2020-08-31 20:53:58 -05:00
|
|
|
/* module_hooks.c -- module load/unload hooks for libwolfssl.ko
|
|
|
|
|
*
|
2025-01-21 09:55:03 -07:00
|
|
|
* Copyright (C) 2006-2025 wolfSSL Inc.
|
2020-08-31 20:53:58 -05:00
|
|
|
*
|
|
|
|
|
* This file is part of wolfSSL.
|
|
|
|
|
*
|
|
|
|
|
* wolfSSL is free software; you can redistribute it and/or modify
|
|
|
|
|
* it under the terms of the GNU General Public License as published by
|
|
|
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
|
|
|
* (at your option) any later version.
|
|
|
|
|
*
|
|
|
|
|
* wolfSSL is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* along with this program; if not, write to the Free Software
|
|
|
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
|
|
|
|
|
*/
|
2020-08-18 14:17:44 -05:00
|
|
|
|
Add wolfcrypt/src/wolfssl_sources.h and wolfcrypt/src/wolfssl_sources_asm.h,
which force on BUILDING_WOLFSSL and do boilerplate includes, and update library
sources to include them at the top.
wolfssl_sources.h includes types.h, error-crypt.h, and logging.h, and
conditionally, config.h. settings.h and wc_port.h are unconditionally
included at the top of types.h.
wolfssl_sources_asm.h includes settings.h, and conditionally, config.h.
Add wolfssl_sources*.h to wolfcrypt/src/include.am, and to several IDE/ project
files.
Also added a TEST_WOLFSSL_SOURCES_INCLUSION_SEQUENCE clause in
wolfssl/wolfcrypt/settings.h to allow coverage testing.
In wolfcrypt/src/misc.c, retain existing ad hoc boilerplate includes, and use
them if WOLFSSL_VIS_FOR_TESTS, otherwise include the new wolfssl_sources.h.
Define WOLFSSL_VIS_FOR_TESTS at top of wolfcrypt/test/test.c.
Also renamed WOLFSSL_NEED_LINUX_CURRENT to WOLFSSL_LINUXKM_NEED_LINUX_CURRENT,
for clarity.
2025-04-04 16:51:04 -05:00
|
|
|
#define WOLFSSL_LINUXKM_NEED_LINUX_CURRENT
|
2021-11-05 18:29:41 -05:00
|
|
|
|
2025-04-04 18:44:12 -05:00
|
|
|
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
|
2020-08-18 14:17:44 -05:00
|
|
|
|
2025-07-09 16:29:04 -05:00
|
|
|
#define WOLFSSL_LICENSE "GPL v2"
|
|
|
|
|
|
2022-01-07 22:39:38 -06:00
|
|
|
#ifdef WOLFCRYPT_ONLY
|
|
|
|
|
#include <wolfssl/version.h>
|
|
|
|
|
#else
|
|
|
|
|
#include <wolfssl/ssl.h>
|
|
|
|
|
#endif
|
2021-08-19 11:15:52 -05:00
|
|
|
#ifdef HAVE_FIPS
|
linuxkm/lkcapi_sha_glue.c:
* implement interception of _get_random_bytes() and get_random_bytes_user() (implicitly intercepts /dev/random and /dev/urandom):
* get_crypto_default_rng()
* get_default_drbg_ctx()
* wc__get_random_bytes()
* wc_get_random_bytes_user()
* wc_extract_crng_user()
* wc_mix_pool_bytes()
* wc_crng_reseed()
* wc_get_random_bytes_by_kprobe()
* wc_get_random_bytes_user_kretprobe_enter()
* wc_get_random_bytes_user_kretprobe_exit()
* add LINUXKM_DRBG_GET_RANDOM_BYTES sections to wc_linuxkm_drbg_startup() and wc_linuxkm_drbg_cleanup()
* add linuxkm/patches/*/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-*.patch, initially for versions:
* 5.10.17
* 5.10.236
* 5.15
* 5.17
* 6.1.73
* 6.12
* 6.15
* remove "*.patch" from .gitignore.
* add linuxkm/patches/regen-patches.sh.
* in wc_linuxkm_drbg_ctx_clear(), check lock count before freeing.
* in get_drbg() and put_drbg(), use migrate_disable(), not DISABLE_VECTOR_REGISTERS().
