| 1 | /* sha256.c - Functions to compute SHA256 and SHA224 message digest of files or |
| 2 | memory blocks according to the NIST specification FIPS-180-2. |
| 3 | |
| 4 | Copyright (C) 2005-2006, 2008-2013 Free Software Foundation, Inc. |
| 5 | |
| 6 | This program is free software: you can redistribute it and/or modify |
| 7 | it under the terms of the GNU General Public License as published by |
| 8 | the Free Software Foundation, either version 3 of the License, or |
| 9 | (at your option) any later version. |
| 10 | |
| 11 | This program is distributed in the hope that it will be useful, |
| 12 | but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 14 | GNU General Public License for more details. |
| 15 | |
| 16 | You should have received a copy of the GNU General Public License |
| 17 | along with this program. If not, see <http://www.gnu.org/licenses/>. */ |
| 18 | |
| 19 | /* Written by David Madore, considerably copypasting from |
| 20 | Scott G. Miller's sha1.c |
| 21 | */ |
| 22 | |
| 23 | #include <config.h> |
| 24 | |
| 25 | #if HAVE_OPENSSL_SHA256 |
| 26 | # define GL_OPENSSL_INLINE _GL_EXTERN_INLINE |
| 27 | #endif |
| 28 | #include "sha256.h" |
| 29 | |
| 30 | #include <stdalign.h> |
| 31 | #include <stdint.h> |
| 32 | #include <stdlib.h> |
| 33 | #include <string.h> |
| 34 | |
| 35 | #if USE_UNLOCKED_IO |
| 36 | # include "unlocked-io.h" |
| 37 | #endif |
| 38 | |
| 39 | #ifdef WORDS_BIGENDIAN |
| 40 | # define SWAP(n) (n) |
| 41 | #else |
| 42 | # define SWAP(n) \ |
| 43 | (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24)) |
| 44 | #endif |
| 45 | |
| 46 | #define BLOCKSIZE 32768 |
| 47 | #if BLOCKSIZE % 64 != 0 |
| 48 | # error "invalid BLOCKSIZE" |
| 49 | #endif |
| 50 | |
| 51 | #if ! HAVE_OPENSSL_SHA256 |
| 52 | /* This array contains the bytes used to pad the buffer to the next |
| 53 | 64-byte boundary. */ |
| 54 | static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ }; |
| 55 | |
| 56 | |
| 57 | /* |
| 58 | Takes a pointer to a 256 bit block of data (eight 32 bit ints) and |
| 59 | initializes it to the start constants of the SHA256 algorithm. This |
| 60 | must be called before using hash in the call to sha256_hash |
| 61 | */ |
| 62 | void |
| 63 | sha256_init_ctx (struct sha256_ctx *ctx) |
| 64 | { |
| 65 | ctx->state[0] = 0x6a09e667UL; |
| 66 | ctx->state[1] = 0xbb67ae85UL; |
| 67 | ctx->state[2] = 0x3c6ef372UL; |
| 68 | ctx->state[3] = 0xa54ff53aUL; |
| 69 | ctx->state[4] = 0x510e527fUL; |
| 70 | ctx->state[5] = 0x9b05688cUL; |
| 71 | ctx->state[6] = 0x1f83d9abUL; |
| 72 | ctx->state[7] = 0x5be0cd19UL; |
| 73 | |
| 74 | ctx->total[0] = ctx->total[1] = 0; |
| 75 | ctx->buflen = 0; |
| 76 | } |
| 77 | |
| 78 | void |
| 79 | sha224_init_ctx (struct sha256_ctx *ctx) |
| 80 | { |
| 81 | ctx->state[0] = 0xc1059ed8UL; |
| 82 | ctx->state[1] = 0x367cd507UL; |
| 83 | ctx->state[2] = 0x3070dd17UL; |
| 84 | ctx->state[3] = 0xf70e5939UL; |
| 85 | ctx->state[4] = 0xffc00b31UL; |
| 86 | ctx->state[5] = 0x68581511UL; |
