Replace slow generic sha3 implementation by https://github.com/gvanas…

…/KeccakCodePackage

Fix hash_copy() tests by using correct size for sha3 context

sync config.w32 with with new sha3 files

Move dependency on KeccakHash.h to hash_sha3.c so we do not rely on it to install php_hash_sha3.h

Allocate memory for KeccacInstance in hash_sha3.c so header files do not need to know about implementation details while keeping API backward compatible to original sha3 implementation

Fix memory leak because hash_copy is called after init which already allocates the hashinstance

ext/hash/config.m4

@@ -25,15 +25,24 @@ if test "$PHP_HASH" != "no"; then
   AC_CHECK_SIZEOF(long, 4)
   AC_CHECK_SIZEOF(long long, 8)
 
+  PHP_CHECK_64BIT([
+    SHA3_DIR="sha3/generic32lc"
+    SHA3_OPT_SRC="$SHA3_DIR/KeccakP-1600-inplace32BI.c"
+  ],[
+    SHA3_DIR="sha3/generic64lc"
+    SHA3_OPT_SRC="$SHA3_DIR/KeccakP-1600-opt64.c"
+  ])
+  EXT_HASH_SHA3_SOURCES="$SHA3_OPT_SRC $SHA3_DIR/KeccakHash.c $SHA3_DIR/KeccakSponge.c"
+  PHP_HASH_CFLAGS="-I@ext_srcdir@/$SHA3_DIR -DKeccakP200_excluded -DKeccakP400_excluded -DKeccakP800_excluded"
   EXT_HASH_SOURCES="hash.c hash_md.c hash_sha.c hash_ripemd.c hash_haval.c \
     hash_tiger.c hash_gost.c hash_snefru.c hash_whirlpool.c hash_adler32.c \
-    hash_crc32.c hash_fnv.c hash_joaat.c hash_sha3.c"
+    hash_crc32.c hash_fnv.c hash_joaat.c hash_sha3.c $EXT_HASH_SHA3_SOURCES"
   EXT_HASH_HEADERS="php_hash.h php_hash_md.h php_hash_sha.h php_hash_ripemd.h \
     php_hash_haval.h php_hash_tiger.h php_hash_gost.h php_hash_snefru.h \
     php_hash_whirlpool.h php_hash_adler32.h php_hash_crc32.h \
     php_hash_fnv.h php_hash_joaat.h php_hash_sha3.h"
 
-  PHP_NEW_EXTENSION(hash, $EXT_HASH_SOURCES, $ext_shared)
+  PHP_NEW_EXTENSION(hash, $EXT_HASH_SOURCES, $ext_shared,,$PHP_HASH_CFLAGS)
   ifdef([PHP_INSTALL_HEADERS], [
   	PHP_INSTALL_HEADERS(ext/hash, $EXT_HASH_HEADERS)
   ])

ext/hash/config.w32

@@ -12,13 +12,24 @@ if (PHP_MHASH != "no") {
 }
 
 if (PHP_HASH != "no") {
-	AC_DEFINE('HAVE_HASH_EXT', 1);
-	EXTENSION("hash", "hash.c hash_md.c hash_sha.c hash_ripemd.c hash_haval.c "
-		+ "hash_tiger.c hash_gost.c hash_snefru.c hash_whirlpool.c "
-		+ "hash_adler32.c hash_crc32.c hash_joaat.c hash_fnv.c hash_sha3.c");
+	var sha3_arch_dir = "sha3/" + (X64 ? "generic64lc" : "generic32lc");
+	var sha3_dir = "ext/hash/" + sha3_arch_dir;
+	if (CHECK_HEADER_ADD_INCLUDE("KeccakHash.h", "CFLAGS_HASH", PHP_HASH + ";" + sha3_dir)) {
+		AC_DEFINE('HAVE_HASH_EXT', 1);
+		EXTENSION("hash", "hash.c hash_md.c hash_sha.c hash_ripemd.c hash_haval.c "
+			+ "hash_tiger.c hash_gost.c hash_snefru.c hash_whirlpool.c "
+			+ "hash_adler32.c hash_crc32.c hash_joaat.c hash_fnv.c hash_sha3.c");
+
+		ADD_SOURCES(sha3_dir, "KeccakHash.c KeccakSponge.c " + (X64 ? "KeccakP-1600-opt64.c" : "KeccakP-1600-inplace32BI.c"),
+			"hash");
+		ADD_FLAG("CFLAGS_HASH", "/DKeccakP200_excluded /DKeccakP400_excluded /DKeccakP800_excluded");
+
 
