From nobody Tue Sep 9 16:20:08 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7D2A227FD59; Sat, 6 Sep 2025 21:36:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757194617; cv=none; b=qIY0gWgI/yKFxEqYptjonFSYORRDOUYi7IybYubqkEHqTCeaTsfJa2jpczawe0s8TacwuTGIn+Oa+CnVMnmysxDKAScurpv7VZ72i/drQ4NYVLaabH7SkXD8nFkISdYpzyP+F7cL8iBbPTscxrBaUwZuLV7Yzii2wHMI0I8f2d0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757194617; c=relaxed/simple; bh=CFS9vz2j53OJuYoHCdlJXzd7e3S1AiCj+N0kF7V3qPc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=GvJb/Hku2SBN8LNgphKb4TP6Z6OE0bMRfFVMJvUe3j3cQiXYGItKmO+ivjgcqyTHmsDmhvl4Y+08INERMvd8VtzHAVYb0lpHMisLnz2JXgLQXux5pwnWNYJ9UvhLIy9V7SVb0qwY0/vUWZ/WBuNWvxul3eo8u5H1YhzGjZTZV28= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=Zs5puN8p; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="Zs5puN8p" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6CE7CC4CEFA; Sat, 6 Sep 2025 21:36:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1757194617; bh=CFS9vz2j53OJuYoHCdlJXzd7e3S1AiCj+N0kF7V3qPc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Zs5puN8pqaOPgtrBfVXKlTfrEhUBE756cy4wCcnvWE7esCjF58CBQe7T9DGs6C+FN NRjphBZ3jEA6uG7FN2xW/fJsPigCNpuARrU0qje0OiJBjicIhy0zG6yBxEly8GkNkD AosRBrS3mviIH/RVdqWKomqs5vkBOXQAcfOgzYqyzKcS+i1fhFwXjKIVQhQi1O52dy HgMkUyC6d6jfqRFfPbkXxy9nasSFJ810CUYgOhHlpBbRERqMXTg9ci01xNnqSoCpBz 
67c2aSS2y7iu57N4Wpe3Qwkphkpzmydtp0wJ+EB7F9oBI7RtCT6i5qvqfzGgKv2XfM eXQFYEQUK3g1Q== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , Zhiqi Song , Longfang Liu , x86@kernel.org, linux-arm-kernel@lists.infradead.org, linuxppc-dev@lists.ozlabs.org, Eric Biggers Subject: [PATCH v2 01/12] crypto: hisilicon/hpre - Remove unused curve25519 kpp support Date: Sat, 6 Sep 2025 14:35:12 -0700 Message-ID: <20250906213523.84915-2-ebiggers@kernel.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250906213523.84915-1-ebiggers@kernel.org> References: <20250906213523.84915-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Curve25519 is used only via the library API, not the crypto_kpp API. In preparation for removing the unused crypto_kpp API for Curve25519, remove the unused "hpre-curve25519" kpp algorithm. Cc: Longfang Liu Cc: Zhiqi Song Signed-off-by: Eric Biggers --- drivers/crypto/hisilicon/Kconfig | 1 - drivers/crypto/hisilicon/hpre/hpre_crypto.c | 403 +------------------- 2 files changed, 4 insertions(+), 400 deletions(-) diff --git a/drivers/crypto/hisilicon/Kconfig b/drivers/crypto/hisilicon/Kc= onfig index 4137a8bf131f0..4835bdebdbb38 100644 --- a/drivers/crypto/hisilicon/Kconfig +++ b/drivers/crypto/hisilicon/Kconfig @@ -67,11 +67,10 @@ config CRYPTO_DEV_HISI_HPRE depends on ARM64 || (COMPILE_TEST && 64BIT) depends on ACPI select CRYPTO_DEV_HISI_QM select CRYPTO_DH select CRYPTO_RSA - select CRYPTO_CURVE25519 select CRYPTO_ECDH help Support for HiSilicon HPRE(High Performance RSA Engine) accelerator, which can accelerate RSA and DH algorithms. =20 diff --git a/drivers/crypto/hisilicon/hpre/hpre_crypto.c b/drivers/crypto/h= isilicon/hpre/hpre_crypto.c index 1550c3818383a..21ccf879f70c5 100644 
--- a/drivers/crypto/hisilicon/hpre/hpre_crypto.c +++ b/drivers/crypto/hisilicon/hpre/hpre_crypto.c @@ -1,9 +1,8 @@ // SPDX-License-Identifier: GPL-2.0 /* Copyright (c) 2019 HiSilicon Limited. */ #include -#include #include #include #include #include #include @@ -104,20 +103,10 @@ struct hpre_ecdh_ctx { /* low address: x->y */ unsigned char *g; dma_addr_t dma_g; }; =20 -struct hpre_curve25519_ctx { - /* low address: p->a->k */ - unsigned char *p; - dma_addr_t dma_p; - - /* gx coordinate */ - unsigned char *g; - dma_addr_t dma_g; -}; - struct hpre_ctx { struct hisi_qp *qp; struct device *dev; struct hpre_asym_request **req_list; struct hpre *hpre; @@ -127,11 +116,10 @@ struct hpre_ctx { struct idr req_idr; union { struct hpre_rsa_ctx rsa; struct hpre_dh_ctx dh; struct hpre_ecdh_ctx ecdh; - struct hpre_curve25519_ctx curve25519; }; /* for ecc algorithms */ unsigned int curve_id; /* for high performance core */ u8 enable_hpcore; @@ -144,11 +132,10 @@ struct hpre_asym_request { struct hpre_ctx *ctx; union { struct akcipher_request *rsa; struct kpp_request *dh; struct kpp_request *ecdh; - struct kpp_request *curve25519; } areq; int err; int req_id; hpre_cb cb; struct timespec64 req_time; 
@@ -1212,31 +1199,24 @@ static void hpre_key_to_big_end(u8 *data, int len) j =3D len - i - 1; swap(data[j], data[i]); } } =20 -static void hpre_ecc_clear_ctx(struct hpre_ctx *ctx, bool is_clear_all, - bool is_ecdh) +static void hpre_ecc_clear_ctx(struct hpre_ctx *ctx, bool is_clear_all) { struct device *dev =3D ctx->dev; unsigned int sz =3D ctx->key_sz; unsigned int shift =3D sz << 1; =20 if (is_clear_all) hisi_qm_stop_qp(ctx->qp); =20 - if (is_ecdh && ctx->ecdh.p) { + if (ctx->ecdh.p) { /* ecdh: p->a->k->b */ memzero_explicit(ctx->ecdh.p + shift, sz); dma_free_coherent(dev, sz << 3, ctx->ecdh.p, ctx->ecdh.dma_p); ctx->ecdh.p =3D NULL; - } else if (!is_ecdh && ctx->curve25519.p) { - /* curve25519: p->a->k */ - memzero_explicit(ctx->curve25519.p + shift, sz); - dma_free_coherent(dev, sz << 2, ctx->curve25519.p, - ctx->curve25519.dma_p); - ctx->curve25519.p =3D NULL; } =20 hpre_ctx_clear(ctx, is_clear_all); } =20 @@ -1430,11 +1410,11 @@ static int hpre_ecdh_set_secret(struct crypto_kpp *= tfm, const void *buf, if (hpre_key_is_zero(params.key, params.key_size)) { dev_err(dev, "Invalid hpre key!\n"); return -EINVAL; } =20 - hpre_ecc_clear_ctx(ctx, false, true); + hpre_ecc_clear_ctx(ctx, false); =20 ret =3D hpre_ecdh_set_param(ctx, ¶ms); if (ret < 0) { dev_err(dev, "failed to set hpre param, ret =3D %d!\n", ret); return ret; 
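Review bot: in the hpre_ecc_clear_ctx() hunk the remaining `if (ctx->ecdh.p)` branch is now the only layout the helper knows about, so the `/* ecdh: p->a->k->b */` comment and the generic "ecc" name no longer match each other; consider renaming the helper to hpre_ecdh_clear_ctx() (or moving the comment above the `if`) so a reader does not look for the second ECC variant the dropped `is_ecdh` parameter used to select. The signature change itself is complete: every caller visible in this patch (hpre_ecdh_set_secret, hpre_ecdh_exit_tfm, and the removed curve25519 set_secret/exit_tfm paths) is updated, and `dev`, `sz` and `shift` are all still consumed by the memzero_explicit()/dma_free_coherent() pair, so no dead locals are left behind.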
@@ -1681,341 +1661,11 @@ static int hpre_ecdh_nist_p384_init_tfm(struct cry= pto_kpp *tfm) =20 static void hpre_ecdh_exit_tfm(struct crypto_kpp *tfm) { struct hpre_ctx *ctx =3D kpp_tfm_ctx(tfm); =20 - hpre_ecc_clear_ctx(ctx, true, true); -} - -static void hpre_curve25519_fill_curve(struct hpre_ctx *ctx, const void *b= uf, - unsigned int len) -{ - u8 secret[CURVE25519_KEY_SIZE] =3D { 0 }; - unsigned int sz =3D ctx->key_sz; - const struct ecc_curve *curve; - unsigned int shift =3D sz << 1; - void *p; - - /* - * The key from 'buf' is in little-endian, we should preprocess it as - * the description in rfc7748: "k[0] &=3D 248, k[31] &=3D 127, k[31] |=3D= 64", - * then convert it to big endian. Only in this way, the result can be - * the same as the software curve-25519 that exists in crypto. - */ - memcpy(secret, buf, len); - curve25519_clamp_secret(secret); - hpre_key_to_big_end(secret, CURVE25519_KEY_SIZE); - - p =3D ctx->curve25519.p + sz - len; - - curve =3D ecc_get_curve25519(); - - /* fill curve parameters */ - fill_curve_param(p, curve->p, len, curve->g.ndigits); - fill_curve_param(p + sz, curve->a, len, curve->g.ndigits); - memcpy(p + shift, secret, len); - fill_curve_param(p + shift + sz, curve->g.x, len, curve->g.ndigits); - memzero_explicit(secret, CURVE25519_KEY_SIZE); -} - -static int hpre_curve25519_set_param(struct hpre_ctx *ctx, const void *buf, - unsigned int len) -{ - struct device *dev =3D ctx->dev; - unsigned int sz =3D ctx->key_sz; - unsigned int shift =3D sz << 1; - - /* p->a->k->gx */ - if (!ctx->curve25519.p) { - ctx->curve25519.p =3D dma_alloc_coherent(dev, sz << 2, - &ctx->curve25519.dma_p, - GFP_KERNEL); - if (!ctx->curve25519.p) - return -ENOMEM; - } - - ctx->curve25519.g =3D ctx->curve25519.p + shift + sz; - ctx->curve25519.dma_g =3D ctx->curve25519.dma_p + shift + sz; - - hpre_curve25519_fill_curve(ctx, buf, len); - - return 0; -} - -static int hpre_curve25519_set_secret(struct crypto_kpp *tfm, const void *= buf, - unsigned int len) -{ - 
struct hpre_ctx *ctx =3D kpp_tfm_ctx(tfm); - struct device *dev =3D ctx->dev; - int ret =3D -EINVAL; - - if (len !=3D CURVE25519_KEY_SIZE || - !crypto_memneq(buf, curve25519_null_point, CURVE25519_KEY_SIZE)) { - dev_err(dev, "key is null or key len is not 32bytes!\n"); - return ret; - } - - /* Free old secret if any */ - hpre_ecc_clear_ctx(ctx, false, false); - - ctx->key_sz =3D CURVE25519_KEY_SIZE; - ret =3D hpre_curve25519_set_param(ctx, buf, CURVE25519_KEY_SIZE); - if (ret) { - dev_err(dev, "failed to set curve25519 param, ret =3D %d!\n", ret); - hpre_ecc_clear_ctx(ctx, false, false); - return ret; - } - - return 0; -} - -static void hpre_curve25519_hw_data_clr_all(struct hpre_ctx *ctx, - struct hpre_asym_request *req, - struct scatterlist *dst, - struct scatterlist *src) -{ - struct device *dev =3D ctx->dev; - struct hpre_sqe *sqe =3D &req->req; - dma_addr_t dma; - - dma =3D le64_to_cpu(sqe->in); - if (unlikely(dma_mapping_error(dev, dma))) - return; - - if (src && req->src) - dma_free_coherent(dev, ctx->key_sz, req->src, dma); - - dma =3D le64_to_cpu(sqe->out); - if (unlikely(dma_mapping_error(dev, dma))) - return; - - if (req->dst) - dma_free_coherent(dev, ctx->key_sz, req->dst, dma); - if (dst) - dma_unmap_single(dev, dma, ctx->key_sz, DMA_FROM_DEVICE); -} - -static void hpre_curve25519_cb(struct hpre_ctx *ctx, void *resp) -{ - struct hpre_dfx *dfx =3D ctx->hpre->debug.dfx; - struct hpre_asym_request *req =3D NULL; - struct kpp_request *areq; - u64 overtime_thrhld; - int ret; - - ret =3D hpre_alg_res_post_hf(ctx, resp, (void **)&req); - areq =3D req->areq.curve25519; - areq->dst_len =3D ctx->key_sz; - - overtime_thrhld =3D atomic64_read(&dfx[HPRE_OVERTIME_THRHLD].value); - if (overtime_thrhld && hpre_is_bd_timeout(req, overtime_thrhld)) - atomic64_inc(&dfx[HPRE_OVER_THRHLD_CNT].value); - - /* Do unmap before data processing */ - hpre_curve25519_hw_data_clr_all(ctx, req, areq->dst, areq->src); - - hpre_key_to_big_end(sg_virt(areq->dst), CURVE25519_KEY_SIZE); 
- - kpp_request_complete(areq, ret); - - atomic64_inc(&dfx[HPRE_RECV_CNT].value); -} - -static int hpre_curve25519_msg_request_set(struct hpre_ctx *ctx, - struct kpp_request *req) -{ - struct hpre_asym_request *h_req; - struct hpre_sqe *msg; - int req_id; - void *tmp; - - if (unlikely(req->dst_len < ctx->key_sz)) { - req->dst_len =3D ctx->key_sz; - return -EINVAL; - } - - tmp =3D kpp_request_ctx(req); - h_req =3D PTR_ALIGN(tmp, hpre_align_sz()); - h_req->cb =3D hpre_curve25519_cb; - h_req->areq.curve25519 =3D req; - msg =3D &h_req->req; - memset(msg, 0, sizeof(*msg)); - msg->in =3D cpu_to_le64(DMA_MAPPING_ERROR); - msg->out =3D cpu_to_le64(DMA_MAPPING_ERROR); - msg->key =3D cpu_to_le64(ctx->curve25519.dma_p); - - msg->dw0 |=3D cpu_to_le32(0x1U << HPRE_SQE_DONE_SHIFT); - msg->task_len1 =3D (ctx->key_sz >> HPRE_BITS_2_BYTES_SHIFT) - 1; - h_req->ctx =3D ctx; - - req_id =3D hpre_add_req_to_ctx(h_req); - if (req_id < 0) - return -EBUSY; - - msg->tag =3D cpu_to_le16((u16)req_id); - return 0; -} - -static void hpre_curve25519_src_modulo_p(u8 *ptr) -{ - int i; - - for (i =3D 0; i < CURVE25519_KEY_SIZE - 1; i++) - ptr[i] =3D 0; - - /* The modulus is ptr's last byte minus '0xed'(last byte of p) */ - ptr[i] -=3D 0xed; -} - -static int hpre_curve25519_src_init(struct hpre_asym_request *hpre_req, - struct scatterlist *data, unsigned int len) -{ - struct hpre_sqe *msg =3D &hpre_req->req; - struct hpre_ctx *ctx =3D hpre_req->ctx; - struct device *dev =3D ctx->dev; - u8 p[CURVE25519_KEY_SIZE] =3D { 0 }; - const struct ecc_curve *curve; - dma_addr_t dma =3D 0; - u8 *ptr; - - if (len !=3D CURVE25519_KEY_SIZE) { - dev_err(dev, "sourc_data len is not 32bytes, len =3D %u!\n", len); - return -EINVAL; - } - - ptr =3D dma_alloc_coherent(dev, ctx->key_sz, &dma, GFP_KERNEL); - if (unlikely(!ptr)) - return -ENOMEM; - - scatterwalk_map_and_copy(ptr, data, 0, len, 0); - - if (!crypto_memneq(ptr, curve25519_null_point, CURVE25519_KEY_SIZE)) { - dev_err(dev, "gx is null!\n"); - goto err; - } - - 
/* - * Src_data(gx) is in little-endian order, MSB in the final byte should - * be masked as described in RFC7748, then transform it to big-endian - * form, then hisi_hpre can use the data. - */ - ptr[31] &=3D 0x7f; - hpre_key_to_big_end(ptr, CURVE25519_KEY_SIZE); - - curve =3D ecc_get_curve25519(); - - fill_curve_param(p, curve->p, CURVE25519_KEY_SIZE, curve->g.ndigits); - - /* - * When src_data equals (2^255 - 19) ~ (2^255 - 1), it is out of p, - * we get its modulus to p, and then use it. - */ - if (memcmp(ptr, p, ctx->key_sz) =3D=3D 0) { - dev_err(dev, "gx is p!\n"); - goto err; - } else if (memcmp(ptr, p, ctx->key_sz) > 0) { - hpre_curve25519_src_modulo_p(ptr); - } - - hpre_req->src =3D ptr; - msg->in =3D cpu_to_le64(dma); - return 0; - -err: - dma_free_coherent(dev, ctx->key_sz, ptr, dma); - return -EINVAL; -} - -static int hpre_curve25519_dst_init(struct hpre_asym_request *hpre_req, - struct scatterlist *data, unsigned int len) -{ - struct hpre_sqe *msg =3D &hpre_req->req; - struct hpre_ctx *ctx =3D hpre_req->ctx; - struct device *dev =3D ctx->dev; - dma_addr_t dma; - - if (!data || !sg_is_last(data) || len !=3D ctx->key_sz) { - dev_err(dev, "data or data length is illegal!\n"); - return -EINVAL; - } - - hpre_req->dst =3D NULL; - dma =3D dma_map_single(dev, sg_virt(data), len, DMA_FROM_DEVICE); - if (unlikely(dma_mapping_error(dev, dma))) { - dev_err(dev, "dma map data err!\n"); - return -ENOMEM; - } - - msg->out =3D cpu_to_le64(dma); - return 0; -} - -static int hpre_curve25519_compute_value(struct kpp_request *req) -{ - struct crypto_kpp *tfm =3D crypto_kpp_reqtfm(req); - struct hpre_ctx *ctx =3D kpp_tfm_ctx(tfm); - struct device *dev =3D ctx->dev; - void *tmp =3D kpp_request_ctx(req); - struct hpre_asym_request *hpre_req =3D PTR_ALIGN(tmp, hpre_align_sz()); - struct hpre_sqe *msg =3D &hpre_req->req; - int ret; - - ret =3D hpre_curve25519_msg_request_set(ctx, req); - if (unlikely(ret)) { - dev_err(dev, "failed to set curve25519 request, ret =3D %d!\n", 
ret); - return ret; - } - - if (req->src) { - ret =3D hpre_curve25519_src_init(hpre_req, req->src, req->src_len); - if (unlikely(ret)) { - dev_err(dev, "failed to init src data, ret =3D %d!\n", - ret); - goto clear_all; - } - } else { - msg->in =3D cpu_to_le64(ctx->curve25519.dma_g); - } - - ret =3D hpre_curve25519_dst_init(hpre_req, req->dst, req->dst_len); - if (unlikely(ret)) { - dev_err(dev, "failed to init dst data, ret =3D %d!\n", ret); - goto clear_all; - } - - msg->dw0 =3D cpu_to_le32(le32_to_cpu(msg->dw0) | HPRE_ALG_CURVE25519_MUL); - ret =3D hpre_send(ctx, msg); - if (likely(!ret)) - return -EINPROGRESS; - -clear_all: - hpre_rm_req_from_ctx(hpre_req); - hpre_curve25519_hw_data_clr_all(ctx, hpre_req, req->dst, req->src); - return ret; -} - -static unsigned int hpre_curve25519_max_size(struct crypto_kpp *tfm) -{ - struct hpre_ctx *ctx =3D kpp_tfm_ctx(tfm); - - return ctx->key_sz; -} - -static int hpre_curve25519_init_tfm(struct crypto_kpp *tfm) -{ - struct hpre_ctx *ctx =3D kpp_tfm_ctx(tfm); - - kpp_set_reqsize(tfm, sizeof(struct hpre_asym_request) + hpre_align_pd()); - - return hpre_ctx_init(ctx, HPRE_V3_ECC_ALG_TYPE); -} - -static void hpre_curve25519_exit_tfm(struct crypto_kpp *tfm) -{ - struct hpre_ctx *ctx =3D kpp_tfm_ctx(tfm); - - hpre_ecc_clear_ctx(ctx, true, false); + hpre_ecc_clear_ctx(ctx, true); } =20 static struct akcipher_alg rsa =3D { .encrypt =3D hpre_rsa_enc, .decrypt =3D hpre_rsa_dec, 
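Review bot: HPRE_ALG_CURVE25519_MUL loses its only user in this file once hpre_curve25519_compute_value() goes (`msg->dw0 = cpu_to_le32(le32_to_cpu(msg->dw0) | HPRE_ALG_CURVE25519_MUL)` was the sole OR-in of that opcode); check whether the define still has a reference elsewhere in the driver and, if not, drop it in the same patch rather than leaving an unused hardware opcode constant. HPRE_V3_ECC_ALG_TYPE is different: it was passed by the removed hpre_curve25519_init_tfm() but is shared with the ECDH init path, so it stays.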
@@ -2093,26 +1743,10 @@ static struct kpp_alg ecdh_curves[] =3D { .cra_module =3D THIS_MODULE, }, } }; =20 -static struct kpp_alg curve25519_alg =3D { - .set_secret =3D hpre_curve25519_set_secret, - .generate_public_key =3D hpre_curve25519_compute_value, - .compute_shared_secret =3D hpre_curve25519_compute_value, - .max_size =3D hpre_curve25519_max_size, - .init =3D hpre_curve25519_init_tfm, - .exit =3D hpre_curve25519_exit_tfm, - .base =3D { - .cra_ctxsize =3D sizeof(struct hpre_ctx), - .cra_priority =3D HPRE_CRYPTO_ALG_PRI, - .cra_name =3D "curve25519", - .cra_driver_name =3D "hpre-curve25519", - .cra_module =3D THIS_MODULE, - }, -}; - static int hpre_register_rsa(struct hisi_qm *qm) { int ret; =20 if (!hpre_check_alg_support(qm, HPRE_DRV_RSA_MASK_CAP)) @@ -2190,32 +1824,10 @@ static void hpre_unregister_ecdh(struct hisi_qm *qm) =20 for (i =3D ARRAY_SIZE(ecdh_curves) - 1; i >=3D 0; --i) crypto_unregister_kpp(&ecdh_curves[i]); } =20 -static int hpre_register_x25519(struct hisi_qm *qm) -{ - int ret; - - if (!hpre_check_alg_support(qm, HPRE_DRV_X25519_MASK_CAP)) - return 0; - - ret =3D crypto_register_kpp(&curve25519_alg); - if (ret) - dev_err(&qm->pdev->dev, "failed to register x25519 (%d)!\n", ret); - - return ret; -} - -static void hpre_unregister_x25519(struct hisi_qm *qm) -{ - if (!hpre_check_alg_support(qm, HPRE_DRV_X25519_MASK_CAP)) - return; - - crypto_unregister_kpp(&curve25519_alg); -} - int hpre_algs_register(struct hisi_qm *qm) { int ret =3D 0; =20 mutex_lock(&hpre_algs_lock); @@ -2234,21 +1846,15 @@ int hpre_algs_register(struct hisi_qm *qm) =20 ret =3D hpre_register_ecdh(qm); if (ret) goto unreg_dh; =20 - ret =3D hpre_register_x25519(qm); - if (ret) - goto unreg_ecdh; - hpre_available_devs++; mutex_unlock(&hpre_algs_lock); =20 return ret; =20 -unreg_ecdh: - hpre_unregister_ecdh(qm); unreg_dh: hpre_unregister_dh(qm); unreg_rsa: hpre_unregister_rsa(qm); unlock: 
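Review bot: the hpre_algs_register() unwind path is still correct after this hunk: the `unreg_ecdh` label is deleted together with its only `goto`, and a failing hpre_register_ecdh() still unwinds through `unreg_dh` and `unreg_rsa` as before. One loose end is HPRE_DRV_X25519_MASK_CAP, which was referenced only by the removed hpre_register_x25519()/hpre_unregister_x25519() pair; if hpre_check_alg_support() has no other consumer of that bit, remove the define alongside this change, otherwise keep it with a one-line comment saying the capability is reported by the hardware but no longer registered with the crypto API.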
@@ -2260,11 +1866,10 @@ void hpre_algs_unregister(struct hisi_qm *qm) { mutex_lock(&hpre_algs_lock); if (--hpre_available_devs) goto unlock; =20 - hpre_unregister_x25519(qm); hpre_unregister_ecdh(qm); hpre_unregister_dh(qm); hpre_unregister_rsa(qm); =20 unlock: --=20 2.50.1 From nobody Tue Sep 9 16:20:08 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A42F12882C5; Sat, 6 Sep 2025 21:36:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757194618; cv=none; b=SBYoQqihIYA78SCVt+lZCLB8SJxU8vF6KqvCilzSdJR4NUb5xbEmu4ccZfromakU5KqHCGobDJE92Ev3xVlk+zmio1oswu9B7oMkzSr6xqYPGJNgWP12MENV4U1fQEDdQqlMZcHBW+pXD6f5ea0+/KM9HcXT7QlCFyoywa25R0I= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757194618; c=relaxed/simple; bh=65bERrm6Cr6LAIUiJbaJGscz/JpMgV2DYwvlkxe3SoQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=uUkIyk8c+qQbZnAuScEQSyidFtiIBHZGO6EITf8SRQMqc0mEGRU/z7wp+I10oqqMGFMofJDvwkUHS+mO3/tHiV/rCZsEkt+ymIDKI0xC1y7++OQRg8CQhHtYz5PyJzHmAyWbX/SlUYcUuUvge360qRJFEOD6sV0/yP0EihQ4wx4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=K2ZCkNnL; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="K2ZCkNnL" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 82FD5C4CEF5; Sat, 6 Sep 2025 21:36:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1757194618; bh=65bERrm6Cr6LAIUiJbaJGscz/JpMgV2DYwvlkxe3SoQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; 
b=K2ZCkNnLRcwhugFHUVY+bVqzNXoytm1m2TnBvPwvhftsxchX8Kb5jAumolGSbDgBj aIaOI3CSe002OhewhRzbrwqOsUuFxl4hbXqBeYcfzikBGpYNPVvqelRW83dlFbOnfE RM1FOu9/mrtAtYbfy4ZoakTdS9NLmbYs9n14YTXNKXfX32G6YYH3LN73XbfAMeov4s IdmjVEHYZTEmvu7t59wrErJaCUji9VfLQb4d7bVS/RuqChf4hfYMIpEotGPlvEH42F 66kNJ+IEGZAs8ysvMFUjZnUjchni99pVXJBW9cXB8OaFKglwKro9F3r4OGSmsMFBLE 1r4ipNxwVelQQ== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , Zhiqi Song , Longfang Liu , x86@kernel.org, linux-arm-kernel@lists.infradead.org, linuxppc-dev@lists.ozlabs.org, Eric Biggers Subject: [PATCH v2 02/12] crypto: arm/curve25519 - Remove unused kpp support Date: Sat, 6 Sep 2025 14:35:13 -0700 Message-ID: <20250906213523.84915-3-ebiggers@kernel.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250906213523.84915-1-ebiggers@kernel.org> References: <20250906213523.84915-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Curve25519 is used only via the library API, not the crypto_kpp API. In preparation for removing the unused crypto_kpp API for Curve25519, remove the unused "curve25519-neon" kpp algorithm. Note that the underlying NEON optimized Curve25519 code remains fully supported and accessible via the library API. It's also worth noting that even if the kpp support for Curve25519 comes back later, there is no need for arch-specific kpp glue code like this, as a single kpp algorithm that wraps the library API is sufficient. Signed-off-by: Eric Biggers --- arch/arm/crypto/Kconfig | 1 - arch/arm/crypto/curve25519-glue.c | 77 +------------------------------ 2 files changed, 1 insertion(+), 77 deletions(-) diff --git a/arch/arm/crypto/Kconfig b/arch/arm/crypto/Kconfig index 1e5f3cdf691c4..97718d86f6007 100644 --- a/arch/arm/crypto/Kconfig +++ b/arch/arm/crypto/Kconfig 
@@ -3,11 +3,10 @@ menu "Accelerated Cryptographic Algorithms for CPU (arm)" =20 config CRYPTO_CURVE25519_NEON tristate depends on KERNEL_MODE_NEON - select CRYPTO_KPP select CRYPTO_LIB_CURVE25519_GENERIC select CRYPTO_ARCH_HAVE_LIB_CURVE25519 default CRYPTO_LIB_CURVE25519_INTERNAL help Curve25519 algorithm diff --git a/arch/arm/crypto/curve25519-glue.c b/arch/arm/crypto/curve25519= -glue.c index e7b87e09dd99f..3076020d8fbeb 100644 --- a/arch/arm/crypto/curve25519-glue.c +++ b/arch/arm/crypto/curve25519-glue.c @@ -8,17 +8,15 @@ */ =20 #include #include #include -#include #include #include #include #include #include -#include #include =20 asmlinkage void curve25519_neon(u8 mypublic[CURVE25519_KEY_SIZE], const u8 secret[CURVE25519_KEY_SIZE], const u8 basepoint[CURVE25519_KEY_SIZE]); 
@@ -44,94 +42,21 @@ void curve25519_base_arch(u8 pub[CURVE25519_KEY_SIZE], { return curve25519_arch(pub, secret, curve25519_base_point); } EXPORT_SYMBOL(curve25519_base_arch); =20 -static int curve25519_set_secret(struct crypto_kpp *tfm, const void *buf, - unsigned int len) -{ - u8 *secret =3D kpp_tfm_ctx(tfm); - - if (!len) - curve25519_generate_secret(secret); - else if (len =3D=3D CURVE25519_KEY_SIZE && - crypto_memneq(buf, curve25519_null_point, CURVE25519_KEY_SIZE)) - memcpy(secret, buf, CURVE25519_KEY_SIZE); - else - return -EINVAL; - return 0; -} - -static int curve25519_compute_value(struct kpp_request *req) -{ - struct crypto_kpp *tfm =3D crypto_kpp_reqtfm(req); - const u8 *secret =3D kpp_tfm_ctx(tfm); - u8 public_key[CURVE25519_KEY_SIZE]; - u8 buf[CURVE25519_KEY_SIZE]; - int copied, nbytes; - u8 const *bp; - - if (req->src) { - copied =3D sg_copy_to_buffer(req->src, - sg_nents_for_len(req->src, - CURVE25519_KEY_SIZE), - public_key, CURVE25519_KEY_SIZE); - if (copied !=3D CURVE25519_KEY_SIZE) - return -EINVAL; - bp =3D public_key; - } else { - bp =3D curve25519_base_point; - } - - curve25519_arch(buf, secret, bp); - - /* might want less than we've got */ - nbytes =3D min_t(size_t, CURVE25519_KEY_SIZE, req->dst_len); - copied =3D sg_copy_from_buffer(req->dst, sg_nents_for_len(req->dst, - nbytes), - buf, nbytes); - if (copied !=3D nbytes) - return -EINVAL; - return 0; -} - -static unsigned int curve25519_max_size(struct crypto_kpp *tfm) -{ - return CURVE25519_KEY_SIZE; -} - -static struct kpp_alg curve25519_alg =3D { - .base.cra_name =3D "curve25519", - .base.cra_driver_name =3D "curve25519-neon", - .base.cra_priority =3D 200, - .base.cra_module =3D THIS_MODULE, - .base.cra_ctxsize =3D CURVE25519_KEY_SIZE, - - .set_secret =3D curve25519_set_secret, - .generate_public_key =3D curve25519_compute_value, - .compute_shared_secret =3D curve25519_compute_value, - .max_size =3D curve25519_max_size, -}; - static int __init arm_curve25519_init(void) { - if (elf_hwcap 
& HWCAP_NEON) { + if (elf_hwcap & HWCAP_NEON) static_branch_enable(&have_neon); - return IS_REACHABLE(CONFIG_CRYPTO_KPP) ? - crypto_register_kpp(&curve25519_alg) : 0; - } return 0; } =20 static void __exit arm_curve25519_exit(void) { - if (IS_REACHABLE(CONFIG_CRYPTO_KPP) && elf_hwcap & HWCAP_NEON) - crypto_unregister_kpp(&curve25519_alg); } =20 module_init(arm_curve25519_init); module_exit(arm_curve25519_exit); =20 -MODULE_ALIAS_CRYPTO("curve25519"); -MODULE_ALIAS_CRYPTO("curve25519-neon"); MODULE_DESCRIPTION("Public key crypto: Curve25519 (NEON-accelerated)"); MODULE_LICENSE("GPL v2"); --=20 2.50.1 From nobody Tue Sep 9 16:20:08 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7F0FC296BD7; Sat, 6 Sep 2025 21:36:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757194619; cv=none; b=AtHA2Rgk6Ak3vwYLc83rIAgU/cNN4zNvc8vrvH9gl6ikjt+C8qldMbAqY3DTcTpDuMDeGWC1gzkcGATPoyD79ti+9RDf8mqbfxvdGuQvYbnIslgWSw39kAR3WqsU4v5cXpUIxIkx8XSs/LlQFNldD9p8gckyVsYEzh/OJ4il5Vw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757194619; c=relaxed/simple; bh=VPdOFbOFfFUM5Rs4n3jQWJkq3lHGWPzXISc9hbkpRBU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=gYAol0XsWwX87ZkoncvDIFpvAE6qbIIhFRzilgVL1OBTSQ7DyPBDyOQkABJBk0o3Y6meqGBS7KEOJ7fLJH40lmA3E1ufTiOkJ79kmpqEaqEf+vaSaUZ/IndJjqBdjYQHU0I4xOrcMqm1XcppdlnuzRADj+v1MU9gRWqjKVQKgqU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=hFZ9itCY; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org 
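Review bot: arm_curve25519_exit() is left as an empty function with module_exit() still registered, while the powerpc patch in this series removes both module_init() and module_exit() outright; pick one convention for the series. Keeping the empty exit is the safer choice, since a module that registers no exit routine cannot be unloaded, but a short comment saying that is why the stub survives would stop the next cleanup from deleting it. Dropping the two MODULE_ALIAS_CRYPTO() lines is consistent with removing `select CRYPTO_KPP`: with no kpp algorithm registered, a "curve25519" alias would only trigger autoloads of a module that provides nothing through that API.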
From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , Zhiqi Song , Longfang Liu , x86@kernel.org, linux-arm-kernel@lists.infradead.org, linuxppc-dev@lists.ozlabs.org, Eric Biggers Subject: [PATCH v2 03/12] crypto: powerpc/curve25519 - Remove unused kpp support Date: Sat, 6 Sep 2025 14:35:14 -0700 Message-ID: <20250906213523.84915-4-ebiggers@kernel.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250906213523.84915-1-ebiggers@kernel.org> References: <20250906213523.84915-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Curve25519 is used only via the library API, not the crypto_kpp API. In preparation for removing the unused crypto_kpp API for Curve25519, remove the unused "curve25519-ppc64le" kpp algorithm. Note that the underlying PowerPC optimized Curve25519 code remains fully supported and accessible via the library API. It's also worth noting that even if the kpp support for Curve25519 comes back later, there is no need for arch-specific kpp glue code like this, as a single kpp algorithm that wraps the library API is sufficient. Signed-off-by: Eric Biggers --- arch/powerpc/crypto/Kconfig | 1 - arch/powerpc/crypto/curve25519-ppc64le-core.c | 105 ------------------ 2 files changed, 106 deletions(-) diff --git a/arch/powerpc/crypto/Kconfig b/arch/powerpc/crypto/Kconfig index f4b779c7352de..6106a219da6af 100644 --- a/arch/powerpc/crypto/Kconfig +++ b/arch/powerpc/crypto/Kconfig @@ -3,11 +3,10 @@ menu "Accelerated Cryptographic Algorithms for CPU (powerpc)" =20 config CRYPTO_CURVE25519_PPC64 tristate depends on PPC64 && CPU_LITTLE_ENDIAN - select CRYPTO_KPP select CRYPTO_LIB_CURVE25519_GENERIC select CRYPTO_ARCH_HAVE_LIB_CURVE25519 default CRYPTO_LIB_CURVE25519_INTERNAL help Curve25519 algorithm 
diff --git a/arch/powerpc/crypto/curve25519-ppc64le-core.c b/arch/powerpc/c= rypto/curve25519-ppc64le-core.c index f7810be0b292b..6eb18ee19cad3 100644 --- a/arch/powerpc/crypto/curve25519-ppc64le-core.c +++ b/arch/powerpc/crypto/curve25519-ppc64le-core.c @@ -6,17 +6,15 @@ * Based on RFC7748 and AArch64 optimized implementation for X25519 * - Algorithm 1 Scalar multiplication of a variable point */ =20 #include -#include =20 #include #include #include #include -#include =20 #include #include =20 typedef uint64_t fe51[5]; 
@@ -190,111 +188,8 @@ void curve25519_base_arch(u8 pub[CURVE25519_KEY_SIZE], { curve25519_fe51(pub, secret, curve25519_base_point); } EXPORT_SYMBOL(curve25519_base_arch); =20 -static int curve25519_set_secret(struct crypto_kpp *tfm, const void *buf, - unsigned int len) -{ - u8 *secret =3D kpp_tfm_ctx(tfm); - - if (!len) - curve25519_generate_secret(secret); - else if (len =3D=3D CURVE25519_KEY_SIZE && - crypto_memneq(buf, curve25519_null_point, CURVE25519_KEY_SIZE)) - memcpy(secret, buf, CURVE25519_KEY_SIZE); - else - return -EINVAL; - return 0; -} - -static int curve25519_generate_public_key(struct kpp_request *req) -{ - struct crypto_kpp *tfm =3D crypto_kpp_reqtfm(req); - const u8 *secret =3D kpp_tfm_ctx(tfm); - u8 buf[CURVE25519_KEY_SIZE]; - int copied, nbytes; - - if (req->src) - return -EINVAL; - - curve25519_base_arch(buf, secret); - - /* might want less than we've got */ - nbytes =3D min_t(size_t, CURVE25519_KEY_SIZE, req->dst_len); - copied =3D sg_copy_from_buffer(req->dst, sg_nents_for_len(req->dst, - nbytes), - buf, nbytes); - if (copied !=3D nbytes) - return -EINVAL; - return 0; -} - -static int curve25519_compute_shared_secret(struct kpp_request *req) -{ - struct crypto_kpp *tfm =3D crypto_kpp_reqtfm(req); - const u8 *secret =3D kpp_tfm_ctx(tfm); - u8 public_key[CURVE25519_KEY_SIZE]; - u8 buf[CURVE25519_KEY_SIZE]; - int copied, nbytes; - - if (!req->src) - return -EINVAL; - - copied =3D sg_copy_to_buffer(req->src, - sg_nents_for_len(req->src, - CURVE25519_KEY_SIZE), - public_key, CURVE25519_KEY_SIZE); - if (copied !=3D CURVE25519_KEY_SIZE) - return -EINVAL; - - curve25519_arch(buf, secret, public_key); - - /* might want less than we've got */ - nbytes =3D min_t(size_t, CURVE25519_KEY_SIZE, req->dst_len); - copied =3D sg_copy_from_buffer(req->dst, sg_nents_for_len(req->dst, - nbytes), - buf, nbytes); - if (copied !=3D nbytes) - return -EINVAL; - return 0; -} - -static unsigned int curve25519_max_size(struct crypto_kpp *tfm) -{ - return 
CURVE25519_KEY_SIZE; -} - -static struct kpp_alg curve25519_alg =3D { - .base.cra_name =3D "curve25519", - .base.cra_driver_name =3D "curve25519-ppc64le", - .base.cra_priority =3D 200, - .base.cra_module =3D THIS_MODULE, - .base.cra_ctxsize =3D CURVE25519_KEY_SIZE, - - .set_secret =3D curve25519_set_secret, - .generate_public_key =3D curve25519_generate_public_key, - .compute_shared_secret =3D curve25519_compute_shared_secret, - .max_size =3D curve25519_max_size, -}; - - -static int __init curve25519_mod_init(void) -{ - return IS_REACHABLE(CONFIG_CRYPTO_KPP) ? - crypto_register_kpp(&curve25519_alg) : 0; -} - -static void __exit curve25519_mod_exit(void) -{ - if (IS_REACHABLE(CONFIG_CRYPTO_KPP)) - crypto_unregister_kpp(&curve25519_alg); -} - -module_init(curve25519_mod_init); -module_exit(curve25519_mod_exit); - -MODULE_ALIAS_CRYPTO("curve25519"); -MODULE_ALIAS_CRYPTO("curve25519-ppc64le"); MODULE_DESCRIPTION("PPC64le Curve25519 scalar multiplication with 51 bits = limbs"); MODULE_LICENSE("GPL v2"); MODULE_AUTHOR("Danny Tsen "); --=20 2.50.1 From nobody Tue Sep 9 16:20:08 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5F6E42135AD; Sat, 6 Sep 2025 21:37:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757194620; cv=none; b=ElS0vAzEcysA5kAF82Aigoir5WIfxy5kaBPSndcL7ZehuwgdFetL3kyUtRIoIPOQAqWNeTUArnsj39/DJbdemWb1XvWp/oqtPlnwscWIq7p3ykWNjSg85M8+jeb6bSbUmQZ+3/6xTELHxRimou5+ZR17LLKRcNeUwb+PGUx2+nA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757194620; c=relaxed/simple; bh=b2kyrv9GFCik/BKIFbZ27LKOAd7AEvTjfTWJfDtuZc4=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; 
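Review bot: this hunk removes curve25519_mod_init()/curve25519_mod_exit() and the module_init()/module_exit() lines entirely, leaving the module with no init or exit routine; that is legal for a tristate whose only job is to export curve25519_arch()/curve25519_base_arch() for the library, but it differs from the arm patch in this series, which keeps an empty exit function. Either approach works; the series reads more easily if both arch patches do the same thing. The unchanged MODULE_DESCRIPTION() context line reads "with 51 bits limbs" where "51-bit limbs" is meant, but that is pre-existing and not part of this change.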
From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , Zhiqi Song , Longfang Liu , x86@kernel.org, linux-arm-kernel@lists.infradead.org, linuxppc-dev@lists.ozlabs.org, Eric Biggers Subject: [PATCH v2 04/12] crypto: x86/curve25519 - Remove unused kpp support Date: Sat, 6 Sep 2025 14:35:15 -0700 Message-ID: <20250906213523.84915-5-ebiggers@kernel.org> In-Reply-To: <20250906213523.84915-1-ebiggers@kernel.org> References: <20250906213523.84915-1-ebiggers@kernel.org>

Curve25519 is used only via the library API, not the crypto_kpp API. In preparation for removing the unused crypto_kpp API for Curve25519, remove the unused "curve25519-x86" kpp algorithm. Note that the underlying x86_64 optimized Curve25519 code remains fully supported and accessible via the library API. It's also worth noting that even if the kpp support for Curve25519 comes back later, there is no need for arch-specific kpp glue code like this, as a single kpp algorithm that wraps the library API is sufficient. Signed-off-by: Eric Biggers --- arch/x86/crypto/Kconfig | 1 - arch/x86/crypto/curve25519-x86_64.c | 98 +---------------------------- 2 files changed, 1 insertion(+), 98 deletions(-) diff --git a/arch/x86/crypto/Kconfig b/arch/x86/crypto/Kconfig index 94016c60561e2..6a895a571b00e 100644 --- a/arch/x86/crypto/Kconfig +++ b/arch/x86/crypto/Kconfig @@ -3,11 +3,10 @@ menu "Accelerated Cryptographic Algorithms for CPU (x86)" =20 config CRYPTO_CURVE25519_X86 tristate depends on 64BIT - select CRYPTO_KPP select CRYPTO_LIB_CURVE25519_GENERIC select CRYPTO_ARCH_HAVE_LIB_CURVE25519 default CRYPTO_LIB_CURVE25519_INTERNAL help Curve25519 algorithm
diff --git a/arch/x86/crypto/curve25519-x86_64.c b/arch/x86/crypto/curve255= 19-x86_64.c index d587f05c3c8c3..ab91368284a47 100644 --- a/arch/x86/crypto/curve25519-x86_64.c +++ b/arch/x86/crypto/curve25519-x86_64.c @@ -3,18 +3,16 @@ * Copyright (C) 2020 Jason A. Donenfeld . All Rights Res= erved. * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation */ =20 #include -#include =20 #include #include #include #include #include -#include =20 #include #include =20 static __always_inline u64 eq_mask(u64 a, u64 b) 
@@ -1611,116 +1609,22 @@ void curve25519_base_arch(u8 pub[CURVE25519_KEY_SI= ZE], else curve25519_generic(pub, secret, curve25519_base_point); } EXPORT_SYMBOL(curve25519_base_arch); =20 -static int curve25519_set_secret(struct crypto_kpp *tfm, const void *buf, - unsigned int len) -{ - u8 *secret =3D kpp_tfm_ctx(tfm); - - if (!len) - curve25519_generate_secret(secret); - else if (len =3D=3D CURVE25519_KEY_SIZE && - crypto_memneq(buf, curve25519_null_point, CURVE25519_KEY_SIZE)) - memcpy(secret, buf, CURVE25519_KEY_SIZE); - else - return -EINVAL; - return 0; -} - -static int curve25519_generate_public_key(struct kpp_request *req) -{ - struct crypto_kpp *tfm =3D crypto_kpp_reqtfm(req); - const u8 *secret =3D kpp_tfm_ctx(tfm); - u8 buf[CURVE25519_KEY_SIZE]; - int copied, nbytes; - - if (req->src) - return -EINVAL; - - curve25519_base_arch(buf, secret); - - /* might want less than we've got */ - nbytes =3D min_t(size_t, CURVE25519_KEY_SIZE, req->dst_len); - copied =3D sg_copy_from_buffer(req->dst, sg_nents_for_len(req->dst, - nbytes), - buf, nbytes); - if (copied !=3D nbytes) - return -EINVAL; - return 0; -} - -static int curve25519_compute_shared_secret(struct kpp_request *req) -{ - struct crypto_kpp *tfm =3D crypto_kpp_reqtfm(req); - const u8 *secret =3D kpp_tfm_ctx(tfm); - u8 public_key[CURVE25519_KEY_SIZE]; - u8 buf[CURVE25519_KEY_SIZE]; - int copied, nbytes; - - if (!req->src) - return -EINVAL; - - copied =3D sg_copy_to_buffer(req->src, - sg_nents_for_len(req->src, - CURVE25519_KEY_SIZE), - public_key, CURVE25519_KEY_SIZE); - if (copied !=3D CURVE25519_KEY_SIZE) - return -EINVAL; - - curve25519_arch(buf, secret, public_key); - - /* might want less than we've got */ - nbytes =3D min_t(size_t, CURVE25519_KEY_SIZE, req->dst_len); - copied =3D sg_copy_from_buffer(req->dst, sg_nents_for_len(req->dst, - nbytes), - buf, nbytes); - if (copied !=3D nbytes) - return -EINVAL; - return 0; -} - -static unsigned int curve25519_max_size(struct crypto_kpp *tfm) -{ - return 
CURVE25519_KEY_SIZE; -} - -static struct kpp_alg curve25519_alg =3D { - .base.cra_name =3D "curve25519", - .base.cra_driver_name =3D "curve25519-x86", - .base.cra_priority =3D 200, - .base.cra_module =3D THIS_MODULE, - .base.cra_ctxsize =3D CURVE25519_KEY_SIZE, - - .set_secret =3D curve25519_set_secret, - .generate_public_key =3D curve25519_generate_public_key, - .compute_shared_secret =3D curve25519_compute_shared_secret, - .max_size =3D curve25519_max_size, -}; - - static int __init curve25519_mod_init(void) { if (boot_cpu_has(X86_FEATURE_BMI2) && boot_cpu_has(X86_FEATURE_ADX)) static_branch_enable(&curve25519_use_bmi2_adx); - else - return 0; - return IS_REACHABLE(CONFIG_CRYPTO_KPP) ? - crypto_register_kpp(&curve25519_alg) : 0; + return 0; } =20 static void __exit curve25519_mod_exit(void) { - if (IS_REACHABLE(CONFIG_CRYPTO_KPP) && - static_branch_likely(&curve25519_use_bmi2_adx)) - crypto_unregister_kpp(&curve25519_alg); } =20 module_init(curve25519_mod_init); module_exit(curve25519_mod_exit); =20 -MODULE_ALIAS_CRYPTO("curve25519"); -MODULE_ALIAS_CRYPTO("curve25519-x86"); MODULE_DESCRIPTION("Curve25519 algorithm, ADX optimized"); MODULE_LICENSE("GPL v2"); MODULE_AUTHOR("Jason A. 
Donenfeld "); --=20 2.50.1
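Review bot: curve25519_mod_exit() is left as an empty body in the last hunk of curve25519-x86_64.c; since there is no longer anything to unregister, it and the module_exit() line can be dropped as well, as the ppc64le patch in this series does, leaving only the module_init() that enables curve25519_use_bmi2_adx. Separately, removing MODULE_ALIAS_CRYPTO("curve25519") and MODULE_ALIAS_CRYPTO("curve25519-x86") means this module can no longer be autoloaded by algorithm name; that is the intended outcome once no kpp is registered, but one sentence in the commit message saying the module is now reached only as the CRYPTO_ARCH_HAVE_LIB_CURVE25519 provider (which the Kconfig hunk still selects) would make that behaviour change explicit.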
From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , Zhiqi Song , Longfang Liu , x86@kernel.org, linux-arm-kernel@lists.infradead.org, linuxppc-dev@lists.ozlabs.org, Eric Biggers Subject: [PATCH v2 05/12] crypto: testmgr - Remove curve25519 kpp tests Date: Sat, 6 Sep 2025 14:35:16 -0700 Message-ID: <20250906213523.84915-6-ebiggers@kernel.org> In-Reply-To: <20250906213523.84915-1-ebiggers@kernel.org> References: <20250906213523.84915-1-ebiggers@kernel.org>

Curve25519 is used only via the library API, not the crypto_kpp API. In preparation for removing the unused crypto_kpp API for Curve25519, remove the tests for the "curve25519" kpp from crypto/testmgr.c. Note that these tests just duplicated lib/crypto/curve25519-selftest.c, which uses the same list of test vectors. So they didn't really provide any additional value. Signed-off-by: Eric Biggers --- crypto/testmgr.c | 6 - crypto/testmgr.h | 1225 ---------------------------------------------- 2 files changed, 1231 deletions(-) diff --git a/crypto/testmgr.c b/crypto/testmgr.c index 781445f5f56a6..9dca41e7ee738 100644 --- a/crypto/testmgr.c +++ b/crypto/testmgr.c @@ -4639,16 +4639,10 @@ static const struct alg_test_desc alg_test_descs[] = =3D { .alg =3D "cts(cbc(sm4))", .test =3D alg_test_skcipher, .suite =3D { .cipher =3D __VECS(sm4_cts_tv_template) } - }, { - .alg =3D "curve25519", - .test =3D alg_test_kpp, - .suite =3D { - .kpp =3D __VECS(curve25519_tv_template) - } }, { .alg =3D "deflate", .test =3D alg_test_comp, .fips_allowed =3D 1, .suite =3D {
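Review bot: with this alg_test_descs[] entry removed while the "curve25519" kpp itself is still registered (its removal is a later patch, per the "in preparation for" wording of the commit message), the kernel at this point in the series carries a registered kpp with no testmgr coverage; that is a transient mid-series state rather than a bug, but reordering this patch after the kpp removal, or folding the two together, would avoid it. The commit message's argument that lib/crypto/curve25519-selftest.c already covers the same vectors would also be stronger with a note on whether that selftest is gated by the same Kconfig option as testmgr, so that the same builds keep exercising them.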
diff --git a/crypto/testmgr.h b/crypto/testmgr.h index 32d099ac9e737..2682312272824 100644 --- a/crypto/testmgr.h +++ b/crypto/testmgr.h 
@@ -3796,1235 +3796,10 @@ static const struct kpp_testvec ffdhe8192_dh_tv_t= emplate[] __maybe_unused =3D { .expected_ss_size =3D 1024, .genkey =3D true, }, }; =20 -static const struct kpp_testvec curve25519_tv_template[] =3D { -{ - .secret =3D (u8[32]){ 0x77, 0x07, 0x6d, 0x0a, 0x73, 0x18, 0xa5, 0x7d, - 0x3c, 0x16, 0xc1, 0x72, 0x51, 0xb2, 0x66, 0x45, - 0xdf, 0x4c, 0x2f, 0x87, 0xeb, 0xc0, 0x99, 0x2a, - 0xb1, 0x77, 0xfb, 0xa5, 0x1d, 0xb9, 0x2c, 0x2a }, - .b_public =3D (u8[32]){ 0xde, 0x9e, 0xdb, 0x7d, 0x7b, 0x7d, 0xc1, 0xb4, - 0xd3, 0x5b, 0x61, 0xc2, 0xec, 0xe4, 0x35, 0x37, - 0x3f, 0x83, 0x43, 0xc8, 0x5b, 0x78, 0x67, 0x4d, - 0xad, 0xfc, 0x7e, 0x14, 0x6f, 0x88, 0x2b, 0x4f }, - .expected_ss =3D (u8[32]){ 0x4a, 0x5d, 0x9d, 0x5b, 0xa4, 0xce, 0x2d, 0xe1, - 0x72, 0x8e, 0x3b, 0xf4, 0x80, 0x35, 0x0f, 0x25, - 0xe0, 0x7e, 0x21, 0xc9, 0x47, 0xd1, 0x9e, 0x33, - 0x76, 0xf0, 0x9b, 0x3c, 0x1e, 0x16, 0x17, 0x42 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -{ - .secret =3D (u8[32]){ 0x5d, 0xab, 0x08, 0x7e, 0x62, 0x4a, 0x8a, 0x4b, - 0x79, 0xe1, 0x7f, 0x8b, 0x83, 0x80, 0x0e, 0xe6, - 0x6f, 0x3b, 0xb1, 0x29, 0x26, 0x18, 0xb6, 0xfd, - 0x1c, 0x2f, 0x8b, 0x27, 0xff, 0x88, 0xe0, 0xeb }, - .b_public =3D (u8[32]){ 0x85, 0x20, 0xf0, 0x09, 0x89, 0x30, 0xa7, 0x54, - 0x74, 0x8b, 0x7d, 0xdc, 0xb4, 0x3e, 0xf7, 0x5a, - 0x0d, 0xbf, 0x3a, 0x0d, 0x26, 0x38, 0x1a, 0xf4, - 0xeb, 0xa4, 0xa9, 0x8e, 0xaa, 0x9b, 0x4e, 0x6a }, - .expected_ss =3D (u8[32]){ 0x4a, 0x5d, 0x9d, 0x5b, 0xa4, 0xce, 0x2d, 0xe1, - 0x72, 0x8e, 0x3b, 0xf4, 0x80, 0x35, 0x0f, 0x25, - 0xe0, 0x7e, 0x21, 0xc9, 0x47, 0xd1, 0x9e, 0x33, - 0x76, 0xf0, 0x9b, 0x3c, 0x1e, 0x16, 0x17, 0x42 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -{ - .secret =3D (u8[32]){ 1 }, - .b_public =3D (u8[32]){ 0x25, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00 }, - .expected_ss =3D (u8[32]){ 0x3c, 0x77, 0x77, 0xca, 0xf9, 0x97, 0xb2, 0x64, - 0x41, 0x60, 0x77, 0x66, 0x5b, 0x4e, 0x22, 0x9d, - 0x0b, 0x95, 0x48, 0xdc, 0x0c, 0xd8, 0x19, 0x98, - 0xdd, 0xcd, 0xc5, 0xc8, 0x53, 0x3c, 0x79, 0x7f }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -{ - .secret =3D (u8[32]){ 1 }, - .b_public =3D (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, - .expected_ss =3D (u8[32]){ 0xb3, 0x2d, 0x13, 0x62, 0xc2, 0x48, 0xd6, 0x2f, - 0xe6, 0x26, 0x19, 0xcf, 0xf0, 0x4d, 0xd4, 0x3d, - 0xb7, 0x3f, 0xfc, 0x1b, 0x63, 0x08, 0xed, 0xe3, - 0x0b, 0x78, 0xd8, 0x73, 0x80, 0xf1, 0xe8, 0x34 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -{ - .secret =3D (u8[32]){ 0xa5, 0x46, 0xe3, 0x6b, 0xf0, 0x52, 0x7c, 0x9d, - 0x3b, 0x16, 0x15, 0x4b, 0x82, 0x46, 0x5e, 0xdd, - 0x62, 0x14, 0x4c, 0x0a, 0xc1, 0xfc, 0x5a, 0x18, - 0x50, 0x6a, 0x22, 0x44, 0xba, 0x44, 0x9a, 0xc4 }, - .b_public =3D (u8[32]){ 0xe6, 0xdb, 0x68, 0x67, 0x58, 0x30, 0x30, 0xdb, - 0x35, 0x94, 0xc1, 0xa4, 0x24, 0xb1, 0x5f, 0x7c, - 0x72, 0x66, 0x24, 0xec, 0x26, 0xb3, 0x35, 0x3b, - 0x10, 0xa9, 0x03, 0xa6, 0xd0, 0xab, 0x1c, 0x4c }, - .expected_ss =3D (u8[32]){ 0xc3, 0xda, 0x55, 0x37, 0x9d, 0xe9, 0xc6, 0x90, - 0x8e, 0x94, 0xea, 0x4d, 0xf2, 0x8d, 0x08, 0x4f, - 0x32, 0xec, 0xcf, 0x03, 0x49, 0x1c, 0x71, 0xf7, - 0x54, 0xb4, 0x07, 0x55, 0x77, 0xa2, 0x85, 0x52 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -{ - .secret =3D (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0x0a, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, - .b_public =3D (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 
0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0x0a, 0x00, 0xfb, 0x9f }, - .expected_ss =3D (u8[32]){ 0x77, 0x52, 0xb6, 0x18, 0xc1, 0x2d, 0x48, 0xd2, - 0xc6, 0x93, 0x46, 0x83, 0x81, 0x7c, 0xc6, 0x57, - 0xf3, 0x31, 0x03, 0x19, 0x49, 0x48, 0x20, 0x05, - 0x42, 0x2b, 0x4e, 0xae, 0x8d, 0x1d, 0x43, 0x23 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -{ - .secret =3D (u8[32]){ 0x8e, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, - .b_public =3D (u8[32]){ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8e, 0x06 }, - .expected_ss =3D (u8[32]){ 0x5a, 0xdf, 0xaa, 0x25, 0x86, 0x8e, 0x32, 0x3d, - 0xae, 0x49, 0x62, 0xc1, 0x01, 0x5c, 0xb3, 0x12, - 0xe1, 0xc5, 0xc7, 0x9e, 0x95, 0x3f, 0x03, 0x99, - 0xb0, 0xba, 0x16, 0x22, 0xf3, 0xb6, 0xf7, 0x0c }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - normal case */ -{ - .secret =3D (u8[32]){ 0x48, 0x52, 0x83, 0x4d, 0x9d, 0x6b, 0x77, 0xda, - 0xde, 0xab, 0xaa, 0xf2, 0xe1, 0x1d, 0xca, 0x66, - 0xd1, 0x9f, 0xe7, 0x49, 0x93, 0xa7, 0xbe, 0xc3, - 0x6c, 0x6e, 0x16, 0xa0, 0x98, 0x3f, 0xea, 0xba }, - .b_public =3D (u8[32]){ 0x9c, 0x64, 0x7d, 0x9a, 0xe5, 0x89, 0xb9, 0xf5, - 0x8f, 0xdc, 0x3c, 0xa4, 0x94, 0x7e, 0xfb, 0xc9, - 0x15, 0xc4, 0xb2, 0xe0, 0x8e, 0x74, 0x4a, 0x0e, - 0xdf, 0x46, 0x9d, 0xac, 0x59, 0xc8, 0xf8, 0x5a }, - .expected_ss =3D (u8[32]){ 0x87, 0xb7, 0xf2, 0x12, 0xb6, 0x27, 0xf7, 0xa5, - 0x4c, 0xa5, 0xe0, 0xbc, 0xda, 0xdd, 0xd5, 0x38, - 0x9d, 0x9d, 0xe6, 0x15, 0x6c, 0xdb, 0xcf, 0x8e, - 0xbe, 0x14, 0xff, 0xbc, 0xfb, 0x43, 0x65, 0x51 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof 
- public key on twist */ -{ - .secret =3D (u8[32]){ 0x58, 0x8c, 0x06, 0x1a, 0x50, 0x80, 0x4a, 0xc4, - 0x88, 0xad, 0x77, 0x4a, 0xc7, 0x16, 0xc3, 0xf5, - 0xba, 0x71, 0x4b, 0x27, 0x12, 0xe0, 0x48, 0x49, - 0x13, 0x79, 0xa5, 0x00, 0x21, 0x19, 0x98, 0xa8 }, - .b_public =3D (u8[32]){ 0x63, 0xaa, 0x40, 0xc6, 0xe3, 0x83, 0x46, 0xc5, - 0xca, 0xf2, 0x3a, 0x6d, 0xf0, 0xa5, 0xe6, 0xc8, - 0x08, 0x89, 0xa0, 0x86, 0x47, 0xe5, 0x51, 0xb3, - 0x56, 0x34, 0x49, 0xbe, 0xfc, 0xfc, 0x97, 0x33 }, - .expected_ss =3D (u8[32]){ 0xb1, 0xa7, 0x07, 0x51, 0x94, 0x95, 0xff, 0xff, - 0xb2, 0x98, 0xff, 0x94, 0x17, 0x16, 0xb0, 0x6d, - 0xfa, 0xb8, 0x7c, 0xf8, 0xd9, 0x11, 0x23, 0xfe, - 0x2b, 0xe9, 0xa2, 0x33, 0xdd, 0xa2, 0x22, 0x12 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - public key on twist */ -{ - .secret =3D (u8[32]){ 0xb0, 0x5b, 0xfd, 0x32, 0xe5, 0x53, 0x25, 0xd9, - 0xfd, 0x64, 0x8c, 0xb3, 0x02, 0x84, 0x80, 0x39, - 0x00, 0x0b, 0x39, 0x0e, 0x44, 0xd5, 0x21, 0xe5, - 0x8a, 0xab, 0x3b, 0x29, 0xa6, 0x96, 0x0b, 0xa8 }, - .b_public =3D (u8[32]){ 0x0f, 0x83, 0xc3, 0x6f, 0xde, 0xd9, 0xd3, 0x2f, - 0xad, 0xf4, 0xef, 0xa3, 0xae, 0x93, 0xa9, 0x0b, - 0xb5, 0xcf, 0xa6, 0x68, 0x93, 0xbc, 0x41, 0x2c, - 0x43, 0xfa, 0x72, 0x87, 0xdb, 0xb9, 0x97, 0x79 }, - .expected_ss =3D (u8[32]){ 0x67, 0xdd, 0x4a, 0x6e, 0x16, 0x55, 0x33, 0x53, - 0x4c, 0x0e, 0x3f, 0x17, 0x2e, 0x4a, 0xb8, 0x57, - 0x6b, 0xca, 0x92, 0x3a, 0x5f, 0x07, 0xb2, 0xc0, - 0x69, 0xb4, 0xc3, 0x10, 0xff, 0x2e, 0x93, 0x5b }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - public key on twist */ -{ - .secret =3D (u8[32]){ 0x70, 0xe3, 0x4b, 0xcb, 0xe1, 0xf4, 0x7f, 0xbc, - 0x0f, 0xdd, 0xfd, 0x7c, 0x1e, 0x1a, 0xa5, 0x3d, - 0x57, 0xbf, 0xe0, 0xf6, 0x6d, 0x24, 0x30, 0x67, - 0xb4, 0x24, 0xbb, 0x62, 0x10, 0xbe, 0xd1, 0x9c }, - .b_public =3D (u8[32]){ 0x0b, 0x82, 0x11, 0xa2, 0xb6, 0x04, 0x90, 0x97, - 0xf6, 0x87, 0x1c, 0x6c, 0x05, 0x2d, 0x3c, 0x5f, - 0xc1, 0xba, 
0x17, 0xda, 0x9e, 0x32, 0xae, 0x45, - 0x84, 0x03, 0xb0, 0x5b, 0xb2, 0x83, 0x09, 0x2a }, - .expected_ss =3D (u8[32]){ 0x4a, 0x06, 0x38, 0xcf, 0xaa, 0x9e, 0xf1, 0x93, - 0x3b, 0x47, 0xf8, 0x93, 0x92, 0x96, 0xa6, 0xb2, - 0x5b, 0xe5, 0x41, 0xef, 0x7f, 0x70, 0xe8, 0x44, - 0xc0, 0xbc, 0xc0, 0x0b, 0x13, 0x4d, 0xe6, 0x4a }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - public key on twist */ -{ - .secret =3D (u8[32]){ 0x68, 0xc1, 0xf3, 0xa6, 0x53, 0xa4, 0xcd, 0xb1, - 0xd3, 0x7b, 0xba, 0x94, 0x73, 0x8f, 0x8b, 0x95, - 0x7a, 0x57, 0xbe, 0xb2, 0x4d, 0x64, 0x6e, 0x99, - 0x4d, 0xc2, 0x9a, 0x27, 0x6a, 0xad, 0x45, 0x8d }, - .b_public =3D (u8[32]){ 0x34, 0x3a, 0xc2, 0x0a, 0x3b, 0x9c, 0x6a, 0x27, - 0xb1, 0x00, 0x81, 0x76, 0x50, 0x9a, 0xd3, 0x07, - 0x35, 0x85, 0x6e, 0xc1, 0xc8, 0xd8, 0xfc, 0xae, - 0x13, 0x91, 0x2d, 0x08, 0xd1, 0x52, 0xf4, 0x6c }, - .expected_ss =3D (u8[32]){ 0x39, 0x94, 0x91, 0xfc, 0xe8, 0xdf, 0xab, 0x73, - 0xb4, 0xf9, 0xf6, 0x11, 0xde, 0x8e, 0xa0, 0xb2, - 0x7b, 0x28, 0xf8, 0x59, 0x94, 0x25, 0x0b, 0x0f, - 0x47, 0x5d, 0x58, 0x5d, 0x04, 0x2a, 0xc2, 0x07 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - public key on twist */ -{ - .secret =3D (u8[32]){ 0xd8, 0x77, 0xb2, 0x6d, 0x06, 0xdf, 0xf9, 0xd9, - 0xf7, 0xfd, 0x4c, 0x5b, 0x37, 0x69, 0xf8, 0xcd, - 0xd5, 0xb3, 0x05, 0x16, 0xa5, 0xab, 0x80, 0x6b, - 0xe3, 0x24, 0xff, 0x3e, 0xb6, 0x9e, 0xa0, 0xb2 }, - .b_public =3D (u8[32]){ 0xfa, 0x69, 0x5f, 0xc7, 0xbe, 0x8d, 0x1b, 0xe5, - 0xbf, 0x70, 0x48, 0x98, 0xf3, 0x88, 0xc4, 0x52, - 0xba, 0xfd, 0xd3, 0xb8, 0xea, 0xe8, 0x05, 0xf8, - 0x68, 0x1a, 0x8d, 0x15, 0xc2, 0xd4, 0xe1, 0x42 }, - .expected_ss =3D (u8[32]){ 0x2c, 0x4f, 0xe1, 0x1d, 0x49, 0x0a, 0x53, 0x86, - 0x17, 0x76, 0xb1, 0x3b, 0x43, 0x54, 0xab, 0xd4, - 0xcf, 0x5a, 0x97, 0x69, 0x9d, 0xb6, 0xe6, 0xc6, - 0x8c, 0x16, 0x26, 0xd0, 0x76, 0x62, 0xf7, 0x58 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 
32, - -}, -/* wycheproof - edge case on twist */ -{ - .secret =3D (u8[32]){ 0x38, 0xdd, 0xe9, 0xf3, 0xe7, 0xb7, 0x99, 0x04, - 0x5f, 0x9a, 0xc3, 0x79, 0x3d, 0x4a, 0x92, 0x77, - 0xda, 0xde, 0xad, 0xc4, 0x1b, 0xec, 0x02, 0x90, - 0xf8, 0x1f, 0x74, 0x4f, 0x73, 0x77, 0x5f, 0x84 }, - .b_public =3D (u8[32]){ 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, - .expected_ss =3D (u8[32]){ 0x9a, 0x2c, 0xfe, 0x84, 0xff, 0x9c, 0x4a, 0x97, - 0x39, 0x62, 0x5c, 0xae, 0x4a, 0x3b, 0x82, 0xa9, - 0x06, 0x87, 0x7a, 0x44, 0x19, 0x46, 0xf8, 0xd7, - 0xb3, 0xd7, 0x95, 0xfe, 0x8f, 0x5d, 0x16, 0x39 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - edge case on twist */ -{ - .secret =3D (u8[32]){ 0x98, 0x57, 0xa9, 0x14, 0xe3, 0xc2, 0x90, 0x36, - 0xfd, 0x9a, 0x44, 0x2b, 0xa5, 0x26, 0xb5, 0xcd, - 0xcd, 0xf2, 0x82, 0x16, 0x15, 0x3e, 0x63, 0x6c, - 0x10, 0x67, 0x7a, 0xca, 0xb6, 0xbd, 0x6a, 0xa5 }, - .b_public =3D (u8[32]){ 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, - .expected_ss =3D (u8[32]){ 0x4d, 0xa4, 0xe0, 0xaa, 0x07, 0x2c, 0x23, 0x2e, - 0xe2, 0xf0, 0xfa, 0x4e, 0x51, 0x9a, 0xe5, 0x0b, - 0x52, 0xc1, 0xed, 0xd0, 0x8a, 0x53, 0x4d, 0x4e, - 0xf3, 0x46, 0xc2, 0xe1, 0x06, 0xd2, 0x1d, 0x60 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - edge case on twist */ -{ - .secret =3D (u8[32]){ 0x48, 0xe2, 0x13, 0x0d, 0x72, 0x33, 0x05, 0xed, - 0x05, 0xe6, 0xe5, 0x89, 0x4d, 0x39, 0x8a, 0x5e, - 0x33, 0x36, 0x7a, 0x8c, 0x6a, 0xac, 0x8f, 0xcd, - 0xf0, 0xa8, 0x8e, 0x4b, 0x42, 0x82, 0x0d, 0xb7 }, - .b_public =3D (u8[32]){ 0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0xf8, 0xff, - 0xff, 0x1f, 0x00, 0x00, 0xc0, 0xff, 0xff, 
0xff, - 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0x07, 0x00, - 0x00, 0xf0, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00 }, - .expected_ss =3D (u8[32]){ 0x9e, 0xd1, 0x0c, 0x53, 0x74, 0x7f, 0x64, 0x7f, - 0x82, 0xf4, 0x51, 0x25, 0xd3, 0xde, 0x15, 0xa1, - 0xe6, 0xb8, 0x24, 0x49, 0x6a, 0xb4, 0x04, 0x10, - 0xff, 0xcc, 0x3c, 0xfe, 0x95, 0x76, 0x0f, 0x3b }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - edge case on twist */ -{ - .secret =3D (u8[32]){ 0x28, 0xf4, 0x10, 0x11, 0x69, 0x18, 0x51, 0xb3, - 0xa6, 0x2b, 0x64, 0x15, 0x53, 0xb3, 0x0d, 0x0d, - 0xfd, 0xdc, 0xb8, 0xff, 0xfc, 0xf5, 0x37, 0x00, - 0xa7, 0xbe, 0x2f, 0x6a, 0x87, 0x2e, 0x9f, 0xb0 }, - .b_public =3D (u8[32]){ 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0x07, 0x00, - 0x00, 0xe0, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, - 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0xf8, 0xff, - 0xff, 0x0f, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x7f }, - .expected_ss =3D (u8[32]){ 0xcf, 0x72, 0xb4, 0xaa, 0x6a, 0xa1, 0xc9, 0xf8, - 0x94, 0xf4, 0x16, 0x5b, 0x86, 0x10, 0x9a, 0xa4, - 0x68, 0x51, 0x76, 0x48, 0xe1, 0xf0, 0xcc, 0x70, - 0xe1, 0xab, 0x08, 0x46, 0x01, 0x76, 0x50, 0x6b }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - edge case on twist */ -{ - .secret =3D (u8[32]){ 0x18, 0xa9, 0x3b, 0x64, 0x99, 0xb9, 0xf6, 0xb3, - 0x22, 0x5c, 0xa0, 0x2f, 0xef, 0x41, 0x0e, 0x0a, - 0xde, 0xc2, 0x35, 0x32, 0x32, 0x1d, 0x2d, 0x8e, - 0xf1, 0xa6, 0xd6, 0x02, 0xa8, 0xc6, 0x5b, 0x83 }, - .b_public =3D (u8[32]){ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, - 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, - 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, - 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0x7f }, - .expected_ss =3D (u8[32]){ 0x5d, 0x50, 0xb6, 0x28, 0x36, 0xbb, 0x69, 0x57, - 0x94, 0x10, 0x38, 0x6c, 0xf7, 0xbb, 0x81, 0x1c, - 0x14, 0xbf, 0x85, 0xb1, 0xc7, 0xb1, 0x7e, 0x59, - 0x24, 0xc7, 0xff, 0xea, 0x91, 0xef, 0x9e, 0x12 }, - .secret_size =3D 32, - .b_public_size =3D 32, - 
.expected_ss_size =3D 32, - -}, -/* wycheproof - edge case on twist */ -{ - .secret =3D (u8[32]){ 0xc0, 0x1d, 0x13, 0x05, 0xa1, 0x33, 0x8a, 0x1f, - 0xca, 0xc2, 0xba, 0x7e, 0x2e, 0x03, 0x2b, 0x42, - 0x7e, 0x0b, 0x04, 0x90, 0x31, 0x65, 0xac, 0xa9, - 0x57, 0xd8, 0xd0, 0x55, 0x3d, 0x87, 0x17, 0xb0 }, - .b_public =3D (u8[32]){ 0xea, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, - .expected_ss =3D (u8[32]){ 0x19, 0x23, 0x0e, 0xb1, 0x48, 0xd5, 0xd6, 0x7c, - 0x3c, 0x22, 0xab, 0x1d, 0xae, 0xff, 0x80, 0xa5, - 0x7e, 0xae, 0x42, 0x65, 0xce, 0x28, 0x72, 0x65, - 0x7b, 0x2c, 0x80, 0x99, 0xfc, 0x69, 0x8e, 0x50 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - edge case for public key */ -{ - .secret =3D (u8[32]){ 0x38, 0x6f, 0x7f, 0x16, 0xc5, 0x07, 0x31, 0xd6, - 0x4f, 0x82, 0xe6, 0xa1, 0x70, 0xb1, 0x42, 0xa4, - 0xe3, 0x4f, 0x31, 0xfd, 0x77, 0x68, 0xfc, 0xb8, - 0x90, 0x29, 0x25, 0xe7, 0xd1, 0xe2, 0x1a, 0xbe }, - .b_public =3D (u8[32]){ 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, - .expected_ss =3D (u8[32]){ 0x0f, 0xca, 0xb5, 0xd8, 0x42, 0xa0, 0x78, 0xd7, - 0xa7, 0x1f, 0xc5, 0x9b, 0x57, 0xbf, 0xb4, 0xca, - 0x0b, 0xe6, 0x87, 0x3b, 0x49, 0xdc, 0xdb, 0x9f, - 0x44, 0xe1, 0x4a, 0xe8, 0xfb, 0xdf, 0xa5, 0x42 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - edge case for public key */ -{ - .secret =3D (u8[32]){ 0xe0, 0x23, 0xa2, 0x89, 0xbd, 0x5e, 0x90, 0xfa, - 0x28, 0x04, 0xdd, 0xc0, 0x19, 0xa0, 0x5e, 0xf3, - 0xe7, 0x9d, 0x43, 0x4b, 0xb6, 0xea, 0x2f, 0x52, - 0x2e, 0xcb, 0x64, 0x3a, 0x75, 0x29, 0x6e, 0x95 }, - .b_public =3D (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, - 0xff, 
0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, - 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, - 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00 }, - .expected_ss =3D (u8[32]){ 0x54, 0xce, 0x8f, 0x22, 0x75, 0xc0, 0x77, 0xe3, - 0xb1, 0x30, 0x6a, 0x39, 0x39, 0xc5, 0xe0, 0x3e, - 0xef, 0x6b, 0xbb, 0x88, 0x06, 0x05, 0x44, 0x75, - 0x8d, 0x9f, 0xef, 0x59, 0xb0, 0xbc, 0x3e, 0x4f }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - edge case for public key */ -{ - .secret =3D (u8[32]){ 0x68, 0xf0, 0x10, 0xd6, 0x2e, 0xe8, 0xd9, 0x26, - 0x05, 0x3a, 0x36, 0x1c, 0x3a, 0x75, 0xc6, 0xea, - 0x4e, 0xbd, 0xc8, 0x60, 0x6a, 0xb2, 0x85, 0x00, - 0x3a, 0x6f, 0x8f, 0x40, 0x76, 0xb0, 0x1e, 0x83 }, - .b_public =3D (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03 }, - .expected_ss =3D (u8[32]){ 0xf1, 0x36, 0x77, 0x5c, 0x5b, 0xeb, 0x0a, 0xf8, - 0x11, 0x0a, 0xf1, 0x0b, 0x20, 0x37, 0x23, 0x32, - 0x04, 0x3c, 0xab, 0x75, 0x24, 0x19, 0x67, 0x87, - 0x75, 0xa2, 0x23, 0xdf, 0x57, 0xc9, 0xd3, 0x0d }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - edge case for public key */ -{ - .secret =3D (u8[32]){ 0x58, 0xeb, 0xcb, 0x35, 0xb0, 0xf8, 0x84, 0x5c, - 0xaf, 0x1e, 0xc6, 0x30, 0xf9, 0x65, 0x76, 0xb6, - 0x2c, 0x4b, 0x7b, 0x6c, 0x36, 0xb2, 0x9d, 0xeb, - 0x2c, 0xb0, 0x08, 0x46, 0x51, 0x75, 0x5c, 0x96 }, - .b_public =3D (u8[32]){ 0xff, 0xff, 0xff, 0xfb, 0xff, 0xff, 0xfb, 0xff, - 0xff, 0xdf, 0xff, 0xff, 0xdf, 0xff, 0xff, 0xff, - 0xfe, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xf7, 0xff, - 0xff, 0xf7, 0xff, 0xff, 0xbf, 0xff, 0xff, 0x3f }, - .expected_ss =3D (u8[32]){ 0xbf, 0x9a, 0xff, 0xd0, 0x6b, 0x84, 0x40, 0x85, - 0x58, 0x64, 0x60, 0x96, 0x2e, 0xf2, 0x14, 0x6f, - 0xf3, 0xd4, 0x53, 0x3d, 0x94, 0x44, 0xaa, 0xb0, - 0x06, 0xeb, 0x88, 0xcc, 0x30, 0x54, 0x40, 0x7d }, - 
.secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - edge case for public key */ -{ - .secret =3D (u8[32]){ 0x18, 0x8c, 0x4b, 0xc5, 0xb9, 0xc4, 0x4b, 0x38, - 0xbb, 0x65, 0x8b, 0x9b, 0x2a, 0xe8, 0x2d, 0x5b, - 0x01, 0x01, 0x5e, 0x09, 0x31, 0x84, 0xb1, 0x7c, - 0xb7, 0x86, 0x35, 0x03, 0xa7, 0x83, 0xe1, 0xbb }, - .b_public =3D (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f }, - .expected_ss =3D (u8[32]){ 0xd4, 0x80, 0xde, 0x04, 0xf6, 0x99, 0xcb, 0x3b, - 0xe0, 0x68, 0x4a, 0x9c, 0xc2, 0xe3, 0x12, 0x81, - 0xea, 0x0b, 0xc5, 0xa9, 0xdc, 0xc1, 0x57, 0xd3, - 0xd2, 0x01, 0x58, 0xd4, 0x6c, 0xa5, 0x24, 0x6d }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - edge case for public key */ -{ - .secret =3D (u8[32]){ 0xe0, 0x6c, 0x11, 0xbb, 0x2e, 0x13, 0xce, 0x3d, - 0xc7, 0x67, 0x3f, 0x67, 0xf5, 0x48, 0x22, 0x42, - 0x90, 0x94, 0x23, 0xa9, 0xae, 0x95, 0xee, 0x98, - 0x6a, 0x98, 0x8d, 0x98, 0xfa, 0xee, 0x23, 0xa2 }, - .b_public =3D (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0x7f, - 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0x7f, - 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0x7f, - 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0x7f }, - .expected_ss =3D (u8[32]){ 0x4c, 0x44, 0x01, 0xcc, 0xe6, 0xb5, 0x1e, 0x4c, - 0xb1, 0x8f, 0x27, 0x90, 0x24, 0x6c, 0x9b, 0xf9, - 0x14, 0xdb, 0x66, 0x77, 0x50, 0xa1, 0xcb, 0x89, - 0x06, 0x90, 0x92, 0xaf, 0x07, 0x29, 0x22, 0x76 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - edge case for public key */ -{ - .secret =3D (u8[32]){ 0xc0, 0x65, 0x8c, 0x46, 0xdd, 0xe1, 0x81, 0x29, - 0x29, 0x38, 0x77, 0x53, 0x5b, 0x11, 0x62, 0xb6, - 0xf9, 0xf5, 0x41, 0x4a, 0x23, 0xcf, 0x4d, 0x2c, - 0xbc, 0x14, 0x0a, 0x4d, 0x99, 0xda, 0x2b, 0x8f }, - .b_public =3D (u8[32]){ 
0xeb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, - .expected_ss =3D (u8[32]){ 0x57, 0x8b, 0xa8, 0xcc, 0x2d, 0xbd, 0xc5, 0x75, - 0xaf, 0xcf, 0x9d, 0xf2, 0xb3, 0xee, 0x61, 0x89, - 0xf5, 0x33, 0x7d, 0x68, 0x54, 0xc7, 0x9b, 0x4c, - 0xe1, 0x65, 0xea, 0x12, 0x29, 0x3b, 0x3a, 0x0f }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - public key >=3D p */ -{ - .secret =3D (u8[32]){ 0xf0, 0x1e, 0x48, 0xda, 0xfa, 0xc9, 0xd7, 0xbc, - 0xf5, 0x89, 0xcb, 0xc3, 0x82, 0xc8, 0x78, 0xd1, - 0x8b, 0xda, 0x35, 0x50, 0x58, 0x9f, 0xfb, 0x5d, - 0x50, 0xb5, 0x23, 0xbe, 0xbe, 0x32, 0x9d, 0xae }, - .b_public =3D (u8[32]){ 0xef, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, - .expected_ss =3D (u8[32]){ 0xbd, 0x36, 0xa0, 0x79, 0x0e, 0xb8, 0x83, 0x09, - 0x8c, 0x98, 0x8b, 0x21, 0x78, 0x67, 0x73, 0xde, - 0x0b, 0x3a, 0x4d, 0xf1, 0x62, 0x28, 0x2c, 0xf1, - 0x10, 0xde, 0x18, 0xdd, 0x48, 0x4c, 0xe7, 0x4b }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - public key >=3D p */ -{ - .secret =3D (u8[32]){ 0x28, 0x87, 0x96, 0xbc, 0x5a, 0xff, 0x4b, 0x81, - 0xa3, 0x75, 0x01, 0x75, 0x7b, 0xc0, 0x75, 0x3a, - 0x3c, 0x21, 0x96, 0x47, 0x90, 0xd3, 0x86, 0x99, - 0x30, 0x8d, 0xeb, 0xc1, 0x7a, 0x6e, 0xaf, 0x8d }, - .b_public =3D (u8[32]){ 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, - .expected_ss =3D (u8[32]){ 0xb4, 0xe0, 0xdd, 0x76, 0xda, 0x7b, 0x07, 0x17, - 0x28, 0xb6, 0x1f, 0x85, 0x67, 0x71, 0xaa, 0x35, - 0x6e, 0x57, 0xed, 0xa7, 0x8a, 0x5b, 0x16, 0x55, - 0xcc, 0x38, 
0x20, 0xfb, 0x5f, 0x85, 0x4c, 0x5c }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - public key >=3D p */ -{ - .secret =3D (u8[32]){ 0x98, 0xdf, 0x84, 0x5f, 0x66, 0x51, 0xbf, 0x11, - 0x38, 0x22, 0x1f, 0x11, 0x90, 0x41, 0xf7, 0x2b, - 0x6d, 0xbc, 0x3c, 0x4a, 0xce, 0x71, 0x43, 0xd9, - 0x9f, 0xd5, 0x5a, 0xd8, 0x67, 0x48, 0x0d, 0xa8 }, - .b_public =3D (u8[32]){ 0xf1, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, - .expected_ss =3D (u8[32]){ 0x6f, 0xdf, 0x6c, 0x37, 0x61, 0x1d, 0xbd, 0x53, - 0x04, 0xdc, 0x0f, 0x2e, 0xb7, 0xc9, 0x51, 0x7e, - 0xb3, 0xc5, 0x0e, 0x12, 0xfd, 0x05, 0x0a, 0xc6, - 0xde, 0xc2, 0x70, 0x71, 0xd4, 0xbf, 0xc0, 0x34 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - public key >=3D p */ -{ - .secret =3D (u8[32]){ 0xf0, 0x94, 0x98, 0xe4, 0x6f, 0x02, 0xf8, 0x78, - 0x82, 0x9e, 0x78, 0xb8, 0x03, 0xd3, 0x16, 0xa2, - 0xed, 0x69, 0x5d, 0x04, 0x98, 0xa0, 0x8a, 0xbd, - 0xf8, 0x27, 0x69, 0x30, 0xe2, 0x4e, 0xdc, 0xb0 }, - .b_public =3D (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, - .expected_ss =3D (u8[32]){ 0x4c, 0x8f, 0xc4, 0xb1, 0xc6, 0xab, 0x88, 0xfb, - 0x21, 0xf1, 0x8f, 0x6d, 0x4c, 0x81, 0x02, 0x40, - 0xd4, 0xe9, 0x46, 0x51, 0xba, 0x44, 0xf7, 0xa2, - 0xc8, 0x63, 0xce, 0xc7, 0xdc, 0x56, 0x60, 0x2d }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - public key >=3D p */ -{ - .secret =3D (u8[32]){ 0x18, 0x13, 0xc1, 0x0a, 0x5c, 0x7f, 0x21, 0xf9, - 0x6e, 0x17, 0xf2, 0x88, 0xc0, 0xcc, 0x37, 0x60, - 0x7c, 0x04, 0xc5, 0xf5, 0xae, 0xa2, 0xdb, 0x13, - 0x4f, 0x9e, 0x2f, 0xfc, 0x66, 0xbd, 0x9d, 0xb8 }, - 
.b_public =3D (u8[32]){ 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 }, - .expected_ss =3D (u8[32]){ 0x1c, 0xd0, 0xb2, 0x82, 0x67, 0xdc, 0x54, 0x1c, - 0x64, 0x2d, 0x6d, 0x7d, 0xca, 0x44, 0xa8, 0xb3, - 0x8a, 0x63, 0x73, 0x6e, 0xef, 0x5c, 0x4e, 0x65, - 0x01, 0xff, 0xbb, 0xb1, 0x78, 0x0c, 0x03, 0x3c }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - public key >=3D p */ -{ - .secret =3D (u8[32]){ 0x78, 0x57, 0xfb, 0x80, 0x86, 0x53, 0x64, 0x5a, - 0x0b, 0xeb, 0x13, 0x8a, 0x64, 0xf5, 0xf4, 0xd7, - 0x33, 0xa4, 0x5e, 0xa8, 0x4c, 0x3c, 0xda, 0x11, - 0xa9, 0xc0, 0x6f, 0x7e, 0x71, 0x39, 0x14, 0x9e }, - .b_public =3D (u8[32]){ 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 }, - .expected_ss =3D (u8[32]){ 0x87, 0x55, 0xbe, 0x01, 0xc6, 0x0a, 0x7e, 0x82, - 0x5c, 0xff, 0x3e, 0x0e, 0x78, 0xcb, 0x3a, 0xa4, - 0x33, 0x38, 0x61, 0x51, 0x6a, 0xa5, 0x9b, 0x1c, - 0x51, 0xa8, 0xb2, 0xa5, 0x43, 0xdf, 0xa8, 0x22 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - public key >=3D p */ -{ - .secret =3D (u8[32]){ 0xe0, 0x3a, 0xa8, 0x42, 0xe2, 0xab, 0xc5, 0x6e, - 0x81, 0xe8, 0x7b, 0x8b, 0x9f, 0x41, 0x7b, 0x2a, - 0x1e, 0x59, 0x13, 0xc7, 0x23, 0xee, 0xd2, 0x8d, - 0x75, 0x2f, 0x8d, 0x47, 0xa5, 0x9f, 0x49, 0x8f }, - .b_public =3D (u8[32]){ 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 }, - .expected_ss =3D (u8[32]){ 0x54, 0xc9, 0xa1, 0xed, 0x95, 0xe5, 0x46, 0xd2, - 0x78, 0x22, 0xa3, 0x60, 0x93, 0x1d, 0xda, 0x60, - 0xa1, 0xdf, 0x04, 0x9d, 0xa6, 0xf9, 0x04, 
0x25, - 0x3c, 0x06, 0x12, 0xbb, 0xdc, 0x08, 0x74, 0x76 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - public key >=3D p */ -{ - .secret =3D (u8[32]){ 0xf8, 0xf7, 0x07, 0xb7, 0x99, 0x9b, 0x18, 0xcb, - 0x0d, 0x6b, 0x96, 0x12, 0x4f, 0x20, 0x45, 0x97, - 0x2c, 0xa2, 0x74, 0xbf, 0xc1, 0x54, 0xad, 0x0c, - 0x87, 0x03, 0x8c, 0x24, 0xc6, 0xd0, 0xd4, 0xb2 }, - .b_public =3D (u8[32]){ 0xda, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, - .expected_ss =3D (u8[32]){ 0xcc, 0x1f, 0x40, 0xd7, 0x43, 0xcd, 0xc2, 0x23, - 0x0e, 0x10, 0x43, 0xda, 0xba, 0x8b, 0x75, 0xe8, - 0x10, 0xf1, 0xfb, 0xab, 0x7f, 0x25, 0x52, 0x69, - 0xbd, 0x9e, 0xbb, 0x29, 0xe6, 0xbf, 0x49, 0x4f }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - public key >=3D p */ -{ - .secret =3D (u8[32]){ 0xa0, 0x34, 0xf6, 0x84, 0xfa, 0x63, 0x1e, 0x1a, - 0x34, 0x81, 0x18, 0xc1, 0xce, 0x4c, 0x98, 0x23, - 0x1f, 0x2d, 0x9e, 0xec, 0x9b, 0xa5, 0x36, 0x5b, - 0x4a, 0x05, 0xd6, 0x9a, 0x78, 0x5b, 0x07, 0x96 }, - .b_public =3D (u8[32]){ 0xdb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, - .expected_ss =3D (u8[32]){ 0x54, 0x99, 0x8e, 0xe4, 0x3a, 0x5b, 0x00, 0x7b, - 0xf4, 0x99, 0xf0, 0x78, 0xe7, 0x36, 0x52, 0x44, - 0x00, 0xa8, 0xb5, 0xc7, 0xe9, 0xb9, 0xb4, 0x37, - 0x71, 0x74, 0x8c, 0x7c, 0xdf, 0x88, 0x04, 0x12 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - public key >=3D p */ -{ - .secret =3D (u8[32]){ 0x30, 0xb6, 0xc6, 0xa0, 0xf2, 0xff, 0xa6, 0x80, - 0x76, 0x8f, 0x99, 0x2b, 0xa8, 0x9e, 0x15, 0x2d, - 0x5b, 0xc9, 0x89, 0x3d, 0x38, 0xc9, 0x11, 0x9b, - 0xe4, 0xf7, 0x67, 0xbf, 0xab, 0x6e, 
0x0c, 0xa5 }, - .b_public =3D (u8[32]){ 0xdc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, - .expected_ss =3D (u8[32]){ 0xea, 0xd9, 0xb3, 0x8e, 0xfd, 0xd7, 0x23, 0x63, - 0x79, 0x34, 0xe5, 0x5a, 0xb7, 0x17, 0xa7, 0xae, - 0x09, 0xeb, 0x86, 0xa2, 0x1d, 0xc3, 0x6a, 0x3f, - 0xee, 0xb8, 0x8b, 0x75, 0x9e, 0x39, 0x1e, 0x09 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - public key >=3D p */ -{ - .secret =3D (u8[32]){ 0x90, 0x1b, 0x9d, 0xcf, 0x88, 0x1e, 0x01, 0xe0, - 0x27, 0x57, 0x50, 0x35, 0xd4, 0x0b, 0x43, 0xbd, - 0xc1, 0xc5, 0x24, 0x2e, 0x03, 0x08, 0x47, 0x49, - 0x5b, 0x0c, 0x72, 0x86, 0x46, 0x9b, 0x65, 0x91 }, - .b_public =3D (u8[32]){ 0xea, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, - .expected_ss =3D (u8[32]){ 0x60, 0x2f, 0xf4, 0x07, 0x89, 0xb5, 0x4b, 0x41, - 0x80, 0x59, 0x15, 0xfe, 0x2a, 0x62, 0x21, 0xf0, - 0x7a, 0x50, 0xff, 0xc2, 0xc3, 0xfc, 0x94, 0xcf, - 0x61, 0xf1, 0x3d, 0x79, 0x04, 0xe8, 0x8e, 0x0e }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - public key >=3D p */ -{ - .secret =3D (u8[32]){ 0x80, 0x46, 0x67, 0x7c, 0x28, 0xfd, 0x82, 0xc9, - 0xa1, 0xbd, 0xb7, 0x1a, 0x1a, 0x1a, 0x34, 0xfa, - 0xba, 0x12, 0x25, 0xe2, 0x50, 0x7f, 0xe3, 0xf5, - 0x4d, 0x10, 0xbd, 0x5b, 0x0d, 0x86, 0x5f, 0x8e }, - .b_public =3D (u8[32]){ 0xeb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, - .expected_ss =3D (u8[32]){ 0xe0, 0x0a, 0xe8, 0xb1, 0x43, 0x47, 0x12, 0x47, - 0xba, 0x24, 0xf1, 0x2c, 0x88, 0x55, 0x36, 0xc3, - 0xcb, 0x98, 0x1b, 0x58, 
0xe1, 0xe5, 0x6b, 0x2b, - 0xaf, 0x35, 0xc1, 0x2a, 0xe1, 0xf7, 0x9c, 0x26 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - public key >=3D p */ -{ - .secret =3D (u8[32]){ 0x60, 0x2f, 0x7e, 0x2f, 0x68, 0xa8, 0x46, 0xb8, - 0x2c, 0xc2, 0x69, 0xb1, 0xd4, 0x8e, 0x93, 0x98, - 0x86, 0xae, 0x54, 0xfd, 0x63, 0x6c, 0x1f, 0xe0, - 0x74, 0xd7, 0x10, 0x12, 0x7d, 0x47, 0x24, 0x91 }, - .b_public =3D (u8[32]){ 0xef, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, - .expected_ss =3D (u8[32]){ 0x98, 0xcb, 0x9b, 0x50, 0xdd, 0x3f, 0xc2, 0xb0, - 0xd4, 0xf2, 0xd2, 0xbf, 0x7c, 0x5c, 0xfd, 0xd1, - 0x0c, 0x8f, 0xcd, 0x31, 0xfc, 0x40, 0xaf, 0x1a, - 0xd4, 0x4f, 0x47, 0xc1, 0x31, 0x37, 0x63, 0x62 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - public key >=3D p */ -{ - .secret =3D (u8[32]){ 0x60, 0x88, 0x7b, 0x3d, 0xc7, 0x24, 0x43, 0x02, - 0x6e, 0xbe, 0xdb, 0xbb, 0xb7, 0x06, 0x65, 0xf4, - 0x2b, 0x87, 0xad, 0xd1, 0x44, 0x0e, 0x77, 0x68, - 0xfb, 0xd7, 0xe8, 0xe2, 0xce, 0x5f, 0x63, 0x9d }, - .b_public =3D (u8[32]){ 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, - .expected_ss =3D (u8[32]){ 0x38, 0xd6, 0x30, 0x4c, 0x4a, 0x7e, 0x6d, 0x9f, - 0x79, 0x59, 0x33, 0x4f, 0xb5, 0x24, 0x5b, 0xd2, - 0xc7, 0x54, 0x52, 0x5d, 0x4c, 0x91, 0xdb, 0x95, - 0x02, 0x06, 0x92, 0x62, 0x34, 0xc1, 0xf6, 0x33 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - public key >=3D p */ -{ - .secret =3D (u8[32]){ 0x78, 0xd3, 0x1d, 0xfa, 0x85, 0x44, 0x97, 0xd7, - 0x2d, 0x8d, 0xef, 0x8a, 0x1b, 0x7f, 0xb0, 0x06, - 0xce, 0xc2, 0xd8, 0xc4, 0x92, 0x46, 0x47, 0xc9, - 0x38, 0x14, 0xae, 
0x56, 0xfa, 0xed, 0xa4, 0x95 }, - .b_public =3D (u8[32]){ 0xf1, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, - .expected_ss =3D (u8[32]){ 0x78, 0x6c, 0xd5, 0x49, 0x96, 0xf0, 0x14, 0xa5, - 0xa0, 0x31, 0xec, 0x14, 0xdb, 0x81, 0x2e, 0xd0, - 0x83, 0x55, 0x06, 0x1f, 0xdb, 0x5d, 0xe6, 0x80, - 0xa8, 0x00, 0xac, 0x52, 0x1f, 0x31, 0x8e, 0x23 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - public key >=3D p */ -{ - .secret =3D (u8[32]){ 0xc0, 0x4c, 0x5b, 0xae, 0xfa, 0x83, 0x02, 0xdd, - 0xde, 0xd6, 0xa4, 0xbb, 0x95, 0x77, 0x61, 0xb4, - 0xeb, 0x97, 0xae, 0xfa, 0x4f, 0xc3, 0xb8, 0x04, - 0x30, 0x85, 0xf9, 0x6a, 0x56, 0x59, 0xb3, 0xa5 }, - .b_public =3D (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, - .expected_ss =3D (u8[32]){ 0x29, 0xae, 0x8b, 0xc7, 0x3e, 0x9b, 0x10, 0xa0, - 0x8b, 0x4f, 0x68, 0x1c, 0x43, 0xc3, 0xe0, 0xac, - 0x1a, 0x17, 0x1d, 0x31, 0xb3, 0x8f, 0x1a, 0x48, - 0xef, 0xba, 0x29, 0xae, 0x63, 0x9e, 0xa1, 0x34 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - RFC 7748 */ -{ - .secret =3D (u8[32]){ 0xa0, 0x46, 0xe3, 0x6b, 0xf0, 0x52, 0x7c, 0x9d, - 0x3b, 0x16, 0x15, 0x4b, 0x82, 0x46, 0x5e, 0xdd, - 0x62, 0x14, 0x4c, 0x0a, 0xc1, 0xfc, 0x5a, 0x18, - 0x50, 0x6a, 0x22, 0x44, 0xba, 0x44, 0x9a, 0x44 }, - .b_public =3D (u8[32]){ 0xe6, 0xdb, 0x68, 0x67, 0x58, 0x30, 0x30, 0xdb, - 0x35, 0x94, 0xc1, 0xa4, 0x24, 0xb1, 0x5f, 0x7c, - 0x72, 0x66, 0x24, 0xec, 0x26, 0xb3, 0x35, 0x3b, - 0x10, 0xa9, 0x03, 0xa6, 0xd0, 0xab, 0x1c, 0x4c }, - .expected_ss =3D (u8[32]){ 0xc3, 0xda, 0x55, 0x37, 0x9d, 0xe9, 0xc6, 0x90, - 0x8e, 0x94, 0xea, 0x4d, 0xf2, 0x8d, 0x08, 0x4f, - 0x32, 0xec, 0xcf, 
0x03, 0x49, 0x1c, 0x71, 0xf7, - 0x54, 0xb4, 0x07, 0x55, 0x77, 0xa2, 0x85, 0x52 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - RFC 7748 */ -{ - .secret =3D (u8[32]){ 0x48, 0x66, 0xe9, 0xd4, 0xd1, 0xb4, 0x67, 0x3c, - 0x5a, 0xd2, 0x26, 0x91, 0x95, 0x7d, 0x6a, 0xf5, - 0xc1, 0x1b, 0x64, 0x21, 0xe0, 0xea, 0x01, 0xd4, - 0x2c, 0xa4, 0x16, 0x9e, 0x79, 0x18, 0xba, 0x4d }, - .b_public =3D (u8[32]){ 0xe5, 0x21, 0x0f, 0x12, 0x78, 0x68, 0x11, 0xd3, - 0xf4, 0xb7, 0x95, 0x9d, 0x05, 0x38, 0xae, 0x2c, - 0x31, 0xdb, 0xe7, 0x10, 0x6f, 0xc0, 0x3c, 0x3e, - 0xfc, 0x4c, 0xd5, 0x49, 0xc7, 0x15, 0xa4, 0x13 }, - .expected_ss =3D (u8[32]){ 0x95, 0xcb, 0xde, 0x94, 0x76, 0xe8, 0x90, 0x7d, - 0x7a, 0xad, 0xe4, 0x5c, 0xb4, 0xb8, 0x73, 0xf8, - 0x8b, 0x59, 0x5a, 0x68, 0x79, 0x9f, 0xa1, 0x52, - 0xe6, 0xf8, 0xf7, 0x64, 0x7a, 0xac, 0x79, 0x57 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - edge case for shared secret */ -{ - .secret =3D (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, - .b_public =3D (u8[32]){ 0x0a, 0xb4, 0xe7, 0x63, 0x80, 0xd8, 0x4d, 0xde, - 0x4f, 0x68, 0x33, 0xc5, 0x8f, 0x2a, 0x9f, 0xb8, - 0xf8, 0x3b, 0xb0, 0x16, 0x9b, 0x17, 0x2b, 0xe4, - 0xb6, 0xe0, 0x59, 0x28, 0x87, 0x74, 0x1a, 0x36 }, - .expected_ss =3D (u8[32]){ 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - edge case for shared secret */ -{ - .secret =3D (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, - 0xb9, 
0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, - .b_public =3D (u8[32]){ 0x89, 0xe1, 0x0d, 0x57, 0x01, 0xb4, 0x33, 0x7d, - 0x2d, 0x03, 0x21, 0x81, 0x53, 0x8b, 0x10, 0x64, - 0xbd, 0x40, 0x84, 0x40, 0x1c, 0xec, 0xa1, 0xfd, - 0x12, 0x66, 0x3a, 0x19, 0x59, 0x38, 0x80, 0x00 }, - .expected_ss =3D (u8[32]){ 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - edge case for shared secret */ -{ - .secret =3D (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, - .b_public =3D (u8[32]){ 0x2b, 0x55, 0xd3, 0xaa, 0x4a, 0x8f, 0x80, 0xc8, - 0xc0, 0xb2, 0xae, 0x5f, 0x93, 0x3e, 0x85, 0xaf, - 0x49, 0xbe, 0xac, 0x36, 0xc2, 0xfa, 0x73, 0x94, - 0xba, 0xb7, 0x6c, 0x89, 0x33, 0xf8, 0xf8, 0x1d }, - .expected_ss =3D (u8[32]){ 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - edge case for shared secret */ -{ - .secret =3D (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, - .b_public =3D (u8[32]){ 0x63, 0xe5, 0xb1, 0xfe, 0x96, 0x01, 0xfe, 0x84, - 0x38, 0x5d, 0x88, 0x66, 0xb0, 0x42, 0x12, 0x62, - 0xf7, 0x8f, 0xbf, 0xa5, 0xaf, 0xf9, 0x58, 0x5e, - 0x62, 0x66, 0x79, 0xb1, 0x85, 0x47, 0xd9, 0x59 }, - .expected_ss =3D (u8[32]){ 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 
0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - edge case for shared secret */ -{ - .secret =3D (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, - .b_public =3D (u8[32]){ 0xe4, 0x28, 0xf3, 0xda, 0xc1, 0x78, 0x09, 0xf8, - 0x27, 0xa5, 0x22, 0xce, 0x32, 0x35, 0x50, 0x58, - 0xd0, 0x73, 0x69, 0x36, 0x4a, 0xa7, 0x89, 0x02, - 0xee, 0x10, 0x13, 0x9b, 0x9f, 0x9d, 0xd6, 0x53 }, - .expected_ss =3D (u8[32]){ 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - edge case for shared secret */ -{ - .secret =3D (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, - .b_public =3D (u8[32]){ 0xb3, 0xb5, 0x0e, 0x3e, 0xd3, 0xa4, 0x07, 0xb9, - 0x5d, 0xe9, 0x42, 0xef, 0x74, 0x57, 0x5b, 0x5a, - 0xb8, 0xa1, 0x0c, 0x09, 0xee, 0x10, 0x35, 0x44, - 0xd6, 0x0b, 0xdf, 0xed, 0x81, 0x38, 0xab, 0x2b }, - .expected_ss =3D (u8[32]){ 0xf9, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - edge case for shared secret */ -{ - .secret =3D (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 
0xa3, - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, - .b_public =3D (u8[32]){ 0x21, 0x3f, 0xff, 0xe9, 0x3d, 0x5e, 0xa8, 0xcd, - 0x24, 0x2e, 0x46, 0x28, 0x44, 0x02, 0x99, 0x22, - 0xc4, 0x3c, 0x77, 0xc9, 0xe3, 0xe4, 0x2f, 0x56, - 0x2f, 0x48, 0x5d, 0x24, 0xc5, 0x01, 0xa2, 0x0b }, - .expected_ss =3D (u8[32]){ 0xf3, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - edge case for shared secret */ -{ - .secret =3D (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, - .b_public =3D (u8[32]){ 0x91, 0xb2, 0x32, 0xa1, 0x78, 0xb3, 0xcd, 0x53, - 0x09, 0x32, 0x44, 0x1e, 0x61, 0x39, 0x41, 0x8f, - 0x72, 0x17, 0x22, 0x92, 0xf1, 0xda, 0x4c, 0x18, - 0x34, 0xfc, 0x5e, 0xbf, 0xef, 0xb5, 0x1e, 0x3f }, - .expected_ss =3D (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - edge case for shared secret */ -{ - .secret =3D (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, - .b_public =3D (u8[32]){ 0x04, 0x5c, 0x6e, 0x11, 0xc5, 0xd3, 0x32, 0x55, - 0x6c, 0x78, 0x22, 0xfe, 0x94, 0xeb, 0xf8, 0x9b, - 0x56, 0xa3, 0x87, 0x8d, 0xc2, 0x7c, 0xa0, 0x79, - 0x10, 0x30, 0x58, 0x84, 0x9f, 0xab, 0xcb, 0x4f }, - .expected_ss =3D (u8[32]){ 0xe5, 0xff, 
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - edge case for shared secret */ -{ - .secret =3D (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, - .b_public =3D (u8[32]){ 0x1c, 0xa2, 0x19, 0x0b, 0x71, 0x16, 0x35, 0x39, - 0x06, 0x3c, 0x35, 0x77, 0x3b, 0xda, 0x0c, 0x9c, - 0x92, 0x8e, 0x91, 0x36, 0xf0, 0x62, 0x0a, 0xeb, - 0x09, 0x3f, 0x09, 0x91, 0x97, 0xb7, 0xf7, 0x4e }, - .expected_ss =3D (u8[32]){ 0xe3, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - edge case for shared secret */ -{ - .secret =3D (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, - .b_public =3D (u8[32]){ 0xf7, 0x6e, 0x90, 0x10, 0xac, 0x33, 0xc5, 0x04, - 0x3b, 0x2d, 0x3b, 0x76, 0xa8, 0x42, 0x17, 0x10, - 0x00, 0xc4, 0x91, 0x62, 0x22, 0xe9, 0xe8, 0x58, - 0x97, 0xa0, 0xae, 0xc7, 0xf6, 0x35, 0x0b, 0x3c }, - .expected_ss =3D (u8[32]){ 0xdd, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - edge case for shared secret */ -{ - .secret =3D (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 
0x8a, 0x5b, 0xe4, - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, - .b_public =3D (u8[32]){ 0xbb, 0x72, 0x68, 0x8d, 0x8f, 0x8a, 0xa7, 0xa3, - 0x9c, 0xd6, 0x06, 0x0c, 0xd5, 0xc8, 0x09, 0x3c, - 0xde, 0xc6, 0xfe, 0x34, 0x19, 0x37, 0xc3, 0x88, - 0x6a, 0x99, 0x34, 0x6c, 0xd0, 0x7f, 0xaa, 0x55 }, - .expected_ss =3D (u8[32]){ 0xdb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - edge case for shared secret */ -{ - .secret =3D (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, - .b_public =3D (u8[32]){ 0x88, 0xfd, 0xde, 0xa1, 0x93, 0x39, 0x1c, 0x6a, - 0x59, 0x33, 0xef, 0x9b, 0x71, 0x90, 0x15, 0x49, - 0x44, 0x72, 0x05, 0xaa, 0xe9, 0xda, 0x92, 0x8a, - 0x6b, 0x91, 0xa3, 0x52, 0xba, 0x10, 0xf4, 0x1f }, - .expected_ss =3D (u8[32]){ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - edge case for shared secret */ -{ - .secret =3D (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, - .b_public =3D (u8[32]){ 0x30, 0x3b, 0x39, 0x2f, 0x15, 0x31, 0x16, 0xca, - 0xd9, 0xcc, 0x68, 0x2a, 0x00, 0xcc, 0xc4, 0x4c, - 0x95, 0xff, 0x0d, 0x3b, 0xbe, 0x56, 0x8b, 0xeb, - 0x6c, 0x4e, 0x73, 0x9b, 0xaf, 
0xdc, 0x2c, 0x68 }, - .expected_ss =3D (u8[32]){ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - checking for overflow */ -{ - .secret =3D (u8[32]){ 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d, - 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d, - 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c, - 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 }, - .b_public =3D (u8[32]){ 0xfd, 0x30, 0x0a, 0xeb, 0x40, 0xe1, 0xfa, 0x58, - 0x25, 0x18, 0x41, 0x2b, 0x49, 0xb2, 0x08, 0xa7, - 0x84, 0x2b, 0x1e, 0x1f, 0x05, 0x6a, 0x04, 0x01, - 0x78, 0xea, 0x41, 0x41, 0x53, 0x4f, 0x65, 0x2d }, - .expected_ss =3D (u8[32]){ 0xb7, 0x34, 0x10, 0x5d, 0xc2, 0x57, 0x58, 0x5d, - 0x73, 0xb5, 0x66, 0xcc, 0xb7, 0x6f, 0x06, 0x27, - 0x95, 0xcc, 0xbe, 0xc8, 0x91, 0x28, 0xe5, 0x2b, - 0x02, 0xf3, 0xe5, 0x96, 0x39, 0xf1, 0x3c, 0x46 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - checking for overflow */ -{ - .secret =3D (u8[32]){ 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d, - 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d, - 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c, - 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 }, - .b_public =3D (u8[32]){ 0xc8, 0xef, 0x79, 0xb5, 0x14, 0xd7, 0x68, 0x26, - 0x77, 0xbc, 0x79, 0x31, 0xe0, 0x6e, 0xe5, 0xc2, - 0x7c, 0x9b, 0x39, 0x2b, 0x4a, 0xe9, 0x48, 0x44, - 0x73, 0xf5, 0x54, 0xe6, 0x67, 0x8e, 0xcc, 0x2e }, - .expected_ss =3D (u8[32]){ 0x64, 0x7a, 0x46, 0xb6, 0xfc, 0x3f, 0x40, 0xd6, - 0x21, 0x41, 0xee, 0x3c, 0xee, 0x70, 0x6b, 0x4d, - 0x7a, 0x92, 0x71, 0x59, 0x3a, 0x7b, 0x14, 0x3e, - 0x8e, 0x2e, 0x22, 0x79, 0x88, 0x3e, 0x45, 0x50 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - checking for overflow */ -{ - .secret 
=3D (u8[32]){ 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d, - 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d, - 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c, - 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 }, - .b_public =3D (u8[32]){ 0x64, 0xae, 0xac, 0x25, 0x04, 0x14, 0x48, 0x61, - 0x53, 0x2b, 0x7b, 0xbc, 0xb6, 0xc8, 0x7d, 0x67, - 0xdd, 0x4c, 0x1f, 0x07, 0xeb, 0xc2, 0xe0, 0x6e, - 0xff, 0xb9, 0x5a, 0xec, 0xc6, 0x17, 0x0b, 0x2c }, - .expected_ss =3D (u8[32]){ 0x4f, 0xf0, 0x3d, 0x5f, 0xb4, 0x3c, 0xd8, 0x65, - 0x7a, 0x3c, 0xf3, 0x7c, 0x13, 0x8c, 0xad, 0xce, - 0xcc, 0xe5, 0x09, 0xe4, 0xeb, 0xa0, 0x89, 0xd0, - 0xef, 0x40, 0xb4, 0xe4, 0xfb, 0x94, 0x61, 0x55 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - checking for overflow */ -{ - .secret =3D (u8[32]){ 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d, - 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d, - 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c, - 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 }, - .b_public =3D (u8[32]){ 0xbf, 0x68, 0xe3, 0x5e, 0x9b, 0xdb, 0x7e, 0xee, - 0x1b, 0x50, 0x57, 0x02, 0x21, 0x86, 0x0f, 0x5d, - 0xcd, 0xad, 0x8a, 0xcb, 0xab, 0x03, 0x1b, 0x14, - 0x97, 0x4c, 0xc4, 0x90, 0x13, 0xc4, 0x98, 0x31 }, - .expected_ss =3D (u8[32]){ 0x21, 0xce, 0xe5, 0x2e, 0xfd, 0xbc, 0x81, 0x2e, - 0x1d, 0x02, 0x1a, 0x4a, 0xf1, 0xe1, 0xd8, 0xbc, - 0x4d, 0xb3, 0xc4, 0x00, 0xe4, 0xd2, 0xa2, 0xc5, - 0x6a, 0x39, 0x26, 0xdb, 0x4d, 0x99, 0xc6, 0x5b }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - checking for overflow */ -{ - .secret =3D (u8[32]){ 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d, - 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d, - 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c, - 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 }, - .b_public =3D (u8[32]){ 0x53, 0x47, 0xc4, 0x91, 0x33, 0x1a, 0x64, 0xb4, - 0x3d, 0xdc, 0x68, 0x30, 0x34, 0xe6, 0x77, 0xf5, - 0x3d, 0xc3, 0x2b, 0x52, 0xa5, 0x2a, 0x57, 0x7c, 
- 0x15, 0xa8, 0x3b, 0xf2, 0x98, 0xe9, 0x9f, 0x19 }, - .expected_ss =3D (u8[32]){ 0x18, 0xcb, 0x89, 0xe4, 0xe2, 0x0c, 0x0c, 0x2b, - 0xd3, 0x24, 0x30, 0x52, 0x45, 0x26, 0x6c, 0x93, - 0x27, 0x69, 0x0b, 0xbe, 0x79, 0xac, 0xb8, 0x8f, - 0x5b, 0x8f, 0xb3, 0xf7, 0x4e, 0xca, 0x3e, 0x52 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - private key =3D=3D -1 (mod order) */ -{ - .secret =3D (u8[32]){ 0xa0, 0x23, 0xcd, 0xd0, 0x83, 0xef, 0x5b, 0xb8, - 0x2f, 0x10, 0xd6, 0x2e, 0x59, 0xe1, 0x5a, 0x68, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50 }, - .b_public =3D (u8[32]){ 0x25, 0x8e, 0x04, 0x52, 0x3b, 0x8d, 0x25, 0x3e, - 0xe6, 0x57, 0x19, 0xfc, 0x69, 0x06, 0xc6, 0x57, - 0x19, 0x2d, 0x80, 0x71, 0x7e, 0xdc, 0x82, 0x8f, - 0xa0, 0xaf, 0x21, 0x68, 0x6e, 0x2f, 0xaa, 0x75 }, - .expected_ss =3D (u8[32]){ 0x25, 0x8e, 0x04, 0x52, 0x3b, 0x8d, 0x25, 0x3e, - 0xe6, 0x57, 0x19, 0xfc, 0x69, 0x06, 0xc6, 0x57, - 0x19, 0x2d, 0x80, 0x71, 0x7e, 0xdc, 0x82, 0x8f, - 0xa0, 0xaf, 0x21, 0x68, 0x6e, 0x2f, 0xaa, 0x75 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 32, - -}, -/* wycheproof - private key =3D=3D 1 (mod order) on twist */ -{ - .secret =3D (u8[32]){ 0x58, 0x08, 0x3d, 0xd2, 0x61, 0xad, 0x91, 0xef, - 0xf9, 0x52, 0x32, 0x2e, 0xc8, 0x24, 0xc6, 0x82, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x5f }, - .b_public =3D (u8[32]){ 0x2e, 0xae, 0x5e, 0xc3, 0xdd, 0x49, 0x4e, 0x9f, - 0x2d, 0x37, 0xd2, 0x58, 0xf8, 0x73, 0xa8, 0xe6, - 0xe9, 0xd0, 0xdb, 0xd1, 0xe3, 0x83, 0xef, 0x64, - 0xd9, 0x8b, 0xb9, 0x1b, 0x3e, 0x0b, 0xe0, 0x35 }, - .expected_ss =3D (u8[32]){ 0x2e, 0xae, 0x5e, 0xc3, 0xdd, 0x49, 0x4e, 0x9f, - 0x2d, 0x37, 0xd2, 0x58, 0xf8, 0x73, 0xa8, 0xe6, - 0xe9, 0xd0, 0xdb, 0xd1, 0xe3, 0x83, 0xef, 0x64, - 0xd9, 0x8b, 0xb9, 0x1b, 0x3e, 0x0b, 0xe0, 0x35 }, - .secret_size =3D 32, - .b_public_size =3D 32, - .expected_ss_size =3D 
32, - -} -}; - static const struct kpp_testvec ecdh_p192_tv_template[] =3D { { .secret =3D #ifdef __LITTLE_ENDIAN "\x02\x00" /* type */ --=20 2.50.1 From nobody Tue Sep 9 16:20:08 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 048AB2BEC21; Sat, 6 Sep 2025 21:37:02 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757194623; cv=none; b=O//ha8lx7XPPH2/BtqvDVDdpltlLI0xtM6qXKG85reYyLIK0lbPZGXbQX9siy4UCMg9tobdQ8RZYspgJTQoeomHZ6nfv2jzVPFmlYo+bBNqPOVoFxsbb1h5pvdg8Qv0B3gAiTGd5TeQtwifqb3rIF8iQ/KWRfRObsq+XMDS2EKU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757194623; c=relaxed/simple; bh=qeA+FP+PuaUpGik41riGWKZvCqoBTBbqU4Qqt/+2lG8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=ECf/T82mR2hExy+9xR9p3LqDsd4GiudFPqb+qTv2eJyxa3AQ07mUq/A7v5gNSrNNhptirQLdVxuB5G7HakTL8J7G5wDldDGwURDJySNcJw/Lf3HIwSpvdvptNxs7+t2Y/ZLHBzjNVu/IpWj5fP2m0ESXUPIpEcpIYVF9nVVhMxE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=sSDDKlH/; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="sSDDKlH/" Received: by smtp.kernel.org (Postfix) with ESMTPSA id B58D1C116C6; Sat, 6 Sep 2025 21:37:01 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1757194622; bh=qeA+FP+PuaUpGik41riGWKZvCqoBTBbqU4Qqt/+2lG8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=sSDDKlH/aH65brYyaH5eBFlhDKmJZ9sraOxMyF3g1tjGf0AUnwE2PqNycmNg7456t 
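Review bot: Deleting this block removes the wycheproof edge-case coverage for Curve25519 together with the kpp test vectors: the `public key >= p`, `edge case for public key`, `edge case for shared secret`, `checking for overflow`, `private key == -1 (mod order)` and `private key == 1 (mod order) on twist` cases are exactly the non-canonical inputs that implementations tend to get wrong. Since the series keeps the library API, please confirm that the library's own self-test carries equivalent vectors, or move these vectors there within this series, so that dropping the crypto_kpp path does not silently drop these checks. The `ecdh_p192_tv_template` context that follows is untouched, so the remaining kpp_testvec users are unaffected.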
Cgs+Ilqe++W3YiJ0x3GHjzzcUy8UCEujV8fmDjtEhgHoAfKHfg2MKi2KwOPy8Bk3Us ly1sTOgXXBnnxbx1Dgo2Bsbfv0XD2FpzUqCOyTLqR2Ttfs/iKOZtSTx+B+pyxG5Uck GjMuxWSxjJFq8z8kTc9ysuDFITtk1ooji8IR7Ioh56stV2/r4ofr4XjurivZTcaUBZ jVYl1l8Npy8cdu1aPrhHGBSOUV9gW3xomyGZbSIBVSq6cWBUvHqXxw23C0lQshZe+L sOD1bi7zn7Dig== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , Zhiqi Song , Longfang Liu , x86@kernel.org, linux-arm-kernel@lists.infradead.org, linuxppc-dev@lists.ozlabs.org, Eric Biggers , Geert Uytterhoeven Subject: [PATCH v2 06/12] crypto: curve25519 - Remove unused kpp support Date: Sat, 6 Sep 2025 14:35:17 -0700 Message-ID: <20250906213523.84915-7-ebiggers@kernel.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250906213523.84915-1-ebiggers@kernel.org> References: <20250906213523.84915-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Curve25519 has both a library API and a crypto_kpp API. However, the crypto_kpp API for Curve25519 had no users outside crypto/testmgr.c. I.e., no non-test code ever passed "curve25519" to crypto_alloc_kpp(). Remove this unused code. We'll instead focus on the Curve25519 library API (), which is a simpler and easier-to-use API and is the API that is actually being used. Acked-by: Geert Uytterhoeven # m68k 
Signed-off-by: Eric Biggers --- arch/m68k/configs/amiga_defconfig | 1 - arch/m68k/configs/apollo_defconfig | 1 - arch/m68k/configs/atari_defconfig | 1 - arch/m68k/configs/bvme6000_defconfig | 1 - arch/m68k/configs/hp300_defconfig | 1 - arch/m68k/configs/mac_defconfig | 1 - arch/m68k/configs/multi_defconfig | 1 - arch/m68k/configs/mvme147_defconfig | 1 - arch/m68k/configs/mvme16x_defconfig | 1 - arch/m68k/configs/q40_defconfig | 1 - arch/m68k/configs/sun3_defconfig | 1 - arch/m68k/configs/sun3x_defconfig | 1 - arch/s390/configs/debug_defconfig | 1 - arch/s390/configs/defconfig | 1 - crypto/Kconfig | 8 --- crypto/Makefile | 1 - crypto/curve25519-generic.c | 91 ---------------------------- 17 files changed, 114 deletions(-) delete mode 100644 crypto/curve25519-generic.c diff --git a/arch/m68k/configs/amiga_defconfig b/arch/m68k/configs/amiga_de= fconfig index 5171bb183967b..24e7314ae4d3c 100644 --- a/arch/m68k/configs/amiga_defconfig +++ b/arch/m68k/configs/amiga_defconfig @@ -558,11 +558,10 @@ CONFIG_CRYPTO_BENCHMARK=3Dm CONFIG_CRYPTO_RSA=3Dm CONFIG_CRYPTO_DH=3Dm CONFIG_CRYPTO_ECDH=3Dm CONFIG_CRYPTO_ECDSA=3Dm CONFIG_CRYPTO_ECRDSA=3Dm -CONFIG_CRYPTO_CURVE25519=3Dm CONFIG_CRYPTO_AES=3Dy CONFIG_CRYPTO_AES_TI=3Dm CONFIG_CRYPTO_ANUBIS=3Dm CONFIG_CRYPTO_ARIA=3Dm CONFIG_CRYPTO_BLOWFISH=3Dm diff --git a/arch/m68k/configs/apollo_defconfig b/arch/m68k/configs/apollo_= defconfig index 16f343ae48c67..4f13c2fa2097e 100644 --- a/arch/m68k/configs/apollo_defconfig +++ b/arch/m68k/configs/apollo_defconfig @@ -515,11 +515,10 @@ CONFIG_CRYPTO_BENCHMARK=3Dm CONFIG_CRYPTO_RSA=3Dm CONFIG_CRYPTO_DH=3Dm CONFIG_CRYPTO_ECDH=3Dm CONFIG_CRYPTO_ECDSA=3Dm CONFIG_CRYPTO_ECRDSA=3Dm -CONFIG_CRYPTO_CURVE25519=3Dm CONFIG_CRYPTO_AES=3Dy CONFIG_CRYPTO_AES_TI=3Dm CONFIG_CRYPTO_ANUBIS=3Dm CONFIG_CRYPTO_ARIA=3Dm CONFIG_CRYPTO_BLOWFISH=3Dm diff --git a/arch/m68k/configs/atari_defconfig b/arch/m68k/configs/atari_de= fconfig index c08788728ea96..95ef2c838141d 100644 --- a/arch/m68k/configs/atari_defconfig 
+++ b/arch/m68k/configs/atari_defconfig @@ -535,11 +535,10 @@ CONFIG_CRYPTO_BENCHMARK=3Dm CONFIG_CRYPTO_RSA=3Dm CONFIG_CRYPTO_DH=3Dm CONFIG_CRYPTO_ECDH=3Dm CONFIG_CRYPTO_ECDSA=3Dm CONFIG_CRYPTO_ECRDSA=3Dm -CONFIG_CRYPTO_CURVE25519=3Dm CONFIG_CRYPTO_AES=3Dy CONFIG_CRYPTO_AES_TI=3Dm CONFIG_CRYPTO_ANUBIS=3Dm CONFIG_CRYPTO_ARIA=3Dm CONFIG_CRYPTO_BLOWFISH=3Dm diff --git a/arch/m68k/configs/bvme6000_defconfig b/arch/m68k/configs/bvme6= 000_defconfig index 962497e7c53fd..d0aca54485f2d 100644 --- a/arch/m68k/configs/bvme6000_defconfig +++ b/arch/m68k/configs/bvme6000_defconfig @@ -507,11 +507,10 @@ CONFIG_CRYPTO_BENCHMARK=3Dm CONFIG_CRYPTO_RSA=3Dm CONFIG_CRYPTO_DH=3Dm CONFIG_CRYPTO_ECDH=3Dm CONFIG_CRYPTO_ECDSA=3Dm CONFIG_CRYPTO_ECRDSA=3Dm -CONFIG_CRYPTO_CURVE25519=3Dm CONFIG_CRYPTO_AES=3Dy CONFIG_CRYPTO_AES_TI=3Dm CONFIG_CRYPTO_ANUBIS=3Dm CONFIG_CRYPTO_ARIA=3Dm CONFIG_CRYPTO_BLOWFISH=3Dm diff --git a/arch/m68k/configs/hp300_defconfig b/arch/m68k/configs/hp300_de= fconfig index ec28650189e40..faa5ec07cf9e5 100644 --- a/arch/m68k/configs/hp300_defconfig +++ b/arch/m68k/configs/hp300_defconfig @@ -517,11 +517,10 @@ CONFIG_CRYPTO_BENCHMARK=3Dm CONFIG_CRYPTO_RSA=3Dm CONFIG_CRYPTO_DH=3Dm CONFIG_CRYPTO_ECDH=3Dm CONFIG_CRYPTO_ECDSA=3Dm CONFIG_CRYPTO_ECRDSA=3Dm -CONFIG_CRYPTO_CURVE25519=3Dm CONFIG_CRYPTO_AES=3Dy CONFIG_CRYPTO_AES_TI=3Dm CONFIG_CRYPTO_ANUBIS=3Dm CONFIG_CRYPTO_ARIA=3Dm CONFIG_CRYPTO_BLOWFISH=3Dm diff --git a/arch/m68k/configs/mac_defconfig b/arch/m68k/configs/mac_defcon= fig index 0afb3ad180dee..313a52341dafa 100644 --- a/arch/m68k/configs/mac_defconfig +++ b/arch/m68k/configs/mac_defconfig @@ -534,11 +534,10 @@ CONFIG_CRYPTO_BENCHMARK=3Dm CONFIG_CRYPTO_RSA=3Dm CONFIG_CRYPTO_DH=3Dm CONFIG_CRYPTO_ECDH=3Dm CONFIG_CRYPTO_ECDSA=3Dm CONFIG_CRYPTO_ECRDSA=3Dm -CONFIG_CRYPTO_CURVE25519=3Dm CONFIG_CRYPTO_AES=3Dy CONFIG_CRYPTO_AES_TI=3Dm CONFIG_CRYPTO_ANUBIS=3Dm CONFIG_CRYPTO_ARIA=3Dm CONFIG_CRYPTO_BLOWFISH=3Dm 
diff --git a/arch/m68k/configs/multi_defconfig b/arch/m68k/configs/multi_de= fconfig index b311e953995d6..44cc3461f5695 100644 --- a/arch/m68k/configs/multi_defconfig +++ b/arch/m68k/configs/multi_defconfig @@ -621,11 +621,10 @@ CONFIG_CRYPTO_BENCHMARK=3Dm CONFIG_CRYPTO_RSA=3Dm CONFIG_CRYPTO_DH=3Dm CONFIG_CRYPTO_ECDH=3Dm CONFIG_CRYPTO_ECDSA=3Dm CONFIG_CRYPTO_ECRDSA=3Dm -CONFIG_CRYPTO_CURVE25519=3Dm CONFIG_CRYPTO_AES=3Dy CONFIG_CRYPTO_AES_TI=3Dm CONFIG_CRYPTO_ANUBIS=3Dm CONFIG_CRYPTO_ARIA=3Dm CONFIG_CRYPTO_BLOWFISH=3Dm diff --git a/arch/m68k/configs/mvme147_defconfig b/arch/m68k/configs/mvme14= 7_defconfig index f4e6224f137f9..0394fd631679e 100644 --- a/arch/m68k/configs/mvme147_defconfig +++ b/arch/m68k/configs/mvme147_defconfig @@ -507,11 +507,10 @@ CONFIG_CRYPTO_BENCHMARK=3Dm CONFIG_CRYPTO_RSA=3Dm CONFIG_CRYPTO_DH=3Dm CONFIG_CRYPTO_ECDH=3Dm CONFIG_CRYPTO_ECDSA=3Dm CONFIG_CRYPTO_ECRDSA=3Dm -CONFIG_CRYPTO_CURVE25519=3Dm CONFIG_CRYPTO_AES=3Dy CONFIG_CRYPTO_AES_TI=3Dm CONFIG_CRYPTO_ANUBIS=3Dm CONFIG_CRYPTO_ARIA=3Dm CONFIG_CRYPTO_BLOWFISH=3Dm diff --git a/arch/m68k/configs/mvme16x_defconfig b/arch/m68k/configs/mvme16= x_defconfig index 498e167222f18..d8ad11b7054c4 100644 --- a/arch/m68k/configs/mvme16x_defconfig +++ b/arch/m68k/configs/mvme16x_defconfig @@ -508,11 +508,10 @@ CONFIG_CRYPTO_BENCHMARK=3Dm CONFIG_CRYPTO_RSA=3Dm CONFIG_CRYPTO_DH=3Dm CONFIG_CRYPTO_ECDH=3Dm CONFIG_CRYPTO_ECDSA=3Dm CONFIG_CRYPTO_ECRDSA=3Dm -CONFIG_CRYPTO_CURVE25519=3Dm CONFIG_CRYPTO_AES=3Dy CONFIG_CRYPTO_AES_TI=3Dm CONFIG_CRYPTO_ANUBIS=3Dm CONFIG_CRYPTO_ARIA=3Dm CONFIG_CRYPTO_BLOWFISH=3Dm diff --git a/arch/m68k/configs/q40_defconfig b/arch/m68k/configs/q40_defcon= fig index 8c6b1eef85342..bdc090d0c0ad0 100644 --- a/arch/m68k/configs/q40_defconfig +++ b/arch/m68k/configs/q40_defconfig 
@@ -524,11 +524,10 @@ CONFIG_CRYPTO_BENCHMARK=3Dm CONFIG_CRYPTO_RSA=3Dm CONFIG_CRYPTO_DH=3Dm CONFIG_CRYPTO_ECDH=3Dm CONFIG_CRYPTO_ECDSA=3Dm CONFIG_CRYPTO_ECRDSA=3Dm -CONFIG_CRYPTO_CURVE25519=3Dm CONFIG_CRYPTO_AES=3Dy CONFIG_CRYPTO_AES_TI=3Dm CONFIG_CRYPTO_ANUBIS=3Dm CONFIG_CRYPTO_ARIA=3Dm CONFIG_CRYPTO_BLOWFISH=3Dm diff --git a/arch/m68k/configs/sun3_defconfig b/arch/m68k/configs/sun3_defc= onfig index c34648f299efb..05324e30c65f5 100644 --- a/arch/m68k/configs/sun3_defconfig +++ b/arch/m68k/configs/sun3_defconfig @@ -505,11 +505,10 @@ CONFIG_CRYPTO_BENCHMARK=3Dm CONFIG_CRYPTO_RSA=3Dm CONFIG_CRYPTO_DH=3Dm CONFIG_CRYPTO_ECDH=3Dm CONFIG_CRYPTO_ECDSA=3Dm CONFIG_CRYPTO_ECRDSA=3Dm -CONFIG_CRYPTO_CURVE25519=3Dm CONFIG_CRYPTO_AES=3Dy CONFIG_CRYPTO_AES_TI=3Dm CONFIG_CRYPTO_ANUBIS=3Dm CONFIG_CRYPTO_ARIA=3Dm CONFIG_CRYPTO_BLOWFISH=3Dm diff --git a/arch/m68k/configs/sun3x_defconfig b/arch/m68k/configs/sun3x_de= fconfig index 73810d14660f2..a1a3fb24fb7b0 100644 --- a/arch/m68k/configs/sun3x_defconfig +++ b/arch/m68k/configs/sun3x_defconfig @@ -505,11 +505,10 @@ CONFIG_CRYPTO_BENCHMARK=3Dm CONFIG_CRYPTO_RSA=3Dm CONFIG_CRYPTO_DH=3Dm CONFIG_CRYPTO_ECDH=3Dm CONFIG_CRYPTO_ECDSA=3Dm CONFIG_CRYPTO_ECRDSA=3Dm -CONFIG_CRYPTO_CURVE25519=3Dm CONFIG_CRYPTO_AES=3Dy CONFIG_CRYPTO_AES_TI=3Dm CONFIG_CRYPTO_ANUBIS=3Dm CONFIG_CRYPTO_ARIA=3Dm CONFIG_CRYPTO_BLOWFISH=3Dm diff --git a/arch/s390/configs/debug_defconfig b/arch/s390/configs/debug_de= fconfig index 5e616bc988ac3..1c54348b812da 100644 --- a/arch/s390/configs/debug_defconfig +++ b/arch/s390/configs/debug_defconfig @@ -759,11 +759,10 @@ CONFIG_CRYPTO_CRYPTD=3Dm CONFIG_CRYPTO_BENCHMARK=3Dm CONFIG_CRYPTO_DH=3Dm CONFIG_CRYPTO_ECDH=3Dm CONFIG_CRYPTO_ECDSA=3Dm CONFIG_CRYPTO_ECRDSA=3Dm -CONFIG_CRYPTO_CURVE25519=3Dm CONFIG_CRYPTO_AES_TI=3Dm CONFIG_CRYPTO_ANUBIS=3Dm CONFIG_CRYPTO_ARIA=3Dm CONFIG_CRYPTO_BLOWFISH=3Dm CONFIG_CRYPTO_CAST5=3Dm 
diff --git a/arch/s390/configs/defconfig b/arch/s390/configs/defconfig index 094599cdaf4d9..90a9dad7f8015 100644 --- a/arch/s390/configs/defconfig +++ b/arch/s390/configs/defconfig @@ -743,11 +743,10 @@ CONFIG_CRYPTO_CRYPTD=3Dm CONFIG_CRYPTO_BENCHMARK=3Dm CONFIG_CRYPTO_DH=3Dm CONFIG_CRYPTO_ECDH=3Dm CONFIG_CRYPTO_ECDSA=3Dm CONFIG_CRYPTO_ECRDSA=3Dm -CONFIG_CRYPTO_CURVE25519=3Dm CONFIG_CRYPTO_AES_TI=3Dm CONFIG_CRYPTO_ANUBIS=3Dm CONFIG_CRYPTO_ARIA=3Dm CONFIG_CRYPTO_BLOWFISH=3Dm CONFIG_CRYPTO_CAST5=3Dm diff --git a/crypto/Kconfig b/crypto/Kconfig index 09e8fb6ee0813..a04595f9d0ca4 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig @@ -342,18 +342,10 @@ config CRYPTO_ECRDSA RFC 7091, ISO/IEC 14888-3) =20 One of the Russian cryptographic standard algorithms (called GOST algorithms). Only signature verification is implemented. =20 -config CRYPTO_CURVE25519 - tristate "Curve25519" - select CRYPTO_KPP - select CRYPTO_LIB_CURVE25519_GENERIC - select CRYPTO_LIB_CURVE25519_INTERNAL - help - Curve25519 elliptic curve (RFC7748) - endmenu =20 menu "Block ciphers" =20 config CRYPTO_AES diff --git a/crypto/Makefile b/crypto/Makefile index 6c5d59369dacc..e430e6e99b6a2 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -180,11 +180,10 @@ obj-$(CONFIG_CRYPTO_USER_API_SKCIPHER) +=3D algif_skc= ipher.o obj-$(CONFIG_CRYPTO_USER_API_RNG) +=3D algif_rng.o obj-$(CONFIG_CRYPTO_USER_API_AEAD) +=3D algif_aead.o obj-$(CONFIG_CRYPTO_ZSTD) +=3D zstd.o obj-$(CONFIG_CRYPTO_ECC) +=3D ecc.o obj-$(CONFIG_CRYPTO_ESSIV) +=3D essiv.o -obj-$(CONFIG_CRYPTO_CURVE25519) +=3D curve25519-generic.o =20 ecdh_generic-y +=3D ecdh.o ecdh_generic-y +=3D ecdh_helper.o obj-$(CONFIG_CRYPTO_ECDH) +=3D ecdh_generic.o =20 diff --git a/crypto/curve25519-generic.c b/crypto/curve25519-generic.c deleted file mode 100644 index f3e56e73c66ca..0000000000000 --- a/crypto/curve25519-generic.c +++ /dev/null 
@@ -1,91 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0-or-later - -#include -#include -#include -#include -#include - -static int curve25519_set_secret(struct crypto_kpp *tfm, const void *buf, - unsigned int len) -{ - u8 *secret =3D kpp_tfm_ctx(tfm); - - if (!len) - curve25519_generate_secret(secret); - else if (len =3D=3D CURVE25519_KEY_SIZE && - crypto_memneq(buf, curve25519_null_point, CURVE25519_KEY_SIZE)) - memcpy(secret, buf, CURVE25519_KEY_SIZE); - else - return -EINVAL; - return 0; -} - -static int curve25519_compute_value(struct kpp_request *req) -{ - struct crypto_kpp *tfm =3D crypto_kpp_reqtfm(req); - const u8 *secret =3D kpp_tfm_ctx(tfm); - u8 public_key[CURVE25519_KEY_SIZE]; - u8 buf[CURVE25519_KEY_SIZE]; - int copied, nbytes; - u8 const *bp; - - if (req->src) { - copied =3D sg_copy_to_buffer(req->src, - sg_nents_for_len(req->src, - CURVE25519_KEY_SIZE), - public_key, CURVE25519_KEY_SIZE); - if (copied !=3D CURVE25519_KEY_SIZE) - return -EINVAL; - bp =3D public_key; - } else { - bp =3D curve25519_base_point; - } - - curve25519_generic(buf, secret, bp); - - /* might want less than we've got */ - nbytes =3D min_t(size_t, CURVE25519_KEY_SIZE, req->dst_len); - copied =3D sg_copy_from_buffer(req->dst, sg_nents_for_len(req->dst, - nbytes), - buf, nbytes); - if (copied !=3D nbytes) - return -EINVAL; - return 0; -} - -static unsigned int curve25519_max_size(struct crypto_kpp *tfm) -{ - return CURVE25519_KEY_SIZE; -} - -static struct kpp_alg curve25519_alg =3D { - .base.cra_name =3D "curve25519", - .base.cra_driver_name =3D "curve25519-generic", - .base.cra_priority =3D 100, - .base.cra_module =3D THIS_MODULE, - .base.cra_ctxsize =3D CURVE25519_KEY_SIZE, - - .set_secret =3D curve25519_set_secret, - .generate_public_key =3D curve25519_compute_value, - .compute_shared_secret =3D curve25519_compute_value, - .max_size =3D curve25519_max_size, -}; - -static int __init curve25519_init(void) -{ - return crypto_register_kpp(&curve25519_alg); -} - -static void __exit 
curve25519_exit(void) -{ - crypto_unregister_kpp(&curve25519_alg); -} - -module_init(curve25519_init); -module_exit(curve25519_exit); - -MODULE_ALIAS_CRYPTO("curve25519"); -MODULE_ALIAS_CRYPTO("curve25519-generic"); -MODULE_DESCRIPTION("Curve25519 elliptic curve (RFC7748)"); -MODULE_LICENSE("GPL"); --=20 2.50.1
From nobody Tue Sep 9 16:20:08 2025
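Review bot: a `select CRYPTO_CURVE25519` left behind in any other Kconfig file would not break the build once the crypto/Kconfig hunk deletes the symbol, it would simply stop selecting anything, so the commit message should state that the tree was grepped for remaining `select` and `depends on` references to CRYPTO_CURVE25519, driver Kconfigs included. The same hunk drops `select CRYPTO_LIB_CURVE25519_GENERIC` and `select CRYPTO_LIB_CURVE25519_INTERNAL`; the library symbols themselves are untouched, so in-tree users of the library API keep building, but one sentence saying so would save reviewers re-deriving it. The crypto/Makefile hunk removes only `obj-$(CONFIG_CRYPTO_CURVE25519) += curve25519-generic.o`, and the `algif_skcipher.o`, `algif_rng.o` and `algif_aead.o` objects in its context show no kpp user-space interface, which is consistent with the claim that removing the kpp algorithm breaks no user-space consumer.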
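Review bot: the deleted `curve25519_set_secret()` was where the kpp path enforced `len == CURVE25519_KEY_SIZE` and rejected an all-zero secret with `crypto_memneq(buf, curve25519_null_point, CURVE25519_KEY_SIZE)`, and `curve25519_compute_value()` rejected a short source buffer with `-EINVAL`; none of that validation survives in this file, so the commit message should say explicitly that the library API's own checks, the null-secret test in `curve25519_generate_public()` and the non-null result test in `curve25519()`, are what the remaining callers rely on. Removing `MODULE_ALIAS_CRYPTO("curve25519")` and `MODULE_ALIAS_CRYPTO("curve25519-generic")` also means a `crypto_alloc_kpp("curve25519", ...)` from an out-of-tree module will no longer autoload anything; "no users outside crypto/testmgr.c" is the right in-tree scope, but the alias removal deserves a mention for out-of-tree consumers.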
From: Eric Biggers
To: linux-crypto@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel, "Jason A . Donenfeld", Zhiqi Song, Longfang Liu, x86@kernel.org, linux-arm-kernel@lists.infradead.org, linuxppc-dev@lists.ozlabs.org, Eric Biggers
Subject: [PATCH v2 07/12] lib/crypto: tests: Migrate Curve25519 self-test to KUnit
Date: Sat, 6 Sep 2025 14:35:18 -0700
Message-ID: <20250906213523.84915-8-ebiggers@kernel.org>
In-Reply-To: <20250906213523.84915-1-ebiggers@kernel.org>
References: <20250906213523.84915-1-ebiggers@kernel.org>

Move the Curve25519 test from an ad-hoc self-test to a KUnit test. Generally keep the same test logic for now, just translated to KUnit. There's one exception, which is that I dropped the incomplete test of curve25519_generic(). The approach I'm taking to cover the different implementations with the KUnit tests is to just rely on booting kernels in QEMU with different '-cpu' options, rather than try to make the tests (incompletely) test multiple implementations on one CPU. This way, both the test and the library API are simpler.

This commit makes the file lib/crypto/curve25519.c no longer needed, as its only purpose was to call the self-test. However, keep it for now, since a later commit will add code to it again.

Temporarily omit the default value of CRYPTO_SELFTESTS that the other lib/crypto/ KUnit tests have. It would cause a recursive kconfig dependency, since the Curve25519 code is still entangled with CRYPTO. A later commit will fix that.
Signed-off-by: Eric Biggers --- include/crypto/curve25519.h | 2 - lib/crypto/Makefile | 1 - lib/crypto/curve25519.c | 3 - lib/crypto/tests/Kconfig | 9 +++ lib/crypto/tests/Makefile | 1 + .../curve25519_kunit.c} | 70 +++++++++++-------- 6 files changed, 49 insertions(+), 37 deletions(-) rename lib/crypto/{curve25519-selftest.c =3D> tests/curve25519_kunit.c} (9= 7%) diff --git a/include/crypto/curve25519.h b/include/crypto/curve25519.h index ece6a9b5fafc8..4e6dc840b1592 100644 --- a/include/crypto/curve25519.h +++ b/include/crypto/curve25519.h @@ -26,12 +26,10 @@ void curve25519_arch(u8 out[CURVE25519_KEY_SIZE], const u8 point[CURVE25519_KEY_SIZE]); =20 void curve25519_base_arch(u8 pub[CURVE25519_KEY_SIZE], const u8 secret[CURVE25519_KEY_SIZE]); =20 -bool curve25519_selftest(void); - static inline bool __must_check curve25519(u8 mypublic[CURVE25519_KEY_SIZE], const u8 secret[CURVE25519_KEY_SIZE], const u8 basepoint[CURVE25519_KEY_SIZE]) { diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index ad27c5bf99e11..6c3be971ace09 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -85,11 +85,10 @@ ifeq ($(call clang-min-version, 180000),) KASAN_SANITIZE_curve25519-hacl64.o :=3D n endif =20 obj-$(CONFIG_CRYPTO_LIB_CURVE25519) +=3D libcurve25519.o libcurve25519-y +=3D curve25519.o -libcurve25519-$(CONFIG_CRYPTO_SELFTESTS) +=3D curve25519-selftest.o =20 obj-$(CONFIG_CRYPTO_LIB_DES) +=3D libdes.o libdes-y :=3D des.o =20 ##########################################################################= ###### diff --git a/lib/crypto/curve25519.c b/lib/crypto/curve25519.c index 6850b76a80c9e..25f16777865bf 100644 --- a/lib/crypto/curve25519.c +++ b/lib/crypto/curve25519.c @@ -13,13 +13,10 @@ #include #include =20 static int __init curve25519_init(void) { - if (IS_ENABLED(CONFIG_CRYPTO_SELFTESTS) && - WARN_ON(!curve25519_selftest())) - return -ENODEV; return 0; } =20 static void __exit curve25519_exit(void) { 
diff --git a/lib/crypto/tests/Kconfig b/lib/crypto/tests/Kconfig index fd341aa12f157..eaca60d3e0a36 100644 --- a/lib/crypto/tests/Kconfig +++ b/lib/crypto/tests/Kconfig @@ -8,10 +8,19 @@ config CRYPTO_LIB_BLAKE2S_KUNIT_TEST # No need to select CRYPTO_LIB_BLAKE2S here, as that option doesn't # exist; the BLAKE2s code is always built-in for the /dev/random driver. help KUnit tests for the BLAKE2s cryptographic hash function. =20 +config CRYPTO_LIB_CURVE25519_KUNIT_TEST + tristate "KUnit tests for Curve25519" if !KUNIT_ALL_TESTS + depends on KUNIT + default KUNIT_ALL_TESTS + select CRYPTO_LIB_BENCHMARK_VISIBLE + select CRYPTO_LIB_CURVE25519 + help + KUnit tests for the Curve25519 Diffie-Hellman function. + config CRYPTO_LIB_MD5_KUNIT_TEST tristate "KUnit tests for MD5" if !KUNIT_ALL_TESTS depends on KUNIT default KUNIT_ALL_TESTS || CRYPTO_SELFTESTS select CRYPTO_LIB_BENCHMARK_VISIBLE diff --git a/lib/crypto/tests/Makefile b/lib/crypto/tests/Makefile index be7de929af2cc..a71fad19922ba 100644 --- a/lib/crypto/tests/Makefile +++ b/lib/crypto/tests/Makefile @@ -1,8 +1,9 @@ # SPDX-License-Identifier: GPL-2.0-or-later =20 obj-$(CONFIG_CRYPTO_LIB_BLAKE2S_KUNIT_TEST) +=3D blake2s_kunit.o +obj-$(CONFIG_CRYPTO_LIB_CURVE25519_KUNIT_TEST) +=3D curve25519_kunit.o obj-$(CONFIG_CRYPTO_LIB_MD5_KUNIT_TEST) +=3D md5_kunit.o obj-$(CONFIG_CRYPTO_LIB_POLY1305_KUNIT_TEST) +=3D poly1305_kunit.o obj-$(CONFIG_CRYPTO_LIB_SHA1_KUNIT_TEST) +=3D sha1_kunit.o obj-$(CONFIG_CRYPTO_LIB_SHA256_KUNIT_TEST) +=3D sha224_kunit.o sha256_kuni= t.o obj-$(CONFIG_CRYPTO_LIB_SHA512_KUNIT_TEST) +=3D sha384_kunit.o sha512_kuni= t.o diff --git a/lib/crypto/curve25519-selftest.c b/lib/crypto/tests/curve25519= _kunit.c similarity index 97% rename from lib/crypto/curve25519-selftest.c rename to lib/crypto/tests/curve25519_kunit.c index c85e85381e788..0d1c46ca74018 100644 --- a/lib/crypto/curve25519-selftest.c +++ b/lib/crypto/tests/curve25519_kunit.c 
@@ -2,18 +2,19 @@ /* * Copyright (C) 2015-2019 Jason A. Donenfeld . All Right= s Reserved. */ =20 #include +#include =20 struct curve25519_test_vector { u8 private[CURVE25519_KEY_SIZE]; u8 public[CURVE25519_KEY_SIZE]; u8 result[CURVE25519_KEY_SIZE]; bool valid; }; -static const struct curve25519_test_vector curve25519_test_vectors[] __ini= tconst =3D { +static const struct curve25519_test_vector curve25519_test_vectors[] =3D { { .private =3D { 0x77, 0x07, 0x6d, 0x0a, 0x73, 0x18, 0xa5, 0x7d, 0x3c, 0x16, 0xc1, 0x72, 0x51, 0xb2, 0x66, 0x45, 0xdf, 0x4c, 0x2f, 0x87, 0xeb, 0xc0, 0x99, 0x2a, 0xb1, 0x77, 0xfb, 0xa5, 0x1d, 0xb9, 0x2c, 0x2a }, 
@@ -1278,44 +1279,51 @@ static const struct curve25519_test_vector curve255= 19_test_vectors[] __initconst 0xd9, 0x8b, 0xb9, 0x1b, 0x3e, 0x0b, 0xe0, 0x35 }, .valid =3D true } }; =20 -bool __init curve25519_selftest(void) +static void test_curve25519(struct kunit *test) { - bool success =3D true, ret, ret2; - size_t i =3D 0, j; - u8 in[CURVE25519_KEY_SIZE]; - u8 out[CURVE25519_KEY_SIZE], out2[CURVE25519_KEY_SIZE], - out3[CURVE25519_KEY_SIZE]; + for (size_t i =3D 0; i < ARRAY_SIZE(curve25519_test_vectors); ++i) { + const struct curve25519_test_vector *vec =3D + &curve25519_test_vectors[i]; + u8 out[CURVE25519_KEY_SIZE] =3D {}; + bool ret; =20 - for (i =3D 0; i < ARRAY_SIZE(curve25519_test_vectors); ++i) { - memset(out, 0, CURVE25519_KEY_SIZE); - ret =3D curve25519(out, curve25519_test_vectors[i].private, - curve25519_test_vectors[i].public); - if (ret !=3D curve25519_test_vectors[i].valid || - memcmp(out, curve25519_test_vectors[i].result, - CURVE25519_KEY_SIZE)) { - pr_err("curve25519 self-test %zu: FAIL\n", i + 1); - success =3D false; - } + ret =3D curve25519(out, vec->private, vec->public); + KUNIT_EXPECT_EQ_MSG(test, ret, vec->valid, + "Wrong return value with test vector %zu", + i); + KUNIT_EXPECT_MEMEQ_MSG(test, out, vec->result, sizeof(out), + "Wrong output with test vector %zu", i); } +} + +static void test_curve25519_basepoint(struct kunit *test) +{ + for (size_t i =3D 0; i < 5; ++i) { + u8 in[CURVE25519_KEY_SIZE]; + u8 out[CURVE25519_KEY_SIZE]; + u8 out2[CURVE25519_KEY_SIZE]; + bool ret, ret2; =20 - for (i =3D 0; i < 5; ++i) { get_random_bytes(in, sizeof(in)); ret =3D curve25519_generate_public(out, in); ret2 =3D curve25519(out2, in, (u8[CURVE25519_KEY_SIZE]){ 9 }); - curve25519_generic(out3, in, (u8[CURVE25519_KEY_SIZE]){ 9 }); - if (ret !=3D ret2 || - memcmp(out, out2, CURVE25519_KEY_SIZE) || - memcmp(out, out3, CURVE25519_KEY_SIZE)) { - pr_err("curve25519 basepoint self-test %zu: FAIL: input - 0x", - i + 1); - for (j =3D CURVE25519_KEY_SIZE; j-- > 0;) - 
printk(KERN_CONT "%02x", in[j]); - printk(KERN_CONT "\n"); - success =3D false; - } + KUNIT_EXPECT_EQ_MSG(test, ret, ret2, + "in=3D%*phN", CURVE25519_KEY_SIZE, in); + KUNIT_EXPECT_MEMEQ_MSG(test, out, out2, CURVE25519_KEY_SIZE, + "in=3D%*phN", CURVE25519_KEY_SIZE, in); } - - return success; } + +static struct kunit_case curve25519_test_cases[] =3D { + KUNIT_CASE(test_curve25519), + KUNIT_CASE(test_curve25519_basepoint), + {}, +}; + +static struct kunit_suite curve25519_test_suite =3D { + .name =3D "curve25519", + .test_cases =3D curve25519_test_cases, +}; +kunit_test_suite(curve25519_test_suite); --=20 2.50.1
From nobody Tue Sep 9 16:20:08 2025
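Review bot: `CRYPTO_LIB_CURVE25519_KUNIT_TEST` in lib/crypto/tests/Kconfig is defined with `default KUNIT_ALL_TESTS`, whereas the neighbouring `CRYPTO_LIB_MD5_KUNIT_TEST` has `default KUNIT_ALL_TESTS || CRYPTO_SELFTESTS`; the commit message explains the omission (a recursive kconfig dependency while the Curve25519 code is still entangled with CRYPTO), but nothing in the Kconfig entry records it, so a `#` comment above the `default` line, in the style of the comment under CRYPTO_LIB_BLAKE2S_KUNIT_TEST in the surrounding context, would stop someone from either "fixing" the inconsistency and reintroducing the loop or forgetting to restore it later. The practical consequence should be spelled out as well: together with the removal of the `curve25519_selftest()` call from `curve25519_init()` in lib/crypto/curve25519.c, a kernel built with CRYPTO_SELFTESTS=y but without KUNIT_ALL_TESTS runs no Curve25519 test vectors at all until the follow-up lands, which is a temporary loss of a boot-time sanity check on the shared-secret code.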
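Review bot: in `test_curve25519()` the `KUNIT_EXPECT_MEMEQ_MSG(test, out, vec->result, sizeof(out), ...)` check runs for `.valid = false` vectors as well, exactly as the old `memcmp()` did, which only makes sense if every invalid vector's `.result` holds whatever `curve25519()` writes for a rejected input; a one-line comment on `struct curve25519_test_vector` stating that contract would stop a future contributor from adding an invalid vector with an arbitrary `.result` and wondering why it fails. Two smaller points on the same hunk: `test_curve25519_basepoint()` compares `curve25519_generate_public()` against `curve25519()` with the literal base point `(u8[CURVE25519_KEY_SIZE]){ 9 }` on five random secrets, and both expectations print the secret via `in=%*phN`, so a failure on a random input stays reproducible, good; but the commit message says the `curve25519_generic()` cross-check was dropped in favour of booting under different QEMU `-cpu` options, and that procedure is not written down anywhere in the test file, so a header comment pointing at it would help whoever has to exercise the generic path on a single machine.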
From: Eric Biggers
To: linux-crypto@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel, "Jason A . Donenfeld", Zhiqi Song, Longfang Liu, x86@kernel.org, linux-arm-kernel@lists.infradead.org, linuxppc-dev@lists.ozlabs.org, Eric Biggers
Subject: [PATCH v2 08/12] lib/crypto: tests: Add Curve25519 benchmark
Date: Sat, 6 Sep 2025 14:35:19 -0700
Message-ID: <20250906213523.84915-9-ebiggers@kernel.org>
In-Reply-To: <20250906213523.84915-1-ebiggers@kernel.org>
References: <20250906213523.84915-1-ebiggers@kernel.org>

Add a benchmark to curve25519_kunit. This brings it in line with the other crypto KUnit tests and provides an easy way to measure performance.

Signed-off-by: Eric Biggers
---
 lib/crypto/tests/curve25519_kunit.c | 31 +++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/lib/crypto/tests/curve25519_kunit.c b/lib/crypto/tests/curve25519_kunit.c index 0d1c46ca74018..355ad79a210d1 100644 --- a/lib/crypto/tests/curve25519_kunit.c +++ b/lib/crypto/tests/curve25519_kunit.c
@@ -3,10 +3,11 @@ * Copyright (C) 2015-2019 Jason A. Donenfeld . All Right= s Reserved. */ =20 #include #include +#include =20 struct curve25519_test_vector { u8 private[CURVE25519_KEY_SIZE]; u8 public[CURVE25519_KEY_SIZE]; u8 result[CURVE25519_KEY_SIZE]; 
@@ -1314,13 +1315,43 @@ static void test_curve25519_basepoint(struct kunit = *test) KUNIT_EXPECT_MEMEQ_MSG(test, out, out2, CURVE25519_KEY_SIZE, "in=3D%*phN", CURVE25519_KEY_SIZE, in); } } =20 +static void benchmark_curve25519(struct kunit *test) +{ + const u8 *private =3D curve25519_test_vectors[0].private; + const u8 *public =3D curve25519_test_vectors[0].public; + const size_t warmup_niter =3D 5000; + const size_t benchmark_niter =3D 1024; + u8 out[CURVE25519_KEY_SIZE]; + bool ok =3D true; + u64 t; + + if (!IS_ENABLED(CONFIG_CRYPTO_LIB_BENCHMARK)) + kunit_skip(test, "not enabled"); + + /* Warm-up */ + for (size_t i =3D 0; i < warmup_niter; i++) + ok &=3D curve25519(out, private, public); + + /* Benchmark */ + preempt_disable(); + t =3D ktime_get_ns(); + for (size_t i =3D 0; i < benchmark_niter; i++) + ok &=3D curve25519(out, private, public); + t =3D ktime_get_ns() - t; + preempt_enable(); + KUNIT_EXPECT_TRUE(test, ok); + kunit_info(test, "%llu ops/s", + div64_u64((u64)benchmark_niter * NSEC_PER_SEC, t ?: 1)); +} + static struct kunit_case curve25519_test_cases[] =3D { KUNIT_CASE(test_curve25519), KUNIT_CASE(test_curve25519_basepoint), + KUNIT_CASE(benchmark_curve25519), {}, }; =20 static struct kunit_suite curve25519_test_suite =3D { .name =3D "curve25519", --=20 2.50.1 From nobody Tue Sep 9 16:20:08 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6D9AC2C1583; Sat, 6 Sep 2025 21:37:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757194625; cv=none; b=BWXl4Z9d8Z4KHl24jOtdx+0WDXZqFrTWLGGshN73mWa8Ks3n3DHrHfnGNUulkpjgRex/YGoxLYDzntEWUx6EQPKIrpkHe9Es/Ed6o2ahYqjNlksAY7oo2zHDme4zcJThDwPERmvomOFAfQBM0MrwH9BaRuollrIsMF1iSzBGxkY= 
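Review bot: `benchmark_curve25519()` keeps preemption disabled across 1024 back-to-back scalar multiplications; one Curve25519 operation costs tens of microseconds even with an optimised implementation and far more for the generic C code on the slower architectures whose defconfigs this series touches, so the non-preemptible window can run into hundreds of milliseconds and trip scheduling-latency or watchdog diagnostics on debug configs. Either drop the `preempt_disable()` (the number is informational and `kunit_info()` only reports it as ops/s) or shrink `benchmark_niter` and repeat a few short batches. The `warmup_niter` of 5000 being almost five times the measured 1024 iterations also needs a comment saying what it is warming up, otherwise it just lengthens the test. On the positive side, accumulating `ok &= curve25519(out, private, public)` honours the `__must_check` return on every call, `KUNIT_EXPECT_TRUE(test, ok)` surfaces any all-zero result, and `t ?: 1` avoids a divide by zero if the clock does not advance.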
From: Eric Biggers
To: linux-crypto@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel, "Jason A . Donenfeld", Zhiqi Song, Longfang Liu, x86@kernel.org, linux-arm-kernel@lists.infradead.org, linuxppc-dev@lists.ozlabs.org, Eric Biggers
Subject: [PATCH v2 09/12] lib/crypto: curve25519: Move a couple functions out-of-line
Date: Sat, 6 Sep 2025 14:35:20 -0700
Message-ID: <20250906213523.84915-10-ebiggers@kernel.org>
In-Reply-To: <20250906213523.84915-1-ebiggers@kernel.org>
References: <20250906213523.84915-1-ebiggers@kernel.org>

Move curve25519() and curve25519_generate_public() from curve25519.h to curve25519.c. There's no good reason for them to be inline.

Signed-off-by: Eric Biggers
---
 include/crypto/curve25519.h | 28 +++-------------------------
 lib/crypto/curve25519.c | 34 +++++++++++++++++++++++++++++++++-
 2 files changed, 36 insertions(+), 26 deletions(-)

diff --git a/include/crypto/curve25519.h b/include/crypto/curve25519.h index 4e6dc840b1592..78aa5f28c847f 100644 --- a/include/crypto/curve25519.h +++ b/include/crypto/curve25519.h @@ -4,11 +4,10 @@ */ =20 #ifndef CURVE25519_H #define CURVE25519_H =20 -#include // For crypto_memneq. #include #include =20 enum curve25519_lengths { CURVE25519_KEY_SIZE =3D 32
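Review bot: the removed `#include` line is the one annotated `// For crypto_memneq.`, so after this hunk include/crypto/curve25519.h no longer provides `crypto_memneq()` to its includers; that is the right thing to do once the two inline functions that used it move to lib/crypto/curve25519.c, but any file that called `crypto_memneq()` and picked up the declaration transitively through curve25519.h will now fail to compile, so the commit message should say the remaining in-tree includers of curve25519.h were build-tested with the include gone.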
@@ -26,37 +25,16 @@ void curve25519_arch(u8 out[CURVE25519_KEY_SIZE], const u8 point[CURVE25519_KEY_SIZE]); =20 void curve25519_base_arch(u8 pub[CURVE25519_KEY_SIZE], const u8 secret[CURVE25519_KEY_SIZE]); =20 -static inline bool __must_check curve25519(u8 mypublic[CURVE25519_KEY_SIZE], const u8 secret[CURVE25519_KEY_SIZE], - const u8 basepoint[CURVE25519_KEY_SIZE]) -{ - if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519)) - curve25519_arch(mypublic, secret, basepoint); - else - curve25519_generic(mypublic, secret, basepoint); - return crypto_memneq(mypublic, curve25519_null_point, - CURVE25519_KEY_SIZE); -} + const u8 basepoint[CURVE25519_KEY_SIZE]); =20 -static inline bool -__must_check curve25519_generate_public(u8 pub[CURVE25519_KEY_SIZE], - const u8 secret[CURVE25519_KEY_SIZE]) -{ - if (unlikely(!crypto_memneq(secret, curve25519_null_point, - CURVE25519_KEY_SIZE))) - return false; - - if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519)) - curve25519_base_arch(pub, secret); - else - curve25519_generic(pub, secret, curve25519_base_point); - return crypto_memneq(pub, curve25519_null_point, CURVE25519_KEY_SIZE); -} +bool __must_check curve25519_generate_public(u8 pub[CURVE25519_KEY_SIZE], + const u8 secret[CURVE25519_KEY_SIZE]); =20 static inline void curve25519_clamp_secret(u8 secret[CURVE25519_KEY_SIZE]) { secret[0] &=3D 248; secret[31] =3D (secret[31] & 127) | 64; diff --git a/lib/crypto/curve25519.c b/lib/crypto/curve25519.c index 25f16777865bf..1b786389d714a 100644 --- a/lib/crypto/curve25519.c +++ b/lib/crypto/curve25519.c 
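Review bot: as this hunk reads, the declaration of `curve25519()` loses its return type: `-static inline bool __must_check` is deleted, the lines `curve25519(u8 mypublic[CURVE25519_KEY_SIZE],` and `const u8 secret[CURVE25519_KEY_SIZE],` stay as unchanged context, and the only added line for this function is `+ const u8 basepoint[CURVE25519_KEY_SIZE]);`. The counts agree with that reading: the lib/crypto/curve25519.c hunk grows from 12 to 44 lines with a single deletion, i.e. 33 insertions, which leaves 3 of the 36 insertions in the diffstat for this header, namely that line plus the two-line `curve25519_generate_public()` prototype, and `@@ -26,37 +25,16 @@` then implies 24 deletions. The header would therefore declare `curve25519(...)` with no type specifier at all, which current compilers reject and older ones treat as an implicit `int` that conflicts with the `bool` definition added to lib/crypto/curve25519.c; it would also lose `__must_check`, so callers that ignore the all-zero-result check would no longer warn. Add a `+bool __must_check` line in front of the `curve25519(` context line, matching how `curve25519_generate_public()` is declared just below it.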
@@ -8,12 +8,44 @@ * * Information: https://cr.yp.to/ecdh.html */ =20 #include -#include +#include +#include #include +#include + +bool __must_check +curve25519(u8 mypublic[CURVE25519_KEY_SIZE], + const u8 secret[CURVE25519_KEY_SIZE], + const u8 basepoint[CURVE25519_KEY_SIZE]) +{ + if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519)) + curve25519_arch(mypublic, secret, basepoint); + else + curve25519_generic(mypublic, secret, basepoint); + return crypto_memneq(mypublic, curve25519_null_point, + CURVE25519_KEY_SIZE); +} +EXPORT_SYMBOL(curve25519); + +bool __must_check +curve25519_generate_public(u8 pub[CURVE25519_KEY_SIZE], + const u8 secret[CURVE25519_KEY_SIZE]) +{ + if (unlikely(!crypto_memneq(secret, curve25519_null_point, + CURVE25519_KEY_SIZE))) + return false; + + if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519)) + curve25519_base_arch(pub, secret); + else + curve25519_generic(pub, secret, curve25519_base_point); + return crypto_memneq(pub, curve25519_null_point, CURVE25519_KEY_SIZE); +} +EXPORT_SYMBOL(curve25519_generate_public); =20 static int __init curve25519_init(void) { return 0; } --=20 2.50.1 From nobody Tue Sep 9 16:20:08 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 898CF2C3242; Sat, 6 Sep 2025 21:37:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757194626; cv=none; b=iUciYO4MyrDXgPX65jPkVCjxiAYJMRycUkLp0eQzHlgIj3GjZQ5WAlkuNW45qJZ0nTU4IYm2CJOPnm3CPNJUFVFqoPxUT3YskqLHiyNP3bQQcBASQKMP0th3TDZcxVbGu7LhmzodJxZphlyHLlJahCOKzDTomfiPLAk1Q0X51lg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757194626; c=relaxed/simple; bh=+bIpa2SHWGjz5BZD4t6PtYkdTnfFPbx1eSoFdVtI3/c=; 
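Review bot: with curve25519() and curve25519_generate_public() now out of line and exported from curve25519.c, their return-value contract is no longer visible from the header's one-line prototypes and should be documented at the definitions: both return false when the computed point is all-zero (`return crypto_memneq(mypublic, curve25519_null_point, CURVE25519_KEY_SIZE);`), which is how callers are expected to reject low-order peer points, and curve25519_generate_public() additionally refuses an all-zero secret up front. A short kerneldoc comment above each function saying that a false return means the output must not be used would keep `__must_check` meaningful for new callers. It is also worth a sentence in the commit message that the CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519 branch is now resolved inside libcurve25519 rather than in each caller, which is why the `curve25519_arch`/`curve25519_base_arch` declarations left in the header (still present as context in the first hunk) no longer need to be part of the public API.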
From: Eric Biggers
To: linux-crypto@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel, "Jason A. Donenfeld", Zhiqi Song, Longfang Liu, x86@kernel.org, linux-arm-kernel@lists.infradead.org, linuxppc-dev@lists.ozlabs.org, Eric Biggers
Subject: [PATCH v2 10/12] lib/crypto: curve25519: Consolidate into single module
Date: Sat, 6 Sep 2025 14:35:21 -0700
Message-ID: <20250906213523.84915-11-ebiggers@kernel.org>
In-Reply-To: <20250906213523.84915-1-ebiggers@kernel.org>
References: <20250906213523.84915-1-ebiggers@kernel.org>

Reorganize the Curve25519 library code:

- Build a single libcurve25519 module, instead of up to three modules: libcurve25519, libcurve25519-generic, and an arch-specific module.

- Move the arch-specific Curve25519 code from arch/$(SRCARCH)/crypto/ to lib/crypto/$(SRCARCH)/. Centralize the build rules into lib/crypto/Makefile and lib/crypto/Kconfig.

- Include the arch-specific code directly in lib/crypto/curve25519.c via a header, rather than using a separate .c file.

- Eliminate the entanglement with CRYPTO. CRYPTO_LIB_CURVE25519 no longer selects CRYPTO, and the arch-specific Curve25519 code no longer depends on CRYPTO.

This brings Curve25519 in line with the latest conventions for lib/crypto/, used by other algorithms. The exception is that I kept the generic code in separate translation units for now. (Some of the function names collide between the x86 and generic Curve25519 code. And the Curve25519 functions are very long anyway, so inlining doesn't matter as much for Curve25519 as it does for some other algorithms.)
Signed-off-by: Eric Biggers --- arch/arm/crypto/Kconfig | 12 ----- arch/arm/crypto/Makefile | 2 - arch/powerpc/crypto/Kconfig | 12 ----- arch/powerpc/crypto/Makefile | 2 - arch/x86/crypto/Kconfig | 12 ----- arch/x86/crypto/Makefile | 5 -- include/crypto/curve25519.h | 10 ---- lib/crypto/Kconfig | 37 +++++--------- lib/crypto/Makefile | 26 +++++++--- .../crypto/arm}/curve25519-core.S | 0 .../crypto/arm/curve25519.h | 31 +++--------- lib/crypto/curve25519-generic.c | 25 ---------- lib/crypto/curve25519.c | 50 ++++++++++++------- .../crypto/powerpc}/curve25519-ppc64le_asm.S | 0 .../crypto/powerpc/curve25519.h | 19 ++----- .../crypto/x86/curve25519.h | 31 +++--------- 16 files changed, 86 insertions(+), 188 deletions(-) rename {arch/arm/crypto =3D> lib/crypto/arm}/curve25519-core.S (100%) rename arch/arm/crypto/curve25519-glue.c =3D> lib/crypto/arm/curve25519.h = (58%) delete mode 100644 lib/crypto/curve25519-generic.c rename {arch/powerpc/crypto =3D> lib/crypto/powerpc}/curve25519-ppc64le_as= m.S (100%) rename arch/powerpc/crypto/curve25519-ppc64le-core.c =3D> lib/crypto/power= pc/curve25519.h (88%) rename arch/x86/crypto/curve25519-x86_64.c =3D> lib/crypto/x86/curve25519.= h (98%) diff --git a/arch/arm/crypto/Kconfig b/arch/arm/crypto/Kconfig index 97718d86f6007..c436eec22d86c 100644 --- a/arch/arm/crypto/Kconfig +++ b/arch/arm/crypto/Kconfig @@ -1,21 +1,9 @@ # SPDX-License-Identifier: GPL-2.0 =20 menu "Accelerated Cryptographic Algorithms for CPU (arm)" =20 -config CRYPTO_CURVE25519_NEON - tristate - depends on KERNEL_MODE_NEON - select CRYPTO_LIB_CURVE25519_GENERIC - select CRYPTO_ARCH_HAVE_LIB_CURVE25519 - default CRYPTO_LIB_CURVE25519_INTERNAL - help - Curve25519 algorithm - - Architecture: arm with - - NEON (Advanced SIMD) extensions - config CRYPTO_GHASH_ARM_CE tristate "Hash functions: GHASH (PMULL/NEON/ARMv8 Crypto Extensions)" depends on KERNEL_MODE_NEON select CRYPTO_AEAD select CRYPTO_HASH 
diff --git a/arch/arm/crypto/Makefile b/arch/arm/crypto/Makefile index 4f23999ae17df..6346a73effc06 100644 --- a/arch/arm/crypto/Makefile +++ b/arch/arm/crypto/Makefile @@ -5,17 +5,15 @@ =20 obj-$(CONFIG_CRYPTO_AES_ARM) +=3D aes-arm.o obj-$(CONFIG_CRYPTO_AES_ARM_BS) +=3D aes-arm-bs.o obj-$(CONFIG_CRYPTO_BLAKE2B_NEON) +=3D blake2b-neon.o obj-$(CONFIG_CRYPTO_NHPOLY1305_NEON) +=3D nhpoly1305-neon.o -obj-$(CONFIG_CRYPTO_CURVE25519_NEON) +=3D curve25519-neon.o =20 obj-$(CONFIG_CRYPTO_AES_ARM_CE) +=3D aes-arm-ce.o obj-$(CONFIG_CRYPTO_GHASH_ARM_CE) +=3D ghash-arm-ce.o =20 aes-arm-y :=3D aes-cipher-core.o aes-cipher-glue.o aes-arm-bs-y :=3D aes-neonbs-core.o aes-neonbs-glue.o blake2b-neon-y :=3D blake2b-neon-core.o blake2b-neon-glue.o aes-arm-ce-y :=3D aes-ce-core.o aes-ce-glue.o ghash-arm-ce-y :=3D ghash-ce-core.o ghash-ce-glue.o nhpoly1305-neon-y :=3D nh-neon-core.o nhpoly1305-neon-glue.o -curve25519-neon-y :=3D curve25519-core.o curve25519-glue.o diff --git a/arch/powerpc/crypto/Kconfig b/arch/powerpc/crypto/Kconfig index 6106a219da6af..662aed46f9c79 100644 --- a/arch/powerpc/crypto/Kconfig +++ b/arch/powerpc/crypto/Kconfig @@ -1,21 +1,9 @@ # SPDX-License-Identifier: GPL-2.0 =20 menu "Accelerated Cryptographic Algorithms for CPU (powerpc)" =20 -config CRYPTO_CURVE25519_PPC64 - tristate - depends on PPC64 && CPU_LITTLE_ENDIAN - select CRYPTO_LIB_CURVE25519_GENERIC - select CRYPTO_ARCH_HAVE_LIB_CURVE25519 - default CRYPTO_LIB_CURVE25519_INTERNAL - help - Curve25519 algorithm - - Architecture: PowerPC64 - - Little-endian - config CRYPTO_AES_PPC_SPE tristate "Ciphers: AES, modes: ECB/CBC/CTR/XTS (SPE)" depends on SPE select CRYPTO_SKCIPHER help diff --git a/arch/powerpc/crypto/Makefile b/arch/powerpc/crypto/Makefile index 9eb59dce67f36..5960e5300db71 100644 --- a/arch/powerpc/crypto/Makefile +++ b/arch/powerpc/crypto/Makefile 
@@ -6,16 +6,14 @@ # =20 obj-$(CONFIG_CRYPTO_AES_PPC_SPE) +=3D aes-ppc-spe.o obj-$(CONFIG_CRYPTO_AES_GCM_P10) +=3D aes-gcm-p10-crypto.o obj-$(CONFIG_CRYPTO_DEV_VMX_ENCRYPT) +=3D vmx-crypto.o -obj-$(CONFIG_CRYPTO_CURVE25519_PPC64) +=3D curve25519-ppc64le.o =20 aes-ppc-spe-y :=3D aes-spe-core.o aes-spe-keys.o aes-tab-4k.o aes-spe-mode= s.o aes-spe-glue.o aes-gcm-p10-crypto-y :=3D aes-gcm-p10-glue.o aes-gcm-p10.o ghashp10-ppc.o = aesp10-ppc.o vmx-crypto-objs :=3D vmx.o aesp8-ppc.o ghashp8-ppc.o aes.o aes_cbc.o aes_c= tr.o aes_xts.o ghash.o -curve25519-ppc64le-y :=3D curve25519-ppc64le-core.o curve25519-ppc64le_asm= .o =20 ifeq ($(CONFIG_CPU_LITTLE_ENDIAN),y) override flavour :=3D linux-ppc64le else ifdef CONFIG_PPC64_ELF_ABI_V2 diff --git a/arch/x86/crypto/Kconfig b/arch/x86/crypto/Kconfig index 6a895a571b00e..d9c6fc78cf332 100644 --- a/arch/x86/crypto/Kconfig +++ b/arch/x86/crypto/Kconfig @@ -1,21 +1,9 @@ # SPDX-License-Identifier: GPL-2.0 =20 menu "Accelerated Cryptographic Algorithms for CPU (x86)" =20 -config CRYPTO_CURVE25519_X86 - tristate - depends on 64BIT - select CRYPTO_LIB_CURVE25519_GENERIC - select CRYPTO_ARCH_HAVE_LIB_CURVE25519 - default CRYPTO_LIB_CURVE25519_INTERNAL - help - Curve25519 algorithm - - Architecture: x86_64 using: - - ADX (large integer arithmetic) - config CRYPTO_AES_NI_INTEL tristate "Ciphers: AES, modes: ECB, CBC, CTS, CTR, XCTR, XTS, GCM (AES-NI= /VAES)" select CRYPTO_AEAD select CRYPTO_LIB_AES select CRYPTO_LIB_GF128MUL diff --git a/arch/x86/crypto/Makefile b/arch/x86/crypto/Makefile index d402963d6b579..dfba7e5e88ea6 100644 --- a/arch/x86/crypto/Makefile +++ b/arch/x86/crypto/Makefile 
@@ -60,12 +60,10 @@ polyval-clmulni-y :=3D polyval-clmulni_asm.o polyval-cl= mulni_glue.o obj-$(CONFIG_CRYPTO_NHPOLY1305_SSE2) +=3D nhpoly1305-sse2.o nhpoly1305-sse2-y :=3D nh-sse2-x86_64.o nhpoly1305-sse2-glue.o obj-$(CONFIG_CRYPTO_NHPOLY1305_AVX2) +=3D nhpoly1305-avx2.o nhpoly1305-avx2-y :=3D nh-avx2-x86_64.o nhpoly1305-avx2-glue.o =20 -obj-$(CONFIG_CRYPTO_CURVE25519_X86) +=3D curve25519-x86_64.o - obj-$(CONFIG_CRYPTO_SM3_AVX_X86_64) +=3D sm3-avx-x86_64.o sm3-avx-x86_64-y :=3D sm3-avx-asm_64.o sm3_avx_glue.o =20 obj-$(CONFIG_CRYPTO_SM4_AESNI_AVX_X86_64) +=3D sm4-aesni-avx-x86_64.o sm4-aesni-avx-x86_64-y :=3D sm4-aesni-avx-asm_64.o sm4_aesni_avx_glue.o @@ -79,8 +77,5 @@ aria-aesni-avx-x86_64-y :=3D aria-aesni-avx-asm_64.o aria= _aesni_avx_glue.o obj-$(CONFIG_CRYPTO_ARIA_AESNI_AVX2_X86_64) +=3D aria-aesni-avx2-x86_64.o aria-aesni-avx2-x86_64-y :=3D aria-aesni-avx2-asm_64.o aria_aesni_avx2_glu= e.o =20 obj-$(CONFIG_CRYPTO_ARIA_GFNI_AVX512_X86_64) +=3D aria-gfni-avx512-x86_64.o aria-gfni-avx512-x86_64-y :=3D aria-gfni-avx512-asm_64.o aria_gfni_avx512_= glue.o - -# Disable GCOV in odd or sensitive code -GCOV_PROFILE_curve25519-x86_64.o :=3D n diff --git a/include/crypto/curve25519.h b/include/crypto/curve25519.h index 78aa5f28c847f..db63a5577c004 100644 --- a/include/crypto/curve25519.h +++ b/include/crypto/curve25519.h 
@@ -11,24 +11,14 @@ =20 enum curve25519_lengths { CURVE25519_KEY_SIZE =3D 32 }; =20 -extern const u8 curve25519_null_point[]; -extern const u8 curve25519_base_point[]; - void curve25519_generic(u8 out[CURVE25519_KEY_SIZE], const u8 scalar[CURVE25519_KEY_SIZE], const u8 point[CURVE25519_KEY_SIZE]); =20 -void curve25519_arch(u8 out[CURVE25519_KEY_SIZE], - const u8 scalar[CURVE25519_KEY_SIZE], - const u8 point[CURVE25519_KEY_SIZE]); - -void curve25519_base_arch(u8 pub[CURVE25519_KEY_SIZE], - const u8 secret[CURVE25519_KEY_SIZE]); - bool __must_check curve25519(u8 mypublic[CURVE25519_KEY_SIZE], const u8 secret[CURVE25519_KEY_SIZE], const u8 basepoint[CURVE25519_KEY_SIZE]); =20 bool __must_check curve25519_generate_public(u8 pub[CURVE25519_KEY_SIZE], diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig index 37d85e0c9b979..eea17e36a22be 100644 --- a/lib/crypto/Kconfig +++ b/lib/crypto/Kconfig 
@@ -52,39 +52,28 @@ config CRYPTO_LIB_CHACHA_ARCH default y if PPC64 && CPU_LITTLE_ENDIAN && VSX default y if RISCV && 64BIT && RISCV_ISA_V && TOOLCHAIN_HAS_VECTOR_CRYPTO default y if S390 default y if X86_64 =20 -config CRYPTO_ARCH_HAVE_LIB_CURVE25519 - bool - help - Declares whether the architecture provides an arch-specific - accelerated implementation of the Curve25519 library interface, - either builtin or as a module. - -config CRYPTO_LIB_CURVE25519_GENERIC +config CRYPTO_LIB_CURVE25519 tristate select CRYPTO_LIB_UTILS help - This symbol can be depended upon by arch implementations of the - Curve25519 library interface that require the generic code as a - fallback, e.g., for SIMD implementations. If no arch specific - implementation is enabled, this implementation serves the users - of CRYPTO_LIB_CURVE25519. + The Curve25519 library functions. Select this if your module uses any + of the functions from . =20 -config CRYPTO_LIB_CURVE25519_INTERNAL - tristate - select CRYPTO_LIB_CURVE25519_GENERIC if CRYPTO_ARCH_HAVE_LIB_CURVE25519= =3Dn +config CRYPTO_LIB_CURVE25519_ARCH + bool + depends on CRYPTO_LIB_CURVE25519 && !UML && !KMSAN + default y if ARM && KERNEL_MODE_NEON + default y if PPC64 && CPU_LITTLE_ENDIAN + default y if X86_64 =20 -config CRYPTO_LIB_CURVE25519 - tristate - select CRYPTO - select CRYPTO_LIB_CURVE25519_INTERNAL - help - Enable the Curve25519 library interface. This interface may be - fulfilled by either the generic implementation or an arch-specific - one, if one is available and enabled. +config CRYPTO_LIB_CURVE25519_GENERIC + bool + depends on CRYPTO_LIB_CURVE25519 + default y if !CRYPTO_LIB_CURVE25519_ARCH || ARM || X86_64 =20 config CRYPTO_LIB_DES tristate =20 config CRYPTO_LIB_MD5 diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 6c3be971ace09..bded351aeacef 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile 
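Review bot: the `default y if !CRYPTO_LIB_CURVE25519_ARCH || ARM || X86_64` line on CRYPTO_LIB_CURVE25519_GENERIC encodes a non-obvious fact that deserves a comment in the Kconfig itself: the arm and x86 glue fall back to curve25519_generic() at run time (no usable NEON, or no BMI2/ADX), so the generic objects must be built alongside them, whereas the ppc64le implementation has no fallback and can drop them. Without that comment, the next architecture added to CRYPTO_LIB_CURVE25519_ARCH will either be left out of this default (and fail to link if its glue calls curve25519_generic(), since the Makefile only builds curve25519-hacl64.o/curve25519-fiat32.o under CRYPTO_LIB_CURVE25519_GENERIC) or be added by copy-paste without the reason. Something like `# arm and x86 fall back to the generic code at runtime; ppc64le does not` above the default would do. The `!UML && !KMSAN` dependency on the ARCH option likewise reads better with the one-line reason that WIREGUARD's `depends on !KMSAN` used to carry (see the 12/12 commit message).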
@@ -74,21 +74,35 @@ endif # CONFIG_CRYPTO_LIB_CHACHA_ARCH =20 obj-$(CONFIG_CRYPTO_LIB_CHACHA20POLY1305) +=3D libchacha20poly1305.o libchacha20poly1305-y +=3D chacha20poly1305.o libchacha20poly1305-$(CONFIG_CRYPTO_SELFTESTS) +=3D chacha20poly1305-selft= est.o =20 -obj-$(CONFIG_CRYPTO_LIB_CURVE25519_GENERIC) +=3D libcurve25519-generic.o -libcurve25519-generic-y :=3D curve25519-fiat32.o -libcurve25519-generic-$(CONFIG_ARCH_SUPPORTS_INT128) :=3D curve25519-hacl6= 4.o -libcurve25519-generic-y +=3D curve25519-generic.o +##########################################################################= ###### + +obj-$(CONFIG_CRYPTO_LIB_CURVE25519) +=3D libcurve25519.o +libcurve25519-y :=3D curve25519.o + +# Disable GCOV in odd or sensitive code +GCOV_PROFILE_curve25519.o :=3D n + +ifeq ($(CONFIG_ARCH_SUPPORTS_INT128),y) +libcurve25519-$(CONFIG_CRYPTO_LIB_CURVE25519_GENERIC) +=3D curve25519-hacl= 64.o +else +libcurve25519-$(CONFIG_CRYPTO_LIB_CURVE25519_GENERIC) +=3D curve25519-fiat= 32.o +endif # clang versions prior to 18 may blow out the stack with KASAN ifeq ($(call clang-min-version, 180000),) KASAN_SANITIZE_curve25519-hacl64.o :=3D n endif =20 -obj-$(CONFIG_CRYPTO_LIB_CURVE25519) +=3D libcurve25519.o -libcurve25519-y +=3D curve25519.o +ifeq ($(CONFIG_CRYPTO_LIB_CURVE25519_ARCH),y) +CFLAGS_curve25519.o +=3D -I$(src)/$(SRCARCH) +libcurve25519-$(CONFIG_ARM) +=3D arm/curve25519-core.o +libcurve25519-$(CONFIG_PPC) +=3D powerpc/curve25519-ppc64le_asm.o +endif + +##########################################################################= ###### =20 obj-$(CONFIG_CRYPTO_LIB_DES) +=3D libdes.o libdes-y :=3D des.o =20 ##########################################################################= ###### diff --git a/arch/arm/crypto/curve25519-core.S b/lib/crypto/arm/curve25519-= core.S similarity index 100% rename from arch/arm/crypto/curve25519-core.S rename to lib/crypto/arm/curve25519-core.S 
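Review bot: the new `GCOV_PROFILE_curve25519.o := n` rule covers only curve25519.o, which is the right object for the x86 code now that lib/crypto/x86/curve25519.h is #included into curve25519.c and so preserves what the deleted `GCOV_PROFILE_curve25519-x86_64.o := n` in arch/x86/crypto/Makefile did, but it leaves curve25519-hacl64.o and curve25519-fiat32.o instrumented. That matches the old libcurve25519-generic rules, which never disabled GCOV for them, so it is not a regression; please confirm in the commit message (or extend the "Disable GCOV in odd or sensitive code" comment) that this is intentional, since a reader of the consolidated rules will otherwise assume the whole module was meant to be excluded. If the intent is to exclude the whole library, `GCOV_PROFILE := n` for the directory's curve25519 objects would be the simpler rule.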
diff --git a/arch/arm/crypto/curve25519-glue.c b/lib/crypto/arm/curve25519.h similarity index 58% rename from arch/arm/crypto/curve25519-glue.c rename to lib/crypto/arm/curve25519.h index 3076020d8fbeb..f6d66494eb8f8 100644 --- a/arch/arm/crypto/curve25519-glue.c +++ b/lib/crypto/arm/curve25519.h @@ -10,53 +10,38 @@ #include #include #include #include #include -#include -#include #include -#include =20 asmlinkage void curve25519_neon(u8 mypublic[CURVE25519_KEY_SIZE], const u8 secret[CURVE25519_KEY_SIZE], const u8 basepoint[CURVE25519_KEY_SIZE]); =20 static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon); =20 -void curve25519_arch(u8 out[CURVE25519_KEY_SIZE], - const u8 scalar[CURVE25519_KEY_SIZE], - const u8 point[CURVE25519_KEY_SIZE]) +static void curve25519_arch(u8 out[CURVE25519_KEY_SIZE], + const u8 scalar[CURVE25519_KEY_SIZE], + const u8 point[CURVE25519_KEY_SIZE]) { if (static_branch_likely(&have_neon) && crypto_simd_usable()) { kernel_neon_begin(); curve25519_neon(out, scalar, point); kernel_neon_end(); } else { curve25519_generic(out, scalar, point); } } -EXPORT_SYMBOL(curve25519_arch); =20 -void curve25519_base_arch(u8 pub[CURVE25519_KEY_SIZE], - const u8 secret[CURVE25519_KEY_SIZE]) +static void curve25519_base_arch(u8 pub[CURVE25519_KEY_SIZE], + const u8 secret[CURVE25519_KEY_SIZE]) { - return curve25519_arch(pub, secret, curve25519_base_point); + curve25519_arch(pub, secret, curve25519_base_point); } -EXPORT_SYMBOL(curve25519_base_arch); =20 -static int __init arm_curve25519_init(void) +#define curve25519_mod_init_arch curve25519_mod_init_arch +static void curve25519_mod_init_arch(void) { if (elf_hwcap & HWCAP_NEON) static_branch_enable(&have_neon); - return 0; } - -static void __exit arm_curve25519_exit(void) -{ -} - -module_init(arm_curve25519_init); -module_exit(arm_curve25519_exit); - -MODULE_DESCRIPTION("Public key crypto: Curve25519 (NEON-accelerated)"); -MODULE_LICENSE("GPL v2"); 
diff --git a/lib/crypto/curve25519-generic.c b/lib/crypto/curve25519-generi= c.c deleted file mode 100644 index f8aa70c9f5598..0000000000000 --- a/lib/crypto/curve25519-generic.c +++ /dev/null @@ -1,25 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0 OR MIT -/* - * Copyright (C) 2015-2019 Jason A. Donenfeld . All Right= s Reserved. - * - * This is an implementation of the Curve25519 ECDH algorithm, using either - * a 32-bit implementation or a 64-bit implementation with 128-bit integer= s, - * depending on what is supported by the target compiler. - * - * Information: https://cr.yp.to/ecdh.html - */ - -#include -#include -#include - -const u8 curve25519_null_point[CURVE25519_KEY_SIZE] __aligned(32) =3D { 0 = }; -const u8 curve25519_base_point[CURVE25519_KEY_SIZE] __aligned(32) =3D { 9 = }; - -EXPORT_SYMBOL(curve25519_null_point); -EXPORT_SYMBOL(curve25519_base_point); -EXPORT_SYMBOL(curve25519_generic); - -MODULE_LICENSE("GPL v2"); -MODULE_DESCRIPTION("Curve25519 scalar multiplication"); -MODULE_AUTHOR("Jason A. Donenfeld "); diff --git a/lib/crypto/curve25519.c b/lib/crypto/curve25519.c index 1b786389d714a..01e265dfbcd90 100644 --- a/lib/crypto/curve25519.c +++ b/lib/crypto/curve25519.c @@ -1,11 +1,12 @@ // SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2019 Jason A. Donenfeld . All Right= s Reserved. * - * This is an implementation of the Curve25519 ECDH algorithm, using either - * a 32-bit implementation or a 64-bit implementation with 128-bit integer= s, + * This is an implementation of the Curve25519 ECDH algorithm, using eithe= r an + * architecture-optimized implementation or a generic implementation. The + * generic implementation is either 32-bit, or 64-bit with 128-bit integer= s, * depending on what is supported by the target compiler. * * Information: https://cr.yp.to/ecdh.html */ =20 
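Review bot: deleting `EXPORT_SYMBOL(curve25519_generic);` with this file while include/crypto/curve25519.h still declares curve25519_generic() leaves a public prototype for a symbol that can no longer be linked against when libcurve25519 is a module, and that is not compiled at all on ppc64le, where CRYPTO_LIB_CURVE25519_GENERIC defaults to n. Since its only remaining callers are curve25519.c and the arch headers included into it, the declaration belongs in a library-private header (or at the top of curve25519.c) rather than in the public API header; if it must stay public for now, a comment that it is not exported and may be absent on some architectures would prevent surprises. The other two symbols this file exported, curve25519_null_point and curve25519_base_point, are correctly made `static` in curve25519.c in the following hunk, so giving curve25519_generic() the same treatment would complete the encapsulation.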
@@ -13,19 +14,36 @@ #include #include #include #include =20 +static const u8 curve25519_null_point[CURVE25519_KEY_SIZE] __aligned(32) = =3D { 0 }; +static const u8 curve25519_base_point[CURVE25519_KEY_SIZE] __aligned(32) = =3D { 9 }; + +#ifdef CONFIG_CRYPTO_LIB_CURVE25519_ARCH +#include "curve25519.h" /* $(SRCARCH)/curve25519.h */ +#else +static void curve25519_arch(u8 mypublic[CURVE25519_KEY_SIZE], + const u8 secret[CURVE25519_KEY_SIZE], + const u8 basepoint[CURVE25519_KEY_SIZE]) +{ + curve25519_generic(mypublic, secret, basepoint); +} + +static void curve25519_base_arch(u8 pub[CURVE25519_KEY_SIZE], + const u8 secret[CURVE25519_KEY_SIZE]) +{ + curve25519_generic(pub, secret, curve25519_base_point); +} +#endif + bool __must_check curve25519(u8 mypublic[CURVE25519_KEY_SIZE], const u8 secret[CURVE25519_KEY_SIZE], const u8 basepoint[CURVE25519_KEY_SIZE]) { - if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519)) - curve25519_arch(mypublic, secret, basepoint); - else - curve25519_generic(mypublic, secret, basepoint); + curve25519_arch(mypublic, secret, basepoint); return crypto_memneq(mypublic, curve25519_null_point, CURVE25519_KEY_SIZE); } EXPORT_SYMBOL(curve25519); =20 
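Review bot: the `#include "curve25519.h" /* $(SRCARCH)/curve25519.h */` line is order-dependent and should say so in its comment: every arch header references curve25519_base_point (the arm and powerpc curve25519_base_arch() wrappers and the x86 generic fallback all pass it), and the arm and x86 headers also call curve25519_generic(), so the two `static const u8` point definitions must remain above the #include and the `<crypto/curve25519.h>` include must precede it. The `#else` stubs that route curve25519_arch()/curve25519_base_arch() to curve25519_generic() are a clean way to keep the callers below unconditional; it would be worth noting there that the stubs are expected to be inlined, so non-arch builds keep the same call depth as before this patch.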
@@ -34,29 +52,27 @@ curve25519_generate_public(u8 pub[CURVE25519_KEY_SIZE], const u8 secret[CURVE25519_KEY_SIZE]) { if (unlikely(!crypto_memneq(secret, curve25519_null_point, CURVE25519_KEY_SIZE))) return false; - - if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519)) - curve25519_base_arch(pub, secret); - else - curve25519_generic(pub, secret, curve25519_base_point); + curve25519_base_arch(pub, secret); return crypto_memneq(pub, curve25519_null_point, CURVE25519_KEY_SIZE); } EXPORT_SYMBOL(curve25519_generate_public); =20 -static int __init curve25519_init(void) +#ifdef curve25519_mod_init_arch +static int __init curve25519_mod_init(void) { + curve25519_mod_init_arch(); return 0; } +subsys_initcall(curve25519_mod_init); =20 -static void __exit curve25519_exit(void) +static void __exit curve25519_mod_exit(void) { } - -module_init(curve25519_init); -module_exit(curve25519_exit); +module_exit(curve25519_mod_exit); +#endif =20 MODULE_LICENSE("GPL v2"); -MODULE_DESCRIPTION("Curve25519 scalar multiplication"); +MODULE_DESCRIPTION("Curve25519 algorithm"); MODULE_AUTHOR("Jason A. Donenfeld "); diff --git a/arch/powerpc/crypto/curve25519-ppc64le_asm.S b/lib/crypto/powe= rpc/curve25519-ppc64le_asm.S similarity index 100% rename from arch/powerpc/crypto/curve25519-ppc64le_asm.S rename to lib/crypto/powerpc/curve25519-ppc64le_asm.S diff --git a/arch/powerpc/crypto/curve25519-ppc64le-core.c b/lib/crypto/pow= erpc/curve25519.h similarity index 88% rename from arch/powerpc/crypto/curve25519-ppc64le-core.c rename to lib/crypto/powerpc/curve25519.h index 6eb18ee19cad3..dee6234c48e92 100644 --- a/arch/powerpc/crypto/curve25519-ppc64le-core.c +++ b/lib/crypto/powerpc/curve25519.h 
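Review bot: wrapping both the initcall and module_exit() in `#ifdef curve25519_mod_init_arch` makes module unloadability depend on the architecture: with arch code enabled the module has an (empty) exit function and can be removed, without it there is no module_exit() and the module becomes permanent. If that asymmetry is intended, a one-line comment would save the next reader from wondering; otherwise keep the empty `curve25519_mod_exit()` and `module_exit()` outside the #ifdef. The switch from module_init() to subsys_initcall() is sound for built-in use, because subsys initcalls run before device-level initcalls, so a driver that calls curve25519_generate_public() from its own module_init() sees the arch static keys already enabled, and the `__ro_after_init` keys are still writable at that point.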
@@ -5,16 +5,13 @@ * X25519 scalar multiplication with 51 bits limbs for PPC64le. * Based on RFC7748 and AArch64 optimized implementation for X25519 * - Algorithm 1 Scalar multiplication of a variable point */ =20 -#include - #include #include #include -#include =20 #include #include =20 typedef uint64_t fe51[5]; @@ -173,23 +170,17 @@ static void curve25519_fe51(uint8_t out[32], const ui= nt8_t scalar[32], finv(z2, z2); fmul(x2, x2, z2); fe51_tobytes(out, x2); } =20 -void curve25519_arch(u8 mypublic[CURVE25519_KEY_SIZE], - const u8 secret[CURVE25519_KEY_SIZE], - const u8 basepoint[CURVE25519_KEY_SIZE]) +static void curve25519_arch(u8 mypublic[CURVE25519_KEY_SIZE], + const u8 secret[CURVE25519_KEY_SIZE], + const u8 basepoint[CURVE25519_KEY_SIZE]) { curve25519_fe51(mypublic, secret, basepoint); } -EXPORT_SYMBOL(curve25519_arch); =20 -void curve25519_base_arch(u8 pub[CURVE25519_KEY_SIZE], - const u8 secret[CURVE25519_KEY_SIZE]) +static void curve25519_base_arch(u8 pub[CURVE25519_KEY_SIZE], + const u8 secret[CURVE25519_KEY_SIZE]) { curve25519_fe51(pub, secret, curve25519_base_point); } -EXPORT_SYMBOL(curve25519_base_arch); - -MODULE_DESCRIPTION("PPC64le Curve25519 scalar multiplication with 51 bits = limbs"); -MODULE_LICENSE("GPL v2"); -MODULE_AUTHOR("Danny Tsen "); diff --git a/arch/x86/crypto/curve25519-x86_64.c b/lib/crypto/x86/curve2551= 9.h similarity index 98% rename from arch/x86/crypto/curve25519-x86_64.c rename to lib/crypto/x86/curve25519.h index ab91368284a47..5c0b8408852de 100644 --- a/arch/x86/crypto/curve25519-x86_64.c +++ b/lib/crypto/x86/curve25519.h @@ -2,17 +2,13 @@ /* * Copyright (C) 2020 Jason A. Donenfeld . All Rights Res= erved. * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation */ =20 -#include - -#include #include #include #include -#include =20 #include #include =20 static __always_inline u64 eq_mask(u64 a, u64 b) 
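Review bot: removing `MODULE_AUTHOR("Danny Tsen ...")` and the MODULE_DESCRIPTION from the powerpc glue drops the only in-code attribution for the ppc64le implementation, since the consolidated lib/crypto/curve25519.c (hunk above) keeps only Jason A. Donenfeld's MODULE_AUTHOR. Unless the file header of lib/crypto/powerpc/curve25519.h already carries an author or copyright line (only the "X25519 scalar multiplication with 51 bits limbs for PPC64le" description is visible in this hunk), add one there so the rename does not lose credit. The arm glue lost its MODULE_DESCRIPTION in the earlier hunk too, though it had no MODULE_AUTHOR to lose.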
@@ -1588,43 +1584,30 @@ static void curve25519_ever64_base(u8 *out, const u= 8 *priv) memzero_explicit(tmp, sizeof(tmp)); } =20 static __ro_after_init DEFINE_STATIC_KEY_FALSE(curve25519_use_bmi2_adx); =20 -void curve25519_arch(u8 mypublic[CURVE25519_KEY_SIZE], - const u8 secret[CURVE25519_KEY_SIZE], - const u8 basepoint[CURVE25519_KEY_SIZE]) +static void curve25519_arch(u8 mypublic[CURVE25519_KEY_SIZE], + const u8 secret[CURVE25519_KEY_SIZE], + const u8 basepoint[CURVE25519_KEY_SIZE]) { if (static_branch_likely(&curve25519_use_bmi2_adx)) curve25519_ever64(mypublic, secret, basepoint); else curve25519_generic(mypublic, secret, basepoint); } -EXPORT_SYMBOL(curve25519_arch); =20 -void curve25519_base_arch(u8 pub[CURVE25519_KEY_SIZE], - const u8 secret[CURVE25519_KEY_SIZE]) +static void curve25519_base_arch(u8 pub[CURVE25519_KEY_SIZE], + const u8 secret[CURVE25519_KEY_SIZE]) { if (static_branch_likely(&curve25519_use_bmi2_adx)) curve25519_ever64_base(pub, secret); else curve25519_generic(pub, secret, curve25519_base_point); } -EXPORT_SYMBOL(curve25519_base_arch); =20 -static int __init curve25519_mod_init(void) +#define curve25519_mod_init_arch curve25519_mod_init_arch +static void curve25519_mod_init_arch(void) { if (boot_cpu_has(X86_FEATURE_BMI2) && boot_cpu_has(X86_FEATURE_ADX)) static_branch_enable(&curve25519_use_bmi2_adx); - return 0; -} - -static void __exit curve25519_mod_exit(void) -{ } - -module_init(curve25519_mod_init); -module_exit(curve25519_mod_exit); - -MODULE_DESCRIPTION("Curve25519 algorithm, ADX optimized"); -MODULE_LICENSE("GPL v2"); -MODULE_AUTHOR("Jason A. 
Donenfeld "); --=20 2.50.1 From nobody Tue Sep 9 16:20:08 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B5BDA2D0C7B; Sat, 6 Sep 2025 21:37:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757194627; cv=none; b=lndpKgp3+yN4ve6YSwCsNRP3+6Nc58l927s+jqNV9LPBEx4vJcFDhMHTOalASchtPMLEe8yKprpeld5NSe1gj/EK1KJZVx2DPOEY71lDCV+JUWNCXqJRIkLzoOYoWNaMJNB58eO6OZaZLxYe5CksnWDUflsvxDlgiWX6FUJ7tWY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757194627; c=relaxed/simple; bh=C5+a7mCYIvqBEAn5lQppE669dnFrkzWQF1zk0YiPpuo=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=gEGWK8XkTtbP6Dj16XqxkLrTYFh0qkcOnXGzGVcetGysYLbsvToySEE3Rhe9kx7a9kN84eeIBWEGEp0XFirKv+DrilENMa9Kj8MV1z5fG2GSXBaUYQCsRIigeiJyHVux52x812JyEYAWwe850mIHIhYgCuliUERDVxMFJu04M7g= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=aN33jdNb; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="aN33jdNb" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9A72FC4CEF5; Sat, 6 Sep 2025 21:37:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1757194627; bh=C5+a7mCYIvqBEAn5lQppE669dnFrkzWQF1zk0YiPpuo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=aN33jdNbPPWCFS3rSncFy4YrpwJkk5GYVzpu/ZqZXYHs5pb7KD6mE/1nYTW0uwBnf CuHEMW/f3i3Av7mUSLDXUucUvQbO0Ifxb4QQUa2m5NldzAh1levjiV/RC8l6NH/Vlj jPrKaMMPtz6zW+NFbCYz2MszvmppHiQGp6fx348XONW90N+aL3rDFM335dTfmWjwGS 
From: Eric Biggers
To: linux-crypto@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel, "Jason A. Donenfeld", Zhiqi Song, Longfang Liu, x86@kernel.org, linux-arm-kernel@lists.infradead.org, linuxppc-dev@lists.ozlabs.org, Eric Biggers
Subject: [PATCH v2 11/12] lib/crypto: tests: Enable Curve25519 test when CRYPTO_SELFTESTS
Date: Sat, 6 Sep 2025 14:35:22 -0700
Message-ID: <20250906213523.84915-12-ebiggers@kernel.org>
In-Reply-To: <20250906213523.84915-1-ebiggers@kernel.org>
References: <20250906213523.84915-1-ebiggers@kernel.org>

Now that the Curve25519 library has been disentangled from CRYPTO, adding CRYPTO_SELFTESTS as a default value of CRYPTO_LIB_CURVE25519_KUNIT_TEST no longer causes a recursive kconfig dependency. Do this, which makes this option consistent with the other crypto KUnit test options in the same file.

Signed-off-by: Eric Biggers
---
 lib/crypto/tests/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/crypto/tests/Kconfig b/lib/crypto/tests/Kconfig
index eaca60d3e0a36..578af717e13a7 100644
--- a/lib/crypto/tests/Kconfig
+++ b/lib/crypto/tests/Kconfig
@@ -11,11 +11,11 @@ config CRYPTO_LIB_BLAKE2S_KUNIT_TEST KUnit tests for the BLAKE2s cryptographic hash function. =20 config CRYPTO_LIB_CURVE25519_KUNIT_TEST tristate "KUnit tests for Curve25519" if !KUNIT_ALL_TESTS depends on KUNIT - default KUNIT_ALL_TESTS + default KUNIT_ALL_TESTS || CRYPTO_SELFTESTS select CRYPTO_LIB_BENCHMARK_VISIBLE select CRYPTO_LIB_CURVE25519 help KUnit tests for the Curve25519 Diffie-Hellman function. =20 --=20 2.50.1 From nobody Tue Sep 9 16:20:08 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 475A42D130A; Sat, 6 Sep 2025 21:37:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757194628; cv=none; b=hOF/0KhpbHT1xZqE6UdbNj1vhNRW9FWwCzt5ICsY1r6R+Enq5tztFMNkBQHR62+6zaLtZLx5URMzGpcAlXM7uFLkewPVBkAr5UOhtvnZ3645SUrP17u1FsmljvA3H6FohCsSYULQsQEZ5EYr5GjWIDsu2ugZey8X6OJ/QR8YmV8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757194628; c=relaxed/simple; bh=JTwVCxO7VQKt0pRSCgeHeHvmX5quhsNXXzZV2f26Bs0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=soG70zQYBtjrnTbPRgmDCCBjRNHJbnsHWTQkW3J12Xiuu1c4EZHM5n8j/WAbM+/8Y8A1T3ZkMpcFFTt37Nck8gtFro9CHuSxLHJEQlsdAeZoTFpraCRBqi3mQe33U0DKwXxBy9R6DpG+L2uvBzKorJ5YcWhiKiEH++CJdAB/9dM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=eIjnKxH0; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="eIjnKxH0" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 79D6FC4CEE7; Sat, 6 Sep 2025 21:37:07 +0000 (UTC) DKIM-Signature: v=1; 
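Review bot: `default KUNIT_ALL_TESTS || CRYPTO_SELFTESTS` is consistent with the sibling test options, but the help text should say what the test exercises after the consolidation in 10/12: libcurve25519 now selects arch or generic code internally at run time, so one run of this KUnit test covers whichever path the host CPU takes, and on arm/x86 the generic fallback is reached only when NEON or BMI2/ADX is absent. Someone turning on CRYPTO_SELFTESTS to validate the reorganization should know that the two implementations are not both covered on one machine unless the test calls both explicitly.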
From: Eric Biggers
To: linux-crypto@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel, "Jason A . Donenfeld", Zhiqi Song, Longfang Liu, x86@kernel.org, linux-arm-kernel@lists.infradead.org, linuxppc-dev@lists.ozlabs.org, Eric Biggers
Subject: [PATCH v2 12/12] wireguard: kconfig: Simplify crypto kconfig selections
Date: Sat, 6 Sep 2025 14:35:23 -0700
Message-ID: <20250906213523.84915-13-ebiggers@kernel.org>
In-Reply-To: <20250906213523.84915-1-ebiggers@kernel.org>
References: <20250906213523.84915-1-ebiggers@kernel.org>

Simplify the kconfig entry for WIREGUARD:

- Drop the selections of the arch-optimized ChaCha20, Poly1305, BLAKE2s, and Curve25519 code. These options no longer exist, as lib/crypto/ now enables the arch-optimized code automatically.

- Drop the selection of CRYPTO. This was needed only to make the arch-optimized options visible. lib/crypto/ now handles these options internally, without any dependency on CRYPTO.

- Drop the dependency on !KMSAN. This was needed only to avoid selecting arch-optimized code that isn't compatible with KMSAN. lib/crypto/ now handles the !KMSAN dependencies internally.

- Add a selection of CRYPTO_LIB_UTILS, since WireGuard directly calls crypto_memneq(). This gets selected indirectly by CRYPTO_LIB_CURVE25519 and CRYPTO_LIB_CHACHA20POLY1305 anyway, but it's best to make this dependency explicit.

Signed-off-by: Eric Biggers
---
 drivers/net/Kconfig | 15 +--------------
 1 file changed, 1 insertion(+), 14 deletions(-)

diff --git a/drivers/net/Kconfig b/drivers/net/Kconfig
index b29628d46be9b..ac12eaf11755d 100644
--- a/drivers/net/Kconfig
+++ b/drivers/net/Kconfig
@@ -74,28 +74,15 @@ config DUMMY =20 config WIREGUARD tristate "WireGuard secure network tunnel" depends on NET && INET depends on IPV6 || !IPV6 - depends on !KMSAN # KMSAN doesn't support the crypto configs below select NET_UDP_TUNNEL select DST_CACHE - select CRYPTO select CRYPTO_LIB_CURVE25519 select CRYPTO_LIB_CHACHA20POLY1305 - select CRYPTO_CHACHA20_X86_64 if X86 && 64BIT - select CRYPTO_POLY1305_X86_64 if X86 && 64BIT - select CRYPTO_BLAKE2S_X86 if X86 && 64BIT - select CRYPTO_CURVE25519_X86 if X86 && 64BIT - select CRYPTO_CHACHA20_NEON if ARM || (ARM64 && KERNEL_MODE_NEON) - select CRYPTO_POLY1305_NEON if ARM64 && KERNEL_MODE_NEON - select CRYPTO_POLY1305_ARM if ARM - select CRYPTO_BLAKE2S_ARM if ARM - select CRYPTO_CURVE25519_NEON if ARM && KERNEL_MODE_NEON - select CRYPTO_CHACHA_MIPS if CPU_MIPS32_R2 - select CRYPTO_POLY1305_MIPS if MIPS - select CRYPTO_CHACHA_S390 if S390 + select CRYPTO_LIB_UTILS help WireGuard is a secure, fast, and easy to use replacement for IPSec that uses modern cryptography and clever networking tricks. It's designed to be fairly general purpose and abstract enough to fit most use cases, while at the same time remaining extremely simple to --=20 2.50.1
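Review bot: the removed lines `select CRYPTO_BLAKE2S_X86 if X86 && 64BIT` and `select CRYPTO_BLAKE2S_ARM if ARM` show that WireGuard uses BLAKE2s, yet the selections that remain after this hunk cover only CRYPTO_LIB_CURVE25519, CRYPTO_LIB_CHACHA20POLY1305 and the new CRYPTO_LIB_UTILS; nothing in the entry selects a BLAKE2s library option. If lib/crypto builds BLAKE2s unconditionally, a short comment next to the selections (or a sentence in the commit message) saying so would spare the next reader the same question; if it does not, a `select CRYPTO_LIB_BLAKE2S` is missing. A related point on dropping `depends on !KMSAN # KMSAN doesn't support the crypto configs below`: `select` ignores the selected symbol's own `depends on`, so the KMSAN handling the commit message attributes to lib/crypto has to live on options WIREGUARD does not select directly, not on CRYPTO_LIB_CURVE25519 or CRYPTO_LIB_CHACHA20POLY1305 themselves; stating that explicitly in the commit message would make the removal easier to verify.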
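Both Kconfig hunks in this series rely on tristate arithmetic that is easy to misjudge, so here is an added example (not code from the patch series or from the kernel's kconfig tool) that models it in Python and evaluates the new `default KUNIT_ALL_TESTS || CRYPTO_SELFTESTS` line from patch 11/12 and the retained WIREGUARD dependencies and selections from patch 12/12. The semantics it assumes (n < m < y, `||` as max, `&&` as min, `!` as y minus x, a symbol's effective value clamped by its `depends on`, and `select` as a lower bound on the selected symbol) are my reading of Kconfig, and every function and constant name in it is mine.

```python
# Added example, not code from the patch series or from the kernel's kconfig
# tool: a minimal model of Kconfig tristate arithmetic, used to evaluate the
# two hunks in this series.  Assumed semantics: n < m < y as 0 < 1 < 2,
# "||" is max, "&&" is min, "!" is y - x, a symbol's effective value is
# min(its default or chosen value, its "depends on" expression), and
# "select FOO" forces FOO to at least the selecting symbol's effective value.

N, M, Y = 0, 1, 2
NAME = {N: "n", M: "m", Y: "y"}


def t_or(a, b):
    return max(a, b)


def t_and(a, b):
    return min(a, b)


def t_not(a):
    return Y - a


def curve25519_kunit_test(kunit, kunit_all_tests, crypto_selftests):
    """CRYPTO_LIB_CURVE25519_KUNIT_TEST after patch 11/12, with no explicit
    user choice: 'default KUNIT_ALL_TESTS || CRYPTO_SELFTESTS', clamped by
    the retained 'depends on KUNIT'."""
    default = t_or(kunit_all_tests, crypto_selftests)
    return t_and(default, kunit)


# Symbols WIREGUARD selects after patch 12/12 (CRYPTO_LIB_UTILS is the new one).
WIREGUARD_SELECTS = (
    "CRYPTO_LIB_CURVE25519",
    "CRYPTO_LIB_CHACHA20POLY1305",
    "CRYPTO_LIB_UTILS",
)


def wireguard(chosen, net, inet, ipv6):
    """WIREGUARD after patch 12/12: effective value for a user's choice under
    the retained 'depends on NET && INET' and 'depends on IPV6 || !IPV6',
    plus the lower bound its 'select's impose on the lib/crypto options.
    'IPV6 || !IPV6' is y when IPV6 is n or y and m when IPV6 is m, which is
    the Kconfig idiom for 'must be a module if IPV6 is a module'."""
    deps = t_and(t_and(net, inet), t_or(ipv6, t_not(ipv6)))
    effective = t_and(chosen, deps)
    forced_min = {sym: effective for sym in WIREGUARD_SELECTS}
    return effective, forced_min


def report():
    """Tabulate the cases a reviewer of the two hunks would want to eyeball."""
    rows = []
    for kunit in (N, M, Y):
        for kat, cs in ((N, N), (Y, N), (N, Y)):  # CRYPTO_SELFTESTS is a bool
            v = curve25519_kunit_test(kunit, kat, cs)
            rows.append(f"KUNIT={NAME[kunit]} KUNIT_ALL_TESTS={NAME[kat]} "
                        f"CRYPTO_SELFTESTS={NAME[cs]} -> "
                        f"CRYPTO_LIB_CURVE25519_KUNIT_TEST={NAME[v]}")
    for ipv6 in (N, M, Y):
        wg, forced = wireguard(Y, Y, Y, ipv6)
        rows.append(f"WIREGUARD=y IPV6={NAME[ipv6]} -> WIREGUARD={NAME[wg]}, "
                    + ", ".join(f"{s}>={NAME[v]}" for s, v in forced.items()))
    return rows


if __name__ == "__main__":
    print("\n".join(report()))
```

Running it shows the two behaviours worth knowing before merging: CRYPTO_SELFTESTS=y without KUNIT still yields no Curve25519 test (and KUNIT=m caps it at m), and IPV6=m caps WIREGUARD, and therefore the lower bound it forces on every CRYPTO_LIB_* option it selects, at m.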