Skip to content

Link mbedTLS libraries in when SHA1_BACKEND == "mbedTLS"#4678

Merged
pks-t merged 3 commits into
libgit2:masterfrom
staticfloat:sf/mbedtls_linkage
Jun 15, 2018
Merged

Link mbedTLS libraries in when SHA1_BACKEND == "mbedTLS"#4678
pks-t merged 3 commits into
libgit2:masterfrom
staticfloat:sf/mbedtls_linkage

Conversation

@staticfloat
Copy link
Copy Markdown
Contributor

@staticfloat staticfloat commented Jun 11, 2018

Over at Julia, we really enjoy the ability to build libgit2 against mbedTLS and completely elide dependency on libssl for cryptographic operations. We noticed that with the release of v0.27.1 there were a few holes in the buildsystem for mbedTLS:

  • The shim routines for sha1 calculation do not actually get added to the list of files to be compiled.

  • If SHA1_BACKEND is set to mbedTLS, but USE_HTTPS is not set to mbedTLS, libmbedtls doesn't get linked properly.

I have taken the liberty of editing the travis build configuration to do more complete mbedTLS testing.

@staticfloat staticfloat mentioned this pull request Jun 11, 2018
Merged
@carlosmn
Copy link
Copy Markdown
Member

carlosmn commented Jun 11, 2018

and completely elide dependency on libssl for cryptographic operations

Note that we do not use libssl for SHA-1 by default but instead use a vendored version of SHA-1 which can detect the SHAttered attack.

While I guess this is fine for completeness, are you sure you want to use a library that cannot detect the attack?

@simonbyrne
Copy link
Copy Markdown
Contributor

simonbyrne commented Jun 11, 2018

I should also clarify: we were using v0.27.1 + the changes from #4173

@staticfloat
Copy link
Copy Markdown
Contributor Author

staticfloat commented Jun 12, 2018

Note that we do not use libssl for SHA-1 by default but instead use a vendored version of SHA-1 which can detect the SHAttered attack.

Ah, I did not notice this, as I was last using v0.26.0, which I do not believe did this by default. That's neat! I agree with you; we should be using the collision detection version by default.

For code coverage purposes, I think the .travis.yml changes within this PR still make sense, however.

@pks-t
Copy link
Copy Markdown
Member

pks-t commented Jun 15, 2018

Yeah, it makes a lot of sense to put this into our existing mbedTLS builds. Thanks for your changes!

@pks-t pks-t merged commit 678fa45 into libgit2:master Jun 15, 2018
@staticfloat staticfloat deleted the sf/mbedtls_linkage branch June 15, 2018 22:01
@snyk-bot snyk-bot mentioned this pull request Feb 23, 2020
Open
@snyk-bot snyk-bot mentioned this pull request Apr 22, 2020
Open
@snyk-bot snyk-bot mentioned this pull request May 5, 2020
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@staticfloat @carlosmn @simonbyrne @pks-t