Commit | Line | Data |
---|---|---|
28dc98e3 JK |
1 | /*** |
2 | * Copyright 2017 Marc Stevens <marc@marc-stevens.nl>, Dan Shumow <danshu@microsoft.com> | |
3 | * Distributed under the MIT Software License. | |
4 | * See accompanying file LICENSE.txt or copy at | |
5 | * https://opensource.org/licenses/MIT | |
6 | ***/ | |
a0103914 | 7 | |
45a574ee JK |
8 | #ifndef SHA1DC_SHA1_H |
9 | #define SHA1DC_SHA1_H | |
28dc98e3 JK |
10 | |
11 | #if defined(__cplusplus) | |
12 | extern "C" { | |
13 | #endif | |
14 | ||
a0103914 ÆAB |
15 | #ifndef SHA1DC_NO_STANDARD_INCLUDES |
16 | #include <stdint.h> | |
17 | #endif | |
28dc98e3 | 18 | |
a0103914 | 19 | /* SHA-1 compression function that takes an already expanded message and additionally stores intermediate states. */ |
28dc98e3 JK |
20 | /* Only stores state ii (the state between step ii-1 and step ii) when DOSTORESTATEii is defined in ubc_check.h. NOTE(review): the parameters are unnamed; the only const input is a 16-word array while the comment speaks of an already expanded message, so confirm against the definition which of the [16] and [80] arrays is input and which is output. The last parameter has the same shape as SHA1_CTX.states. */ |
21 | void sha1_compression_states(uint32_t[5], const uint32_t[16], uint32_t[80], uint32_t[80][5]); | |
22 | ||
23 | /* | |
a0103914 ÆAB |
24 | // Function pointer type for sha1_recompression_step_T (uint32_t ihvin[5], uint32_t ihvout[5], const uint32_t me2[80], const uint32_t state[5]), |
25 | // where 0 <= T < 80. | |
26 | // me2 is an expanded message (the expansion of an original message block XOR'ed with a disturbance vector's message block difference). | |
27 | // state is the internal state (a,b,c,d,e) before step T of the SHA-1 compression function while processing the original message block. | |
28 | // The function returns void and writes its results through the first two (non-const) parameters: | |
29 | // ihvin: The reconstructed input chaining value. | |
30 | // ihvout: The reconstructed output chaining value. | |
28dc98e3 JK |
31 | */ |
32 | typedef void(*sha1_recompression_type)(uint32_t*, uint32_t*, const uint32_t*, const uint32_t*); | |
33 | ||
a0103914 | 34 | /* Type of a callback function that can be registered (see SHA1DCSetCallback) to be called when a collision block has been found: */ |
28dc98e3 JK |
35 | /* void collision_block_callback(uint64_t byteoffset, const uint32_t ihvin1[5], const uint32_t ihvin2[5], const uint32_t m1[80], const uint32_t m2[80]). All four arrays are passed as pointers to const, so the callback can inspect them but not modify them. NOTE(review): this header does not say how long the pointers stay valid; copy anything that must outlive the call. */ |
36 | typedef void(*collision_block_callback)(uint64_t, const uint32_t*, const uint32_t*, const uint32_t*, const uint32_t*); | |
37 | ||
a0103914 | 38 | /* The SHA-1 context. The field notes below are inferred from the field names, the array sizes and the setter functions declared in this header; confirm them against the implementation. Configure the context through SHA1DCInit and the SHA1DCSet* functions rather than by writing fields directly. */ |
28dc98e3 JK |
39 | typedef struct {
40 | uint64_t total; /* presumably the running count of input bytes - TODO confirm */ | |
41 | uint32_t ihv[5]; /* five 32-bit words; presumably the current chaining value */ | |
42 | unsigned char buffer[64]; /* 64 bytes, the size of one SHA-1 message block; presumably holds a partial block */ | |
43 | int found_collision; /* presumably the flag behind the return value of SHA1DCFinal */ | |
44 | int safe_hash; /* presumably set by SHA1DCSetSafeHash */ | |
45 | int detect_coll; /* presumably set by SHA1DCSetUseDetectColl */ | |
46 | int ubc_check; /* presumably set by SHA1DCSetUseUBC */ | |
47 | int reduced_round_coll; /* presumably set by SHA1DCSetDetectReducedRoundCollision */ | |
48 | collision_block_callback callback; /* presumably set by SHA1DCSetCallback; NULL disables the callback */ | |
49 | ||
50 | uint32_t ihv1[5]; /* same shape as the callback's ihvin1 argument */ | |
51 | uint32_t ihv2[5]; /* same shape as the callback's ihvin2 argument */ | |
