search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
seq no longer mishandles cases like "seq 0 0.000001 0.000003",
[coreutils/ericb.git] / lib / sha512.c
blobe24c6f5a35531419bfd56f9fcfcf2b7d00b1645f
1 /* sha512.c - Functions to compute SHA512 and SHA384 message digest of files or
2 memory blocks according to the NIST specification FIPS-180-2.
3
4 Copyright (C) 2005, 2006 Free Software Foundation, Inc.
5
6 This program is free software; you can redistribute it and/or modify it
7 under the terms of the GNU General Public License as published by the
8 Free Software Foundation; either version 2, or (at your option) any
9 later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software Foundation,
18 Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */
19
20 /* Written by David Madore, considerably copypasting from
21 Scott G. Miller's sha1.c
22 */
23
24 #include <config.h>
25
26 #include "sha512.h"
27
28 #include <stddef.h>
29 #include <string.h>
30
31 #if USE_UNLOCKED_IO
32 # include "unlocked-io.h"
33 #endif
34
35 #ifdef WORDS_BIGENDIAN
36 # define SWAP(n) (n)
37 #else
38 # define SWAP(n) \
39 u64or (u64or (u64or (u64shl (n, 56), \
40 u64shl (u64and (n, u64lo (0x0000ff00)), 40)), \
41 u64or (u64shl (u64and (n, u64lo (0x00ff0000)), 24), \
42 u64shl (u64and (n, u64lo (0xff000000)), 8))), \
43 u64or (u64or (u64and (u64shr (n, 8), u64lo (0xff000000)), \
44 u64and (u64shr (n, 24), u64lo (0x00ff0000))), \
45 u64or (u64and (u64shr (n, 40), u64lo (0x0000ff00)), \
46 u64shr (n, 56))))
47 #endif
48
49 #define BLOCKSIZE 4096
50 #if BLOCKSIZE % 128 != 0
51 # error "invalid BLOCKSIZE"
52 #endif
53
54 /* This array contains the bytes used to pad the buffer to the next
55 128-byte boundary. */
56 static const unsigned char fillbuf[128] = { 0x80, 0 /* , 0, 0, ... */ };
57
58
59 /*
60 Takes a pointer to a 512 bit block of data (eight 64 bit ints) and
61 intializes it to the start constants of the SHA512 algorithm. This
62 must be called before using hash in the call to sha512_hash
63 */
64 void
65 sha512_init_ctx (struct sha512_ctx *ctx)
66 {
67 ctx->state[0] = u64hilo (0x6a09e667, 0xf3bcc908);
68 ctx->state[1] = u64hilo (0xbb67ae85, 0x84caa73b);
69 ctx->state[2] = u64hilo (0x3c6ef372, 0xfe94f82b);
70 ctx->state[3] = u64hilo (0xa54ff53a, 0x5f1d36f1);
71 ctx->state[4] = u64hilo (0x510e527f, 0xade682d1);
72 ctx->state[5] = u64hilo (0x9b05688c, 0x2b3e6c1f);
73 ctx->state[6] = u64hilo (0x1f83d9ab, 0xfb41bd6b);
74 ctx->state[7] = u64hilo (0x5be0cd19, 0x137e2179);
75
76 ctx->total[0] = ctx->total[1] = u64lo (0);
77 ctx->buflen = 0;
78 }
79
80 void
81 sha384_init_ctx (struct sha512_ctx *ctx)
82 {
83 ctx->state[0] = u64hilo (0xcbbb9d5d, 0xc1059ed8);
84 ctx->state[1] = u64hilo (0x629a292a, 0x367cd507);
85 ctx->state[2] = u64hilo (0x9159015a, 0x3070dd17);
86 ctx->state[3] = u64hilo (0x152fecd8, 0xf70e5939);
87 ctx->state[4] = u64hilo (0x67332667, 0xffc00b31);
88 ctx->state[5] = u64hilo (0x8eb44a87, 0x68581511);
89 ctx->state[6] = u64hilo (0xdb0c2e0d, 0x64f98fa7);
90 ctx->state[7] = u64hilo (0x47b5481d, 0xbefa4fa4);
91
92 ctx->total[0] = ctx->total[1] = u64lo (0);
93 ctx->buflen = 0;
94 }
95
96 /* Put result from CTX in first 64 bytes following RESBUF. The result
97 must be in little endian byte order.
