Hash :
2dfd1294
Author :
Date :
2017-02-24T13:34:01
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94
/***
* Copyright 2017 Marc Stevens <marc@marc-stevens.nl>, Dan Shumow <danshu@microsoft.com>
* Distributed under the MIT Software License.
* See accompanying file LICENSE.txt or copy at
* https://opensource.org/licenses/MIT
***/
#include <stdint.h>
// uses SHA-1 message expansion to expand the first 16 words of W[] to 80 words
void sha1_message_expansion(uint32_t W[80]);
// sha-1 compression function; first version takes a message block pre-parsed as 16 32-bit integers, second version takes an already expanded message)
void sha1_compression(uint32_t ihv[5], const uint32_t m[16]);
void sha1_compression_W(uint32_t ihv[5], const uint32_t W[80]);
// same as sha1_compression_W, but additionally store intermediate states
// only stores states ii (the state between step ii-1 and step ii) when DOSTORESTATEii is defined in ubc_check.h
void sha1_compression_states(uint32_t ihv[5], const uint32_t W[80], uint32_t states[80][5]);
// function type for sha1_recompression_step_T (uint32_t ihvin[5], uint32_t ihvout[5], const uint32_t me2[80], const uint32_t state[5])
// where 0 <= T < 80
// me2 is an expanded message (the expansion of an original message block XOR'ed with a disturbance vector's message block difference)
// state is the internal state (a,b,c,d,e) before step T of the SHA-1 compression function while processing the original message block
// the function will return:
// ihvin: the reconstructed input chaining value
// ihvout: the reconstructed output chaining value
typedef void(*sha1_recompression_type)(uint32_t*, uint32_t*, const uint32_t*, const uint32_t*);
// table of sha1_recompression_step_0, ... , sha1_recompression_step_79
extern sha1_recompression_type sha1_recompression_step[80];
// a callback function type that can be set to be called when a collision block has been found:
// void collision_block_callback(uint64_t byteoffset, const uint32_t ihvin1[5], const uint32_t ihvin2[5], const uint32_t m1[80], const uint32_t m2[80])
typedef void(*collision_block_callback)(uint64_t, const uint32_t*, const uint32_t*, const uint32_t*, const uint32_t*);
// the SHA-1 context
typedef struct {
uint64_t total;
uint32_t ihv[5];
unsigned char buffer[64];
int bigendian;
int found_collision;
int safe_hash;
int detect_coll;
int ubc_check;
int reduced_round_coll;
collision_block_callback callback;
uint32_t ihv1[5];
uint32_t ihv2[5];
uint32_t m1[80];
uint32_t m2[80];
uint32_t states[80][5];
} SHA1_CTX;
// initialize SHA-1 context
void SHA1DCInit(SHA1_CTX*);
// function to enable safe SHA-1 hashing:
// collision attacks are thwarted by hashing a detected near-collision block 3 times
// think of it as extending SHA-1 from 80-steps to 240-steps for such blocks:
// the best collision attacks against SHA-1 have complexity about 2^60,
// thus for 240-steps an immediate lower-bound for the best cryptanalytic attacks would 2^180
// an attacker would be better off using a generic birthday search of complexity 2^80
//
// enabling safe SHA-1 hashing will result in the correct SHA-1 hash for messages where no collision attack was detected
// but it will result in a different SHA-1 hash for messages where a collision attack was detected
// this will automatically invalidate SHA-1 based digital signature forgeries
// enabled by default
void SHA1DCSetSafeHash(SHA1_CTX*, int);
// function to disable or enable the use of Unavoidable Bitconditions (provides a significant speed up)
// enabled by default
void SHA1DCSetUseUBC(SHA1_CTX*, int);
// function to disable or enable the use of Collision Detection
// enabled by default
void SHA1DCSetUseDetectColl(SHA1_CTX* ctx, int detect_coll);
// function to disable or enable the detection of reduced-round SHA-1 collisions
// disabled by default
void SHA1DCSetDetectReducedRoundCollision(SHA1_CTX*, int);
// function to set a callback function, pass NULL to disable
// by default no callback set
void SHA1DCSetCallback(SHA1_CTX*, collision_block_callback);
// update SHA-1 context with buffer contents
void SHA1DCUpdate(SHA1_CTX*, const char*, unsigned);
// obtain SHA-1 hash from SHA-1 context
// returns: 0 = no collision detected, otherwise = collision found => warn user for active attack
int SHA1DCFinal(unsigned char[20], SHA1_CTX*);