* in wc_linuxkm_drbg_generate(), explicitly DISABLE_VECTOR_REGISTERS() for the crypto_default_rng.
* in wc_linuxkm_drbg_generate(), add DRBG reinitialization code to handle RNG_FAILURE_E. This handles the situation where a DRBG was instantiated in a vector-ops-allowed context, caching a vectorized SHA256 ethod, but later used in a no-vector-ops-allowed context.
* in wc_linuxkm_drbg_seed(), add DISABLE_VECTOR_REGISTERS() wrapper around wc_RNG_DRBG_Reseed() for crypto_default_rng.
linuxkm/x86_vector_register_glue.c:
* add crash recovery logic to wc_linuxkm_fpu_state_assoc_unlikely()
* in wc_linuxkm_fpu_state_assoc(), when wc_linuxkm_fpu_states is null, don't call wc_linuxkm_fpu_state_assoc_unlikely() if !assume_fpu_began.
* in can_save_vector_registers_x86(), save_vector_registers_x86(), and restore_vector_registers_x86(), check for hard interrupt context first, to return early failure if current->pid is unusable.
* in save_vector_registers_x86(), tweak logic around WC_FPU_INHIBITED_FLAG, adding local_bh_disable()...local_bh_enable() to provide for safe recursion.
wolfcrypt/src/random.c: optimization: in Hash_df(), for WOLFSSL_LINUXKM, don't put digest[WC_SHA256_DIGEST_SIZE] in the heap, keep it on the stack.
wolfssl/wolfcrypt/types.h: add WOLFSSL_NO_ASM no-op definitions for DISABLE_VECTOR_REGISTERS() and REENABLE_VECTOR_REGISTERS().
configure.ac:
* move --enable-linuxkm and --enable-linuxkm-defaults initial detection early, so that HMAC_COPY_DEFAULT picks it up.
* add ENABLED_ENTROPY_MEMUSE_DEFAULT, and enable it by default when ENABLED_LINUXKM_DEFAULTS.
* update linuxkm-lkcapi-register help message.
linuxkm/linuxkm_wc_port.h:
* add my_kallsyms_lookup_name().
* add preempt_count, _raw_spin_lock_irqsave, _raw_spin_trylock, _raw_spin_unlock_irqrestore, and _cond_resched, to wolfssl_linuxkm_pie_redirect_table, and add spin_unlock_irqrestore() macro to mask native inline.
* move linuxkm mutex wrappers from wolfcrypt/src/wc_port.c to linuxkm_wc_port.h, make them inlines, and add new default spinlock-based implementation, with old method now gated on WOLFSSL_LINUXKM_USE_MUTEXES.
* change malloc() and realloc() wrappers from GFP_KERNEL to GFP_ATOMIC.
linuxkm/lkcapi_glue.c: make misc.h/misc.c inclusion unconditional, and trim now-redundant inclusions out of lkcapi_dh_glue.c and lkcapi_ecdh_glue.c.
2025-06-30 15:23:04 -05:00
|
|
|
#ifdef USE_CONTESTMUTEX
|
|
|
|
|
#error USE_CONTESTMUTEX is incompatible with WOLFSSL_LINUXKM
|
|
|
|
|
#endif
|
2022-01-07 22:39:38 -06:00
|
|
|
#include <wolfssl/wolfcrypt/fips_test.h>
|
2021-08-19 11:15:52 -05:00
|
|
|
#endif
|
wolfcrypt/src/aes.c: in wc_AesSetKeyLocal(), rework support for WC_FLAG_DONT_USE_AESNI (fixes WC_C_DYNAMIC_FALLBACK).
wolfssl/wolfcrypt/settings.h: in WOLFSSL_LINUXKM section, #ifdef LINUXKM_LKCAPI_REGISTER, #define WOLFSSL_TEST_SUBROUTINE to nothing, and #define WC_TEST_EXPORT_SUBTESTS.
linuxkm/lkcapi_glue.c:
* add check_skcipher_driver_masking() and check_aead_driver_masking(),
* use _masking() checks in all linuxkm_test_*().
* add !WOLFSSL_AESGCM_STREAM implementation of linuxkm_test_aesgcm().