98
99 IMPORTANT: On some systems it is required that RESBUF is correctly
100 aligned for a 64-bit value. */
101 void *
102 sha512_read_ctx (const struct sha512_ctx *ctx, void *resbuf)
103 {
104 int i;
105
106 for (i = 0; i < 8; i++)
107 ((u64 *) resbuf)[i] = SWAP (ctx->state[i]);
108
109 return resbuf;
110 }
111
112 void *
113 sha384_read_ctx (const struct sha512_ctx *ctx, void *resbuf)
114 {
115 int i;
116
117 for (i = 0; i < 6; i++)
118 ((u64 *) resbuf)[i] = SWAP (ctx->state[i]);
119
120 return resbuf;
121 }
122
123 /* Process the remaining bytes in the internal buffer and the usual
124 prolog according to the standard and write the result to RESBUF.
125
126 IMPORTANT: On some systems it is required that RESBUF is correctly
127 aligned for a 64-bit value. */
128 static void
129 sha512_conclude_ctx (struct sha512_ctx *ctx)
130 {
131 /* Take yet unprocessed bytes into account. */
132 size_t bytes = ctx->buflen;
133 size_t size = (bytes < 112) ? 128 / 8 : 128 * 2 / 8;
134
135 /* Now count remaining bytes. */
136 ctx->total[0] = u64plus (ctx->total[0], u64lo (bytes));
137 if (u64lt (ctx->total[0], u64lo (bytes)))
138 ctx->total[1] = u64plus (ctx->total[1], u64lo (1));
139
140 /* Put the 64-bit file length in *bits* at the end of the buffer. */
141 ctx->buffer[size - 2] = SWAP (u64or (u64shl (ctx->total[1], 3),
142 u64shr (ctx->total[0], 61)));
143 ctx->buffer[size - 1] = SWAP (u64shl (ctx->total[0], 3));
144
145 memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 8 - bytes);
146
147 /* Process last bytes. */
148 sha512_process_block (ctx->buffer, size * 8, ctx);
149 }
150
151 void *
152 sha512_finish_ctx (struct sha512_ctx *ctx, void *resbuf)
153 {
154 sha512_conclude_ctx (ctx);
155 return sha512_read_ctx (ctx, resbuf);
156 }
157
158 void *
159 sha384_finish_ctx (struct sha512_ctx *ctx, void *resbuf)
160 {
161 sha512_conclude_ctx (ctx);
162 return sha384_read_ctx (ctx, resbuf);
163 }
164
165 /* Compute SHA512 message digest for bytes read from STREAM. The
166 resulting message digest number will be written into the 64 bytes
167 beginning at RESBLOCK. */
168 int
169 sha512_stream (FILE *stream, void *resblock)
170 {
171 struct sha512_ctx ctx;
172 char buffer[BLOCKSIZE + 72];
173 size_t sum;
174
175 /* Initialize the computation context. */
176 sha512_init_ctx (&ctx);
177
178 /* Iterate over full file contents. */
179 while (1)
180 {
181 /* We read the file in blocks of BLOCKSIZE bytes. One call of the
182 computation function processes the whole buffer so that with the
183 next round of the loop another block can be read. */
184 size_t n;
185 sum = 0;
186
187 /* Read block. Take care for partial reads. */
188 while (1)
189 {
190 n = fread (buffer + sum, 1, BLOCKSIZE - sum, stream);
191
192 sum += n;
193
194 if (sum == BLOCKSIZE)
195 break;
196
197 if (n == 0)
198 {
199 /* Check for the error flag IFF N == 0, so that we don't
200 exit the loop after a partial read due to e.g., EAGAIN
201 or EWOULDBLOCK. */
202 if (ferror (stream))
203 return 1;
204 goto process_partial_block;
205 }
206
207 /* We've read at least one byte, so ignore errors. But always
208 check for EOF, since feof may be true even though N > 0.
