kernel: backport wireguard blake2s patch
authorHauke Mehrtens <hauke@hauke-m.de>
Sun, 3 Jul 2022 19:27:38 +0000 (21:27 +0200)
committerHauke Mehrtens <hauke@hauke-m.de>
Sun, 3 Jul 2022 19:27:38 +0000 (21:27 +0200)
This patch was backported to kernel 5.4.200, but without the wireguard
change, because wireguard is not available in upstream kernel 5.4.
This adds the missing changes for wireguard too.

Fixes: be0639063a70 ("kernel: bump 5.4 to 5.4.203")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
target/linux/generic/backport-5.4/080-wireguard-0136-lib-crypto-blake2s-move-hmac-construction-into-wireg.patch [new file with mode: 0644]

diff --git a/target/linux/generic/backport-5.4/080-wireguard-0136-lib-crypto-blake2s-move-hmac-construction-into-wireg.patch b/target/linux/generic/backport-5.4/080-wireguard-0136-lib-crypto-blake2s-move-hmac-construction-into-wireg.patch
new file mode 100644 (file)
index 0000000..78491f5
--- /dev/null
@@ -0,0 +1,108 @@
+From 5fb6a3ba3af6aff7cdc53d319fc4cc6f79555ca1 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 11 Jan 2022 14:37:41 +0100
+Subject: lib/crypto: blake2s: move hmac construction into wireguard
+
+commit d8d83d8ab0a453e17e68b3a3bed1f940c34b8646 upstream.
+
+Basically nobody should use blake2s in an HMAC construction; it already
+has a keyed variant. But unfortunately for historical reasons, Noise,
+used by WireGuard, uses HKDF quite strictly, which means we have to use
+this. Because this really shouldn't be used by others, this commit moves
+it into wireguard's noise.c locally, so that kernels that aren't using
+WireGuard don't get this superfluous code baked in. On m68k systems,
+this shaves off ~314 bytes.
+
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Tested-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireguard/noise.c | 45 ++++++++++++++++++++++++++++++-----
+ include/crypto/blake2s.h      |  3 ---
+ lib/crypto/blake2s-selftest.c | 31 ------------------------
+ lib/crypto/blake2s.c          | 37 ----------------------------
+ 4 files changed, 39 insertions(+), 77 deletions(-)
+
+--- a/drivers/net/wireguard/noise.c
++++ b/drivers/net/wireguard/noise.c
+@@ -302,6 +302,41 @@ void wg_noise_set_static_identity_privat
+               static_identity->static_public, private_key);
+ }
++static void hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen, const size_t keylen)
++{
++      struct blake2s_state state;
++      u8 x_key[BLAKE2S_BLOCK_SIZE] __aligned(__alignof__(u32)) = { 0 };
++      u8 i_hash[BLAKE2S_HASH_SIZE] __aligned(__alignof__(u32));
++      int i;
++
++      if (keylen > BLAKE2S_BLOCK_SIZE) {
++              blake2s_init(&state, BLAKE2S_HASH_SIZE);
++              blake2s_update(&state, key, keylen);
++              blake2s_final(&state, x_key);
++      } else
++              memcpy(x_key, key, keylen);
++
++      for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
++              x_key[i] ^= 0x36;
++
++      blake2s_init(&state, BLAKE2S_HASH_SIZE);
++      blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
++      blake2s_update(&state, in, inlen);
++      blake2s_final(&state, i_hash);
++
++      for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
++              x_key[i] ^= 0x5c ^ 0x36;
++
++      blake2s_init(&state, BLAKE2S_HASH_SIZE);
++      blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
++      blake2s_update(&state, i_hash, BLAKE2S_HASH_SIZE);
++      blake2s_final(&state, i_hash);
++
++      memcpy(out, i_hash, BLAKE2S_HASH_SIZE);
++      memzero_explicit(x_key, BLAKE2S_BLOCK_SIZE);
++      memzero_explicit(i_hash, BLAKE2S_HASH_SIZE);
++}
++
+ /* This is Hugo Krawczyk's HKDF:
+  *  - https://eprint.iacr.org/2010/264.pdf
+  *  - https://tools.ietf.org/html/rfc5869
+@@ -322,14 +357,14 @@ static void kdf(u8 *first_dst, u8 *secon
+                ((third_len || third_dst) && (!second_len || !second_dst))));
+       /* Extract entropy from data into secret */
+-      blake2s256_hmac(secret, data, chaining_key, data_len, NOISE_HASH_LEN);
++      hmac(secret, data, chaining_key, data_len, NOISE_HASH_LEN);
+       if (!first_dst || !first_len)
+               goto out;
+       /* Expand first key: key = secret, data = 0x1 */
+       output[0] = 1;
+-      blake2s256_hmac(output, output, secret, 1, BLAKE2S_HASH_SIZE);
++      hmac(output, output, secret, 1, BLAKE2S_HASH_SIZE);
+       memcpy(first_dst, output, first_len);
+       if (!second_dst || !second_len)
+@@ -337,8 +372,7 @@ static void kdf(u8 *first_dst, u8 *secon
+       /* Expand second key: key = secret, data = first-key || 0x2 */
+       output[BLAKE2S_HASH_SIZE] = 2;
+-      blake2s256_hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1,
+-                      BLAKE2S_HASH_SIZE);
++      hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1, BLAKE2S_HASH_SIZE);
+       memcpy(second_dst, output, second_len);
+       if (!third_dst || !third_len)
+@@ -346,8 +380,7 @@ static void kdf(u8 *first_dst, u8 *secon
+       /* Expand third key: key = secret, data = second-key || 0x3 */
+       output[BLAKE2S_HASH_SIZE] = 3;
+-      blake2s256_hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1,
+-                      BLAKE2S_HASH_SIZE);
++      hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1, BLAKE2S_HASH_SIZE);
+       memcpy(third_dst, output, third_len);
+ out: