[PATCH 0/6] lib/crypto: More at_least decorations

[PATCH 0/6] lib/crypto: More at_least decorations

[Eric Biggers]

This series depends on the 'at_least' macro added by
https://lore.kernel.org/r/20251122025510.1625066-4-Jason@zx2c4.com
It can also be retrieved from

    git fetch https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux.git more-at-least-decorations-v1

Add the at_least (i.e. 'static') decoration to the fixed-size array
parameters of more of the crypto library functions.  This causes clang
to generate a warning if a too-small array of known size is passed.

Eric Biggers (6):
  lib/crypto: chacha: Add at_least decoration to fixed-size array params
  lib/crypto: curve25519: Add at_least decoration to fixed-size array
    params
  lib/crypto: md5: Add at_least decoration to fixed-size array params
  lib/crypto: poly1305: Add at_least decoration to fixed-size array
    params
  lib/crypto: sha1: Add at_least decoration to fixed-size array params
  lib/crypto: sha2: Add at_least decoration to fixed-size array params

 include/crypto/chacha.h     | 12 ++++-----
 include/crypto/curve25519.h | 24 ++++++++++-------
 include/crypto/md5.h        | 11 ++++----
 include/crypto/poly1305.h   |  2 +-
 include/crypto/sha1.h       | 12 +++++----
 include/crypto/sha2.h       | 53 ++++++++++++++++++++++---------------
 6 files changed, 65 insertions(+), 49 deletions(-)


base-commit: 86d930bb1c19ec798fd432c5b8f25912373c98b2
-- 
2.51.2

[PATCH 1/6] lib/crypto: chacha: Add at_least decoration to fixed-size array params

[Eric Biggers]

Add the at_least (i.e. 'static') decoration to the fixed-size array
parameters of the chacha library functions.  This causes clang to warn
when a too-small array of known size is passed.

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 include/crypto/chacha.h | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/include/crypto/chacha.h b/include/crypto/chacha.h
index 38e26dff27b0..1cc301a48469 100644
--- a/include/crypto/chacha.h
+++ b/include/crypto/chacha.h
@@ -36,22 +36,22 @@
 struct chacha_state {
 	u32 x[CHACHA_STATE_WORDS];
 };
 
 void chacha_block_generic(struct chacha_state *state,
-			  u8 out[CHACHA_BLOCK_SIZE], int nrounds);
+			  u8 out[at_least CHACHA_BLOCK_SIZE], int nrounds);
 static inline void chacha20_block(struct chacha_state *state,
-				  u8 out[CHACHA_BLOCK_SIZE])
+				  u8 out[at_least CHACHA_BLOCK_SIZE])
 {
 	chacha_block_generic(state, out, 20);
 }
 
 void hchacha_block_generic(const struct chacha_state *state,
-			   u32 out[HCHACHA_OUT_WORDS], int nrounds);
+			   u32 out[at_least HCHACHA_OUT_WORDS], int nrounds);
 
 void hchacha_block(const struct chacha_state *state,
-		   u32 out[HCHACHA_OUT_WORDS], int nrounds);
+		   u32 out[at_least HCHACHA_OUT_WORDS], int nrounds);
 
 enum chacha_constants { /* expand 32-byte k */
 	CHACHA_CONSTANT_EXPA = 0x61707865U,
 	CHACHA_CONSTANT_ND_3 = 0x3320646eU,
 	CHACHA_CONSTANT_2_BY = 0x79622d32U,
@@ -65,12 +65,12 @@ static inline void chacha_init_consts(struct chacha_state *state)
 	state->x[2]  = CHACHA_CONSTANT_2_BY;
 	state->x[3]  = CHACHA_CONSTANT_TE_K;
 }
 
 static inline void chacha_init(struct chacha_state *state,
-			       const u32 key[CHACHA_KEY_WORDS],
-			       const u8 iv[CHACHA_IV_SIZE])
+			       const u32 key[at_least CHACHA_KEY_WORDS],
+			       const u8 iv[at_least CHACHA_IV_SIZE])
 {
 	chacha_init_consts(state);
 	state->x[4]  = key[0];
 	state->x[5]  = key[1];
 	state->x[6]  = key[2];
-- 
2.51.2

[PATCH 2/6] lib/crypto: curve25519: Add at_least decoration to fixed-size array params

[Eric Biggers]

Add the at_least (i.e. 'static') decoration to the fixed-size array
parameters of the curve25519 library functions.  This causes clang to
warn when a too-small array of known size is passed.

