1 /*
2 +----------------------------------------------------------------------+
3 | PHP Version 7 |
4 +----------------------------------------------------------------------+
5 | Copyright (c) 1997-2018 The PHP Group |
6 +----------------------------------------------------------------------+
7 | This source file is subject to version 3.01 of the PHP license, |
8 | that is bundled with this package in the file LICENSE, and is |
9 | available through the world-wide-web at the following url: |
10 | http://www.php.net/license/3_01.txt |
11 | If you did not receive a copy of the PHP license and are unable to |
12 | obtain it through the world-wide-web, please send a note to |
13 | license@php.net so we can mail you a copy immediately. |
14 +----------------------------------------------------------------------+
15 | Authors: Michael Wallner <mike@php.net> |
16 | Sara Golemon <pollita@php.net> |
17 +----------------------------------------------------------------------+
18 */
19
20 #include "php_hash.h"
21
22 /*
23 * TODO: simplify Update and Final, those look ridiculously complex
24 * Mike, 2005-11-23
25 */
26
27 #include "php_hash_whirlpool.h"
28 #include "php_hash_whirlpool_tables.h"
29
30 #define DIGESTBYTES 64
31 #define DIGESTBITS (8*DIGESTBYTES) /* 512 */
32
33 #define WBLOCKBYTES 64
34 #define WBLOCKBITS (8*WBLOCKBYTES) /* 512 */
35
36 #define LENGTHBYTES 32
37 #define LENGTHBITS (8*LENGTHBYTES) /* 256 */
38
WhirlpoolTransform(PHP_WHIRLPOOL_CTX * context)39 static void WhirlpoolTransform(PHP_WHIRLPOOL_CTX *context)
40 {
41 int i, r;
42 uint64_t K[8]; /* the round key */
43 uint64_t block[8]; /* mu(buffer) */
44 uint64_t state[8]; /* the cipher state */
45 uint64_t L[8];
46 unsigned char *buffer = context->buffer.data;
47
48 /*
49 * map the buffer to a block:
50 */
51 for (i = 0; i < 8; i++, buffer += 8) {
52 block[i] =
53 (((uint64_t)buffer[0] ) << 56) ^
54 (((uint64_t)buffer[1] & 0xffL) << 48) ^
55 (((uint64_t)buffer[2] & 0xffL) << 40) ^
56 (((uint64_t)buffer[3] & 0xffL) << 32) ^
57 (((uint64_t)buffer[4] & 0xffL) << 24) ^
58 (((uint64_t)buffer[5] & 0xffL) << 16) ^
59 (((uint64_t)buffer[6] & 0xffL) << 8) ^
60 (((uint64_t)buffer[7] & 0xffL) );
61 }
62 /*
63 * compute and apply K^0 to the cipher state:
64 */
65 state[0] = block[0] ^ (K[0] = context->state[0]);
66 state[1] = block[1] ^ (K[1] = context->state[1]);
67 state[2] = block[2] ^ (K[2] = context->state[2]);
68 state[3] = block[3] ^ (K[3] = context->state[3]);
69 state[4] = block[4] ^ (K[4] = context->state[4]);
70 state[5] = block[5] ^ (K[5] = context->state[5]);
71 state[6] = block[6] ^ (K[6] = context->state[6]);
72 state[7] = block[7] ^ (K[7] = context->state[7]);
73 /*
74 * iterate over all rounds:
75 */
76 for (r = 1; r <= R; r++) {
77 /*
78 * compute K^r from K^{r-1}:
79 */
80 L[0] =
81 C0[(int)(K[0] >> 56) ] ^
82 C1[(int)(K[7] >> 48) & 0xff] ^
83 C2[(int)(K[6] >> 40) & 0xff] ^
84 C3[(int)(K[5] >> 32) & 0xff] ^
85 C4[(int)(K[4] >> 24) & 0xff] ^
86 C5[(int)(K[3] >> 16) & 0xff] ^
87 C6[(int)(K[2] >> 8) & 0xff] ^
88 C7[(int)(K[1] ) & 0xff] ^
89 rc[r];
90 L[1] =
91 C0[(int)(K[1] >> 56) ] ^
92 C1[(int)(K[0] >> 48) & 0xff] ^
93 C2[(int)(K[7] >> 40) & 0xff] ^
94 C3[(int)(K[6] >> 32) & 0xff] ^
95 C4[(int)(K[5] >> 24) & 0xff] ^
96 C5[(int)(K[4] >> 16) & 0xff] ^
97 C6[(int)(K[3] >> 8) & 0xff] ^
98 C7[(int)(K[2] ) & 0xff];
99 L[2] =
100 C0[(int)(K[2] >> 56) ] ^
101 C1[(int)(K[1] >> 48) & 0xff] ^
102 C2[(int)(K[0] >> 40) & 0xff] ^
103 C3[(int)(K[7] >> 32) & 0xff] ^
104 C4[(int)(K[6] >> 24) & 0xff] ^
105 C5[(int)(K[5] >> 16) & 0xff] ^
106 C6[(int)(K[4] >> 8) & 0xff] ^
107 C7[(int)(K[3] ) & 0xff];
108 L[3] =
109 C0[(int)(K[3] >> 56) ] ^
110 C1[(int)(K[2] >> 48) & 0xff] ^
111 C2[(int)(K[1] >> 40) & 0xff] ^
112 C3[(int)(K[0] >> 32) & 0xff] ^
113 C4[(int)(K[7] >> 24) & 0xff] ^
114 C5[(int)(K[6] >> 16) & 0xff] ^
115 C6[(int)(K[5] >> 8) & 0xff] ^
116 C7[(int)(K[4] ) & 0xff];
117 L[4] =
118 C0[(int)(K[4] >> 56) ] ^
119 C1[(int)(K[3] >> 48) & 0xff] ^
120 C2[(int)(K[2] >> 40) & 0xff] ^
121 C3[(int)(K[1] >> 32) & 0xff] ^
122 C4[(int)(K[0] >> 24) & 0xff] ^
123 C5[(int)(K[7] >> 16) & 0xff] ^
124 C6[(int)(K[6] >> 8) & 0xff] ^
125 C7[(int)(K[5] ) & 0xff];
126 L[5] =
127 C0[(int)(K[5] >> 56) ] ^
128 C1[(int)(K[4] >> 48) & 0xff] ^
129 C2[(int)(K[3] >> 40) & 0xff] ^
130 C3[(int)(K[2] >> 32) & 0xff] ^
131 C4[(int)(K[1] >> 24) & 0xff] ^
132 C5[(int)(K[0] >> 16) & 0xff] ^
133 C6[(int)(K[7] >> 8) & 0xff] ^
134 C7[(int)(K[6] ) & 0xff];
135 L[6] =
136 C0[(int)(K[6] >> 56) ] ^
137 C1[(int)(K[5] >> 48) & 0xff] ^
138 C2[(int)(K[4] >> 40) & 0xff] ^
139 C3[(int)(K[3] >> 32) & 0xff] ^
140 C4[(int)(K[2] >> 24) & 0xff] ^
141 C5[(int)(K[1] >> 16) & 0xff] ^
142 C6[(int)(K[0] >> 8) & 0xff] ^
143 C7[(int)(K[7] ) & 0xff];
144 L[7] =
145 C0[(int)(K[7] >> 56) ] ^
146 C1[(int)(K[6] >> 48) & 0xff] ^
147 C2[(int)(K[5] >> 40) & 0xff] ^
148 C3[(int)(K[4] >> 32) & 0xff] ^
149 C4[(int)(K[3] >> 24) & 0xff] ^
150 C5[(int)(K[2] >> 16) & 0xff] ^
151 C6[(int)(K[1] >> 8) & 0xff] ^
152 C7[(int)(K[0] ) & 0xff];
153 K[0] = L[0];
154 K[1] = L[1];
155 K[2] = L[2];
156 K[3] = L[3];
157 K[4] = L[4];
158 K[5] = L[5];
159 K[6] = L[6];
160 K[7] = L[7];
161 /*
162 * apply the r-th round transformation:
163 */
164 L[0] =
165 C0[(int)(state[0] >> 56) ] ^
166 C1[(int)(state[7] >> 48) & 0xff] ^
167 C2[(int)(state[6] >> 40) & 0xff] ^
168 C3[(int)(state[5] >> 32) & 0xff] ^
169 C4[(int)(state[4] >> 24) & 0xff] ^
170 C5[(int)(state[3] >> 16) & 0xff] ^
171 C6[(int)(state[2] >> 8) & 0xff] ^
172 C7[(int)(state[1] ) & 0xff] ^
173 K[0];
174 L[1] =
