On 22 January 2018 at 17:26, Ard Biesheuvel <ard.biesheu...@linaro.org> wrote:
> This implements emulation of the new SHA-512 instructions that have
> been added as an optional extensions to the ARMv8 Crypto Extensions
> in ARM v8.2.
>
> Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>


> +void HELPER(crypto_sha512h)(void *vd, void *vn, void *vm)
> +{
> +    uint64_t *rd = vd;
> +    uint64_t *rn = vn;
> +    uint64_t *rm = vm;
> +
> +    rd[1] += S1_512(rm[1]) + cho512(rm[1], rn[0], rn[1]);
> +    rd[0] += S1_512(rd[1] + rm[0]) + cho512(rd[1] + rm[0], rm[1], rn[0]);

This gives the wrong answer if the destination register
happens to be the same as one of the inputs, because the
assignment to rd[1] will overwrite the input before the
calculation of rd[0] uses it.

Some extra temporaries should fix this. I'll try fixing
that up locally and see if it passes tests then.

thanks
-- PMM

Reply via email to