1 /* sha512.c - Functions to compute SHA512 and SHA384 message digest of files or
2 memory blocks according to the NIST specification FIPS-180-2.
3
4 Copyright (C) 2005-2006, 2008-2020 Free Software Foundation, Inc.
5
6 This program is free software: you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation, either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <https://www.gnu.org/licenses/>. */
18
19 /* Written by David Madore, considerably copypasting from
20 Scott G. Miller's sha1.c
21 */
22
23 #include <config.h>
24
25 #if HAVE_OPENSSL_SHA512
26 # define GL_OPENSSL_INLINE _GL_EXTERN_INLINE
27 #endif
28 #include "sha512.h"
29
30 #include <stdalign.h>
31 #include <stdint.h>
32 #include <stdlib.h>
33 #include <string.h>
34
35 #if USE_UNLOCKED_IO
36 # include "unlocked-io.h"
37 #endif
38
39 #include <byteswap.h>
40 #ifdef WORDS_BIGENDIAN
41 # define SWAP(n) (n)
42 #else
43 # define SWAP(n) bswap_64 (n)
44 #endif
45
46 #define BLOCKSIZE 32768
47 #if BLOCKSIZE % 128 != 0
48 # error "invalid BLOCKSIZE"
49 #endif
50
51 #if ! HAVE_OPENSSL_SHA512
52 /* This array contains the bytes used to pad the buffer to the next
53 128-byte boundary. */
54 static const unsigned char fillbuf[128] = { 0x80, 0 /* , 0, 0, ... */ };
55
56
57 /*
58 Takes a pointer to a 512 bit block of data (eight 64 bit ints) and
59 initializes it to the start constants of the SHA512 algorithm. This
60 must be called before using hash in the call to sha512_hash
61 */
62 void
sha512_init_ctx(struct sha512_ctx * ctx)63 sha512_init_ctx (struct sha512_ctx *ctx)
64 {
65 ctx->state[0] = u64hilo (0x6a09e667, 0xf3bcc908);
66 ctx->state[1] = u64hilo (0xbb67ae85, 0x84caa73b);
67 ctx->state[2] = u64hilo (0x3c6ef372, 0xfe94f82b);
68 ctx->state[3] = u64hilo (0xa54ff53a, 0x5f1d36f1);
69 ctx->state[4] = u64hilo (0x510e527f, 0xade682d1);
70 ctx->state[5] = u64hilo (0x9b05688c, 0x2b3e6c1f);
71 ctx->state[6] = u64hilo (0x1f83d9ab, 0xfb41bd6b);
72 ctx->state[7] = u64hilo (0x5be0cd19, 0x137e2179);
73
74 ctx->total[0] = ctx->total[1] = u64lo (0);
75 ctx->buflen = 0;
76 }
77
78 void
sha384_init_ctx(struct sha512_ctx * ctx)79 sha384_init_ctx (struct sha512_ctx *ctx)
80 {
81 ctx->state[0] = u64hilo (0xcbbb9d5d, 0xc1059ed8);
82 ctx->state[1] = u64hilo (0x629a292a, 0x367cd507);
83 ctx->state[2] = u64hilo (0x9159015a, 0x3070dd17);
84 ctx->state[3] = u64hilo (0x152fecd8, 0xf70e5939);
85 ctx->state[4] = u64hilo (0x67332667, 0xffc00b31);
86 ctx->state[5] = u64hilo (0x8eb44a87, 0x68581511);
87 ctx->state[6] = u64hilo (0xdb0c2e0d, 0x64f98fa7);
88 ctx->state[7] = u64hilo (0x47b5481d, 0xbefa4fa4);
89
90 ctx->total[0] = ctx->total[1] = u64lo (0);
91 ctx->buflen = 0;
92 }
93
94 /* Copy the value from V into the memory location pointed to by *CP,
95 If your architecture allows unaligned access, this is equivalent to
96 * (__typeof__ (v) *) cp = v */
97 static void
set_uint64(char * cp,u64 v)98 set_uint64 (char *cp, u64 v)
99 {
100 memcpy (cp, &v, sizeof v);
101 }
102
103 /* Put result from CTX in first 64 bytes following RESBUF.
