target/linux/generic/backport-5.4/080-wireguard-0136-lib-crypto-blake2s-move-hmac-construction-into-wireg.patch - T108 - Gitiles

 From 5fb6a3ba3af6aff7cdc53d319fc4cc6f79555ca1 Mon Sep 17 00:00:00 2001
 From: "Jason A. Donenfeld" <Jason@zx2c4.com>
 Date: Tue, 11 Jan 2022 14:37:41 +0100
 Subject: lib/crypto: blake2s: move hmac construction into wireguard

 commit d8d83d8ab0a453e17e68b3a3bed1f940c34b8646 upstream.

 Basically nobody should use blake2s in an HMAC construction; it already
 has a keyed variant. But unfortunately for historical reasons, Noise,
 used by WireGuard, uses HKDF quite strictly, which means we have to use
 this. Because this really shouldn't be used by others, this commit moves
 it into wireguard's noise.c locally, so that kernels that aren't using
 WireGuard don't get this superfluous code baked in. On m68k systems,
 this shaves off ~314 bytes.

 Cc: Herbert Xu <herbert@gondor.apana.org.au>
 Tested-by: Geert Uytterhoeven <geert@linux-m68k.org>
 Acked-by: Ard Biesheuvel <ardb@kernel.org>
 Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  drivers/net/wireguard/noise.c | 45 ++++++++++++++++++++++++++++++-----
  include/crypto/blake2s.h      |  3 ---
  lib/crypto/blake2s-selftest.c | 31 ------------------------
  lib/crypto/blake2s.c          | 37 ----------------------------
  4 files changed, 39 insertions(+), 77 deletions(-)

 --- a/drivers/net/wireguard/noise.c
 +++ b/drivers/net/wireguard/noise.c
 @@ -302,6 +302,41 @@ void wg_noise_set_static_identity_privat
  		static_identity->static_public, private_key);
  }

 +static void hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen, const size_t keylen)
 +{
 +	struct blake2s_state state;
 +	u8 x_key[BLAKE2S_BLOCK_SIZE] __aligned(__alignof__(u32)) = { 0 };
 +	u8 i_hash[BLAKE2S_HASH_SIZE] __aligned(__alignof__(u32));
 +	int i;
 +
 +	if (keylen > BLAKE2S_BLOCK_SIZE) {
 +		blake2s_init(&state, BLAKE2S_HASH_SIZE);
 +		blake2s_update(&state, key, keylen);
 +		blake2s_final(&state, x_key);
 +	} else
 +		memcpy(x_key, key, keylen);
 +
 +	for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
 +		x_key[i] ^= 0x36;
 +
 +	blake2s_init(&state, BLAKE2S_HASH_SIZE);
 +	blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
 +	blake2s_update(&state, in, inlen);
 +	blake2s_final(&state, i_hash);
 +
 +	for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
 +		x_key[i] ^= 0x5c ^ 0x36;
 +
 +	blake2s_init(&state, BLAKE2S_HASH_SIZE);
 +	blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
 +	blake2s_update(&state, i_hash, BLAKE2S_HASH_SIZE);
 +	blake2s_final(&state, i_hash);
 +
 +	memcpy(out, i_hash, BLAKE2S_HASH_SIZE);
 +	memzero_explicit(x_key, BLAKE2S_BLOCK_SIZE);
 +	memzero_explicit(i_hash, BLAKE2S_HASH_SIZE);
 +}
 +
  /* This is Hugo Krawczyk's HKDF:
   *  - https://eprint.iacr.org/2010/264.pdf
   *  - https://tools.ietf.org/html/rfc5869
 @@ -322,14 +357,14 @@ static void kdf(u8 *first_dst, u8 *secon
  		 ((third_len || third_dst) && (!second_len || !second_dst))));

  	/* Extract entropy from data into secret */
 -	blake2s256_hmac(secret, data, chaining_key, data_len, NOISE_HASH_LEN);
 +	hmac(secret, data, chaining_key, data_len, NOISE_HASH_LEN);

  	if (!first_dst || !first_len)
  		goto out;

  	/* Expand first key: key = secret, data = 0x1 */
  	output[0] = 1;
 -	blake2s256_hmac(output, output, secret, 1, BLAKE2S_HASH_SIZE);
 +	hmac(output, output, secret, 1, BLAKE2S_HASH_SIZE);
  	memcpy(first_dst, output, first_len);

  	if (!second_dst || !second_len)
 @@ -337,8 +372,7 @@ static void kdf(u8 *first_dst, u8 *secon

  	/* Expand second key: key = secret, data = first-key || 0x2 */
  	output[BLAKE2S_HASH_SIZE] = 2;
 -	blake2s256_hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1,
 -			BLAKE2S_HASH_SIZE);
 +	hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1, BLAKE2S_HASH_SIZE);
  	memcpy(second_dst, output, second_len);

  	if (!third_dst || !third_len)
 @@ -346,8 +380,7 @@ static void kdf(u8 *first_dst, u8 *secon

  	/* Expand third key: key = secret, data = second-key || 0x3 */
  	output[BLAKE2S_HASH_SIZE] = 3;
 -	blake2s256_hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1,
 -			BLAKE2S_HASH_SIZE);
 +	hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1, BLAKE2S_HASH_SIZE);
  	memcpy(third_dst, output, third_len);

  out:
	From 5fb6a3ba3af6aff7cdc53d319fc4cc6f79555ca1 Mon Sep 17 00:00:00 2001
	From: "Jason A. Donenfeld" <Jason@zx2c4.com>
	Date: Tue, 11 Jan 2022 14:37:41 +0100
	Subject: lib/crypto: blake2s: move hmac construction into wireguard

	commit d8d83d8ab0a453e17e68b3a3bed1f940c34b8646 upstream.

