/src/php-src/ext/hash/hash_whirlpool.c

Source
/*
  +----------------------------------------------------------------------+
  | Copyright (c) The PHP Group                                          |
  +----------------------------------------------------------------------+
  | This source file is subject to version 3.01 of the PHP license,      |
  | that is bundled with this package in the file LICENSE, and is        |
  | available through the world-wide-web at the following url:           |
  | https://www.php.net/license/3_01.txt                                 |
  | If you did not receive a copy of the PHP license and are unable to   |
  | obtain it through the world-wide-web, please send a note to          |
  | license@php.net so we can mail you a copy immediately.               |
  +----------------------------------------------------------------------+
  | Authors: Michael Wallner <mike@php.net>                              |
  |          Sara Golemon <pollita@php.net>                              |
  +----------------------------------------------------------------------+
*/

#include "php_hash.h"

/*
 * TODO: simplify Update and Final, those look ridiculously complex
 * Mike, 2005-11-23
 */

#include "php_hash_whirlpool.h"
#include "php_hash_whirlpool_tables.h"

#define DIGESTBYTES 64
#define DIGESTBITS  (8*DIGESTBYTES) /* 512 */

#define WBLOCKBYTES 64
#define WBLOCKBITS  (8*WBLOCKBYTES) /* 512 */

#define LENGTHBYTES 32
#define LENGTHBITS  (8*LENGTHBYTES) /* 256 */

static void WhirlpoolTransform(PHP_WHIRLPOOL_CTX *context)
{
    int i, r;
    uint64_t K[8];        /* the round key */
    uint64_t block[8];    /* mu(buffer) */
    uint64_t state[8];    /* the cipher state */
    uint64_t L[8];
    unsigned char *buffer = context->buffer.data;

