1 /*
2 +----------------------------------------------------------------------+
3 | Copyright (c) The PHP Group |
4 +----------------------------------------------------------------------+
5 | This source file is subject to version 3.01 of the PHP license, |
6 | that is bundled with this package in the file LICENSE, and is |
7 | available through the world-wide-web at the following url: |
8 | https://www.php.net/license/3_01.txt |
9 | If you did not receive a copy of the PHP license and are unable to |
10 | obtain it through the world-wide-web, please send a note to |
11 | license@php.net so we can mail you a copy immediately. |
12 +----------------------------------------------------------------------+
13 | Authors: Michael Wallner <mike@php.net> |
14 | Sara Golemon <pollita@php.net> |
15 +----------------------------------------------------------------------+
16 */
17
18 #include "php_hash.h"
19
20 /*
21 * TODO: simplify Update and Final, those look ridiculously complex
22 * Mike, 2005-11-23
23 */
24
25 #include "php_hash_whirlpool.h"
26 #include "php_hash_whirlpool_tables.h"
27
28 #define DIGESTBYTES 64
29 #define DIGESTBITS (8*DIGESTBYTES) /* 512 */
30
31 #define WBLOCKBYTES 64
32 #define WBLOCKBITS (8*WBLOCKBYTES) /* 512 */
33
34 #define LENGTHBYTES 32
35 #define LENGTHBITS (8*LENGTHBYTES) /* 256 */
36
WhirlpoolTransform(PHP_WHIRLPOOL_CTX * context)37 static void WhirlpoolTransform(PHP_WHIRLPOOL_CTX *context)
38 {
39 int i, r;
40 uint64_t K[8]; /* the round key */
41 uint64_t block[8]; /* mu(buffer) */
42 uint64_t state[8]; /* the cipher state */
43 uint64_t L[8];
44 unsigned char *buffer = context->buffer.data;
45
46 /*
47 * map the buffer to a block:
48 */
49 for (i = 0; i < 8; i++, buffer += 8) {
50 block[i] =
51 (((uint64_t)buffer[0] ) << 56) ^
52 (((uint64_t)buffer[1] & 0xffL) << 48) ^
53 (((uint64_t)buffer[2] & 0xffL) << 40) ^
54 (((uint64_t)buffer[3] & 0xffL) << 32) ^
55 (((uint64_t)buffer[4] & 0xffL) << 24) ^
56 (((uint64_t)buffer[5] & 0xffL) << 16) ^
57 (((uint64_t)buffer[6] & 0xffL) << 8) ^
58 (((uint64_t)buffer[7] & 0xffL) );
59 }
60 /*
61 * compute and apply K^0 to the cipher state:
62 */
63 state[0] = block[0] ^ (K[0] = context->state[0]);
64 state[1] = block[1] ^ (K[1] = context->state[1]);
65 state[2] = block[2] ^ (K[2] = context->state[2]);
66 state[3] = block[3] ^ (K[3] = context->state[3]);
67 state[4] = block[4] ^ (K[4] = context->state[4]);
68 state[5] = block[5] ^ (K[5] = context->state[5]);
69 state[6] = block[6] ^ (K[6] = context->state[6]);
70 state[7] = block[7] ^ (K[7] = context->state[7]);
71 /*
72 * iterate over all rounds:
73 */
74 for (r = 1; r <= R; r++) {
75 /*
76 * compute K^r from K^{r-1}:
77 */
78 L[0] =
79 C0[(int)(K[0] >> 56) ] ^
80 C1[(int)(K[7] >> 48) & 0xff] ^
81 C2[(int)(K[6] >> 40) & 0xff] ^
82 C3[(int)(K[5] >> 32) & 0xff] ^
83 C4[(int)(K[4] >> 24) & 0xff] ^
