1c5dff60aSchristos /* sha1.c - Functions to compute SHA1 message digest of files or
2c5dff60aSchristos memory blocks according to the NIST specification FIPS-180-1.
3c5dff60aSchristos
4*1424dfb3Schristos Copyright (C) 2000-2020 Free Software Foundation, Inc.
5c5dff60aSchristos
6c5dff60aSchristos This program is free software; you can redistribute it and/or modify it
7c5dff60aSchristos under the terms of the GNU General Public License as published by the
8c5dff60aSchristos Free Software Foundation; either version 2, or (at your option) any
9c5dff60aSchristos later version.
10c5dff60aSchristos
11c5dff60aSchristos This program is distributed in the hope that it will be useful,
12c5dff60aSchristos but WITHOUT ANY WARRANTY; without even the implied warranty of
13c5dff60aSchristos MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14c5dff60aSchristos GNU General Public License for more details.
15c5dff60aSchristos
16c5dff60aSchristos You should have received a copy of the GNU General Public License
17c5dff60aSchristos along with this program; if not, write to the Free Software Foundation,
18c5dff60aSchristos Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */
19c5dff60aSchristos
20c5dff60aSchristos /* Written by Scott G. Miller
21c5dff60aSchristos Credits:
22c5dff60aSchristos Robert Klep <robert@ilse.nl> -- Expansion function fix
23c5dff60aSchristos */
24c5dff60aSchristos
25c5dff60aSchristos #include <config.h>
26c5dff60aSchristos
27c5dff60aSchristos #include "sha1.h"
28c5dff60aSchristos
29c5dff60aSchristos #include <stddef.h>
30c5dff60aSchristos #include <string.h>
31c5dff60aSchristos
32c5dff60aSchristos #if USE_UNLOCKED_IO
33c5dff60aSchristos # include "unlocked-io.h"
34c5dff60aSchristos #endif
35c5dff60aSchristos
36c5dff60aSchristos #ifdef WORDS_BIGENDIAN
37c5dff60aSchristos # define SWAP(n) (n)
38c5dff60aSchristos #else
39c5dff60aSchristos # define SWAP(n) \
40c5dff60aSchristos (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
41c5dff60aSchristos #endif
42c5dff60aSchristos
43c5dff60aSchristos #define BLOCKSIZE 4096
44c5dff60aSchristos #if BLOCKSIZE % 64 != 0
45c5dff60aSchristos # error "invalid BLOCKSIZE"
46c5dff60aSchristos #endif
47c5dff60aSchristos
48c5dff60aSchristos /* This array contains the bytes used to pad the buffer to the next
49c5dff60aSchristos 64-byte boundary. (RFC 1321, 3.1: Step 1) */
50c5dff60aSchristos static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ };
51c5dff60aSchristos
52c5dff60aSchristos
53c5dff60aSchristos /* Take a pointer to a 160 bit block of data (five 32 bit ints) and
54c5dff60aSchristos initialize it to the start constants of the SHA1 algorithm. This
55c5dff60aSchristos must be called before using hash in the call to sha1_hash. */
56c5dff60aSchristos void
sha1_init_ctx(struct sha1_ctx * ctx)57c5dff60aSchristos sha1_init_ctx (struct sha1_ctx *ctx)
58c5dff60aSchristos {
59c5dff60aSchristos ctx->A = 0x67452301;
60c5dff60aSchristos ctx->B = 0xefcdab89;
61c5dff60aSchristos ctx->C = 0x98badcfe;
62c5dff60aSchristos ctx->D = 0x10325476;
63c5dff60aSchristos ctx->E = 0xc3d2e1f0;
64c5dff60aSchristos
65c5dff60aSchristos ctx->total[0] = ctx->total[1] = 0;
66c5dff60aSchristos ctx->buflen = 0;
67c5dff60aSchristos }
68c5dff60aSchristos
69c5dff60aSchristos /* Put result from CTX in first 20 bytes following RESBUF. The result
70c5dff60aSchristos must be in little endian byte order.
