CC: [email protected] CC: [email protected] BCC: [email protected] CC: [email protected] TO: Nicolai Stange <[email protected]> CC: Herbert Xu <[email protected]> CC: Hannes Reinecke <[email protected]>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master head: 559089e0a93d44280ec3ab478830af319c56dbe3 commit: 1e207964566738b49b003e80063fd712af75b82c crypto: dh - implement private key generation primitive for ffdheXYZ(dh) date: 7 weeks ago :::::: branch date: 28 hours ago :::::: commit date: 7 weeks ago config: riscv-randconfig-c006-20220418 (https://download.01.org/0day-ci/archive/20220421/[email protected]/config) compiler: clang version 15.0.0 (https://github.com/llvm/llvm-project ef94609d6ebe981767788e6877b0b3b731d425af) reproduce (this is a W=1 build): wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # install riscv cross compiling tool for clang build # apt-get install binutils-riscv64-linux-gnu # https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1e207964566738b49b003e80063fd712af75b82c git remote add linus https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git git fetch --no-tags linus master git checkout 1e207964566738b49b003e80063fd712af75b82c # save the config file COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=riscv clang-analyzer If you fix the issue, kindly add following tag as appropriate Reported-by: kernel test robot <[email protected]> clang-analyzer warnings: (new ones prefixed by >>) ^ kernel/time/test_udelay.c:56:2: note: Left side of '&&' is false do_div(avg, iters); ^ include/asm-generic/div64.h:227:42: note: expanded from macro 'do_div' } else if (__builtin_constant_p(__base) && \ ^ kernel/time/test_udelay.c:56:2: note: '?' condition is false do_div(avg, iters); ^ include/asm-generic/div64.h:227:9: note: expanded from macro 'do_div' } else if (__builtin_constant_p(__base) && \ ^ include/linux/compiler.h:56:28: note: expanded from macro 'if' #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) ) ^ include/linux/compiler.h:58:31: note: expanded from macro '__trace_if_var' #define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond)) ^ kernel/time/test_udelay.c:56:2: note: Left side of '&&' is false do_div(avg, iters); ^ include/asm-generic/div64.h:227:42: note: expanded from macro 'do_div' } else if (__builtin_constant_p(__base) && \ ^ kernel/time/test_udelay.c:56:2: note: '?' condition is false do_div(avg, iters); ^ include/asm-generic/div64.h:227:9: note: expanded from macro 'do_div' } else if (__builtin_constant_p(__base) && \ ^ include/linux/compiler.h:56:28: note: expanded from macro 'if' #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) ) ^ include/linux/compiler.h:58:69: note: expanded from macro '__trace_if_var' #define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond)) ^ include/linux/compiler.h:69:2: note: expanded from macro '__trace_if_value' (cond) ? \ ^ kernel/time/test_udelay.c:56:2: note: Taking false branch do_div(avg, iters); ^ include/asm-generic/div64.h:227:9: note: expanded from macro 'do_div' } else if (__builtin_constant_p(__base) && \ ^ include/linux/compiler.h:56:23: note: expanded from macro 'if' #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) ) ^ kernel/time/test_udelay.c:56:2: note: '?' condition is false do_div(avg, iters); ^ include/asm-generic/div64.h:234:9: note: expanded from macro 'do_div' } else if (likely(((n) >> 32) == 0)) { \ ^ include/linux/compiler.h:56:28: note: expanded from