12a6b7db3Sskrll /* sha1.c - Functions to compute SHA1 message digest of files or
22a6b7db3Sskrll memory blocks according to the NIST specification FIPS-180-1.
32a6b7db3Sskrll
4*f22f0ef4Schristos Copyright (C) 2000-2022 Free Software Foundation, Inc.
52a6b7db3Sskrll
62a6b7db3Sskrll This program is free software; you can redistribute it and/or modify it
72a6b7db3Sskrll under the terms of the GNU General Public License as published by the
82a6b7db3Sskrll Free Software Foundation; either version 2, or (at your option) any
92a6b7db3Sskrll later version.
102a6b7db3Sskrll
112a6b7db3Sskrll This program is distributed in the hope that it will be useful,
122a6b7db3Sskrll but WITHOUT ANY WARRANTY; without even the implied warranty of
132a6b7db3Sskrll MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
142a6b7db3Sskrll GNU General Public License for more details.
152a6b7db3Sskrll
162a6b7db3Sskrll You should have received a copy of the GNU General Public License
172a6b7db3Sskrll along with this program; if not, write to the Free Software Foundation,
182a6b7db3Sskrll Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */
192a6b7db3Sskrll
202a6b7db3Sskrll /* Written by Scott G. Miller
212a6b7db3Sskrll Credits:
222a6b7db3Sskrll Robert Klep <robert@ilse.nl> -- Expansion function fix
232a6b7db3Sskrll */
242a6b7db3Sskrll
252a6b7db3Sskrll #include <config.h>
262a6b7db3Sskrll
272a6b7db3Sskrll #include "sha1.h"
282a6b7db3Sskrll
292a6b7db3Sskrll #include <stddef.h>
302a6b7db3Sskrll #include <string.h>
312a6b7db3Sskrll
322a6b7db3Sskrll #if USE_UNLOCKED_IO
332a6b7db3Sskrll # include "unlocked-io.h"
342a6b7db3Sskrll #endif
352a6b7db3Sskrll
362a6b7db3Sskrll #ifdef WORDS_BIGENDIAN
372a6b7db3Sskrll # define SWAP(n) (n)
382a6b7db3Sskrll #else
392a6b7db3Sskrll # define SWAP(n) \
402a6b7db3Sskrll (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
412a6b7db3Sskrll #endif
422a6b7db3Sskrll
432a6b7db3Sskrll #define BLOCKSIZE 4096
442a6b7db3Sskrll #if BLOCKSIZE % 64 != 0
452a6b7db3Sskrll # error "invalid BLOCKSIZE"
462a6b7db3Sskrll #endif
472a6b7db3Sskrll
482a6b7db3Sskrll /* This array contains the bytes used to pad the buffer to the next
492a6b7db3Sskrll 64-byte boundary. (RFC 1321, 3.1: Step 1) */
502a6b7db3Sskrll static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ };
512a6b7db3Sskrll
522a6b7db3Sskrll
532a6b7db3Sskrll /* Take a pointer to a 160 bit block of data (five 32 bit ints) and
542a6b7db3Sskrll initialize it to the start constants of the SHA1 algorithm. This
552a6b7db3Sskrll must be called before using hash in the call to sha1_hash. */
562a6b7db3Sskrll void
sha1_init_ctx(struct sha1_ctx * ctx)572a6b7db3Sskrll sha1_init_ctx (struct sha1_ctx *ctx)
582a6b7db3Sskrll {
592a6b7db3Sskrll ctx->A = 0x67452301;
602a6b7db3Sskrll ctx->B = 0xefcdab89;
612a6b7db3Sskrll ctx->C = 0x98badcfe;
622a6b7db3Sskrll ctx->D = 0x10325476;
632a6b7db3Sskrll ctx->E = 0xc3d2e1f0;
642a6b7db3Sskrll
652a6b7db3Sskrll ctx->total[0] = ctx->total[1] = 0;
662a6b7db3Sskrll ctx->buflen = 0;
672a6b7db3Sskrll }
682a6b7db3Sskrll
692a6b7db3Sskrll /* Put result from CTX in first 20 bytes following RESBUF. The result
702a6b7db3Sskrll must be in little endian byte order.