104 The result must be in little endian byte order. */
105 void *
sha512_read_ctx(const struct sha512_ctx * ctx,void * resbuf)106 sha512_read_ctx (const struct sha512_ctx *ctx, void *resbuf)
107 {
108 int i;
109 char *r = resbuf;
110
111 for (i = 0; i < 8; i++)
112 set_uint64 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
113
114 return resbuf;
115 }
116
117 void *
sha384_read_ctx(const struct sha512_ctx * ctx,void * resbuf)118 sha384_read_ctx (const struct sha512_ctx *ctx, void *resbuf)
119 {
120 int i;
121 char *r = resbuf;
122
123 for (i = 0; i < 6; i++)
124 set_uint64 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
125
126 return resbuf;
127 }
128
129 /* Process the remaining bytes in the internal buffer and the usual
130 prolog according to the standard and write the result to RESBUF. */
131 static void
sha512_conclude_ctx(struct sha512_ctx * ctx)132 sha512_conclude_ctx (struct sha512_ctx *ctx)
133 {
134 /* Take yet unprocessed bytes into account. */
135 size_t bytes = ctx->buflen;
136 size_t size = (bytes < 112) ? 128 / 8 : 128 * 2 / 8;
137
138 /* Now count remaining bytes. */
139 ctx->total[0] = u64plus (ctx->total[0], u64lo (bytes));
140 if (u64lt (ctx->total[0], u64lo (bytes)))
141 ctx->total[1] = u64plus (ctx->total[1], u64lo (1));
142
143 /* Put the 128-bit file length in *bits* at the end of the buffer.
144 Use set_uint64 rather than a simple assignment, to avoid risk of
145 unaligned access. */
146 set_uint64 ((char *) &ctx->buffer[size - 2],
147 SWAP (u64or (u64shl (ctx->total[1], 3),
148 u64shr (ctx->total[0], 61))));
149 set_uint64 ((char *) &ctx->buffer[size - 1],
150 SWAP (u64shl (ctx->total[0], 3)));
151
152 memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 8 - bytes);
153
154 /* Process last bytes. */
155 sha512_process_block (ctx->buffer, size * 8, ctx);
156 }
157
158 void *
sha512_finish_ctx(struct sha512_ctx * ctx,void * resbuf)159 sha512_finish_ctx (struct sha512_ctx *ctx, void *resbuf)
160 {
161 sha512_conclude_ctx (ctx);
162 return sha512_read_ctx (ctx, resbuf);
163 }
164
165 void *
sha384_finish_ctx(struct sha512_ctx * ctx,void * resbuf)166 sha384_finish_ctx (struct sha512_ctx *ctx, void *resbuf)
167 {
168 sha512_conclude_ctx (ctx);
169 return sha384_read_ctx (ctx, resbuf);
170 }
171 #endif
172
173 #ifdef GL_COMPILE_CRYPTO_STREAM
174
175 #include "af_alg.h"
176
177 /* Compute message digest for bytes read from STREAM using algorithm ALG.
178 Write the message digest into RESBLOCK, which contains HASHLEN bytes.
179 The initial and finishing operations are INIT_CTX and FINISH_CTX.
180 Return zero if and only if successful. */
181 static int
shaxxx_stream(FILE * stream,char const * alg,void * resblock,ssize_t hashlen,void (* init_ctx)(struct sha512_ctx *),void * (* finish_ctx)(struct sha512_ctx *,void *))182 shaxxx_stream (FILE *stream, char const *alg, void *resblock,
183 ssize_t hashlen, void (*init_ctx) (struct sha512_ctx *),
184 void *(*finish_ctx) (struct sha512_ctx *, void *))
185 {
186 switch (afalg_stream (stream, alg, resblock, hashlen))
187 {
188 case 0: return 0;
189 case -EIO: return 1;
190 }
191
192 char *buffer = malloc (BLOCKSIZE + 72);
193 if (!buffer)
194 return 1;
195
196 struct sha512_ctx ctx;
197 init_ctx (&ctx);
198 size_t sum;
199
200 /* Iterate over full file contents. */
201 while (1)
202 {
203 /* We read the file in blocks of BLOCKSIZE bytes. One call of the
204 computation function processes the whole buffer so that with the
205 next round of the loop another block can be read. */
206 size_t n;
207 sum = 0;
208
209 /* Read block. Take care for partial reads. */
210 while (1)
211 {
212 /* Either process a partial fread() from this loop,
213 or the fread() in afalg_stream may have gotten EOF.
