[thirdparty/git.git] / sha1dc / sha1.h

/***
* Copyright 2017 Marc Stevens <marc@marc-stevens.nl>, Dan Shumow <danshu@microsoft.com>
* Distributed under the MIT Software License.
* See accompanying file LICENSE.txt or copy at
* https://opensource.org/licenses/MIT
***/

#ifndef SHA1DC_SHA1_H
#define SHA1DC_SHA1_H

#if defined(__cplusplus)
extern "C" {
#endif

#ifndef SHA1DC_NO_STANDARD_INCLUDES
#include <stdint.h>
#endif

/* sha-1 compression function that takes an already expanded message, and additionally store intermediate states */
/* only stores states ii (the state between step ii-1 and step ii) when DOSTORESTATEii is defined in ubc_check.h */
void sha1_compression_states(uint32_t[5], const uint32_t[16], uint32_t[80], uint32_t[80][5]);

/*
// Function type for sha1_recompression_step_T (uint32_t ihvin[5], uint32_t ihvout[5], const uint32_t me2[80], const uint32_t state[5]).
// Where 0 <= T < 80
//       me2 is an expanded message (the expansion of an original message block XOR'ed with a disturbance vector's message block difference.)
//       state is the internal state (a,b,c,d,e) before step T of the SHA-1 compression function while processing the original message block.
// The function will return:
//       ihvin: The reconstructed input chaining value.
//       ihvout: The reconstructed output chaining value.
*/
typedef void(*sha1_recompression_type)(uint32_t*, uint32_t*, const uint32_t*, const uint32_t*);

/* A callback function type that can be set to be called when a collision block has been found: */
/* void collision_block_callback(uint64_t byteoffset, const uint32_t ihvin1[5], const uint32_t ihvin2[5], const uint32_t m1[80], const uint32_t m2[80]) */
typedef void(*collision_block_callback)(uint64_t, const uint32_t*, const uint32_t*, const uint32_t*, const uint32_t*);

/* The SHA-1 context. */
typedef struct {
	uint64_t total;
	uint32_t ihv[5];
	unsigned char buffer[64];
	int found_collision;
	int safe_hash;
	int detect_coll;
	int ubc_check;
	int reduced_round_coll;
	collision_block_callback callback;

	uint32_t ihv1[5];
	uint32_t ihv2[5];
	uint32_t m1[80];
	uint32_t m2[80];
	uint32_t states[80][5];
} SHA1_CTX;

/* Initialize SHA-1 context. */
void SHA1DCInit(SHA1_CTX*);

/*
    Function to enable safe SHA-1 hashing:
    Collision attacks are thwarted by hashing a detected near-collision block 3 times.
    Think of it as extending SHA-1 from 80-steps to 240-steps for such blocks:
        The best collision attacks against SHA-1 have complexity about 2^60,
        thus for 240-steps an immediate lower-bound for the best cryptanalytic attacks would be 2^180.
        An attacker would be better off using a generic birthday search of complexity 2^80.

   Enabling safe SHA-1 hashing will result in the correct SHA-1 hash for messages where no collision attack was detected,
   but it will result in a different SHA-1 hash for messages where a collision attack was detected.
   This will automatically invalidate SHA-1 based digital signature forgeries.
   Enabled by default.
*/
void SHA1DCSetSafeHash(SHA1_CTX*, int);

/*
    Function to disable or enable the use of Unavoidable Bitconditions (provides a significant speed up).
    Enabled by default
 */
void SHA1DCSetUseUBC(SHA1_CTX*, int);

/*
    Function to disable or enable the use of Collision Detection.
    Enabled by default.
 */
void SHA1DCSetUseDetectColl(SHA1_CTX*, int);

/* function to disable or enable the detection of reduced-round SHA-1 collisions */
/* disabled by default */
void SHA1DCSetDetectReducedRoundCollision(SHA1_CTX*, int);

/* function to set a callback function, pass NULL to disable */
/* by default no callback set */
void SHA1DCSetCallback(SHA1_CTX*, collision_block_callback);

/* update SHA-1 context with buffer contents */
void SHA1DCUpdate(SHA1_CTX*, const char*, size_t);

/* obtain SHA-1 hash from SHA-1 context */
/* returns: 0 = no collision detected, otherwise = collision found => warn user for active attack */
int  SHA1DCFinal(unsigned char[20], SHA1_CTX*);

#if defined(__cplusplus)
}
#endif

#ifdef SHA1DC_CUSTOM_TRAILING_INCLUDE_SHA1_H
#include SHA1DC_CUSTOM_TRAILING_INCLUDE_SHA1_H
#endif