712a6b7db3Sskrll
722a6b7db3Sskrll IMPORTANT: On some systems it is required that RESBUF is correctly
732a6b7db3Sskrll aligned for a 32-bit value. */
742a6b7db3Sskrll void *
sha1_read_ctx(const struct sha1_ctx * ctx,void * resbuf)752a6b7db3Sskrll sha1_read_ctx (const struct sha1_ctx *ctx, void *resbuf)
762a6b7db3Sskrll {
772a6b7db3Sskrll ((sha1_uint32 *) resbuf)[0] = SWAP (ctx->A);
782a6b7db3Sskrll ((sha1_uint32 *) resbuf)[1] = SWAP (ctx->B);
792a6b7db3Sskrll ((sha1_uint32 *) resbuf)[2] = SWAP (ctx->C);
802a6b7db3Sskrll ((sha1_uint32 *) resbuf)[3] = SWAP (ctx->D);
812a6b7db3Sskrll ((sha1_uint32 *) resbuf)[4] = SWAP (ctx->E);
822a6b7db3Sskrll
832a6b7db3Sskrll return resbuf;
842a6b7db3Sskrll }
852a6b7db3Sskrll
862a6b7db3Sskrll /* Process the remaining bytes in the internal buffer and the usual
872a6b7db3Sskrll prolog according to the standard and write the result to RESBUF.
882a6b7db3Sskrll
892a6b7db3Sskrll IMPORTANT: On some systems it is required that RESBUF is correctly
902a6b7db3Sskrll aligned for a 32-bit value. */
912a6b7db3Sskrll void *
sha1_finish_ctx(struct sha1_ctx * ctx,void * resbuf)922a6b7db3Sskrll sha1_finish_ctx (struct sha1_ctx *ctx, void *resbuf)
932a6b7db3Sskrll {
942a6b7db3Sskrll /* Take yet unprocessed bytes into account. */
952a6b7db3Sskrll sha1_uint32 bytes = ctx->buflen;
962a6b7db3Sskrll size_t size = (bytes < 56) ? 64 / 4 : 64 * 2 / 4;
972a6b7db3Sskrll
982a6b7db3Sskrll /* Now count remaining bytes. */
992a6b7db3Sskrll ctx->total[0] += bytes;
1002a6b7db3Sskrll if (ctx->total[0] < bytes)
1012a6b7db3Sskrll ++ctx->total[1];
1022a6b7db3Sskrll
1032a6b7db3Sskrll /* Put the 64-bit file length in *bits* at the end of the buffer. */
1042a6b7db3Sskrll ctx->buffer[size - 2] = SWAP ((ctx->total[1] << 3) | (ctx->total[0] >> 29));
1052a6b7db3Sskrll ctx->buffer[size - 1] = SWAP (ctx->total[0] << 3);
1062a6b7db3Sskrll
1072a6b7db3Sskrll memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 4 - bytes);
1082a6b7db3Sskrll
1092a6b7db3Sskrll /* Process last bytes. */
1102a6b7db3Sskrll sha1_process_block (ctx->buffer, size * 4, ctx);
1112a6b7db3Sskrll
1122a6b7db3Sskrll return sha1_read_ctx (ctx, resbuf);
1132a6b7db3Sskrll }
1142a6b7db3Sskrll
1152a6b7db3Sskrll /* Compute SHA1 message digest for bytes read from STREAM. The
1162a6b7db3Sskrll resulting message digest number will be written into the 16 bytes
1172a6b7db3Sskrll beginning at RESBLOCK. */
1182a6b7db3Sskrll int
sha1_stream(FILE * stream,void * resblock)1192a6b7db3Sskrll sha1_stream (FILE *stream, void *resblock)
1202a6b7db3Sskrll {
1212a6b7db3Sskrll struct sha1_ctx ctx;
1222a6b7db3Sskrll char buffer[BLOCKSIZE + 72];
1232a6b7db3Sskrll size_t sum;
