We used to use the SHA1 implementation from the OpenSSL library by
default. As we are trying to be careful against collision attacks
after the recent "shattered" announcement, switch the default to
encourage people to use DC_SHA1 implementation instead. Those who
want to use the implementation from OpenSSL can explicitly ask for
it by OPENSSL_SHA1=YesPlease when running "make".
Signed-off-by: Junio C Hamano <gits...@pobox.com>
---
Makefile | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/Makefile b/Makefile
index fc9d89498b..fd4421eeb8 100644
--- a/Makefile
+++ b/Makefile
@@ -146,6 +146,9 @@ all::
# algorithm. This is slower, but may detect attempted collision attacks.
# Takes priority over other *_SHA1 knobs.
#
+# Define OPENSSL_SHA1 environment variable when running make to link
+# with the SHA1 routine from openssl library.
+#
# Define SHA1_MAX_BLOCK_SIZE to limit the amount of data that will be hashed
# in one call to the platform's SHA1_Update(). e.g. APPLE_COMMON_CRYPTO
# wants 'SHA1_MAX_BLOCK_SIZE=1024L*1024L*1024L' defined.
@@ -1390,10 +1393,9 @@ ifdef APPLE_COMMON_CRYPTO
SHA1_MAX_BLOCK_SIZE = 1024L*1024L*1024L
endif
-ifdef DC_SHA1
- LIB_OBJS += sha1dc/sha1.o
- LIB_OBJS += sha1dc/ubc_check.o
- BASIC_CFLAGS += -DSHA1_DC
+ifdef OPENSSL_SHA1
+ EXTLIBS += $(LIB_4_CRYPTO)
+ BASIC_CFLAGS += -DSHA1_OPENSSL
else
ifdef BLK_SHA1
LIB_OBJS += block-sha1/sha1.o
@@ -1407,8 +1409,10 @@ ifdef APPLE_COMMON_CRYPTO
COMPAT_CFLAGS += -DCOMMON_DIGEST_FOR_OPENSSL
BASIC_CFLAGS += -DSHA1_APPLE
else
- EXTLIBS += $(LIB_4_CRYPTO)
- BASIC_CFLAGS += -DSHA1_OPENSSL
+ DC_SHA1 := YesPlease
+ LIB_OBJS += sha1dc/sha1.o
+ LIB_OBJS += sha1dc/ubc_check.o
+ BASIC_CFLAGS += -DSHA1_DC
endif
endif
endif
--
2.12.0-317-g32c43f595f