    /*
     * map the buffer to a block:
     */
    for (i = 0; i < 8; i++, buffer += 8) {
        block[i] =
            (((uint64_t)buffer[0]        ) << 56) ^
            (((uint64_t)buffer[1] & 0xffL) << 48) ^
            (((uint64_t)buffer[2] & 0xffL) << 40) ^
            (((uint64_t)buffer[3] & 0xffL) << 32) ^
            (((uint64_t)buffer[4] & 0xffL) << 24) ^
            (((uint64_t)buffer[5] & 0xffL) << 16) ^
            (((uint64_t)buffer[6] & 0xffL) <<  8) ^
            (((uint64_t)buffer[7] & 0xffL)      );
    }
    /*
     * compute and apply K^0 to the cipher state:
     */
    state[0] = block[0] ^ (K[0] = context->state[0]);
    state[1] = block[1] ^ (K[1] = context->state[1]);
    state[2] = block[2] ^ (K[2] = context->state[2]);
    state[3] = block[3] ^ (K[3] = context->state[3]);
    state[4] = block[4] ^ (K[4] = context->state[4]);
    state[5] = block[5] ^ (K[5] = context->state[5]);
    state[6] = block[6] ^ (K[6] = context->state[6]);
    state[7] = block[7] ^ (K[7] = context->state[7]);
    /*
     * iterate over all rounds:
     */
    for (r = 1; r <= R; r++) {
        /*
         * compute K^r from K^{r-1}:
         */
        L[0] =
            C0[(int)(K[0] >> 56)       ] ^
            C1[(int)(K[7] >> 48) & 0xff] ^
            C2[(int)(K[6] >> 40) & 0xff] ^
            C3[(int)(K[5] >> 32) & 0xff] ^
            C4[(int)(K[4] >> 24) & 0xff] ^
            C5[(int)(K[3] >> 16) & 0xff] ^
            C6[(int)(K[2] >>  8) & 0xff] ^
            C7[(int)(K[1]      ) & 0xff] ^
            rc[r];
        L[1] =
            C0[(int)(K[1] >> 56)       ] ^
            C1[(int)(K[0] >> 48) & 0xff] ^
            C2[(int)(K[7] >> 40) & 0xff] ^
            C3[(int)(K[6] >> 32) & 0xff] ^
            C4[(int)(K[5] >> 24) & 0xff] ^
            C5[(int)(K[4] >> 16) & 0xff] ^
            C6[(int)(K[3] >>  8) & 0xff] ^
            C7[(int)(K[2]      ) & 0xff];
        L[2] =
            C0[(int)(K[2] >> 56)       ] ^
            C1[(int)(K[1] >> 48) & 0xff] ^
            C2[(int)(K[0] >> 40) & 0xff] ^
            C3[(int)(K[7] >> 32) & 0xff] ^
            C4[(int)(K[6] >> 24) & 0xff] ^
            C5[(int)(K[5] >> 16) & 0xff] ^
            C6[(int)(K[4] >>  8) & 0xff] ^
            C7[(int)(K[3]      ) & 0xff];
        L[3] =
            C0[(int)(K[3] >> 56)       ] ^
            C1[(int)(K[2] >> 48) & 0xff] ^
            C2[(int)(K[1] >> 40) & 0xff] ^
            C3[(int)(K[0] >> 32) & 0xff] ^
            C4[(int)(K[7] >> 24) & 0xff] ^
            C5[(int)(K[6] >> 16) & 0xff] ^
            C6[(int)(K[5] >>  8) & 0xff] ^
            C7[(int)(K[4]      ) & 0xff];
        L[4] =
            C0[(int)(K[4] >> 56)       ] ^
            C1[(int)(K[3] >> 48) & 0xff] ^
            C2[(int)(K[2] >> 40) & 0xff] ^
            C3[(int)(K[1] >> 32) & 0xff] ^
            C4[(int)(K[0] >> 24) & 0xff] ^
            C5[(int)(K[7] >> 16) & 0xff] ^
            C6[(int)(K[6] >>  8) & 0xff] ^
            C7[(int)(K[5]      ) & 0xff];
        L[5] =
            C0[(int)(K[5] >> 56)       ] ^
            C1[(int)(K[4] >> 48) & 0xff] ^
            C2[(int)(K[3] >> 40) & 0xff] ^
            C3[(int)(K[2] >> 32) & 0xff] ^
            C4[(int)(K[1] >> 24) & 0xff] ^
            C5[(int)(K[0] >> 16) & 0xff] ^
            C6[(int)(K[7] >>  8) & 0xff] ^
            C7[(int)(K[6]      ) & 0xff];
        L[6] =
            C0[(int)(K[6] >> 56)       ] ^
            C1[(int)(K[5] >> 48) & 0xff] ^
            C2[(int)(K[4] >> 40) & 0xff] ^
            C3[(int)(K[3] >> 32) & 0xff] ^
            C4[(int)(K[2] >> 24) & 0xff] ^
            C5[(int)(K[1] >> 16) & 0xff] ^
            C6[(int)(K[0] >>  8) & 0xff] ^
            C7[(int)(K[7]      ) & 0xff];
        L[7] =
            C0[(int)(K[7] >> 56)       ] ^
            C1[(int)(K[6] >> 48) & 0xff] ^
            C2[(int)(K[5] >> 40) & 0xff] ^
            C3[(int)(K[4] >> 32) & 0xff] ^
            C4[(int)(K[3] >> 24) & 0xff] ^
            C5[(int)(K[2] >> 16) & 0xff] ^
            C6[(int)(K[1] >>  8) & 0xff] ^
            C7[(int)(K[0]      ) & 0xff];
        K[0] = L[0];
        K[1] = L[1];
        K[2] = L[2];
        K[3] = L[3];
        K[4] = L[4];
        K[5] = L[5];
        K[6] = L[6];
        K[7] = L[7];
        /*
         * apply the r-th round transformation:
         */
        L[0] =
            C0[(int)(state[0] >> 56)       ] ^
            C1[(int)(state[7] >> 48) & 0xff] ^
            C2[(int)(state[6] >> 40) & 0xff] ^
            C3[(int)(state[5] >> 32) & 0xff] ^
            C4[(int)(state[4] >> 24) & 0xff] ^
            C5[(int)(state[3] >> 16) & 0xff] ^
            C6[(int)(state[2] >>  8) & 0xff] ^
            C7[(int)(state[1]      ) & 0xff] ^
            K[0];
        L[1] =
            C0[(int)(state[1] >> 56)       ] ^
            C1[(int)(state[0] >> 48) & 0xff] ^
            C2[(int)(state[7] >> 40) & 0xff] ^
            C3[(int)(state[6] >> 32) & 0xff] ^
            C4[(int)(state[5] >> 24) & 0xff] ^
            C5[(int)(state[4] >> 16) & 0xff] ^
            C6[(int)(state[3] >>  8) & 0xff] ^
            C7[(int)(state[2]      ) & 0xff] ^
            K[1];
        L[2] =
            C0[(int)(state[2] >> 56)       ] ^
            C1[(int)(state[1] >> 48) & 0xff] ^
            C2[(int)(state[0] >> 40) & 0xff] ^
            C3[(int)(state[7] >> 32) & 0xff] ^
            C4[(int)(state[6] >> 24) & 0xff] ^
            C5[(int)(state[5] >> 16) & 0xff] ^
            C6[(int)(state[4] >>  8) & 0xff] ^
            C7[(int)(state[3]      ) & 0xff] ^
            K[2];
        L[3] =
            C0[(int)(state[3] >> 56)       ] ^
            C1[(int)(state[2] >> 48) & 0xff] ^
            C2[(int)(state[1] >> 40) & 0xff] ^
            C3[(int)(state[0] >> 32) & 0xff] ^
            C4[(int)(state[7] >> 24) & 0xff] ^
            C5[(int)(state[6] >> 16) & 0xff] ^
            C6[(int)(state[5] >>  8) & 0xff] ^
            C7[(int)(state[4]      ) & 0xff] ^
            K[3];
        L[4] =
            C0[(int)(state[4] >> 56)       ] ^
            C1[(int)(state[3] >> 48) & 0xff] ^
            C2[(int)(state[2] >> 40) & 0xff] ^
            C3[(int)(state[1] >> 32) & 0xff] ^
            C4[(int)(state[0] >> 24) & 0xff] ^
            C5[(int)(state[7] >> 16) & 0xff] ^
            C6[(int)(state[6] >>  8) & 0xff] ^
            C7[(int)(state[5]      ) & 0xff] ^
            K[4];
        L[5] =
            C0[(int)(state[5] >> 56)       ] ^
            C1[(int)(state[4] >> 48) & 0xff] ^
            C2[(int)(state[3] >> 40) & 0xff] ^
            C3[(int)(state[2] >> 32) & 0xff] ^
            C4[(int)(state[1] >> 24) & 0xff] ^
            C5[(int)(state[0] >> 16) & 0xff] ^
            C6[(int)(state[7] >>  8) & 0xff] ^
            C7[(int)(state[6]      ) & 0xff] ^
            K[5];
        L[6] =
            C0[(int)(state[6] >> 56)       ] ^
            C1[(int)(state[5] >> 48) & 0xff] ^
            C2[(int)(state[4] >> 40) & 0xff] ^
            C3[(int)(state[3] >> 32) & 0xff] ^
            C4[(int)(state[2] >> 24) & 0xff] ^
            C5[(int)(state[1] >> 16) & 0xff] ^
            C6[(int)(state[0] >>  8) & 0xff] ^
            C7[(int)(state[7]      ) & 0xff] ^
            K[6];
        L[7] =
            C0[(int)(state[7] >> 56)       ] ^
            C1[(int)(state[6] >> 48) & 0xff] ^
            C2[(int)(state[5] >> 40) & 0xff] ^
            C3[(int)(state[4] >> 32) & 0xff] ^
            C4[(int)(state[3] >> 24) & 0xff] ^
            C5[(int)(state[2] >> 16) & 0xff] ^
            C6[(int)(state[1] >>  8) & 0xff] ^
            C7[(int)(state[0]      ) & 0xff] ^
            K[7];
        state[0] = L[0];
        state[1] = L[1];
        state[2] = L[2];
        state[3] = L[3];
        state[4] = L[4];
        state[5] = L[5];
        state[6] = L[6];
        state[7] = L[7];
    }
    /*
     * apply the Miyaguchi-Preneel compression function:
     */
    context->state[0] ^= state[0] ^ block[0];
    context->state[1] ^= state[1] ^ block[1];
    context->state[2] ^= state[2] ^ block[2];
    context->state[3] ^= state[3] ^ block[3];
    context->state[4] ^= state[4] ^ block[4];
    context->state[5] ^= state[5] ^ block[5];
    context->state[6] ^= state[6] ^ block[6];
    context->state[7] ^= state[7] ^ block[7];

