1 /* sha512.c - Functions to compute SHA512 and SHA384 message digest of files or
2 memory blocks according to the NIST specification FIPS-180-2.
4 Copyright (C) 2005, 2006, 2008 Free Software Foundation, Inc.
6 This program is free software: you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation, either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>. */
19 /* Written by David Madore, considerably copypasting from
20 Scott G. Miller's sha1.c
31 # include "unlocked-io.h"
34 #ifdef WORDS_BIGENDIAN
38 u64or (u64or (u64or (u64shl (n, 56), \
39 u64shl (u64and (n, u64lo (0x0000ff00)), 40)), \
40 u64or (u64shl (u64and (n, u64lo (0x00ff0000)), 24), \
41 u64shl (u64and (n, u64lo (0xff000000)), 8))), \
42 u64or (u64or (u64and (u64shr (n, 8), u64lo (0xff000000)), \
43 u64and (u64shr (n, 24), u64lo (0x00ff0000))), \
44 u64or (u64and (u64shr (n, 40), u64lo (0x0000ff00)), \
48 #define BLOCKSIZE 4096
49 #if BLOCKSIZE % 128 != 0
50 # error "invalid BLOCKSIZE"
53 /* This array contains the bytes used to pad the buffer to the next
55 static const unsigned char fillbuf[128] = { 0x80, 0 /* , 0, 0, ... */ };
59 Takes a pointer to a 512 bit block of data (eight 64 bit ints) and
60 intializes it to the start constants of the SHA512 algorithm. This
61 must be called before using hash in the call to sha512_hash
64 sha512_init_ctx (struct sha512_ctx *ctx)
66 ctx->state[0] = u64hilo (0x6a09e667, 0xf3bcc908);
67 ctx->state[1] = u64hilo (0xbb67ae85, 0x84caa73b);
68 ctx->state[2] = u64hilo (0x3c6ef372, 0xfe94f82b);
69 ctx->state[3] = u64hilo (0xa54ff53a, 0x5f1d36f1);
70 ctx->state[4] = u64hilo (0x510e527f, 0xade682d1);
71 ctx->state[5] = u64hilo (0x9b05688c, 0x2b3e6c1f);
72 ctx->state[6] = u64hilo (0x1f83d9ab, 0xfb41bd6b);
73 ctx->state[7] = u64hilo (0x5be0cd19, 0x137e2179);
75 ctx->total[0] = ctx->total[1] = u64lo (0);
80 sha384_init_ctx (struct sha512_ctx *ctx)
82 ctx->state[0] = u64hilo (0xcbbb9d5d, 0xc1059ed8);
83 ctx->state[1] = u64hilo (0x629a292a, 0x367cd507);
84 ctx->state[2] = u64hilo (0x9159015a, 0x3070dd17);
85 ctx->state[3] = u64hilo (0x152fecd8, 0xf70e5939);
86 ctx->state[4] = u64hilo (0x67332667, 0xffc00b31);
87 ctx->state[5] = u64hilo (0x8eb44a87, 0x68581511);
88 ctx->state[6] = u64hilo (0xdb0c2e0d, 0x64f98fa7);
89 ctx->state[7] = u64hilo (0x47b5481d, 0xbefa4fa4);
91 ctx->total[0] = ctx->total[1] = u64lo (0);
95 /* Copy the value from V into the memory location pointed to by *CP,
96 If your architecture allows unaligned access, this is equivalent to
97 * (__typeof__ (v) *) cp = v */
99 set_uint64 (char *cp, u64 v)
101 memcpy (cp, &v, sizeof v);
104 /* Put result from CTX in first 64 bytes following RESBUF.
