Blame src/openssl_stream.c

Packit Service 20376f
/*
Packit Service 20376f
 * Copyright (C) the libgit2 contributors. All rights reserved.
Packit Service 20376f
 *
Packit Service 20376f
 * This file is part of libgit2, distributed under the GNU GPL v2 with
Packit Service 20376f
 * a Linking Exception. For full terms see the included COPYING file.
Packit Service 20376f
 */
Packit Service 20376f
Packit Service 20376f
#ifdef GIT_OPENSSL
Packit Service 20376f
Packit Service 20376f
#include <ctype.h>
Packit Service 20376f
Packit Service 20376f
#include "global.h"
Packit Service 20376f
#include "posix.h"
Packit Service 20376f
#include "stream.h"
Packit Service 20376f
#include "socket_stream.h"
Packit Service 20376f
#include "openssl_stream.h"
Packit Service 20376f
#include "netops.h"
Packit Service 20376f
#include "git2/transport.h"
Packit Service 20376f
#include "git2/sys/openssl.h"
Packit Service 20376f
Packit Service 20376f
#ifdef GIT_CURL
Packit Service 20376f
# include "curl_stream.h"
Packit Service 20376f
#endif
Packit Service 20376f
Packit Service 20376f
#ifndef GIT_WIN32
Packit Service 20376f
# include <sys/types.h>
Packit Service 20376f
# include <sys/socket.h>
Packit Service 20376f
# include <netinet/in.h>
Packit Service 20376f
#endif
Packit Service 20376f
Packit Service 20376f
#include <openssl/ssl.h>
Packit Service 20376f
#include <openssl/err.h>
Packit Service 20376f
#include <openssl/x509v3.h>
Packit Service 20376f
#include <openssl/bio.h>
Packit Service 20376f
Packit Service 20376f
SSL_CTX *git__ssl_ctx;
Packit Service 20376f
Packit Service 20376f
#define GIT_SSL_DEFAULT_CIPHERS "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA"
Packit Service 20376f
Packit Service 20376f
#if defined(GIT_THREADS) && OPENSSL_VERSION_NUMBER < 0x10100000L
Packit Service 20376f
Packit Service 20376f
static git_mutex *openssl_locks;
Packit Service 20376f
Packit Service 20376f
static void openssl_locking_function(
Packit Service 20376f
	int mode, int n, const char *file, int line)
Packit Service 20376f
{
Packit Service 20376f
	int lock;
Packit Service 20376f
Packit Service 20376f
	GIT_UNUSED(file);
Packit Service 20376f
	GIT_UNUSED(line);
Packit Service 20376f
Packit Service 20376f
	lock = mode & CRYPTO_LOCK;
Packit Service 20376f
Packit Service 20376f
	if (lock) {
Packit Service 20376f
		git_mutex_lock(&openssl_locks[n]);
Packit Service 20376f
	} else {
Packit Service 20376f
		git_mutex_unlock(&openssl_locks[n]);
Packit Service 20376f
	}
Packit Service 20376f
}
Packit Service 20376f
Packit Service 20376f
static void shutdown_ssl_locking(void)
Packit Service 20376f
{
Packit Service 20376f
	int num_locks, i;
Packit Service 20376f
Packit Service 20376f
	num_locks = CRYPTO_num_locks();
Packit Service 20376f
	CRYPTO_set_locking_callback(NULL);
Packit Service 20376f
Packit Service 20376f
	for (i = 0; i < num_locks; ++i)
Packit Service 20376f
		git_mutex_free(&openssl_locks[i]);
Packit Service 20376f
	git__free(openssl_locks);
Packit Service 20376f
}
Packit Service 20376f
Packit Service 20376f
#endif /* GIT_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L */
Packit Service 20376f
Packit Service 20376f
static BIO_METHOD *git_stream_bio_method;
Packit Service 20376f
static int init_bio_method(void);
Packit Service 20376f
Packit Service 20376f
/**
Packit Service 20376f
 * This function aims to clean-up the SSL context which
Packit Service 20376f
 * we allocated.
