root/lib/sha512.c

DEFINITIONS

1. sha512_init_ctx
2. sha384_init_ctx
3. set_uint64
4. sha512_read_ctx
5. sha384_read_ctx
6. sha512_conclude_ctx
7. sha512_finish_ctx
8. sha384_finish_ctx
9. sha512_buffer
10. sha384_buffer
11. sha512_process_bytes
12. sha512_process_block

     1 /* sha512.c - Functions to compute SHA512 and SHA384 message digest of files or
     2    memory blocks according to the NIST specification FIPS-180-2.
     3 
     4    Copyright (C) 2005-2006, 2008-2023 Free Software Foundation, Inc.
     5 
     6    This file is free software: you can redistribute it and/or modify
     7    it under the terms of the GNU Lesser General Public License as
     8    published by the Free Software Foundation; either version 2.1 of the
     9    License, or (at your option) any later version.
    10 
    11    This file is distributed in the hope that it will be useful,
    12    but WITHOUT ANY WARRANTY; without even the implied warranty of
    13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    14    GNU Lesser General Public License for more details.
    15 
    16    You should have received a copy of the GNU Lesser General Public License
    17    along with this program.  If not, see <https://www.gnu.org/licenses/>.  */
    18 
    19 /* Written by David Madore, considerably copypasting from
    20    Scott G. Miller's sha1.c
    21 */
    22 
    23 #include <config.h>
    24 
    25 /* Specification.  */
    26 #if HAVE_OPENSSL_SHA512
    27 # define GL_OPENSSL_INLINE _GL_EXTERN_INLINE
    28 #endif
    29 #include "sha512.h"
    30 
    31 #include <stdint.h>
    32 #include <string.h>
    33 
    34 #include <byteswap.h>
    35 #ifdef WORDS_BIGENDIAN
    36 # define SWAP(n) (n)
    37 #else
    38 # define SWAP(n) bswap_64 (n)
    39 #endif
    40 
    41 #if ! HAVE_OPENSSL_SHA512
    42 
    43 /* This array contains the bytes used to pad the buffer to the next
    44    128-byte boundary.  */
    45 static const unsigned char fillbuf[128] = { 0x80, 0 /* , 0, 0, ...  */ };
    46 
    47 
    48 /*
    49   Takes a pointer to a 512 bit block of data (eight 64 bit ints) and
    50   initializes it to the start constants of the SHA512 algorithm.  This
    51   must be called before using hash in the call to sha512_hash
    52 */
    53 void
    54 sha512_init_ctx (struct sha512_ctx *ctx)
    55 {
    56   ctx->state[0] = u64hilo (0x6a09e667, 0xf3bcc908);
    57   ctx->state[1] = u64hilo (0xbb67ae85, 0x84caa73b);
    58   ctx->state[2] = u64hilo (0x3c6ef372, 0xfe94f82b);
    59   ctx->state[3] = u64hilo (0xa54ff53a, 0x5f1d36f1);
    60   ctx->state[4] = u64hilo (0x510e527f, 0xade682d1);
    61   ctx->state[5] = u64hilo (0x9b05688c, 0x2b3e6c1f);
    62   ctx->state[6] = u64hilo (0x1f83d9ab, 0xfb41bd6b);
    63   ctx->state[7] = u64hilo (0x5be0cd19, 0x137e2179);
    64 
    65   ctx->total[0] = ctx->total[1] = u64lo (0);
    66   ctx->buflen = 0;
    67 }
    68 
    69 void
    70 sha384_init_ctx (struct sha512_ctx *ctx)
    71 {
    72   ctx->state[0] = u64hilo (0xcbbb9d5d, 0xc1059ed8);
    73   ctx->state[1] = u64hilo (0x629a292a, 0x367cd507);
    74   ctx->state[2] = u64hilo (0x9159015a, 0x3070dd17);
    75   ctx->state[3] = u64hilo (0x152fecd8, 0xf70e5939);
    76   ctx->state[4] = u64hilo (0x67332667, 0xffc00b31);
    77   ctx->state[5] = u64hilo (0x8eb44a87, 0x68581511);
    78   ctx->state[6] = u64hilo (0xdb0c2e0d, 0x64f98fa7);
    79   ctx->state[7] = u64hilo (0x47b5481d, 0xbefa4fa4);
    80 
    81   ctx->total[0] = ctx->total[1] = u64lo (0);
    82   ctx->buflen = 0;
    83 }
    84 
    85 /* Copy the value from V into the memory location pointed to by *CP,
    86    If your architecture allows unaligned access, this is equivalent to
    87    * (__typeof__ (v) *) cp = v  */
    88 static void
    89 set_uint64 (char *cp, u64 v)
    90 {
    91   memcpy (cp, &v, sizeof v);
    92 }
    93 
    94 /* Put result from CTX in first 64 bytes following RESBUF.
