fix(*): Vendored project dependencies

vendor/github.com/pjbgf/sha1cd/cgo/README.md

@@ -0,0 +1,102 @@
+# sha1collisiondetection
+Library and command line tool to detect SHA-1 collisions in files
+
+Copyright 2017 Marc Stevens <marc@marc-stevens.nl>
+
+Distributed under the MIT Software License.
+
+See accompanying file LICENSE.txt or copy at https://opensource.org/licenses/MIT.
+
+## Developers
+
+- Marc Stevens, CWI Amsterdam (https://marc-stevens.nl)
+- Dan Shumow, Microsoft Research (https://www.microsoft.com/en-us/research/people/danshu/)
+
+## About
+This library and command line tool were designed as near drop-in replacements for common SHA-1 libraries and sha1sum.
+They will compute the SHA-1 hash of any given file and additionally will detect cryptanalytic collision attacks against SHA-1 present in each file. It is very fast and takes less than twice the amount of time as regular SHA-1.
+
+More specifically they will detect any cryptanalytic collision attack against SHA-1 using any of the top 32 SHA-1 disturbance vectors with probability 1:
+```
+    I(43,0), I(44,0), I(45,0), I(46,0), I(47,0), I(48,0), I(49,0), I(50,0), I(51,0), I(52,0),
+    I(46,2), I(47,2), I(48,2), I(49,2), I(50,2), I(51,2),
+    II(45,0), II(46,0), II(47,0), II(48,0), II(49,0), II(50,0), II(51,0), II(52,0), II(53,0), II(54,0), II(55,0), II(56,0),
+    II(46,2), II(49,2), II(50,2), II(51,2)
+```
+The possibility of false positives can be neglected as the probability is smaller than 2^-90.
+
+The library supports both an indicator flag that applications can check and act on, as well as a special _safe-hash_ mode that returns the real SHA-1 hash when no collision was detected and a different _safe_ hash when a collision was detected.
+Colliding files will have the same SHA-1 hash, but will have different unpredictable safe-hashes.
+This essentially enables protection of applications against SHA-1 collisions with no further changes in the application, e.g., digital signature forgeries based on SHA-1 collisions automatically become invalid.
+
+For the theoretical explanation of collision detection see the award-winning paper on _Counter-Cryptanalysis_:
+
+Counter-cryptanalysis, Marc Stevens, CRYPTO 2013, Lecture Notes in Computer Science, vol. 8042, Springer, 2013, pp. 129-146,
+https://marc-stevens.nl/research/papers/C13-S.pdf
+
+
+## Inclusion in other programs
+
+In order to make it easier to include these sources in other project
+there are several preprocessor macros that the code uses. Rather than
+copy/pasting and customizing or specializing the code, first see if
+setting any of these defines appropriately will allow you to avoid
+modifying the code yourself.
+
+- SHA1DC_NO_STANDARD_INCLUDES
+
+ Skips including standard headers. Use this if your project for
+ whatever reason wishes to do its own header includes.
+
+- SHA1DC_CUSTOM_INCLUDE_SHA1_C
+
+  Includes a custom header at the top of sha1.c. Usually this would be
+  set in conjunction with SHA1DC_NO_STANDARD_INCLUDES to point to a
+  header file which includes various standard headers.
+
+- SHA1DC_INIT_SAFE_HASH_DEFAULT
+
+  Sets the default for safe_hash in SHA1DCInit(). Valid values are 0
+  and 1. If unset 1 is the default.
+
+- SHA1DC_CUSTOM_TRAILING_INCLUDE_SHA1_C
+
+  Includes a custom trailer in sha1.c. Useful for any extra utility
+  functions that make use of the functions already defined in sha1.c.
+
+- SHA1DC_CUSTOM_TRAILING_INCLUDE_SHA1_H
+
+  Includes a custom trailer in sha1.h. Useful for defining the
+  prototypes of the functions or code included by
+  SHA1DC_CUSTOM_TRAILING_INCLUDE_SHA1_C.
+
+- SHA1DC_CUSTOM_INCLUDE_UBC_CHECK_C
+
+  Includes a custom header at the top of ubc_check.c.
+
+- SHA1DC_CUSTOM_TRAILING_INCLUDE_UBC_CHECK_C
+
+  Includes a custom trailer in ubc_check.c.
+
+- SHA1DC_CUSTOM_TRAILING_INCLUDE_UBC_CHECK_H
+
+  Includes a custom trailer in ubc_check.H.
+
+This code will try to auto-detect certain things based on
+CPU/platform. Unless you're running on some really obscure CPU or
+porting to a new platform you should not need to tweak this. If you do
+please open an issue at
+https://github.com/cr-marcstevens/sha1collisiondetection
+
+- SHA1DC_FORCE_LITTLEENDIAN / SHA1DC_FORCE_BIGENDIAN
+
+  Override the check for processor endianenss and force either
+  Little-Endian or Big-Endian.
+
+- SHA1DC_FORCE_UNALIGNED_ACCESS
+
+  Permit unaligned access. This will fail on e.g. SPARC processors, so
+  it's only permitted on a whitelist of processors. If your CPU isn't
+  detected as allowing this, and allows unaligned access, setting this
+  may improve performance (or make it worse, if the kernel has to
+  catch and emulate such access on its own).

