Home | History | Annotate | Line # | Download | only in libiberty
sha1.c revision 1.1.1.1.8.1
      1          1.1  mrg /* sha1.c - Functions to compute SHA1 message digest of files or
      2          1.1  mrg    memory blocks according to the NIST specification FIPS-180-1.
      3          1.1  mrg 
      4          1.1  mrg    Copyright (C) 2000, 2001, 2003, 2004, 2005, 2006, 2008 Free Software
      5          1.1  mrg    Foundation, Inc.
      6          1.1  mrg 
      7          1.1  mrg    This program is free software; you can redistribute it and/or modify it
      8          1.1  mrg    under the terms of the GNU General Public License as published by the
      9          1.1  mrg    Free Software Foundation; either version 2, or (at your option) any
     10          1.1  mrg    later version.
     11          1.1  mrg 
     12          1.1  mrg    This program is distributed in the hope that it will be useful,
     13          1.1  mrg    but WITHOUT ANY WARRANTY; without even the implied warranty of
     14          1.1  mrg    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     15          1.1  mrg    GNU General Public License for more details.
     16          1.1  mrg 
     17          1.1  mrg    You should have received a copy of the GNU General Public License
     18          1.1  mrg    along with this program; if not, write to the Free Software Foundation,
     19          1.1  mrg    Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.  */
     20          1.1  mrg 
     21          1.1  mrg /* Written by Scott G. Miller
     22          1.1  mrg    Credits:
     23          1.1  mrg       Robert Klep <robert (at) ilse.nl>  -- Expansion function fix
     24          1.1  mrg */
     25          1.1  mrg 
     26          1.1  mrg #include <config.h>
     27          1.1  mrg 
     28          1.1  mrg #include "sha1.h"
     29          1.1  mrg 
     30          1.1  mrg #include <stddef.h>
     31          1.1  mrg #include <string.h>
     32          1.1  mrg 
     33          1.1  mrg #if USE_UNLOCKED_IO
     34          1.1  mrg # include "unlocked-io.h"
     35          1.1  mrg #endif
     36          1.1  mrg 
     37          1.1  mrg #ifdef WORDS_BIGENDIAN
     38          1.1  mrg # define SWAP(n) (n)
     39          1.1  mrg #else
     40          1.1  mrg # define SWAP(n) \
     41          1.1  mrg     (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
     42          1.1  mrg #endif
     43          1.1  mrg 
     44          1.1  mrg #define BLOCKSIZE 4096
     45          1.1  mrg #if BLOCKSIZE % 64 != 0
     46          1.1  mrg # error "invalid BLOCKSIZE"
     47          1.1  mrg #endif
     48          1.1  mrg 
     49          1.1  mrg /* This array contains the bytes used to pad the buffer to the next
     50          1.1  mrg    64-byte boundary.  (RFC 1321, 3.1: Step 1)  */
     51          1.1  mrg static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ...  */ };
     52          1.1  mrg 
     53          1.1  mrg 
     54          1.1  mrg /* Take a pointer to a 160 bit block of data (five 32 bit ints) and
     55          1.1  mrg    initialize it to the start constants of the SHA1 algorithm.  This
     56          1.1  mrg    must be called before using hash in the call to sha1_hash.  */
     57          1.1  mrg void
     58          1.1  mrg sha1_init_ctx (struct sha1_ctx *ctx)
     59          1.1  mrg {
     60          1.1  mrg   ctx->A = 0x67452301;
     61          1.1  mrg   ctx->B = 0xefcdab89;
     62          1.1  mrg   ctx->C = 0x98badcfe;
     63          1.1  mrg   ctx->D = 0x10325476;
     64          1.1  mrg   ctx->E = 0xc3d2e1f0;
     65          1.1  mrg 
     66          1.1  mrg   ctx->total[0] = ctx->total[1] = 0;
     67          1.1  mrg   ctx->buflen = 0;
     68          1.1  mrg }
     69          1.1  mrg 
     70          1.1  mrg /* Put result from CTX in first 20 bytes following RESBUF.  The result
     71          1.1  mrg    must be in little endian byte order.
