"Fossies" - the Fresh Open Source Software Archive

Member "littleutils-1.2.5/littleutils/sha512.c" (29 Oct 2021, 22274 Bytes) of package /linux/privat/littleutils-1.2.5.tar.lz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file. For more information about "sha512.c" see the Fossies "Dox" file reference documentation and the latest Fossies "Diffs" side-by-side code changes report: 1.2.4_vs_1.2.5.

    1 /* sha512.c - Functions to compute SHA512 and SHA384 message digest of files or
    2    memory blocks according to the NIST specification FIPS-180-2.
    3 
    4    Copyright (C) 2005-2006, 2008-2018 Free Software Foundation, Inc.
    5 
    6    This program is free software: you can redistribute it and/or modify
    7    it under the terms of the GNU General Public License as published by
    8    the Free Software Foundation, either version 3 of the License, or
    9    (at your option) any later version.
   10 
   11    This program is distributed in the hope that it will be useful,
   12    but WITHOUT ANY WARRANTY; without even the implied warranty of
   13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   14    GNU General Public License for more details.
   15 
   16    You should have received a copy of the GNU General Public License
   17    along with this program.  If not, see <https://www.gnu.org/licenses/>.  */
   18 
   19 /* Written by David Madore, considerably copypasting from Scott G. Miller's
   20    sha1.c.  Modifications for portability and partial file reads by Brian
   21    Lindholm, 2007-2021.  */
   22 
   23 #include <config.h>
   24 
   25 #ifdef HAVE_STDALIGN_H
   26 # include <stdalign.h>
   27 #endif
   28 #ifdef HAVE_STDINT_H
   29 # include <stdint.h>
   30 #endif
   31 #ifdef HAVE_STDLIB_H
   32 # include <stdlib.h>
   33 #endif
   34 #ifdef HAVE_STRING_H
   35 # include <string.h>
   36 #endif
   37 #ifdef HAVE_SYS_TYPES_H
   38 # include <sys/types.h>
   39 #endif
   40 
   41 #include "sha512.h"
   42 
   43 #ifdef WORDS_BIGENDIAN
   44 # define SWAP(n) (n)
   45 #else
   46 # ifdef HAVE_BYTESWAP_H
   47 #  include <byteswap.h>
   48 #  define SWAP(n) bswap_64 (n)
   49 # else
   50 #  define SWAP(n) \
   51     u64or (u64or (u64or (u64shl (n, 56),                                \
   52                          u64shl (u64and (n, u64lo (0x0000ff00)), 40)),  \
   53                   u64or (u64shl (u64and (n, u64lo (0x00ff0000)), 24),   \
   54                          u64shl (u64and (n, u64lo (0xff000000)),  8))), \
   55            u64or (u64or (u64and (u64shr (n,  8), u64lo (0xff000000)),   \
   56                          u64and (u64shr (n, 24), u64lo (0x00ff0000))),  \
   57                   u64or (u64and (u64shr (n, 40), u64lo (0x0000ff00)),   \
   58                          u64shr (n, 56))))
   59 # endif
   60 #endif
   61 
   62 #define BLOCKSIZE 32768
   63 #if BLOCKSIZE % 128 != 0
   64 # error "invalid BLOCKSIZE"
   65 #endif
   66 
   67 /* This array contains the bytes used to pad the buffer to the next
   68    128-byte boundary.  */
   69 static const unsigned char fillbuf[128] = { 0x80, 0 /* , 0, 0, ...  */ };
   70 
   71 
   72 /*