    95    The result must be in little endian byte order.  */
    96 void *
    97 sha512_read_ctx (const struct sha512_ctx *ctx, void *resbuf)
    98 {
    99   int i;
   100   char *r = resbuf;
   101 
   102   for (i = 0; i < 8; i++)
   103     set_uint64 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
   104 
   105   return resbuf;
   106 }
   107 
   108 void *
   109 sha384_read_ctx (const struct sha512_ctx *ctx, void *resbuf)
   110 {
   111   int i;
   112   char *r = resbuf;
   113 
   114   for (i = 0; i < 6; i++)
   115     set_uint64 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
   116 
   117   return resbuf;
   118 }
   119 
   120 /* Process the remaining bytes in the internal buffer and the usual
   121    prolog according to the standard and write the result to RESBUF.  */
   122 static void
   123 sha512_conclude_ctx (struct sha512_ctx *ctx)
   124 {
   125   /* Take yet unprocessed bytes into account.  */
   126   size_t bytes = ctx->buflen;
   127   size_t size = (bytes < 112) ? 128 / 8 : 128 * 2 / 8;
   128 
   129   /* Now count remaining bytes.  */
   130   ctx->total[0] = u64plus (ctx->total[0], u64lo (bytes));
   131   if (u64lt (ctx->total[0], u64lo (bytes)))
   132     ctx->total[1] = u64plus (ctx->total[1], u64lo (1));
   133 
   134   /* Put the 128-bit file length in *bits* at the end of the buffer.
   135      Use set_uint64 rather than a simple assignment, to avoid risk of
   136      unaligned access.  */
   137   set_uint64 ((char *) &ctx->buffer[size - 2],
   138               SWAP (u64or (u64shl (ctx->total[1], 3),
   139                            u64shr (ctx->total[0], 61))));
   140   set_uint64 ((char *) &ctx->buffer[size - 1],
   141               SWAP (u64shl (ctx->total[0], 3)));
   142 
   143   memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 8 - bytes);
   144 
   145   /* Process last bytes.  */
   146   sha512_process_block (ctx->buffer, size * 8, ctx);
   147 }
   148 
   149 void *
   150 sha512_finish_ctx (struct sha512_ctx *ctx, void *resbuf)
   151 {
   152   sha512_conclude_ctx (ctx);
   153   return sha512_read_ctx (ctx, resbuf);
   154 }
   155 
   156 void *
   157 sha384_finish_ctx (struct sha512_ctx *ctx, void *resbuf)
   158 {
   159   sha512_conclude_ctx (ctx);
   160   return sha384_read_ctx (ctx, resbuf);
   161 }
   162 
   163 /* Compute SHA512 message digest for LEN bytes beginning at BUFFER.  The
   164    result is always in little endian byte order, so that a byte-wise
   165    output yields to the wanted ASCII representation of the message
   166    digest.  */
   167 void *
   168 sha512_buffer (const char *buffer, size_t len, void *resblock)
   169 {
   170   struct sha512_ctx ctx;
   171 
   172   /* Initialize the computation context.  */
   173   sha512_init_ctx (&ctx);
   174 
   175   /* Process whole buffer but last len % 128 bytes.  */
   176   sha512_process_bytes (buffer, len, &ctx);
   177 
   178   /* Put result in desired memory area.  */
   179   return sha512_finish_ctx (&ctx, resblock);
   180 }
   181 
   182 void *
   183 sha384_buffer (const char *buffer, size_t len, void *resblock)
   184 {
   185   struct sha512_ctx ctx;
   186 
