lib/crypto: blake2s: Adjust parameter order of blake2s()

Reorder the parameters of blake2s() from (out, in, key, outlen, inlen,
keylen) to (key, keylen, in, inlen, out, outlen).

This aligns BLAKE2s with the common conventions of pairing buffers and
their lengths, and having outputs follow inputs.  This is widely used
elsewhere in lib/crypto/ and crypto/, and even elsewhere in the BLAKE2s
code itself such as blake2s_init_key() and blake2s_final().  So
blake2s() was a bit of an exception.

Notably, this results in the same order as hmac_*_usingrawkey().

Note that since the type signature changed, it's not possible for a
blake2s() call site to be silently missed.

Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Link: https://lore.kernel.org/r/20251018043106.375964-2-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>

diff --git a/drivers/char/random.c b/drivers/char/random.c
index b8b24b6ed3fe436c8102968392278d5cb5544f06..422c5c76571b950b7646dd2683378bca3a09527e 100644 (file)
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -701,7 +701,7 @@ static void extract_entropy(void *buf, size_t len)
 
        /* next_key = HASHPRF(seed, RDSEED || 0) */
        block.counter = 0;
-       blake2s(next_key, (u8 *)&block, seed, sizeof(next_key), sizeof(block), sizeof(seed));
+       blake2s(seed, sizeof(seed), (const u8 *)&block, sizeof(block), next_key, sizeof(next_key));
        blake2s_init_key(&input_pool.hash, BLAKE2S_HASH_SIZE, next_key, sizeof(next_key));
 
        spin_unlock_irqrestore(&input_pool.lock, flags);
@@ -711,7 +711,7 @@ static void extract_entropy(void *buf, size_t len)
                i = min_t(size_t, len, BLAKE2S_HASH_SIZE);
                /* output = HASHPRF(seed, RDSEED || ++counter) */
                ++block.counter;
-               blake2s(buf, (u8 *)&block, seed, i, sizeof(block), sizeof(seed));
+               blake2s(seed, sizeof(seed), (const u8 *)&block, sizeof(block), buf, i);
                len -= i;
                buf += i;
        }

diff --git a/drivers/net/wireguard/cookie.c b/drivers/net/wireguard/cookie.c
index 94d0a7206084e861ba7a8601ab27426a48edbb63..be1b83aae03bfa012b18e77f047cf04dd300d9b4 100644 (file)
--- a/drivers/net/wireguard/cookie.c
+++ b/drivers/net/wireguard/cookie.c
@@ -77,7 +77,7 @@ static void compute_mac1(u8 mac1[COOKIE_LEN], const void *message, size_t len,
 {
        len = len - sizeof(struct message_macs) +
              offsetof(struct message_macs, mac1);
-       blake2s(mac1, message, key, COOKIE_LEN, len, NOISE_SYMMETRIC_KEY_LEN);
+       blake2s(key, NOISE_SYMMETRIC_KEY_LEN, message, len, mac1, COOKIE_LEN);
 }
 
 static void compute_mac2(u8 mac2[COOKIE_LEN], const void *message, size_t len,
@@ -85,7 +85,7 @@ static void compute_mac2(u8 mac2[COOKIE_LEN], const void *message, size_t len,
 {
        len = len - sizeof(struct message_macs) +
              offsetof(struct message_macs, mac2);
-       blake2s(mac2, message, cookie, COOKIE_LEN, len, COOKIE_LEN);
+       blake2s(cookie, COOKIE_LEN, message, len, mac2, COOKIE_LEN);
 }
 
 static void make_cookie(u8 cookie[COOKIE_LEN], struct sk_buff *skb,

diff --git a/drivers/net/wireguard/noise.c b/drivers/net/wireguard/noise.c
index 7eb9a23a3d4d93250d8086356018e7d5e9dc0ac3..306abb876c8057d295ba3ba5c3593b1e178c601c 100644 (file)
--- a/drivers/net/wireguard/noise.c
+++ b/drivers/net/wireguard/noise.c
@@ -35,8 +35,8 @@ void __init wg_noise_init(void)
 {
        struct blake2s_state blake;
 