   73   Takes a pointer to a 512 bit block of data (eight 64 bit ints) and
   74   initializes it to the start constants of the SHA512 algorithm.  This
   75   must be called before using hash in the call to sha512_hash
   76 */
   77 void
   78 sha512_init_ctx (struct sha512_ctx *ctx)
   79 {
   80   ctx->state[0] = u64hilo (0x6a09e667, 0xf3bcc908);
   81   ctx->state[1] = u64hilo (0xbb67ae85, 0x84caa73b);
   82   ctx->state[2] = u64hilo (0x3c6ef372, 0xfe94f82b);
   83   ctx->state[3] = u64hilo (0xa54ff53a, 0x5f1d36f1);
   84   ctx->state[4] = u64hilo (0x510e527f, 0xade682d1);
   85   ctx->state[5] = u64hilo (0x9b05688c, 0x2b3e6c1f);
   86   ctx->state[6] = u64hilo (0x1f83d9ab, 0xfb41bd6b);
   87   ctx->state[7] = u64hilo (0x5be0cd19, 0x137e2179);
   88 
   89   ctx->total[0] = ctx->total[1] = u64lo (0);
   90   ctx->buflen = 0;
   91 }
   92 
   93 void
   94 sha384_init_ctx (struct sha512_ctx *ctx)
   95 {
   96   ctx->state[0] = u64hilo (0xcbbb9d5d, 0xc1059ed8);
   97   ctx->state[1] = u64hilo (0x629a292a, 0x367cd507);
   98   ctx->state[2] = u64hilo (0x9159015a, 0x3070dd17);
   99   ctx->state[3] = u64hilo (0x152fecd8, 0xf70e5939);
  100   ctx->state[4] = u64hilo (0x67332667, 0xffc00b31);
  101   ctx->state[5] = u64hilo (0x8eb44a87, 0x68581511);
  102   ctx->state[6] = u64hilo (0xdb0c2e0d, 0x64f98fa7);
  103   ctx->state[7] = u64hilo (0x47b5481d, 0xbefa4fa4);
  104 
  105   ctx->total[0] = ctx->total[1] = u64lo (0);
  106   ctx->buflen = 0;
  107 }
  108 
  109 /* Copy the value from V into the memory location pointed to by *CP,
  110    If your architecture allows unaligned access, this is equivalent to
  111    * (__typeof__ (v) *) cp = v  */
  112 static void
  113 set_uint64 (char *cp, u64 v)
  114 {
  115   memcpy (cp, &v, sizeof v);
  116 }
  117 
  118 /* Put result from CTX in first 64 bytes following RESBUF.
  119    The result must be in little endian byte order.  */
  120 void *
  121 sha512_read_ctx (const struct sha512_ctx *ctx, void *resbuf)
  122 {
  123   int i;
  124   char *r = resbuf;
  125 
  126   for (i = 0; i < 8; i++)
  127     set_uint64 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
  128 
  129   return resbuf;
  130 }
  131 
  132 void *
  133 sha384_read_ctx (const struct sha512_ctx *ctx, void *resbuf)
  134 {
  135   int i;
  136   char *r = resbuf;
  137 
  138   for (i = 0; i < 6; i++)
  139     set_uint64 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
  140 
  141   return resbuf;
  142 }
  143 
  144 /* Process the remaining bytes in the internal buffer and the usual
  145    prolog according to the standard and write the result to RESBUF.  */
  146 static void
  147 sha512_conclude_ctx (struct sha512_ctx *ctx)
  148 {
  149   /* Take yet unprocessed bytes into account.  */
  150   size_t bytes = ctx->buflen;
  151   size_t size = (bytes < 112) ? 128 / 8 : 128 * 2 / 8;
  152 
  153   /* Now count remaining bytes.  */
  154   ctx->total[0] = u64plus (ctx->total[0], u64lo (bytes));
  155   if (u64lt (ctx->total[0], u64lo (bytes)))
  156     ctx->total[1] = u64plus (ctx->total[1], u64lo (1));
  157 
  158   /* Put the 128-bit file length in *bits* at the end of the buffer.
