1 /* sha512.c - Functions to compute SHA512 and SHA384 message digest of files or
2 memory blocks according to the NIST specification FIPS-180-2.
4 Copyright (C) 2005-2006, 2008-2018 Free Software Foundation, Inc.
6 This program is free software: you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation, either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <https://www.gnu.org/licenses/>. */
19 /* Written by David Madore, considerably copypasting from
20 Scott G. Miller's sha1.c
25 #if HAVE_OPENSSL_SHA512
26 # define GL_OPENSSL_INLINE _GL_EXTERN_INLINE
36 # include "unlocked-io.h"
39 #ifdef WORDS_BIGENDIAN
43 u64or (u64or (u64or (u64shl (n, 56), \
44 u64shl (u64and (n, u64lo (0x0000ff00)), 40)), \
45 u64or (u64shl (u64and (n, u64lo (0x00ff0000)), 24), \
46 u64shl (u64and (n, u64lo (0xff000000)), 8))), \
47 u64or (u64or (u64and (u64shr (n, 8), u64lo (0xff000000)), \
48 u64and (u64shr (n, 24), u64lo (0x00ff0000))), \
49 u64or (u64and (u64shr (n, 40), u64lo (0x0000ff00)), \
53 #define BLOCKSIZE 32768
54 #if BLOCKSIZE % 128 != 0
55 # error "invalid BLOCKSIZE"
58 #if ! HAVE_OPENSSL_SHA512
59 /* This array contains the bytes used to pad the buffer to the next
61 static const unsigned char fillbuf
[128] = { 0x80, 0 /* , 0, 0, ... */ };
65 Takes a pointer to a 512 bit block of data (eight 64 bit ints) and
66 initializes it to the start constants of the SHA512 algorithm. This
67 must be called before using hash in the call to sha512_hash
70 sha512_init_ctx (struct sha512_ctx
*ctx
)
72 ctx
->state
[0] = u64hilo (0x6a09e667, 0xf3bcc908);
73 ctx
->state
[1] = u64hilo (0xbb67ae85, 0x84caa73b);
74 ctx
->state
[2] = u64hilo (0x3c6ef372, 0xfe94f82b);
75 ctx
->state
[3] = u64hilo (0xa54ff53a, 0x5f1d36f1);
76 ctx
->state
[4] = u64hilo (0x510e527f, 0xade682d1);
77 ctx
->state
[5] = u64hilo (0x9b05688c, 0x2b3e6c1f);
78 ctx
->state
[6] = u64hilo (0x1f83d9ab, 0xfb41bd6b);
79 ctx
->state
[7] = u64hilo (0x5be0cd19, 0x137e2179);
81 ctx
->total
[0] = ctx
->total
[1] = u64lo (0);
86 sha384_init_ctx (struct sha512_ctx
*ctx
)
88 ctx
->state
[0] = u64hilo (0xcbbb9d5d, 0xc1059ed8);
89 ctx
->state
[1] = u64hilo (0x629a292a, 0x367cd507);
90 ctx
->state
[2] = u64hilo (0x9159015a, 0x3070dd17);
91 ctx
->state
[3] = u64hilo (0x152fecd8, 0xf70e5939);
92 ctx
->state
[4] = u64hilo (0x67332667, 0xffc00b31);
93 ctx
->state
[5] = u64hilo (0x8eb44a87, 0x68581511);
94 ctx
->state
[6] = u64hilo (0xdb0c2e0d, 0x64f98fa7);
95 ctx
->state
[7] = u64hilo (0x47b5481d, 0xbefa4fa4);
97 ctx
->total
[0] = ctx
->total
[1] = u64lo (0);
101 /* Copy the value from V into the memory location pointed to by *CP,
102 If your architecture allows unaligned access, this is equivalent to
103 * (__typeof__ (v) *) cp = v */
105 set_uint64 (char *cp
, u64 v
)
107 memcpy (cp
, &v
, sizeof v
);
110 /* Put result from CTX in first 64 bytes following RESBUF.