-       blake2s(handshake_init_chaining_key, handshake_name, NULL,
-               NOISE_HASH_LEN, sizeof(handshake_name), 0);
+       blake2s(NULL, 0, handshake_name, sizeof(handshake_name),
+               handshake_init_chaining_key, NOISE_HASH_LEN);
        blake2s_init(&blake, NOISE_HASH_LEN);
        blake2s_update(&blake, handshake_init_chaining_key, NOISE_HASH_LEN);
        blake2s_update(&blake, identifier_name, sizeof(identifier_name));

diff --git a/include/crypto/blake2s.h b/include/crypto/blake2s.h
index f9ffd39194eb81ba195f7153134ea54f7f938e83..a7dd678725b2741b5a12c4cd1e64a10db32a9292 100644 (file)
--- a/include/crypto/blake2s.h
+++ b/include/crypto/blake2s.h
@@ -86,9 +86,9 @@ static inline void blake2s_init_key(struct blake2s_state *state,
 void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen);
 void blake2s_final(struct blake2s_state *state, u8 *out);
 
-static inline void blake2s(u8 *out, const u8 *in, const u8 *key,
-                          const size_t outlen, const size_t inlen,
-                          const size_t keylen)
+static inline void blake2s(const u8 *key, const size_t keylen,
+                          const u8 *in, const size_t inlen,
+                          u8 *out, const size_t outlen)
 {
        struct blake2s_state state;
 

diff --git a/lib/crypto/tests/blake2s_kunit.c b/lib/crypto/tests/blake2s_kunit.c
index 057c40132246f1d2fab171c862c9adb6f9b4f306..247bbdf7dc864ec9d629088f117ef0e2276c6620 100644 (file)
--- a/lib/crypto/tests/blake2s_kunit.c
+++ b/lib/crypto/tests/blake2s_kunit.c
@@ -14,7 +14,7 @@
 static void blake2s_default(const u8 *data, size_t len,
                            u8 out[BLAKE2S_HASH_SIZE])
 {
-       blake2s(out, data, NULL, BLAKE2S_HASH_SIZE, len, 0);
+       blake2s(NULL, 0, data, len, out, BLAKE2S_HASH_SIZE);
 }
 
 static void blake2s_init_default(struct blake2s_state *state)
@@ -52,7 +52,7 @@ static void test_blake2s_all_key_and_hash_lens(struct kunit *test)
        for (int key_len = 0; key_len <= BLAKE2S_KEY_SIZE; key_len++) {
                rand_bytes_seeded_from_len(key, key_len);
                for (int out_len = 1; out_len <= BLAKE2S_HASH_SIZE; out_len++) {
-                       blake2s(hash, data, key, out_len, data_len, key_len);
+                       blake2s(key, key_len, data, data_len, hash, out_len);
                        blake2s_update(&main_state, hash, out_len);
                }
        }
@@ -80,10 +80,10 @@ static void test_blake2s_with_guarded_key_buf(struct kunit *test)
                rand_bytes(key, key_len);
                memcpy(guarded_key, key, key_len);
 
-               blake2s(hash1, test_buf, key,
-                       BLAKE2S_HASH_SIZE, data_len, key_len);
-               blake2s(hash2, test_buf, guarded_key,
-                       BLAKE2S_HASH_SIZE, data_len, key_len);
+               blake2s(key, key_len, test_buf, data_len,
+                       hash1, BLAKE2S_HASH_SIZE);
+               blake2s(guarded_key, key_len, test_buf, data_len,
+                       hash2, BLAKE2S_HASH_SIZE);
                KUNIT_ASSERT_MEMEQ(test, hash1, hash2, BLAKE2S_HASH_SIZE);
 
                blake2s_init_key(&state, BLAKE2S_HASH_SIZE,
@@ -107,8 +107,8 @@ static void test_blake2s_with_guarded_out_buf(struct kunit *test)
                u8 hash[BLAKE2S_HASH_SIZE];
                u8 *guarded_hash = &test_buf[TEST_BUF_LEN - out_len];
 
-               blake2s(hash, test_buf, NULL, out_len, data_len, 0);
-               blake2s(guarded_hash, test_buf, NULL, out_len, data_len, 0);
+               blake2s(NULL, 0, test_buf, data_len, hash, out_len);
+               blake2s(NULL, 0, test_buf, data_len, guarded_hash, out_len);
                KUNIT_ASSERT_MEMEQ(test, hash, guarded_hash, out_len);
        }
 }