macro 'if' #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) ) ^ include/linux/compiler.h:58:31: note: expanded from macro '__trace_if_var' #define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond)) ^ kernel/time/test_udelay.c:56:2: note: '?' condition is true do_div(avg, iters); ^ include/asm-generic/div64.h:234:9: note: expanded from macro 'do_div' } else if (likely(((n) >> 32) == 0)) { \ ^ include/linux/compiler.h:56:28: note: expanded from macro 'if' #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) ) ^ include/linux/compiler.h:58:69: note: expanded from macro '__trace_if_var' #define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond)) ^ include/linux/compiler.h:69:2: note: expanded from macro '__trace_if_value' (cond) ? \ ^ kernel/time/test_udelay.c:56:2: note: Taking true branch do_div(avg, iters); ^ include/asm-generic/div64.h:234:9: note: expanded from macro 'do_div' } else if (likely(((n) >> 32) == 0)) { \ ^ include/linux/compiler.h:56:23: note: expanded from macro 'if' #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) ) ^ kernel/time/test_udelay.c:56:2: note: Division by zero do_div(avg, iters); ^ include/asm-generic/div64.h:235:25: note: expanded from macro 'do_div' __rem = (uint32_t)(n) % __base; \ ~~~~~~~~~~~~~~^~~~~~~~ Suppressed 6 warnings (6 in non-user code). Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well. 7 warnings generated. Suppressed 7 warnings (7 in non-user code). Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well. 7 warnings generated. Suppressed 7 warnings (7 in non-user code). Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well. 9 warnings generated. >> crypto/dh.c:438:9: warning: Potential leak of memory pointed to by 'key' >> [clang-analyzer-unix.Malloc] return ERR_PTR(err); ^ crypto/dh.c:358:6: note: '?' condition is false n = roundup_pow_of_two(2 * safe_prime->max_strength); ^ include/linux/log2.h:176:2: note: expanded from macro 'roundup_pow_of_two' __builtin_constant_p(n) ? ( \ ^ crypto/dh.c:359:2: note: '?' condition is false WARN_ON_ONCE(n & ((1u << 6) - 1)); ^ include/asm-generic/bug.h:105:2: note: expanded from macro 'WARN_ON_ONCE' if (unlikely(__ret_warn_on)) \ ^ include/linux/compiler.h:56:28: note: expanded from macro 'if' #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) ) ^ include/linux/compiler.h:58:31: note: expanded from macro '__trace_if_var' #define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond)) ^ crypto/dh.c:359:2: note: '?' condition is true WARN_ON_ONCE(n & ((1u << 6) - 1)); ^ include/asm-generic/bug.h:105:2: note: expanded from macro 'WARN_ON_ONCE' if (unlikely(__ret_warn_on)) \ ^ include/linux/compiler.h:56:28: note: expanded from macro 'if' #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) ) ^ include/linux/compiler.h:58:69: note: expanded from macro '__trace_if_var' #define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond)) ^ include/linux/compiler.h:69:2: note: expanded from macro '__trace_if_value' (cond) ? \ ^ crypto/dh.c:359:2: note: Taking true branch WARN_ON_ONCE(n & ((1u << 6) - 1)); ^ include/asm-generic/bug.h:105:2: note: expanded from macro 'WARN_ON_ONCE' if (unlikely(__ret_warn_on)) \ ^ include/linux/compiler.h:56:23: note: expanded from macro 'if' #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) ) ^ crypto/dh.c:359:2: note: Loop condition is false. Exiting loop WARN_ON_ONCE(n & ((1u << 6) - 1)); ^ include/asm-generic/bug.h:106:3: note: expanded