Currently, the DefaultCFlags.cmake overrides the
CMAKE_STATIC_LINKER_FLAGS to suppress linker warnings about files with
no symbols defined.
This has the side effect of breaking MSVC cross compilation (where
CMAKE_STATIC_LINKER_FLAGS is used to specify the /MACHINE:ARCH flag)
This commit make sure we append to CMAKE_STATIC_LINKER_FLAGS instead of
replacing its values
Compiling libssh2 into libgit2 directly is madness. If users want to
create a single library that contains libssh2, then they should link a
static library.
It's hard to remember whether it's `-DUSE_HTTPS=mbedTLS` or
`-DUSE_HTTPS=mbedtls`. Even worse for things like `builtin` which we may
have been inconsistent about. Allow for case insensitive options.
There were a few oddities around HTTPS provider selection: namely,
`GIT_OPENSSL_DYNAMIC` implied `GIT_OPENSSL`, which made a bit of sense,
until we added FIPS support. In addition, dynamic OpenSSL for _hashes_
and dynamic OpenSSL for HTTPS was conflated in a few places.
Untangle these, and make `GIT_HTTPS_*` the define, for consistency with
other feature provider selection.
For consistency, specify the nanosecond option in the same way as other
options, and identify it as such. Split the detection of platform
support (`FindStatNsec`) and its selection (`SelectNsec`).
The `USE_` prefix for inputs denotes a backend; the `DEBUG_` prefix
denotes a debugging option. Make `DEBUG_LEAK_CHECKER` the name of the
leak checking option.
Selecting regular expression backend should be specified in the same way
as everything else; `USE_REGEX`. Keep `REGEX_BACKEND` as an optional
fallback.
git's hash algorithm is sha1dc, it is not sha1. Per Linus:
> Honestly, git has effectively already moved from SHA1 to SHA1DC.
>
> So the actual known attack and weakness of SHA1 should simply not be
> part of the discussion for the next hash. You can basically say "we're
> _already_ on the second hash, we just picked one that was so
> compatible with SHA1 that nobody even really noticed.
Warn users who try to compile with SHA1 instead of SHA1DC.
When `-DUSE_HTTP_PARSER=...` is specified, ensure that the specified
HTTP Parser is valid, do not fallback to builtin.
Restore `-DUSE_HTTP_PARSER=system` for backcompatibility.
Usage of the deprecated 'SHA256_*' OpenSSL API in a FIPS compliant
environment results in OpenSSL's assertion failure with the following
description:
"OpenSSL internal error, assertion failed: Low level API call to
digest SHA256 forbidden in FIPS mode!"
This commit adds a possibility to use the OpenSSL's 'EVP_MD*' API instead
of the deprecated 'SHA256_*' API, by extending the optional CMake flag
'USE_SHA256' with the new option called 'OpenSSL-FIPS'.
The new option is used to choose a hashing backend used by libgit2 to
calculate SHA256 hashes, in a similar way that currently existing
options like 'OpenSSL', 'OpenSSL-Dynamic', 'mbedTLS' etc do.
'OpenSSL-FIPS' is a fully opt-in option which is purposely not
interfering with the existing options, because, after running some
benchmarks, it's been discovered that using the 'EVP_MD*' API causes
hashing to be a bit slower in comparison to using the deprecated
'SHA256_*' API.
Another change introduced in this commit is the enhancement of the
Nightly workflow (nightly.yml) which will cause libgit2 to be
automatically built with '-DUSE_SHA256="OpenSSL-FIPS"' CMake flag,
on Linux, macOS and Windows.
Some minor refactoring for iOS:
- Roll back clar changes; these should be a bit more measured, and occur
in clar upstream.
- Move iOS to nightly builds
We may want to support SSH but with a different provider that is not
libssh2. Add GIT_SSH to indicate that we have some inbuilt SSH support
and GIT_SSH_LIBSSH2 to indicate that support is via libssh2. This is
similar to how we support GIT_HTTPS and GIT_OPENSSL, for example.
since f15c8ac71a libgit unconditionally depends on secur32 on Windows
but only added it in cmake for the winhttp and schannel variants.
In case libgit is built against openssl it would fail to link.
This moves secur32 out of the https backend selection code into
the global win32 condition (and while at it also adds ws2_32 to the .pc file)
Provide a stream interface for Schannel - the native crypto APIs - on
Windows. This allows Windows to use the same HTTP transport that all the
other platforms use, with its own native crypto.
Ultimately this allows us to deprecate WinHTTP and we need not add
support for our socket changes in two places (our HTTP stack and the
WinHTTP stack).
xdiff is a dependency (from git core) and more properly belongs in the
'deps' directory. Move it there, and add a stub for cmake to resolve
xdiff from the system location in the future. (At present, bundled xdiff
remains hardcoded.)