* add implementations of linuxkm_test_aesctr(), linuxkm_test_aesofb(), and linuxkm_test_aesecb()
* remove incomplete+disabled AES-CCM shim implementation.
linuxkm/module_hooks.c: pull in wolfcrypt/test/test.h if LINUXKM_LKCAPI_REGISTER.
linuxkm/Makefile: build wolfcrypt/test/test.o if ENABLED_LINUXKM_LKCAPI_REGISTER.
Makefile.am: add ENABLED_LINUXKM_LKCAPI_REGISTER to exports in BUILD_LINUXKM section.
configure.ac: add AC_SUBST([ENABLED_LINUXKM_LKCAPI_REGISTER]); in ENABLED_LINUXKM_DEFAULTS set up, remove `-DWOLFSSL_TEST_SUBROUTINE=static` from AM_CFLAGS adds; fix whitespace.
.wolfssl_known_macro_extras: add WC_WANT_FLAG_DONT_USE_AESNI.
wolfcrypt/test/test.c: add `|| defined(WC_TEST_EXPORT_SUBTESTS)` to outermost gate, add wc_test_ prefix to render_error_message() and export it,
wolfcrypt/test/test.h: add prototype for wc_test_render_error_message(), and #ifdef WC_TEST_EXPORT_SUBTESTS, add prototypes for all the subtests.
2025-04-01 01:17:10 -05:00
|
|
|
#if !defined(NO_CRYPT_TEST) || defined(LINUXKM_LKCAPI_REGISTER)
|
2022-01-07 22:39:38 -06:00
|
|
|
#include <wolfcrypt/test/test.h>
|
2020-08-21 00:10:45 -05:00
|
|
|
#endif
|
2025-03-21 15:36:31 -06:00
|
|
|
#include <wolfssl/wolfcrypt/random.h>
|
|
|
|
|
#include <wolfssl/wolfcrypt/sha256.h>
|
2020-08-18 14:17:44 -05:00
|
|
|
|
2025-05-01 00:08:32 -05:00
|
|
|
#ifdef WOLFSSL_DEBUG_TRACE_ERROR_CODES
|
|
|
|
|
enum linux_errcodes {
|
|
|
|
|
my_EINVAL = EINVAL,
|
|
|
|
|
my_ENOMEM = ENOMEM,
|
|
|
|
|
my_EBADMSG = EBADMSG
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
#undef EINVAL
|
|
|
|
|
#undef ENOMEM
|
|
|
|
|
#undef EBADMSG
|
|
|
|
|
|
|
|
|
|
#define EINVAL WC_ERR_TRACE(my_EINVAL)
|
|
|
|
|
#define ENOMEM WC_ERR_TRACE(my_ENOMEM)
|
|
|
|
|
#define EBADMSG WC_ERR_TRACE(my_EBADMSG)
|
|
|
|
|
#endif
|
|
|
|
|
|
2020-12-16 15:17:12 -06:00
|
|
|
static int libwolfssl_cleanup(void) {
|
|
|
|
|
int ret;
|
|
|
|
|
#ifdef WOLFCRYPT_ONLY
|
|
|
|
|
ret = wolfCrypt_Cleanup();
|
|
|
|
|
if (ret != 0)
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: wolfCrypt_Cleanup() failed: %s\n", wc_GetErrorString(ret));
|
2020-12-16 15:17:12 -06:00
|
|
|
else
|
|
|
|
|
pr_info("wolfCrypt " LIBWOLFSSL_VERSION_STRING " cleanup complete.\n");
|
|
|
|
|
#else
|
|
|
|
|
ret = wolfSSL_Cleanup();
|
|
|
|
|
if (ret != WOLFSSL_SUCCESS)
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: wolfSSL_Cleanup() failed: %s\n", wc_GetErrorString(ret));
|
2020-12-16 15:17:12 -06:00
|
|
|
else
|
|
|
|
|
pr_info("wolfSSL " LIBWOLFSSL_VERSION_STRING " cleanup complete.\n");
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-19 11:15:52 -05:00
|
|
|
#ifdef HAVE_LINUXKM_PIE_SUPPORT
|
|
|
|
|
|
linuxkm: completion and stabilization of LKCAPI integration for AES-CBC, AES-CFB, AES-GCM, and AES-XTS:
linuxkm/lkcapi_glue.c (added in earlier commit):
implement linuxkm_lkcapi_register() and linuxkm_lkcapi_unregister() with idempotency.
