Blob Blame Raw
From d0b5d9850fb7b51c7831d3897ad46e4d3478d322 Mon Sep 17 00:00:00 2001
From: Milan Bouchet-Valat <nalimilan@club.fr>
Date: Thu, 22 Aug 2019 11:55:11 +0200
Subject: [PATCH] Bump libgit2 to 0.28.2 (#32806)

This allows dropping MbedTLS patches which have been upstreamed.
The order in which configuration options are returned has changed, making a test fail:
make the code more robust by giving priority to more specific options over global ones.
---
 deps/Versions.make                  |   4 +-
 deps/libgit2.mk                     |  16 +-
 deps/libgit2.version                |   4 +-
 deps/patches/libgit2-mbedtls.patch  | 952 ----------------------------
 deps/patches/libgit2-mbedtls2.patch |  28 -
 stdlib/LibGit2/src/gitcredential.jl |   8 +-
 6 files changed, 12 insertions(+), 1000 deletions(-)
 delete mode 100644 deps/patches/libgit2-mbedtls.patch
 delete mode 100644 deps/patches/libgit2-mbedtls2.patch

diff --git a/deps/Versions.make b/deps/Versions.make
index ff103cbbe1..0fac074998 100644
--- a/deps/Versions.make
+++ b/deps/Versions.make
@@ -25,7 +25,7 @@ LIBSSH2_VER = 1.8.2
 LIBSSH2_BB_REL = 0
 CURL_VER = 7.61.0
 CURL_BB_REL = 1
-LIBGIT2_VER = 0.27.7
+LIBGIT2_VER = 0.28.2
 LIBGIT2_BB_REL = 1
 LIBUV_VER = 1.24.0
 LIBUV_BB_REL = 1
diff --git a/deps/libgit2.mk b/deps/libgit2.mk
index 845cfba273..ae634542b0 100644
--- a/deps/libgit2.mk
+++ b/deps/libgit2.mk
@@ -44,24 +44,12 @@ endif
 
 LIBGIT2_SRC_PATH := $(SRCCACHE)/$(LIBGIT2_SRC_DIR)
 
-$(LIBGIT2_SRC_PATH)/libgit2-mbedtls.patch-applied: $(SRCCACHE)/$(LIBGIT2_SRC_DIR)/source-extracted
-	cd $(LIBGIT2_SRC_PATH) && \
-		patch -p1 -f < $(SRCDIR)/patches/libgit2-mbedtls.patch
-	echo 1 > $@
-
-$(LIBGIT2_SRC_PATH)/libgit2-mbedtls2.patch-applied: $(SRCCACHE)/$(LIBGIT2_SRC_DIR)/source-extracted | $(LIBGIT2_SRC_PATH)/libgit2-mbedtls.patch-applied
-	cd $(LIBGIT2_SRC_PATH) && \
-		patch -p1 -f < $(SRCDIR)/patches/libgit2-mbedtls2.patch
-	echo 1 > $@
-
-$(LIBGIT2_SRC_PATH)/libgit2-agent-nonfatal.patch-applied: $(LIBGIT2_SRC_PATH)/source-extracted | $(LIBGIT2_SRC_PATH)/libgit2-mbedtls.patch-applied
+$(LIBGIT2_SRC_PATH)/libgit2-agent-nonfatal.patch-applied: $(LIBGIT2_SRC_PATH)/source-extracted
 	cd $(LIBGIT2_SRC_PATH) && \
 		patch -p1 -f < $(SRCDIR)/patches/libgit2-agent-nonfatal.patch
 	echo 1 > $@
 
 $(BUILDDIR)/$(LIBGIT2_SRC_DIR)/build-configured: \
-	$(LIBGIT2_SRC_PATH)/libgit2-mbedtls.patch-applied \
-	$(LIBGIT2_SRC_PATH)/libgit2-mbedtls2.patch-applied \
 	$(LIBGIT2_SRC_PATH)/libgit2-agent-nonfatal.patch-applied \
 
 $(BUILDDIR)/$(LIBGIT2_SRC_DIR)/build-configured: $(LIBGIT2_SRC_PATH)/source-extracted
@@ -109,7 +97,7 @@ $(build_prefix)/manifest/libgit2: $(build_datarootdir)/julia/cert.pem # use libg
 
 else # USE_BINARYBUILDER_LIBGIT2
 
-LIBGIT2_BB_URL_BASE := https://github.com/JuliaPackaging/Yggdrasil/releases/download/LibGit2-v$(LIBGIT2_VER)-$(LIBGIT2_BB_REL)
+LIBGIT2_BB_URL_BASE := https://github.com/JuliaPackaging/Yggdrasil/releases/download/LibGit2-v$(LIBGIT2_VER)+$(LIBGIT2_BB_REL)
 LIBGIT2_BB_NAME := LibGit2.v$(LIBGIT2_VER)
 $(eval $(call bb-install,libgit2,LIBGIT2,false))
 
diff --git a/deps/libgit2.version b/deps/libgit2.version
index d35b024233..f67bedc414 100644
--- a/deps/libgit2.version
+++ b/deps/libgit2.version
@@ -1,2 +1,2 @@
-LIBGIT2_BRANCH=v0.27.7
-LIBGIT2_SHA1=f23dc5b29f1394928a940d7ec447f4bfd53dad1f
+LIBGIT2_BRANCH=v0.28.2
+LIBGIT2_SHA1=b3e1a56ebb2b9291e82dc027ba9cbcfc3ead54d3
diff --git a/deps/patches/libgit2-mbedtls.patch b/deps/patches/libgit2-mbedtls.patch
deleted file mode 100644
index c54a7e78c1..0000000000
--- a/deps/patches/libgit2-mbedtls.patch
+++ /dev/null
@@ -1,952 +0,0 @@
-Enables MbedTLS support
-
-Upstream: https://github.com/libgit2/libgit2/pull/4173
-
-NOTE: libgit2 has switched its CI to Azure Pipelines. The aforementioned PR makes modifications
-to the Travis YAML file, which has since been removed, causing patch conflicts. That part of
-the diff has thus been removed here.