71c5dff60aSchristos
72c5dff60aSchristos IMPORTANT: On some systems it is required that RESBUF is correctly
73c5dff60aSchristos aligned for a 32-bit value. */
74c5dff60aSchristos void *
sha1_read_ctx(const struct sha1_ctx * ctx,void * resbuf)75c5dff60aSchristos sha1_read_ctx (const struct sha1_ctx *ctx, void *resbuf)
76c5dff60aSchristos {
77c5dff60aSchristos ((sha1_uint32 *) resbuf)[0] = SWAP (ctx->A);
78c5dff60aSchristos ((sha1_uint32 *) resbuf)[1] = SWAP (ctx->B);
79c5dff60aSchristos ((sha1_uint32 *) resbuf)[2] = SWAP (ctx->C);
80c5dff60aSchristos ((sha1_uint32 *) resbuf)[3] = SWAP (ctx->D);
81c5dff60aSchristos ((sha1_uint32 *) resbuf)[4] = SWAP (ctx->E);
82c5dff60aSchristos
83c5dff60aSchristos return resbuf;
84c5dff60aSchristos }
85c5dff60aSchristos
86c5dff60aSchristos /* Process the remaining bytes in the internal buffer and the usual
87c5dff60aSchristos prolog according to the standard and write the result to RESBUF.
88c5dff60aSchristos
89c5dff60aSchristos IMPORTANT: On some systems it is required that RESBUF is correctly
90c5dff60aSchristos aligned for a 32-bit value. */
91c5dff60aSchristos void *
sha1_finish_ctx(struct sha1_ctx * ctx,void * resbuf)92c5dff60aSchristos sha1_finish_ctx (struct sha1_ctx *ctx, void *resbuf)
93c5dff60aSchristos {
94c5dff60aSchristos /* Take yet unprocessed bytes into account. */
95c5dff60aSchristos sha1_uint32 bytes = ctx->buflen;
96c5dff60aSchristos size_t size = (bytes < 56) ? 64 / 4 : 64 * 2 / 4;
97c5dff60aSchristos
98c5dff60aSchristos /* Now count remaining bytes. */
99c5dff60aSchristos ctx->total[0] += bytes;
100c5dff60aSchristos if (ctx->total[0] < bytes)
101c5dff60aSchristos ++ctx->total[1];
102c5dff60aSchristos
103c5dff60aSchristos /* Put the 64-bit file length in *bits* at the end of the buffer. */
104c5dff60aSchristos ctx->buffer[size - 2] = SWAP ((ctx->total[1] << 3) | (ctx->total[0] >> 29));
105c5dff60aSchristos ctx->buffer[size - 1] = SWAP (ctx->total[0] << 3);
106c5dff60aSchristos
107c5dff60aSchristos memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 4 - bytes);
108c5dff60aSchristos
109c5dff60aSchristos /* Process last bytes. */
110c5dff60aSchristos sha1_process_block (ctx->buffer, size * 4, ctx);
111c5dff60aSchristos
112c5dff60aSchristos return sha1_read_ctx (ctx, resbuf);
113c5dff60aSchristos }
114c5dff60aSchristos
115c5dff60aSchristos /* Compute SHA1 message digest for bytes read from STREAM. The
116c5dff60aSchristos resulting message digest number will be written into the 16 bytes
117c5dff60aSchristos beginning at RESBLOCK. */
118c5dff60aSchristos int
sha1_stream(FILE * stream,void * resblock)119c5dff60aSchristos sha1_stream (FILE *stream, void *resblock)
120c5dff60aSchristos {
121c5dff60aSchristos struct sha1_ctx ctx;
122c5dff60aSchristos char buffer[BLOCKSIZE + 72];
123c5dff60aSchristos size_t sum;
