sha1dc/sha1.h - git - Git at Google

 /***
 * Copyright 2017 Marc Stevens <marc@marc-stevens.nl>, Dan Shumow <danshu@microsoft.com>
 * Distributed under the MIT Software License.
 * See accompanying file LICENSE.txt or copy at
 * https://opensource.org/licenses/MIT
 ***/

 #ifndef SHA1DC_SHA1_H
 #define SHA1DC_SHA1_H

 #if defined(__cplusplus)
 extern "C" {
 #endif

 #ifndef SHA1DC_NO_STANDARD_INCLUDES
 #include <stdint.h>
 #endif

 /* sha-1 compression function that takes an already expanded message, and additionally store intermediate states */
 /* only stores states ii (the state between step ii-1 and step ii) when DOSTORESTATEii is defined in ubc_check.h */
 void sha1_compression_states(uint32_t[5], const uint32_t[16], uint32_t[80], uint32_t[80][5]);

 /*
 // Function type for sha1_recompression_step_T (uint32_t ihvin[5], uint32_t ihvout[5], const uint32_t me2[80], const uint32_t state[5]).
 // Where 0 <= T < 80
 //       me2 is an expanded message (the expansion of an original message block XOR'ed with a disturbance vector's message block difference.)
 //       state is the internal state (a,b,c,d,e) before step T of the SHA-1 compression function while processing the original message block.
 // The function will return:
 //       ihvin: The reconstructed input chaining value.
 //       ihvout: The reconstructed output chaining value.
 */
 typedef void(*sha1_recompression_type)(uint32_t*, uint32_t*, const uint32_t*, const uint32_t*);

 /* A callback function type that can be set to be called when a collision block has been found: */
 /* void collision_block_callback(uint64_t byteoffset, const uint32_t ihvin1[5], const uint32_t ihvin2[5], const uint32_t m1[80], const uint32_t m2[80]) */
 typedef void(*collision_block_callback)(uint64_t, const uint32_t*, const uint32_t*, const uint32_t*, const uint32_t*);

 /* The SHA-1 context. */
 typedef struct {
 	uint64_t total;
 	uint32_t ihv[5];
 	unsigned char buffer[64];
 	int found_collision;
 	int safe_hash;
 	int detect_coll;
 	int ubc_check;
 	int reduced_round_coll;
 	collision_block_callback callback;

 	uint32_t ihv1[5];
 	uint32_t ihv2[5];
 	uint32_t m1[80];
 	uint32_t m2[80];
 	uint32_t states[80][5];
 } SHA1_CTX;

 /* Initialize SHA-1 context. */
 void SHA1DCInit(SHA1_CTX*);

 /*
     Function to enable safe SHA-1 hashing:
     Collision attacks are thwarted by hashing a detected near-collision block 3 times.
     Think of it as extending SHA-1 from 80-steps to 240-steps for such blocks:
 	The best collision attacks against SHA-1 have complexity about 2^60,
 	thus for 240-steps an immediate lower-bound for the best cryptanalytic attacks would be 2^180.
 	An attacker would be better off using a generic birthday search of complexity 2^80.

    Enabling safe SHA-1 hashing will result in the correct SHA-1 hash for messages where no collision attack was detected,
    but it will result in a different SHA-1 hash for messages where a collision attack was detected.
    This will automatically invalidate SHA-1 based digital signature forgeries.
    Enabled by default.
 */
 void SHA1DCSetSafeHash(SHA1_CTX*, int);

 /*
     Function to disable or enable the use of Unavoidable Bitconditions (provides a significant speed up).
     Enabled by default
  */
 void SHA1DCSetUseUBC(SHA1_CTX*, int);

 /*
     Function to disable or enable the use of Collision Detection.
     Enabled by default.
  */
 void SHA1DCSetUseDetectColl(SHA1_CTX*, int);

 /* function to disable or enable the detection of reduced-round SHA-1 collisions */
 /* disabled by default */
 void SHA1DCSetDetectReducedRoundCollision(SHA1_CTX*, int);

 /* function to set a callback function, pass NULL to disable */
 /* by default no callback set */
 void SHA1DCSetCallback(SHA1_CTX*, collision_block_callback);

 /* update SHA-1 context with buffer contents */
 void SHA1DCUpdate(SHA1_CTX*, const char*, size_t);

 /* obtain SHA-1 hash from SHA-1 context */
 /* returns: 0 = no collision detected, otherwise = collision found => warn user for active attack */
 int  SHA1DCFinal(unsigned char[20], SHA1_CTX*);

 #if defined(__cplusplus)
 }
 #endif

 #ifdef SHA1DC_CUSTOM_TRAILING_INCLUDE_SHA1_H
 #include SHA1DC_CUSTOM_TRAILING_INCLUDE_SHA1_H
 #endif

 #endif
	/***
	* Copyright 2017 Marc Stevens <marc@marc-stevens.nl>, Dan Shumow <danshu@microsoft.com>
	* Distributed under the MIT Software License.
	* See accompanying file LICENSE.txt or copy at
	* https://opensource.org/licenses/MIT
	***/

	#ifndef SHA1DC_SHA1_H
	#define SHA1DC_SHA1_H

	#if defined(__cplusplus)
	extern "C" {
	#endif

	#ifndef SHA1DC_NO_STANDARD_INCLUDES
	#include <stdint.h>
	#endif

	/* sha-1 compression function that takes an already expanded message, and additionally store intermediate states */
	/* only stores states ii (the state between step ii-1 and step ii) when DOSTORESTATEii is defined in ubc_check.h */
	void sha1_compression_states(uint32_t[5], const uint32_t[16], uint32_t[80], uint32_t[80][5]);

	/*
	// Function type for sha1_recompression_step_T (uint32_t ihvin[5], uint32_t ihvout[5], const uint32_t me2[80], const uint32_t state[5]).
	// Where 0 <= T < 80
	// me2 is an expanded message (the expansion of an original message block XOR'ed with a disturbance vector's message block difference.)
	// state is the internal state (a,b,c,d,e) before step T of the SHA-1 compression function while processing the original message block.
	// The function will return:
	// ihvin: The reconstructed input chaining value.
	// ihvout: The reconstructed output chaining value.
	*/
	typedef void(sha1_recompression_type)(uint32_t, uint32_t, const uint32_t, const uint32_t*);

	/* A callback function type that can be set to be called when a collision block has been found: */
	/* void collision_block_callback(uint64_t byteoffset, const uint32_t ihvin1[5], const uint32_t ihvin2[5], const uint32_t m1[80], const uint32_t m2[80]) */
	typedef void(collision_block_callback)(uint64_t, const uint32_t, const uint32_t, const uint32_t, const uint32_t*);

	/* The SHA-1 context. */
	typedef struct {
	uint64_t total;
	uint32_t ihv[5];
	unsigned char buffer[64];
	int found_collision;
	int safe_hash;
	int detect_coll;
	int ubc_check;
	int reduced_round_coll;
	collision_block_callback callback;

	uint32_t ihv1[5];
	uint32_t ihv2[5];
	uint32_t m1[80];
	uint32_t m2[80];
	uint32_t states[80][5];
	} SHA1_CTX;

	/* Initialize SHA-1 context. */
	void SHA1DCInit(SHA1_CTX*);

	/*
	Function to enable safe SHA-1 hashing:
	Collision attacks are thwarted by hashing a detected near-collision block 3 times.
	Think of it as extending SHA-1 from 80-steps to 240-steps for such blocks:
	The best collision attacks against SHA-1 have complexity about 2^60,
	thus for 240-steps an immediate lower-bound for the best cryptanalytic attacks would be 2^180.
	An attacker would be better off using a generic birthday search of complexity 2^80.

	Enabling safe SHA-1 hashing will result in the correct SHA-1 hash for messages where no collision attack was detected,
	but it will result in a different SHA-1 hash for messages where a collision attack was detected.
	This will automatically invalidate SHA-1 based digital signature forgeries.
	Enabled by default.
	*/
	void SHA1DCSetSafeHash(SHA1_CTX*, int);

	/*
	Function to disable or enable the use of Unavoidable Bitconditions (provides a significant speed up).
	Enabled by default
	*/
	void SHA1DCSetUseUBC(SHA1_CTX*, int);

	/*
	Function to disable or enable the use of Collision Detection.
	Enabled by default.
	*/
	void SHA1DCSetUseDetectColl(SHA1_CTX*, int);

	/* function to disable or enable the detection of reduced-round SHA-1 collisions */
	/* disabled by default */
	void SHA1DCSetDetectReducedRoundCollision(SHA1_CTX*, int);

	/* function to set a callback function, pass NULL to disable */
	/* by default no callback set */
	void SHA1DCSetCallback(SHA1_CTX*, collision_block_callback);

	/* update SHA-1 context with buffer contents */
	void SHA1DCUpdate(SHA1_CTX, const char, size_t);

	/* obtain SHA-1 hash from SHA-1 context */
	/* returns: 0 = no collision detected, otherwise = collision found => warn user for active attack */
	int SHA1DCFinal(unsigned char[20], SHA1_CTX*);

	#if defined(__cplusplus)
	}
	#endif

	#ifdef SHA1DC_CUSTOM_TRAILING_INCLUDE_SHA1_H
	#include SHA1DC_CUSTOM_TRAILING_INCLUDE_SHA1_H
	#endif

	#endif