214 We need to avoid a subsequent fread() as EOF may
215 not be sticky. For details of such systems, see:
216 https://sourceware.org/bugzilla/show_bug.cgi?id=1190 */
217 if (feof (stream))
218 goto process_partial_block;
219
220 n = fread (buffer + sum, 1, BLOCKSIZE - sum, stream);
221
222 sum += n;
223
224 if (sum == BLOCKSIZE)
225 break;
226
227 if (n == 0)
228 {
229 /* Check for the error flag IFF N == 0, so that we don't
230 exit the loop after a partial read due to e.g., EAGAIN
231 or EWOULDBLOCK. */
232 if (ferror (stream))
233 {
234 free (buffer);
235 return 1;
236 }
237 goto process_partial_block;
238 }
239 }
240
241 /* Process buffer with BLOCKSIZE bytes. Note that
242 BLOCKSIZE % 128 == 0
243 */
244 sha512_process_block (buffer, BLOCKSIZE, &ctx);
245 }
246
247 process_partial_block:;
248
249 /* Process any remaining bytes. */
250 if (sum > 0)
251 sha512_process_bytes (buffer, sum, &ctx);
252
253 /* Construct result in desired memory. */
254 finish_ctx (&ctx, resblock);
255 free (buffer);
256 return 0;
257 }
258
259 int
sha512_stream(FILE * stream,void * resblock)260 sha512_stream (FILE *stream, void *resblock)
261 {
262 return shaxxx_stream (stream, "sha512", resblock, SHA512_DIGEST_SIZE,
263 sha512_init_ctx, sha512_finish_ctx);
264 }
265
266 int
sha384_stream(FILE * stream,void * resblock)267 sha384_stream (FILE *stream, void *resblock)
268 {
269 return shaxxx_stream (stream, "sha384", resblock, SHA384_DIGEST_SIZE,
270 sha384_init_ctx, sha384_finish_ctx);
271 }
272 #endif
273
274 #if ! HAVE_OPENSSL_SHA512
275 /* Compute SHA512 message digest for LEN bytes beginning at BUFFER. The
276 result is always in little endian byte order, so that a byte-wise
277 output yields to the wanted ASCII representation of the message
278 digest. */
279 void *
sha512_buffer(const char * buffer,size_t len,void * resblock)280 sha512_buffer (const char *buffer, size_t len, void *resblock)
281 {
282 struct sha512_ctx ctx;
283
284 /* Initialize the computation context. */
285 sha512_init_ctx (&ctx);
286
287 /* Process whole buffer but last len % 128 bytes. */
288 sha512_process_bytes (buffer, len, &ctx);
289
290 /* Put result in desired memory area. */
291 return sha512_finish_ctx (&ctx, resblock);
292 }
293
294 void *
sha384_buffer(const char * buffer,size_t len,void * resblock)295 sha384_buffer (const char *buffer, size_t len, void *resblock)
296 {
297 struct sha512_ctx ctx;
298
299 /* Initialize the computation context. */
300 sha384_init_ctx (&ctx);
301
302 /* Process whole buffer but last len % 128 bytes. */
303 sha512_process_bytes (buffer, len, &ctx);
304
305 /* Put result in desired memory area. */
306 return sha384_finish_ctx (&ctx, resblock);