  ZEND_SECURE_ZERO(state, sizeof(state));
}

PHP_HASH_API void PHP_WHIRLPOOLInit(PHP_WHIRLPOOL_CTX *context, ZEND_ATTRIBUTE_UNUSED HashTable *args)
{
  memset(context, 0, sizeof(*context));
}

PHP_HASH_API void PHP_WHIRLPOOLUpdate(PHP_WHIRLPOOL_CTX *context, const unsigned char *input, size_t len)
{
    uint64_t sourceBits = len * 8;
    int sourcePos    = 0; /* index of leftmost source unsigned char containing data (1 to 8 bits). */
    int sourceGap    = (8 - ((int)sourceBits & 7)) & 7; /* space on source[sourcePos]. */
    int bufferRem    = context->buffer.bits & 7; /* occupied bits on buffer[bufferPos]. */
    const unsigned char *source = input;
    unsigned char *buffer       = context->buffer.data;
    unsigned char *bitLength    = context->bitlength;
    int bufferBits   = context->buffer.bits;
    int bufferPos    = context->buffer.pos;
    uint32_t b, carry;
    int i;

    /*
     * tally the length of the added data:
     */
    uint64_t value = sourceBits;
    for (i = 31, carry = 0; i >= 0 && (carry != 0 || value != L64(0)); i--) {
        carry += bitLength[i] + ((uint32_t)value & 0xff);
        bitLength[i] = (unsigned char)carry;
        carry >>= 8;
        value >>= 8;
    }
    /*
     * process data in chunks of 8 bits (a more efficient approach would be to take whole-word chunks):
     */
    while (sourceBits > 8) {
        /* N.B. at least source[sourcePos] and source[sourcePos+1] contain data. */
        /*
         * take a byte from the source:
         */
        b = ((source[sourcePos] << sourceGap) & 0xff) |
            ((source[sourcePos + 1] & 0xff) >> (8 - sourceGap));
        /*
         * process this byte:
         */
        buffer[bufferPos++] |= (unsigned char)(b >> bufferRem);
        bufferBits += 8 - bufferRem; /* bufferBits = 8*bufferPos; */
        if (bufferBits == DIGESTBITS) {
            /*
             * process data block:
             */
            WhirlpoolTransform(context);
            /*
             * reset buffer:
             */
            bufferBits = bufferPos = 0;
        }
        buffer[bufferPos] = (unsigned char) (b << (8 - bufferRem));
        bufferBits += bufferRem;
        /*
         * proceed to remaining data:
         */
        sourceBits -= 8;
        sourcePos++;
    }
    /* now 0 <= sourceBits <= 8;
     * furthermore, all data (if any is left) is in source[sourcePos].
     */
    if (sourceBits > 0) {
        b = (source[sourcePos] << sourceGap) & 0xff; /* bits are left-justified on b. */
        /*
         * process the remaining bits:
         */
        buffer[bufferPos] |= b >> bufferRem;
    } else {
        b = 0;
    }
    if (bufferRem + sourceBits < 8) {
        /*
         * all remaining data fits on buffer[bufferPos],
         * and there still remains some space.
         */
        bufferBits += (int) sourceBits;
    } else {
        /*
         * buffer[bufferPos] is full:
         */
        bufferPos++;
        bufferBits += 8 - bufferRem; /* bufferBits = 8*bufferPos; */
        sourceBits -= 8 - bufferRem;
        /* now 0 <= sourceBits < 8;
         * furthermore, all data (if any is left) is in source[sourcePos].
         */
        if (bufferBits == DIGESTBITS) {
            /*
             * process data block:
             */
            WhirlpoolTransform(context);
            /*
             * reset buffer:
             */
            bufferBits = bufferPos = 0;
        }
        buffer[bufferPos] = (unsigned char) (b << (8 - bufferRem));
        bufferBits += (int)sourceBits;
    }
    context->buffer.bits   = bufferBits;
    context->buffer.pos    = bufferPos;
}

