"Fossies" - the Fresh Open Source Software Archive 
Member "littleutils-1.2.5/littleutils/sha512.c" (29 Oct 2021, 22274 Bytes) of package /linux/privat/littleutils-1.2.5.tar.lz:
As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style:
standard) with prefixed line numbers and
code folding option.
Alternatively you can here
view or
download the uninterpreted source code file.
For more information about "sha512.c" see the
Fossies "Dox" file reference documentation and the latest
Fossies "Diffs" side-by-side code changes report:
1.2.4_vs_1.2.5.
1 /* sha512.c - Functions to compute SHA512 and SHA384 message digest of files or
2 memory blocks according to the NIST specification FIPS-180-2.
3
4 Copyright (C) 2005-2006, 2008-2018 Free Software Foundation, Inc.
5
6 This program is free software: you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation, either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <https://www.gnu.org/licenses/>. */
18
19 /* Written by David Madore, considerably copypasting from Scott G. Miller's
20 sha1.c. Modifications for portability and partial file reads by Brian
21 Lindholm, 2007-2021. */
22
23 #include <config.h>
24
25 #ifdef HAVE_STDALIGN_H
26 # include <stdalign.h>
27 #endif
28 #ifdef HAVE_STDINT_H
29 # include <stdint.h>
30 #endif
31 #ifdef HAVE_STDLIB_H
32 # include <stdlib.h>
33 #endif
34 #ifdef HAVE_STRING_H
35 # include <string.h>
36 #endif
37 #ifdef HAVE_SYS_TYPES_H
38 # include <sys/types.h>
39 #endif
40
41 #include "sha512.h"
42
43 #ifdef WORDS_BIGENDIAN
44 # define SWAP(n) (n)
45 #else
46 # ifdef HAVE_BYTESWAP_H
47 # include <byteswap.h>
48 # define SWAP(n) bswap_64 (n)
49 # else
50 # define SWAP(n) \
51 u64or (u64or (u64or (u64shl (n, 56), \
52 u64shl (u64and (n, u64lo (0x0000ff00)), 40)), \
53 u64or (u64shl (u64and (n, u64lo (0x00ff0000)), 24), \
54 u64shl (u64and (n, u64lo (0xff000000)), 8))), \
55 u64or (u64or (u64and (u64shr (n, 8), u64lo (0xff000000)), \
56 u64and (u64shr (n, 24), u64lo (0x00ff0000))), \
57 u64or (u64and (u64shr (n, 40), u64lo (0x0000ff00)), \
58 u64shr (n, 56))))
59 # endif
60 #endif
61
62 #define BLOCKSIZE 32768
63 #if BLOCKSIZE % 128 != 0
64 # error "invalid BLOCKSIZE"
65 #endif
66
67 /* This array contains the bytes used to pad the buffer to the next
68 128-byte boundary. */
69 static const unsigned char fillbuf[128] = { 0x80, 0 /* , 0, 0, ... */ };
70
71
72 /*
73 Takes a pointer to a 512 bit block of data (eight 64 bit ints) and
74 initializes it to the start constants of the SHA512 algorithm. This
75 must be called before using hash in the call to sha512_hash
76 */
77 void
78 sha512_init_ctx (struct sha512_ctx *ctx)
79 {
80 ctx->state[0] = u64hilo (0x6a09e667, 0xf3bcc908);
81 ctx->state[1] = u64hilo (0xbb67ae85, 0x84caa73b);
82 ctx->state[2] = u64hilo (0x3c6ef372, 0xfe94f82b);
83 ctx->state[3] = u64hilo (0xa54ff53a, 0x5f1d36f1);
84 ctx->state[4] = u64hilo (0x510e527f, 0xade682d1);
85 ctx->state[5] = u64hilo (0x9b05688c, 0x2b3e6c1f);
86 ctx->state[6] = u64hilo (0x1f83d9ab, 0xfb41bd6b);
87 ctx->state[7] = u64hilo (0x5be0cd19, 0x137e2179);
88
89 ctx->total[0] = ctx->total[1] = u64lo (0);
90 ctx->buflen = 0;
91 }
92
93 void
94 sha384_init_ctx (struct sha512_ctx *ctx)
95 {
96 ctx->state[0] = u64hilo (0xcbbb9d5d, 0xc1059ed8);
97 ctx->state[1] = u64hilo (0x629a292a, 0x367cd507);
98 ctx->state[2] = u64hilo (0x9159015a, 0x3070dd17);
99 ctx->state[3] = u64hilo (0x152fecd8, 0xf70e5939);
100 ctx->state[4] = u64hilo (0x67332667, 0xffc00b31);
101 ctx->state[5] = u64hilo (0x8eb44a87, 0x68581511);
102 ctx->state[6] = u64hilo (0xdb0c2e0d, 0x64f98fa7);
103 ctx->state[7] = u64hilo (0x47b5481d, 0xbefa4fa4);
104
105 ctx->total[0] = ctx->total[1] = u64lo (0);
106 ctx->buflen = 0;
107 }
108
109 /* Copy the value from V into the memory location pointed to by *CP,
110 If your architecture allows unaligned access, this is equivalent to
111 * (__typeof__ (v) *) cp = v */
112 static void
113 set_uint64 (char *cp, u64 v)
114 {
115 memcpy (cp, &v, sizeof v);
116 }
117
118 /* Put result from CTX in first 64 bytes following RESBUF.
