On 22 January 2018 at 17:26, Ard Biesheuvel <ard.biesheu...@linaro.org> wrote:
> This implements emulation of the new SHA-512 instructions that have
> been added as an optional extensions to the ARMv8 Crypto Extensions
> in ARM v8.2.
>
> Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
> +void HELPER(crypto_sha512h)(void *vd, void *vn, void *vm)
> +{
> + uint64_t *rd = vd;
> + uint64_t *rn = vn;
> + uint64_t *rm = vm;
> +
> + rd[1] += S1_512(rm[1]) + cho512(rm[1], rn[0], rn[1]);
> + rd[0] += S1_512(rd[1] + rm[0]) + cho512(rd[1] + rm[0], rm[1], rn[0]);
This gives the wrong answer if the destination register
happens to be the same as one of the inputs, because the
assignment to rd[1] will overwrite the input before the
calculation of rd[0] uses it.
Some extra temporaries should fix this. I'll try fixing
that up locally and see if it passes tests then.
thanks
-- PMM
