xref: /PHP-7.4/ext/hash/hash_whirlpool.c (revision 92ac598a)
1 /*
2   +----------------------------------------------------------------------+
3   | PHP Version 7                                                        |
4   +----------------------------------------------------------------------+
5   | Copyright (c) The PHP Group                                          |
6   +----------------------------------------------------------------------+
7   | This source file is subject to version 3.01 of the PHP license,      |
8   | that is bundled with this package in the file LICENSE, and is        |
9   | available through the world-wide-web at the following url:           |
10   | http://www.php.net/license/3_01.txt                                  |
11   | If you did not receive a copy of the PHP license and are unable to   |
12   | obtain it through the world-wide-web, please send a note to          |
13   | license@php.net so we can mail you a copy immediately.               |
14   +----------------------------------------------------------------------+
15   | Authors: Michael Wallner <mike@php.net>                              |
16   |          Sara Golemon <pollita@php.net>                              |
17   +----------------------------------------------------------------------+
18 */
19 
20 #include "php_hash.h"
21 
22 /*
23  * TODO: simplify Update and Final, those look ridiculously complex
24  * Mike, 2005-11-23
25  */
26 
27 #include "php_hash_whirlpool.h"
28 #include "php_hash_whirlpool_tables.h"
29 
30 #define DIGESTBYTES 64
31 #define DIGESTBITS  (8*DIGESTBYTES) /* 512 */
32 
33 #define WBLOCKBYTES 64
34 #define WBLOCKBITS  (8*WBLOCKBYTES) /* 512 */
35 
36 #define LENGTHBYTES 32
37 #define LENGTHBITS  (8*LENGTHBYTES) /* 256 */
38 
WhirlpoolTransform(PHP_WHIRLPOOL_CTX * context)39 static void WhirlpoolTransform(PHP_WHIRLPOOL_CTX *context)
40 {
41     int i, r;
42     uint64_t K[8];        /* the round key */
43     uint64_t block[8];    /* mu(buffer) */
44     uint64_t state[8];    /* the cipher state */
45     uint64_t L[8];
46     unsigned char *buffer = context->buffer.data;
47 
48     /*
49      * map the buffer to a block:
50      */
51     for (i = 0; i < 8; i++, buffer += 8) {
52         block[i] =
53             (((uint64_t)buffer[0]        ) << 56) ^
54             (((uint64_t)buffer[1] & 0xffL) << 48) ^
55             (((uint64_t)buffer[2] & 0xffL) << 40) ^
56             (((uint64_t)buffer[3] & 0xffL) << 32) ^
57             (((uint64_t)buffer[4] & 0xffL) << 24) ^
58             (((uint64_t)buffer[5] & 0xffL) << 16) ^
59             (((uint64_t)buffer[6] & 0xffL) <<  8) ^
60             (((uint64_t)buffer[7] & 0xffL)      );
61     }
62     /*
63      * compute and apply K^0 to the cipher state:
64      */
65     state[0] = block[0] ^ (K[0] = context->state[0]);
66     state[1] = block[1] ^ (K[1] = context->state[1]);
67     state[2] = block[2] ^ (K[2] = context->state[2]);
68     state[3] = block[3] ^ (K[3] = context->state[3]);
69     state[4] = block[4] ^ (K[4] = context->state[4]);
70     state[5] = block[5] ^ (K[5] = context->state[5]);
71     state[6] = block[6] ^ (K[6] = context->state[6]);
72     state[7] = block[7] ^ (K[7] = context->state[7]);
73     /*
74      * iterate over all rounds:
75      */
76     for (r = 1; r <= R; r++) {
77         /*
78          * compute K^r from K^{r-1}:
79          */
80         L[0] =
81             C0[(int)(K[0] >> 56)       ] ^
82             C1[(int)(K[7] >> 48) & 0xff] ^
83             C2[(int)(K[6] >> 40) & 0xff] ^
84             C3[(int)(K[5] >> 32) & 0xff] ^
