kmx git

Commit	Date	Message
0c7f49dd	2017-06-30T13:39:01	Make sure to always include "common.h" first Next to including several files, our "common.h" header also declares various macros which are then used throughout the project. As such, we have to make sure to always include this file first in all implementation files. Otherwise, we might encounter problems or even silent behavioural differences due to macros or defines not being defined as they should be. So in fact, our header and implementation files should make sure to always include "common.h" first. This commit does so by establishing a common include pattern. Header files inside of "src" will now always include "common.h" as its first other file, separated by a newline from all the other includes to make it stand out as special. There are two cases for the implementation files. If they do have a matching header file, they will always include this one first, leading to "common.h" being transitively included as first file. If they do not have a matching header file, they instead include "common.h" as first file themselves. This fixes the outlined problems and will become our standard practice for header and source files inside of the "src/" from now on.
f28744a5	2017-06-05T10:11:20	openssl_stream: fix building with libressl OpenSSL v1.1 has introduced a new way of initializing the library without having to call various functions of different subsystems. In libgit2, we have been adapting to that change with 88520151f (openssl_stream: use new initialization function on OpenSSL version >=1.1, 2017-04-07), where we added an #ifdef depending on the OpenSSL version. This change broke building with libressl, though, which has not changed its API in the same way. Fix the issue by expanding the #ifdef condition to use the old way of initializing with libressl. Signed-off-by: Marc-Antoine Perennou <Marc-Antoine@Perennou.com>
88520151	2017-04-07T13:02:50	openssl_stream: use new initialization function on OpenSSL version >=1.1 Previous to OpenSSL version 1.1, the user had to initialize at least the error strings as well as the SSL algorithms by himself. OpenSSL version 1.1 instead provides a new function `OPENSSL_init_ssl`, which handles initialization of all subsystems. As the new API call will by default load error strings and initialize the SSL algorithms, we can safely replace these calls when compiling against version 1.1 or later. This fixes a compiler error when compiling against OpenSSL version 1.1 which has been built without stubs for deprecated syntax.
29081c2f	2017-04-07T12:54:33	openssl_stream: remove locking initialization on OpenSSL version >=1.1 Up to version 1.0, OpenSSL required us to provide a callback which implements a locking mechanism. Due to problems in the API design though this mechanism was inherently broken, especially regarding that the locking callback cannot report errors in an obvious way. Due to this shortcoming, the locking initialization has been completely removed in OpenSSL version 1.1. As the library has also been refactored to not make any use of these callback functions, we can safely remove all initialization of the locking subsystem if compiling against OpenSSL version 1.1 or higher. This fixes a compilation error when compiling against OpenSSL version 1.1 which has been built without stubs for deprecated syntax.
dd0b1e8c	2017-03-20T09:13:25	openssl_stream: fix releasing OpenSSL locks The OpenSSL library may require multiple locks to work correctly, where it is the caller's responsibility to initialize and release the locks. While we correctly initialized up to `n` locks, as determined by `CRYPTO_num_locks`, we were repeatedly freeing the same mutex in our shutdown procedure. Fix the issue by freeing locks at the correct index.
909d5494	2016-12-29T12:25:15	giterr_set: consistent error messages Error messages should be sentence fragments, and therefore: 1. Should not begin with a capital letter, 2. Should not conclude with punctuation, and 3. Should not end a sentence and begin a new one
7175222c	2016-11-02T14:50:59	Merge pull request #3960 from ignatenkobrain/openssl-1.1.0 add support for OpenSSL 1.1.0 for BIO filter
2f3adf95	2016-11-02T12:35:46	openssl: use ASN1_STRING_get0_data when compiling against 1.1 For older versions we can fall back on the deprecated ASN1_STRING_data.
f15eedb3	2016-11-02T12:28:25	openssl: recreate the OpenSSL 1.1 BIO interface for older versions We want to program against the interface, so recreate it when we compile against pre-1.1 versions.
dc98cb28	2016-10-31T13:50:23	openssl_stream: fix typo
feb330d5	2016-10-12T12:41:36	add support for OpenSSL 1.1.0 for BIO filter Closes: https://github.com/libgit2/libgit2/issues/3959 Signed-off-by: Igor Gnatenko <i.gnatenko.brain@gmail.com>
568c5a9f	2016-04-27T13:56:16	Fix style: no braces
4734c52a	2016-04-26T18:04:03	Fix return value of openssl_read (infinite loop) openssl_read should return -1 in case of error. SSL_read returns values <= 0 in case of error. A return value of 0 can lead to an infinite loop, so the return value of ssl_set_error will be returned if SSL_read is not successful (analog to openssl_write).
b373e9a6	2015-09-21T22:38:50	net: use proxy options struct in the stream config
fa72d6da	2016-03-14T12:02:00	Setup better defaults for OpenSSL ciphers This ensures that when using OpenSSL a safe default set of ciphers is selected. This is done so that the client communicates securely and we don't accidentally enable unsafe ciphers like RC4, or even worse some old export ciphers. Implements the first part of https://github.com/libgit2/libgit2/issues/3682
