Commit | Line | Data |
---|---|---|
3ce9d0d4 LL |
1 | /* sha256.c - Functions to compute SHA256 and SHA224 message digest of files or |
2 | memory blocks according to the NIST specification FIPS-180-2. | |
3 | ||
ba318903 | 4 | Copyright (C) 2005-2006, 2008-2014 Free Software Foundation, Inc. |
3ce9d0d4 LL |
5 | |
6 | This program is free software: you can redistribute it and/or modify | |
7 | it under the terms of the GNU General Public License as published by | |
8 | the Free Software Foundation, either version 3 of the License, or | |
9 | (at your option) any later version. | |
10 | ||
11 | This program is distributed in the hope that it will be useful, | |
12 | but WITHOUT ANY WARRANTY; without even the implied warranty of | |
13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
14 | GNU General Public License for more details. | |
15 | ||
16 | You should have received a copy of the GNU General Public License | |
17 | along with this program. If not, see <http://www.gnu.org/licenses/>. */ | |
18 | ||
19 | /* Written by David Madore, considerably copypasting from | |
20 | Scott G. Miller's sha1.c | |
21 | */ | |
22 | ||
23 | #include <config.h> | |
24 | ||
e9551b12 PE |
25 | #if HAVE_OPENSSL_SHA256 |
26 | # define GL_OPENSSL_INLINE _GL_EXTERN_INLINE | |
27 | #endif | |
3ce9d0d4 LL |
28 | #include "sha256.h" |
29 | ||
caf8a9b2 PE |
30 | #include <stdalign.h> |
31 | #include <stdint.h> | |
3ce9d0d4 LL |
32 | #include <stdlib.h> |
33 | #include <string.h> | |
34 | ||
35 | #if USE_UNLOCKED_IO | |
36 | # include "unlocked-io.h" | |
37 | #endif | |
38 | ||
39 | #ifdef WORDS_BIGENDIAN | |
40 | # define SWAP(n) (n) | |
41 | #else | |
42 | # define SWAP(n) \ | |
43 | (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24)) | |
44 | #endif | |
45 | ||
46 | #define BLOCKSIZE 32768 | |
47 | #if BLOCKSIZE % 64 != 0 | |
48 | # error "invalid BLOCKSIZE" | |
49 | #endif | |
50 | ||
e9551b12 | 51 | #if ! HAVE_OPENSSL_SHA256 |
3ce9d0d4 LL |
52 | /* This array contains the bytes used to pad the buffer to the next |
53 | 64-byte boundary. */ | |
54 | static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ }; | |
55 | ||
56 | ||
57 | /* | |
58 | Takes a pointer to a 256 bit block of data (eight 32 bit ints) and | |
cd1181db | 59 | initializes it to the start constants of the SHA256 algorithm. This |
3ce9d0d4 LL |
60 | must be called before using hash in the call to sha256_hash |
61 | */ | |
62 | void | |
63 | sha256_init_ctx (struct sha256_ctx *ctx) | |
64 | { | |
65 | ctx->state[0] = 0x6a09e667UL; | |
66 | ctx->state[1] = 0xbb67ae85UL; | |
67 | ctx->state[2] = 0x3c6ef372UL; | |
68 | ctx->state[3] = 0xa54ff53aUL; | |
69 | ctx->state[4] = 0x510e527fUL; | |
70 | ctx->state[5] = 0x9b05688cUL; | |
71 | ctx->state[6] = 0x1f83d9abUL; | |
72 | ctx->state[7] = 0x5be0cd19UL; | |
73 | ||
74 | ctx->total[0] = ctx->total[1] = 0; | |
75 | ctx->buflen = 0; | |
76 | } | |
77 | ||
78 | void | |
79 | sha224_init_ctx (struct sha256_ctx *ctx) | |
80 | { | |
81 | ctx->state[0] = 0xc1059ed8UL; | |
82 | ctx->state[1] = 0x367cd507UL; | |
