/src/php-src/ext/hash/hash_whirlpool.c

Source
/*
  +----------------------------------------------------------------------+
  | Copyright © The PHP Group and Contributors.                          |
  +----------------------------------------------------------------------+
  | This source file is subject to the Modified BSD License that is      |
  | bundled with this package in the file LICENSE, and is available      |
  | through the World Wide Web at <https://www.php.net/license/>.        |
  |                                                                      |
  | SPDX-License-Identifier: BSD-3-Clause                                |
  +----------------------------------------------------------------------+
  | Authors: Michael Wallner <mike@php.net>                              |
  |          Sara Golemon <pollita@php.net>                              |
  +----------------------------------------------------------------------+
*/

#include "php_hash.h"

/*
 * TODO: simplify Update and Final, those look ridiculously complex
 * Mike, 2005-11-23
 */

#include "php_hash_whirlpool.h"
#include "php_hash_whirlpool_tables.h"

#define DIGESTBYTES 64
#define DIGESTBITS  (8*DIGESTBYTES) /* 512 */

#define WBLOCKBYTES 64
#define WBLOCKBITS  (8*WBLOCKBYTES) /* 512 */

#define LENGTHBYTES 32
#define LENGTHBITS  (8*LENGTHBYTES) /* 256 */

static void WhirlpoolTransform(PHP_WHIRLPOOL_CTX *context)
{
    int i, r;
    uint64_t K[8];        /* the round key */
    uint64_t block[8];    /* mu(buffer) */
    uint64_t state[8];    /* the cipher state */
    uint64_t L[8];
    unsigned char *buffer = context->buffer.data;

