[openwrt/openwrt] kernel: backport wireguard blake2s patch

LEDE Commits lede-commits at lists.infradead.org
Sun Jul 3 12:37:12 PDT 2022 

hauke pushed a commit to openwrt/openwrt.git, branch openwrt-21.02:
https://git.openwrt.org/8001e1995539526e873764bcedcff6aa69f1ee9f

commit 8001e1995539526e873764bcedcff6aa69f1ee9f
Author: Hauke Mehrtens <hauke at hauke-m.de>
AuthorDate: Sun Jul 3 21:27:38 2022 +0200

    kernel: backport wireguard blake2s patch
    
    This patch was backported to kernel 5.4.200, but without the wireguard
    change, because wireguard is not available in upstream kernel 5.4.
    This adds the missing changes for wireguard too.
    
    Fixes: be0639063a70 ("kernel: bump 5.4 to 5.4.203")
    Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
---
 ...blake2s-move-hmac-construction-into-wireg.patch | 108 +++++++++++++++++++++
 1 file changed, 108 insertions(+)

diff --git a/target/linux/generic/backport-5.4/080-wireguard-0136-lib-crypto-blake2s-move-hmac-construction-into-wireg.patch b/target/linux/generic/backport-5.4/080-wireguard-0136-lib-crypto-blake2s-move-hmac-construction-into-wireg.patch
new file mode 100644
index 0000000000..78491f59c1
--- /dev/null
+++ b/target/linux/generic/backport-5.4/080-wireguard-0136-lib-crypto-blake2s-move-hmac-construction-into-wireg.patch
@@ -0,0 +1,108 @@
+From 5fb6a3ba3af6aff7cdc53d319fc4cc6f79555ca1 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason at zx2c4.com>
+Date: Tue, 11 Jan 2022 14:37:41 +0100
+Subject: lib/crypto: blake2s: move hmac construction into wireguard
+
+commit d8d83d8ab0a453e17e68b3a3bed1f940c34b8646 upstream.
+
+Basically nobody should use blake2s in an HMAC construction; it already
+has a keyed variant. But unfortunately for historical reasons, Noise,
+used by WireGuard, uses HKDF quite strictly, which means we have to use
+this. Because this really shouldn't be used by others, this commit moves
+it into wireguard's noise.c locally, so that kernels that aren't using
+WireGuard don't get this superfluous code baked in. On m68k systems,
+this shaves off ~314 bytes.
+
+Cc: Herbert Xu <herbert at gondor.apana.org.au>
+Tested-by: Geert Uytterhoeven <geert at linux-m68k.org>
+Acked-by: Ard Biesheuvel <ardb at kernel.org>
+Signed-off-by: Jason A. Donenfeld <Jason at zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ drivers/net/wireguard/noise.c | 45 ++++++++++++++++++++++++++++++-----
+ include/crypto/blake2s.h      |  3 ---
+ lib/crypto/blake2s-selftest.c | 31 ------------------------
+ lib/crypto/blake2s.c          | 37 ----------------------------
+ 4 files changed, 39 insertions(+), 77 deletions(-)
+
+--- a/drivers/net/wireguard/noise.c
++++ b/drivers/net/wireguard/noise.c
+@@ -302,6 +302,41 @@ void wg_noise_set_static_identity_privat
+ 		static_identity->static_public, private_key);
+ }
+ 
++static void hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen, const size_t keylen)
++{
++	struct blake2s_state state;
++	u8 x_key[BLAKE2S_BLOCK_SIZE] __aligned(__alignof__(u32)) = { 0 };
++	u8 i_hash[BLAKE2S_HASH_SIZE] __aligned(__alignof__(u32));
++	int i;
++
++	if (keylen > BLAKE2S_BLOCK_SIZE) {
++		blake2s_init(&state, BLAKE2S_HASH_SIZE);
++		blake2s_update(&state, key, keylen);
++		blake2s_final(&state, x_key);
++	} else
++		memcpy(x_key, key, keylen);
++
++	for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
++		x_key[i] ^= 0x36;
++
++	blake2s_init(&state, BLAKE2S_HASH_SIZE);
++	blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
++	blake2s_update(&state, in, inlen);
++	blake2s_final(&state, i_hash);
++
++	for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
++		x_key[i] ^= 0x5c ^ 0x36;
++
++	blake2s_init(&state, BLAKE2S_HASH_SIZE);
++	blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
++	blake2s_update(&state, i_hash, BLAKE2S_HASH_SIZE);
++	blake2s_final(&state, i_hash);
++
++	memcpy(out, i_hash, BLAKE2S_HASH_SIZE);
++	memzero_explicit(x_key, BLAKE2S_BLOCK_SIZE);
++	memzero_explicit(i_hash, BLAKE2S_HASH_SIZE);
++}
++
+ /* This is Hugo Krawczyk's HKDF:
+  *  - https://eprint.iacr.org/2010/264.pdf
+  *  - https://tools.ietf.org/html/rfc5869
+@@ -322,14 +357,14 @@ static void kdf(u8 *first_dst, u8 *secon
+ 		 ((third_len || third_dst) && (!second_len || !second_dst))));
+ 
+ 	/* Extract entropy from data into secret */
+-	blake2s256_hmac(secret, data, chaining_key, data_len, NOISE_HASH_LEN);
++	hmac(secret, data, chaining_key, data_len, NOISE_HASH_LEN);
+ 
+ 	if (!first_dst || !first_len)
+ 		goto out;
+ 
+ 	/* Expand first key: key = secret, data = 0x1 */
+ 	output[0] = 1;
+-	blake2s256_hmac(output, output, secret, 1, BLAKE2S_HASH_SIZE);
++	hmac(output, output, secret, 1, BLAKE2S_HASH_SIZE);
+ 	memcpy(first_dst, output, first_len);
+ 
+ 	if (!second_dst || !second_len)
+@@ -337,8 +372,7 @@ static void kdf(u8 *first_dst, u8 *secon
+ 
+ 	/* Expand second key: key = secret, data = first-key || 0x2 */
+ 	output[BLAKE2S_HASH_SIZE] = 2;
+-	blake2s256_hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1,
+-			BLAKE2S_HASH_SIZE);
++	hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1, BLAKE2S_HASH_SIZE);
+ 	memcpy(second_dst, output, second_len);
+ 
+ 	if (!third_dst || !third_len)
+@@ -346,8 +380,7 @@ static void kdf(u8 *first_dst, u8 *secon
+ 
+ 	/* Expand third key: key = secret, data = second-key || 0x3 */
+ 	output[BLAKE2S_HASH_SIZE] = 3;
+-	blake2s256_hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1,
+-			BLAKE2S_HASH_SIZE);
++	hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1, BLAKE2S_HASH_SIZE);
+ 	memcpy(third_dst, output, third_len);
+ 
+ out:

More information about the lede-commits mailing list