	Basically nobody should use blake2s in an HMAC construction; it already
	has a keyed variant. But unfortunately for historical reasons, Noise,
	used by WireGuard, uses HKDF quite strictly, which means we have to use
	this. Because this really shouldn't be used by others, this commit moves
	it into wireguard's noise.c locally, so that kernels that aren't using
	WireGuard don't get this superfluous code baked in. On m68k systems,
	this shaves off ~314 bytes.

	Cc: Herbert Xu <herbert@gondor.apana.org.au>
	Tested-by: Geert Uytterhoeven <geert@linux-m68k.org>
	Acked-by: Ard Biesheuvel <ardb@kernel.org>
	Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	drivers/net/wireguard/noise.c \| 45 ++++++++++++++++++++++++++++++-----
	include/crypto/blake2s.h \| 3 ---
	lib/crypto/blake2s-selftest.c \| 31 ------------------------
	lib/crypto/blake2s.c \| 37 ----------------------------
	4 files changed, 39 insertions(+), 77 deletions(-)

	--- a/drivers/net/wireguard/noise.c
	+++ b/drivers/net/wireguard/noise.c
	@@ -302,6 +302,41 @@ void wg_noise_set_static_identity_privat
	static_identity->static_public, private_key);
	}

	+static void hmac(u8 out, const u8 in, const u8 *key, const size_t inlen, const size_t keylen)
	+{
	+ struct blake2s_state state;
	+ u8 x_key[BLAKE2S_BLOCK_SIZE] __aligned(__alignof__(u32)) = { 0 };
	+ u8 i_hash[BLAKE2S_HASH_SIZE] __aligned(__alignof__(u32));
	+ int i;
	+
	+ if (keylen > BLAKE2S_BLOCK_SIZE) {
	+ blake2s_init(&state, BLAKE2S_HASH_SIZE);
	+ blake2s_update(&state, key, keylen);
	+ blake2s_final(&state, x_key);
	+ } else
	+ memcpy(x_key, key, keylen);
	+
	+ for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
	+ x_key[i] ^= 0x36;
	+
	+ blake2s_init(&state, BLAKE2S_HASH_SIZE);
	+ blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
	+ blake2s_update(&state, in, inlen);
	+ blake2s_final(&state, i_hash);
	+
	+ for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
	+ x_key[i] ^= 0x5c ^ 0x36;
	+
	+ blake2s_init(&state, BLAKE2S_HASH_SIZE);
	+ blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
	+ blake2s_update(&state, i_hash, BLAKE2S_HASH_SIZE);
	+ blake2s_final(&state, i_hash);
	+
	+ memcpy(out, i_hash, BLAKE2S_HASH_SIZE);
	+ memzero_explicit(x_key, BLAKE2S_BLOCK_SIZE);
	+ memzero_explicit(i_hash, BLAKE2S_HASH_SIZE);
	+}
	+
	/* This is Hugo Krawczyk's HKDF:
	* - https://eprint.iacr.org/2010/264.pdf
	* - https://tools.ietf.org/html/rfc5869
	@@ -322,14 +357,14 @@ static void kdf(u8 first_dst, u8 secon
	((third_len \|\| third_dst) && (!second_len \|\| !second_dst))));

	/* Extract entropy from data into secret */
	- blake2s256_hmac(secret, data, chaining_key, data_len, NOISE_HASH_LEN);
	+ hmac(secret, data, chaining_key, data_len, NOISE_HASH_LEN);

	if (!first_dst \|\| !first_len)
	goto out;

	/* Expand first key: key = secret, data = 0x1 */
	output[0] = 1;
	- blake2s256_hmac(output, output, secret, 1, BLAKE2S_HASH_SIZE);
	+ hmac(output, output, secret, 1, BLAKE2S_HASH_SIZE);
	memcpy(first_dst, output, first_len);

	if (!second_dst \|\| !second_len)
	@@ -337,8 +372,7 @@ static void kdf(u8 first_dst, u8 secon

	/* Expand second key: key = secret, data = first-key \|\| 0x2 */
	output[BLAKE2S_HASH_SIZE] = 2;
	- blake2s256_hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1,
	- BLAKE2S_HASH_SIZE);
	+ hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1, BLAKE2S_HASH_SIZE);
	memcpy(second_dst, output, second_len);

	if (!third_dst \|\| !third_len)
	@@ -346,8 +380,7 @@ static void kdf(u8 first_dst, u8 secon

	/* Expand third key: key = secret, data = second-key \|\| 0x3 */
	output[BLAKE2S_HASH_SIZE] = 3;
	- blake2s256_hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1,
	- BLAKE2S_HASH_SIZE);
	+ hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1, BLAKE2S_HASH_SIZE);
	memcpy(third_dst, output, third_len);

	out: