linux-rng/include/crypto, branch master

Merge tag 'libcrypto-at-least-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux

2025-12-03T02:26:54Z

Pull 'at_least' array size update from Eric Biggers: "C supports lower bounds on the sizes of array parameters, using the static keyword as follows: 'void f(int a[static 32]);'. This allows the compiler to warn about a too-small array being passed. As discussed, this reuse of the 'static' keyword, while standard, is a bit obscure. Therefore, add an alias 'at_least' to compiler_types.h. Then, add this 'at_least' annotation to the array parameters of various crypto library functions" * tag 'libcrypto-at-least-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux: lib/crypto: sha2: Add at_least decoration to fixed-size array params lib/crypto: sha1: Add at_least decoration to fixed-size array params lib/crypto: poly1305: Add at_least decoration to fixed-size array params lib/crypto: md5: Add at_least decoration to fixed-size array params lib/crypto: curve25519: Add at_least decoration to fixed-size array params lib/crypto: chacha: Add at_least decoration to fixed-size array params lib/crypto: chacha20poly1305: Statically check fixed array lengths compiler_types: introduce at_least parameter decoration pseudo keyword wifi: iwlwifi: trans: rename at_least variable to min_mode

lib/crypto: sha2: Add at_least decoration to fixed-size array params

2025-11-23T20:19:47Z

Add the at_least (i.e. 'static') decoration to the fixed-size array parameters of the sha2 library functions. This causes clang to warn when a too-small array of known size is passed. Acked-by: Ard Biesheuvel Acked-by: "Jason A. Donenfeld" Link: https://lore.kernel.org/r/20251122194206.31822-7-ebiggers@kernel.org Signed-off-by: Eric Biggers

lib/crypto: sha1: Add at_least decoration to fixed-size array params

2025-11-23T20:19:47Z

Add the at_least (i.e. 'static') decoration to the fixed-size array parameters of the sha1 library functions. This causes clang to warn when a too-small array of known size is passed. Acked-by: Ard Biesheuvel Acked-by: "Jason A. Donenfeld" Link: https://lore.kernel.org/r/20251122194206.31822-6-ebiggers@kernel.org Signed-off-by: Eric Biggers

lib/crypto: poly1305: Add at_least decoration to fixed-size array params

2025-11-23T20:19:47Z

Add the at_least (i.e. 'static') decoration to the fixed-size array parameters of the poly1305 library functions. This causes clang to warn when a too-small array of known size is passed. Acked-by: Ard Biesheuvel Acked-by: "Jason A. Donenfeld" Link: https://lore.kernel.org/r/20251122194206.31822-5-ebiggers@kernel.org Signed-off-by: Eric Biggers

lib/crypto: md5: Add at_least decoration to fixed-size array params

2025-11-23T20:19:47Z

Add the at_least (i.e. 'static') decoration to the fixed-size array parameters of the md5 library functions. This causes clang to warn when a too-small array of known size is passed. Acked-by: Ard Biesheuvel Acked-by: "Jason A. Donenfeld" Link: https://lore.kernel.org/r/20251122194206.31822-4-ebiggers@kernel.org Signed-off-by: Eric Biggers

lib/crypto: curve25519: Add at_least decoration to fixed-size array params

2025-11-23T20:19:47Z

Add the at_least (i.e. 'static') decoration to the fixed-size array parameters of the curve25519 library functions. This causes clang to warn when a too-small array of known size is passed. Acked-by: Ard Biesheuvel Acked-by: "Jason A. Donenfeld" Link: https://lore.kernel.org/r/20251122194206.31822-3-ebiggers@kernel.org Signed-off-by: Eric Biggers

lib/crypto: chacha: Add at_least decoration to fixed-size array params

2025-11-23T20:19:47Z

Add the at_least (i.e. 'static') decoration to the fixed-size array parameters of the chacha library functions. This causes clang to warn when a too-small array of known size is passed. Acked-by: Ard Biesheuvel Acked-by: "Jason A. Donenfeld" Link: https://lore.kernel.org/r/20251122194206.31822-2-ebiggers@kernel.org Signed-off-by: Eric Biggers