175 C0[(int)(state[1] >> 56) ] ^
176 C1[(int)(state[0] >> 48) & 0xff] ^
177 C2[(int)(state[7] >> 40) & 0xff] ^
178 C3[(int)(state[6] >> 32) & 0xff] ^
179 C4[(int)(state[5] >> 24) & 0xff] ^
180 C5[(int)(state[4] >> 16) & 0xff] ^
181 C6[(int)(state[3] >> 8) & 0xff] ^
182 C7[(int)(state[2] ) & 0xff] ^
183 K[1];
184 L[2] =
185 C0[(int)(state[2] >> 56) ] ^
186 C1[(int)(state[1] >> 48) & 0xff] ^
187 C2[(int)(state[0] >> 40) & 0xff] ^
188 C3[(int)(state[7] >> 32) & 0xff] ^
189 C4[(int)(state[6] >> 24) & 0xff] ^
190 C5[(int)(state[5] >> 16) & 0xff] ^
191 C6[(int)(state[4] >> 8) & 0xff] ^
192 C7[(int)(state[3] ) & 0xff] ^
193 K[2];
194 L[3] =
195 C0[(int)(state[3] >> 56) ] ^
196 C1[(int)(state[2] >> 48) & 0xff] ^
197 C2[(int)(state[1] >> 40) & 0xff] ^
198 C3[(int)(state[0] >> 32) & 0xff] ^
199 C4[(int)(state[7] >> 24) & 0xff] ^
200 C5[(int)(state[6] >> 16) & 0xff] ^
201 C6[(int)(state[5] >> 8) & 0xff] ^
202 C7[(int)(state[4] ) & 0xff] ^
203 K[3];
204 L[4] =
205 C0[(int)(state[4] >> 56) ] ^
206 C1[(int)(state[3] >> 48) & 0xff] ^
207 C2[(int)(state[2] >> 40) & 0xff] ^
208 C3[(int)(state[1] >> 32) & 0xff] ^
209 C4[(int)(state[0] >> 24) & 0xff] ^
210 C5[(int)(state[7] >> 16) & 0xff] ^
211 C6[(int)(state[6] >> 8) & 0xff] ^
212 C7[(int)(state[5] ) & 0xff] ^
213 K[4];
214 L[5] =
215 C0[(int)(state[5] >> 56) ] ^
216 C1[(int)(state[4] >> 48) & 0xff] ^
217 C2[(int)(state[3] >> 40) & 0xff] ^
218 C3[(int)(state[2] >> 32) & 0xff] ^
219 C4[(int)(state[1] >> 24) & 0xff] ^
220 C5[(int)(state[0] >> 16) & 0xff] ^
221 C6[(int)(state[7] >> 8) & 0xff] ^
222 C7[(int)(state[6] ) & 0xff] ^
223 K[5];
224 L[6] =
225 C0[(int)(state[6] >> 56) ] ^
226 C1[(int)(state[5] >> 48) & 0xff] ^
227 C2[(int)(state[4] >> 40) & 0xff] ^
228 C3[(int)(state[3] >> 32) & 0xff] ^
229 C4[(int)(state[2] >> 24) & 0xff] ^
230 C5[(int)(state[1] >> 16) & 0xff] ^
231 C6[(int)(state[0] >> 8) & 0xff] ^
232 C7[(int)(state[7] ) & 0xff] ^
233 K[6];
234 L[7] =
235 C0[(int)(state[7] >> 56) ] ^
236 C1[(int)(state[6] >> 48) & 0xff] ^
237 C2[(int)(state[5] >> 40) & 0xff] ^
238 C3[(int)(state[4] >> 32) & 0xff] ^
239 C4[(int)(state[3] >> 24) & 0xff] ^
240 C5[(int)(state[2] >> 16) & 0xff] ^
241 C6[(int)(state[1] >> 8) & 0xff] ^
242 C7[(int)(state[0] ) & 0xff] ^
243 K[7];
244 state[0] = L[0];
245 state[1] = L[1];
246 state[2] = L[2];
247 state[3] = L[3];
248 state[4] = L[4];
249 state[5] = L[5];
250 state[6] = L[6];
251 state[7] = L[7];
252 }
253 /*
254 * apply the Miyaguchi-Preneel compression function:
255 */
256 context->state[0] ^= state[0] ^ block[0];
257 context->state[1] ^= state[1] ^ block[1];
258 context->state[2] ^= state[2] ^ block[2];
259 context->state[3] ^= state[3] ^ block[3];
260 context->state[4] ^= state[4] ^ block[4];
261 context->state[5] ^= state[5] ^ block[5];
