rugged 0.27.9 → 0.27.10

data/vendor/libgit2/src/status.c

@@ -8,7 +8,7 @@
 #include "status.h"
 
 #include "git2.h"
-#include "fileops.h"
+#include "futils.h"
 #include "hash.h"
 #include "vector.h"
 #include "tree.h"
@@ -16,6 +16,7 @@
 #include "repository.h"
 #include "ignore.h"
 #include "index.h"
+#include "wildmatch.h"
 
 #include "git2/diff.h"
 #include "diff.h"
@@ -85,14 +86,14 @@ static unsigned int workdir_delta2status(
 			/* if OIDs don't match, we might need to calculate them now to
 			 * discern between RENAMED vs RENAMED+MODIFED
 			 */
-			if (git_oid_iszero(&idx2wd->old_file.id) &&
+			if (git_oid_is_zero(&idx2wd->old_file.id) &&
 				diff->old_src == GIT_ITERATOR_TYPE_WORKDIR &&
 				!git_diff__oid_for_file(
 					&idx2wd->old_file.id, diff, idx2wd->old_file.path,
 					idx2wd->old_file.mode, idx2wd->old_file.size))
 			idx2wd->old_file.flags |= GIT_DIFF_FLAG_VALID_ID;
 
-			if (git_oid_iszero(&idx2wd->new_file.id) &&
+			if (git_oid_is_zero(&idx2wd->new_file.id) &&
 				diff->new_src == GIT_ITERATOR_TYPE_WORKDIR &&
 				!git_diff__oid_for_file(
 					&idx2wd->new_file.id, diff, idx2wd->new_file.path,
@@ -174,7 +175,7 @@ static int status_collect(
 		return 0;
 
 	status_entry = git__malloc(sizeof(git_status_entry));
-	GITERR_CHECK_ALLOC(status_entry);
+	GIT_ERROR_CHECK_ALLOC(status_entry);
 
 	status_entry->status = status_compute(status, head2idx, idx2wd);
 	status_entry->head_to_index = head2idx;
@@ -240,16 +241,16 @@ static int status_validate_options(const git_status_options *opts)
 	if (!opts)
 		return 0;
 
-	GITERR_CHECK_VERSION(opts, GIT_STATUS_OPTIONS_VERSION, "git_status_options");
+	GIT_ERROR_CHECK_VERSION(opts, GIT_STATUS_OPTIONS_VERSION, "git_status_options");
 
 	if (opts->show > GIT_STATUS_SHOW_WORKDIR_ONLY) {
-		giterr_set(GITERR_INVALID, "unknown status 'show' option");
+		git_error_set(GIT_ERROR_INVALID, "unknown status 'show' option");
 		return -1;
 	}
 
 	if ((opts->flags & GIT_STATUS_OPT_NO_REFRESH) != 0 &&
 		(opts->flags & GIT_STATUS_OPT_UPDATE_INDEX) != 0) {
-		giterr_set(GITERR_INVALID, "updating index from status "
+		git_error_set(GIT_ERROR_INVALID, "updating index from status "
 			"is not allowed when index refresh is disabled");
 		return -1;
 	}
@@ -280,7 +281,7 @@ int git_status_list_new(
 	if ((error = git_repository__ensure_not_bare(repo, "status")) < 0 ||
 		(error = git_repository_index(&index, repo)) < 0)
 		return error;
-	
+
 	if (opts != NULL && opts->baseline != NULL) {
 		head = opts->baseline;
 	} else {
@@ -288,17 +289,17 @@ int git_status_list_new(
 		if ((error = git_repository_head_tree(&head, repo)) < 0) {
 			if (error != GIT_ENOTFOUND && error != GIT_EUNBORNBRANCH)
 				goto done;
-			giterr_clear();
+			git_error_clear();
 		}
 	}
 