 		PHP_INSTALL_HEADERS("ext/hash/", "php_hash.h php_hash_md.h php_hash_sha.h php_hash_ripemd.h " +
 		"php_hash_haval.h php_hash_tiger.h php_hash_gost.h php_hash_snefru.h " + 
-		"php_hash_whirlpool.h php_hash_adler32.h php_hash_crc32.h php_hash_sha3.h");
+		"php_hash_whirlpool.h php_hash_adler32.h php_hash_crc32.h php_hash_sha3.h ");
+	} else {
+		WARNING("gd not enabled; libraries and headers not found");
+	}
 }
 

ext/hash/hash_sha3.c

@@ -19,204 +19,41 @@
 #include "php_hash.h"
 #include "php_hash_sha3.h"
 
-#if (defined(__APPLE__) || defined(__APPLE_CC__)) && \
-    (defined(__BIG_ENDIAN__) || defined(__LITTLE_ENDIAN__))
-# if defined(__LITTLE_ENDIAN__)
-#  undef WORDS_BIGENDIAN
-# else
-#  if defined(__BIG_ENDIAN__)
-#   define WORDS_BIGENDIAN
-#  endif
-# endif
-#endif
+#define SUCCESS SHA3_SUCCESS /* Avoid conflict between KeccacHash.h and zend_types.h */
+#include "KeccakHash.h"
 
-static inline uint64_t rol64(uint64_t v, unsigned char b) {
-	return (v << b) | (v >> (64 - b));
-}
-static inline unsigned char idx(unsigned char x, unsigned char y) {
-	return x + (5 * y);
-}
-
-#ifdef WORDS_BIGENDIAN
-static inline uint64_t load64(const unsigned char* x) {
-	char i;
-	uint64_t ret = 0;
-	for (i = 7; i >= 0; --i) {
-		ret <<= 8;
-		ret |= x[i];
-	}
-	return ret;
-}
-static inline void store64(unsigned char* x, uint64_t val) {
-	char i;
-	for (i = 0; i < 8; ++i) {
-		x[i] = val & 0xFF;
-		val >>= 8;
-	}
-}
-static inline void xor64(unsigned char* x, uint64_t val) {
-	char i;
-	for (i = 0; i < 8; ++i) {
-		x[i] ^= val & 0xFF;
-		val >>= 8;
-	}
-}
-# define readLane(x, y)     load64(ctx->state+sizeof(uint64_t)*idx(x, y))
-# define writeLane(x, y, v) store64(ctx->state+sizeof(uint64_t)*idx(x, y), v)
-# define XORLane(x, y, v)   xor64(ctx->state+sizeof(uint64_t)*idx(x, y), v)
-#else
-# define readLane(x, y)     (((uint64_t*)ctx->state)[idx(x,y)])
-# define writeLane(x, y, v) (((uint64_t*)ctx->state)[idx(x,y)] = v)
-# define XORLane(x, y, v)   (((uint64_t*)ctx->state)[idx(x,y)] ^= v)
-#endif
-
-static inline char LFSR86540(unsigned char* pLFSR)
-{
-	unsigned char LFSR = *pLFSR;
-	char result = LFSR & 0x01;
-	if (LFSR & 0x80) {
-		// Primitive polynomial over GF(2): x^8+x^6+x^5+x^4+1
-		LFSR = (LFSR << 1) ^ 0x71;
-	} else {
-		LFSR <<= 1;
-	}
-	*pLFSR = LFSR;
-	return result;
-}
-
-static void permute(PHP_SHA3_CTX* ctx) {
-	unsigned char LFSRstate = 0x01;
-	unsigned char round;
-
-	for (round = 0; round < 24; ++round) {
-		{ // Theta step (see [Keccak Reference, Section 2.3.2])
-			uint64_t C[5], D;
-			unsigned char x, y;
-			for (x = 0; x < 5; ++x) {
-				C[x] = readLane(x, 0) ^ readLane(x, 1) ^
-				readLane(x, 2) ^ readLane(x, 3) ^ readLane(x, 4);
-			}
-			for (x = 0; x < 5; ++x) {
-				D = C[(x+4)%5] ^ rol64(C[(x+1)%5], 1);
-				for (y = 0; y < 5; ++y) {
-					XORLane(x, y, D);
-				}
-			}
-		}
-
-		{ // p and Pi steps (see [Keccak Reference, Sections 2.3.3 and 2.3.4])
-			unsigned char x = 1, y = 0, t;
-			uint64_t current = readLane(x, y);
-			for (t = 0; t < 24; ++t) {
-				unsigned char r = ((t + 1) * (t + 2) / 2) % 64;
-				unsigned char Y = (2*x + 3*y) % 5;
-				uint64_t temp;
-				x = y;
-				y = Y;
-				temp = readLane(x, y);
-				writeLane(x, y, rol64(current, r));
-				current = temp;
-			}
-		}
-
-		{ // X step (see [Keccak Reference, Section 2.3.1])
-			unsigned char x, y;
-			for (y = 0; y < 5; ++y) {
-				uint64_t temp[5];
-				for (x = 0; x < 5; ++x) {
-					temp[x] = readLane(x, y);
-				}
-				for (x = 0; x < 5; ++x) {
-					writeLane(x, y, temp[x] ^((~temp[(x+1)%5]) & temp[(x+2)%5]));
-				}
-			}
-		}
-
-		{ // i step (see [Keccak Reference, Section 2.3.5])
-			unsigned char j;
-			for (j = 0; j < 7; ++j) {
-				if (LFSR86540(&LFSRstate)) {
-					uint64_t bitPos = (1<<j) - 1;
-					XORLane(0, 0, (uint64_t)1 << bitPos);
-				}
-			}
-		}
-	}
-}
 