85             C4[(int)(K[4] >> 24) & 0xff] ^
86             C5[(int)(K[3] >> 16) & 0xff] ^
87             C6[(int)(K[2] >>  8) & 0xff] ^
88             C7[(int)(K[1]      ) & 0xff] ^
89             rc[r];
90         L[1] =
91             C0[(int)(K[1] >> 56)       ] ^
92             C1[(int)(K[0] >> 48) & 0xff] ^
93             C2[(int)(K[7] >> 40) & 0xff] ^
94             C3[(int)(K[6] >> 32) & 0xff] ^
95             C4[(int)(K[5] >> 24) & 0xff] ^
96             C5[(int)(K[4] >> 16) & 0xff] ^
97             C6[(int)(K[3] >>  8) & 0xff] ^
98             C7[(int)(K[2]      ) & 0xff];
99         L[2] =
100             C0[(int)(K[2] >> 56)       ] ^
101             C1[(int)(K[1] >> 48) & 0xff] ^
102             C2[(int)(K[0] >> 40) & 0xff] ^
103             C3[(int)(K[7] >> 32) & 0xff] ^
104             C4[(int)(K[6] >> 24) & 0xff] ^
105             C5[(int)(K[5] >> 16) & 0xff] ^
106             C6[(int)(K[4] >>  8) & 0xff] ^
107             C7[(int)(K[3]      ) & 0xff];
108         L[3] =
109             C0[(int)(K[3] >> 56)       ] ^
110             C1[(int)(K[2] >> 48) & 0xff] ^
111             C2[(int)(K[1] >> 40) & 0xff] ^
112             C3[(int)(K[0] >> 32) & 0xff] ^
113             C4[(int)(K[7] >> 24) & 0xff] ^
114             C5[(int)(K[6] >> 16) & 0xff] ^
115             C6[(int)(K[5] >>  8) & 0xff] ^
116             C7[(int)(K[4]      ) & 0xff];
117         L[4] =
118             C0[(int)(K[4] >> 56)       ] ^
119             C1[(int)(K[3] >> 48) & 0xff] ^
120             C2[(int)(K[2] >> 40) & 0xff] ^
121             C3[(int)(K[1] >> 32) & 0xff] ^
122             C4[(int)(K[0] >> 24) & 0xff] ^
123             C5[(int)(K[7] >> 16) & 0xff] ^
124             C6[(int)(K[6] >>  8) & 0xff] ^
125             C7[(int)(K[5]      ) & 0xff];
126         L[5] =
127             C0[(int)(K[5] >> 56)       ] ^
128             C1[(int)(K[4] >> 48) & 0xff] ^
129             C2[(int)(K[3] >> 40) & 0xff] ^
130             C3[(int)(K[2] >> 32) & 0xff] ^
131             C4[(int)(K[1] >> 24) & 0xff] ^
132             C5[(int)(K[0] >> 16) & 0xff] ^
133             C6[(int)(K[7] >>  8) & 0xff] ^
134             C7[(int)(K[6]      ) & 0xff];
135         L[6] =
136             C0[(int)(K[6] >> 56)       ] ^
137             C1[(int)(K[5] >> 48) & 0xff] ^
138             C2[(int)(K[4] >> 40) & 0xff] ^
139             C3[(int)(K[3] >> 32) & 0xff] ^
140             C4[(int)(K[2] >> 24) & 0xff] ^
141             C5[(int)(K[1] >> 16) & 0xff] ^
142             C6[(int)(K[0] >>  8) & 0xff] ^
143             C7[(int)(K[7]      ) & 0xff];
144         L[7] =
145             C0[(int)(K[7] >> 56)       ] ^
146             C1[(int)(K[6] >> 48) & 0xff] ^
147             C2[(int)(K[5] >> 40) & 0xff] ^
148             C3[(int)(K[4] >> 32) & 0xff] ^
149             C4[(int)(K[3] >> 24) & 0xff] ^
150             C5[(int)(K[2] >> 16) & 0xff] ^
151             C6[(int)(K[1] >>  8) & 0xff] ^
152             C7[(int)(K[0]      ) & 0xff];
153         K[0] = L[0];
154         K[1] = L[1];
155         K[2] = L[2];
156         K[3] = L[3];
157         K[4] = L[4];
158         K[5] = L[5];
159         K[6] = L[6];
160         K[7] = L[7];
161         /*
162          * apply the r-th round transformation:
163          */
164         L[0] =
165             C0[(int)(state[0] >> 56)       ] ^
166             C1[(int)(state[7] >> 48) & 0xff] ^
167             C2[(int)(state[6] >> 40) & 0xff] ^
168             C3[(int)(state[5] >> 32) & 0xff] ^
169             C4[(int)(state[4] >> 24) & 0xff] ^
170             C5[(int)(state[3] >> 16) & 0xff] ^
171             C6[(int)(state[2] >>  8) & 0xff] ^