 	/* refresh index from disk unless prevented */
 	if ((flags & GIT_STATUS_OPT_NO_REFRESH) == 0 &&
-		git_index_read(index, false) < 0)
-		giterr_clear();
+		git_index_read_safely(index) < 0)
+		git_error_clear();
 
 	status = git_status_list_alloc(index);
-	GITERR_CHECK_ALLOC(status);
+	GIT_ERROR_CHECK_ALLOC(status);
 
 	if (opts) {
 		memcpy(&status->opts, opts, sizeof(git_status_options));
@@ -437,7 +438,7 @@ int git_status_foreach_ext(
 			status_entry->index_to_workdir->old_file.path;
 
 		if ((error = cb(path, status_entry->status, payload)) != 0) {
-			giterr_set_after_callback(error);
+			git_error_set_after_callback(error);
 			break;
 		}
 	}
@@ -456,7 +457,7 @@ struct status_file_info {
 	char *expected;
 	unsigned int count;
 	unsigned int status;
-	int fnm_flags;
+	int wildmatch_flags;
 	int ambiguous;
 };
 
@@ -468,14 +469,14 @@ static int get_one_status(const char *path, unsigned int status, void *data)
 	sfi->count++;
 	sfi->status = status;
 
-	strcomp = (sfi->fnm_flags & FNM_CASEFOLD) ? git__strcasecmp : git__strcmp;
+	strcomp = (sfi->wildmatch_flags & WM_CASEFOLD) ? git__strcasecmp : git__strcmp;
 
 	if (sfi->count > 1 ||
 		(strcomp(sfi->expected, path) != 0 &&
-		 p_fnmatch(sfi->expected, path, sfi->fnm_flags) != 0))
+		 wildmatch(sfi->expected, path, sfi->wildmatch_flags) != 0))
 	{
 		sfi->ambiguous = true;
-		return GIT_EAMBIGUOUS; /* giterr_set will be done by caller */
+		return GIT_EAMBIGUOUS; /* git_error_set will be done by caller */
 	}
 
 	return 0;
@@ -499,7 +500,7 @@ int git_status_file(
 	if ((sfi.expected = git__strdup(path)) == NULL)
 		return -1;
 	if (index->ignore_case)
-		sfi.fnm_flags = FNM_CASEFOLD;
+		sfi.wildmatch_flags = WM_CASEFOLD;
 
 	opts.show = GIT_STATUS_SHOW_INDEX_AND_WORKDIR;
 	opts.flags = GIT_STATUS_OPT_INCLUDE_IGNORED |
@@ -514,13 +515,13 @@ int git_status_file(
 	error = git_status_foreach_ext(repo, &opts, get_one_status, &sfi);
 
 	if (error < 0 && sfi.ambiguous) {
-		giterr_set(GITERR_INVALID,
+		git_error_set(GIT_ERROR_INVALID,
 			"ambiguous path '%s' given to git_status_file", sfi.expected);
 		error = GIT_EAMBIGUOUS;
 	}
 
 	if (!error && !sfi.count) {
-		giterr_set(GITERR_INVALID,
+		git_error_set(GIT_ERROR_INVALID,
 			"attempt to get status of nonexistent file '%s'", path);
 		error = GIT_ENOTFOUND;
 	}
@@ -540,18 +541,23 @@ int git_status_should_ignore(
 	return git_ignore_path_is_ignored(ignored, repo, path);
 }
 
-int git_status_init_options(git_status_options *opts, unsigned int version)
+int git_status_options_init(git_status_options *opts, unsigned int version)
 {
 	GIT_INIT_STRUCTURE_FROM_TEMPLATE(
 		opts, version, git_status_options, GIT_STATUS_OPTIONS_INIT);
 	return 0;
 }
 