111 The result must be in little endian byte order. */
113 sha512_read_ctx (const struct sha512_ctx
*ctx
, void *resbuf
)
118 for (i
= 0; i
< 8; i
++)
119 set_uint64 (r
+ i
* sizeof ctx
->state
[0], SWAP (ctx
->state
[i
]));
125 sha384_read_ctx (const struct sha512_ctx
*ctx
, void *resbuf
)
130 for (i
= 0; i
< 6; i
++)
131 set_uint64 (r
+ i
* sizeof ctx
->state
[0], SWAP (ctx
->state
[i
]));
136 /* Process the remaining bytes in the internal buffer and the usual
137 prolog according to the standard and write the result to RESBUF. */
139 sha512_conclude_ctx (struct sha512_ctx
*ctx
)
141 /* Take yet unprocessed bytes into account. */
142 size_t bytes
= ctx
->buflen
;
143 size_t size
= (bytes
< 112) ? 128 / 8 : 128 * 2 / 8;
145 /* Now count remaining bytes. */
146 ctx
->total
[0] = u64plus (ctx
->total
[0], u64lo (bytes
));
147 if (u64lt (ctx
->total
[0], u64lo (bytes
)))
148 ctx
->total
[1] = u64plus (ctx
->total
[1], u64lo (1));
150 /* Put the 128-bit file length in *bits* at the end of the buffer.
151 Use set_uint64 rather than a simple assignment, to avoid risk of
153 set_uint64 ((char *) &ctx
->buffer
[size
- 2],
154 SWAP (u64or (u64shl (ctx
->total
[1], 3),
155 u64shr (ctx
->total
[0], 61))));
156 set_uint64 ((char *) &ctx
->buffer
[size
- 1],
157 SWAP (u64shl (ctx
->total
[0], 3)));
159 memcpy (&((char *) ctx
->buffer
)[bytes
], fillbuf
, (size
- 2) * 8 - bytes
);
161 /* Process last bytes. */
162 sha512_process_block (ctx
->buffer
, size
* 8, ctx
);
166 sha512_finish_ctx (struct sha512_ctx
*ctx
, void *resbuf
)
168 sha512_conclude_ctx (ctx
);
169 return sha512_read_ctx (ctx
, resbuf
);
173 sha384_finish_ctx (struct sha512_ctx
*ctx
, void *resbuf
)
175 sha512_conclude_ctx (ctx
);
176 return sha384_read_ctx (ctx
, resbuf
);
180 #ifdef GL_COMPILE_CRYPTO_STREAM
184 /* Compute message digest for bytes read from STREAM using algorithm ALG.
185 Write the message digest into RESBLOCK, which contains HASHLEN bytes.
186 The initial and finishing operations are INIT_CTX and FINISH_CTX.
187 Return zero if and only if successful. */
189 shaxxx_stream (FILE *stream
, char const *alg
, void *resblock
,
190 ssize_t hashlen
, void (*init_ctx
) (struct sha512_ctx
*),
191 void *(*finish_ctx
) (struct sha512_ctx
*, void *))
193 switch (afalg_stream (stream
, alg
, resblock
, hashlen
))
199 char *buffer
= malloc (BLOCKSIZE
+ 72);
203 struct sha512_ctx ctx
;
207 /* Iterate over full file contents. */
210 /* We read the file in blocks of BLOCKSIZE bytes. One call of the
211 computation function processes the whole buffer so that with the
212 next round of the loop another block can be read. */
216 /* Read block. Take care for partial reads. */
219 n
= fread (buffer
+ sum
, 1, BLOCKSIZE
- sum
, stream
);
223 if (sum
== BLOCKSIZE
)
228 /* Check for the error flag IFF N == 0, so that we don't
229 exit the loop after a partial read due to e.g., EAGAIN
236 goto process_partial_block
;
239 /* We've read at least one byte, so ignore errors. But always
240 check for EOF, since feof may be true even though N > 0.