105 The result must be in little endian byte order. */
107 sha512_read_ctx (const struct sha512_ctx *ctx, void *resbuf)
112 for (i = 0; i < 8; i++)
113 set_uint64 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
119 sha384_read_ctx (const struct sha512_ctx *ctx, void *resbuf)
124 for (i = 0; i < 6; i++)
125 set_uint64 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
130 /* Process the remaining bytes in the internal buffer and the usual
131 prolog according to the standard and write the result to RESBUF. */
133 sha512_conclude_ctx (struct sha512_ctx *ctx)
135 /* Take yet unprocessed bytes into account. */
136 size_t bytes = ctx->buflen;
137 size_t size = (bytes < 112) ? 128 / 8 : 128 * 2 / 8;
139 /* Now count remaining bytes. */
140 ctx->total[0] = u64plus (ctx->total[0], u64lo (bytes));
141 if (u64lt (ctx->total[0], u64lo (bytes)))
142 ctx->total[1] = u64plus (ctx->total[1], u64lo (1));
144 /* Put the 128-bit file length in *bits* at the end of the buffer. */
145 ctx->buffer[size - 2] = SWAP (u64or (u64shl (ctx->total[1], 3),
146 u64shr (ctx->total[0], 61)));
147 ctx->buffer[size - 1] = SWAP (u64shl (ctx->total[0], 3));
149 memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 8 - bytes);
151 /* Process last bytes. */
152 sha512_process_block (ctx->buffer, size * 8, ctx);
156 sha512_finish_ctx (struct sha512_ctx *ctx, void *resbuf)
158 sha512_conclude_ctx (ctx);
159 return sha512_read_ctx (ctx, resbuf);
163 sha384_finish_ctx (struct sha512_ctx *ctx, void *resbuf)
165 sha512_conclude_ctx (ctx);
166 return sha384_read_ctx (ctx, resbuf);
169 /* Compute SHA512 message digest for bytes read from STREAM. The
170 resulting message digest number will be written into the 64 bytes
171 beginning at RESBLOCK. */
173 sha512_stream (FILE *stream, void *resblock)
175 struct sha512_ctx ctx;
176 char buffer[BLOCKSIZE + 72];
179 /* Initialize the computation context. */
180 sha512_init_ctx (&ctx);
182 /* Iterate over full file contents. */
185 /* We read the file in blocks of BLOCKSIZE bytes. One call of the
186 computation function processes the whole buffer so that with the
187 next round of the loop another block can be read. */
191 /* Read block. Take care for partial reads. */
194 n = fread (buffer + sum, 1, BLOCKSIZE - sum, stream);
198 if (sum == BLOCKSIZE)
203 /* Check for the error flag IFF N == 0, so that we don't
204 exit the loop after a partial read due to e.g., EAGAIN
208 goto process_partial_block;
211 /* We've read at least one byte, so ignore errors. But always
212 check for EOF, since feof may be true even though N > 0.
213 Otherwise, we could end up calling fread after EOF. */
215 goto process_partial_block;
218 /* Process buffer with BLOCKSIZE bytes. Note that
221 sha512_process_block (buffer, BLOCKSIZE, &ctx);
224 process_partial_block:;
226 /* Process any remaining bytes. */
228 sha512_process_bytes (buffer, sum, &ctx);
230 /* Construct result in desired memory. */
231 sha512_finish_ctx (&ctx, resblock);
235 /* FIXME: Avoid code duplication */
237 sha384_stream (FILE *stream, void *resblock)
239 struct sha512_ctx ctx;
240 char buffer[BLOCKSIZE + 72];
243 /* Initialize the computation context. */
244 sha384_init_ctx (&ctx);
246 /* Iterate over full file contents. */
249 /* We read the file in blocks of BLOCKSIZE bytes. One call of the
250 computation function processes the whole buffer so that with the
251 next round of the loop another block can be read. */
255 /* Read block. Take care for partial reads. */
258 n = fread (buffer + sum, 1, BLOCKSIZE - sum, stream);
262 if (sum == BLOCKSIZE)
267 /* Check for the error flag IFF N == 0, so that we don't
268 exit the loop after a partial read due to e.g., EAGAIN
272 goto process_partial_block;
275 /* We've read at least one byte, so ignore errors. But always
276 check for EOF, since feof may be true even though N > 0.