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 include/crypto/curve25519.h | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/include/crypto/curve25519.h b/include/crypto/curve25519.h
index db63a5577c00..2362b48f8741 100644
--- a/include/crypto/curve25519.h
+++ b/include/crypto/curve25519.h
@@ -11,28 +11,32 @@
 
 enum curve25519_lengths {
 	CURVE25519_KEY_SIZE = 32
 };
 
-void curve25519_generic(u8 out[CURVE25519_KEY_SIZE],
-			const u8 scalar[CURVE25519_KEY_SIZE],
-			const u8 point[CURVE25519_KEY_SIZE]);
+void curve25519_generic(u8 out[at_least CURVE25519_KEY_SIZE],
+			const u8 scalar[at_least CURVE25519_KEY_SIZE],
+			const u8 point[at_least CURVE25519_KEY_SIZE]);
 
-bool __must_check curve25519(u8 mypublic[CURVE25519_KEY_SIZE],
-			     const u8 secret[CURVE25519_KEY_SIZE],
-			     const u8 basepoint[CURVE25519_KEY_SIZE]);
+bool __must_check
+curve25519(u8 mypublic[at_least CURVE25519_KEY_SIZE],
+	   const u8 secret[at_least CURVE25519_KEY_SIZE],
+	   const u8 basepoint[at_least CURVE25519_KEY_SIZE]);
 
-bool __must_check curve25519_generate_public(u8 pub[CURVE25519_KEY_SIZE],
-					     const u8 secret[CURVE25519_KEY_SIZE]);
+bool __must_check
+curve25519_generate_public(u8 pub[at_least CURVE25519_KEY_SIZE],
+			   const u8 secret[at_least CURVE25519_KEY_SIZE]);
 
-static inline void curve25519_clamp_secret(u8 secret[CURVE25519_KEY_SIZE])
+static inline void
+curve25519_clamp_secret(u8 secret[at_least CURVE25519_KEY_SIZE])
 {
 	secret[0] &= 248;
 	secret[31] = (secret[31] & 127) | 64;
 }
 
-static inline void curve25519_generate_secret(u8 secret[CURVE25519_KEY_SIZE])
+static inline void
+curve25519_generate_secret(u8 secret[at_least CURVE25519_KEY_SIZE])
 {
 	get_random_bytes_wait(secret, CURVE25519_KEY_SIZE);
 	curve25519_clamp_secret(secret);
 }
 
-- 
2.51.2

[PATCH 3/6] lib/crypto: md5: Add at_least decoration to fixed-size array params

[Eric Biggers]

Add the at_least (i.e. 'static') decoration to the fixed-size array
parameters of the md5 library functions.  This causes clang to warn when
a too-small array of known size is passed.

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 include/crypto/md5.h | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/include/crypto/md5.h b/include/crypto/md5.h
index c9aa5c3abc53..c47aedfe67ec 100644
--- a/include/crypto/md5.h
+++ b/include/crypto/md5.h
@@ -74,21 +74,21 @@ void md5_update(struct md5_ctx *ctx, const u8 *data, size_t len);
  *
  * After finishing, this zeroizes @ctx.  So the caller does not need to do it.
  *
  * Context: Any context.
  */
-void md5_final(struct md5_ctx *ctx, u8 out[MD5_DIGEST_SIZE]);
+void md5_final(struct md5_ctx *ctx, u8 out[at_least MD5_DIGEST_SIZE]);
 
 /**
  * md5() - Compute MD5 message digest in one shot
  * @data: the message data
  * @len: the data length in bytes
  * @out: (output) the resulting MD5 message digest
  *
  * Context: Any context.
  */
-void md5(const u8 *data, size_t len, u8 out[MD5_DIGEST_SIZE]);
+void md5(const u8 *data, size_t len, u8 out[at_least MD5_DIGEST_SIZE]);
 
 /**
  * struct hmac_md5_key - Prepared key for HMAC-MD5
  * @istate: private
  * @ostate: private
@@ -171,11 +171,11 @@ static inline void hmac_md5_update(struct hmac_md5_ctx *ctx,
  *
  * After finishing, this zeroizes @ctx.  So the caller does not need to do it.
  *
  * Context: Any context.
  */
-void hmac_md5_final(struct hmac_md5_ctx *ctx, u8 out[MD5_DIGEST_SIZE]);
+void hmac_md5_final(struct hmac_md5_ctx *ctx, u8 out[at_least MD5_DIGEST_SIZE]);
 
 /**
  * hmac_md5() - Compute HMAC-MD5 in one shot, using a prepared key
  * @key: the prepared HMAC key
  * @data: the message data
@@ -185,11 +185,12 @@ void hmac_md5_final(struct hmac_md5_ctx *ctx, u8 out[MD5_DIGEST_SIZE]);
  * If you're using the key only once, consider using hmac_md5_usingrawkey().
  *
  * Context: Any context.
  */
 void hmac_md5(const struct hmac_md5_key *key,
-	      const u8 *data, size_t data_len, u8 out[MD5_DIGEST_SIZE]);
+	      const u8 *data, size_t data_len,
+	      u8 out[at_least MD5_DIGEST_SIZE]);
 
 /**
  * hmac_md5_usingrawkey() - Compute HMAC-MD5 in one shot, using a raw key
  * @raw_key: the raw HMAC-MD5 key
  * @raw_key_len: the key length in bytes.  All key lengths are supported.
@@ -202,8 +203,8 @@ void hmac_md5(const struct hmac_md5_key *key,
  *
  * Context: Any context.
  */
 void hmac_md5_usingrawkey(const u8 *raw_key, size_t raw_key_len,
 			  const u8 *data, size_t data_len,
-			  u8 out[MD5_DIGEST_SIZE]);
+			  u8 out[at_least MD5_DIGEST_SIZE]);
 
 #endif /* _CRYPTO_MD5_H */
-- 
2.51.2

[PATCH 4/6] lib/crypto: poly1305: Add at_least decoration to fixed-size array params

[Eric Biggers]

Add the at_least (i.e. 'static') decoration to the fixed-size array
parameters of the poly1305 library functions.  This causes clang to warn
when a too-small array of known size is passed.