83 | ctx->state[2] = 0x3070dd17UL; | |
84 | ctx->state[3] = 0xf70e5939UL; | |
85 | ctx->state[4] = 0xffc00b31UL; | |
86 | ctx->state[5] = 0x68581511UL; | |
87 | ctx->state[6] = 0x64f98fa7UL; | |
88 | ctx->state[7] = 0xbefa4fa4UL; | |
89 | ||
90 | ctx->total[0] = ctx->total[1] = 0; | |
91 | ctx->buflen = 0; | |
92 | } | |
93 | ||
94 | /* Copy the value from v into the memory location pointed to by *cp, | |
95 | If your architecture allows unaligned access this is equivalent to | |
96 | * (uint32_t *) cp = v */ | |
f64898ab | 97 | static void |
3ce9d0d4 LL |
98 | set_uint32 (char *cp, uint32_t v) |
99 | { | |
100 | memcpy (cp, &v, sizeof v); | |
101 | } | |
102 | ||
103 | /* Put result from CTX in first 32 bytes following RESBUF. The result | |
104 | must be in little endian byte order. */ | |
105 | void * | |
106 | sha256_read_ctx (const struct sha256_ctx *ctx, void *resbuf) | |
107 | { | |
108 | int i; | |
109 | char *r = resbuf; | |
110 | ||
111 | for (i = 0; i < 8; i++) | |
112 | set_uint32 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i])); | |
113 | ||
114 | return resbuf; | |
115 | } | |
116 | ||
117 | void * | |
118 | sha224_read_ctx (const struct sha256_ctx *ctx, void *resbuf) | |
119 | { | |
120 | int i; | |
121 | char *r = resbuf; | |
122 | ||
123 | for (i = 0; i < 7; i++) | |
124 | set_uint32 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i])); | |
125 | ||
126 | return resbuf; | |
127 | } | |
128 | ||
129 | /* Process the remaining bytes in the internal buffer and the usual | |
130 | prolog according to the standard and write the result to RESBUF. */ | |
131 | static void | |
132 | sha256_conclude_ctx (struct sha256_ctx *ctx) | |
133 | { | |
134 | /* Take yet unprocessed bytes into account. */ | |
135 | size_t bytes = ctx->buflen; | |
136 | size_t size = (bytes < 56) ? 64 / 4 : 64 * 2 / 4; | |
137 | ||
138 | /* Now count remaining bytes. */ | |
139 | ctx->total[0] += bytes; | |
140 | if (ctx->total[0] < bytes) | |
141 | ++ctx->total[1]; | |
142 | ||
143 | /* Put the 64-bit file length in *bits* at the end of the buffer. | |
144 | Use set_uint32 rather than a simple assignment, to avoid risk of | |
145 | unaligned access. */ | |
146 | set_uint32 ((char *) &ctx->buffer[size - 2], | |
147 | SWAP ((ctx->total[1] << 3) | (ctx->total[0] >> 29))); | |
148 | set_uint32 ((char *) &ctx->buffer[size - 1], | |
149 | SWAP (ctx->total[0] << 3)); | |
150 | ||
151 | memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 4 - bytes); | |
152 | ||
153 | /* Process last bytes. */ | |
154 | sha256_process_block (ctx->buffer, size * 4, ctx); | |
155 | } | |
156 | ||
157 | void * | |
158 | sha256_finish_ctx (struct sha256_ctx *ctx, void *resbuf) | |
159 | { | |
160 | sha256_conclude_ctx (ctx); | |
161 | return sha256_read_ctx (ctx, resbuf); | |
162 | } | |
163 | ||
164 | void * | |
165 | sha224_finish_ctx (struct sha256_ctx *ctx, void *resbuf) | |
166 | { | |
167 | sha256_conclude_ctx (ctx); | |
168 | return sha224_read_ctx (ctx, resbuf); | |
169 | } | |