277 Otherwise, we could end up calling fread after EOF. */
279 goto process_partial_block;
282 /* Process buffer with BLOCKSIZE bytes. Note that
285 sha512_process_block (buffer, BLOCKSIZE, &ctx);
288 process_partial_block:;
290 /* Process any remaining bytes. */
292 sha512_process_bytes (buffer, sum, &ctx);
294 /* Construct result in desired memory. */
295 sha384_finish_ctx (&ctx, resblock);
299 /* Compute SHA512 message digest for LEN bytes beginning at BUFFER. The
300 result is always in little endian byte order, so that a byte-wise
301 output yields to the wanted ASCII representation of the message
304 sha512_buffer (const char *buffer, size_t len, void *resblock)
306 struct sha512_ctx ctx;
308 /* Initialize the computation context. */
309 sha512_init_ctx (&ctx);
311 /* Process whole buffer but last len % 128 bytes. */
312 sha512_process_bytes (buffer, len, &ctx);
314 /* Put result in desired memory area. */
315 return sha512_finish_ctx (&ctx, resblock);
319 sha384_buffer (const char *buffer, size_t len, void *resblock)
321 struct sha512_ctx ctx;
323 /* Initialize the computation context. */
324 sha384_init_ctx (&ctx);
326 /* Process whole buffer but last len % 128 bytes. */
327 sha512_process_bytes (buffer, len, &ctx);
329 /* Put result in desired memory area. */
330 return sha384_finish_ctx (&ctx, resblock);
334 sha512_process_bytes (const void *buffer, size_t len, struct sha512_ctx *ctx)
336 /* When we already have some bits in our internal buffer concatenate
337 both inputs first. */
338 if (ctx->buflen != 0)
340 size_t left_over = ctx->buflen;
341 size_t add = 256 - left_over > len ? len : 256 - left_over;
343 memcpy (&((char *) ctx->buffer)[left_over], buffer, add);
346 if (ctx->buflen > 128)
348 sha512_process_block (ctx->buffer, ctx->buflen & ~127, ctx);
351 /* The regions in the following copy operation cannot overlap. */
353 &((char *) ctx->buffer)[(left_over + add) & ~127],
357 buffer = (const char *) buffer + add;
361 /* Process available complete blocks. */
364 #if !_STRING_ARCH_unaligned
365 # define alignof(type) offsetof (struct { char c; type x; }, x)
366 # define UNALIGNED_P(p) (((size_t) p) % alignof (u64) != 0)
367 if (UNALIGNED_P (buffer))
370 sha512_process_block (memcpy (ctx->buffer, buffer, 128), 128, ctx);
371 buffer = (const char *) buffer + 128;
377 sha512_process_block (buffer, len & ~127, ctx);
378 buffer = (const char *) buffer + (len & ~127);
383 /* Move remaining bytes in internal buffer. */
386 size_t left_over = ctx->buflen;
388 memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
390 if (left_over >= 128)
392 sha512_process_block (ctx->buffer, 128, ctx);
394 memcpy (ctx->buffer, &ctx->buffer[16], left_over);
396 ctx->buflen = left_over;
400 /* --- Code below is the primary difference between sha1.c and sha512.c --- */
402 /* SHA512 round constants */
403 #define K(I) sha512_round_constants[I]
404 static u64 const sha512_round_constants[80] = {
405 u64init (0x428a2f98, 0xd728ae22), u64init (0x71374491, 0x23ef65cd),