209 Otherwise, we could end up calling fread after EOF. */
210 if (feof (stream))
211 goto process_partial_block;
212 }
213
214 /* Process buffer with BLOCKSIZE bytes. Note that
215 BLOCKSIZE % 128 == 0
216 */
217 sha512_process_block (buffer, BLOCKSIZE, &ctx);
218 }
219
220 process_partial_block:;
221
222 /* Process any remaining bytes. */
223 if (sum > 0)
224 sha512_process_bytes (buffer, sum, &ctx);
225
226 /* Construct result in desired memory. */
227 sha512_finish_ctx (&ctx, resblock);
228 return 0;
229 }
230
231 /* FIXME: Avoid code duplication */
232 int
233 sha384_stream (FILE *stream, void *resblock)
234 {
235 struct sha512_ctx ctx;
236 char buffer[BLOCKSIZE + 72];
237 size_t sum;
238
239 /* Initialize the computation context. */
240 sha384_init_ctx (&ctx);
241
242 /* Iterate over full file contents. */
243 while (1)
244 {
245 /* We read the file in blocks of BLOCKSIZE bytes. One call of the
246 computation function processes the whole buffer so that with the
247 next round of the loop another block can be read. */
248 size_t n;
249 sum = 0;
250
251 /* Read block. Take care for partial reads. */
252 while (1)
253 {
254 n = fread (buffer + sum, 1, BLOCKSIZE - sum, stream);
255
256 sum += n;
257
258 if (sum == BLOCKSIZE)
259 break;
260
261 if (n == 0)
262 {
263 /* Check for the error flag IFF N == 0, so that we don't
264 exit the loop after a partial read due to e.g., EAGAIN
265 or EWOULDBLOCK. */
266 if (ferror (stream))
267 return 1;
268 goto process_partial_block;
269 }
270
271 /* We've read at least one byte, so ignore errors. But always
272 check for EOF, since feof may be true even though N > 0.
273 Otherwise, we could end up calling fread after EOF. */
274 if (feof (stream))
275 goto process_partial_block;
276 }
277
278 /* Process buffer with BLOCKSIZE bytes. Note that
279 BLOCKSIZE % 128 == 0
280 */
281 sha512_process_block (buffer, BLOCKSIZE, &ctx);
282 }
283
284 process_partial_block:;
285
286 /* Process any remaining bytes. */
287 if (sum > 0)
288 sha512_process_bytes (buffer, sum, &ctx);
289
290 /* Construct result in desired memory. */
291 sha384_finish_ctx (&ctx, resblock);
292 return 0;
293 }
294
295 /* Compute SHA512 message digest for LEN bytes beginning at BUFFER. The
296 result is always in little endian byte order, so that a byte-wise
297 output yields to the wanted ASCII representation of the message
298 digest. */
299 void *
300 sha512_buffer (const char *buffer, size_t len, void *resblock)
301 {
302 struct sha512_ctx ctx;
303
304 /* Initialize the computation context. */
305 sha512_init_ctx (&ctx);
306
307 /* Process whole buffer but last len % 128 bytes. */
308 sha512_process_bytes (buffer, len, &ctx);
309
310 /* Put result in desired memory area. */
311 return sha512_finish_ctx (&ctx, resblock);