241 Otherwise, we could end up calling fread after EOF. */
243 goto process_partial_block
;
246 /* Process buffer with BLOCKSIZE bytes. Note that
249 sha512_process_block (buffer
, BLOCKSIZE
, &ctx
);
252 process_partial_block
:;
254 /* Process any remaining bytes. */
256 sha512_process_bytes (buffer
, sum
, &ctx
);
258 /* Construct result in desired memory. */
259 finish_ctx (&ctx
, resblock
);
265 sha512_stream (FILE *stream
, void *resblock
)
267 return shaxxx_stream (stream
, "sha512", resblock
, SHA512_DIGEST_SIZE
,
268 sha512_init_ctx
, sha512_finish_ctx
);
272 sha384_stream (FILE *stream
, void *resblock
)
274 return shaxxx_stream (stream
, "sha384", resblock
, SHA384_DIGEST_SIZE
,
275 sha384_init_ctx
, sha384_finish_ctx
);
279 #if ! HAVE_OPENSSL_SHA512
280 /* Compute SHA512 message digest for LEN bytes beginning at BUFFER. The
281 result is always in little endian byte order, so that a byte-wise
282 output yields to the wanted ASCII representation of the message
285 sha512_buffer (const char *buffer
, size_t len
, void *resblock
)
287 struct sha512_ctx ctx
;
289 /* Initialize the computation context. */
290 sha512_init_ctx (&ctx
);
292 /* Process whole buffer but last len % 128 bytes. */
293 sha512_process_bytes (buffer
, len
, &ctx
);
295 /* Put result in desired memory area. */
296 return sha512_finish_ctx (&ctx
, resblock
);
300 sha384_buffer (const char *buffer
, size_t len
, void *resblock
)
302 struct sha512_ctx ctx
;
304 /* Initialize the computation context. */
305 sha384_init_ctx (&ctx
);
307 /* Process whole buffer but last len % 128 bytes. */
308 sha512_process_bytes (buffer
, len
, &ctx
);
310 /* Put result in desired memory area. */
311 return sha384_finish_ctx (&ctx
, resblock
);
315 sha512_process_bytes (const void *buffer
, size_t len
, struct sha512_ctx
*ctx
)
317 /* When we already have some bits in our internal buffer concatenate
318 both inputs first. */
319 if (ctx
->buflen
!= 0)
321 size_t left_over
= ctx
->buflen
;
322 size_t add
= 256 - left_over
> len
? len
: 256 - left_over
;
324 memcpy (&((char *) ctx
->buffer
)[left_over
], buffer
, add
);
327 if (ctx
->buflen
> 128)
329 sha512_process_block (ctx
->buffer
, ctx
->buflen
& ~127, ctx
);
332 /* The regions in the following copy operation cannot overlap,
333 because ctx->buflen < 128 ≤ (left_over + add) & ~127. */
335 &((char *) ctx
->buffer
)[(left_over
+ add
) & ~127],
339 buffer
= (const char *) buffer
+ add
;
343 /* Process available complete blocks. */
346 #if !(_STRING_ARCH_unaligned || _STRING_INLINE_unaligned)
347 # define UNALIGNED_P(p) ((uintptr_t) (p) % alignof (u64) != 0)
348 if (UNALIGNED_P (buffer
))
351 sha512_process_block (memcpy (ctx
->buffer
, buffer
, 128), 128, ctx
);
352 buffer
= (const char *) buffer
+ 128;
358 sha512_process_block (buffer
, len
& ~127, ctx
);
359 buffer
= (const char *) buffer
+ (len
& ~127);
364 /* Move remaining bytes in internal buffer. */
367 size_t left_over
= ctx
->buflen
;
369 memcpy (&((char *) ctx
->buffer
)[left_over
], buffer
, len
);
371 if (left_over
>= 128)
373 sha512_process_block (ctx
->buffer
, 128, ctx
);
375 /* The regions in the following copy operation cannot overlap,
376 because left_over ≤ 128. */
377 memcpy (ctx
->buffer
, &ctx
->buffer
[16], left_over
);
379 ctx
->buflen
= left_over
;