+int git_status_init_options(git_status_options *opts, unsigned int version)
+{
+	return git_status_options_init(opts, version);
+}
+
 int git_status_list_get_perfdata(
 	git_diff_perfdata *out, const git_status_list *status)
 {
 	assert(out);
-	GITERR_CHECK_VERSION(out, GIT_DIFF_PERFDATA_VERSION, "git_diff_perfdata");
+	GIT_ERROR_CHECK_VERSION(out, GIT_DIFF_PERFDATA_VERSION, "git_diff_perfdata");
 
 	out->stat_calls = 0;
 	out->oid_calculations = 0;

data/vendor/libgit2/src/stream.h

@@ -23,7 +23,7 @@ GIT_INLINE(int) git_stream_is_encrypted(git_stream *st)
 GIT_INLINE(int) git_stream_certificate(git_cert **out, git_stream *st)
 {
 	if (!st->encrypted) {
-		giterr_set(GITERR_INVALID, "an unencrypted stream does not have a certificate");
+		git_error_set(GIT_ERROR_INVALID, "an unencrypted stream does not have a certificate");
 		return -1;
 	}
 
@@ -38,7 +38,7 @@ GIT_INLINE(int) git_stream_supports_proxy(git_stream *st)
 GIT_INLINE(int) git_stream_set_proxy(git_stream *st, const git_proxy_options *proxy_opts)
 {
 	if (!st->proxy_support) {
-		giterr_set(GITERR_INVALID, "proxy not supported on this stream");
+		git_error_set(GIT_ERROR_INVALID, "proxy not supported on this stream");
 		return -1;
 	}
 
@@ -55,6 +55,21 @@ GIT_INLINE(ssize_t) git_stream_write(git_stream *st, const char *data, size_t le
 	return st->write(st, data, len, flags);
 }
 
+GIT_INLINE(int) git_stream__write_full(git_stream *st, const char *data, size_t len, int flags)
+{
+	size_t total_written = 0;
+
+	while (total_written < len) {
+		ssize_t written = git_stream_write(st, data + total_written, len - total_written, flags);
+		if (written <= 0)
+			return -1;
+
+		total_written += written;
+	}
+
+	return 0;
+}
+
 GIT_INLINE(int) git_stream_close(git_stream *st)
 {
 	return st->close(st);