312 }
313
314 void *
315 sha384_buffer (const char *buffer, size_t len, void *resblock)
316 {
317 struct sha512_ctx ctx;
318
319 /* Initialize the computation context. */
320 sha384_init_ctx (&ctx);
321
322 /* Process whole buffer but last len % 128 bytes. */
323 sha512_process_bytes (buffer, len, &ctx);
324
325 /* Put result in desired memory area. */
326 return sha384_finish_ctx (&ctx, resblock);
327 }
328
329 void
330 sha512_process_bytes (const void *buffer, size_t len, struct sha512_ctx *ctx)
331 {
332 /* When we already have some bits in our internal buffer concatenate
333 both inputs first. */
334 if (ctx->buflen != 0)
335 {
336 size_t left_over = ctx->buflen;
337 size_t add = 256 - left_over > len ? len : 256 - left_over;
338
339 memcpy (&((char *) ctx->buffer)[left_over], buffer, add);
340 ctx->buflen += add;
341
342 if (ctx->buflen > 128)
343 {
344 sha512_process_block (ctx->buffer, ctx->buflen & ~63, ctx);
345
346 ctx->buflen &= 127;
347 /* The regions in the following copy operation cannot overlap. */
348 memcpy (ctx->buffer,
349 &((char *) ctx->buffer)[(left_over + add) & ~127],
350 ctx->buflen);
351 }
352
353 buffer = (const char *) buffer + add;
354 len -= add;
355 }
356
357 /* Process available complete blocks. */
358 if (len >= 128)
359 {
360 #if !_STRING_ARCH_unaligned
361 # define alignof(type) offsetof (struct { char c; type x; }, x)
362 # define UNALIGNED_P(p) (((size_t) p) % alignof (u64) != 0)
363 if (UNALIGNED_P (buffer))
364 while (len > 128)
365 {
366 sha512_process_block (memcpy (ctx->buffer, buffer, 128), 128, ctx);
367 buffer = (const char *) buffer + 128;
368 len -= 128;
369 }
370 else
371 #endif
372 {
373 sha512_process_block (buffer, len & ~127, ctx);
374 buffer = (const char *) buffer + (len & ~127);
375 len &= 127;
376 }
377 }
378
379 /* Move remaining bytes in internal buffer. */
380 if (len > 0)
381 {
382 size_t left_over = ctx->buflen;
383
384 memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
385 left_over += len;
386 if (left_over >= 128)
387 {
388 sha512_process_block (ctx->buffer, 128, ctx);
389 left_over -= 128;
390 memcpy (ctx->buffer, &ctx->buffer[16], left_over);
391 }
392 ctx->buflen = left_over;
393 }
394 }
395
396 /* --- Code below is the primary difference between sha1.c and sha512.c --- */
397
398 /* SHA512 round constants */
399 #define K(I) sha512_round_constants[I]
400 static u64 const sha512_round_constants[80] = {
401 u64init (0x428a2f98, 0xd728ae22), u64init (0x71374491, 0x23ef65cd),
402 u64init (0xb5c0fbcf, 0xec4d3b2f), u64init (0xe9b5dba5, 0x8189dbbc),
403 u64init (0x3956c25b, 0xf348b538), u64init (0x59f111f1, 0xb605d019),
404 u64init (0x923f82a4, 0xaf194f9b), u64init (0xab1c5ed5, 0xda6d8118),
405 u64init (0xd807aa98, 0xa3030242), u64init (0x12835b01, 0x45706fbe),