1242a6b7db3Sskrll
1252a6b7db3Sskrll /* Initialize the computation context. */
1262a6b7db3Sskrll sha1_init_ctx (&ctx);
1272a6b7db3Sskrll
1282a6b7db3Sskrll /* Iterate over full file contents. */
1292a6b7db3Sskrll while (1)
1302a6b7db3Sskrll {
1312a6b7db3Sskrll /* We read the file in blocks of BLOCKSIZE bytes. One call of the
1322a6b7db3Sskrll computation function processes the whole buffer so that with the
1332a6b7db3Sskrll next round of the loop another block can be read. */
1342a6b7db3Sskrll size_t n;
1352a6b7db3Sskrll sum = 0;
1362a6b7db3Sskrll
1372a6b7db3Sskrll /* Read block. Take care for partial reads. */
1382a6b7db3Sskrll while (1)
1392a6b7db3Sskrll {
1402a6b7db3Sskrll n = fread (buffer + sum, 1, BLOCKSIZE - sum, stream);
1412a6b7db3Sskrll
1422a6b7db3Sskrll sum += n;
1432a6b7db3Sskrll
1442a6b7db3Sskrll if (sum == BLOCKSIZE)
1452a6b7db3Sskrll break;
1462a6b7db3Sskrll
1472a6b7db3Sskrll if (n == 0)
1482a6b7db3Sskrll {
1492a6b7db3Sskrll /* Check for the error flag IFF N == 0, so that we don't
1502a6b7db3Sskrll exit the loop after a partial read due to e.g., EAGAIN
1512a6b7db3Sskrll or EWOULDBLOCK. */
1522a6b7db3Sskrll if (ferror (stream))
1532a6b7db3Sskrll return 1;
1542a6b7db3Sskrll goto process_partial_block;
1552a6b7db3Sskrll }
1562a6b7db3Sskrll
1572a6b7db3Sskrll /* We've read at least one byte, so ignore errors. But always
1582a6b7db3Sskrll check for EOF, since feof may be true even though N > 0.
1592a6b7db3Sskrll Otherwise, we could end up calling fread after EOF. */
1602a6b7db3Sskrll if (feof (stream))
1612a6b7db3Sskrll goto process_partial_block;
1622a6b7db3Sskrll }
1632a6b7db3Sskrll
1642a6b7db3Sskrll /* Process buffer with BLOCKSIZE bytes. Note that
1652a6b7db3Sskrll BLOCKSIZE % 64 == 0
1662a6b7db3Sskrll */
1672a6b7db3Sskrll sha1_process_block (buffer, BLOCKSIZE, &ctx);
1682a6b7db3Sskrll }
1692a6b7db3Sskrll
1702a6b7db3Sskrll process_partial_block:;
1712a6b7db3Sskrll
1722a6b7db3Sskrll /* Process any remaining bytes. */
1732a6b7db3Sskrll if (sum > 0)
1742a6b7db3Sskrll sha1_process_bytes (buffer, sum, &ctx);
1752a6b7db3Sskrll
1762a6b7db3Sskrll /* Construct result in desired memory. */
1772a6b7db3Sskrll sha1_finish_ctx (&ctx, resblock);
1782a6b7db3Sskrll return 0;
1792a6b7db3Sskrll }
1802a6b7db3Sskrll
1812a6b7db3Sskrll /* Compute SHA1 message digest for LEN bytes beginning at BUFFER. The
1822a6b7db3Sskrll result is always in little endian byte order, so that a byte-wise
1832a6b7db3Sskrll output yields to the wanted ASCII representation of the message
1842a6b7db3Sskrll digest. */
1852a6b7db3Sskrll void *
sha1_buffer(const char * buffer,size_t len,void * resblock)1862a6b7db3Sskrll sha1_buffer (const char *buffer, size_t len, void *resblock)