119 The result must be in little endian byte order. */
120 void *
121 sha512_read_ctx (const struct sha512_ctx *ctx, void *resbuf)
122 {
123 int i;
124 char *r = resbuf;
125
126 for (i = 0; i < 8; i++)
127 set_uint64 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
128
129 return resbuf;
130 }
131
132 void *
133 sha384_read_ctx (const struct sha512_ctx *ctx, void *resbuf)
134 {
135 int i;
136 char *r = resbuf;
137
138 for (i = 0; i < 6; i++)
139 set_uint64 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
140
141 return resbuf;
142 }
143
144 /* Process the remaining bytes in the internal buffer and the usual
145 prolog according to the standard and write the result to RESBUF. */
146 static void
147 sha512_conclude_ctx (struct sha512_ctx *ctx)
148 {
149 /* Take yet unprocessed bytes into account. */
150 size_t bytes = ctx->buflen;
151 size_t size = (bytes < 112) ? 128 / 8 : 128 * 2 / 8;
152
153 /* Now count remaining bytes. */
154 ctx->total[0] = u64plus (ctx->total[0], u64lo (bytes));
155 if (u64lt (ctx->total[0], u64lo (bytes)))
156 ctx->total[1] = u64plus (ctx->total[1], u64lo (1));
157
158 /* Put the 128-bit file length in *bits* at the end of the buffer.
159 Use set_uint64 rather than a simple assignment, to avoid risk of
160 unaligned access. */
161 set_uint64 ((char *) &ctx->buffer[size - 2],
162 SWAP (u64or (u64shl (ctx->total[1], 3),
163 u64shr (ctx->total[0], 61))));
164 set_uint64 ((char *) &ctx->buffer[size - 1],
165 SWAP (u64shl (ctx->total[0], 3)));
166
167 memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 8 - bytes);
168
169 /* Process last bytes. */
170 sha512_process_block (ctx->buffer, size * 8, ctx);
171 }
172
173 void *
174 sha512_finish_ctx (struct sha512_ctx *ctx, void *resbuf)
175 {
176 sha512_conclude_ctx (ctx);
177 return sha512_read_ctx (ctx, resbuf);
178 }
179
180 void *
181 sha384_finish_ctx (struct sha512_ctx *ctx, void *resbuf)
182 {
183 sha512_conclude_ctx (ctx);
184 return sha384_read_ctx (ctx, resbuf);
185 }
186
187 /* Compute message digest for bytes read from STREAM using algorithm ALG.
