| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 13 May 2021 02:39:35 +0800
From: kernel test robot <lkp@...el.com>
To: Hongbo Li <herbert.tencent@...il.com>, keyrings@...r.kernel.org,
linux-crypto@...r.kernel.org, herbert@...dor.apana.org.au,
dhowells@...hat.com, jarkko@...nel.org,
tianjia.zhang@...ux.alibaba.com, herberthbli@...cent.com
Cc: kbuild-all@...ts.01.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 6/7] crypto: ed25519 cert verification
Hi Hongbo,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on cryptodev/master]
[also build test WARNING on crypto/master linus/master v5.13-rc1 next-20210512]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/0day-ci/linux/commits/Hongbo-Li/crypto-add-eddsa-support-for-x509/20210512-220722
base: https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git master
config: arc-allyesconfig (attached as .config)
compiler: arceb-elf-gcc (GCC) 9.3.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/0day-ci/linux/commit/f9de73b89d39483afde4fc9ba079b66dee2f05ab
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Hongbo-Li/crypto-add-eddsa-support-for-x509/20210512-220722
git checkout f9de73b89d39483afde4fc9ba079b66dee2f05ab
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross W=1 ARCH=arc
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@...el.com>
All warnings (new ones prefixed by >>):
>> crypto/eddsa.c:67:5: warning: no previous prototype for 'ecc_eddsa_encodepoint' [-Wmissing-prototypes]
67 | int ecc_eddsa_encodepoint(MPI_POINT point, struct mpi_ec_ctx *ec,
| ^~~~~~~~~~~~~~~~~~~~~
>> crypto/eddsa.c:174:5: warning: no previous prototype for 'eddsa_verify' [-Wmissing-prototypes]
174 | int eddsa_verify(struct akcipher_request *req)
| ^~~~~~~~~~~~
>> crypto/eddsa.c:255:5: warning: no previous prototype for 'eddsa_max_size' [-Wmissing-prototypes]
255 | u32 eddsa_max_size(struct crypto_akcipher *tfm)
| ^~~~~~~~~~~~~~
vim +/ecc_eddsa_encodepoint +67 crypto/eddsa.c
66
> 67 int ecc_eddsa_encodepoint(MPI_POINT point, struct mpi_ec_ctx *ec,
68 MPI x, MPI y, u8 *buf, u32 key_size)
69 {
70 if (mpi_ec_get_affine(x, y, point, ec))
71 return -EINVAL;
72
73 return eddsa_encode_x_y(x, y, buf, key_size);
74 }
75
76 /* Recover X from Y and SIGN (which actually is a parity bit). */
77 static int eddsa_recover_x(MPI x, MPI y, int sign, struct mpi_ec_ctx *ec)
78 {
79 MPI u, v, v3, t;
80 int ret = 0;
81
82 if (ec->dialect != ECC_DIALECT_ED25519)
83 return -ENOPKG;
84
85 u = mpi_new(0);
86 v = mpi_new(0);
87 v3 = mpi_new(0);
88 t = mpi_new(0);
89
90 /* Compute u and v */
91 /* u = y^2 */
92 mpi_mulm(u, y, y, ec->p);
93 /* v = b*y^2 */
94 mpi_mulm(v, ec->b, u, ec->p);
95 /* u = y^2-1 */
96 mpi_sub_ui(u, u, 1);
97 /* v = b*y^2+1 */
98 mpi_add_ui(v, v, 1);
99
100 /* Compute sqrt(u/v) */
101 /* v3 = v^3 */
102 mpi_powm(v3, v, mpi_const(MPI_C_THREE), ec->p);
103 /* t = v3 * v3 * u * v = u * v^7 */
104 mpi_powm(t, v, seven, ec->p);
105 mpi_mulm(t, t, u, ec->p);
106 /* t = t^((p-5)/8) = (u * v^7)^((p-5)/8) */
107 mpi_powm(t, t, p58, ec->p);
108 /* x = t * u * v^3 = (u * v^3) * (u * v^7)^((p-5)/8) */
109 mpi_mulm(t, t, u, ec->p);
110 mpi_mulm(x, t, v3, ec->p);
111
112 /* Adjust if needed. */
113 /* t = v * x^2 */
114 mpi_mulm(t, x, x, ec->p);
115 mpi_mulm(t, t, v, ec->p);
116 /* -t == u ? x = x * sqrt(-1) */
117 mpi_sub(t, ec->p, t);
118 if (!mpi_cmp(t, u)) {
119 mpi_mulm(x, x, m1, ec->p);
120 /* t = v * x^2 */
121 mpi_mulm(t, x, x, ec->p);
122 mpi_mulm(t, t, v, ec->p);