     72          1.1  mrg 
     73          1.1  mrg    IMPORTANT: On some systems it is required that RESBUF is correctly
     74          1.1  mrg    aligned for a 32-bit value.  */
     75          1.1  mrg void *
     76          1.1  mrg sha1_read_ctx (const struct sha1_ctx *ctx, void *resbuf)
     77          1.1  mrg {
     78          1.1  mrg   ((sha1_uint32 *) resbuf)[0] = SWAP (ctx->A);
     79          1.1  mrg   ((sha1_uint32 *) resbuf)[1] = SWAP (ctx->B);
     80          1.1  mrg   ((sha1_uint32 *) resbuf)[2] = SWAP (ctx->C);
     81          1.1  mrg   ((sha1_uint32 *) resbuf)[3] = SWAP (ctx->D);
     82          1.1  mrg   ((sha1_uint32 *) resbuf)[4] = SWAP (ctx->E);
     83          1.1  mrg 
     84          1.1  mrg   return resbuf;
     85          1.1  mrg }
     86          1.1  mrg 
     87          1.1  mrg /* Process the remaining bytes in the internal buffer and the usual
     88          1.1  mrg    prolog according to the standard and write the result to RESBUF.
     89          1.1  mrg 
     90          1.1  mrg    IMPORTANT: On some systems it is required that RESBUF is correctly
     91          1.1  mrg    aligned for a 32-bit value.  */
     92          1.1  mrg void *
     93          1.1  mrg sha1_finish_ctx (struct sha1_ctx *ctx, void *resbuf)
     94          1.1  mrg {
     95          1.1  mrg   /* Take yet unprocessed bytes into account.  */
     96          1.1  mrg   sha1_uint32 bytes = ctx->buflen;
     97          1.1  mrg   size_t size = (bytes < 56) ? 64 / 4 : 64 * 2 / 4;
     98          1.1  mrg 
     99          1.1  mrg   /* Now count remaining bytes.  */
    100          1.1  mrg   ctx->total[0] += bytes;
    101          1.1  mrg   if (ctx->total[0] < bytes)
    102          1.1  mrg     ++ctx->total[1];
    103          1.1  mrg 
    104          1.1  mrg   /* Put the 64-bit file length in *bits* at the end of the buffer.  */
    105          1.1  mrg   ctx->buffer[size - 2] = SWAP ((ctx->total[1] << 3) | (ctx->total[0] >> 29));
    106          1.1  mrg   ctx->buffer[size - 1] = SWAP (ctx->total[0] << 3);
    107          1.1  mrg 
    108          1.1  mrg   memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 4 - bytes);
    109          1.1  mrg 
    110          1.1  mrg   /* Process last bytes.  */
    111          1.1  mrg   sha1_process_block (ctx->buffer, size * 4, ctx);
    112          1.1  mrg 
    113          1.1  mrg   return sha1_read_ctx (ctx, resbuf);
    114          1.1  mrg }
    115          1.1  mrg 
    116          1.1  mrg /* Compute SHA1 message digest for bytes read from STREAM.  The
    117          1.1  mrg    resulting message digest number will be written into the 16 bytes
    118          1.1  mrg    beginning at RESBLOCK.  */
    119          1.1  mrg int
    120          1.1  mrg sha1_stream (FILE *stream, void *resblock)
    121          1.1  mrg {
    122          1.1  mrg   struct sha1_ctx ctx;
    123          1.1  mrg   char buffer[BLOCKSIZE + 72];
    124          1.1  mrg   size_t sum;
    125          1.1  mrg 
    126          1.1  mrg   /* Initialize the computation context.  */
    127          1.1  mrg   sha1_init_ctx (&ctx);
    128          1.1  mrg 
