"Fossies" - the Fresh Open Source Software Archive

Member "littleutils-1.2.5/littleutils/sha256.c" (29 Oct 2021, 17716 Bytes) of package /linux/privat/littleutils-1.2.5.tar.lz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file. For more information about "sha256.c" see the Fossies "Dox" file reference documentation and the latest Fossies "Diffs" side-by-side code changes report: 1.2.4_vs_1.2.5.

    1 /* sha256.c - Functions to compute SHA256 and SHA224 message digest of files or
    2    memory blocks according to the NIST specification FIPS-180-2.
    3 
    4    Copyright (C) 2005-2006, 2008-2018 Free Software Foundation, Inc.
    5 
    6    This program is free software: you can redistribute it and/or modify
    7    it under the terms of the GNU General Public License as published by
    8    the Free Software Foundation, either version 3 of the License, or
    9    (at your option) any later version.
   10 
   11    This program is distributed in the hope that it will be useful,
   12    but WITHOUT ANY WARRANTY; without even the implied warranty of
   13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   14    GNU General Public License for more details.
   15 
   16    You should have received a copy of the GNU General Public License
   17    along with this program.  If not, see <https://www.gnu.org/licenses/>.  */
   18 
   19 /* Written by David Madore, considerably copypasting from Scott G. Miller's
   20    sha1.c.  Modifications for portability and partial file reads by Brian
   21    Lindholm, 2007-2021.  */
   22 
   23 #include <config.h>
   24 
   25 #ifdef HAVE_STDALIGN_H
   26 # include <stdalign.h>
   27 #endif
   28 #ifdef HAVE_STDINT_H
   29 # include <stdint.h>
   30 #endif
   31 #ifdef HAVE_STDLIB_H
   32 # include <stdlib.h>
   33 #endif
   34 #ifdef HAVE_STRING_H
   35 # include <string.h>
   36 #endif
   37 #ifdef HAVE_SYS_TYPES_H
   38 # include <sys/types.h>
   39 #endif
   40 
   41 #include "sha256.h"
   42 
   43 #ifdef WORDS_BIGENDIAN
   44 # define SWAP(n) (n)
   45 #else
   46 # ifdef HAVE_BYTESWAP_H
   47 #  include <byteswap.h>
   48 #  define SWAP(n) bswap_32 (n)
   49 # else
   50 #  define SWAP(n) (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
   51 # endif
   52 #endif
   53 
   54 #define BLOCKSIZE 32768
   55 #if BLOCKSIZE % 64 != 0
   56 # error "invalid BLOCKSIZE"
   57 #endif
   58 
   59 /* This array contains the bytes used to pad the buffer to the next
   60    64-byte boundary.  */
   61 static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ...  */ };
   62 
   63 
   64 /*
   65   Takes a pointer to a 256 bit block of data (eight 32 bit ints) and
   66   initializes it to the start constants of the SHA256 algorithm.  This
   67   must be called before using hash in the call to sha256_hash
   68 */
   69 void
   70 sha256_init_ctx (struct sha256_ctx *ctx)
   71 {
   72   ctx->state[0] = 0x6a09e667UL;
   73   ctx->state[1] = 0xbb67ae85UL;
   74   ctx->state[2] = 0x3c6ef372UL;
   75   ctx->state[3] = 0xa54ff53aUL;
   76   ctx->state[4] = 0x510e527fUL;
   77   ctx->state[5] = 0x9b05688cUL;
   78   ctx->state[6] = 0x1f83d9abUL;
   79   ctx->state[7] = 0x5be0cd19UL;
   80 
   81   ctx->total[0] = ctx->total[1] = 0;
   82   ctx->buflen = 0;
   83 }
   84 
   85 void
   86 sha224_init_ctx (struct sha256_ctx *ctx)
   87 {
   88   ctx->state[0] = 0xc1059ed8UL;
   89   ctx->state[1] = 0x367cd507UL;
   90   ctx->state[2] = 0x3070dd17UL;
   91   ctx->state[3] = 0xf70e5939UL;
   92   ctx->state[4] = 0xffc00b31UL;
   93   ctx->state[5] = 0x68581511UL;
   94   ctx->state[6] = 0x64f98fa7UL;
   95   ctx->state[7] = 0xbefa4fa4UL;
   96 
   97   ctx->total[0] = ctx->total[1] = 0;
   98   ctx->buflen = 0;
   99 }
  100 
  101 /* Copy the value from v into the memory location pointed to by *CP,
  102    If your architecture allows unaligned access, this is equivalent to
  103    * (__typeof__ (v) *) cp = v  */
  104 static void
  105 set_uint32 (char *cp, uint32_t v)
  106 {
  107   memcpy (cp, &v, sizeof v);
  108 }
  109 
  110 /* Put result from CTX in first 32 bytes following RESBUF.