| 87 | ctx->state[6] = 0x64f98fa7UL; |
| 88 | ctx->state[7] = 0xbefa4fa4UL; |
| 89 | |
| 90 | ctx->total[0] = ctx->total[1] = 0; |
| 91 | ctx->buflen = 0; |
| 92 | } |
| 93 | |
| 94 | /* Copy the value from v into the memory location pointed to by *cp, |
| 95 | If your architecture allows unaligned access this is equivalent to |
| 96 | * (uint32_t *) cp = v */ |
| 97 | static void |
| 98 | set_uint32 (char *cp, uint32_t v) |
| 99 | { |
| 100 | memcpy (cp, &v, sizeof v); |
| 101 | } |
| 102 | |
| 103 | /* Put result from CTX in first 32 bytes following RESBUF. The result |
| 104 | must be in little endian byte order. */ |
| 105 | void * |
| 106 | sha256_read_ctx (const struct sha256_ctx *ctx, void *resbuf) |
| 107 | { |
| 108 | int i; |
| 109 | char *r = resbuf; |
| 110 | |
| 111 | for (i = 0; i < 8; i++) |
| 112 | set_uint32 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i])); |
| 113 | |
| 114 | return resbuf; |
| 115 | } |
| 116 | |
| 117 | void * |
| 118 | sha224_read_ctx (const struct sha256_ctx *ctx, void *resbuf) |
| 119 | { |
| 120 | int i; |
| 121 | char *r = resbuf; |
| 122 | |
| 123 | for (i = 0; i < 7; i++) |
| 124 | set_uint32 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i])); |
| 125 | |
| 126 | return resbuf; |
| 127 | } |
| 128 | |
| 129 | /* Process the remaining bytes in the internal buffer and the usual |
| 130 | prolog according to the standard and write the result to RESBUF. */ |
| 131 | static void |
| 132 | sha256_conclude_ctx (struct sha256_ctx *ctx) |
| 133 | { |
| 134 | /* Take yet unprocessed bytes into account. */ |
| 135 | size_t bytes = ctx->buflen; |
| 136 | size_t size = (bytes < 56) ? 64 / 4 : 64 * 2 / 4; |
| 137 | |
| 138 | /* Now count remaining bytes. */ |
| 139 | ctx->total[0] += bytes; |
| 140 | if (ctx->total[0] < bytes) |
| 141 | ++ctx->total[1]; |
| 142 | |
| 143 | /* Put the 64-bit file length in *bits* at the end of the buffer. |
| 144 | Use set_uint32 rather than a simple assignment, to avoid risk of |
| 145 | unaligned access. */ |
| 146 | set_uint32 ((char *) &ctx->buffer[size - 2], |
| 147 | SWAP ((ctx->total[1] << 3) | (ctx->total[0] >> 29))); |
| 148 | set_uint32 ((char *) &ctx->buffer[size - 1], |
| 149 | SWAP (ctx->total[0] << 3)); |
| 150 | |
| 151 | memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 4 - bytes); |
| 152 | |
| 153 | /* Process last bytes. */ |
| 154 | sha256_process_block (ctx->buffer, size * 4, ctx); |
| 155 | } |
| 156 | |
| 157 | void * |
| 158 | sha256_finish_ctx (struct sha256_ctx *ctx, void *resbuf) |
| 159 | { |
| 160 | sha256_conclude_ctx (ctx); |
| 161 | return sha256_read_ctx (ctx, resbuf); |
| 162 | } |
| 163 | |
| 164 | void * |
| 165 | sha224_finish_ctx (struct sha256_ctx *ctx, void *resbuf) |
| 166 | { |
| 167 | sha256_conclude_ctx (ctx); |
| 168 | return sha224_read_ctx (ctx, resbuf); |
| 169 | } |
| 170 | #endif |
| 171 | |
| 172 | /* Compute SHA256 message digest for bytes read from STREAM. The |
| 173 | resulting message digest number will be written into the 32 bytes |