    129          1.1  mrg   /* Iterate over full file contents.  */
    130          1.1  mrg   while (1)
    131          1.1  mrg     {
    132          1.1  mrg       /* We read the file in blocks of BLOCKSIZE bytes.  One call of the
    133          1.1  mrg 	 computation function processes the whole buffer so that with the
    134          1.1  mrg 	 next round of the loop another block can be read.  */
    135          1.1  mrg       size_t n;
    136          1.1  mrg       sum = 0;
    137          1.1  mrg 
    138          1.1  mrg       /* Read block.  Take care for partial reads.  */
    139          1.1  mrg       while (1)
    140          1.1  mrg 	{
    141          1.1  mrg 	  n = fread (buffer + sum, 1, BLOCKSIZE - sum, stream);
    142          1.1  mrg 
    143          1.1  mrg 	  sum += n;
    144          1.1  mrg 
    145          1.1  mrg 	  if (sum == BLOCKSIZE)
    146          1.1  mrg 	    break;
    147          1.1  mrg 
    148          1.1  mrg 	  if (n == 0)
    149          1.1  mrg 	    {
    150          1.1  mrg 	      /* Check for the error flag IFF N == 0, so that we don't
    151          1.1  mrg 		 exit the loop after a partial read due to e.g., EAGAIN
    152          1.1  mrg 		 or EWOULDBLOCK.  */
    153          1.1  mrg 	      if (ferror (stream))
    154          1.1  mrg 		return 1;
    155          1.1  mrg 	      goto process_partial_block;
    156          1.1  mrg 	    }
    157          1.1  mrg 
    158          1.1  mrg 	  /* We've read at least one byte, so ignore errors.  But always
    159          1.1  mrg 	     check for EOF, since feof may be true even though N > 0.
    160          1.1  mrg 	     Otherwise, we could end up calling fread after EOF.  */
    161          1.1  mrg 	  if (feof (stream))
    162          1.1  mrg 	    goto process_partial_block;
    163          1.1  mrg 	}
    164          1.1  mrg 
    165          1.1  mrg       /* Process buffer with BLOCKSIZE bytes.  Note that
    166          1.1  mrg 			BLOCKSIZE % 64 == 0
    167          1.1  mrg        */
    168          1.1  mrg       sha1_process_block (buffer, BLOCKSIZE, &ctx);
    169          1.1  mrg     }
    170          1.1  mrg 
    171          1.1  mrg  process_partial_block:;
    172          1.1  mrg 
    173          1.1  mrg   /* Process any remaining bytes.  */
    174          1.1  mrg   if (sum > 0)
    175          1.1  mrg     sha1_process_bytes (buffer, sum, &ctx);
    176          1.1  mrg 
    177          1.1  mrg   /* Construct result in desired memory.  */
    178          1.1  mrg   sha1_finish_ctx (&ctx, resblock);
    179          1.1  mrg   return 0;
    180          1.1  mrg }
    181          1.1  mrg 
    182          1.1  mrg /* Compute SHA1 message digest for LEN bytes beginning at BUFFER.  The
    183          1.1  mrg    result is always in little endian byte order, so that a byte-wise
    184          1.1  mrg    output yields to the wanted ASCII representation of the message
    185          1.1  mrg    digest.  */
    186          1.1  mrg void *
    187          1.1  mrg sha1_buffer (const char *buffer, size_t len, void *resblock)
    188          1.1  mrg {
    189          1.1  mrg   struct sha1_ctx ctx;
    190          1.1  mrg 
