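/***
* Copyright 2017 Marc Stevens <marc@marc-stevens.nl>, Dan Shumow <danshu@microsoft.com>
* Distributed under the MIT Software License.
* See accompanying file LICENSE.txt or copy at
* https://opensource.org/licenses/MIT
***/
#ifndef SHA1DC_SHA1_H
#define SHA1DC_SHA1_H

/*
 * Every declaration below uses size_t or a fixed-width integer type, so the
 * header includes their definitions itself instead of relying on whatever the
 * including file happened to pull in first.
 */
#include <stddef.h>
#include <stdint.h>

#if defined(__cplusplus)
extern "C" {
#endif

/* uses SHA-1 message expansion to expand the first 16 words of W[] to 80 words */
/* void sha1_message_expansion(uint32_t W[80]); */

/*
 * sha-1 compression function; the first version takes a message block
 * pre-parsed as 16 32-bit integers, the second version takes an already
 * expanded message
 */
/* void sha1_compression(uint32_t ihv[5], const uint32_t m[16]);
void sha1_compression_W(uint32_t ihv[5], const uint32_t W[80]); */

/*
 * Same as sha1_compression_W, but additionally stores intermediate states.
 * State ii (the state between step ii-1 and step ii) is only stored when
 * DOSTORESTATEii is defined in ubc_check.h, so the other rows of states[]
 * should not be assumed to hold meaningful values.
 *
 * ihv, m and W follow the naming of the commented-out prototypes above;
 * m is const and therefore input only.
 */
void sha1_compression_states(uint32_t ihv[5], const uint32_t m[16], uint32_t W[80], uint32_t states[80][5]);

/*
 * Function type for sha1_recompression_step_T, where 0 <= T < 80.
 *
 *   me2    an expanded message (the expansion of an original message block
 *          XOR'ed with a disturbance vector's message block difference)
 *   state  the internal state (a,b,c,d,e) before step T of the SHA-1
 *          compression function while processing the original message block
 *
 * The function returns through its first two arguments:
 *   ihvin   the reconstructed input chaining value
 *   ihvout  the reconstructed output chaining value
 */
typedef void (*sha1_recompression_type)(uint32_t *ihvin, uint32_t *ihvout, const uint32_t *me2, const uint32_t *state);

/* table of sha1_recompression_step_0, ... , sha1_recompression_step_79 */
/* extern sha1_recompression_type sha1_recompression_step[80]; */

/*
 * A callback function type that can be set to be called when a collision
 * block has been found. Shape of the arguments, as documented by the authors:
 *
 *   void collision_block_callback(uint64_t byteoffset,
 *                                 const uint32_t ihvin1[5], const uint32_t ihvin2[5],
 *                                 const uint32_t m1[80], const uint32_t m2[80])
 *
 * All array arguments are const: the callback observes the detection (for
 * example to log it) and cannot alter the hash state through them.
 */
typedef void (*collision_block_callback)(uint64_t byteoffset, const uint32_t *ihvin1, const uint32_t *ihvin2, const uint32_t *m1, const uint32_t *m2);

/*
 * The SHA-1 context.
 *
 * The per-field notes are inferred from the field names and from the setter
 * documentation in this header; confirm them against sha1.c before relying
 * on them.
 *
 * NOTE(review): the context holds input bytes (buffer) and intermediate hash
 * state. Whether SHA1DCFinal clears them is not visible from this header, so
 * callers hashing sensitive data should wipe the context themselves.
 */
typedef struct {
    uint64_t total;               /* presumably the amount of input consumed so far */
    uint32_t ihv[5];              /* chaining value, five 32-bit words */
    unsigned char buffer[64];     /* presumably pending input for one 64-byte block */
    int found_collision;          /* presumably the flag behind SHA1DCFinal's return value */
    int safe_hash;                /* see SHA1DCSetSafeHash */
    int detect_coll;              /* see SHA1DCSetUseDetectColl */
    int ubc_check;                /* see SHA1DCSetUseUBC */
    int reduced_round_coll;       /* see SHA1DCSetDetectReducedRoundCollision */
    collision_block_callback callback; /* see SHA1DCSetCallback; NULL means none */

    /* scratch space, presumably used by the collision detection itself */
    uint32_t ihv1[5];
    uint32_t ihv2[5];
    uint32_t m1[80];
    uint32_t m2[80];
    uint32_t states[80][5];
} SHA1_CTX;

/* initialize SHA-1 context */
void SHA1DCInit(SHA1_CTX *ctx);

/*
 * Function to enable safe SHA-1 hashing:
 * collision attacks are thwarted by hashing a detected near-collision block 3 times.
 * Think of it as extending SHA-1 from 80 steps to 240 steps for such blocks:
 * the best collision attacks against SHA-1 have complexity about 2^60,
 * thus for 240 steps an immediate lower bound for the best cryptanalytic
 * attacks would be 2^180; an attacker would be better off using a generic
 * birthday search of complexity 2^80.
 *
 * Enabling safe SHA-1 hashing will result in the correct SHA-1 hash for
 * messages where no collision attack was detected, but it will result in a
 * different SHA-1 hash for messages where a collision attack was detected.
 * This will automatically invalidate SHA-1 based digital signature forgeries.
 *
 * Enabled by default.
 *
 * With safe hashing switched off, a flagged message keeps its ordinary SHA-1
 * digest, so the return value of SHA1DCFinal is then the only signal that an
 * attack was detected.
 */
void SHA1DCSetSafeHash(SHA1_CTX *ctx, int safehash);

/* function to disable or enable the use of Unavoidable Bitconditions (provides a significant speed up) */
/* enabled by default */
void SHA1DCSetUseUBC(SHA1_CTX *ctx, int ubc_check);

/* function to disable or enable the use of Collision Detection */
/* enabled by default */
/* NOTE(review): with detection disabled, SHA1DCFinal presumably has nothing to report -- confirm in sha1.c */
void SHA1DCSetUseDetectColl(SHA1_CTX *ctx, int detect_coll);

/* function to disable or enable the detection of reduced-round SHA-1 collisions */
/* disabled by default */
void SHA1DCSetDetectReducedRoundCollision(SHA1_CTX *ctx, int reduced_round_coll);

/* function to set a callback function, pass NULL to disable */
/* by default no callback set */
void SHA1DCSetCallback(SHA1_CTX *ctx, collision_block_callback callback);

/* update SHA-1 context with buffer contents (len bytes starting at buf) */
void SHA1DCUpdate(SHA1_CTX *ctx, const char *buf, size_t len);

/*
 * Obtain SHA-1 hash from SHA-1 context; the 20-byte digest is written to output.
 * returns: 0 = no collision detected, otherwise = collision found => warn user of active attack
 *
 * Callers must check the return value: a nonzero result means the input
 * carried a detected collision attack and the digest should not be trusted
 * as an identifier for it.
 */
int SHA1DCFinal(unsigned char output[20], SHA1_CTX *ctx);

#if defined(__cplusplus)
}
#endif

#endif /* SHA1DC_SHA1_H */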