123 /* -t == u ? x = x * sqrt(-1) */
124 mpi_sub(t, ec->p, t);
125 if (!mpi_cmp(t, u))
126 ret = -EINVAL;
127 }
128
129 /* Choose the desired square root according to parity */
130 if (mpi_test_bit(x, 0) != !!sign)
131 mpi_sub(x, ec->p, x);
132
133 mpi_free(t);
134 mpi_free(v3);
135 mpi_free(v);
136 mpi_free(u);
137
138 return ret;
139 }
140
141 static int ecc_eddsa_decodepoint(const u8 *pk, int key_size,
142 struct mpi_ec_ctx *ec, MPI_POINT result)
143 {
144 MPI y;
145 u8 *rawmpi;
146 int sign, ret = 0;
147
148 rawmpi = kmalloc(key_size, GFP_KERNEL);
149 if (!rawmpi)
150 return -ENOMEM;
151 memcpy(rawmpi, pk, key_size);
152 reverse_buffer(rawmpi, key_size);
153
154 sign = !!(rawmpi[0] & 0x80);
155 rawmpi[0] &= 0x7f;
156
157 y = mpi_read_raw_data(rawmpi, key_size);
158 if (!y) {
159 ret = -EINVAL;
160 goto out;
161 }
162
163 mpi_normalize(y);
164 mpi_set(result->y, y);
165 mpi_free(y);
166
167 ret = eddsa_recover_x(result->x, result->y, sign, ec);
168 mpi_set_ui(result->z, 1);
169 out:
170 kfree(rawmpi);
171 return ret;
172 }
173
> 174 int eddsa_verify(struct akcipher_request *req)
175 {
176 struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
177 struct eddsa_ctx *ctx = akcipher_tfm_ctx(tfm);
178 struct mpi_ec_ctx *ec = &ctx->ec_ctx;
179 struct gcry_mpi_point sb, ka;
180 MPI s = NULL;
181 MPI k = NULL;
182 u8 sig[CURVE25519_KEY_SIZE * 2], digest[SHA512_DIGEST_SIZE];
183 u8 *buf;
184 u32 key_size;
185 int ret = 0;
186
187 if (ctx->algo_oid != OID_ed25519)
188 return -ENOPKG;
189
190 key_size = CURVE25519_KEY_SIZE;
191
192 if (!ec->Q || req->src_len != key_size * 2)
193 return -EINVAL;
194
195 sg_copy_to_buffer(req->src, sg_nents_for_len(req->src, req->src_len),
196 sig, req->src_len);
197
198 sg_pcopy_to_buffer(req->src,
199 sg_nents_for_len(req->src,
200 req->src_len + req->dst_len),
201 digest, req->dst_len, req->src_len);
202
203 reverse_buffer(digest, SHA512_DIGEST_SIZE);
204 k = mpi_read_raw_data(digest, SHA512_DIGEST_SIZE);
205
206 reverse_buffer(sig + key_size, key_size);
207 s = mpi_read_raw_data(sig + key_size, key_size);
208
209 mpi_point_init(&sb);
210 mpi_point_init(&ka);
211
212 mpi_ec_mul_point(&sb, s, ec->G, ec);
213 mpi_ec_mul_point(&ka, k, ec->Q, ec);
214 mpi_sub(ka.x, ec->p, ka.x);
215 mpi_ec_add_points(&sb, &sb, &ka, ec);
216
217 buf = kmalloc(key_size, GFP_KERNEL);
218 if (!buf) {
219 ret = -ENOMEM;
220 goto out;
221 }
222
223 ret = ecc_eddsa_encodepoint(&sb, ec, s, k, buf, key_size);
224 if (ret)
225 goto out;
226
227 if (memcmp(buf, sig, key_size))
228 ret = -EKEYREJECTED;
229
230 out:
231 mpi_point_free_parts(&sb);
232 mpi_point_free_parts(&ka);
233 mpi_free(k);
234 mpi_free(s);
235 kfree(buf);
236 return ret;
237 }
238
239 static int eddsa_set_pub_key(struct crypto_akcipher *tfm, const void *key,
240 unsigned int keylen)
241 {
242 struct eddsa_ctx *ctx = akcipher_tfm_ctx(tfm);
243 struct mpi_ec_ctx *ec = &ctx->ec_ctx;
244 const u8 *pk = key;
245
246 if (ctx->algo_oid != OID_ed25519)
247 return -ENOPKG;
248
249 if (keylen != CURVE25519_KEY_SIZE)
250 return -EINVAL;
251
252 return ecc_eddsa_decodepoint(pk, keylen, ec, ec->Q);
253 }
254
> 255 u32 eddsa_max_size(struct crypto_akcipher *tfm)
256 {
257 struct eddsa_ctx *ctx = akcipher_tfm_ctx(tfm);
258
259 if (ctx->algo_oid == OID_ed25519)
260 return CURVE25519_KEY_SIZE;
261
262 return 0;
263 }
264
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
Download attachment ".config.gz" of type "application/gzip" (67468 bytes)
Powered by blists - more mailing lists