This is a note to let you know that I've just added the patch titled lib/crypto: blake2s: move hmac construction into wireguard to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: lib-crypto-blake2s-move-hmac-construction-into-wireguard.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From foo@baz Thu Jun 16 07:08:33 PM CEST 2022 From: "Jason A. Donenfeld" <Jason@xxxxxxxxx> Date: Tue, 11 Jan 2022 14:37:41 +0100 Subject: lib/crypto: blake2s: move hmac construction into wireguard From: "Jason A. Donenfeld" <Jason@xxxxxxxxx> commit d8d83d8ab0a453e17e68b3a3bed1f940c34b8646 upstream. Basically nobody should use blake2s in an HMAC construction; it already has a keyed variant. But unfortunately for historical reasons, Noise, used by WireGuard, uses HKDF quite strictly, which means we have to use this. Because this really shouldn't be used by others, this commit moves it into wireguard's noise.c locally, so that kernels that aren't using WireGuard don't get this superfluous code baked in. On m68k systems, this shaves off ~314 bytes. Cc: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Tested-by: Geert Uytterhoeven <geert@xxxxxxxxxxxxxx> Acked-by: Ard Biesheuvel <ardb@xxxxxxxxxx> [Jason: for stable, skip the wireguard changes, since this kernel doesn't have wireguard.] Signed-off-by: Jason A. Donenfeld <Jason@xxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- include/crypto/blake2s.h | 3 --- lib/crypto/blake2s-selftest.c | 31 ------------------------------- lib/crypto/blake2s.c | 37 ------------------------------------- 3 files changed, 71 deletions(-) --- a/include/crypto/blake2s.h +++ b/include/crypto/blake2s.h 
@@ -100,7 +100,4 @@ static inline void blake2s(u8 *out, cons blake2s_final(&state, out); } -void blake2s256_hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen, - const size_t keylen); - #endif /* BLAKE2S_H */ --- a/lib/crypto/blake2s-selftest.c +++ b/lib/crypto/blake2s-selftest.c @@ -15,7 +15,6 @@ * #include <stdio.h> * * #include <openssl/evp.h> - * #include <openssl/hmac.h> * * #define BLAKE2S_TESTVEC_COUNT 256 * @@ -58,16 +57,6 @@ * } * printf("};\n\n"); * - * printf("static const u8 blake2s_hmac_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {\n"); - * - * HMAC(EVP_blake2s256(), key, sizeof(key), buf, sizeof(buf), hash, NULL); - * print_vec(hash, BLAKE2S_OUTBYTES); - * - * HMAC(EVP_blake2s256(), buf, sizeof(buf), key, sizeof(key), hash, NULL); - * print_vec(hash, BLAKE2S_OUTBYTES); - * - * printf("};\n"); - * * return 0; *} */ @@ -554,15 +543,6 @@ static const u8 blake2s_testvecs[][BLAKE 0xd6, 0x98, 0x6b, 0x07, 0x10, 0x65, 0x52, 0x65, }, }; -static const u8 blake2s_hmac_testvecs[][BLAKE2S_HASH_SIZE] __initconst = { - { 0xce, 0xe1, 0x57, 0x69, 0x82, 0xdc, 0xbf, 0x43, 0xad, 0x56, 0x4c, 0x70, - 0xed, 0x68, 0x16, 0x96, 0xcf, 0xa4, 0x73, 0xe8, 0xe8, 0xfc, 0x32, 0x79, - 0x08, 0x0a, 0x75, 0x82, 0xda, 0x3f, 0x05, 0x11, }, - { 0x77, 0x2f, 0x0c, 0x71, 0x41, 0xf4, 0x4b, 0x2b, 0xb3, 0xc6, 0xb6, 0xf9, - 0x60, 0xde, 0xe4, 0x52, 0x38, 0x66, 0xe8, 0xbf, 0x9b, 0x96, 0xc4, 0x9f, - 0x60, 0xd9, 0x24, 0x37, 0x99, 0xd6, 0xec, 0x31, }, -}; - bool __init blake2s_selftest(void) { u8 key[BLAKE2S_KEY_SIZE]; @@ -607,16 +587,5 @@ bool __init blake2s_selftest(void) } } - if (success) { - blake2s256_hmac(hash, buf, key, sizeof(buf), sizeof(key)); - success &= !memcmp(hash, blake2s_hmac_testvecs[0], BLAKE2S_HASH_SIZE); - - blake2s256_hmac(hash, key, buf, sizeof(key), sizeof(buf)); - success &= !memcmp(hash, blake2s_hmac_testvecs[1], BLAKE2S_HASH_SIZE); - - if (!success) - pr_err("blake2s256_hmac self-test: FAIL\n"); - } - return success; } --- a/lib/crypto/blake2s.c 