data/vendor/libgit2/src/streams/mbedtls.c

@@ -0,0 +1,483 @@
+/*
+ * Copyright (C) the libgit2 contributors. All rights reserved.
+ *
+ * This file is part of libgit2, distributed under the GNU GPL v2 with
+ * a Linking Exception. For full terms see the included COPYING file.
+ */
+
+#include "streams/mbedtls.h"
+
+#ifdef GIT_MBEDTLS
+
+#include <ctype.h>
+
+#include "global.h"
+#include "stream.h"
+#include "streams/socket.h"
+#include "netops.h"
+#include "git2/transport.h"
+#include "util.h"
+
+#ifndef GIT_DEFAULT_CERT_LOCATION
+#define GIT_DEFAULT_CERT_LOCATION NULL
+#endif
+
+/* Work around C90-conformance issues */
+#if defined(_MSC_VER)
+# define inline __inline
+#elif defined(__GNUC__)
+# define inline __inline__
+#else
+# define inline
+#endif
+
+#include <mbedtls/config.h>
+#include <mbedtls/ssl.h>
+#include <mbedtls/error.h>
+#include <mbedtls/entropy.h>
+#include <mbedtls/ctr_drbg.h>
+
+#undef inline
+
+#define GIT_SSL_DEFAULT_CIPHERS "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-DSS-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-DSS-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-128-CBC-SHA256:TLS-DHE-DSS-WITH-AES-256-CBC-SHA256:TLS-DHE-DSS-WITH-AES-128-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-128-GCM-SHA256:TLS-RSA-WITH-AES-256-GCM-SHA384:TLS-RSA-WITH-AES-128-CBC-SHA256:TLS-RSA-WITH-AES-256-CBC-SHA256:TLS-RSA-WITH-AES-128-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA"
+#define GIT_SSL_DEFAULT_CIPHERS_COUNT 30
+
+static mbedtls_ssl_config *git__ssl_conf;
+static int ciphers_list[GIT_SSL_DEFAULT_CIPHERS_COUNT];
+static mbedtls_entropy_context *mbedtls_entropy;
+
+/**
+ * This function aims to clean-up the SSL context which
+ * we allocated.
+ */
+static void shutdown_ssl(void)
+{
+	if (git__ssl_conf) {
+		mbedtls_x509_crt_free(git__ssl_conf->ca_chain);
+		git__free(git__ssl_conf->ca_chain);
+		mbedtls_ctr_drbg_free(git__ssl_conf->p_rng);
+		git__free(git__ssl_conf->p_rng);
+		mbedtls_ssl_config_free(git__ssl_conf);
+		git__free(git__ssl_conf);
+		git__ssl_conf = NULL;
+	}
+	if (mbedtls_entropy) {
+		mbedtls_entropy_free(mbedtls_entropy);
+		git__free(mbedtls_entropy);
+		mbedtls_entropy = NULL;
+	}
+}
+
+int git_mbedtls__set_cert_location(const char *path, int is_dir);
+
+int git_mbedtls_stream_global_init(void)
+{
+	int loaded = 0;
+	char *crtpath = GIT_DEFAULT_CERT_LOCATION;
+	struct stat statbuf;
+	mbedtls_ctr_drbg_context *ctr_drbg = NULL;
+
+	size_t ciphers_known = 0;
+	char *cipher_name = NULL;
+	char *cipher_string = NULL;
+	char *cipher_string_tmp = NULL;
+
+	git__ssl_conf = git__malloc(sizeof(mbedtls_ssl_config));
+	GIT_ERROR_CHECK_ALLOC(git__ssl_conf);
+
+	mbedtls_ssl_config_init(git__ssl_conf);
+	if (mbedtls_ssl_config_defaults(git__ssl_conf,
+		                            MBEDTLS_SSL_IS_CLIENT,
+		                            MBEDTLS_SSL_TRANSPORT_STREAM,
+		                            MBEDTLS_SSL_PRESET_DEFAULT) != 0) {
+		git_error_set(GIT_ERROR_SSL, "failed to initialize mbedTLS");
+		goto cleanup;
+	}
+
+	/* configure TLSv1 */
+	mbedtls_ssl_conf_min_version(git__ssl_conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0);
+
+	/* verify_server_cert is responsible for making the check.
