tree: https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git master head: 8f44df154de79a61b0e86734f51737b8cccf8dfe commit: 3c4b23901a0c766879dff680cd6bdab47bcdbbd2 [79/87] crypto: ecdh - Add ECDH software support config: s390-allyesconfig (attached as .config) compiler: s390x-linux-gnu-gcc (Debian 5.3.1-8) 5.3.1 20160205 reproduce: wget https://git.kernel.org/cgit/linux/kernel/git/wfg/lkp-tests.git/plain/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross git checkout 3c4b23901a0c766879dff680cd6bdab47bcdbbd2 # save the attached .config to linux build tree make.cross ARCH=s390 All warnings (new ones prefixed by >>): crypto/ecc.c: In function 'vli_mmod_fast': >> crypto/ecc.c:532:1: warning: 'vli_mmod_fast' uses dynamic stack allocation } ^ crypto/ecc.c: In function 'vli_mod_square_fast': >> crypto/ecc.c:552:1: warning: 'vli_mod_square_fast' uses dynamic stack allocation } ^ crypto/ecc.c: In function 'vli_mod_mult_fast': >> crypto/ecc.c:542:1: warning: 'vli_mod_mult_fast' uses dynamic stack allocation } ^ crypto/ecc.c: In function 'xycz_add_c': >> crypto/ecc.c:840:1: warning: 'xycz_add_c' uses dynamic stack allocation } ^ crypto/ecc.c: In function 'xycz_add': >> crypto/ecc.c:783:1: warning: 'xycz_add' uses dynamic stack allocation } ^ crypto/ecc.c: In function 'apply_z': >> crypto/ecc.c:719:1: warning: 'apply_z' uses dynamic stack allocation } ^ crypto/ecc.c: In function 'ecc_point_mult.isra.0': >> crypto/ecc.c:895:1: warning: 'ecc_point_mult.isra.0' uses dynamic stack allocation } ^ crypto/ecc.c: In function 'ecdh_make_pub_key': >> crypto/ecc.c:967:1: warning: 'ecdh_make_pub_key' uses dynamic stack allocation } ^ crypto/ecc.c: In function 'ecdh_shared_secret': crypto/ecc.c:1018:1: warning: 'ecdh_shared_secret' uses dynamic stack allocation } ^ vim +/vli_mmod_fast +532 crypto/ecc.c 526 default: 527 pr_err("unsupports digits size!\n"); 528 return false; 529 } 530 531 return true; > 532 } 533 534 /* Computes result = (left * right) % curve_prime. */ 535 static void vli_mod_mult_fast(u64 *result, const u64 *left, const u64 *right, 536 const u64 *curve_prime, unsigned int ndigits) 537 { 538 u64 product[2 * ndigits]; 539 540 vli_mult(product, left, right, ndigits); 541 vli_mmod_fast(result, product, curve_prime, ndigits); > 542 } 543 544 /* Computes result = left^2 % curve_prime. */ 545 static void vli_mod_square_fast(u64 *result, const u64 *left, 546 const u64 *curve_prime, unsigned int ndigits) 547 { 548 u64 product[2 * ndigits]; 549 550 vli_square(product, left, ndigits); 551 vli_mmod_fast(result, product, curve_prime, ndigits); > 552 } 553 554 #define EVEN(vli) (!(vli[0] & 1)) 555 /* Computes result = (1 / p_input) % mod. All VLIs are the same size. 556 * See "From Euclid's GCD to Montgomery Multiplication to the Great Divide" 557 * https://labs.oracle.com/techrep/2001/smli_tr-2001-95.pdf 558 */ 559 static void vli_mod_inv(u64 *result, const u64 *input, const u64 *mod, 560 unsigned int ndigits) 561 { 562 u64 a[ndigits], b[ndigits]; 563 u64 u[ndigits], v[ndigits]; 564 u64 carry; 565 int cmp_result; 566 567 if (vli_is_zero(input, ndigits)) { 568 vli_clear(result, ndigits); 569 return; 570 } 571 572 vli_set(a, input, ndigits); 573 vli_set(b, mod, ndigits); 574 vli_clear(u, ndigits); 575 u[0] = 1; 576 vli_clear(v, ndigits); 577 578 while ((cmp_result = vli_cmp(a, b, ndigits)) != 0) { 579 carry = 0; 580 581 if (EVEN(a)) { 582 vli_rshift1(a, ndigits); 583 584 if (!EVEN(u)) 585 carry = vli_add(u, u, mod, ndigits); 586 587 vli_rshift1(u, ndigits); 588 if (carry) 589 u[ndigits - 1] |= 0x8000000000000000ull; 590 } else if (EVEN(b)) { 591 vli_rshift1(b, ndigits); 592 593 if (!EVEN(v)) 594 carry = vli_add(v, v, mod, ndigits); 595 596 vli_rshift1(v, ndigits); 597 if (carry) 598 v[ndigits - 1] |= 0x8000000000000000ull; 599 } else if (cmp_result > 0) { 600 vli_sub(a, a, b, ndigits); 601 