rugged 1.6.3 → 1.9.0

data/vendor/libgit2/src/libgit2/stash.c

@@ -284,7 +284,7 @@ static int build_untracked_tree(
 	struct stash_update_rules data = {0};
 	int error;
 
-	if ((error = git_index_new(&i_index)) < 0)
+	if ((error = git_index__new(&i_index, repo->oid_type)) < 0)
 		goto cleanup;
 
 	if (flags & GIT_STASH_INCLUDE_UNTRACKED) {
@@ -487,7 +487,7 @@ static int commit_worktree(
 	int error = 0, ignorecase;
 
 	if ((error = git_repository_index(&r_index, repo) < 0) ||
-	    (error = git_index_new(&i_index)) < 0 ||
+	    (error = git_index__new(&i_index, repo->oid_type)) < 0 ||
 	    (error = git_index__fill(i_index, &r_index->entries) < 0) ||
 	    (error = git_repository__configmap_lookup(&ignorecase, repo, GIT_CONFIGMAP_IGNORECASE)) < 0)
 		goto cleanup;
@@ -732,7 +732,7 @@ int git_stash_save_with_opts(
 					     i_commit, b_commit, u_commit)) < 0)
 			goto cleanup;
 	} else {
-		if ((error = git_index_new(&paths_index)) < 0 ||
+		if ((error = git_index__new(&paths_index, repo->oid_type)) < 0 ||
 		    (error = retrieve_head(&head, repo)) < 0 ||
 		    (error = git_reference_peel((git_object**)&tree, head, GIT_OBJECT_TREE)) < 0 ||
 		    (error = git_index_read_tree(paths_index, tree)) < 0 ||
@@ -1003,6 +1003,7 @@ static int stage_new_file(const git_index_entry **entries, void *data)
 
 static int stage_new_files(
 	git_index **out,
+	git_repository *repo,
 	git_tree *parent_tree,
 	git_tree *tree)
 {
@@ -1011,7 +1012,7 @@ static int stage_new_files(
 	git_index *index = NULL;
 	int error;
 
-	if ((error = git_index_new(&index)) < 0 ||
+	if ((error = git_index__new(&index, repo->oid_type)) < 0 ||
 		(error = git_iterator_for_tree(
 			&iterators[0], parent_tree, &iterator_options)) < 0 ||
 		(error = git_iterator_for_tree(
@@ -1095,10 +1096,10 @@ int git_stash_apply(
 	 * previously unstaged contents are staged, not the previously staged.)
 	 */
 	} else if ((opts.flags & GIT_STASH_APPLY_REINSTATE_INDEX) == 0) {
-		if ((error = stage_new_files(
-				&stash_adds, stash_parent_tree, stash_tree)) < 0 ||
-			(error = merge_indexes(
-				&unstashed_index, repo, stash_parent_tree, repo_index, stash_adds)) < 0)
+		if ((error = stage_new_files(&stash_adds, repo,
+				stash_parent_tree, stash_tree)) < 0 ||
+		    (error = merge_indexes(&unstashed_index, repo,
+				stash_parent_tree, repo_index, stash_adds)) < 0)
 			goto cleanup;
 	}
 

data/vendor/libgit2/src/libgit2/status.c

@@ -414,7 +414,7 @@ void git_status_list_free(git_status_list *status)
 	git_diff_free(status->head2idx);
 	git_diff_free(status->idx2wd);
 
-	git_vector_free_deep(&status->paired);
+	git_vector_dispose_deep(&status->paired);
 
 	git__memzero(status, sizeof(*status));
 	git__free(status);

data/vendor/libgit2/src/libgit2/streams/mbedtls.c

@@ -14,7 +14,6 @@
 #include "runtime.h"
 #include "stream.h"
 #include "streams/socket.h"
-#include "netops.h"
 #include "git2/transport.h"
 #include "util.h"
 
@@ -33,7 +32,6 @@
 # endif
 #endif
 
-#include <mbedtls/config.h>
 #include <mbedtls/ssl.h>
 #include <mbedtls/error.h>
 #include <mbedtls/entropy.h>
@@ -41,12 +39,18 @@
 