e9551b12 | 170 | #endif |
3ce9d0d4 LL |
171 | |
172 | /* Compute SHA256 message digest for bytes read from STREAM. The | |
173 | resulting message digest number will be written into the 32 bytes | |
174 | beginning at RESBLOCK. */ | |
175 | int | |
176 | sha256_stream (FILE *stream, void *resblock) | |
177 | { | |
178 | struct sha256_ctx ctx; | |
179 | size_t sum; | |
180 | ||
181 | char *buffer = malloc (BLOCKSIZE + 72); | |
182 | if (!buffer) | |
183 | return 1; | |
184 | ||
185 | /* Initialize the computation context. */ | |
186 | sha256_init_ctx (&ctx); | |
187 | ||
188 | /* Iterate over full file contents. */ | |
189 | while (1) | |
190 | { | |
191 | /* We read the file in blocks of BLOCKSIZE bytes. One call of the | |
192 | computation function processes the whole buffer so that with the | |
193 | next round of the loop another block can be read. */ | |
194 | size_t n; | |
195 | sum = 0; | |
196 | ||
197 | /* Read block. Take care for partial reads. */ | |
198 | while (1) | |
199 | { | |
200 | n = fread (buffer + sum, 1, BLOCKSIZE - sum, stream); | |
201 | ||
202 | sum += n; | |
203 | ||
204 | if (sum == BLOCKSIZE) | |
205 | break; | |
206 | ||
207 | if (n == 0) | |
208 | { | |
209 | /* Check for the error flag IFF N == 0, so that we don't | |
210 | exit the loop after a partial read due to e.g., EAGAIN | |
211 | or EWOULDBLOCK. */ | |
212 | if (ferror (stream)) | |
213 | { | |
214 | free (buffer); | |
215 | return 1; | |
216 | } | |
217 | goto process_partial_block; | |
218 | } | |
219 | ||
220 | /* We've read at least one byte, so ignore errors. But always | |
221 | check for EOF, since feof may be true even though N > 0. | |
222 | Otherwise, we could end up calling fread after EOF. */ | |
223 | if (feof (stream)) | |
224 | goto process_partial_block; | |
225 | } | |
226 | ||
227 | /* Process buffer with BLOCKSIZE bytes. Note that | |
228 | BLOCKSIZE % 64 == 0 | |
229 | */ | |
230 | sha256_process_block (buffer, BLOCKSIZE, &ctx); | |
231 | } | |
232 | ||
233 | process_partial_block:; | |
234 | ||
235 | /* Process any remaining bytes. */ | |
236 | if (sum > 0) | |
237 | sha256_process_bytes (buffer, sum, &ctx); | |
238 | ||
239 | /* Construct result in desired memory. */ | |
240 | sha256_finish_ctx (&ctx, resblock); | |
241 | free (buffer); | |
242 | return 0; | |
243 | } | |
244 | ||
245 | /* FIXME: Avoid code duplication */ | |
246 | int | |
247 | sha224_stream (FILE *stream, void *resblock) | |
248 | { | |
249 | struct sha256_ctx ctx; | |
250 | size_t sum; | |
251 | ||
252 | char *buffer = malloc (BLOCKSIZE + 72); | |
253 | if (!buffer) | |
254 | return 1; | |
255 | ||
256 | /* Initialize the computation context. */ | |
257 | sha224_init_ctx (&ctx); | |
258 | ||
259 | /* Iterate over full file contents. */ | |
260 | while (1) | |
261 | { | |
262 | /* We read the file in blocks of BLOCKSIZE bytes. One call of the | |
263 | computation function processes the whole buffer so that with the | |
264 | next round of the loop another block can be read. */ | |
265 | size_t n; | |
266 | sum = 0; | |