add AES-XTS algorithm glue and self-test implementations.
add per-algorithm gating: LINUXKM_LKCAPI_REGISTER_AESCBC, _AESCFB, _AESGCM, and _AESXTS.
carry forward philljj's implementations for AES-CBC, AES-CFB, and AES-GCM, with various cleanups.
linuxkm/module_hooks.c:
print the "wolfCrypt container hashes" message only if DEBUG_LINUXKM_PIE_SUPPORT is set.
render the FIPS version for the self-test success message using the HAVE_FIPS_VERSION* macros.
add a "skipping full wolfcrypt_test() ..." message for --disable-crypttests builds.
add CONFIG_FORTIFY_SOURCE gates.
configure.ac:
add support for --enable-linuxkm-lkcapi-register;
add AES-XTS to output config summary;
rename --enable-xts to --enable-aesxts (retaining old option for backward compatibility).
linuxkm/linuxkm_wc_port.h: add support for CONFIG_FORTIFY_SOURCE.
linuxkm/linuxkm_memory.c:
fix retvals in save_vector_registers_x86() (wc-style MEMORY_E, not sys-style ENOMEM).
add __my_fortify_panic() implementation.
linuxkm/Kbuild: for ENABLED_LINUXKM_PIE in rename-pie-text-and-data-sections recipe, create an .rodata.wolfcrypt section.
linuxkm/include.am: add linuxkm/lkcapi_glue.c to EXTRA_DIST.
wolfcrypt/test/test.c:
when defined(HAVE_FIPS_VERSION), inhibit a test clause in aes_xts_128_test() disallowed by FIPS ("FIPS AES-XTS main and tweak keys must differ").
fix out-of-order user message in ecc_test().
2024-01-26 20:01:19 -06:00
|
|
|
#ifdef DEBUG_LINUXKM_PIE_SUPPORT
|
|
|
|
|
|
2021-08-19 11:15:52 -05:00
|
|
|
extern int wolfCrypt_PIE_first_function(void);
|
|
|
|
|
extern int wolfCrypt_PIE_last_function(void);
|
|
|
|
|
extern const unsigned int wolfCrypt_PIE_rodata_start[];
|
|
|
|
|
extern const unsigned int wolfCrypt_PIE_rodata_end[];
|
|
|
|
|
|
|
|
|
|
/* cheap portable ad-hoc hash function to confirm bitwise stability of the PIE
|
|
|
|
|
* binary image.
|
|
|
|
|
*/
|
|
|
|
|
static unsigned int hash_span(char *start, char *end) {
|
|
|
|
|
unsigned int sum = 1;
|
|
|
|
|
while (start < end) {
|
|
|
|
|
unsigned int rotate_by;
|
|
|
|
|
sum ^= *start++;
|
|
|
|
|
rotate_by = (sum ^ (sum >> 5)) & 31;
|
|
|
|
|
sum = (sum << rotate_by) | (sum >> (32 - rotate_by));
|
|
|
|
|
}
|
|
|
|
|
return sum;
|
|
|
|
|
}
|
|
|
|
|
|
linuxkm: completion and stabilization of LKCAPI integration for AES-CBC, AES-CFB, AES-GCM, and AES-XTS:
linuxkm/lkcapi_glue.c (added in earlier commit):
implement linuxkm_lkcapi_register() and linuxkm_lkcapi_unregister() with idempotency.
add AES-XTS algorithm glue and self-test implementations.
add per-algorithm gating: LINUXKM_LKCAPI_REGISTER_AESCBC, _AESCFB, _AESGCM, and _AESXTS.
carry forward philljj's implementations for AES-CBC, AES-CFB, and AES-GCM, with various cleanups.
linuxkm/module_hooks.c:
print the "wolfCrypt container hashes" message only if DEBUG_LINUXKM_PIE_SUPPORT is set.
render the FIPS version for the self-test success message using the HAVE_FIPS_VERSION* macros.
add a "skipping full wolfcrypt_test() ..." message for --disable-crypttests builds.
add CONFIG_FORTIFY_SOURCE gates.
configure.ac:
add support for --enable-linuxkm-lkcapi-register;
add AES-XTS to output config summary;
rename --enable-xts to --enable-aesxts (retaining old option for backward compatibility).
linuxkm/linuxkm_wc_port.h: add support for CONFIG_FORTIFY_SOURCE.