84 C5[(int)(K[3] >> 16) & 0xff] ^
85 C6[(int)(K[2] >> 8) & 0xff] ^
86 C7[(int)(K[1] ) & 0xff] ^
87 rc[r];
88 L[1] =
89 C0[(int)(K[1] >> 56) ] ^
90 C1[(int)(K[0] >> 48) & 0xff] ^
91 C2[(int)(K[7] >> 40) & 0xff] ^
92 C3[(int)(K[6] >> 32) & 0xff] ^
93 C4[(int)(K[5] >> 24) & 0xff] ^
94 C5[(int)(K[4] >> 16) & 0xff] ^
95 C6[(int)(K[3] >> 8) & 0xff] ^
96 C7[(int)(K[2] ) & 0xff];
97 L[2] =
98 C0[(int)(K[2] >> 56) ] ^
99 C1[(int)(K[1] >> 48) & 0xff] ^
100 C2[(int)(K[0] >> 40) & 0xff] ^
101 C3[(int)(K[7] >> 32) & 0xff] ^
102 C4[(int)(K[6] >> 24) & 0xff] ^
103 C5[(int)(K[5] >> 16) & 0xff] ^
104 C6[(int)(K[4] >> 8) & 0xff] ^
105 C7[(int)(K[3] ) & 0xff];
106 L[3] =
107 C0[(int)(K[3] >> 56) ] ^
108 C1[(int)(K[2] >> 48) & 0xff] ^
109 C2[(int)(K[1] >> 40) & 0xff] ^
110 C3[(int)(K[0] >> 32) & 0xff] ^
111 C4[(int)(K[7] >> 24) & 0xff] ^
112 C5[(int)(K[6] >> 16) & 0xff] ^
113 C6[(int)(K[5] >> 8) & 0xff] ^
114 C7[(int)(K[4] ) & 0xff];
115 L[4] =
116 C0[(int)(K[4] >> 56) ] ^
117 C1[(int)(K[3] >> 48) & 0xff] ^
118 C2[(int)(K[2] >> 40) & 0xff] ^
119 C3[(int)(K[1] >> 32) & 0xff] ^
120 C4[(int)(K[0] >> 24) & 0xff] ^
121 C5[(int)(K[7] >> 16) & 0xff] ^
122 C6[(int)(K[6] >> 8) & 0xff] ^
123 C7[(int)(K[5] ) & 0xff];
124 L[5] =
125 C0[(int)(K[5] >> 56) ] ^
126 C1[(int)(K[4] >> 48) & 0xff] ^
127 C2[(int)(K[3] >> 40) & 0xff] ^
128 C3[(int)(K[2] >> 32) & 0xff] ^
129 C4[(int)(K[1] >> 24) & 0xff] ^
130 C5[(int)(K[0] >> 16) & 0xff] ^
131 C6[(int)(K[7] >> 8) & 0xff] ^
132 C7[(int)(K[6] ) & 0xff];
133 L[6] =
134 C0[(int)(K[6] >> 56) ] ^
135 C1[(int)(K[5] >> 48) & 0xff] ^
136 C2[(int)(K[4] >> 40) & 0xff] ^
137 C3[(int)(K[3] >> 32) & 0xff] ^
138 C4[(int)(K[2] >> 24) & 0xff] ^
139 C5[(int)(K[1] >> 16) & 0xff] ^
140 C6[(int)(K[0] >> 8) & 0xff] ^
141 C7[(int)(K[7] ) & 0xff];
142 L[7] =
143 C0[(int)(K[7] >> 56) ] ^
144 C1[(int)(K[6] >> 48) & 0xff] ^
145 C2[(int)(K[5] >> 40) & 0xff] ^
146 C3[(int)(K[4] >> 32) & 0xff] ^
147 C4[(int)(K[3] >> 24) & 0xff] ^
148 C5[(int)(K[2] >> 16) & 0xff] ^
149 C6[(int)(K[1] >> 8) & 0xff] ^
150 C7[(int)(K[0] ) & 0xff];
151 K[0] = L[0];
152 K[1] = L[1];
153 K[2] = L[2];
154 K[3] = L[3];
155 K[4] = L[4];
156 K[5] = L[5];
157 K[6] = L[6];
158 K[7] = L[7];
159 /*
160 * apply the r-th round transformation:
161 */
162 L[0] =
163 C0[(int)(state[0] >> 56) ] ^
164 C1[(int)(state[7] >> 48) & 0xff] ^
165 C2[(int)(state[6] >> 40) & 0xff] ^
166 C3[(int)(state[5] >> 32) & 0xff] ^
167 C4[(int)(state[4] >> 24) & 0xff] ^
168 C5[(int)(state[3] >> 16) & 0xff] ^
169 C6[(int)(state[2] >> 8) & 0xff] ^
170 C7[(int)(state[1] ) & 0xff] ^
171 K[0];
172 L[1] =
173 C0[(int)(state[1] >> 56) ] ^
174 C1[(int)(state[0] >> 48) & 0xff] ^
175 C2[(int)(state[7] >> 40) & 0xff] ^
176 C3[(int)(state[6] >> 32) & 0xff] ^
177 C4[(int)(state[5] >> 24) & 0xff] ^
178 C5[(int)(state[4] >> 16) & 0xff] ^
179 C6[(int)(state[3] >> 8) & 0xff] ^