  159      Use set_uint64 rather than a simple assignment, to avoid risk of
  160      unaligned access.  */
  161   set_uint64 ((char *) &ctx->buffer[size - 2],
  162               SWAP (u64or (u64shl (ctx->total[1], 3),
  163                            u64shr (ctx->total[0], 61))));
  164   set_uint64 ((char *) &ctx->buffer[size - 1],
  165               SWAP (u64shl (ctx->total[0], 3)));
  166 
  167   memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 8 - bytes);
  168 
  169   /* Process last bytes.  */
  170   sha512_process_block (ctx->buffer, size * 8, ctx);
  171 }
  172 
  173 void *
  174 sha512_finish_ctx (struct sha512_ctx *ctx, void *resbuf)
  175 {
  176   sha512_conclude_ctx (ctx);
  177   return sha512_read_ctx (ctx, resbuf);
  178 }
  179 
  180 void *
  181 sha384_finish_ctx (struct sha512_ctx *ctx, void *resbuf)
  182 {
  183   sha512_conclude_ctx (ctx);
  184   return sha384_read_ctx (ctx, resbuf);
  185 }
  186 
  187 /* Compute message digest for bytes read from STREAM using algorithm ALG.
  188    Write the message digest into RESBLOCK, which contains HASHLEN bytes.  The
  189    initial and finishing operations are INIT_CTX and FINISH_CTX.  Return zero
  190    if and only if successful.  Readbytes == -1 implies whole file.  */
  191 
  192 static int
  193 shaxxx_stream (FILE *stream, char const *alg, void *resblock, off_t readbytes,
  194                ssize_t hashlen, void (*init_ctx) (struct sha512_ctx *),
  195                void *(*finish_ctx) (struct sha512_ctx *, void *))
  196 {
  197   char *buffer = malloc (BLOCKSIZE + 72);
  198   if (!buffer)
  199     return 1;
  200 
  201   /* Initialize the computation context.  */
  202   struct sha512_ctx ctx;
  203   init_ctx (&ctx);
  204   size_t sum, target;
  205   off_t total = 0;
  206 
  207   /* Jump to end for readbytes == 0.  */
  208   if (readbytes == 0)
  209     {
  210       sum = 0;
  211       goto process_partial_block;
  212     }
  213 
  214   /* Iterate over full file contents.  */
  215   while (1)
  216     {
  217       /* We read the file in blocks of BLOCKSIZE bytes.  One call of the
  218          computation function processes the whole buffer so that with the
  219          next round of the loop another block can be read.  */
  220       size_t n;
  221       if ((readbytes < 0) || ((readbytes - total) > (off_t) BLOCKSIZE))
  222         target = (size_t) BLOCKSIZE;
  223       else
  224         target = (size_t) (readbytes - total);
  225       sum = 0;
  226 
  227       /* Read block.  Take care for partial reads.  */
  228       while (1)
  229         {
  230           /* Either process a partial fread() from this loop,
  231              or the fread() in afalg_stream may have gotten EOF.
  232              We need to avoid a subsequent fread() as EOF may
  233              not be sticky.  For details of such systems, see:
  234              https://sourceware.org/bugzilla/show_bug.cgi?id=1190  */
  235           if (((off_t) sum >= target) || feof (stream))
  236             goto process_partial_block;
  237 
  238           n = fread (buffer + sum, 1, target - sum, stream);
  239           sum += n;
  240 
  241           if (sum == BLOCKSIZE)
  242             break;
  243 
  244           if (n == 0)
  245             {
