lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <202105130227.BIzH8agw-lkp@intel.com>
Date:   Thu, 13 May 2021 02:39:35 +0800
From:   kernel test robot <lkp@...el.com>
To:     Hongbo Li <herbert.tencent@...il.com>, keyrings@...r.kernel.org,
        linux-crypto@...r.kernel.org, herbert@...dor.apana.org.au,
        dhowells@...hat.com, jarkko@...nel.org,
        tianjia.zhang@...ux.alibaba.com, herberthbli@...cent.com
Cc:     kbuild-all@...ts.01.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 6/7] crypto: ed25519 cert verification

Hi Hongbo,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on cryptodev/master]
[also build test WARNING on crypto/master linus/master v5.13-rc1 next-20210512]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Hongbo-Li/crypto-add-eddsa-support-for-x509/20210512-220722
base:   https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git master
config: arc-allyesconfig (attached as .config)
compiler: arceb-elf-gcc (GCC) 9.3.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/f9de73b89d39483afde4fc9ba079b66dee2f05ab
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Hongbo-Li/crypto-add-eddsa-support-for-x509/20210512-220722
        git checkout f9de73b89d39483afde4fc9ba079b66dee2f05ab
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross W=1 ARCH=arc 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@...el.com>

All warnings (new ones prefixed by >>):

>> crypto/eddsa.c:67:5: warning: no previous prototype for 'ecc_eddsa_encodepoint' [-Wmissing-prototypes]
      67 | int ecc_eddsa_encodepoint(MPI_POINT point, struct mpi_ec_ctx *ec,
         |     ^~~~~~~~~~~~~~~~~~~~~
>> crypto/eddsa.c:174:5: warning: no previous prototype for 'eddsa_verify' [-Wmissing-prototypes]
     174 | int eddsa_verify(struct akcipher_request *req)
         |     ^~~~~~~~~~~~
>> crypto/eddsa.c:255:5: warning: no previous prototype for 'eddsa_max_size' [-Wmissing-prototypes]
     255 | u32 eddsa_max_size(struct crypto_akcipher *tfm)
         |     ^~~~~~~~~~~~~~