124c5dff60aSchristos
125c5dff60aSchristos /* Initialize the computation context. */
126c5dff60aSchristos sha1_init_ctx (&ctx);
127c5dff60aSchristos
128c5dff60aSchristos /* Iterate over full file contents. */
129c5dff60aSchristos while (1)
130c5dff60aSchristos {
131c5dff60aSchristos /* We read the file in blocks of BLOCKSIZE bytes. One call of the
132c5dff60aSchristos computation function processes the whole buffer so that with the
133c5dff60aSchristos next round of the loop another block can be read. */
134c5dff60aSchristos size_t n;
135c5dff60aSchristos sum = 0;
136c5dff60aSchristos
137c5dff60aSchristos /* Read block. Take care for partial reads. */
138c5dff60aSchristos while (1)
139c5dff60aSchristos {
140c5dff60aSchristos n = fread (buffer + sum, 1, BLOCKSIZE - sum, stream);
141c5dff60aSchristos
142c5dff60aSchristos sum += n;
143c5dff60aSchristos
144c5dff60aSchristos if (sum == BLOCKSIZE)
145c5dff60aSchristos break;
146c5dff60aSchristos
147c5dff60aSchristos if (n == 0)
148c5dff60aSchristos {
149c5dff60aSchristos /* Check for the error flag IFF N == 0, so that we don't
150c5dff60aSchristos exit the loop after a partial read due to e.g., EAGAIN
151c5dff60aSchristos or EWOULDBLOCK. */
152c5dff60aSchristos if (ferror (stream))
153c5dff60aSchristos return 1;
154c5dff60aSchristos goto process_partial_block;
155c5dff60aSchristos }
156c5dff60aSchristos
157c5dff60aSchristos /* We've read at least one byte, so ignore errors. But always
158c5dff60aSchristos check for EOF, since feof may be true even though N > 0.
159c5dff60aSchristos Otherwise, we could end up calling fread after EOF. */
160c5dff60aSchristos if (feof (stream))
161c5dff60aSchristos goto process_partial_block;
162c5dff60aSchristos }
163c5dff60aSchristos
164c5dff60aSchristos /* Process buffer with BLOCKSIZE bytes. Note that
165c5dff60aSchristos BLOCKSIZE % 64 == 0
166c5dff60aSchristos */
167c5dff60aSchristos sha1_process_block (buffer, BLOCKSIZE, &ctx);
168c5dff60aSchristos }
169c5dff60aSchristos
170c5dff60aSchristos process_partial_block:;
171c5dff60aSchristos
172c5dff60aSchristos /* Process any remaining bytes. */
173c5dff60aSchristos if (sum > 0)
174c5dff60aSchristos sha1_process_bytes (buffer, sum, &ctx);
175c5dff60aSchristos
176c5dff60aSchristos /* Construct result in desired memory. */
177c5dff60aSchristos sha1_finish_ctx (&ctx, resblock);
178c5dff60aSchristos return 0;
179c5dff60aSchristos }
180c5dff60aSchristos
181c5dff60aSchristos /* Compute SHA1 message digest for LEN bytes beginning at BUFFER. The
182c5dff60aSchristos result is always in little endian byte order, so that a byte-wise
183c5dff60aSchristos output yields to the wanted ASCII representation of the message
184c5dff60aSchristos digest. */
185c5dff60aSchristos void *