  111    The result must be in little endian byte order.  */
  112 void *
  113 sha256_read_ctx (const struct sha256_ctx *ctx, void *resbuf)
  114 {
  115   int i;
  116   char *r = resbuf;
  117 
  118   for (i = 0; i < 8; i++)
  119     set_uint32 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
  120 
  121   return resbuf;
  122 }
  123 
  124 void *
  125 sha224_read_ctx (const struct sha256_ctx *ctx, void *resbuf)
  126 {
  127   int i;
  128   char *r = resbuf;
  129 
  130   for (i = 0; i < 7; i++)
  131     set_uint32 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
  132 
  133   return resbuf;
  134 }
  135 
  136 /* Process the remaining bytes in the internal buffer and the usual
  137    prolog according to the standard and write the result to RESBUF.  */
  138 static void
  139 sha256_conclude_ctx (struct sha256_ctx *ctx)
  140 {
  141   /* Take yet unprocessed bytes into account.  */
  142   size_t bytes = ctx->buflen;
  143   size_t size = (bytes < 56) ? 64 / 4 : 64 * 2 / 4;
  144 
  145   /* Now count remaining bytes.  */
  146   ctx->total[0] += bytes;
  147   if (ctx->total[0] < bytes)
  148     ++ctx->total[1];
  149 
  150   /* Put the 64-bit file length in *bits* at the end of the buffer.
  151      Use set_uint32 rather than a simple assignment, to avoid risk of
  152      unaligned access.  */
  153   set_uint32 ((char *) &ctx->buffer[size - 2],
  154               SWAP ((ctx->total[1] << 3) | (ctx->total[0] >> 29)));
  155   set_uint32 ((char *) &ctx->buffer[size - 1],
  156               SWAP (ctx->total[0] << 3));
  157 
  158   memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 4 - bytes);
  159 
  160   /* Process last bytes.  */
  161   sha256_process_block (ctx->buffer, size * 4, ctx);
  162 }
  163 
  164 void *
  165 sha256_finish_ctx (struct sha256_ctx *ctx, void *resbuf)
  166 {
  167   sha256_conclude_ctx (ctx);
  168   return sha256_read_ctx (ctx, resbuf);
  169 }
  170 
  171 void *
  172 sha224_finish_ctx (struct sha256_ctx *ctx, void *resbuf)
  173 {
  174   sha256_conclude_ctx (ctx);
  175   return sha224_read_ctx (ctx, resbuf);
  176 }
  177 
  178 /* Compute message digest for bytes read from STREAM using algorithm ALG.