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 include/crypto/poly1305.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/crypto/poly1305.h b/include/crypto/poly1305.h
index d4daeec8da19..190beb427c6d 100644
--- a/include/crypto/poly1305.h
+++ b/include/crypto/poly1305.h
@@ -57,11 +57,11 @@ struct poly1305_desc_ctx {
 	u32 s[4];
 	struct poly1305_block_state state;
 };
 
 void poly1305_init(struct poly1305_desc_ctx *desc,
-		   const u8 key[POLY1305_KEY_SIZE]);
+		   const u8 key[at_least POLY1305_KEY_SIZE]);
 void poly1305_update(struct poly1305_desc_ctx *desc,
 		     const u8 *src, unsigned int nbytes);
 void poly1305_final(struct poly1305_desc_ctx *desc, u8 *digest);
 
 #endif
-- 
2.51.2

[PATCH 5/6] lib/crypto: sha1: Add at_least decoration to fixed-size array params

[Eric Biggers]

Add the at_least (i.e. 'static') decoration to the fixed-size array
parameters of the sha1 library functions.  This causes clang to warn
when a too-small array of known size is passed.

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 include/crypto/sha1.h | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/include/crypto/sha1.h b/include/crypto/sha1.h
index 162a529ec841..27f08b972931 100644
--- a/include/crypto/sha1.h
+++ b/include/crypto/sha1.h
@@ -82,21 +82,21 @@ void sha1_update(struct sha1_ctx *ctx, const u8 *data, size_t len);
  *
  * After finishing, this zeroizes @ctx.  So the caller does not need to do it.
  *
  * Context: Any context.
  */
-void sha1_final(struct sha1_ctx *ctx, u8 out[SHA1_DIGEST_SIZE]);
+void sha1_final(struct sha1_ctx *ctx, u8 out[at_least SHA1_DIGEST_SIZE]);
 
 /**
  * sha1() - Compute SHA-1 message digest in one shot
  * @data: the message data
  * @len: the data length in bytes
  * @out: (output) the resulting SHA-1 message digest
  *
  * Context: Any context.
  */
-void sha1(const u8 *data, size_t len, u8 out[SHA1_DIGEST_SIZE]);
+void sha1(const u8 *data, size_t len, u8 out[at_least SHA1_DIGEST_SIZE]);
 
 /**
  * struct hmac_sha1_key - Prepared key for HMAC-SHA1
  * @istate: private
  * @ostate: private
@@ -179,11 +179,12 @@ static inline void hmac_sha1_update(struct hmac_sha1_ctx *ctx,
  *
  * After finishing, this zeroizes @ctx.  So the caller does not need to do it.
  *
  * Context: Any context.
  */
-void hmac_sha1_final(struct hmac_sha1_ctx *ctx, u8 out[SHA1_DIGEST_SIZE]);
+void hmac_sha1_final(struct hmac_sha1_ctx *ctx,
+		     u8 out[at_least SHA1_DIGEST_SIZE]);
 
 /**
  * hmac_sha1() - Compute HMAC-SHA1 in one shot, using a prepared key
  * @key: the prepared HMAC key
  * @data: the message data
@@ -193,11 +194,12 @@ void hmac_sha1_final(struct hmac_sha1_ctx *ctx, u8 out[SHA1_DIGEST_SIZE]);
  * If you're using the key only once, consider using hmac_sha1_usingrawkey().
  *
  * Context: Any context.
  */
 void hmac_sha1(const struct hmac_sha1_key *key,
-	       const u8 *data, size_t data_len, u8 out[SHA1_DIGEST_SIZE]);
+	       const u8 *data, size_t data_len,
+	       u8 out[at_least SHA1_DIGEST_SIZE]);
 
 /**
  * hmac_sha1_usingrawkey() - Compute HMAC-SHA1 in one shot, using a raw key
  * @raw_key: the raw HMAC-SHA1 key
  * @raw_key_len: the key length in bytes.  All key lengths are supported.
@@ -210,8 +212,8 @@ void hmac_sha1(const struct hmac_sha1_key *key,
  *
  * Context: Any context.
  */
 void hmac_sha1_usingrawkey(const u8 *raw_key, size_t raw_key_len,
 			   const u8 *data, size_t data_len,
-			   u8 out[SHA1_DIGEST_SIZE]);
+			   u8 out[at_least SHA1_DIGEST_SIZE]);
 
 #endif /* _CRYPTO_SHA1_H */
-- 
2.51.2

[PATCH 6/6] lib/crypto: sha2: Add at_least decoration to fixed-size array params

[Eric Biggers]

Add the at_least (i.e. 'static') decoration to the fixed-size array
parameters of the sha2 library functions.  This causes clang to warn
when a too-small array of known size is passed.