sha1_buffer(const char * buffer,size_t len,void * resblock)186c5dff60aSchristos sha1_buffer (const char *buffer, size_t len, void *resblock)
187c5dff60aSchristos {
188c5dff60aSchristos struct sha1_ctx ctx;
189c5dff60aSchristos
190c5dff60aSchristos /* Initialize the computation context. */
191c5dff60aSchristos sha1_init_ctx (&ctx);
192c5dff60aSchristos
193c5dff60aSchristos /* Process whole buffer but last len % 64 bytes. */
194c5dff60aSchristos sha1_process_bytes (buffer, len, &ctx);
195c5dff60aSchristos
196c5dff60aSchristos /* Put result in desired memory area. */
197c5dff60aSchristos return sha1_finish_ctx (&ctx, resblock);
198c5dff60aSchristos }
199c5dff60aSchristos
200c5dff60aSchristos void
sha1_process_bytes(const void * buffer,size_t len,struct sha1_ctx * ctx)201c5dff60aSchristos sha1_process_bytes (const void *buffer, size_t len, struct sha1_ctx *ctx)
202c5dff60aSchristos {
203c5dff60aSchristos /* When we already have some bits in our internal buffer concatenate
204c5dff60aSchristos both inputs first. */
205c5dff60aSchristos if (ctx->buflen != 0)
206c5dff60aSchristos {
207c5dff60aSchristos size_t left_over = ctx->buflen;
208c5dff60aSchristos size_t add = 128 - left_over > len ? len : 128 - left_over;
209c5dff60aSchristos
210c5dff60aSchristos memcpy (&((char *) ctx->buffer)[left_over], buffer, add);
211c5dff60aSchristos ctx->buflen += add;
212c5dff60aSchristos
213c5dff60aSchristos if (ctx->buflen > 64)
214c5dff60aSchristos {
215c5dff60aSchristos sha1_process_block (ctx->buffer, ctx->buflen & ~63, ctx);
216c5dff60aSchristos
217c5dff60aSchristos ctx->buflen &= 63;
218c5dff60aSchristos /* The regions in the following copy operation cannot overlap. */
219c5dff60aSchristos memcpy (ctx->buffer,
220c5dff60aSchristos &((char *) ctx->buffer)[(left_over + add) & ~63],
221c5dff60aSchristos ctx->buflen);
222c5dff60aSchristos }
223c5dff60aSchristos
224c5dff60aSchristos buffer = (const char *) buffer + add;
225c5dff60aSchristos len -= add;
226c5dff60aSchristos }
227c5dff60aSchristos
228c5dff60aSchristos /* Process available complete blocks. */
229c5dff60aSchristos if (len >= 64)
230c5dff60aSchristos {
231c5dff60aSchristos #if !_STRING_ARCH_unaligned
232c5dff60aSchristos # define alignof(type) offsetof (struct { char c; type x; }, x)
233c5dff60aSchristos # define UNALIGNED_P(p) (((size_t) p) % alignof (sha1_uint32) != 0)
234c5dff60aSchristos if (UNALIGNED_P (buffer))
235c5dff60aSchristos while (len > 64)
236c5dff60aSchristos {
237c5dff60aSchristos sha1_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx);
238c5dff60aSchristos buffer = (const char *) buffer + 64;
239c5dff60aSchristos len -= 64;
240c5dff60aSchristos }
241c5dff60aSchristos else
242c5dff60aSchristos #endif
243c5dff60aSchristos {
244c5dff60aSchristos sha1_process_block (buffer, len & ~63, ctx);
245c5dff60aSchristos buffer = (const char *) buffer + (len & ~63);