   187   /* Initialize the computation context.  */
   188   sha384_init_ctx (&ctx);
   189 
   190   /* Process whole buffer but last len % 128 bytes.  */
   191   sha512_process_bytes (buffer, len, &ctx);
   192 
   193   /* Put result in desired memory area.  */
   194   return sha384_finish_ctx (&ctx, resblock);
   195 }
   196 
   197 void
   198 sha512_process_bytes (const void *buffer, size_t len, struct sha512_ctx *ctx)
   199 {
   200   /* When we already have some bits in our internal buffer concatenate
   201      both inputs first.  */
   202   if (ctx->buflen != 0)
   203     {
   204       size_t left_over = ctx->buflen;
   205       size_t add = 256 - left_over > len ? len : 256 - left_over;
   206 
   207       memcpy (&((char *) ctx->buffer)[left_over], buffer, add);
   208       ctx->buflen += add;
   209 
   210       if (ctx->buflen > 128)
   211         {
   212           sha512_process_block (ctx->buffer, ctx->buflen & ~127, ctx);
   213 
   214           ctx->buflen &= 127;
   215           /* The regions in the following copy operation cannot overlap,
   216              because ctx->buflen < 128 ≤ (left_over + add) & ~127.  */
   217           memcpy (ctx->buffer,
   218                   &((char *) ctx->buffer)[(left_over + add) & ~127],
   219                   ctx->buflen);
   220         }
   221 
   222       buffer = (const char *) buffer + add;
   223       len -= add;
   224     }
   225 
   226   /* Process available complete blocks.  */
   227   if (len >= 128)
   228     {
   229 #if !(_STRING_ARCH_unaligned || _STRING_INLINE_unaligned)
   230 # define UNALIGNED_P(p) ((uintptr_t) (p) % alignof (u64) != 0)
   231       if (UNALIGNED_P (buffer))
   232         while (len > 128)
   233           {
   234             sha512_process_block (memcpy (ctx->buffer, buffer, 128), 128, ctx);
   235             buffer = (const char *) buffer + 128;
   236             len -= 128;
   237           }
   238       else
   239 #endif
   240         {
   241           sha512_process_block (buffer, len & ~127, ctx);
   242           buffer = (const char *) buffer + (len & ~127);
   243           len &= 127;
   244         }
   245     }
   246 
   247   /* Move remaining bytes in internal buffer.  */
   248   if (len > 0)
   249     {
   250       size_t left_over = ctx->buflen;
   251 
   252       memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
   253       left_over += len;
   254       if (left_over >= 128)
   255         {
   256           sha512_process_block (ctx->buffer, 128, ctx);
   257           left_over -= 128;
   258           /* The regions in the following copy operation cannot overlap,
   259              because left_over ≤ 128.  */
   260           memcpy (ctx->buffer, &ctx->buffer[16], left_over);
   261         }
   262       ctx->buflen = left_over;
   263     }
   264 }
   265 
   266 /* --- Code below is the primary difference between sha1.c and sha512.c --- */
   267 
   268 /* SHA512 round constants */
   269 #define K(I) sha512_round_constants[I]
   270 static u64 const sha512_round_constants[80] = {
   271   u64init (0x428a2f98, 0xd728ae22), u64init (0x71374491, 0x23ef65cd),
   272   u64init (0xb5c0fbcf, 0xec4d3b2f), u64init (0xe9b5dba5, 0x8189dbbc),
