1 /*
2 +----------------------------------------------------------------------+
3 | PHP Version 7 |
4 +----------------------------------------------------------------------+
5 | Copyright (c) 1997-2018 The PHP Group |
6 +----------------------------------------------------------------------+
7 | This source file is subject to version 3.01 of the PHP license, |
8 | that is bundled with this package in the file LICENSE, and is |
9 | available through the world-wide-web at the following url: |
10 | http://www.php.net/license/3_01.txt |
11 | If you did not receive a copy of the PHP license and are unable to |
12 | obtain it through the world-wide-web, please send a note to |
13 | license@php.net so we can mail you a copy immediately. |
14 +----------------------------------------------------------------------+
15 | Authors: Michael Wallner <mike@php.net> |
16 | Sara Golemon <pollita@php.net> |
17 +----------------------------------------------------------------------+
18 */
19
20 /* $Id$ */
21
22 #include "php_hash.h"
23
24 /*
25 * TODO: simplify Update and Final, those look ridiculously complex
26 * Mike, 2005-11-23
27 */
28
29 #include "php_hash_whirlpool.h"
30 #include "php_hash_whirlpool_tables.h"
31
32 #define DIGESTBYTES 64
33 #define DIGESTBITS (8*DIGESTBYTES) /* 512 */
34
35 #define WBLOCKBYTES 64
36 #define WBLOCKBITS (8*WBLOCKBYTES) /* 512 */
37
38 #define LENGTHBYTES 32
39 #define LENGTHBITS (8*LENGTHBYTES) /* 256 */
40
WhirlpoolTransform(PHP_WHIRLPOOL_CTX * context)41 static void WhirlpoolTransform(PHP_WHIRLPOOL_CTX *context)
42 {
43 int i, r;
44 uint64_t K[8]; /* the round key */
45 uint64_t block[8]; /* mu(buffer) */
46 uint64_t state[8]; /* the cipher state */
47 uint64_t L[8];
48 unsigned char *buffer = context->buffer.data;
49
50 /*
51 * map the buffer to a block:
52 */
53 for (i = 0; i < 8; i++, buffer += 8) {
54 block[i] =
55 (((uint64_t)buffer[0] ) << 56) ^
56 (((uint64_t)buffer[1] & 0xffL) << 48) ^
57 (((uint64_t)buffer[2] & 0xffL) << 40) ^
58 (((uint64_t)buffer[3] & 0xffL) << 32) ^
59 (((uint64_t)buffer[4] & 0xffL) << 24) ^
60 (((uint64_t)buffer[5] & 0xffL) << 16) ^
61 (((uint64_t)buffer[6] & 0xffL) << 8) ^
62 (((uint64_t)buffer[7] & 0xffL) );
63 }
64 /*
65 * compute and apply K^0 to the cipher state:
66 */
67 state[0] = block[0] ^ (K[0] = context->state[0]);
68 state[1] = block[1] ^ (K[1] = context->state[1]);
69 state[2] = block[2] ^ (K[2] = context->state[2]);
70 state[3] = block[3] ^ (K[3] = context->state[3]);
71 state[4] = block[4] ^ (K[4] = context->state[4]);
72 state[5] = block[5] ^ (K[5] = context->state[5]);
73 state[6] = block[6] ^ (K[6] = context->state[6]);
74 state[7] = block[7] ^ (K[7] = context->state[7]);
75 /*
76 * iterate over all rounds:
77 */
78 for (r = 1; r <= R; r++) {
79 /*