1872a6b7db3Sskrll {
1882a6b7db3Sskrll struct sha1_ctx ctx;
1892a6b7db3Sskrll
1902a6b7db3Sskrll /* Initialize the computation context. */
1912a6b7db3Sskrll sha1_init_ctx (&ctx);
1922a6b7db3Sskrll
1932a6b7db3Sskrll /* Process whole buffer but last len % 64 bytes. */
1942a6b7db3Sskrll sha1_process_bytes (buffer, len, &ctx);
1952a6b7db3Sskrll
1962a6b7db3Sskrll /* Put result in desired memory area. */
1972a6b7db3Sskrll return sha1_finish_ctx (&ctx, resblock);
1982a6b7db3Sskrll }
1992a6b7db3Sskrll
2002a6b7db3Sskrll void
sha1_process_bytes(const void * buffer,size_t len,struct sha1_ctx * ctx)2012a6b7db3Sskrll sha1_process_bytes (const void *buffer, size_t len, struct sha1_ctx *ctx)
2022a6b7db3Sskrll {
2032a6b7db3Sskrll /* When we already have some bits in our internal buffer concatenate
2042a6b7db3Sskrll both inputs first. */
2052a6b7db3Sskrll if (ctx->buflen != 0)
2062a6b7db3Sskrll {
2072a6b7db3Sskrll size_t left_over = ctx->buflen;
2082a6b7db3Sskrll size_t add = 128 - left_over > len ? len : 128 - left_over;
2092a6b7db3Sskrll
2102a6b7db3Sskrll memcpy (&((char *) ctx->buffer)[left_over], buffer, add);
2112a6b7db3Sskrll ctx->buflen += add;
2122a6b7db3Sskrll
2132a6b7db3Sskrll if (ctx->buflen > 64)
2142a6b7db3Sskrll {
2152a6b7db3Sskrll sha1_process_block (ctx->buffer, ctx->buflen & ~63, ctx);
2162a6b7db3Sskrll
2172a6b7db3Sskrll ctx->buflen &= 63;
2182a6b7db3Sskrll /* The regions in the following copy operation cannot overlap. */
2192a6b7db3Sskrll memcpy (ctx->buffer,
2202a6b7db3Sskrll &((char *) ctx->buffer)[(left_over + add) & ~63],
2212a6b7db3Sskrll ctx->buflen);
2222a6b7db3Sskrll }
2232a6b7db3Sskrll
2242a6b7db3Sskrll buffer = (const char *) buffer + add;
2252a6b7db3Sskrll len -= add;
2262a6b7db3Sskrll }
2272a6b7db3Sskrll
2282a6b7db3Sskrll /* Process available complete blocks. */
2292a6b7db3Sskrll if (len >= 64)
2302a6b7db3Sskrll {
2312a6b7db3Sskrll #if !_STRING_ARCH_unaligned
2322a6b7db3Sskrll # define alignof(type) offsetof (struct { char c; type x; }, x)
2332a6b7db3Sskrll # define UNALIGNED_P(p) (((size_t) p) % alignof (sha1_uint32) != 0)
2342a6b7db3Sskrll if (UNALIGNED_P (buffer))
2352a6b7db3Sskrll while (len > 64)
2362a6b7db3Sskrll {
2372a6b7db3Sskrll sha1_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx);
2382a6b7db3Sskrll buffer = (const char *) buffer + 64;
2392a6b7db3Sskrll len -= 64;
2402a6b7db3Sskrll }
2412a6b7db3Sskrll else
2422a6b7db3Sskrll #endif
2432a6b7db3Sskrll {
2442a6b7db3Sskrll sha1_process_block (buffer, len & ~63, ctx);
2452a6b7db3Sskrll buffer = (const char *) buffer + (len & ~63);
2462a6b7db3Sskrll len &= 63;