0d9a7498	2016-02-25T12:09:49	Merge pull request #3628 from pks-t/pks/coverity-fixes Coverity fixes
68ad3156	2016-02-24T17:17:57	openssl: we already had the function, just needed the header
f3d1be7d	2016-02-24T16:38:22	openssl: export the locking function when building without OpenSSL This got lost duing the move and it lets the users call this function just in case.
05bf67b9	2016-02-23T11:16:36	openssl_stream: fix NULL pointer dereference
2baf854e	2016-02-22T16:08:56	openssl_stream: fix memory leak when creating new stream
c8fe6c09	2016-02-19T16:23:14	openssl: re-export the last-resort locking function We need to include the header where we define the function. Otherwise it won't be available on the DLL.
deecaa2e	2016-02-19T13:31:54	openssl: free the context even if we don't connect
8a6d6677	2016-02-08T16:14:03	global: make openssl registration like the rest
146a96de	2015-09-30T09:41:25	openssl: don't try to teardown an unconnected SSL context SSL_shutdown() does not like it when we pass an unitialized ssl context to it. This means that when we fail to connect to a host, we hide the error message saying so with OpenSSL's indecipherable error message.
a1687f78	2015-07-10T19:07:41	Merge pull request #3297 from tkelman/patch-2 Fix undefined reference with old versions of openssl
79698030	2015-06-29T22:51:18	git_cert: child types use proper base type
febc8c46	2015-07-07T06:55:05	Fix undefined reference with old versions of openssl Versions prior to 0.9.8f did not have this function, rhel/centos5 are still on a heavily backported version of 0.9.8e and theoretically supported until March 2017 Without this ifdef, I get the following link failure: ``` CMakeFiles/libgit2_clar.dir/src/openssl_stream.c.o: In function `openssl_connect': openssl_stream.c:(.text+0x45a): undefined reference to `SSL_set_tlsext_host_name' collect2: error: ld returned 1 exit status make[6]: *** [libgit2_clar] Error 1 ```
3ca84ac0	2015-06-29T20:29:29	openssl: free hostname
cae2a555	2015-06-26T08:17:56	Fixed build failure if GIT_CURL is not defined
8443f492	2015-06-11T16:57:04	curl: remove the encrypted param to the constructor We do not want libcurl to perform the TLS negotiation for us, so we don't need to pass this option.
e247649d	2015-06-11T16:50:44	openssl: use the curl stream if available When linking against libcurl, use it as the underlying transport instead of straight sockets. We can't quite just give over the file descriptor, as curl puts it into non-blocking mode, so we build a custom BIO so OpenSSL sends the data through our stream, be it the socket or curl streams.
2540487f	2015-05-22T12:53:52	Merge pull request #3108 from libgit2/cmn/ssl-no-want openssl: don't try to handle WANT_READ or WANT_WRITE
a6ea108b	2015-05-21T14:04:46	Merge branch 'sni'
987045c7	2015-05-20T18:03:54	Call the openssl API to be able to work with SNI servers.
1396c381	2015-05-18T16:04:55	errors: add GIT_EEOF to indicate early EOF This can be used by tools to show mesages about failing to communicate with the server. The error message in this case will often contain the server's error message, as far as it managed to send anything.
77bffc2c	2015-05-09T13:21:39	openssl: don't try to handle WANT_READ or WANT_WRITE We use a blocking socket and set the mode to AUTO_RETRY which means that `SSL_write` and `SSL_read` will only return once the read or write has been completed. We therefore don't need to handle partial writes or re-try read due to a regenotiation. While here, consider that a zero also indicates an error condition.
24e53d2f	2015-03-19T09:55:20	Rename GIT_SSL to GIT_OPENSSL This is what it's meant all along, but now we actually have multiple implementations, it's clearer to use the name of the library.
70b852ce	2015-03-19T00:45:43	Silence unused warnings when not using OpenSSL
ec032442	2015-02-27T10:49:02	Include openssl headers last Windows headers #define some names that openssl uses too. Openssl headers #undef the offending names before reusing them. But if those offending Windows headers get included after the openssl headers the namespace is polluted and nothing good happens. Fixes issue #2850.
a944c6cc	2015-03-02T11:08:04	Don't include headers on windows that aren't available This mainly concerns mingw build.
3cda6be7	2015-01-24T16:19:43	openssl: Add all required includes for AF_INET6 and in6_addr. This fixes the build at least on FreeBSD, where those types were not defined indirectly: src/openssl_stream.c:100:18: error: variable has incomplete type 'struct in6_addr' struct in6_addr addr6; ^ src/openssl_stream.c:100:9: note: forward declaration of 'struct in6_addr' struct in6_addr addr6; ^ src/openssl_stream.c:111:18: error: use of undeclared identifier 'AF_INET' if (p_inet_pton(AF_INET, host, &addr4)) { ^ src/unix/posix.h:31:40: note: expanded from macro 'p_inet_pton' ^ src/openssl_stream.c:115:18: error: use of undeclared identifier 'AF_INET6' if(p_inet_pton(AF_INET6, host, &addr6)) { ^ src/unix/posix.h:31:40: note: expanded from macro 'p_inet_pton' ^
49ae22ba	2014-12-10T01:38:52	stream: constify the write buffer
1b75c29e	2014-11-02T11:17:01	gitno: remove code which is no longer needed Most of the network-facing facilities have been copied to the socket and openssl streams. No code now uses these functions directly anymore, so we can now remove them.
468d7b11	2014-11-01T15:19:54	Add an OpenSSL IO stream This unfortunately isn't as stackable as could be possible, as it hard-codes the socket stream. This is because the method of using a custom openssl BIO is not clear, and we do not need this for now. We can still bring this in if and as we need it.

