to work correctly, where
it is the caller's responsibility to initialize and release the locks.
While we correctly initialized up to `n` locks, as determined by
`CRYPTO_num_locks`, we were repeatedly freeing the same mutex in our
shutdown procedure.
Fix the issue by freeing locks at the correct index.
|
|
909d5494
|
2016-12-29T12:25:15
|
|
giterr_set: consistent error messages
Error messages should be sentence fragments, and therefore:
1. Should not begin with a capital letter,
2. Should not conclude with punctuation, and
3. Should not end a sentence and begin a new one
|
|
7175222c
|
2016-11-02T14:50:59
|
|
Merge pull request #3960 from ignatenkobrain/openssl-1.1.0
add support for OpenSSL 1.1.0 for BIO filter
|
|
2f3adf95
|
2016-11-02T12:35:46
|
|
openssl: use ASN1_STRING_get0_data when compiling against 1.1
For older versions we can fall back on the deprecated ASN1_STRING_data.
|
|
f15eedb3
|
2016-11-02T12:28:25
|
|
openssl: recreate the OpenSSL 1.1 BIO interface for older versions
We want to program against the interface, so recreate it when we compile
against pre-1.1 versions.
|
|
dc98cb28
|
2016-10-31T13:50:23
|
|
openssl_stream: fix typo
|
|
feb330d5
|
2016-10-12T12:41:36
|
|
add support for OpenSSL 1.1.0 for BIO filter
Closes: https://github.com/libgit2/libgit2/issues/3959
Signed-off-by: Igor Gnatenko <i.gnatenko.brain@gmail.com>
|
|
568c5a9f
|
2016-04-27T13:56:16
|
|
Fix style: no braces
|
|
4734c52a
|
2016-04-26T18:04:03
|
|
Fix return value of openssl_read (infinite loop)
openssl_read should return -1 in case of error.
SSL_read returns values <= 0 in case of error.
A return value of 0 can lead to an infinite loop, so the return value
of ssl_set_error will be returned if SSL_read is not successful (analog
to openssl_write).
|
|
b373e9a6
|
2015-09-21T22:38:50
|
|
net: use proxy options struct in the stream config
|
|
fa72d6da
|
2016-03-14T12:02:00
|
|
Setup better defaults for OpenSSL ciphers
This ensures that when using OpenSSL a safe default set of ciphers
is selected. This is done so that the client communicates securely
and we don't accidentally enable unsafe ciphers like RC4, or even
worse some old export ciphers.
Implements the first part of https://github.com/libgit2/libgit2/issues/3682
|
|
0d9a7498
|
2016-02-25T12:09:49
|
|
Merge pull request #3628 from pks-t/pks/coverity-fixes
Coverity fixes
|
|
68ad3156
|
2016-02-24T17:17:57
|
|
openssl: we already had the function, just needed the header
|
|
f3d1be7d
|
2016-02-24T16:38:22
|
|
openssl: export the locking function when building without OpenSSL
This got lost duing the move and it lets the users call this function
just in case.
|
|
05bf67b9
|
2016-02-23T11:16:36
|
|
openssl_stream: fix NULL pointer dereference
|
|
2baf854e
|
2016-02-22T16:08:56
|
|
openssl_stream: fix memory leak when creating new stream
|
|
c8fe6c09
|
2016-02-19T16:23:14
|
|
openssl: re-export the last-resort locking function
We need to include the header where we define the function. Otherwise it
won't be available on the DLL.
|
|
deecaa2e
|
2016-02-19T13:31:54
|
|
openssl: free the context even if we don't connect
|
|
8a6d6677
|
2016-02-08T16:14:03
|
|
global: make openssl registration like the rest
|
|
146a96de
|
2015-09-30T09:41:25
|
|
openssl: don't try to teardown an unconnected SSL context
SSL_shutdown() does not like it when we pass an unitialized ssl context
to it. This means that when we fail to connect to a host, we hide the
error message saying so with OpenSSL's indecipherable error message.