from macro 'WARN_ON_ONCE' __WARN_FLAGS(BUGFLAG_ONCE | \ ^ arch/riscv/include/asm/bug.h:79:29: note: expanded from macro '__WARN_FLAGS' #define __WARN_FLAGS(flags) __BUG_FLAGS(BUGFLAG_WARNING|(flags)) ^ arch/riscv/include/asm/bug.h:53:32: note: expanded from macro '__BUG_FLAGS' #define __BUG_FLAGS(flags) \ ^ crypto/dh.c:367:8: note: Memory is allocated key = kmalloc(oversampling_size, GFP_KERNEL); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ crypto/dh.c:368:6: note: Assuming 'key' is non-null if (!key) ^ include/linux/compiler.h:56:47: note: expanded from macro 'if' #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) ) ^~~~ include/linux/compiler.h:58:52: note: expanded from macro '__trace_if_var' #define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond)) ^~~~ crypto/dh.c:368:2: note: '?' condition is false if (!key) ^ include/linux/compiler.h:56:28: note: expanded from macro 'if' #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) ) ^ include/linux/compiler.h:58:31: note: expanded from macro '__trace_if_var' #define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond)) ^ crypto/dh.c:368:7: note: 'key' is non-null if (!key) ^ include/linux/compiler.h:56:47: note: expanded from macro 'if' #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) ) ^~~~ include/linux/compiler.h:58:86: note: expanded from macro '__trace_if_var' #define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond)) ^~~~ include/linux/compiler.h:69:3: note: expanded from macro '__trace_if_value' (cond) ? \ ^~~~ crypto/dh.c:368:2: note: '?' condition is false if (!key) ^ include/linux/compiler.h:56:28: note: expanded from macro 'if' #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) ) ^ include/linux/compiler.h:58:69: note: expanded from macro '__trace_if_var' #define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond)) ^ include/linux/compiler.h:69:2: note: expanded from macro '__trace_if_value' (cond) ? \ vim +/key +438 crypto/dh.c 1e207964566738 Nicolai Stange 2022-02-21 333 1e207964566738 Nicolai Stange 2022-02-21 334 static void *dh_safe_prime_gen_privkey(const struct dh_safe_prime *safe_prime, 1e207964566738 Nicolai Stange 2022-02-21 335 unsigned int *key_size) 1e207964566738 Nicolai Stange 2022-02-21 336 { 1e207964566738 Nicolai Stange 2022-02-21 337 unsigned int n, oversampling_size; 1e207964566738 Nicolai Stange 2022-02-21 338 __be64 *key; 1e207964566738 Nicolai Stange 2022-02-21 339 int err; 1e207964566738 Nicolai Stange 2022-02-21 340 u64 h, o; 1e207964566738 Nicolai Stange 2022-02-21 341 1e207964566738 Nicolai Stange 2022-02-21 342 /* 1e207964566738 Nicolai Stange 2022-02-21 343 * Generate a private key following NIST SP800-56Ar3, 1e207964566738 Nicolai Stange 2022-02-21 344 * sec. 5.6.1.1.1 and 5.6.1.1.3 resp.. 1e207964566738 Nicolai Stange 2022-02-21 345 * 1e207964566738 Nicolai Stange 2022-02-21 346 * 5.6.1.1.1: choose key length N such that 1e207964566738 Nicolai Stange 2022-02-21 347 * 2 * ->max_strength <= N <= log2(q) + 1 = ->p_size * 8 - 1 1e207964566738 Nicolai Stange 2022-02-21 348 * with q = (p - 1) / 2 for the safe-prime groups. 