1. 24 Aug, 2021 3 commits
  2. 21 Aug, 2021 1 commit
    • openssl: don't fail when we can't customize allocators · 1903cfef
      During valgrind runs, we try to swap out the OpenSSL allocators for our
      own.  This allows us to avoid some unnecessary warnings about usage.
      Unfortunately, many builds of OpenSSL do not allow you to swap
      allocators; for example FIPS builds and the builds running in CentOS.
      
      Try to swap the allocators, but do not fail when they cannot be
      customized.
      Edward Thomson committed
  3. 27 Nov, 2020 1 commit
  4. 11 Oct, 2020 2 commits
  5. 15 May, 2020 1 commit
  6. 11 Feb, 2020 1 commit
    • streams: openssl: switch approach to silence Valgrind errors · 0119e57d
      As OpenSSL loves using uninitialized bytes as another source of entropy,
      we need to mark them as defined so that Valgrind won't complain about
      use of these bytes. Traditionally, we've been using the macro
      `VALGRIND_MAKE_MEM_DEFINED` provided by Valgrind, but starting with
      OpenSSL 1.1 the code doesn't compile anymore due to `struct SSL` having
      become opaque. As such, we also can't set it as defined anymore, as we
      have no way of knowing its size.
      
      Let's change gears instead by just swapping out the allocator functions
      of OpenSSL with our own ones. The twist is that instead of calling
      `malloc`, we just call `calloc` to have the bytes initialized
      automatically. Next to soothing Valgrind, this approach has the benefit
      of being completely agnostic of the memory sanitizer and is neatly
      contained at a single place.
      
      Note that we shouldn't do this for non-Valgrind builds. As we cannot
      set up memory functions for a given SSL context, only, we need to swap
      them at a global context. Furthermore, as it's possible to call
      `OPENSSL_set_mem_functions` once only, we'd prevent users of libgit2 to
      set up their own allocators.
      Patrick Steinhardt committed
  7. 07 Feb, 2020 1 commit
  8. 24 Nov, 2019 2 commits
    • valgrind: add valgrind hints in OpenSSL · cb77423f
      Provide usage hints to valgrind.  We trust the data coming back from
      OpenSSL to have been properly initialized.  (And if it has not, it's an
      OpenSSL bug, not a libgit2 bug.)
      
      We previously took the `VALGRIND` option to CMake as a hint to disable
      mmap.  Remove that; it's broken.  Now use it to pass on the `VALGRIND`
      definition so that sources can provide valgrind hints.
      Edward Thomson committed
    • valgrind: add suppressions for undefined use · 2ad3eb3e
      valgrind will warn that OpenSSL will use undefined data in connect/read
      when talking to certain other TLS stacks.  Thankfully, this only seems
      to occur when gcc is the compiler, so hopefully valgrind is just
      misunderstanding an optimization.  Regardless, suppress this warning.
      Edward Thomson committed
  9. 31 Jan, 2019 2 commits
  10. 25 Jan, 2019 1 commit
    • streams: don't write more than SSIZE_MAX · f1986a23
      Our streams implementation takes a `size_t` that indicates the length of
      the data buffer to be written, and returns an `ssize_t` that indicates
      the length that _was_ written.  Clearly no such implementation can write
      more than `SSIZE_MAX` bytes.  Ensure that each TLS stream implementation
      does not try to write more than `SSIZE_MAX` bytes (or smaller; if the
      given implementation takes a smaller size).
      Edward Thomson committed
  11. 22 Jan, 2019 1 commit
  12. 28 Nov, 2018 3 commits
    • http: remove cURL · 21142c5a
      We previously used cURL to support HTTP proxies.  Now that we've added
      this support natively, we can remove the curl dependency.
      Edward Thomson committed
    • streams: remove unused tls functions · 2878ad08
      The implementations of git_openssl_stream_new and
      git_mbedtls_stream_new have callers protected by #ifdefs and
      are never called unless compiled in.  There's no need for a
      dummy implementation.  Remove them.
      Edward Thomson committed
    • tls: introduce a wrap function · 43b592ac
      Introduce `git_tls_stream_wrap` which will take an existing `stream`
      with an already connected socket and begin speaking TLS on top of it.
      This is useful if you've built a connection to a proxy server and you
      wish to begin CONNECT over it to tunnel a TLS connection.
      
