1 /***
2 * Copyright 2017 Marc Stevens <marc@marc-stevens.nl>, Dan Shumow <danshu@microsoft.com>
3 * Distributed under the MIT Software License.
4 * See accompanying file LICENSE.txt or copy at
5 * https://opensource.org/licenses/MIT
6 ***/
7 
8 #ifndef SHA1DC_SHA1_H
9 #define SHA1DC_SHA1_H
10 
11 #if defined(__cplusplus)
12 extern "C" {
13 #endif
14 
15 #include <stdint.h>
16 
17 /* uses SHA-1 message expansion to expand the first 16 words of W[] to 80 words */
18 /* void sha1_message_expansion(uint32_t W[80]); */
19 
20 /* sha-1 compression function; first version takes a message block pre-parsed as 16 32-bit integers, second version takes an already expanded message) */
21 /* void sha1_compression(uint32_t ihv[5], const uint32_t m[16]);
22 void sha1_compression_W(uint32_t ihv[5], const uint32_t W[80]); */
23 
24 /* same as sha1_compression_W, but additionally store intermediate states */
25 /* only stores states ii (the state between step ii-1 and step ii) when DOSTORESTATEii is defined in ubc_check.h */
26 void sha1_compression_states(uint32_t[5], const uint32_t[16], uint32_t[80], uint32_t[80][5]);
27 
28 /*
29 // function type for sha1_recompression_step_T (uint32_t ihvin[5], uint32_t ihvout[5], const uint32_t me2[80], const uint32_t state[5])
30 // where 0 <= T < 80
31 //       me2 is an expanded message (the expansion of an original message block XOR'ed with a disturbance vector's message block difference)
32 //       state is the internal state (a,b,c,d,e) before step T of the SHA-1 compression function while processing the original message block
33 // the function will return:
34 //       ihvin: the reconstructed input chaining value
35 //       ihvout: the reconstructed output chaining value
36 */
37 typedef void(*sha1_recompression_type)(uint32_t*, uint32_t*, const uint32_t*, const uint32_t*);
38 
39 /* table of sha1_recompression_step_0, ... , sha1_recompression_step_79 */
40 /* extern sha1_recompression_type sha1_recompression_step[80];*/
41 
42 /* a callback function type that can be set to be called when a collision block has been found: */
43 /* void collision_block_callback(uint64_t byteoffset, const uint32_t ihvin1[5], const uint32_t ihvin2[5], const uint32_t m1[80], const uint32_t m2[80]) */
44 typedef void(*collision_block_callback)(uint64_t, const uint32_t*, const uint32_t*, const uint32_t*, const uint32_t*);
45 
46 /* the SHA-1 context */
47 typedef struct {
48 	uint64_t total;
49 	uint32_t ihv[5];
50 	unsigned char buffer[64];
51 	int found_collision;
52 	int safe_hash;
53 	int detect_coll;
54 	int ubc_check;
55 	int reduced_round_coll;
56 	collision_block_callback callback;
57 
58 	uint32_t ihv1[5];
59 	uint32_t ihv2[5];
60 	uint32_t m1[80];
61 	uint32_t m2[80];
62 	uint32_t states[80][5];
63 } SHA1_CTX;
64 
65 /* initialize SHA-1 context */
66 void SHA1DCInit(SHA1_CTX*);
67 
68 /*
69 // function to enable safe SHA-1 hashing:
70 // collision attacks are thwarted by hashing a detected near-collision block 3 times
71 // think of it as extending SHA-1 from 80-steps to 240-steps for such blocks:
72 //   the best collision attacks against SHA-1 have complexity about 2^60,
73 //   thus for 240-steps an immediate lower-bound for the best cryptanalytic attacks would 2^180
74 //   an attacker would be better off using a generic birthday search of complexity 2^80
75 //
76 // enabling safe SHA-1 hashing will result in the correct SHA-1 hash for messages where no collision attack was detected
77 // but it will result in a different SHA-1 hash for messages where a collision attack was detected
78 // this will automatically invalidate SHA-1 based digital signature forgeries
79 // enabled by default
80 */
81 void SHA1DCSetSafeHash(SHA1_CTX*, int);
82 
83 /* function to disable or enable the use of Unavoidable Bitconditions (provides a significant speed up) */
84 /* enabled by default */
85 void SHA1DCSetUseUBC(SHA1_CTX*, int);
86 
87 /* function to disable or enable the use of Collision Detection */
88 /* enabled by default */
89 void SHA1DCSetUseDetectColl(SHA1_CTX*, int);
90 
91 /* function to disable or enable the detection of reduced-round SHA-1 collisions */
92 /* disabled by default */
93 void SHA1DCSetDetectReducedRoundCollision(SHA1_CTX*, int);
94 
95 /* function to set a callback function, pass NULL to disable */
96 /* by default no callback set */
97 void SHA1DCSetCallback(SHA1_CTX*, collision_block_callback);
98 
99 /* update SHA-1 context with buffer contents */
100 void SHA1DCUpdate(SHA1_CTX*, const char*, size_t);
101 
102 /* obtain SHA-1 hash from SHA-1 context */
103 /* returns: 0 = no collision detected, otherwise = collision found => warn user for active attack */
104 int  SHA1DCFinal(unsigned char[20], SHA1_CTX*);
105 
106 #if defined(__cplusplus)
107 }
108 #endif
109 
110 #endif
111