   273   u64init (0x3956c25b, 0xf348b538), u64init (0x59f111f1, 0xb605d019),
   274   u64init (0x923f82a4, 0xaf194f9b), u64init (0xab1c5ed5, 0xda6d8118),
   275   u64init (0xd807aa98, 0xa3030242), u64init (0x12835b01, 0x45706fbe),
   276   u64init (0x243185be, 0x4ee4b28c), u64init (0x550c7dc3, 0xd5ffb4e2),
   277   u64init (0x72be5d74, 0xf27b896f), u64init (0x80deb1fe, 0x3b1696b1),
   278   u64init (0x9bdc06a7, 0x25c71235), u64init (0xc19bf174, 0xcf692694),
   279   u64init (0xe49b69c1, 0x9ef14ad2), u64init (0xefbe4786, 0x384f25e3),
   280   u64init (0x0fc19dc6, 0x8b8cd5b5), u64init (0x240ca1cc, 0x77ac9c65),
   281   u64init (0x2de92c6f, 0x592b0275), u64init (0x4a7484aa, 0x6ea6e483),
   282   u64init (0x5cb0a9dc, 0xbd41fbd4), u64init (0x76f988da, 0x831153b5),
   283   u64init (0x983e5152, 0xee66dfab), u64init (0xa831c66d, 0x2db43210),
   284   u64init (0xb00327c8, 0x98fb213f), u64init (0xbf597fc7, 0xbeef0ee4),
   285   u64init (0xc6e00bf3, 0x3da88fc2), u64init (0xd5a79147, 0x930aa725),
   286   u64init (0x06ca6351, 0xe003826f), u64init (0x14292967, 0x0a0e6e70),
   287   u64init (0x27b70a85, 0x46d22ffc), u64init (0x2e1b2138, 0x5c26c926),
   288   u64init (0x4d2c6dfc, 0x5ac42aed), u64init (0x53380d13, 0x9d95b3df),
   289   u64init (0x650a7354, 0x8baf63de), u64init (0x766a0abb, 0x3c77b2a8),
   290   u64init (0x81c2c92e, 0x47edaee6), u64init (0x92722c85, 0x1482353b),
   291   u64init (0xa2bfe8a1, 0x4cf10364), u64init (0xa81a664b, 0xbc423001),
   292   u64init (0xc24b8b70, 0xd0f89791), u64init (0xc76c51a3, 0x0654be30),
   293   u64init (0xd192e819, 0xd6ef5218), u64init (0xd6990624, 0x5565a910),
   294   u64init (0xf40e3585, 0x5771202a), u64init (0x106aa070, 0x32bbd1b8),
   295   u64init (0x19a4c116, 0xb8d2d0c8), u64init (0x1e376c08, 0x5141ab53),
   296   u64init (0x2748774c, 0xdf8eeb99), u64init (0x34b0bcb5, 0xe19b48a8),
   297   u64init (0x391c0cb3, 0xc5c95a63), u64init (0x4ed8aa4a, 0xe3418acb),
   298   u64init (0x5b9cca4f, 0x7763e373), u64init (0x682e6ff3, 0xd6b2b8a3),
   299   u64init (0x748f82ee, 0x5defb2fc), u64init (0x78a5636f, 0x43172f60),
   300   u64init (0x84c87814, 0xa1f0ab72), u64init (0x8cc70208, 0x1a6439ec),
   301   u64init (0x90befffa, 0x23631e28), u64init (0xa4506ceb, 0xde82bde9),
   302   u64init (0xbef9a3f7, 0xb2c67915), u64init (0xc67178f2, 0xe372532b),
   303   u64init (0xca273ece, 0xea26619c), u64init (0xd186b8c7, 0x21c0c207),
   304   u64init (0xeada7dd6, 0xcde0eb1e), u64init (0xf57d4f7f, 0xee6ed178),
   305   u64init (0x06f067aa, 0x72176fba), u64init (0x0a637dc5, 0xa2c898a6),
   306   u64init (0x113f9804, 0xbef90dae), u64init (0x1b710b35, 0x131c471b),
   307   u64init (0x28db77f5, 0x23047d84), u64init (0x32caab7b, 0x40c72493),
   308   u64init (0x3c9ebe0a, 0x15c9bebc), u64init (0x431d67c4, 0x9c100d4c),
   309   u64init (0x4cc5d4be, 0xcb3e42b6), u64init (0x597f299c, 0xfc657e2a),
   310   u64init (0x5fcb6fab, 0x3ad6faec), u64init (0x6c44198c, 0x4a475817),
   311 };
   312 
   313 /* Round functions.  */
   314 #define F2(A, B, C) u64or (u64and (A, B), u64and (C, u64or (A, B)))
   315 #define F1(E, F, G) u64xor (G, u64and (E, u64xor (F, G)))
   316 
   317 /* Process LEN bytes of BUFFER, accumulating context into CTX.