PHP_HASH_API void PHP_WHIRLPOOLFinal(unsigned char digest[64], PHP_WHIRLPOOL_CTX *context)
{
    int i;
    unsigned char *buffer      = context->buffer.data;
    unsigned char *bitLength   = context->bitlength;
    int bufferBits  = context->buffer.bits;
    int bufferPos   = context->buffer.pos;

    /*
     * append a '1'-bit:
     */
    buffer[bufferPos] |= 0x80U >> (bufferBits & 7);
    bufferPos++; /* all remaining bits on the current unsigned char are set to zero. */
    /*
     * pad with zero bits to complete (N*WBLOCKBITS - LENGTHBITS) bits:
     */
    if (bufferPos > WBLOCKBYTES - LENGTHBYTES) {
        if (bufferPos < WBLOCKBYTES) {
            memset(&buffer[bufferPos], 0, WBLOCKBYTES - bufferPos);
        }
        /*
         * process data block:
         */
        WhirlpoolTransform(context);
        /*
         * reset buffer:
         */
        bufferPos = 0;
    }
    if (bufferPos < WBLOCKBYTES - LENGTHBYTES) {
        memset(&buffer[bufferPos], 0, (WBLOCKBYTES - LENGTHBYTES) - bufferPos);
    }
    bufferPos = WBLOCKBYTES - LENGTHBYTES;
    /*
     * append bit length of hashed data:
     */
    memcpy(&buffer[WBLOCKBYTES - LENGTHBYTES], bitLength, LENGTHBYTES);
    /*
     * process data block:
     */
    WhirlpoolTransform(context);
    /*
     * return the completed message digest:
     */
    for (i = 0; i < DIGESTBYTES/8; i++) {
        digest[0] = (unsigned char)(context->state[i] >> 56);
        digest[1] = (unsigned char)(context->state[i] >> 48);
        digest[2] = (unsigned char)(context->state[i] >> 40);
        digest[3] = (unsigned char)(context->state[i] >> 32);
        digest[4] = (unsigned char)(context->state[i] >> 24);
        digest[5] = (unsigned char)(context->state[i] >> 16);
        digest[6] = (unsigned char)(context->state[i] >>  8);
        digest[7] = (unsigned char)(context->state[i]      );
        digest += 8;
    }

    ZEND_SECURE_ZERO(context, sizeof(*context));
}

static hash_spec_result php_whirlpool_unserialize(php_hashcontext_object *hash, zend_long magic, const zval *zv)
{
    PHP_WHIRLPOOL_CTX *ctx = (PHP_WHIRLPOOL_CTX *) hash->context;
    hash_spec_result r = HASH_SPEC_FAILURE;
    if (magic == PHP_HASH_SERIALIZE_MAGIC_SPEC
        && (r = php_hash_unserialize_spec(hash, zv, PHP_WHIRLPOOL_SPEC)) == HASH_SPEC_SUCCESS
        && ctx->buffer.pos >= 0
        && ctx->buffer.pos < (int) sizeof(ctx->buffer.data)
        && ctx->buffer.bits >= ctx->buffer.pos * 8
        && ctx->buffer.bits < ctx->buffer.pos * 8 + 8) {
        return HASH_SPEC_SUCCESS;
    }

    return r != HASH_SPEC_SUCCESS ? r : CONTEXT_VALIDATION_FAILURE;
}

const php_hash_ops php_hash_whirlpool_ops = {
  "whirlpool",
  (php_hash_init_func_t) PHP_WHIRLPOOLInit,
  (php_hash_update_func_t) PHP_WHIRLPOOLUpdate,
  (php_hash_final_func_t) PHP_WHIRLPOOLFinal,
  php_hash_copy,
  php_hash_serialize,
  php_whirlpool_unserialize,
  PHP_WHIRLPOOL_SPEC,
  64,
  64,
  sizeof(PHP_WHIRLPOOL_CTX),
  1
};