  179    Write the message digest into RESBLOCK, which contains HASHLEN bytes.  The
  180    initial and finishing operations are INIT_CTX and FINISH_CTX.  Return zero
  181    if and only if successful.  Readbytes == -1 implies whole file.  */
  182 static int
  183 shaxxx_stream (FILE *stream, char const *alg, void *resblock, off_t readbytes,
  184                ssize_t hashlen, void (*init_ctx) (struct sha256_ctx *),
  185                void *(*finish_ctx) (struct sha256_ctx *, void *))
  186 {
  187   char *buffer = malloc (BLOCKSIZE + 72);
  188   if (!buffer)
  189     return 1;
  190 
  191   /* Initialize the computation context.  */
  192   struct sha256_ctx ctx;
  193   init_ctx (&ctx);
  194   size_t sum, target;
  195   off_t total = 0;
  196 
  197   /* Jump to end for readbytes == 0.  */
  198   if (readbytes == 0)
  199     {
  200       sum = 0;
  201       goto process_partial_block;
  202     }
  203 
  204   /* Iterate over full file contents.  */
  205   while (1)
  206     {
  207       /* We read the file in blocks of BLOCKSIZE bytes.  One call of the
  208          computation function processes the whole buffer so that with the
  209          next round of the loop another block can be read.  */
  210       size_t n;
  211       if ((readbytes < 0) || ((readbytes - total) > (off_t) BLOCKSIZE))
  212         target = (size_t) BLOCKSIZE;
  213       else
  214         target = (size_t) (readbytes - total);
  215       sum = 0;
  216 
  217       /* Read block.  Take care for partial reads.  */
  218       while (1)
  219         {
  220           /* Either process a partial fread() from this loop,
  221              or the fread() in afalg_stream may have gotten EOF.
  222              We need to avoid a subsequent fread() as EOF may
  223              not be sticky.  For details of such systems, see:
  224              https://sourceware.org/bugzilla/show_bug.cgi?id=1190  */
  225           if (((off_t) sum >= target) || feof (stream))
  226             goto process_partial_block;
  227 
  228           n = fread (buffer + sum, 1, target - sum, stream);
  229           sum += n;
  230 
  231           if (sum == BLOCKSIZE)
  232             break;
  233 
  234           if (n == 0)
  235             {
  236               /* Check for the error flag IFF N == 0, so that we don't
  237                  exit the loop after a partial read due to e.g., EAGAIN
  238                  or EWOULDBLOCK.  */
  239               if (ferror (stream))
  240                 {
  241                   free (buffer);
  242                   return 1;
  243                 }
  244               goto process_partial_block;
  245             }
  246         }
  247       total += (off_t) sum;
  248 
  249       /* Process buffer with BLOCKSIZE bytes.  Note that
  250                         BLOCKSIZE % 64 == 0
  251        */
  252       sha256_process_block (buffer, BLOCKSIZE, &ctx);
  253     }
  254 
  255  process_partial_block:;
  256 
  257   /* Process any remaining bytes.  */
  258   if (sum > 0)
  259     sha256_process_bytes (buffer, sum, &ctx);
  260 
  261   /* Construct result in desired memory.  */
  262   finish_ctx (&ctx, resblock);
  263   free (buffer);
  264   return 0;
  265 }
  266 
  267 int
  268 sha256_stream (FILE *stream, void *resblock, off_t readbytes)
  269 {
  270   return shaxxx_stream (stream, "sha256", resblock, readbytes,
  271                         SHA256_DIGEST_SIZE, sha256_init_ctx,
  272                         sha256_finish_ctx);
  273 }
  274 
  275 int
  276 sha224_stream (FILE *stream, void *resblock, off_t readbytes)
  277 {
  278   return shaxxx_stream (stream, "sha224", resblock, readbytes,
  279                         SHA224_DIGEST_SIZE, sha224_init_ctx,
  280                         sha224_finish_ctx);
  281 }
  282 
  283 /* Compute SHA256 message digest for LEN bytes beginning at BUFFER.  The
  284    result is always in little endian byte order, so that a byte-wise
  285    output yields to the wanted ASCII representation of the message
  286    digest.  */
  287 void *
  288 sha256_buffer (const char *buffer, size_t len, void *resblock)
  289 {
  290   struct sha256_ctx ctx;
  291 
  292   /* Initialize the computation context.  */
  293   sha256_init_ctx (&ctx);
  294 
  295   /* Process whole buffer but last len % 64 bytes.  */
  296   sha256_process_bytes (buffer, len, &ctx);
  297 
  298   /* Put result in desired memory area.  */