-
-git diff ca3b2234dc7f1bd0d0f81488d3e29980b47a85b4^..cb2da47e56159faaaf143943c74ffb8f60a988b1 > libgit2-mbedtls.patch
-
-mbedtls: initial support
-mbedtls: proper certificate verification
-mbedtls: use libmbedcrypto for hashing
-mbedtls: add global initialization
-mbedtls: default cipher list support
-mbedtls: fix libgit2 hanging due to incomplete writes
-mbedtls: enable Travis CI tests
-mbedtls: use our own certificate validation
-mbedtls: use mbedTLS certificate verification
-mbedtls: load default CA certificates
-mbedtls: display error codes as hex for consistency with mbedTLS docs
-tests: clarify comment
-cmake: make our preferred backend ordering consistent
-travis: just grab what we need from mbedtls
-travis: pass -fPIC when configuring mbedtls
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 2ca5354a7..9176eee04 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -48,7 +48,7 @@ OPTION( PROFILE				"Generate profiling information"		OFF )
- OPTION( ENABLE_TRACE		"Enables tracing support"				OFF )
- OPTION( LIBGIT2_FILENAME	"Name of the produced binary"			OFF )
- 
--SET(SHA1_BACKEND "CollisionDetection" CACHE STRING "Backend to use for SHA1. One of Generic, OpenSSL, Win32, CommonCrypto, CollisionDetection. ")
-+SET(SHA1_BACKEND "CollisionDetection" CACHE STRING "Backend to use for SHA1. One of Generic, OpenSSL, Win32, CommonCrypto, mbedTLS, CollisionDetection. ")
- OPTION( USE_SSH				"Link with libssh to enable SSH support" ON )
- OPTION( USE_HTTPS			"Enable HTTPS support. Can be set to a specific backend"	ON )
- OPTION( USE_GSSAPI			"Link with libgssapi for SPNEGO auth"   OFF )
-diff --git a/cmake/Modules/FindmbedTLS.cmake b/cmake/Modules/FindmbedTLS.cmake
-new file mode 100644
-index 000000000..93297555e
---- /dev/null
-+++ b/cmake/Modules/FindmbedTLS.cmake
-@@ -0,0 +1,93 @@
-+# - Try to find mbedTLS
-+# Once done this will define
-+#
-+# Read-Only variables
-+#  MBEDTLS_FOUND - system has mbedTLS
-+#  MBEDTLS_INCLUDE_DIR - the mbedTLS include directory
-+#  MBEDTLS_LIBRARY_DIR - the mbedTLS library directory
-+#  MBEDTLS_LIBRARIES - Link these to use mbedTLS
-+#  MBEDTLS_LIBRARY - path to mbedTLS library
-+#  MBEDX509_LIBRARY - path to mbedTLS X.509 library
-+#  MBEDCRYPTO_LIBRARY - path to mbedTLS Crypto library
-+#
-+# Hint
-+#  MBEDTLS_ROOT_DIR can be pointed to a local mbedTLS installation.
-+
-+SET(_MBEDTLS_ROOT_HINTS
-+    ${MBEDTLS_ROOT_DIR}
-+    ENV MBEDTLS_ROOT_DIR
-+)
-+
-+SET(_MBEDTLS_ROOT_HINTS_AND_PATHS
-+    HINTS ${_MBEDTLS_ROOT_HINTS}
-+    PATHS ${_MBEDTLS_ROOT_PATHS}
-+)
-+
-+FIND_PATH(MBEDTLS_INCLUDE_DIR
-+    NAMES mbedtls/version.h
-+    ${_MBEDTLS_ROOT_HINTS_AND_PATHS}
-+    PATH_SUFFIXES include
-+)
-+
-+IF(MBEDTLS_INCLUDE_DIR AND MBEDTLS_LIBRARIES)
-+    # Already in cache, be silent
-+    SET(MBEDTLS_FIND_QUIETLY TRUE)
-+ENDIF()
-+
-+FIND_LIBRARY(MBEDTLS_LIBRARY
-+    NAMES mbedtls libmbedtls
-+    ${_MBEDTLS_ROOT_HINTS_AND_PATHS}
-+    PATH_SUFFIXES library
-+)
-+FIND_LIBRARY(MBEDX509_LIBRARY
-+    NAMES mbedx509 libmbedx509
-+    ${_MBEDTLS_ROOT_HINTS_AND_PATHS}
-+    PATH_SUFFIXES library
-+)
-+FIND_LIBRARY(MBEDCRYPTO_LIBRARY
-+    NAMES mbedcrypto libmbedcrypto
-+    ${_MBEDTLS_ROOT_HINTS_AND_PATHS}
-+    PATH_SUFFIXES library
-+)
-+
-+IF(MBEDTLS_INCLUDE_DIR AND MBEDTLS_LIBRARY AND MBEDX509_LIBRARY AND MBEDCRYPTO_LIBRARY)
-+     SET(MBEDTLS_FOUND TRUE)
-+ENDIF()
-+
-+IF(MBEDTLS_FOUND)
-+    # split mbedTLS into -L and -l linker options, so we can set them for pkg-config
-+    GET_FILENAME_COMPONENT(MBEDTLS_LIBRARY_DIR ${MBEDTLS_LIBRARY} PATH)
-+    GET_FILENAME_COMPONENT(MBEDTLS_LIBRARY_FILE ${MBEDTLS_LIBRARY} NAME_WE)
-+    GET_FILENAME_COMPONENT(MBEDX509_LIBRARY_FILE ${MBEDX509_LIBRARY} NAME_WE)
-+    GET_FILENAME_COMPONENT(MBEDCRYPTO_LIBRARY_FILE ${MBEDCRYPTO_LIBRARY} NAME_WE)
-+    STRING(REGEX REPLACE "^lib" "" MBEDTLS_LIBRARY_FILE ${MBEDTLS_LIBRARY_FILE})
-+    STRING(REGEX REPLACE "^lib" "" MBEDX509_LIBRARY_FILE ${MBEDX509_LIBRARY_FILE})
-+    STRING(REGEX REPLACE "^lib" "" MBEDCRYPTO_LIBRARY_FILE ${MBEDCRYPTO_LIBRARY_FILE})
-+    SET(MBEDTLS_LIBRARIES "-L${MBEDTLS_LIBRARY_DIR} -l${MBEDTLS_LIBRARY_FILE} -l${MBEDX509_LIBRARY_FILE} -l${MBEDCRYPTO_LIBRARY_FILE}")
-+
-+    IF(NOT MBEDTLS_FIND_QUIETLY)
