From 93d895de72c2cb3ac7bc106f03e33715f8f304c2 Mon Sep 17 00:00:00 2001
From: Artyom Pavlov
Date: Thu, 9 Sep 2021 10:18:46 +0000
Subject: [PATCH] sha2: Fix bug in the AVX2 backend (#314)
---
 sha2/CHANGELOG.md | 2 +-
 sha2/src/sha512/x86.rs | 4 ++--
 sha2/tests/lib.rs | 16 ++++++++++++++++
 3 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/sha2/CHANGELOG.md b/sha2/CHANGELOG.md
index 724dbbd56..9b7bf0930 100644
--- a/sha2/CHANGELOG.md
+++ b/sha2/CHANGELOG.md
@@ -5,7 +5,7 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
-## 0.9.7 (2021-09-08)
+## 0.9.7 (2021-09-08) [YANKED]
 ### Added
 - x86 intrinsics support for SHA-512 ([#312])
diff --git a/sha2/src/sha512/x86.rs b/sha2/src/sha512/x86.rs
index 09b3ceeaf..14a72497c 100644
--- a/sha2/src/sha512/x86.rs
+++ b/sha2/src/sha512/x86.rs
@@ -106,8 +106,8 @@ unsafe fn load_data_avx2(
 macro_rules! unrolled_iterations {
 ($($i:literal),*) => {$(
- x[$i] = _mm256_insertf128_si256(x[$i], _mm_loadu_si128(data.add($i) as *const _), 1);
- x[$i] = _mm256_insertf128_si256(x[$i], _mm_loadu_si128(data.add($i + 1) as *const _), 0);
+ x[$i] = _mm256_insertf128_si256(x[$i], _mm_loadu_si128(data.add(8 + $i) as *const _), 1);
+ x[$i] = _mm256_insertf128_si256(x[$i], _mm_loadu_si128(data.add($i) as *const _), 0);
 x[$i] = _mm256_shuffle_epi8(x[$i], MASK);
diff --git a/sha2/tests/lib.rs b/sha2/tests/lib.rs
index b9cb8628a..fe120455b 100644
--- a/sha2/tests/lib.rs
+++ b/sha2/tests/lib.rs
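Review bot: The corrected loads in `unrolled_iterations!` read through `data.add(8 + $i)`, so `load_data_avx2` depends on `data` covering two consecutive message blocks, and nothing in the hunk states or checks that precondition. Assuming `data` points to 128-bit words (its declaration is outside the hunk), index 8 and above lies past the first 128 bytes, so a caller that supplies only one block would trigger an out-of-bounds read rather than just a wrong digest. I would record the contract beside the macro, e.g. `// SAFETY: data must point to two consecutive 128-byte blocks; lane 0 takes word $i of the first block, lane 1 word $i of the second.`, and add a `debug_assert!` on the block count wherever the slice length is still known. The function body starts and ends outside the hunk, so an existing check there would settle this.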
@@ -24,6 +24,22 @@ fn sha256_1million_a() {
 one_million_a::(output);
 }
+#[test]
+#[rustfmt::skip]
+fn sha512_avx2_bug() {
+ use sha2::Digest;
+ use hex_literal::hex;
+
+ let mut msg = [0u8; 256];
+ msg[0] = 42;
+ let expected = hex!("
+ 2a3e943072f30afa45f2bf57ccd386f29b76dbcdb3a861224ca0b77bc3f55c7a
+ d3880a49c0c9c166eedf7f209c41b380896886155acb8f6c7c07044343a3e692
+ ");
+ let res = sha2::Sha512::digest(&msg);
+ assert_eq!(res[..], expected[..]);
+}
+
 #[test]
 fn sha512_1million_a() {
 let output = include_bytes!("data/sha512_one_million_a.bin");
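Review bot: `sha512_avx2_bug` pins one 256-byte message, so it guards the fixed loader only when the test host actually selects the AVX2 backend; on a CPU without AVX2 it would pass through whatever fallback is used and would not have caught the original wrong-digest defect. If backend selection happens at runtime (not visible in this hunk), CI needs an AVX2-capable runner for this test to mean anything. A comment such as `// 256 bytes = two 128-byte SHA-512 blocks, the smallest input that reaches the paired-block AVX2 loader` would record why this length was chosen. A second known-answer vector of a different length, for example three blocks, would also cover any single-block remainder path alongside the paired one.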