406 u64init (0xb5c0fbcf, 0xec4d3b2f), u64init (0xe9b5dba5, 0x8189dbbc),
407 u64init (0x3956c25b, 0xf348b538), u64init (0x59f111f1, 0xb605d019),
408 u64init (0x923f82a4, 0xaf194f9b), u64init (0xab1c5ed5, 0xda6d8118),
409 u64init (0xd807aa98, 0xa3030242), u64init (0x12835b01, 0x45706fbe),
410 u64init (0x243185be, 0x4ee4b28c), u64init (0x550c7dc3, 0xd5ffb4e2),
411 u64init (0x72be5d74, 0xf27b896f), u64init (0x80deb1fe, 0x3b1696b1),
412 u64init (0x9bdc06a7, 0x25c71235), u64init (0xc19bf174, 0xcf692694),
413 u64init (0xe49b69c1, 0x9ef14ad2), u64init (0xefbe4786, 0x384f25e3),
414 u64init (0x0fc19dc6, 0x8b8cd5b5), u64init (0x240ca1cc, 0x77ac9c65),
415 u64init (0x2de92c6f, 0x592b0275), u64init (0x4a7484aa, 0x6ea6e483),
416 u64init (0x5cb0a9dc, 0xbd41fbd4), u64init (0x76f988da, 0x831153b5),
417 u64init (0x983e5152, 0xee66dfab), u64init (0xa831c66d, 0x2db43210),
418 u64init (0xb00327c8, 0x98fb213f), u64init (0xbf597fc7, 0xbeef0ee4),
419 u64init (0xc6e00bf3, 0x3da88fc2), u64init (0xd5a79147, 0x930aa725),
420 u64init (0x06ca6351, 0xe003826f), u64init (0x14292967, 0x0a0e6e70),
421 u64init (0x27b70a85, 0x46d22ffc), u64init (0x2e1b2138, 0x5c26c926),
422 u64init (0x4d2c6dfc, 0x5ac42aed), u64init (0x53380d13, 0x9d95b3df),
423 u64init (0x650a7354, 0x8baf63de), u64init (0x766a0abb, 0x3c77b2a8),
424 u64init (0x81c2c92e, 0x47edaee6), u64init (0x92722c85, 0x1482353b),
425 u64init (0xa2bfe8a1, 0x4cf10364), u64init (0xa81a664b, 0xbc423001),
426 u64init (0xc24b8b70, 0xd0f89791), u64init (0xc76c51a3, 0x0654be30),
427 u64init (0xd192e819, 0xd6ef5218), u64init (0xd6990624, 0x5565a910),
428 u64init (0xf40e3585, 0x5771202a), u64init (0x106aa070, 0x32bbd1b8),
429 u64init (0x19a4c116, 0xb8d2d0c8), u64init (0x1e376c08, 0x5141ab53),
430 u64init (0x2748774c, 0xdf8eeb99), u64init (0x34b0bcb5, 0xe19b48a8),
431 u64init (0x391c0cb3, 0xc5c95a63), u64init (0x4ed8aa4a, 0xe3418acb),
432 u64init (0x5b9cca4f, 0x7763e373), u64init (0x682e6ff3, 0xd6b2b8a3),
433 u64init (0x748f82ee, 0x5defb2fc), u64init (0x78a5636f, 0x43172f60),
434 u64init (0x84c87814, 0xa1f0ab72), u64init (0x8cc70208, 0x1a6439ec),
435 u64init (0x90befffa, 0x23631e28), u64init (0xa4506ceb, 0xde82bde9),
436 u64init (0xbef9a3f7, 0xb2c67915), u64init (0xc67178f2, 0xe372532b),
437 u64init (0xca273ece, 0xea26619c), u64init (0xd186b8c7, 0x21c0c207),
438 u64init (0xeada7dd6, 0xcde0eb1e), u64init (0xf57d4f7f, 0xee6ed178),
439 u64init (0x06f067aa, 0x72176fba), u64init (0x0a637dc5, 0xa2c898a6),
440 u64init (0x113f9804, 0xbef90dae), u64init (0x1b710b35, 0x131c471b),
441 u64init (0x28db77f5, 0x23047d84), u64init (0x32caab7b, 0x40c72493),
442 u64init (0x3c9ebe0a, 0x15c9bebc), u64init (0x431d67c4, 0x9c100d4c),
443 u64init (0x4cc5d4be, 0xcb3e42b6), u64init (0x597f299c, 0xfc657e2a),
444 u64init (0x5fcb6fab, 0x3ad6faec), u64init (0x6c44198c, 0x4a475817),
447 /* Round functions. */
448 #define F2(A, B, C) u64or (u64and (A, B), u64and (C, u64or (A, B)))
449 #define F1(E, F, G) u64xor (G, u64and (E, u64xor (F, G)))
451 /* Process LEN bytes of BUFFER, accumulating context into CTX.
