undef/git-commit-vandalism
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Makefile: use sha1collisiondetection by default on OSX and Darwin

Browse Source 
When the sha1collisiondetection library was added and made the default
in [1] the interaction with APPLE_COMMON_CRYPTO added in [2] and [3]
seems to have been missed. On modern OSX and Darwin we are able to use
Apple's CommonCrypto both for SHA-1, and as a generic (but partial)
OpenSSL replacement.

This left OSX and Darwin without protection against the SHAttered
attack when building Git in its default configuration.

Let's also use sha1collisiondetection on OSX, to do so we'll need to
split up the "APPLE_COMMON_CRYPTO" flag into that flag and a new
"APPLE_COMMON_CRYPTO_SHA1".

Because of this we can stop conflating whether we want to use Apple's
CommonCrypto at all, and whether we want to use it for SHA-1.  This
makes the CI recipe added in [4] simpler.

1. e6b07da278 (Makefile: make DC_SHA1 the default, 2017-03-17)
2. 4dcd7732db (Makefile: add support for Apple CommonCrypto facility, 2013-05-19)
3. 61067954ce (cache.h: eliminate SHA-1 deprecation warnings on Mac OS X, 2013-05-19)
4. 1ad5c3df35 (ci: use DC_SHA1=YesPlease on osx-clang job for CI,
   2022-10-20)

Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
This commit is contained in:
Ævar Arnfjörð Bjarmason 2022-12-15 09:43:05 +01:00 committed by Junio C Hamano
parent c48035d29b
commit 35898ad24d
2 changed files with 5 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
Makefile
View File

@ -511,10 +511,8 @@ include shared.mak
# Define BLK_SHA1 to make use of optimized C SHA-1 routines bundled # Define BLK_SHA1 to make use of optimized C SHA-1 routines bundled
# with git (in the block-sha1/ directory). # with git (in the block-sha1/ directory).
# #
# Define NO_APPLE_COMMON_CRYPTO on OSX to opt-out of using the # Define APPLE_COMMON_CRYPTO_SHA1 to use Apple's CommonCrypto for
# "APPLE_COMMON_CRYPTO" backend for SHA-1, which is currently the # SHA-1.
# default on that OS. On macOS 01.4 (Tiger) or older,
# NO_APPLE_COMMON_CRYPTO is defined by default.
# #
# If don't enable any of the *_SHA1 settings in this section, Git will # If don't enable any of the *_SHA1 settings in this section, Git will
# default to its built-in sha1collisiondetection library, which is a # default to its built-in sha1collisiondetection library, which is a
@ -1912,7 +1910,7 @@ ifdef NO_POSIX_GOODIES
BASIC_CFLAGS += -DNO_POSIX_GOODIES BASIC_CFLAGS += -DNO_POSIX_GOODIES
endif endif
ifdef APPLE_COMMON_CRYPTO ifdef APPLE_COMMON_CRYPTO_SHA1
# Apple CommonCrypto requires chunking # Apple CommonCrypto requires chunking
SHA1_MAX_BLOCK_SIZE = 1024L*1024L*1024L SHA1_MAX_BLOCK_SIZE = 1024L*1024L*1024L
endif endif
@ -1929,7 +1927,7 @@ ifdef BLK_SHA1
LIB_OBJS += block-sha1/sha1.o LIB_OBJS += block-sha1/sha1.o
BASIC_CFLAGS += -DSHA1_BLK BASIC_CFLAGS += -DSHA1_BLK
else else
ifdef APPLE_COMMON_CRYPTO ifdef APPLE_COMMON_CRYPTO_SHA1
COMPAT_CFLAGS += -DCOMMON_DIGEST_FOR_OPENSSL COMPAT_CFLAGS += -DCOMMON_DIGEST_FOR_OPENSSL
BASIC_CFLAGS += -DSHA1_APPLE BASIC_CFLAGS += -DSHA1_APPLE
else else

3
ci/lib.sh
View File

@ -258,8 +258,7 @@ macos-*)
MAKEFLAGS="$MAKEFLAGS PYTHON_PATH=$(which python3)" MAKEFLAGS="$MAKEFLAGS PYTHON_PATH=$(which python3)"
else else
MAKEFLAGS="$MAKEFLAGS PYTHON_PATH=$(which python2)" MAKEFLAGS="$MAKEFLAGS PYTHON_PATH=$(which python2)"
MAKEFLAGS="$MAKEFLAGS NO_APPLE_COMMON_CRYPTO=NoThanks" MAKEFLAGS="$MAKEFLAGS APPLE_COMMON_CRYPTO_SHA1=Yes"
MAKEFLAGS="$MAKEFLAGS NO_OPENSSL=NoThanks"
fi fi
;; ;;
esac esac