Coverage Report

Created: 2026-02-14 06:52

Line	Count	Source
1		/*
2		+----------------------------------------------------------------------+
3		\| Copyright (c) The PHP Group \|
4		+----------------------------------------------------------------------+
5		\| This source file is subject to version 3.01 of the PHP license, \|
6		\| that is bundled with this package in the file LICENSE, and is \|
7		\| available through the world-wide-web at the following url: \|
8		\| https://www.php.net/license/3_01.txt \|
9		\| If you did not receive a copy of the PHP license and are unable to \|
10		\| obtain it through the world-wide-web, please send a note to \|
11		\| license@php.net so we can mail you a copy immediately. \|
12		+----------------------------------------------------------------------+
13		\| Authors: Michael Wallner <mike@php.net> \|
14		\| Sara Golemon <pollita@php.net> \|
15		+----------------------------------------------------------------------+
16		*/
17
18		#include "php_hash.h"
19
20		/*
21		* TODO: simplify Update and Final, those look ridiculously complex
22		* Mike, 2005-11-23
23		*/
24
25		#include "php_hash_whirlpool.h"
26		#include "php_hash_whirlpool_tables.h"
27
28	824k	#define DIGESTBYTES 64
29	823k	#define DIGESTBITS (8DIGESTBYTES) / 512 */
30
31	187	#define WBLOCKBYTES 64
32		#define WBLOCKBITS (8WBLOCKBYTES) / 512 */
33
34	197	#define LENGTHBYTES 32
35		#define LENGTHBITS (8LENGTHBYTES) / 256 */
36
37		static void WhirlpoolTransform(PHP_WHIRLPOOL_CTX *context)
38	12.9k	{
39	12.9k	int i, r;
40	12.9k	uint64_t K[8]; /* the round key */
41	12.9k	uint64_t block[8]; /* mu(buffer) */
42	12.9k	uint64_t state[8]; /* the cipher state */
43	12.9k	uint64_t L[8];
44	12.9k	unsigned char *buffer = context->buffer.data;
45
46		/*
47		* map the buffer to a block:
48		*/
49	116k	for (i = 0; i < 8; i++, buffer += 8) {
50	103k	block[i] =
51	103k	(((uint64_t)buffer[0] ) << 56) ^
52	103k	(((uint64_t)buffer[1] & 0xffL) << 48) ^
53	103k	(((uint64_t)buffer[2] & 0xffL) << 40) ^
54	103k	(((uint64_t)buffer[3] & 0xffL) << 32) ^
55	103k	(((uint64_t)buffer[4] & 0xffL) << 24) ^
56	103k	(((uint64_t)buffer[5] & 0xffL) << 16) ^
57	103k	(((uint64_t)buffer[6] & 0xffL) << 8) ^
58	103k	(((uint64_t)buffer[7] & 0xffL) );
59	103k	}
60		/*
61		* compute and apply K^0 to the cipher state:
62		*/
63	12.9k	state[0] = block[0] ^ (K[0] = context->state[0]);
64	12.9k	state[1] = block[1] ^ (K[1] = context->state[1]);
65	12.9k	state[2] = block[2] ^ (K[2] = context->state[2]);
66	12.9k	state[3] = block[3] ^ (K[3] = context->state[3]);
67	12.9k	state[4] = block[4] ^ (K[4] = context->state[4]);
68	12.9k	state[5] = block[5] ^ (K[5] = context->state[5]);
69	12.9k	state[6] = block[6] ^ (K[6] = context->state[6]);
70	12.9k	state[7] = block[7] ^ (K[7] = context->state[7]);
71		/*
72		* iterate over all rounds:
73		*/
74	142k	for (r = 1; r <= R; r++) {
75		/*
76		* compute K^r from K^{r-1}:
77		*/
78	129k	L[0] =
79	129k	C0[(int)(K[0] >> 56) ] ^
80	129k	C1[(int)(K[7] >> 48) & 0xff] ^
81	129k	C2[(int)(K[6] >> 40) & 0xff] ^
82	129k	C3[(int)(K[5] >> 32) & 0xff] ^
83	129k	C4[(int)(K[4] >> 24) & 0xff] ^
84	129k	C5[(int)(K[3] >> 16) & 0xff] ^
85	129k	C6[(int)(K[2] >> 8) & 0xff] ^
86	129k	C7[(int)(K[1] ) & 0xff] ^
87	129k	rc[r];
88	129k	L[1] =
89	129k	C0[(int)(K[1] >> 56) ] ^
90	129k	C1[(int)(K[0] >> 48) & 0xff] ^
91	129k	C2[(int)(K[7] >> 40) & 0xff] ^
92	129k	C3[(int)(K[6] >> 32) & 0xff] ^
93	129k	C4[(int)(K[5] >> 24) & 0xff] ^
94	129k	C5[(int)(K[4] >> 16) & 0xff] ^
95	129k	C6[(int)(K[3] >> 8) & 0xff] ^
96	129k	C7[(int)(K[2] ) & 0xff];
97	129k	L[2] =
98	129k	C0[(int)(K[2] >> 56) ] ^
99	129k	C1[(int)(K[1] >> 48) & 0xff] ^
100	129k	C2[(int)(K[0] >> 40) & 0xff] ^
101	129k	C3[(int)(K[7] >> 32) & 0xff] ^
102	129k	C4[(int)(K[6] >> 24) & 0xff] ^
103	129k	C5[(int)(K[5] >> 16) & 0xff] ^
104	129k	C6[(int)(K[4] >> 8) & 0xff] ^
105	129k	C7[(int)(K[3] ) & 0xff];
106	129k	L[3] =
107	129k	C0[(int)(K[3] >> 56) ] ^
108	129k	C1[(int)(K[2] >> 48) & 0xff] ^
109	129k	C2[(int)(K[1] >> 40) & 0xff] ^