      Also update the pluggable TLS stream layer so that it can accept a
      registration structure that provides an `init` and `wrap` function,
      instead of a single initialization function.
      Edward Thomson committed
  13. 01 Nov, 2018 2 commits
  14. 06 Jul, 2018 1 commit
    • streams: report OpenSSL errors if global init fails · 75395c87
      In case when the global initialization of the OpenSSL stream fails, the
      user is left without any hint as to what went wrong as we do not provide
      any error message at all. This commit refactors the init function to
      have a common error path, which now also sets an error message including
      the error string provided by OpenSSL.
      Patrick Steinhardt committed
  15. 25 Jun, 2018 1 commit
  16. 30 May, 2018 1 commit
  17. 04 May, 2018 1 commit
    • streams: openssl: fix bogus warning on unused parameter · ba5e39ac
      Our provided callback function `threadid_cb(CRYPTO_THREADID
      *threadid)` sets up a unique thread ID by asking pthread for the
      current thread ID.  Since openssl version 1.1,
      `CRYPTO_THREADID_set_numeric` is simply a no-op macro, leaving
      the `threadid` argument unused after the preprocessor has
      processed the macro. GCC does not account for that situation and
      will thus complain about `threadid` being unused.
      
      Silence this warning by using `GIT_UNUSED(threadid)`.
      Patrick Steinhardt committed
  18. 30 Apr, 2018 1 commit
  19. 03 Apr, 2018 3 commits
    • streams: openssl: provide `OPENSSL_init_ssl` for legacy API · dd9de88a
      In order to further avoid using ifdef's in our code flow, provide the
      function `OPENSSL_init_ssl` in case we are using the legacy OpenSSL API.
      Patrick Steinhardt committed
    • streams: openssl: unify version checks into single define · ede63b99
      By now, we have several locations where we are checking the version of
      OpenSSL to determine whether we can use the new "modern" API or need to
      use the pre-1.1 legacy API. As we have multiple implementations of
      OpenSSL with the rather recent libressl implementation, these checks
      need to honor versions of both implementations, which is rather tedious.
      Instead, we can just check once for the correct versions and define
      `OPENSSL_LEGACY_API` in case we cannot use the modern API.
      Patrick Steinhardt committed
    • streams: openssl: move OpenSSL compat layer into implementation · 2505cbfc
      OpenSSL version 1.1 has broken its API in quite a few ways. To avoid
      having to use ifdef's everywhere, we have implemented the BIO functions
      added in version 1.1 ourselves in case we are using the legacy API. We
      were implementing them in the header file, though, which doesn't make a
      lot of sense, since these functions are only ever being used the the
      openssl stream implementation.
      
      Move these functions to the implementation file and mark them static.
      Patrick Steinhardt committed
  20. 02 Apr, 2018 1 commit
  21. 16 Feb, 2018 1 commit
    • streams: openssl: fix use of uninitialized variable · 84f03b3a
      When verifying the server certificate, we do try to make sure that the
      hostname actually matches the certificate alternative names. In cases
      where the host is either an IPv4 or IPv6 address, we have to compare the
      binary representations of the hostname with the declared IP address of
      the certificate. We only do that comparison in case we were successfully
      able to parse the hostname as an IP, which would always result in the
      memory region being initialized. Still, GCC 6.4.0 was complaining about
      usage of non-initialized memory.
      
      Fix the issue by simply asserting that `addr` needs to be initialized.
      This shuts up the GCC warning.
      Patrick Steinhardt committed
  22. 03 Jan, 2018 1 commit
    • streams: openssl: fix thread-safety for OpenSSL error messages · ba56f781
      The function `ERR_error_string` can be invoked without providing a
      buffer, in which case OpenSSL will simply return a string printed into a
      static buffer. Obviously and as documented in ERR_error_string(3), this
      is not thread-safe at all. As libgit2 is a library, though, it is easily
      possible that other threads may be using OpenSSL at the same time, which
      might lead to clobbered error strings.
      