 #undef inline
 
-#define GIT_SSL_DEFAULT_CIPHERS "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-DSS-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-DSS-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-128-CBC-SHA256:TLS-DHE-DSS-WITH-AES-256-CBC-SHA256:TLS-DHE-DSS-WITH-AES-128-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-128-GCM-SHA256:TLS-RSA-WITH-AES-256-GCM-SHA384:TLS-RSA-WITH-AES-128-CBC-SHA256:TLS-RSA-WITH-AES-256-CBC-SHA256:TLS-RSA-WITH-AES-128-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA"
-#define GIT_SSL_DEFAULT_CIPHERS_COUNT 30
+#define GIT_SSL_DEFAULT_CIPHERS "TLS1-3-AES-128-GCM-SHA256:TLS1-3-AES-256-GCM-SHA384:TLS1-3-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-RSA-WITH-AES-128-GCM-SHA256:TLS-RSA-WITH-AES-256-GCM-SHA384:TLS-RSA-WITH-AES-128-CBC-SHA256:TLS-RSA-WITH-AES-256-CBC-SHA256:TLS-RSA-WITH-AES-128-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA"
+#define GIT_SSL_DEFAULT_CIPHERS_COUNT 28
 
-static mbedtls_ssl_config *git__ssl_conf;
 static int ciphers_list[GIT_SSL_DEFAULT_CIPHERS_COUNT];
-static mbedtls_entropy_context *mbedtls_entropy;
+
+static bool initialized = false;
+static mbedtls_ssl_config mbedtls_config;
+static mbedtls_ctr_drbg_context mbedtls_rng;
+static mbedtls_entropy_context mbedtls_entropy;
+
+static bool has_ca_chain = false;
+static mbedtls_x509_crt mbedtls_ca_chain;
 
 /**
  * This function aims to clean-up the SSL context which
@@ -54,19 +58,16 @@ static mbedtls_entropy_context *mbedtls_entropy;
  */
 static void shutdown_ssl(void)
 {
-	if (git__ssl_conf) {
-		mbedtls_x509_crt_free(git__ssl_conf->ca_chain);
-		git__free(git__ssl_conf->ca_chain);
-		mbedtls_ctr_drbg_free(git__ssl_conf->p_rng);
-		git__free(git__ssl_conf->p_rng);
-		mbedtls_ssl_config_free(git__ssl_conf);
-		git__free(git__ssl_conf);
-		git__ssl_conf = NULL;
+	if (has_ca_chain) {
+		mbedtls_x509_crt_free(&mbedtls_ca_chain);
+		has_ca_chain = false;
 	}
-	if (mbedtls_entropy) {
-		mbedtls_entropy_free(mbedtls_entropy);
-		git__free(mbedtls_entropy);
-		mbedtls_entropy = NULL;
+
+	if (initialized) {
+		mbedtls_ctr_drbg_free(&mbedtls_rng);
+		mbedtls_ssl_config_free(&mbedtls_config);
+		mbedtls_entropy_free(&mbedtls_entropy);
+		initialized = false;
 	}
 }
 
@@ -75,32 +76,33 @@ int git_mbedtls_stream_global_init(void)
 	int loaded = 0;
 	char *crtpath = GIT_DEFAULT_CERT_LOCATION;
 	struct stat statbuf;
-	mbedtls_ctr_drbg_context *ctr_drbg = NULL;
 
 	size_t ciphers_known = 0;
 	char *cipher_name = NULL;
 	char *cipher_string = NULL;
 	char *cipher_string_tmp = NULL;
 
-	git__ssl_conf = git__malloc(sizeof(mbedtls_ssl_config));
-	GIT_ERROR_CHECK_ALLOC(git__ssl_conf);
+	mbedtls_ssl_config_init(&mbedtls_config);
+	mbedtls_entropy_init(&mbedtls_entropy);
+	mbedtls_ctr_drbg_init(&mbedtls_rng);
 
-	mbedtls_ssl_config_init(git__ssl_conf);
-	if (mbedtls_ssl_config_defaults(git__ssl_conf,
-		                            MBEDTLS_SSL_IS_CLIENT,
-		                            MBEDTLS_SSL_TRANSPORT_STREAM,
-		                            MBEDTLS_SSL_PRESET_DEFAULT) != 0) {
+	if (mbedtls_ssl_config_defaults(&mbedtls_config,
+	                                MBEDTLS_SSL_IS_CLIENT,
+	                                MBEDTLS_SSL_TRANSPORT_STREAM,
+	                                MBEDTLS_SSL_PRESET_DEFAULT) != 0) {
 		git_error_set(GIT_ERROR_SSL, "failed to initialize mbedTLS");
 		goto cleanup;
 	}
 