    /*
     * map the buffer to a block:
     */
    for (i = 0; i < 8; i++, buffer += 8) {
        block[i] =
            (((uint64_t)buffer[0]        ) << 56) ^
            (((uint64_t)buffer[1] & 0xffL) << 48) ^
            (((uint64_t)buffer[2] & 0xffL) << 40) ^
            (((uint64_t)buffer[3] & 0xffL) << 32) ^
            (((uint64_t)buffer[4] & 0xffL) << 24) ^
            (((uint64_t)buffer[5] & 0xffL) << 16) ^
            (((uint64_t)buffer[6] & 0xffL) <<  8) ^
            (((uint64_t)buffer[7] & 0xffL)      );
    }
    /*
     * compute and apply K^0 to the cipher state:
     */
    state[0] = block[0] ^ (K[0] = context->state[0]);
    state[1] = block[1] ^ (K[1] = context->state[1]);
    state[2] = block[2] ^ (K[2] = context->state[2]);
    state[3] = block[3] ^ (K[3] = context->state[3]);
    state[4] = block[4] ^ (K[4] = context->state[4]);
    state[5] = block[5] ^ (K[5] = context->state[5]);
    state[6] = block[6] ^ (K[6] = context->state[6]);
    state[7] = block[7] ^ (K[7] = context->state[7]);
    /*
     * iterate over all rounds:
     */
    for (r = 1; r <= R; r++) {
        /*
         * compute K^r from K^{r-1}:
         */
        L[0] =
            C0[(int)(K[0] >> 56)       ] ^
            C1[(int)(K[7] >> 48) & 0xff] ^
            C2[(int)(K[6] >> 40) & 0xff] ^
            C3[(int)(K[5] >> 32) & 0xff] ^
            C4[(int)(K[4] >> 24) & 0xff] ^
            C5[(int)(K[3] >> 16) & 0xff] ^
            C6[(int)(K[2] >>  8) & 0xff] ^
            C7[(int)(K[1]      ) & 0xff] ^
            rc[r];
        L[1] =
            C0[(int)(K[1] >> 56)       ] ^
            C1[(int)(K[0] >> 48) & 0xff] ^
            C2[(int)(K[7] >> 40) & 0xff] ^
            C3[(int)(K[6] >> 32) & 0xff] ^
            C4[(int)(K[5] >> 24) & 0xff] ^
            C5[(int)(K[4] >> 16) & 0xff] ^
            C6[(int)(K[3] >>  8) & 0xff] ^
            C7[(int)(K[2]      ) & 0xff];
        L[2] =
            C0[(int)(K[2] >> 56)       ] ^
            C1[(int)(K[1] >> 48) & 0xff] ^
            C2[(int)(K[0] >> 40) & 0xff] ^
            C3[(int)(K[7] >> 32) & 0xff] ^
            C4[(int)(K[6] >> 24) & 0xff] ^
            C5[(int)(K[5] >> 16) & 0xff] ^
            C6[(int)(K[4] >>  8) & 0xff] ^
            C7[(int)(K[3]      ) & 0xff];
        L[3] =
            C0[(int)(K[3] >> 56)       ] ^
            C1[(int)(K[2] >> 48) & 0xff] ^
            C2[(int)(K[1] >> 40) & 0xff] ^
            C3[(int)(K[0] >> 32) & 0xff] ^
            C4[(int)(K[7] >> 24) & 0xff] ^
            C5[(int)(K[6] >> 16) & 0xff] ^
            C6[(int)(K[5] >>  8) & 0xff] ^
            C7[(int)(K[4]      ) & 0xff];
        L[4] =
            C0[(int)(K[4] >> 56)       ] ^
            C1[(int)(K[3] >> 48) & 0xff] ^
            C2[(int)(K[2] >> 40) & 0xff] ^
            C3[(int)(K[1] >> 32) & 0xff] ^
            C4[(int)(K[0] >> 24) & 0xff] ^
            C5[(int)(K[7] >> 16) & 0xff] ^
            C6[(int)(K[6] >>  8) & 0xff] ^
            C7[(int)(K[5]      ) & 0xff];
        L[5] =
            C0[(int)(K[5] >> 56)       ] ^
            C1[(int)(K[4] >> 48) & 0xff] ^
            C2[(int)(K[3] >> 40) & 0xff] ^
            C3[(int)(K[2] >> 32) & 0xff] ^
            C4[(int)(K[1] >> 24) & 0xff] ^
            C5[(int)(K[0] >> 16) & 0xff] ^
            C6[(int)(K[7] >>  8) & 0xff] ^
            C7[(int)(K[6]      ) & 0xff];
        L[6] =
            C0[(int)(K[6] >> 56)       ] ^
            C1[(int)(K[5] >> 48) & 0xff] ^
            C2[(int)(K[4] >> 40) & 0xff] ^
            C3[(int)(K[3] >> 32) & 0xff] ^
            C4[(int)(K[2] >> 24) & 0xff] ^
            C5[(int)(K[1] >> 16) & 0xff] ^
            C6[(int)(K[0] >>  8) & 0xff] ^
            C7[(int)(K[7]      ) & 0xff];
        L[7] =
            C0[(int)(K[7] >> 56)       ] ^
            C1[(int)(K[6] >> 48) & 0xff] ^
            C2[(int)(K[5] >> 40) & 0xff] ^
            C3[(int)(K[4] >> 32) & 0xff] ^
            C4[(int)(K[3] >> 24) & 0xff] ^
            C5[(int)(K[2] >> 16) & 0xff] ^
            C6[(int)(K[1] >>  8) & 0xff] ^
            C7[(int)(K[0]      ) & 0xff];
        K[0] = L[0];
        K[1] = L[1];
        K[2] = L[2];
        K[3] = L[3];
        K[4] = L[4];
        K[5] = L[5];
        K[6] = L[6];
        K[7] = L[7];
        /*
         * apply the r-th round transformation:
         */
        L[0] =
            C0[(int)(state[0] >> 56)       ] ^
            C1[(int)(state[7] >> 48) & 0xff] ^
            C2[(int)(state[6] >> 40) & 0xff] ^
            C3[(int)(state[5] >> 32) & 0xff] ^
            C4[(int)(state[4] >> 24) & 0xff] ^
            C5[(int)(state[3] >> 16) & 0xff] ^
            C6[(int)(state[2] >>  8) & 0xff] ^
            C7[(int)(state[1]      ) & 0xff] ^
            K[0];
        L[1] =
            C0[(int)(state[1] >> 56)       ] ^
            C1[(int)(state[0] >> 48) & 0xff] ^
            C2[(int)(state[7] >> 40) & 0xff] ^
            C3[(int)(state[6] >> 32) & 0xff] ^
            C4[(int)(state[5] >> 24) & 0xff] ^
            C5[(int)(state[4] >> 16) & 0xff] ^
            C6[(int)(state[3] >>  8) & 0xff] ^
            C7[(int)(state[2]      ) & 0xff] ^
            K[1];
        L[2] =
            C0[(int)(state[2] >> 56)       ] ^
            C1[(int)(state[1] >> 48) & 0xff] ^
            C2[(int)(state[0] >> 40) & 0xff] ^
            C3[(int)(state[7] >> 32) & 0xff] ^
            C4[(int)(state[6] >> 24) & 0xff] ^
            C5[(int)(state[5] >> 16) & 0xff] ^
            C6[(int)(state[4] >>  8) & 0xff] ^
            C7[(int)(state[3]      ) & 0xff] ^
            K[2];
        L[3] =
            C0[(int)(state[3] >> 56)       ] ^
            C1[(int)(state[2] >> 48) & 0xff] ^
            C2[(int)(state[1] >> 40) & 0xff] ^
            C3[(int)(state[0] >> 32) & 0xff] ^
            C4[(int)(state[7] >> 24) & 0xff] ^
            C5[(int)(state[6] >> 16) & 0xff] ^
            C6[(int)(state[5] >>  8) & 0xff] ^
            C7[(int)(state[4]      ) & 0xff] ^
            K[3];
        L[4] =
            C0[(int)(state[4] >> 56)       ] ^
            C1[(int)(state[3] >> 48) & 0xff] ^
            C2[(int)(state[2] >> 40) & 0xff] ^
            C3[(int)(state[1] >> 32) & 0xff] ^
            C4[(int)(state[0] >> 24) & 0xff] ^
            C5[(int)(state[7] >> 16) & 0xff] ^
            C6[(int)(state[6] >>  8) & 0xff] ^
            C7[(int)(state[5]      ) & 0xff] ^
            K[4];
        L[5] =
            C0[(int)(state[5] >> 56)       ] ^
            C1[(int)(state[4] >> 48) & 0xff] ^
            C2[(int)(state[3] >> 40) & 0xff] ^
            C3[(int)(state[2] >> 32) & 0xff] ^
            C4[(int)(state[1] >> 24) & 0xff] ^
            C5[(int)(state[0] >> 16) & 0xff] ^
            C6[(int)(state[7] >>  8) & 0xff] ^
            C7[(int)(state[6]      ) & 0xff] ^
            K[5];
        L[6] =
            C0[(int)(state[6] >> 56)       ] ^
            C1[(int)(state[5] >> 48) & 0xff] ^
            C2[(int)(state[4] >> 40) & 0xff] ^
            C3[(int)(state[3] >> 32) & 0xff] ^
            C4[(int)(state[2] >> 24) & 0xff] ^
            C5[(int)(state[1] >> 16) & 0xff] ^
            C6[(int)(state[0] >>  8) & 0xff] ^
            C7[(int)(state[7]      ) & 0xff] ^
            K[6];
        L[7] =
            C0[(int)(state[7] >> 56)       ] ^
            C1[(int)(state[6] >> 48) & 0xff] ^
            C2[(int)(state[5] >> 40) & 0xff] ^
            C3[(int)(state[4] >> 32) & 0xff] ^
            C4[(int)(state[3] >> 24) & 0xff] ^
            C5[(int)(state[2] >> 16) & 0xff] ^
            C6[(int)(state[1] >>  8) & 0xff] ^
            C7[(int)(state[0]      ) & 0xff] ^
            K[7];
        state[0] = L[0];
        state[1] = L[1];
        state[2] = L[2];
        state[3] = L[3];
        state[4] = L[4];
        state[5] = L[5];
        state[6] = L[6];
        state[7] = L[7];
    }
    /*
     * apply the Miyaguchi-Preneel compression function:
     */
    context->state[0] ^= state[0] ^ block[0];
    context->state[1] ^= state[1] ^ block[1];
    context->state[2] ^= state[2] ^ block[2];
    context->state[3] ^= state[3] ^ block[3];
    context->state[4] ^= state[4] ^ block[4];
    context->state[5] ^= state[5] ^ block[5];
    context->state[6] ^= state[6] ^ block[6];
    context->state[7] ^= state[7] ^ block[7];

