lib/crypto: blake2s: move hmac construction into wireguard
authorJason A. Donenfeld <Jason@zx2c4.com>
Tue, 11 Jan 2022 13:37:41 +0000 (14:37 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 25 Jun 2022 09:48:58 +0000 (11:48 +0200)
commit d8d83d8ab0a453e17e68b3a3bed1f940c34b8646 upstream.

Basically nobody should use blake2s in an HMAC construction; it already
has a keyed variant. But unfortunately for historical reasons, Noise,
used by WireGuard, uses HKDF quite strictly, which means we have to use
this. Because this really shouldn't be used by others, this commit moves
it into wireguard's noise.c locally, so that kernels that aren't using
WireGuard don't get this superfluous code baked in. On m68k systems,
this shaves off ~314 bytes.

Cc: Herbert Xu <herbert@gondor.apana.org.au>
Tested-by: Geert Uytterhoeven <geert@linux-m68k.org>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
[Jason: for stable, skip the wireguard changes, since this kernel
 doesn't have wireguard.]
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
include/crypto/blake2s.h
lib/crypto/blake2s-selftest.c
lib/crypto/blake2s.c

index b471deac28ff8812d10759723202ea7250f12cc2..00472cb95ead110514a0050c9fa878b2b9192ec5 100644 (file)
@@ -100,7 +100,4 @@ static inline void blake2s(u8 *out, const u8 *in, const u8 *key,
        blake2s_final(&state, out);
 }
 
-void blake2s256_hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen,
-                    const size_t keylen);
-
 #endif /* BLAKE2S_H */
index 79ef404a990d2a20bdc030a924e35f3a545d89e4..7a9edc96ddddf8d00d366d0b98bde4dfa71b3396 100644 (file)
@@ -15,7 +15,6 @@
  * #include <stdio.h>
  *
  * #include <openssl/evp.h>
- * #include <openssl/hmac.h>
  *
  * #define BLAKE2S_TESTVEC_COUNT       256
  *
  *     }
  *     printf("};\n\n");
  *
- *     printf("static const u8 blake2s_hmac_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {\n");
- *
- *     HMAC(EVP_blake2s256(), key, sizeof(key), buf, sizeof(buf), hash, NULL);
- *     print_vec(hash, BLAKE2S_OUTBYTES);
- *
- *     HMAC(EVP_blake2s256(), buf, sizeof(buf), key, sizeof(key), hash, NULL);
- *     print_vec(hash, BLAKE2S_OUTBYTES);
- *
- *     printf("};\n");
- *
  *     return 0;
  *}
  */
@@ -554,15 +543,6 @@ static const u8 blake2s_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {
     0xd6, 0x98, 0x6b, 0x07, 0x10, 0x65, 0x52, 0x65, },
 };
 
-static const u8 blake2s_hmac_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {
-  { 0xce, 0xe1, 0x57, 0x69, 0x82, 0xdc, 0xbf, 0x43, 0xad, 0x56, 0x4c, 0x70,
-    0xed, 0x68, 0x16, 0x96, 0xcf, 0xa4, 0x73, 0xe8, 0xe8, 0xfc, 0x32, 0x79,
-    0x08, 0x0a, 0x75, 0x82, 0xda, 0x3f, 0x05, 0x11, },
-  { 0x77, 0x2f, 0x0c, 0x71, 0x41, 0xf4, 0x4b, 0x2b, 0xb3, 0xc6, 0xb6, 0xf9,
-    0x60, 0xde, 0xe4, 0x52, 0x38, 0x66, 0xe8, 0xbf, 0x9b, 0x96, 0xc4, 0x9f,
-    0x60, 0xd9, 0x24, 0x37, 0x99, 0xd6, 0xec, 0x31, },
-};
-
 bool __init blake2s_selftest(void)
 {
        u8 key[BLAKE2S_KEY_SIZE];
@@ -607,16 +587,5 @@ bool __init blake2s_selftest(void)
                }
        }
 
-       if (success) {
-               blake2s256_hmac(hash, buf, key, sizeof(buf), sizeof(key));
-               success &= !memcmp(hash, blake2s_hmac_testvecs[0], BLAKE2S_HASH_SIZE);
-
-               blake2s256_hmac(hash, key, buf, sizeof(key), sizeof(buf));
-               success &= !memcmp(hash, blake2s_hmac_testvecs[1], BLAKE2S_HASH_SIZE);
-
-               if (!success)
-                       pr_err("blake2s256_hmac self-test: FAIL\n");
-       }
-
        return success;
 }
index 4cf856ee80cac89e87cb85a114c2201a2ebd2c56..536fce87555b31df8a50b4d6438e0577665bb7a6 100644 (file)
@@ -59,43 +59,6 @@ void blake2s_final(struct blake2s_state *state, u8 *out)
 }
 EXPORT_SYMBOL(blake2s_final);
 
-void blake2s256_hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen,
-                    const size_t keylen)
-{
-       struct blake2s_state state;
-       u8 x_key[BLAKE2S_BLOCK_SIZE] __aligned(__alignof__(u32)) = { 0 };
-       u8 i_hash[BLAKE2S_HASH_SIZE] __aligned(__alignof__(u32));
-       int i;
-
-       if (keylen > BLAKE2S_BLOCK_SIZE) {
-               blake2s_init(&state, BLAKE2S_HASH_SIZE);
-               blake2s_update(&state, key, keylen);
-               blake2s_final(&state, x_key);
-       } else
-               memcpy(x_key, key, keylen);
-
-       for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
-               x_key[i] ^= 0x36;
-
-       blake2s_init(&state, BLAKE2S_HASH_SIZE);
-       blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
-       blake2s_update(&state, in, inlen);
-       blake2s_final(&state, i_hash);
-
-       for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
-               x_key[i] ^= 0x5c ^ 0x36;
-
-       blake2s_init(&state, BLAKE2S_HASH_SIZE);
-       blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
-       blake2s_update(&state, i_hash, BLAKE2S_HASH_SIZE);
-       blake2s_final(&state, i_hash);
-
-       memcpy(out, i_hash, BLAKE2S_HASH_SIZE);
-       memzero_explicit(x_key, BLAKE2S_BLOCK_SIZE);
-       memzero_explicit(i_hash, BLAKE2S_HASH_SIZE);
-}
-EXPORT_SYMBOL(blake2s256_hmac);
-
 static int __init mod_init(void)
 {
        if (!IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS) &&