-	/* configure TLSv1 */
-	mbedtls_ssl_conf_min_version(git__ssl_conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0);
+	/* configure TLSv1.1 or better */
+#ifdef MBEDTLS_SSL_MINOR_VERSION_2
+	mbedtls_ssl_conf_min_version(&mbedtls_config, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_2);
+#endif
 
 	/* verify_server_cert is responsible for making the check.
 	 * OPTIONAL because REQUIRED drops the certificate as soon as the check
 	 * is made, so we can never see the certificate and override it. */
-	mbedtls_ssl_conf_authmode(git__ssl_conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
+	mbedtls_ssl_conf_authmode(&mbedtls_config, MBEDTLS_SSL_VERIFY_OPTIONAL);
 
 	/* set the list of allowed ciphersuites */
 	ciphers_known = 0;
@@ -124,42 +126,33 @@ int git_mbedtls_stream_global_init(void)
 		git_error_set(GIT_ERROR_SSL, "no cipher could be enabled");
 		goto cleanup;
 	}
-	mbedtls_ssl_conf_ciphersuites(git__ssl_conf, ciphers_list);
+	mbedtls_ssl_conf_ciphersuites(&mbedtls_config, ciphers_list);
 
 	/* Seeding the random number generator */
-	mbedtls_entropy = git__malloc(sizeof(mbedtls_entropy_context));
-	GIT_ERROR_CHECK_ALLOC(mbedtls_entropy);
-
-	mbedtls_entropy_init(mbedtls_entropy);
-
-	ctr_drbg = git__malloc(sizeof(mbedtls_ctr_drbg_context));
-	GIT_ERROR_CHECK_ALLOC(ctr_drbg);
 
-	mbedtls_ctr_drbg_init(ctr_drbg);
-
-	if (mbedtls_ctr_drbg_seed(ctr_drbg,
-		                      mbedtls_entropy_func,
-		                      mbedtls_entropy, NULL, 0) != 0) {
+	if (mbedtls_ctr_drbg_seed(&mbedtls_rng, mbedtls_entropy_func,
+			&mbedtls_entropy, NULL, 0) != 0) {
 		git_error_set(GIT_ERROR_SSL, "failed to initialize mbedTLS entropy pool");
 		goto cleanup;
 	}
 
-	mbedtls_ssl_conf_rng(git__ssl_conf, mbedtls_ctr_drbg_random, ctr_drbg);
+	mbedtls_ssl_conf_rng(&mbedtls_config, mbedtls_ctr_drbg_random, &mbedtls_rng);
 
 	/* load default certificates */
 	if (crtpath != NULL && stat(crtpath, &statbuf) == 0 && S_ISREG(statbuf.st_mode))
 		loaded = (git_mbedtls__set_cert_location(crtpath, NULL) == 0);
+
 	if (!loaded && crtpath != NULL && stat(crtpath, &statbuf) == 0 && S_ISDIR(statbuf.st_mode))
 		loaded = (git_mbedtls__set_cert_location(NULL, crtpath) == 0);
 
+	initialized = true;
+
 	return git_runtime_shutdown_register(shutdown_ssl);
 
 cleanup:
-	mbedtls_ctr_drbg_free(ctr_drbg);
-	git__free(ctr_drbg);
-	mbedtls_ssl_config_free(git__ssl_conf);
-	git__free(git__ssl_conf);
-	git__ssl_conf = NULL;
+	mbedtls_ctr_drbg_free(&mbedtls_rng);
+	mbedtls_ssl_config_free(&mbedtls_config);
+	mbedtls_entropy_free(&mbedtls_entropy);
 
 	return -1;
 }
@@ -193,7 +186,7 @@ static int ssl_set_error(mbedtls_ssl_context *ssl, int error)
 		break;
 
 	case MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:
-		git_error_set(GIT_ERROR_SSL, "SSL error: %#04x [%x] - %s", error, ssl->session_negotiate->verify_result, errbuf);
+		git_error_set(GIT_ERROR_SSL, "SSL error: %#04x [%x] - %s", error, mbedtls_ssl_get_verify_result(ssl), errbuf);
 		ret = GIT_ECERTIFICATE;
 		break;
 
