mirror of
https://github.com/openwrt/openwrt.git
synced 2025-01-14 17:00:18 +00:00
109 lines
4.0 KiB
Diff
109 lines
4.0 KiB
Diff
|
From 5fb6a3ba3af6aff7cdc53d319fc4cc6f79555ca1 Mon Sep 17 00:00:00 2001
|
||
|
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
|
||
|
Date: Tue, 11 Jan 2022 14:37:41 +0100
|
||
|
Subject: lib/crypto: blake2s: move hmac construction into wireguard
|
||
|
|
||
|
commit d8d83d8ab0a453e17e68b3a3bed1f940c34b8646 upstream.
|
||
|
|
||
|
Basically nobody should use blake2s in an HMAC construction; it already
|
||
|
has a keyed variant. But unfortunately for historical reasons, Noise,
|
||
|
used by WireGuard, uses HKDF quite strictly, which means we have to use
|
||
|
this. Because this really shouldn't be used by others, this commit moves
|
||
|
it into wireguard's noise.c locally, so that kernels that aren't using
|
||
|
WireGuard don't get this superfluous code baked in. On m68k systems,
|
||
|
this shaves off ~314 bytes.
|
||
|
|
||
|
Cc: Herbert Xu <herbert@gondor.apana.org.au>
|
||
|
Tested-by: Geert Uytterhoeven <geert@linux-m68k.org>
|
||
|
Acked-by: Ard Biesheuvel <ardb@kernel.org>
|
||
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
||
|
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
---
|
||
|
drivers/net/wireguard/noise.c | 45 ++++++++++++++++++++++++++++++-----
|
||
|
include/crypto/blake2s.h | 3 ---
|
||
|
lib/crypto/blake2s-selftest.c | 31 ------------------------
|
||
|
lib/crypto/blake2s.c | 37 ----------------------------
|
||
|
4 files changed, 39 insertions(+), 77 deletions(-)
|
||
|
|
||
|
--- a/drivers/net/wireguard/noise.c
|
||
|
+++ b/drivers/net/wireguard/noise.c
|
||
|
@@ -302,6 +302,41 @@ void wg_noise_set_static_identity_privat
|
||
|
static_identity->static_public, private_key);
|
||
|
}
|
||
|
|
||
|
+static void hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen, const size_t keylen)
|
||
|
+{
|
||
|
+ struct blake2s_state state;
|
||
|
+ u8 x_key[BLAKE2S_BLOCK_SIZE] __aligned(__alignof__(u32)) = { 0 };
|
||
|
+ u8 i_hash[BLAKE2S_HASH_SIZE] __aligned(__alignof__(u32));
|
||
|
+ int i;
|
||
|
+
|
||
|
+ if (keylen > BLAKE2S_BLOCK_SIZE) {
|
||
|
+ blake2s_init(&state, BLAKE2S_HASH_SIZE);
|
||
|
+ blake2s_update(&state, key, keylen);
|
||
|
+ blake2s_final(&state, x_key);
|
||
|
+ } else
|
||
|
+ memcpy(x_key, key, keylen);
|
||
|
+
|
||
|
+ for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
|
||
|
+ x_key[i] ^= 0x36;
|
||
|
+
|
||
|
+ blake2s_init(&state, BLAKE2S_HASH_SIZE);
|
||
|
+ blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
|
||
|
+ blake2s_update(&state, in, inlen);
|
||
|
+ blake2s_final(&state, i_hash);
|
||
|
+
|
||
|
+ for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
|
||
|
+ x_key[i] ^= 0x5c ^ 0x36;
|
||
|
+
|
||
|
+ blake2s_init(&state, BLAKE2S_HASH_SIZE);
|
||
|
+ blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
|
||
|
+ blake2s_update(&state, i_hash, BLAKE2S_HASH_SIZE);
|
||
|
+ blake2s_final(&state, i_hash);
|
||
|
+
|
||
|
+ memcpy(out, i_hash, BLAKE2S_HASH_SIZE);
|
||
|
+ memzero_explicit(x_key, BLAKE2S_BLOCK_SIZE);
|
||
|
+ memzero_explicit(i_hash, BLAKE2S_HASH_SIZE);
|
||
|
+}
|
||
|
+
|
||
|
/* This is Hugo Krawczyk's HKDF:
|
||
|
* - https://eprint.iacr.org/2010/264.pdf
|
||
|
* - https://tools.ietf.org/html/rfc5869
|
||
|
@@ -322,14 +357,14 @@ static void kdf(u8 *first_dst, u8 *secon
|
||
|
((third_len || third_dst) && (!second_len || !second_dst))));
|
||
|
|
||
|
/* Extract entropy from data into secret */
|
||
|
- blake2s256_hmac(secret, data, chaining_key, data_len, NOISE_HASH_LEN);
|
||
|
+ hmac(secret, data, chaining_key, data_len, NOISE_HASH_LEN);
|
||
|
|
||
|
if (!first_dst || !first_len)
|
||
|
goto out;
|
||
|
|
||
|
/* Expand first key: key = secret, data = 0x1 */
|
||
|
output[0] = 1;
|
||
|
- blake2s256_hmac(output, output, secret, 1, BLAKE2S_HASH_SIZE);
|
||
|
+ hmac(output, output, secret, 1, BLAKE2S_HASH_SIZE);
|
||
|
memcpy(first_dst, output, first_len);
|
||
|
|
||
|
if (!second_dst || !second_len)
|
||
|
@@ -337,8 +372,7 @@ static void kdf(u8 *first_dst, u8 *secon
|
||
|
|
||
|
/* Expand second key: key = secret, data = first-key || 0x2 */
|
||
|
output[BLAKE2S_HASH_SIZE] = 2;
|
||
|
- blake2s256_hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1,
|
||
|
- BLAKE2S_HASH_SIZE);
|
||
|
+ hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1, BLAKE2S_HASH_SIZE);
|
||
|
memcpy(second_dst, output, second_len);
|
||
|
|
||
|
if (!third_dst || !third_len)
|
||
|
@@ -346,8 +380,7 @@ static void kdf(u8 *first_dst, u8 *secon
|
||
|
|
||
|
/* Expand third key: key = secret, data = second-key || 0x3 */
|
||
|
output[BLAKE2S_HASH_SIZE] = 3;
|
||
|
- blake2s256_hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1,
|
||
|
- BLAKE2S_HASH_SIZE);
|
||
|
+ hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1, BLAKE2S_HASH_SIZE);
|
||
|
memcpy(third_dst, output, third_len);
|
||
|
|
||
|
out:
|