  ZEND_SECURE_ZERO(state, sizeof(state));
}

PHP_HASH_API void PHP_WHIRLPOOLInit(PHP_WHIRLPOOL_CTX *context, ZEND_ATTRIBUTE_UNUSED HashTable *args)
{
  memset(context, 0, sizeof(*context));
}

PHP_HASH_API void PHP_WHIRLPOOLUpdate(PHP_WHIRLPOOL_CTX *context, const unsigned char *input, size_t len)
{
    uint64_t sourceBits = len * 8;
    int sourcePos    = 0; /* index of leftmost source unsigned char containing data (1 to 8 bits). */
    int sourceGap    = (8 - ((int)sourceBits & 7)) & 7; /* space on source[sourcePos]. */
    int bufferRem    = context->buffer.bits & 7; /* occupied bits on buffer[bufferPos]. */
    const unsigned char *source = input;
    unsigned char *buffer       = context->buffer.data;
    unsigned char *bitLength    = context->bitlength;
    int bufferBits   = context->buffer.bits;
    int bufferPos    = context->buffer.pos;
    uint32_t b, carry;
    int i;

    /*
     * tally the length of the added data:
     */
    uint64_t value = sourceBits;
    for (i = 31, carry = 0; i >= 0 && (carry != 0 || value != L64(0)); i--) {
        carry += bitLength[i] + ((uint32_t)value & 0xff);
        bitLength[i] = (unsigned char)carry;
        carry >>= 8;
        value >>= 8;
    }
    /*
     * process data in chunks of 8 bits (a more efficient approach would be to take whole-word chunks):
     */
    while (sourceBits > 8) {
        /* N.B. at least source[sourcePos] and source[sourcePos+1] contain data. */
        /*
         * take a byte from the source:
         */
        b = ((source[sourcePos] << sourceGap) & 0xff) |
            ((source[sourcePos + 1] & 0xff) >> (8 - sourceGap));
        /*
         * process this byte:
         */
        buffer[bufferPos++] |= (unsigned char)(b >> bufferRem);
        bufferBits += 8 - bufferRem; /* bufferBits = 8*bufferPos; */
        if (bufferBits == DIGESTBITS) {
            /*
             * process data block:
             */
            WhirlpoolTransform(context);
            /*
             * reset buffer:
             */
            bufferBits = bufferPos = 0;
        }
        buffer[bufferPos] = (unsigned char) (b << (8 - bufferRem));
        bufferBits += bufferRem;
        /*
         * proceed to remaining data:
         */
        sourceBits -= 8;
        sourcePos++;
    }
    /* now 0 <= sourceBits <= 8;
     * furthermore, all data (if any is left) is in source[sourcePos].
     */
    if (sourceBits > 0) {
        b = (source[sourcePos] << sourceGap) & 0xff; /* bits are left-justified on b. */
        /*
         * process the remaining bits:
         */
        buffer[bufferPos] |= b >> bufferRem;
    } else {
        b = 0;
    }
    if (bufferRem + sourceBits < 8) {
        /*
         * all remaining data fits on buffer[bufferPos],
         * and there still remains some space.
         */
        bufferBits += (int) sourceBits;
    } else {
        /*
         * buffer[bufferPos] is full:
         */
        bufferPos++;
        bufferBits += 8 - bufferRem; /* bufferBits = 8*bufferPos; */
        sourceBits -= 8 - bufferRem;
        /* now 0 <= sourceBits < 8;
         * furthermore, all data (if any is left) is in source[sourcePos].
         */
        if (bufferBits == DIGESTBITS) {
            /*
             * process data block:
             */
            WhirlpoolTransform(context);
            /*
             * reset buffer:
             */
            bufferBits = bufferPos = 0;
        }
        buffer[bufferPos] = (unsigned char) (b << (8 - bufferRem));
        bufferBits += (int)sourceBits;
    }
    context->buffer.bits   = bufferBits;
    context->buffer.pos    = bufferPos;
}