@@ -375,7 +368,7 @@ static int mbedtls_stream_wrap(
 	st->ssl = git__malloc(sizeof(mbedtls_ssl_context));
 	GIT_ERROR_CHECK_ALLOC(st->ssl);
 	mbedtls_ssl_init(st->ssl);
-	if (mbedtls_ssl_setup(st->ssl, git__ssl_conf)) {
+	if (mbedtls_ssl_setup(st->ssl, &mbedtls_config)) {
 		git_error_set(GIT_ERROR_SSL, "failed to create ssl object");
 		error = -1;
 		goto out_err;
@@ -442,30 +435,30 @@ int git_mbedtls__set_cert_location(const char *file, const char *path)
 {
 	int ret = 0;
 	char errbuf[512];
-	mbedtls_x509_crt *cacert;
 
 	GIT_ASSERT_ARG(file || path);
 
-	cacert = git__malloc(sizeof(mbedtls_x509_crt));
-	GIT_ERROR_CHECK_ALLOC(cacert);
+	if (has_ca_chain)
+		mbedtls_x509_crt_free(&mbedtls_ca_chain);
+
+	mbedtls_x509_crt_init(&mbedtls_ca_chain);
 
-	mbedtls_x509_crt_init(cacert);
 	if (file)
-		ret = mbedtls_x509_crt_parse_file(cacert, file);
+		ret = mbedtls_x509_crt_parse_file(&mbedtls_ca_chain, file);
+
 	if (ret >= 0 && path)
-		ret = mbedtls_x509_crt_parse_path(cacert, path);
+		ret = mbedtls_x509_crt_parse_path(&mbedtls_ca_chain, path);
+
 	/* mbedtls_x509_crt_parse_path returns the number of invalid certs on success */
 	if (ret < 0) {
-		mbedtls_x509_crt_free(cacert);
-		git__free(cacert);
+		mbedtls_x509_crt_free(&mbedtls_ca_chain);
 		mbedtls_strerror( ret, errbuf, 512 );
 		git_error_set(GIT_ERROR_SSL, "failed to load CA certificates: %#04x - %s", ret, errbuf);
 		return -1;
 	}
 
-	mbedtls_x509_crt_free(git__ssl_conf->ca_chain);
-	git__free(git__ssl_conf->ca_chain);
-	mbedtls_ssl_conf_ca_chain(git__ssl_conf, cacert, NULL);
+	mbedtls_ssl_conf_ca_chain(&mbedtls_config, &mbedtls_ca_chain, NULL);
+	has_ca_chain = true;
 
 	return 0;
 }

data/vendor/libgit2/src/libgit2/streams/openssl.c

@@ -18,8 +18,8 @@
 #include "settings.h"
 #include "posix.h"
 #include "stream.h"
+#include "net.h"
 #include "streams/socket.h"
-#include "netops.h"
 #include "git2/transport.h"
 #include "git2/sys/openssl.h"
 
@@ -36,10 +36,11 @@
 # include <openssl/bio.h>
 #endif
 
-SSL_CTX *git__ssl_ctx;
+extern char *git__ssl_ciphers;
 
-#define GIT_SSL_DEFAULT_CIPHERS "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA"
+SSL_CTX *git__ssl_ctx;
 
+#define GIT_SSL_DEFAULT_CIPHERS "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA"
 
 static BIO_METHOD *git_stream_bio_method;
 static int init_bio_method(void);
@@ -70,14 +71,14 @@ static void *git_openssl_malloc(size_t bytes, const char *file, int line)
 	GIT_UNUSED(line);
 	return git__calloc(1, bytes);
 }
- 
+
 static void *git_openssl_realloc(void *mem, size_t size, const char *file, int line)
 {
 	GIT_UNUSED(file);
 	GIT_UNUSED(line);
 	return git__realloc(mem, size);
 }
- 
+
 static void git_openssl_free(void *mem, const char *file, int line)
 {
 	GIT_UNUSED(file);
@@ -105,7 +106,7 @@ static void git_openssl_free(void *mem)
 static int openssl_init(void)
 {
 	long ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
-	const char *ciphers = git_libgit2__ssl_ciphers();
+	const char *ciphers = git__ssl_ciphers;
 #ifdef VALGRIND
 	static bool allocators_initialized = false;
 #endif
@@ -133,10 +134,10 @@ static int openssl_init(void)
 	OPENSSL_init_ssl(0, NULL);
 