188 Write the message digest into RESBLOCK, which contains HASHLEN bytes. The
189 initial and finishing operations are INIT_CTX and FINISH_CTX. Return zero
190 if and only if successful. Readbytes == -1 implies whole file. */
191
192 static int
193 shaxxx_stream (FILE *stream, char const *alg, void *resblock, off_t readbytes,
194 ssize_t hashlen, void (*init_ctx) (struct sha512_ctx *),
195 void *(*finish_ctx) (struct sha512_ctx *, void *))
196 {
197 char *buffer = malloc (BLOCKSIZE + 72);
198 if (!buffer)
199 return 1;
200
201 /* Initialize the computation context. */
202 struct sha512_ctx ctx;
203 init_ctx (&ctx);
204 size_t sum, target;
205 off_t total = 0;
206
207 /* Jump to end for readbytes == 0. */
208 if (readbytes == 0)
209 {
210 sum = 0;
211 goto process_partial_block;
212 }
213
214 /* Iterate over full file contents. */
215 while (1)
216 {
217 /* We read the file in blocks of BLOCKSIZE bytes. One call of the
218 computation function processes the whole buffer so that with the
219 next round of the loop another block can be read. */
220 size_t n;
221 if ((readbytes < 0) || ((readbytes - total) > (off_t) BLOCKSIZE))
222 target = (size_t) BLOCKSIZE;
223 else
224 target = (size_t) (readbytes - total);
225 sum = 0;
226
227 /* Read block. Take care for partial reads. */
228 while (1)
229 {
230 /* Either process a partial fread() from this loop,
231 or the fread() in afalg_stream may have gotten EOF.
232 We need to avoid a subsequent fread() as EOF may
233 not be sticky. For details of such systems, see:
234 https://sourceware.org/bugzilla/show_bug.cgi?id=1190 */
235 if (((off_t) sum >= target) || feof (stream))
236 goto process_partial_block;
237
238 n = fread (buffer + sum, 1, target - sum, stream);
239 sum += n;
240
241 if (sum == BLOCKSIZE)
242 break;
243
244 if (n == 0)
245 {
246 /* Check for the error flag IFF N == 0, so that we don't
247 exit the loop after a partial read due to e.g., EAGAIN
248 or EWOULDBLOCK. */
249 if (ferror (stream))
250 {
251 free (buffer);
252 return 1;
253 }
254 goto process_partial_block;
255 }
256 }
257 total += (off_t) sum;
258
259 /* Process buffer with BLOCKSIZE bytes. Note that
260 BLOCKSIZE % 128 == 0
261 */
262 sha512_process_block (buffer, BLOCKSIZE, &ctx);
263 }
264
265 process_partial_block:;
266
267 /* Process any remaining bytes. */
268 if (sum > 0)
269 sha512_process_bytes (buffer, sum, &ctx);
270
271 /* Construct result in desired memory. */
272 finish_ctx (&ctx, resblock);
273 free (buffer);
274 return 0;
275 }
276
277 int
278 sha512_stream (FILE *stream, void *resblock, off_t readbytes)
279 {
280 return shaxxx_stream (stream, "sha512", resblock, readbytes,
281 SHA512_DIGEST_SIZE, sha512_init_ctx,
282 sha512_finish_ctx);
283 }
284
285 int
286 sha384_stream (FILE *stream, void *resblock, off_t readbytes)
287 {
288 return shaxxx_stream (stream, "sha384", resblock, readbytes,
289 SHA384_DIGEST_SIZE, sha384_init_ctx,
290 sha384_finish_ctx);
291 }
292
293 /* Compute SHA512 message digest for LEN bytes beginning at BUFFER. The
294 result is always in little endian byte order, so that a byte-wise