80 * compute K^r from K^{r-1}:
81 */
82 L[0] =
83 C0[(int)(K[0] >> 56) ] ^
84 C1[(int)(K[7] >> 48) & 0xff] ^
85 C2[(int)(K[6] >> 40) & 0xff] ^
86 C3[(int)(K[5] >> 32) & 0xff] ^
87 C4[(int)(K[4] >> 24) & 0xff] ^
88 C5[(int)(K[3] >> 16) & 0xff] ^
89 C6[(int)(K[2] >> 8) & 0xff] ^
90 C7[(int)(K[1] ) & 0xff] ^
91 rc[r];
92 L[1] =
93 C0[(int)(K[1] >> 56) ] ^
94 C1[(int)(K[0] >> 48) & 0xff] ^
95 C2[(int)(K[7] >> 40) & 0xff] ^
96 C3[(int)(K[6] >> 32) & 0xff] ^
97 C4[(int)(K[5] >> 24) & 0xff] ^
98 C5[(int)(K[4] >> 16) & 0xff] ^
99 C6[(int)(K[3] >> 8) & 0xff] ^
100 C7[(int)(K[2] ) & 0xff];
101 L[2] =
102 C0[(int)(K[2] >> 56) ] ^
103 C1[(int)(K[1] >> 48) & 0xff] ^
104 C2[(int)(K[0] >> 40) & 0xff] ^
105 C3[(int)(K[7] >> 32) & 0xff] ^
106 C4[(int)(K[6] >> 24) & 0xff] ^
107 C5[(int)(K[5] >> 16) & 0xff] ^
108 C6[(int)(K[4] >> 8) & 0xff] ^
109 C7[(int)(K[3] ) & 0xff];
110 L[3] =
111 C0[(int)(K[3] >> 56) ] ^
112 C1[(int)(K[2] >> 48) & 0xff] ^
113 C2[(int)(K[1] >> 40) & 0xff] ^
114 C3[(int)(K[0] >> 32) & 0xff] ^
115 C4[(int)(K[7] >> 24) & 0xff] ^
116 C5[(int)(K[6] >> 16) & 0xff] ^
117 C6[(int)(K[5] >> 8) & 0xff] ^
118 C7[(int)(K[4] ) & 0xff];
119 L[4] =
120 C0[(int)(K[4] >> 56) ] ^
121 C1[(int)(K[3] >> 48) & 0xff] ^
122 C2[(int)(K[2] >> 40) & 0xff] ^
123 C3[(int)(K[1] >> 32) & 0xff] ^
124 C4[(int)(K[0] >> 24) & 0xff] ^
125 C5[(int)(K[7] >> 16) & 0xff] ^
126 C6[(int)(K[6] >> 8) & 0xff] ^
127 C7[(int)(K[5] ) & 0xff];
128 L[5] =
129 C0[(int)(K[5] >> 56) ] ^
130 C1[(int)(K[4] >> 48) & 0xff] ^
131 C2[(int)(K[3] >> 40) & 0xff] ^
132 C3[(int)(K[2] >> 32) & 0xff] ^
133 C4[(int)(K[1] >> 24) & 0xff] ^
134 C5[(int)(K[0] >> 16) & 0xff] ^
135 C6[(int)(K[7] >> 8) & 0xff] ^
136 C7[(int)(K[6] ) & 0xff];
137 L[6] =
138 C0[(int)(K[6] >> 56) ] ^
139 C1[(int)(K[5] >> 48) & 0xff] ^
140 C2[(int)(K[4] >> 40) & 0xff] ^
141 C3[(int)(K[3] >> 32) & 0xff] ^
142 C4[(int)(K[2] >> 24) & 0xff] ^
143 C5[(int)(K[1] >> 16) & 0xff] ^
144 C6[(int)(K[0] >> 8) & 0xff] ^
145 C7[(int)(K[7] ) & 0xff];
146 L[7] =
147 C0[(int)(K[7] >> 56) ] ^
148 C1[(int)(K[6] >> 48) & 0xff] ^
149 C2[(int)(K[5] >> 40) & 0xff] ^
150 C3[(int)(K[4] >> 32) & 0xff] ^
151 C4[(int)(K[3] >> 24) & 0xff] ^
152 C5[(int)(K[2] >> 16) & 0xff] ^
153 C6[(int)(K[1] >> 8) & 0xff] ^
154 C7[(int)(K[0] ) & 0xff];
155 K[0] = L[0];
156 K[1] = L[1];
157 K[2] = L[2];
158 K[3] = L[3];
159 K[4] = L[4];
160 K[5] = L[5];
161 K[6] = L[6];
162 K[7] = L[7];
163 /*
164 * apply the r-th round transformation:
165 */
166 L[0] =
167 C0[(int)(state[0] >> 56) ] ^
168 C1[(int)(state[7] >> 48) & 0xff] ^
169 C2[(int)(state[6] >> 40) & 0xff] ^
170 C3[(int)(state[5] >> 32) & 0xff] ^
171 C4[(int)(state[4] >> 24) & 0xff] ^
172 C5[(int)(state[3] >> 16) & 0xff] ^
173 C6[(int)(state[2] >> 8) & 0xff] ^
174 C7[(int)(state[1] ) & 0xff] ^
175 K[0];
176 L[1] =