 	/*
-	 * Load SSLv{2,3} and TLSv1 so that we can talk with servers
-	 * which use the SSL hellos, which are often used for
-	 * compatibility. We then disable SSL so we only allow OpenSSL
-	 * to speak TLSv1 to perform the encryption itself.
+	 * Despite the name SSLv23_method, this is actually a version-
+	 * flexible context, which honors the protocol versions
+	 * specified in `ssl_opts`. So we only support TLSv1.0 and
+	 * higher.
 	 */
 	if (!(git__ssl_ctx = SSL_CTX_new(SSLv23_method())))
 		goto error;
@@ -357,15 +358,10 @@ static int ssl_teardown(SSL *ssl)
 	return ret;
 }
 
-static int check_host_name(const char *name, const char *host)
+static bool check_host_name(const char *host, const char *name)
 {
-	if (!strcasecmp(name, host))
-		return 0;
-
-	if (gitno__match_host(name, host) < 0)
-		return -1;
-
-	return 0;
+	return !strcasecmp(host, name) ||
+	       git_net_hostname_matches_cert(host, name);
 }
 
 static int verify_server_cert(SSL *ssl, const char *host)
@@ -425,10 +421,7 @@ static int verify_server_cert(SSL *ssl, const char *host)
 				if (memchr(name, '\0', namelen))
 					continue;
 
-				if (check_host_name(name, host) < 0)
-					matched = 0;
-				else
-					matched = 1;
+				matched = !!check_host_name(host, name);
 			} else if (type == GEN_IPADD) {
 				/* Here name isn't so much a name but a binary representation of the IP */
 				matched = addr && !!memcmp(name, addr, namelen);
@@ -481,7 +474,7 @@ static int verify_server_cert(SSL *ssl, const char *host)
 			goto cert_fail_name;
 	}
 
-	if (check_host_name((char *)peer_cn, host) < 0)
+	if (!check_host_name(host, (char *)peer_cn))
 		goto cert_fail_name;
 
 	goto cleanup;
@@ -728,6 +721,30 @@ int git_openssl__set_cert_location(const char *file, const char *path)
 	return 0;
 }
 
+int git_openssl__add_x509_cert(X509 *cert)
+{
+	X509_STORE *cert_store;
+
+	if (openssl_ensure_initialized() < 0)
+		return -1;
+
+	if (!(cert_store = SSL_CTX_get_cert_store(git__ssl_ctx)))
+		return -1;
+
+	if (cert && X509_STORE_add_cert(cert_store, cert) == 0) {
+		git_error_set(GIT_ERROR_SSL, "OpenSSL error: failed to add raw X509 certificate");
+		return -1;
+	}
+
+	return 0;
+}
+
+int git_openssl__reset_context(void)
+{
+	shutdown_ssl();
+	return openssl_init();
+}
+
 #else
 
 #include "stream.h"

data/vendor/libgit2/src/libgit2/streams/openssl.h

@@ -24,6 +24,8 @@ extern int git_openssl_stream_global_init(void);
 
 #ifdef GIT_OPENSSL
 extern int git_openssl__set_cert_location(const char *file, const char *path);
+extern int git_openssl__add_x509_cert(X509 *cert);
+extern int git_openssl__reset_context(void);
 extern int git_openssl_stream_new(git_stream **out, const char *host, const char *port);
 extern int git_openssl_stream_wrap(git_stream **out, git_stream *in, const char *host);
 #endif

data/vendor/libgit2/src/libgit2/streams/openssl_dynamic.c

@@ -65,6 +65,7 @@ int (*SSL_write)(SSL *ssl, const void *buf, int num);
 long (*SSL_CTX_ctrl)(SSL_CTX *ctx, int cmd, long larg, void *parg);
 void (*SSL_CTX_free)(SSL_CTX *ctx);
 SSL_CTX *(*SSL_CTX_new)(const SSL_METHOD *method);
+X509_STORE *(*SSL_CTX_get_cert_store)(const SSL_CTX *);
 int (*SSL_CTX_set_cipher_list)(SSL_CTX *ctx, const char *str);
 int (*SSL_CTX_set_default_verify_paths)(SSL_CTX *ctx);
 long (*SSL_CTX_set_options)(SSL_CTX *ctx, long options);
@@ -80,6 +81,7 @@ int (*X509_NAME_get_index_by_NID)(X509_NAME *name, int nid, int lastpos);
 void (*X509_free)(X509 *a);
 void *(*X509_get_ext_d2i)(const X509 *x, int nid, int *crit, int *idx);
 X509_NAME *(*X509_get_subject_name)(const X509 *x);
+int (*X509_STORE_add_cert)(X509_STORE *ctx, X509 *x);
 
 int (*i2d_X509)(X509 *a, unsigned char **ppout);
 
