kernel
/
git
mirror of https://git.kernel.org/pub/scm/git/git.git
1
0
Fork 0
Code Releases Activity
Browse Source

Merge branch 'ab/sha1dc-maint' into maint 

The "collision detecting" SHA-1 implementation shipped with 2.13
was quite broken on some big-endian platforms and/or platforms that
do not like unaligned fetches.  Update to the upstream code which
has already fixed these issues.

* ab/sha1dc-maint:
  sha1dc: update from upstream
maint
Junio C Hamano 8 years ago
parent
e6f80aee29 a0103914c2
commit
d0506fc419
7 changed files with 172 additions and 88 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 9
      Makefile
  2. 91
      sha1dc/sha1.c
  3. 90
      sha1dc/sha1.h
  4. 13
      sha1dc/ubc_check.c
  5. 14
      sha1dc/ubc_check.h
  6. 24
      sha1dc_git.c
  7. 19
      sha1dc_git.h

9
Makefile
Unescape View File

@ -1414,7 +1414,14 @@ else @@ -1414,7 +1414,14 @@ else
DC_SHA1 := YesPlease
LIB_OBJS += sha1dc/sha1.o
LIB_OBJS += sha1dc/ubc_check.o
BASIC_CFLAGS += -DSHA1_DC
BASIC_CFLAGS += \
-DSHA1_DC \
-DSHA1DC_NO_STANDARD_INCLUDES \
-DSHA1DC_INIT_SAFE_HASH_DEFAULT=0 \
-DSHA1DC_CUSTOM_INCLUDE_SHA1_C="\"cache.h\"" \
-DSHA1DC_CUSTOM_TRAILING_INCLUDE_SHA1_C="\"sha1dc_git.c\"" \
-DSHA1DC_CUSTOM_TRAILING_INCLUDE_SHA1_H="\"sha1dc_git.h\"" \
-DSHA1DC_CUSTOM_INCLUDE_UBC_CHECK_C="\"git-compat-util.h\""
endif
endif
endif

91
sha1dc/sha1.c
Unescape View File

@ -5,9 +5,23 @@ @@ -5,9 +5,23 @@
* https://opensource.org/licenses/MIT
***/

#include "cache.h"
#include "sha1dc/sha1.h"
#include "sha1dc/ubc_check.h"
#ifndef SHA1DC_NO_STANDARD_INCLUDES
#include <string.h>
#include <memory.h>
#include <stdio.h>
#include <stdlib.h>
#endif

#ifdef SHA1DC_CUSTOM_INCLUDE_SHA1_C
#include SHA1DC_CUSTOM_INCLUDE_SHA1_C
#endif

#ifndef SHA1DC_INIT_SAFE_HASH_DEFAULT
#define SHA1DC_INIT_SAFE_HASH_DEFAULT 1
#endif

#include "sha1.h"
#include "ubc_check.h"


/*
@ -18,16 +32,31 @@ @@ -18,16 +32,31 @@
If you are compiling on a big endian platform and your compiler does not define one of these,
you will have to add whatever macros your tool chain defines to indicate Big-Endianness.
*/
#if (defined(__BYTE_ORDER) && (__BYTE_ORDER == __BIG_ENDIAN)) || \
#ifdef SHA1DC_BIGENDIAN
#undef SHA1DC_BIGENDIAN
#endif
#if (!defined SHA1DC_FORCE_LITTLEENDIAN) && \
((defined(__BYTE_ORDER) && (__BYTE_ORDER == __BIG_ENDIAN)) || \
(defined(__BYTE_ORDER__) && (__BYTE_ORDER__ == __BIG_ENDIAN__)) || \
defined(__BIG_ENDIAN__) || defined(__ARMEB__) || defined(__THUMBEB__) || defined(__AARCH64EB__) || \
defined(_MIPSEB) || defined(__MIPSEB) || defined(__MIPSEB__)
defined(_BIG_ENDIAN) || defined(__BIG_ENDIAN__) || defined(__ARMEB__) || defined(__THUMBEB__) || defined(__AARCH64EB__) || \
defined(_MIPSEB) || defined(__MIPSEB) || defined(__MIPSEB__) || defined(SHA1DC_FORCE_BIGENDIAN))