177 C0[(int)(state[1] >> 56) ] ^
178 C1[(int)(state[0] >> 48) & 0xff] ^
179 C2[(int)(state[7] >> 40) & 0xff] ^
180 C3[(int)(state[6] >> 32) & 0xff] ^
181 C4[(int)(state[5] >> 24) & 0xff] ^
182 C5[(int)(state[4] >> 16) & 0xff] ^
183 C6[(int)(state[3] >> 8) & 0xff] ^
184 C7[(int)(state[2] ) & 0xff] ^
185 K[1];
186 L[2] =
187 C0[(int)(state[2] >> 56) ] ^
188 C1[(int)(state[1] >> 48) & 0xff] ^
189 C2[(int)(state[0] >> 40) & 0xff] ^
190 C3[(int)(state[7] >> 32) & 0xff] ^
191 C4[(int)(state[6] >> 24) & 0xff] ^
192 C5[(int)(state[5] >> 16) & 0xff] ^
193 C6[(int)(state[4] >> 8) & 0xff] ^
194 C7[(int)(state[3] ) & 0xff] ^
195 K[2];
196 L[3] =
197 C0[(int)(state[3] >> 56) ] ^
198 C1[(int)(state[2] >> 48) & 0xff] ^
199 C2[(int)(state[1] >> 40) & 0xff] ^
200 C3[(int)(state[0] >> 32) & 0xff] ^
201 C4[(int)(state[7] >> 24) & 0xff] ^
202 C5[(int)(state[6] >> 16) & 0xff] ^
203 C6[(int)(state[5] >> 8) & 0xff] ^
204 C7[(int)(state[4] ) & 0xff] ^
205 K[3];
206 L[4] =
207 C0[(int)(state[4] >> 56) ] ^
208 C1[(int)(state[3] >> 48) & 0xff] ^
209 C2[(int)(state[2] >> 40) & 0xff] ^
210 C3[(int)(state[1] >> 32) & 0xff] ^
211 C4[(int)(state[0] >> 24) & 0xff] ^
212 C5[(int)(state[7] >> 16) & 0xff] ^
213 C6[(int)(state[6] >> 8) & 0xff] ^
214 C7[(int)(state[5] ) & 0xff] ^
215 K[4];
216 L[5] =
217 C0[(int)(state[5] >> 56) ] ^
218 C1[(int)(state[4] >> 48) & 0xff] ^
219 C2[(int)(state[3] >> 40) & 0xff] ^
220 C3[(int)(state[2] >> 32) & 0xff] ^
221 C4[(int)(state[1] >> 24) & 0xff] ^
222 C5[(int)(state[0] >> 16) & 0xff] ^
223 C6[(int)(state[7] >> 8) & 0xff] ^
224 C7[(int)(state[6] ) & 0xff] ^
225 K[5];
226 L[6] =
227 C0[(int)(state[6] >> 56) ] ^
228 C1[(int)(state[5] >> 48) & 0xff] ^
229 C2[(int)(state[4] >> 40) & 0xff] ^
230 C3[(int)(state[3] >> 32) & 0xff] ^
231 C4[(int)(state[2] >> 24) & 0xff] ^
232 C5[(int)(state[1] >> 16) & 0xff] ^
233 C6[(int)(state[0] >> 8) & 0xff] ^
234 C7[(int)(state[7] ) & 0xff] ^
235 K[6];
236 L[7] =
237 C0[(int)(state[7] >> 56) ] ^
238 C1[(int)(state[6] >> 48) & 0xff] ^
239 C2[(int)(state[5] >> 40) & 0xff] ^
240 C3[(int)(state[4] >> 32) & 0xff] ^
241 C4[(int)(state[3] >> 24) & 0xff] ^
242 C5[(int)(state[2] >> 16) & 0xff] ^
243 C6[(int)(state[1] >> 8) & 0xff] ^
244 C7[(int)(state[0] ) & 0xff] ^
245 K[7];
246 state[0] = L[0];
247 state[1] = L[1];
248 state[2] = L[2];
249 state[3] = L[3];
250 state[4] = L[4];
251 state[5] = L[5];
252 state[6] = L[6];
253 state[7] = L[7];
254 }
255 /*
256 * apply the Miyaguchi-Preneel compression function:
257 */
258 context->state[0] ^= state[0] ^ block[0];
259 context->state[1] ^= state[1] ^ block[1];
260 context->state[2] ^= state[2] ^ block[2];
261 context->state[3] ^= state[3] ^ block[3];
262 context->state[4] ^= state[4] ^ block[4];
263 context->state[5] ^= state[5] ^ block[5];