307 }
308
309 void
sha512_process_bytes(const void * buffer,size_t len,struct sha512_ctx * ctx)310 sha512_process_bytes (const void *buffer, size_t len, struct sha512_ctx *ctx)
311 {
312 /* When we already have some bits in our internal buffer concatenate
313 both inputs first. */
314 if (ctx->buflen != 0)
315 {
316 size_t left_over = ctx->buflen;
317 size_t add = 256 - left_over > len ? len : 256 - left_over;
318
319 memcpy (&((char *) ctx->buffer)[left_over], buffer, add);
320 ctx->buflen += add;
321
322 if (ctx->buflen > 128)
323 {
324 sha512_process_block (ctx->buffer, ctx->buflen & ~127, ctx);
325
326 ctx->buflen &= 127;
327 /* The regions in the following copy operation cannot overlap,
328 because ctx->buflen < 128 ≤ (left_over + add) & ~127. */
329 memcpy (ctx->buffer,
330 &((char *) ctx->buffer)[(left_over + add) & ~127],
331 ctx->buflen);
332 }
333
334 buffer = (const char *) buffer + add;
335 len -= add;
336 }
337
338 /* Process available complete blocks. */
339 if (len >= 128)
340 {
341 #if !(_STRING_ARCH_unaligned || _STRING_INLINE_unaligned)
342 # define UNALIGNED_P(p) ((uintptr_t) (p) % alignof (u64) != 0)
343 if (UNALIGNED_P (buffer))
344 while (len > 128)
345 {
346 sha512_process_block (memcpy (ctx->buffer, buffer, 128), 128, ctx);
347 buffer = (const char *) buffer + 128;
348 len -= 128;
349 }
350 else
351 #endif
352 {
353 sha512_process_block (buffer, len & ~127, ctx);
354 buffer = (const char *) buffer + (len & ~127);
355 len &= 127;
356 }
357 }
358
359 /* Move remaining bytes in internal buffer. */
360 if (len > 0)
361 {
362 size_t left_over = ctx->buflen;
363
364 memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
365 left_over += len;
366 if (left_over >= 128)
367 {
368 sha512_process_block (ctx->buffer, 128, ctx);
369 left_over -= 128;
370 /* The regions in the following copy operation cannot overlap,
371 because left_over ≤ 128. */
372 memcpy (ctx->buffer, &ctx->buffer[16], left_over);
373 }
374 ctx->buflen = left_over;
375 }
376 }
377
378 /* --- Code below is the primary difference between sha1.c and sha512.c --- */
379
380 /* SHA512 round constants */
381 #define K(I) sha512_round_constants[I]
382 static u64 const sha512_round_constants[80] = {
383 u64init (0x428a2f98, 0xd728ae22), u64init (0x71374491, 0x23ef65cd),
384 u64init (0xb5c0fbcf, 0xec4d3b2f), u64init (0xe9b5dba5, 0x8189dbbc),
385 u64init (0x3956c25b, 0xf348b538), u64init (0x59f111f1, 0xb605d019),
386 u64init (0x923f82a4, 0xaf194f9b), u64init (0xab1c5ed5, 0xda6d8118),
387 u64init (0xd807aa98, 0xa3030242), u64init (0x12835b01, 0x45706fbe),
388 u64init (0x243185be, 0x4ee4b28c), u64init (0x550c7dc3, 0xd5ffb4e2),
