@@ -14,36 +14,26 @@ extern "C" {
1414
1515#include <stdint.h>
1616
17- /* uses SHA-1 message expansion to expand the first 16 words of W[] to 80 words */
18- /* void sha1_message_expansion(uint32_t W[80]); */
19-
20- /* sha-1 compression function; first version takes a message block pre-parsed as 16 32-bit integers, second version takes an already expanded message) */
21- /* void sha1_compression(uint32_t ihv[5], const uint32_t m[16]);
22- void sha1_compression_W(uint32_t ihv[5], const uint32_t W[80]); */
23-
24- /* same as sha1_compression_W, but additionally store intermediate states */
17+ /* sha-1 compression function that takes an already expanded message, and additionally store intermediate states */
2518/* only stores states ii (the state between step ii-1 and step ii) when DOSTORESTATEii is defined in ubc_check.h */
2619void sha1_compression_states (uint32_t [5 ], const uint32_t [16 ], uint32_t [80 ], uint32_t [80 ][5 ]);
2720
2821/*
29- // function type for sha1_recompression_step_T (uint32_t ihvin[5], uint32_t ihvout[5], const uint32_t me2[80], const uint32_t state[5])
30- // where 0 <= T < 80
31- // me2 is an expanded message (the expansion of an original message block XOR'ed with a disturbance vector's message block difference)
32- // state is the internal state (a,b,c,d,e) before step T of the SHA-1 compression function while processing the original message block
33- // the function will return:
34- // ihvin: the reconstructed input chaining value
35- // ihvout: the reconstructed output chaining value
22+ // Function type for sha1_recompression_step_T (uint32_t ihvin[5], uint32_t ihvout[5], const uint32_t me2[80], const uint32_t state[5]).
23+ // Where 0 <= T < 80
24+ // me2 is an expanded message (the expansion of an original message block XOR'ed with a disturbance vector's message block difference. )
25+ // state is the internal state (a,b,c,d,e) before step T of the SHA-1 compression function while processing the original message block.
26+ // The function will return:
27+ // ihvin: The reconstructed input chaining value.
28+ // ihvout: The reconstructed output chaining value.
3629*/
3730typedef void (* sha1_recompression_type )(uint32_t * , uint32_t * , const uint32_t * , const uint32_t * );
3831
39- /* table of sha1_recompression_step_0, ... , sha1_recompression_step_79 */
40- /* extern sha1_recompression_type sha1_recompression_step[80];*/
41-
42- /* a callback function type that can be set to be called when a collision block has been found: */
32+ /* A callback function type that can be set to be called when a collision block has been found: */
4333/* void collision_block_callback(uint64_t byteoffset, const uint32_t ihvin1[5], const uint32_t ihvin2[5], const uint32_t m1[80], const uint32_t m2[80]) */
4434typedef void (* collision_block_callback )(uint64_t , const uint32_t * , const uint32_t * , const uint32_t * , const uint32_t * );
4535
46- /* the SHA-1 context */
36+ /* The SHA-1 context. */
4737typedef struct {
4838 uint64_t total ;
4939 uint32_t ihv [5 ];
@@ -62,30 +52,34 @@ typedef struct {
6252 uint32_t states [80 ][5 ];
6353} SHA1_CTX ;
6454
65- /* initialize SHA-1 context */
55+ /* Initialize SHA-1 context. */
6656void SHA1DCInit (SHA1_CTX * );
6757
6858/*
69- // function to enable safe SHA-1 hashing:
70- // collision attacks are thwarted by hashing a detected near-collision block 3 times
71- // think of it as extending SHA-1 from 80-steps to 240-steps for such blocks:
72- // the best collision attacks against SHA-1 have complexity about 2^60,
73- // thus for 240-steps an immediate lower-bound for the best cryptanalytic attacks would 2^180
74- // an attacker would be better off using a generic birthday search of complexity 2^80
75- //
76- // enabling safe SHA-1 hashing will result in the correct SHA-1 hash for messages where no collision attack was detected
77- // but it will result in a different SHA-1 hash for messages where a collision attack was detected
78- // this will automatically invalidate SHA-1 based digital signature forgeries
79- // enabled by default
59+ Function to enable safe SHA-1 hashing:
60+ Collision attacks are thwarted by hashing a detected near-collision block 3 times.
61+ Think of it as extending SHA-1 from 80-steps to 240-steps for such blocks:
62+ The best collision attacks against SHA-1 have complexity about 2^60,
63+ thus for 240-steps an immediate lower-bound for the best cryptanalytic attacks would be 2^180.
64+ An attacker would be better off using a generic birthday search of complexity 2^80.
65+
66+ Enabling safe SHA-1 hashing will result in the correct SHA-1 hash for messages where no collision attack was detected,
67+ but it will result in a different SHA-1 hash for messages where a collision attack was detected.
68+ This will automatically invalidate SHA-1 based digital signature forgeries.
69+ Enabled by default.
8070*/
8171void SHA1DCSetSafeHash (SHA1_CTX * , int );
8272
83- /* function to disable or enable the use of Unavoidable Bitconditions (provides a significant speed up) */
84- /* enabled by default */
73+ /*
74+ Function to disable or enable the use of Unavoidable Bitconditions (provides a significant speed up).
75+ Enabled by default
76+ */
8577void SHA1DCSetUseUBC (SHA1_CTX * , int );
8678
87- /* function to disable or enable the use of Collision Detection */
88- /* enabled by default */
79+ /*
80+ Function to disable or enable the use of Collision Detection.
81+ Enabled by default.
82+ */
8983void SHA1DCSetUseDetectColl (SHA1_CTX * , int );
9084
9185/* function to disable or enable the detection of reduced-round SHA-1 collisions */
0 commit comments