+	 * OPTIONAL because REQUIRED drops the certificate as soon as the check
+	 * is made, so we can never see the certificate and override it. */
+	mbedtls_ssl_conf_authmode(git__ssl_conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
+
+	/* set the list of allowed ciphersuites */
+	ciphers_known = 0;
+	cipher_string = cipher_string_tmp = git__strdup(GIT_SSL_DEFAULT_CIPHERS);
+	GIT_ERROR_CHECK_ALLOC(cipher_string);
+
+	while ((cipher_name = git__strtok(&cipher_string_tmp, ":")) != NULL) {
+		int cipherid = mbedtls_ssl_get_ciphersuite_id(cipher_name);
+		if (cipherid == 0) continue;
+
+		if (ciphers_known >= ARRAY_SIZE(ciphers_list)) {
+			git_error_set(GIT_ERROR_SSL, "out of cipher list space");
+			goto cleanup;
+		}
+
+		ciphers_list[ciphers_known++] = cipherid;
+	}
+	git__free(cipher_string);
+
+	if (!ciphers_known) {
+		git_error_set(GIT_ERROR_SSL, "no cipher could be enabled");
+		goto cleanup;
+	}
+	mbedtls_ssl_conf_ciphersuites(git__ssl_conf, ciphers_list);
+
+	/* Seeding the random number generator */
+	mbedtls_entropy = git__malloc(sizeof(mbedtls_entropy_context));
+	GIT_ERROR_CHECK_ALLOC(mbedtls_entropy);
+
+	mbedtls_entropy_init(mbedtls_entropy);
+
+	ctr_drbg = git__malloc(sizeof(mbedtls_ctr_drbg_context));
+	GIT_ERROR_CHECK_ALLOC(ctr_drbg);
+
+	mbedtls_ctr_drbg_init(ctr_drbg);
+
+	if (mbedtls_ctr_drbg_seed(ctr_drbg,
+		                      mbedtls_entropy_func,
+		                      mbedtls_entropy, NULL, 0) != 0) {
+		git_error_set(GIT_ERROR_SSL, "failed to initialize mbedTLS entropy pool");
+		goto cleanup;
+	}
+
+	mbedtls_ssl_conf_rng(git__ssl_conf, mbedtls_ctr_drbg_random, ctr_drbg);
+
+	/* load default certificates */
+	if (crtpath != NULL && stat(crtpath, &statbuf) == 0 && S_ISREG(statbuf.st_mode))
+		loaded = (git_mbedtls__set_cert_location(crtpath, 0) == 0);
+	if (!loaded && crtpath != NULL && stat(crtpath, &statbuf) == 0 && S_ISDIR(statbuf.st_mode))
+		loaded = (git_mbedtls__set_cert_location(crtpath, 1) == 0);
+
+	git__on_shutdown(shutdown_ssl);
+
+	return 0;
+
+cleanup:
+	mbedtls_ctr_drbg_free(ctr_drbg);
+	git__free(ctr_drbg);
+	mbedtls_ssl_config_free(git__ssl_conf);
+	git__free(git__ssl_conf);
+	git__ssl_conf = NULL;
+
+	return -1;
+}
+
+static int bio_read(void *b, unsigned char *buf, size_t len)
+{
+	git_stream *io = (git_stream *) b;
+	return (int) git_stream_read(io, buf, min(len, INT_MAX));
+}
+
+static int bio_write(void *b, const unsigned char *buf, size_t len)
+{
+	git_stream *io = (git_stream *) b;
+	return (int) git_stream_write(io, (const char *)buf, min(len, INT_MAX), 0);
+}
+
+static int ssl_set_error(mbedtls_ssl_context *ssl, int error)
+{
+	char errbuf[512];
+	int ret = -1;
+
+	assert(error != MBEDTLS_ERR_SSL_WANT_READ);
+	assert(error != MBEDTLS_ERR_SSL_WANT_WRITE);
+
+	if (error != 0)
+		mbedtls_strerror( error, errbuf, 512 );
+
+	switch(error) {
+		case 0:
+		git_error_set(GIT_ERROR_SSL, "SSL error: unknown error");
+		break;
+
+	case MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:
+		git_error_set(GIT_ERROR_SSL, "SSL error: %#04x [%x] - %s", error, ssl->session_negotiate->verify_result, errbuf);
+		ret = GIT_ECERTIFICATE;
+		break;
+
+	default:
+		git_error_set(GIT_ERROR_SSL, "SSL error: %#04x - %s", error, errbuf);
+	}
+
+	return ret;