389 u64init (0x72be5d74, 0xf27b896f), u64init (0x80deb1fe, 0x3b1696b1),
390 u64init (0x9bdc06a7, 0x25c71235), u64init (0xc19bf174, 0xcf692694),
391 u64init (0xe49b69c1, 0x9ef14ad2), u64init (0xefbe4786, 0x384f25e3),
392 u64init (0x0fc19dc6, 0x8b8cd5b5), u64init (0x240ca1cc, 0x77ac9c65),
393 u64init (0x2de92c6f, 0x592b0275), u64init (0x4a7484aa, 0x6ea6e483),
394 u64init (0x5cb0a9dc, 0xbd41fbd4), u64init (0x76f988da, 0x831153b5),
395 u64init (0x983e5152, 0xee66dfab), u64init (0xa831c66d, 0x2db43210),
396 u64init (0xb00327c8, 0x98fb213f), u64init (0xbf597fc7, 0xbeef0ee4),
397 u64init (0xc6e00bf3, 0x3da88fc2), u64init (0xd5a79147, 0x930aa725),
398 u64init (0x06ca6351, 0xe003826f), u64init (0x14292967, 0x0a0e6e70),
399 u64init (0x27b70a85, 0x46d22ffc), u64init (0x2e1b2138, 0x5c26c926),
400 u64init (0x4d2c6dfc, 0x5ac42aed), u64init (0x53380d13, 0x9d95b3df),
401 u64init (0x650a7354, 0x8baf63de), u64init (0x766a0abb, 0x3c77b2a8),
402 u64init (0x81c2c92e, 0x47edaee6), u64init (0x92722c85, 0x1482353b),
403 u64init (0xa2bfe8a1, 0x4cf10364), u64init (0xa81a664b, 0xbc423001),
404 u64init (0xc24b8b70, 0xd0f89791), u64init (0xc76c51a3, 0x0654be30),
405 u64init (0xd192e819, 0xd6ef5218), u64init (0xd6990624, 0x5565a910),
406 u64init (0xf40e3585, 0x5771202a), u64init (0x106aa070, 0x32bbd1b8),
407 u64init (0x19a4c116, 0xb8d2d0c8), u64init (0x1e376c08, 0x5141ab53),
408 u64init (0x2748774c, 0xdf8eeb99), u64init (0x34b0bcb5, 0xe19b48a8),
409 u64init (0x391c0cb3, 0xc5c95a63), u64init (0x4ed8aa4a, 0xe3418acb),
410 u64init (0x5b9cca4f, 0x7763e373), u64init (0x682e6ff3, 0xd6b2b8a3),
411 u64init (0x748f82ee, 0x5defb2fc), u64init (0x78a5636f, 0x43172f60),
412 u64init (0x84c87814, 0xa1f0ab72), u64init (0x8cc70208, 0x1a6439ec),
413 u64init (0x90befffa, 0x23631e28), u64init (0xa4506ceb, 0xde82bde9),
414 u64init (0xbef9a3f7, 0xb2c67915), u64init (0xc67178f2, 0xe372532b),
415 u64init (0xca273ece, 0xea26619c), u64init (0xd186b8c7, 0x21c0c207),
416 u64init (0xeada7dd6, 0xcde0eb1e), u64init (0xf57d4f7f, 0xee6ed178),
417 u64init (0x06f067aa, 0x72176fba), u64init (0x0a637dc5, 0xa2c898a6),
418 u64init (0x113f9804, 0xbef90dae), u64init (0x1b710b35, 0x131c471b),
419 u64init (0x28db77f5, 0x23047d84), u64init (0x32caab7b, 0x40c72493),
420 u64init (0x3c9ebe0a, 0x15c9bebc), u64init (0x431d67c4, 0x9c100d4c),
421 u64init (0x4cc5d4be, 0xcb3e42b6), u64init (0x597f299c, 0xfc657e2a),
422 u64init (0x5fcb6fab, 0x3ad6faec), u64init (0x6c44198c, 0x4a475817),
423 };
424
425 /* Round functions. */
426 #define F2(A, B, C) u64or (u64and (A, B), u64and (C, u64or (A, B)))
427 #define F1(E, F, G) u64xor (G, u64and (E, u64xor (F, G)))
428
429 /* Process LEN bytes of BUFFER, accumulating context into CTX.