295 output yields to the wanted ASCII representation of the message
296 digest. */
297 void *
298 sha512_buffer (const char *buffer, size_t len, void *resblock)
299 {
300 struct sha512_ctx ctx;
301
302 /* Initialize the computation context. */
303 sha512_init_ctx (&ctx);
304
305 /* Process whole buffer but last len % 128 bytes. */
306 sha512_process_bytes (buffer, len, &ctx);
307
308 /* Put result in desired memory area. */
309 return sha512_finish_ctx (&ctx, resblock);
310 }
311
312 void *
313 sha384_buffer (const char *buffer, size_t len, void *resblock)
314 {
315 struct sha512_ctx ctx;
316
317 /* Initialize the computation context. */
318 sha384_init_ctx (&ctx);
319
320 /* Process whole buffer but last len % 128 bytes. */
321 sha512_process_bytes (buffer, len, &ctx);
322
323 /* Put result in desired memory area. */
324 return sha384_finish_ctx (&ctx, resblock);
325 }
326
327 void
328 sha512_process_bytes (const void *buffer, size_t len, struct sha512_ctx *ctx)
329 {
330 /* When we already have some bits in our internal buffer concatenate
331 both inputs first. */
332 if (ctx->buflen != 0)
333 {
334 size_t left_over = ctx->buflen;
335 size_t add = 256 - left_over > len ? len : 256 - left_over;
336
337 memcpy (&((char *) ctx->buffer)[left_over], buffer, add);
338 ctx->buflen += add;
339
340 if (ctx->buflen > 128)
341 {
342 sha512_process_block (ctx->buffer, ctx->buflen & ~127, ctx);
343
344 ctx->buflen &= 127;
345 /* The regions in the following copy operation cannot overlap,
346 because ctx->buflen < 128 ≤ (left_over + add) & ~127. */
347 memcpy (ctx->buffer,
348 &((char *) ctx->buffer)[(left_over + add) & ~127],
349 ctx->buflen);
350 }
351
352 buffer = (const char *) buffer + add;
353 len -= add;
354 }
355
356 /* Process available complete blocks. */
357 if (len >= 128)
358 {
359 #if !(_STRING_ARCH_unaligned || _STRING_INLINE_unaligned)
360 # define UNALIGNED_P(p) ((uintptr_t) (p) % alignof (u64) != 0)
361 if (UNALIGNED_P (buffer))
362 while (len > 128)
363 {
364 sha512_process_block (memcpy (ctx->buffer, buffer, 128), 128, ctx);
365 buffer = (const char *) buffer + 128;
366 len -= 128;
367 }
368 else
369 #endif
370 {
371 sha512_process_block (buffer, len & ~127, ctx);
372 buffer = (const char *) buffer + (len & ~127);
373 len &= 127;
374 }
375 }
376
377 /* Move remaining bytes in internal buffer. */
378 if (len > 0)
379 {
380 size_t left_over = ctx->buflen;
381
382 memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
383 left_over += len;
384 if (left_over >= 128)
385 {
386 sha512_process_block (ctx->buffer, 128, ctx);
387 left_over -= 128;
388 /* The regions in the following copy operation cannot overlap,
389 because left_over ≤ 128. */
390 memcpy (ctx->buffer, &ctx->buffer[16], left_over);
391 }
392 ctx->buflen = left_over;
393 }
394 }
395
396 /* --- Code below is the primary difference between sha1.c and sha512.c --- */
397
398 /* SHA512 round constants */
399 #define K(I) sha512_round_constants[I]
400 static u64 const sha512_round_constants[80] = {
401 u64init (0x428a2f98, 0xd728ae22), u64init (0x71374491, 0x23ef65cd),