   318    It is assumed that LEN % 128 == 0.
   319    Most of this code comes from GnuPG's cipher/sha1.c.  */
   320 
   321 void
   322 sha512_process_block (const void *buffer, size_t len, struct sha512_ctx *ctx)
   323 {
   324   u64 const *words = buffer;
   325   u64 const *endp = words + len / sizeof (u64);
   326   u64 x[16];
   327   u64 a = ctx->state[0];
   328   u64 b = ctx->state[1];
   329   u64 c = ctx->state[2];
   330   u64 d = ctx->state[3];
   331   u64 e = ctx->state[4];
   332   u64 f = ctx->state[5];
   333   u64 g = ctx->state[6];
   334   u64 h = ctx->state[7];
   335   u64 lolen = u64size (len);
   336 
   337   /* First increment the byte count.  FIPS PUB 180-2 specifies the possible
   338      length of the file up to 2^128 bits.  Here we only compute the
   339      number of bytes.  Do a double word increment.  */
   340   ctx->total[0] = u64plus (ctx->total[0], lolen);
   341   ctx->total[1] = u64plus (ctx->total[1],
   342                            u64plus (u64size (len >> 31 >> 31 >> 2),
   343                                     u64lo (u64lt (ctx->total[0], lolen))));
   344 
   345 #define S0(x) u64xor (u64rol(x, 63), u64xor (u64rol (x, 56), u64shr (x, 7)))
   346 #define S1(x) u64xor (u64rol (x, 45), u64xor (u64rol (x, 3), u64shr (x, 6)))
   347 #define SS0(x) u64xor (u64rol (x, 36), u64xor (u64rol (x, 30), u64rol (x, 25)))
   348 #define SS1(x) u64xor (u64rol(x, 50), u64xor (u64rol (x, 46), u64rol (x, 23)))
   349 
   350 #define M(I) (x[(I) & 15]                                                 \
   351               = u64plus (x[(I) & 15],                                     \
   352                          u64plus (S1 (x[((I) - 2) & 15]),                 \
   353                                   u64plus (x[((I) - 7) & 15],             \
   354                                            S0 (x[((I) - 15) & 15])))))
   355 
   356 #define R(A, B, C, D, E, F, G, H, K, M)                                   \
   357   do                                                                      \
   358     {                                                                     \
   359       u64 t0 = u64plus (SS0 (A), F2 (A, B, C));                           \
   360       u64 t1 =                                                            \
   361         u64plus (H, u64plus (SS1 (E),                                     \
   362                              u64plus (F1 (E, F, G), u64plus (K, M))));    \
   363       D = u64plus (D, t1);                                                \
   364       H = u64plus (t0, t1);                                               \
   365     }                                                                     \
   366   while (0)
   367 
   368   while (words < endp)
   369     {
   370       int t;
   371       /* FIXME: see sha1.c for a better implementation.  */
   372       for (t = 0; t < 16; t++)
   373         {
   374           x[t] = SWAP (*words);
   375           words++;
   376         }
   377 
   378       R( a, b, c, d, e, f, g, h, K( 0), x[ 0] );
   379       R( h, a, b, c, d, e, f, g, K( 1), x[ 1] );
   380       R( g, h, a, b, c, d, e, f, K( 2), x[ 2] );
   381       R( f, g, h, a, b, c, d, e, K( 3), x[ 3] );
   382       R( e, f, g, h, a, b, c, d, K( 4), x[ 4] );
   383       R( d, e, f, g, h, a, b, c, K( 5), x[ 5] );
   384       R( c, d, e, f, g, h, a, b, K( 6), x[ 6] );
   385       R( b, c, d, e, f, g, h, a, K( 7), x[ 7] );
   386       R( a, b, c, d, e, f, g, h, K( 8), x[ 8] );
   387       R( h, a, b, c, d, e, f, g, K( 9), x[ 9] );
   388       R( g, h, a, b, c, d, e, f, K(10), x[10] );
   389       R( f, g, h, a, b, c, d, e, K(11), x[11] );
   390       R( e, f, g, h, a, b, c, d, K(12), x[12] );
   391       R( d, e, f, g, h, a, b, c, K(13), x[13] );
   392       R( c, d, e, f, g, h, a, b, K(14), x[14] );
   393       R( b, c, d, e, f, g, h, a, K(15), x[15] );
   394       R( a, b, c, d, e, f, g, h, K(16), M(16) );
   395       R( h, a, b, c, d, e, f, g, K(17), M(17) );
   396       R( g, h, a, b, c, d, e, f, K(18), M(18) );
