From d0b5d9850fb7b51c7831d3897ad46e4d3478d322 Mon Sep 17 00:00:00 2001
From: Milan Bouchet-Valat <nalimilan@club.fr>
Date: Thu, 22 Aug 2019 11:55:11 +0200
Subject: [PATCH] Bump libgit2 to 0.28.2 (#32806)
This allows dropping MbedTLS patches which have been upstreamed.
The order in which configuration options are returned has changed, making a test fail:
make the code more robust by giving priority to more specific options over global ones.
---
deps/Versions.make | 4 +-
deps/libgit2.mk | 16 +-
deps/libgit2.version | 4 +-
deps/patches/libgit2-mbedtls.patch | 952 ----------------------------
deps/patches/libgit2-mbedtls2.patch | 28 -
stdlib/LibGit2/src/gitcredential.jl | 8 +-
6 files changed, 12 insertions(+), 1000 deletions(-)
delete mode 100644 deps/patches/libgit2-mbedtls.patch
delete mode 100644 deps/patches/libgit2-mbedtls2.patch
diff --git a/deps/Versions.make b/deps/Versions.make
index ff103cbbe1..0fac074998 100644
--- a/deps/Versions.make
+++ b/deps/Versions.make
@@ -25,7 +25,7 @@ LIBSSH2_VER = 1.8.2
LIBSSH2_BB_REL = 0
CURL_VER = 7.61.0
CURL_BB_REL = 1
-LIBGIT2_VER = 0.27.7
+LIBGIT2_VER = 0.28.2
LIBGIT2_BB_REL = 1
LIBUV_VER = 1.24.0
LIBUV_BB_REL = 1
diff --git a/deps/libgit2.mk b/deps/libgit2.mk
index 845cfba273..ae634542b0 100644
--- a/deps/libgit2.mk
+++ b/deps/libgit2.mk
@@ -44,24 +44,12 @@ endif
LIBGIT2_SRC_PATH := $(SRCCACHE)/$(LIBGIT2_SRC_DIR)
-$(LIBGIT2_SRC_PATH)/libgit2-mbedtls.patch-applied: $(SRCCACHE)/$(LIBGIT2_SRC_DIR)/source-extracted
- cd $(LIBGIT2_SRC_PATH) && \
- patch -p1 -f < $(SRCDIR)/patches/libgit2-mbedtls.patch
- echo 1 > $@
-
-$(LIBGIT2_SRC_PATH)/libgit2-mbedtls2.patch-applied: $(SRCCACHE)/$(LIBGIT2_SRC_DIR)/source-extracted | $(LIBGIT2_SRC_PATH)/libgit2-mbedtls.patch-applied
- cd $(LIBGIT2_SRC_PATH) && \
- patch -p1 -f < $(SRCDIR)/patches/libgit2-mbedtls2.patch
- echo 1 > $@
-
-$(LIBGIT2_SRC_PATH)/libgit2-agent-nonfatal.patch-applied: $(LIBGIT2_SRC_PATH)/source-extracted | $(LIBGIT2_SRC_PATH)/libgit2-mbedtls.patch-applied
+$(LIBGIT2_SRC_PATH)/libgit2-agent-nonfatal.patch-applied: $(LIBGIT2_SRC_PATH)/source-extracted
cd $(LIBGIT2_SRC_PATH) && \
patch -p1 -f < $(SRCDIR)/patches/libgit2-agent-nonfatal.patch
echo 1 > $@
$(BUILDDIR)/$(LIBGIT2_SRC_DIR)/build-configured: \
- $(LIBGIT2_SRC_PATH)/libgit2-mbedtls.patch-applied \
- $(LIBGIT2_SRC_PATH)/libgit2-mbedtls2.patch-applied \
$(LIBGIT2_SRC_PATH)/libgit2-agent-nonfatal.patch-applied \
$(BUILDDIR)/$(LIBGIT2_SRC_DIR)/build-configured: $(LIBGIT2_SRC_PATH)/source-extracted
@@ -109,7 +97,7 @@ $(build_prefix)/manifest/libgit2: $(build_datarootdir)/julia/cert.pem # use libg
else # USE_BINARYBUILDER_LIBGIT2
-LIBGIT2_BB_URL_BASE := https://github.com/JuliaPackaging/Yggdrasil/releases/download/LibGit2-v$(LIBGIT2_VER)-$(LIBGIT2_BB_REL)
+LIBGIT2_BB_URL_BASE := https://github.com/JuliaPackaging/Yggdrasil/releases/download/LibGit2-v$(LIBGIT2_VER)+$(LIBGIT2_BB_REL)
LIBGIT2_BB_NAME := LibGit2.v$(LIBGIT2_VER)
$(eval $(call bb-install,libgit2,LIBGIT2,false))
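Review bot: The new `LIBGIT2_BB_URL_BASE` points the build at a different prebuilt archive, yet none of the six files in this patch's diffstat records a checksum for that archive or for the new source SHA set in `deps/libgit2.version`. How `bb-install` verifies what it downloads is not visible in this hunk, so this is a question rather than a confirmed gap. If the build compares downloads against stored digests, they should be regenerated in this same commit; otherwise the binary is trusted on the URL alone. A short comment above the line would help, e.g. `# Yggdrasil release tags use '+' between version and build number; integrity is checked against <checksum file>`.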
diff --git a/deps/libgit2.version b/deps/libgit2.version
index d35b024233..f67bedc414 100644
--- a/deps/libgit2.version
+++ b/deps/libgit2.version
@@ -1,2 +1,2 @@
-LIBGIT2_BRANCH=v0.27.7
-LIBGIT2_SHA1=f23dc5b29f1394928a940d7ec447f4bfd53dad1f
+LIBGIT2_BRANCH=v0.28.2
+LIBGIT2_SHA1=b3e1a56ebb2b9291e82dc027ba9cbcfc3ead54d3
diff --git a/deps/patches/libgit2-mbedtls.patch b/deps/patches/libgit2-mbedtls.patch
deleted file mode 100644
index c54a7e78c1..0000000000
--- a/deps/patches/libgit2-mbedtls.patch
+++ /dev/null
@@ -1,952 +0,0 @@
-Enables MbedTLS support
-
-Upstream: https://github.com/libgit2/libgit2/pull/4173
-
-NOTE: libgit2 has switched its CI to Azure Pipelines. The aforementioned PR makes modifications
-to the Travis YAML file, which has since been removed, causing patch conflicts. That part of
-the diff has thus been removed here.
-
-git diff ca3b2234dc7f1bd0d0f81488d3e29980b47a85b4^..cb2da47e56159faaaf143943c74ffb8f60a988b1 > libgit2-mbedtls.patch
-
-mbedtls: initial support
-mbedtls: proper certificate verification
-mbedtls: use libmbedcrypto for hashing
-mbedtls: add global initialization
-mbedtls: default cipher list support
-mbedtls: fix libgit2 hanging due to incomplete writes
-mbedtls: enable Travis CI tests
-mbedtls: use our own certificate validation
-mbedtls: use mbedTLS certificate verification
-mbedtls: load default CA certificates
-mbedtls: display error codes as hex for consistency with mbedTLS docs
-tests: clarify comment
-cmake: make our preferred backend ordering consistent
-travis: just grab what we need from mbedtls
-travis: pass -fPIC when configuring mbedtls
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 2ca5354a7..9176eee04 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -48,7 +48,7 @@ OPTION( PROFILE "Generate profiling information" OFF )
- OPTION( ENABLE_TRACE "Enables tracing support" OFF )
- OPTION( LIBGIT2_FILENAME "Name of the produced binary" OFF )
-
--SET(SHA1_BACKEND "CollisionDetection" CACHE STRING "Backend to use for SHA1. One of Generic, OpenSSL, Win32, CommonCrypto, CollisionDetection. ")
-+SET(SHA1_BACKEND "CollisionDetection" CACHE STRING "Backend to use for SHA1. One of Generic, OpenSSL, Win32, CommonCrypto, mbedTLS, CollisionDetection. ")
- OPTION( USE_SSH "Link with libssh to enable SSH support" ON )
- OPTION( USE_HTTPS "Enable HTTPS support. Can be set to a specific backend" ON )
- OPTION( USE_GSSAPI "Link with libgssapi for SPNEGO auth" OFF )
-diff --git a/cmake/Modules/FindmbedTLS.cmake b/cmake/Modules/FindmbedTLS.cmake
-new file mode 100644
-index 000000000..93297555e
---- /dev/null
-+++ b/cmake/Modules/FindmbedTLS.cmake
-@@ -0,0 +1,93 @@
-+# - Try to find mbedTLS
-+# Once done this will define
-+#
-+# Read-Only variables
-+# MBEDTLS_FOUND - system has mbedTLS
-+# MBEDTLS_INCLUDE_DIR - the mbedTLS include directory
-+# MBEDTLS_LIBRARY_DIR - the mbedTLS library directory
-+# MBEDTLS_LIBRARIES - Link these to use mbedTLS
-+# MBEDTLS_LIBRARY - path to mbedTLS library
-+# MBEDX509_LIBRARY - path to mbedTLS X.509 library
-+# MBEDCRYPTO_LIBRARY - path to mbedTLS Crypto library
-+#
-+# Hint
-+# MBEDTLS_ROOT_DIR can be pointed to a local mbedTLS installation.
-+
-+SET(_MBEDTLS_ROOT_HINTS
-+ ${MBEDTLS_ROOT_DIR}
-+ ENV MBEDTLS_ROOT_DIR
-+)
-+
-+SET(_MBEDTLS_ROOT_HINTS_AND_PATHS
-+ HINTS ${_MBEDTLS_ROOT_HINTS}
-+ PATHS ${_MBEDTLS_ROOT_PATHS}
-+)
-+
-+FIND_PATH(MBEDTLS_INCLUDE_DIR
-+ NAMES mbedtls/version.h
-+ ${_MBEDTLS_ROOT_HINTS_AND_PATHS}
-+ PATH_SUFFIXES include
-+)
-+
-+IF(MBEDTLS_INCLUDE_DIR AND MBEDTLS_LIBRARIES)
-+ # Already in cache, be silent
-+ SET(MBEDTLS_FIND_QUIETLY TRUE)
-+ENDIF()
-+
-+FIND_LIBRARY(MBEDTLS_LIBRARY
-+ NAMES mbedtls libmbedtls
-+ ${_MBEDTLS_ROOT_HINTS_AND_PATHS}
-+ PATH_SUFFIXES library
-+)
-+FIND_LIBRARY(MBEDX509_LIBRARY
-+ NAMES mbedx509 libmbedx509
-+ ${_MBEDTLS_ROOT_HINTS_AND_PATHS}
-+ PATH_SUFFIXES library
-+)
-+FIND_LIBRARY(MBEDCRYPTO_LIBRARY
-+ NAMES mbedcrypto libmbedcrypto
-+ ${_MBEDTLS_ROOT_HINTS_AND_PATHS}
-+ PATH_SUFFIXES library
-+)
-+
-+IF(MBEDTLS_INCLUDE_DIR AND MBEDTLS_LIBRARY AND MBEDX509_LIBRARY AND MBEDCRYPTO_LIBRARY)
-+ SET(MBEDTLS_FOUND TRUE)
-+ENDIF()
-+
-+IF(MBEDTLS_FOUND)
-+ # split mbedTLS into -L and -l linker options, so we can set them for pkg-config
-+ GET_FILENAME_COMPONENT(MBEDTLS_LIBRARY_DIR ${MBEDTLS_LIBRARY} PATH)
-+ GET_FILENAME_COMPONENT(MBEDTLS_LIBRARY_FILE ${MBEDTLS_LIBRARY} NAME_WE)
-+ GET_FILENAME_COMPONENT(MBEDX509_LIBRARY_FILE ${MBEDX509_LIBRARY} NAME_WE)
-+ GET_FILENAME_COMPONENT(MBEDCRYPTO_LIBRARY_FILE ${MBEDCRYPTO_LIBRARY} NAME_WE)
-+ STRING(REGEX REPLACE "^lib" "" MBEDTLS_LIBRARY_FILE ${MBEDTLS_LIBRARY_FILE})
-+ STRING(REGEX REPLACE "^lib" "" MBEDX509_LIBRARY_FILE ${MBEDX509_LIBRARY_FILE})
-+ STRING(REGEX REPLACE "^lib" "" MBEDCRYPTO_LIBRARY_FILE ${MBEDCRYPTO_LIBRARY_FILE})
-+ SET(MBEDTLS_LIBRARIES "-L${MBEDTLS_LIBRARY_DIR} -l${MBEDTLS_LIBRARY_FILE} -l${MBEDX509_LIBRARY_FILE} -l${MBEDCRYPTO_LIBRARY_FILE}")
-+
-+ IF(NOT MBEDTLS_FIND_QUIETLY)
-+ MESSAGE(STATUS "Found mbedTLS:")
-+ FILE(READ ${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h MBEDTLSCONTENT)
-+ STRING(REGEX MATCH "MBEDTLS_VERSION_STRING +\"[0-9|.]+\"" MBEDTLSMATCH ${MBEDTLSCONTENT})
-+ IF (MBEDTLSMATCH)
-+ STRING(REGEX REPLACE "MBEDTLS_VERSION_STRING +\"([0-9|.]+)\"" "\\1" MBEDTLS_VERSION ${MBEDTLSMATCH})
-+ MESSAGE(STATUS " version ${MBEDTLS_VERSION}")
-+ ENDIF(MBEDTLSMATCH)
-+ MESSAGE(STATUS " TLS: ${MBEDTLS_LIBRARY}")
-+ MESSAGE(STATUS " X509: ${MBEDX509_LIBRARY}")
-+ MESSAGE(STATUS " Crypto: ${MBEDCRYPTO_LIBRARY}")
-+ ENDIF(NOT MBEDTLS_FIND_QUIETLY)
-+ELSE(MBEDTLS_FOUND)
-+ IF(MBEDTLS_FIND_REQUIRED)
-+ MESSAGE(FATAL_ERROR "Could not find mbedTLS")
-+ ENDIF(MBEDTLS_FIND_REQUIRED)
-+ENDIF(MBEDTLS_FOUND)
-+
-+MARK_AS_ADVANCED(
-+ MBEDTLS_INCLUDE_DIR
-+ MBEDTLS_LIBRARY_DIR
-+ MBEDTLS_LIBRARIES
-+ MBEDTLS_LIBRARY
-+ MBEDX509_LIBRARY
-+ MBEDCRYPTO_LIBRARY
-+)
-diff --git a/script/install-deps-linux.sh b/script/install-deps-linux.sh
-new file mode 100755
-index 000000000..99cbde4e0
---- /dev/null
-+++ b/script/install-deps-linux.sh
-@@ -0,0 +1,13 @@
-+#!/bin/sh
-+
-+set -x
-+
-+if [ "$MBEDTLS" ]; then
-+ git clone --depth 10 --single-branch --branch mbedtls-2.6.1 https://github.com/ARMmbed/mbedtls.git ./deps/mbedtls
-+ cd ./deps/mbedtls
-+ # We pass -fPIC explicitely because we'll include it in libgit2.so
-+ CFLAGS=-fPIC cmake -DENABLE_PROGRAMS=OFF -DENABLE_TESTING=OFF -DUSE_SHARED_MBEDTLS_LIBRARY=OFF -DUSE_STATIC_MBEDTLS_LIBRARY=ON .
-+ cmake --build .
-+
-+ echo "mbedTLS built in `pwd`"
-+fi
-diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
-index b03b96af9..0f5d78547 100644
---- a/src/CMakeLists.txt
-+++ b/src/CMakeLists.txt
-@@ -133,6 +133,9 @@ ELSE ()
- ENDIF()
-
- IF (USE_HTTPS)
-+ # We try to find any packages our backends might use
-+ FIND_PACKAGE(OpenSSL)
-+ FIND_PACKAGE(mbedTLS)
- IF (CMAKE_SYSTEM_NAME MATCHES "Darwin")
- FIND_PACKAGE(Security)
- FIND_PACKAGE(CoreFoundation)
-@@ -149,8 +152,13 @@ IF (USE_HTTPS)
- ENDIF()
- ELSEIF (WINHTTP)
- SET(HTTPS_BACKEND "WinHTTP")
-- ELSE()
-+ ELSEIF(OPENSSL_FOUND)
- SET(HTTPS_BACKEND "OpenSSL")
-+ ELSEIF(MBEDTLS_FOUND)
-+ SET(HTTPS_BACKEND "mbedTLS")
-+ ELSE()
-+ MESSAGE(FATAL_ERROR "Unable to autodetect a usable HTTPS backend."
-+ "Please pass the backend name explicitly (-DUSE_HTTPS=backend)")
- ENDIF()
- ELSE()
- # Backend was explicitly set
-@@ -174,8 +182,6 @@ IF (USE_HTTPS)
- LIST(APPEND LIBGIT2_LIBS ${COREFOUNDATION_LIBRARIES} ${SECURITY_LIBRARIES})
- LIST(APPEND LIBGIT2_PC_LIBS ${COREFOUNDATION_LDFLAGS} ${SECURITY_LDFLAGS})
- ELSEIF (HTTPS_BACKEND STREQUAL "OpenSSL")
-- FIND_PACKAGE(OpenSSL)
--
- IF (NOT OPENSSL_FOUND)
- MESSAGE(FATAL_ERROR "Asked for OpenSSL TLS backend, but it wasn't found")
- ENDIF()
-@@ -185,6 +191,53 @@ IF (USE_HTTPS)
- LIST(APPEND LIBGIT2_LIBS ${OPENSSL_LIBRARIES})
- LIST(APPEND LIBGIT2_PC_LIBS ${OPENSSL_LDFLAGS})
- LIST(APPEND LIBGIT2_PC_REQUIRES "openssl")
-+ ELSEIF(HTTPS_BACKEND STREQUAL "mbedTLS")
-+ IF (NOT MBEDTLS_FOUND)
-+ MESSAGE(FATAL_ERROR "Asked for mbedTLS backend, but it wasn't found")
-+ ENDIF()
-+
-+ IF(NOT CERT_LOCATION)
-+ MESSAGE("Auto-detecting default certificates location")
-+ IF(CMAKE_SYSTEM_NAME MATCHES Darwin)
-+ # Check for an Homebrew installation
-+ SET(OPENSSL_CMD "/usr/local/opt/openssl/bin/openssl")
-+ ELSE()
-+ SET(OPENSSL_CMD "openssl")
-+ ENDIF()
-+ EXECUTE_PROCESS(COMMAND ${OPENSSL_CMD} version -d OUTPUT_VARIABLE OPENSSL_DIR OUTPUT_STRIP_TRAILING_WHITESPACE)
-+ IF(OPENSSL_DIR)
-+ STRING(REGEX REPLACE "^OPENSSLDIR: \"(.*)\"$" "\\1/" OPENSSL_DIR ${OPENSSL_DIR})
-+
-+ SET(OPENSSL_CA_LOCATIONS
-+ "ca-bundle.pem" # OpenSUSE Leap 42.1
-+ "cert.pem" # Ubuntu 14.04, FreeBSD
-+ "certs/ca-certificates.crt" # Ubuntu 16.04
-+ "certs/ca.pem" # Debian 7
-+ )
-+ FOREACH(SUFFIX IN LISTS OPENSSL_CA_LOCATIONS)
-+ SET(LOC "${OPENSSL_DIR}${SUFFIX}")
-+ IF(NOT CERT_LOCATION AND EXISTS "${OPENSSL_DIR}${SUFFIX}")
-+ SET(CERT_LOCATION ${LOC})
-+ ENDIF()
-+ ENDFOREACH()
-+ ELSE()
-+ MESSAGE("Unable to find OpenSSL executable. Please provide default certificate location via CERT_LOCATION")
-+ ENDIF()
-+ ENDIF()
-+
-+ IF(CERT_LOCATION)
-+ IF(NOT EXISTS ${CERT_LOCATION})
-+ MESSAGE(FATAL_ERROR "Cannot use CERT_LOCATION=${CERT_LOCATION} as it doesn't exist")
-+ ENDIF()
-+ ADD_FEATURE_INFO(CERT_LOCATION ON "using certificates from ${CERT_LOCATION}")
-+ ADD_DEFINITIONS(-DGIT_DEFAULT_CERT_LOCATION="${CERT_LOCATION}")
-+ ENDIF()
-+
-+ SET(GIT_MBEDTLS 1)
-+ LIST(APPEND LIBGIT2_INCLUDES ${MBEDTLS_INCLUDE_DIR})
-+ LIST(APPEND LIBGIT2_LIBS ${MBEDTLS_LIBRARIES})
-+ LIST(APPEND LIBGIT2_PC_LIBS ${MBEDTLS_LDFLAGS})
-+ LIST(APPEND LIBGIT2_PC_REQUIRES "mbedtls")
- ELSEIF (HTTPS_BACKEND STREQUAL "WinHTTP")
- # WinHTTP setup was handled in the WinHTTP-specific block above
- ELSE()
-@@ -230,6 +283,11 @@ ELSEIF(SHA1_BACKEND STREQUAL "Win32")
- ELSEIF(SHA1_BACKEND STREQUAL "CommonCrypto")
- ADD_FEATURE_INFO(SHA ON "using CommonCrypto")
- SET(GIT_SHA1_COMMON_CRYPTO 1)
-+ELSEIF (SHA1_BACKEND STREQUAL "mbedTLS")
-+ ADD_FEATURE_INFO(SHA ON "using mbedTLS")
-+ SET(GIT_SHA1_MBEDTLS 1)
-+ FILE(GLOB SRC_SHA1 src/hash/hash_mbedtls.c)
-+ LIST(APPEND LIBGIT2_PC_REQUIRES "mbedtls")
- ELSE()
- MESSAGE(FATAL_ERROR "Asked for unknown SHA1 backend ${SHA1_BACKEND}")
- ENDIF()
-diff --git a/src/features.h.in b/src/features.h.in
-index e03b7a251..f414c5843 100644
---- a/src/features.h.in
-+++ b/src/features.h.in
-@@ -27,10 +27,12 @@
- #cmakedefine GIT_HTTPS 1
- #cmakedefine GIT_OPENSSL 1
- #cmakedefine GIT_SECURE_TRANSPORT 1
-+#cmakedefine GIT_MBEDTLS 1
-
- #cmakedefine GIT_SHA1_COLLISIONDETECT 1
- #cmakedefine GIT_SHA1_WIN32 1
- #cmakedefine GIT_SHA1_COMMON_CRYPTO 1
- #cmakedefine GIT_SHA1_OPENSSL 1
-+#cmakedefine GIT_SHA1_MBEDTLS 1
-
- #endif
-diff --git a/src/global.c b/src/global.c
-index 2f9b45bcd..02aedf57d 100644
---- a/src/global.c
-+++ b/src/global.c
-@@ -12,6 +12,7 @@
- #include "filter.h"
- #include "merge_driver.h"
- #include "streams/curl.h"
-+#include "streams/mbedtls.h"
- #include "streams/openssl.h"
- #include "thread-utils.h"
- #include "git2/global.h"
-@@ -65,7 +66,8 @@ static int init_common(void)
- (ret = git_merge_driver_global_init()) == 0 &&
- (ret = git_transport_ssh_global_init()) == 0 &&
- (ret = git_openssl_stream_global_init()) == 0 &&
-- (ret = git_curl_stream_global_init()) == 0)
-+ (ret = git_curl_stream_global_init()) == 0 &&
-+ (ret = git_mbedtls_stream_global_init()) == 0)
- ret = git_mwindow_global_init();
-
- GIT_MEMORY_BARRIER;
-diff --git a/src/hash.h b/src/hash.h
-index 31eaf8889..93765adf3 100644
---- a/src/hash.h
-+++ b/src/hash.h
-@@ -26,6 +26,8 @@ void git_hash_ctx_cleanup(git_hash_ctx *ctx);
- # include "hash/hash_openssl.h"
- #elif defined(GIT_SHA1_WIN32)
- # include "hash/hash_win32.h"
-+#elif defined(GIT_SHA1_MBEDTLS)
-+# include "hash/hash_mbedtls.h"
- #else
- # include "hash/hash_generic.h"
- #endif
-diff --git a/src/hash/hash_mbedtls.c b/src/hash/hash_mbedtls.c
-new file mode 100644
-index 000000000..a19d76308
---- /dev/null
-+++ b/src/hash/hash_mbedtls.c
-@@ -0,0 +1,38 @@
-+/*
-+ * Copyright (C) the libgit2 contributors. All rights reserved.
-+ *
-+ * This file is part of libgit2, distributed under the GNU GPL v2 with
-+ * a Linking Exception. For full terms see the included COPYING file.
-+ */
-+
-+#include "common.h"
-+#include "hash.h"
-+#include "hash/hash_mbedtls.h"
-+
-+void git_hash_ctx_cleanup(git_hash_ctx *ctx)
-+{
-+ assert(ctx);
-+ mbedtls_sha1_free(&ctx->c);
-+}
-+
-+int git_hash_init(git_hash_ctx *ctx)
-+{
-+ assert(ctx);
-+ mbedtls_sha1_init(&ctx->c);
-+ mbedtls_sha1_starts(&ctx->c);
-+ return 0;
-+}
-+
-+int git_hash_update(git_hash_ctx *ctx, const void *data, size_t len)
-+{
-+ assert(ctx);
-+ mbedtls_sha1_update(&ctx->c, data, len);
-+ return 0;
-+}
-+
-+int git_hash_final(git_oid *out, git_hash_ctx *ctx)
-+{
-+ assert(ctx);
-+ mbedtls_sha1_finish(&ctx->c, out->id);
-+ return 0;
-+}
-diff --git a/src/hash/hash_mbedtls.h b/src/hash/hash_mbedtls.h
-new file mode 100644
-index 000000000..24196c5bf
---- /dev/null
-+++ b/src/hash/hash_mbedtls.h
-@@ -0,0 +1,20 @@
-+/*
-+ * Copyright (C) the libgit2 contributors. All rights reserved.
-+ *
-+ * This file is part of libgit2, distributed under the GNU GPL v2 with
-+ * a Linking Exception. For full terms see the included COPYING file.
-+ */
-+
-+#ifndef INCLUDE_hash_mbedtld_h__
-+#define INCLUDE_hash_mbedtld_h__
-+
-+#include <mbedtls/sha1.h>
-+
-+struct git_hash_ctx {
-+ mbedtls_sha1_context c;
-+};
-+
-+#define git_hash_global_init() 0
-+#define git_hash_ctx_init(ctx) git_hash_init(ctx)
-+
-+#endif /* INCLUDE_hash_mbedtld_h__ */
-diff --git a/src/settings.c b/src/settings.c
-index 2a52ffbf6..f6bc5b270 100644
---- a/src/settings.c
-+++ b/src/settings.c
-@@ -11,6 +11,10 @@
- # include <openssl/err.h>
- #endif
-
-+#ifdef GIT_MBEDTLS
-+# include <mbedtls/error.h>
-+#endif
-+
- #include <git2.h>
- #include "sysdir.h"
- #include "cache.h"
-@@ -20,6 +24,7 @@
- #include "refs.h"
- #include "transports/smart.h"
- #include "streams/openssl.h"
-+#include "streams/mbedtls.h"
-
- void git_libgit2_version(int *major, int *minor, int *rev)
- {
-@@ -175,6 +180,15 @@ int git_libgit2_opts(int key, ...)
- const char *path = va_arg(ap, const char *);
- error = git_openssl__set_cert_location(file, path);
- }
-+#elif defined(GIT_MBEDTLS)
-+ {
-+ const char *file = va_arg(ap, const char *);
-+ const char *path = va_arg(ap, const char *);
-+ if (file)
-+ error = git_mbedtls__set_cert_location(file, 0);
-+ if (error && path)
-+ error = git_mbedtls__set_cert_location(path, 1);
-+ }
- #else
- giterr_set(GITERR_SSL, "TLS backend doesn't support certificate locations");
- error = -1;
-@@ -199,7 +213,7 @@ int git_libgit2_opts(int key, ...)
- break;
-
- case GIT_OPT_SET_SSL_CIPHERS:
--#ifdef GIT_OPENSSL
-+#if (GIT_OPENSSL || GIT_MBEDTLS)
- {
- git__free(git__ssl_ciphers);
- git__ssl_ciphers = git__strdup(va_arg(ap, const char *));
-diff --git a/src/streams/mbedtls.c b/src/streams/mbedtls.c
-new file mode 100644
-index 000000000..0a49a36a6
---- /dev/null
-+++ b/src/streams/mbedtls.c
-@@ -0,0 +1,452 @@
-+/*
-+ * Copyright (C) the libgit2 contributors. All rights reserved.
-+ *
-+ * This file is part of libgit2, distributed under the GNU GPL v2 with
-+ * a Linking Exception. For full terms see the included COPYING file.
-+ */
-+
-+#include "streams/mbedtls.h"
-+
-+#ifdef GIT_MBEDTLS
-+
-+#include <ctype.h>
-+
-+#include "global.h"
-+#include "stream.h"
-+#include "streams/socket.h"
-+#include "netops.h"
-+#include "git2/transport.h"
-+#include "util.h"
-+
-+#ifdef GIT_CURL
-+# include "streams/curl.h"
-+#endif
-+
-+#ifndef GIT_DEFAULT_CERT_LOCATION
-+#define GIT_DEFAULT_CERT_LOCATION NULL
-+#endif
-+
-+#include <mbedtls/config.h>
-+#include <mbedtls/ssl.h>
-+#include <mbedtls/error.h>
-+#include <mbedtls/entropy.h>
-+#include <mbedtls/ctr_drbg.h>
-+
-+mbedtls_ssl_config *git__ssl_conf;
-+mbedtls_entropy_context *mbedtls_entropy;
-+
-+#define GIT_SSL_DEFAULT_CIPHERS "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-DSS-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-DSS-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-128-CBC-SHA256:TLS-DHE-DSS-WITH-AES-256-CBC-SHA256:TLS-DHE-DSS-WITH-AES-128-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-128-GCM-SHA256:TLS-RSA-WITH-AES-256-GCM-SHA384:TLS-RSA-WITH-AES-128-CBC-SHA256:TLS-RSA-WITH-AES-256-CBC-SHA256:TLS-RSA-WITH-AES-128-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA"
-+#define GIT_SSL_DEFAULT_CIPHERS_COUNT 30
-+
-+/**
-+ * This function aims to clean-up the SSL context which
-+ * we allocated.
-+ */
-+static void shutdown_ssl(void)
-+{
-+ if (git__ssl_conf) {
-+ mbedtls_x509_crt_free(git__ssl_conf->ca_chain);
-+ git__free(git__ssl_conf->ca_chain);
-+ mbedtls_ctr_drbg_free(git__ssl_conf->p_rng);
-+ git__free(git__ssl_conf->p_rng);
-+ mbedtls_ssl_config_free(git__ssl_conf);
-+ git__free(git__ssl_conf);
-+ git__ssl_conf = NULL;
-+ }
-+ if (mbedtls_entropy) {
-+ mbedtls_entropy_free(mbedtls_entropy);
-+ git__free(mbedtls_entropy);
-+ mbedtls_entropy = NULL;
-+ }
-+}
-+
-+int git_mbedtls__set_cert_location(const char *path, int is_dir);
-+
-+int git_mbedtls_stream_global_init(void)
-+{
-+ int loaded = 0;
-+ char *crtpath = GIT_DEFAULT_CERT_LOCATION;
-+ struct stat statbuf;
-+ mbedtls_ctr_drbg_context *ctr_drbg = NULL;
-+
-+ int *ciphers_list = NULL;
-+ int ciphers_known = 0;
-+ char *cipher_name = NULL;
-+ char *cipher_string = NULL;
-+ char *cipher_string_tmp = NULL;
-+
-+ mbedtls_x509_crt *cacert = NULL;
-+
-+ git__ssl_conf = git__malloc(sizeof(mbedtls_ssl_config));
-+ mbedtls_ssl_config_init(git__ssl_conf);
-+ if (mbedtls_ssl_config_defaults(git__ssl_conf,
-+ MBEDTLS_SSL_IS_CLIENT,
-+ MBEDTLS_SSL_TRANSPORT_STREAM,
-+ MBEDTLS_SSL_PRESET_DEFAULT) != 0) {
-+ giterr_set(GITERR_SSL, "failed to initialize mbedTLS");
-+ goto cleanup;
-+ }
-+
-+ /* configure TLSv1 */
-+ mbedtls_ssl_conf_min_version(git__ssl_conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0);
-+
-+ /* verify_server_cert is responsible for making the check.
-+ * OPTIONAL because REQUIRED drops the certificate as soon as the check
-+ * is made, so we can never see the certificate and override it. */
-+ mbedtls_ssl_conf_authmode(git__ssl_conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
-+
-+ /* set the list of allowed ciphersuites */
-+ ciphers_list = calloc(GIT_SSL_DEFAULT_CIPHERS_COUNT, sizeof(int));
-+ ciphers_known = 0;
-+ cipher_string = cipher_string_tmp = git__strdup(GIT_SSL_DEFAULT_CIPHERS);
-+ while ((cipher_name = git__strtok(&cipher_string_tmp, ":")) != NULL) {
-+ int cipherid = mbedtls_ssl_get_ciphersuite_id(cipher_name);
-+ if (cipherid == 0) continue;
-+
-+ ciphers_list[ciphers_known++] = cipherid;
-+ }
-+ git__free(cipher_string);
-+
-+ if (!ciphers_known) {
-+ giterr_set(GITERR_SSL, "no cipher could be enabled");
-+ goto cleanup;
-+ }
-+ mbedtls_ssl_conf_ciphersuites(git__ssl_conf, ciphers_list);
-+
-+ /* Seeding the random number generator */
-+ mbedtls_entropy = git__malloc(sizeof(mbedtls_entropy_context));
-+ mbedtls_entropy_init(mbedtls_entropy);
-+
-+ ctr_drbg = git__malloc(sizeof(mbedtls_ctr_drbg_context));
-+ mbedtls_ctr_drbg_init(ctr_drbg);
-+ if (mbedtls_ctr_drbg_seed(ctr_drbg,
-+ mbedtls_entropy_func,
-+ mbedtls_entropy, NULL, 0) != 0) {
-+ giterr_set(GITERR_SSL, "failed to initialize mbedTLS entropy pool");
-+ goto cleanup;
-+ }
-+
-+ mbedtls_ssl_conf_rng(git__ssl_conf, mbedtls_ctr_drbg_random, ctr_drbg);
-+
-+ /* load default certificates */
-+ if (crtpath != NULL && stat(crtpath, &statbuf) == 0 && S_ISREG(statbuf.st_mode))
-+ loaded = (git_mbedtls__set_cert_location(crtpath, 0) == 0);
-+ if (!loaded && crtpath != NULL && stat(crtpath, &statbuf) == 0 && S_ISDIR(statbuf.st_mode))
-+ loaded = (git_mbedtls__set_cert_location(crtpath, 1) == 0);
-+
-+ git__on_shutdown(shutdown_ssl);
-+
-+ return 0;
-+
-+cleanup:
-+ mbedtls_x509_crt_free(cacert);
-+ git__free(cacert);
-+ mbedtls_ctr_drbg_free(ctr_drbg);
-+ git__free(ctr_drbg);
-+ mbedtls_ssl_config_free(git__ssl_conf);
-+ git__free(git__ssl_conf);
-+ git__ssl_conf = NULL;
-+
-+ return -1;
-+}
-+
-+mbedtls_ssl_config *git__ssl_conf;
-+
-+static int bio_read(void *b, unsigned char *buf, size_t len)
-+{
-+ git_stream *io = (git_stream *) b;
-+ return (int) git_stream_read(io, buf, len);
-+}
-+
-+static int bio_write(void *b, const unsigned char *buf, size_t len)
-+{
-+ git_stream *io = (git_stream *) b;
-+ return (int) git_stream_write(io, (const char *)buf, len, 0);
-+}
-+
-+static int ssl_set_error(mbedtls_ssl_context *ssl, int error)
-+{
-+ char errbuf[512];
-+ int ret = -1;
-+
-+ assert(error != MBEDTLS_ERR_SSL_WANT_READ);
-+ assert(error != MBEDTLS_ERR_SSL_WANT_WRITE);
-+
-+ if (error != 0)
-+ mbedtls_strerror( error, errbuf, 512 );
-+
-+ switch(error) {
-+ case 0:
-+ giterr_set(GITERR_SSL, "SSL error: unknown error");
-+ break;
-+
-+ case MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:
-+ giterr_set(GITERR_SSL, "SSL error: %#04x [%x] - %s", error, ssl->session_negotiate->verify_result, errbuf);
-+ ret = GIT_ECERTIFICATE;
-+ break;
-+
-+ default:
-+ giterr_set(GITERR_SSL, "SSL error: %#04x - %s", error, errbuf);
-+ }
-+
-+ return ret;
-+}
-+
-+static int ssl_teardown(mbedtls_ssl_context *ssl)
-+{
-+ int ret = 0;
-+
-+ ret = mbedtls_ssl_close_notify(ssl);
-+ if (ret < 0)
-+ ret = ssl_set_error(ssl, ret);
-+
-+ mbedtls_ssl_free(ssl);
-+ return ret;
-+}
-+
-+static int verify_server_cert(mbedtls_ssl_context *ssl)
-+{
-+ int ret = -1;
-+
-+ if ((ret = mbedtls_ssl_get_verify_result(ssl)) != 0) {
-+ char vrfy_buf[512];
-+ int len = mbedtls_x509_crt_verify_info(vrfy_buf, sizeof(vrfy_buf), "", ret);
-+ if (len >= 1) vrfy_buf[len - 1] = '\0'; /* Remove trailing \n */
-+ giterr_set(GITERR_SSL, "the SSL certificate is invalid: %#04x - %s", ret, vrfy_buf);
-+ return GIT_ECERTIFICATE;
-+ }
-+
-+ return 0;
-+}
-+
-+typedef struct {
-+ git_stream parent;
-+ git_stream *io;
-+ bool connected;
-+ char *host;
-+ mbedtls_ssl_context *ssl;
-+ git_cert_x509 cert_info;
-+} mbedtls_stream;
-+
-+
-+int mbedtls_connect(git_stream *stream)
-+{
-+ int ret;
-+ mbedtls_stream *st = (mbedtls_stream *) stream;
-+
-+ if ((ret = git_stream_connect(st->io)) < 0)
-+ return ret;
-+
-+ st->connected = true;
-+
-+ mbedtls_ssl_set_hostname(st->ssl, st->host);
-+
-+ mbedtls_ssl_set_bio(st->ssl, st->io, bio_write, bio_read, NULL);
-+
-+ if ((ret = mbedtls_ssl_handshake(st->ssl)) != 0)
-+ return ssl_set_error(st->ssl, ret);
-+
-+ return verify_server_cert(st->ssl);
-+}
-+
-+int mbedtls_certificate(git_cert **out, git_stream *stream)
-+{
-+ unsigned char *encoded_cert;
-+ mbedtls_stream *st = (mbedtls_stream *) stream;
-+
-+ const mbedtls_x509_crt *cert = mbedtls_ssl_get_peer_cert(st->ssl);
-+ if (!cert) {
-+ giterr_set(GITERR_SSL, "the server did not provide a certificate");
-+ return -1;
-+ }
-+
-+ /* Retrieve the length of the certificate first */
-+ if (cert->raw.len == 0) {
-+ giterr_set(GITERR_NET, "failed to retrieve certificate information");
-+ return -1;
-+ }
-+
-+ encoded_cert = git__malloc(cert->raw.len);
-+ GITERR_CHECK_ALLOC(encoded_cert);
-+ memcpy(encoded_cert, cert->raw.p, cert->raw.len);
-+
-+ st->cert_info.parent.cert_type = GIT_CERT_X509;
-+ st->cert_info.data = encoded_cert;
-+ st->cert_info.len = cert->raw.len;
-+
-+ *out = &st->cert_info.parent;
-+
-+ return 0;
-+}
-+
-+static int mbedtls_set_proxy(git_stream *stream, const git_proxy_options *proxy_options)
-+{
-+ mbedtls_stream *st = (mbedtls_stream *) stream;
-+
-+ return git_stream_set_proxy(st->io, proxy_options);
-+}
-+
-+ssize_t mbedtls_stream_write(git_stream *stream, const char *data, size_t len, int flags)
-+{
-+ size_t read = 0;
-+ mbedtls_stream *st = (mbedtls_stream *) stream;
-+
-+ GIT_UNUSED(flags);
-+
-+ do {
-+ int error = mbedtls_ssl_write(st->ssl, (const unsigned char *)data + read, len - read);
-+ if (error <= 0) {
-+ return ssl_set_error(st->ssl, error);
-+ }
-+ read += error;
-+ } while (read < len);
-+
-+ return read;
-+}
-+
-+ssize_t mbedtls_stream_read(git_stream *stream, void *data, size_t len)
-+{
-+ mbedtls_stream *st = (mbedtls_stream *) stream;
-+ int ret;
-+
-+ if ((ret = mbedtls_ssl_read(st->ssl, (unsigned char *)data, len)) <= 0)
-+ ssl_set_error(st->ssl, ret);
-+
-+ return ret;
-+}
-+
-+int mbedtls_stream_close(git_stream *stream)
-+{
-+ mbedtls_stream *st = (mbedtls_stream *) stream;
-+ int ret = 0;
-+
-+ if (st->connected && (ret = ssl_teardown(st->ssl)) != 0)
-+ return -1;
-+
-+ st->connected = false;
-+
-+ return git_stream_close(st->io);
-+}
-+
-+void mbedtls_stream_free(git_stream *stream)
-+{
-+ mbedtls_stream *st = (mbedtls_stream *) stream;
-+
-+ git__free(st->host);
-+ git__free(st->cert_info.data);
-+ git_stream_free(st->io);
-+ git__free(st->ssl);
-+ git__free(st);
-+}
-+
-+int git_mbedtls_stream_new(git_stream **out, const char *host, const char *port)
-+{
-+ int error;
-+ mbedtls_stream *st;
-+
-+ st = git__calloc(1, sizeof(mbedtls_stream));
-+ GITERR_CHECK_ALLOC(st);
-+
-+#ifdef GIT_CURL
-+ error = git_curl_stream_new(&st->io, host, port);
-+#else
-+ error = git_socket_stream_new(&st->io, host, port);
-+#endif
-+
-+ if (error < 0)
-+ goto out_err;
-+
-+ st->ssl = git__malloc(sizeof(mbedtls_ssl_context));
-+ GITERR_CHECK_ALLOC(st->ssl);
-+ mbedtls_ssl_init(st->ssl);
-+ if (mbedtls_ssl_setup(st->ssl, git__ssl_conf)) {
-+ giterr_set(GITERR_SSL, "failed to create ssl object");
-+ error = -1;
-+ goto out_err;
-+ }
-+
-+ st->host = git__strdup(host);
-+ GITERR_CHECK_ALLOC(st->host);
-+
-+ st->parent.version = GIT_STREAM_VERSION;
-+ st->parent.encrypted = 1;
-+ st->parent.proxy_support = git_stream_supports_proxy(st->io);
-+ st->parent.connect = mbedtls_connect;
-+ st->parent.certificate = mbedtls_certificate;
-+ st->parent.set_proxy = mbedtls_set_proxy;
-+ st->parent.read = mbedtls_stream_read;
-+ st->parent.write = mbedtls_stream_write;
-+ st->parent.close = mbedtls_stream_close;
-+ st->parent.free = mbedtls_stream_free;
-+
-+ *out = (git_stream *) st;
-+ return 0;
-+
-+out_err:
-+ mbedtls_ssl_free(st->ssl);
-+ git_stream_free(st->io);
-+ git__free(st);
-+
-+ return error;
-+}
-+
-+int git_mbedtls__set_cert_location(const char *path, int is_dir)
-+{
-+ int ret = 0;
-+ char errbuf[512];
-+ mbedtls_x509_crt *cacert;
-+
-+ assert(path != NULL);
-+
-+ cacert = git__malloc(sizeof(mbedtls_x509_crt));
-+ mbedtls_x509_crt_init(cacert);
-+ if (is_dir) {
-+ ret = mbedtls_x509_crt_parse_path(cacert, path);
-+ } else {
-+ ret = mbedtls_x509_crt_parse_file(cacert, path);
-+ }
-+ /* mbedtls_x509_crt_parse_path returns the number of invalid certs on success */
-+ if (ret < 0) {
-+ mbedtls_x509_crt_free(cacert);
-+ git__free(cacert);
-+ mbedtls_strerror( ret, errbuf, 512 );
-+ giterr_set(GITERR_SSL, "failed to load CA certificates: %#04x - %s", ret, errbuf);
-+ return -1;
-+ }
-+
-+ mbedtls_x509_crt_free(git__ssl_conf->ca_chain);
-+ git__free(git__ssl_conf->ca_chain);
-+ mbedtls_ssl_conf_ca_chain(git__ssl_conf, cacert, NULL);
-+
-+ return 0;
-+}
-+
-+#else
-+
-+#include "stream.h"
-+
-+int git_mbedtls_stream_global_init(void)
-+{
-+ return 0;
-+}
-+
-+int git_mbedtls_stream_new(git_stream **out, const char *host, const char *port)
-+{
-+ GIT_UNUSED(out);
-+ GIT_UNUSED(host);
-+ GIT_UNUSED(port);
-+
-+ giterr_set(GITERR_SSL, "mbedTLS is not supported in this version");
-+ return -1;
-+}
-+
-+int git_mbedtls__set_cert_location(const char *path, int is_dir)
-+{
-+ GIT_UNUSED(path);
-+ GIT_UNUSED(is_dir);
-+
-+ giterr_set(GITERR_SSL, "mbedTLS is not supported in this version");
-+ return -1;
-+}
-+
-+#endif
-diff --git a/src/streams/mbedtls.h b/src/streams/mbedtls.h
-new file mode 100644
-index 000000000..7283698ff
---- /dev/null
-+++ b/src/streams/mbedtls.h
-@@ -0,0 +1,20 @@
-+/*
-+ * Copyright (C) the libgit2 contributors. All rights reserved.
-+ *
-+ * This file is part of libgit2, distributed under the GNU GPL v2 with
-+ * a Linking Exception. For full terms see the included COPYING file.
-+ */
-+#ifndef INCLUDE_steams_mbedtls_h__
-+#define INCLUDE_steams_mbedtls_h__
-+
-+#include "common.h"
-+
-+#include "git2/sys/stream.h"
-+
-+extern int git_mbedtls_stream_global_init(void);
-+
-+extern int git_mbedtls_stream_new(git_stream **out, const char *host, const char *port);
-+
-+extern int git_mbedtls__set_cert_location(const char *path, int is_dir);
-+
-+#endif
-diff --git a/src/streams/tls.c b/src/streams/tls.c
-index d6ca7d40d..1bcb0d984 100644
---- a/src/streams/tls.c
-+++ b/src/streams/tls.c
-@@ -9,6 +9,7 @@
-
- #include "git2/errors.h"
-
-+#include "streams/mbedtls.h"
- #include "streams/openssl.h"
- #include "streams/stransport.h"
-
-@@ -31,6 +32,8 @@ int git_tls_stream_new(git_stream **out, const char *host, const char *port)
- return git_stransport_stream_new(out, host, port);
- #elif defined(GIT_OPENSSL)
- return git_openssl_stream_new(out, host, port);
-+#elif defined(GIT_MBEDTLS)
-+ return git_mbedtls_stream_new(out, host, port);
- #else
- GIT_UNUSED(out);
- GIT_UNUSED(host);
-diff --git a/tests/core/stream.c b/tests/core/stream.c
-index 9bed4ae27..262888b10 100644
---- a/tests/core/stream.c
-+++ b/tests/core/stream.c
-@@ -33,9 +33,8 @@ void test_core_stream__register_tls(void)
- cl_git_pass(git_stream_register_tls(NULL));
- error = git_tls_stream_new(&stream, "localhost", "443");
-
-- /* We don't have arbitrary TLS stream support on Windows
-- * or when openssl support is disabled (except on OSX
-- * with Security framework).
-+ /* We don't have TLS support enabled, or we're on Windows,
-+ * which has no arbitrary TLS stream support.
- */
- #if defined(GIT_WIN32) || !defined(GIT_HTTPS)
- cl_git_fail_with(-1, error);
diff --git a/deps/patches/libgit2-mbedtls2.patch b/deps/patches/libgit2-mbedtls2.patch
deleted file mode 100644
index 2bc02a3725..0000000000
--- a/deps/patches/libgit2-mbedtls2.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-Fixes mbedTLS support to link properly and not include libssl.so
-
-Tracked in upstream PR https://github.com/libgit2/libgit2/pull/4678
-
-NOTE: libgit2 has switched its CI to Azure Pipelines. The aforementioned PR makes modifications
-to the Travis YAML file, which has since been removed, causing patch conflicts. That part of
-the diff has thus been removed here.
-
-diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
-index 2b82bb325..2deed5f87 100644
---- a/src/CMakeLists.txt
-+++ b/src/CMakeLists.txt
-@@ -284,8 +284,13 @@ ELSEIF(SHA1_BACKEND STREQUAL "CommonCrypto")
- ELSEIF (SHA1_BACKEND STREQUAL "mbedTLS")
- ADD_FEATURE_INFO(SHA ON "using mbedTLS")
- SET(GIT_SHA1_MBEDTLS 1)
-- FILE(GLOB SRC_SHA1 src/hash/hash_mbedtls.c)
-- LIST(APPEND LIBGIT2_PC_REQUIRES "mbedtls")
-+ FILE(GLOB SRC_SHA1 hash/hash_mbedtls.c)
-+ LIST(APPEND LIBGIT2_INCLUDES ${MBEDTLS_INCLUDE_DIR})
-+ LIST(APPEND LIBGIT2_LIBS ${MBEDTLS_LIBRARIES})
-+ # mbedTLS has no pkgconfig file, hence we can't require it
-+ # https://github.com/ARMmbed/mbedtls/issues/228
-+ # For now, pass its link flags as our own
-+ LIST(APPEND LIBGIT2_PC_LIBS ${MBEDTLS_LIBRARIES})
- ELSE()
- MESSAGE(FATAL_ERROR "Asked for unknown SHA1 backend ${SHA1_BACKEND}")
- ENDIF()
diff --git a/stdlib/LibGit2/src/gitcredential.jl b/stdlib/LibGit2/src/gitcredential.jl
index 09c70d7d73..a0504b1c3d 100644
--- a/stdlib/LibGit2/src/gitcredential.jl
+++ b/stdlib/LibGit2/src/gitcredential.jl
@@ -263,6 +263,7 @@ function default_username(cfg::GitConfig, cred::GitCredential)
end
function use_http_path(cfg::GitConfig, cred::GitCredential)
+ seen_specific = false
use_path = false # Default is to ignore the path
# https://git-scm.com/docs/gitcredentials#gitcredentials-useHttpPath
@@ -272,8 +273,11 @@ function use_http_path(cfg::GitConfig, cred::GitCredential)
for entry in GitConfigIter(cfg, r"credential.*\.usehttppath")
section, url, name, value = split_cfg_entry(entry)
- ismatch(url, cred) || continue
- use_path = value == "true"
+ # Ignore global configuration if we have already encountered more specific entry
+ if ismatch(url, cred) && (!isempty(url) || !seen_specific)
+ seen_specific = !isempty(url)
+ use_path = value == "true"
+ end
end
return use_path
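Review bot: When two URL-scoped `credential.<url>.usehttppath` entries both match `cred`, the loop still lets whichever one the iterator returns last decide `use_path`, so the result stays order-dependent in the way the commit message describes for global versus specific entries. `seen_specific` (initialised in the previous hunk) only prevents an entry with an empty `url` from overriding a scoped one. Because this setting controls whether the path is considered when matching credentials, a wrong answer can let a credential stored for one repository be offered to another on the same host. Consider ranking matches by specificity, or state the tie-break explicitly, e.g. `# Among URL-scoped matches the last entry returned wins; a global entry never overrides a scoped one`. The function's closing `end` lies outside the hunk.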
--
2.20.1