+++ b/lib/crypto/blake2s.c 
@@ -59,43 +59,6 @@ void blake2s_final(struct blake2s_state
 }
 EXPORT_SYMBOL(blake2s_final);
 
-void blake2s256_hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen,
- const size_t keylen)
-{
- struct blake2s_state state;
- u8 x_key[BLAKE2S_BLOCK_SIZE] __aligned(__alignof__(u32)) = { 0 };
- u8 i_hash[BLAKE2S_HASH_SIZE] __aligned(__alignof__(u32));
- int i;
-
- if (keylen > BLAKE2S_BLOCK_SIZE) {
- blake2s_init(&state, BLAKE2S_HASH_SIZE);
- blake2s_update(&state, key, keylen);
- blake2s_final(&state, x_key);
- } else
- memcpy(x_key, key, keylen);
-
- for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
- x_key[i] ^= 0x36;
-
- blake2s_init(&state, BLAKE2S_HASH_SIZE);
- blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
- blake2s_update(&state, in, inlen);
- blake2s_final(&state, i_hash);
-
- for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
- x_key[i] ^= 0x5c ^ 0x36;
-
- blake2s_init(&state, BLAKE2S_HASH_SIZE);
- blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
- blake2s_update(&state, i_hash, BLAKE2S_HASH_SIZE);
- blake2s_final(&state, i_hash);
-
- memcpy(out, i_hash, BLAKE2S_HASH_SIZE);
- memzero_explicit(x_key, BLAKE2S_BLOCK_SIZE);
- memzero_explicit(i_hash, BLAKE2S_HASH_SIZE);
-}
-EXPORT_SYMBOL(blake2s256_hmac);
-
 static int __init mod_init(void)
 {
 if (!IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS) &&
Patches currently in stable-queue which might be from Jason@xxxxxxxxx are queue-4.14/random-do-not-take-pool-spinlock-at-boot.patch queue-4.14/random-remove-kernel.random.read_wakeup_threshold.patch queue-4.14/random-simplify-arithmetic-function-flow-in-account.patch queue-4.14/random-order-timer-entropy-functions-below-interrupt-functions.patch queue-4.14/random-introduce-drain_entropy-helper-to-declutter-crng_reseed.patch queue-4.14/random-fix-locking-in-crng_fast_load.patch queue-4.14/random-cleanup-uuid-handling.patch queue-4.14/random-group-userspace-read-write-functions.patch queue-4.14/random-make-credit_entropy_bits-always-safe.patch
queue-4.14/latent_entropy-avoid-build-error-when-plugin-cflags-are-not-set.patch queue-4.14/revert-hwrng-core-freeze-khwrng-thread-during-suspend.patch queue-4.14/drivers-char-random.c-make-primary_crng-static.patch queue-4.14/random-do-not-re-init-if-crng_reseed-completes-before-primary-init.patch queue-4.14/random-always-fill-buffer-in-get_random_bytes_wait.patch queue-4.14/random-use-proper-jiffies-comparison-macro.patch queue-4.14/init-call-time_init-before-rand_initialize.patch queue-4.14/random-split-primary-secondary-crng-init-paths.patch queue-4.14/random-pull-add_hwgenerator_randomness-declaration-into-random.h.patch queue-4.14/random-unify-early-init-crng-load-accounting.patch queue-4.14/drivers-char-random.c-remove-unused-stuct-poolinfo-poolbits.patch queue-4.14/random-use-blake2s-instead-of-sha1-in-extraction.patch queue-4.14/random-make-cpu-trust-a-boot-parameter.patch queue-4.14/random-convert-to-using-fops-write_iter.patch queue-4.14/random-initialize-chacha20-constants-with-correct-endianness.patch queue-4.14/random-remove-incomplete-last_data-logic.patch queue-4.14/random-group-entropy-extraction-functions.patch queue-4.14/random-optimize-add_interrupt_randomness.patch queue-4.14/random-add-proper-spdx-header.patch queue-4.14/linux-random.h-remove-arch_has_random-arch_has_random_seed.patch queue-4.14/random-rewrite-header-introductory-comment.patch queue-4.14/random-make-dev-random-be-almost-like-dev-urandom.patch queue-4.14/random-remove-ifdef-d-out-interrupt-bench.patch queue-4.14/um-use-fallback-for-random_get_entropy-instead-of-zero.patch queue-4.14/lib-crypto-sha1-re-roll-loops-to-reduce-code-size.patch queue-4.14/random-tie-batched-entropy-generation-to-base_crng-generation.patch queue-4.14/sparc-use-fallback-for-random_get_entropy-instead-of-zero.patch queue-4.14/random-use-linear-min-entropy-accumulation-crediting.patch queue-4.14/random-remove-batched-entropy-locking.patch 