PHP_HASH_API void PHP_WHIRLPOOLFinal(unsigned char digest[64], PHP_WHIRLPOOL_CTX *context)
{
    int i;
    unsigned char *buffer      = context->buffer.data;
    unsigned char *bitLength   = context->bitlength;
    int bufferBits  = context->buffer.bits;
    int bufferPos   = context->buffer.pos;

    /*
     * append a '1'-bit:
     */
    buffer[bufferPos] |= 0x80U >> (bufferBits & 7);
    bufferPos++; /* all remaining bits on the current unsigned char are set to zero. */
    /*
     * pad with zero bits to complete (N*WBLOCKBITS - LENGTHBITS) bits:
     */
    if (bufferPos > WBLOCKBYTES - LENGTHBYTES) {
        if (bufferPos < WBLOCKBYTES) {
            memset(&buffer[bufferPos], 0, WBLOCKBYTES - bufferPos);
        }
        /*
         * process data block:
         */
        WhirlpoolTransform(context);
        /*
         * reset buffer:
         */
        bufferPos = 0;
    }
    if (bufferPos < WBLOCKBYTES - LENGTHBYTES) {
        memset(&buffer[bufferPos], 0, (WBLOCKBYTES - LENGTHBYTES) - bufferPos);
    }
    bufferPos = WBLOCKBYTES - LENGTHBYTES;
    /*
     * append bit length of hashed data:
     */
    memcpy(&buffer[WBLOCKBYTES - LENGTHBYTES], bitLength, LENGTHBYTES);
    /*
     * process data block:
     */
    WhirlpoolTransform(context);
    /*
     * return the completed message digest:
     */
    for (i = 0; i < DIGESTBYTES/8; i++) {
        digest[0] = (unsigned char)(context->state[i] >> 56);
        digest[1] = (unsigned char)(context->state[i] >> 48);
        digest[2] = (unsigned char)(context->state[i] >> 40);
        digest[3] = (unsigned char)(context->state[i] >> 32);
        digest[4] = (unsigned char)(context->state[i] >> 24);
        digest[5] = (unsigned char)(context->state[i] >> 16);
        digest[6] = (unsigned char)(context->state[i] >>  8);
        digest[7] = (unsigned char)(context->state[i]      );
        digest += 8;
    }

    ZEND_SECURE_ZERO(context, sizeof(*context));
}

static hash_spec_result php_whirlpool_unserialize(php_hashcontext_object *hash, zend_long magic, const zval *zv)
{
    PHP_WHIRLPOOL_CTX *ctx = (PHP_WHIRLPOOL_CTX *) hash->context;
    hash_spec_result r = HASH_SPEC_FAILURE;
    if (magic == PHP_HASH_SERIALIZE_MAGIC_SPEC
        && (r = php_hash_unserialize_spec(hash, zv, PHP_WHIRLPOOL_SPEC)) == HASH_SPEC_SUCCESS
        && ctx->buffer.pos >= 0
        && ctx->buffer.pos < (int) sizeof(ctx->buffer.data)
        && ctx->buffer.bits >= ctx->buffer.pos * 8
        && ctx->buffer.bits < ctx->buffer.pos * 8 + 8) {
        return HASH_SPEC_SUCCESS;
    }

    return r != HASH_SPEC_SUCCESS ? r : CONTEXT_VALIDATION_FAILURE;
}

const php_hash_ops php_hash_whirlpool_ops = {
  "whirlpool",
  (php_hash_init_func_t) PHP_WHIRLPOOLInit,
  (php_hash_update_func_t) PHP_WHIRLPOOLUpdate,
  (php_hash_final_func_t) PHP_WHIRLPOOLFinal,
  php_hash_copy,
  php_hash_serialize,
  php_whirlpool_unserialize,
  PHP_WHIRLPOOL_SPEC,
  64,
  64,
  sizeof(PHP_WHIRLPOOL_CTX),
  1
};