383 /* --- Code below is the primary difference between sha1.c and sha512.c --- */
385 /* SHA512 round constants */
386 #define K(I) sha512_round_constants[I]
387 static u64
const sha512_round_constants
[80] = {
388 u64init (0x428a2f98, 0xd728ae22), u64init (0x71374491, 0x23ef65cd),
389 u64init (0xb5c0fbcf, 0xec4d3b2f), u64init (0xe9b5dba5, 0x8189dbbc),
390 u64init (0x3956c25b, 0xf348b538), u64init (0x59f111f1, 0xb605d019),
391 u64init (0x923f82a4, 0xaf194f9b), u64init (0xab1c5ed5, 0xda6d8118),
392 u64init (0xd807aa98, 0xa3030242), u64init (0x12835b01, 0x45706fbe),
393 u64init (0x243185be, 0x4ee4b28c), u64init (0x550c7dc3, 0xd5ffb4e2),
394 u64init (0x72be5d74, 0xf27b896f), u64init (0x80deb1fe, 0x3b1696b1),
395 u64init (0x9bdc06a7, 0x25c71235), u64init (0xc19bf174, 0xcf692694),
396 u64init (0xe49b69c1, 0x9ef14ad2), u64init (0xefbe4786, 0x384f25e3),
397 u64init (0x0fc19dc6, 0x8b8cd5b5), u64init (0x240ca1cc, 0x77ac9c65),
398 u64init (0x2de92c6f, 0x592b0275), u64init (0x4a7484aa, 0x6ea6e483),
399 u64init (0x5cb0a9dc, 0xbd41fbd4), u64init (0x76f988da, 0x831153b5),
400 u64init (0x983e5152, 0xee66dfab), u64init (0xa831c66d, 0x2db43210),
401 u64init (0xb00327c8, 0x98fb213f), u64init (0xbf597fc7, 0xbeef0ee4),
402 u64init (0xc6e00bf3, 0x3da88fc2), u64init (0xd5a79147, 0x930aa725),
403 u64init (0x06ca6351, 0xe003826f), u64init (0x14292967, 0x0a0e6e70),
404 u64init (0x27b70a85, 0x46d22ffc), u64init (0x2e1b2138, 0x5c26c926),
405 u64init (0x4d2c6dfc, 0x5ac42aed), u64init (0x53380d13, 0x9d95b3df),
406 u64init (0x650a7354, 0x8baf63de), u64init (0x766a0abb, 0x3c77b2a8),
407 u64init (0x81c2c92e, 0x47edaee6), u64init (0x92722c85, 0x1482353b),
408 u64init (0xa2bfe8a1, 0x4cf10364), u64init (0xa81a664b, 0xbc423001),
409 u64init (0xc24b8b70, 0xd0f89791), u64init (0xc76c51a3, 0x0654be30),
410 u64init (0xd192e819, 0xd6ef5218), u64init (0xd6990624, 0x5565a910),
411 u64init (0xf40e3585, 0x5771202a), u64init (0x106aa070, 0x32bbd1b8),
412 u64init (0x19a4c116, 0xb8d2d0c8), u64init (0x1e376c08, 0x5141ab53),
413 u64init (0x2748774c, 0xdf8eeb99), u64init (0x34b0bcb5, 0xe19b48a8),
414 u64init (0x391c0cb3, 0xc5c95a63), u64init (0x4ed8aa4a, 0xe3418acb),
415 u64init (0x5b9cca4f, 0x7763e373), u64init (0x682e6ff3, 0xd6b2b8a3),
416 u64init (0x748f82ee, 0x5defb2fc), u64init (0x78a5636f, 0x43172f60),
417 u64init (0x84c87814, 0xa1f0ab72), u64init (0x8cc70208, 0x1a6439ec),
418 u64init (0x90befffa, 0x23631e28), u64init (0xa4506ceb, 0xde82bde9),
419 u64init (0xbef9a3f7, 0xb2c67915), u64init (0xc67178f2, 0xe372532b),
420 u64init (0xca273ece, 0xea26619c), u64init (0xd186b8c7, 0x21c0c207),
421 u64init (0xeada7dd6, 0xcde0eb1e), u64init (0xf57d4f7f, 0xee6ed178),
422 u64init (0x06f067aa, 0x72176fba), u64init (0x0a637dc5, 0xa2c898a6),
423 u64init (0x113f9804, 0xbef90dae), u64init (0x1b710b35, 0x131c471b),
424 u64init (0x28db77f5, 0x23047d84), u64init (0x32caab7b, 0x40c72493),
425 u64init (0x3c9ebe0a, 0x15c9bebc), u64init (0x431d67c4, 0x9c100d4c),
426 u64init (0x4cc5d4be, 0xcb3e42b6), u64init (0x597f299c, 0xfc657e2a),
427 u64init (0x5fcb6fab, 0x3ad6faec), u64init (0x6c44198c, 0x4a475817),
430 /* Round functions. */
431 #define F2(A, B, C) u64or (u64and (A, B), u64and (C, u64or (A, B)))
432 #define F1(E, F, G) u64xor (G, u64and (E, u64xor (F, G)))
434 /* Process LEN bytes of BUFFER, accumulating context into CTX.