queue-4.14/xtensa-use-fallback-for-random_get_entropy-instead-of-zero.patch queue-4.14/powerpc-remove-arch_has_random-arch_has_random_seed.patch queue-4.14/fdt-add-support-for-rng-seed.patch queue-4.14/random-continually-use-hwgenerator-randomness.patch queue-4.14/random-access-input_pool_data-directly-rather-than-through-pointer.patch queue-4.14/random-add-arch_get_random_-long_early.patch queue-4.14/random-inline-leaves-of-rand_initialize.patch queue-4.14/random-cleanup-poolinfo-abstraction.patch queue-4.14/random-wire-up-fops-splice_-read-write-_iter.patch queue-4.14/random-handle-latent-entropy-and-command-line-from-random_init.patch queue-4.14/random-remove-use_input_pool-parameter-from-crng_reseed.patch queue-4.14/random-credit-architectural-init-the-exact-amount.patch queue-4.14/ia64-define-get_cycles-macro-for-arch-override.patch queue-4.14/random-replace-custom-notifier-chain-with-standard-one.patch queue-4.14/random-support-freezable-kthreads-in-add_hwgenerator_randomness.patch queue-4.14/random-document-get_random_int-family.patch queue-4.14/random-remove-the-blocking-pool.patch queue-4.14/random-avoid-initializing-twice-in-credit-race.patch queue-4.14/random-avoid-warnings-for-config_numa-builds.patch queue-4.14/crypto-drbg-add-fips-140-2-ctrng-for-noise-source.patch queue-4.14/random-mark-bootloader-randomness-code-as-__init.patch queue-4.14/random-zero-buffer-after-reading-entropy-from-userspace.patch queue-4.14/random-remove-whitespace-and-reorder-includes.patch queue-4.14/random-ignore-grnd_random-in-getentropy-2.patch queue-4.14/random-clear-fast-pool-crng-and-batches-in-cpuhp-bring-up.patch queue-4.14/random-document-add_hwgenerator_randomness-with-other-input-functions.patch queue-4.14/random-fix-typo-in-add_timer_randomness.patch queue-4.14/random-do-crng-pre-init-loading-in-worker-rather-than-irq.patch queue-4.14/powerpc-use-bool-in-archrandom.h.patch queue-4.14/random-do-not-split-fast-init-input-in-add_hwgenerator_randomness.patch 
queue-4.14/timekeeping-add-raw-clock-fallback-for-random_get_entropy.patch queue-4.14/random-early-initialization-of-chacha-constants.patch queue-4.14/crypto-drbg-prepare-for-more-fine-grained-tracking-of-seeding-state.patch queue-4.14/random-delete-code-to-pull-data-into-pools.patch queue-4.14/crypto-drbg-always-try-to-free-jitter-rng-instance.patch queue-4.14/random-simplify-entropy-debiting.patch queue-4.14/random-don-t-reset-crng_init_cnt-on-urandom_read.patch queue-4.14/random-skip-fast_init-if-hwrng-provides-large-chunk-of-entropy.patch queue-4.14/random-use-siphash-as-interrupt-entropy-accumulator.patch queue-4.14/random-avoid-checking-crng_ready-twice-in-random_init.patch queue-4.14/random-fix-soft-lockup-when-trying-to-read-from-an-uninitialized-blocking-pool.patch queue-4.14/random-group-sysctl-functions.patch queue-4.14/random-don-t-let-644-read-only-sysctls-be-written-to.patch queue-4.14/random-document-crng_fast_key_erasure-destination-possibility.patch queue-4.14/random-only-wake-up-writers-after-zap-if-threshold-was-passed.patch queue-4.14/random-use-wait_event_freezable-in-add_hwgenerator_randomness.patch queue-4.14/random-check-for-signal-and-try-earlier-when-generating-entropy.patch