406 u64init (0x243185be, 0x4ee4b28c), u64init (0x550c7dc3, 0xd5ffb4e2),
407 u64init (0x72be5d74, 0xf27b896f), u64init (0x80deb1fe, 0x3b1696b1),
408 u64init (0x9bdc06a7, 0x25c71235), u64init (0xc19bf174, 0xcf692694),
409 u64init (0xe49b69c1, 0x9ef14ad2), u64init (0xefbe4786, 0x384f25e3),
410 u64init (0x0fc19dc6, 0x8b8cd5b5), u64init (0x240ca1cc, 0x77ac9c65),
411 u64init (0x2de92c6f, 0x592b0275), u64init (0x4a7484aa, 0x6ea6e483),
412 u64init (0x5cb0a9dc, 0xbd41fbd4), u64init (0x76f988da, 0x831153b5),
413 u64init (0x983e5152, 0xee66dfab), u64init (0xa831c66d, 0x2db43210),
414 u64init (0xb00327c8, 0x98fb213f), u64init (0xbf597fc7, 0xbeef0ee4),
415 u64init (0xc6e00bf3, 0x3da88fc2), u64init (0xd5a79147, 0x930aa725),
416 u64init (0x06ca6351, 0xe003826f), u64init (0x14292967, 0x0a0e6e70),
417 u64init (0x27b70a85, 0x46d22ffc), u64init (0x2e1b2138, 0x5c26c926),
418 u64init (0x4d2c6dfc, 0x5ac42aed), u64init (0x53380d13, 0x9d95b3df),
419 u64init (0x650a7354, 0x8baf63de), u64init (0x766a0abb, 0x3c77b2a8),
420 u64init (0x81c2c92e, 0x47edaee6), u64init (0x92722c85, 0x1482353b),
421 u64init (0xa2bfe8a1, 0x4cf10364), u64init (0xa81a664b, 0xbc423001),
422 u64init (0xc24b8b70, 0xd0f89791), u64init (0xc76c51a3, 0x0654be30),
423 u64init (0xd192e819, 0xd6ef5218), u64init (0xd6990624, 0x5565a910),
424 u64init (0xf40e3585, 0x5771202a), u64init (0x106aa070, 0x32bbd1b8),
425 u64init (0x19a4c116, 0xb8d2d0c8), u64init (0x1e376c08, 0x5141ab53),
426 u64init (0x2748774c, 0xdf8eeb99), u64init (0x34b0bcb5, 0xe19b48a8),
427 u64init (0x391c0cb3, 0xc5c95a63), u64init (0x4ed8aa4a, 0xe3418acb),
428 u64init (0x5b9cca4f, 0x7763e373), u64init (0x682e6ff3, 0xd6b2b8a3),
429 u64init (0x748f82ee, 0x5defb2fc), u64init (0x78a5636f, 0x43172f60),
430 u64init (0x84c87814, 0xa1f0ab72), u64init (0x8cc70208, 0x1a6439ec),
431 u64init (0x90befffa, 0x23631e28), u64init (0xa4506ceb, 0xde82bde9),
432 u64init (0xbef9a3f7, 0xb2c67915), u64init (0xc67178f2, 0xe372532b),
433 u64init (0xca273ece, 0xea26619c), u64init (0xd186b8c7, 0x21c0c207),
434 u64init (0xeada7dd6, 0xcde0eb1e), u64init (0xf57d4f7f, 0xee6ed178),
435 u64init (0x06f067aa, 0x72176fba), u64init (0x0a637dc5, 0xa2c898a6),
436 u64init (0x113f9804, 0xbef90dae), u64init (0x1b710b35, 0x131c471b),
437 u64init (0x28db77f5, 0x23047d84), u64init (0x32caab7b, 0x40c72493),
438 u64init (0x3c9ebe0a, 0x15c9bebc), u64init (0x431d67c4, 0x9c100d4c),
439 u64init (0x4cc5d4be, 0xcb3e42b6), u64init (0x597f299c, 0xfc657e2a),
440 u64init (0x5fcb6fab, 0x3ad6faec), u64init (0x6c44198c, 0x4a475817),
441 };
442
443 /* Round functions. */
444 #define F2(A, B, C) u64or (u64and (A, B), u64and (C, u64or (A, B)))
445 #define F1(E, F, G) u64xor (G, u64and (E, u64xor (F, G)))
446
447 /* Process LEN bytes of BUFFER, accumulating context into CTX.