Packit Service 20376f
 */
Packit Service 20376f
static void shutdown_ssl(void)
Packit Service 20376f
{
Packit Service 20376f
	if (git_stream_bio_method) {
Packit Service 20376f
		BIO_meth_free(git_stream_bio_method);
Packit Service 20376f
		git_stream_bio_method = NULL;
Packit Service 20376f
	}
Packit Service 20376f
Packit Service 20376f
	if (git__ssl_ctx) {
Packit Service 20376f
		SSL_CTX_free(git__ssl_ctx);
Packit Service 20376f
		git__ssl_ctx = NULL;
Packit Service 20376f
	}
Packit Service 20376f
}
Packit Service 20376f
Packit Service 20376f
int git_openssl_stream_global_init(void)
Packit Service 20376f
{
Packit Service 20376f
#ifdef GIT_OPENSSL
Packit Service 20376f
	long ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
Packit Service 20376f
	const char *ciphers = git_libgit2__ssl_ciphers();
Packit Service 20376f
Packit Service 20376f
	/* Older OpenSSL and MacOS OpenSSL doesn't have this */
Packit Service 20376f
#ifdef SSL_OP_NO_COMPRESSION
Packit Service 20376f
	ssl_opts |= SSL_OP_NO_COMPRESSION;
Packit Service 20376f
#endif
Packit Service 20376f
Packit Service 20376f
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
Packit Service 20376f
	SSL_load_error_strings();
Packit Service 20376f
	OpenSSL_add_ssl_algorithms();
Packit Service 20376f
#else
Packit Service 20376f
	OPENSSL_init_ssl(0, NULL);
Packit Service 20376f
#endif
Packit Service 20376f
Packit Service 20376f
	/*
Packit Service 20376f
	 * Load SSLv{2,3} and TLSv1 so that we can talk with servers
Packit Service 20376f
	 * which use the SSL hellos, which are often used for
Packit Service 20376f
	 * compatibility. We then disable SSL so we only allow OpenSSL
Packit Service 20376f
	 * to speak TLSv1 to perform the encryption itself.
Packit Service 20376f
	 */
Packit Service 20376f
	git__ssl_ctx = SSL_CTX_new(SSLv23_method());
Packit Service 20376f
	SSL_CTX_set_options(git__ssl_ctx, ssl_opts);
Packit Service 20376f
	SSL_CTX_set_mode(git__ssl_ctx, SSL_MODE_AUTO_RETRY);
Packit Service 20376f
	SSL_CTX_set_verify(git__ssl_ctx, SSL_VERIFY_NONE, NULL);
Packit Service 20376f
	if (!SSL_CTX_set_default_verify_paths(git__ssl_ctx)) {
Packit Service 20376f
		SSL_CTX_free(git__ssl_ctx);
Packit Service 20376f
		git__ssl_ctx = NULL;
Packit Service 20376f
		return -1;
Packit Service 20376f
	}
Packit Service 20376f
Packit Service 20376f
	if (!ciphers) {
Packit Service 20376f
		ciphers = GIT_SSL_DEFAULT_CIPHERS;
Packit Service 20376f
	}
Packit Service 20376f
Packit Service 20376f
	if(!SSL_CTX_set_cipher_list(git__ssl_ctx, ciphers)) {
Packit Service 20376f
		SSL_CTX_free(git__ssl_ctx);
Packit Service 20376f
		git__ssl_ctx = NULL;
Packit Service 20376f
		return -1;
Packit Service 20376f
	}
Packit Service 20376f
Packit Service 20376f
	if (init_bio_method() < 0) {
Packit Service 20376f
		SSL_CTX_free(git__ssl_ctx);
Packit Service 20376f
		git__ssl_ctx = NULL;
Packit Service 20376f
		return -1;
Packit Service 20376f
	}
Packit Service 20376f
Packit Service 20376f
#endif
Packit Service 20376f
Packit Service 20376f
	git__on_shutdown(shutdown_ssl);
Packit Service 20376f
Packit Service 20376f
	return 0;
Packit Service 20376f
}
Packit Service 20376f
Packit Service 20376f
#if defined(GIT_THREADS)
Packit Service 20376f
static void threadid_cb(CRYPTO_THREADID *threadid)
Packit Service 20376f
{
Packit Service 20376f
    CRYPTO_THREADID_set_numeric(threadid, git_thread_currentid());
Packit Service 20376f
}
Packit Service 20376f
#endif
Packit Service 20376f
Packit Service 20376f
int git_openssl_set_locking(void)
Packit Service 20376f
{
Packit Service 20376f
#if defined(GIT_THREADS) && OPENSSL_VERSION_NUMBER < 0x10100000L
Packit Service 20376f
	int num_locks, i;
Packit Service 20376f