267 | ||
268 | /* Read block. Take care for partial reads. */ | |
269 | while (1) | |
270 | { | |
271 | n = fread (buffer + sum, 1, BLOCKSIZE - sum, stream); | |
272 | ||
273 | sum += n; | |
274 | ||
275 | if (sum == BLOCKSIZE) | |
276 | break; | |
277 | ||
278 | if (n == 0) | |
279 | { | |
280 | /* Check for the error flag IFF N == 0, so that we don't | |
281 | exit the loop after a partial read due to e.g., EAGAIN | |
282 | or EWOULDBLOCK. */ | |
283 | if (ferror (stream)) | |
284 | { | |
285 | free (buffer); | |
286 | return 1; | |
287 | } | |
288 | goto process_partial_block; | |
289 | } | |
290 | ||
291 | /* We've read at least one byte, so ignore errors. But always | |
292 | check for EOF, since feof may be true even though N > 0. | |
293 | Otherwise, we could end up calling fread after EOF. */ | |
294 | if (feof (stream)) | |
295 | goto process_partial_block; | |
296 | } | |
297 | ||
298 | /* Process buffer with BLOCKSIZE bytes. Note that | |
299 | BLOCKSIZE % 64 == 0 | |
300 | */ | |
301 | sha256_process_block (buffer, BLOCKSIZE, &ctx); | |
302 | } | |
303 | ||
304 | process_partial_block:; | |
305 | ||
306 | /* Process any remaining bytes. */ | |
307 | if (sum > 0) | |
308 | sha256_process_bytes (buffer, sum, &ctx); | |
309 | ||
310 | /* Construct result in desired memory. */ | |
311 | sha224_finish_ctx (&ctx, resblock); | |
312 | free (buffer); | |
313 | return 0; | |
314 | } | |
315 | ||
e9551b12 | 316 | #if ! HAVE_OPENSSL_SHA256 |
3ce9d0d4 LL |
317 | /* Compute SHA512 message digest for LEN bytes beginning at BUFFER. The |
318 | result is always in little endian byte order, so that a byte-wise | |
319 | output yields to the wanted ASCII representation of the message | |
320 | digest. */ | |
321 | void * | |
322 | sha256_buffer (const char *buffer, size_t len, void *resblock) | |
323 | { | |
324 | struct sha256_ctx ctx; | |
325 | ||
326 | /* Initialize the computation context. */ | |
327 | sha256_init_ctx (&ctx); | |
328 | ||
329 | /* Process whole buffer but last len % 64 bytes. */ | |
330 | sha256_process_bytes (buffer, len, &ctx); | |
331 | ||
332 | /* Put result in desired memory area. */ | |
333 | return sha256_finish_ctx (&ctx, resblock); | |
334 | } | |
335 | ||
336 | void * | |
337 | sha224_buffer (const char *buffer, size_t len, void *resblock) | |
338 | { | |
339 | struct sha256_ctx ctx; | |
340 | ||
341 | /* Initialize the computation context. */ | |
342 | sha224_init_ctx (&ctx); | |
343 | ||
344 | /* Process whole buffer but last len % 64 bytes. */ | |
345 | sha256_process_bytes (buffer, len, &ctx); | |
346 | ||
347 | /* Put result in desired memory area. */ | |
348 | return sha224_finish_ctx (&ctx, resblock); | |
349 | } | |
350 | ||
351 | void | |
352 | sha256_process_bytes (const void *buffer, size_t len, struct sha256_ctx *ctx) | |
353 | { | |
354 | /* When we already have some bits in our internal buffer concatenate | |
355 | both inputs first. */ | |
356 | if (ctx->buflen != 0) | |
357 | { | |
358 | size_t left_over = ctx->buflen; | |