Coverage Report

Created: 2026-06-02 06:37

Line	Count	Source
1		/*
2		+----------------------------------------------------------------------+
3		\| Copyright © The PHP Group and Contributors. \|
4		+----------------------------------------------------------------------+
5		\| This source file is subject to the Modified BSD License that is \|
6		\| bundled with this package in the file LICENSE, and is available \|
7		\| through the World Wide Web at <https://www.php.net/license/>. \|
8		\| \|
9		\| SPDX-License-Identifier: BSD-3-Clause \|
10		+----------------------------------------------------------------------+
11		\| Authors: Michael Wallner <mike@php.net> \|
12		\| Sara Golemon <pollita@php.net> \|
13		+----------------------------------------------------------------------+
14		*/
15
16		#include "php_hash.h"
17
18		/*
19		* TODO: simplify Update and Final, those look ridiculously complex
20		* Mike, 2005-11-23
21		*/
22
23		#include "php_hash_whirlpool.h"
24		#include "php_hash_whirlpool_tables.h"
25
26	1.30M	#define DIGESTBYTES 64
27	1.30M	#define DIGESTBITS (8DIGESTBYTES) / 512 */
28
29	228	#define WBLOCKBYTES 64
30		#define WBLOCKBITS (8WBLOCKBYTES) / 512 */
31
32	233	#define LENGTHBYTES 32
33		#define LENGTHBITS (8LENGTHBYTES) / 256 */
34
35		static void WhirlpoolTransform(PHP_WHIRLPOOL_CTX *context)
36	20.4k	{
37	20.4k	int i, r;
38	20.4k	uint64_t K[8]; /* the round key */
39	20.4k	uint64_t block[8]; /* mu(buffer) */
40	20.4k	uint64_t state[8]; /* the cipher state */
41	20.4k	uint64_t L[8];
42	20.4k	unsigned char *buffer = context->buffer.data;
43
44		/*
45		* map the buffer to a block:
46		*/
47	184k	for (i = 0; i < 8; i++, buffer += 8) {
48	163k	block[i] =
49	163k	(((uint64_t)buffer[0] ) << 56) ^
50	163k	(((uint64_t)buffer[1] & 0xffL) << 48) ^
51	163k	(((uint64_t)buffer[2] & 0xffL) << 40) ^
52	163k	(((uint64_t)buffer[3] & 0xffL) << 32) ^
53	163k	(((uint64_t)buffer[4] & 0xffL) << 24) ^
54	163k	(((uint64_t)buffer[5] & 0xffL) << 16) ^
55	163k	(((uint64_t)buffer[6] & 0xffL) << 8) ^
56	163k	(((uint64_t)buffer[7] & 0xffL) );
57	163k	}
58		/*
59		* compute and apply K^0 to the cipher state:
60		*/
61	20.4k	state[0] = block[0] ^ (K[0] = context->state[0]);
62	20.4k	state[1] = block[1] ^ (K[1] = context->state[1]);
63	20.4k	state[2] = block[2] ^ (K[2] = context->state[2]);
64	20.4k	state[3] = block[3] ^ (K[3] = context->state[3]);
65	20.4k	state[4] = block[4] ^ (K[4] = context->state[4]);
66	20.4k	state[5] = block[5] ^ (K[5] = context->state[5]);
67	20.4k	state[6] = block[6] ^ (K[6] = context->state[6]);
68	20.4k	state[7] = block[7] ^ (K[7] = context->state[7]);
69		/*
70		* iterate over all rounds:
71		*/
72	225k	for (r = 1; r <= R; r++) {
73		/*
74		* compute K^r from K^{r-1}:
75		*/
76	204k	L[0] =
77	204k	C0[(int)(K[0] >> 56) ] ^
78	204k	C1[(int)(K[7] >> 48) & 0xff] ^
79	204k	C2[(int)(K[6] >> 40) & 0xff] ^
80	204k	C3[(int)(K[5] >> 32) & 0xff] ^
81	204k	C4[(int)(K[4] >> 24) & 0xff] ^
82	204k	C5[(int)(K[3] >> 16) & 0xff] ^
83	204k	C6[(int)(K[2] >> 8) & 0xff] ^
84	204k	C7[(int)(K[1] ) & 0xff] ^
85	204k	rc[r];
86	204k	L[1] =
87	204k	C0[(int)(K[1] >> 56) ] ^
88	204k	C1[(int)(K[0] >> 48) & 0xff] ^
89	204k	C2[(int)(K[7] >> 40) & 0xff] ^
90	204k	C3[(int)(K[6] >> 32) & 0xff] ^
91	204k	C4[(int)(K[5] >> 24) & 0xff] ^
92	204k	C5[(int)(K[4] >> 16) & 0xff] ^
93	204k	C6[(int)(K[3] >> 8) & 0xff] ^
94	204k	C7[(int)(K[2] ) & 0xff];
95	204k	L[2] =
96	204k	C0[(int)(K[2] >> 56) ] ^
97	204k	C1[(int)(K[1] >> 48) & 0xff] ^
98	204k	C2[(int)(K[0] >> 40) & 0xff] ^
99	204k	C3[(int)(K[7] >> 32) & 0xff] ^
100	204k	C4[(int)(K[6] >> 24) & 0xff] ^
101	204k	C5[(int)(K[5] >> 16) & 0xff] ^
102	204k	C6[(int)(K[4] >> 8) & 0xff] ^
103	204k	C7[(int)(K[3] ) & 0xff];
104	204k	L[3] =
105	204k	C0[(int)(K[3] >> 56) ] ^
106	204k	C1[(int)(K[2] >> 48) & 0xff] ^
107	204k	C2[(int)(K[1] >> 40) & 0xff] ^
108	204k	C3[(int)(K[0] >> 32) & 0xff] ^
109	204k	C4[(int)(K[7] >> 24) & 0xff] ^
110	204k	C5[(int)(K[6] >> 16) & 0xff] ^
111	204k	C6[(int)(K[5] >> 8) & 0xff] ^