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 include/crypto/sha2.h | 53 +++++++++++++++++++++++++------------------
 1 file changed, 31 insertions(+), 22 deletions(-)

diff --git a/include/crypto/sha2.h b/include/crypto/sha2.h
index e5dafb935cc8..7bb8fe169daf 100644
--- a/include/crypto/sha2.h
+++ b/include/crypto/sha2.h
@@ -188,21 +188,21 @@ static inline void sha224_update(struct sha224_ctx *ctx,
  *
  * After finishing, this zeroizes @ctx.  So the caller does not need to do it.
  *
  * Context: Any context.
  */
-void sha224_final(struct sha224_ctx *ctx, u8 out[SHA224_DIGEST_SIZE]);
+void sha224_final(struct sha224_ctx *ctx, u8 out[at_least SHA224_DIGEST_SIZE]);
 
 /**
  * sha224() - Compute SHA-224 message digest in one shot
  * @data: the message data
  * @len: the data length in bytes
  * @out: (output) the resulting SHA-224 message digest
  *
  * Context: Any context.
  */
-void sha224(const u8 *data, size_t len, u8 out[SHA224_DIGEST_SIZE]);
+void sha224(const u8 *data, size_t len, u8 out[at_least SHA224_DIGEST_SIZE]);
 
 /**
  * struct hmac_sha224_key - Prepared key for HMAC-SHA224
  * @key: private
  */
@@ -285,11 +285,12 @@ static inline void hmac_sha224_update(struct hmac_sha224_ctx *ctx,
  *
  * After finishing, this zeroizes @ctx.  So the caller does not need to do it.
  *
  * Context: Any context.
  */
-void hmac_sha224_final(struct hmac_sha224_ctx *ctx, u8 out[SHA224_DIGEST_SIZE]);
+void hmac_sha224_final(struct hmac_sha224_ctx *ctx,
+		       u8 out[at_least SHA224_DIGEST_SIZE]);
 
 /**
  * hmac_sha224() - Compute HMAC-SHA224 in one shot, using a prepared key
  * @key: the prepared HMAC key
  * @data: the message data
@@ -299,11 +300,12 @@ void hmac_sha224_final(struct hmac_sha224_ctx *ctx, u8 out[SHA224_DIGEST_SIZE]);
  * If you're using the key only once, consider using hmac_sha224_usingrawkey().
  *
  * Context: Any context.
  */
 void hmac_sha224(const struct hmac_sha224_key *key,
-		 const u8 *data, size_t data_len, u8 out[SHA224_DIGEST_SIZE]);
+		 const u8 *data, size_t data_len,
+		 u8 out[at_least SHA224_DIGEST_SIZE]);
 
 /**
  * hmac_sha224_usingrawkey() - Compute HMAC-SHA224 in one shot, using a raw key
  * @raw_key: the raw HMAC-SHA224 key
  * @raw_key_len: the key length in bytes.  All key lengths are supported.
@@ -316,11 +318,11 @@ void hmac_sha224(const struct hmac_sha224_key *key,
  *
  * Context: Any context.
  */
 void hmac_sha224_usingrawkey(const u8 *raw_key, size_t raw_key_len,
 			     const u8 *data, size_t data_len,
-			     u8 out[SHA224_DIGEST_SIZE]);
+			     u8 out[at_least SHA224_DIGEST_SIZE]);
 
 /**
  * struct sha256_ctx - Context for hashing a message with SHA-256
  * @ctx: private
  */
@@ -361,21 +363,21 @@ static inline void sha256_update(struct sha256_ctx *ctx,
  *
  * After finishing, this zeroizes @ctx.  So the caller does not need to do it.
  *
  * Context: Any context.
  */
-void sha256_final(struct sha256_ctx *ctx, u8 out[SHA256_DIGEST_SIZE]);
+void sha256_final(struct sha256_ctx *ctx, u8 out[at_least SHA256_DIGEST_SIZE]);
 
 /**
  * sha256() - Compute SHA-256 message digest in one shot
  * @data: the message data
  * @len: the data length in bytes
  * @out: (output) the resulting SHA-256 message digest
  *
  * Context: Any context.
  */
-void sha256(const u8 *data, size_t len, u8 out[SHA256_DIGEST_SIZE]);
+void sha256(const u8 *data, size_t len, u8 out[at_least SHA256_DIGEST_SIZE]);
 
 /**
  * sha256_finup_2x() - Compute two SHA-256 digests from a common initial
  *		       context.  On some CPUs, this is faster than sequentially
  *		       computing each digest.
@@ -388,12 +390,13 @@ void sha256(const u8 *data, size_t len, u8 out[SHA256_DIGEST_SIZE]);
  * @out2: (output) the second SHA-256 message digest
  *
  * Context: Any context.
  */
 void sha256_finup_2x(const struct sha256_ctx *ctx, const u8 *data1,
-		     const u8 *data2, size_t len, u8 out1[SHA256_DIGEST_SIZE],
-		     u8 out2[SHA256_DIGEST_SIZE]);
+		     const u8 *data2, size_t len,
+		     u8 out1[at_least SHA256_DIGEST_SIZE],
+		     u8 out2[at_least SHA256_DIGEST_SIZE]);
 