   397       R( f, g, h, a, b, c, d, e, K(19), M(19) );
   398       R( e, f, g, h, a, b, c, d, K(20), M(20) );
   399       R( d, e, f, g, h, a, b, c, K(21), M(21) );
   400       R( c, d, e, f, g, h, a, b, K(22), M(22) );
   401       R( b, c, d, e, f, g, h, a, K(23), M(23) );
   402       R( a, b, c, d, e, f, g, h, K(24), M(24) );
   403       R( h, a, b, c, d, e, f, g, K(25), M(25) );
   404       R( g, h, a, b, c, d, e, f, K(26), M(26) );
   405       R( f, g, h, a, b, c, d, e, K(27), M(27) );
   406       R( e, f, g, h, a, b, c, d, K(28), M(28) );
   407       R( d, e, f, g, h, a, b, c, K(29), M(29) );
   408       R( c, d, e, f, g, h, a, b, K(30), M(30) );
   409       R( b, c, d, e, f, g, h, a, K(31), M(31) );
   410       R( a, b, c, d, e, f, g, h, K(32), M(32) );
   411       R( h, a, b, c, d, e, f, g, K(33), M(33) );
   412       R( g, h, a, b, c, d, e, f, K(34), M(34) );
   413       R( f, g, h, a, b, c, d, e, K(35), M(35) );
   414       R( e, f, g, h, a, b, c, d, K(36), M(36) );
   415       R( d, e, f, g, h, a, b, c, K(37), M(37) );
   416       R( c, d, e, f, g, h, a, b, K(38), M(38) );
   417       R( b, c, d, e, f, g, h, a, K(39), M(39) );
   418       R( a, b, c, d, e, f, g, h, K(40), M(40) );
   419       R( h, a, b, c, d, e, f, g, K(41), M(41) );
   420       R( g, h, a, b, c, d, e, f, K(42), M(42) );
   421       R( f, g, h, a, b, c, d, e, K(43), M(43) );
   422       R( e, f, g, h, a, b, c, d, K(44), M(44) );
   423       R( d, e, f, g, h, a, b, c, K(45), M(45) );
   424       R( c, d, e, f, g, h, a, b, K(46), M(46) );
   425       R( b, c, d, e, f, g, h, a, K(47), M(47) );
   426       R( a, b, c, d, e, f, g, h, K(48), M(48) );
   427       R( h, a, b, c, d, e, f, g, K(49), M(49) );
   428       R( g, h, a, b, c, d, e, f, K(50), M(50) );
   429       R( f, g, h, a, b, c, d, e, K(51), M(51) );
   430       R( e, f, g, h, a, b, c, d, K(52), M(52) );
   431       R( d, e, f, g, h, a, b, c, K(53), M(53) );
   432       R( c, d, e, f, g, h, a, b, K(54), M(54) );
   433       R( b, c, d, e, f, g, h, a, K(55), M(55) );
   434       R( a, b, c, d, e, f, g, h, K(56), M(56) );
   435       R( h, a, b, c, d, e, f, g, K(57), M(57) );
   436       R( g, h, a, b, c, d, e, f, K(58), M(58) );
   437       R( f, g, h, a, b, c, d, e, K(59), M(59) );
   438       R( e, f, g, h, a, b, c, d, K(60), M(60) );
   439       R( d, e, f, g, h, a, b, c, K(61), M(61) );
   440       R( c, d, e, f, g, h, a, b, K(62), M(62) );
   441       R( b, c, d, e, f, g, h, a, K(63), M(63) );
   442       R( a, b, c, d, e, f, g, h, K(64), M(64) );
   443       R( h, a, b, c, d, e, f, g, K(65), M(65) );
   444       R( g, h, a, b, c, d, e, f, K(66), M(66) );
   445       R( f, g, h, a, b, c, d, e, K(67), M(67) );
   446       R( e, f, g, h, a, b, c, d, K(68), M(68) );
   447       R( d, e, f, g, h, a, b, c, K(69), M(69) );
   448       R( c, d, e, f, g, h, a, b, K(70), M(70) );
   449       R( b, c, d, e, f, g, h, a, K(71), M(71) );
   450       R( a, b, c, d, e, f, g, h, K(72), M(72) );
   451       R( h, a, b, c, d, e, f, g, K(73), M(73) );
   452       R( g, h, a, b, c, d, e, f, K(74), M(74) );
   453       R( f, g, h, a, b, c, d, e, K(75), M(75) );
   454       R( e, f, g, h, a, b, c, d, K(76), M(76) );
   455       R( d, e, f, g, h, a, b, c, K(77), M(77) );
   456       R( c, d, e, f, g, h, a, b, K(78), M(78) );
   457       R( b, c, d, e, f, g, h, a, K(79), M(79) );
   458 
   459       a = ctx->state[0] = u64plus (ctx->state[0], a);
   460       b = ctx->state[1] = u64plus (ctx->state[1], b);
   461       c = ctx->state[2] = u64plus (ctx->state[2], c);
   462       d = ctx->state[3] = u64plus (ctx->state[3], d);
   463       e = ctx->state[4] = u64plus (ctx->state[4], e);
   464       f = ctx->state[5] = u64plus (ctx->state[5], f);
   465       g = ctx->state[6] = u64plus (ctx->state[6], g);
   466       h = ctx->state[7] = u64plus (ctx->state[7], h);
   467     }
   468 }
   469 
   470 #endif
   471 
   472 /*
   473  * Hey Emacs!
   474  * Local Variables:
   475  * coding: utf-8
   476  * End:
   477  */