448 It is assumed that LEN % 128 == 0.
449 Most of this code comes from GnuPG's cipher/sha1.c. */
450
451 void
452 sha512_process_block (const void *buffer, size_t len, struct sha512_ctx *ctx)
453 {
454 u64 const *words = buffer;
455 u64 const *endp = words + len / sizeof (u64);
456 u64 x[16];
457 u64 a = ctx->state[0];
458 u64 b = ctx->state[1];
459 u64 c = ctx->state[2];
460 u64 d = ctx->state[3];
461 u64 e = ctx->state[4];
462 u64 f = ctx->state[5];
463 u64 g = ctx->state[6];
464 u64 h = ctx->state[7];
465
466 /* First increment the byte count. FIPS PUB 180-2 specifies the possible
467 length of the file up to 2^128 bits. Here we only compute the
468 number of bytes. Do a double word increment. */
469 ctx->total[0] = u64plus (ctx->total[0], u64lo (len));
470 if (u64lt (ctx->total[0], u64lo (len)))
471 ctx->total[1] = u64plus (ctx->total[1], u64lo (1));
472
473 #define S0(x) u64xor (u64rol(x, 63), u64xor (u64rol (x, 56), u64shr (x, 7)))
474 #define S1(x) u64xor (u64rol (x, 45), u64xor (u64rol (x, 3), u64shr (x, 6)))
475 #define SS0(x) u64xor (u64rol (x, 36), u64xor (u64rol (x, 30), u64rol (x, 25)))
476 #define SS1(x) u64xor (u64rol(x, 50), u64xor (u64rol (x, 46), u64rol (x, 23)))
477
478 #define M(I) (x[(I) & 15] \
479 = u64plus (x[(I) & 15], \
480 u64plus (S1 (x[((I) - 2) & 15]), \
481 u64plus (x[((I) - 7) & 15], \
482 S0 (x[((I) - 15) & 15])))))
483
484 #define R(A, B, C, D, E, F, G, H, K, M) \
485 do \
486 { \
487 u64 t0 = u64plus (SS0 (A), F2 (A, B, C)); \
488 u64 t1 = \
489 u64plus (H, u64plus (SS1 (E), \
490 u64plus (F1 (E, F, G), u64plus (K, M)))); \
491 D = u64plus (D, t1); \
492 H = u64plus (t0, t1); \
493 } \
494 while (0)
495
496 while (words < endp)
497 {
498 int t;
499 /* FIXME: see sha1.c for a better implementation. */
500 for (t = 0; t < 16; t++)
501 {
502 x[t] = SWAP (*words);
503 words++;
504 }
505
506 R( a, b, c, d, e, f, g, h, K( 0), x[ 0] );
507 R( h, a, b, c, d, e, f, g, K( 1), x[ 1] );
508 R( g, h, a, b, c, d, e, f, K( 2), x[ 2] );
509 R( f, g, h, a, b, c, d, e, K( 3), x[ 3] );
510 R( e, f, g, h, a, b, c, d, K( 4), x[ 4] );
511 R( d, e, f, g, h, a, b, c, K( 5), x[ 5] );
512 R( c, d, e, f, g, h, a, b, K( 6), x[ 6] );
513 R( b, c, d, e, f, g, h, a, K( 7), x[ 7] );
514 R( a, b, c, d, e, f, g, h, K( 8), x[ 8] );
515 R( h, a, b, c, d, e, f, g, K( 9), x[ 9] );
516 R( g, h, a, b, c, d, e, f, K(10), x[10] );
517 R( f, g, h, a, b, c, d, e, K(11), x[11] );
518 R( e, f, g, h, a, b, c, d, K(12), x[12] );
519 R( d, e, f, g, h, a, b, c, K(13), x[13] );
520 R( c, d, e, f, g, h, a, b, K(14), x[14] );
521 R( b, c, d, e, f, g, h, a, K(15), x[15] );
522 R( a, b, c, d, e, f, g, h, K(16), M(16) );
523 R( h, a, b, c, d, e, f, g, K(17), M(17) );
524 R( g, h, a, b, c, d, e, f, K(18), M(18) );
525 R( f, g, h, a, b, c, d, e, K(19), M(19) );
526 R( e, f, g, h, a, b, c, d, K(20), M(20) );
527 R( d, e, f, g, h, a, b, c, K(21), M(21) );
528 R( c, d, e, f, g, h, a, b, K(22), M(22) );
529 R( b, c, d, e, f, g, h, a, K(23), M(23) );
530 R( a, b, c, d, e, f, g, h, K(24), M(24) );