vendor/github.com/pjbgf/sha1cd/cgo/fallback_no_cgo.go

@@ -0,0 +1,32 @@
+//go:build !cgo
+// +build !cgo
+
+package cgo
+
+import (
+	"hash"
+
+	"github.com/pjbgf/sha1cd"
+	"github.com/pjbgf/sha1cd/ubc"
+)
+
+// CalculateDvMask falls back to github.com/pjbgf/sha1cd/ubc implementation
+// due to CGO being disabled at compilation time.
+func CalculateDvMask(W []uint32) (uint32, error) {
+	return ubc.CalculateDvMask(W)
+}
+
+// CalculateDvMask falls back to github.com/pjbgf/sha1cd implementation
+// due to CGO being disabled at compilation time.
+func New() hash.Hash {
+	return sha1cd.New()
+}
+
+// CalculateDvMask falls back to github.com/pjbgf/sha1cd implementation
+// due to CGO being disabled at compilation time.
+func Sum(data []byte) ([]byte, bool) {
+	d := sha1cd.New().(sha1cd.CollisionResistantHash)
+	d.Write(data)
+
+	return d.CollisionResistantSum(nil)
+}

vendor/github.com/pjbgf/sha1cd/cgo/sha1.go

@@ -0,0 +1,78 @@
+package cgo
+
+// #include <sha1.h>
+// #include <ubc_check.h>
+import "C"
+
+import (
+	"crypto"
+	"hash"
+	"unsafe"
+)
+
+const (
+	Size      = 20
+	BlockSize = 64
+)
+
+func init() {
+	crypto.RegisterHash(crypto.SHA1, New)
+}
+
+func New() hash.Hash {
+	d := new(digest)
+	d.Reset()
+	return d
+}
+
+type digest struct {
+	ctx C.SHA1_CTX
+}
+
+func (d *digest) sum() ([]byte, bool) {
+	b := make([]byte, Size)
+	c := C.SHA1DCFinal((*C.uchar)(unsafe.Pointer(&b[0])), &d.ctx)
+	if c != 0 {
+		return b, true
+	}
+
+	return b, false
+}
+
+func (d *digest) Sum(in []byte) []byte {
+	d0 := *d // use a copy of d to avoid race conditions.
+	h, _ := d0.sum()
+	return append(in, h...)
+}
+
+func (d *digest) CollisionResistantSum(in []byte) ([]byte, bool) {
+	d0 := *d // use a copy of d to avoid race conditions.
+	h, c := d0.sum()
+	return append(in, h...), c
+}
+
+func (d *digest) Reset() {
+	C.SHA1DCInit(&d.ctx)
+}
+
+func (d *digest) Size() int { return Size }
+
+func (d *digest) BlockSize() int { return BlockSize }
+
+func Sum(data []byte) ([]byte, bool) {
+	d := New().(*digest)
+	d.Write(data)
+
+	return d.sum()
+}
+
+func (d *digest) Write(p []byte) (nn int, err error) {
+	if len(p) == 0 {
+		return 0, nil
+	}
+
+	data := (*C.char)(unsafe.Pointer(&p[0]))
+	C.SHA1DCUpdate(&d.ctx, data, (C.size_t)(len(p)))
+
+	return len(p), nil
+}

