@@ -1327,15 +1327,16 @@ endif
https_backend = get_option('https_backend')
sha1_backend = get_option('sha1_backend')
+sha1_unsafe_backend = get_option('sha1_unsafe_backend')
sha256_backend = get_option('sha256_backend')
-security_framework = dependency('Security', required: 'CommonCrypto' in [https_backend, sha1_backend])
+security_framework = dependency('Security', required: 'CommonCrypto' in [https_backend, sha1_backend, sha1_unsafe_backend])
core_foundation_framework = dependency('CoreFoundation', required: security_framework.found())
if https_backend == 'auto' and security_framework.found()
https_backend = 'CommonCrypto'
endif
-openssl_required = 'openssl' in [https_backend, sha1_backend, sha256_backend]
+openssl_required = 'openssl' in [https_backend, sha1_backend, sha1_unsafe_backend, sha256_backend]
openssl = dependency('openssl', required: openssl_required, default_options: ['default_library=static'])
if https_backend == 'auto' and openssl.found()
https_backend = 'openssl'
@@ -1368,19 +1369,38 @@ if sha1_backend == 'sha1dc'
'sha1dc/sha1.c',
'sha1dc/ubc_check.c',
]
-elif sha1_backend == 'CommonCrypto'
+endif
+if sha1_backend == 'CommonCrypto' or sha1_unsafe_backend == 'CommonCrypto'
+ if sha1_backend == 'CommonCrypto'
+ libgit_c_args += '-DSHA1_APPLE'
+ endif
+ if sha1_unsafe_backend == 'CommonCrypto'
+ libgit_c_args += '-DSHA1_APPLE_UNSAFE'
+ endif
+
libgit_c_args += '-DCOMMON_DIGEST_FOR_OPENSSL'
- libgit_c_args += '-DSHA1_APPLE'
# Apple CommonCrypto requires chunking
libgit_c_args += '-DSHA1_MAX_BLOCK_SIZE=1024L*1024L*1024L'
-elif sha1_backend == 'openssl'
- libgit_c_args += '-DSHA1_OPENSSL'
+endif
+if sha1_backend == 'openssl' or sha1_unsafe_backend == 'openssl'
+ if sha1_backend == 'openssl'
+ libgit_c_args += '-DSHA1_OPENSSL'
+ endif
+ if sha1_unsafe_backend == 'openssl'
+ libgit_c_args += '-DSHA1_OPENSSL_UNSAFE'
+ endif
+
libgit_dependencies += openssl
-elif sha1_backend == 'block'
- libgit_c_args += '-DSHA1_BLK'
+endif
+if sha1_backend == 'block' or sha1_unsafe_backend == 'block'
+ if sha1_backend == 'block'
+ libgit_c_args += '-DSHA1_BLK'
+ endif
+ if sha1_unsafe_backend == 'block'
+ libgit_c_args += '-DSHA1_BLK_UNSAFE'
+ endif
+
libgit_sources += 'block-sha1/sha1.c'
-else
- error('Unhandled SHA1 backend ' + sha1_backend)
endif
if sha256_backend == 'openssl'
@@ -51,6 +51,8 @@ option('https_backend', type: 'combo', value: 'auto', choices: ['auto', 'openssl
description: 'The HTTPS backend to use when connecting to remotes.')
option('sha1_backend', type: 'combo', choices: ['openssl', 'block', 'sha1dc', 'CommonCrypto'], value: 'sha1dc',
description: 'The backend used for hashing objects with the SHA1 object format.')
+option('sha1_unsafe_backend', type: 'combo', choices: ['openssl', 'block', 'CommonCrypto', 'none'], value: 'none',
+ description: 'The backend used for hashing data with the SHA1 object format in case no cryptographic security is needed.')
option('sha256_backend', type: 'combo', choices: ['openssl', 'nettle', 'gcrypt', 'block'], value: 'block',
description: 'The backend used for hashing objects with the SHA256 object format.')
In 06c92dafb8 (Makefile: allow specifying a SHA-1 for non-cryptographic uses, 2024-09-26), we have introduced a cryptographically-insecure backend for SHA1 that can optionally be used in some contexts where the processed data is not security relevant. This effort was in-flight with the effort to introduce Meson, so we don't have an equivalent here. Wire up a new build option that lets users pick an unsafe SHA1 backend. Note that for simplicity's sake we have to drop the error condition around an unhandled SHA1 backend. This should be fine though given that Meson verifies the value for combo-options for us. Signed-off-by: Patrick Steinhardt <ps@pks.im> --- meson.build | 40 ++++++++++++++++++++++++++++++---------- meson_options.txt | 2 ++ 2 files changed, 32 insertions(+), 10 deletions(-)