Packit Service 20376f
	CRYPTO_THREADID_set_callback(threadid_cb);
Packit Service 20376f
Packit Service 20376f
	num_locks = CRYPTO_num_locks();
Packit Service 20376f
	openssl_locks = git__calloc(num_locks, sizeof(git_mutex));
Packit Service 20376f
	GITERR_CHECK_ALLOC(openssl_locks);
Packit Service 20376f
Packit Service 20376f
	for (i = 0; i < num_locks; i++) {
Packit Service 20376f
		if (git_mutex_init(&openssl_locks[i]) != 0) {
Packit Service 20376f
			giterr_set(GITERR_SSL, "failed to initialize openssl locks");
Packit Service 20376f
			return -1;
Packit Service 20376f
		}
Packit Service 20376f
	}
Packit Service 20376f
Packit Service 20376f
	CRYPTO_set_locking_callback(openssl_locking_function);
Packit Service 20376f
	git__on_shutdown(shutdown_ssl_locking);
Packit Service 20376f
	return 0;
Packit Service 20376f
#elif OPENSSL_VERSION_NUMBER >= 0x10100000L
Packit Service 20376f
	return 0;
Packit Service 20376f
#else
Packit Service 20376f
	giterr_set(GITERR_THREAD, "libgit2 was not built with threads");
Packit Service 20376f
	return -1;
Packit Service 20376f
#endif
Packit Service 20376f
}
Packit Service 20376f
Packit Service 20376f
Packit Service 20376f
static int bio_create(BIO *b)
Packit Service 20376f
{
Packit Service 20376f
	BIO_set_init(b, 1);
Packit Service 20376f
	BIO_set_data(b, NULL);
Packit Service 20376f
Packit Service 20376f
	return 1;
Packit Service 20376f
}
Packit Service 20376f
Packit Service 20376f
static int bio_destroy(BIO *b)
Packit Service 20376f
{
Packit Service 20376f
	if (!b)
Packit Service 20376f
		return 0;
Packit Service 20376f
Packit Service 20376f
	BIO_set_data(b, NULL);
Packit Service 20376f
Packit Service 20376f
	return 1;
Packit Service 20376f
}
Packit Service 20376f
Packit Service 20376f
static int bio_read(BIO *b, char *buf, int len)
Packit Service 20376f
{
Packit Service 20376f
	git_stream *io = (git_stream *) BIO_get_data(b);
Packit Service 20376f
Packit Service 20376f
	return (int) git_stream_read(io, buf, len);
Packit Service 20376f
}
Packit Service 20376f
Packit Service 20376f
static int bio_write(BIO *b, const char *buf, int len)
Packit Service 20376f
{
Packit Service 20376f
	git_stream *io = (git_stream *) BIO_get_data(b);
Packit Service 20376f
Packit Service 20376f
	return (int) git_stream_write(io, buf, len, 0);
Packit Service 20376f
}
Packit Service 20376f
Packit Service 20376f
static long bio_ctrl(BIO *b, int cmd, long num, void *ptr)
Packit Service 20376f
{
Packit Service 20376f
	GIT_UNUSED(b);
Packit Service 20376f
	GIT_UNUSED(num);
Packit Service 20376f
	GIT_UNUSED(ptr);
Packit Service 20376f
Packit Service 20376f
	if (cmd == BIO_CTRL_FLUSH)
Packit Service 20376f
		return 1;
Packit Service 20376f
Packit Service 20376f
	return 0;
Packit Service 20376f
}
Packit Service 20376f
Packit Service 20376f
static int bio_gets(BIO *b, char *buf, int len)
Packit Service 20376f
{
Packit Service 20376f
	GIT_UNUSED(b);
Packit Service 20376f
	GIT_UNUSED(buf);
Packit Service 20376f
	GIT_UNUSED(len);
Packit Service 20376f
	return -1;
Packit Service 20376f
}
Packit Service 20376f
Packit Service 20376f
static int bio_puts(BIO *b, const char *str)
Packit Service 20376f
{
Packit Service 20376f
	return bio_write(b, str, strlen(str));
Packit Service 20376f
}
Packit Service 20376f
Packit Service 20376f
static int init_bio_method(void)
Packit Service 20376f
{
Packit Service 20376f
	/* Set up the BIO_METHOD we use for wrapping our own stream implementations */
Packit Service 20376f
	git_stream_bio_method = BIO_meth_new(BIO_TYPE_SOURCE_SINK | BIO_get_new_index(), "git_stream");
Packit Service 20376f
	GITERR_CHECK_ALLOC(git_stream_bio_method);
Packit Service 20376f
Packit Service 20376f