 // ==========================================================================
 
-static void PHP_SHA3_Init(PHP_SHA3_CTX* ctx,
-                          int bits) {
-	memset(ctx, 0, sizeof(PHP_SHA3_CTX));
-}
-
-static void PHP_SHA3_Update(PHP_SHA3_CTX* ctx,
-                            const unsigned char* buf,
-                            unsigned int count,
-                            size_t block_size) {
-	while (count > 0) {
-		unsigned int len = block_size - ctx->pos;
-		if (len > count) len = count;
-		count -= len;
-		while (len-- > 0) {
-			ctx->state[ctx->pos++] ^= *(buf++);
-		}
-		if (ctx->pos >= block_size) {
-			permute(ctx);
-			ctx->pos = 0;
-		}
-	}
-}
-
-static void PHP_SHA3_Final(unsigned char* digest,
-                           PHP_SHA3_CTX* ctx,
-                           int block_size,
-                           int digest_size) {
-	int len = digest_size;
-
-	// Pad state to finalize
-	ctx->state[ctx->pos++] ^= 0x06;
-	ctx->state[block_size-1] ^= 0x80;
-	permute(ctx);
-
-	// Square output for digest
-	for(;;) {
-		int bs = (len < block_size) ? len : block_size;
-		memcpy(digest, ctx->state, bs);
-		digest += bs;
-		len -= bs;
-		if (!len) break;
-		permute(ctx);
-	}
-
-	// Zero out context
-	memset(ctx, 0, sizeof(PHP_SHA3_CTX));
+static int hash_sha3_copy(const void *ops, void *orig_context, void *dest_context)
+{
+	PHP_SHA3_CTX* orig = (PHP_SHA3_CTX*)orig_context;
+	PHP_SHA3_CTX* dest = (PHP_SHA3_CTX*)dest_context;
+	memcpy(dest->hashinstance, orig->hashinstance, sizeof(Keccak_HashInstance));
+	return SUCCESS;
 }
 
-// ==========================================================================
-
 #define DECLARE_SHA3_OPS(bits) \
 void PHP_SHA3##bits##Init(PHP_SHA3_##bits##_CTX* ctx) { \
-	PHP_SHA3_Init(ctx, bits); \
+	ctx->hashinstance = emalloc(sizeof(Keccak_HashInstance)); \
+	Keccak_HashInitialize_SHA3_##bits((Keccak_HashInstance *)ctx->hashinstance); \
 } \
 void PHP_SHA3##bits##Update(PHP_SHA3_##bits##_CTX* ctx, \
                             const unsigned char* input, \
                             unsigned int inputLen) { \
-	PHP_SHA3_Update(ctx, input, inputLen, \
-                    (1600 - (2 * bits)) >> 3); \
+	Keccak_HashUpdate((Keccak_HashInstance *)ctx->hashinstance, input, inputLen * 8); \
 } \
 void PHP_SHA3##bits##Final(unsigned char* digest, \
                            PHP_SHA3_##bits##_CTX* ctx) { \
-	PHP_SHA3_Final(digest, ctx, \
-                   (1600 - (2 * bits)) >> 3, \
-                   bits >> 3); \
+	Keccak_HashFinal((Keccak_HashInstance *)ctx->hashinstance, digest); \
+	efree(ctx->hashinstance); \
+	ctx->hashinstance = NULL; \
 } \
 const php_hash_ops php_hash_sha3_##bits##_ops = { \
 	(php_hash_init_func_t) PHP_SHA3##bits##Init, \
 	(php_hash_update_func_t) PHP_SHA3##bits##Update, \
 	(php_hash_final_func_t) PHP_SHA3##bits##Final, \
-	php_hash_copy, \
+	hash_sha3_copy, \
 	bits >> 3, \
 	(1600 - (2 * bits)) >> 3, \
 	sizeof(PHP_SHA3_##bits##_CTX), \