430 It is assumed that LEN % 128 == 0.
431 Most of this code comes from GnuPG's cipher/sha1.c. */
432
433 void
sha512_process_block(const void * buffer,size_t len,struct sha512_ctx * ctx)434 sha512_process_block (const void *buffer, size_t len, struct sha512_ctx *ctx)
435 {
436 u64 const *words = buffer;
437 u64 const *endp = words + len / sizeof (u64);
438 u64 x[16];
439 u64 a = ctx->state[0];
440 u64 b = ctx->state[1];
441 u64 c = ctx->state[2];
442 u64 d = ctx->state[3];
443 u64 e = ctx->state[4];
444 u64 f = ctx->state[5];
445 u64 g = ctx->state[6];
446 u64 h = ctx->state[7];
447 u64 lolen = u64size (len);
448
449 /* First increment the byte count. FIPS PUB 180-2 specifies the possible
450 length of the file up to 2^128 bits. Here we only compute the
451 number of bytes. Do a double word increment. */
452 ctx->total[0] = u64plus (ctx->total[0], lolen);
453 ctx->total[1] = u64plus (ctx->total[1],
454 u64plus (u64size (len >> 31 >> 31 >> 2),
455 u64lo (u64lt (ctx->total[0], lolen))));
456
457 #define S0(x) u64xor (u64rol(x, 63), u64xor (u64rol (x, 56), u64shr (x, 7)))
458 #define S1(x) u64xor (u64rol (x, 45), u64xor (u64rol (x, 3), u64shr (x, 6)))
459 #define SS0(x) u64xor (u64rol (x, 36), u64xor (u64rol (x, 30), u64rol (x, 25)))
460 #define SS1(x) u64xor (u64rol(x, 50), u64xor (u64rol (x, 46), u64rol (x, 23)))
461
462 #define M(I) (x[(I) & 15] \
463 = u64plus (x[(I) & 15], \
464 u64plus (S1 (x[((I) - 2) & 15]), \
465 u64plus (x[((I) - 7) & 15], \
466 S0 (x[((I) - 15) & 15])))))
467
468 #define R(A, B, C, D, E, F, G, H, K, M) \
469 do \
470 { \
471 u64 t0 = u64plus (SS0 (A), F2 (A, B, C)); \
472 u64 t1 = \
473 u64plus (H, u64plus (SS1 (E), \
474 u64plus (F1 (E, F, G), u64plus (K, M)))); \
475 D = u64plus (D, t1); \
476 H = u64plus (t0, t1); \
477 } \
478 while (0)
479
480 while (words < endp)
481 {
482 int t;
483 /* FIXME: see sha1.c for a better implementation. */
484 for (t = 0; t < 16; t++)
485 {
486 x[t] = SWAP (*words);
487 words++;
488 }
489
490 R( a, b, c, d, e, f, g, h, K( 0), x[ 0] );
491 R( h, a, b, c, d, e, f, g, K( 1), x[ 1] );
492 R( g, h, a, b, c, d, e, f, K( 2), x[ 2] );
493 R( f, g, h, a, b, c, d, e, K( 3), x[ 3] );
494 R( e, f, g, h, a, b, c, d, K( 4), x[ 4] );
495 R( d, e, f, g, h, a, b, c, K( 5), x[ 5] );
496 R( c, d, e, f, g, h, a, b, K( 6), x[ 6] );
497 R( b, c, d, e, f, g, h, a, K( 7), x[ 7] );
498 R( a, b, c, d, e, f, g, h, K( 8), x[ 8] );
499 R( h, a, b, c, d, e, f, g, K( 9), x[ 9] );
500 R( g, h, a, b, c, d, e, f, K(10), x[10] );
501 R( f, g, h, a, b, c, d, e, K(11), x[11] );
502 R( e, f, g, h, a, b, c, d, K(12), x[12] );
503 R( d, e, f, g, h, a, b, c, K(13), x[13] );
504 R( c, d, e, f, g, h, a, b, K(14), x[14] );
505 R( b, c, d, e, f, g, h, a, K(15), x[15] );
506 R( a, b, c, d, e, f, g, h, K(16), M(16) );
507 R( h, a, b, c, d, e, f, g, K(17), M(17) );
508 R( g, h, a, b, c, d, e, f, K(18), M(18) );
509 R( f, g, h, a, b, c, d, e, K(19), M(19) );
510 R( e, f, g, h, a, b, c, d, K(20), M(20) );
511 R( d, e, f, g, h, a, b, c, K(21), M(21) );
512 R( c, d, e, f, g, h, a, b, K(22), M(22) );
513 R( b, c, d, e, f, g, h, a, K(23), M(23) );
514 R( a, b, c, d, e, f, g, h, K(24), M(24) );