359 | size_t add = 128 - left_over > len ? len : 128 - left_over; | |
360 | ||
361 | memcpy (&((char *) ctx->buffer)[left_over], buffer, add); | |
362 | ctx->buflen += add; | |
363 | ||
364 | if (ctx->buflen > 64) | |
365 | { | |
366 | sha256_process_block (ctx->buffer, ctx->buflen & ~63, ctx); | |
367 | ||
368 | ctx->buflen &= 63; | |
369 | /* The regions in the following copy operation cannot overlap. */ | |
370 | memcpy (ctx->buffer, | |
371 | &((char *) ctx->buffer)[(left_over + add) & ~63], | |
372 | ctx->buflen); | |
373 | } | |
374 | ||
375 | buffer = (const char *) buffer + add; | |
376 | len -= add; | |
377 | } | |
378 | ||
379 | /* Process available complete blocks. */ | |
380 | if (len >= 64) | |
381 | { | |
382 | #if !_STRING_ARCH_unaligned | |
caf8a9b2 | 383 | # define UNALIGNED_P(p) ((uintptr_t) (p) % alignof (uint32_t) != 0) |
3ce9d0d4 LL |
384 | if (UNALIGNED_P (buffer)) |
385 | while (len > 64) | |
386 | { | |
387 | sha256_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx); | |
388 | buffer = (const char *) buffer + 64; | |
389 | len -= 64; | |
390 | } | |
391 | else | |
392 | #endif | |
393 | { | |
394 | sha256_process_block (buffer, len & ~63, ctx); | |
395 | buffer = (const char *) buffer + (len & ~63); | |
396 | len &= 63; | |
397 | } | |
398 | } | |
399 | ||
400 | /* Move remaining bytes in internal buffer. */ | |
401 | if (len > 0) | |
402 | { | |
403 | size_t left_over = ctx->buflen; | |
404 | ||
405 | memcpy (&((char *) ctx->buffer)[left_over], buffer, len); | |
406 | left_over += len; | |
407 | if (left_over >= 64) | |
408 | { | |
409 | sha256_process_block (ctx->buffer, 64, ctx); | |
410 | left_over -= 64; | |
411 | memcpy (ctx->buffer, &ctx->buffer[16], left_over); | |
412 | } | |
413 | ctx->buflen = left_over; | |
414 | } | |
415 | } | |
416 | ||
417 | /* --- Code below is the primary difference between sha1.c and sha256.c --- */ | |
418 | ||
419 | /* SHA256 round constants */ | |
420 | #define K(I) sha256_round_constants[I] | |
421 | static const uint32_t sha256_round_constants[64] = { | |
422 | 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, | |
423 | 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, | |
424 | 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, | |
425 | 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, | |
426 | 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, | |
427 | 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, | |
428 | 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, | |
429 | 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, | |
430 | 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, | |
431 | 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, | |
432 | 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, | |
433 | 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, | |
434 | 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, | |
435 | 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, | |
436 | 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, | |