| 174 | beginning at RESBLOCK. */ |
| 175 | int |
| 176 | sha256_stream (FILE *stream, void *resblock) |
| 177 | { |
| 178 | struct sha256_ctx ctx; |
| 179 | size_t sum; |
| 180 | |
| 181 | char *buffer = malloc (BLOCKSIZE + 72); |
| 182 | if (!buffer) |
| 183 | return 1; |
| 184 | |
| 185 | /* Initialize the computation context. */ |
| 186 | sha256_init_ctx (&ctx); |
| 187 | |
| 188 | /* Iterate over full file contents. */ |
| 189 | while (1) |
| 190 | { |
| 191 | /* We read the file in blocks of BLOCKSIZE bytes. One call of the |
| 192 | computation function processes the whole buffer so that with the |
| 193 | next round of the loop another block can be read. */ |
| 194 | size_t n; |
| 195 | sum = 0; |
| 196 | |
| 197 | /* Read block. Take care for partial reads. */ |
| 198 | while (1) |
| 199 | { |
| 200 | n = fread (buffer + sum, 1, BLOCKSIZE - sum, stream); |
| 201 | |
| 202 | sum += n; |
| 203 | |
| 204 | if (sum == BLOCKSIZE) |
| 205 | break; |
| 206 | |
| 207 | if (n == 0) |
| 208 | { |
| 209 | /* Check for the error flag IFF N == 0, so that we don't |
| 210 | exit the loop after a partial read due to e.g., EAGAIN |
| 211 | or EWOULDBLOCK. */ |
| 212 | if (ferror (stream)) |
| 213 | { |
| 214 | free (buffer); |
| 215 | return 1; |
| 216 | } |
| 217 | goto process_partial_block; |
| 218 | } |
| 219 | |
| 220 | /* We've read at least one byte, so ignore errors. But always |
| 221 | check for EOF, since feof may be true even though N > 0. |
| 222 | Otherwise, we could end up calling fread after EOF. */ |
| 223 | if (feof (stream)) |
| 224 | goto process_partial_block; |
| 225 | } |
| 226 | |
| 227 | /* Process buffer with BLOCKSIZE bytes. Note that |
| 228 | BLOCKSIZE % 64 == 0 |
| 229 | */ |
| 230 | sha256_process_block (buffer, BLOCKSIZE, &ctx); |
| 231 | } |
| 232 | |
| 233 | process_partial_block:; |
| 234 | |
| 235 | /* Process any remaining bytes. */ |
| 236 | if (sum > 0) |
| 237 | sha256_process_bytes (buffer, sum, &ctx); |
| 238 | |
| 239 | /* Construct result in desired memory. */ |
| 240 | sha256_finish_ctx (&ctx, resblock); |
| 241 | free (buffer); |
| 242 | return 0; |
| 243 | } |
| 244 | |
| 245 | /* FIXME: Avoid code duplication */ |
| 246 | int |
| 247 | sha224_stream (FILE *stream, void *resblock) |
| 248 | { |
| 249 | struct sha256_ctx ctx; |
| 250 | size_t sum; |
| 251 | |
| 252 | char *buffer = malloc (BLOCKSIZE + 72); |
| 253 | if (!buffer) |
| 254 | return 1; |
| 255 | |
| 256 | /* Initialize the computation context. */ |
| 257 | sha224_init_ctx (&ctx); |
| 258 | |
| 259 | /* Iterate over full file contents. */ |
| 260 | while (1) |
| 261 | { |
| 262 | /* We read the file in blocks of BLOCKSIZE bytes. One call of the |
| 263 | computation function processes the whole buffer so that with the |
| 264 | next round of the loop another block can be read. */ |
| 265 | size_t n; |
| 266 | sum = 0; |
| 267 | |
| 268 | /* Read block. Take care for partial reads. */ |
| 269 | while (1) |
| 270 | { |