264 context->state[6] ^= state[6] ^ block[6];
265 context->state[7] ^= state[7] ^ block[7];
266
267 ZEND_SECURE_ZERO(state, sizeof(state));
268 }
269
PHP_WHIRLPOOLInit(PHP_WHIRLPOOL_CTX * context)270 PHP_HASH_API void PHP_WHIRLPOOLInit(PHP_WHIRLPOOL_CTX *context)
271 {
272 memset(context, 0, sizeof(*context));
273 }
274
PHP_WHIRLPOOLUpdate(PHP_WHIRLPOOL_CTX * context,const unsigned char * input,size_t len)275 PHP_HASH_API void PHP_WHIRLPOOLUpdate(PHP_WHIRLPOOL_CTX *context, const unsigned char *input, size_t len)
276 {
277 uint64_t sourceBits = len * 8;
278 int sourcePos = 0; /* index of leftmost source unsigned char containing data (1 to 8 bits). */
279 int sourceGap = (8 - ((int)sourceBits & 7)) & 7; /* space on source[sourcePos]. */
280 int bufferRem = context->buffer.bits & 7; /* occupied bits on buffer[bufferPos]. */
281 const unsigned char *source = input;
282 unsigned char *buffer = context->buffer.data;
283 unsigned char *bitLength = context->bitlength;
284 int bufferBits = context->buffer.bits;
285 int bufferPos = context->buffer.pos;
286 uint32_t b, carry;
287 int i;
288
289 /*
290 * tally the length of the added data:
291 */
292 uint64_t value = sourceBits;
293 for (i = 31, carry = 0; i >= 0 && (carry != 0 || value != L64(0)); i--) {
294 carry += bitLength[i] + ((uint32_t)value & 0xff);
295 bitLength[i] = (unsigned char)carry;
296 carry >>= 8;
297 value >>= 8;
298 }
299 /*
300 * process data in chunks of 8 bits (a more efficient approach would be to take whole-word chunks):
301 */
302 while (sourceBits > 8) {
303 /* N.B. at least source[sourcePos] and source[sourcePos+1] contain data. */
304 /*
305 * take a byte from the source:
306 */
307 b = ((source[sourcePos] << sourceGap) & 0xff) |
308 ((source[sourcePos + 1] & 0xff) >> (8 - sourceGap));
309 /*
310 * process this byte:
311 */
312 buffer[bufferPos++] |= (unsigned char)(b >> bufferRem);
313 bufferBits += 8 - bufferRem; /* bufferBits = 8*bufferPos; */
314 if (bufferBits == DIGESTBITS) {
315 /*
316 * process data block:
317 */
318 WhirlpoolTransform(context);
319 /*
320 * reset buffer:
321 */
322 bufferBits = bufferPos = 0;
323 }
324 buffer[bufferPos] = (unsigned char) (b << (8 - bufferRem));
325 bufferBits += bufferRem;
326 /*
327 * proceed to remaining data:
328 */
329 sourceBits -= 8;
330 sourcePos++;
331 }
332 /* now 0 <= sourceBits <= 8;
333 * furthermore, all data (if any is left) is in source[sourcePos].
334 */
335 if (sourceBits > 0) {
336 b = (source[sourcePos] << sourceGap) & 0xff; /* bits are left-justified on b. */
337 /*
338 * process the remaining bits:
339 */
340 buffer[bufferPos] |= b >> bufferRem;
341 } else {
342 b = 0;
343 }
344 if (bufferRem + sourceBits < 8) {
345 /*
346 * all remaining data fits on buffer[bufferPos],
347 * and there still remains some space.
