On Sun, Jul 29, 2018 at 09:48:43PM +0200, Michael wrote:
> On 29/07/2018 21:27, brian m. carlson wrote:
> > Well, that explains it.  I would recommend submitting a patch to
> > https://github.com/cr-marcstevens/sha1collisiondetection, and the we can
> > pull in the updated submodule with that fix.
> Not sure I am smart enough to do that. I'll have to download, build, and see
> what it says.

The issue is that somewhere in lib/sha1.c, you need to cause
SHA1DC_BIGENDIAN to be set.  That means you need to figure out what
compiler macro might indicate that.  I can tell you that a POWER- or
PowerPC-specific one is going to be a bad choice unless it includes the
endianness, since those chips come in little-endian versions as well.

_AIX might be a fine choice if you know that it only ever runs on
big-endian chips.

> > In the mean time, you could build using OpenSSL or the block SHA-1
> > implementation, and switch back once things are in a good state.  I do
> > recommend using SHA1DC for things long term, though, as attacks on SHA-1
> > are only going to get better.
> Any suggestions on where/how to do this?
> 
> root@x066:[/data/prj/aixtools/git/git-2.13.2]./configure --help | grep -i
> sha
>   --sharedstatedir=DIR    modifiable architecture-independent data
> [PREFIX/com]
>   --datarootdir=DIR       read-only arch.-independent data root
> [PREFIX/share]
> 
> root@x066:[/data/prj/aixtools/git/git-2.13.2]./configure --help | grep ssl
>   --with-openssl          use OpenSSL library (default is YES)
>                           ARG can be prefix for openssl library and headers

If you're using configure, you can use --with-openssl, or
--with-openssl=PREFIX if your OpenSSL isn't in the standard location but
is instead in PREFIX.
-- 
brian m. carlson: Houston, Texas, US
OpenPGP: https://keybase.io/bk2204