  246               /* Check for the error flag IFF N == 0, so that we don't
  247                  exit the loop after a partial read due to e.g., EAGAIN
  248                  or EWOULDBLOCK.  */
  249               if (ferror (stream))
  250                 {
  251                   free (buffer);
  252                   return 1;
  253                 }
  254               goto process_partial_block;
  255             }
  256         }
  257       total += (off_t) sum;
  258 
  259       /* Process buffer with BLOCKSIZE bytes.  Note that
  260                         BLOCKSIZE % 128 == 0
  261        */
  262       sha512_process_block (buffer, BLOCKSIZE, &ctx);
  263     }
  264 
  265  process_partial_block:;
  266 
  267   /* Process any remaining bytes.  */
  268   if (sum > 0)
  269     sha512_process_bytes (buffer, sum, &ctx);
  270 
  271   /* Construct result in desired memory.  */
  272   finish_ctx (&ctx, resblock);
  273   free (buffer);
  274   return 0;
  275 }
  276 
  277 int
  278 sha512_stream (FILE *stream, void *resblock, off_t readbytes)
  279 {
  280   return shaxxx_stream (stream, "sha512", resblock, readbytes,
  281                         SHA512_DIGEST_SIZE, sha512_init_ctx,
  282                         sha512_finish_ctx);
  283 }
  284 
  285 int
  286 sha384_stream (FILE *stream, void *resblock, off_t readbytes)
  287 {
  288   return shaxxx_stream (stream, "sha384", resblock, readbytes,
  289                         SHA384_DIGEST_SIZE, sha384_init_ctx,
  290                         sha384_finish_ctx);
  291 }
  292 
  293 /* Compute SHA512 message digest for LEN bytes beginning at BUFFER.  The
  294    result is always in little endian byte order, so that a byte-wise
  295    output yields to the wanted ASCII representation of the message
  296    digest.  */
  297 void *
  298 sha512_buffer (const char *buffer, size_t len, void *resblock)
  299 {
  300   struct sha512_ctx ctx;
  301 
  302   /* Initialize the computation context.  */
  303   sha512_init_ctx (&ctx);
  304 
  305   /* Process whole buffer but last len % 128 bytes.  */
  306   sha512_process_bytes (buffer, len, &ctx);
  307 
  308   /* Put result in desired memory area.  */
  309   return sha512_finish_ctx (&ctx, resblock);
  310 }
  311 
  312 void *
  313 sha384_buffer (const char *buffer, size_t len, void *resblock)
  314 {
  315   struct sha512_ctx ctx;
  316 
  317   /* Initialize the computation context.  */
  318   sha384_init_ctx (&ctx);
  319 
  320   /* Process whole buffer but last len % 128 bytes.  */
  321   sha512_process_bytes (buffer, len, &ctx);
  322 
  323   /* Put result in desired memory area.  */
  324   return sha384_finish_ctx (&ctx, resblock);
  325 }
  326 
  327 void
  328 sha512_process_bytes (const void *buffer, size_t len, struct sha512_ctx *ctx)
  329 {
  330   /* When we already have some bits in our internal buffer concatenate
  331      both inputs first.  */
  332   if (ctx->buflen != 0)
  333     {
  334       size_t left_over = ctx->buflen;
  335       size_t add = 256 - left_over > len ? len : 256 - left_over;
  336 
  337       memcpy (&((char *) ctx->buffer)[left_over], buffer, add);
  338       ctx->buflen += add;
  339 
  340       if (ctx->buflen > 128)
  341         {
  342           sha512_process_block (ctx->buffer, ctx->buflen & ~127, ctx);