  299   return sha256_finish_ctx (&ctx, resblock);
  300 }
  301 
  302 void *
  303 sha224_buffer (const char *buffer, size_t len, void *resblock)
  304 {
  305   struct sha256_ctx ctx;
  306 
  307   /* Initialize the computation context.  */
  308   sha224_init_ctx (&ctx);
  309 
  310   /* Process whole buffer but last len % 64 bytes.  */
  311   sha256_process_bytes (buffer, len, &ctx);
  312 
  313   /* Put result in desired memory area.  */
  314   return sha224_finish_ctx (&ctx, resblock);
  315 }
  316 
  317 void
  318 sha256_process_bytes (const void *buffer, size_t len, struct sha256_ctx *ctx)
  319 {
  320   /* When we already have some bits in our internal buffer concatenate
  321      both inputs first.  */
  322   if (ctx->buflen != 0)
  323     {
  324       size_t left_over = ctx->buflen;
  325       size_t add = 128 - left_over > len ? len : 128 - left_over;
  326 
  327       memcpy (&((char *) ctx->buffer)[left_over], buffer, add);
  328       ctx->buflen += add;
  329 
  330       if (ctx->buflen > 64)
  331         {
  332           sha256_process_block (ctx->buffer, ctx->buflen & ~63, ctx);
  333 
  334           ctx->buflen &= 63;
  335           /* The regions in the following copy operation cannot overlap,
  336              because ctx->buflen < 64 ≤ (left_over + add) & ~63.  */
  337           memcpy (ctx->buffer,
  338                   &((char *) ctx->buffer)[(left_over + add) & ~63],
  339                   ctx->buflen);
  340         }
  341 
  342       buffer = (const char *) buffer + add;
  343       len -= add;
  344     }
  345 
  346   /* Process available complete blocks.  */
  347   if (len >= 64)
  348     {
  349 #if !(_STRING_ARCH_unaligned || _STRING_INLINE_unaligned)
  350 # define UNALIGNED_P(p) ((uintptr_t) (p) % alignof (uint32_t) != 0)
  351       if (UNALIGNED_P (buffer))
  352         while (len > 64)
  353           {
  354             sha256_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx);
  355             buffer = (const char *) buffer + 64;
  356             len -= 64;
  357           }
  358       else
  359 #endif
  360         {
  361           sha256_process_block (buffer, len & ~63, ctx);
  362           buffer = (const char *) buffer + (len & ~63);
  363           len &= 63;
  364         }
  365     }
  366 
  367   /* Move remaining bytes in internal buffer.  */
  368   if (len > 0)
  369     {
  370       size_t left_over = ctx->buflen;
  371 
  372       memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
  373       left_over += len;
  374       if (left_over >= 64)
  375         {
  376           sha256_process_block (ctx->buffer, 64, ctx);
  377           left_over -= 64;
  378           /* The regions in the following copy operation cannot overlap,
  379              because left_over ≤ 64.  */
  380           memcpy (ctx->buffer, &ctx->buffer[16], left_over);
  381         }
  382       ctx->buflen = left_over;
  383     }
  384 }
  385 
  386 /* --- Code below is the primary difference between sha1.c and sha256.c --- */
  387 
  388 /* SHA256 round constants */
  389 #define K(I) sha256_round_constants[I]
  390 static const uint32_t sha256_round_constants[64] = {
  391   0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
  392   0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
  393   0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
  394   0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
  395   0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
  396   0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
  397   0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
  398   0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
  399   0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
  400   0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
  401   0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
  402   0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
  403   0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
  404   0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
  405   0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
  406   0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL,
  407 };
  408 
  409 /* Round functions.  */
  410 #define F2(A,B,C) ( ( A & B ) | ( C & ( A | B ) ) )
  411 #define F1(E,F,G) ( G ^ ( E & ( F ^ G ) ) )
  412 
  413 /* Process LEN bytes of BUFFER, accumulating context into CTX.
  414    It is assumed that LEN % 64 == 0.
  415    Most of this code comes from GnuPG's cipher/sha1.c.  */
  416 
  417 void
  418 sha256_process_block (const void *buffer, size_t len, struct sha256_ctx *ctx)
  419 {
  420   const uint32_t *words = buffer;
  421   size_t nwords = len / sizeof (uint32_t);
  422   const uint32_t *endp = words + nwords;
  423   uint32_t x[16];
  424   uint32_t a = ctx->state[0];
  425   uint32_t b = ctx->state[1];
  426   uint32_t c = ctx->state[2];
  427   uint32_t d = ctx->state[3];
  428   uint32_t e = ctx->state[4];
  429   uint32_t f = ctx->state[5];
  430   uint32_t g = ctx->state[6];
  431   uint32_t h = ctx->state[7];
  432   uint32_t lolen = len;
  433 
  434   /* First increment the byte count.  FIPS PUB 180-2 specifies the possible
  435      length of the file up to 2^64 bits.  Here we only compute the
  436      number of bytes.  Do a double word increment.  */
  437   ctx->total[0] += lolen;
  438   ctx->total[1] += (len >> 31 >> 1) + (ctx->total[0] < lolen);
  439 
  440 #define rol(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
  441 #define S0(x) (rol(x,25)^rol(x,14)^(x>>3))
  442 #define S1(x) (rol(x,15)^rol(x,13)^(x>>10))
  443 #define SS0(x) (rol(x,30)^rol(x,19)^rol(x,10))
  444 #define SS1(x) (rol(x,26)^rol(x,21)^rol(x,7))
  445 
  446 #define M(I) ( tm =   S1(x[(I-2)&0x0f]) + x[(I-7)&0x0f] \
  447                     + S0(x[(I-15)&0x0f]) + x[I&0x0f]    \
  448                , x[I&0x0f] = tm )
  449 
  450 #define R(A,B,C,D,E,F,G,H,K,M)  do { t0 = SS0(A) + F2(A,B,C); \
  451                                      t1 = H + SS1(E)  \
  452                                       + F1(E,F,G)     \
  453                                       + K             \
  454                                       + M;            \
  455                                      D += t1;  H = t0 + t1; \
  456                                } while(0)
  457 
  458   while (words < endp)
  459     {
  460       uint32_t tm;
  461       uint32_t t0, t1;
  462       int t;
  463       /* FIXME: see sha1.c for a better implementation.  */
  464       for (t = 0; t < 16; t++)
  465         {
  466           x[t] = SWAP (*words);
  467           words++;
  468         }
  469 
  470       R( a, b, c, d, e, f, g, h, K( 0), x[ 0] );
  471       R( h, a, b, c, d, e, f, g, K( 1), x[ 1] );
  472       R( g, h, a, b, c, d, e, f, K( 2), x[ 2] );
  473       R( f, g, h, a, b, c, d, e, K( 3), x[ 3] );
  474       R( e, f, g, h, a, b, c, d, K( 4), x[ 4] );
  475       R( d, e, f, g, h, a, b, c, K( 5), x[ 5] );
  476       R( c, d, e, f, g, h, a, b, K( 6), x[ 6] );
  477       R( b, c, d, e, f, g, h, a, K( 7), x[ 7] );
  478       R( a, b, c, d, e, f, g, h, K( 8), x[ 8] );
  479       R( h, a, b, c, d, e, f, g, K( 9), x[ 9] );
  480       R( g, h, a, b, c, d, e, f, K(10), x[10] );
  481       R( f, g, h, a, b, c, d, e, K(11), x[11] );
  482       R( e, f, g, h, a, b, c, d, K(12), x[12] );
  483       R( d, e, f, g, h, a, b, c, K(13), x[13] );