246c5dff60aSchristos len &= 63;
247c5dff60aSchristos }
248c5dff60aSchristos }
249c5dff60aSchristos
250c5dff60aSchristos /* Move remaining bytes in internal buffer. */
251c5dff60aSchristos if (len > 0)
252c5dff60aSchristos {
253c5dff60aSchristos size_t left_over = ctx->buflen;
254c5dff60aSchristos
255c5dff60aSchristos memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
256c5dff60aSchristos left_over += len;
257c5dff60aSchristos if (left_over >= 64)
258c5dff60aSchristos {
259c5dff60aSchristos sha1_process_block (ctx->buffer, 64, ctx);
260c5dff60aSchristos left_over -= 64;
261c5dff60aSchristos memcpy (ctx->buffer, &ctx->buffer[16], left_over);
262c5dff60aSchristos }
263c5dff60aSchristos ctx->buflen = left_over;
264c5dff60aSchristos }
265c5dff60aSchristos }
266c5dff60aSchristos
267c5dff60aSchristos /* --- Code below is the primary difference between md5.c and sha1.c --- */
268c5dff60aSchristos
269c5dff60aSchristos /* SHA1 round constants */
270c5dff60aSchristos #define K1 0x5a827999
271c5dff60aSchristos #define K2 0x6ed9eba1
272c5dff60aSchristos #define K3 0x8f1bbcdc
273c5dff60aSchristos #define K4 0xca62c1d6
274c5dff60aSchristos
275c5dff60aSchristos /* Round functions. Note that F2 is the same as F4. */
276c5dff60aSchristos #define F1(B,C,D) ( D ^ ( B & ( C ^ D ) ) )
277c5dff60aSchristos #define F2(B,C,D) (B ^ C ^ D)
278c5dff60aSchristos #define F3(B,C,D) ( ( B & C ) | ( D & ( B | C ) ) )
279c5dff60aSchristos #define F4(B,C,D) (B ^ C ^ D)
280c5dff60aSchristos
281c5dff60aSchristos /* Process LEN bytes of BUFFER, accumulating context into CTX.
282c5dff60aSchristos It is assumed that LEN % 64 == 0.
283c5dff60aSchristos Most of this code comes from GnuPG's cipher/sha1.c. */
284c5dff60aSchristos
285c5dff60aSchristos void
sha1_process_block(const void * buffer,size_t len,struct sha1_ctx * ctx)286c5dff60aSchristos sha1_process_block (const void *buffer, size_t len, struct sha1_ctx *ctx)
287c5dff60aSchristos {
288c5dff60aSchristos const sha1_uint32 *words = (const sha1_uint32*) buffer;
289c5dff60aSchristos size_t nwords = len / sizeof (sha1_uint32);
290c5dff60aSchristos const sha1_uint32 *endp = words + nwords;
291c5dff60aSchristos sha1_uint32 x[16];
292c5dff60aSchristos sha1_uint32 a = ctx->A;
293c5dff60aSchristos sha1_uint32 b = ctx->B;
294c5dff60aSchristos sha1_uint32 c = ctx->C;
295c5dff60aSchristos sha1_uint32 d = ctx->D;
296c5dff60aSchristos sha1_uint32 e = ctx->E;
297c5dff60aSchristos
298c5dff60aSchristos /* First increment the byte count. RFC 1321 specifies the possible
299c5dff60aSchristos length of the file up to 2^64 bits. Here we only compute the
300c5dff60aSchristos number of bytes. Do a double word increment. */
301c5dff60aSchristos ctx->total[0] += len;
30248596154Schristos ctx->total[1] += ((len >> 31) >> 1) + (ctx->total[0] < len);
303c5dff60aSchristos