ext/hash/php_hash_sha3.h

@@ -22,8 +22,7 @@
 #include "php.h"
 
 typedef struct {
-	unsigned char state[200]; // 5 * 5 * sizeof(uint64)
-	uint32_t pos;
+	void *hashinstance;
 } PHP_SHA3_CTX;
 
 typedef PHP_SHA3_CTX PHP_SHA3_224_CTX;

ext/hash/sha3/generic32lc/KeccakHash.c

@@ -0,0 +1,80 @@
+/*
+Implementation by the Keccak, Keyak and Ketje Teams, namely, Guido Bertoni,
+Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer, hereby
+denoted as "the implementer".
+
+For more information, feedback or questions, please refer to our websites:
+http://keccak.noekeon.org/
+http://keyak.noekeon.org/
+http://ketje.noekeon.org/
+
+To the extent possible under law, the implementer has waived all copyright
+and related or neighboring rights to the source code in this file.
+http://creativecommons.org/publicdomain/zero/1.0/
+*/
+
+#include <string.h>
+#include "KeccakHash.h"
+
+/* ---------------------------------------------------------------- */
+
+HashReturn Keccak_HashInitialize(Keccak_HashInstance *instance, unsigned int rate, unsigned int capacity, unsigned int hashbitlen, unsigned char delimitedSuffix)
+{
+    HashReturn result;
+
+    if (delimitedSuffix == 0)
+        return FAIL;
+    result = (HashReturn)KeccakWidth1600_SpongeInitialize(&instance->sponge, rate, capacity);
+    if (result != SUCCESS)
+        return result;
+    instance->fixedOutputLength = hashbitlen;
+    instance->delimitedSuffix = delimitedSuffix;
+    return SUCCESS;
+}
+
+/* ---------------------------------------------------------------- */
+
+HashReturn Keccak_HashUpdate(Keccak_HashInstance *instance, const BitSequence *data, DataLength databitlen)
+{
+    if ((databitlen % 8) == 0)
+        return (HashReturn)KeccakWidth1600_SpongeAbsorb(&instance->sponge, data, databitlen/8);
+    else {
+        HashReturn ret = (HashReturn)KeccakWidth1600_SpongeAbsorb(&instance->sponge, data, databitlen/8);
+        if (ret == SUCCESS) {
+            /* The last partial byte is assumed to be aligned on the least significant bits */
+            unsigned char lastByte = data[databitlen/8];
+            /* Concatenate the last few bits provided here with those of the suffix */
+            unsigned short delimitedLastBytes = (unsigned short)((unsigned short)lastByte | ((unsigned short)instance->delimitedSuffix << (databitlen % 8)));
+            if ((delimitedLastBytes & 0xFF00) == 0x0000) {
+                instance->delimitedSuffix = delimitedLastBytes & 0xFF;
+            }
+            else {
+                unsigned char oneByte[1];
+                oneByte[0] = delimitedLastBytes & 0xFF;
+                ret = (HashReturn)KeccakWidth1600_SpongeAbsorb(&instance->sponge, oneByte, 1);
+                instance->delimitedSuffix = (delimitedLastBytes >> 8) & 0xFF;
+            }
+        }
+        return ret;
+    }
+}
+
+/* ---------------------------------------------------------------- */
+
+HashReturn Keccak_HashFinal(Keccak_HashInstance *instance, BitSequence *hashval)
+{
+    HashReturn ret = (HashReturn)KeccakWidth1600_SpongeAbsorbLastFewBits(&instance->sponge, instance->delimitedSuffix);
+    if (ret == SUCCESS)
+        return (HashReturn)KeccakWidth1600_SpongeSqueeze(&instance->sponge, hashval, instance->fixedOutputLength/8);
+    else
+        return ret;
+}
+
+/* ---------------------------------------------------------------- */
+
+HashReturn Keccak_HashSqueeze(Keccak_HashInstance *instance, BitSequence *data, DataLength databitlen)
+{
+    if ((databitlen % 8) != 0)
+        return FAIL;
+    return (HashReturn)KeccakWidth1600_SpongeSqueeze(&instance->sponge, data, databitlen/8);
+}