@@ -194,6 +196,7 @@ int git_openssl_stream_dynamic_init(void)
 	SSL_CTX_ctrl = (long (*)(SSL_CTX *, int, long, void *))openssl_sym(&err, "SSL_CTX_ctrl", true);
 	SSL_CTX_free = (void (*)(SSL_CTX *))openssl_sym(&err, "SSL_CTX_free", true);
 	SSL_CTX_new = (SSL_CTX *(*)(const SSL_METHOD *))openssl_sym(&err, "SSL_CTX_new", true);
+	SSL_CTX_get_cert_store = (X509_STORE *(*)(const SSL_CTX *))openssl_sym(&err, "SSL_CTX_get_cert_store", true);
 	SSL_CTX_set_cipher_list = (int (*)(SSL_CTX *, const char *))openssl_sym(&err, "SSL_CTX_set_cipher_list", true);
 	SSL_CTX_set_default_verify_paths = (int (*)(SSL_CTX *ctx))openssl_sym(&err, "SSL_CTX_set_default_verify_paths", true);
 	SSL_CTX_set_options = (long (*)(SSL_CTX *, long))openssl_sym(&err, "SSL_CTX_set_options", false);
@@ -209,6 +212,7 @@ int git_openssl_stream_dynamic_init(void)
 	X509_free = (void (*)(X509 *))openssl_sym(&err, "X509_free", true);
 	X509_get_ext_d2i = (void *(*)(const X509 *x, int nid, int *crit, int *idx))openssl_sym(&err, "X509_get_ext_d2i", true);
 	X509_get_subject_name = (X509_NAME *(*)(const X509 *))openssl_sym(&err, "X509_get_subject_name", true);
+	X509_STORE_add_cert = (int (*)(X509_STORE *ctx, X509 *x))openssl_sym(&err, "X509_STORE_add_cert", true);
 
 	i2d_X509 = (int (*)(X509 *a, unsigned char **ppout))openssl_sym(&err, "i2d_X509", true);
 

data/vendor/libgit2/src/libgit2/streams/openssl_dynamic.h

@@ -204,6 +204,7 @@ typedef void SSL_METHOD;
 typedef void X509;
 typedef void X509_NAME;
 typedef void X509_NAME_ENTRY;
+typedef void X509_STORE;
 typedef void X509_STORE_CTX;
 
 typedef struct {
@@ -309,6 +310,7 @@ extern int (*SSL_write)(SSL *ssl, const void *buf, int num);
 extern long (*SSL_CTX_ctrl)(SSL_CTX *ctx, int cmd, long larg, void *parg);
 extern void (*SSL_CTX_free)(SSL_CTX *ctx);
 extern SSL_CTX *(*SSL_CTX_new)(const SSL_METHOD *method);
+extern X509_STORE *(*SSL_CTX_get_cert_store)(const SSL_CTX *ctx);
 extern int (*SSL_CTX_set_cipher_list)(SSL_CTX *ctx, const char *str);
 extern int (*SSL_CTX_set_default_verify_paths)(SSL_CTX *ctx);
 extern long (*SSL_CTX_set_options)(SSL_CTX *ctx, long options);
@@ -326,6 +328,7 @@ extern int (*X509_NAME_get_index_by_NID)(X509_NAME *name, int nid, int lastpos);
 extern void (*X509_free)(X509 *a);
 extern void *(*X509_get_ext_d2i)(const X509 *x, int nid, int *crit, int *idx);
 extern X509_NAME *(*X509_get_subject_name)(const X509 *x);
+extern int (*X509_STORE_add_cert)(X509_STORE *ctx, X509 *x);
 
 extern int (*i2d_X509)(X509 *a, unsigned char **ppout);