kernel
/
git
mirror of https://git.kernel.org/pub/scm/git/git.git
1
0
Fork 0
Code Releases Activity

Makefile: allow specifying a SHA-1 for non-cryptographic uses 

Introduce _UNSAFE variants of the OPENSSL_SHA1, BLK_SHA1, and
APPLE_COMMON_CRYPTO_SHA1 compile-time knobs which indicate which SHA-1
implementation is to be used for non-cryptographic uses.

There are a couple of small implementation notes worth mentioning:

  - There is no way to select the collision detecting SHA-1 as the
    "fast" fallback, since the fast fallback is only for
    non-cryptographic uses, and is meant to be faster than our
    collision-detecting implementation.

  - There are no similar knobs for SHA-256, since no collision attacks
    are presently known and thus no collision-detecting implementations
    actually exist.

Signed-off-by: Taylor Blau <me@ttaylorr.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
maint
Taylor Blau 2024-09-26 11:22:50 -04:00 committed by Junio C Hamano
parent 253ed9ecff
commit 06c92dafb8
2 changed files with 55 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
Makefile
View File

@ -521,6 +521,10 @@ include shared.mak
# Define APPLE_COMMON_CRYPTO_SHA1 to use Apple's CommonCrypto for # Define APPLE_COMMON_CRYPTO_SHA1 to use Apple's CommonCrypto for
# SHA-1. # SHA-1.
# #
# Define the same Makefile knobs as above, but suffixed with _UNSAFE to
# use the corresponding implementations for unsafe SHA-1 hashing for
# non-cryptographic purposes.
#
# If don't enable any of the *_SHA1 settings in this section, Git will # If don't enable any of the *_SHA1 settings in this section, Git will
# default to its built-in sha1collisiondetection library, which is a # default to its built-in sha1collisiondetection library, which is a
# collision-detecting sha1 This is slower, but may detect attempted # collision-detecting sha1 This is slower, but may detect attempted
@ -1987,6 +1991,27 @@ endif
endif endif
endif endif


ifdef OPENSSL_SHA1_UNSAFE
ifndef OPENSSL_SHA1
EXTLIBS += $(LIB_4_CRYPTO)
BASIC_CFLAGS += -DSHA1_OPENSSL_UNSAFE
endif
else
ifdef BLK_SHA1_UNSAFE
ifndef BLK_SHA1
LIB_OBJS += block-sha1/sha1.o
BASIC_CFLAGS += -DSHA1_BLK_UNSAFE
endif
else
ifdef APPLE_COMMON_CRYPTO_SHA1_UNSAFE
ifndef APPLE_COMMON_CRYPTO_SHA1
COMPAT_CFLAGS += -DCOMMON_DIGEST_FOR_OPENSSL
BASIC_CFLAGS += -DSHA1_APPLE_UNSAFE
endif
endif
endif
endif

ifdef OPENSSL_SHA256 ifdef OPENSSL_SHA256
EXTLIBS += $(LIB_4_CRYPTO) EXTLIBS += $(LIB_4_CRYPTO)
BASIC_CFLAGS += -DSHA256_OPENSSL BASIC_CFLAGS += -DSHA256_OPENSSL

30
hash.h
View File

@ -15,6 +15,36 @@
#include "block-sha1/sha1.h" #include "block-sha1/sha1.h"
#endif #endif


#if defined(SHA1_APPLE_UNSAFE)
# include <CommonCrypto/CommonDigest.h>
# define platform_SHA_CTX_unsafe CC_SHA1_CTX
# define platform_SHA1_Init_unsafe CC_SHA1_Init
# define platform_SHA1_Update_unsafe CC_SHA1_Update
# define platform_SHA1_Final_unsafe CC_SHA1_Final
#elif defined(SHA1_OPENSSL_UNSAFE)
# include <openssl/sha.h>
# if defined(OPENSSL_API_LEVEL) && OPENSSL_API_LEVEL >= 3
# define SHA1_NEEDS_CLONE_HELPER_UNSAFE
# include "sha1/openssl.h"
# define platform_SHA_CTX_unsafe openssl_SHA1_CTX
# define platform_SHA1_Init_unsafe openssl_SHA1_Init
# define platform_SHA1_Clone_unsafe openssl_SHA1_Clone
# define platform_SHA1_Update_unsafe openssl_SHA1_Update
# define platform_SHA1_Final_unsafe openssl_SHA1_Final
# else
# define platform_SHA_CTX_unsafe SHA_CTX
# define platform_SHA1_Init_unsafe SHA1_Init
# define platform_SHA1_Update_unsafe SHA1_Update
# define platform_SHA1_Final_unsafe SHA1_Final
# endif
#elif defined(SHA1_BLK_UNSAFE)
# include "block-sha1/sha1.h"
# define platform_SHA_CTX_unsafe blk_SHA_CTX
# define platform_SHA1_Init_unsafe blk_SHA1_Init
# define platform_SHA1_Update_unsafe blk_SHA1_Update
# define platform_SHA1_Final_unsafe blk_SHA1_Final
#endif

#if defined(SHA256_NETTLE) #if defined(SHA256_NETTLE)
#include "sha256/nettle.h" #include "sha256/nettle.h"
#elif defined(SHA256_GCRYPT) #elif defined(SHA256_GCRYPT)