mbedtls: default cipher list support

author: Etienne Samson <samson.etienne@gmail.com> 2018-03-29 22:14:02 +0200
committer: Etienne Samson <samson.etienne@gmail.com> 2018-04-11 21:02:43 +0200
commit: 2419cccd16ae6585e2b58360dc6a53304a3baee8 (patch)
tree: dfcf5413cb4f90334cd2d39a8f93c732b0c733a1 /src/streams
parent: 60e1ad927b7f64ad33681fc162b512e2cf12b5b8 (diff)
download: libgit2-2419cccd16ae6585e2b58360dc6a53304a3baee8.tar.gz
1 files changed, 29 insertions, 0 deletions
diff --git a/src/streams/mbedtls.c b/src/streams/mbedtls.c
index ea0989caa..42ac8aa17 100644
--- a/src/streams/mbedtls.c
+++ b/src/streams/mbedtls.c
@@ -16,6 +16,7 @@
 #include "streams/socket.h"
 #include "netops.h"
 #include "git2/transport.h"
+#include "util.h"
 
 #ifdef GIT_CURL
 # include "streams/curl.h"
@@ -31,6 +32,9 @@
 mbedtls_ssl_config *git__ssl_conf;
 mbedtls_entropy_context *mbedtls_entropy;
 
+#define GIT_SSL_DEFAULT_CIPHERS "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-DSS-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-DSS-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-128-CBC-SHA256:TLS-DHE-DSS-WITH-AES-256-CBC-SHA256:TLS-DHE-DSS-WITH-AES-128-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-128-GCM-SHA256:TLS-RSA-WITH-AES-256-GCM-SHA384:TLS-RSA-WITH-AES-128-CBC-SHA256:TLS-RSA-WITH-AES-256-CBC-SHA256:TLS-RSA-WITH-AES-128-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA"
+#define GIT_SSL_DEFAULT_CIPHERS_COUNT 30
+
 /**
  * This function aims to clean-up the SSL context which
  * we allocated.
@@ -57,6 +61,13 @@ int git_mbedtls_stream_global_init(void)
 {
 	int ret;
 	mbedtls_ctr_drbg_context *ctr_drbg = NULL;
+
+	int *ciphers_list = NULL;
+	int ciphers_known = 0;
+	char *cipher_name = NULL;
+	char *cipher_string = NULL;
+	char *cipher_string_tmp = NULL;
+
 	mbedtls_x509_crt *cacert = NULL;
 
 	git__ssl_conf = git__malloc(sizeof(mbedtls_ssl_config));
@@ -73,6 +84,24 @@ int git_mbedtls_stream_global_init(void)
 	mbedtls_ssl_conf_min_version(git__ssl_conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0);
 	mbedtls_ssl_conf_authmode(git__ssl_conf, MBEDTLS_SSL_VERIFY_REQUIRED);
 
+	/* set the list of allowed ciphersuites */
+	ciphers_list = calloc(GIT_SSL_DEFAULT_CIPHERS_COUNT, sizeof(int));
+	ciphers_known = 0;
+	cipher_string = cipher_string_tmp = git__strdup(GIT_SSL_DEFAULT_CIPHERS);
+	while ((cipher_name = git__strtok(&cipher_string_tmp, ":")) != NULL) {
+		int cipherid = mbedtls_ssl_get_ciphersuite_id(cipher_name);
+		if (cipherid == 0) continue;
+
+		ciphers_list[ciphers_known++] = cipherid;
+	}
+	git__free(cipher_string);
+
+	if (!ciphers_known) {
+		giterr_set(GITERR_SSL, "no cipher could be enabled");
+		goto cleanup;
+	}
+	mbedtls_ssl_conf_ciphersuites(git__ssl_conf, ciphers_list);
+
 	/* Seeding the random number generator */
 	mbedtls_entropy = git__malloc(sizeof(mbedtls_entropy_context));
 	mbedtls_entropy_init(mbedtls_entropy);
author	Etienne Samson <samson.etienne@gmail.com>	2018-03-29 22:14:02 +0200
committer	Etienne Samson <samson.etienne@gmail.com>	2018-04-11 21:02:43 +0200
commit	2419cccd16ae6585e2b58360dc6a53304a3baee8 (patch)
tree	dfcf5413cb4f90334cd2d39a8f93c732b0c733a1 /src/streams
parent	60e1ad927b7f64ad33681fc162b512e2cf12b5b8 (diff)
download	libgit2-2419cccd16ae6585e2b58360dc6a53304a3baee8.tar.gz