	BIO_meth_set_write(git_stream_bio_method, bio_write);
Packit Service 20376f
	BIO_meth_set_read(git_stream_bio_method, bio_read);
Packit Service 20376f
	BIO_meth_set_puts(git_stream_bio_method, bio_puts);
Packit Service 20376f
	BIO_meth_set_gets(git_stream_bio_method, bio_gets);
Packit Service 20376f
	BIO_meth_set_ctrl(git_stream_bio_method, bio_ctrl);
Packit Service 20376f
	BIO_meth_set_create(git_stream_bio_method, bio_create);
Packit Service 20376f
	BIO_meth_set_destroy(git_stream_bio_method, bio_destroy);
Packit Service 20376f
Packit Service 20376f
	return 0;
Packit Service 20376f
}
Packit Service 20376f
Packit Service 20376f
static int ssl_set_error(SSL *ssl, int error)
Packit Service 20376f
{
Packit Service 20376f
	int err;
Packit Service 20376f
	unsigned long e;
Packit Service 20376f
Packit Service 20376f
	err = SSL_get_error(ssl, error);
Packit Service 20376f
Packit Service 20376f
	assert(err != SSL_ERROR_WANT_READ);
Packit Service 20376f
	assert(err != SSL_ERROR_WANT_WRITE);
Packit Service 20376f
Packit Service 20376f
	switch (err) {
Packit Service 20376f
	case SSL_ERROR_WANT_CONNECT:
Packit Service 20376f
	case SSL_ERROR_WANT_ACCEPT:
Packit Service 20376f
		giterr_set(GITERR_NET, "SSL error: connection failure");
Packit Service 20376f
		break;
Packit Service 20376f
	case SSL_ERROR_WANT_X509_LOOKUP:
Packit Service 20376f
		giterr_set(GITERR_NET, "SSL error: x509 error");
Packit Service 20376f
		break;
Packit Service 20376f
	case SSL_ERROR_SYSCALL:
Packit Service 20376f
		e = ERR_get_error();
Packit Service 20376f
		if (e > 0) {
Packit Service 20376f
			char errmsg[256];
Packit Service 20376f
			ERR_error_string_n(e, errmsg, sizeof(errmsg));
Packit Service 20376f
			giterr_set(GITERR_NET, "SSL error: %s", errmsg);
Packit Service 20376f
			break;
Packit Service 20376f
		} else if (error < 0) {
Packit Service 20376f
			giterr_set(GITERR_OS, "SSL error: syscall failure");
Packit Service 20376f
			break;
Packit Service 20376f
		}
Packit Service 20376f
		giterr_set(GITERR_NET, "SSL error: received early EOF");
Packit Service 20376f
		return GIT_EEOF;
Packit Service 20376f
		break;
Packit Service 20376f
	case SSL_ERROR_SSL:
Packit Service 20376f
	{
Packit Service 20376f
		char errmsg[256];
Packit Service 20376f
		e = ERR_get_error();
Packit Service 20376f
		ERR_error_string_n(e, errmsg, sizeof(errmsg));
Packit Service 20376f
		giterr_set(GITERR_NET, "SSL error: %s", errmsg);
Packit Service 20376f
		break;
Packit Service 20376f
	}
Packit Service 20376f
	case SSL_ERROR_NONE:
Packit Service 20376f
	case SSL_ERROR_ZERO_RETURN:
Packit Service 20376f
	default:
Packit Service 20376f
		giterr_set(GITERR_NET, "SSL error: unknown error");
Packit Service 20376f
		break;
Packit Service 20376f
	}
Packit Service 20376f
	return -1;
Packit Service 20376f
}
Packit Service 20376f
Packit Service 20376f
static int ssl_teardown(SSL *ssl)
Packit Service 20376f
{
Packit Service 20376f
	int ret;
Packit Service 20376f
Packit Service 20376f
	ret = SSL_shutdown(ssl);
Packit Service 20376f
	if (ret < 0)
Packit Service 20376f
		ret = ssl_set_error(ssl, ret);
Packit Service 20376f
	else
Packit Service 20376f
		ret = 0;
Packit Service 20376f
Packit Service 20376f
	return ret;
Packit Service 20376f
}
Packit Service 20376f
Packit Service 20376f
static int check_host_name(const char *name, const char *host)
Packit Service 20376f
{
Packit Service 20376f
	if (!strcasecmp(name, host))
Packit Service 20376f
		return 0;
Packit Service 20376f
Packit Service 20376f
	if (gitno__match_host(name, host) < 0)
Packit Service 20376f
		return -1;
Packit Service 20376f
Packit Service 20376f
	return 0;
Packit Service 20376f
}
Packit Service 20376f
