Hi Hongbo, Thank you for the patch! Perhaps something to improve: [auto build test WARNING on cryptodev/master] [also build test WARNING on crypto/master linus/master v5.13-rc1 next-20210512] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch] url: https://github.com/0day-ci/linux/commits/Hongbo-Li/crypto-add-eddsa-support-for-x509/20210512-220722 base: https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git master config: arc-allyesconfig (attached as .config) compiler: arceb-elf-gcc (GCC) 9.3.0 reproduce (this is a W=1 build): wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # https://github.com/0day-ci/linux/commit/f9de73b89d39483afde4fc9ba079b66dee2f05ab git remote add linux-review https://github.com/0day-ci/linux git fetch --no-tags linux-review Hongbo-Li/crypto-add-eddsa-support-for-x509/20210512-220722 git checkout f9de73b89d39483afde4fc9ba079b66dee2f05ab # save the attached .config to linux build tree COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross W=1 ARCH=arc If you fix the issue, kindly add following tag as appropriate Reported-by: kernel test robot <lkp@xxxxxxxxx> All warnings (new ones prefixed by >>): >> crypto/eddsa.c:67:5: warning: no previous prototype for 'ecc_eddsa_encodepoint' [-Wmissing-prototypes] 67 | int ecc_eddsa_encodepoint(MPI_POINT point, struct mpi_ec_ctx *ec, | ^~~~~~~~~~~~~~~~~~~~~ >> crypto/eddsa.c:174:5: warning: no previous prototype for 'eddsa_verify' [-Wmissing-prototypes] 174 | int eddsa_verify(struct akcipher_request *req) | ^~~~~~~~~~~~ >> crypto/eddsa.c:255:5: warning: no previous prototype for 'eddsa_max_size' [-Wmissing-prototypes] 255 | u32 eddsa_max_size(struct crypto_akcipher *tfm) | ^~~~~~~~~~~~~~ vim +/ecc_eddsa_encodepoint +67 crypto/eddsa.c 66 > 67 int ecc_eddsa_encodepoint(MPI_POINT point, struct mpi_ec_ctx *ec, 68 MPI x, MPI y, u8 *buf, u32 key_size) 69 { 70 if (mpi_ec_get_affine(x, y, point, ec)) 71 return -EINVAL; 72 73 return eddsa_encode_x_y(x, y, buf, key_size); 74 } 75 76 /* Recover X from Y and SIGN (which actually is a parity bit). */ 77 static int eddsa_recover_x(MPI x, MPI y, int sign, struct mpi_ec_ctx *ec) 78 { 79 MPI u, v, v3, t; 80 int ret = 0; 81 82 if (ec->dialect != ECC_DIALECT_ED25519) 83 return -ENOPKG; 84 85 u = mpi_new(0); 86 v = mpi_new(0); 87 v3 = mpi_new(0); 88 t = mpi_new(0); 89 90 /* Compute u and v */ 91 /* u = y^2 */ 92 mpi_mulm(u, y, y, ec->p); 93 /* v = b*y^2 */ 94 mpi_mulm(v, ec->b, u, ec->p); 95 /* u = y^2-1 */ 96 mpi_sub_ui(u, u, 1); 97 /* v = b*y^2+1 */ 98 mpi_add_ui(v, v, 1); 99 100 /* Compute sqrt(u/v) */ 101 /* v3 = v^3 */ 102 mpi_powm(v3, v, mpi_const(MPI_C_THREE), ec->p); 103 /* t = v3 * v3 * u * v = u * v^7 */ 104 mpi_powm(t, v, seven, ec->p); 105 mpi_mulm(t, t, u, ec->p); 106 /* t = t^((p-5)/8) = (u * v^7)^((p-5)/8) */ 107 mpi_powm(t, t, p58, ec->p); 108 /* x = t * u * v^3 = (u * v^3) * (u * v^7)^((p-5)/8) */ 109 mpi_mulm(t, t, u, ec->p); 110 mpi_mulm(x, t, v3, ec->p); 111 112 /* Adjust if needed. */ 113 /* t = v * x^2 */ 114 mpi_mulm(t, x, x, ec->p); 115 mpi_mulm(t, t, v, ec->p); 116 /* -t == u ? x = x * sqrt(-1) */ 117 mpi_sub(t, ec->p, t); 118 if (!mpi_cmp(t, u)) { 119 mpi_mulm(x, x, m1, ec->p); 120 /* t = v * x^2 */ 121 mpi_mulm(t, x, x, ec->p); 122 mpi_mulm(t, t, v, ec->p); 123 /* -t == u ? x = x * sqrt(-1) */ 124 mpi_sub(t, ec->p, t); 125 if (!mpi_cmp(t, u)) 126 ret = -EINVAL; 127 } 128 129 /* Choose the desired square root according to parity */ 130 if (mpi_test_bit(x, 0) != !!sign) 131 mpi_sub(x, ec->p, x); 132 133 mpi_free(t); 134 mpi_free(v3); 135 mpi_free(v); 136 mpi_free(u); 137 138 return ret; 139 } 140 141 static int ecc_eddsa_decodepoint(const u8 *pk, int key_size, 142 struct mpi_ec_ctx *ec, MPI_POINT result) 143 { 144 MPI y; 145 u8 *rawmpi; 146 int sign, ret = 0; 147 148 rawmpi = kmalloc(key_size, GFP_KERNEL); 149 if (!rawmpi) 150 return -ENOMEM; 151 memcpy(rawmpi, pk, key_size); 152 reverse_buffer(rawmpi, key_size); 153 154 sign = !!(rawmpi[0] & 0x80); 155 rawmpi[0] &= 0x7f; 156 157 y = mpi_read_raw_data(rawmpi, key_size); 158 if (!y) { 159 ret = -EINVAL; 160 goto out; 161 } 162 163 mpi_normalize(y); 164 mpi_set(result->y, y); 165 mpi_free(y); 166 167 ret = eddsa_recover_x(result->x, result->y, sign, ec); 168 mpi_set_ui(result->z, 1); 169 out: 170 kfree(rawmpi); 171 return ret; 172 } 173 > 174 int eddsa_verify(struct akcipher_request *req) 175 { 176 struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req); 177 struct eddsa_ctx *ctx = akcipher_tfm_ctx(tfm); 178 struct mpi_ec_ctx *ec = &ctx->ec_ctx; 179 struct gcry_mpi_point sb, ka; 180 MPI s = NULL; 181 MPI k = NULL; 182 u8 sig[CURVE25519_KEY_SIZE * 2], digest[SHA512_DIGEST_SIZE]; 183 u8 *buf; 184 u32 key_size; 185 int ret = 0; 186 187 if (ctx->algo_oid != OID_ed25519) 188 return -ENOPKG; 189 190 key_size = CURVE25519_KEY_SIZE; 191 192 if (!ec->Q || req->src_len != key_size * 2) 193 return -EINVAL; 194 195 sg_copy_to_buffer(req->src, sg_nents_for_len(req->src, req->src_len), 196 sig, req->src_len); 197 198 sg_pcopy_to_buffer(req->src, 199 sg_nents_for_len(req->src, 200 req->src_len + req->dst_len), 201 digest, req->dst_len, req->src_len); 202 203 reverse_buffer(digest, SHA512_DIGEST_SIZE); 204 k = mpi_read_raw_data(digest, SHA512_DIGEST_SIZE); 205 206 reverse_buffer(sig + key_size, key_size); 207 s = mpi_read_raw_data(sig + key_size, key_size); 208 209 mpi_point_init(&sb); 210 mpi_point_init(&ka); 211 212 mpi_ec_mul_point(&sb, s, ec->G, ec); 213 mpi_ec_mul_point(&ka, k, ec->Q, ec); 214 mpi_sub(ka.x, ec->p, ka.x); 215 mpi_ec_add_points(&sb, &sb, &ka, ec); 216 217 buf = kmalloc(key_size, GFP_KERNEL); 218 if (!buf) { 219 ret = -ENOMEM; 220 goto out; 221 } 222 223 ret = ecc_eddsa_encodepoint(&sb, ec, s, k, buf, key_size); 224 if (ret) 225 goto out; 226 227 if (memcmp(buf, sig, key_size)) 228 ret = -EKEYREJECTED; 229 230 out: 231 mpi_point_free_parts(&sb); 232 mpi_point_free_parts(&ka); 233 mpi_free(k); 234 mpi_free(s); 235 kfree(buf); 236 return ret; 237 } 238 239 static int eddsa_set_pub_key(struct crypto_akcipher *tfm, const void *key, 240 unsigned int keylen) 241 { 242 struct eddsa_ctx *ctx = akcipher_tfm_ctx(tfm); 243 struct mpi_ec_ctx *ec = &ctx->ec_ctx; 244 const u8 *pk = key; 245 246 if (ctx->algo_oid != OID_ed25519) 247 return -ENOPKG; 248 249 if (keylen != CURVE25519_KEY_SIZE) 250 return -EINVAL; 251 252 return ecc_eddsa_decodepoint(pk, keylen, ec, ec->Q); 253 } 254 > 255 u32 eddsa_max_size(struct crypto_akcipher *tfm) 256 { 257 struct eddsa_ctx *ctx = akcipher_tfm_ctx(tfm); 258 259 if (ctx->algo_oid == OID_ed25519) 260 return CURVE25519_KEY_SIZE; 261 262 return 0; 263 } 264 --- 0-DAY CI Kernel Test Service, Intel Corporation https://lists.01.org/hyperkitty/list/kbuild-all@xxxxxxxxxxxx
Attachment:
.config.gz
Description: application/gzip