Hi,

> The x86_64 implementation of Poly1305 produces the wrong result on
> some inputs because poly1305_4block_avx2() incorrectly assumes that
> when partially reducing the accumulator, the bits carried from limb
> 'd4' to limb 'h0' fit in a 32-bit integer.
> [...] This bug was originally detected by my patches that improve
> testmgr to fuzz algorithms against their generic implementation.

Thanks Eric. This shows how valuable your continued work on the crypto
testing code is, and how useful such a (common) testing infrastructure
can be.

Reviewed-by: Martin Willi <martin@xxxxxxxxxxxxxx>
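
An added illustration of the carry problem and the differential check described in the quoted text, not code from the patch, the kernel, or either author. It assumes the usual radix-2^26 limb layout for Poly1305; the limb names d and h follow the quoted description, and all function names are hypothetical.

```python
import random

P = (1 << 130) - 5          # Poly1305 prime
MASK26 = (1 << 26) - 1      # assumption: five 26-bit limbs per accumulator

def limbs_to_int(limbs):
    """Generic reference: read five limbs as one big integer."""
    return sum(l << (26 * i) for i, l in enumerate(limbs))

def partial_reduce(d, carry_bits):
    """Carry d0..d4 into h0..h4. The carry out of d4 wraps into h0 times 5,
    because 2^130 = 5 (mod P). carry_bits models the width of the register
    holding that last carry: 64 is full width, 32 is the faulty assumption."""
    d = list(d)
    h = [0] * 5
    for i in range(4):
        h[i] = d[i] & MASK26
        d[i + 1] += d[i] >> 26
    h[4] = d[4] & MASK26
    carry = (d[4] >> 26) & ((1 << carry_bits) - 1)   # truncation happens here
    h[0] += carry * 5
    return h

def agrees_with_reference(d, carry_bits):
    """Differential check: limb arithmetic versus big-integer arithmetic."""
    return limbs_to_int(partial_reduce(d, carry_bits)) % P == limbs_to_int(d) % P

def fuzz(carry_bits, d4_bits, rounds=2000, seed=1):
    """Return the first random input where the two disagree, else None."""
    rng = random.Random(seed)
    for _ in range(rounds):
        d = [rng.getrandbits(58) for _ in range(4)] + [rng.getrandbits(d4_bits)]
        if not agrees_with_reference(d, carry_bits):
            return d
    return None

if __name__ == "__main__":
    # Constructed inputs: small d4 hides the bug, large d4 exposes it.
    print("32-bit carry, d4 < 2^57:", fuzz(32, 57))
    print("32-bit carry, d4 < 2^63:", fuzz(32, 63))
    print("64-bit carry, d4 < 2^63:", fuzz(64, 63))
```

With d4 below 2^57 the carry always fits in 32 bits, so tests restricted to that input range pass even with the truncation in place.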