402 u64init (0xb5c0fbcf, 0xec4d3b2f), u64init (0xe9b5dba5, 0x8189dbbc),
403 u64init (0x3956c25b, 0xf348b538), u64init (0x59f111f1, 0xb605d019),
404 u64init (0x923f82a4, 0xaf194f9b), u64init (0xab1c5ed5, 0xda6d8118),
405 u64init (0xd807aa98, 0xa3030242), u64init (0x12835b01, 0x45706fbe),
406 u64init (0x243185be, 0x4ee4b28c), u64init (0x550c7dc3, 0xd5ffb4e2),
407 u64init (0x72be5d74, 0xf27b896f), u64init (0x80deb1fe, 0x3b1696b1),
408 u64init (0x9bdc06a7, 0x25c71235), u64init (0xc19bf174, 0xcf692694),
409 u64init (0xe49b69c1, 0x9ef14ad2), u64init (0xefbe4786, 0x384f25e3),
410 u64init (0x0fc19dc6, 0x8b8cd5b5), u64init (0x240ca1cc, 0x77ac9c65),
411 u64init (0x2de92c6f, 0x592b0275), u64init (0x4a7484aa, 0x6ea6e483),
412 u64init (0x5cb0a9dc, 0xbd41fbd4), u64init (0x76f988da, 0x831153b5),
413 u64init (0x983e5152, 0xee66dfab), u64init (0xa831c66d, 0x2db43210),
414 u64init (0xb00327c8, 0x98fb213f), u64init (0xbf597fc7, 0xbeef0ee4),
415 u64init (0xc6e00bf3, 0x3da88fc2), u64init (0xd5a79147, 0x930aa725),
416 u64init (0x06ca6351, 0xe003826f), u64init (0x14292967, 0x0a0e6e70),
417 u64init (0x27b70a85, 0x46d22ffc), u64init (0x2e1b2138, 0x5c26c926),
418 u64init (0x4d2c6dfc, 0x5ac42aed), u64init (0x53380d13, 0x9d95b3df),
419 u64init (0x650a7354, 0x8baf63de), u64init (0x766a0abb, 0x3c77b2a8),
420 u64init (0x81c2c92e, 0x47edaee6), u64init (0x92722c85, 0x1482353b),
421 u64init (0xa2bfe8a1, 0x4cf10364), u64init (0xa81a664b, 0xbc423001),
422 u64init (0xc24b8b70, 0xd0f89791), u64init (0xc76c51a3, 0x0654be30),
423 u64init (0xd192e819, 0xd6ef5218), u64init (0xd6990624, 0x5565a910),
424 u64init (0xf40e3585, 0x5771202a), u64init (0x106aa070, 0x32bbd1b8),
425 u64init (0x19a4c116, 0xb8d2d0c8), u64init (0x1e376c08, 0x5141ab53),
426 u64init (0x2748774c, 0xdf8eeb99), u64init (0x34b0bcb5, 0xe19b48a8),
427 u64init (0x391c0cb3, 0xc5c95a63), u64init (0x4ed8aa4a, 0xe3418acb),
428 u64init (0x5b9cca4f, 0x7763e373), u64init (0x682e6ff3, 0xd6b2b8a3),
429 u64init (0x748f82ee, 0x5defb2fc), u64init (0x78a5636f, 0x43172f60),
430 u64init (0x84c87814, 0xa1f0ab72), u64init (0x8cc70208, 0x1a6439ec),
431 u64init (0x90befffa, 0x23631e28), u64init (0xa4506ceb, 0xde82bde9),
432 u64init (0xbef9a3f7, 0xb2c67915), u64init (0xc67178f2, 0xe372532b),
433 u64init (0xca273ece, 0xea26619c), u64init (0xd186b8c7, 0x21c0c207),
434 u64init (0xeada7dd6, 0xcde0eb1e), u64init (0xf57d4f7f, 0xee6ed178),
435 u64init (0x06f067aa, 0x72176fba), u64init (0x0a637dc5, 0xa2c898a6),
436 u64init (0x113f9804, 0xbef90dae), u64init (0x1b710b35, 0x131c471b),
437 u64init (0x28db77f5, 0x23047d84), u64init (0x32caab7b, 0x40c72493),
438 u64init (0x3c9ebe0a, 0x15c9bebc), u64init (0x431d67c4, 0x9c100d4c),
439 u64init (0x4cc5d4be, 0xcb3e42b6), u64init (0x597f299c, 0xfc657e2a),
440 u64init (0x5fcb6fab, 0x3ad6faec), u64init (0x6c44198c, 0x4a475817),
441 };
442
443 /* Round functions. */
444 #define F2(A, B, C) u64or (u64and (A, B), u64and (C, u64or (A, B)))
445 #define F1(E, F, G) u64xor (G, u64and (E, u64xor (F, G)))
446
447 /* Process LEN bytes of BUFFER, accumulating context into CTX.