452 It is assumed that LEN % 128 == 0.
453 Most of this code comes from GnuPG's cipher/sha1.c. */
456 sha512_process_block (const void *buffer, size_t len, struct sha512_ctx *ctx)
458 u64 const *words = buffer;
459 u64 const *endp = words + len / sizeof (u64);
461 u64 a = ctx->state[0];
462 u64 b = ctx->state[1];
463 u64 c = ctx->state[2];
464 u64 d = ctx->state[3];
465 u64 e = ctx->state[4];
466 u64 f = ctx->state[5];
467 u64 g = ctx->state[6];
468 u64 h = ctx->state[7];
470 /* First increment the byte count. FIPS PUB 180-2 specifies the possible
471 length of the file up to 2^128 bits. Here we only compute the
472 number of bytes. Do a double word increment. */
473 ctx->total[0] = u64plus (ctx->total[0], u64lo (len));
474 if (u64lt (ctx->total[0], u64lo (len)))
475 ctx->total[1] = u64plus (ctx->total[1], u64lo (1));
477 #define S0(x) u64xor (u64rol(x, 63), u64xor (u64rol (x, 56), u64shr (x, 7)))
478 #define S1(x) u64xor (u64rol (x, 45), u64xor (u64rol (x, 3), u64shr (x, 6)))
479 #define SS0(x) u64xor (u64rol (x, 36), u64xor (u64rol (x, 30), u64rol (x, 25)))
480 #define SS1(x) u64xor (u64rol(x, 50), u64xor (u64rol (x, 46), u64rol (x, 23)))
482 #define M(I) (x[(I) & 15] \
483 = u64plus (x[(I) & 15], \
484 u64plus (S1 (x[((I) - 2) & 15]), \
485 u64plus (x[((I) - 7) & 15], \
486 S0 (x[((I) - 15) & 15])))))
488 #define R(A, B, C, D, E, F, G, H, K, M) \
491 u64 t0 = u64plus (SS0 (A), F2 (A, B, C)); \
493 u64plus (H, u64plus (SS1 (E), \
494 u64plus (F1 (E, F, G), u64plus (K, M)))); \
495 D = u64plus (D, t1); \
496 H = u64plus (t0, t1); \
503 /* FIXME: see sha1.c for a better implementation. */
504 for (t = 0; t < 16; t++)
506 x[t] = SWAP (*words);
510 R( a, b, c, d, e, f, g, h, K( 0), x[ 0] );
511 R( h, a, b, c, d, e, f, g, K( 1), x[ 1] );
512 R( g, h, a, b, c, d, e, f, K( 2), x[ 2] );
513 R( f, g, h, a, b, c, d, e, K( 3), x[ 3] );
514 R( e, f, g, h, a, b, c, d, K( 4), x[ 4] );
515 R( d, e, f, g, h, a, b, c, K( 5), x[ 5] );
516 R( c, d, e, f, g, h, a, b, K( 6), x[ 6] );
517 R( b, c, d, e, f, g, h, a, K( 7), x[ 7] );
518 R( a, b, c, d, e, f, g, h, K( 8), x[ 8] );
519 R( h, a, b, c, d, e, f, g, K( 9), x[ 9] );
520 R( g, h, a, b, c, d, e, f, K(10), x[10] );
521 R( f, g, h, a, b, c, d, e, K(11), x[11] );
522 R( e, f, g, h, a, b, c, d, K(12), x[12] );
523 R( d, e, f, g, h, a, b, c, K(13), x[13] );
524 R( c, d, e, f, g, h, a, b, K(14), x[14] );
525 R( b, c, d, e, f, g, h, a, K(15), x[15] );
526 R( a, b, c, d, e, f, g, h, K(16), M(16) );
527 R( h, a, b, c, d, e, f, g, K(17), M(17) );
528 R( g, h, a, b, c, d, e, f, K(18), M(18) );
529 R( f, g, h, a, b, c, d, e, K(19), M(19) );
530 R( e, f, g, h, a, b, c, d, K(20), M(20) );
531 R( d, e, f, g, h, a, b, c, K(21), M(21) );
532 R( c, d, e, f, g, h, a, b, K(22), M(22) );
533 R( b, c, d, e, f, g, h, a, K(23), M(23) );
534 R( a, b, c, d, e, f, g, h, K(24), M(24) );
535 R( h, a, b, c, d, e, f, g, K(25), M(25) );
536 R( g, h, a, b, c, d, e, f, K(26), M(26) );