Packit Service 20376f
static int verify_server_cert(SSL *ssl, const char *host)
Packit Service 20376f
{
Packit Service 20376f
	X509 *cert;
Packit Service 20376f
	X509_NAME *peer_name;
Packit Service 20376f
	ASN1_STRING *str;
Packit Service 20376f
	unsigned char *peer_cn = NULL;
Packit Service 20376f
	int matched = -1, type = GEN_DNS;
Packit Service 20376f
	GENERAL_NAMES *alts;
Packit Service 20376f
	struct in6_addr addr6;
Packit Service 20376f
	struct in_addr addr4;
Packit Service 20376f
	void *addr;
Packit Service 20376f
	int i = -1,j;
Packit Service 20376f
Packit Service 20376f
	if (SSL_get_verify_result(ssl) != X509_V_OK) {
Packit Service 20376f
		giterr_set(GITERR_SSL, "the SSL certificate is invalid");
Packit Service 20376f
		return GIT_ECERTIFICATE;
Packit Service 20376f
	}
Packit Service 20376f
Packit Service 20376f
	/* Try to parse the host as an IP address to see if it is */
Packit Service 20376f
	if (p_inet_pton(AF_INET, host, &addr4)) {
Packit Service 20376f
		type = GEN_IPADD;
Packit Service 20376f
		addr = &addr4;
Packit Service 20376f
	} else {
Packit Service 20376f
		if(p_inet_pton(AF_INET6, host, &addr6)) {
Packit Service 20376f
			type = GEN_IPADD;
Packit Service 20376f
			addr = &addr6;
Packit Service 20376f
		}
Packit Service 20376f
	}
Packit Service 20376f
Packit Service 20376f
Packit Service 20376f
	cert = SSL_get_peer_certificate(ssl);
Packit Service 20376f
	if (!cert) {
Packit Service 20376f
		giterr_set(GITERR_SSL, "the server did not provide a certificate");
Packit Service 20376f
		return -1;
Packit Service 20376f
	}
Packit Service 20376f
Packit Service 20376f
	/* Check the alternative names */
Packit Service 20376f
	alts = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
Packit Service 20376f
	if (alts) {
Packit Service 20376f
		int num;
Packit Service 20376f
Packit Service 20376f
		num = sk_GENERAL_NAME_num(alts);
Packit Service 20376f
		for (i = 0; i < num && matched != 1; i++) {
Packit Service 20376f
			const GENERAL_NAME *gn = sk_GENERAL_NAME_value(alts, i);
Packit Service 20376f
			const char *name = (char *) ASN1_STRING_get0_data(gn->d.ia5);
Packit Service 20376f
			size_t namelen = (size_t) ASN1_STRING_length(gn->d.ia5);
Packit Service 20376f
Packit Service 20376f
			/* Skip any names of a type we're not looking for */
Packit Service 20376f
			if (gn->type != type)
Packit Service 20376f
				continue;
Packit Service 20376f
Packit Service 20376f
			if (type == GEN_DNS) {
Packit Service 20376f
				/* If it contains embedded NULs, don't even try */
Packit Service 20376f
				if (memchr(name, '\0', namelen))
Packit Service 20376f
					continue;
Packit Service 20376f
Packit Service 20376f
				if (check_host_name(name, host) < 0)
Packit Service 20376f
					matched = 0;
Packit Service 20376f
				else
Packit Service 20376f
					matched = 1;
Packit Service 20376f
			} else if (type == GEN_IPADD) {
Packit Service 20376f
				/* Here name isn't so much a name but a binary representation of the IP */
Packit Service 20376f
				matched = !!memcmp(name, addr, namelen);
Packit Service 20376f
			}
Packit Service 20376f
		}
Packit Service 20376f
	}
Packit Service 20376f
	GENERAL_NAMES_free(alts);
Packit Service 20376f
Packit Service 20376f
	if (matched == 0)
Packit Service 20376f
		goto cert_fail_name;
Packit Service 20376f
Packit Service 20376f
	if (matched == 1)
Packit Service 20376f
		return 0;
Packit Service 20376f
Packit Service 20376f
	/* If no alternative names are available, check the common name */
Packit Service 20376f
	peer_name = X509_get_subject_name(cert);
Packit Service 20376f
	if (peer_name == NULL)
Packit Service 20376f
		goto on_error;
Packit Service 20376f
Packit Service 20376f