 /**
  * sha256_finup_2x_is_optimized() - Check if sha256_finup_2x() is using a real
  *				    interleaved implementation, as opposed to a
  *				    sequential fallback
@@ -486,11 +489,12 @@ static inline void hmac_sha256_update(struct hmac_sha256_ctx *ctx,
  *
  * After finishing, this zeroizes @ctx.  So the caller does not need to do it.
  *
  * Context: Any context.
  */
-void hmac_sha256_final(struct hmac_sha256_ctx *ctx, u8 out[SHA256_DIGEST_SIZE]);
+void hmac_sha256_final(struct hmac_sha256_ctx *ctx,
+		       u8 out[at_least SHA256_DIGEST_SIZE]);
 
 /**
  * hmac_sha256() - Compute HMAC-SHA256 in one shot, using a prepared key
  * @key: the prepared HMAC key
  * @data: the message data
@@ -500,11 +504,12 @@ void hmac_sha256_final(struct hmac_sha256_ctx *ctx, u8 out[SHA256_DIGEST_SIZE]);
  * If you're using the key only once, consider using hmac_sha256_usingrawkey().
  *
  * Context: Any context.
  */
 void hmac_sha256(const struct hmac_sha256_key *key,
-		 const u8 *data, size_t data_len, u8 out[SHA256_DIGEST_SIZE]);
+		 const u8 *data, size_t data_len,
+		 u8 out[at_least SHA256_DIGEST_SIZE]);
 
 /**
  * hmac_sha256_usingrawkey() - Compute HMAC-SHA256 in one shot, using a raw key
  * @raw_key: the raw HMAC-SHA256 key
  * @raw_key_len: the key length in bytes.  All key lengths are supported.
@@ -517,11 +522,11 @@ void hmac_sha256(const struct hmac_sha256_key *key,
  *
  * Context: Any context.
  */
 void hmac_sha256_usingrawkey(const u8 *raw_key, size_t raw_key_len,
 			     const u8 *data, size_t data_len,
-			     u8 out[SHA256_DIGEST_SIZE]);
+			     u8 out[at_least SHA256_DIGEST_SIZE]);
 
 /* State for the SHA-512 (and SHA-384) compression function */
 struct sha512_block_state {
 	u64 h[8];
 };
@@ -596,21 +601,21 @@ static inline void sha384_update(struct sha384_ctx *ctx,
  *
  * After finishing, this zeroizes @ctx.  So the caller does not need to do it.
  *
  * Context: Any context.
  */
-void sha384_final(struct sha384_ctx *ctx, u8 out[SHA384_DIGEST_SIZE]);
+void sha384_final(struct sha384_ctx *ctx, u8 out[at_least SHA384_DIGEST_SIZE]);
 
 /**
  * sha384() - Compute SHA-384 message digest in one shot
  * @data: the message data
  * @len: the data length in bytes
  * @out: (output) the resulting SHA-384 message digest
  *
  * Context: Any context.
  */
-void sha384(const u8 *data, size_t len, u8 out[SHA384_DIGEST_SIZE]);
+void sha384(const u8 *data, size_t len, u8 out[at_least SHA384_DIGEST_SIZE]);
 
 /**
  * struct hmac_sha384_key - Prepared key for HMAC-SHA384
  * @key: private
  */
@@ -693,11 +698,12 @@ static inline void hmac_sha384_update(struct hmac_sha384_ctx *ctx,
  *
  * After finishing, this zeroizes @ctx.  So the caller does not need to do it.
  *
  * Context: Any context.
  */
-void hmac_sha384_final(struct hmac_sha384_ctx *ctx, u8 out[SHA384_DIGEST_SIZE]);
+void hmac_sha384_final(struct hmac_sha384_ctx *ctx,
+		       u8 out[at_least SHA384_DIGEST_SIZE]);
 
 /**
  * hmac_sha384() - Compute HMAC-SHA384 in one shot, using a prepared key
  * @key: the prepared HMAC key
  * @data: the message data
@@ -707,11 +713,12 @@ void hmac_sha384_final(struct hmac_sha384_ctx *ctx, u8 out[SHA384_DIGEST_SIZE]);
  * If you're using the key only once, consider using hmac_sha384_usingrawkey().
  *
  * Context: Any context.
  */
 void hmac_sha384(const struct hmac_sha384_key *key,
-		 const u8 *data, size_t data_len, u8 out[SHA384_DIGEST_SIZE]);
+		 const u8 *data, size_t data_len,
+		 u8 out[at_least SHA384_DIGEST_SIZE]);
 
 /**
  * hmac_sha384_usingrawkey() - Compute HMAC-SHA384 in one shot, using a raw key
  * @raw_key: the raw HMAC-SHA384 key
  * @raw_key_len: the key length in bytes.  All key lengths are supported.
@@ -724,11 +731,11 @@ void hmac_sha384(const struct hmac_sha384_key *key,
  *
  * Context: Any context.
  */
 void hmac_sha384_usingrawkey(const u8 *raw_key, size_t raw_key_len,
 			     const u8 *data, size_t data_len,
-			     u8 out[SHA384_DIGEST_SIZE]);
+			     u8 out[at_least SHA384_DIGEST_SIZE]);
 