437 | 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL, | |
438 | }; | |
439 | ||
440 | /* Round functions. */ | |
441 | #define F2(A,B,C) ( ( A & B ) | ( C & ( A | B ) ) ) | |
442 | #define F1(E,F,G) ( G ^ ( E & ( F ^ G ) ) ) | |
443 | ||
444 | /* Process LEN bytes of BUFFER, accumulating context into CTX. | |
445 | It is assumed that LEN % 64 == 0. | |
446 | Most of this code comes from GnuPG's cipher/sha1.c. */ | |
447 | ||
448 | void | |
449 | sha256_process_block (const void *buffer, size_t len, struct sha256_ctx *ctx) | |
450 | { | |
451 | const uint32_t *words = buffer; | |
452 | size_t nwords = len / sizeof (uint32_t); | |
453 | const uint32_t *endp = words + nwords; | |
454 | uint32_t x[16]; | |
455 | uint32_t a = ctx->state[0]; | |
456 | uint32_t b = ctx->state[1]; | |
457 | uint32_t c = ctx->state[2]; | |
458 | uint32_t d = ctx->state[3]; | |
459 | uint32_t e = ctx->state[4]; | |
460 | uint32_t f = ctx->state[5]; | |
461 | uint32_t g = ctx->state[6]; | |
462 | uint32_t h = ctx->state[7]; | |
caf8a9b2 | 463 | uint32_t lolen = len; |
3ce9d0d4 LL |
464 | |
465 | /* First increment the byte count. FIPS PUB 180-2 specifies the possible | |
466 | length of the file up to 2^64 bits. Here we only compute the | |
467 | number of bytes. Do a double word increment. */ | |
caf8a9b2 PE |
468 | ctx->total[0] += lolen; |
469 | ctx->total[1] += (len >> 31 >> 1) + (ctx->total[0] < lolen); | |
3ce9d0d4 LL |
470 | |
471 | #define rol(x, n) (((x) << (n)) | ((x) >> (32 - (n)))) | |
472 | #define S0(x) (rol(x,25)^rol(x,14)^(x>>3)) | |
473 | #define S1(x) (rol(x,15)^rol(x,13)^(x>>10)) | |
474 | #define SS0(x) (rol(x,30)^rol(x,19)^rol(x,10)) | |
475 | #define SS1(x) (rol(x,26)^rol(x,21)^rol(x,7)) | |
476 | ||
477 | #define M(I) ( tm = S1(x[(I-2)&0x0f]) + x[(I-7)&0x0f] \ | |
478 | + S0(x[(I-15)&0x0f]) + x[I&0x0f] \ | |
479 | , x[I&0x0f] = tm ) | |
480 | ||
481 | #define R(A,B,C,D,E,F,G,H,K,M) do { t0 = SS0(A) + F2(A,B,C); \ | |
482 | t1 = H + SS1(E) \ | |
483 | + F1(E,F,G) \ | |
484 | + K \ | |
485 | + M; \ | |
486 | D += t1; H = t0 + t1; \ | |
487 | } while(0) | |
488 | ||
489 | while (words < endp) | |
490 | { | |
491 | uint32_t tm; | |
492 | uint32_t t0, t1; | |
493 | int t; | |
494 | /* FIXME: see sha1.c for a better implementation. */ | |
495 | for (t = 0; t < 16; t++) | |
496 | { | |
497 | x[t] = SWAP (*words); | |
498 | words++; | |
499 | } | |
500 | ||
501 | R( a, b, c, d, e, f, g, h, K( 0), x[ 0] ); | |
502 | R( h, a, b, c, d, e, f, g, K( 1), x[ 1] ); | |
503 | R( g, h, a, b, c, d, e, f, K( 2), x[ 2] ); | |
504 | R( f, g, h, a, b, c, d, e, K( 3), x[ 3] ); | |
505 | R( e, f, g, h, a, b, c, d, K( 4), x[ 4] ); | |
506 | R( d, e, f, g, h, a, b, c, K( 5), x[ 5] ); | |
507 | R( c, d, e, f, g, h, a, b, K( 6), x[ 6] ); | |
508 | R( b, c, d, e, f, g, h, a, K( 7), x[ 7] ); | |
509 | R( a, b, c, d, e, f, g, h, K( 8), x[ 8] ); | |
510 | R( h, a, b, c, d, e, f, g, K( 9), x[ 9] ); | |
511 | R( g, h, a, b, c, d, e, f, K(10), x[10] ); | |
512 | R( f, g, h, a, b, c, d, e, K(11), x[11] ); | |
513 | R( e, f, g, h, a, b, c, d, K(12), x[12] ); | |