52 | uint32_t m1[80]; /* same shape as the callback's m1 argument */ | |
53 | uint32_t m2[80]; /* same shape as the callback's m2 argument */ | |
54 | uint32_t states[80][5]; /* same shape as the last parameter of sha1_compression_states */ | |
55 | } SHA1_CTX; | |
56 | ||
a0103914 | 57 | /* Initialize a SHA-1 context. The defaults documented in this header are: safe hashing, UBC and collision detection enabled, reduced-round collision detection disabled, and no callback set (presumably applied by this call - confirm in the implementation). */ |
28dc98e3 JK |
58 | void SHA1DCInit(SHA1_CTX*); |
59 | ||
60 | /* | |
a0103914 ÆAB |
61 | Function to enable or disable safe SHA-1 hashing (the int argument is presumably a boolean flag, non-zero = enable - TODO confirm): |
62 | Collision attacks are thwarted by hashing a detected near-collision block 3 times. | |
63 | Think of it as extending SHA-1 from 80 steps to 240 steps for such blocks: | |
6b851e53 ÆAB |
64 | The best collision attacks against SHA-1 have complexity about 2^60, |
65 | thus for 240 steps an immediate lower bound for the best cryptanalytic attacks would be 2^180. | |
66 | An attacker would be better off using a generic birthday search of complexity 2^80. | |
a0103914 ÆAB |
67 | |
68 | Enabling safe SHA-1 hashing will result in the correct SHA-1 hash for messages where no collision attack was detected, | |
69 | but it will result in a different SHA-1 hash for messages where a collision attack was detected. | |
70 | This will automatically invalidate SHA-1 based digital signature forgeries. Callers should still check the return value of SHA1DCFinal to learn that a collision was detected. | |
71 | Enabled by default. | |
28dc98e3 JK |
72 | */ |
73 | void SHA1DCSetSafeHash(SHA1_CTX*, int); | |
74 | ||
a0103914 ÆAB |
75 | /* |
76 | Function to disable or enable the use of Unavoidable Bitconditions (UBC), which provides a significant speed-up. | |
77 | Enabled by default. NOTE(review): this header does not state whether the setting affects detection coverage; see ubc_check.h before changing it. | |
78 | */ | |
28dc98e3 JK |
79 | void SHA1DCSetUseUBC(SHA1_CTX*, int); |
80 | ||
a0103914 ÆAB |
81 | /* |
82 | Function to disable or enable the use of collision detection. With detection disabled, SHA1DCFinal presumably has no collision to report, so leave it enabled when hashing untrusted input. | |
83 | Enabled by default. | |
84 | */ | |
28dc98e3 JK |
85 | void SHA1DCSetUseDetectColl(SHA1_CTX*, int); |
86 | ||
87 | /* Function to disable or enable the detection of reduced-round SHA-1 collisions. */ | |
88 | /* Disabled by default. */ | |
89 | void SHA1DCSetDetectReducedRoundCollision(SHA1_CTX*, int); | |
90 | ||
91 | /* Function to set the callback that is called when a collision block has been found; pass NULL to disable it. */ | |
92 | /* By default no callback is set. */ | |
93 | void SHA1DCSetCallback(SHA1_CTX*, collision_block_callback); | |
94 | ||
95 | /* Update the SHA-1 context with the contents of a buffer (pointer and length in bytes, presumably - the parameters are unnamed). NOTE(review): size_t is used here but this header includes only <stdint.h>, and nothing at all when SHA1DC_NO_STANDARD_INCLUDES is defined, so the including file must make size_t and the fixed-width types available. */ | |
96 | void SHA1DCUpdate(SHA1_CTX*, const char*, size_t); | |
97 | ||
98 | /* Obtain the SHA-1 hash from the SHA-1 context; the 20-byte array receives the digest. */ | |
99 | /* Returns 0 if no collision was detected; any other value means a collision was found, and the caller should warn the user of an active attack. Always check this value: with safe hashing enabled the digest written for such a message differs from the standard SHA-1 hash (see the SHA1DCSetSafeHash comment). */ | |
100 | int SHA1DCFinal(unsigned char[20], SHA1_CTX*); | |
101 | ||
102 | #if defined(__cplusplus) | |
103 | } | |
104 | #endif | |
45a574ee | 105 | |
a0103914 ÆAB |
106 | #ifdef SHA1DC_CUSTOM_TRAILING_INCLUDE_SHA1_H |
107 | #include SHA1DC_CUSTOM_TRAILING_INCLUDE_SHA1_H | |
108 | #endif | |
109 | ||
110 | #endif |