2472a6b7db3Sskrll }
2482a6b7db3Sskrll }
2492a6b7db3Sskrll
2502a6b7db3Sskrll /* Move remaining bytes in internal buffer. */
2512a6b7db3Sskrll if (len > 0)
2522a6b7db3Sskrll {
2532a6b7db3Sskrll size_t left_over = ctx->buflen;
2542a6b7db3Sskrll
2552a6b7db3Sskrll memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
2562a6b7db3Sskrll left_over += len;
2572a6b7db3Sskrll if (left_over >= 64)
2582a6b7db3Sskrll {
2592a6b7db3Sskrll sha1_process_block (ctx->buffer, 64, ctx);
2602a6b7db3Sskrll left_over -= 64;
261*f22f0ef4Schristos memmove (ctx->buffer, &ctx->buffer[16], left_over);
2622a6b7db3Sskrll }
2632a6b7db3Sskrll ctx->buflen = left_over;
2642a6b7db3Sskrll }
2652a6b7db3Sskrll }
2662a6b7db3Sskrll
2672a6b7db3Sskrll /* --- Code below is the primary difference between md5.c and sha1.c --- */
2682a6b7db3Sskrll
2692a6b7db3Sskrll /* SHA1 round constants */
2702a6b7db3Sskrll #define K1 0x5a827999
2712a6b7db3Sskrll #define K2 0x6ed9eba1
2722a6b7db3Sskrll #define K3 0x8f1bbcdc
2732a6b7db3Sskrll #define K4 0xca62c1d6
2742a6b7db3Sskrll
2752a6b7db3Sskrll /* Round functions. Note that F2 is the same as F4. */
2762a6b7db3Sskrll #define F1(B,C,D) ( D ^ ( B & ( C ^ D ) ) )
2772a6b7db3Sskrll #define F2(B,C,D) (B ^ C ^ D)
2782a6b7db3Sskrll #define F3(B,C,D) ( ( B & C ) | ( D & ( B | C ) ) )
2792a6b7db3Sskrll #define F4(B,C,D) (B ^ C ^ D)
2802a6b7db3Sskrll
2812a6b7db3Sskrll /* Process LEN bytes of BUFFER, accumulating context into CTX.
2822a6b7db3Sskrll It is assumed that LEN % 64 == 0.
2832a6b7db3Sskrll Most of this code comes from GnuPG's cipher/sha1.c. */
2842a6b7db3Sskrll
2852a6b7db3Sskrll void
sha1_process_block(const void * buffer,size_t len,struct sha1_ctx * ctx)2862a6b7db3Sskrll sha1_process_block (const void *buffer, size_t len, struct sha1_ctx *ctx)
2872a6b7db3Sskrll {
2882a6b7db3Sskrll const sha1_uint32 *words = (const sha1_uint32*) buffer;
2892a6b7db3Sskrll size_t nwords = len / sizeof (sha1_uint32);
2902a6b7db3Sskrll const sha1_uint32 *endp = words + nwords;
2912a6b7db3Sskrll sha1_uint32 x[16];
2922a6b7db3Sskrll sha1_uint32 a = ctx->A;
2932a6b7db3Sskrll sha1_uint32 b = ctx->B;
2942a6b7db3Sskrll sha1_uint32 c = ctx->C;
2952a6b7db3Sskrll sha1_uint32 d = ctx->D;
2962a6b7db3Sskrll sha1_uint32 e = ctx->E;
2972a6b7db3Sskrll
2982a6b7db3Sskrll /* First increment the byte count. RFC 1321 specifies the possible
2992a6b7db3Sskrll length of the file up to 2^64 bits. Here we only compute the
3002a6b7db3Sskrll number of bytes. Do a double word increment. */
3012a6b7db3Sskrll ctx->total[0] += len;
3025ba6b03cSchristos ctx->total[1] += ((len >> 31) >> 1) + (ctx->total[0] < len);
3032a6b7db3Sskrll