#define SHA1DC_BIGENDIAN

#define SHA1DC_BIGENDIAN 1
#else
#undef SHA1DC_BIGENDIAN
#endif /*ENDIANNESS SELECTION*/

#if (defined SHA1DC_FORCE_UNALIGNED_ACCESS || \
defined(__amd64__) || defined(__amd64) || defined(__x86_64__) || defined(__x86_64) || \
defined(i386) || defined(__i386) || defined(__i386__) || defined(__i486__) || \
defined(__i586__) || defined(__i686__) || defined(_M_IX86) || defined(__X86__) || \
defined(_X86_) || defined(__THW_INTEL__) || defined(__I86__) || defined(__INTEL__) || \
defined(__386) || defined(_M_X64) || defined(_M_AMD64))

#define SHA1DC_ALLOW_UNALIGNED_ACCESS

#endif /*UNALIGNMENT DETECTION*/


#define rotate_right(x,n) (((x)>>(n))|((x)<<(32-(n))))
#define rotate_left(x,n) (((x)<<(n))|((x)>>(32-(n))))

@ -36,11 +65,11 @@ @@ -36,11 +65,11 @@

#define sha1_mix(W, t) (rotate_left(W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16], 1))

#if defined(SHA1DC_BIGENDIAN)
#ifdef SHA1DC_BIGENDIAN
#define sha1_load(m, t, temp) { temp = m[t]; }
#else
#define sha1_load(m, t, temp) { temp = m[t]; sha1_bswap32(temp); }
#endif /* !defined(SHA1DC_BIGENDIAN) */
#endif

#define sha1_store(W, t, x) *(volatile uint32_t *)&W[t] = x

@ -869,6 +898,11 @@ static void sha1recompress_fast_ ## t (uint32_t ihvin[5], uint32_t ihvout[5], co @@ -869,6 +898,11 @@ static void sha1recompress_fast_ ## t (uint32_t ihvin[5], uint32_t ihvout[5], co
ihvout[0] = ihvin[0] + a; ihvout[1] = ihvin[1] + b; ihvout[2] = ihvin[2] + c; ihvout[3] = ihvin[3] + d; ihvout[4] = ihvin[4] + e; \
}

#ifdef _MSC_VER
#pragma warning(push)
#pragma warning(disable: 4127) /* Complier complains about the checks in the above macro being constant. */
#endif

#ifdef DOSTORESTATE0
SHA1_RECOMPRESS(0)
#endif
@ -1189,6 +1223,10 @@ SHA1_RECOMPRESS(78) @@ -1189,6 +1223,10 @@ SHA1_RECOMPRESS(78)
SHA1_RECOMPRESS(79)
#endif

#ifdef _MSC_VER
#pragma warning(pop)
#endif

static void sha1_recompression_step(uint32_t step, uint32_t ihvin[5], uint32_t ihvout[5], const uint32_t me2[80], const uint32_t state[5])
{
switch (step)
@ -1662,7 +1700,7 @@ void SHA1DCInit(SHA1_CTX* ctx) @@ -1662,7 +1700,7 @@ void SHA1DCInit(SHA1_CTX* ctx)
ctx->ihv[3] = 0x10325476;
ctx->ihv[4] = 0xC3D2E1F0;
ctx->found_collision = 0;
ctx->safe_hash = 0;
ctx->safe_hash = SHA1DC_INIT_SAFE_HASH_DEFAULT;
ctx->ubc_check = 1;
ctx->detect_coll = 1;
ctx->reduced_round_coll = 0;
@ -1710,6 +1748,7 @@ void SHA1DCSetCallback(SHA1_CTX* ctx, collision_block_callback callback) @@ -1710,6 +1748,7 @@ void SHA1DCSetCallback(SHA1_CTX* ctx, collision_block_callback callback)
void SHA1DCUpdate(SHA1_CTX* ctx, const char* buf, size_t len)
{
unsigned left, fill;

if (len == 0)
return;

@ -1728,7 +1767,13 @@ void SHA1DCUpdate(SHA1_CTX* ctx, const char* buf, size_t len) @@ -1728,7 +1767,13 @@ void SHA1DCUpdate(SHA1_CTX* ctx, const char* buf, size_t len)
while (len >= 64)
{
ctx->total += 64;