queue-4.14/random-check-for-signals-every-page_size-chunk-of-dev-random.patch queue-4.14/arm-use-fallback-for-random_get_entropy-instead-of-zero.patch queue-4.14/random-absorb-fast-pool-into-input-pool-after-fast-load.patch queue-4.14/random-give-sysctl_random_min_urandom_seed-a-more-sensible-value.patch queue-4.14/crypto-blake2s-generic-c-library-implementation-and-selftest.patch queue-4.14/random-cleanup-fractional-entropy-shift-constants.patch queue-4.14/random-use-rdseed-instead-of-rdrand-in-entropy-extraction.patch queue-4.14/random-move-rand_initialize-earlier.patch queue-4.14/random-don-t-wake-crng_init_wait-when-crng_init-1.patch queue-4.14/random-add-a-urandom_read_nowait-for-random-apis-that-don-t-warn.patch 
queue-4.14/random-do-not-sign-extend-bytes-for-rotation-when-mixing.patch queue-4.14/random-move-initialization-functions-out-of-hot-pages.patch queue-4.14/random-remove-dead-code-left-over-from-blocking-pool.patch queue-4.14/drivers-char-random.c-constify-poolinfo_table.patch queue-4.14/crypto-drbg-track-whether-drbg-was-seeded-with-rng_is_initialized.patch queue-4.14/random-use-computational-hash-for-entropy-extraction.patch queue-4.14/random-add-and-use-pr_fmt.patch queue-4.14/random-round-robin-registers-as-ulong-not-u32.patch queue-4.14/random-always-wake-up-entropy-writers-after-extraction.patch queue-4.14/s390-remove-arch_has_random-arch_has_random_seed.patch queue-4.14/random-do-not-xor-rdrand-when-writing-into-dev-random.patch queue-4.14/crypto-drbg-make-reseeding-from-get_random_bytes-synchronous.patch queue-4.14/random-convert-to-entropy_bits-for-better-code-readability.patch queue-4.14/char-random-add-a-newline-at-the-end-of-the-file.patch queue-4.14/random-move-randomize_page-into-mm-where-it-belongs.patch queue-4.14/random-only-call-crng_finalize_init-for-primary_crng.patch queue-4.14/random-cleanup-integer-types.patch queue-4.14/random-re-add-removed-comment-about-get_random_-u32-u64-reseeding.patch queue-4.14/random-unify-cycles_t-and-jiffies-usage-and-types.patch queue-4.14/random-insist-on-random_get_entropy-existing-in-order-to-simplify.patch queue-4.14/random-group-initialization-wait-functions.patch queue-4.14/linux-random.h-mark-config_arch_random-functions-__must_check.patch queue-4.14/random-remove-unused-extract_entropy-reserved-argument.patch queue-4.14/random-check-for-signal_pending-outside-of-need_resched-check.patch queue-4.14/random-access-primary_pool-directly-rather-than-through-pointer.patch queue-4.14/random-fix-sysctl-documentation-nits.patch queue-4.14/random-remove-unused-tracepoints.patch queue-4.14/random-only-read-from-dev-random-after-its-pool-has-received-128-bits.patch 
queue-4.14/nios2-use-fallback-for-random_get_entropy-instead-of-zero.patch queue-4.14/random-treat-bootloader-trust-toggle-the-same-way-as-cpu-trust-toggle.patch queue-4.14/random-make-consistent-usage-of-crng_ready.patch queue-4.14/lib-crypto-blake2s-move-hmac-construction-into-wireguard.patch queue-4.14/parisc-define-get_cycles-macro-for-arch-override.patch queue-4.14/x86-tsc-use-fallback-for-random_get_entropy-instead-of-zero.patch queue-4.14/crypto-chacha20-fix-keystream-alignment-for-chacha20_block.patch queue-4.14/random-add-grnd_insecure-to-return-best-effort-non-cryptographic-bytes.patch queue-4.14/random-fix-whitespace-pre-random-bytes-work.patch queue-4.14/crypto-drbg-move-dynamic-reseed_threshold-adjustments-to-__drbg_seed.patch queue-4.14/random-check-for-signals-after-page-of-pool-writes.patch queue-4.14/random-make-random_get_entropy-return-an-unsigned-long.patch