#endif
Commit	Line	Data
28dc98e3 JK	1	/***
	2	* Copyright 2017 Marc Stevens <marc@marc-stevens.nl>, Dan Shumow <danshu@microsoft.com>
	3	* Distributed under the MIT Software License.
	4	* See accompanying file LICENSE.txt or copy at
	5	* https://opensource.org/licenses/MIT
	6	***/
a0103914	7
45a574ee JK	8	#ifndef SHA1DC_SHA1_H
45a574ee JK	9	#define SHA1DC_SHA1_H
28dc98e3 JK	10
	11	#if defined(__cplusplus)
	12	extern "C" {
	13	#endif
	14
a0103914 ÆAB	15	#ifndef SHA1DC_NO_STANDARD_INCLUDES
	16	#include <stdint.h>
	17	#endif
28dc98e3	18
a0103914	19	/* sha-1 compression function that takes an already expanded message, and additionally store intermediate states */
28dc98e3 JK	20	/* only stores states ii (the state between step ii-1 and step ii) when DOSTORESTATEii is defined in ubc_check.h */
	21	void sha1_compression_states(uint32_t[5], const uint32_t[16], uint32_t[80], uint32_t[80][5]);
	22
	23	/*
a0103914 ÆAB	24	// Function type for sha1_recompression_step_T (uint32_t ihvin[5], uint32_t ihvout[5], const uint32_t me2[80], const uint32_t state[5]).
	25	// Where 0 <= T < 80
	26	// me2 is an expanded message (the expansion of an original message block XOR'ed with a disturbance vector's message block difference.)
	27	// state is the internal state (a,b,c,d,e) before step T of the SHA-1 compression function while processing the original message block.
	28	// The function will return:
	29	// ihvin: The reconstructed input chaining value.
	30	// ihvout: The reconstructed output chaining value.
28dc98e3 JK	31	*/
	32	typedef void(sha1_recompression_type)(uint32_t, uint32_t, const uint32_t, const uint32_t*);
	33
a0103914	34	/* A callback function type that can be set to be called when a collision block has been found: */
28dc98e3 JK	35	/* void collision_block_callback(uint64_t byteoffset, const uint32_t ihvin1[5], const uint32_t ihvin2[5], const uint32_t m1[80], const uint32_t m2[80]) */
	36	typedef void(collision_block_callback)(uint64_t, const uint32_t, const uint32_t, const uint32_t, const uint32_t*);
	37
a0103914	38	/* The SHA-1 context. */
28dc98e3 JK	39	typedef struct {
	40	uint64_t total;
	41	uint32_t ihv[5];
	42	unsigned char buffer[64];
	43	int found_collision;
	44	int safe_hash;
	45	int detect_coll;
	46	int ubc_check;
	47	int reduced_round_coll;
	48	collision_block_callback callback;
	49
	50	uint32_t ihv1[5];
	51	uint32_t ihv2[5];
	52	uint32_t m1[80];
	53	uint32_t m2[80];
	54	uint32_t states[80][5];
	55	} SHA1_CTX;
	56
a0103914	57	/* Initialize SHA-1 context. */
28dc98e3 JK	58	void SHA1DCInit(SHA1_CTX*);
	59
	60	/*
a0103914 ÆAB	61	Function to enable safe SHA-1 hashing:
	62	Collision attacks are thwarted by hashing a detected near-collision block 3 times.
	63	Think of it as extending SHA-1 from 80-steps to 240-steps for such blocks:
6b851e53 ÆAB	64	The best collision attacks against SHA-1 have complexity about 2^60,
	65	thus for 240-steps an immediate lower-bound for the best cryptanalytic attacks would be 2^180.
	66	An attacker would be better off using a generic birthday search of complexity 2^80.
a0103914 ÆAB	67
	68	Enabling safe SHA-1 hashing will result in the correct SHA-1 hash for messages where no collision attack was detected,
	69	but it will result in a different SHA-1 hash for messages where a collision attack was detected.
	70	This will automatically invalidate SHA-1 based digital signature forgeries.
	71	Enabled by default.
28dc98e3 JK	72	*/
	73	void SHA1DCSetSafeHash(SHA1_CTX*, int);
	74
a0103914 ÆAB	75	/*
	76	Function to disable or enable the use of Unavoidable Bitconditions (provides a significant speed up).
	77	Enabled by default
	78	*/
28dc98e3 JK	79	void SHA1DCSetUseUBC(SHA1_CTX*, int);
28dc98e3 JK	80
a0103914 ÆAB	81	/*
	82	Function to disable or enable the use of Collision Detection.
	83	Enabled by default.
	84	*/
28dc98e3 JK	85	void SHA1DCSetUseDetectColl(SHA1_CTX*, int);
	86
	87	/* function to disable or enable the detection of reduced-round SHA-1 collisions */
	88	/* disabled by default */
	89	void SHA1DCSetDetectReducedRoundCollision(SHA1_CTX*, int);
	90
	91	/* function to set a callback function, pass NULL to disable */
	92	/* by default no callback set */
	93	void SHA1DCSetCallback(SHA1_CTX*, collision_block_callback);
	94
	95	/* update SHA-1 context with buffer contents */
	96	void SHA1DCUpdate(SHA1_CTX, const char, size_t);
	97
	98	/* obtain SHA-1 hash from SHA-1 context */
	99	/* returns: 0 = no collision detected, otherwise = collision found => warn user for active attack */
	100	int SHA1DCFinal(unsigned char[20], SHA1_CTX*);
	101
	102	#if defined(__cplusplus)
	103	}
	104	#endif
45a574ee	105
a0103914 ÆAB	106	#ifdef SHA1DC_CUSTOM_TRAILING_INCLUDE_SHA1_H
	107	#include SHA1DC_CUSTOM_TRAILING_INCLUDE_SHA1_H
	108	#endif
	109
	110	#endif