| 271 | n = fread (buffer + sum, 1, BLOCKSIZE - sum, stream); |
| 272 | |
| 273 | sum += n; |
| 274 | |
| 275 | if (sum == BLOCKSIZE) |
| 276 | break; |
| 277 | |
| 278 | if (n == 0) |
| 279 | { |
| 280 | /* Check for the error flag IFF N == 0, so that we don't |
| 281 | exit the loop after a partial read due to e.g., EAGAIN |
| 282 | or EWOULDBLOCK. */ |
| 283 | if (ferror (stream)) |
| 284 | { |
| 285 | free (buffer); |
| 286 | return 1; |
| 287 | } |
| 288 | goto process_partial_block; |
| 289 | } |
| 290 | |
| 291 | /* We've read at least one byte, so ignore errors. But always |
| 292 | check for EOF, since feof may be true even though N > 0. |
| 293 | Otherwise, we could end up calling fread after EOF. */ |
| 294 | if (feof (stream)) |
| 295 | goto process_partial_block; |
| 296 | } |
| 297 | |
| 298 | /* Process buffer with BLOCKSIZE bytes. Note that |
| 299 | BLOCKSIZE % 64 == 0 |
| 300 | */ |
| 301 | sha256_process_block (buffer, BLOCKSIZE, &ctx); |
| 302 | } |
| 303 | |
| 304 | process_partial_block:; |
| 305 | |
| 306 | /* Process any remaining bytes. */ |
| 307 | if (sum > 0) |
| 308 | sha256_process_bytes (buffer, sum, &ctx); |
| 309 | |
| 310 | /* Construct result in desired memory. */ |
| 311 | sha224_finish_ctx (&ctx, resblock); |
| 312 | free (buffer); |
| 313 | return 0; |
| 314 | } |
| 315 | |
| 316 | #if ! HAVE_OPENSSL_SHA256 |
| 317 | /* Compute SHA512 message digest for LEN bytes beginning at BUFFER. The |
| 318 | result is always in little endian byte order, so that a byte-wise |
| 319 | output yields to the wanted ASCII representation of the message |
| 320 | digest. */ |
| 321 | void * |
| 322 | sha256_buffer (const char *buffer, size_t len, void *resblock) |
| 323 | { |
| 324 | struct sha256_ctx ctx; |
| 325 | |
| 326 | /* Initialize the computation context. */ |
| 327 | sha256_init_ctx (&ctx); |
| 328 | |
| 329 | /* Process whole buffer but last len % 64 bytes. */ |
| 330 | sha256_process_bytes (buffer, len, &ctx); |
| 331 | |
| 332 | /* Put result in desired memory area. */ |
| 333 | return sha256_finish_ctx (&ctx, resblock); |
| 334 | } |
| 335 | |
| 336 | void * |
| 337 | sha224_buffer (const char *buffer, size_t len, void *resblock) |
| 338 | { |
| 339 | struct sha256_ctx ctx; |
| 340 | |
| 341 | /* Initialize the computation context. */ |
| 342 | sha224_init_ctx (&ctx); |
| 343 | |
| 344 | /* Process whole buffer but last len % 64 bytes. */ |
| 345 | sha256_process_bytes (buffer, len, &ctx); |
| 346 | |
| 347 | /* Put result in desired memory area. */ |
| 348 | return sha224_finish_ctx (&ctx, resblock); |
| 349 | } |
| 350 | |
| 351 | void |
| 352 | sha256_process_bytes (const void *buffer, size_t len, struct sha256_ctx *ctx) |
| 353 | { |
| 354 | /* When we already have some bits in our internal buffer concatenate |
| 355 | both inputs first. */ |
| 356 | if (ctx->buflen != 0) |
| 357 | { |
| 358 | size_t left_over = ctx->buflen; |
| 359 | size_t add = 128 - left_over > len ? len : 128 - left_over; |
| 360 | |