vim +/ecc_eddsa_encodepoint +67 crypto/eddsa.c

    66	
  > 67	int ecc_eddsa_encodepoint(MPI_POINT point, struct mpi_ec_ctx *ec,
    68				  MPI x, MPI y, u8 *buf, u32 key_size)
    69	{
    70		if (mpi_ec_get_affine(x, y, point, ec))
    71			return -EINVAL;
    72	
    73		return eddsa_encode_x_y(x, y, buf, key_size);
    74	}
    75	
    76	/* Recover X from Y and SIGN (which actually is a parity bit).  */
    77	static int eddsa_recover_x(MPI x, MPI y, int sign, struct mpi_ec_ctx *ec)
    78	{
    79		MPI u, v, v3, t;
    80		int ret = 0;
    81	
    82		if (ec->dialect != ECC_DIALECT_ED25519)
    83			return -ENOPKG;
    84	
    85		u = mpi_new(0);
    86		v = mpi_new(0);
    87		v3 = mpi_new(0);
    88		t = mpi_new(0);
    89	
    90		/* Compute u and v */
    91		/* u = y^2 */
    92		mpi_mulm(u, y, y, ec->p);
    93		/* v = b*y^2 */
    94		mpi_mulm(v, ec->b, u, ec->p);
    95		/* u = y^2-1 */
    96		mpi_sub_ui(u, u, 1);
    97		/* v = b*y^2+1 */
    98		mpi_add_ui(v, v, 1);
    99	
   100		/* Compute sqrt(u/v) */
   101		/* v3 = v^3 */
   102		mpi_powm(v3, v, mpi_const(MPI_C_THREE), ec->p);
   103		/* t = v3 * v3 * u * v = u * v^7 */
   104		mpi_powm(t, v, seven, ec->p);
   105		mpi_mulm(t, t, u, ec->p);
   106		/* t = t^((p-5)/8) = (u * v^7)^((p-5)/8)  */
   107		mpi_powm(t, t, p58, ec->p);
   108		/* x = t * u * v^3 = (u * v^3) * (u * v^7)^((p-5)/8) */
   109		mpi_mulm(t, t, u, ec->p);
   110		mpi_mulm(x, t, v3, ec->p);
   111	
   112		/* Adjust if needed. */
   113		/* t = v * x^2 */
   114		mpi_mulm(t, x, x, ec->p);
   115		mpi_mulm(t, t, v, ec->p);
   116		/* -t == u ? x = x * sqrt(-1) */
   117		mpi_sub(t, ec->p, t);
   118		if (!mpi_cmp(t, u)) {
   119			mpi_mulm(x, x, m1, ec->p);
   120			/* t = v * x^2 */
   121			mpi_mulm(t, x, x, ec->p);
   122			mpi_mulm(t, t, v, ec->p);
   123			/* -t == u ? x = x * sqrt(-1) */
   124			mpi_sub(t, ec->p, t);
   125			if (!mpi_cmp(t, u))
   126				ret = -EINVAL;
   127		}
   128	
   129		/* Choose the desired square root according to parity */
   130		if (mpi_test_bit(x, 0) != !!sign)
   131			mpi_sub(x, ec->p, x);
   132	
   133		mpi_free(t);
   134		mpi_free(v3);
   135		mpi_free(v);
   136		mpi_free(u);
   137	
   138		return ret;
   139	}
   140	
   141	static int ecc_eddsa_decodepoint(const u8 *pk, int key_size,
   142					 struct mpi_ec_ctx *ec, MPI_POINT result)
   143	{
   144		MPI y;
   145		u8 *rawmpi;
   146		int sign, ret = 0;
   147	
   148		rawmpi = kmalloc(key_size, GFP_KERNEL);
   149		if (!rawmpi)
   150			return -ENOMEM;
   151		memcpy(rawmpi, pk, key_size);
   152		reverse_buffer(rawmpi, key_size);
   153	
   154		sign = !!(rawmpi[0] & 0x80);
   155		rawmpi[0] &= 0x7f;
   156	
   157		y = mpi_read_raw_data(rawmpi, key_size);
   158		if (!y) {
   159			ret = -EINVAL;
   160			goto out;
   161		}
   162	
   163		mpi_normalize(y);
   164		mpi_set(result->y, y);
   165		mpi_free(y);
   166	
   167		ret = eddsa_recover_x(result->x, result->y, sign, ec);
   168		mpi_set_ui(result->z, 1);
   169	out:
   170		kfree(rawmpi);
   171		return ret;
   172	}
   173	
 > 174	int eddsa_verify(struct akcipher_request *req)
   175	{
   176		struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
   177		struct eddsa_ctx *ctx = akcipher_tfm_ctx(tfm);
   178		struct mpi_ec_ctx *ec = &ctx->ec_ctx;
   179		struct gcry_mpi_point sb, ka;
   180		MPI s = NULL;
   181		MPI k = NULL;
   182		u8 sig[CURVE25519_KEY_SIZE * 2], digest[SHA512_DIGEST_SIZE];
   183		u8 *buf;
   184		u32 key_size;
   185		int ret = 0;
   186	
   187		if (ctx->algo_oid != OID_ed25519)
   188			return -ENOPKG;
   189	
   190		key_size = CURVE25519_KEY_SIZE;
   191	
   192		if (!ec->Q || req->src_len != key_size * 2)
   193			return -EINVAL;
   194	
   195		sg_copy_to_buffer(req->src, sg_nents_for_len(req->src, req->src_len),
   196				  sig, req->src_len);
   197	
   198		sg_pcopy_to_buffer(req->src,
   199				   sg_nents_for_len(req->src,
   200						    req->src_len + req->dst_len),
   201				   digest, req->dst_len, req->src_len);
   202	
   203		reverse_buffer(digest, SHA512_DIGEST_SIZE);
   204		k = mpi_read_raw_data(digest, SHA512_DIGEST_SIZE);
   205	
   206		reverse_buffer(sig + key_size, key_size);
   207		s = mpi_read_raw_data(sig + key_size, key_size);
   208	
   209		mpi_point_init(&sb);
   210		mpi_point_init(&ka);
   211	
   212		mpi_ec_mul_point(&sb, s, ec->G, ec);
   213		mpi_ec_mul_point(&ka, k, ec->Q, ec);
   214		mpi_sub(ka.x, ec->p, ka.x);
   215		mpi_ec_add_points(&sb, &sb, &ka, ec);
   216	
   217		buf = kmalloc(key_size, GFP_KERNEL);
   218		if (!buf) {
   219			ret = -ENOMEM;
   220			goto out;
   221		}
   222	
   223		ret = ecc_eddsa_encodepoint(&sb, ec, s, k, buf, key_size);
   224		if (ret)
   225			goto out;
   226	
   227		if (memcmp(buf, sig, key_size))
   228			ret = -EKEYREJECTED;
   229	
   230	out:
   231		mpi_point_free_parts(&sb);
   232		mpi_point_free_parts(&ka);
   233		mpi_free(k);
   234		mpi_free(s);
   235		kfree(buf);
   236		return ret;
   237	}
   238	
   239	static int eddsa_set_pub_key(struct crypto_akcipher *tfm, const void *key,
   240				     unsigned int keylen)
   241	{
   242		struct eddsa_ctx *ctx = akcipher_tfm_ctx(tfm);
   243		struct mpi_ec_ctx *ec = &ctx->ec_ctx;
   244		const u8 *pk = key;
   245	
   246		if (ctx->algo_oid != OID_ed25519)
   247			return -ENOPKG;
   248	
   249		if (keylen != CURVE25519_KEY_SIZE)
   250			return -EINVAL;
   251	
   252		return ecc_eddsa_decodepoint(pk, keylen, ec, ec->Q);
   253	}
   254	
 > 255	u32 eddsa_max_size(struct crypto_akcipher *tfm)
   256	{
   257		struct eddsa_ctx *ctx = akcipher_tfm_ctx(tfm);
   258	
   259		if (ctx->algo_oid == OID_ed25519)
   260			return CURVE25519_KEY_SIZE;
   261	
   262		return 0;
   263	}
   264	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

Download attachment ".config.gz" of type "application/gzip" (67468 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