110	129k	C3[(int)(K[0] >> 32) & 0xff] ^
111	129k	C4[(int)(K[7] >> 24) & 0xff] ^
112	129k	C5[(int)(K[6] >> 16) & 0xff] ^
113	129k	C6[(int)(K[5] >> 8) & 0xff] ^
114	129k	C7[(int)(K[4] ) & 0xff];
115	129k	L[4] =
116	129k	C0[(int)(K[4] >> 56) ] ^
117	129k	C1[(int)(K[3] >> 48) & 0xff] ^
118	129k	C2[(int)(K[2] >> 40) & 0xff] ^
119	129k	C3[(int)(K[1] >> 32) & 0xff] ^
120	129k	C4[(int)(K[0] >> 24) & 0xff] ^
121	129k	C5[(int)(K[7] >> 16) & 0xff] ^
122	129k	C6[(int)(K[6] >> 8) & 0xff] ^
123	129k	C7[(int)(K[5] ) & 0xff];
124	129k	L[5] =
125	129k	C0[(int)(K[5] >> 56) ] ^
126	129k	C1[(int)(K[4] >> 48) & 0xff] ^
127	129k	C2[(int)(K[3] >> 40) & 0xff] ^
128	129k	C3[(int)(K[2] >> 32) & 0xff] ^
129	129k	C4[(int)(K[1] >> 24) & 0xff] ^
130	129k	C5[(int)(K[0] >> 16) & 0xff] ^
131	129k	C6[(int)(K[7] >> 8) & 0xff] ^
132	129k	C7[(int)(K[6] ) & 0xff];
133	129k	L[6] =
134	129k	C0[(int)(K[6] >> 56) ] ^
135	129k	C1[(int)(K[5] >> 48) & 0xff] ^
136	129k	C2[(int)(K[4] >> 40) & 0xff] ^
137	129k	C3[(int)(K[3] >> 32) & 0xff] ^
138	129k	C4[(int)(K[2] >> 24) & 0xff] ^
139	129k	C5[(int)(K[1] >> 16) & 0xff] ^
140	129k	C6[(int)(K[0] >> 8) & 0xff] ^
141	129k	C7[(int)(K[7] ) & 0xff];
142	129k	L[7] =
143	129k	C0[(int)(K[7] >> 56) ] ^
144	129k	C1[(int)(K[6] >> 48) & 0xff] ^
145	129k	C2[(int)(K[5] >> 40) & 0xff] ^
146	129k	C3[(int)(K[4] >> 32) & 0xff] ^
147	129k	C4[(int)(K[3] >> 24) & 0xff] ^
148	129k	C5[(int)(K[2] >> 16) & 0xff] ^
149	129k	C6[(int)(K[1] >> 8) & 0xff] ^
150	129k	C7[(int)(K[0] ) & 0xff];
151	129k	K[0] = L[0];
152	129k	K[1] = L[1];
153	129k	K[2] = L[2];
154	129k	K[3] = L[3];
155	129k	K[4] = L[4];
156	129k	K[5] = L[5];
157	129k	K[6] = L[6];
158	129k	K[7] = L[7];
159		/*
160		* apply the r-th round transformation:
161		*/
162	129k	L[0] =
163	129k	C0[(int)(state[0] >> 56) ] ^
164	129k	C1[(int)(state[7] >> 48) & 0xff] ^
165	129k	C2[(int)(state[6] >> 40) & 0xff] ^
166	129k	C3[(int)(state[5] >> 32) & 0xff] ^
167	129k	C4[(int)(state[4] >> 24) & 0xff] ^
168	129k	C5[(int)(state[3] >> 16) & 0xff] ^
169	129k	C6[(int)(state[2] >> 8) & 0xff] ^
170	129k	C7[(int)(state[1] ) & 0xff] ^
171	129k	K[0];
172	129k	L[1] =
173	129k	C0[(int)(state[1] >> 56) ] ^
174	129k	C1[(int)(state[0] >> 48) & 0xff] ^
175	129k	C2[(int)(state[7] >> 40) & 0xff] ^
176	129k	C3[(int)(state[6] >> 32) & 0xff] ^
177	129k	C4[(int)(state[5] >> 24) & 0xff] ^
178	129k	C5[(int)(state[4] >> 16) & 0xff] ^
179	129k	C6[(int)(state[3] >> 8) & 0xff] ^
180	129k	C7[(int)(state[2] ) & 0xff] ^
181	129k	K[1];
182	129k	L[2] =
183	129k	C0[(int)(state[2] >> 56) ] ^
184	129k	C1[(int)(state[1] >> 48) & 0xff] ^
185	129k	C2[(int)(state[0] >> 40) & 0xff] ^
186	129k	C3[(int)(state[7] >> 32) & 0xff] ^
187	129k	C4[(int)(state[6] >> 24) & 0xff] ^
188	129k	C5[(int)(state[5] >> 16) & 0xff] ^
189	129k	C6[(int)(state[4] >> 8) & 0xff] ^
190	129k	C7[(int)(state[3] ) & 0xff] ^
191	129k	K[2];
192	129k	L[3] =
193	129k	C0[(int)(state[3] >> 56) ] ^
194	129k	C1[(int)(state[2] >> 48) & 0xff] ^
195	129k	C2[(int)(state[1] >> 40) & 0xff] ^
196	129k	C3[(int)(state[0] >> 32) & 0xff] ^
197	129k	C4[(int)(state[7] >> 24) & 0xff] ^
198	129k	C5[(int)(state[6] >> 16) & 0xff] ^
199	129k	C6[(int)(state[5] >> 8) & 0xff] ^
200	129k	C7[(int)(state[4] ) & 0xff] ^
201	129k	K[3];
202	129k	L[4] =
203	129k	C0[(int)(state[4] >> 56) ] ^
204	129k	C1[(int)(state[3] >> 48) & 0xff] ^
205	129k	C2[(int)(state[2] >> 40) & 0xff] ^
206	129k	C3[(int)(state[1] >> 32) & 0xff] ^
207	129k	C4[(int)(state[0] >> 24) & 0xff] ^
208	129k	C5[(int)(state[7] >> 16) & 0xff] ^
209	129k	C6[(int)(state[6] >> 8) & 0xff] ^
210	129k	C7[(int)(state[5] ) & 0xff] ^
211	129k	K[4];
212	129k	L[5] =
213	129k	C0[(int)(state[5] >> 56) ] ^
214	129k	C1[(int)(state[4] >> 48) & 0xff] ^
215	129k	C2[(int)(state[3] >> 40) & 0xff] ^
216	129k	C3[(int)(state[2] >> 32) & 0xff] ^
217	129k	C4[(int)(state[1] >> 24) & 0xff] ^
218	129k	C5[(int)(state[0] >> 16) & 0xff] ^
219	129k	C6[(int)(state[7] >> 8) & 0xff] ^
220	129k	C7[(int)(state[6] ) & 0xff] ^
221	129k	K[5];
222	129k	L[6] =
223	129k	C0[(int)(state[6] >> 56) ] ^