3042a6b7db3Sskrll #define rol(x, n) (((x) << (n)) | ((sha1_uint32) (x) >> (32 - (n))))
3052a6b7db3Sskrll
3062a6b7db3Sskrll #define M(I) ( tm = x[I&0x0f] ^ x[(I-14)&0x0f] \
3072a6b7db3Sskrll ^ x[(I-8)&0x0f] ^ x[(I-3)&0x0f] \
3082a6b7db3Sskrll , (x[I&0x0f] = rol(tm, 1)) )
3092a6b7db3Sskrll
3102a6b7db3Sskrll #define R(A,B,C,D,E,F,K,M) do { E += rol( A, 5 ) \
3112a6b7db3Sskrll + F( B, C, D ) \
3122a6b7db3Sskrll + K \
3132a6b7db3Sskrll + M; \
3142a6b7db3Sskrll B = rol( B, 30 ); \
3152a6b7db3Sskrll } while(0)
3162a6b7db3Sskrll
3172a6b7db3Sskrll while (words < endp)
3182a6b7db3Sskrll {
3192a6b7db3Sskrll sha1_uint32 tm;
3202a6b7db3Sskrll int t;
3212a6b7db3Sskrll for (t = 0; t < 16; t++)
3222a6b7db3Sskrll {
3232a6b7db3Sskrll x[t] = SWAP (*words);
3242a6b7db3Sskrll words++;
3252a6b7db3Sskrll }
3262a6b7db3Sskrll
3272a6b7db3Sskrll R( a, b, c, d, e, F1, K1, x[ 0] );
3282a6b7db3Sskrll R( e, a, b, c, d, F1, K1, x[ 1] );
3292a6b7db3Sskrll R( d, e, a, b, c, F1, K1, x[ 2] );
3302a6b7db3Sskrll R( c, d, e, a, b, F1, K1, x[ 3] );
3312a6b7db3Sskrll R( b, c, d, e, a, F1, K1, x[ 4] );
3322a6b7db3Sskrll R( a, b, c, d, e, F1, K1, x[ 5] );
3332a6b7db3Sskrll R( e, a, b, c, d, F1, K1, x[ 6] );
3342a6b7db3Sskrll R( d, e, a, b, c, F1, K1, x[ 7] );
3352a6b7db3Sskrll R( c, d, e, a, b, F1, K1, x[ 8] );
3362a6b7db3Sskrll R( b, c, d, e, a, F1, K1, x[ 9] );
3372a6b7db3Sskrll R( a, b, c, d, e, F1, K1, x[10] );
3382a6b7db3Sskrll R( e, a, b, c, d, F1, K1, x[11] );
3392a6b7db3Sskrll R( d, e, a, b, c, F1, K1, x[12] );
3402a6b7db3Sskrll R( c, d, e, a, b, F1, K1, x[13] );
3412a6b7db3Sskrll R( b, c, d, e, a, F1, K1, x[14] );
3422a6b7db3Sskrll R( a, b, c, d, e, F1, K1, x[15] );
3432a6b7db3Sskrll R( e, a, b, c, d, F1, K1, M(16) );
3442a6b7db3Sskrll R( d, e, a, b, c, F1, K1, M(17) );
3452a6b7db3Sskrll R( c, d, e, a, b, F1, K1, M(18) );
3462a6b7db3Sskrll R( b, c, d, e, a, F1, K1, M(19) );
3472a6b7db3Sskrll R( a, b, c, d, e, F2, K2, M(20) );
3482a6b7db3Sskrll R( e, a, b, c, d, F2, K2, M(21) );
3492a6b7db3Sskrll R( d, e, a, b, c, F2, K2, M(22) );
3502a6b7db3Sskrll R( c, d, e, a, b, F2, K2, M(23) );
3512a6b7db3Sskrll R( b, c, d, e, a, F2, K2, M(24) );
3522a6b7db3Sskrll R( a, b, c, d, e, F2, K2, M(25) );
3532a6b7db3Sskrll R( e, a, b, c, d, F2, K2, M(26) );
3542a6b7db3Sskrll R( d, e, a, b, c, F2, K2, M(27) );
3552a6b7db3Sskrll R( c, d, e, a, b, F2, K2, M(28) );
3562a6b7db3Sskrll R( b, c, d, e, a, F2, K2, M(29) );
3572a6b7db3Sskrll R( a, b, c, d, e, F2, K2, M(30) );
3582a6b7db3Sskrll R( e, a, b, c, d, F2, K2, M(31) );
3592a6b7db3Sskrll R( d, e, a, b, c, F2, K2, M(32) );
3602a6b7db3Sskrll R( c, d, e, a, b, F2, K2, M(33) );
3612a6b7db3Sskrll R( b, c, d, e, a, F2, K2, M(34) );