	if (peer_name) {
Packit Service 20376f
		/* Get the index of the last CN entry */
Packit Service 20376f
		while ((j = X509_NAME_get_index_by_NID(peer_name, NID_commonName, i)) >= 0)
Packit Service 20376f
			i = j;
Packit Service 20376f
	}
Packit Service 20376f
Packit Service 20376f
	if (i < 0)
Packit Service 20376f
		goto on_error;
Packit Service 20376f
Packit Service 20376f
	str = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(peer_name, i));
Packit Service 20376f
	if (str == NULL)
Packit Service 20376f
		goto on_error;
Packit Service 20376f
Packit Service 20376f
	/* Work around a bug in OpenSSL whereby ASN1_STRING_to_UTF8 fails if it's already in utf-8 */
Packit Service 20376f
	if (ASN1_STRING_type(str) == V_ASN1_UTF8STRING) {
Packit Service 20376f
		int size = ASN1_STRING_length(str);
Packit Service 20376f
Packit Service 20376f
		if (size > 0) {
Packit Service 20376f
			peer_cn = OPENSSL_malloc(size + 1);
Packit Service 20376f
			GITERR_CHECK_ALLOC(peer_cn);
Packit Service 20376f
			memcpy(peer_cn, ASN1_STRING_get0_data(str), size);
Packit Service 20376f
			peer_cn[size] = '\0';
Packit Service 20376f
		} else {
Packit Service 20376f
			goto cert_fail_name;
Packit Service 20376f
		}
Packit Service 20376f
	} else {
Packit Service 20376f
		int size = ASN1_STRING_to_UTF8(&peer_cn, str);
Packit Service 20376f
		GITERR_CHECK_ALLOC(peer_cn);
Packit Service 20376f
		if (memchr(peer_cn, '\0', size))
Packit Service 20376f
			goto cert_fail_name;
Packit Service 20376f
	}
Packit Service 20376f
Packit Service 20376f
	if (check_host_name((char *)peer_cn, host) < 0)
Packit Service 20376f
		goto cert_fail_name;
Packit Service 20376f
Packit Service 20376f
	OPENSSL_free(peer_cn);
Packit Service 20376f
Packit Service 20376f
	return 0;
Packit Service 20376f
Packit Service 20376f
on_error:
Packit Service 20376f
	OPENSSL_free(peer_cn);
Packit Service 20376f
	return ssl_set_error(ssl, 0);
Packit Service 20376f
Packit Service 20376f
cert_fail_name:
Packit Service 20376f
	OPENSSL_free(peer_cn);
Packit Service 20376f
	giterr_set(GITERR_SSL, "hostname does not match certificate");
Packit Service 20376f
	return GIT_ECERTIFICATE;
Packit Service 20376f
}
Packit Service 20376f
Packit Service 20376f
typedef struct {
Packit Service 20376f
	git_stream parent;
Packit Service 20376f
	git_stream *io;
Packit Service 20376f
	bool connected;
Packit Service 20376f
	char *host;
Packit Service 20376f
	SSL *ssl;
Packit Service 20376f
	git_cert_x509 cert_info;
Packit Service 20376f
} openssl_stream;
Packit Service 20376f
Packit Service 20376f
int openssl_close(git_stream *stream);
Packit Service 20376f
Packit Service 20376f
int openssl_connect(git_stream *stream)
Packit Service 20376f
{
Packit Service 20376f
	int ret;
Packit Service 20376f
	BIO *bio;
Packit Service 20376f
	openssl_stream *st = (openssl_stream *) stream;
Packit Service 20376f
Packit Service 20376f
	if ((ret = git_stream_connect(st->io)) < 0)
Packit Service 20376f
		return ret;
Packit Service 20376f
Packit Service 20376f
	st->connected = true;
Packit Service 20376f
Packit Service 20376f
	bio = BIO_new(git_stream_bio_method);
Packit Service 20376f
	GITERR_CHECK_ALLOC(bio);
Packit Service 20376f
Packit Service 20376f
	BIO_set_data(bio, st->io);
Packit Service 20376f
	SSL_set_bio(st->ssl, bio, bio);
Packit Service 20376f
Packit Service 20376f
	/* specify the host in case SNI is needed */
Packit Service 20376f
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
Packit Service 20376f
	SSL_set_tlsext_host_name(st->ssl, st->host);
Packit Service 20376f
#endif
Packit Service 20376f
Packit Service 20376f
	if ((ret = SSL_connect(st->ssl)) <= 0)
Packit Service 20376f
		return ssl_set_error(st->ssl, ret);