  343 
  344           ctx->buflen &= 127;
  345           /* The regions in the following copy operation cannot overlap,
  346              because ctx->buflen < 128 ≤ (left_over + add) & ~127.  */
  347           memcpy (ctx->buffer,
  348                   &((char *) ctx->buffer)[(left_over + add) & ~127],
  349                   ctx->buflen);
  350         }
  351 
  352       buffer = (const char *) buffer + add;
  353       len -= add;
  354     }
  355 
  356   /* Process available complete blocks.  */
  357   if (len >= 128)
  358     {
  359 #if !(_STRING_ARCH_unaligned || _STRING_INLINE_unaligned)
  360 # define UNALIGNED_P(p) ((uintptr_t) (p) % alignof (u64) != 0)
  361       if (UNALIGNED_P (buffer))
  362         while (len > 128)
  363           {
  364             sha512_process_block (memcpy (ctx->buffer, buffer, 128), 128, ctx);
  365             buffer = (const char *) buffer + 128;
  366             len -= 128;
  367           }
  368       else
  369 #endif
  370         {
  371           sha512_process_block (buffer, len & ~127, ctx);
  372           buffer = (const char *) buffer + (len & ~127);
  373           len &= 127;
  374         }
  375     }
  376 
  377   /* Move remaining bytes in internal buffer.  */
  378   if (len > 0)
  379     {
  380       size_t left_over = ctx->buflen;
  381 
  382       memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
  383       left_over += len;
  384       if (left_over >= 128)
  385         {
  386           sha512_process_block (ctx->buffer, 128, ctx);
  387           left_over -= 128;
  388           /* The regions in the following copy operation cannot overlap,
  389              because left_over ≤ 128.  */
  390           memcpy (ctx->buffer, &ctx->buffer[16], left_over);
  391         }
  392       ctx->buflen = left_over;
  393     }
  394 }
  395 
  396 /* --- Code below is the primary difference between sha1.c and sha512.c --- */
  397 
  398 /* SHA512 round constants */
  399 #define K(I) sha512_round_constants[I]
  400 static u64 const sha512_round_constants[80] = {
  401   u64init (0x428a2f98, 0xd728ae22), u64init (0x71374491, 0x23ef65cd),
  402   u64init (0xb5c0fbcf, 0xec4d3b2f), u64init (0xe9b5dba5, 0x8189dbbc),
  403   u64init (0x3956c25b, 0xf348b538), u64init (0x59f111f1, 0xb605d019),
  404   u64init (0x923f82a4, 0xaf194f9b), u64init (0xab1c5ed5, 0xda6d8118),
  405   u64init (0xd807aa98, 0xa3030242), u64init (0x12835b01, 0x45706fbe),
  406   u64init (0x243185be, 0x4ee4b28c), u64init (0x550c7dc3, 0xd5ffb4e2),
  407   u64init (0x72be5d74, 0xf27b896f), u64init (0x80deb1fe, 0x3b1696b1),
  408   u64init (0x9bdc06a7, 0x25c71235), u64init (0xc19bf174, 0xcf692694),
  409   u64init (0xe49b69c1, 0x9ef14ad2), u64init (0xefbe4786, 0x384f25e3),
  410   u64init (0x0fc19dc6, 0x8b8cd5b5), u64init (0x240ca1cc, 0x77ac9c65),
  411   u64init (0x2de92c6f, 0x592b0275), u64init (0x4a7484aa, 0x6ea6e483),
  412   u64init (0x5cb0a9dc, 0xbd41fbd4), u64init (0x76f988da, 0x831153b5),
  413   u64init (0x983e5152, 0xee66dfab), u64init (0xa831c66d, 0x2db43210),
  414   u64init (0xb00327c8, 0x98fb213f), u64init (0xbf597fc7, 0xbeef0ee4),
  415   u64init (0xc6e00bf3, 0x3da88fc2), u64init (0xd5a79147, 0x930aa725),
  416   u64init (0x06ca6351, 0xe003826f), u64init (0x14292967, 0x0a0e6e70),
