Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp6136918iog; Thu, 23 Jun 2022 12:07:06 -0700 (PDT) X-Google-Smtp-Source: AGRyM1uT65P+W7ZJ8xqkHWTB1ITWtM+qu5PW6v8JOO4RJgSTmK6vZs3WuFgchfK/GyfbBhUBTch7 X-Received: by 2002:a17:902:e54e:b0:16a:1009:42f with SMTP id n14-20020a170902e54e00b0016a1009042fmr29603648plf.90.1656011226683; Thu, 23 Jun 2022 12:07:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1656011226; cv=none; d=google.com; s=arc-20160816; b=MAH2YDHGCwpz9laX++FW31G2cqoHezCLem1MwMk8rh2vfg7AnEllK9NFuGMMslxpJl QZuHHvYKy0dQTpKAJdoxhywFXEW2bctLLH52Qc9R/s3NgxQMthbvf4bKoiuKbjFoovn1 k222azSAcJZT5BgbiaAOkoa0G2PfVeL6Ug0bDIVyudZIRaSdN8XlchIr1iuPCrKP76fO Il92IBdwZFAi3D7RbCxjomI0qifpnxwpJwZ9JQQPkfrzgMKVCp0X7221faKpYUpvpGyp 436cpUDV9rO8XAWiZihKME15ip1Bi169HzilBI8Td0wowK3zacxmsw1T2E+BZ9i5N1sO qe3Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=sMRgcYrbJFXgyM6VBiZcM7WyrbHYuQAe52A/D9nb/9U=; b=df0zwIvnE79Gs29vfxdeiKEeTLy2fEsTAS6RDeTnDMVu3ItkIYqLcXu++zaIZKBEMS vcY0RpSjly5bNDXIkVRhuohEq7A1rdP+YMakgQe6bTtSg8PXLPAlPN4pDWfQZgJj9mDC VCzcj9DcyW+hsdFO0l2xLMVst8sR73iq61Ne8EMB1424jfVhG5V5kzpsOBHc+Y92+tt0 qr10gDn32CUEhIxzB6J/ach8d+FXYaz12abKAF11yEGkqnvaiyVjdtiQMTxCRVXZdy3t fQYEZqV3/ChcF8cRIuvmmlafYxDimQojcJtLsySLcwQsW9D9I2/LdJDn51Y5QoS9oKzI xyxw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=K9LvRaz5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id ob18-20020a17090b391200b001e851c352easi3988389pjb.135.2022.06.23.12.06.53; Thu, 23 Jun 2022 12:07:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=K9LvRaz5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232847AbiFWRAu (ORCPT + 99 others); Thu, 23 Jun 2022 13:00:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49222 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232647AbiFWQtY (ORCPT ); Thu, 23 Jun 2022 12:49:24 -0400 Received: from sin.source.kernel.org (sin.source.kernel.org [IPv6:2604:1380:40e1:4800::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E351A4D631; Thu, 23 Jun 2022 09:47:44 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sin.source.kernel.org (Postfix) with ESMTPS id 4AD8CCE25CD; Thu, 23 Jun 2022 16:47:43 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4E1B5C3411B; Thu, 23 Jun 2022 16:47:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1656002861; bh=GveS77NFMpQY+xaymSevlHEOIq7CUjT0HjuXcn/+YKY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=K9LvRaz5UGeslEsUUZE2M6an7RhpzTWqws5WZoODr8+I4E3N8Rddra0y4EiUxXlDC teZONmvqZd3HXYf9PUfcAG6g93YZxkfXDIAlywEbYpXpR4rr/rOG0TJgMyCs8pRfZE qpRiXH9k5Z+rvpghcrRO6OkvkcSYOsj2lfdt+N6k= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Herbert Xu , Geert Uytterhoeven , Ard Biesheuvel , "Jason A. Donenfeld" Subject: [PATCH 4.9 051/264] lib/crypto: blake2s: move hmac construction into wireguard Date: Thu, 23 Jun 2022 18:40:44 +0200 Message-Id: <20220623164345.515548745@linuxfoundation.org> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220623164344.053938039@linuxfoundation.org> References: <20220623164344.053938039@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.7 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: "Jason A. Donenfeld" commit d8d83d8ab0a453e17e68b3a3bed1f940c34b8646 upstream. Basically nobody should use blake2s in an HMAC construction; it already has a keyed variant. But unfortunately for historical reasons, Noise, used by WireGuard, uses HKDF quite strictly, which means we have to use this. Because this really shouldn't be used by others, this commit moves it into wireguard's noise.c locally, so that kernels that aren't using WireGuard don't get this superfluous code baked in. On m68k systems, this shaves off ~314 bytes. Cc: Herbert Xu Tested-by: Geert Uytterhoeven Acked-by: Ard Biesheuvel [Jason: for stable, skip