| 361 | memcpy (&((char *) ctx->buffer)[left_over], buffer, add); |
| 362 | ctx->buflen += add; |
| 363 | |
| 364 | if (ctx->buflen > 64) |
| 365 | { |
| 366 | sha256_process_block (ctx->buffer, ctx->buflen & ~63, ctx); |
| 367 | |
| 368 | ctx->buflen &= 63; |
| 369 | /* The regions in the following copy operation cannot overlap. */ |
| 370 | memcpy (ctx->buffer, |
| 371 | &((char *) ctx->buffer)[(left_over + add) & ~63], |
| 372 | ctx->buflen); |
| 373 | } |
| 374 | |
| 375 | buffer = (const char *) buffer + add; |
| 376 | len -= add; |
| 377 | } |
| 378 | |
| 379 | /* Process available complete blocks. */ |
| 380 | if (len >= 64) |
| 381 | { |
| 382 | #if !_STRING_ARCH_unaligned |
| 383 | # define UNALIGNED_P(p) ((uintptr_t) (p) % alignof (uint32_t) != 0) |
| 384 | if (UNALIGNED_P (buffer)) |
| 385 | while (len > 64) |
| 386 | { |
| 387 | sha256_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx); |
| 388 | buffer = (const char *) buffer + 64; |
| 389 | len -= 64; |
| 390 | } |
| 391 | else |
| 392 | #endif |
| 393 | { |
| 394 | sha256_process_block (buffer, len & ~63, ctx); |
| 395 | buffer = (const char *) buffer + (len & ~63); |
| 396 | len &= 63; |
| 397 | } |
| 398 | } |
| 399 | |
| 400 | /* Move remaining bytes in internal buffer. */ |
| 401 | if (len > 0) |
| 402 | { |
| 403 | size_t left_over = ctx->buflen; |
| 404 | |
| 405 | memcpy (&((char *) ctx->buffer)[left_over], buffer, len); |
| 406 | left_over += len; |
| 407 | if (left_over >= 64) |
| 408 | { |
| 409 | sha256_process_block (ctx->buffer, 64, ctx); |
| 410 | left_over -= 64; |
| 411 | memcpy (ctx->buffer, &ctx->buffer[16], left_over); |
| 412 | } |
| 413 | ctx->buflen = left_over; |
| 414 | } |
| 415 | } |
| 416 | |
| 417 | /* --- Code below is the primary difference between sha1.c and sha256.c --- */ |
| 418 | |
| 419 | /* SHA256 round constants */ |
| 420 | #define K(I) sha256_round_constants[I] |
| 421 | static const uint32_t sha256_round_constants[64] = { |
| 422 | 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, |
| 423 | 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, |
| 424 | 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, |
| 425 | 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, |
| 426 | 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, |
| 427 | 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, |
| 428 | 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, |
| 429 | 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, |
| 430 | 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, |
| 431 | 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, |
| 432 | 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, |
| 433 | 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, |
| 434 | 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, |
| 435 | 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, |
| 436 | 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, |
| 437 | 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL, |