1e207964566738 Nicolai Stange 2022-02-21 349 * Choose the lower bound's next power of two for N in order to 1e207964566738 Nicolai Stange 2022-02-21 350 * avoid excessively large private keys while still 1e207964566738 Nicolai Stange 2022-02-21 351 * maintaining some extra reserve beyond the bare minimum in 1e207964566738 Nicolai Stange 2022-02-21 352 * most cases. Note that for each entry in safe_prime_groups[], 1e207964566738 Nicolai Stange 2022-02-21 353 * the following holds for such N: 1e207964566738 Nicolai Stange 2022-02-21 354 * - N >= 256, in particular it is a multiple of 2^6 = 64 1e207964566738 Nicolai Stange 2022-02-21 355 * bits and 1e207964566738 Nicolai Stange 2022-02-21 356 * - N < log2(q) + 1, i.e. N respects the upper bound. 1e207964566738 Nicolai Stange 2022-02-21 357 */ 1e207964566738 Nicolai Stange 2022-02-21 358 n = roundup_pow_of_two(2 * safe_prime->max_strength); 1e207964566738 Nicolai Stange 2022-02-21 359 WARN_ON_ONCE(n & ((1u << 6) - 1)); 1e207964566738 Nicolai Stange 2022-02-21 360 n >>= 6; /* Convert N into units of u64. */ 1e207964566738 Nicolai Stange 2022-02-21 361 1e207964566738 Nicolai Stange 2022-02-21 362 /* 1e207964566738 Nicolai Stange 2022-02-21 363 * Reserve one extra u64 to hold the extra random bits 1e207964566738 Nicolai Stange 2022-02-21 364 * required as per 5.6.1.1.3. 1e207964566738 Nicolai Stange 2022-02-21 365 */ 1e207964566738 Nicolai Stange 2022-02-21 366 oversampling_size = (n + 1) * sizeof(__be64); 1e207964566738 Nicolai Stange 2022-02-21 367 key = kmalloc(oversampling_size, GFP_KERNEL); 1e207964566738 Nicolai Stange 2022-02-21 368 if (!key) 1e207964566738 Nicolai Stange 2022-02-21 369 return ERR_PTR(-ENOMEM); 1e207964566738 Nicolai Stange 2022-02-21 370 1e207964566738 Nicolai Stange 2022-02-21 371 /* 1e207964566738 Nicolai Stange 2022-02-21 372 * 5.6.1.1.3, step 3 (and implicitly step 4): obtain N + 64 1e207964566738 Nicolai Stange 2022-02-21 373 * random bits and interpret them as a big endian integer. 1e207964566738 Nicolai Stange 2022-02-21 374 */ 1e207964566738 Nicolai Stange 2022-02-21 375 err = -EFAULT; 1e207964566738 Nicolai Stange 2022-02-21 376 if (crypto_get_default_rng()) 1e207964566738 Nicolai Stange 2022-02-21 377 goto out_err; 1e207964566738 Nicolai Stange 2022-02-21 378 1e207964566738 Nicolai Stange 2022-02-21 379 err = crypto_rng_get_bytes(crypto_default_rng, (u8 *)key, 1e207964566738 Nicolai Stange 2022-02-21 380 oversampling_size); 1e207964566738 Nicolai Stange 2022-02-21 381 crypto_put_default_rng(); 1e207964566738 Nicolai Stange 2022-02-21 382 if (err) 1e207964566738 Nicolai Stange 2022-02-21 383 goto out_err; 1e207964566738 Nicolai Stange 2022-02-21 384 1e207964566738 Nicolai Stange 2022-02-21 385 /* 1e207964566738 Nicolai Stange 2022-02-21 386 * 5.6.1.1.3, step 5 is implicit: 2^N < q and thus, 1e207964566738 Nicolai Stange 2022-02-21 387 * M = min(2^N, q) = 2^N. 1e207964566738 Nicolai Stange 2022-02-21 388 * 1e207964566738 Nicolai Stange 2022-02-21 389 * For step 6, calculate 1e207964566738 Nicolai Stange 2022-02-21 390 * key = (key[] mod (M - 1)) + 1 = (key[] mod (2^N - 1)) + 1. 1e207964566738 Nicolai Stange 2022-02-21 391 * 1e207964566738 Nicolai Stange 2022-02-21 392 * In order to avoid expensive divisions, note that 1e207964566738 Nicolai Stange 2022-02-21 393 * 2^N mod (2^N - 1) = 1 and thus, for any integer h, 1e207964566738 Nicolai Stange 2022-02-21 394 * 2^N * h mod (2^N - 1) = h mod (2^N - 1) always holds. 1e207964566738 Nicolai Stange 2022-02-21 395 * The big endian integer key[] composed of n + 1 64bit words 1e207964566738 Nicolai Stange 2022-02-21 396 * may be written as key[] = h * 2^N + l, with h = key[0] 1e207964566738 Nicolai Stange 2022-02-21 397 * representing the 64 most significant bits and l 1e207964566738 Nicolai Stange 2022-02-21 398 * corresponding to the remaining 2^N bits. With the remark 1e207964566738 Nicolai Stange 2022-02-21 399 * from above, 1e207964566738 Nicolai Stange 2022-02-21 400 * h * 2^N + l mod (2^N - 1) = l + h mod (2^N - 1). 1e207964566738 Nicolai Stange 2022-02-21 401 * As both, l and h are less than 2^N, their sum after 1e207964566738 Nicolai Stange 2022-02-21 402 * this first reduction is guaranteed to be <= 2^(N + 1) - 2. 1e207964566738 Nicolai Stange 2022-02-21 403 * Or equivalently, that their sum can again be written as 1e207964566738 Nicolai Stange 2022-02-21 404 * h' * 2^N + l' with h' now either zero or one and if one, 1e207964566738 Nicolai Stange 2022-02-21 405 * then l' <= 2^N - 2. Thus, all bits at positions >= N will 1e207964566738 Nicolai Stange 2022-02-21 406 * be zero after a second reduction: 1e207964566738 Nicolai Stange 2022-02-21 407 * h' * 2^N + l' mod (2^N - 1) = l' + h' mod (2^N - 1). 1e207964566738 Nicolai Stange 2022-02-21 408 * At this point, it is still possible that 1e207964566738 Nicolai Stange 2022-02-21 409 * l' + h' = 2^N - 1, i.e. that l' + h' mod (2^N - 1) 1e207964566738 Nicolai Stange 2022-02-21 410 * is zero. This condition will be detected below by means of 1e207964566738 Nicolai Stange 2022-02-21 411 * the final increment overflowing in this case. 1e207964566738 Nicolai Stange 2022-02-21 412 */ 1e207964566738 Nicolai Stange 2022-02-21 413 h = be64_to_cpu(key[0]); 1e207964566738 Nicolai Stange 2022-02-21 414 h = __add_u64_to_be(key + 1, n, h); 1e207964566738 Nicolai Stange 2022-02-21 415 h = __add_u64_to_be(key + 1, n, h); 1e207964566738 Nicolai Stange 2022-02-21 416 WARN_ON_ONCE(h); 1e207964566738 Nicolai Stange 2022-02-21 417 1e207964566738 Nicolai Stange 2022-02-21 418 /* Increment to obtain the final result. */ 1e207964566738 Nicolai Stange 2022-02-21 419 o = __add_u64_to_be(key + 1, n, 1); 1e207964566738 Nicolai Stange 2022-02-21 420 /* 1e207964566738 Nicolai Stange 2022-02-21 421 * The overflow bit o from the increment is either zero or 1e207964566738 Nicolai Stange 2022-02-21 422 * one. If zero, key[1:n] holds the final result in big-endian 1e207964566738 Nicolai Stange 2022-02-21 423 * order. If one, key[1:n] is zero now, but needs to be set to 1e207964566738 Nicolai Stange 2022-02-21 424 * one, c.f. above. 1e207964566738 Nicolai Stange 2022-02-21 425 */ 1e207964566738 Nicolai Stange 2022-02-21 426 if (o) 1e207964566738 Nicolai Stange 2022-02-21 427 key[n] = cpu_to_be64(1); 1e207964566738 Nicolai Stange 2022-02-21 428 1e207964566738 Nicolai Stange 2022-02-21 429 /* n is in units of u64, convert to bytes. */ 1e207964566738 Nicolai Stange 2022-02-21 430 *key_size = n << 3; 1e207964566738 Nicolai Stange 2022-02-21 431 /* Strip the leading extra __be64, which is (virtually) zero by now. */ 1e207964566738 Nicolai Stange 2022-02-21 432 memmove(key, &key[1], *key_size); 1e207964566738 Nicolai Stange 2022-02-21 433 1e207964566738 Nicolai Stange 2022-02-21 434 return key; 1e207964566738 Nicolai Stange 2022-02-21 435 1e207964566738 Nicolai Stange 2022-02-21 436 out_err: 1e207964566738 Nicolai Stange 2022-02-21 437 kfree_sensitive(key); 1e207964566738 Nicolai Stange 2022-02-21 @438 return ERR_PTR(err); 1e207964566738 Nicolai Stange 2022-02-21 439 } 1e207964566738 Nicolai Stange 2022-02-21 440 -- 0-DAY CI Kernel Test Service https://01.org/lkp _______________________________________________ kbuild mailing list -- [email protected] To unsubscribe send an email to [email protected]