#if defined(SHA1DC_ALLOW_UNALIGNED_ACCESS)
sha1_process(ctx, (uint32_t*)(buf));
#else
memcpy(ctx->buffer, buf, 64);
sha1_process(ctx, (uint32_t*)(ctx->buffer));
#endif /* defined(SHA1DC_ALLOW_UNALIGNED_ACCESS) */
buf += 64;
len -= 64;
}
@ -1788,22 +1833,6 @@ int SHA1DCFinal(unsigned char output[20], SHA1_CTX *ctx) @@ -1788,22 +1833,6 @@ int SHA1DCFinal(unsigned char output[20], SHA1_CTX *ctx)
return ctx->found_collision;
}

void git_SHA1DCFinal(unsigned char hash[20], SHA1_CTX *ctx)
{
if (!SHA1DCFinal(hash, ctx))
return;
die("SHA-1 appears to be part of a collision attack: %s",
sha1_to_hex(hash));
}

void git_SHA1DCUpdate(SHA1_CTX *ctx, const void *vdata, unsigned long len)
{
const char *data = vdata;
/* We expect an unsigned long, but sha1dc only takes an int */
while (len > INT_MAX) {
SHA1DCUpdate(ctx, data, INT_MAX);
data += INT_MAX;
len -= INT_MAX;
}
SHA1DCUpdate(ctx, data, len);
}
#ifdef SHA1DC_CUSTOM_TRAILING_INCLUDE_SHA1_C
#include SHA1DC_CUSTOM_TRAILING_INCLUDE_SHA1_C
#endif

90
sha1dc/sha1.h
Unescape View File

@ -4,6 +4,7 @@ @@ -4,6 +4,7 @@
* See accompanying file LICENSE.txt or copy at
* https://opensource.org/licenses/MIT
***/

#ifndef SHA1DC_SHA1_H
#define SHA1DC_SHA1_H

@ -11,36 +12,30 @@ @@ -11,36 +12,30 @@
extern "C" {
#endif

/* uses SHA-1 message expansion to expand the first 16 words of W[] to 80 words */
/* void sha1_message_expansion(uint32_t W[80]); */

/* sha-1 compression function; first version takes a message block pre-parsed as 16 32-bit integers, second version takes an already expanded message) */
/* void sha1_compression(uint32_t ihv[5], const uint32_t m[16]);
void sha1_compression_W(uint32_t ihv[5], const uint32_t W[80]); */
#ifndef SHA1DC_NO_STANDARD_INCLUDES
#include <stdint.h>
#endif

/* same as sha1_compression_W, but additionally store intermediate states */
/* sha-1 compression function that takes an already expanded message, and additionally store intermediate states */
/* only stores states ii (the state between step ii-1 and step ii) when DOSTORESTATEii is defined in ubc_check.h */
void sha1_compression_states(uint32_t[5], const uint32_t[16], uint32_t[80], uint32_t[80][5]);

/*
// function type for sha1_recompression_step_T (uint32_t ihvin[5], uint32_t ihvout[5], const uint32_t me2[80], const uint32_t state[5])
// where 0 <= T < 80
// me2 is an expanded message (the expansion of an original message block XOR'ed with a disturbance vector's message block difference)
// state is the internal state (a,b,c,d,e) before step T of the SHA-1 compression function while processing the original message block
// the function will return:
// ihvin: the reconstructed input chaining value
// ihvout: the reconstructed output chaining value
// Function type for sha1_recompression_step_T (uint32_t ihvin[5], uint32_t ihvout[5], const uint32_t me2[80], const uint32_t state[5]).
// Where 0 <= T < 80
// me2 is an expanded message (the expansion of an original message block XOR'ed with a disturbance vector's message block difference.)
// state is the internal state (a,b,c,d,e) before step T of the SHA-1 compression function while processing the original message block.
// The function will return:
// ihvin: The reconstructed input chaining value.
// ihvout: The reconstructed output chaining value.
*/
typedef void(*sha1_recompression_type)(uint32_t*, uint32_t*, const uint32_t*, const uint32_t*);

/* table of sha1_recompression_step_0, ... , sha1_recompression_step_79 */
/* extern sha1_recompression_type sha1_recompression_step[80];*/