|
|
a1687f78
|
2015-07-10T19:07:41
|
|
Merge pull request #3297 from tkelman/patch-2
Fix undefined reference with old versions of openssl
|
|
79698030
|
2015-06-29T22:51:18
|
|
git_cert: child types use proper base type
|
|
febc8c46
|
2015-07-07T06:55:05
|
|
Fix undefined reference with old versions of openssl
Versions prior to 0.9.8f did not have this function, rhel/centos5 are still on a
heavily backported version of 0.9.8e and theoretically supported until March 2017
Without this ifdef, I get the following link failure:
```
CMakeFiles/libgit2_clar.dir/src/openssl_stream.c.o: In function `openssl_connect':
openssl_stream.c:(.text+0x45a): undefined reference to `SSL_set_tlsext_host_name'
collect2: error: ld returned 1 exit status
make[6]: *** [libgit2_clar] Error 1
```
|
|
3ca84ac0
|
2015-06-29T20:29:29
|
|
openssl: free hostname
|
|
cae2a555
|
2015-06-26T08:17:56
|
|
Fixed build failure if GIT_CURL is not defined
|
|
8443f492
|
2015-06-11T16:57:04
|
|
curl: remove the encrypted param to the constructor
We do not want libcurl to perform the TLS negotiation for us, so we
don't need to pass this option.
|
|
e247649d
|
2015-06-11T16:50:44
|
|
openssl: use the curl stream if available
When linking against libcurl, use it as the underlying transport instead
of straight sockets. We can't quite just give over the file descriptor,
as curl puts it into non-blocking mode, so we build a custom BIO so
OpenSSL sends the data through our stream, be it the socket or curl
streams.
|
|
2540487f
|
2015-05-22T12:53:52
|
|
Merge pull request #3108 from libgit2/cmn/ssl-no-want
openssl: don't try to handle WANT_READ or WANT_WRITE
|
|
a6ea108b
|
2015-05-21T14:04:46
|
|
Merge branch 'sni'
|
|
987045c7
|
2015-05-20T18:03:54
|
|
Call the openssl API to be able to work with SNI servers.
|
|
1396c381
|
2015-05-18T16:04:55
|
|
errors: add GIT_EEOF to indicate early EOF
This can be used by tools to show mesages about failing to communicate
with the server. The error message in this case will often contain the
server's error message, as far as it managed to send anything.
|
|
77bffc2c
|
2015-05-09T13:21:39
|
|
openssl: don't try to handle WANT_READ or WANT_WRITE
We use a blocking socket and set the mode to AUTO_RETRY which means that
`SSL_write` and `SSL_read` will only return once the read or write has
been completed. We therefore don't need to handle partial writes or
re-try read due to a regenotiation.
While here, consider that a zero also indicates an error condition.
|
|
24e53d2f
|
2015-03-19T09:55:20
|
|
Rename GIT_SSL to GIT_OPENSSL
This is what it's meant all along, but now we actually have multiple
implementations, it's clearer to use the name of the library.
|
|
70b852ce
|
2015-03-19T00:45:43
|
|
Silence unused warnings when not using OpenSSL
|
|
ec032442
|
2015-02-27T10:49:02
|
|
Include openssl headers last
Windows headers #define some names that openssl uses too. Openssl
headers #undef the offending names before reusing them. But if those
offending Windows headers get included after the openssl headers the
namespace is polluted and nothing good happens.
Fixes issue #2850.
|
|
a944c6cc
|
2015-03-02T11:08:04
|
|
Don't include headers on windows that aren't available
This mainly concerns mingw build.
|
|
3cda6be7
|
2015-01-24T16:19:43
|
|
openssl: Add all required includes for AF_INET6 and in6_addr.
This fixes the build at least on FreeBSD, where those types were not
defined indirectly:
src/openssl_stream.c:100:18: error: variable has incomplete type 'struct in6_addr'
struct in6_addr addr6;
^
src/openssl_stream.c:100:9: note: forward declaration of 'struct in6_addr'
struct in6_addr addr6;
^
src/openssl_stream.c:111:18: error: use of undeclared identifier 'AF_INET'
if (p_inet_pton(AF_INET, host, &addr4)) {
^
src/unix/posix.h:31:40: note: expanded from macro 'p_inet_pton'
^
src/openssl_stream.c:115:18: error: use of undeclared identifier 'AF_INET6'
if(p_inet_pton(AF_INET6, host, &addr6)) {
^
src/unix/posix.h:31:40: note: expanded from macro 'p_inet_pton'
^
|
|
49ae22ba
|
2014-12-10T01:38:52
|
|
stream: constify the write buffer
|
|
1b75c29e
|
2014-11-02T11:17:01
|
|
gitno: remove code which is no longer needed
Most of the network-facing facilities have been copied to the socket and
openssl streams. No code now uses these functions directly anymore, so
we can now remove them.
|
|
468d7b11
|
2014-11-01T15:19:54
|
|
Add an OpenSSL IO stream
This unfortunately isn't as stackable as could be possible, as it
hard-codes the socket stream. This is because the method of using a
custom openssl BIO is not clear, and we do not need this for now. We can
still bring this in if and as we need it.
|