On 22 January 2018 at 17:26, Ard Biesheuvel <ard.biesheu...@linaro.org> wrote: > This implements emulation of the new SHA-512 instructions that have > been added as an optional extensions to the ARMv8 Crypto Extensions > in ARM v8.2. > > Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
> +void HELPER(crypto_sha512h)(void *vd, void *vn, void *vm) > +{ > + uint64_t *rd = vd; > + uint64_t *rn = vn; > + uint64_t *rm = vm; > + > + rd[1] += S1_512(rm[1]) + cho512(rm[1], rn[0], rn[1]); > + rd[0] += S1_512(rd[1] + rm[0]) + cho512(rd[1] + rm[0], rm[1], rn[0]); This gives the wrong answer if the destination register happens to be the same as one of the inputs, because the assignment to rd[1] will overwrite the input before the calculation of rd[0] uses it. Some extra temporaries should fix this. I'll try fixing that up locally and see if it passes tests then. thanks -- PMM