-+        MESSAGE(STATUS "Found mbedTLS:")
-+        FILE(READ ${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h MBEDTLSCONTENT)
-+        STRING(REGEX MATCH "MBEDTLS_VERSION_STRING +\"[0-9|.]+\"" MBEDTLSMATCH ${MBEDTLSCONTENT})
-+        IF (MBEDTLSMATCH)
-+            STRING(REGEX REPLACE "MBEDTLS_VERSION_STRING +\"([0-9|.]+)\"" "\\1" MBEDTLS_VERSION ${MBEDTLSMATCH})
-+            MESSAGE(STATUS "  version ${MBEDTLS_VERSION}")
-+        ENDIF(MBEDTLSMATCH)
-+        MESSAGE(STATUS "  TLS: ${MBEDTLS_LIBRARY}")
-+        MESSAGE(STATUS "  X509: ${MBEDX509_LIBRARY}")
-+        MESSAGE(STATUS "  Crypto: ${MBEDCRYPTO_LIBRARY}")
-+    ENDIF(NOT MBEDTLS_FIND_QUIETLY)
-+ELSE(MBEDTLS_FOUND)
-+    IF(MBEDTLS_FIND_REQUIRED)
-+        MESSAGE(FATAL_ERROR "Could not find mbedTLS")
-+    ENDIF(MBEDTLS_FIND_REQUIRED)
-+ENDIF(MBEDTLS_FOUND)
-+
-+MARK_AS_ADVANCED(
-+    MBEDTLS_INCLUDE_DIR
-+    MBEDTLS_LIBRARY_DIR
-+    MBEDTLS_LIBRARIES
-+    MBEDTLS_LIBRARY
-+    MBEDX509_LIBRARY
-+    MBEDCRYPTO_LIBRARY
-+)
-diff --git a/script/install-deps-linux.sh b/script/install-deps-linux.sh
-new file mode 100755
-index 000000000..99cbde4e0
---- /dev/null
-+++ b/script/install-deps-linux.sh
-@@ -0,0 +1,13 @@
-+#!/bin/sh
-+
-+set -x
-+
-+if [ "$MBEDTLS" ]; then
-+  git clone --depth 10 --single-branch --branch mbedtls-2.6.1 https://github.com/ARMmbed/mbedtls.git ./deps/mbedtls
-+  cd ./deps/mbedtls
-+  # We pass -fPIC explicitely because we'll include it in libgit2.so
-+  CFLAGS=-fPIC cmake -DENABLE_PROGRAMS=OFF -DENABLE_TESTING=OFF -DUSE_SHARED_MBEDTLS_LIBRARY=OFF -DUSE_STATIC_MBEDTLS_LIBRARY=ON .
-+  cmake --build .
-+
-+  echo "mbedTLS built in `pwd`"
-+fi
-diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
-index b03b96af9..0f5d78547 100644
---- a/src/CMakeLists.txt
-+++ b/src/CMakeLists.txt
-@@ -133,6 +133,9 @@ ELSE ()
- ENDIF()
- 
- IF (USE_HTTPS)
-+	# We try to find any packages our backends might use
-+	FIND_PACKAGE(OpenSSL)
-+	FIND_PACKAGE(mbedTLS)
- 	IF (CMAKE_SYSTEM_NAME MATCHES "Darwin")
- 		FIND_PACKAGE(Security)
- 		FIND_PACKAGE(CoreFoundation)
-@@ -149,8 +152,13 @@ IF (USE_HTTPS)
- 			ENDIF()
- 		ELSEIF (WINHTTP)
- 			SET(HTTPS_BACKEND "WinHTTP")
--		ELSE()
-+		ELSEIF(OPENSSL_FOUND)
- 			SET(HTTPS_BACKEND "OpenSSL")
-+		ELSEIF(MBEDTLS_FOUND)
-+			SET(HTTPS_BACKEND "mbedTLS")
-+		ELSE()
-+			MESSAGE(FATAL_ERROR "Unable to autodetect a usable HTTPS backend."
-+				"Please pass the backend name explicitly (-DUSE_HTTPS=backend)")
- 		ENDIF()
- 	ELSE()
- 		# Backend was explicitly set
-@@ -174,8 +182,6 @@ IF (USE_HTTPS)
- 		LIST(APPEND LIBGIT2_LIBS ${COREFOUNDATION_LIBRARIES} ${SECURITY_LIBRARIES})
- 		LIST(APPEND LIBGIT2_PC_LIBS ${COREFOUNDATION_LDFLAGS} ${SECURITY_LDFLAGS})
- 	ELSEIF (HTTPS_BACKEND STREQUAL "OpenSSL")
--		FIND_PACKAGE(OpenSSL)
--
- 		IF (NOT OPENSSL_FOUND)
- 			MESSAGE(FATAL_ERROR "Asked for OpenSSL TLS backend, but it wasn't found")
- 		ENDIF()
-@@ -185,6 +191,53 @@ IF (USE_HTTPS)
- 		LIST(APPEND LIBGIT2_LIBS ${OPENSSL_LIBRARIES})
- 		LIST(APPEND LIBGIT2_PC_LIBS ${OPENSSL_LDFLAGS})
- 		LIST(APPEND LIBGIT2_PC_REQUIRES "openssl")
-+	ELSEIF(HTTPS_BACKEND STREQUAL "mbedTLS")
-+		IF (NOT MBEDTLS_FOUND)
-+			MESSAGE(FATAL_ERROR "Asked for mbedTLS backend, but it wasn't found")
-+		ENDIF()
-+
-+		IF(NOT CERT_LOCATION)
-+			MESSAGE("Auto-detecting default certificates location")
-+			IF(CMAKE_SYSTEM_NAME MATCHES Darwin)
-+				# Check for an Homebrew installation
-+				SET(OPENSSL_CMD "/usr/local/opt/openssl/bin/openssl")
-+			ELSE()
-+				SET(OPENSSL_CMD "openssl")
-+			ENDIF()
-+			EXECUTE_PROCESS(COMMAND ${OPENSSL_CMD} version -d OUTPUT_VARIABLE OPENSSL_DIR OUTPUT_STRIP_TRAILING_WHITESPACE)
-+			IF(OPENSSL_DIR)
-+				STRING(REGEX REPLACE "^OPENSSLDIR: \"(.*)\"$" "\\1/" OPENSSL_DIR ${OPENSSL_DIR})
-+
-+				SET(OPENSSL_CA_LOCATIONS
-+					"ca-bundle.pem"             # OpenSUSE Leap 42.1
-+					"cert.pem"                  # Ubuntu 14.04, FreeBSD
-+					"certs/ca-certificates.crt" # Ubuntu 16.04
-+					"certs/ca.pem"              # Debian 7
-+				)
-+				FOREACH(SUFFIX IN LISTS OPENSSL_CA_LOCATIONS)
-+					SET(LOC "${OPENSSL_DIR}${SUFFIX}")
-+					IF(NOT CERT_LOCATION AND EXISTS "${OPENSSL_DIR}${SUFFIX}")
-+						SET(CERT_LOCATION ${LOC})
-+					ENDIF()
-+				ENDFOREACH()