448 It is assumed that LEN % 128 == 0.
449 Most of this code comes from GnuPG's cipher/sha1.c. */
450
451 void
452 sha512_process_block (const void *buffer, size_t len, struct sha512_ctx *ctx)
453 {
454 u64 const *words = buffer;
455 u64 const *endp = words + len / sizeof (u64);
456 u64 x[16];
457 u64 a = ctx->state[0];
458 u64 b = ctx->state[1];
459 u64 c = ctx->state[2];
460 u64 d = ctx->state[3];
461 u64 e = ctx->state[4];
462 u64 f = ctx->state[5];
463 u64 g = ctx->state[6];
464 u64 h = ctx->state[7];
465 u64 lolen = u64size (len);
466
467 /* First increment the byte count. FIPS PUB 180-2 specifies the possible
468 length of the file up to 2^128 bits. Here we only compute the
469 number of bytes. Do a double word increment. */
470 ctx->total[0] = u64plus (ctx->total[0], lolen);
471 ctx->total[1] = u64plus (ctx->total[1],
472 u64plus (u64size (len >> 31 >> 31 >> 2),
473 u64lo (u64lt (ctx->total[0], lolen))));
474
475 #define S0(x) u64xor (u64rol(x, 63), u64xor (u64rol (x, 56), u64shr (x, 7)))
476 #define S1(x) u64xor (u64rol (x, 45), u64xor (u64rol (x, 3), u64shr (x, 6)))
477 #define SS0(x) u64xor (u64rol (x, 36), u64xor (u64rol (x, 30), u64rol (x, 25)))
478 #define SS1(x) u64xor (u64rol(x, 50), u64xor (u64rol (x, 46), u64rol (x, 23)))
479
480 #define M(I) (x[(I) & 15] \
481 = u64plus (x[(I) & 15], \
482 u64plus (S1 (x[((I) - 2) & 15]), \
483 u64plus (x[((I) - 7) & 15], \
484 S0 (x[((I) - 15) & 15])))))
485
486 #define R(A, B, C, D, E, F, G, H, K, M) \
487 do \
488 { \
489 u64 t0 = u64plus (SS0 (A), F2 (A, B, C)); \
490 u64 t1 = \
491 u64plus (H, u64plus (SS1 (E), \
492 u64plus (F1 (E, F, G), u64plus (K, M)))); \
493 D = u64plus (D, t1); \
494 H = u64plus (t0, t1); \
495 } \
496 while (0)
497
498 while (words < endp)
499 {
500 int t;
501 /* FIXME: see sha1.c for a better implementation. */
502 for (t = 0; t < 16; t++)
503 {
504 x[t] = SWAP (*words);
505 words++;
506 }
507
508 R( a, b, c, d, e, f, g, h, K( 0), x[ 0] );
509 R( h, a, b, c, d, e, f, g, K( 1), x[ 1] );
510 R( g, h, a, b, c, d, e, f, K( 2), x[ 2] );
511 R( f, g, h, a, b, c, d, e, K( 3), x[ 3] );
512 R( e, f, g, h, a, b, c, d, K( 4), x[ 4] );
513 R( d, e, f, g, h, a, b, c, K( 5), x[ 5] );
514 R( c, d, e, f, g, h, a, b, K( 6), x[ 6] );
515 R( b, c, d, e, f, g, h, a, K( 7), x[ 7] );
516 R( a, b, c, d, e, f, g, h, K( 8), x[ 8] );
517 R( h, a, b, c, d, e, f, g, K( 9), x[ 9] );
518 R( g, h, a, b, c, d, e, f, K(10), x[10] );
519 R( f, g, h, a, b, c, d, e, K(11), x[11] );
520 R( e, f, g, h, a, b, c, d, K(12), x[12] );
521 R( d, e, f, g, h, a, b, c, K(13), x[13] );
522 R( c, d, e, f, g, h, a, b, K(14), x[14] );
523 R( b, c, d, e, f, g, h, a, K(15), x[15] );
524 R( a, b, c, d, e, f, g, h, K(16), M(16) );
525 R( h, a, b, c, d, e, f, g, K(17), M(17) );
526 R( g, h, a, b, c, d, e, f, K(18), M(18) );
527 R( f, g, h, a, b, c, d, e, K(19), M(19) );
528 R( e, f, g, h, a, b, c, d, K(20), M(20) );
529 R( d, e, f, g, h, a, b, c, K(21), M(21) );
530 R( c, d, e, f, g, h, a, b, K(22), M(22) );
531 R( b, c, d, e, f, g, h, a, K(23), M(23) );
