Clean up _gcry_kdf_*() to remove unsupported KDFs.

Signed-off-by: Gary Lin <[email protected]>
Reviewed-by: Daniel Kiper <[email protected]>
---
 conf/Makefile.extra-dist                      |   1 +
 .../11-kdf-remove-unsupported-kdfs.patch      | 166 ++++++++++++++++++
 2 files changed, 167 insertions(+)
 create mode 100644 
grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch

diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
index e1e569de0..bc6768549 100644
--- a/conf/Makefile.extra-dist
+++ b/conf/Makefile.extra-dist
@@ -45,6 +45,7 @@ EXTRA_DIST += 
grub-core/lib/libgcrypt-patches/07_disable_64div.patch
 EXTRA_DIST += grub-core/lib/libgcrypt-patches/08_sexp_leak.patch
 EXTRA_DIST += grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch
 EXTRA_DIST += grub-core/lib/libgcrypt-patches/10-kdf-use-GPG-errs.patch
+EXTRA_DIST += 
grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch
 
 EXTRA_DIST += 
grub-core/lib/libtasn1-patches/0001-libtasn1-disable-code-not-needed-in-grub.patch
 EXTRA_DIST += 
grub-core/lib/libtasn1-patches/0002-libtasn1-replace-strcat-with-strcpy-in-_asn1_str_cat.patch
diff --git 
a/grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch 
b/grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch
new file mode 100644
index 000000000..44ef3dec2
--- /dev/null
+++ b/grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch
@@ -0,0 +1,166 @@
+From fc9c57f54fd28685f7df79e53078e1dc9e44f964 Mon Sep 17 00:00:00 2001
+From: Gary Lin <[email protected]>
+Date: Mon, 25 Aug 2025 16:00:17 +0800
+Subject: [PATCH 3/4] libgcrypt/kdf: Remove unsupported KDFs
+
+Clean up _gcry_kdf_*() to remove unsupported KDFs.
+
+Signed-off-by: Gary Lin <[email protected]>
+---
+ grub-core/lib/libgcrypt-grub/cipher/kdf.c | 119 ----------------------
+ 1 file changed, 119 deletions(-)
+
+diff --git a/grub-core/lib/libgcrypt-grub/cipher/kdf.c 
b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
+index 6e0351d8a..c51a70eff 100644
+--- a/grub-core/lib/libgcrypt-grub/cipher/kdf.c
++++ b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
+@@ -821,64 +821,6 @@ _gcry_kdf_open (gcry_kdf_hd_t *hd, int algo, int subalgo,
+                           key, keylen, ad, adlen);
+       break;
+ 
+-    case GCRY_KDF_BALLOON:
+-      if (!inputlen || !saltlen || keylen || adlen)
+-        ec = GPG_ERR_INV_VALUE;
+-      else
+-        {
+-          (void)key;
+-          (void)ad;
+-          ec = balloon_open (hd, subalgo, param, paramlen,
+-                             input, inputlen, salt, saltlen);
+-        }
+-      break;
+-
+-    case GCRY_KDF_ONESTEP_KDF:
+-      if (!inputlen || !paramlen || !adlen)
+-        ec = GPG_ERR_INV_VALUE;
+-      else
+-        {
+-          (void)salt;
+-          (void)key;
+-          ec = onestep_kdf_open (hd, subalgo, param, paramlen,
+-                                 input, inputlen, ad, adlen);
+-        }
+-      break;
+-
+-    case GCRY_KDF_ONESTEP_KDF_MAC:
+-      if (!inputlen || !paramlen || !keylen || !adlen)
+-        ec = GPG_ERR_INV_VALUE;
+-      else
+-        {
+-          (void)salt;
+-          ec = onestep_kdf_mac_open (hd, subalgo, param, paramlen,
+-                                     input, inputlen, key, keylen, ad, adlen);
+-        }
+-      break;
+-
+-    case GCRY_KDF_HKDF:
+-      if (!inputlen || !paramlen)
+-        ec = GPG_ERR_INV_VALUE;
+-      else
+-        {
+-          (void)salt;
+-          ec = hkdf_open (hd, subalgo, param, paramlen,
+-                          input, inputlen, key, keylen, ad, adlen);
+-        }
+-      break;
+-
+-    case GCRY_KDF_X963_KDF:
+-      if (!inputlen || !paramlen)
+-        ec = GPG_ERR_INV_VALUE;
+-      else
+-        {
+-          (void)salt;
+-          (void)key;
+-          ec = x963_kdf_open (hd, subalgo, param, paramlen,
+-                              input, inputlen, ad, adlen);
+-        }
+-      break;
+-
+     default:
+       ec = GPG_ERR_UNKNOWN_ALGORITHM;
+       break;
+@@ -898,26 +840,6 @@ _gcry_kdf_compute (gcry_kdf_hd_t h, const struct 
gcry_kdf_thread_ops *ops)
+       ec = argon2_compute ((argon2_ctx_t)(void *)h, ops);
+       break;
+ 
+-    case GCRY_KDF_BALLOON:
+-      ec = balloon_compute_all ((balloon_ctx_t)(void *)h, ops);
+-      break;
+-
+-    case GCRY_KDF_ONESTEP_KDF:
+-      ec = onestep_kdf_compute ((onestep_kdf_ctx_t)(void *)h, ops);
+-      break;
+-
+-    case GCRY_KDF_ONESTEP_KDF_MAC:
+-      ec = onestep_kdf_mac_compute ((onestep_kdf_mac_ctx_t)(void *)h, ops);
+-      break;
+-
+-    case GCRY_KDF_HKDF:
+-      ec = hkdf_compute ((hkdf_ctx_t)(void *)h, ops);
+-      break;
+-
+-    case GCRY_KDF_X963_KDF:
+-      ec = x963_kdf_compute ((x963_kdf_ctx_t)(void *)h, ops);
+-      break;
+-
+     default:
+       ec = GPG_ERR_UNKNOWN_ALGORITHM;
+       break;
+@@ -938,27 +860,6 @@ _gcry_kdf_final (gcry_kdf_hd_t h, size_t resultlen, void 
*result)
+       ec = argon2_final ((argon2_ctx_t)(void *)h, resultlen, result);
+       break;
+ 
+-    case GCRY_KDF_BALLOON:
+-      ec = balloon_final ((balloon_ctx_t)(void *)h, resultlen, result);
+-      break;
+-
+-    case GCRY_KDF_ONESTEP_KDF:
+-      ec = onestep_kdf_final ((onestep_kdf_ctx_t)(void *)h, resultlen, 
result);
+-      break;
+-
+-    case GCRY_KDF_ONESTEP_KDF_MAC:
+-      ec = onestep_kdf_mac_final ((onestep_kdf_mac_ctx_t)(void *)h,
+-                                  resultlen, result);
+-      break;
+-
+-    case GCRY_KDF_HKDF:
+-      ec = hkdf_final ((hkdf_ctx_t)(void *)h, resultlen, result);
+-      break;
+-
+-    case GCRY_KDF_X963_KDF:
+-      ec = x963_kdf_final ((x963_kdf_ctx_t)(void *)h, resultlen, result);
+-      break;
+-
+     default:
+       ec = GPG_ERR_UNKNOWN_ALGORITHM;
+       break;
+@@ -976,26 +877,6 @@ _gcry_kdf_close (gcry_kdf_hd_t h)
+       argon2_close ((argon2_ctx_t)(void *)h);
+       break;
+ 
+-    case GCRY_KDF_BALLOON:
+-      balloon_close ((balloon_ctx_t)(void *)h);
+-      break;
+-
+-    case GCRY_KDF_ONESTEP_KDF:
+-      onestep_kdf_close ((onestep_kdf_ctx_t)(void *)h);
+-      break;
+-
+-    case GCRY_KDF_ONESTEP_KDF_MAC:
+-      onestep_kdf_mac_close ((onestep_kdf_mac_ctx_t)(void *)h);
+-      break;
+-
+-    case GCRY_KDF_HKDF:
+-      hkdf_close ((hkdf_ctx_t)(void *)h);
+-      break;
+-
+-    case GCRY_KDF_X963_KDF:
+-      x963_kdf_close ((x963_kdf_ctx_t)(void *)h);
+-      break;
+-
+     default:
+       break;
+     }
+-- 
+2.51.0
+
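Review bot: The embedded patch removes only the `case` labels for GCRY_KDF_BALLOON, GCRY_KDF_ONESTEP_KDF, GCRY_KDF_ONESTEP_KDF_MAC, GCRY_KDF_HKDF and GCRY_KDF_X963_KDF in `_gcry_kdf_open`, `_gcry_kdf_compute`, `_gcry_kdf_final` and `_gcry_kdf_close`, so the functions those cases called (`balloon_open`, `hkdf_compute`, `x963_kdf_final` and the rest) lose their only visible callers. Whether another patch in the series removes or compiles out those implementations cannot be seen from this hunk; if they remain as static functions they would presumably raise unused-function warnings and leave dead KDF code in the bootloader build, so that is worth confirming. The description would also be easier to audit if it named the five algorithms and the resulting behaviour, for example `Balloon, Onestep KDF, Onestep KDF MAC, HKDF and X9.63 KDF now take the default branch, which sets GPG_ERR_UNKNOWN_ALGORITHM.` All four function bodies start and end outside the quoted hunks.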
-- 
2.51.0