/* a callback function type that can be set to be called when a collision block has been found: */
/* A callback function type that can be set to be called when a collision block has been found: */
/* void collision_block_callback(uint64_t byteoffset, const uint32_t ihvin1[5], const uint32_t ihvin2[5], const uint32_t m1[80], const uint32_t m2[80]) */
typedef void(*collision_block_callback)(uint64_t, const uint32_t*, const uint32_t*, const uint32_t*, const uint32_t*);

/* the SHA-1 context */
/* The SHA-1 context. */
typedef struct {
uint64_t total;
uint32_t ihv[5];
@ -59,30 +54,34 @@ typedef struct { @@ -59,30 +54,34 @@ typedef struct {
uint32_t states[80][5];
} SHA1_CTX;

/* initialize SHA-1 context */
/* Initialize SHA-1 context. */
void SHA1DCInit(SHA1_CTX*);

/*
// function to enable safe SHA-1 hashing:
// collision attacks are thwarted by hashing a detected near-collision block 3 times
// think of it as extending SHA-1 from 80-steps to 240-steps for such blocks:
// the best collision attacks against SHA-1 have complexity about 2^60,
// thus for 240-steps an immediate lower-bound for the best cryptanalytic attacks would 2^180
// an attacker would be better off using a generic birthday search of complexity 2^80
//
// enabling safe SHA-1 hashing will result in the correct SHA-1 hash for messages where no collision attack was detected
// but it will result in a different SHA-1 hash for messages where a collision attack was detected
// this will automatically invalidate SHA-1 based digital signature forgeries
// enabled by default
Function to enable safe SHA-1 hashing:
Collision attacks are thwarted by hashing a detected near-collision block 3 times.
Think of it as extending SHA-1 from 80-steps to 240-steps for such blocks:
The best collision attacks against SHA-1 have complexity about 2^60,
thus for 240-steps an immediate lower-bound for the best cryptanalytic attacks would be 2^180.
An attacker would be better off using a generic birthday search of complexity 2^80.

Enabling safe SHA-1 hashing will result in the correct SHA-1 hash for messages where no collision attack was detected,
but it will result in a different SHA-1 hash for messages where a collision attack was detected.
This will automatically invalidate SHA-1 based digital signature forgeries.
Enabled by default.
*/
void SHA1DCSetSafeHash(SHA1_CTX*, int);

/* function to disable or enable the use of Unavoidable Bitconditions (provides a significant speed up) */
/* enabled by default */
/*
Function to disable or enable the use of Unavoidable Bitconditions (provides a significant speed up).
Enabled by default
*/
void SHA1DCSetUseUBC(SHA1_CTX*, int);

/* function to disable or enable the use of Collision Detection */
/* enabled by default */
/*
Function to disable or enable the use of Collision Detection.
Enabled by default.
*/
void SHA1DCSetUseDetectColl(SHA1_CTX*, int);

/* function to disable or enable the detection of reduced-round SHA-1 collisions */
@ -100,23 +99,12 @@ void SHA1DCUpdate(SHA1_CTX*, const char*, size_t); @@ -100,23 +99,12 @@ void SHA1DCUpdate(SHA1_CTX*, const char*, size_t);
/* returns: 0 = no collision detected, otherwise = collision found => warn user for active attack */
int SHA1DCFinal(unsigned char[20], SHA1_CTX*);

/*
* Same as SHA1DCFinal, but convert collision attack case into a verbose die().
*/
void git_SHA1DCFinal(unsigned char [20], SHA1_CTX *);

/*
* Same as SHA1DCUpdate, but adjust types to match git's usual interface.
*/
void git_SHA1DCUpdate(SHA1_CTX *ctx, const void *data, unsigned long len);

#define platform_SHA_CTX SHA1_CTX
#define platform_SHA1_Init SHA1DCInit
#define platform_SHA1_Update git_SHA1DCUpdate
#define platform_SHA1_Final git_SHA1DCFinal

#if defined(__cplusplus)
}
#endif

#endif /* SHA1DC_SHA1_H */
#ifdef SHA1DC_CUSTOM_TRAILING_INCLUDE_SHA1_H
#include SHA1DC_CUSTOM_TRAILING_INCLUDE_SHA1_H
#endif

#endif

13
sha1dc/ubc_check.c
Unescape View File

@ -24,8 +24,13 @@ @@ -24,8 +24,13 @@
// ubc_check has been verified against ubc_check_verify using the 'ubc_check_test' program in the tools section
*/