lib/crypto: chacha20poly1305: Statically check fixed array lengths

2025-11-23T20:19:21Z

Several parameters of the chacha20poly1305 functions require arrays of an exact length. Use the new at_least keyword to instruct gcc and clang to statically check that the caller is passing an object of at least that length. Here it is in action, with this faulty patch to wireguard's cookie.h: struct cookie_checker { u8 secret[NOISE_HASH_LEN]; - u8 cookie_encryption_key[NOISE_SYMMETRIC_KEY_LEN]; + u8 cookie_encryption_key[NOISE_SYMMETRIC_KEY_LEN - 1]; u8 message_mac1_key[NOISE_SYMMETRIC_KEY_LEN]; If I try compiling this code, I get this helpful warning: CC drivers/net/wireguard/cookie.o drivers/net/wireguard/cookie.c: In function ‘wg_cookie_message_create’: drivers/net/wireguard/cookie.c:193:9: warning: ‘xchacha20poly1305_encrypt’ reading 32 bytes from a region of size 31 [-Wstringop-overread] 193 | xchacha20poly1305_encrypt(dst->encrypted_cookie, cookie, COOKIE_LEN, | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 194 | macs->mac1, COOKIE_LEN, dst->nonce, | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 195 | checker->cookie_encryption_key); | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/net/wireguard/cookie.c:193:9: note: referencing argument 7 of type ‘const u8 *’ {aka ‘const unsigned char *’} In file included from drivers/net/wireguard/messages.h:10, from drivers/net/wireguard/cookie.h:9, from drivers/net/wireguard/cookie.c:6: include/crypto/chacha20poly1305.h:28:6: note: in a call to function ‘xchacha20poly1305_encrypt’ 28 | void xchacha20poly1305_encrypt(u8 *dst, const u8 *src, const size_t src_len, Acked-by: Ard Biesheuvel Signed-off-by: "Jason A. Donenfeld" Link: https://lore.kernel.org/r/20251123054819.2371989-4-Jason@zx2c4.com Signed-off-by: Eric Biggers

lib/crypto: x86/polyval: Migrate optimized code into library

2025-11-11T19:03:38Z

Migrate the x86_64 implementation of POLYVAL into lib/crypto/, wiring it up to the POLYVAL library interface. This makes the POLYVAL library be properly optimized on x86_64. This drops the x86_64 optimizations of polyval in the crypto_shash API. That's fine, since polyval will be removed from crypto_shash entirely since it is unneeded there. But even if it comes back, the crypto_shash API could just be implemented on top of the library API, as usual. Adjust the names and prototypes of the assembly functions to align more closely with the rest of the library code. Also replace a movaps instruction with movups to remove the assumption that the key struct is 16-byte aligned. Users can still align the key if they want (and at least in this case, movups is just as fast as movaps), but it's inconvenient to require it. Reviewed-by: Ard Biesheuvel Link: https://lore.kernel.org/r/20251109234726.638437-6-ebiggers@kernel.org Signed-off-by: Eric Biggers

lib/crypto: arm64/polyval: Migrate optimized code into library

2025-11-11T19:03:38Z

Migrate the arm64 implementation of POLYVAL into lib/crypto/, wiring it up to the POLYVAL library interface. This makes the POLYVAL library be properly optimized on arm64. This drops the arm64 optimizations of polyval in the crypto_shash API. That's fine, since polyval will be removed from crypto_shash entirely since it is unneeded there. But even if it comes back, the crypto_shash API could just be implemented on top of the library API, as usual. Adjust the names and prototypes of the assembly functions to align more closely with the rest of the library code. Reviewed-by: Ard Biesheuvel Link: https://lore.kernel.org/r/20251109234726.638437-5-ebiggers@kernel.org Signed-off-by: Eric Biggers