  417   u64init (0x27b70a85, 0x46d22ffc), u64init (0x2e1b2138, 0x5c26c926),
  418   u64init (0x4d2c6dfc, 0x5ac42aed), u64init (0x53380d13, 0x9d95b3df),
  419   u64init (0x650a7354, 0x8baf63de), u64init (0x766a0abb, 0x3c77b2a8),
  420   u64init (0x81c2c92e, 0x47edaee6), u64init (0x92722c85, 0x1482353b),
  421   u64init (0xa2bfe8a1, 0x4cf10364), u64init (0xa81a664b, 0xbc423001),
  422   u64init (0xc24b8b70, 0xd0f89791), u64init (0xc76c51a3, 0x0654be30),
  423   u64init (0xd192e819, 0xd6ef5218), u64init (0xd6990624, 0x5565a910),
  424   u64init (0xf40e3585, 0x5771202a), u64init (0x106aa070, 0x32bbd1b8),
  425   u64init (0x19a4c116, 0xb8d2d0c8), u64init (0x1e376c08, 0x5141ab53),
  426   u64init (0x2748774c, 0xdf8eeb99), u64init (0x34b0bcb5, 0xe19b48a8),
  427   u64init (0x391c0cb3, 0xc5c95a63), u64init (0x4ed8aa4a, 0xe3418acb),
  428   u64init (0x5b9cca4f, 0x7763e373), u64init (0x682e6ff3, 0xd6b2b8a3),
  429   u64init (0x748f82ee, 0x5defb2fc), u64init (0x78a5636f, 0x43172f60),
  430   u64init (0x84c87814, 0xa1f0ab72), u64init (0x8cc70208, 0x1a6439ec),
  431   u64init (0x90befffa, 0x23631e28), u64init (0xa4506ceb, 0xde82bde9),
  432   u64init (0xbef9a3f7, 0xb2c67915), u64init (0xc67178f2, 0xe372532b),
  433   u64init (0xca273ece, 0xea26619c), u64init (0xd186b8c7, 0x21c0c207),
  434   u64init (0xeada7dd6, 0xcde0eb1e), u64init (0xf57d4f7f, 0xee6ed178),
  435   u64init (0x06f067aa, 0x72176fba), u64init (0x0a637dc5, 0xa2c898a6),
  436   u64init (0x113f9804, 0xbef90dae), u64init (0x1b710b35, 0x131c471b),
  437   u64init (0x28db77f5, 0x23047d84), u64init (0x32caab7b, 0x40c72493),
  438   u64init (0x3c9ebe0a, 0x15c9bebc), u64init (0x431d67c4, 0x9c100d4c),
  439   u64init (0x4cc5d4be, 0xcb3e42b6), u64init (0x597f299c, 0xfc657e2a),
  440   u64init (0x5fcb6fab, 0x3ad6faec), u64init (0x6c44198c, 0x4a475817),
  441 };
  442 
  443 /* Round functions.  */
  444 #define F2(A, B, C) u64or (u64and (A, B), u64and (C, u64or (A, B)))
  445 #define F1(E, F, G) u64xor (G, u64and (E, u64xor (F, G)))
  446 
  447 /* Process LEN bytes of BUFFER, accumulating context into CTX.
  448    It is assumed that LEN % 128 == 0.
  449    Most of this code comes from GnuPG's cipher/sha1.c.  */
  450 
  451 void
  452 sha512_process_block (const void *buffer, size_t len, struct sha512_ctx *ctx)
  453 {
  454   u64 const *words = buffer;
  455   u64 const *endp = words + len / sizeof (u64);
  456   u64 x[16];
  457   u64 a = ctx->state[0];
  458   u64 b = ctx->state[1];
  459   u64 c = ctx->state[2];
  460   u64 d = ctx->state[3];
  461   u64 e = ctx->state[4];
  462   u64 f = ctx->state[5];
  463   u64 g = ctx->state[6];
  464   u64 h = ctx->state[7];
  465   u64 lolen = u64size (len);
  466 
  467   /* First increment the byte count.  FIPS PUB 180-2 specifies the possible
  468      length of the file up to 2^128 bits.  Here we only compute the
  469      number of bytes.  Do a double word increment.  */
  470   ctx->total[0] = u64plus (ctx->total[0], lolen);
  471   ctx->total[1] = u64plus (ctx->total[1],
  472                            u64plus (u64size (len >> 31 >> 31 >> 2),
  473                                     u64lo (u64lt (ctx->total[0], lolen))));
  474 
  475 #define S0(x) u64xor (u64rol(x, 63), u64xor (u64rol (x, 56), u64shr (x, 7)))
  476 #define S1(x) u64xor (u64rol (x, 45), u64xor (u64rol (x, 3), u64shr (x, 6)))