262 context->state[6] ^= state[6] ^ block[6];
263 context->state[7] ^= state[7] ^ block[7];
264
265 ZEND_SECURE_ZERO(state, sizeof(state));
266 }
267
PHP_WHIRLPOOLInit(PHP_WHIRLPOOL_CTX * context)268 PHP_HASH_API void PHP_WHIRLPOOLInit(PHP_WHIRLPOOL_CTX *context)
269 {
270 memset(context, 0, sizeof(*context));
271 }
272
PHP_WHIRLPOOLUpdate(PHP_WHIRLPOOL_CTX * context,const unsigned char * input,size_t len)273 PHP_HASH_API void PHP_WHIRLPOOLUpdate(PHP_WHIRLPOOL_CTX *context, const unsigned char *input, size_t len)
274 {
275 uint64_t sourceBits = len * 8;
276 int sourcePos = 0; /* index of leftmost source unsigned char containing data (1 to 8 bits). */
277 int sourceGap = (8 - ((int)sourceBits & 7)) & 7; /* space on source[sourcePos]. */
278 int bufferRem = context->buffer.bits & 7; /* occupied bits on buffer[bufferPos]. */
279 const unsigned char *source = input;
280 unsigned char *buffer = context->buffer.data;
281 unsigned char *bitLength = context->bitlength;
282 int bufferBits = context->buffer.bits;
283 int bufferPos = context->buffer.pos;
284 uint32_t b, carry;
285 int i;
286
287 /*
288 * tally the length of the added data:
289 */
290 uint64_t value = sourceBits;
291 for (i = 31, carry = 0; i >= 0 && (carry != 0 || value != L64(0)); i--) {
292 carry += bitLength[i] + ((uint32_t)value & 0xff);
293 bitLength[i] = (unsigned char)carry;
294 carry >>= 8;
295 value >>= 8;
296 }
297 /*
298 * process data in chunks of 8 bits (a more efficient approach would be to take whole-word chunks):
299 */
300 while (sourceBits > 8) {
301 /* N.B. at least source[sourcePos] and source[sourcePos+1] contain data. */
302 /*
303 * take a byte from the source:
304 */
305 b = ((source[sourcePos] << sourceGap) & 0xff) |
306 ((source[sourcePos + 1] & 0xff) >> (8 - sourceGap));
307 /*
308 * process this byte:
309 */
310 buffer[bufferPos++] |= (unsigned char)(b >> bufferRem);
311 bufferBits += 8 - bufferRem; /* bufferBits = 8*bufferPos; */
312 if (bufferBits == DIGESTBITS) {
313 /*
314 * process data block:
315 */
316 WhirlpoolTransform(context);
317 /*
318 * reset buffer:
319 */
320 bufferBits = bufferPos = 0;
321 }
322 buffer[bufferPos] = (unsigned char) (b << (8 - bufferRem));
323 bufferBits += bufferRem;
324 /*
325 * proceed to remaining data:
326 */
327 sourceBits -= 8;
328 sourcePos++;
329 }
330 /* now 0 <= sourceBits <= 8;
331 * furthermore, all data (if any is left) is in source[sourcePos].
332 */
333 if (sourceBits > 0) {
334 b = (source[sourcePos] << sourceGap) & 0xff; /* bits are left-justified on b. */
335 /*
336 * process the remaining bits:
337 */
338 buffer[bufferPos] |= b >> bufferRem;
339 } else {
340 b = 0;
341 }
342 if (bufferRem + sourceBits < 8) {
343 /*
344 * all remaining data fits on buffer[bufferPos],
345 * and there still remains some space.