#include "git-compat-util.h"
#include "sha1dc/ubc_check.h"
#ifndef SHA1DC_NO_STANDARD_INCLUDES
#include <stdint.h>
#endif
#ifdef SHA1DC_CUSTOM_INCLUDE_UBC_CHECK_C
#include SHA1DC_CUSTOM_INCLUDE_UBC_CHECK_C
#endif
#include "ubc_check.h"

static const uint32_t DV_I_43_0_bit = (uint32_t)(1) << 0;
static const uint32_t DV_I_44_0_bit = (uint32_t)(1) << 1;
@ -361,3 +366,7 @@ if (mask) { @@ -361,3 +366,7 @@ if (mask) {

dvmask[0]=mask;
}

#ifdef SHA1DC_CUSTOM_TRAILING_INCLUDE_UBC_CHECK_C
#include SHA1DC_CUSTOM_TRAILING_INCLUDE_UBC_CHECK_C
#endif

14
sha1dc/ubc_check.h
Unescape View File

@ -20,13 +20,17 @@ @@ -20,13 +20,17 @@
// thus one needs to do the recompression check for each DV that has its bit set
*/

#ifndef UBC_CHECK_H
#define UBC_CHECK_H
#ifndef SHA1DC_UBC_CHECK_H
#define SHA1DC_UBC_CHECK_H

#if defined(__cplusplus)
extern "C" {
#endif

#ifndef SHA1DC_NO_STANDARD_INCLUDES
#include <stdint.h>
#endif

#define DVMASKSIZE 1
typedef struct { int dvType; int dvK; int dvB; int testt; int maski; int maskb; uint32_t dm[80]; } dv_info_t;
extern dv_info_t sha1_dvs[];
@ -41,4 +45,8 @@ void ubc_check(const uint32_t W[80], uint32_t dvmask[DVMASKSIZE]); @@ -41,4 +45,8 @@ void ubc_check(const uint32_t W[80], uint32_t dvmask[DVMASKSIZE]);
}
#endif

#endif /* UBC_CHECK_H */
#ifdef SHA1DC_CUSTOM_TRAILING_INCLUDE_UBC_CHECK_H
#include SHA1DC_CUSTOM_TRAILING_INCLUDE_UBC_CHECK_H
#endif

#endif

24
sha1dc_git.c
Unescape View File

@ -0,0 +1,24 @@ @@ -0,0 +1,24 @@
/*
* This code is included at the end of sha1dc/sha1.c with the
* SHA1DC_CUSTOM_TRAILING_INCLUDE_SHA1_C macro.
*/

void git_SHA1DCFinal(unsigned char hash[20], SHA1_CTX *ctx)
{
if (!SHA1DCFinal(hash, ctx))
return;
die("SHA-1 appears to be part of a collision attack: %s",
sha1_to_hex(hash));
}

void git_SHA1DCUpdate(SHA1_CTX *ctx, const void *vdata, unsigned long len)
{
const char *data = vdata;
/* We expect an unsigned long, but sha1dc only takes an int */
while (len > INT_MAX) {
SHA1DCUpdate(ctx, data, INT_MAX);
data += INT_MAX;
len -= INT_MAX;
}
SHA1DCUpdate(ctx, data, len);
}

19
sha1dc_git.h
Unescape View File

@ -0,0 +1,19 @@ @@ -0,0 +1,19 @@
/*
* This code is included at the end of sha1dc/sha1.h with the
* SHA1DC_CUSTOM_TRAILING_INCLUDE_SHA1_H macro.
*/

/*
* Same as SHA1DCFinal, but convert collision attack case into a verbose die().
*/
void git_SHA1DCFinal(unsigned char [20], SHA1_CTX *);

/*
* Same as SHA1DCUpdate, but adjust types to match git's usual interface.
*/
void git_SHA1DCUpdate(SHA1_CTX *ctx, const void *data, unsigned long len);

#define platform_SHA_CTX SHA1_CTX
#define platform_SHA1_Init SHA1DCInit
#define platform_SHA1_Update git_SHA1DCUpdate
#define platform_SHA1_Final git_SHA1DCFinal
Write Preview
Loading…
Cancel
Save