vendor/github.com/pjbgf/sha1cd/cgo/sha1.h

@@ -0,0 +1,114 @@
+/***
+ * Copyright 2017 Marc Stevens <marc@marc-stevens.nl>, Dan Shumow <danshu@microsoft.com>
+ * Distributed under the MIT Software License.
+ * See accompanying file LICENSE.txt or copy at
+ * https://opensource.org/licenses/MIT
+ ***/
+
+// Originally from: https://github.com/cr-marcstevens/sha1collisiondetection
+
+#ifndef SHA1DC_SHA1_H
+#define SHA1DC_SHA1_H
+
+#if defined(__cplusplus)
+extern "C"
+{
+#endif
+
+#ifndef SHA1DC_NO_STANDARD_INCLUDES
+#include <stdint.h>
+#endif
+
+	/* sha-1 compression function that takes an already expanded message, and additionally store intermediate states */
+	/* only stores states ii (the state between step ii-1 and step ii) when DOSTORESTATEii is defined in ubc_check.h */
+	void sha1_compression_states(uint32_t[5], const uint32_t[16], uint32_t[80], uint32_t[80][5]);
+
+	/*
+	// Function type for sha1_recompression_step_T (uint32_t ihvin[5], uint32_t ihvout[5], const uint32_t me2[80], const uint32_t state[5]).
+	// Where 0 <= T < 80
+	//       me2 is an expanded message (the expansion of an original message block XOR'ed with a disturbance vector's message block difference.)
+	//       state is the internal state (a,b,c,d,e) before step T of the SHA-1 compression function while processing the original message block.
+	// The function will return:
+	//       ihvin: The reconstructed input chaining value.
+	//       ihvout: The reconstructed output chaining value.
+	*/
+	typedef void (*sha1_recompression_type)(uint32_t *, uint32_t *, const uint32_t *, const uint32_t *);
+
+	/* A callback function type that can be set to be called when a collision block has been found: */
+	/* void collision_block_callback(uint64_t byteoffset, const uint32_t ihvin1[5], const uint32_t ihvin2[5], const uint32_t m1[80], const uint32_t m2[80]) */
+	typedef void (*collision_block_callback)(uint64_t, const uint32_t *, const uint32_t *, const uint32_t *, const uint32_t *);
+
+	/* The SHA-1 context. */
+	typedef struct
+	{
+		uint64_t total;
+		uint32_t ihv[5];
+		unsigned char buffer[64];
+		int found_collision;
+		int safe_hash;
+		int detect_coll;
+		int ubc_check;
+		int reduced_round_coll;
+		collision_block_callback callback;
+
+		uint32_t ihv1[5];
+		uint32_t ihv2[5];
+		uint32_t m1[80];
+		uint32_t m2[80];
+		uint32_t states[80][5];
+	} SHA1_CTX;
+
+	/* Initialize SHA-1 context. */
+	void SHA1DCInit(SHA1_CTX *);
+
+	/*
+		Function to enable safe SHA-1 hashing:
+		Collision attacks are thwarted by hashing a detected near-collision block 3 times.
+		Think of it as extending SHA-1 from 80-steps to 240-steps for such blocks:
+			The best collision attacks against SHA-1 have complexity about 2^60,
+			thus for 240-steps an immediate lower-bound for the best cryptanalytic attacks would be 2^180.
+			An attacker would be better off using a generic birthday search of complexity 2^80.
+
+	   Enabling safe SHA-1 hashing will result in the correct SHA-1 hash for messages where no collision attack was detected,
+	   but it will result in a different SHA-1 hash for messages where a collision attack was detected.
+	   This will automatically invalidate SHA-1 based digital signature forgeries.
+	   Enabled by default.
+	*/
+	void SHA1DCSetSafeHash(SHA1_CTX *, int);
+
+	/*
+		Function to disable or enable the use of Unavoidable Bitconditions (provides a significant speed up).
+		Enabled by default
+	 */
+	void SHA1DCSetUseUBC(SHA1_CTX *, int);
+
+	/*
+		Function to disable or enable the use of Collision Detection.
+		Enabled by default.
+	 */
+	void SHA1DCSetUseDetectColl(SHA1_CTX *, int);
+
+	/* function to disable or enable the detection of reduced-round SHA-1 collisions */
+	/* disabled by default */
+	void SHA1DCSetDetectReducedRoundCollision(SHA1_CTX *, int);
+
+	/* function to set a callback function, pass NULL to disable */
+	/* by default no callback set */
+	void SHA1DCSetCallback(SHA1_CTX *, collision_block_callback);
+
+	/* update SHA-1 context with buffer contents */
+	void SHA1DCUpdate(SHA1_CTX *, const char *, size_t);
+
+	/* obtain SHA-1 hash from SHA-1 context */
+	/* returns: 0 = no collision detected, otherwise = collision found => warn user for active attack */
+	int SHA1DCFinal(unsigned char[20], SHA1_CTX *);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#ifdef SHA1DC_CUSTOM_TRAILING_INCLUDE_SHA1_H
+#include SHA1DC_CUSTOM_TRAILING_INCLUDE_SHA1_H
+#endif
+
+#endif

