diff options
| -rw-r--r-- | target/linux/generic/backport-5.4/080-wireguard-0136-lib-crypto-blake2s-move-hmac-construction-into-wireg.patch | 108 |
1 files changed, 108 insertions, 0 deletions
diff --git a/target/linux/generic/backport-5.4/080-wireguard-0136-lib-crypto-blake2s-move-hmac-construction-into-wireg.patch b/target/linux/generic/backport-5.4/080-wireguard-0136-lib-crypto-blake2s-move-hmac-construction-into-wireg.patch new file mode 100644 index 0000000000..78491f59c1 --- /dev/null +++ b/target/linux/generic/backport-5.4/080-wireguard-0136-lib-crypto-blake2s-move-hmac-construction-into-wireg.patch @@ -0,0 +1,108 @@ +From 5fb6a3ba3af6aff7cdc53d319fc4cc6f79555ca1 Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" <Jason@zx2c4.com> +Date: Tue, 11 Jan 2022 14:37:41 +0100 +Subject: lib/crypto: blake2s: move hmac construction into wireguard + +commit d8d83d8ab0a453e17e68b3a3bed1f940c34b8646 upstream. + +Basically nobody should use blake2s in an HMAC construction; it already +has a keyed variant. But unfortunately for historical reasons, Noise, +used by WireGuard, uses HKDF quite strictly, which means we have to use +this. Because this really shouldn't be used by others, this commit moves +it into wireguard's noise.c locally, so that kernels that aren't using +WireGuard don't get this superfluous code baked in. On m68k systems, +this shaves off ~314 bytes. + +Cc: Herbert Xu <herbert@gondor.apana.org.au> +Tested-by: Geert Uytterhoeven <geert@linux-m68k.org> +Acked-by: Ard Biesheuvel <ardb@kernel.org> +Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/net/wireguard/noise.c | 45 ++++++++++++++++++++++++++++++----- + include/crypto/blake2s.h | 3 --- + lib/crypto/blake2s-selftest.c | 31 ------------------------ + lib/crypto/blake2s.c | 37 ---------------------------- + 4 files changed, 39 insertions(+), 77 deletions(-) + +--- a/drivers/net/wireguard/noise.c ++++ b/drivers/net/wireguard/noise.c +@@ -302,6 +302,41 @@ void wg_noise_set_static_identity_privat + static_identity->static_public, private_key); + } + ++static void hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen, const size_t keylen) ++{ ++ struct blake2s_state state; ++ u8 x_key[BLAKE2S_BLOCK_SIZE] __aligned(__alignof__(u32)) = { 0 }; ++ u8 i_hash[BLAKE2S_HASH_SIZE] __aligned(__alignof__(u32)); ++ int i; ++ ++ if (keylen > BLAKE2S_BLOCK_SIZE) { ++ blake2s_init(&state, BLAKE2S_HASH_SIZE); ++ blake2s_update(&state, key, keylen); ++ blake2s_final(&state, x_key); ++ } else ++ memcpy(x_key, key, keylen); ++ ++ for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i) ++ x_key[i] ^= 0x36; ++ ++ blake2s_init(&state, BLAKE2S_HASH_SIZE); ++ blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE); ++ blake2s_update(&state, in, inlen); ++ blake2s_final(&state, i_hash); ++ ++ for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i) ++ x_key[i] ^= 0x5c ^ 0x36; ++ ++ blake2s_init(&state, BLAKE2S_HASH_SIZE); ++ blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE); ++ blake2s_update(&state, i_hash, BLAKE2S_HASH_SIZE); ++ blake2s_final(&state, i_hash); ++ ++ memcpy(out, i_hash, BLAKE2S_HASH_SIZE); ++ memzero_explicit(x_key, BLAKE2S_BLOCK_SIZE); ++ memzero_explicit(i_hash, BLAKE2S_HASH_SIZE); ++} ++ + /* This is Hugo Krawczyk's HKDF: + * - https://eprint.iacr.org/2010/264.pdf + * - https://tools.ietf.org/html/rfc5869 +@@ -322,14 +357,14 @@ static void kdf(u8 *first_dst, u8 *secon + ((third_len || third_dst) && (!second_len || !second_dst)))); + + /* Extract entropy from data into secret */ +- blake2s256_hmac(secret, data, chaining_key, data_len, NOISE_HASH_LEN); ++ hmac(secret, data, chaining_key, data_len, NOISE_HASH_LEN); + + if (!first_dst || !first_len) + goto out; + + /* Expand first key: key = secret, data = 0x1 */ + output[0] = 1; +- blake2s256_hmac(output, output, secret, 1, BLAKE2S_HASH_SIZE); ++ hmac(output, output, secret, 1, BLAKE2S_HASH_SIZE); + memcpy(first_dst, output, first_len); + + if (!second_dst || !second_len) +@@ -337,8 +372,7 @@ static void kdf(u8 *first_dst, u8 *secon + + /* Expand second key: key = secret, data = first-key || 0x2 */ + output[BLAKE2S_HASH_SIZE] = 2; +- blake2s256_hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1, +- BLAKE2S_HASH_SIZE); ++ hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1, BLAKE2S_HASH_SIZE); + memcpy(second_dst, output, second_len); + + if (!third_dst || !third_len) +@@ -346,8 +380,7 @@ static void kdf(u8 *first_dst, u8 *secon + + /* Expand third key: key = secret, data = second-key || 0x3 */ + output[BLAKE2S_HASH_SIZE] = 3; +- blake2s256_hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1, +- BLAKE2S_HASH_SIZE); ++ hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1, BLAKE2S_HASH_SIZE); + memcpy(third_dst, output, third_len); + + out: |