libgcrypt/kdf: Implement hash_buffers() for BLAKE2b-512

The hash_buffers() functions are disabled in GRUB by default but the
Argon2 implementation requires hash_buffers() for BLAKE2b-512.

This commit implements argon2_blake2b_512_hash_buffers() as the
replacement of _gcry_digest_spec_blake2b_512.hash_buffers().

Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
index 10cbd4fa41d35f48c54e4699c193aaff4a1b3e65..6da09b6d9010c8341b6e1ca951cf19503e8aeee5 100644 (file)
--- a/conf/Makefile.extra-dist
+++ b/conf/Makefile.extra-dist
@@ -43,6 +43,7 @@ EXTRA_DIST += grub-core/lib/libgcrypt-patches/05_disable_rsa_shake.patch
 EXTRA_DIST += grub-core/lib/libgcrypt-patches/06_blake.patch
 EXTRA_DIST += grub-core/lib/libgcrypt-patches/07_disable_64div.patch
 EXTRA_DIST += grub-core/lib/libgcrypt-patches/08_sexp_leak.patch
+EXTRA_DIST += grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch
 
 EXTRA_DIST += grub-core/lib/libtasn1-patches/0001-libtasn1-disable-code-not-needed-in-grub.patch
 EXTRA_DIST += grub-core/lib/libtasn1-patches/0002-libtasn1-replace-strcat-with-strcpy-in-_asn1_str_cat.patch

diff --git a/grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch b/grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch
new file mode 100644 (file)
index 0000000..fd4bae5
--- /dev/null
+++ b/grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch
@@ -0,0 +1,63 @@
+From 42e9975171439e2e9713e122cb0e74174f057e98 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Mon, 25 Aug 2025 15:54:24 +0800
+Subject: [PATCH 1/4] libgcrypt/kdf: Implement blake2b_512.hash_buffers()
+
+Add argon2_blake2b_512_hash_buffers() as the replacement of
+_gcry_digest_spec_blake2b_512.hash_buffers().
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ grub-core/lib/libgcrypt-grub/cipher/kdf.c | 25 ++++++++++++++++++++++-
+ 1 file changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/lib/libgcrypt-grub/cipher/kdf.c b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
+index 0689f88b1..08e3ef658 100644
+--- a/grub-core/lib/libgcrypt-grub/cipher/kdf.c
++++ b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
+@@ -129,10 +129,31 @@ beswap64_block (u64 *dst)
+ #endif
+ }
+ 
++/* Implementation of _gcry_blake2b_512_hash_buffers */
++static gcry_err_code_t
++argon2_blake2b_512_hash_buffers (void *outbuf, const gcry_buffer_t *iov, int iovcnt)
++{
++  void *hd;
++
++  hd = xtrymalloc (_gcry_digest_spec_blake2b_512.contextsize);
++  if (!hd)
++    return GPG_ERR_OUT_OF_MEMORY;
++
++  _gcry_digest_spec_blake2b_512.init (hd, 0);
++  for (;iovcnt > 0; iov++, iovcnt--)
++    _gcry_digest_spec_blake2b_512.write (hd, (const char*)iov[0].data + iov[0].off, iov[0].len);
++  _gcry_digest_spec_blake2b_512.final (hd);
++  grub_memcpy (outbuf, _gcry_digest_spec_blake2b_512.read (hd), 512 / 8);
++
++  xfree (hd);
++
++  return GPG_ERR_NO_ERROR;
++}
+ 
+ static gpg_err_code_t
+ argon2_fill_first_blocks (argon2_ctx_t a)
+ {
++  gpg_err_code_t err;
+   unsigned char h0_01_i[72];
+   unsigned char buf[10][4];
+   gcry_buffer_t iov[8];
+@@ -195,7 +216,9 @@ argon2_fill_first_blocks (argon2_ctx_t a)
+       iov_count++;
+     }
+ 
+-  _gcry_digest_spec_blake2b_512.hash_buffers (h0_01_i, 64, iov, iov_count);
++  err = argon2_blake2b_512_hash_buffers (h0_01_i, iov, iov_count);
++  if (err != GPG_ERR_NO_ERROR)
++    return err;
+ 
+   for (i = 0; i < a->lanes; i++)
+     {
+-- 
+2.51.0
+