112	204k	C7[(int)(K[4] ) & 0xff];
113	204k	L[4] =
114	204k	C0[(int)(K[4] >> 56) ] ^
115	204k	C1[(int)(K[3] >> 48) & 0xff] ^
116	204k	C2[(int)(K[2] >> 40) & 0xff] ^
117	204k	C3[(int)(K[1] >> 32) & 0xff] ^
118	204k	C4[(int)(K[0] >> 24) & 0xff] ^
119	204k	C5[(int)(K[7] >> 16) & 0xff] ^
120	204k	C6[(int)(K[6] >> 8) & 0xff] ^
121	204k	C7[(int)(K[5] ) & 0xff];
122	204k	L[5] =
123	204k	C0[(int)(K[5] >> 56) ] ^
124	204k	C1[(int)(K[4] >> 48) & 0xff] ^
125	204k	C2[(int)(K[3] >> 40) & 0xff] ^
126	204k	C3[(int)(K[2] >> 32) & 0xff] ^
127	204k	C4[(int)(K[1] >> 24) & 0xff] ^
128	204k	C5[(int)(K[0] >> 16) & 0xff] ^
129	204k	C6[(int)(K[7] >> 8) & 0xff] ^
130	204k	C7[(int)(K[6] ) & 0xff];
131	204k	L[6] =
132	204k	C0[(int)(K[6] >> 56) ] ^
133	204k	C1[(int)(K[5] >> 48) & 0xff] ^
134	204k	C2[(int)(K[4] >> 40) & 0xff] ^
135	204k	C3[(int)(K[3] >> 32) & 0xff] ^
136	204k	C4[(int)(K[2] >> 24) & 0xff] ^
137	204k	C5[(int)(K[1] >> 16) & 0xff] ^
138	204k	C6[(int)(K[0] >> 8) & 0xff] ^
139	204k	C7[(int)(K[7] ) & 0xff];
140	204k	L[7] =
141	204k	C0[(int)(K[7] >> 56) ] ^
142	204k	C1[(int)(K[6] >> 48) & 0xff] ^
143	204k	C2[(int)(K[5] >> 40) & 0xff] ^
144	204k	C3[(int)(K[4] >> 32) & 0xff] ^
145	204k	C4[(int)(K[3] >> 24) & 0xff] ^
146	204k	C5[(int)(K[2] >> 16) & 0xff] ^
147	204k	C6[(int)(K[1] >> 8) & 0xff] ^
148	204k	C7[(int)(K[0] ) & 0xff];
149	204k	K[0] = L[0];
150	204k	K[1] = L[1];
151	204k	K[2] = L[2];
152	204k	K[3] = L[3];
153	204k	K[4] = L[4];
154	204k	K[5] = L[5];
155	204k	K[6] = L[6];
156	204k	K[7] = L[7];
157		/*
158		* apply the r-th round transformation:
159		*/
160	204k	L[0] =
161	204k	C0[(int)(state[0] >> 56) ] ^
162	204k	C1[(int)(state[7] >> 48) & 0xff] ^
163	204k	C2[(int)(state[6] >> 40) & 0xff] ^
164	204k	C3[(int)(state[5] >> 32) & 0xff] ^
165	204k	C4[(int)(state[4] >> 24) & 0xff] ^
166	204k	C5[(int)(state[3] >> 16) & 0xff] ^
167	204k	C6[(int)(state[2] >> 8) & 0xff] ^
168	204k	C7[(int)(state[1] ) & 0xff] ^
169	204k	K[0];
170	204k	L[1] =
171	204k	C0[(int)(state[1] >> 56) ] ^
172	204k	C1[(int)(state[0] >> 48) & 0xff] ^
173	204k	C2[(int)(state[7] >> 40) & 0xff] ^
174	204k	C3[(int)(state[6] >> 32) & 0xff] ^
175	204k	C4[(int)(state[5] >> 24) & 0xff] ^
176	204k	C5[(int)(state[4] >> 16) & 0xff] ^
177	204k	C6[(int)(state[3] >> 8) & 0xff] ^
178	204k	C7[(int)(state[2] ) & 0xff] ^
179	204k	K[1];
180	204k	L[2] =
181	204k	C0[(int)(state[2] >> 56) ] ^
182	204k	C1[(int)(state[1] >> 48) & 0xff] ^
183	204k	C2[(int)(state[0] >> 40) & 0xff] ^
184	204k	C3[(int)(state[7] >> 32) & 0xff] ^
185	204k	C4[(int)(state[6] >> 24) & 0xff] ^
186	204k	C5[(int)(state[5] >> 16) & 0xff] ^
187	204k	C6[(int)(state[4] >> 8) & 0xff] ^
188	204k	C7[(int)(state[3] ) & 0xff] ^
189	204k	K[2];
190	204k	L[3] =
191	204k	C0[(int)(state[3] >> 56) ] ^
192	204k	C1[(int)(state[2] >> 48) & 0xff] ^
193	204k	C2[(int)(state[1] >> 40) & 0xff] ^
194	204k	C3[(int)(state[0] >> 32) & 0xff] ^
195	204k	C4[(int)(state[7] >> 24) & 0xff] ^
196	204k	C5[(int)(state[6] >> 16) & 0xff] ^
197	204k	C6[(int)(state[5] >> 8) & 0xff] ^
198	204k	C7[(int)(state[4] ) & 0xff] ^
199	204k	K[3];
200	204k	L[4] =
201	204k	C0[(int)(state[4] >> 56) ] ^
202	204k	C1[(int)(state[3] >> 48) & 0xff] ^
203	204k	C2[(int)(state[2] >> 40) & 0xff] ^
204	204k	C3[(int)(state[1] >> 32) & 0xff] ^
205	204k	C4[(int)(state[0] >> 24) & 0xff] ^
206	204k	C5[(int)(state[7] >> 16) & 0xff] ^
207	204k	C6[(int)(state[6] >> 8) & 0xff] ^
208	204k	C7[(int)(state[5] ) & 0xff] ^
209	204k	K[4];
210	204k	L[5] =
211	204k	C0[(int)(state[5] >> 56) ] ^
212	204k	C1[(int)(state[4] >> 48) & 0xff] ^
213	204k	C2[(int)(state[3] >> 40) & 0xff] ^
214	204k	C3[(int)(state[2] >> 32) & 0xff] ^
215	204k	C4[(int)(state[1] >> 24) & 0xff] ^
216	204k	C5[(int)(state[0] >> 16) & 0xff] ^
217	204k	C6[(int)(state[7] >> 8) & 0xff] ^
218	204k	C7[(int)(state[6] ) & 0xff] ^
219	204k	K[5];
220	204k	L[6] =
221	204k	C0[(int)(state[6] >> 56) ] ^
222	204k	C1[(int)(state[5] >> 48) & 0xff] ^
223	204k	C2[(int)(state[4] >> 40) & 0xff] ^
224	204k	C3[(int)(state[3] >> 32) & 0xff] ^
