[openssl-dev] [openssl.org #4483] Wrong results with Poly1305 functions

Andy Polyakov via RT rt at openssl.org
Fri Mar 25 19:07:44 UTC 2016

> For x86-64, this seems to be the bug:
> $ git diff
> diff --git a/crypto/poly1305/asm/poly1305-x86_64.pl b/crypto/poly1305/asm/
> poly1305-x86_64.pl
> index 3c810c5..bc14ed1 100755
> --- a/crypto/poly1305/asm/poly1305-x86_64.pl
> +++ b/crypto/poly1305/asm/poly1305-x86_64.pl
> @@ -97,6 +97,7 @@ $code.=<<___;
>         add     $d3,%rax
>         add     %rax,$h0
>         adc     \$0,$h1
> +       adc     \$0,$h2
>  ___
>  }

Correct. Testing is done on all platforms.

> In the final reduction, $h1 is all ones, so there is one more carry to
> propagate. Though $h2 can then overflow its two bits, I think? I expect
> that and the cleared bits of r mean the imulqs in poly1305_iteration are
> still safe, so we can pick up that slack in poly1305_emit, but I'm not sure
> about all the complex switching back and forth in the SIMD codepaths. Does
> __poly1305_block need to follow up with one more reduction?

That additional adc goes to a perl subroutine that is used in both
poly1305_blocks and __poly1305_blocks, so modification covers both. Pure
SIMD paths (or FP) are not affected...

Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4483
Please log in as guest with password guest if prompted

More information about the openssl-dev mailing list