304c5dff60aSchristos #define rol(x, n) (((x) << (n)) | ((sha1_uint32) (x) >> (32 - (n))))
305c5dff60aSchristos
306c5dff60aSchristos #define M(I) ( tm = x[I&0x0f] ^ x[(I-14)&0x0f] \
307c5dff60aSchristos ^ x[(I-8)&0x0f] ^ x[(I-3)&0x0f] \
308c5dff60aSchristos , (x[I&0x0f] = rol(tm, 1)) )
309c5dff60aSchristos
310c5dff60aSchristos #define R(A,B,C,D,E,F,K,M) do { E += rol( A, 5 ) \
311c5dff60aSchristos + F( B, C, D ) \
312c5dff60aSchristos + K \
313c5dff60aSchristos + M; \
314c5dff60aSchristos B = rol( B, 30 ); \
315c5dff60aSchristos } while(0)
316c5dff60aSchristos
317c5dff60aSchristos while (words < endp)
318c5dff60aSchristos {
319c5dff60aSchristos sha1_uint32 tm;
320c5dff60aSchristos int t;
321c5dff60aSchristos for (t = 0; t < 16; t++)
322c5dff60aSchristos {
323c5dff60aSchristos x[t] = SWAP (*words);
324c5dff60aSchristos words++;
325c5dff60aSchristos }
326c5dff60aSchristos
327c5dff60aSchristos R( a, b, c, d, e, F1, K1, x[ 0] );
328c5dff60aSchristos R( e, a, b, c, d, F1, K1, x[ 1] );
329c5dff60aSchristos R( d, e, a, b, c, F1, K1, x[ 2] );
330c5dff60aSchristos R( c, d, e, a, b, F1, K1, x[ 3] );
331c5dff60aSchristos R( b, c, d, e, a, F1, K1, x[ 4] );
332c5dff60aSchristos R( a, b, c, d, e, F1, K1, x[ 5] );
333c5dff60aSchristos R( e, a, b, c, d, F1, K1, x[ 6] );
334c5dff60aSchristos R( d, e, a, b, c, F1, K1, x[ 7] );
335c5dff60aSchristos R( c, d, e, a, b, F1, K1, x[ 8] );
336c5dff60aSchristos R( b, c, d, e, a, F1, K1, x[ 9] );
337c5dff60aSchristos R( a, b, c, d, e, F1, K1, x[10] );
338c5dff60aSchristos R( e, a, b, c, d, F1, K1, x[11] );
339c5dff60aSchristos R( d, e, a, b, c, F1, K1, x[12] );
340c5dff60aSchristos R( c, d, e, a, b, F1, K1, x[13] );
341c5dff60aSchristos R( b, c, d, e, a, F1, K1, x[14] );
342c5dff60aSchristos R( a, b, c, d, e, F1, K1, x[15] );
343c5dff60aSchristos R( e, a, b, c, d, F1, K1, M(16) );
344c5dff60aSchristos R( d, e, a, b, c, F1, K1, M(17) );
345c5dff60aSchristos R( c, d, e, a, b, F1, K1, M(18) );
346c5dff60aSchristos R( b, c, d, e, a, F1, K1, M(19) );
347c5dff60aSchristos R( a, b, c, d, e, F2, K2, M(20) );
348c5dff60aSchristos R( e, a, b, c, d, F2, K2, M(21) );
349c5dff60aSchristos R( d, e, a, b, c, F2, K2, M(22) );
350c5dff60aSchristos R( c, d, e, a, b, F2, K2, M(23) );
351c5dff60aSchristos R( b, c, d, e, a, F2, K2, M(24) );
352c5dff60aSchristos R( a, b, c, d, e, F2, K2, M(25) );
353c5dff60aSchristos R( e, a, b, c, d, F2, K2, M(26) );
354c5dff60aSchristos R( d, e, a, b, c, F2, K2, M(27) );
355c5dff60aSchristos R( c, d, e, a, b, F2, K2, M(28) );
356c5dff60aSchristos R( b, c, d, e, a, F2, K2, M(29) );
357c5dff60aSchristos R( a, b, c, d, e, F2, K2, M(30) );
358c5dff60aSchristos R( e, a, b, c, d, F2, K2, M(31) );
359c5dff60aSchristos R( d, e, a, b, c, F2, K2, M(32) );
360c5dff60aSchristos R( c, d, e, a, b, F2, K2, M(33) );