435 It is assumed that LEN % 128 == 0.
436 Most of this code comes from GnuPG's cipher/sha1.c. */
439 sha512_process_block (const void *buffer
, size_t len
, struct sha512_ctx
*ctx
)
441 u64
const *words
= buffer
;
442 u64
const *endp
= words
+ len
/ sizeof (u64
);
444 u64 a
= ctx
->state
[0];
445 u64 b
= ctx
->state
[1];
446 u64 c
= ctx
->state
[2];
447 u64 d
= ctx
->state
[3];
448 u64 e
= ctx
->state
[4];
449 u64 f
= ctx
->state
[5];
450 u64 g
= ctx
->state
[6];
451 u64 h
= ctx
->state
[7];
452 u64 lolen
= u64size (len
);
454 /* First increment the byte count. FIPS PUB 180-2 specifies the possible
455 length of the file up to 2^128 bits. Here we only compute the
456 number of bytes. Do a double word increment. */
457 ctx
->total
[0] = u64plus (ctx
->total
[0], lolen
);
458 ctx
->total
[1] = u64plus (ctx
->total
[1],
459 u64plus (u64size (len
>> 31 >> 31 >> 2),
460 u64lo (u64lt (ctx
->total
[0], lolen
))));
462 #define S0(x) u64xor (u64rol(x, 63), u64xor (u64rol (x, 56), u64shr (x, 7)))
463 #define S1(x) u64xor (u64rol (x, 45), u64xor (u64rol (x, 3), u64shr (x, 6)))
464 #define SS0(x) u64xor (u64rol (x, 36), u64xor (u64rol (x, 30), u64rol (x, 25)))
465 #define SS1(x) u64xor (u64rol(x, 50), u64xor (u64rol (x, 46), u64rol (x, 23)))
467 #define M(I) (x[(I) & 15] \
468 = u64plus (x[(I) & 15], \
469 u64plus (S1 (x[((I) - 2) & 15]), \
470 u64plus (x[((I) - 7) & 15], \
471 S0 (x[((I) - 15) & 15])))))
473 #define R(A, B, C, D, E, F, G, H, K, M) \
476 u64 t0 = u64plus (SS0 (A), F2 (A, B, C)); \
478 u64plus (H, u64plus (SS1 (E), \
479 u64plus (F1 (E, F, G), u64plus (K, M)))); \
480 D = u64plus (D, t1); \
481 H = u64plus (t0, t1); \
488 /* FIXME: see sha1.c for a better implementation. */
489 for (t
= 0; t
< 16; t
++)
491 x
[t
] = SWAP (*words
);
495 R( a
, b
, c
, d
, e
, f
, g
, h
, K( 0), x
[ 0] );
496 R( h
, a
, b
, c
, d
, e
, f
, g
, K( 1), x
[ 1] );
497 R( g
, h
, a
, b
, c
, d
, e
, f
, K( 2), x
[ 2] );
498 R( f
, g
, h
, a
, b
, c
, d
, e
, K( 3), x
[ 3] );
499 R( e
, f
, g
, h
, a
, b
, c
, d
, K( 4), x
[ 4] );
500 R( d
, e
, f
, g
, h
, a
, b
, c
, K( 5), x
[ 5] );
501 R( c
, d
, e
, f
, g
, h
, a
, b
, K( 6), x
[ 6] );
502 R( b
, c
, d
, e
, f
, g
, h
, a
, K( 7), x
[ 7] );