  477 #define SS0(x) u64xor (u64rol (x, 36), u64xor (u64rol (x, 30), u64rol (x, 25)))
  478 #define SS1(x) u64xor (u64rol(x, 50), u64xor (u64rol (x, 46), u64rol (x, 23)))
  479 
  480 #define M(I) (x[(I) & 15]                                                 \
  481               = u64plus (x[(I) & 15],                                     \
  482                          u64plus (S1 (x[((I) - 2) & 15]),                 \
  483                                   u64plus (x[((I) - 7) & 15],             \
  484                                            S0 (x[((I) - 15) & 15])))))
  485 
  486 #define R(A, B, C, D, E, F, G, H, K, M)                                   \
  487   do                                                                      \
  488     {                                                                     \
  489       u64 t0 = u64plus (SS0 (A), F2 (A, B, C));                           \
  490       u64 t1 =                                                            \
  491         u64plus (H, u64plus (SS1 (E),                                     \
  492                              u64plus (F1 (E, F, G), u64plus (K, M))));    \
  493       D = u64plus (D, t1);                                                \
  494       H = u64plus (t0, t1);                                               \
  495     }                                                                     \
  496   while (0)
  497 
  498   while (words < endp)
  499     {
  500       int t;
  501       /* FIXME: see sha1.c for a better implementation.  */
  502       for (t = 0; t < 16; t++)
  503         {
  504           x[t] = SWAP (*words);
  505           words++;
  506         }
  507 
  508       R( a, b, c, d, e, f, g, h, K( 0), x[ 0] );
  509       R( h, a, b, c, d, e, f, g, K( 1), x[ 1] );
  510       R( g, h, a, b, c, d, e, f, K( 2), x[ 2] );
  511       R( f, g, h, a, b, c, d, e, K( 3), x[ 3] );
  512       R( e, f, g, h, a, b, c, d, K( 4), x[ 4] );
  513       R( d, e, f, g, h, a, b, c, K( 5), x[ 5] );
  514       R( c, d, e, f, g, h, a, b, K( 6), x[ 6] );
  515       R( b, c, d, e, f, g, h, a, K( 7), x[ 7] );
  516       R( a, b, c, d, e, f, g, h, K( 8), x[ 8] );
  517       R( h, a, b, c, d, e, f, g, K( 9), x[ 9] );
  518       R( g, h, a, b, c, d, e, f, K(10), x[10] );
  519       R( f, g, h, a, b, c, d, e, K(11), x[11] );
  520       R( e, f, g, h, a, b, c, d, K(12), x[12] );
  521       R( d, e, f, g, h, a, b, c, K(13), x[13] );
  522       R( c, d, e, f, g, h, a, b, K(14), x[14] );
  523       R( b, c, d, e, f, g, h, a, K(15), x[15] );
  524       R( a, b, c, d, e, f, g, h, K(16), M(16) );
  525       R( h, a, b, c, d, e, f, g, K(17), M(17) );
  526       R( g, h, a, b, c, d, e, f, K(18), M(18) );
  527       R( f, g, h, a, b, c, d, e, K(19), M(19) );
  528       R( e, f, g, h, a, b, c, d, K(20), M(20) );
  529       R( d, e, f, g, h, a, b, c, K(21), M(21) );
  530       R( c, d, e, f, g, h, a, b, K(22), M(22) );
  531       R( b, c, d, e, f, g, h, a, K(23), M(23) );
  532       R( a, b, c, d, e, f, g, h, K(24), M(24) );
  533       R( h, a, b, c, d, e, f, g, K(25), M(25) );
  534       R( g, h, a, b, c, d, e, f, K(26), M(26) );
  535       R( f, g, h, a, b, c, d, e, K(27), M(27) );
  536       R( e, f, g, h, a, b, c, d, K(28), M(28) );