361c5dff60aSchristos R( b, c, d, e, a, F2, K2, M(34) );
362c5dff60aSchristos R( a, b, c, d, e, F2, K2, M(35) );
363c5dff60aSchristos R( e, a, b, c, d, F2, K2, M(36) );
364c5dff60aSchristos R( d, e, a, b, c, F2, K2, M(37) );
365c5dff60aSchristos R( c, d, e, a, b, F2, K2, M(38) );
366c5dff60aSchristos R( b, c, d, e, a, F2, K2, M(39) );
367c5dff60aSchristos R( a, b, c, d, e, F3, K3, M(40) );
368c5dff60aSchristos R( e, a, b, c, d, F3, K3, M(41) );
369c5dff60aSchristos R( d, e, a, b, c, F3, K3, M(42) );
370c5dff60aSchristos R( c, d, e, a, b, F3, K3, M(43) );
371c5dff60aSchristos R( b, c, d, e, a, F3, K3, M(44) );
372c5dff60aSchristos R( a, b, c, d, e, F3, K3, M(45) );
373c5dff60aSchristos R( e, a, b, c, d, F3, K3, M(46) );
374c5dff60aSchristos R( d, e, a, b, c, F3, K3, M(47) );
375c5dff60aSchristos R( c, d, e, a, b, F3, K3, M(48) );
376c5dff60aSchristos R( b, c, d, e, a, F3, K3, M(49) );
377c5dff60aSchristos R( a, b, c, d, e, F3, K3, M(50) );
378c5dff60aSchristos R( e, a, b, c, d, F3, K3, M(51) );
379c5dff60aSchristos R( d, e, a, b, c, F3, K3, M(52) );
380c5dff60aSchristos R( c, d, e, a, b, F3, K3, M(53) );
381c5dff60aSchristos R( b, c, d, e, a, F3, K3, M(54) );
382c5dff60aSchristos R( a, b, c, d, e, F3, K3, M(55) );
383c5dff60aSchristos R( e, a, b, c, d, F3, K3, M(56) );
384c5dff60aSchristos R( d, e, a, b, c, F3, K3, M(57) );
385c5dff60aSchristos R( c, d, e, a, b, F3, K3, M(58) );
386c5dff60aSchristos R( b, c, d, e, a, F3, K3, M(59) );
387c5dff60aSchristos R( a, b, c, d, e, F4, K4, M(60) );
388c5dff60aSchristos R( e, a, b, c, d, F4, K4, M(61) );
389c5dff60aSchristos R( d, e, a, b, c, F4, K4, M(62) );
390c5dff60aSchristos R( c, d, e, a, b, F4, K4, M(63) );
391c5dff60aSchristos R( b, c, d, e, a, F4, K4, M(64) );
392c5dff60aSchristos R( a, b, c, d, e, F4, K4, M(65) );
393c5dff60aSchristos R( e, a, b, c, d, F4, K4, M(66) );
394c5dff60aSchristos R( d, e, a, b, c, F4, K4, M(67) );
395c5dff60aSchristos R( c, d, e, a, b, F4, K4, M(68) );
396c5dff60aSchristos R( b, c, d, e, a, F4, K4, M(69) );
397c5dff60aSchristos R( a, b, c, d, e, F4, K4, M(70) );
398c5dff60aSchristos R( e, a, b, c, d, F4, K4, M(71) );
399c5dff60aSchristos R( d, e, a, b, c, F4, K4, M(72) );
400c5dff60aSchristos R( c, d, e, a, b, F4, K4, M(73) );
401c5dff60aSchristos R( b, c, d, e, a, F4, K4, M(74) );
402c5dff60aSchristos R( a, b, c, d, e, F4, K4, M(75) );
403c5dff60aSchristos R( e, a, b, c, d, F4, K4, M(76) );
404c5dff60aSchristos R( d, e, a, b, c, F4, K4, M(77) );
405c5dff60aSchristos R( c, d, e, a, b, F4, K4, M(78) );
406c5dff60aSchristos R( b, c, d, e, a, F4, K4, M(79) );
407c5dff60aSchristos
408c5dff60aSchristos a = ctx->A += a;
409c5dff60aSchristos b = ctx->B += b;
410c5dff60aSchristos c = ctx->C += c;
411c5dff60aSchristos d = ctx->D += d;
412c5dff60aSchristos e = ctx->E += e;
413c5dff60aSchristos }
414c5dff60aSchristos }
415