Ejemplo n.º 1
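/**
 * Create and configure the shared OpenSSL context used for TLS streams.
 *
 * With GIT_OPENSSL defined this loads OpenSSL's error strings and
 * algorithms, allocates git__ssl_ctx, masks out SSLv2/SSLv3 (and TLS
 * compression where the option exists) and loads the default CA locations.
 * shutdown_ssl is registered for library shutdown whether or not
 * GIT_OPENSSL is defined.
 *
 * @return 0 on success; -1 if the context cannot be allocated or the
 *         default verify paths cannot be loaded (git__ssl_ctx is left NULL)
 */
int git_openssl_stream_global_init(void)
{
#ifdef GIT_OPENSSL
	long ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;

	/* Older OpenSSL and MacOS OpenSSL doesn't have this */
#ifdef SSL_OP_NO_COMPRESSION
	ssl_opts |= SSL_OP_NO_COMPRESSION;
#endif

	SSL_load_error_strings();
	OpenSSL_add_ssl_algorithms();
	/*
	 * Load SSLv{2,3} and TLSv1 so that we can talk with servers
	 * which use the SSL hellos, which are often used for
	 * compatibility. We then disable SSL so we only allow OpenSSL
	 * to speak TLSv1 to perform the encryption itself.
	 *
	 * The option mask removes only SSLv2 and SSLv3; no minimum TLS
	 * version is set here, so every TLS version the linked OpenSSL
	 * supports remains negotiable.
	 */
	git__ssl_ctx = SSL_CTX_new(SSLv23_method());
	/* Allocation can fail; the calls below would dereference NULL. */
	if (git__ssl_ctx == NULL)
		return -1;

	SSL_CTX_set_options(git__ssl_ctx, ssl_opts);
	SSL_CTX_set_mode(git__ssl_ctx, SSL_MODE_AUTO_RETRY);
	/*
	 * NOTE(review): SSL_VERIFY_NONE lets the handshake complete even if
	 * the peer certificate does not validate. Nothing in this function
	 * checks the peer; presumably the stream code inspects the verify
	 * result and the host name after connecting -- confirm, since the
	 * connection is unauthenticated without that check.
	 */
	SSL_CTX_set_verify(git__ssl_ctx, SSL_VERIFY_NONE, NULL);
	if (!SSL_CTX_set_default_verify_paths(git__ssl_ctx)) {
		SSL_CTX_free(git__ssl_ctx);
		git__ssl_ctx = NULL;
		return -1;
	}
#endif

	git__on_shutdown(shutdown_ssl);

	return 0;
}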
Ejemplo n.º 2
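/**
 * Install libgit2's mutex-based locking callback into OpenSSL.
 *
 * Only the threaded build against OpenSSL older than 1.1.0 does any work:
 * it allocates one git_mutex per OpenSSL lock, initialises them and hands
 * openssl_locking_function to CRYPTO_set_locking_callback(), which is a
 * process-wide setting. For OpenSSL 1.1.0 and later the function is a
 * successful no-op. Without thread support it fails.
 *
 * @return 0 on success, -1 on allocation or mutex initialisation failure,
 *         or when libgit2 was built without threads
 */
int git_openssl_set_locking(void)
{
#if defined(GIT_THREADS) && OPENSSL_VERSION_NUMBER < 0x10100000L
	int num_locks, i;

	num_locks = CRYPTO_num_locks();
	openssl_locks = git__calloc(num_locks, sizeof(git_mutex));
	/* presumably returns an error when the allocation failed -- confirm */
	GITERR_CHECK_ALLOC(openssl_locks);

	for (i = 0; i < num_locks; i++) {
		if (git_mutex_init(&openssl_locks[i]) != 0) {
			/*
			 * Unwind the mutexes already initialised and drop the
			 * array: the shutdown hook is not registered on this
			 * path, so nothing else would release them.
			 */
			while (i-- > 0)
				git_mutex_free(&openssl_locks[i]);
			git__free(openssl_locks);
			openssl_locks = NULL;

			giterr_set(GITERR_SSL, "failed to initialize openssl locks");
			return -1;
		}
	}

	/* Install the callback only once every lock is usable. */
	CRYPTO_set_locking_callback(openssl_locking_function);
	git__on_shutdown(shutdown_ssl_locking);
	return 0;
#elif OPENSSL_VERSION_NUMBER >= 0x10100000L
	/* No locking callback is installed for OpenSSL 1.1.0 and later. */
	return 0;
#else
	giterr_set(GITERR_THREAD, "libgit2 was not built with threads");
	return -1;
#endif
}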
Ejemplo n.º 3
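/**
 * Create and configure the shared OpenSSL context used for TLS streams.
 *
 * With GIT_OPENSSL defined this initialises the OpenSSL library, allocates
 * git__ssl_ctx, masks out SSLv2/SSLv3 (and TLS compression where the
 * option exists), loads the default CA locations, applies the cipher list
 * (the configured one, else GIT_SSL_DEFAULT_CIPHERS) and sets up the
 * custom BIO method. shutdown_ssl is registered for library shutdown
 * whether or not GIT_OPENSSL is defined.
 *
 * @return 0 on success; -1 if any setup step fails, in which case
 *         git__ssl_ctx is released and left NULL
 */
int git_openssl_stream_global_init(void)
{
#ifdef GIT_OPENSSL
	long ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
	const char *ciphers = git_libgit2__ssl_ciphers();

	/* Older OpenSSL and MacOS OpenSSL doesn't have this */
#ifdef SSL_OP_NO_COMPRESSION
	ssl_opts |= SSL_OP_NO_COMPRESSION;
#endif

#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
	SSL_load_error_strings();
	OpenSSL_add_ssl_algorithms();
#else
	OPENSSL_init_ssl(0, NULL);
#endif

	/*
	 * Load SSLv{2,3} and TLSv1 so that we can talk with servers
	 * which use the SSL hellos, which are often used for
	 * compatibility. We then disable SSL so we only allow OpenSSL
	 * to speak TLSv1 to perform the encryption itself.
	 *
	 * The option mask removes only SSLv2 and SSLv3; no minimum TLS
	 * version is set here, so every TLS version the linked OpenSSL
	 * supports remains negotiable.
	 */
	git__ssl_ctx = SSL_CTX_new(SSLv23_method());
	/* Allocation can fail; the calls below would dereference NULL. */
	if (git__ssl_ctx == NULL)
		return -1;

	SSL_CTX_set_options(git__ssl_ctx, ssl_opts);
	SSL_CTX_set_mode(git__ssl_ctx, SSL_MODE_AUTO_RETRY);
	/*
	 * NOTE(review): SSL_VERIFY_NONE lets the handshake complete even if
	 * the peer certificate does not validate. Nothing in this function
	 * checks the peer; presumably the stream code inspects the verify
	 * result and the host name after connecting -- confirm, since the
	 * connection is unauthenticated without that check.
	 */
	SSL_CTX_set_verify(git__ssl_ctx, SSL_VERIFY_NONE, NULL);
	if (!SSL_CTX_set_default_verify_paths(git__ssl_ctx))
		goto error;

	/* Fall back to the built-in list when none was configured. */
	if (!ciphers)
		ciphers = GIT_SSL_DEFAULT_CIPHERS;

	/* Fails when no cipher in the list could be selected. */
	if (!SSL_CTX_set_cipher_list(git__ssl_ctx, ciphers))
		goto error;

	if (init_bio_method() < 0)
		goto error;

#endif

	git__on_shutdown(shutdown_ssl);

	return 0;

#ifdef GIT_OPENSSL
error:
	/* Single cleanup path: never leave a half-configured context behind. */
	SSL_CTX_free(git__ssl_ctx);
	git__ssl_ctx = NULL;
	return -1;
#endif
}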
Ejemplo n.º 4
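/**
 * One-time OpenSSL setup: build the shared context and, in threaded
 * builds, install the locking callback.
 *
 * The function returns nothing; failure is signalled by git__ssl_ctx
 * being NULL afterwards. Without GIT_SSL it does nothing.
 */
static void init_ssl(void)
{
#ifdef GIT_SSL
	SSL_load_error_strings();
	OpenSSL_add_ssl_algorithms();
	/*
	 * Load SSLv{2,3} and TLSv1 so that we can talk with servers
	 * which use the SSL hellos, which are often used for
	 * compatibility. We then disable SSL so we only allow OpenSSL
	 * to speak TLSv1 to perform the encryption itself.
	 *
	 * The option mask removes only SSLv2 and SSLv3; no minimum TLS
	 * version is set here, so every TLS version the linked OpenSSL
	 * supports remains negotiable.
	 */
	git__ssl_ctx = SSL_CTX_new(SSLv23_method());
	/* Allocation can fail; configure the context only when it exists. */
	if (git__ssl_ctx != NULL) {
		SSL_CTX_set_options(git__ssl_ctx,
				    SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3
		/* Older OpenSSL and MacOS OpenSSL doesn't have this */
# ifdef SSL_OP_NO_COMPRESSION
				    | SSL_OP_NO_COMPRESSION
# endif
			);
		SSL_CTX_set_mode(git__ssl_ctx, SSL_MODE_AUTO_RETRY);
		/*
		 * NOTE(review): SSL_VERIFY_NONE lets the handshake complete
		 * even if the peer certificate does not validate. Nothing in
		 * this function checks the peer; presumably the connection
		 * code inspects the verify result and the host name after
		 * connecting -- confirm, since the connection is
		 * unauthenticated without that check.
		 */
		SSL_CTX_set_verify(git__ssl_ctx, SSL_VERIFY_NONE, NULL);
		if (!SSL_CTX_set_default_verify_paths(git__ssl_ctx)) {
			SSL_CTX_free(git__ssl_ctx);
			git__ssl_ctx = NULL;
		}
	}

# ifdef GIT_THREADS
	{
		int num_locks, i;

		num_locks = CRYPTO_num_locks();
		openssl_locks = git__calloc(num_locks, sizeof(git_mutex));
		if (openssl_locks == NULL) {
			SSL_CTX_free(git__ssl_ctx);
			git__ssl_ctx = NULL;
			/* Stop here: the loop below would index a NULL array. */
			return;
		}

		for (i = 0; i < num_locks; i++) {
			if (git_mutex_init(&openssl_locks[i]) != 0) {
				/*
				 * Do not install a locking callback backed by
				 * unusable mutexes: unwind what was set up and
				 * leave SSL disabled.
				 */
				while (i-- > 0)
					git_mutex_free(&openssl_locks[i]);
				git__free(openssl_locks);
				openssl_locks = NULL;
				SSL_CTX_free(git__ssl_ctx);
				git__ssl_ctx = NULL;
				return;
			}
		}

		/* Process-wide OpenSSL setting. */
		CRYPTO_set_locking_callback(openssl_locking_function);
	}

	/*
	 * NOTE(review): the shutdown hook is registered only in threaded
	 * builds, so a context created without GIT_THREADS is not handed to
	 * shutdown_ssl -- confirm that this is intended.
	 */
	git__on_shutdown(shutdown_ssl);
# endif
#endif
}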
Ejemplo n.º 5
/**
 * Select the hash provider once for the whole library.
 *
 * Does nothing when hash_prov.type is no longer INVALID. Otherwise the CNG
 * provider is tried first and the CryptoAPI provider is used as fallback
 * when CNG initialisation reports an error.
 *
 * @return 0 if a provider was already set; otherwise the result of the
 *         last provider initialisation attempted
 */
int git_hash_global_init(void)
{
    int rc;

    /* A provider has been chosen already. */
    if (hash_prov.type != INVALID)
        return 0;

    rc = hash_cng_prov_init();
    if (rc < 0)
        rc = hash_cryptoapi_prov_init();

    /* The shutdown hook is registered even when both attempts failed. */
    git__on_shutdown(git_hash_global_shutdown);

    return rc;
}
Ejemplo n.º 6
/**
 * Initialise libssh2 for the SSH transport.
 *
 * In builds without GIT_SSH there is nothing to set up and the call
 * succeeds. Otherwise libssh2_init(0) is called and shutdown_ssh is
 * registered for library shutdown, but only after initialisation worked.
 *
 * @return 0 on success, -1 if libssh2 could not be initialised
 */
int git_transport_ssh_global_init(void)
{
#ifndef GIT_SSH

	/* Nothing to initialize */
	return 0;

#else
	int rc = libssh2_init(0);

	if (rc < 0) {
		giterr_set(GITERR_SSH, "unable to initialize libssh2");
		return -1;
	}

	/* Pair the successful init with its teardown hook. */
	git__on_shutdown(shutdown_ssh);
	return 0;

#endif
}