-+			ELSE()
-+				MESSAGE("Unable to find OpenSSL executable. Please provide default certificate location via CERT_LOCATION")
-+			ENDIF()
-+		ENDIF()
-+
-+		IF(CERT_LOCATION)
-+			IF(NOT EXISTS ${CERT_LOCATION})
-+				MESSAGE(FATAL_ERROR "Cannot use CERT_LOCATION=${CERT_LOCATION} as it doesn't exist")
-+			ENDIF()
-+			ADD_FEATURE_INFO(CERT_LOCATION ON "using certificates from ${CERT_LOCATION}")
-+			ADD_DEFINITIONS(-DGIT_DEFAULT_CERT_LOCATION="${CERT_LOCATION}")
-+		ENDIF()
-+
-+		SET(GIT_MBEDTLS 1)
-+		LIST(APPEND LIBGIT2_INCLUDES ${MBEDTLS_INCLUDE_DIR})
-+		LIST(APPEND LIBGIT2_LIBS ${MBEDTLS_LIBRARIES})
-+		LIST(APPEND LIBGIT2_PC_LIBS ${MBEDTLS_LDFLAGS})
-+		LIST(APPEND LIBGIT2_PC_REQUIRES "mbedtls")
- 	ELSEIF (HTTPS_BACKEND STREQUAL "WinHTTP")
- 		# WinHTTP setup was handled in the WinHTTP-specific block above
- 	ELSE()
-@@ -230,6 +283,11 @@ ELSEIF(SHA1_BACKEND STREQUAL "Win32")
- ELSEIF(SHA1_BACKEND STREQUAL "CommonCrypto")
- 	ADD_FEATURE_INFO(SHA ON "using CommonCrypto")
- 	SET(GIT_SHA1_COMMON_CRYPTO 1)
-+ELSEIF (SHA1_BACKEND STREQUAL "mbedTLS")
-+	ADD_FEATURE_INFO(SHA ON "using mbedTLS")
-+	SET(GIT_SHA1_MBEDTLS 1)
-+	FILE(GLOB SRC_SHA1 src/hash/hash_mbedtls.c)
-+	LIST(APPEND LIBGIT2_PC_REQUIRES "mbedtls")
- ELSE()
- 	MESSAGE(FATAL_ERROR "Asked for unknown SHA1 backend ${SHA1_BACKEND}")
- ENDIF()
-diff --git a/src/features.h.in b/src/features.h.in
-index e03b7a251..f414c5843 100644
---- a/src/features.h.in
-+++ b/src/features.h.in
-@@ -27,10 +27,12 @@
- #cmakedefine GIT_HTTPS 1
- #cmakedefine GIT_OPENSSL 1
- #cmakedefine GIT_SECURE_TRANSPORT 1
-+#cmakedefine GIT_MBEDTLS 1
- 
- #cmakedefine GIT_SHA1_COLLISIONDETECT 1
- #cmakedefine GIT_SHA1_WIN32 1
- #cmakedefine GIT_SHA1_COMMON_CRYPTO 1
- #cmakedefine GIT_SHA1_OPENSSL 1
-+#cmakedefine GIT_SHA1_MBEDTLS 1
- 
- #endif
-diff --git a/src/global.c b/src/global.c
-index 2f9b45bcd..02aedf57d 100644
---- a/src/global.c
-+++ b/src/global.c
-@@ -12,6 +12,7 @@
- #include "filter.h"
- #include "merge_driver.h"
- #include "streams/curl.h"
-+#include "streams/mbedtls.h"
- #include "streams/openssl.h"
- #include "thread-utils.h"
- #include "git2/global.h"
-@@ -65,7 +66,8 @@ static int init_common(void)
- 		(ret = git_merge_driver_global_init()) == 0 &&
- 		(ret = git_transport_ssh_global_init()) == 0 &&
- 		(ret = git_openssl_stream_global_init()) == 0 &&
--		(ret = git_curl_stream_global_init()) == 0)
-+		(ret = git_curl_stream_global_init()) == 0 &&
-+		(ret = git_mbedtls_stream_global_init()) == 0)
- 		ret = git_mwindow_global_init();
- 
- 	GIT_MEMORY_BARRIER;
-diff --git a/src/hash.h b/src/hash.h
-index 31eaf8889..93765adf3 100644
---- a/src/hash.h
-+++ b/src/hash.h
-@@ -26,6 +26,8 @@ void git_hash_ctx_cleanup(git_hash_ctx *ctx);
- # include "hash/hash_openssl.h"
- #elif defined(GIT_SHA1_WIN32)
- # include "hash/hash_win32.h"
-+#elif defined(GIT_SHA1_MBEDTLS)
-+# include "hash/hash_mbedtls.h"
- #else
- # include "hash/hash_generic.h"
- #endif
-diff --git a/src/hash/hash_mbedtls.c b/src/hash/hash_mbedtls.c
-new file mode 100644
-index 000000000..a19d76308
---- /dev/null
-+++ b/src/hash/hash_mbedtls.c
-@@ -0,0 +1,38 @@
-+/*
-+ * Copyright (C) the libgit2 contributors. All rights reserved.
-+ *
-+ * This file is part of libgit2, distributed under the GNU GPL v2 with
-+ * a Linking Exception. For full terms see the included COPYING file.
-+ */
-+
-+#include "common.h"
-+#include "hash.h"
-+#include "hash/hash_mbedtls.h"
-+
-+void git_hash_ctx_cleanup(git_hash_ctx *ctx)
-+{
-+    assert(ctx);
-+    mbedtls_sha1_free(&ctx->c);
-+}
-+
-+int git_hash_init(git_hash_ctx *ctx)
-+{
-+    assert(ctx);
-+    mbedtls_sha1_init(&ctx->c);
-+    mbedtls_sha1_starts(&ctx->c);
-+    return 0;
-+}
-+
-+int git_hash_update(git_hash_ctx *ctx, const void *data, size_t len)
-+{
-+    assert(ctx);
-+    mbedtls_sha1_update(&ctx->c, data, len);
-+    return 0;
-+}
-+
-+int git_hash_final(git_oid *out, git_hash_ctx *ctx)
-+{
-+    assert(ctx);
-+    mbedtls_sha1_finish(&ctx->c, out->id);
-+    return 0;
-+}
-diff --git a/src/hash/hash_mbedtls.h b/src/hash/hash_mbedtls.h
-new file mode 100644
-index 000000000..24196c5bf
---- /dev/null
-+++ b/src/hash/hash_mbedtls.h
-@@ -0,0 +1,20 @@
-+/*
-+ * Copyright (C) the libgit2 contributors. All rights reserved.
