src/hash/sha1dc/sha1.h - third_party/libgit2 - Git at Google

 /***
 * Copyright 2017 Marc Stevens <marc@marc-stevens.nl>, Dan Shumow <danshu@microsoft.com>
 * Distributed under the MIT Software License.
 * See accompanying file LICENSE.txt or copy at
 * https://opensource.org/licenses/MIT
 ***/

 #include <stdint.h>

 // uses SHA-1 message expansion to expand the first 16 words of W[] to 80 words
 void sha1_message_expansion(uint32_t W[80]);

 // sha-1 compression function; first version takes a message block pre-parsed as 16 32-bit integers, second version takes an already expanded message)
 void sha1_compression(uint32_t ihv[5], const uint32_t m[16]);
 void sha1_compression_W(uint32_t ihv[5], const uint32_t W[80]);

 // same as sha1_compression_W, but additionally store intermediate states
 // only stores states ii (the state between step ii-1 and step ii) when DOSTORESTATEii is defined in ubc_check.h
 void sha1_compression_states(uint32_t ihv[5], const uint32_t W[80], uint32_t states[80][5]);

 // function type for sha1_recompression_step_T (uint32_t ihvin[5], uint32_t ihvout[5], const uint32_t me2[80], const uint32_t state[5])
 // where 0 <= T < 80
 //       me2 is an expanded message (the expansion of an original message block XOR'ed with a disturbance vector's message block difference)
 //       state is the internal state (a,b,c,d,e) before step T of the SHA-1 compression function while processing the original message block
 // the function will return:
 //       ihvin: the reconstructed input chaining value
 //       ihvout: the reconstructed output chaining value
 typedef void(*sha1_recompression_type)(uint32_t*, uint32_t*, const uint32_t*, const uint32_t*);

 // table of sha1_recompression_step_0, ... , sha1_recompression_step_79
 extern sha1_recompression_type sha1_recompression_step[80];

 // a callback function type that can be set to be called when a collision block has been found:
 // void collision_block_callback(uint64_t byteoffset, const uint32_t ihvin1[5], const uint32_t ihvin2[5], const uint32_t m1[80], const uint32_t m2[80])
 typedef void(*collision_block_callback)(uint64_t, const uint32_t*, const uint32_t*, const uint32_t*, const uint32_t*);

 // the SHA-1 context
 typedef struct {
 	uint64_t total;
 	uint32_t ihv[5];
 	unsigned char buffer[64];
 	int bigendian;
 	int found_collision;
 	int safe_hash;
 	int detect_coll;
 	int ubc_check;
 	int reduced_round_coll;
 	collision_block_callback callback;

 	uint32_t ihv1[5];
 	uint32_t ihv2[5];
 	uint32_t m1[80];
 	uint32_t m2[80];
 	uint32_t states[80][5];
 } SHA1_CTX;

 // initialize SHA-1 context
 void SHA1DCInit(SHA1_CTX*);

 // function to enable safe SHA-1 hashing:
 // collision attacks are thwarted by hashing a detected near-collision block 3 times
 // think of it as extending SHA-1 from 80-steps to 240-steps for such blocks:
 //   the best collision attacks against SHA-1 have complexity about 2^60,
 //   thus for 240-steps an immediate lower-bound for the best cryptanalytic attacks would 2^180
 //   an attacker would be better off using a generic birthday search of complexity 2^80
 //
 // enabling safe SHA-1 hashing will result in the correct SHA-1 hash for messages where no collision attack was detected
 // but it will result in a different SHA-1 hash for messages where a collision attack was detected
 // this will automatically invalidate SHA-1 based digital signature forgeries
 // enabled by default
 void SHA1DCSetSafeHash(SHA1_CTX*, int);

 // function to disable or enable the use of Unavoidable Bitconditions (provides a significant speed up)
 // enabled by default
 void SHA1DCSetUseUBC(SHA1_CTX*, int);

 // function to disable or enable the use of Collision Detection
 // enabled by default
 void SHA1DCSetUseDetectColl(SHA1_CTX* ctx, int detect_coll);

 // function to disable or enable the detection of reduced-round SHA-1 collisions
 // disabled by default
 void SHA1DCSetDetectReducedRoundCollision(SHA1_CTX*, int);

 // function to set a callback function, pass NULL to disable
 // by default no callback set
 void SHA1DCSetCallback(SHA1_CTX*, collision_block_callback);

 // update SHA-1 context with buffer contents
 void SHA1DCUpdate(SHA1_CTX*, const char*, unsigned);