+}
+
+static int ssl_teardown(mbedtls_ssl_context *ssl)
+{
+	int ret = 0;
+
+	ret = mbedtls_ssl_close_notify(ssl);
+	if (ret < 0)
+		ret = ssl_set_error(ssl, ret);
+
+	mbedtls_ssl_free(ssl);
+	return ret;
+}
+
+static int verify_server_cert(mbedtls_ssl_context *ssl)
+{
+	int ret = -1;
+
+	if ((ret = mbedtls_ssl_get_verify_result(ssl)) != 0) {
+		char vrfy_buf[512];
+		int len = mbedtls_x509_crt_verify_info(vrfy_buf, sizeof(vrfy_buf), "", ret);
+		if (len >= 1) vrfy_buf[len - 1] = '\0'; /* Remove trailing \n */
+		git_error_set(GIT_ERROR_SSL, "the SSL certificate is invalid: %#04x - %s", ret, vrfy_buf);
+		return GIT_ECERTIFICATE;
+	}
+
+	return 0;
+}
+
+typedef struct {
+	git_stream parent;
+	git_stream *io;
+	int owned;
+	bool connected;
+	char *host;
+	mbedtls_ssl_context *ssl;
+	git_cert_x509 cert_info;
+} mbedtls_stream;
+
+
+static int mbedtls_connect(git_stream *stream)
+{
+	int ret;
+	mbedtls_stream *st = (mbedtls_stream *) stream;
+
+	if (st->owned && (ret = git_stream_connect(st->io)) < 0)
+		return ret;
+
+	st->connected = true;
+
+	mbedtls_ssl_set_hostname(st->ssl, st->host);
+
+	mbedtls_ssl_set_bio(st->ssl, st->io, bio_write, bio_read, NULL);
+
+	if ((ret = mbedtls_ssl_handshake(st->ssl)) != 0)
+		return ssl_set_error(st->ssl, ret);
+
+	return verify_server_cert(st->ssl);
+}
+
+static int mbedtls_certificate(git_cert **out, git_stream *stream)
+{
+	unsigned char *encoded_cert;
+	mbedtls_stream *st = (mbedtls_stream *) stream;
+
+	const mbedtls_x509_crt *cert = mbedtls_ssl_get_peer_cert(st->ssl);
+	if (!cert) {
+		git_error_set(GIT_ERROR_SSL, "the server did not provide a certificate");
+		return -1;
+	}
+
+	/* Retrieve the length of the certificate first */
+	if (cert->raw.len == 0) {
+		git_error_set(GIT_ERROR_NET, "failed to retrieve certificate information");
+		return -1;
+	}
+
+	encoded_cert = git__malloc(cert->raw.len);
+	GIT_ERROR_CHECK_ALLOC(encoded_cert);
+	memcpy(encoded_cert, cert->raw.p, cert->raw.len);
+
+	st->cert_info.parent.cert_type = GIT_CERT_X509;
+	st->cert_info.data = encoded_cert;
+	st->cert_info.len = cert->raw.len;
+
+	*out = &st->cert_info.parent;
+
+	return 0;
+}
+
+static int mbedtls_set_proxy(git_stream *stream, const git_proxy_options *proxy_options)
+{
+	mbedtls_stream *st = (mbedtls_stream *) stream;
+
+	return git_stream_set_proxy(st->io, proxy_options);
+}
+
+static ssize_t mbedtls_stream_write(git_stream *stream, const char *data, size_t len, int flags)
+{
+	mbedtls_stream *st = (mbedtls_stream *) stream;
+	int written;
+
+	GIT_UNUSED(flags);
+
+	/*
+	 * `mbedtls_ssl_write` can only represent INT_MAX bytes
+	 * written via its return value. We thus need to clamp
+	 * the maximum number of bytes written.
+	 */
+	len = min(len, INT_MAX);
+
+	if ((written = mbedtls_ssl_write(st->ssl, (const unsigned char *)data, len)) <= 0)
+		return ssl_set_error(st->ssl, written);
+
+	return written;
+}
+
+static ssize_t mbedtls_stream_read(git_stream *stream, void *data, size_t len)
+{
+	mbedtls_stream *st = (mbedtls_stream *) stream;
+	int ret;
+
+	if ((ret = mbedtls_ssl_read(st->ssl, (unsigned char *)data, len)) <= 0)
+		ssl_set_error(st->ssl, ret);
+
+	return ret;
+}
+
+static int mbedtls_stream_close(git_stream *stream)
+{