 /**
  * struct sha512_ctx - Context for hashing a message with SHA-512
  * @ctx: private
  */
@@ -769,21 +776,21 @@ static inline void sha512_update(struct sha512_ctx *ctx,
  *
  * After finishing, this zeroizes @ctx.  So the caller does not need to do it.
  *
  * Context: Any context.
  */
-void sha512_final(struct sha512_ctx *ctx, u8 out[SHA512_DIGEST_SIZE]);
+void sha512_final(struct sha512_ctx *ctx, u8 out[at_least SHA512_DIGEST_SIZE]);
 
 /**
  * sha512() - Compute SHA-512 message digest in one shot
  * @data: the message data
  * @len: the data length in bytes
  * @out: (output) the resulting SHA-512 message digest
  *
  * Context: Any context.
  */
-void sha512(const u8 *data, size_t len, u8 out[SHA512_DIGEST_SIZE]);
+void sha512(const u8 *data, size_t len, u8 out[at_least SHA512_DIGEST_SIZE]);
 
 /**
  * struct hmac_sha512_key - Prepared key for HMAC-SHA512
  * @key: private
  */
@@ -866,11 +873,12 @@ static inline void hmac_sha512_update(struct hmac_sha512_ctx *ctx,
  *
  * After finishing, this zeroizes @ctx.  So the caller does not need to do it.
  *
  * Context: Any context.
  */
-void hmac_sha512_final(struct hmac_sha512_ctx *ctx, u8 out[SHA512_DIGEST_SIZE]);
+void hmac_sha512_final(struct hmac_sha512_ctx *ctx,
+		       u8 out[at_least SHA512_DIGEST_SIZE]);
 
 /**
  * hmac_sha512() - Compute HMAC-SHA512 in one shot, using a prepared key
  * @key: the prepared HMAC key
  * @data: the message data
@@ -880,11 +888,12 @@ void hmac_sha512_final(struct hmac_sha512_ctx *ctx, u8 out[SHA512_DIGEST_SIZE]);
  * If you're using the key only once, consider using hmac_sha512_usingrawkey().
  *
  * Context: Any context.
  */
 void hmac_sha512(const struct hmac_sha512_key *key,
-		 const u8 *data, size_t data_len, u8 out[SHA512_DIGEST_SIZE]);
+		 const u8 *data, size_t data_len,
+		 u8 out[at_least SHA512_DIGEST_SIZE]);
 
 /**
  * hmac_sha512_usingrawkey() - Compute HMAC-SHA512 in one shot, using a raw key
  * @raw_key: the raw HMAC-SHA512 key
  * @raw_key_len: the key length in bytes.  All key lengths are supported.
@@ -897,8 +906,8 @@ void hmac_sha512(const struct hmac_sha512_key *key,
  *
  * Context: Any context.
  */
 void hmac_sha512_usingrawkey(const u8 *raw_key, size_t raw_key_len,
 			     const u8 *data, size_t data_len,
-			     u8 out[SHA512_DIGEST_SIZE]);
+			     u8 out[at_least SHA512_DIGEST_SIZE]);
 
 #endif /* _CRYPTO_SHA2_H */
-- 
2.51.2

Re: [PATCH 0/6] lib/crypto: More at_least decorations

[Jason A. Donenfeld]

Acked-by: Jason A. Donenfeld <Jason@zx2c4.com>

Re: [PATCH 0/6] lib/crypto: More at_least decorations

[Eric Biggers]

On Sat, Nov 22, 2025 at 11:42:00AM -0800, Eric Biggers wrote:
> This series depends on the 'at_least' macro added by
> https://lore.kernel.org/r/20251122025510.1625066-4-Jason@zx2c4.com
> It can also be retrieved from
> 
>     git fetch https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux.git more-at-least-decorations-v1
> 
> Add the at_least (i.e. 'static') decoration to the fixed-size array
> parameters of more of the crypto library functions.  This causes clang
> to generate a warning if a too-small array of known size is passed.
> 
> Eric Biggers (6):
>   lib/crypto: chacha: Add at_least decoration to fixed-size array params
>   lib/crypto: curve25519: Add at_least decoration to fixed-size array
>     params
>   lib/crypto: md5: Add at_least decoration to fixed-size array params
>   lib/crypto: poly1305: Add at_least decoration to fixed-size array
>     params
>   lib/crypto: sha1: Add at_least decoration to fixed-size array params
>   lib/crypto: sha2: Add at_least decoration to fixed-size array params
> 
>  include/crypto/chacha.h     | 12 ++++-----
>  include/crypto/curve25519.h | 24 ++++++++++-------
>  include/crypto/md5.h        | 11 ++++----
>  include/crypto/poly1305.h   |  2 +-
>  include/crypto/sha1.h       | 12 +++++----
>  include/crypto/sha2.h       | 53 ++++++++++++++++++++++---------------

It turns out this causes a build error when <crypto/poly1305.h>,
<crypto/sha1.h>, or <crypto/sha2.h> is included before
<linux/compiler.h>.