-+ *
-+ * This file is part of libgit2, distributed under the GNU GPL v2 with
-+ * a Linking Exception. For full terms see the included COPYING file.
-+ */
-+
-+#ifndef INCLUDE_hash_mbedtld_h__
-+#define INCLUDE_hash_mbedtld_h__
-+
-+#include <mbedtls/sha1.h>
-+
-+struct git_hash_ctx {
-+    mbedtls_sha1_context c;
-+};
-+
-+#define git_hash_global_init() 0
-+#define git_hash_ctx_init(ctx) git_hash_init(ctx)
-+
-+#endif /* INCLUDE_hash_mbedtld_h__ */
-diff --git a/src/settings.c b/src/settings.c
-index 2a52ffbf6..f6bc5b270 100644
---- a/src/settings.c
-+++ b/src/settings.c
-@@ -11,6 +11,10 @@
- # include <openssl/err.h>
- #endif
- 
-+#ifdef GIT_MBEDTLS
-+# include <mbedtls/error.h>
-+#endif
-+
- #include <git2.h>
- #include "sysdir.h"
- #include "cache.h"
-@@ -20,6 +24,7 @@
- #include "refs.h"
- #include "transports/smart.h"
- #include "streams/openssl.h"
-+#include "streams/mbedtls.h"
- 
- void git_libgit2_version(int *major, int *minor, int *rev)
- {
-@@ -175,6 +180,15 @@ int git_libgit2_opts(int key, ...)
- 			const char *path = va_arg(ap, const char *);
- 			error = git_openssl__set_cert_location(file, path);
- 		}
-+#elif defined(GIT_MBEDTLS)
-+		{
-+			const char *file = va_arg(ap, const char *);
-+			const char *path = va_arg(ap, const char *);
-+			if (file)
-+				error = git_mbedtls__set_cert_location(file, 0);
-+			if (error && path)
-+				error = git_mbedtls__set_cert_location(path, 1);
-+		}
- #else
- 		giterr_set(GITERR_SSL, "TLS backend doesn't support certificate locations");
- 		error = -1;
-@@ -199,7 +213,7 @@ int git_libgit2_opts(int key, ...)
- 		break;
- 
- 	case GIT_OPT_SET_SSL_CIPHERS:
--#ifdef GIT_OPENSSL
-+#if (GIT_OPENSSL || GIT_MBEDTLS)
- 		{
- 			git__free(git__ssl_ciphers);
- 			git__ssl_ciphers = git__strdup(va_arg(ap, const char *));
-diff --git a/src/streams/mbedtls.c b/src/streams/mbedtls.c
-new file mode 100644
-index 000000000..0a49a36a6
---- /dev/null
-+++ b/src/streams/mbedtls.c
-@@ -0,0 +1,452 @@
-+/*
-+ * Copyright (C) the libgit2 contributors. All rights reserved.
-+ *
-+ * This file is part of libgit2, distributed under the GNU GPL v2 with
-+ * a Linking Exception. For full terms see the included COPYING file.
-+ */
-+
-+#include "streams/mbedtls.h"
-+
-+#ifdef GIT_MBEDTLS
-+
-+#include <ctype.h>
-+
-+#include "global.h"
-+#include "stream.h"
-+#include "streams/socket.h"
-+#include "netops.h"
-+#include "git2/transport.h"
-+#include "util.h"
-+
-+#ifdef GIT_CURL
-+# include "streams/curl.h"
-+#endif
-+
-+#ifndef GIT_DEFAULT_CERT_LOCATION
-+#define GIT_DEFAULT_CERT_LOCATION NULL
-+#endif
-+
-+#include <mbedtls/config.h>
-+#include <mbedtls/ssl.h>
-+#include <mbedtls/error.h>
-+#include <mbedtls/entropy.h>
-+#include <mbedtls/ctr_drbg.h>
-+
-+mbedtls_ssl_config *git__ssl_conf;
-+mbedtls_entropy_context *mbedtls_entropy;
-+
-+#define GIT_SSL_DEFAULT_CIPHERS "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-DSS-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-DSS-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-128-CBC-SHA256:TLS-DHE-DSS-WITH-AES-256-CBC-SHA256:TLS-DHE-DSS-WITH-AES-128-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-128-GCM-SHA256:TLS-RSA-WITH-AES-256-GCM-SHA384:TLS-RSA-WITH-AES-128-CBC-SHA256:TLS-RSA-WITH-AES-256-CBC-SHA256:TLS-RSA-WITH-AES-128-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA"
-+#define GIT_SSL_DEFAULT_CIPHERS_COUNT 30
-+
-+/**
-+ * This function aims to clean-up the SSL context which
-+ * we allocated.
-+ */
-+static void shutdown_ssl(void)
-+{
-+	if (git__ssl_conf) {
-+		mbedtls_x509_crt_free(git__ssl_conf->ca_chain);
-+		git__free(git__ssl_conf->ca_chain);
-+		mbedtls_ctr_drbg_free(git__ssl_conf->p_rng);
-+		git__free(git__ssl_conf->p_rng);
-+		mbedtls_ssl_config_free(git__ssl_conf);
-+		git__free(git__ssl_conf);
-+		git__ssl_conf = NULL;
-+	}
-+	if (mbedtls_entropy) {
-+		mbedtls_entropy_free(mbedtls_entropy);
-+		git__free(mbedtls_entropy);
-+		mbedtls_entropy = NULL;
-+	}
-+}
-+
-+int git_mbedtls__set_cert_location(const char *path, int is_dir);
-+
-+int git_mbedtls_stream_global_init(void)
-+{
-+	int loaded = 0;
-+	char *crtpath = GIT_DEFAULT_CERT_LOCATION;
-+	struct stat statbuf;
-+	mbedtls_ctr_drbg_context *ctr_drbg = NULL;
-+
-+	int *ciphers_list = NULL;
-+	int ciphers_known = 0;
-+	char *cipher_name = NULL;
-+	char *cipher_string = NULL;
-+	char *cipher_string_tmp = NULL;
-+
-+	mbedtls_x509_crt *cacert = NULL;
-+
-+	git__ssl_conf = git__malloc(sizeof(mbedtls_ssl_config));
-+	mbedtls_ssl_config_init(git__ssl_conf);
-+	if (mbedtls_ssl_config_defaults(git__ssl_conf,
-+		                            MBEDTLS_SSL_IS_CLIENT,
-+		                            MBEDTLS_SSL_TRANSPORT_STREAM,
-+		                            MBEDTLS_SSL_PRESET_DEFAULT) != 0) {
-+		giterr_set(GITERR_SSL, "failed to initialize mbedTLS");
-+		goto cleanup;
-+	}
-+
-+	/* configure TLSv1 */
-+	mbedtls_ssl_conf_min_version(git__ssl_conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0);
-+
-+	/* verify_server_cert is responsible for making the check.