 // obtain SHA-1 hash from SHA-1 context
 // returns: 0 = no collision detected, otherwise = collision found => warn user for active attack
 int  SHA1DCFinal(unsigned char[20], SHA1_CTX*);
	/***
	* Copyright 2017 Marc Stevens <marc@marc-stevens.nl>, Dan Shumow <danshu@microsoft.com>
	* Distributed under the MIT Software License.
	* See accompanying file LICENSE.txt or copy at
	* https://opensource.org/licenses/MIT
	***/

	#include <stdint.h>

	// uses SHA-1 message expansion to expand the first 16 words of W[] to 80 words
	void sha1_message_expansion(uint32_t W[80]);

	// sha-1 compression function; first version takes a message block pre-parsed as 16 32-bit integers, second version takes an already expanded message)
	void sha1_compression(uint32_t ihv[5], const uint32_t m[16]);
	void sha1_compression_W(uint32_t ihv[5], const uint32_t W[80]);

	// same as sha1_compression_W, but additionally store intermediate states
	// only stores states ii (the state between step ii-1 and step ii) when DOSTORESTATEii is defined in ubc_check.h
	void sha1_compression_states(uint32_t ihv[5], const uint32_t W[80], uint32_t states[80][5]);

	// function type for sha1_recompression_step_T (uint32_t ihvin[5], uint32_t ihvout[5], const uint32_t me2[80], const uint32_t state[5])
	// where 0 <= T < 80
	// me2 is an expanded message (the expansion of an original message block XOR'ed with a disturbance vector's message block difference)
	// state is the internal state (a,b,c,d,e) before step T of the SHA-1 compression function while processing the original message block
	// the function will return:
	// ihvin: the reconstructed input chaining value
	// ihvout: the reconstructed output chaining value
	typedef void(sha1_recompression_type)(uint32_t, uint32_t, const uint32_t, const uint32_t*);

	// table of sha1_recompression_step_0, ... , sha1_recompression_step_79
	extern sha1_recompression_type sha1_recompression_step[80];

	// a callback function type that can be set to be called when a collision block has been found:
	// void collision_block_callback(uint64_t byteoffset, const uint32_t ihvin1[5], const uint32_t ihvin2[5], const uint32_t m1[80], const uint32_t m2[80])
	typedef void(collision_block_callback)(uint64_t, const uint32_t, const uint32_t, const uint32_t, const uint32_t*);

	// the SHA-1 context
	typedef struct {
	uint64_t total;
	uint32_t ihv[5];
	unsigned char buffer[64];
	int bigendian;
	int found_collision;
	int safe_hash;
	int detect_coll;
	int ubc_check;
	int reduced_round_coll;
	collision_block_callback callback;

	uint32_t ihv1[5];
	uint32_t ihv2[5];
	uint32_t m1[80];
	uint32_t m2[80];
	uint32_t states[80][5];
	} SHA1_CTX;

	// initialize SHA-1 context
	void SHA1DCInit(SHA1_CTX*);

	// function to enable safe SHA-1 hashing:
	// collision attacks are thwarted by hashing a detected near-collision block 3 times
	// think of it as extending SHA-1 from 80-steps to 240-steps for such blocks:
	// the best collision attacks against SHA-1 have complexity about 2^60,
	// thus for 240-steps an immediate lower-bound for the best cryptanalytic attacks would 2^180
	// an attacker would be better off using a generic birthday search of complexity 2^80
	//
	// enabling safe SHA-1 hashing will result in the correct SHA-1 hash for messages where no collision attack was detected
	// but it will result in a different SHA-1 hash for messages where a collision attack was detected
	// this will automatically invalidate SHA-1 based digital signature forgeries
	// enabled by default
	void SHA1DCSetSafeHash(SHA1_CTX*, int);

	// function to disable or enable the use of Unavoidable Bitconditions (provides a significant speed up)
	// enabled by default
	void SHA1DCSetUseUBC(SHA1_CTX*, int);

	// function to disable or enable the use of Collision Detection
	// enabled by default
	void SHA1DCSetUseDetectColl(SHA1_CTX* ctx, int detect_coll);

	// function to disable or enable the detection of reduced-round SHA-1 collisions
	// disabled by default
	void SHA1DCSetDetectReducedRoundCollision(SHA1_CTX*, int);

	// function to set a callback function, pass NULL to disable
	// by default no callback set
	void SHA1DCSetCallback(SHA1_CTX*, collision_block_callback);

	// update SHA-1 context with buffer contents
	void SHA1DCUpdate(SHA1_CTX, const char, unsigned);

	// obtain SHA-1 hash from SHA-1 context
	// returns: 0 = no collision detected, otherwise = collision found => warn user for active attack
	int SHA1DCFinal(unsigned char[20], SHA1_CTX*);