    191          1.1  mrg   /* Initialize the computation context.  */
    192          1.1  mrg   sha1_init_ctx (&ctx);
    193          1.1  mrg 
    194          1.1  mrg   /* Process whole buffer but last len % 64 bytes.  */
    195          1.1  mrg   sha1_process_bytes (buffer, len, &ctx);
    196          1.1  mrg 
    197          1.1  mrg   /* Put result in desired memory area.  */
    198          1.1  mrg   return sha1_finish_ctx (&ctx, resblock);
    199          1.1  mrg }
    200          1.1  mrg 
    201          1.1  mrg void
    202          1.1  mrg sha1_process_bytes (const void *buffer, size_t len, struct sha1_ctx *ctx)
    203          1.1  mrg {
    204          1.1  mrg   /* When we already have some bits in our internal buffer concatenate
    205          1.1  mrg      both inputs first.  */
    206          1.1  mrg   if (ctx->buflen != 0)
    207          1.1  mrg     {
    208          1.1  mrg       size_t left_over = ctx->buflen;
    209          1.1  mrg       size_t add = 128 - left_over > len ? len : 128 - left_over;
    210          1.1  mrg 
    211          1.1  mrg       memcpy (&((char *) ctx->buffer)[left_over], buffer, add);
    212          1.1  mrg       ctx->buflen += add;
    213          1.1  mrg 
    214          1.1  mrg       if (ctx->buflen > 64)
    215          1.1  mrg 	{
    216          1.1  mrg 	  sha1_process_block (ctx->buffer, ctx->buflen & ~63, ctx);
    217          1.1  mrg 
    218          1.1  mrg 	  ctx->buflen &= 63;
    219          1.1  mrg 	  /* The regions in the following copy operation cannot overlap.  */
    220          1.1  mrg 	  memcpy (ctx->buffer,
    221          1.1  mrg 		  &((char *) ctx->buffer)[(left_over + add) & ~63],
    222          1.1  mrg 		  ctx->buflen);
    223          1.1  mrg 	}
    224          1.1  mrg 
    225          1.1  mrg       buffer = (const char *) buffer + add;
    226          1.1  mrg       len -= add;
    227          1.1  mrg     }
    228          1.1  mrg 
    229          1.1  mrg   /* Process available complete blocks.  */
    230          1.1  mrg   if (len >= 64)
    231          1.1  mrg     {
    232          1.1  mrg #if !_STRING_ARCH_unaligned
    233          1.1  mrg # define alignof(type) offsetof (struct { char c; type x; }, x)
    234          1.1  mrg # define UNALIGNED_P(p) (((size_t) p) % alignof (sha1_uint32) != 0)
    235          1.1  mrg       if (UNALIGNED_P (buffer))
    236          1.1  mrg 	while (len > 64)
    237          1.1  mrg 	  {
    238          1.1  mrg 	    sha1_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx);
    239          1.1  mrg 	    buffer = (const char *) buffer + 64;
    240          1.1  mrg 	    len -= 64;
    241          1.1  mrg 	  }
    242          1.1  mrg       else
    243          1.1  mrg #endif
    244          1.1  mrg 	{
    245          1.1  mrg 	  sha1_process_block (buffer, len & ~63, ctx);
    246          1.1  mrg 	  buffer = (const char *) buffer + (len & ~63);
    247          1.1  mrg 	  len &= 63;
    248          1.1  mrg 	}
    249          1.1  mrg     }
    250          1.1  mrg 
    251          1.1  mrg   /* Move remaining bytes in internal buffer.  */
    252          1.1  mrg   if (len > 0)