180 C7[(int)(state[2] ) & 0xff] ^
181 K[1];
182 L[2] =
183 C0[(int)(state[2] >> 56) ] ^
184 C1[(int)(state[1] >> 48) & 0xff] ^
185 C2[(int)(state[0] >> 40) & 0xff] ^
186 C3[(int)(state[7] >> 32) & 0xff] ^
187 C4[(int)(state[6] >> 24) & 0xff] ^
188 C5[(int)(state[5] >> 16) & 0xff] ^
189 C6[(int)(state[4] >> 8) & 0xff] ^
190 C7[(int)(state[3] ) & 0xff] ^
191 K[2];
192 L[3] =
193 C0[(int)(state[3] >> 56) ] ^
194 C1[(int)(state[2] >> 48) & 0xff] ^
195 C2[(int)(state[1] >> 40) & 0xff] ^
196 C3[(int)(state[0] >> 32) & 0xff] ^
197 C4[(int)(state[7] >> 24) & 0xff] ^
198 C5[(int)(state[6] >> 16) & 0xff] ^
199 C6[(int)(state[5] >> 8) & 0xff] ^
200 C7[(int)(state[4] ) & 0xff] ^
201 K[3];
202 L[4] =
203 C0[(int)(state[4] >> 56) ] ^
204 C1[(int)(state[3] >> 48) & 0xff] ^
205 C2[(int)(state[2] >> 40) & 0xff] ^
206 C3[(int)(state[1] >> 32) & 0xff] ^
207 C4[(int)(state[0] >> 24) & 0xff] ^
208 C5[(int)(state[7] >> 16) & 0xff] ^
209 C6[(int)(state[6] >> 8) & 0xff] ^
210 C7[(int)(state[5] ) & 0xff] ^
211 K[4];
212 L[5] =
213 C0[(int)(state[5] >> 56) ] ^
214 C1[(int)(state[4] >> 48) & 0xff] ^
215 C2[(int)(state[3] >> 40) & 0xff] ^
216 C3[(int)(state[2] >> 32) & 0xff] ^
217 C4[(int)(state[1] >> 24) & 0xff] ^
218 C5[(int)(state[0] >> 16) & 0xff] ^
219 C6[(int)(state[7] >> 8) & 0xff] ^
220 C7[(int)(state[6] ) & 0xff] ^
221 K[5];
222 L[6] =
223 C0[(int)(state[6] >> 56) ] ^
224 C1[(int)(state[5] >> 48) & 0xff] ^
225 C2[(int)(state[4] >> 40) & 0xff] ^
226 C3[(int)(state[3] >> 32) & 0xff] ^
227 C4[(int)(state[2] >> 24) & 0xff] ^
228 C5[(int)(state[1] >> 16) & 0xff] ^
229 C6[(int)(state[0] >> 8) & 0xff] ^
230 C7[(int)(state[7] ) & 0xff] ^
231 K[6];
232 L[7] =
233 C0[(int)(state[7] >> 56) ] ^
234 C1[(int)(state[6] >> 48) & 0xff] ^
235 C2[(int)(state[5] >> 40) & 0xff] ^
236 C3[(int)(state[4] >> 32) & 0xff] ^
237 C4[(int)(state[3] >> 24) & 0xff] ^
238 C5[(int)(state[2] >> 16) & 0xff] ^
239 C6[(int)(state[1] >> 8) & 0xff] ^
240 C7[(int)(state[0] ) & 0xff] ^
241 K[7];
242 state[0] = L[0];
243 state[1] = L[1];
244 state[2] = L[2];
245 state[3] = L[3];
246 state[4] = L[4];
247 state[5] = L[5];
248 state[6] = L[6];
249 state[7] = L[7];
250 }
251 /*
252 * apply the Miyaguchi-Preneel compression function:
253 */
254 context->state[0] ^= state[0] ^ block[0];
255 context->state[1] ^= state[1] ^ block[1];
256 context->state[2] ^= state[2] ^ block[2];
257 context->state[3] ^= state[3] ^ block[3];
258 context->state[4] ^= state[4] ^ block[4];
259 context->state[5] ^= state[5] ^ block[5];
260 context->state[6] ^= state[6] ^ block[6];
261 context->state[7] ^= state[7] ^ block[7];
262
263 ZEND_SECURE_ZERO(state, sizeof(state));
264 }
265
PHP_WHIRLPOOLInit(PHP_WHIRLPOOL_CTX * context,ZEND_ATTRIBUTE_UNUSED HashTable * args)266 PHP_HASH_API void PHP_WHIRLPOOLInit(PHP_WHIRLPOOL_CTX *context, ZEND_ATTRIBUTE_UNUSED HashTable *args)
267 {
