Hi,
The x86_64 implementation of Poly1305 produces the wrong result on some inputs because poly1305_4block_avx2() incorrectly assumes that when partially reducing the accumulator, the bits carried from limb 'd4' to limb 'h0' fit in a 32-bit integer.
[...] This bug was originally detected by my patches that improve testmgr to fuzz algorithms against their generic implementation.
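To make the arithmetic behind the description above concrete, here is an added illustration (not code from the kernel, the patch, or either poster) of one Poly1305 multiply-and-partial-reduce step in radix 2^26, written in Python so the limb arithmetic can be checked against a bignum reference. The carry out of limb d4 is wrapped into h0 (times 5, since 2^130 = 5 mod p) through an integer whose width is a parameter: 64 bits is enough, 32 bits reproduces the assumption the message describes. The key bytes, the fully reduced accumulator and the lazily reduced accumulator with 32-bit-wide limbs are all constructed inputs chosen as a worst case for this model; the page does not show the actual AVX2 code path or which inputs trigger it, and nothing here should be read as reproducing that.

```python
"""Poly1305 radix-2^26 multiply-and-partial-reduce with an explicit width
for the d4 -> h0 carry (added illustration, not the kernel's code)."""

MASK26 = (1 << 26) - 1
P = (1 << 130) - 5                      # the Poly1305 prime 2^130 - 5
CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff


def clamp_r(key: bytes) -> int:
    """Standard Poly1305 clamping of the 16-byte r half of the key."""
    assert len(key) == 16
    return int.from_bytes(key, "little") & CLAMP


def to_limbs(x: int) -> list:
    """Split an integer into five little-endian 26-bit limbs."""
    return [(x >> (26 * i)) & MASK26 for i in range(5)]


def from_limbs(h: list) -> int:
    """Recombine limbs of any width (carries need not have been propagated)."""
    return sum(h[i] << (26 * i) for i in range(5))


def mul_partial_reduce(h: list, r: list, carry_bits: int = 64):
    """One h = h*r (mod p) step the way limb-based vector code does it:
    schoolbook products into d0..d4 (the high half folded with 2^130 == 5),
    then a single carry pass.  carry_bits is the integer width assumed for
    the carry out of d4 into h0.  Returns (new limbs, untruncated carry)."""
    s = [5 * x for x in r]              # r_i * 5: products landing at 2^130 and above
    d = [h[0]*r[0] + h[1]*s[4] + h[2]*s[3] + h[3]*s[2] + h[4]*s[1],
         h[0]*r[1] + h[1]*r[0] + h[2]*s[4] + h[3]*s[3] + h[4]*s[2],
         h[0]*r[2] + h[1]*r[1] + h[2]*r[0] + h[3]*s[4] + h[4]*s[3],
         h[0]*r[3] + h[1]*r[2] + h[2]*r[1] + h[3]*r[0] + h[4]*s[4],
         h[0]*r[4] + h[1]*r[3] + h[2]*r[2] + h[3]*r[1] + h[4]*r[0]]
    for i in range(4):                  # carry chain d0 -> d1 -> d2 -> d3 -> d4
        d[i + 1] += d[i] >> 26
        d[i] &= MASK26
    carry = d[4] >> 26                  # bits above limb 4 wrap around to h0, times 5
    d[4] &= MASK26
    d[0] += 5 * (carry & ((1 << carry_bits) - 1))   # truncation models the narrow register
    d[1] += d[0] >> 26
    d[0] &= MASK26
    return d, carry


def check(h_limbs: list, r_int: int) -> dict:
    """Compare the 64-bit and 32-bit carry variants against a bignum reference."""
    expected = (from_limbs(h_limbs) * r_int) % P
    wide, carry = mul_partial_reduce(h_limbs, to_limbs(r_int), 64)
    narrow, _ = mul_partial_reduce(h_limbs, to_limbs(r_int), 32)
    return {"carry_bits": carry.bit_length(),
            "wide_ok": from_limbs(wide) % P == expected,
            "narrow_ok": from_limbs(narrow) % P == expected}


# Constructed inputs (assumptions for this illustration, not from the page):
R = clamp_r(b"\xff" * 16)               # a clamped r with large limbs
REDUCED_H = to_limbs(P - 1)             # fully carried accumulator, every limb < 2^26
LAZY_H = [(1 << 32) - 1] * 5            # lazily reduced accumulator, 32-bit-wide limbs

if __name__ == "__main__":
    print("reduced accumulator:", check(REDUCED_H, R))
    print("lazy accumulator:   ", check(LAZY_H, R))
```

With fully carried limbs, d4 stays below about 2^55 and the carry fits in 32 bits, so both variants agree with the reference; once the accumulator limbs are allowed to grow to 32 bits, d4 reaches about 2^60, the carry needs more than 32 bits, and the truncated variant produces a value that is no longer congruent to h*r mod p.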
Thanks Eric. This shows how valuable your continued work on the crypto testing code is, and how useful such a (common) testing infrastructure can be.
Reviewed-by: Martin Willi <martin@strongswan.org>