diff options
-rw-r--r-- | .travis.yml | 3 | ||||
-rw-r--r-- | appveyor.yml | 6 | ||||
-rw-r--r-- | include/git2/common.h | 9 | ||||
-rwxr-xr-x | script/appveyor-mingw.sh | 4 | ||||
-rw-r--r-- | script/toolchain-mingw32.cmake | 13 | ||||
-rw-r--r-- | src/global.c | 2 | ||||
-rw-r--r-- | src/global.h | 1 | ||||
-rw-r--r-- | src/openssl_stream.c | 13 | ||||
-rw-r--r-- | src/settings.c | 24 | ||||
-rw-r--r-- | tests/online/badssl.c | 8 |
10 files changed, 56 insertions, 27 deletions
diff --git a/.travis.yml b/.travis.yml index 2f3ffe355..bfc0fac48 100644 --- a/.travis.yml +++ b/.travis.yml @@ -37,9 +37,6 @@ matrix: - os: osx compiler: gcc include: - - compiler: i586-mingw32msvc-gcc - env: OPTIONS="-DCMAKE_TOOLCHAIN_FILE=../script/toolchain-mingw32.cmake" SKIP_TESTS=1 - os: linux - compiler: gcc env: COVERITY=1 os: linux diff --git a/appveyor.yml b/appveyor.yml index 24a507ea9..5ba8aaabd 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -13,15 +13,9 @@ environment: - GENERATOR: "Visual Studio 11 Win64" ARCH: 64 - GENERATOR: "MSYS Makefiles" - ARCH: 32 - - GENERATOR: "MSYS Makefiles" ARCH: i686 # this is for 32-bit MinGW-w64 - GENERATOR: "MSYS Makefiles" ARCH: 64 -matrix: - allow_failures: - - GENERATOR: "MSYS Makefiles" - ARCH: 32 cache: - i686-4.9.2-release-win32-sjlj-rt_v3-rev1.7z - x86_64-4.9.2-release-win32-seh-rt_v3-rev1.7z diff --git a/include/git2/common.h b/include/git2/common.h index 4f43185f8..0629abb7f 100644 --- a/include/git2/common.h +++ b/include/git2/common.h @@ -24,7 +24,8 @@ GIT_BEGIN_DECL # include "inttypes.h" GIT_END_DECL -#else +/** This check is needed for importing this file in an iOS/OS X framework throws an error in Xcode otherwise.*/ +#elif !defined(__CLANG_INTTYPES_H) # include <inttypes.h> #endif @@ -148,6 +149,7 @@ typedef enum { GIT_OPT_SET_SSL_CERT_LOCATIONS, GIT_OPT_SET_USER_AGENT, GIT_OPT_ENABLE_STRICT_OBJECT_CREATION, + GIT_OPT_SET_SSL_CIPHERS, } git_libgit2_opt_t; /** @@ -259,6 +261,11 @@ typedef enum { * > example, when this is enabled, the parent(s) and tree inputs * > will be validated when creating a new commit. This defaults * > to disabled. + * * opts(GIT_OPT_SET_SSL_CIPHERS, const char *ciphers) + * + * > Set the SSL ciphers use for HTTPS connections. + * > + * > - `ciphers` is the list of ciphers that are eanbled. * * @param option Option key * @param ... value to set the option diff --git a/script/appveyor-mingw.sh b/script/appveyor-mingw.sh index 48e0bad0a..198801875 100755 --- a/script/appveyor-mingw.sh +++ b/script/appveyor-mingw.sh @@ -1,9 +1,7 @@ #!/bin/sh set -e cd `dirname "$0"`/.. -if [ "$ARCH" = "32" ]; then - echo 'C:\MinGW\ /MinGW' > /etc/fstab -elif [ "$ARCH" = "i686" ]; then +if [ "$ARCH" = "i686" ]; then f=i686-4.9.2-release-win32-sjlj-rt_v3-rev1.7z if ! [ -e $f ]; then curl -LsSO http://sourceforge.net/projects/mingw-w64/files/Toolchains%20targetting%20Win32/Personal%20Builds/mingw-builds/4.9.2/threads-win32/sjlj/$f diff --git a/script/toolchain-mingw32.cmake b/script/toolchain-mingw32.cmake deleted file mode 100644 index 2536b01c3..000000000 --- a/script/toolchain-mingw32.cmake +++ /dev/null @@ -1,13 +0,0 @@ -# CMake toolchain file for Win32 cross-compile -SET(CMAKE_SYSTEM_NAME Windows) - -SET(CMAKE_C_COMPILER i586-mingw32msvc-gcc) -SET(CMAKE_RC_COMPILER i586-mingw32msvc-windres) - -SET(CMAKE_FIND_ROOT_PATH /usr/i586-mingw32msvc) - -SET(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER) -SET(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY) -SET(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY) - -SET(ENV{PKG_CONFIG_LIBDIR} ${CMAKE_FIND_ROOT_PATH}/lib/pkgconfig) diff --git a/src/global.c b/src/global.c index 0bfde1e04..c725b5184 100644 --- a/src/global.c +++ b/src/global.c @@ -27,6 +27,7 @@ static git_global_shutdown_fn git__shutdown_callbacks[MAX_SHUTDOWN_CB]; static git_atomic git__n_shutdown_callbacks; static git_atomic git__n_inits; char *git__user_agent; +char *git__ssl_ciphers; void git__on_shutdown(git_global_shutdown_fn callback) { @@ -83,6 +84,7 @@ static void shutdown_common(void) } git__free(git__user_agent); + git__free(git__ssl_ciphers); #if defined(GIT_MSVC_CRTDBG) git_win32__crtdbg_stacktrace_cleanup(); diff --git a/src/global.h b/src/global.h index 9fdcee573..219951525 100644 --- a/src/global.h +++ b/src/global.h @@ -36,5 +36,6 @@ extern void git__on_shutdown(git_global_shutdown_fn callback); extern void git__free_tls_data(void); extern const char *git_libgit2__user_agent(void); +extern const char *git_libgit2__ssl_ciphers(void); #endif diff --git a/src/openssl_stream.c b/src/openssl_stream.c index 97736b714..a65f5586e 100644 --- a/src/openssl_stream.c +++ b/src/openssl_stream.c @@ -34,6 +34,8 @@ SSL_CTX *git__ssl_ctx; +#define GIT_SSL_DEFAULT_CIPHERS "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA" + #ifdef GIT_THREADS static git_mutex *openssl_locks; @@ -85,6 +87,7 @@ int git_openssl_stream_global_init(void) { #ifdef GIT_OPENSSL long ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; + const char *ciphers = git_libgit2__ssl_ciphers(); /* Older OpenSSL and MacOS OpenSSL doesn't have this */ #ifdef SSL_OP_NO_COMPRESSION @@ -108,6 +111,16 @@ int git_openssl_stream_global_init(void) git__ssl_ctx = NULL; return -1; } + + if (!ciphers) { + ciphers = GIT_SSL_DEFAULT_CIPHERS; + } + + if(!SSL_CTX_set_cipher_list(git__ssl_ctx, ciphers)) { + SSL_CTX_free(git__ssl_ctx); + git__ssl_ctx = NULL; + return -1; + } #endif git__on_shutdown(shutdown_ssl); diff --git a/src/settings.c b/src/settings.c index 88602bad0..0da19ea03 100644 --- a/src/settings.c +++ b/src/settings.c @@ -71,12 +71,18 @@ static int config_level_to_sysdir(int config_level) } extern char *git__user_agent; +extern char *git__ssl_ciphers; const char *git_libgit2__user_agent() { return git__user_agent; } +const char *git_libgit2__ssl_ciphers() +{ + return git__ssl_ciphers; +} + int git_libgit2_opts(int key, ...) { int error = 0; @@ -169,7 +175,7 @@ int git_libgit2_opts(int key, ...) } } #else - giterr_set(GITERR_NET, "Cannot set certificate locations: OpenSSL is not enabled"); + giterr_set(GITERR_NET, "cannot set certificate locations: OpenSSL is not enabled"); error = -1; #endif break; @@ -187,6 +193,22 @@ int git_libgit2_opts(int key, ...) git_object__strict_input_validation = (va_arg(ap, int) != 0); break; + case GIT_OPT_SET_SSL_CIPHERS: +#ifdef GIT_OPENSSL + { + git__free(git__ssl_ciphers); + git__ssl_ciphers = git__strdup(va_arg(ap, const char *)); + if (!git__ssl_ciphers) { + giterr_set_oom(); + error = -1; + } + } +#else + giterr_set(GITERR_NET, "cannot set custom ciphers: OpenSSL is not enabled"); + error = -1; +#endif + break; + default: giterr_set(GITERR_INVALID, "invalid option key"); error = -1; diff --git a/tests/online/badssl.c b/tests/online/badssl.c index 12badbda3..66b090df4 100644 --- a/tests/online/badssl.c +++ b/tests/online/badssl.c @@ -36,3 +36,11 @@ void test_online_badssl__self_signed(void) cl_git_fail_with(GIT_ECERTIFICATE, git_clone(&g_repo, "https://self-signed.badssl.com/fake.git", "./fake", NULL)); } + +void test_online_badssl__old_cipher(void) +{ + if (!g_has_ssl) + cl_skip(); + + cl_git_fail(git_clone(&g_repo, "https://rc4.badssl.com/fake.git", "./fake", NULL)); +} |