Packit Service 20376f
Packit Service 20376f
	return verify_server_cert(st->ssl, st->host);
Packit Service 20376f
}
Packit Service 20376f
Packit Service 20376f
int openssl_certificate(git_cert **out, git_stream *stream)
Packit Service 20376f
{
Packit Service 20376f
	openssl_stream *st = (openssl_stream *) stream;
Packit Service 20376f
	int len;
Packit Service 20376f
	X509 *cert = SSL_get_peer_certificate(st->ssl);
Packit Service 20376f
	unsigned char *guard, *encoded_cert;
Packit Service 20376f
Packit Service 20376f
	/* Retrieve the length of the certificate first */
Packit Service 20376f
	len = i2d_X509(cert, NULL);
Packit Service 20376f
	if (len < 0) {
Packit Service 20376f
		giterr_set(GITERR_NET, "failed to retrieve certificate information");
Packit Service 20376f
		return -1;
Packit Service 20376f
	}
Packit Service 20376f
Packit Service 20376f
	encoded_cert = git__malloc(len);
Packit Service 20376f
	GITERR_CHECK_ALLOC(encoded_cert);
Packit Service 20376f
	/* i2d_X509 makes 'guard' point to just after the data */
Packit Service 20376f
	guard = encoded_cert;
Packit Service 20376f
Packit Service 20376f
	len = i2d_X509(cert, &guard);
Packit Service 20376f
	if (len < 0) {
Packit Service 20376f
		git__free(encoded_cert);
Packit Service 20376f
		giterr_set(GITERR_NET, "failed to retrieve certificate information");
Packit Service 20376f
		return -1;
Packit Service 20376f
	}
Packit Service 20376f
Packit Service 20376f
	st->cert_info.parent.cert_type = GIT_CERT_X509;
Packit Service 20376f
	st->cert_info.data = encoded_cert;
Packit Service 20376f
	st->cert_info.len = len;
Packit Service 20376f
Packit Service 20376f
	*out = &st->cert_info.parent;
Packit Service 20376f
Packit Service 20376f
	return 0;
Packit Service 20376f
}
Packit Service 20376f
Packit Service 20376f
static int openssl_set_proxy(git_stream *stream, const git_proxy_options *proxy_opts)
Packit Service 20376f
{
Packit Service 20376f
	openssl_stream *st = (openssl_stream *) stream;
Packit Service 20376f
Packit Service 20376f
	return git_stream_set_proxy(st->io, proxy_opts);
Packit Service 20376f
}
Packit Service 20376f
Packit Service 20376f
ssize_t openssl_write(git_stream *stream, const char *data, size_t len, int flags)
Packit Service 20376f
{
Packit Service 20376f
	openssl_stream *st = (openssl_stream *) stream;
Packit Service 20376f
	int ret;
Packit Service 20376f
Packit Service 20376f
	GIT_UNUSED(flags);
Packit Service 20376f
Packit Service 20376f
	if ((ret = SSL_write(st->ssl, data, len)) <= 0) {
Packit Service 20376f
		return ssl_set_error(st->ssl, ret);
Packit Service 20376f
	}
Packit Service 20376f
Packit Service 20376f
	return ret;
Packit Service 20376f
}
Packit Service 20376f
Packit Service 20376f
ssize_t openssl_read(git_stream *stream, void *data, size_t len)
Packit Service 20376f
{
Packit Service 20376f
	openssl_stream *st = (openssl_stream *) stream;
Packit Service 20376f
	int ret;
Packit Service 20376f
Packit Service 20376f
	if ((ret = SSL_read(st->ssl, data, len)) <= 0)
Packit Service 20376f
		return ssl_set_error(st->ssl, ret);
Packit Service 20376f
Packit Service 20376f
	return ret;
Packit Service 20376f
}
Packit Service 20376f
Packit Service 20376f
int openssl_close(git_stream *stream)
Packit Service 20376f
{
Packit Service 20376f
	openssl_stream *st = (openssl_stream *) stream;
Packit Service 20376f
	int ret;
Packit Service 20376f
Packit Service 20376f
	if (st->connected && (ret = ssl_teardown(st->ssl)) < 0)
Packit Service 20376f
		return -1;
Packit Service 20376f
Packit Service 20376f
	st->connected = false;
Packit Service 20376f
Packit Service 20376f
	return git_stream_close(st->io);
Packit Service 20376f
}