the wireguard changes, since this kernel doesn't have wireguard.] Signed-off-by: Jason A. Donenfeld Signed-off-by: Greg Kroah-Hartman --- include/crypto/blake2s.h | 3 --- lib/crypto/blake2s-selftest.c | 31 ------------------------------- lib/crypto/blake2s.c | 37 ------------------------------------- 3 files changed, 71 deletions(-) --- a/include/crypto/blake2s.h +++ b/include/crypto/blake2s.h @@ -100,7 +100,4 @@ static inline void blake2s(u8 *out, cons blake2s_final(&state, out); } -void blake2s256_hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen, - const size_t keylen); - #endif /* BLAKE2S_H */ --- a/lib/crypto/blake2s-selftest.c +++ b/lib/crypto/blake2s-selftest.c @@ -15,7 +15,6 @@ * #include * * #include - * #include * * #define BLAKE2S_TESTVEC_COUNT 256 * @@ -58,16 +57,6 @@ * } * printf("};\n\n"); * - * printf("static const u8 blake2s_hmac_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {\n"); - * - * HMAC(EVP_blake2s256(), key, sizeof(key), buf, sizeof(buf), hash, NULL); - * print_vec(hash, BLAKE2S_OUTBYTES); - * - * HMAC(EVP_blake2s256(), buf, sizeof(buf), key, sizeof(key), hash, NULL); - * print_vec(hash, BLAKE2S_OUTBYTES); - * - * printf("};\n"); - * * return 0; *} */ @@ -554,15 +543,6 @@ static const u8 blake2s_testvecs[][BLAKE 0xd6, 0x98, 0x6b, 0x07, 0x10, 0x65, 0x52, 0x65, }, }; -static const u8 blake2s_hmac_testvecs[][BLAKE2S_HASH_SIZE] __initconst = { - { 0xce, 0xe1, 0x57, 0x69, 0x82, 0xdc, 0xbf, 0x43, 0xad, 0x56, 0x4c, 0x70, - 0xed, 0x68, 0x16, 0x96, 0xcf, 0xa4, 0x73, 0xe8, 0xe8, 0xfc, 0x32, 0x79, - 0x08, 0x0a, 0x75, 0x82, 0xda, 0x3f, 0x05, 0x11, }, - { 0x77, 0x2f, 0x0c, 0x71, 0x41, 0xf4, 0x4b, 0x2b, 0xb3, 0xc6, 0xb6, 0xf9, - 0x60, 0xde, 0xe4, 0x52, 0x38, 0x66, 0xe8, 0xbf, 0x9b, 0x96, 0xc4, 0x9f, - 0x60, 0xd9, 0x24, 0x37, 0x99, 0xd6, 0xec, 0x31, }, -}; - bool __init blake2s_selftest(void) { u8 key[BLAKE2S_KEY_SIZE]; @@ -607,16 +587,5 @@ bool __init blake2s_selftest(void) } } - if (success) { - blake2s256_hmac(hash, buf, key, sizeof(buf), sizeof(key)); - success &= !memcmp(hash, blake2s_hmac_testvecs[0], BLAKE2S_HASH_SIZE); - - blake2s256_hmac(hash, key, buf, sizeof(key), sizeof(buf)); - success &= !memcmp(hash, blake2s_hmac_testvecs[1], BLAKE2S_HASH_SIZE); - - if (!success) - pr_err("blake2s256_hmac self-test: FAIL\n"); - } - return success; } --- a/lib/crypto/blake2s.c +++ b/lib/crypto/blake2s.c @@ -59,43 +59,6 @@ void blake2s_final(struct blake2s_state } EXPORT_SYMBOL(blake2s_final); -void blake2s256_hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen, - const size_t keylen) -{ - struct blake2s_state state; - u8 x_key[BLAKE2S_BLOCK_SIZE] __aligned(__alignof__(u32)) = { 0 }; - u8 i_hash[BLAKE2S_HASH_SIZE] __aligned(__alignof__(u32)); - int i; - - if (keylen > BLAKE2S_BLOCK_SIZE) { - blake2s_init(&state, BLAKE2S_HASH_SIZE); - blake2s_update(&state, key, keylen); - blake2s_final(&state, x_key); - } else - memcpy(x_key, key, keylen); - - for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i) - x_key[i] ^= 0x36; - - blake2s_init(&state, BLAKE2S_HASH_SIZE); - blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE); - blake2s_update(&state, in, inlen); - blake2s_final(&state, i_hash); - - for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i) - x_key[i] ^= 0x5c ^ 0x36; - - blake2s_init(&state, BLAKE2S_HASH_SIZE); - blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE); - blake2s_update(&state, i_hash, BLAKE2S_HASH_SIZE); - blake2s_final(&state, i_hash); - - memcpy(out, i_hash, BLAKE2S_HASH_SIZE); - memzero_explicit(x_key, BLAKE2S_BLOCK_SIZE); - memzero_explicit(i_hash, BLAKE2S_HASH_SIZE); -} -EXPORT_SYMBOL(blake2s256_hmac); - static int __init mod_init(void) { if (!IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS) &&