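/***
* Copyright 2017 Marc Stevens <marc@marc-stevens.nl>, Dan Shumow <danshu@microsoft.com>
* Distributed under the MIT Software License.
* See accompanying file LICENSE.txt or copy at
* https://opensource.org/licenses/MIT
***/

/*
 * Public interface of the SHA-1 implementation with collision detection:
 * the context type, the option setters and the init/update/final calls.
 */

#ifndef SHA1DC_SHA1_H
#define SHA1DC_SHA1_H

#if defined(__cplusplus)
extern "C" {
#endif

/* size_t is used by SHA1DCUpdate; <stdint.h> alone is not guaranteed to declare it */
#include <stddef.h>
#include <stdint.h>

/* uses SHA-1 message expansion to expand the first 16 words of W[] to 80 words */
/* void sha1_message_expansion(uint32_t W[80]); */

/* sha-1 compression function; the first version takes a message block pre-parsed as 16 32-bit integers, the second version takes an already expanded message */
/* void sha1_compression(uint32_t ihv[5], const uint32_t m[16]);
   void sha1_compression_W(uint32_t ihv[5], const uint32_t W[80]); */

/*
 * same as sha1_compression_W, but additionally stores intermediate states
 * only stores states ii (the state between step ii-1 and step ii) when DOSTORESTATEii is defined in ubc_check.h
 *
 * NOTE(review): unlike sha1_compression_W this takes both m[16] and a non-const W[80];
 * presumably W receives the expansion of m -- confirm in sha1.c
 */
void sha1_compression_states(uint32_t ihv[5], const uint32_t m[16], uint32_t W[80], uint32_t states[80][5]);

/*
 * function type for sha1_recompression_step_T (uint32_t ihvin[5], uint32_t ihvout[5], const uint32_t me2[80], const uint32_t state[5])
 * where 0 <= T < 80
 * me2 is an expanded message (the expansion of an original message block XOR'ed with a disturbance vector's message block difference)
 * state is the internal state (a,b,c,d,e) before step T of the SHA-1 compression function while processing the original message block
 * the function will return:
 *   ihvin: the reconstructed input chaining value
 *   ihvout: the reconstructed output chaining value
 */
typedef void(*sha1_recompression_type)(uint32_t *ihvin, uint32_t *ihvout, const uint32_t *me2, const uint32_t *state);

/* table of sha1_recompression_step_0, ... , sha1_recompression_step_79 */
/* extern sha1_recompression_type sha1_recompression_step[80];*/

/* a callback function type that can be set to be called when a collision block has been found: */
/* void collision_block_callback(uint64_t byteoffset, const uint32_t ihvin1[5], const uint32_t ihvin2[5], const uint32_t m1[80], const uint32_t m2[80]) */
typedef void(*collision_block_callback)(uint64_t byteoffset, const uint32_t *ihvin1, const uint32_t *ihvin2, const uint32_t *m1, const uint32_t *m2);

/*
 * the SHA-1 context
 *
 * Callers are expected to go through SHA1DCInit and the SHA1DCSet* functions
 * rather than write the fields directly; the per-field notes below that are
 * marked "presumably" are inferred from names and should be confirmed in sha1.c.
 */
typedef struct {
	uint64_t total;             /* running total kept across updates -- presumably bytes hashed so far */
	uint32_t ihv[5];            /* chaining value */
	unsigned char buffer[64];   /* 64-byte block buffer -- presumably input not yet compressed */
	int found_collision;        /* presumably the flag that SHA1DCFinal reports */
	int safe_hash;              /* presumably set by SHA1DCSetSafeHash */
	int detect_coll;            /* presumably set by SHA1DCSetUseDetectColl */
	int ubc_check;              /* presumably set by SHA1DCSetUseUBC */
	int reduced_round_coll;     /* presumably set by SHA1DCSetDetectReducedRoundCollision */
	collision_block_callback callback; /* see SHA1DCSetCallback; NULL disables it */

	/* presumably working storage for the collision check (chaining values, expanded messages, step states) */
	uint32_t ihv1[5];
	uint32_t ihv2[5];
	uint32_t m1[80];
	uint32_t m2[80];
	uint32_t states[80][5];
} SHA1_CTX;

/* initialize SHA-1 context */
void SHA1DCInit(SHA1_CTX *ctx);

/*
 * function to enable safe SHA-1 hashing:
 * collision attacks are thwarted by hashing a detected near-collision block 3 times
 * think of it as extending SHA-1 from 80-steps to 240-steps for such blocks:
 * the best collision attacks against SHA-1 have complexity about 2^60,
 * thus for 240-steps an immediate lower-bound for the best cryptanalytic attacks would be 2^180
 * an attacker would be better off using a generic birthday search of complexity 2^80
 *
 * enabling safe SHA-1 hashing will result in the correct SHA-1 hash for messages where no collision attack was detected
 * but it will result in a different SHA-1 hash for messages where a collision attack was detected
 * this will automatically invalidate SHA-1 based digital signature forgeries
 * enabled by default
 *
 * Consequence for callers: for a flagged message the digest is intentionally not
 * the standard SHA-1 value, so it will not match a digest computed by another
 * SHA-1 implementation.
 */
void SHA1DCSetSafeHash(SHA1_CTX *ctx, int safehash);

/* function to disable or enable the use of Unavoidable Bitconditions (provides a significant speed up) */
/* enabled by default */
void SHA1DCSetUseUBC(SHA1_CTX *ctx, int ubc_check);

/* function to disable or enable the use of Collision Detection */
/* enabled by default */
/* NOTE(review): with detection disabled, presumably neither the SHA1DCFinal return value nor safe hashing offers any protection -- confirm in sha1.c */
void SHA1DCSetUseDetectColl(SHA1_CTX *ctx, int detect_coll);

/* function to disable or enable the detection of reduced-round SHA-1 collisions */
/* disabled by default */
void SHA1DCSetDetectReducedRoundCollision(SHA1_CTX *ctx, int reduced_round_coll);

/* function to set a callback function, pass NULL to disable */
/* by default no callback set */
void SHA1DCSetCallback(SHA1_CTX *ctx, collision_block_callback callback);

/* update SHA-1 context with buffer contents: hashes len bytes starting at buf */
void SHA1DCUpdate(SHA1_CTX *ctx, const char *buf, size_t len);

/*
 * obtain SHA-1 hash from SHA-1 context
 * output: receives the digest; the array parameter decays to a pointer, so the
 *         caller must supply at least 20 writable bytes
 * returns: 0 = no collision detected, otherwise = collision found => warn user of an active attack
 *
 * Do not discard the return value: it is how a detected collision is reported
 * to the caller. With safe hashing disabled the digest is presumably the
 * unmodified SHA-1 value, which would make the return value the only signal.
 */
int SHA1DCFinal(unsigned char output[20], SHA1_CTX *ctx);

#if defined(__cplusplus)
}
#endif

#endif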