@@ -1,110 +1,117 b'' | |||||
1 | /*** |
|
1 | /*** | |
2 | * Copyright 2017 Marc Stevens <marc@marc-stevens.nl>, Dan Shumow <danshu@microsoft.com> |
|
2 | * Copyright 2017 Marc Stevens <marc@marc-stevens.nl>, Dan Shumow <danshu@microsoft.com> | |
3 | * Distributed under the MIT Software License. |
|
3 | * Distributed under the MIT Software License. | |
4 | * See accompanying file LICENSE.txt or copy at |
|
4 | * See accompanying file LICENSE.txt or copy at | |
5 | * https://opensource.org/licenses/MIT |
|
5 | * https://opensource.org/licenses/MIT | |
6 | ***/ |
|
6 | ***/ | |
7 |
|
7 | |||
8 | #ifndef SHA1DC_SHA1_H |
|
8 | #ifndef SHA1DC_SHA1_H | |
9 | #define SHA1DC_SHA1_H |
|
9 | #define SHA1DC_SHA1_H | |
10 |
|
10 | |||
11 | #if defined(__cplusplus) |
|
11 | #if defined(__cplusplus) | |
12 | extern "C" { |
|
12 | extern "C" { | |
13 | #endif |
|
13 | #endif | |
14 |
|
14 | |||
15 | #ifndef SHA1DC_NO_STANDARD_INCLUDES |
|
15 | #ifndef SHA1DC_NO_STANDARD_INCLUDES | |
|
16 | /* PY27 this can be changed to a straight #include once Python 2.7 is | |||
|
17 | dropped, since this is for MSVC 2008 support. */ | |||
|
18 | #if !defined(_MSC_VER) || _MSC_VER >= 1600 | |||
16 | #include <stdint.h> |
|
19 | #include <stdint.h> | |
|
20 | #else | |||
|
21 | typedef unsigned __int32 uint32_t; | |||
|
22 | typedef unsigned __int64 uint64_t; | |||
|
23 | #endif | |||
17 | #endif |
|
24 | #endif | |
18 |
|
25 | |||
19 | /* sha-1 compression function that takes an already expanded message, and additionally store intermediate states */ |
|
26 | /* sha-1 compression function that takes an already expanded message, and additionally store intermediate states */ | |
20 | /* only stores states ii (the state between step ii-1 and step ii) when DOSTORESTATEii is defined in ubc_check.h */ |
|
27 | /* only stores states ii (the state between step ii-1 and step ii) when DOSTORESTATEii is defined in ubc_check.h */ | |
21 | void sha1_compression_states(uint32_t[5], const uint32_t[16], uint32_t[80], uint32_t[80][5]); |
|
28 | void sha1_compression_states(uint32_t[5], const uint32_t[16], uint32_t[80], uint32_t[80][5]); | |
22 |
|
29 | |||
23 | /* |
|
30 | /* | |
24 | // Function type for sha1_recompression_step_T (uint32_t ihvin[5], uint32_t ihvout[5], const uint32_t me2[80], const uint32_t state[5]). |
|
31 | // Function type for sha1_recompression_step_T (uint32_t ihvin[5], uint32_t ihvout[5], const uint32_t me2[80], const uint32_t state[5]). | |
25 | // Where 0 <= T < 80 |
|
32 | // Where 0 <= T < 80 | |
26 | // me2 is an expanded message (the expansion of an original message block XOR'ed with a disturbance vector's message block difference.) |
|
33 | // me2 is an expanded message (the expansion of an original message block XOR'ed with a disturbance vector's message block difference.) | |
27 | // state is the internal state (a,b,c,d,e) before step T of the SHA-1 compression function while processing the original message block. |
|
34 | // state is the internal state (a,b,c,d,e) before step T of the SHA-1 compression function while processing the original message block. | |
28 | // The function will return: |
|
35 | // The function will return: | |
29 | // ihvin: The reconstructed input chaining value. |
|
36 | // ihvin: The reconstructed input chaining value. | |
30 | // ihvout: The reconstructed output chaining value. |
|
37 | // ihvout: The reconstructed output chaining value. | |
31 | */ |
|
38 | */ | |
32 | typedef void(*sha1_recompression_type)(uint32_t*, uint32_t*, const uint32_t*, const uint32_t*); |
|
39 | typedef void(*sha1_recompression_type)(uint32_t*, uint32_t*, const uint32_t*, const uint32_t*); | |
33 |
|
40 | |||
34 | /* A callback function type that can be set to be called when a collision block has been found: */ |
|
41 | /* A callback function type that can be set to be called when a collision block has been found: */ | |
35 | /* void collision_block_callback(uint64_t byteoffset, const uint32_t ihvin1[5], const uint32_t ihvin2[5], const uint32_t m1[80], const uint32_t m2[80]) */ |
|
42 | /* void collision_block_callback(uint64_t byteoffset, const uint32_t ihvin1[5], const uint32_t ihvin2[5], const uint32_t m1[80], const uint32_t m2[80]) */ | |
36 | typedef void(*collision_block_callback)(uint64_t, const uint32_t*, const uint32_t*, const uint32_t*, const uint32_t*); |
|
43 | typedef void(*collision_block_callback)(uint64_t, const uint32_t*, const uint32_t*, const uint32_t*, const uint32_t*); | |
37 |
|
44 | |||
38 | /* The SHA-1 context. */ |
|
45 | /* The SHA-1 context. */ | |
39 | typedef struct { |
|
46 | typedef struct { | |
40 | uint64_t total; |
|
47 | uint64_t total; | |
41 | uint32_t ihv[5]; |
|
48 | uint32_t ihv[5]; | |
42 | unsigned char buffer[64]; |
|
49 | unsigned char buffer[64]; | |
43 | int found_collision; |
|
50 | int found_collision; | |
44 | int safe_hash; |
|
51 | int safe_hash; | |
45 | int detect_coll; |
|
52 | int detect_coll; | |
46 | int ubc_check; |
|
53 | int ubc_check; | |
47 | int reduced_round_coll; |
|
54 | int reduced_round_coll; | |
48 | collision_block_callback callback; |
|
55 | collision_block_callback callback; | |
49 |
|
56 | |||
50 | uint32_t ihv1[5]; |
|
57 | uint32_t ihv1[5]; | |
51 | uint32_t ihv2[5]; |
|
58 | uint32_t ihv2[5]; | |
52 | uint32_t m1[80]; |
|
59 | uint32_t m1[80]; | |
53 | uint32_t m2[80]; |
|
60 | uint32_t m2[80]; | |
54 | uint32_t states[80][5]; |
|
61 | uint32_t states[80][5]; | |
55 | } SHA1_CTX; |
|
62 | } SHA1_CTX; | |
56 |
|
63 | |||
57 | /* Initialize SHA-1 context. */ |
|
64 | /* Initialize SHA-1 context. */ | |
58 | void SHA1DCInit(SHA1_CTX*); |
|
65 | void SHA1DCInit(SHA1_CTX*); | |
59 |
|
66 | |||
60 | /* |
|
67 | /* | |
61 | Function to enable safe SHA-1 hashing: |
|
68 | Function to enable safe SHA-1 hashing: | |
62 | Collision attacks are thwarted by hashing a detected near-collision block 3 times. |
|
69 | Collision attacks are thwarted by hashing a detected near-collision block 3 times. | |
63 | Think of it as extending SHA-1 from 80-steps to 240-steps for such blocks: |
|
70 | Think of it as extending SHA-1 from 80-steps to 240-steps for such blocks: | |
64 | The best collision attacks against SHA-1 have complexity about 2^60, |
|
71 | The best collision attacks against SHA-1 have complexity about 2^60, | |
65 | thus for 240-steps an immediate lower-bound for the best cryptanalytic attacks would be 2^180. |
|
72 | thus for 240-steps an immediate lower-bound for the best cryptanalytic attacks would be 2^180. | |
66 | An attacker would be better off using a generic birthday search of complexity 2^80. |
|
73 | An attacker would be better off using a generic birthday search of complexity 2^80. | |
67 |
|
74 | |||
68 | Enabling safe SHA-1 hashing will result in the correct SHA-1 hash for messages where no collision attack was detected, |
|
75 | Enabling safe SHA-1 hashing will result in the correct SHA-1 hash for messages where no collision attack was detected, | |
69 | but it will result in a different SHA-1 hash for messages where a collision attack was detected. |
|
76 | but it will result in a different SHA-1 hash for messages where a collision attack was detected. | |
70 | This will automatically invalidate SHA-1 based digital signature forgeries. |
|
77 | This will automatically invalidate SHA-1 based digital signature forgeries. | |
71 | Enabled by default. |
|
78 | Enabled by default. | |
72 | */ |
|
79 | */ | |
73 | void SHA1DCSetSafeHash(SHA1_CTX*, int); |
|
80 | void SHA1DCSetSafeHash(SHA1_CTX*, int); | |
74 |
|
81 | |||
75 | /* |
|
82 | /* | |
76 | Function to disable or enable the use of Unavoidable Bitconditions (provides a significant speed up). |
|
83 | Function to disable or enable the use of Unavoidable Bitconditions (provides a significant speed up). | |
77 | Enabled by default |
|
84 | Enabled by default | |
78 | */ |
|
85 | */ | |
79 | void SHA1DCSetUseUBC(SHA1_CTX*, int); |
|
86 | void SHA1DCSetUseUBC(SHA1_CTX*, int); | |
80 |
|
87 | |||
81 | /* |
|
88 | /* | |
82 | Function to disable or enable the use of Collision Detection. |
|
89 | Function to disable or enable the use of Collision Detection. | |
83 | Enabled by default. |
|
90 | Enabled by default. | |
84 | */ |
|
91 | */ | |
85 | void SHA1DCSetUseDetectColl(SHA1_CTX*, int); |
|
92 | void SHA1DCSetUseDetectColl(SHA1_CTX*, int); | |
86 |
|
93 | |||
87 | /* function to disable or enable the detection of reduced-round SHA-1 collisions */ |
|
94 | /* function to disable or enable the detection of reduced-round SHA-1 collisions */ | |
88 | /* disabled by default */ |
|
95 | /* disabled by default */ | |
89 | void SHA1DCSetDetectReducedRoundCollision(SHA1_CTX*, int); |
|
96 | void SHA1DCSetDetectReducedRoundCollision(SHA1_CTX*, int); | |
90 |
|
97 | |||
91 | /* function to set a callback function, pass NULL to disable */ |
|
98 | /* function to set a callback function, pass NULL to disable */ | |
92 | /* by default no callback set */ |
|
99 | /* by default no callback set */ | |
93 | void SHA1DCSetCallback(SHA1_CTX*, collision_block_callback); |
|
100 | void SHA1DCSetCallback(SHA1_CTX*, collision_block_callback); | |
94 |
|
101 | |||
95 | /* update SHA-1 context with buffer contents */ |
|
102 | /* update SHA-1 context with buffer contents */ | |
96 | void SHA1DCUpdate(SHA1_CTX*, const char*, size_t); |
|
103 | void SHA1DCUpdate(SHA1_CTX*, const char*, size_t); | |
97 |
|
104 | |||
98 | /* obtain SHA-1 hash from SHA-1 context */ |
|
105 | /* obtain SHA-1 hash from SHA-1 context */ | |
99 | /* returns: 0 = no collision detected, otherwise = collision found => warn user for active attack */ |
|
106 | /* returns: 0 = no collision detected, otherwise = collision found => warn user for active attack */ | |
100 | int SHA1DCFinal(unsigned char[20], SHA1_CTX*); |
|
107 | int SHA1DCFinal(unsigned char[20], SHA1_CTX*); | |
101 |
|
108 | |||
102 | #if defined(__cplusplus) |
|
109 | #if defined(__cplusplus) | |
103 | } |
|
110 | } | |
104 | #endif |
|
111 | #endif | |
105 |
|
112 | |||
106 | #ifdef SHA1DC_CUSTOM_TRAILING_INCLUDE_SHA1_H |
|
113 | #ifdef SHA1DC_CUSTOM_TRAILING_INCLUDE_SHA1_H | |
107 | #include SHA1DC_CUSTOM_TRAILING_INCLUDE_SHA1_H |
|
114 | #include SHA1DC_CUSTOM_TRAILING_INCLUDE_SHA1_H | |
108 | #endif |
|
115 | #endif | |
109 |
|
116 | |||
110 | #endif |
|
117 | #endif |
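Review bot: The new `#else` branch (new lines 20-23) supplies `uint32_t` and `uint64_t` for MSVC older than 2010 but includes no header at all, while `SHA1DCUpdate` at new line 103 takes a `size_t`. On that path the header presumably compiles only if an earlier include in the translation unit has already declared `size_t`. Adding `#include <stddef.h>` inside the `SHA1DC_NO_STANDARD_INCLUDES` guard, ahead of the `#if !defined(_MSC_VER) || _MSC_VER >= 1600` test, would make the header self-contained on both paths. The hashing and collision-detection state (`ihv`, `m1`, `m2`, `states`) relies on these types being exactly 32 and 64 bits wide, so a comment on the typedefs such as `/* MSVC 2008 lacks <stdint.h>; __int32/__int64 are exact-width */` would record why this fallback is safe.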