514 | R( d, e, f, g, h, a, b, c, K(13), x[13] ); | |
515 | R( c, d, e, f, g, h, a, b, K(14), x[14] ); | |
516 | R( b, c, d, e, f, g, h, a, K(15), x[15] ); | |
517 | R( a, b, c, d, e, f, g, h, K(16), M(16) ); | |
518 | R( h, a, b, c, d, e, f, g, K(17), M(17) ); | |
519 | R( g, h, a, b, c, d, e, f, K(18), M(18) ); | |
520 | R( f, g, h, a, b, c, d, e, K(19), M(19) ); | |
521 | R( e, f, g, h, a, b, c, d, K(20), M(20) ); | |
522 | R( d, e, f, g, h, a, b, c, K(21), M(21) ); | |
523 | R( c, d, e, f, g, h, a, b, K(22), M(22) ); | |
524 | R( b, c, d, e, f, g, h, a, K(23), M(23) ); | |
525 | R( a, b, c, d, e, f, g, h, K(24), M(24) ); | |
526 | R( h, a, b, c, d, e, f, g, K(25), M(25) ); | |
527 | R( g, h, a, b, c, d, e, f, K(26), M(26) ); | |
528 | R( f, g, h, a, b, c, d, e, K(27), M(27) ); | |
529 | R( e, f, g, h, a, b, c, d, K(28), M(28) ); | |
530 | R( d, e, f, g, h, a, b, c, K(29), M(29) ); | |
531 | R( c, d, e, f, g, h, a, b, K(30), M(30) ); | |
532 | R( b, c, d, e, f, g, h, a, K(31), M(31) ); | |
533 | R( a, b, c, d, e, f, g, h, K(32), M(32) ); | |
534 | R( h, a, b, c, d, e, f, g, K(33), M(33) ); | |
535 | R( g, h, a, b, c, d, e, f, K(34), M(34) ); | |
536 | R( f, g, h, a, b, c, d, e, K(35), M(35) ); | |
537 | R( e, f, g, h, a, b, c, d, K(36), M(36) ); | |
538 | R( d, e, f, g, h, a, b, c, K(37), M(37) ); | |
539 | R( c, d, e, f, g, h, a, b, K(38), M(38) ); | |
540 | R( b, c, d, e, f, g, h, a, K(39), M(39) ); | |
541 | R( a, b, c, d, e, f, g, h, K(40), M(40) ); | |
542 | R( h, a, b, c, d, e, f, g, K(41), M(41) ); | |
543 | R( g, h, a, b, c, d, e, f, K(42), M(42) ); | |
544 | R( f, g, h, a, b, c, d, e, K(43), M(43) ); | |
545 | R( e, f, g, h, a, b, c, d, K(44), M(44) ); | |
546 | R( d, e, f, g, h, a, b, c, K(45), M(45) ); | |
547 | R( c, d, e, f, g, h, a, b, K(46), M(46) ); | |
548 | R( b, c, d, e, f, g, h, a, K(47), M(47) ); | |
549 | R( a, b, c, d, e, f, g, h, K(48), M(48) ); | |
550 | R( h, a, b, c, d, e, f, g, K(49), M(49) ); | |
551 | R( g, h, a, b, c, d, e, f, K(50), M(50) ); | |
552 | R( f, g, h, a, b, c, d, e, K(51), M(51) ); | |
553 | R( e, f, g, h, a, b, c, d, K(52), M(52) ); | |
554 | R( d, e, f, g, h, a, b, c, K(53), M(53) ); | |
555 | R( c, d, e, f, g, h, a, b, K(54), M(54) ); | |
556 | R( b, c, d, e, f, g, h, a, K(55), M(55) ); | |
557 | R( a, b, c, d, e, f, g, h, K(56), M(56) ); | |
558 | R( h, a, b, c, d, e, f, g, K(57), M(57) ); | |
559 | R( g, h, a, b, c, d, e, f, K(58), M(58) ); | |
560 | R( f, g, h, a, b, c, d, e, K(59), M(59) ); | |
561 | R( e, f, g, h, a, b, c, d, K(60), M(60) ); | |
562 | R( d, e, f, g, h, a, b, c, K(61), M(61) ); | |
563 | R( c, d, e, f, g, h, a, b, K(62), M(62) ); | |
564 | R( b, c, d, e, f, g, h, a, K(63), M(63) ); | |
565 | ||
566 | a = ctx->state[0] += a; | |
567 | b = ctx->state[1] += b; | |
568 | c = ctx->state[2] += c; | |
569 | d = ctx->state[3] += d; | |
570 | e = ctx->state[4] += e; | |
571 | f = ctx->state[5] += f; | |
572 | g = ctx->state[6] += g; | |
573 | h = ctx->state[7] += h; | |
574 | } | |
575 | } | |
e9551b12 | 576 | #endif |