225	204k	C4[(int)(state[2] >> 24) & 0xff] ^
226	204k	C5[(int)(state[1] >> 16) & 0xff] ^
227	204k	C6[(int)(state[0] >> 8) & 0xff] ^
228	204k	C7[(int)(state[7] ) & 0xff] ^
229	204k	K[6];
230	204k	L[7] =
231	204k	C0[(int)(state[7] >> 56) ] ^
232	204k	C1[(int)(state[6] >> 48) & 0xff] ^
233	204k	C2[(int)(state[5] >> 40) & 0xff] ^
234	204k	C3[(int)(state[4] >> 32) & 0xff] ^
235	204k	C4[(int)(state[3] >> 24) & 0xff] ^
236	204k	C5[(int)(state[2] >> 16) & 0xff] ^
237	204k	C6[(int)(state[1] >> 8) & 0xff] ^
238	204k	C7[(int)(state[0] ) & 0xff] ^
239	204k	K[7];
240	204k	state[0] = L[0];
241	204k	state[1] = L[1];
242	204k	state[2] = L[2];
243	204k	state[3] = L[3];
244	204k	state[4] = L[4];
245	204k	state[5] = L[5];
246	204k	state[6] = L[6];
247	204k	state[7] = L[7];
248	204k	}
249		/*
250		* apply the Miyaguchi-Preneel compression function:
251		*/
252	20.4k	context->state[0] ^= state[0] ^ block[0];
253	20.4k	context->state[1] ^= state[1] ^ block[1];
254	20.4k	context->state[2] ^= state[2] ^ block[2];
255	20.4k	context->state[3] ^= state[3] ^ block[3];
256	20.4k	context->state[4] ^= state[4] ^ block[4];
257	20.4k	context->state[5] ^= state[5] ^ block[5];
258	20.4k	context->state[6] ^= state[6] ^ block[6];
259	20.4k	context->state[7] ^= state[7] ^ block[7];
260
261	20.4k	ZEND_SECURE_ZERO(state, sizeof(state));
262	20.4k	}
263
264		PHP_HASH_API void PHP_WHIRLPOOLInit(PHP_WHIRLPOOL_CTX context, ZEND_ATTRIBUTE_UNUSED HashTable args)
265	76	{
266	76	memset(context, 0, sizeof(*context));
267	76	}
268
269		PHP_HASH_API void PHP_WHIRLPOOLUpdate(PHP_WHIRLPOOL_CTX context, const unsigned char input, size_t len)
270	39	{
271	39	uint64_t sourceBits = len * 8;
272	39	int sourcePos = 0; /* index of leftmost source unsigned char containing data (1 to 8 bits). */
273	39	int sourceGap = (8 - ((int)sourceBits & 7)) & 7; /* space on source[sourcePos]. */
274	39	int bufferRem = context->buffer.bits & 7; /* occupied bits on buffer[bufferPos]. */
275	39	const unsigned char *source = input;
276	39	unsigned char *buffer = context->buffer.data;
277	39	unsigned char *bitLength = context->bitlength;
278	39	int bufferBits = context->buffer.bits;
279	39	int bufferPos = context->buffer.pos;
280	39	uint32_t b, carry;
281	39	int i;
282
283		/*
284		* tally the length of the added data:
285		*/
286	39	uint64_t value = sourceBits;
287	164	for (i = 31, carry = 0; i >= 0 && (carry != 0 \|\| value != L64(0)); i--) {
288	125	carry += bitLength[i] + ((uint32_t)value & 0xff);
289	125	bitLength[i] = (unsigned char)carry;
290	125	carry >>= 8;
291	125	value >>= 8;
292	125	}
293		/*
294		* process data in chunks of 8 bits (a more efficient approach would be to take whole-word chunks):
295		*/
296	1.30M	while (sourceBits > 8) {
297		/* N.B. at least source[sourcePos] and source[sourcePos+1] contain data. */
298		/*
299		* take a byte from the source:
300		*/
301	1.30M	b = ((source[sourcePos] << sourceGap) & 0xff) \|
302	1.30M	((source[sourcePos + 1] & 0xff) >> (8 - sourceGap));
303		/*
304		* process this byte:
305		*/
306	1.30M	buffer[bufferPos++] \|= (unsigned char)(b >> bufferRem);
307	1.30M	bufferBits += 8 - bufferRem; /* bufferBits = 8bufferPos; /
308	1.30M	if (bufferBits == DIGESTBITS) {
309		/*
310		* process data block:
311		*/
312	20.4k	WhirlpoolTransform(context);
313		/*
314		* reset buffer:
315		*/
316	20.4k	bufferBits = bufferPos = 0;
317	20.4k	}
318	1.30M	buffer[bufferPos] = (unsigned char) (b << (8 - bufferRem));
319	1.30M	bufferBits += bufferRem;
320		/*
321		* proceed to remaining data:
322		*/
323	1.30M	sourceBits -= 8;
324	1.30M	sourcePos++;
325	1.30M	}
326		/* now 0 <= sourceBits <= 8;
327		* furthermore, all data (if any is left) is in source[sourcePos].
328		*/
329	39	if (sourceBits > 0) {
330	39	b = (source[sourcePos] << sourceGap) & 0xff; /* bits are left-justified on b. */
331		/*
332		* process the remaining bits:
333		*/
334	39	buffer[bufferPos] \|= b >> bufferRem;
335	39	} else {
336	0	b = 0;
337	0	}