172             C7[(int)(state[1]      ) & 0xff] ^
173             K[0];
174         L[1] =
175             C0[(int)(state[1] >> 56)       ] ^
176             C1[(int)(state[0] >> 48) & 0xff] ^
177             C2[(int)(state[7] >> 40) & 0xff] ^
178             C3[(int)(state[6] >> 32) & 0xff] ^
179             C4[(int)(state[5] >> 24) & 0xff] ^
180             C5[(int)(state[4] >> 16) & 0xff] ^
181             C6[(int)(state[3] >>  8) & 0xff] ^
182             C7[(int)(state[2]      ) & 0xff] ^
183             K[1];
184         L[2] =
185             C0[(int)(state[2] >> 56)       ] ^
186             C1[(int)(state[1] >> 48) & 0xff] ^
187             C2[(int)(state[0] >> 40) & 0xff] ^
188             C3[(int)(state[7] >> 32) & 0xff] ^
189             C4[(int)(state[6] >> 24) & 0xff] ^
190             C5[(int)(state[5] >> 16) & 0xff] ^
191             C6[(int)(state[4] >>  8) & 0xff] ^
192             C7[(int)(state[3]      ) & 0xff] ^
193             K[2];
194         L[3] =
195             C0[(int)(state[3] >> 56)       ] ^
196             C1[(int)(state[2] >> 48) & 0xff] ^
197             C2[(int)(state[1] >> 40) & 0xff] ^
198             C3[(int)(state[0] >> 32) & 0xff] ^
199             C4[(int)(state[7] >> 24) & 0xff] ^
200             C5[(int)(state[6] >> 16) & 0xff] ^
201             C6[(int)(state[5] >>  8) & 0xff] ^
202             C7[(int)(state[4]      ) & 0xff] ^
203             K[3];
204         L[4] =
205             C0[(int)(state[4] >> 56)       ] ^
206             C1[(int)(state[3] >> 48) & 0xff] ^
207             C2[(int)(state[2] >> 40) & 0xff] ^
208             C3[(int)(state[1] >> 32) & 0xff] ^
209             C4[(int)(state[0] >> 24) & 0xff] ^
210             C5[(int)(state[7] >> 16) & 0xff] ^
211             C6[(int)(state[6] >>  8) & 0xff] ^
212             C7[(int)(state[5]      ) & 0xff] ^
213             K[4];
214         L[5] =
215             C0[(int)(state[5] >> 56)       ] ^
216             C1[(int)(state[4] >> 48) & 0xff] ^
217             C2[(int)(state[3] >> 40) & 0xff] ^
218             C3[(int)(state[2] >> 32) & 0xff] ^
219             C4[(int)(state[1] >> 24) & 0xff] ^
220             C5[(int)(state[0] >> 16) & 0xff] ^
221             C6[(int)(state[7] >>  8) & 0xff] ^
222             C7[(int)(state[6]      ) & 0xff] ^
223             K[5];
224         L[6] =
225             C0[(int)(state[6] >> 56)       ] ^
226             C1[(int)(state[5] >> 48) & 0xff] ^
227             C2[(int)(state[4] >> 40) & 0xff] ^
228             C3[(int)(state[3] >> 32) & 0xff] ^
229             C4[(int)(state[2] >> 24) & 0xff] ^
230             C5[(int)(state[1] >> 16) & 0xff] ^
231             C6[(int)(state[0] >>  8) & 0xff] ^
232             C7[(int)(state[7]      ) & 0xff] ^
233             K[6];
234         L[7] =
235             C0[(int)(state[7] >> 56)       ] ^
236             C1[(int)(state[6] >> 48) & 0xff] ^
237             C2[(int)(state[5] >> 40) & 0xff] ^
238             C3[(int)(state[4] >> 32) & 0xff] ^
239             C4[(int)(state[3] >> 24) & 0xff] ^
240             C5[(int)(state[2] >> 16) & 0xff] ^
241             C6[(int)(state[1] >>  8) & 0xff] ^
242             C7[(int)(state[0]      ) & 0xff] ^
243             K[7];
244         state[0] = L[0];
245         state[1] = L[1];
246         state[2] = L[2];
247         state[3] = L[3];
248         state[4] = L[4];
249         state[5] = L[5];
250         state[6] = L[6];
251         state[7] = L[7];
252     }
253     /*
254      * apply the Miyaguchi-Preneel compression function:
255      */
256     context->state[0] ^= state[0] ^ block[0];