  484       R( c, d, e, f, g, h, a, b, K(14), x[14] );
  485       R( b, c, d, e, f, g, h, a, K(15), x[15] );
  486       R( a, b, c, d, e, f, g, h, K(16), M(16) );
  487       R( h, a, b, c, d, e, f, g, K(17), M(17) );
  488       R( g, h, a, b, c, d, e, f, K(18), M(18) );
  489       R( f, g, h, a, b, c, d, e, K(19), M(19) );
  490       R( e, f, g, h, a, b, c, d, K(20), M(20) );
  491       R( d, e, f, g, h, a, b, c, K(21), M(21) );
  492       R( c, d, e, f, g, h, a, b, K(22), M(22) );
  493       R( b, c, d, e, f, g, h, a, K(23), M(23) );
  494       R( a, b, c, d, e, f, g, h, K(24), M(24) );
  495       R( h, a, b, c, d, e, f, g, K(25), M(25) );
  496       R( g, h, a, b, c, d, e, f, K(26), M(26) );
  497       R( f, g, h, a, b, c, d, e, K(27), M(27) );
  498       R( e, f, g, h, a, b, c, d, K(28), M(28) );
  499       R( d, e, f, g, h, a, b, c, K(29), M(29) );
  500       R( c, d, e, f, g, h, a, b, K(30), M(30) );
  501       R( b, c, d, e, f, g, h, a, K(31), M(31) );
  502       R( a, b, c, d, e, f, g, h, K(32), M(32) );
  503       R( h, a, b, c, d, e, f, g, K(33), M(33) );
  504       R( g, h, a, b, c, d, e, f, K(34), M(34) );
  505       R( f, g, h, a, b, c, d, e, K(35), M(35) );
  506       R( e, f, g, h, a, b, c, d, K(36), M(36) );
  507       R( d, e, f, g, h, a, b, c, K(37), M(37) );
  508       R( c, d, e, f, g, h, a, b, K(38), M(38) );
  509       R( b, c, d, e, f, g, h, a, K(39), M(39) );
  510       R( a, b, c, d, e, f, g, h, K(40), M(40) );
  511       R( h, a, b, c, d, e, f, g, K(41), M(41) );
  512       R( g, h, a, b, c, d, e, f, K(42), M(42) );
  513       R( f, g, h, a, b, c, d, e, K(43), M(43) );
  514       R( e, f, g, h, a, b, c, d, K(44), M(44) );
  515       R( d, e, f, g, h, a, b, c, K(45), M(45) );
  516       R( c, d, e, f, g, h, a, b, K(46), M(46) );
  517       R( b, c, d, e, f, g, h, a, K(47), M(47) );
  518       R( a, b, c, d, e, f, g, h, K(48), M(48) );
  519       R( h, a, b, c, d, e, f, g, K(49), M(49) );
  520       R( g, h, a, b, c, d, e, f, K(50), M(50) );
  521       R( f, g, h, a, b, c, d, e, K(51), M(51) );
  522       R( e, f, g, h, a, b, c, d, K(52), M(52) );
  523       R( d, e, f, g, h, a, b, c, K(53), M(53) );
  524       R( c, d, e, f, g, h, a, b, K(54), M(54) );
  525       R( b, c, d, e, f, g, h, a, K(55), M(55) );
  526       R( a, b, c, d, e, f, g, h, K(56), M(56) );
  527       R( h, a, b, c, d, e, f, g, K(57), M(57) );
  528       R( g, h, a, b, c, d, e, f, K(58), M(58) );
  529       R( f, g, h, a, b, c, d, e, K(59), M(59) );
  530       R( e, f, g, h, a, b, c, d, K(60), M(60) );
  531       R( d, e, f, g, h, a, b, c, K(61), M(61) );
  532       R( c, d, e, f, g, h, a, b, K(62), M(62) );
  533       R( b, c, d, e, f, g, h, a, K(63), M(63) );
  534 
  535       a = ctx->state[0] += a;
  536       b = ctx->state[1] += b;
  537       c = ctx->state[2] += c;
  538       d = ctx->state[3] += d;
  539       e = ctx->state[4] += e;
  540       f = ctx->state[5] += f;
  541       g = ctx->state[6] += g;
  542       h = ctx->state[7] += h;
  543     }
  544 }