    253          1.1  mrg     {
    254          1.1  mrg       size_t left_over = ctx->buflen;
    255          1.1  mrg 
    256          1.1  mrg       memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
    257          1.1  mrg       left_over += len;
    258          1.1  mrg       if (left_over >= 64)
    259          1.1  mrg 	{
    260          1.1  mrg 	  sha1_process_block (ctx->buffer, 64, ctx);
    261          1.1  mrg 	  left_over -= 64;
    262          1.1  mrg 	  memcpy (ctx->buffer, &ctx->buffer[16], left_over);
    263          1.1  mrg 	}
    264          1.1  mrg       ctx->buflen = left_over;
    265          1.1  mrg     }
    266          1.1  mrg }
    267          1.1  mrg 
    268          1.1  mrg /* --- Code below is the primary difference between md5.c and sha1.c --- */
    269          1.1  mrg 
    270          1.1  mrg /* SHA1 round constants */
    271          1.1  mrg #define K1 0x5a827999
    272          1.1  mrg #define K2 0x6ed9eba1
    273          1.1  mrg #define K3 0x8f1bbcdc
    274          1.1  mrg #define K4 0xca62c1d6
    275          1.1  mrg 
    276          1.1  mrg /* Round functions.  Note that F2 is the same as F4.  */
    277          1.1  mrg #define F1(B,C,D) ( D ^ ( B & ( C ^ D ) ) )
    278          1.1  mrg #define F2(B,C,D) (B ^ C ^ D)
    279          1.1  mrg #define F3(B,C,D) ( ( B & C ) | ( D & ( B | C ) ) )
    280          1.1  mrg #define F4(B,C,D) (B ^ C ^ D)
    281          1.1  mrg 
    282          1.1  mrg /* Process LEN bytes of BUFFER, accumulating context into CTX.
    283          1.1  mrg    It is assumed that LEN % 64 == 0.
    284          1.1  mrg    Most of this code comes from GnuPG's cipher/sha1.c.  */
    285          1.1  mrg 
    286          1.1  mrg void
    287          1.1  mrg sha1_process_block (const void *buffer, size_t len, struct sha1_ctx *ctx)
    288          1.1  mrg {
    289          1.1  mrg   const sha1_uint32 *words = (const sha1_uint32*) buffer;
    290          1.1  mrg   size_t nwords = len / sizeof (sha1_uint32);
    291          1.1  mrg   const sha1_uint32 *endp = words + nwords;
    292          1.1  mrg   sha1_uint32 x[16];
    293          1.1  mrg   sha1_uint32 a = ctx->A;
    294          1.1  mrg   sha1_uint32 b = ctx->B;
    295          1.1  mrg   sha1_uint32 c = ctx->C;
    296          1.1  mrg   sha1_uint32 d = ctx->D;
    297          1.1  mrg   sha1_uint32 e = ctx->E;
    298          1.1  mrg 
    299          1.1  mrg   /* First increment the byte count.  RFC 1321 specifies the possible
    300          1.1  mrg      length of the file up to 2^64 bits.  Here we only compute the
    301          1.1  mrg      number of bytes.  Do a double word increment.  */
    302          1.1  mrg   ctx->total[0] += len;
    303  1.1.1.1.8.1  tls   ctx->total[1] += ((len >> 31) >> 1) + (ctx->total[0] < len);
    304          1.1  mrg 
    305          1.1  mrg #define rol(x, n) (((x) << (n)) | ((sha1_uint32) (x) >> (32 - (n))))
    306          1.1  mrg 
    307          1.1  mrg #define M(I) ( tm =   x[I&0x0f] ^ x[(I-14)&0x0f] \
    308          1.1  mrg 		    ^ x[(I-8)&0x0f] ^ x[(I-3)&0x0f] \
    309          1.1  mrg 	       , (x[I&0x0f] = rol(tm, 1)) )
