From b3e3fa10eacbdf11efb1815d6f3cfcccdde2a23d Mon Sep 17 00:00:00 2001
From: Edward Thomson
Date: Sun, 12 Dec 2021 15:34:35 -0500
Subject: [PATCH] sha: support mbedTLS for SHA256
---
 cmake/SelectHTTPSBackend.cmake | 2 +-
 cmake/SelectHashes.cmake | 25 +++++++++++++-----
 src/features.h.in | 1 +
 src/util/CMakeLists.txt | 2 ++
 src/util/hash/mbedtls.c | 46 ++++++++++++++++++++++++++++++++++
 src/util/hash/mbedtls.h | 12 ++++++++-
 6 files changed, 80 insertions(+), 8 deletions(-)
diff --git a/cmake/SelectHTTPSBackend.cmake b/cmake/SelectHTTPSBackend.cmake
index 79319502e..20221bf9f 100644
--- a/cmake/SelectHTTPSBackend.cmake
+++ b/cmake/SelectHTTPSBackend.cmake
@@ -64,7 +64,7 @@ if(USE_HTTPS)
 if(NOT CERT_LOCATION)
 message(STATUS "Auto-detecting default certificates location")
- if(CMAKE_SYSTEM_NAME MATCHES Darwin)
+ if(EXISTS "/usr/local/opt/openssl/bin/openssl")
 # Check for an Homebrew installation
 set(OPENSSL_CMD "/usr/local/opt/openssl/bin/openssl")
 else()
diff --git a/cmake/SelectHashes.cmake b/cmake/SelectHashes.cmake
index acd470654..d358acd74 100644
--- a/cmake/SelectHashes.cmake
+++ b/cmake/SelectHashes.cmake
@@ -6,6 +6,8 @@ include(SanitizeBool)
 sanitizebool(USE_SHA1)
 sanitizebool(USE_SHA256)
+# sha1
+
 if(USE_SHA1 STREQUAL ON)
 SET(USE_SHA1 "CollisionDetection")
 elseif(USE_SHA1 STREQUAL "HTTPS")
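Review bot: In cmake/SelectHTTPSBackend.cmake the new `if(EXISTS "/usr/local/opt/openssl/bin/openssl")` picks a binary by a hard-coded absolute path on every platform, where the old test at least limited it to Darwin. `OPENSSL_CMD` is presumably executed later in this block (outside the hunk) to derive the default certificate location, so whatever sits at that path would run at configure time and influence which CA store the build trusts; on hosts where `/usr/local` is writable by non-administrative users that is a weaker trust boundary than a system path. Consider resolving the tool with `find_program(OPENSSL_CMD openssl HINTS /usr/local/opt/openssl/bin)` so it can be overridden from the cache, and report the chosen path with `message(STATUS ...)`. The change is also unrelated to the SHA256 subject of the commit and would be easier to audit as its own commit.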
@@ -35,18 +37,14 @@ elseif(USE_SHA1 STREQUAL "CommonCrypto")
 set(GIT_SHA1_COMMON_CRYPTO 1)
 elseif(USE_SHA1 STREQUAL "mbedTLS")
 set(GIT_SHA1_MBEDTLS 1)
- list(APPEND LIBGIT2_SYSTEM_INCLUDES ${MBEDTLS_INCLUDE_DIR})
- list(APPEND LIBGIT2_SYSTEM_LIBS ${MBEDTLS_LIBRARIES})
- # mbedTLS has no pkgconfig file, hence we can't require it
- # https://github.com/ARMmbed/mbedtls/issues/228
- # For now, pass its link flags as our own
- list(APPEND LIBGIT2_PC_LIBS ${MBEDTLS_LIBRARIES})
 elseif(USE_SHA1 STREQUAL "Win32")
 set(GIT_SHA1_WIN32 1)
 else()
 message(FATAL_ERROR "Asked for unknown SHA1 backend: ${USE_SHA1}")
 endif()
+# sha256
+
 if(USE_SHA256 STREQUAL ON AND USE_HTTPS)
 SET(USE_SHA256 "HTTPS")
 elseif(USE_SHA256 STREQUAL ON)
@@ -67,9 +65,24 @@ if(USE_SHA256 STREQUAL "Builtin")
 set(GIT_SHA256_BUILTIN 1)
 elseif(USE_SHA256 STREQUAL "CommonCrypto")
 set(GIT_SHA256_COMMON_CRYPTO 1)
+elseif(USE_SHA256 STREQUAL "mbedTLS")
+ set(GIT_SHA256_MBEDTLS 1)
 else()
 message(FATAL_ERROR "Asked for unknown SHA256 backend: ${USE_SHA256}")
 endif()
+# add library requirements
+
+if(USE_SHA1 STREQUAL "mbedTLS" OR USE_SHA256 STREQUAL "mbedTLS")
+ list(APPEND LIBGIT2_SYSTEM_INCLUDES ${MBEDTLS_INCLUDE_DIR})
+ list(APPEND LIBGIT2_SYSTEM_LIBS ${MBEDTLS_LIBRARIES})
+ # mbedTLS has no pkgconfig file, hence we can't require it
+ # https://github.com/ARMmbed/mbedtls/issues/228
+ # For now, pass its link flags as our own
+ list(APPEND LIBGIT2_PC_LIBS ${MBEDTLS_LIBRARIES})
+endif()
+
+# notify feature enablement
+
 add_feature_info(SHA1 ON "using ${USE_SHA1}")
 add_feature_info(SHA256 ON "using ${USE_SHA256}")
diff --git a/src/features.h.in b/src/features.h.in
index 30852592e..351fdf356 100644
--- a/src/features.h.in
+++ b/src/features.h.in
@@ -50,6 +50,7 @@
 #cmakedefine GIT_SHA256_BUILTIN 1
 #cmakedefine GIT_SHA256_COMMON_CRYPTO 1
+#cmakedefine GIT_SHA256_MBEDTLS 1
 #cmakedefine GIT_RAND_GETENTROPY 1
diff --git a/src/util/CMakeLists.txt b/src/util/CMakeLists.txt
index e18789ccb..509b7517e 100644
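Review bot: In cmake/SelectHashes.cmake the new shared block `if(USE_SHA1 STREQUAL "mbedTLS" OR USE_SHA256 STREQUAL "mbedTLS")` appends `${MBEDTLS_INCLUDE_DIR}` and `${MBEDTLS_LIBRARIES}` without checking that mbedTLS was actually located. Nothing visible in this file finds the package, so if those variables are only populated when the HTTPS backend is mbedTLS (not shown here), choosing the mbedTLS hash backend with a different HTTPS backend would append empty values and fail late, at compile or link time. A guard at the top of the block, `if(NOT MBEDTLS_LIBRARIES)` followed by `message(FATAL_ERROR "Asked for mbedTLS hash backend, but it wasn't found")` and `endif()`, would make the misconfiguration explicit at configure time.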
--- a/src/util/CMakeLists.txt
+++ b/src/util/CMakeLists.txt
@@ -51,6 +51,8 @@ if(USE_SHA256 STREQUAL "Builtin")
 file(GLOB UTIL_SRC_SHA256 hash/builtin.* hash/rfc6234/*)
 elseif(USE_SHA256 STREQUAL "CommonCrypto")
 file(GLOB UTIL_SRC_SHA256 hash/common_crypto.*)
+elseif(USE_SHA256 STREQUAL "mbedTLS")
+ file(GLOB UTIL_SRC_SHA256 hash/mbedtls.*)
 else()
 message(FATAL_ERROR "Asked for unknown SHA256 backend: ${USE_SHA256}")
 endif()
diff --git a/src/util/hash/mbedtls.c b/src/util/hash/mbedtls.c
index 56016bec8..ecdfb7879 100644
--- a/src/util/hash/mbedtls.c
+++ b/src/util/hash/mbedtls.c
@@ -7,6 +7,8 @@
 #include "mbedtls.h"
+#ifdef GIT_SHA1_MBEDTLS
+
 int git_hash_sha1_global_init(void)
 {
 return 0;
@@ -44,3 +46,47 @@ int git_hash_sha1_final(unsigned char *out, git_hash_sha1_ctx *ctx)
 mbedtls_sha1_finish(&ctx->c, out);
 return 0;
 }
+
+#endif
+
+#ifdef GIT_SHA256_MBEDTLS
+
+int git_hash_sha256_global_init(void)
+{
+ return 0;
+}
+
+int git_hash_sha256_ctx_init(git_hash_sha256_ctx *ctx)
+{
+ return git_hash_sha256_init(ctx);
+}
+
+void git_hash_sha256_ctx_cleanup(git_hash_sha256_ctx *ctx)
+{
+ if (ctx)
+ mbedtls_sha256_free(&ctx->c);
+}
+
+int git_hash_sha256_init(git_hash_sha256_ctx *ctx)
+{
+ GIT_ASSERT_ARG(ctx);
+ mbedtls_sha256_init(&ctx->c);
+ mbedtls_sha256_starts(&ctx->c, 0);
+ return 0;
+}
+
+int git_hash_sha256_update(git_hash_sha256_ctx *ctx, const void *data, size_t len)
+{
+ GIT_ASSERT_ARG(ctx);
+ mbedtls_sha256_update(&ctx->c, data, len);
+ return 0;
+}
+
+int git_hash_sha256_final(unsigned char *out, git_hash_sha256_ctx *ctx)
+{
+ GIT_ASSERT_ARG(ctx);
+ mbedtls_sha256_finish(&ctx->c, out);
+ return 0;
+}
+
+#endif
diff --git a/src/util/hash/mbedtls.h b/src/util/hash/mbedtls.h
index efe9c07a5..05fb38b0e 100644
--- a/src/util/hash/mbedtls.h
+++ b/src/util/hash/mbedtls.h
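Review bot: The new SHA256 functions in src/util/hash/mbedtls.c discard the status of `mbedtls_sha256_starts`, `mbedtls_sha256_update` and `mbedtls_sha256_finish` and always return 0. Depending on the mbedTLS version these calls either return `int` themselves or have `_ret` variants that do, and a failure (for example from an alternative or hardware-backed implementation) would leave `out` unwritten while the caller is told the digest is valid. Propagating the result, e.g. `if (mbedtls_sha256_finish(&ctx->c, out) != 0) return -1;` and the same for starts and update, keeps a failed hash from being consumed downstream as if it were a real digest. `git_hash_sha256_final` also asserts `ctx` but not `out`; adding `GIT_ASSERT_ARG(out);` would extend the argument checking the function already does.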
@@ -10,10 +10,20 @@
 #include "hash/sha.h"
-#include
+#ifdef GIT_SHA1_MBEDTLS
+# include
 struct git_hash_sha1_ctx {
 mbedtls_sha1_context c;
 };
+#endif
+
+#ifdef GIT_SHA256_MBEDTLS
+# include
+
+struct git_hash_sha256_ctx {
+ mbedtls_sha256_context c;
+};
+#endif
 #endif /* INCLUDE_hash_sha1_mbedtls_h__ */
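Review bot: The guard comment on the last line of src/util/hash/mbedtls.h still reads `INCLUDE_hash_sha1_mbedtls_h__` although the header now declares the SHA256 context as well. The matching `#ifndef`/`#define` pair is outside the hunk, but renaming the guard to something like `INCLUDE_hash_mbedtls_h__` would stop the name from implying a SHA1-only header. A short comment above each `#ifdef`, e.g. `/* set from src/features.h.in when USE_SHA256 is "mbedTLS" */`, would also tell readers where `GIT_SHA256_MBEDTLS` comes from.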