Jason's patch to <crypto/chacha20poly1305.h> is okay, because that one
indirectly includes <linux/compiler.h> by chance.

I thought <linux/compiler.h> already got included in everything via the
-include compiler flag.  But it's actually <linux/compiler_types.h>
which works that way, not <linux/compiler.h> which is a regular header.

We can make these crypto headers include <linux/compiler.h>.  But before
we do that, should we perhaps consider putting the definition of
'at_least' in <linux/compiler_types.h> instead of in <linux/compiler.h>,
so that it becomes always available?  This is basically a core language
feature.  Maybe it belongs next to the definition of __counted_by, which
is another definition related to array bounds?

- Eric

Re: [PATCH 0/6] lib/crypto: More at_least decorations

[Jason A. Donenfeld]

On Sat, Nov 22, 2025 at 08:00:37PM -0800, Eric Biggers wrote:
> We can make these crypto headers include <linux/compiler.h>.  But before
> we do that, should we perhaps consider putting the definition of
> 'at_least' in <linux/compiler_types.h> instead of in <linux/compiler.h>,
> so that it becomes always available?  This is basically a core language
> feature.  Maybe it belongs next to the definition of __counted_by, which
> is another definition related to array bounds?

This is indeed exactly what should be done. Do you want me to make a v4
and you can rebase -next, or do you want to just fix this up on top?

Jason

Re: [PATCH 0/6] lib/crypto: More at_least decorations

[Eric Biggers]

On Sun, Nov 23, 2025 at 06:16:05AM +0100, Jason A. Donenfeld wrote:
> On Sat, Nov 22, 2025 at 08:00:37PM -0800, Eric Biggers wrote:
> > We can make these crypto headers include <linux/compiler.h>.  But before
> > we do that, should we perhaps consider putting the definition of
> > 'at_least' in <linux/compiler_types.h> instead of in <linux/compiler.h>,
> > so that it becomes always available?  This is basically a core language
> > feature.  Maybe it belongs next to the definition of __counted_by, which
> > is another definition related to array bounds?
> 
> This is indeed exactly what should be done. Do you want me to make a v4
> and you can rebase -next, or do you want to just fix this up on top?
> 
> Jason

Sending out v4 would be good.  Thanks.

- Eric

Re: [PATCH 0/6] lib/crypto: More at_least decorations

[Ard Biesheuvel]

On Sat, 22 Nov 2025 at 20:42, Eric Biggers <ebiggers@kernel.org> wrote:
>
> This series depends on the 'at_least' macro added by
> https://lore.kernel.org/r/20251122025510.1625066-4-Jason@zx2c4.com
> It can also be retrieved from
>
>     git fetch https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux.git more-at-least-decorations-v1
>
> Add the at_least (i.e. 'static') decoration to the fixed-size array
> parameters of more of the crypto library functions.  This causes clang
> to generate a warning if a too-small array of known size is passed.
>

FTR GCC does so too.

> Eric Biggers (6):
>   lib/crypto: chacha: Add at_least decoration to fixed-size array params
>   lib/crypto: curve25519: Add at_least decoration to fixed-size array
>     params
>   lib/crypto: md5: Add at_least decoration to fixed-size array params
>   lib/crypto: poly1305: Add at_least decoration to fixed-size array
>     params
>   lib/crypto: sha1: Add at_least decoration to fixed-size array params
>   lib/crypto: sha2: Add at_least decoration to fixed-size array params
>

Acked-by: Ard Biesheuvel <ardb@kernel.org>

>  include/crypto/chacha.h     | 12 ++++-----
>  include/crypto/curve25519.h | 24 ++++++++++-------
>  include/crypto/md5.h        | 11 ++++----
>  include/crypto/poly1305.h   |  2 +-
>  include/crypto/sha1.h       | 12 +++++----
>  include/crypto/sha2.h       | 53 ++++++++++++++++++++++---------------
>  6 files changed, 65 insertions(+), 49 deletions(-)
>
>
> base-commit: 86d930bb1c19ec798fd432c5b8f25912373c98b2
> --
> 2.51.2
>

Re: [PATCH 0/6] lib/crypto: More at_least decorations

[Eric Biggers]

On Sat, Nov 22, 2025 at 11:42:00AM -0800, Eric Biggers wrote:
> This series depends on the 'at_least' macro added by
> https://lore.kernel.org/r/20251122025510.1625066-4-Jason@zx2c4.com
> It can also be retrieved from
> 
>     git fetch https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux.git more-at-least-decorations-v1
> 
> Add the at_least (i.e. 'static') decoration to the fixed-size array
> parameters of more of the crypto library functions.  This causes clang
> to generate a warning if a too-small array of known size is passed.
> 
> Eric Biggers (6):
>   lib/crypto: chacha: Add at_least decoration to fixed-size array params
>   lib/crypto: curve25519: Add at_least decoration to fixed-size array
>     params
>   lib/crypto: md5: Add at_least decoration to fixed-size array params
>   lib/crypto: poly1305: Add at_least decoration to fixed-size array
>     params
>   lib/crypto: sha1: Add at_least decoration to fixed-size array params
>   lib/crypto: sha2: Add at_least decoration to fixed-size array params
> 

Applied this series to
https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux.git/log/?h=libcrypto-next

The build errors should be gone now, since I rebased it on top of
Jason's v4 patch
(https://lore.kernel.org/linux-crypto/20251123054819.2371989-3-Jason@zx2c4.com/).