338	39	if (bufferRem + sourceBits < 8) {
339		/*
340		* all remaining data fits on buffer[bufferPos],
341		* and there still remains some space.
342		*/
343	0	bufferBits += (int) sourceBits;
344	39	} else {
345		/*
346		* buffer[bufferPos] is full:
347		*/
348	39	bufferPos++;
349	39	bufferBits += 8 - bufferRem; /* bufferBits = 8bufferPos; /
350	39	sourceBits -= 8 - bufferRem;
351		/* now 0 <= sourceBits < 8;
352		* furthermore, all data (if any is left) is in source[sourcePos].
353		*/
354	39	if (bufferBits == DIGESTBITS) {
355		/*
356		* process data block:
357		*/
358	1	WhirlpoolTransform(context);
359		/*
360		* reset buffer:
361		*/
362	1	bufferBits = bufferPos = 0;
363	1	}
364	39	buffer[bufferPos] = (unsigned char) (b << (8 - bufferRem));
365	39	bufferBits += (int)sourceBits;
366	39	}
367	39	context->buffer.bits = bufferBits;
368	39	context->buffer.pos = bufferPos;
369	39	}
370
371		PHP_HASH_API void PHP_WHIRLPOOLFinal(unsigned char digest[64], PHP_WHIRLPOOL_CTX *context)
372	39	{
373	39	int i;
374	39	unsigned char *buffer = context->buffer.data;
375	39	unsigned char *bitLength = context->bitlength;
376	39	int bufferBits = context->buffer.bits;
377	39	int bufferPos = context->buffer.pos;
378
379		/*
380		* append a '1'-bit:
381		*/
382	39	buffer[bufferPos] \|= 0x80U >> (bufferBits & 7);
383	39	bufferPos++; /* all remaining bits on the current unsigned char are set to zero. */
384		/*
385		* pad with zero bits to complete (N*WBLOCKBITS - LENGTHBITS) bits:
386		*/
387	39	if (bufferPos > WBLOCKBYTES - LENGTHBYTES) {
388	17	if (bufferPos < WBLOCKBYTES) {
389	17	memset(&buffer[bufferPos], 0, WBLOCKBYTES - bufferPos);
390	17	}
391		/*
392		* process data block:
393		*/
394	17	WhirlpoolTransform(context);
395		/*
396		* reset buffer:
397		*/
398	17	bufferPos = 0;
399	17	}
400	39	if (bufferPos < WBLOCKBYTES - LENGTHBYTES) {
401	38	memset(&buffer[bufferPos], 0, (WBLOCKBYTES - LENGTHBYTES) - bufferPos);
402	38	}
403	39	bufferPos = WBLOCKBYTES - LENGTHBYTES;
404		/*
405		* append bit length of hashed data:
406		*/
407	39	memcpy(&buffer[WBLOCKBYTES - LENGTHBYTES], bitLength, LENGTHBYTES);
408		/*
409		* process data block:
410		*/
411	39	WhirlpoolTransform(context);
412		/*
413		* return the completed message digest:
414		*/
415	351	for (i = 0; i < DIGESTBYTES/8; i++) {
416	312	digest[0] = (unsigned char)(context->state[i] >> 56);
417	312	digest[1] = (unsigned char)(context->state[i] >> 48);
418	312	digest[2] = (unsigned char)(context->state[i] >> 40);
419	312	digest[3] = (unsigned char)(context->state[i] >> 32);
420	312	digest[4] = (unsigned char)(context->state[i] >> 24);
421	312	digest[5] = (unsigned char)(context->state[i] >> 16);
422	312	digest[6] = (unsigned char)(context->state[i] >> 8);
423	312	digest[7] = (unsigned char)(context->state[i] );
424	312	digest += 8;
425	312	}
426
427	39	ZEND_SECURE_ZERO(context, sizeof(*context));
428	39	}
429
430		static hash_spec_result php_whirlpool_unserialize(php_hashcontext_object hash, zend_long magic, const zval zv)
431	76	{
432	76	PHP_WHIRLPOOL_CTX ctx = (PHP_WHIRLPOOL_CTX ) hash->context;
433	76	hash_spec_result r = HASH_SPEC_FAILURE;
434	76	if (magic == PHP_HASH_SERIALIZE_MAGIC_SPEC
435	75	&& (r = php_hash_unserialize_spec(hash, zv, PHP_WHIRLPOOL_SPEC)) == HASH_SPEC_SUCCESS
436	69	&& ctx->buffer.pos >= 0
437	68	&& ctx->buffer.pos < (int) sizeof(ctx->buffer.data)
438	59	&& ctx->buffer.bits >= ctx->buffer.pos * 8
439	57	&& ctx->buffer.bits < ctx->buffer.pos * 8 + 8) {
440	39	return HASH_SPEC_SUCCESS;
441	39	}
442
443	37	return r != HASH_SPEC_SUCCESS ? r : CONTEXT_VALIDATION_FAILURE;
444	76	}
445
446		const php_hash_ops php_hash_whirlpool_ops = {
447		"whirlpool",
448		(php_hash_init_func_t) PHP_WHIRLPOOLInit,
449		(php_hash_update_func_t) PHP_WHIRLPOOLUpdate,
450		(php_hash_final_func_t) PHP_WHIRLPOOLFinal,
451		php_hash_copy,
452		php_hash_serialize,
453		php_whirlpool_unserialize,
454		PHP_WHIRLPOOL_SPEC,
455		64,
456		64,
457		sizeof(PHP_WHIRLPOOL_CTX),
458		1
459		};