532 R( a, b, c, d, e, f, g, h, K(24), M(24) );
533 R( h, a, b, c, d, e, f, g, K(25), M(25) );
534 R( g, h, a, b, c, d, e, f, K(26), M(26) );
535 R( f, g, h, a, b, c, d, e, K(27), M(27) );
536 R( e, f, g, h, a, b, c, d, K(28), M(28) );
537 R( d, e, f, g, h, a, b, c, K(29), M(29) );
538 R( c, d, e, f, g, h, a, b, K(30), M(30) );
539 R( b, c, d, e, f, g, h, a, K(31), M(31) );
540 R( a, b, c, d, e, f, g, h, K(32), M(32) );
541 R( h, a, b, c, d, e, f, g, K(33), M(33) );
542 R( g, h, a, b, c, d, e, f, K(34), M(34) );
543 R( f, g, h, a, b, c, d, e, K(35), M(35) );
544 R( e, f, g, h, a, b, c, d, K(36), M(36) );
545 R( d, e, f, g, h, a, b, c, K(37), M(37) );
546 R( c, d, e, f, g, h, a, b, K(38), M(38) );
547 R( b, c, d, e, f, g, h, a, K(39), M(39) );
548 R( a, b, c, d, e, f, g, h, K(40), M(40) );
549 R( h, a, b, c, d, e, f, g, K(41), M(41) );
550 R( g, h, a, b, c, d, e, f, K(42), M(42) );
551 R( f, g, h, a, b, c, d, e, K(43), M(43) );
552 R( e, f, g, h, a, b, c, d, K(44), M(44) );
553 R( d, e, f, g, h, a, b, c, K(45), M(45) );
554 R( c, d, e, f, g, h, a, b, K(46), M(46) );
555 R( b, c, d, e, f, g, h, a, K(47), M(47) );
556 R( a, b, c, d, e, f, g, h, K(48), M(48) );
557 R( h, a, b, c, d, e, f, g, K(49), M(49) );
558 R( g, h, a, b, c, d, e, f, K(50), M(50) );
559 R( f, g, h, a, b, c, d, e, K(51), M(51) );
560 R( e, f, g, h, a, b, c, d, K(52), M(52) );
561 R( d, e, f, g, h, a, b, c, K(53), M(53) );
562 R( c, d, e, f, g, h, a, b, K(54), M(54) );
563 R( b, c, d, e, f, g, h, a, K(55), M(55) );
564 R( a, b, c, d, e, f, g, h, K(56), M(56) );
565 R( h, a, b, c, d, e, f, g, K(57), M(57) );
566 R( g, h, a, b, c, d, e, f, K(58), M(58) );
567 R( f, g, h, a, b, c, d, e, K(59), M(59) );
568 R( e, f, g, h, a, b, c, d, K(60), M(60) );
569 R( d, e, f, g, h, a, b, c, K(61), M(61) );
570 R( c, d, e, f, g, h, a, b, K(62), M(62) );
571 R( b, c, d, e, f, g, h, a, K(63), M(63) );
572 R( a, b, c, d, e, f, g, h, K(64), M(64) );
573 R( h, a, b, c, d, e, f, g, K(65), M(65) );
574 R( g, h, a, b, c, d, e, f, K(66), M(66) );
575 R( f, g, h, a, b, c, d, e, K(67), M(67) );
576 R( e, f, g, h, a, b, c, d, K(68), M(68) );
577 R( d, e, f, g, h, a, b, c, K(69), M(69) );
578 R( c, d, e, f, g, h, a, b, K(70), M(70) );
579 R( b, c, d, e, f, g, h, a, K(71), M(71) );
580 R( a, b, c, d, e, f, g, h, K(72), M(72) );
581 R( h, a, b, c, d, e, f, g, K(73), M(73) );
582 R( g, h, a, b, c, d, e, f, K(74), M(74) );
583 R( f, g, h, a, b, c, d, e, K(75), M(75) );
584 R( e, f, g, h, a, b, c, d, K(76), M(76) );
585 R( d, e, f, g, h, a, b, c, K(77), M(77) );
586 R( c, d, e, f, g, h, a, b, K(78), M(78) );
587 R( b, c, d, e, f, g, h, a, K(79), M(79) );
588
589 a = ctx->state[0] = u64plus (ctx->state[0], a);
590 b = ctx->state[1] = u64plus (ctx->state[1], b);
591 c = ctx->state[2] = u64plus (ctx->state[2], c);
592 d = ctx->state[3] = u64plus (ctx->state[3], d);
593 e = ctx->state[4] = u64plus (ctx->state[4], e);
594 f = ctx->state[5] = u64plus (ctx->state[5], f);
595 g = ctx->state[6] = u64plus (ctx->state[6], g);
596 h = ctx->state[7] = u64plus (ctx->state[7], h);
597 }
598 }