| 438 | }; |
| 439 | |
| 440 | /* Round functions. */ |
| 441 | #define F2(A,B,C) ( ( A & B ) | ( C & ( A | B ) ) ) |
| 442 | #define F1(E,F,G) ( G ^ ( E & ( F ^ G ) ) ) |
| 443 | |
| 444 | /* Process LEN bytes of BUFFER, accumulating context into CTX. |
| 445 | It is assumed that LEN % 64 == 0. |
| 446 | Most of this code comes from GnuPG's cipher/sha1.c. */ |
| 447 | |
| 448 | void |
| 449 | sha256_process_block (const void *buffer, size_t len, struct sha256_ctx *ctx) |
| 450 | { |
| 451 | const uint32_t *words = buffer; |
| 452 | size_t nwords = len / sizeof (uint32_t); |
| 453 | const uint32_t *endp = words + nwords; |
| 454 | uint32_t x[16]; |
| 455 | uint32_t a = ctx->state[0]; |
| 456 | uint32_t b = ctx->state[1]; |
| 457 | uint32_t c = ctx->state[2]; |
| 458 | uint32_t d = ctx->state[3]; |
| 459 | uint32_t e = ctx->state[4]; |
| 460 | uint32_t f = ctx->state[5]; |
| 461 | uint32_t g = ctx->state[6]; |
| 462 | uint32_t h = ctx->state[7]; |
| 463 | uint32_t lolen = len; |
| 464 | |
| 465 | /* First increment the byte count. FIPS PUB 180-2 specifies the possible |
| 466 | length of the file up to 2^64 bits. Here we only compute the |
| 467 | number of bytes. Do a double word increment. */ |
| 468 | ctx->total[0] += lolen; |
| 469 | ctx->total[1] += (len >> 31 >> 1) + (ctx->total[0] < lolen); |
| 470 | |
| 471 | #define rol(x, n) (((x) << (n)) | ((x) >> (32 - (n)))) |
| 472 | #define S0(x) (rol(x,25)^rol(x,14)^(x>>3)) |
| 473 | #define S1(x) (rol(x,15)^rol(x,13)^(x>>10)) |
| 474 | #define SS0(x) (rol(x,30)^rol(x,19)^rol(x,10)) |
| 475 | #define SS1(x) (rol(x,26)^rol(x,21)^rol(x,7)) |
| 476 | |
| 477 | #define M(I) ( tm = S1(x[(I-2)&0x0f]) + x[(I-7)&0x0f] \ |
| 478 | + S0(x[(I-15)&0x0f]) + x[I&0x0f] \ |
| 479 | , x[I&0x0f] = tm ) |
| 480 | |
| 481 | #define R(A,B,C,D,E,F,G,H,K,M) do { t0 = SS0(A) + F2(A,B,C); \ |
| 482 | t1 = H + SS1(E) \ |
| 483 | + F1(E,F,G) \ |
| 484 | + K \ |
| 485 | + M; \ |
| 486 | D += t1; H = t0 + t1; \ |
| 487 | } while(0) |
| 488 | |
| 489 | while (words < endp) |
| 490 | { |
| 491 | uint32_t tm; |
| 492 | uint32_t t0, t1; |
| 493 | int t; |
| 494 | /* FIXME: see sha1.c for a better implementation. */ |
| 495 | for (t = 0; t < 16; t++) |
| 496 | { |
| 497 | x[t] = SWAP (*words); |
| 498 | words++; |
| 499 | } |
| 500 | |
| 501 | R( a, b, c, d, e, f, g, h, K( 0), x[ 0] ); |
| 502 | R( h, a, b, c, d, e, f, g, K( 1), x[ 1] ); |
| 503 | R( g, h, a, b, c, d, e, f, K( 2), x[ 2] ); |
| 504 | R( f, g, h, a, b, c, d, e, K( 3), x[ 3] ); |
| 505 | R( e, f, g, h, a, b, c, d, K( 4), x[ 4] ); |
| 506 | R( d, e, f, g, h, a, b, c, K( 5), x[ 5] ); |
| 507 | R( c, d, e, f, g, h, a, b, K( 6), x[ 6] ); |
| 508 | R( b, c, d, e, f, g, h, a, K( 7), x[ 7] ); |
| 509 | R( a, b, c, d, e, f, g, h, K( 8), x[ 8] ); |
| 510 | R( h, a, b, c, d, e, f, g, K( 9), x[ 9] ); |
| 511 | R( g, h, a, b, c, d, e, f, K(10), x[10] ); |
| 512 | R( f, g, h, a, b, c, d, e, K(11), x[11] ); |
| 513 | R( e, f, g, h, a, b, c, d, K(12), x[12] ); |
