[openssl-dev] [openssl.org #4483] Wrong results with Poly1305 functions
Andy Polyakov via RT
rt at openssl.org
Fri Mar 25 19:07:44 UTC 2016
> For x86-64, this seems to be the bug:
>
> $ git diff
> diff --git a/crypto/poly1305/asm/poly1305-x86_64.pl b/crypto/poly1305/asm/
> poly1305-x86_64.pl
> index 3c810c5..bc14ed1 100755
> --- a/crypto/poly1305/asm/poly1305-x86_64.pl
> +++ b/crypto/poly1305/asm/poly1305-x86_64.pl
> @@ -97,6 +97,7 @@ $code.=<<___;
> add $d3,%rax
> add %rax,$h0
> adc \$0,$h1
> + adc \$0,$h2
> ___
> }
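Review bot: the added `adc \$0,$h2` is the right completion of the carry chain, but it lands without a comment saying why a carry can leave $h1 at this point (h1 all ones at the last reduction step, as the report states), so a future reader may take it for a stray instruction; suggest a one-line comment on the added line. Note that it must stay directly after `adc \$0,$h1`, since it consumes the carry flag that instruction produces, and that the fix is only as good as the coverage that exercises it: a regression vector that drives h1 to all ones before the final reduction would catch the lost 2^128 on every platform that shares this perl subroutine.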
Correct. Testing is done on all platforms.
> In the final reduction, $h1 is all ones, so there is one more carry to
> propagate. Though $h2 can then overflow its two bits, I think? I expect
> that and the cleared bits of r mean the imulqs in poly1305_iteration are
> still safe, so we can pick up that slack in poly1305_emit, but I'm not sure
> about all the complex switching back and forth in the SIMD codepaths. Does
> __poly1305_block need to follow up with one more reduction?
That additional adc goes to a perl subroutine that is used in both
poly1305_blocks and __poly1305_blocks, so the modification covers both. Pure
SIMD paths (or FP) are not affected...
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4483
Please log in as guest with password guest if prompted
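The lost carry that the quoted diff fixes, modelled in C as an added example (not code from this thread or from OpenSSL): the three-limb accumulator and the "last reduction step" are replayed instruction by instruction with and without the final adc, and compared against a 128-bit reference on a constructed state in which h1 is all ones. The bound that 5*(d3 >> 2) fits in 64 bits is assumed, as it is in the assembly.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Poly1305 accumulator as held in the x86_64 code: h0 + h1*2^64 + h2*2^128,
 * reduced modulo p = 2^130 - 5, so h2 is expected to stay small. */
typedef struct { uint64_t h0, h1, h2; } h_t;

/* Replay of the last reduction step.  d3 holds bits 128 and up of the
 * product; bits at 130 and above are folded back in as 5*(d3 >> 2), since
 * 2^130 = 5 (mod p).  carry_into_h2 = false models the code before the
 * patch, which stops the carry chain at h1. */
static h_t last_reduction(uint64_t h0, uint64_t h1, uint64_t d3, bool carry_into_h2)
{
    uint64_t rax = (d3 & ~(uint64_t)3) + (d3 >> 2); /* and/shr/add: 4*top + top = 5*top (assumed not to overflow) */
    uint64_t h2  = d3 & 3;                           /* and $3,$h2: keep bits 128..129 */
    h_t h;
    h.h0 = h0 + rax;                                 /* add %rax,$h0 */
    uint64_t cf = h.h0 < h0;                         /* carry flag out of h0 */
    h.h1 = h1 + cf;                                  /* adc $0,$h1 */
    cf = h.h1 < h1;                                  /* carry flag out of h1: set only if h1 was all ones */
    h.h2 = carry_into_h2 ? h2 + cf : h2;             /* adc $0,$h2: the line the patch adds */
    return h;
}

/* Reference: same fold computed in 128-bit arithmetic with the carry tracked exactly. */
static h_t reference_reduction(uint64_t h0, uint64_t h1, uint64_t d3)
{
    unsigned __int128 lo  = ((unsigned __int128)h1 << 64) | h0;
    unsigned __int128 sum = lo + (unsigned __int128)5 * (d3 >> 2);
    h_t h = { (uint64_t)sum, (uint64_t)(sum >> 64), (d3 & 3) + (sum < lo) };
    return h;
}

static bool same(h_t a, h_t b) { return a.h0 == b.h0 && a.h1 == b.h1 && a.h2 == b.h2; }

int main(void)
{
    /* Constructed state: h0 and h1 all ones, d3 = 7 (top = 1, h2 = 3), so the +5 into h0
     * carries through h1 and must reach h2.  Without the adc the result is short by 2^128. */
    h_t want   = reference_reduction(UINT64_MAX, UINT64_MAX, 7);
    h_t before = last_reduction(UINT64_MAX, UINT64_MAX, 7, false);
    h_t after  = last_reduction(UINT64_MAX, UINT64_MAX, 7, true);
    printf("reference h2=%llu  before patch h2=%llu (%s)  after patch h2=%llu (%s)\n",
           (unsigned long long)want.h2,
           (unsigned long long)before.h2, same(before, want) ? "ok" : "WRONG",
           (unsigned long long)after.h2,  same(after,  want) ? "ok" : "WRONG");
    return 0;
}
```

The constructed state also shows the point raised in the report: after the fix h2 leaves its two-bit range (it becomes 4), which the full register absorbs and the next iteration's multiplications fold back.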