515 R( h, a, b, c, d, e, f, g, K(25), M(25) );
516 R( g, h, a, b, c, d, e, f, K(26), M(26) );
517 R( f, g, h, a, b, c, d, e, K(27), M(27) );
518 R( e, f, g, h, a, b, c, d, K(28), M(28) );
519 R( d, e, f, g, h, a, b, c, K(29), M(29) );
520 R( c, d, e, f, g, h, a, b, K(30), M(30) );
521 R( b, c, d, e, f, g, h, a, K(31), M(31) );
522 R( a, b, c, d, e, f, g, h, K(32), M(32) );
523 R( h, a, b, c, d, e, f, g, K(33), M(33) );
524 R( g, h, a, b, c, d, e, f, K(34), M(34) );
525 R( f, g, h, a, b, c, d, e, K(35), M(35) );
526 R( e, f, g, h, a, b, c, d, K(36), M(36) );
527 R( d, e, f, g, h, a, b, c, K(37), M(37) );
528 R( c, d, e, f, g, h, a, b, K(38), M(38) );
529 R( b, c, d, e, f, g, h, a, K(39), M(39) );
530 R( a, b, c, d, e, f, g, h, K(40), M(40) );
531 R( h, a, b, c, d, e, f, g, K(41), M(41) );
532 R( g, h, a, b, c, d, e, f, K(42), M(42) );
533 R( f, g, h, a, b, c, d, e, K(43), M(43) );
534 R( e, f, g, h, a, b, c, d, K(44), M(44) );
535 R( d, e, f, g, h, a, b, c, K(45), M(45) );
536 R( c, d, e, f, g, h, a, b, K(46), M(46) );
537 R( b, c, d, e, f, g, h, a, K(47), M(47) );
538 R( a, b, c, d, e, f, g, h, K(48), M(48) );
539 R( h, a, b, c, d, e, f, g, K(49), M(49) );
540 R( g, h, a, b, c, d, e, f, K(50), M(50) );
541 R( f, g, h, a, b, c, d, e, K(51), M(51) );
542 R( e, f, g, h, a, b, c, d, K(52), M(52) );
543 R( d, e, f, g, h, a, b, c, K(53), M(53) );
544 R( c, d, e, f, g, h, a, b, K(54), M(54) );
545 R( b, c, d, e, f, g, h, a, K(55), M(55) );
546 R( a, b, c, d, e, f, g, h, K(56), M(56) );
547 R( h, a, b, c, d, e, f, g, K(57), M(57) );
548 R( g, h, a, b, c, d, e, f, K(58), M(58) );
549 R( f, g, h, a, b, c, d, e, K(59), M(59) );
550 R( e, f, g, h, a, b, c, d, K(60), M(60) );
551 R( d, e, f, g, h, a, b, c, K(61), M(61) );
552 R( c, d, e, f, g, h, a, b, K(62), M(62) );
553 R( b, c, d, e, f, g, h, a, K(63), M(63) );
554 R( a, b, c, d, e, f, g, h, K(64), M(64) );
555 R( h, a, b, c, d, e, f, g, K(65), M(65) );
556 R( g, h, a, b, c, d, e, f, K(66), M(66) );
557 R( f, g, h, a, b, c, d, e, K(67), M(67) );
558 R( e, f, g, h, a, b, c, d, K(68), M(68) );
559 R( d, e, f, g, h, a, b, c, K(69), M(69) );
560 R( c, d, e, f, g, h, a, b, K(70), M(70) );
561 R( b, c, d, e, f, g, h, a, K(71), M(71) );
562 R( a, b, c, d, e, f, g, h, K(72), M(72) );
563 R( h, a, b, c, d, e, f, g, K(73), M(73) );
564 R( g, h, a, b, c, d, e, f, K(74), M(74) );
565 R( f, g, h, a, b, c, d, e, K(75), M(75) );
566 R( e, f, g, h, a, b, c, d, K(76), M(76) );
567 R( d, e, f, g, h, a, b, c, K(77), M(77) );
568 R( c, d, e, f, g, h, a, b, K(78), M(78) );
569 R( b, c, d, e, f, g, h, a, K(79), M(79) );
570
571 a = ctx->state[0] = u64plus (ctx->state[0], a);
572 b = ctx->state[1] = u64plus (ctx->state[1], b);
573 c = ctx->state[2] = u64plus (ctx->state[2], c);
574 d = ctx->state[3] = u64plus (ctx->state[3], d);
575 e = ctx->state[4] = u64plus (ctx->state[4], e);
576 f = ctx->state[5] = u64plus (ctx->state[5], f);
577 g = ctx->state[6] = u64plus (ctx->state[6], g);
578 h = ctx->state[7] = u64plus (ctx->state[7], h);
579 }
580 }
581 #endif
582
583 /*
584 * Hey Emacs!
585 * Local Variables:
586 * coding: utf-8
587 * End:
588 */
589