vendor/github.com/pjbgf/sha1cd/cgo/ubc_check.go

@@ -0,0 +1,28 @@
+package cgo
+
+// #include <ubc_check.h>
+// #include <stdlib.h>
+//
+// uint32_t check(const uint32_t W[80])
+// {
+//	 uint32_t ubc_dv_mask[DVMASKSIZE] = {(uint32_t)(0xFFFFFFFF)};
+//   ubc_check(W, ubc_dv_mask);
+//   return ubc_dv_mask[0];
+// }
+import "C"
+import (
+	"fmt"
+	"unsafe"
+)
+
+// CalculateDvMask takes as input an expanded message block and verifies the unavoidable
+// bitconditions for all listed DVs. It returns a dvmask where each bit belonging to a DV
+// is set if all unavoidable bitconditions for that DV have been met.
+// Thus, one needs to do the recompression check for each DV that has its bit set.
+func CalculateDvMask(W []uint32) (uint32, error) {
+	if len(W) < 80 {
+		return 0, fmt.Errorf("invalid input: len(W) must be 80, was %d", len(W))
+	}
+
+	return uint32(C.check((*C.uint32_t)(unsafe.Pointer(&W[0])))), nil
+}

vendor/github.com/pjbgf/sha1cd/cgo/ubc_check.h

@@ -0,0 +1,64 @@
+/***
+ * Copyright 2017 Marc Stevens <marc@marc-stevens.nl>, Dan Shumow <danshu@microsoft.com>
+ * Distributed under the MIT Software License.
+ * See accompanying file LICENSE.txt or copy at
+ * https://opensource.org/licenses/MIT
+ ***/
+
+// Originally from: https://github.com/cr-marcstevens/sha1collisiondetection
+
+/*
+// this file was generated by the 'parse_bitrel' program in the tools section
+// using the data files from directory 'tools/data/3565'
+//
+// sha1_dvs contains a list of SHA-1 Disturbance Vectors (DV) to check
+// dvType, dvK and dvB define the DV: I(K,B) or II(K,B) (see the paper)
+// dm[80] is the expanded message block XOR-difference defined by the DV
+// testt is the step to do the recompression from for collision detection
+// maski and maskb define the bit to check for each DV in the dvmask returned by ubc_check
+//
+// ubc_check takes as input an expanded message block and verifies the unavoidable bitconditions for all listed DVs
+// it returns a dvmask where each bit belonging to a DV is set if all unavoidable bitconditions for that DV have been met
+// thus one needs to do the recompression check for each DV that has its bit set
+*/
+
+#ifndef SHA1DC_UBC_CHECK_H
+#define SHA1DC_UBC_CHECK_H
+
+#if defined(__cplusplus)
+extern "C"
+{
+#endif
+
+#ifndef SHA1DC_NO_STANDARD_INCLUDES
+#include <stdint.h>
+#endif
+
+#define DVMASKSIZE 1
+	typedef struct
+	{
+		int dvType;
+		int dvK;
+		int dvB;
+		int testt;
+		int maski;
+		int maskb;
+		uint32_t dm[80];
+	} dv_info_t;
+	extern dv_info_t sha1_dvs[];
+	void ubc_check(const uint32_t W[80], uint32_t dvmask[DVMASKSIZE]);
+
+#define DOSTORESTATE58
+#define DOSTORESTATE65
+
+#define CHECK_DVMASK(_DVMASK) (0 != _DVMASK[0])
+
+#if defined(__cplusplus)
+}
+#endif
+
+#ifdef SHA1DC_CUSTOM_TRAILING_INCLUDE_UBC_CHECK_H
+#include SHA1DC_CUSTOM_TRAILING_INCLUDE_UBC_CHECK_H
+#endif
+
+#endif