-+	 * OPTIONAL because REQUIRED drops the certificate as soon as the check
-+	 * is made, so we can never see the certificate and override it. */
-+	mbedtls_ssl_conf_authmode(git__ssl_conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
-+
-+	/* set the list of allowed ciphersuites */
-+	ciphers_list = calloc(GIT_SSL_DEFAULT_CIPHERS_COUNT, sizeof(int));
-+	ciphers_known = 0;
-+	cipher_string = cipher_string_tmp = git__strdup(GIT_SSL_DEFAULT_CIPHERS);
-+	while ((cipher_name = git__strtok(&cipher_string_tmp, ":")) != NULL) {
-+		int cipherid = mbedtls_ssl_get_ciphersuite_id(cipher_name);
-+		if (cipherid == 0) continue;
-+
-+		ciphers_list[ciphers_known++] = cipherid;
-+	}
-+	git__free(cipher_string);
-+
-+	if (!ciphers_known) {
-+		giterr_set(GITERR_SSL, "no cipher could be enabled");
-+		goto cleanup;
-+	}
-+	mbedtls_ssl_conf_ciphersuites(git__ssl_conf, ciphers_list);
-+
-+	/* Seeding the random number generator */
-+	mbedtls_entropy = git__malloc(sizeof(mbedtls_entropy_context));
-+	mbedtls_entropy_init(mbedtls_entropy);
-+
-+	ctr_drbg = git__malloc(sizeof(mbedtls_ctr_drbg_context));
-+	mbedtls_ctr_drbg_init(ctr_drbg);
-+	if (mbedtls_ctr_drbg_seed(ctr_drbg,
-+		                      mbedtls_entropy_func,
-+		                      mbedtls_entropy, NULL, 0) != 0) {
-+		giterr_set(GITERR_SSL, "failed to initialize mbedTLS entropy pool");
-+		goto cleanup;
-+	}
-+
-+	mbedtls_ssl_conf_rng(git__ssl_conf, mbedtls_ctr_drbg_random, ctr_drbg);
-+
-+	/* load default certificates */
-+	if (crtpath != NULL && stat(crtpath, &statbuf) == 0 && S_ISREG(statbuf.st_mode))
-+		loaded = (git_mbedtls__set_cert_location(crtpath, 0) == 0);
-+	if (!loaded && crtpath != NULL && stat(crtpath, &statbuf) == 0 && S_ISDIR(statbuf.st_mode))
-+		loaded = (git_mbedtls__set_cert_location(crtpath, 1) == 0);
-+
-+	git__on_shutdown(shutdown_ssl);
-+
-+	return 0;
-+
-+cleanup:
-+	mbedtls_x509_crt_free(cacert);
-+	git__free(cacert);
-+	mbedtls_ctr_drbg_free(ctr_drbg);
-+	git__free(ctr_drbg);
-+	mbedtls_ssl_config_free(git__ssl_conf);
-+	git__free(git__ssl_conf);
-+	git__ssl_conf = NULL;
-+
-+	return -1;
-+}
-+
-+mbedtls_ssl_config *git__ssl_conf;
-+
-+static int bio_read(void *b, unsigned char *buf, size_t len)
-+{
-+	git_stream *io = (git_stream *) b;
-+	return (int) git_stream_read(io, buf, len);
-+}
-+
-+static int bio_write(void *b, const unsigned char *buf, size_t len)
-+{
-+	git_stream *io = (git_stream *) b;
-+	return (int) git_stream_write(io, (const char *)buf, len, 0);
-+}
-+
-+static int ssl_set_error(mbedtls_ssl_context *ssl, int error)
-+{
-+	char errbuf[512];
-+	int ret = -1;
-+
-+	assert(error != MBEDTLS_ERR_SSL_WANT_READ);
-+	assert(error != MBEDTLS_ERR_SSL_WANT_WRITE);
-+
-+	if (error != 0)
-+		mbedtls_strerror( error, errbuf, 512 );
-+
-+	switch(error) {
-+		case 0:
-+		giterr_set(GITERR_SSL, "SSL error: unknown error");
-+		break;
-+
-+	case MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:
-+		giterr_set(GITERR_SSL, "SSL error: %#04x [%x] - %s", error, ssl->session_negotiate->verify_result, errbuf);
-+		ret = GIT_ECERTIFICATE;
-+		break;
-+
-+	default:
-+		giterr_set(GITERR_SSL, "SSL error: %#04x - %s", error, errbuf);
-+	}
-+
-+	return ret;
-+}
-+
-+static int ssl_teardown(mbedtls_ssl_context *ssl)
-+{
-+	int ret = 0;
-+
-+	ret = mbedtls_ssl_close_notify(ssl);
-+	if (ret < 0)
-+		ret = ssl_set_error(ssl, ret);
-+
-+	mbedtls_ssl_free(ssl);
-+	return ret;
-+}
-+
-+static int verify_server_cert(mbedtls_ssl_context *ssl)
-+{
-+	int ret = -1;
-+
-+	if ((ret = mbedtls_ssl_get_verify_result(ssl)) != 0) {
-+		char vrfy_buf[512];
-+		int len = mbedtls_x509_crt_verify_info(vrfy_buf, sizeof(vrfy_buf), "", ret);
-+		if (len >= 1) vrfy_buf[len - 1] = '\0'; /* Remove trailing \n */
-+		giterr_set(GITERR_SSL, "the SSL certificate is invalid: %#04x - %s", ret, vrfy_buf);
-+		return GIT_ECERTIFICATE;
-+	}
-+
-+	return 0;
-+}
-+
-+typedef struct {
-+	git_stream parent;
-+	git_stream *io;
-+	bool connected;
-+	char *host;
-+	mbedtls_ssl_context *ssl;
-+	git_cert_x509 cert_info;
-+} mbedtls_stream;
-+
-+
-+int mbedtls_connect(git_stream *stream)
-+{
-+	int ret;
-+	mbedtls_stream *st = (mbedtls_stream *) stream;
-+
-+	if ((ret = git_stream_connect(st->io)) < 0)
-+		return ret;
-+
-+	st->connected = true;
-+
-+	mbedtls_ssl_set_hostname(st->ssl, st->host);
-+
-+	mbedtls_ssl_set_bio(st->ssl, st->io, bio_write, bio_read, NULL);
-+
-+	if ((ret = mbedtls_ssl_handshake(st->ssl)) != 0)
-+		return ssl_set_error(st->ssl, ret);
-+
-+	return verify_server_cert(st->ssl);
-+}
-+
-+int mbedtls_certificate(git_cert **out, git_stream *stream)
-+{
-+	unsigned char *encoded_cert;
-+	mbedtls_stream *st = (mbedtls_stream *) stream;
-+
-+	const mbedtls_x509_crt *cert = mbedtls_ssl_get_peer_cert(st->ssl);
-+	if (!cert) {
-+		giterr_set(GITERR_SSL, "the server did not provide a certificate");
-+		return -1;
-+	}
-+
-+	/* Retrieve the length of the certificate first */