257     context->state[1] ^= state[1] ^ block[1];
258     context->state[2] ^= state[2] ^ block[2];
259     context->state[3] ^= state[3] ^ block[3];
260     context->state[4] ^= state[4] ^ block[4];
261     context->state[5] ^= state[5] ^ block[5];
262     context->state[6] ^= state[6] ^ block[6];
263     context->state[7] ^= state[7] ^ block[7];
264 
265 	ZEND_SECURE_ZERO(state, sizeof(state));
266 }
267 
PHP_WHIRLPOOLInit(PHP_WHIRLPOOL_CTX * context)268 PHP_HASH_API void PHP_WHIRLPOOLInit(PHP_WHIRLPOOL_CTX *context)
269 {
270 	memset(context, 0, sizeof(*context));
271 }
272 
PHP_WHIRLPOOLUpdate(PHP_WHIRLPOOL_CTX * context,const unsigned char * input,size_t len)273 PHP_HASH_API void PHP_WHIRLPOOLUpdate(PHP_WHIRLPOOL_CTX *context, const unsigned char *input, size_t len)
274 {
275     uint64_t sourceBits = len * 8;
276     int sourcePos    = 0; /* index of leftmost source unsigned char containing data (1 to 8 bits). */
277     int sourceGap    = (8 - ((int)sourceBits & 7)) & 7; /* space on source[sourcePos]. */
278     int bufferRem    = context->buffer.bits & 7; /* occupied bits on buffer[bufferPos]. */
279     const unsigned char *source = input;
280     unsigned char *buffer       = context->buffer.data;
281     unsigned char *bitLength    = context->bitlength;
282     int bufferBits   = context->buffer.bits;
283     int bufferPos    = context->buffer.pos;
284     uint32_t b, carry;
285     int i;
286 
287     /*
288      * tally the length of the added data:
289      */
290     uint64_t value = sourceBits;
291     for (i = 31, carry = 0; i >= 0 && (carry != 0 || value != L64(0)); i--) {
292         carry += bitLength[i] + ((uint32_t)value & 0xff);
293         bitLength[i] = (unsigned char)carry;
294         carry >>= 8;
295         value >>= 8;
296     }
297     /*
298      * process data in chunks of 8 bits (a more efficient approach would be to take whole-word chunks):
299      */
300     while (sourceBits > 8) {
301         /* N.B. at least source[sourcePos] and source[sourcePos+1] contain data. */
302         /*
303          * take a byte from the source:
304          */
305         b = ((source[sourcePos] << sourceGap) & 0xff) |
306             ((source[sourcePos + 1] & 0xff) >> (8 - sourceGap));
307         /*
308          * process this byte:
309          */
310         buffer[bufferPos++] |= (unsigned char)(b >> bufferRem);
311         bufferBits += 8 - bufferRem; /* bufferBits = 8*bufferPos; */
312         if (bufferBits == DIGESTBITS) {
313             /*
314              * process data block:
315              */
316             WhirlpoolTransform(context);
317             /*
318              * reset buffer:
319              */
320             bufferBits = bufferPos = 0;
321         }
322         buffer[bufferPos] = (unsigned char) (b << (8 - bufferRem));
323         bufferBits += bufferRem;
324         /*
325          * proceed to remaining data:
326          */
327         sourceBits -= 8;
328         sourcePos++;
329     }
330     /* now 0 <= sourceBits <= 8;
331      * furthermore, all data (if any is left) is in source[sourcePos].
332      */
333     if (sourceBits > 0) {
334         b = (source[sourcePos] << sourceGap) & 0xff; /* bits are left-justified on b. */
335         /*
336          * process the remaining bits:
337          */
338         buffer[bufferPos] |= b >> bufferRem;
339     } else {
340         b = 0;
341     }
342     if (bufferRem + sourceBits < 8) {
343         /*
344          * all remaining data fits on buffer[bufferPos],
345          * and there still remains some space.