Packit Service 20376f
Packit Service 20376f
void openssl_free(git_stream *stream)
Packit Service 20376f
{
Packit Service 20376f
	openssl_stream *st = (openssl_stream *) stream;
Packit Service 20376f
Packit Service 20376f
	SSL_free(st->ssl);
Packit Service 20376f
	git__free(st->host);
Packit Service 20376f
	git__free(st->cert_info.data);
Packit Service 20376f
	git_stream_free(st->io);
Packit Service 20376f
	git__free(st);
Packit Service 20376f
}
Packit Service 20376f
Packit Service 20376f
int git_openssl_stream_new(git_stream **out, const char *host, const char *port)
Packit Service 20376f
{
Packit Service 20376f
	int error;
Packit Service 20376f
	openssl_stream *st;
Packit Service 20376f
Packit Service 20376f
	st = git__calloc(1, sizeof(openssl_stream));
Packit Service 20376f
	GITERR_CHECK_ALLOC(st);
Packit Service 20376f
Packit Service 20376f
	st->io = NULL;
Packit Service 20376f
#ifdef GIT_CURL
Packit Service 20376f
	error = git_curl_stream_new(&st->io, host, port);
Packit Service 20376f
#else
Packit Service 20376f
	error = git_socket_stream_new(&st->io, host, port);
Packit Service 20376f
#endif
Packit Service 20376f
Packit Service 20376f
	if (error < 0)
Packit Service 20376f
		goto out_err;
Packit Service 20376f
Packit Service 20376f
	st->ssl = SSL_new(git__ssl_ctx);
Packit Service 20376f
	if (st->ssl == NULL) {
Packit Service 20376f
		giterr_set(GITERR_SSL, "failed to create ssl object");
Packit Service 20376f
		error = -1;
Packit Service 20376f
		goto out_err;
Packit Service 20376f
	}
Packit Service 20376f
Packit Service 20376f
	st->host = git__strdup(host);
Packit Service 20376f
	GITERR_CHECK_ALLOC(st->host);
Packit Service 20376f
Packit Service 20376f
	st->parent.version = GIT_STREAM_VERSION;
Packit Service 20376f
	st->parent.encrypted = 1;
Packit Service 20376f
	st->parent.proxy_support = git_stream_supports_proxy(st->io);
Packit Service 20376f
	st->parent.connect = openssl_connect;
Packit Service 20376f
	st->parent.certificate = openssl_certificate;
Packit Service 20376f
	st->parent.set_proxy = openssl_set_proxy;
Packit Service 20376f
	st->parent.read = openssl_read;
Packit Service 20376f
	st->parent.write = openssl_write;
Packit Service 20376f
	st->parent.close = openssl_close;
Packit Service 20376f
	st->parent.free = openssl_free;
Packit Service 20376f
Packit Service 20376f
	*out = (git_stream *) st;
Packit Service 20376f
	return 0;
Packit Service 20376f
Packit Service 20376f
out_err:
Packit Service 20376f
	git_stream_free(st->io);
Packit Service 20376f
	git__free(st);
Packit Service 20376f
Packit Service 20376f
	return error;
Packit Service 20376f
}
Packit Service 20376f
Packit Service 20376f
#else
Packit Service 20376f
Packit Service 20376f
#include "stream.h"
Packit Service 20376f
#include "git2/sys/openssl.h"
Packit Service 20376f
Packit Service 20376f
int git_openssl_stream_global_init(void)
Packit Service 20376f
{
Packit Service 20376f
	return 0;
Packit Service 20376f
}
Packit Service 20376f
Packit Service 20376f
int git_openssl_set_locking(void)
Packit Service 20376f
{
Packit Service 20376f
	giterr_set(GITERR_SSL, "libgit2 was not built with OpenSSL support");
Packit Service 20376f
	return -1;
Packit Service 20376f
}
Packit Service 20376f
Packit Service 20376f
int git_openssl_stream_new(git_stream **out, const char *host, const char *port)
Packit Service 20376f
{
Packit Service 20376f
	GIT_UNUSED(out);
Packit Service 20376f
	GIT_UNUSED(host);
Packit Service 20376f
	GIT_UNUSED(port);
Packit Service 20376f
Packit Service 20376f
	giterr_set(GITERR_SSL, "openssl is not supported in this version");
Packit Service 20376f
	return -1;
Packit Service 20376f
}
Packit Service 20376f
Packit Service 20376f
#endif