      Fix the issue by instead using a stack-allocated buffer. According to
      the documentation, the caller has to provide a buffer of at least 256
      bytes of size. While we do so, make sure that the buffer will never get
      overflown by switching to `ERR_error_string_n` to specify the buffer's
      size.
      Patrick Steinhardt committed
  23. 15 Dec, 2017 2 commits
  24. 30 Nov, 2017 1 commit
    • openssl: fix thread-safety on non-glibc POSIX systems · 2d2e70f8
      While the OpenSSL library provides all means to work safely in a
      multi-threaded application, we fail to do so correctly. Quoting from
      crypto_lock(3):
      
          OpenSSL can safely be used in multi-threaded applications provided
          that at least two callback functions are set, locking_function and
          threadid_func.
      
      We do in fact provide the means to set up the locking function via
      `git_openssl_set_locking()`, where we initialize a set of locks by using
      the POSIX threads API and set the correct callback function to lock and
      unlock them.
      
      But what we do not do is setting the `threadid_func` callback. This
      function is being used to correctly locate thread-local data of the
      OpenSSL library and should thus return per-thread identifiers. Digging
      deeper into OpenSSL's documentation, the library does provide a fallback
      in case that locking function is not provided by the user. On Windows
      and BeOS we should be safe, as it simply "uses the system's default
      thread identifying API". On other platforms though OpenSSL will fall
      back to using the address of `errno`, assuming it is thread-local.
      
      While this assumption holds true for glibc-based systems, POSIX in fact
      does not specify whether it is thread-local or not. Quoting from
      errno(3p):
      
          It is unspecified whether errno is a macro or an identifier declared
          with external linkage.
      
      And in fact, with musl there is at least one libc implementation which
      simply declares `errno` as a simple `int` without being thread-local. On
      those systems, the fallback threadid function of OpenSSL will not be
      thread-safe.
      
      Fix this by setting up our own callback for this setting. As users of
      libgit2 may want to set it themselves, we obviously cannot always set
      that function on initialization. But as we already set up primitives for
      threading in `git_openssl_set_locking()`, this function becomes the
      obvious choice where to implement the additional setup.
      Patrick Steinhardt committed
  25. 23 Oct, 2017 2 commits
  26. 03 Jul, 2017 1 commit
    • Make sure to always include "common.h" first · 0c7f49dd
      Next to including several files, our "common.h" header also declares
      various macros which are then used throughout the project. As such, we
      have to make sure to always include this file first in all
      implementation files. Otherwise, we might encounter problems or even
      silent behavioural differences due to macros or defines not being
      defined as they should be. So in fact, our header and implementation
      files should make sure to always include "common.h" first.
      
      This commit does so by establishing a common include pattern. Header
      files inside of "src" will now always include "common.h" as its first
      other file, separated by a newline from all the other includes to make
      it stand out as special. There are two cases for the implementation
      files. If they do have a matching header file, they will always include
      this one first, leading to "common.h" being transitively included as
      first file. If they do not have a matching header file, they instead
      include "common.h" as first file themselves.
      
      This fixes the outlined problems and will become our standard practice
      for header and source files inside of the "src/" from now on.
      Patrick Steinhardt committed
  27. 07 Jun, 2017 1 commit
    • openssl_stream: fix building with libressl · f28744a5
      OpenSSL v1.1 has introduced a new way of initializing the library
      without having to call various functions of different subsystems. In
      libgit2, we have been adapting to that change with 88520151
      (openssl_stream: use new initialization function on OpenSSL version
      >=1.1, 2017-04-07), where we added an #ifdef depending on the OpenSSL
      version. This change broke building with libressl, though, which has not
      changed its API in the same way.
      
      Fix the issue by expanding the #ifdef condition to use the old way of
      initializing with libressl.
      
      Signed-off-by: Marc-Antoine Perennou <Marc-Antoine@Perennou.com>
      Marc-Antoine Perennou committed
  28. 10 Apr, 2017 1 commit
    • openssl_stream: use new initialization function on OpenSSL version >=1.1 · 88520151
      Previous to OpenSSL version 1.1, the user had to initialize at least the error
      strings as well as the SSL algorithms by himself. OpenSSL version 1.1 instead
      provides a new function `OPENSSL_init_ssl`, which handles initialization of all
      subsystems. As the new API call will by default load error strings and
      initialize the SSL algorithms, we can safely replace these calls when compiling
      against version 1.1 or later.
      
      This fixes a compiler error when compiling against OpenSSL version 1.1 which has
      been built without stubs for deprecated syntax.
      Patrick Steinhardt committed