libgcrypt/kdf: Implement hash_buffers() for BLAKE2b-512

The hash_buffers() functions are disabled in GRUB by default but the Argon2 implementation requires hash_buffers() for BLAKE2b-512. This commit implements argon2_blake2b_512_hash_buffers() as the replacement of _gcry_digest_spec_blake2b_512.hash_buffers(). Signed-off-by: Gary Lin <glin@suse.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2025-10-15 11:00:18 +08:00 · 2025-10-15 11:00:18 +08:00 · 0c06a454fc
commit 0c06a454fc
parent bc94dfd541
2 changed files with 64 additions and 0 deletions
--- a/conf/Makefile.extra-dist
+++ b/conf/Makefile.extra-dist
@ -43,6 +43,7 @@ EXTRA_DIST += grub-core/lib/libgcrypt-patches/05_disable_rsa_shake.patch
 EXTRA_DIST += grub-core/lib/libgcrypt-patches/06_blake.patch
 EXTRA_DIST += grub-core/lib/libgcrypt-patches/07_disable_64div.patch
 EXTRA_DIST += grub-core/lib/libgcrypt-patches/08_sexp_leak.patch
+EXTRA_DIST += grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch

 EXTRA_DIST += grub-core/lib/libtasn1-patches/0001-libtasn1-disable-code-not-needed-in-grub.patch
 EXTRA_DIST += grub-core/lib/libtasn1-patches/0002-libtasn1-replace-strcat-with-strcpy-in-_asn1_str_cat.patch
--- a/grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch
+++ b/grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch
@ -0,0 +1,63 @@
+From 42e9975171439e2e9713e122cb0e74174f057e98 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Mon, 25 Aug 2025 15:54:24 +0800
+Subject: [PATCH 1/4] libgcrypt/kdf: Implement blake2b_512.hash_buffers()
+
+Add argon2_blake2b_512_hash_buffers() as the replacement of
+_gcry_digest_spec_blake2b_512.hash_buffers().
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ grub-core/lib/libgcrypt-grub/cipher/kdf.c | 25 ++++++++++++++++++++++-
+ 1 file changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/lib/libgcrypt-grub/cipher/kdf.c b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
+index 0689f88b1..08e3ef658 100644
+--- a/grub-core/lib/libgcrypt-grub/cipher/kdf.c
+++ b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
+@@ -129,10 +129,31 @@ beswap64_block (u64 *dst)
+ #endif
+ }
+ 
+/* Implementation of _gcry_blake2b_512_hash_buffers */
+static gcry_err_code_t
+argon2_blake2b_512_hash_buffers (void *outbuf, const gcry_buffer_t *iov, int iovcnt)
+{
+  void *hd;
+
+  hd = xtrymalloc (_gcry_digest_spec_blake2b_512.contextsize);
+  if (!hd)
+    return GPG_ERR_OUT_OF_MEMORY;
+
+  _gcry_digest_spec_blake2b_512.init (hd, 0);
+  for (;iovcnt > 0; iov++, iovcnt--)
+    _gcry_digest_spec_blake2b_512.write (hd, (const char*)iov[0].data + iov[0].off, iov[0].len);
+  _gcry_digest_spec_blake2b_512.final (hd);
+  grub_memcpy (outbuf, _gcry_digest_spec_blake2b_512.read (hd), 512 / 8);
+
+  xfree (hd);
+
+  return GPG_ERR_NO_ERROR;
+}
+ 
+ static gpg_err_code_t
+ argon2_fill_first_blocks (argon2_ctx_t a)
+ {
+  gpg_err_code_t err;
+   unsigned char h0_01_i[72];
+   unsigned char buf[10][4];
+   gcry_buffer_t iov[8];
+@@ -195,7 +216,9 @@ argon2_fill_first_blocks (argon2_ctx_t a)
+       iov_count++;
+     }
+ 
+-  _gcry_digest_spec_blake2b_512.hash_buffers (h0_01_i, 64, iov, iov_count);
+  err = argon2_blake2b_512_hash_buffers (h0_01_i, iov, iov_count);
+  if (err != GPG_ERR_NO_ERROR)
+    return err;
+ 
+   for (i = 0; i < a->lanes; i++)
+     {
+-- 
+2.51.0
+