346          */
347         bufferBits += (int) sourceBits;
348     } else {
349         /*
350          * buffer[bufferPos] is full:
351          */
352         bufferPos++;
353         bufferBits += 8 - bufferRem; /* bufferBits = 8*bufferPos; */
354         sourceBits -= 8 - bufferRem;
355         /* now 0 <= sourceBits < 8;
356          * furthermore, all data (if any is left) is in source[sourcePos].
357          */
358         if (bufferBits == DIGESTBITS) {
359             /*
360              * process data block:
361              */
362             WhirlpoolTransform(context);
363             /*
364              * reset buffer:
365              */
366             bufferBits = bufferPos = 0;
367         }
368         buffer[bufferPos] = (unsigned char) (b << (8 - bufferRem));
369         bufferBits += (int)sourceBits;
370     }
371     context->buffer.bits   = bufferBits;
372     context->buffer.pos    = bufferPos;
373 }
374 
PHP_WHIRLPOOLFinal(unsigned char digest[64],PHP_WHIRLPOOL_CTX * context)375 PHP_HASH_API void PHP_WHIRLPOOLFinal(unsigned char digest[64], PHP_WHIRLPOOL_CTX *context)
376 {
377     int i;
378     unsigned char *buffer      = context->buffer.data;
379     unsigned char *bitLength   = context->bitlength;
380     int bufferBits  = context->buffer.bits;
381     int bufferPos   = context->buffer.pos;
382 
383     /*
384      * append a '1'-bit:
385      */
386     buffer[bufferPos] |= 0x80U >> (bufferBits & 7);
387     bufferPos++; /* all remaining bits on the current unsigned char are set to zero. */
388     /*
389      * pad with zero bits to complete (N*WBLOCKBITS - LENGTHBITS) bits:
390      */
391     if (bufferPos > WBLOCKBYTES - LENGTHBYTES) {
392         if (bufferPos < WBLOCKBYTES) {
393             memset(&buffer[bufferPos], 0, WBLOCKBYTES - bufferPos);
394         }
395         /*
396          * process data block:
397          */
398         WhirlpoolTransform(context);
399         /*
400          * reset buffer:
401          */
402         bufferPos = 0;
403     }
404     if (bufferPos < WBLOCKBYTES - LENGTHBYTES) {
405         memset(&buffer[bufferPos], 0, (WBLOCKBYTES - LENGTHBYTES) - bufferPos);
406     }
407     bufferPos = WBLOCKBYTES - LENGTHBYTES;
408     /*
409      * append bit length of hashed data:
410      */
411     memcpy(&buffer[WBLOCKBYTES - LENGTHBYTES], bitLength, LENGTHBYTES);
412     /*
413      * process data block:
414      */
415     WhirlpoolTransform(context);
416     /*
417      * return the completed message digest:
418      */
419     for (i = 0; i < DIGESTBYTES/8; i++) {
420         digest[0] = (unsigned char)(context->state[i] >> 56);
421         digest[1] = (unsigned char)(context->state[i] >> 48);
422         digest[2] = (unsigned char)(context->state[i] >> 40);
423         digest[3] = (unsigned char)(context->state[i] >> 32);
424         digest[4] = (unsigned char)(context->state[i] >> 24);
425         digest[5] = (unsigned char)(context->state[i] >> 16);
426         digest[6] = (unsigned char)(context->state[i] >>  8);
427         digest[7] = (unsigned char)(context->state[i]      );
428         digest += 8;
429     }
430 
431     ZEND_SECURE_ZERO(context, sizeof(*context));
432 }
433 
434 const php_hash_ops php_hash_whirlpool_ops = {
435 	(php_hash_init_func_t) PHP_WHIRLPOOLInit,
436 	(php_hash_update_func_t) PHP_WHIRLPOOLUpdate,
437 	(php_hash_final_func_t) PHP_WHIRLPOOLFinal,
438 	(php_hash_copy_func_t) php_hash_copy,
439 	64,
440 	64,
441 	sizeof(PHP_WHIRLPOOL_CTX),
442 	1
443 };
444