Git Source Code Mirror - This is a publish-only repository and all pull requests are ignored. Please follow Documentation/SubmittingPatches procedure for any of your improvements.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

110 lines
4.0 KiB

* Copyright 2017 Marc Stevens <>, Dan Shumow <>
* Distributed under the MIT Software License.
* See accompanying file LICENSE.txt or copy at
#ifndef SHA1DC_SHA1_H
#define SHA1DC_SHA1_H
#if defined(__cplusplus)
extern "C" {
#include <stdint.h>
/* sha-1 compression function that takes an already expanded message, and additionally store intermediate states */
/* only stores states ii (the state between step ii-1 and step ii) when DOSTORESTATEii is defined in ubc_check.h */
void sha1_compression_states(uint32_t[5], const uint32_t[16], uint32_t[80], uint32_t[80][5]);
// Function type for sha1_recompression_step_T (uint32_t ihvin[5], uint32_t ihvout[5], const uint32_t me2[80], const uint32_t state[5]).
// Where 0 <= T < 80
// me2 is an expanded message (the expansion of an original message block XOR'ed with a disturbance vector's message block difference.)
// state is the internal state (a,b,c,d,e) before step T of the SHA-1 compression function while processing the original message block.
// The function will return:
// ihvin: The reconstructed input chaining value.
// ihvout: The reconstructed output chaining value.
typedef void(*sha1_recompression_type)(uint32_t*, uint32_t*, const uint32_t*, const uint32_t*);
/* A callback function type that can be set to be called when a collision block has been found: */
/* void collision_block_callback(uint64_t byteoffset, const uint32_t ihvin1[5], const uint32_t ihvin2[5], const uint32_t m1[80], const uint32_t m2[80]) */
typedef void(*collision_block_callback)(uint64_t, const uint32_t*, const uint32_t*, const uint32_t*, const uint32_t*);
/* The SHA-1 context. */
typedef struct {
uint64_t total;
uint32_t ihv[5];
unsigned char buffer[64];
int found_collision;
int safe_hash;
int detect_coll;
int ubc_check;
int reduced_round_coll;
collision_block_callback callback;
uint32_t ihv1[5];
uint32_t ihv2[5];
uint32_t m1[80];
uint32_t m2[80];
uint32_t states[80][5];
/* Initialize SHA-1 context. */
void SHA1DCInit(SHA1_CTX*);
Function to enable safe SHA-1 hashing:
Collision attacks are thwarted by hashing a detected near-collision block 3 times.
Think of it as extending SHA-1 from 80-steps to 240-steps for such blocks:
The best collision attacks against SHA-1 have complexity about 2^60,
thus for 240-steps an immediate lower-bound for the best cryptanalytic attacks would be 2^180.
An attacker would be better off using a generic birthday search of complexity 2^80.
Enabling safe SHA-1 hashing will result in the correct SHA-1 hash for messages where no collision attack was detected,
but it will result in a different SHA-1 hash for messages where a collision attack was detected.
This will automatically invalidate SHA-1 based digital signature forgeries.
Enabled by default.
void SHA1DCSetSafeHash(SHA1_CTX*, int);
Function to disable or enable the use of Unavoidable Bitconditions (provides a significant speed up).
Enabled by default
void SHA1DCSetUseUBC(SHA1_CTX*, int);
Function to disable or enable the use of Collision Detection.
Enabled by default.
void SHA1DCSetUseDetectColl(SHA1_CTX*, int);
/* function to disable or enable the detection of reduced-round SHA-1 collisions */
/* disabled by default */
void SHA1DCSetDetectReducedRoundCollision(SHA1_CTX*, int);
/* function to set a callback function, pass NULL to disable */
/* by default no callback set */
void SHA1DCSetCallback(SHA1_CTX*, collision_block_callback);
/* update SHA-1 context with buffer contents */
void SHA1DCUpdate(SHA1_CTX*, const char*, size_t);
/* obtain SHA-1 hash from SHA-1 context */
/* returns: 0 = no collision detected, otherwise = collision found => warn user for active attack */
int SHA1DCFinal(unsigned char[20], SHA1_CTX*);
#if defined(__cplusplus)