348 */
349 bufferBits += (int) sourceBits;
350 } else {
351 /*
352 * buffer[bufferPos] is full:
353 */
354 bufferPos++;
355 bufferBits += 8 - bufferRem; /* bufferBits = 8*bufferPos; */
356 sourceBits -= 8 - bufferRem;
357 /* now 0 <= sourceBits < 8;
358 * furthermore, all data (if any is left) is in source[sourcePos].
359 */
360 if (bufferBits == DIGESTBITS) {
361 /*
362 * process data block:
363 */
364 WhirlpoolTransform(context);
365 /*
366 * reset buffer:
367 */
368 bufferBits = bufferPos = 0;
369 }
370 buffer[bufferPos] = (unsigned char) (b << (8 - bufferRem));
371 bufferBits += (int)sourceBits;
372 }
373 context->buffer.bits = bufferBits;
374 context->buffer.pos = bufferPos;
375 }
376
PHP_WHIRLPOOLFinal(unsigned char digest[64],PHP_WHIRLPOOL_CTX * context)377 PHP_HASH_API void PHP_WHIRLPOOLFinal(unsigned char digest[64], PHP_WHIRLPOOL_CTX *context)
378 {
379 int i;
380 unsigned char *buffer = context->buffer.data;
381 unsigned char *bitLength = context->bitlength;
382 int bufferBits = context->buffer.bits;
383 int bufferPos = context->buffer.pos;
384
385 /*
386 * append a '1'-bit:
387 */
388 buffer[bufferPos] |= 0x80U >> (bufferBits & 7);
389 bufferPos++; /* all remaining bits on the current unsigned char are set to zero. */
390 /*
391 * pad with zero bits to complete (N*WBLOCKBITS - LENGTHBITS) bits:
392 */
393 if (bufferPos > WBLOCKBYTES - LENGTHBYTES) {
394 if (bufferPos < WBLOCKBYTES) {
395 memset(&buffer[bufferPos], 0, WBLOCKBYTES - bufferPos);
396 }
397 /*
398 * process data block:
399 */
400 WhirlpoolTransform(context);
401 /*
402 * reset buffer:
403 */
404 bufferPos = 0;
405 }
406 if (bufferPos < WBLOCKBYTES - LENGTHBYTES) {
407 memset(&buffer[bufferPos], 0, (WBLOCKBYTES - LENGTHBYTES) - bufferPos);
408 }
409 bufferPos = WBLOCKBYTES - LENGTHBYTES;
410 /*
411 * append bit length of hashed data:
412 */
413 memcpy(&buffer[WBLOCKBYTES - LENGTHBYTES], bitLength, LENGTHBYTES);
414 /*
415 * process data block:
416 */
417 WhirlpoolTransform(context);
418 /*
419 * return the completed message digest:
420 */
421 for (i = 0; i < DIGESTBYTES/8; i++) {
422 digest[0] = (unsigned char)(context->state[i] >> 56);
423 digest[1] = (unsigned char)(context->state[i] >> 48);
424 digest[2] = (unsigned char)(context->state[i] >> 40);
425 digest[3] = (unsigned char)(context->state[i] >> 32);
426 digest[4] = (unsigned char)(context->state[i] >> 24);
427 digest[5] = (unsigned char)(context->state[i] >> 16);
428 digest[6] = (unsigned char)(context->state[i] >> 8);
429 digest[7] = (unsigned char)(context->state[i] );
430 digest += 8;
431 }
432
433 ZEND_SECURE_ZERO(context, sizeof(*context));
434 }
435
436 const php_hash_ops php_hash_whirlpool_ops = {
437 (php_hash_init_func_t) PHP_WHIRLPOOLInit,
438 (php_hash_update_func_t) PHP_WHIRLPOOLUpdate,
439 (php_hash_final_func_t) PHP_WHIRLPOOLFinal,
440 (php_hash_copy_func_t) php_hash_copy,
441 64,
442 64,
443 sizeof(PHP_WHIRLPOOL_CTX),
444 1
445 };
446
447 /*
448 * Local variables:
449 * tab-width: 4
450 * c-basic-offset: 4
451 * End:
452 * vim600: sw=4 ts=4 fdm=marker
453 * vim<600: sw=4 ts=4
454 */
455