0c7f49dd

2017-06-30T13:39:01

Make sure to always include "common.h" first Next to including several files, our "common.h" header also declares various macros which are then used throughout the project. As such, we have to make sure to always include this file first in all implementation files. Otherwise, we might encounter problems or even silent behavioural differences due to macros or defines not being defined as they should be. So in fact, our header and implementation files should make sure to always include "common.h" first. This commit does so by establishing a common include pattern. Header files inside of "src" will now always include "common.h" as its first other file, separated by a newline from all the other includes to make it stand out as special. There are two cases for the implementation files. If they do have a matching header file, they will always include this one first, leading to "common.h" being transitively included as first file. If they do not have a matching header file, they instead include "common.h" as first file themselves. This fixes the outlined problems and will become our standard practice for header and source files inside of the "src/" from now on.

f28744a5

2017-06-05T10:11:20

openssl_stream: fix building with libressl OpenSSL v1.1 has introduced a new way of initializing the library without having to call various functions of different subsystems. In libgit2, we have been adapting to that change with 88520151f (openssl_stream: use new initialization function on OpenSSL version >=1.1, 2017-04-07), where we added an #ifdef depending on the OpenSSL version. This change broke building with libressl, though, which has not changed its API in the same way. Fix the issue by expanding the #ifdef condition to use the old way of initializing with libressl. Signed-off-by: Marc-Antoine Perennou <Marc-Antoine@Perennou.com>

88520151

2017-04-07T13:02:50

openssl_stream: use new initialization function on OpenSSL version >=1.1 Previous to OpenSSL version 1.1, the user had to initialize at least the error strings as well as the SSL algorithms by himself. OpenSSL version 1.1 instead provides a new function `OPENSSL_init_ssl`, which handles initialization of all subsystems. As the new API call will by default load error strings and initialize the SSL algorithms, we can safely replace these calls when compiling against version 1.1 or later. This fixes a compiler error when compiling against OpenSSL version 1.1 which has been built without stubs for deprecated syntax.