- Eric

Re: [PATCH 0/6] lib/crypto: More at_least decorations

[Eric Biggers]

On Sun, Nov 23, 2025 at 09:31:19AM +0100, Ard Biesheuvel wrote:
> On Sat, 22 Nov 2025 at 20:42, Eric Biggers <ebiggers@kernel.org> wrote:
> >
> > This series depends on the 'at_least' macro added by
> > https://lore.kernel.org/r/20251122025510.1625066-4-Jason@zx2c4.com
> > It can also be retrieved from
> >
> >     git fetch https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux.git more-at-least-decorations-v1
> >
> > Add the at_least (i.e. 'static') decoration to the fixed-size array
> > parameters of more of the crypto library functions.  This causes clang
> > to generate a warning if a too-small array of known size is passed.
> >
> 
> FTR GCC does so too.

See https://lore.kernel.org/linux-crypto/20251115021430.GA2148@sol/
Unfortunately gcc puts these warnings under -Wstringop-overflow which
the kernel disables, so we don't see them.  clang works, though.

- Eric

Re: [PATCH 0/6] lib/crypto: More at_least decorations

[Jason A. Donenfeld]

On Sun, Nov 23, 2025 at 9:37 PM Eric Biggers <ebiggers@kernel.org> wrote:
>
> On Sun, Nov 23, 2025 at 09:31:19AM +0100, Ard Biesheuvel wrote:
> > On Sat, 22 Nov 2025 at 20:42, Eric Biggers <ebiggers@kernel.org> wrote:
> > >
> > > This series depends on the 'at_least' macro added by
> > > https://lore.kernel.org/r/20251122025510.1625066-4-Jason@zx2c4.com
> > > It can also be retrieved from
> > >
> > >     git fetch https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux.git more-at-least-decorations-v1
> > >
> > > Add the at_least (i.e. 'static') decoration to the fixed-size array
> > > parameters of more of the crypto library functions.  This causes clang
> > > to generate a warning if a too-small array of known size is passed.
> > >
> >
> > FTR GCC does so too.
>
> See https://lore.kernel.org/linux-crypto/20251115021430.GA2148@sol/
> Unfortunately gcc puts these warnings under -Wstringop-overflow which
> the kernel disables, so we don't see them.  clang works, though.

Is that disabling new? Look at the commit message in my chapoly
patch... The warning shown there happened from a real live kernel
build.

Jason

Re: [PATCH 0/6] lib/crypto: More at_least decorations

[Eric Biggers]

On Sun, Nov 23, 2025 at 09:38:49PM +0100, Jason A. Donenfeld wrote:
> On Sun, Nov 23, 2025 at 9:37 PM Eric Biggers <ebiggers@kernel.org> wrote:
> >
> > On Sun, Nov 23, 2025 at 09:31:19AM +0100, Ard Biesheuvel wrote:
> > > On Sat, 22 Nov 2025 at 20:42, Eric Biggers <ebiggers@kernel.org> wrote:
> > > >
> > > > This series depends on the 'at_least' macro added by
> > > > https://lore.kernel.org/r/20251122025510.1625066-4-Jason@zx2c4.com
> > > > It can also be retrieved from
> > > >
> > > >     git fetch https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux.git more-at-least-decorations-v1
> > > >
> > > > Add the at_least (i.e. 'static') decoration to the fixed-size array
> > > > parameters of more of the crypto library functions.  This causes clang
> > > > to generate a warning if a too-small array of known size is passed.
> > > >
> > >
> > > FTR GCC does so too.
> >
> > See https://lore.kernel.org/linux-crypto/20251115021430.GA2148@sol/
> > Unfortunately gcc puts these warnings under -Wstringop-overflow which
> > the kernel disables, so we don't see them.  clang works, though.
> 
> Is that disabling new?

No.

> Look at the commit message in my chapoly patch... The warning shown
> there happened from a real live kernel build.

Oh, there's actually a difference between const and non-const
parameters.  A const parameter gives -Wstringop-overread, while a
non-const one gives -Wstringop-overflow.  Only the latter is disabled.

- Eric

Re: [PATCH 0/6] lib/crypto: More at_least decorations

[Kees Cook]

On Sun, Nov 23, 2025 at 12:54:31PM -0800, Eric Biggers wrote:
> Oh, there's actually a difference between const and non-const
> parameters.  A const parameter gives -Wstringop-overread, while a
> non-const one gives -Wstringop-overflow.  Only the latter is disabled.

FWIW, I'm hoping we can make the last bit of progress needed to get
-Warray-bounds and -Wstringop-overflow enabled globally after this
patch helps us track down any stragglers:
https://lore.kernel.org/lkml/20251121184342.it.626-kees@kernel.org/

-Kees

-- 
Kees Cook