7d4d423b9d347cf1d9c32d28f1fc09a9c98ad01e
   1/***
   2* Copyright 2017 Marc Stevens <marc@marc-stevens.nl>, Dan Shumow <danshu@microsoft.com>
   3* Distributed under the MIT Software License.
   4* See accompanying file LICENSE.txt or copy at
   5* https://opensource.org/licenses/MIT
   6***/
   7#ifndef SHA1DC_SHA1_H
   8#define SHA1DC_SHA1_H
   9
  10#if defined(__cplusplus)
  11extern "C" {
  12#endif
  13
  14/* uses SHA-1 message expansion to expand the first 16 words of W[] to 80 words */
  15/* void sha1_message_expansion(uint32_t W[80]); */
  16
  17/* sha-1 compression function; first version takes a message block pre-parsed as 16 32-bit integers, second version takes an already expanded message) */
  18/* void sha1_compression(uint32_t ihv[5], const uint32_t m[16]);
  19void sha1_compression_W(uint32_t ihv[5], const uint32_t W[80]); */
  20
  21/* same as sha1_compression_W, but additionally store intermediate states */
  22/* only stores states ii (the state between step ii-1 and step ii) when DOSTORESTATEii is defined in ubc_check.h */
  23void sha1_compression_states(uint32_t[5], const uint32_t[16], uint32_t[80], uint32_t[80][5]);
  24
  25/*
  26// function type for sha1_recompression_step_T (uint32_t ihvin[5], uint32_t ihvout[5], const uint32_t me2[80], const uint32_t state[5])
  27// where 0 <= T < 80
  28//       me2 is an expanded message (the expansion of an original message block XOR'ed with a disturbance vector's message block difference)
  29//       state is the internal state (a,b,c,d,e) before step T of the SHA-1 compression function while processing the original message block
  30// the function will return:
  31//       ihvin: the reconstructed input chaining value
  32//       ihvout: the reconstructed output chaining value
  33*/
  34typedef void(*sha1_recompression_type)(uint32_t*, uint32_t*, const uint32_t*, const uint32_t*);
  35
  36/* table of sha1_recompression_step_0, ... , sha1_recompression_step_79 */
  37/* extern sha1_recompression_type sha1_recompression_step[80];*/
  38
  39/* a callback function type that can be set to be called when a collision block has been found: */
  40/* void collision_block_callback(uint64_t byteoffset, const uint32_t ihvin1[5], const uint32_t ihvin2[5], const uint32_t m1[80], const uint32_t m2[80]) */
  41typedef void(*collision_block_callback)(uint64_t, const uint32_t*, const uint32_t*, const uint32_t*, const uint32_t*);
  42
  43/* the SHA-1 context */
  44typedef struct {
  45        uint64_t total;
  46        uint32_t ihv[5];
  47        unsigned char buffer[64];
  48        int found_collision;
  49        int safe_hash;
  50        int detect_coll;
  51        int ubc_check;
  52        int reduced_round_coll;
  53        collision_block_callback callback;
  54
  55        uint32_t ihv1[5];
  56        uint32_t ihv2[5];
  57        uint32_t m1[80];
  58        uint32_t m2[80];
  59        uint32_t states[80][5];
  60} SHA1_CTX;
  61
  62/* initialize SHA-1 context */
  63void SHA1DCInit(SHA1_CTX*);
  64
  65/*
  66// function to enable safe SHA-1 hashing:
  67// collision attacks are thwarted by hashing a detected near-collision block 3 times
  68// think of it as extending SHA-1 from 80-steps to 240-steps for such blocks:
  69//   the best collision attacks against SHA-1 have complexity about 2^60,
  70//   thus for 240-steps an immediate lower-bound for the best cryptanalytic attacks would 2^180
  71//   an attacker would be better off using a generic birthday search of complexity 2^80
  72//
  73// enabling safe SHA-1 hashing will result in the correct SHA-1 hash for messages where no collision attack was detected
  74// but it will result in a different SHA-1 hash for messages where a collision attack was detected
  75// this will automatically invalidate SHA-1 based digital signature forgeries
  76// enabled by default
  77*/
  78void SHA1DCSetSafeHash(SHA1_CTX*, int);
  79
  80/* function to disable or enable the use of Unavoidable Bitconditions (provides a significant speed up) */
  81/* enabled by default */
  82void SHA1DCSetUseUBC(SHA1_CTX*, int);
  83
  84/* function to disable or enable the use of Collision Detection */
  85/* enabled by default */
  86void SHA1DCSetUseDetectColl(SHA1_CTX*, int);
  87
  88/* function to disable or enable the detection of reduced-round SHA-1 collisions */
  89/* disabled by default */
  90void SHA1DCSetDetectReducedRoundCollision(SHA1_CTX*, int);
  91
  92/* function to set a callback function, pass NULL to disable */
  93/* by default no callback set */
  94void SHA1DCSetCallback(SHA1_CTX*, collision_block_callback);
  95
  96/* update SHA-1 context with buffer contents */
  97void SHA1DCUpdate(SHA1_CTX*, const char*, size_t);
  98
  99/* obtain SHA-1 hash from SHA-1 context */
 100/* returns: 0 = no collision detected, otherwise = collision found => warn user for active attack */
 101int  SHA1DCFinal(unsigned char[20], SHA1_CTX*);
 102
 103#if defined(__cplusplus)
 104}
 105#endif
 106
 107#endif /* SHA1DC_SHA1_H */