268 memset(context, 0, sizeof(*context));
269 }
270
PHP_WHIRLPOOLUpdate(PHP_WHIRLPOOL_CTX * context,const unsigned char * input,size_t len)271 PHP_HASH_API void PHP_WHIRLPOOLUpdate(PHP_WHIRLPOOL_CTX *context, const unsigned char *input, size_t len)
272 {
273 uint64_t sourceBits = len * 8;
274 int sourcePos = 0; /* index of leftmost source unsigned char containing data (1 to 8 bits). */
275 int sourceGap = (8 - ((int)sourceBits & 7)) & 7; /* space on source[sourcePos]. */
276 int bufferRem = context->buffer.bits & 7; /* occupied bits on buffer[bufferPos]. */
277 const unsigned char *source = input;
278 unsigned char *buffer = context->buffer.data;
279 unsigned char *bitLength = context->bitlength;
280 int bufferBits = context->buffer.bits;
281 int bufferPos = context->buffer.pos;
282 uint32_t b, carry;
283 int i;
284
285 /*
286 * tally the length of the added data:
287 */
288 uint64_t value = sourceBits;
289 for (i = 31, carry = 0; i >= 0 && (carry != 0 || value != L64(0)); i--) {
290 carry += bitLength[i] + ((uint32_t)value & 0xff);
291 bitLength[i] = (unsigned char)carry;
292 carry >>= 8;
293 value >>= 8;
294 }
295 /*
296 * process data in chunks of 8 bits (a more efficient approach would be to take whole-word chunks):
297 */
298 while (sourceBits > 8) {
299 /* N.B. at least source[sourcePos] and source[sourcePos+1] contain data. */
300 /*
301 * take a byte from the source:
302 */
303 b = ((source[sourcePos] << sourceGap) & 0xff) |
304 ((source[sourcePos + 1] & 0xff) >> (8 - sourceGap));
305 /*
306 * process this byte:
307 */
308 buffer[bufferPos++] |= (unsigned char)(b >> bufferRem);
309 bufferBits += 8 - bufferRem; /* bufferBits = 8*bufferPos; */
310 if (bufferBits == DIGESTBITS) {
311 /*
312 * process data block:
313 */
314 WhirlpoolTransform(context);
315 /*
316 * reset buffer:
317 */
318 bufferBits = bufferPos = 0;
319 }
320 buffer[bufferPos] = (unsigned char) (b << (8 - bufferRem));
321 bufferBits += bufferRem;
322 /*
323 * proceed to remaining data:
324 */
325 sourceBits -= 8;
326 sourcePos++;
327 }
328 /* now 0 <= sourceBits <= 8;
329 * furthermore, all data (if any is left) is in source[sourcePos].
330 */
331 if (sourceBits > 0) {
332 b = (source[sourcePos] << sourceGap) & 0xff; /* bits are left-justified on b. */
333 /*
334 * process the remaining bits:
335 */
336 buffer[bufferPos] |= b >> bufferRem;
337 } else {
338 b = 0;
339 }
340 if (bufferRem + sourceBits < 8) {
341 /*
342 * all remaining data fits on buffer[bufferPos],
343 * and there still remains some space.
344 */
345 bufferBits += (int) sourceBits;
346 } else {
347 /*
348 * buffer[bufferPos] is full:
349 */
350 bufferPos++;
351 bufferBits += 8 - bufferRem; /* bufferBits = 8*bufferPos; */
352 sourceBits -= 8 - bufferRem;
353 /* now 0 <= sourceBits < 8;
354 * furthermore, all data (if any is left) is in source[sourcePos].