+	mbedtls_stream *st = (mbedtls_stream *) stream;
+	int ret = 0;
+
+	if (st->connected && (ret = ssl_teardown(st->ssl)) != 0)
+		return -1;
+
+	st->connected = false;
+
+	return st->owned ? git_stream_close(st->io) : 0;
+}
+
+static void mbedtls_stream_free(git_stream *stream)
+{
+	mbedtls_stream *st = (mbedtls_stream *) stream;
+
+	if (st->owned)
+		git_stream_free(st->io);
+
+	git__free(st->host);
+	git__free(st->cert_info.data);
+	mbedtls_ssl_free(st->ssl);
+	git__free(st->ssl);
+	git__free(st);
+}
+
+static int mbedtls_stream_wrap(
+	git_stream **out,
+	git_stream *in,
+	const char *host,
+	int owned)
+{
+	mbedtls_stream *st;
+	int error;
+
+	st = git__calloc(1, sizeof(mbedtls_stream));
+	GIT_ERROR_CHECK_ALLOC(st);
+
+	st->io = in;
+	st->owned = owned;
+
+	st->ssl = git__malloc(sizeof(mbedtls_ssl_context));
+	GIT_ERROR_CHECK_ALLOC(st->ssl);
+	mbedtls_ssl_init(st->ssl);
+	if (mbedtls_ssl_setup(st->ssl, git__ssl_conf)) {
+		git_error_set(GIT_ERROR_SSL, "failed to create ssl object");
+		error = -1;
+		goto out_err;
+	}
+
+	st->host = git__strdup(host);
+	GIT_ERROR_CHECK_ALLOC(st->host);
+
+	st->parent.version = GIT_STREAM_VERSION;
+	st->parent.encrypted = 1;
+	st->parent.proxy_support = git_stream_supports_proxy(st->io);
+	st->parent.connect = mbedtls_connect;
+	st->parent.certificate = mbedtls_certificate;
+	st->parent.set_proxy = mbedtls_set_proxy;
+	st->parent.read = mbedtls_stream_read;
+	st->parent.write = mbedtls_stream_write;
+	st->parent.close = mbedtls_stream_close;
+	st->parent.free = mbedtls_stream_free;
+
+	*out = (git_stream *) st;
+	return 0;
+
+out_err:
+	mbedtls_ssl_free(st->ssl);
+	git_stream_close(st->io);
+	git_stream_free(st->io);
+	git__free(st);
+
+	return error;
+}
+
+int git_mbedtls_stream_wrap(
+	git_stream **out,
+	git_stream *in,
+	const char *host)
+{
+	return mbedtls_stream_wrap(out, in, host, 0);
+}
+
+int git_mbedtls_stream_new(
+	git_stream **out,
+	const char *host,
+	const char *port)
+{
+	git_stream *stream;
+	int error;
+
+	assert(out && host && port);
+
+	if ((error = git_socket_stream_new(&stream, host, port)) < 0)
+		return error;
+
+	if ((error = mbedtls_stream_wrap(out, stream, host, 1)) < 0) {
+		git_stream_close(stream);
+		git_stream_free(stream);
+	}
+
+	return error;
+}
+
+int git_mbedtls__set_cert_location(const char *path, int is_dir)
+{
+	int ret = 0;
+	char errbuf[512];
+	mbedtls_x509_crt *cacert;
+
+	assert(path != NULL);
+
+	cacert = git__malloc(sizeof(mbedtls_x509_crt));
+	GIT_ERROR_CHECK_ALLOC(cacert);
+
+	mbedtls_x509_crt_init(cacert);
+	if (is_dir) {
+		ret = mbedtls_x509_crt_parse_path(cacert, path);
+	} else {
+		ret = mbedtls_x509_crt_parse_file(cacert, path);
+	}
+	/* mbedtls_x509_crt_parse_path returns the number of invalid certs on success */
+	if (ret < 0) {
+		mbedtls_x509_crt_free(cacert);
+		git__free(cacert);
+		mbedtls_strerror( ret, errbuf, 512 );
+		git_error_set(GIT_ERROR_SSL, "failed to load CA certificates: %#04x - %s", ret, errbuf);
+		return -1;
+	}
+
+	mbedtls_x509_crt_free(git__ssl_conf->ca_chain);
+	git__free(git__ssl_conf->ca_chain);
+	mbedtls_ssl_conf_ca_chain(git__ssl_conf, cacert, NULL);
+
+	return 0;
+}
+
+#else
+
+#include "stream.h"
+
+int git_mbedtls_stream_global_init(void)
+{
+	return 0;
+}
+
+#endif