-+	if (cert->raw.len == 0) {
-+		giterr_set(GITERR_NET, "failed to retrieve certificate information");
-+		return -1;
-+	}
-+
-+	encoded_cert = git__malloc(cert->raw.len);
-+	GITERR_CHECK_ALLOC(encoded_cert);
-+	memcpy(encoded_cert, cert->raw.p, cert->raw.len);
-+
-+	st->cert_info.parent.cert_type = GIT_CERT_X509;
-+	st->cert_info.data = encoded_cert;
-+	st->cert_info.len = cert->raw.len;
-+
-+	*out = &st->cert_info.parent;
-+
-+	return 0;
-+}
-+
-+static int mbedtls_set_proxy(git_stream *stream, const git_proxy_options *proxy_options)
-+{
-+	mbedtls_stream *st = (mbedtls_stream *) stream;
-+
-+	return git_stream_set_proxy(st->io, proxy_options);
-+}
-+
-+ssize_t mbedtls_stream_write(git_stream *stream, const char *data, size_t len, int flags)
-+{
-+	size_t read = 0;
-+	mbedtls_stream *st = (mbedtls_stream *) stream;
-+
-+	GIT_UNUSED(flags);
-+
-+	do {
-+		int error = mbedtls_ssl_write(st->ssl, (const unsigned char *)data + read, len - read);
-+		if (error <= 0) {
-+			return ssl_set_error(st->ssl, error);
-+		}
-+		read += error;
-+	} while (read < len);
-+
-+	return read;
-+}
-+
-+ssize_t mbedtls_stream_read(git_stream *stream, void *data, size_t len)
-+{
-+	mbedtls_stream *st = (mbedtls_stream *) stream;
-+	int ret;
-+
-+	if ((ret = mbedtls_ssl_read(st->ssl, (unsigned char *)data, len)) <= 0)
-+		ssl_set_error(st->ssl, ret);
-+
-+	return ret;
-+}
-+
-+int mbedtls_stream_close(git_stream *stream)
-+{
-+	mbedtls_stream *st = (mbedtls_stream *) stream;
-+	int ret = 0;
-+
-+	if (st->connected && (ret = ssl_teardown(st->ssl)) != 0)
-+		return -1;
-+
-+	st->connected = false;
-+
-+	return git_stream_close(st->io);
-+}
-+
-+void mbedtls_stream_free(git_stream *stream)
-+{
-+	mbedtls_stream *st = (mbedtls_stream *) stream;
-+
-+	git__free(st->host);
-+	git__free(st->cert_info.data);
-+	git_stream_free(st->io);
-+	git__free(st->ssl);
-+	git__free(st);
-+}
-+
-+int git_mbedtls_stream_new(git_stream **out, const char *host, const char *port)
-+{
-+	int error;
-+	mbedtls_stream *st;
-+
-+	st = git__calloc(1, sizeof(mbedtls_stream));
-+	GITERR_CHECK_ALLOC(st);
-+
-+#ifdef GIT_CURL
-+	error = git_curl_stream_new(&st->io, host, port);
-+#else
-+	error = git_socket_stream_new(&st->io, host, port);
-+#endif
-+
-+	if (error < 0)
-+		goto out_err;
-+
-+	st->ssl = git__malloc(sizeof(mbedtls_ssl_context));
-+	GITERR_CHECK_ALLOC(st->ssl);
-+	mbedtls_ssl_init(st->ssl);
-+	if (mbedtls_ssl_setup(st->ssl, git__ssl_conf)) {
-+		giterr_set(GITERR_SSL, "failed to create ssl object");
-+		error = -1;
-+		goto out_err;
-+	}
-+
-+	st->host = git__strdup(host);
-+	GITERR_CHECK_ALLOC(st->host);
-+
-+	st->parent.version = GIT_STREAM_VERSION;
-+	st->parent.encrypted = 1;
-+	st->parent.proxy_support = git_stream_supports_proxy(st->io);
-+	st->parent.connect = mbedtls_connect;
-+	st->parent.certificate = mbedtls_certificate;
-+	st->parent.set_proxy = mbedtls_set_proxy;
-+	st->parent.read = mbedtls_stream_read;
-+	st->parent.write = mbedtls_stream_write;
-+	st->parent.close = mbedtls_stream_close;
-+	st->parent.free = mbedtls_stream_free;
-+
-+	*out = (git_stream *) st;
-+	return 0;
-+
-+out_err:
-+	mbedtls_ssl_free(st->ssl);
-+	git_stream_free(st->io);
-+	git__free(st);
-+
-+	return error;
-+}
-+
-+int git_mbedtls__set_cert_location(const char *path, int is_dir)
-+{
-+	int ret = 0;
-+	char errbuf[512];
-+	mbedtls_x509_crt *cacert;
-+
-+	assert(path != NULL);
-+
-+	cacert = git__malloc(sizeof(mbedtls_x509_crt));
-+	mbedtls_x509_crt_init(cacert);
-+	if (is_dir) {
-+		ret = mbedtls_x509_crt_parse_path(cacert, path);
-+	} else {
-+		ret = mbedtls_x509_crt_parse_file(cacert, path);
-+	}
-+	/* mbedtls_x509_crt_parse_path returns the number of invalid certs on success */
-+	if (ret < 0) {
-+		mbedtls_x509_crt_free(cacert);
-+		git__free(cacert);
-+		mbedtls_strerror( ret, errbuf, 512 );
-+		giterr_set(GITERR_SSL, "failed to load CA certificates: %#04x - %s", ret, errbuf);
-+		return -1;
-+	}
-+
-+	mbedtls_x509_crt_free(git__ssl_conf->ca_chain);
-+	git__free(git__ssl_conf->ca_chain);
-+	mbedtls_ssl_conf_ca_chain(git__ssl_conf, cacert, NULL);
-+
-+	return 0;
-+}
-+
-+#else
-+
-+#include "stream.h"
-+
-+int git_mbedtls_stream_global_init(void)
-+{
-+	return 0;
-+}
-+
-+int git_mbedtls_stream_new(git_stream **out, const char *host, const char *port)
-+{
-+	GIT_UNUSED(out);
-+	GIT_UNUSED(host);
-+	GIT_UNUSED(port);
-+
-+	giterr_set(GITERR_SSL, "mbedTLS is not supported in this version");
-+	return -1;
-+}
-+
-+int git_mbedtls__set_cert_location(const char *path, int is_dir)
-+{
-+	GIT_UNUSED(path);
-+	GIT_UNUSED(is_dir);
-+
-+	giterr_set(GITERR_SSL, "mbedTLS is not supported in this version");
-+	return -1;
-+}
-+
-+#endif
-diff --git a/src/streams/mbedtls.h b/src/streams/mbedtls.h
-new file mode 100644
-index 000000000..7283698ff
---- /dev/null
-+++ b/src/streams/mbedtls.h
-@@ -0,0 +1,20 @@
-+/*
-+ * Copyright (C) the libgit2 contributors. All rights reserved.