355 */
356 if (bufferBits == DIGESTBITS) {
357 /*
358 * process data block:
359 */
360 WhirlpoolTransform(context);
361 /*
362 * reset buffer:
363 */
364 bufferBits = bufferPos = 0;
365 }
366 buffer[bufferPos] = (unsigned char) (b << (8 - bufferRem));
367 bufferBits += (int)sourceBits;
368 }
369 context->buffer.bits = bufferBits;
370 context->buffer.pos = bufferPos;
371 }
372
PHP_WHIRLPOOLFinal(unsigned char digest[64],PHP_WHIRLPOOL_CTX * context)373 PHP_HASH_API void PHP_WHIRLPOOLFinal(unsigned char digest[64], PHP_WHIRLPOOL_CTX *context)
374 {
375 int i;
376 unsigned char *buffer = context->buffer.data;
377 unsigned char *bitLength = context->bitlength;
378 int bufferBits = context->buffer.bits;
379 int bufferPos = context->buffer.pos;
380
381 /*
382 * append a '1'-bit:
383 */
384 buffer[bufferPos] |= 0x80U >> (bufferBits & 7);
385 bufferPos++; /* all remaining bits on the current unsigned char are set to zero. */
386 /*
387 * pad with zero bits to complete (N*WBLOCKBITS - LENGTHBITS) bits:
388 */
389 if (bufferPos > WBLOCKBYTES - LENGTHBYTES) {
390 if (bufferPos < WBLOCKBYTES) {
391 memset(&buffer[bufferPos], 0, WBLOCKBYTES - bufferPos);
392 }
393 /*
394 * process data block:
395 */
396 WhirlpoolTransform(context);
397 /*
398 * reset buffer:
399 */
400 bufferPos = 0;
401 }
402 if (bufferPos < WBLOCKBYTES - LENGTHBYTES) {
403 memset(&buffer[bufferPos], 0, (WBLOCKBYTES - LENGTHBYTES) - bufferPos);
404 }
405 bufferPos = WBLOCKBYTES - LENGTHBYTES;
406 /*
407 * append bit length of hashed data:
408 */
409 memcpy(&buffer[WBLOCKBYTES - LENGTHBYTES], bitLength, LENGTHBYTES);
410 /*
411 * process data block:
412 */
413 WhirlpoolTransform(context);
414 /*
415 * return the completed message digest:
416 */
417 for (i = 0; i < DIGESTBYTES/8; i++) {
418 digest[0] = (unsigned char)(context->state[i] >> 56);
419 digest[1] = (unsigned char)(context->state[i] >> 48);
420 digest[2] = (unsigned char)(context->state[i] >> 40);
421 digest[3] = (unsigned char)(context->state[i] >> 32);
422 digest[4] = (unsigned char)(context->state[i] >> 24);
423 digest[5] = (unsigned char)(context->state[i] >> 16);
424 digest[6] = (unsigned char)(context->state[i] >> 8);
425 digest[7] = (unsigned char)(context->state[i] );
426 digest += 8;
427 }
428
429 ZEND_SECURE_ZERO(context, sizeof(*context));
430 }
431
php_whirlpool_unserialize(php_hashcontext_object * hash,zend_long magic,const zval * zv)432 static int php_whirlpool_unserialize(php_hashcontext_object *hash, zend_long magic, const zval *zv)
433 {
434 PHP_WHIRLPOOL_CTX *ctx = (PHP_WHIRLPOOL_CTX *) hash->context;
435 int r = FAILURE;
436 if (magic == PHP_HASH_SERIALIZE_MAGIC_SPEC
437 && (r = php_hash_unserialize_spec(hash, zv, PHP_WHIRLPOOL_SPEC)) == SUCCESS
438 && ctx->buffer.pos >= 0
439 && ctx->buffer.pos < (int) sizeof(ctx->buffer.data)
440 && ctx->buffer.bits >= ctx->buffer.pos * 8
441 && ctx->buffer.bits < ctx->buffer.pos * 8 + 8) {
442 return SUCCESS;
443 } else {
444 return r != SUCCESS ? r : -2000;
445 }
446 }
447
448 const php_hash_ops php_hash_whirlpool_ops = {
449 "whirlpool",
450 (php_hash_init_func_t) PHP_WHIRLPOOLInit,
451 (php_hash_update_func_t) PHP_WHIRLPOOLUpdate,
452 (php_hash_final_func_t) PHP_WHIRLPOOLFinal,
453 php_hash_copy,
454 php_hash_serialize,
455 php_whirlpool_unserialize,
456 PHP_WHIRLPOOL_SPEC,
457 64,
458 64,
459 sizeof(PHP_WHIRLPOOL_CTX),
460 1
461 };
462