29081c2f

2017-04-07T12:54:33

openssl_stream: remove locking initialization on OpenSSL version >=1.1 Up to version 1.0, OpenSSL required us to provide a callback which implements a locking mechanism. Due to problems in the API design though this mechanism was inherently broken, especially regarding that the locking callback cannot report errors in an obvious way. Due to this shortcoming, the locking initialization has been completely removed in OpenSSL version 1.1. As the library has also been refactored to not make any use of these callback functions, we can safely remove all initialization of the locking subsystem if compiling against OpenSSL version 1.1 or higher. This fixes a compilation error when compiling against OpenSSL version 1.1 which has been built without stubs for deprecated syntax.

dd0b1e8c

2017-03-20T09:13:25

openssl_stream: fix releasing OpenSSL locks The OpenSSL library may require multiple locks to work correctly, where it is the caller's responsibility to initialize and release the locks. While we correctly initialized up to `n` locks, as determined by `CRYPTO_num_locks`, we were repeatedly freeing the same mutex in our shutdown procedure. Fix the issue by freeing locks at the correct index.

909d5494

2016-12-29T12:25:15

giterr_set: consistent error messages Error messages should be sentence fragments, and therefore: 1. Should not begin with a capital letter, 2. Should not conclude with punctuation, and 3. Should not end a sentence and begin a new one

7175222c

2016-11-02T14:50:59

Merge pull request #3960 from ignatenkobrain/openssl-1.1.0 add support for OpenSSL 1.1.0 for BIO filter

2f3adf95

2016-11-02T12:35:46

openssl: use ASN1_STRING_get0_data when compiling against 1.1 For older versions we can fall back on the deprecated ASN1_STRING_data.

f15eedb3

2016-11-02T12:28:25

openssl: recreate the OpenSSL 1.1 BIO interface for older versions We want to program against the interface, so recreate it when we compile against pre-1.1 versions.

dc98cb28

2016-10-31T13:50:23

openssl_stream: fix typo

feb330d5

2016-10-12T12:41:36

add support for OpenSSL 1.1.0 for BIO filter Closes: https://github.com/libgit2/libgit2/issues/3959 Signed-off-by: Igor Gnatenko <i.gnatenko.brain@gmail.com>

568c5a9f

2016-04-27T13:56:16

Fix style: no braces

4734c52a

2016-04-26T18:04:03

Fix return value of openssl_read (infinite loop) openssl_read should return -1 in case of error. SSL_read returns values <= 0 in case of error. A return value of 0 can lead to an infinite loop, so the return value of ssl_set_error will be returned if SSL_read is not successful (analog to openssl_write).

b373e9a6

2015-09-21T22:38:50

net: use proxy options struct in the stream config

fa72d6da

2016-03-14T12:02:00

Setup better defaults for OpenSSL ciphers This ensures that when using OpenSSL a safe default set of ciphers is selected. This is done so that the client communicates securely and we don't accidentally enable unsafe ciphers like RC4, or even worse some old export ciphers. Implements the first part of https://github.com/libgit2/libgit2/issues/3682

0d9a7498

2016-02-25T12:09:49

Merge pull request #3628 from pks-t/pks/coverity-fixes Coverity fixes

68ad3156

2016-02-24T17:17:57

openssl: we already had the function, just needed the header

f3d1be7d

2016-02-24T16:38:22

openssl: export the locking function when building without OpenSSL This got lost duing the move and it lets the users call this function just in case.

05bf67b9

2016-02-23T11:16:36

openssl_stream: fix NULL pointer dereference

2baf854e

2016-02-22T16:08:56

openssl_stream: fix memory leak when creating new stream

c8fe6c09

2016-02-19T16:23:14

openssl: re-export the last-resort locking function We need to include the header where we define the function. Otherwise it won't be available on the DLL.

deecaa2e

2016-02-19T13:31:54

openssl: free the context even if we don't connect

8a6d6677

2016-02-08T16:14:03

global: make openssl registration like the rest

146a96de

2015-09-30T09:41:25

openssl: don't try to teardown an unconnected SSL context SSL_shutdown() does not like it when we pass an unitialized ssl context to it. This means that when we fail to connect to a host, we hide the error message saying so with OpenSSL's indecipherable error message.

a1687f78

2015-07-10T19:07:41

Merge pull request #3297 from tkelman/patch-2 Fix undefined reference with old versions of openssl

79698030

2015-06-29T22:51:18

git_cert: child types use proper base type

febc8c46

2015-07-07T06:55:05

Fix undefined reference with old versions of openssl Versions prior to 0.9.8f did not have this function, rhel/centos5 are still on a heavily backported version of 0.9.8e and theoretically supported until March 2017 Without this ifdef, I get the following link failure: ``` CMakeFiles/libgit2_clar.dir/src/openssl_stream.c.o: In function `openssl_connect': openssl_stream.c:(.text+0x45a): undefined reference to `SSL_set_tlsext_host_name' collect2: error: ld returned 1 exit status make[6]: *** [libgit2_clar] Error 1 ```

3ca84ac0

2015-06-29T20:29:29

openssl: free hostname

cae2a555

2015-06-26T08:17:56

Fixed build failure if GIT_CURL is not defined

8443f492

2015-06-11T16:57:04

curl: remove the encrypted param to the constructor We do not want libcurl to perform the TLS negotiation for us, so we don't need to pass this option.

e247649d

2015-06-11T16:50:44

openssl: use the curl stream if available When linking against libcurl, use it as the underlying transport instead of straight sockets. We can't quite just give over the file descriptor, as curl puts it into non-blocking mode, so we build a custom BIO so OpenSSL sends the data through our stream, be it the socket or curl streams.

2540487f

2015-05-22T12:53:52

Merge pull request #3108 from libgit2/cmn/ssl-no-want openssl: don't try to handle WANT_READ or WANT_WRITE

a6ea108b

2015-05-21T14:04:46

Merge branch 'sni'

987045c7

2015-05-20T18:03:54

Call the openssl API to be able to work with SNI servers.

1396c381

2015-05-18T16:04:55

errors: add GIT_EEOF to indicate early EOF This can be used by tools to show mesages about failing to communicate with the server. The error message in this case will often contain the server's error message, as far as it managed to send anything.

77bffc2c

2015-05-09T13:21:39

openssl: don't try to handle WANT_READ or WANT_WRITE We use a blocking socket and set the mode to AUTO_RETRY which means that `SSL_write` and `SSL_read` will only return once the read or write has been completed. We therefore don't need to handle partial writes or re-try read due to a regenotiation. While here, consider that a zero also indicates an error condition.

24e53d2f

2015-03-19T09:55:20

Rename GIT_SSL to GIT_OPENSSL This is what it's meant all along, but now we actually have multiple implementations, it's clearer to use the name of the library.

70b852ce

2015-03-19T00:45:43

Silence unused warnings when not using OpenSSL

ec032442

2015-02-27T10:49:02

Include openssl headers last Windows headers #define some names that openssl uses too. Openssl headers #undef the offending names before reusing them. But if those offending Windows headers get included after the openssl headers the namespace is polluted and nothing good happens. Fixes issue #2850.

a944c6cc

2015-03-02T11:08:04

Don't include headers on windows that aren't available This mainly concerns mingw build.

3cda6be7

2015-01-24T16:19:43

openssl: Add all required includes for AF_INET6 and in6_addr. This fixes the build at least on FreeBSD, where those types were not defined indirectly: src/openssl_stream.c:100:18: error: variable has incomplete type 'struct in6_addr' struct in6_addr addr6; ^ src/openssl_stream.c:100:9: note: forward declaration of 'struct in6_addr' struct in6_addr addr6; ^ src/openssl_stream.c:111:18: error: use of undeclared identifier 'AF_INET' if (p_inet_pton(AF_INET, host, &addr4)) { ^ src/unix/posix.h:31:40: note: expanded from macro 'p_inet_pton' ^ src/openssl_stream.c:115:18: error: use of undeclared identifier 'AF_INET6' if(p_inet_pton(AF_INET6, host, &addr6)) { ^ src/unix/posix.h:31:40: note: expanded from macro 'p_inet_pton' ^

49ae22ba

2014-12-10T01:38:52

stream: constify the write buffer

1b75c29e

2014-11-02T11:17:01

gitno: remove code which is no longer needed Most of the network-facing facilities have been copied to the socket and openssl streams. No code now uses these functions directly anymore, so we can now remove them.

468d7b11

2014-11-01T15:19:54

Add an OpenSSL IO stream This unfortunately isn't as stackable as could be possible, as it hard-codes the socket stream. This is because the method of using a custom openssl BIO is not clear, and we do not need this for now. We can still bring this in if and as we need it.

thodg/libgit2/src/openssl_stream.c

src/openssl_stream.c

Log