  537       R( d, e, f, g, h, a, b, c, K(29), M(29) );
  538       R( c, d, e, f, g, h, a, b, K(30), M(30) );
  539       R( b, c, d, e, f, g, h, a, K(31), M(31) );
  540       R( a, b, c, d, e, f, g, h, K(32), M(32) );
  541       R( h, a, b, c, d, e, f, g, K(33), M(33) );
  542       R( g, h, a, b, c, d, e, f, K(34), M(34) );
  543       R( f, g, h, a, b, c, d, e, K(35), M(35) );
  544       R( e, f, g, h, a, b, c, d, K(36), M(36) );
  545       R( d, e, f, g, h, a, b, c, K(37), M(37) );
  546       R( c, d, e, f, g, h, a, b, K(38), M(38) );
  547       R( b, c, d, e, f, g, h, a, K(39), M(39) );
  548       R( a, b, c, d, e, f, g, h, K(40), M(40) );
  549       R( h, a, b, c, d, e, f, g, K(41), M(41) );
  550       R( g, h, a, b, c, d, e, f, K(42), M(42) );
  551       R( f, g, h, a, b, c, d, e, K(43), M(43) );
  552       R( e, f, g, h, a, b, c, d, K(44), M(44) );
  553       R( d, e, f, g, h, a, b, c, K(45), M(45) );
  554       R( c, d, e, f, g, h, a, b, K(46), M(46) );
  555       R( b, c, d, e, f, g, h, a, K(47), M(47) );
  556       R( a, b, c, d, e, f, g, h, K(48), M(48) );
  557       R( h, a, b, c, d, e, f, g, K(49), M(49) );
  558       R( g, h, a, b, c, d, e, f, K(50), M(50) );
  559       R( f, g, h, a, b, c, d, e, K(51), M(51) );
  560       R( e, f, g, h, a, b, c, d, K(52), M(52) );
  561       R( d, e, f, g, h, a, b, c, K(53), M(53) );
  562       R( c, d, e, f, g, h, a, b, K(54), M(54) );
  563       R( b, c, d, e, f, g, h, a, K(55), M(55) );
  564       R( a, b, c, d, e, f, g, h, K(56), M(56) );
  565       R( h, a, b, c, d, e, f, g, K(57), M(57) );
  566       R( g, h, a, b, c, d, e, f, K(58), M(58) );
  567       R( f, g, h, a, b, c, d, e, K(59), M(59) );
  568       R( e, f, g, h, a, b, c, d, K(60), M(60) );
  569       R( d, e, f, g, h, a, b, c, K(61), M(61) );
  570       R( c, d, e, f, g, h, a, b, K(62), M(62) );
  571       R( b, c, d, e, f, g, h, a, K(63), M(63) );
  572       R( a, b, c, d, e, f, g, h, K(64), M(64) );
  573       R( h, a, b, c, d, e, f, g, K(65), M(65) );
  574       R( g, h, a, b, c, d, e, f, K(66), M(66) );
  575       R( f, g, h, a, b, c, d, e, K(67), M(67) );
  576       R( e, f, g, h, a, b, c, d, K(68), M(68) );
  577       R( d, e, f, g, h, a, b, c, K(69), M(69) );
  578       R( c, d, e, f, g, h, a, b, K(70), M(70) );
  579       R( b, c, d, e, f, g, h, a, K(71), M(71) );
  580       R( a, b, c, d, e, f, g, h, K(72), M(72) );
  581       R( h, a, b, c, d, e, f, g, K(73), M(73) );
  582       R( g, h, a, b, c, d, e, f, K(74), M(74) );
  583       R( f, g, h, a, b, c, d, e, K(75), M(75) );
  584       R( e, f, g, h, a, b, c, d, K(76), M(76) );
  585       R( d, e, f, g, h, a, b, c, K(77), M(77) );
  586       R( c, d, e, f, g, h, a, b, K(78), M(78) );
  587       R( b, c, d, e, f, g, h, a, K(79), M(79) );
  588 
  589       a = ctx->state[0] = u64plus (ctx->state[0], a);
  590       b = ctx->state[1] = u64plus (ctx->state[1], b);
  591       c = ctx->state[2] = u64plus (ctx->state[2], c);
  592       d = ctx->state[3] = u64plus (ctx->state[3], d);
  593       e = ctx->state[4] = u64plus (ctx->state[4], e);
  594       f = ctx->state[5] = u64plus (ctx->state[5], f);
  595       g = ctx->state[6] = u64plus (ctx->state[6], g);
  596       h = ctx->state[7] = u64plus (ctx->state[7], h);
  597     }
  598 }