537 R( f, g, h, a, b, c, d, e, K(27), M(27) );
538 R( e, f, g, h, a, b, c, d, K(28), M(28) );
539 R( d, e, f, g, h, a, b, c, K(29), M(29) );
540 R( c, d, e, f, g, h, a, b, K(30), M(30) );
541 R( b, c, d, e, f, g, h, a, K(31), M(31) );
542 R( a, b, c, d, e, f, g, h, K(32), M(32) );
543 R( h, a, b, c, d, e, f, g, K(33), M(33) );
544 R( g, h, a, b, c, d, e, f, K(34), M(34) );
545 R( f, g, h, a, b, c, d, e, K(35), M(35) );
546 R( e, f, g, h, a, b, c, d, K(36), M(36) );
547 R( d, e, f, g, h, a, b, c, K(37), M(37) );
548 R( c, d, e, f, g, h, a, b, K(38), M(38) );
549 R( b, c, d, e, f, g, h, a, K(39), M(39) );
550 R( a, b, c, d, e, f, g, h, K(40), M(40) );
551 R( h, a, b, c, d, e, f, g, K(41), M(41) );
552 R( g, h, a, b, c, d, e, f, K(42), M(42) );
553 R( f, g, h, a, b, c, d, e, K(43), M(43) );
554 R( e, f, g, h, a, b, c, d, K(44), M(44) );
555 R( d, e, f, g, h, a, b, c, K(45), M(45) );
556 R( c, d, e, f, g, h, a, b, K(46), M(46) );
557 R( b, c, d, e, f, g, h, a, K(47), M(47) );
558 R( a, b, c, d, e, f, g, h, K(48), M(48) );
559 R( h, a, b, c, d, e, f, g, K(49), M(49) );
560 R( g, h, a, b, c, d, e, f, K(50), M(50) );
561 R( f, g, h, a, b, c, d, e, K(51), M(51) );
562 R( e, f, g, h, a, b, c, d, K(52), M(52) );
563 R( d, e, f, g, h, a, b, c, K(53), M(53) );
564 R( c, d, e, f, g, h, a, b, K(54), M(54) );
565 R( b, c, d, e, f, g, h, a, K(55), M(55) );
566 R( a, b, c, d, e, f, g, h, K(56), M(56) );
567 R( h, a, b, c, d, e, f, g, K(57), M(57) );
568 R( g, h, a, b, c, d, e, f, K(58), M(58) );
569 R( f, g, h, a, b, c, d, e, K(59), M(59) );
570 R( e, f, g, h, a, b, c, d, K(60), M(60) );
571 R( d, e, f, g, h, a, b, c, K(61), M(61) );
572 R( c, d, e, f, g, h, a, b, K(62), M(62) );
573 R( b, c, d, e, f, g, h, a, K(63), M(63) );
574 R( a, b, c, d, e, f, g, h, K(64), M(64) );
575 R( h, a, b, c, d, e, f, g, K(65), M(65) );
576 R( g, h, a, b, c, d, e, f, K(66), M(66) );
577 R( f, g, h, a, b, c, d, e, K(67), M(67) );
578 R( e, f, g, h, a, b, c, d, K(68), M(68) );
579 R( d, e, f, g, h, a, b, c, K(69), M(69) );
580 R( c, d, e, f, g, h, a, b, K(70), M(70) );
581 R( b, c, d, e, f, g, h, a, K(71), M(71) );
582 R( a, b, c, d, e, f, g, h, K(72), M(72) );
583 R( h, a, b, c, d, e, f, g, K(73), M(73) );
584 R( g, h, a, b, c, d, e, f, K(74), M(74) );
585 R( f, g, h, a, b, c, d, e, K(75), M(75) );
586 R( e, f, g, h, a, b, c, d, K(76), M(76) );
587 R( d, e, f, g, h, a, b, c, K(77), M(77) );
588 R( c, d, e, f, g, h, a, b, K(78), M(78) );
589 R( b, c, d, e, f, g, h, a, K(79), M(79) );
591 a = ctx->state[0] = u64plus (ctx->state[0], a);
592 b = ctx->state[1] = u64plus (ctx->state[1], b);
593 c = ctx->state[2] = u64plus (ctx->state[2], c);
594 d = ctx->state[3] = u64plus (ctx->state[3], d);
595 e = ctx->state[4] = u64plus (ctx->state[4], e);
596 f = ctx->state[5] = u64plus (ctx->state[5], f);
597 g = ctx->state[6] = u64plus (ctx->state[6], g);
598 h = ctx->state[7] = u64plus (ctx->state[7], h);