queue-4.14/random-check-for-crng_init-0-in-add_device_randomness.patch queue-4.14/random-add-a-config-option-to-trust-the-cpu-s-hwrng.patch queue-4.14/random-remove-unnecessary-unlikely.patch queue-4.14/random-defer-fast-pool-mixing-to-worker.patch queue-4.14/random-harmonize-crng-init-done-messages.patch queue-4.14/crypto-blake2s-include-linux-bug.h-instead-of-asm-bug.h.patch queue-4.14/random-use-static-branch-for-crng_ready.patch queue-4.14/random-rather-than-entropy_store-abstraction-use-global.patch queue-4.14/drivers-char-random.c-remove-unused-dont_count_entropy.patch queue-4.14/random-remove-extern-from-functions-in-header.patch queue-4.14/siphash-use-one-source-of-truth-for-siphash-permutations.patch queue-4.14/random-group-entropy-collection-functions.patch queue-4.14/random-de-duplicate-input_pool-constants.patch queue-4.14/random-mix-build-time-latent-entropy-into-pool-at-init.patch queue-4.14/random-remove-useless-header-comment.patch queue-4.14/linux-random.h-use-false-with-bool.patch queue-4.14/maintainers-co-maintain-random.c.patch 
queue-4.14/random-remove-outdated-int_max-6-check-in-urandom_read.patch queue-4.14/m68k-use-fallback-for-random_get_entropy-instead-of-zero.patch queue-4.14/alpha-define-get_cycles-macro-for-arch-override.patch queue-4.14/random-mix-bootloader-randomness-into-pool.patch queue-4.14/random-remove-some-dead-code-of-poolinfo.patch queue-4.14/random-do-not-use-batches-when-crng_ready.patch queue-4.14/crypto-drbg-always-seeded-with-sp800-90b-compliant-noise-source.patch queue-4.14/s390-define-get_cycles-macro-for-arch-override.patch queue-4.14/random-do-not-pretend-to-handle-premature-next-security-model.patch queue-4.14/random-avoid-arch_get_random_seed_long-when-collecting-irq-randomness.patch queue-4.14/random-use-is_enabled-config_numa-instead-of-ifdefs.patch queue-4.14/random-make-crng-state-queryable.patch queue-4.14/random-avoid-superfluous-call-to-rdrand-in-crng-extraction.patch queue-4.14/random-use-symbolic-constants-for-crng_init-states.patch queue-4.14/random-reseed-more-often-immediately-after-booting.patch queue-4.14/random-ensure-early-rdseed-goes-through-mixer-on-init.patch queue-4.14/random-deobfuscate-irq-u32-u64-contributions.patch queue-4.14/random-do-not-use-input-pool-from-hard-irqs.patch queue-4.14/random-help-compiler-out-with-fast_mix-by-using-simpler-arguments.patch queue-4.14/revert-random-use-static-branch-for-crng_ready.patch queue-4.14/random-fix-crash-on-multiple-early-calls-to-add_bootloader_randomness.patch queue-4.14/random-return-nbytes-filled-from-hw-rng.patch queue-4.14/random-account-for-arch-randomness-in-bits.patch queue-4.14/crypto-blake2s-adjust-include-guard-naming.patch queue-4.14/random-do-not-allow-user-to-keep-crng-key-around-on-stack.patch queue-4.14/x86-remove-arch_has_random-arch_has_random_seed.patch queue-4.14/crypto-deduplicate-le32_to_cpu_array-and-cpu_to_le32_array.patch queue-4.14/random-remove-ratelimiting-for-in-kernel-unseeded-randomness.patch 
queue-4.14/random-remove-unused-irq_flags-argument-from-add_interrupt_randomness.patch queue-4.14/random-prepend-remaining-pool-constants-with-pool_.patch queue-4.14/powerpc-define-get_cycles-macro-for-arch-override.patch queue-4.14/random-remove-unused-output_pool-constants.patch queue-4.14/mips-use-fallback-for-random_get_entropy-instead-of-just-c0-random.patch queue-4.14/random-use-hash-function-for-crng_slow_load.patch queue-4.14/random-fix-typo-in-comments.patch queue-4.14/random-remove-preempt-disabled-region.patch queue-4.14/random-use-proper-return-types-on-get_random_-int-long-_wait.patch