3622a6b7db3Sskrll R( a, b, c, d, e, F2, K2, M(35) );
3632a6b7db3Sskrll R( e, a, b, c, d, F2, K2, M(36) );
3642a6b7db3Sskrll R( d, e, a, b, c, F2, K2, M(37) );
3652a6b7db3Sskrll R( c, d, e, a, b, F2, K2, M(38) );
3662a6b7db3Sskrll R( b, c, d, e, a, F2, K2, M(39) );
3672a6b7db3Sskrll R( a, b, c, d, e, F3, K3, M(40) );
3682a6b7db3Sskrll R( e, a, b, c, d, F3, K3, M(41) );
3692a6b7db3Sskrll R( d, e, a, b, c, F3, K3, M(42) );
3702a6b7db3Sskrll R( c, d, e, a, b, F3, K3, M(43) );
3712a6b7db3Sskrll R( b, c, d, e, a, F3, K3, M(44) );
3722a6b7db3Sskrll R( a, b, c, d, e, F3, K3, M(45) );
3732a6b7db3Sskrll R( e, a, b, c, d, F3, K3, M(46) );
3742a6b7db3Sskrll R( d, e, a, b, c, F3, K3, M(47) );
3752a6b7db3Sskrll R( c, d, e, a, b, F3, K3, M(48) );
3762a6b7db3Sskrll R( b, c, d, e, a, F3, K3, M(49) );
3772a6b7db3Sskrll R( a, b, c, d, e, F3, K3, M(50) );
3782a6b7db3Sskrll R( e, a, b, c, d, F3, K3, M(51) );
3792a6b7db3Sskrll R( d, e, a, b, c, F3, K3, M(52) );
3802a6b7db3Sskrll R( c, d, e, a, b, F3, K3, M(53) );
3812a6b7db3Sskrll R( b, c, d, e, a, F3, K3, M(54) );
3822a6b7db3Sskrll R( a, b, c, d, e, F3, K3, M(55) );
3832a6b7db3Sskrll R( e, a, b, c, d, F3, K3, M(56) );
3842a6b7db3Sskrll R( d, e, a, b, c, F3, K3, M(57) );
3852a6b7db3Sskrll R( c, d, e, a, b, F3, K3, M(58) );
3862a6b7db3Sskrll R( b, c, d, e, a, F3, K3, M(59) );
3872a6b7db3Sskrll R( a, b, c, d, e, F4, K4, M(60) );
3882a6b7db3Sskrll R( e, a, b, c, d, F4, K4, M(61) );
3892a6b7db3Sskrll R( d, e, a, b, c, F4, K4, M(62) );
3902a6b7db3Sskrll R( c, d, e, a, b, F4, K4, M(63) );
3912a6b7db3Sskrll R( b, c, d, e, a, F4, K4, M(64) );
3922a6b7db3Sskrll R( a, b, c, d, e, F4, K4, M(65) );
3932a6b7db3Sskrll R( e, a, b, c, d, F4, K4, M(66) );
3942a6b7db3Sskrll R( d, e, a, b, c, F4, K4, M(67) );
3952a6b7db3Sskrll R( c, d, e, a, b, F4, K4, M(68) );
3962a6b7db3Sskrll R( b, c, d, e, a, F4, K4, M(69) );
3972a6b7db3Sskrll R( a, b, c, d, e, F4, K4, M(70) );
3982a6b7db3Sskrll R( e, a, b, c, d, F4, K4, M(71) );
3992a6b7db3Sskrll R( d, e, a, b, c, F4, K4, M(72) );
4002a6b7db3Sskrll R( c, d, e, a, b, F4, K4, M(73) );
4012a6b7db3Sskrll R( b, c, d, e, a, F4, K4, M(74) );
4022a6b7db3Sskrll R( a, b, c, d, e, F4, K4, M(75) );
4032a6b7db3Sskrll R( e, a, b, c, d, F4, K4, M(76) );
4042a6b7db3Sskrll R( d, e, a, b, c, F4, K4, M(77) );
4052a6b7db3Sskrll R( c, d, e, a, b, F4, K4, M(78) );
4062a6b7db3Sskrll R( b, c, d, e, a, F4, K4, M(79) );
4072a6b7db3Sskrll
4082a6b7db3Sskrll a = ctx->A += a;
4092a6b7db3Sskrll b = ctx->B += b;
4102a6b7db3Sskrll c = ctx->C += c;
4112a6b7db3Sskrll d = ctx->D += d;
4122a6b7db3Sskrll e = ctx->E += e;
4132a6b7db3Sskrll }
4142a6b7db3Sskrll }
415