vli_rshift1(a, ndigits); 602 603 if (vli_cmp(u, v, ndigits) < 0) 604 vli_add(u, u, mod, ndigits); 605 606 vli_sub(u, u, v, ndigits); 607 if (!EVEN(u)) 608 carry = vli_add(u, u, mod, ndigits); 609 610 vli_rshift1(u, ndigits); 611 if (carry) 612 u[ndigits - 1] |= 0x8000000000000000ull; 613 } else { 614 vli_sub(b, b, a, ndigits); 615 vli_rshift1(b, ndigits); 616 617 if (vli_cmp(v, u, ndigits) < 0) 618 vli_add(v, v, mod, ndigits); 619 620 vli_sub(v, v, u, ndigits); 621 if (!EVEN(v)) 622 carry = vli_add(v, v, mod, ndigits); 623 624 vli_rshift1(v, ndigits); 625 if (carry) 626 v[ndigits - 1] |= 0x8000000000000000ull; 627 } 628 } 629 630 vli_set(result, u, ndigits); 631 } 632 633 /* ------ Point operations ------ */ 634 635 /* Returns true if p_point is the point at infinity, false otherwise. */ 636 static bool ecc_point_is_zero(const struct ecc_point *point) 637 { 638 return (vli_is_zero(point->x, point->ndigits) && 639 vli_is_zero(point->y, point->ndigits)); 640 } 641 642 /* Point multiplication algorithm using Montgomery's ladder with co-Z 643 * coordinates. From http://eprint.iacr.org/2011/338.pdf 644 */ 645 646 /* Double in place */ 647 static void ecc_point_double_jacobian(u64 *x1, u64 *y1, u64 *z1, 648 u64 *curve_prime, unsigned int ndigits) 649 { 650 /* t1 = x, t2 = y, t3 = z */ 651 u64 t4[ndigits]; 652 u64 t5[ndigits]; 653 654 if (vli_is_zero(z1, ndigits)) 655 return; 656 657 /* t4 = y1^2 */ 658 vli_mod_square_fast(t4, y1, curve_prime, ndigits); 659 /* t5 = x1*y1^2 = A */ 660 vli_mod_mult_fast(t5, x1, t4, curve_prime, ndigits); 661 /* t4 = y1^4 */ 662 vli_mod_square_fast(t4, t4, curve_prime, ndigits); 663 /* t2 = y1*z1 = z3 */ 664 vli_mod_mult_fast(y1, y1, z1, curve_prime, ndigits); 665 /* t3 = z1^2 */ 666 vli_mod_square_fast(z1, z1, curve_prime, ndigits); 667 668 /* t1 = x1 + z1^2 */ 669 vli_mod_add(x1, x1, z1, curve_prime, ndigits); 670 /* t3 = 2*z1^2 */ 671 vli_mod_add(z1, z1, z1, curve_prime, ndigits); 672 /* t3 = x1 - z1^2 */ 673 vli_mod_sub(z1, x1, z1, curve_prime, ndigits); 674 /* t1 = x1^2 - z1^4 */ 675 vli_mod_mult_fast(x1, x1, z1, curve_prime, ndigits); 676 677 /* t3 = 2*(x1^2 - z1^4) */ 678 vli_mod_add(z1, x1, x1, curve_prime, ndigits); 679 /* t1 = 3*(x1^2 - z1^4) */ 680 vli_mod_add(x1, x1, z1, curve_prime, ndigits); 681 if (vli_test_bit(x1, 0)) { 682 u64 carry = vli_add(x1, x1, curve_prime, ndigits); 683 684 vli_rshift1(x1, ndigits); 685 x1[ndigits - 1] |= carry << 63; 686 } else { 687 vli_rshift1(x1, ndigits); 688 } 689 /* t1 = 3/2*(x1^2 - z1^4) = B */ 690 691 /* t3 = B^2 */ 692 vli_mod_square_fast(z1, x1, curve_prime, ndigits); 693 /* t3 = B^2 - A */ 694 vli_mod_sub(z1, z1, t5, curve_prime, ndigits); 695 /* t3 = B^2 - 2A = x3 */ 696 vli_mod_sub(z1, z1, t5, curve_prime, ndigits); 697 /* t5 = A - x3 */ 698 vli_mod_sub(t5, t5, z1, curve_prime, ndigits); 699 /* t1 = B * (A - x3) */ 700 vli_mod_mult_fast(x1, x1, t5, curve_prime, ndigits); 701 /* t4 = B * (A - x3) - y1^4 = y3 */ 702 vli_mod_sub(t4, x1, t4, curve_prime, ndigits); 703 704 vli_set(x1, z1, ndigits); 705 vli_set(z1, y1, ndigits); 706 vli_set(y1, t4, ndigits); 707 } 708 709 /* Modify (x1, y1) => (x1 * z^2, y1 * z^3) */ 710 static void apply_z(u64 *x1, u64 *y1, u64 *z, u64 *curve_prime, 711 unsigned int ndigits) 712 { 713 u64 t1[ndigits]; 714 715 vli_mod_square_fast(t1, z, curve_prime, ndigits); /* z^2 */ 716 vli_mod_mult_fast(x1, x1, t1, curve_prime, ndigits); /* x1 * z^2 */ 717 vli_mod_mult_fast(t1, t1, z, curve_prime, ndigits); /* z^3 */ 718 vli_mod_mult_fast(y1, y1, t1, curve_prime, ndigits); /* y1 * z^3 */ > 719 } 720 721 /* P = (x1, y1) => 2P, (x2, y2) => P' */ 722 static void xycz_initial_double(u64 *x1, u64 *y1, u64 *x2, u64 *y2, --- 0-DAY kernel test infrastructure Open Source Technology Center https://lists.01.org/pipermail/kbuild-all Intel Corporation
Attachment:
.config.gz
Description: Binary data