503 R( a
, b
, c
, d
, e
, f
, g
, h
, K( 8), x
[ 8] );
504 R( h
, a
, b
, c
, d
, e
, f
, g
, K( 9), x
[ 9] );
505 R( g
, h
, a
, b
, c
, d
, e
, f
, K(10), x
[10] );
506 R( f
, g
, h
, a
, b
, c
, d
, e
, K(11), x
[11] );
507 R( e
, f
, g
, h
, a
, b
, c
, d
, K(12), x
[12] );
508 R( d
, e
, f
, g
, h
, a
, b
, c
, K(13), x
[13] );
509 R( c
, d
, e
, f
, g
, h
, a
, b
, K(14), x
[14] );
510 R( b
, c
, d
, e
, f
, g
, h
, a
, K(15), x
[15] );
511 R( a
, b
, c
, d
, e
, f
, g
, h
, K(16), M(16) );
512 R( h
, a
, b
, c
, d
, e
, f
, g
, K(17), M(17) );
513 R( g
, h
, a
, b
, c
, d
, e
, f
, K(18), M(18) );
514 R( f
, g
, h
, a
, b
, c
, d
, e
, K(19), M(19) );
515 R( e
, f
, g
, h
, a
, b
, c
, d
, K(20), M(20) );
516 R( d
, e
, f
, g
, h
, a
, b
, c
, K(21), M(21) );
517 R( c
, d
, e
, f
, g
, h
, a
, b
, K(22), M(22) );
518 R( b
, c
, d
, e
, f
, g
, h
, a
, K(23), M(23) );
519 R( a
, b
, c
, d
, e
, f
, g
, h
, K(24), M(24) );
520 R( h
, a
, b
, c
, d
, e
, f
, g
, K(25), M(25) );
521 R( g
, h
, a
, b
, c
, d
, e
, f
, K(26), M(26) );
522 R( f
, g
, h
, a
, b
, c
, d
, e
, K(27), M(27) );
523 R( e
, f
, g
, h
, a
, b
, c
, d
, K(28), M(28) );
524 R( d
, e
, f
, g
, h
, a
, b
, c
, K(29), M(29) );
525 R( c
, d
, e
, f
, g
, h
, a
, b
, K(30), M(30) );
526 R( b
, c
, d
, e
, f
, g
, h
, a
, K(31), M(31) );
527 R( a
, b
, c
, d
, e
, f
, g
, h
, K(32), M(32) );
528 R( h
, a
, b
, c
, d
, e
, f
, g
, K(33), M(33) );
529 R( g
, h
, a
, b
, c
, d
, e
, f
, K(34), M(34) );
530 R( f
, g
, h
, a
, b
, c
, d
, e
, K(35), M(35) );
531 R( e
, f
, g
, h
, a
, b
, c
, d
, K(36), M(36) );
532 R( d
, e
, f
, g
, h
, a
, b
, c
, K(37), M(37) );
533 R( c
, d
, e
, f
, g
, h
, a
, b
, K(38), M(38) );
534 R( b
, c
, d
, e
, f
, g
, h
, a
, K(39), M(39) );
535 R( a
, b
, c
, d
, e
, f
, g
, h
, K(40), M(40) );
536 R( h
, a
, b
, c
, d
, e
, f
, g
, K(41), M(41) );
537 R( g
, h
, a
, b
, c
, d
, e
, f
, K(42), M(42) );
538 R( f
, g
, h
, a
, b
, c
, d
, e
, K(43), M(43) );
539 R( e
, f
, g
, h
, a
, b
, c
, d
, K(44), M(44) );
540 R( d
, e
, f
, g
, h
, a
, b
, c
, K(45), M(45) );
541 R( c
, d
, e
, f
, g
, h
, a
, b
, K(46), M(46) );
542 R( b
, c
, d
, e
, f
, g
, h
, a
, K(47), M(47) );
