> For x86-64, this seems to be the bug: > > $ git diff > diff --git a/crypto/poly1305/asm/poly1305-x86_64.pl b/crypto/poly1305/asm/ > poly1305-x86_64.pl > index 3c810c5..bc14ed1 100755 > --- a/crypto/poly1305/asm/poly1305-x86_64.pl > +++ b/crypto/poly1305/asm/poly1305-x86_64.pl > @@ -97,6 +97,7 @@ $code.=<<___; > add $d3,%rax > add %rax,$h0 > adc \$0,$h1 > + adc \$0,$h2 > ___ > }
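Review bot: the new `adc \$0,$h2` should land with a source comment and a targeted regression vector, not only the one-line diff. The carry out of `adc \$0,$h1` is non-zero only when $h1 is already all ones, so the missing instruction was invisible to ordinary known-answer tests, and nothing in the hunk records why the third adc is there or what bound $h2 has afterwards (as the report notes, $h2 can then exceed its two bits, which every consumer of $h2 in the callers of this subroutine must tolerate). Suggest annotating the three lines, e.g. `add %rax,$h0 / adc \$0,$h1 / adc \$0,$h2  # h += 5*(h2>>2), carry through all of h0:h1:h2`, and adding a test input whose intermediate accumulator actually takes the carry out of $h1. The `\$0` escaping inside the `$code.=<<___` heredoc matches the adjacent `adc \$0,$h1`, so no further change is needed there.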
Correct. Testing is done on all platforms.

> In the final reduction, $h1 is all ones, so there is one more carry to
> propagate. Though $h2 can then overflow its two bits, I think? I expect
> that and the cleared bits of r mean the imulqs in poly1305_iteration are
> still safe, so we can pick up that slack in poly1305_emit, but I'm not sure
> about all the complex switching back and forth in the SIMD codepaths. Does
> __poly1305_block need to follow up with one more reduction?

That additional adc goes to a perl subroutine that is used in both
poly1305_blocks and __poly1305_blocks, so the modification covers both. Pure
SIMD paths (or FP) are not affected...

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4483
Please log in as guest with password guest if prompted

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
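The carry chain the thread is arguing about, as an added Python model written for this page (it is not OpenSSL code and not the patch under discussion). It keeps the accumulator in three 64-bit limbs h0/h1/h2 the way poly1305-x86_64.pl does, writes the post-multiply fold of 5*(h2>>2) out one carry at a time, and lets the final `adc $0,$h2` be switched off to reproduce the bug. The limb and register names (h0, h1, h2, r0, r1, s1, d0..d2) follow the perl source; the multiply in `mul_r`, the helper names, and the constructed edge state `EDGE_STATE` are this example's own. The full reduction in the emit step is done with bigints rather than modelled instruction by instruction.

```python
# Added example (not OpenSSL code): a Python model of the 64-bit-limb
# Poly1305 accumulator used by poly1305-x86_64.pl, with the post-multiply
# reduction written out one carry at a time so the effect of the patched
# `adc $0,$h2` can be shown. Limb names h0/h1/h2, r0/r1, s1 and d0..d2
# follow the perl source; everything else is this example's own.

MASK64 = (1 << 64) - 1
MASK128 = (1 << 128) - 1
P = (1 << 130) - 5  # the Poly1305 prime
CLAMP = 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF


def limbs_to_int(h0, h1, h2):
    return h0 | (h1 << 64) | (h2 << 128)


def partial_reduce(h0, h1, h2, propagate_to_h2=True):
    """Fold the bits of h2 above bit 1 back into h0 as 5*(h2>>2), since
    2^130 == 5 (mod P). propagate_to_h2=False reproduces the bug: the carry
    out of h1 is dropped instead of being added to h2."""
    fold = 5 * (h2 >> 2)           # and $-4,%rax ; shr $2 ; add -> 5*(h2>>2)
    h2 &= 3                        # and $3,$h2
    t = h0 + fold                  # add %rax,$h0
    h0, carry = t & MASK64, t >> 64
    t = h1 + carry                 # adc $0,$h1
    h1, carry = t & MASK64, t >> 64
    if propagate_to_h2:            # adc $0,$h2  (the line the patch adds)
        h2 += carry
    return h0, h1, h2


def add_block(h0, h1, h2, n):
    """h += n, where n already carries the 2^128 (or shorter) pad bit."""
    t = h0 + (n & MASK64)
    h0, carry = t & MASK64, t >> 64
    t = h1 + ((n >> 64) & MASK64) + carry
    h1, carry = t & MASK64, t >> 64
    return h0, h1, h2 + (n >> 128) + carry


def mul_r(h0, h1, h2, r0, r1):
    """h *= r (mod P). r1 is a multiple of 4 after clamping, so
    r1*2^128 == s1 (mod P) with s1 = r1 + r1/4; that absorbs the 2^128 and
    2^192 cross terms. h2 can be as large as roughly 2^63 on return."""
    s1 = r1 + (r1 >> 2)
    d0 = h0 * r0 + h1 * s1
    d1 = h0 * r1 + h1 * r0 + h2 * s1
    d2 = h2 * r0
    h0 = d0 & MASK64
    t = (d0 >> 64) + d1
    return h0, t & MASK64, (t >> 64) + d2


def poly1305_limbs(key, msg, propagate_to_h2=True):
    r = int.from_bytes(key[:16], "little") & CLAMP
    r0, r1 = r & MASK64, r >> 64
    s = int.from_bytes(key[16:32], "little")
    h0 = h1 = h2 = 0
    for i in range(0, len(msg), 16):
        blk = msg[i:i + 16]
        n = int.from_bytes(blk, "little") | (1 << (8 * len(blk)))
        h0, h1, h2 = add_block(h0, h1, h2, n)
        h0, h1, h2 = mul_r(h0, h1, h2, r0, r1)
        h0, h1, h2 = partial_reduce(h0, h1, h2, propagate_to_h2)
    # Emit: full reduction mod P (done with bigints here), then add s.
    h = limbs_to_int(h0, h1, h2) % P
    return ((h + s) & MASK128).to_bytes(16, "little")


def poly1305_reference(key, msg):
    """Plain bigint Poly1305 (RFC 8439 section 2.5.1) for comparison."""
    r = int.from_bytes(key[:16], "little") & CLAMP
    s = int.from_bytes(key[16:32], "little")
    h = 0
    for i in range(0, len(msg), 16):
        blk = msg[i:i + 16]
        n = int.from_bytes(blk, "little") | (1 << (8 * len(blk)))
        h = ((h + n) * r) % P
    return ((h + s) & MASK128).to_bytes(16, "little")


# RFC 8439 section 2.5.2 known-answer vector.
RFC_KEY = bytes.fromhex("85d6be7857556d337f4452fe42d506a8"
                        "0103808afb0db2fd4abff6af4149f51b")
RFC_MSG = b"Cryptographic Forum Research Group"
RFC_TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")

# Constructed pre-reduction state (not derived from any key/message): h1 is
# all ones and h0 + 5*(h2>>2) overflows, so the carry must reach h2.
EDGE_STATE = (MASK64 - 2, MASK64, 7)


def reduction_is_congruent(state, propagate_to_h2):
    """True if partial_reduce preserved the accumulator value mod P."""
    before = limbs_to_int(*state) % P
    after = limbs_to_int(*partial_reduce(*state, propagate_to_h2)) % P
    return before == after


if __name__ == "__main__":
    assert poly1305_limbs(RFC_KEY, RFC_MSG) == RFC_TAG
    print("fixed reduction keeps value mod P:", reduction_is_congruent(EDGE_STATE, True))
    print("buggy reduction keeps value mod P:", reduction_is_congruent(EDGE_STATE, False))
    print("h2 after fixed reduction:", partial_reduce(*EDGE_STATE)[2])
```

Running it shows why the known-answer vector passes either way: the dropped carry only matters when `adc $0,$h1` wraps, which needs $h1 to be exactly 2^64-1 at that point, so a handful of test vectors will not exercise it, while the constructed state fails the congruence check immediately. It also shows the point raised in the quoted reply: with the carry propagated, h2 leaves the reduction as (h2 & 3) + carry, so it can be 4 and needs three bits, which the next `mul_r` tolerates because h2 only ever multiplies the small clamped r0 and s1.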