| 514 | R( d, e, f, g, h, a, b, c, K(13), x[13] ); |
| 515 | R( c, d, e, f, g, h, a, b, K(14), x[14] ); |
| 516 | R( b, c, d, e, f, g, h, a, K(15), x[15] ); |
| 517 | R( a, b, c, d, e, f, g, h, K(16), M(16) ); |
| 518 | R( h, a, b, c, d, e, f, g, K(17), M(17) ); |
| 519 | R( g, h, a, b, c, d, e, f, K(18), M(18) ); |
| 520 | R( f, g, h, a, b, c, d, e, K(19), M(19) ); |
| 521 | R( e, f, g, h, a, b, c, d, K(20), M(20) ); |
| 522 | R( d, e, f, g, h, a, b, c, K(21), M(21) ); |
| 523 | R( c, d, e, f, g, h, a, b, K(22), M(22) ); |
| 524 | R( b, c, d, e, f, g, h, a, K(23), M(23) ); |
| 525 | R( a, b, c, d, e, f, g, h, K(24), M(24) ); |
| 526 | R( h, a, b, c, d, e, f, g, K(25), M(25) ); |
| 527 | R( g, h, a, b, c, d, e, f, K(26), M(26) ); |
| 528 | R( f, g, h, a, b, c, d, e, K(27), M(27) ); |
| 529 | R( e, f, g, h, a, b, c, d, K(28), M(28) ); |
| 530 | R( d, e, f, g, h, a, b, c, K(29), M(29) ); |
| 531 | R( c, d, e, f, g, h, a, b, K(30), M(30) ); |
| 532 | R( b, c, d, e, f, g, h, a, K(31), M(31) ); |
| 533 | R( a, b, c, d, e, f, g, h, K(32), M(32) ); |
| 534 | R( h, a, b, c, d, e, f, g, K(33), M(33) ); |
| 535 | R( g, h, a, b, c, d, e, f, K(34), M(34) ); |
| 536 | R( f, g, h, a, b, c, d, e, K(35), M(35) ); |
| 537 | R( e, f, g, h, a, b, c, d, K(36), M(36) ); |
| 538 | R( d, e, f, g, h, a, b, c, K(37), M(37) ); |
| 539 | R( c, d, e, f, g, h, a, b, K(38), M(38) ); |
| 540 | R( b, c, d, e, f, g, h, a, K(39), M(39) ); |
| 541 | R( a, b, c, d, e, f, g, h, K(40), M(40) ); |
| 542 | R( h, a, b, c, d, e, f, g, K(41), M(41) ); |
| 543 | R( g, h, a, b, c, d, e, f, K(42), M(42) ); |
| 544 | R( f, g, h, a, b, c, d, e, K(43), M(43) ); |
| 545 | R( e, f, g, h, a, b, c, d, K(44), M(44) ); |
| 546 | R( d, e, f, g, h, a, b, c, K(45), M(45) ); |
| 547 | R( c, d, e, f, g, h, a, b, K(46), M(46) ); |
| 548 | R( b, c, d, e, f, g, h, a, K(47), M(47) ); |
| 549 | R( a, b, c, d, e, f, g, h, K(48), M(48) ); |
| 550 | R( h, a, b, c, d, e, f, g, K(49), M(49) ); |
| 551 | R( g, h, a, b, c, d, e, f, K(50), M(50) ); |
| 552 | R( f, g, h, a, b, c, d, e, K(51), M(51) ); |
| 553 | R( e, f, g, h, a, b, c, d, K(52), M(52) ); |
| 554 | R( d, e, f, g, h, a, b, c, K(53), M(53) ); |
| 555 | R( c, d, e, f, g, h, a, b, K(54), M(54) ); |
| 556 | R( b, c, d, e, f, g, h, a, K(55), M(55) ); |
| 557 | R( a, b, c, d, e, f, g, h, K(56), M(56) ); |
| 558 | R( h, a, b, c, d, e, f, g, K(57), M(57) ); |
| 559 | R( g, h, a, b, c, d, e, f, K(58), M(58) ); |
| 560 | R( f, g, h, a, b, c, d, e, K(59), M(59) ); |
| 561 | R( e, f, g, h, a, b, c, d, K(60), M(60) ); |
| 562 | R( d, e, f, g, h, a, b, c, K(61), M(61) ); |
| 563 | R( c, d, e, f, g, h, a, b, K(62), M(62) ); |
| 564 | R( b, c, d, e, f, g, h, a, K(63), M(63) ); |
| 565 | |
| 566 | a = ctx->state[0] += a; |
| 567 | b = ctx->state[1] += b; |
| 568 | c = ctx->state[2] += c; |
| 569 | d = ctx->state[3] += d; |
| 570 | e = ctx->state[4] += e; |
| 571 | f = ctx->state[5] += f; |
| 572 | g = ctx->state[6] += g; |
| 573 | h = ctx->state[7] += h; |
| 574 | } |
| 575 | } |
| 576 | #endif |