543 R( a
, b
, c
, d
, e
, f
, g
, h
, K(48), M(48) );
544 R( h
, a
, b
, c
, d
, e
, f
, g
, K(49), M(49) );
545 R( g
, h
, a
, b
, c
, d
, e
, f
, K(50), M(50) );
546 R( f
, g
, h
, a
, b
, c
, d
, e
, K(51), M(51) );
547 R( e
, f
, g
, h
, a
, b
, c
, d
, K(52), M(52) );
548 R( d
, e
, f
, g
, h
, a
, b
, c
, K(53), M(53) );
549 R( c
, d
, e
, f
, g
, h
, a
, b
, K(54), M(54) );
550 R( b
, c
, d
, e
, f
, g
, h
, a
, K(55), M(55) );
551 R( a
, b
, c
, d
, e
, f
, g
, h
, K(56), M(56) );
552 R( h
, a
, b
, c
, d
, e
, f
, g
, K(57), M(57) );
553 R( g
, h
, a
, b
, c
, d
, e
, f
, K(58), M(58) );
554 R( f
, g
, h
, a
, b
, c
, d
, e
, K(59), M(59) );
555 R( e
, f
, g
, h
, a
, b
, c
, d
, K(60), M(60) );
556 R( d
, e
, f
, g
, h
, a
, b
, c
, K(61), M(61) );
557 R( c
, d
, e
, f
, g
, h
, a
, b
, K(62), M(62) );
558 R( b
, c
, d
, e
, f
, g
, h
, a
, K(63), M(63) );
559 R( a
, b
, c
, d
, e
, f
, g
, h
, K(64), M(64) );
560 R( h
, a
, b
, c
, d
, e
, f
, g
, K(65), M(65) );
561 R( g
, h
, a
, b
, c
, d
, e
, f
, K(66), M(66) );
562 R( f
, g
, h
, a
, b
, c
, d
, e
, K(67), M(67) );
563 R( e
, f
, g
, h
, a
, b
, c
, d
, K(68), M(68) );
564 R( d
, e
, f
, g
, h
, a
, b
, c
, K(69), M(69) );
565 R( c
, d
, e
, f
, g
, h
, a
, b
, K(70), M(70) );
566 R( b
, c
, d
, e
, f
, g
, h
, a
, K(71), M(71) );
567 R( a
, b
, c
, d
, e
, f
, g
, h
, K(72), M(72) );
568 R( h
, a
, b
, c
, d
, e
, f
, g
, K(73), M(73) );
569 R( g
, h
, a
, b
, c
, d
, e
, f
, K(74), M(74) );
570 R( f
, g
, h
, a
, b
, c
, d
, e
, K(75), M(75) );
571 R( e
, f
, g
, h
, a
, b
, c
, d
, K(76), M(76) );
572 R( d
, e
, f
, g
, h
, a
, b
, c
, K(77), M(77) );
573 R( c
, d
, e
, f
, g
, h
, a
, b
, K(78), M(78) );
574 R( b
, c
, d
, e
, f
, g
, h
, a
, K(79), M(79) );
576 a
= ctx
->state
[0] = u64plus (ctx
->state
[0], a
);
577 b
= ctx
->state
[1] = u64plus (ctx
->state
[1], b
);
578 c
= ctx
->state
[2] = u64plus (ctx
->state
[2], c
);
579 d
= ctx
->state
[3] = u64plus (ctx
->state
[3], d
);
580 e
= ctx
->state
[4] = u64plus (ctx
->state
[4], e
);
581 f
= ctx
->state
[5] = u64plus (ctx
->state
[5], f
);
582 g
= ctx
->state
[6] = u64plus (ctx
->state
[6], g
);
583 h
= ctx
->state
[7] = u64plus (ctx
->state
[7], h
);