    310          1.1  mrg 
    311          1.1  mrg #define R(A,B,C,D,E,F,K,M)  do { E += rol( A, 5 )     \
    312          1.1  mrg 				      + F( B, C, D )  \
    313          1.1  mrg 				      + K	      \
    314          1.1  mrg 				      + M;	      \
    315          1.1  mrg 				 B = rol( B, 30 );    \
    316          1.1  mrg 			       } while(0)
    317          1.1  mrg 
    318          1.1  mrg   while (words < endp)
    319          1.1  mrg     {
    320          1.1  mrg       sha1_uint32 tm;
    321          1.1  mrg       int t;
    322          1.1  mrg       for (t = 0; t < 16; t++)
    323          1.1  mrg 	{
    324          1.1  mrg 	  x[t] = SWAP (*words);
    325          1.1  mrg 	  words++;
    326          1.1  mrg 	}
    327          1.1  mrg 
    328          1.1  mrg       R( a, b, c, d, e, F1, K1, x[ 0] );
    329          1.1  mrg       R( e, a, b, c, d, F1, K1, x[ 1] );
    330          1.1  mrg       R( d, e, a, b, c, F1, K1, x[ 2] );
    331          1.1  mrg       R( c, d, e, a, b, F1, K1, x[ 3] );
    332          1.1  mrg       R( b, c, d, e, a, F1, K1, x[ 4] );
    333          1.1  mrg       R( a, b, c, d, e, F1, K1, x[ 5] );
    334          1.1  mrg       R( e, a, b, c, d, F1, K1, x[ 6] );
    335          1.1  mrg       R( d, e, a, b, c, F1, K1, x[ 7] );
    336          1.1  mrg       R( c, d, e, a, b, F1, K1, x[ 8] );
    337          1.1  mrg       R( b, c, d, e, a, F1, K1, x[ 9] );
    338          1.1  mrg       R( a, b, c, d, e, F1, K1, x[10] );
    339          1.1  mrg       R( e, a, b, c, d, F1, K1, x[11] );
    340          1.1  mrg       R( d, e, a, b, c, F1, K1, x[12] );
    341          1.1  mrg       R( c, d, e, a, b, F1, K1, x[13] );
    342          1.1  mrg       R( b, c, d, e, a, F1, K1, x[14] );
    343          1.1  mrg       R( a, b, c, d, e, F1, K1, x[15] );
    344          1.1  mrg       R( e, a, b, c, d, F1, K1, M(16) );
    345          1.1  mrg       R( d, e, a, b, c, F1, K1, M(17) );
    346          1.1  mrg       R( c, d, e, a, b, F1, K1, M(18) );
    347          1.1  mrg       R( b, c, d, e, a, F1, K1, M(19) );
    348          1.1  mrg       R( a, b, c, d, e, F2, K2, M(20) );
    349          1.1  mrg       R( e, a, b, c, d, F2, K2, M(21) );
    350          1.1  mrg       R( d, e, a, b, c, F2, K2, M(22) );
    351          1.1  mrg       R( c, d, e, a, b, F2, K2, M(23) );
    352          1.1  mrg       R( b, c, d, e, a, F2, K2, M(24) );
    353          1.1  mrg       R( a, b, c, d, e, F2, K2, M(25) );
    354          1.1  mrg       R( e, a, b, c, d, F2, K2, M(26) );
    355          1.1  mrg       R( d, e, a, b, c, F2, K2, M(27) );
    356          1.1  mrg       R( c, d, e, a, b, F2, K2, M(28) );
    357          1.1  mrg       R( b, c, d, e, a, F2, K2, M(29) );
    358          1.1  mrg       R( a, b, c, d, e, F2, K2, M(30) );
    359          1.1  mrg       R( e, a, b, c, d, F2, K2, M(31) );
    360          1.1  mrg       R( d, e, a, b, c, F2, K2, M(32) );
    361          1.1  mrg       R( c, d, e, a, b, F2, K2, M(33) );
    362          1.1  mrg       R( b, c, d, e, a, F2, K2, M(34) );
    363          1.1  mrg       R( a, b, c, d, e, F2, K2, M(35) );
    364          1.1  mrg       R( e, a, b, c, d, F2, K2, M(36) );