346 */
347 bufferBits += (int) sourceBits;
348 } else {
349 /*
350 * buffer[bufferPos] is full:
351 */
352 bufferPos++;
353 bufferBits += 8 - bufferRem; /* bufferBits = 8*bufferPos; */
354 sourceBits -= 8 - bufferRem;
355 /* now 0 <= sourceBits < 8;
356 * furthermore, all data (if any is left) is in source[sourcePos].
357 */
358 if (bufferBits == DIGESTBITS) {
359 /*
360 * process data block:
361 */
362 WhirlpoolTransform(context);
363 /*
364 * reset buffer:
365 */
366 bufferBits = bufferPos = 0;
367 }
368 buffer[bufferPos] = (unsigned char) (b << (8 - bufferRem));
369 bufferBits += (int)sourceBits;
370 }
371 context->buffer.bits = bufferBits;
372 context->buffer.pos = bufferPos;
373 }
374
PHP_WHIRLPOOLFinal(unsigned char digest[64],PHP_WHIRLPOOL_CTX * context)375 PHP_HASH_API void PHP_WHIRLPOOLFinal(unsigned char digest[64], PHP_WHIRLPOOL_CTX *context)
376 {
377 int i;
378 unsigned char *buffer = context->buffer.data;
379 unsigned char *bitLength = context->bitlength;
380 int bufferBits = context->buffer.bits;
381 int bufferPos = context->buffer.pos;
382
383 /*
384 * append a '1'-bit:
385 */
386 buffer[bufferPos] |= 0x80U >> (bufferBits & 7);
387 bufferPos++; /* all remaining bits on the current unsigned char are set to zero. */
388 /*
389 * pad with zero bits to complete (N*WBLOCKBITS - LENGTHBITS) bits:
390 */
391 if (bufferPos > WBLOCKBYTES - LENGTHBYTES) {
392 if (bufferPos < WBLOCKBYTES) {
393 memset(&buffer[bufferPos], 0, WBLOCKBYTES - bufferPos);
394 }
395 /*
396 * process data block:
397 */
398 WhirlpoolTransform(context);
399 /*
400 * reset buffer:
401 */
402 bufferPos = 0;
403 }
404 if (bufferPos < WBLOCKBYTES - LENGTHBYTES) {
405 memset(&buffer[bufferPos], 0, (WBLOCKBYTES - LENGTHBYTES) - bufferPos);
406 }
407 bufferPos = WBLOCKBYTES - LENGTHBYTES;
408 /*
409 * append bit length of hashed data:
410 */
411 memcpy(&buffer[WBLOCKBYTES - LENGTHBYTES], bitLength, LENGTHBYTES);
412 /*
413 * process data block:
414 */
415 WhirlpoolTransform(context);
416 /*
417 * return the completed message digest:
418 */
419 for (i = 0; i < DIGESTBYTES/8; i++) {
420 digest[0] = (unsigned char)(context->state[i] >> 56);
421 digest[1] = (unsigned char)(context->state[i] >> 48);
422 digest[2] = (unsigned char)(context->state[i] >> 40);
423 digest[3] = (unsigned char)(context->state[i] >> 32);
424 digest[4] = (unsigned char)(context->state[i] >> 24);
425 digest[5] = (unsigned char)(context->state[i] >> 16);
426 digest[6] = (unsigned char)(context->state[i] >> 8);
427 digest[7] = (unsigned char)(context->state[i] );
428 digest += 8;
429 }
430
431 ZEND_SECURE_ZERO(context, sizeof(*context));
432 }
433
434 const php_hash_ops php_hash_whirlpool_ops = {
435 (php_hash_init_func_t) PHP_WHIRLPOOLInit,
436 (php_hash_update_func_t) PHP_WHIRLPOOLUpdate,
437 (php_hash_final_func_t) PHP_WHIRLPOOLFinal,
438 (php_hash_copy_func_t) php_hash_copy,
439 64,
440 64,
441 sizeof(PHP_WHIRLPOOL_CTX),
442 1
443 };
444
445 /*
446 * Local variables:
447 * tab-width: 4
448 * c-basic-offset: 4
449 * End:
450 * vim600: sw=4 ts=4 fdm=marker
451 * vim<600: sw=4 ts=4
452 */
453