531 R( h, a, b, c, d, e, f, g, K(25), M(25) );
532 R( g, h, a, b, c, d, e, f, K(26), M(26) );
533 R( f, g, h, a, b, c, d, e, K(27), M(27) );
534 R( e, f, g, h, a, b, c, d, K(28), M(28) );
535 R( d, e, f, g, h, a, b, c, K(29), M(29) );
536 R( c, d, e, f, g, h, a, b, K(30), M(30) );
537 R( b, c, d, e, f, g, h, a, K(31), M(31) );
538 R( a, b, c, d, e, f, g, h, K(32), M(32) );
539 R( h, a, b, c, d, e, f, g, K(33), M(33) );
540 R( g, h, a, b, c, d, e, f, K(34), M(34) );
541 R( f, g, h, a, b, c, d, e, K(35), M(35) );
542 R( e, f, g, h, a, b, c, d, K(36), M(36) );
543 R( d, e, f, g, h, a, b, c, K(37), M(37) );
544 R( c, d, e, f, g, h, a, b, K(38), M(38) );
545 R( b, c, d, e, f, g, h, a, K(39), M(39) );
546 R( a, b, c, d, e, f, g, h, K(40), M(40) );
547 R( h, a, b, c, d, e, f, g, K(41), M(41) );
548 R( g, h, a, b, c, d, e, f, K(42), M(42) );
549 R( f, g, h, a, b, c, d, e, K(43), M(43) );
550 R( e, f, g, h, a, b, c, d, K(44), M(44) );
551 R( d, e, f, g, h, a, b, c, K(45), M(45) );
552 R( c, d, e, f, g, h, a, b, K(46), M(46) );
553 R( b, c, d, e, f, g, h, a, K(47), M(47) );
554 R( a, b, c, d, e, f, g, h, K(48), M(48) );
555 R( h, a, b, c, d, e, f, g, K(49), M(49) );
556 R( g, h, a, b, c, d, e, f, K(50), M(50) );
557 R( f, g, h, a, b, c, d, e, K(51), M(51) );
558 R( e, f, g, h, a, b, c, d, K(52), M(52) );
559 R( d, e, f, g, h, a, b, c, K(53), M(53) );
560 R( c, d, e, f, g, h, a, b, K(54), M(54) );
561 R( b, c, d, e, f, g, h, a, K(55), M(55) );
562 R( a, b, c, d, e, f, g, h, K(56), M(56) );
563 R( h, a, b, c, d, e, f, g, K(57), M(57) );
564 R( g, h, a, b, c, d, e, f, K(58), M(58) );
565 R( f, g, h, a, b, c, d, e, K(59), M(59) );
566 R( e, f, g, h, a, b, c, d, K(60), M(60) );
567 R( d, e, f, g, h, a, b, c, K(61), M(61) );
568 R( c, d, e, f, g, h, a, b, K(62), M(62) );
569 R( b, c, d, e, f, g, h, a, K(63), M(63) );
570 R( a, b, c, d, e, f, g, h, K(64), M(64) );
571 R( h, a, b, c, d, e, f, g, K(65), M(65) );
572 R( g, h, a, b, c, d, e, f, K(66), M(66) );
573 R( f, g, h, a, b, c, d, e, K(67), M(67) );
574 R( e, f, g, h, a, b, c, d, K(68), M(68) );
575 R( d, e, f, g, h, a, b, c, K(69), M(69) );
576 R( c, d, e, f, g, h, a, b, K(70), M(70) );
577 R( b, c, d, e, f, g, h, a, K(71), M(71) );
578 R( a, b, c, d, e, f, g, h, K(72), M(72) );
579 R( h, a, b, c, d, e, f, g, K(73), M(73) );
580 R( g, h, a, b, c, d, e, f, K(74), M(74) );
581 R( f, g, h, a, b, c, d, e, K(75), M(75) );
582 R( e, f, g, h, a, b, c, d, K(76), M(76) );
583 R( d, e, f, g, h, a, b, c, K(77), M(77) );
584 R( c, d, e, f, g, h, a, b, K(78), M(78) );
585 R( b, c, d, e, f, g, h, a, K(79), M(79) );
586
587 a = ctx->state[0] = u64plus (ctx->state[0], a);
588 b = ctx->state[1] = u64plus (ctx->state[1], b);
589 c = ctx->state[2] = u64plus (ctx->state[2], c);
590 d = ctx->state[3] = u64plus (ctx->state[3], d);
591 e = ctx->state[4] = u64plus (ctx->state[4], e);
592 f = ctx->state[5] = u64plus (ctx->state[5], f);
593 g = ctx->state[6] = u64plus (ctx->state[6], g);
594 h = ctx->state[7] = u64plus (ctx->state[7], h);
595 }
596 }
Eric Blake's GNU coreutils patches