-+ *
-+ * This file is part of libgit2, distributed under the GNU GPL v2 with
-+ * a Linking Exception. For full terms see the included COPYING file.
-+ */
-+#ifndef INCLUDE_steams_mbedtls_h__
-+#define INCLUDE_steams_mbedtls_h__
-+
-+#include "common.h"
-+
-+#include "git2/sys/stream.h"
-+
-+extern int git_mbedtls_stream_global_init(void);
-+
-+extern int git_mbedtls_stream_new(git_stream **out, const char *host, const char *port);
-+
-+extern int git_mbedtls__set_cert_location(const char *path, int is_dir);
-+
-+#endif
-diff --git a/src/streams/tls.c b/src/streams/tls.c
-index d6ca7d40d..1bcb0d984 100644
---- a/src/streams/tls.c
-+++ b/src/streams/tls.c
-@@ -9,6 +9,7 @@
- 
- #include "git2/errors.h"
- 
-+#include "streams/mbedtls.h"
- #include "streams/openssl.h"
- #include "streams/stransport.h"
- 
-@@ -31,6 +32,8 @@ int git_tls_stream_new(git_stream **out, const char *host, const char *port)
- 	return git_stransport_stream_new(out, host, port);
- #elif defined(GIT_OPENSSL)
- 	return git_openssl_stream_new(out, host, port);
-+#elif defined(GIT_MBEDTLS)
-+	return git_mbedtls_stream_new(out, host, port);
- #else
- 	GIT_UNUSED(out);
- 	GIT_UNUSED(host);
-diff --git a/tests/core/stream.c b/tests/core/stream.c
-index 9bed4ae27..262888b10 100644
---- a/tests/core/stream.c
-+++ b/tests/core/stream.c
-@@ -33,9 +33,8 @@ void test_core_stream__register_tls(void)
- 	cl_git_pass(git_stream_register_tls(NULL));
- 	error = git_tls_stream_new(&stream, "localhost", "443");
- 
--	/* We don't have arbitrary TLS stream support on Windows
--	 * or when openssl support is disabled (except on OSX
--	 * with Security framework).
-+	/* We don't have TLS support enabled, or we're on Windows,
-+	 * which has no arbitrary TLS stream support.
- 	 */
- #if defined(GIT_WIN32) || !defined(GIT_HTTPS)
- 	cl_git_fail_with(-1, error);
diff --git a/deps/patches/libgit2-mbedtls2.patch b/deps/patches/libgit2-mbedtls2.patch
deleted file mode 100644
index 2bc02a3725..0000000000
--- a/deps/patches/libgit2-mbedtls2.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-Fixes mbedTLS support to link properly and not include libssl.so
-
-Tracked in upstream PR https://github.com/libgit2/libgit2/pull/4678
-
-NOTE: libgit2 has switched its CI to Azure Pipelines. The aforementioned PR makes modifications
-to the Travis YAML file, which has since been removed, causing patch conflicts. That part of
-the diff has thus been removed here.
-
-diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
-index 2b82bb325..2deed5f87 100644
---- a/src/CMakeLists.txt
-+++ b/src/CMakeLists.txt
-@@ -284,8 +284,13 @@ ELSEIF(SHA1_BACKEND STREQUAL "CommonCrypto")
- ELSEIF (SHA1_BACKEND STREQUAL "mbedTLS")
- 	ADD_FEATURE_INFO(SHA ON "using mbedTLS")
- 	SET(GIT_SHA1_MBEDTLS 1)
--	FILE(GLOB SRC_SHA1 src/hash/hash_mbedtls.c)
--	LIST(APPEND LIBGIT2_PC_REQUIRES "mbedtls")
-+	FILE(GLOB SRC_SHA1 hash/hash_mbedtls.c)
-+	LIST(APPEND LIBGIT2_INCLUDES ${MBEDTLS_INCLUDE_DIR})
-+	LIST(APPEND LIBGIT2_LIBS ${MBEDTLS_LIBRARIES})
-+	# mbedTLS has no pkgconfig file, hence we can't require it
-+	# https://github.com/ARMmbed/mbedtls/issues/228
-+	# For now, pass its link flags as our own
-+	LIST(APPEND LIBGIT2_PC_LIBS ${MBEDTLS_LIBRARIES})
- ELSE()
- 	MESSAGE(FATAL_ERROR "Asked for unknown SHA1 backend ${SHA1_BACKEND}")
- ENDIF()
diff --git a/stdlib/LibGit2/src/gitcredential.jl b/stdlib/LibGit2/src/gitcredential.jl
index 09c70d7d73..a0504b1c3d 100644
--- a/stdlib/LibGit2/src/gitcredential.jl
+++ b/stdlib/LibGit2/src/gitcredential.jl
@@ -263,6 +263,7 @@ function default_username(cfg::GitConfig, cred::GitCredential)
 end
 
 function use_http_path(cfg::GitConfig, cred::GitCredential)
+    seen_specific = false
     use_path = false  # Default is to ignore the path
 
     # https://git-scm.com/docs/gitcredentials#gitcredentials-useHttpPath
@@ -272,8 +273,11 @@ function use_http_path(cfg::GitConfig, cred::GitCredential)
     for entry in GitConfigIter(cfg, r"credential.*\.usehttppath")
         section, url, name, value = split_cfg_entry(entry)
 
-        ismatch(url, cred) || continue
-        use_path = value == "true"
+        # Ignore global configuration if we have already encountered more specific entry
+        if ismatch(url, cred) && (!isempty(url) || !seen_specific)
+            seen_specific = !isempty(url)
+            use_path = value == "true"
+        end
     end
 
     return use_path
-- 
2.20.1