224	129k	C1[(int)(state[5] >> 48) & 0xff] ^
225	129k	C2[(int)(state[4] >> 40) & 0xff] ^
226	129k	C3[(int)(state[3] >> 32) & 0xff] ^
227	129k	C4[(int)(state[2] >> 24) & 0xff] ^
228	129k	C5[(int)(state[1] >> 16) & 0xff] ^
229	129k	C6[(int)(state[0] >> 8) & 0xff] ^
230	129k	C7[(int)(state[7] ) & 0xff] ^
231	129k	K[6];
232	129k	L[7] =
233	129k	C0[(int)(state[7] >> 56) ] ^
234	129k	C1[(int)(state[6] >> 48) & 0xff] ^
235	129k	C2[(int)(state[5] >> 40) & 0xff] ^
236	129k	C3[(int)(state[4] >> 32) & 0xff] ^
237	129k	C4[(int)(state[3] >> 24) & 0xff] ^
238	129k	C5[(int)(state[2] >> 16) & 0xff] ^
239	129k	C6[(int)(state[1] >> 8) & 0xff] ^
240	129k	C7[(int)(state[0] ) & 0xff] ^
241	129k	K[7];
242	129k	state[0] = L[0];
243	129k	state[1] = L[1];
244	129k	state[2] = L[2];
245	129k	state[3] = L[3];
246	129k	state[4] = L[4];
247	129k	state[5] = L[5];
248	129k	state[6] = L[6];
249	129k	state[7] = L[7];
250	129k	}
251		/*
252		* apply the Miyaguchi-Preneel compression function:
253		*/
254	12.9k	context->state[0] ^= state[0] ^ block[0];
255	12.9k	context->state[1] ^= state[1] ^ block[1];
256	12.9k	context->state[2] ^= state[2] ^ block[2];
257	12.9k	context->state[3] ^= state[3] ^ block[3];
258	12.9k	context->state[4] ^= state[4] ^ block[4];
259	12.9k	context->state[5] ^= state[5] ^ block[5];
260	12.9k	context->state[6] ^= state[6] ^ block[6];
261	12.9k	context->state[7] ^= state[7] ^ block[7];
262
263	12.9k	ZEND_SECURE_ZERO(state, sizeof(state));
264	12.9k	}
265
266		PHP_HASH_API void PHP_WHIRLPOOLInit(PHP_WHIRLPOOL_CTX context, ZEND_ATTRIBUTE_UNUSED HashTable args)
267	57	{
268	57	memset(context, 0, sizeof(*context));
269	57	}
270
271		PHP_HASH_API void PHP_WHIRLPOOLUpdate(PHP_WHIRLPOOL_CTX context, const unsigned char input, size_t len)
272	33	{
273	33	uint64_t sourceBits = len * 8;
274	33	int sourcePos = 0; /* index of leftmost source unsigned char containing data (1 to 8 bits). */
275	33	int sourceGap = (8 - ((int)sourceBits & 7)) & 7; /* space on source[sourcePos]. */
276	33	int bufferRem = context->buffer.bits & 7; /* occupied bits on buffer[bufferPos]. */
277	33	const unsigned char *source = input;
278	33	unsigned char *buffer = context->buffer.data;
279	33	unsigned char *bitLength = context->bitlength;
280	33	int bufferBits = context->buffer.bits;
281	33	int bufferPos = context->buffer.pos;
282	33	uint32_t b, carry;
283	33	int i;
284
285		/*
286		* tally the length of the added data:
287		*/
288	33	uint64_t value = sourceBits;
289	110	for (i = 31, carry = 0; i >= 0 && (carry != 0 \|\| value != L64(0)); i--) {
290	77	carry += bitLength[i] + ((uint32_t)value & 0xff);
291	77	bitLength[i] = (unsigned char)carry;
292	77	carry >>= 8;
293	77	value >>= 8;
294	77	}
295		/*
296		* process data in chunks of 8 bits (a more efficient approach would be to take whole-word chunks):
297		*/
298	823k	while (sourceBits > 8) {
299		/* N.B. at least source[sourcePos] and source[sourcePos+1] contain data. */
300		/*
301		* take a byte from the source:
302		*/
303	823k	b = ((source[sourcePos] << sourceGap) & 0xff) \|
304	823k	((source[sourcePos + 1] & 0xff) >> (8 - sourceGap));
305		/*
306		* process this byte:
307		*/
308	823k	buffer[bufferPos++] \|= (unsigned char)(b >> bufferRem);
309	823k	bufferBits += 8 - bufferRem; /* bufferBits = 8bufferPos; /
310	823k	if (bufferBits == DIGESTBITS) {
311		/*
312		* process data block:
313		*/
314	12.8k	WhirlpoolTransform(context);
315		/*
316		* reset buffer:
317		*/
318	12.8k	bufferBits = bufferPos = 0;
319	12.8k	}
320	823k	buffer[bufferPos] = (unsigned char) (b << (8 - bufferRem));
321	823k	bufferBits += bufferRem;
322		/*
323		* proceed to remaining data:
324		*/
325	823k	sourceBits -= 8;
326	823k	sourcePos++;
327	823k	}
328		/* now 0 <= sourceBits <= 8;
329		* furthermore, all data (if any is left) is in source[sourcePos].
330		*/
331	33	if (sourceBits > 0) {
332	32	b = (source[sourcePos] << sourceGap) & 0xff; /* bits are left-justified on b. */
333		/*
334		* process the remaining bits:
335		*/
336	32	buffer[bufferPos] \|= b >> bufferRem;