    365          1.1  mrg       R( d, e, a, b, c, F2, K2, M(37) );
    366          1.1  mrg       R( c, d, e, a, b, F2, K2, M(38) );
    367          1.1  mrg       R( b, c, d, e, a, F2, K2, M(39) );
    368          1.1  mrg       R( a, b, c, d, e, F3, K3, M(40) );
    369          1.1  mrg       R( e, a, b, c, d, F3, K3, M(41) );
    370          1.1  mrg       R( d, e, a, b, c, F3, K3, M(42) );
    371          1.1  mrg       R( c, d, e, a, b, F3, K3, M(43) );
    372          1.1  mrg       R( b, c, d, e, a, F3, K3, M(44) );
    373          1.1  mrg       R( a, b, c, d, e, F3, K3, M(45) );
    374          1.1  mrg       R( e, a, b, c, d, F3, K3, M(46) );
    375          1.1  mrg       R( d, e, a, b, c, F3, K3, M(47) );
    376          1.1  mrg       R( c, d, e, a, b, F3, K3, M(48) );
    377          1.1  mrg       R( b, c, d, e, a, F3, K3, M(49) );
    378          1.1  mrg       R( a, b, c, d, e, F3, K3, M(50) );
    379          1.1  mrg       R( e, a, b, c, d, F3, K3, M(51) );
    380          1.1  mrg       R( d, e, a, b, c, F3, K3, M(52) );
    381          1.1  mrg       R( c, d, e, a, b, F3, K3, M(53) );
    382          1.1  mrg       R( b, c, d, e, a, F3, K3, M(54) );
    383          1.1  mrg       R( a, b, c, d, e, F3, K3, M(55) );
    384          1.1  mrg       R( e, a, b, c, d, F3, K3, M(56) );
    385          1.1  mrg       R( d, e, a, b, c, F3, K3, M(57) );
    386          1.1  mrg       R( c, d, e, a, b, F3, K3, M(58) );
    387          1.1  mrg       R( b, c, d, e, a, F3, K3, M(59) );
    388          1.1  mrg       R( a, b, c, d, e, F4, K4, M(60) );
    389          1.1  mrg       R( e, a, b, c, d, F4, K4, M(61) );
    390          1.1  mrg       R( d, e, a, b, c, F4, K4, M(62) );
    391          1.1  mrg       R( c, d, e, a, b, F4, K4, M(63) );
    392          1.1  mrg       R( b, c, d, e, a, F4, K4, M(64) );
    393          1.1  mrg       R( a, b, c, d, e, F4, K4, M(65) );
    394          1.1  mrg       R( e, a, b, c, d, F4, K4, M(66) );
    395          1.1  mrg       R( d, e, a, b, c, F4, K4, M(67) );
    396          1.1  mrg       R( c, d, e, a, b, F4, K4, M(68) );
    397          1.1  mrg       R( b, c, d, e, a, F4, K4, M(69) );
    398          1.1  mrg       R( a, b, c, d, e, F4, K4, M(70) );
    399          1.1  mrg       R( e, a, b, c, d, F4, K4, M(71) );
    400          1.1  mrg       R( d, e, a, b, c, F4, K4, M(72) );
    401          1.1  mrg       R( c, d, e, a, b, F4, K4, M(73) );
    402          1.1  mrg       R( b, c, d, e, a, F4, K4, M(74) );
    403          1.1  mrg       R( a, b, c, d, e, F4, K4, M(75) );
    404          1.1  mrg       R( e, a, b, c, d, F4, K4, M(76) );
    405          1.1  mrg       R( d, e, a, b, c, F4, K4, M(77) );
    406          1.1  mrg       R( c, d, e, a, b, F4, K4, M(78) );
    407          1.1  mrg       R( b, c, d, e, a, F4, K4, M(79) );
    408          1.1  mrg 
    409          1.1  mrg       a = ctx->A += a;
    410          1.1  mrg       b = ctx->B += b;
    411          1.1  mrg       c = ctx->C += c;
    412          1.1  mrg       d = ctx->D += d;
    413          1.1  mrg       e = ctx->E += e;
    414          1.1  mrg     }
    415          1.1  mrg }
    416