337	32	} else {
338	1	b = 0;
339	1	}
340	33	if (bufferRem + sourceBits < 8) {
341		/*
342		* all remaining data fits on buffer[bufferPos],
343		* and there still remains some space.
344		*/
345	1	bufferBits += (int) sourceBits;
346	32	} else {
347		/*
348		* buffer[bufferPos] is full:
349		*/
350	32	bufferPos++;
351	32	bufferBits += 8 - bufferRem; /* bufferBits = 8bufferPos; /
352	32	sourceBits -= 8 - bufferRem;
353		/* now 0 <= sourceBits < 8;
354		* furthermore, all data (if any is left) is in source[sourcePos].
355		*/
356	32	if (bufferBits == DIGESTBITS) {
357		/*
358		* process data block:
359		*/
360	1	WhirlpoolTransform(context);
361		/*
362		* reset buffer:
363		*/
364	1	bufferBits = bufferPos = 0;
365	1	}
366	32	buffer[bufferPos] = (unsigned char) (b << (8 - bufferRem));
367	32	bufferBits += (int)sourceBits;
368	32	}
369	33	context->buffer.bits = bufferBits;
370	33	context->buffer.pos = bufferPos;
371	33	}
372
373		PHP_HASH_API void PHP_WHIRLPOOLFinal(unsigned char digest[64], PHP_WHIRLPOOL_CTX *context)
374	33	{
375	33	int i;
376	33	unsigned char *buffer = context->buffer.data;
377	33	unsigned char *bitLength = context->bitlength;
378	33	int bufferBits = context->buffer.bits;
379	33	int bufferPos = context->buffer.pos;
380
381		/*
382		* append a '1'-bit:
383		*/
384	33	buffer[bufferPos] \|= 0x80U >> (bufferBits & 7);
385	33	bufferPos++; /* all remaining bits on the current unsigned char are set to zero. */
386		/*
387		* pad with zero bits to complete (N*WBLOCKBITS - LENGTHBITS) bits:
388		*/
389	33	if (bufferPos > WBLOCKBYTES - LENGTHBYTES) {
390	12	if (bufferPos < WBLOCKBYTES) {
391	11	memset(&buffer[bufferPos], 0, WBLOCKBYTES - bufferPos);
392	11	}
393		/*
394		* process data block:
395		*/
396	12	WhirlpoolTransform(context);
397		/*
398		* reset buffer:
399		*/
400	12	bufferPos = 0;
401	12	}
402	33	if (bufferPos < WBLOCKBYTES - LENGTHBYTES) {
403	32	memset(&buffer[bufferPos], 0, (WBLOCKBYTES - LENGTHBYTES) - bufferPos);
404	32	}
405	33	bufferPos = WBLOCKBYTES - LENGTHBYTES;
406		/*
407		* append bit length of hashed data:
408		*/
409	33	memcpy(&buffer[WBLOCKBYTES - LENGTHBYTES], bitLength, LENGTHBYTES);
410		/*
411		* process data block:
412		*/
413	33	WhirlpoolTransform(context);
414		/*
415		* return the completed message digest:
416		*/
417	297	for (i = 0; i < DIGESTBYTES/8; i++) {
418	264	digest[0] = (unsigned char)(context->state[i] >> 56);
419	264	digest[1] = (unsigned char)(context->state[i] >> 48);
420	264	digest[2] = (unsigned char)(context->state[i] >> 40);
421	264	digest[3] = (unsigned char)(context->state[i] >> 32);
422	264	digest[4] = (unsigned char)(context->state[i] >> 24);
423	264	digest[5] = (unsigned char)(context->state[i] >> 16);
424	264	digest[6] = (unsigned char)(context->state[i] >> 8);
425	264	digest[7] = (unsigned char)(context->state[i] );
426	264	digest += 8;
427	264	}
428
429	33	ZEND_SECURE_ZERO(context, sizeof(*context));
430	33	}
431
432		static hash_spec_result php_whirlpool_unserialize(php_hashcontext_object hash, zend_long magic, const zval zv)
433	57	{
434	57	PHP_WHIRLPOOL_CTX ctx = (PHP_WHIRLPOOL_CTX ) hash->context;
435	57	hash_spec_result r = HASH_SPEC_FAILURE;
436	57	if (magic == PHP_HASH_SERIALIZE_MAGIC_SPEC
437	57	&& (r = php_hash_unserialize_spec(hash, zv, PHP_WHIRLPOOL_SPEC)) == HASH_SPEC_SUCCESS
438	54	&& ctx->buffer.pos >= 0
439	54	&& ctx->buffer.pos < (int) sizeof(ctx->buffer.data)
440	50	&& ctx->buffer.bits >= ctx->buffer.pos * 8
441	49	&& ctx->buffer.bits < ctx->buffer.pos * 8 + 8) {
442	33	return HASH_SPEC_SUCCESS;
443	33	}
444
445	24	return r != HASH_SPEC_SUCCESS ? r : CONTEXT_VALIDATION_FAILURE;
446	57	}
447
448		const php_hash_ops php_hash_whirlpool_ops = {
449		"whirlpool",
450		(php_hash_init_func_t) PHP_WHIRLPOOLInit,
451		(php_hash_update_func_t) PHP_WHIRLPOOLUpdate,
452		(php_hash_final_func_t) PHP_WHIRLPOOLFinal,
453		php_hash_copy,
454		php_hash_serialize,
455		php_whirlpool_unserialize,
456		PHP_WHIRLPOOL_SPEC,
457		64,
458		64,
459		sizeof(PHP_WHIRLPOOL_CTX),
460		1
461		};