linuxkm/linuxkm_memory.c:
fix retvals in save_vector_registers_x86() (wc-style MEMORY_E, not sys-style ENOMEM).
add __my_fortify_panic() implementation.
linuxkm/Kbuild: for ENABLED_LINUXKM_PIE in rename-pie-text-and-data-sections recipe, create an .rodata.wolfcrypt section.
linuxkm/include.am: add linuxkm/lkcapi_glue.c to EXTRA_DIST.
wolfcrypt/test/test.c:
when defined(HAVE_FIPS_VERSION), inhibit a test clause in aes_xts_128_test() disallowed by FIPS ("FIPS AES-XTS main and tweak keys must differ").
fix out-of-order user message in ecc_test().
2024-01-26 20:01:19 -06:00
|
|
|
#endif /* DEBUG_LINUXKM_PIE_SUPPORT */
|
|
|
|
|
|
2021-08-19 11:15:52 -05:00
|
|
|
#ifdef USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE
|
|
|
|
|
extern struct wolfssl_linuxkm_pie_redirect_table wolfssl_linuxkm_pie_redirect_table;
|
|
|
|
|
static int set_up_wolfssl_linuxkm_pie_redirect_table(void);
|
|
|
|
|
#endif /* USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE */
|
|
|
|
|
|
|
|
|
|
#endif /* HAVE_LINUXKM_PIE_SUPPORT */
|
|
|
|
|
|
|
|
|
|
#ifdef HAVE_FIPS
|
|
|
|
|
static void lkmFipsCb(int ok, int err, const char* hash)
|
|
|
|
|
{
|
|
|
|
|
if ((! ok) || (err != 0))
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: libwolfssl FIPS error: %s\n", wc_GetErrorString(err));
|
src/internal.c: in wolfSSL_ERR_reason_error_string(), add missing error string for SCR_DIFFERENT_CERT_E, and de-gate error strings previously gated on HAVE_HTTP_CLIENT.
tests/api.c: add error_test() adapted from wolfcrypt/test/test.c, checking all error strings for expected presence/absence and length, called from existing test_wolfSSL_ERR_strings().
wolfssl/ssl.h, wolfssl/error-ssl.h, and wolfssl/wolfcrypt/error-crypt.h:
* move several negative error return codes from ssl.h to error-ssl.h,
* renumber them to conform to existing sequence, and
* include error-ssl.h from ssl.h;
* add special-case WOLFSSL_DEBUG_TRACE_ERROR_CODES macros for WOLFSSL_FAILURE;
* add missing WOLFSSL_API attribute to wc_backtrace_render().
add numerous WC_NO_ERR_TRACE()s to operand error code uses, cleaning up error traces in general, and particularly when WOLFSSL_DEBUG_TRACE_ERROR_CODES_ALWAYS.
* crypto lib (36),
* crypto test&benchmark (20),
* TLS lib (179),
* examples (122),
* linuxkm (3),
* tests/api.c (2272).
2024-08-28 23:05:04 -05:00
|
|
|
if (err == WC_NO_ERR_TRACE(IN_CORE_FIPS_E)) {
|
2021-09-15 23:05:32 -05:00
|
|
|
pr_err("In-core integrity hash check failure.\n"
|
|
|
|
|
"Update verifyCore[] in fips_test.c with new hash \"%s\" and rebuild.\n",
|
2021-08-19 11:15:52 -05:00
|
|
|
hash ? hash : "<null>");
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
#endif
|
2020-12-16 15:17:12 -06:00
|
|
|
|
2021-11-05 18:29:41 -05:00
|
|
|
#ifdef WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE
|
|
|
|
|
static int updateFipsHash(void);
|
|
|
|
|
#endif
|
2021-10-22 16:57:21 -05:00
|
|
|
|
2023-05-17 01:44:36 -05:00
|
|
|
#ifdef WOLFSSL_LINUXKM_BENCHMARKS
|
wolfssl/wolfcrypt/types.h:
* fix overallocation in WC_DECLARE_ARRAY() macro in the !WOLFSSL_SMALL_STACK path.
* rename WC_INIT_ARRAY() to WC_ALLOC_ARRAY() for clarity (it doesn't initialize any memory).
* rename WC_DECLARE_ARRAY_DYNAMIC_DEC(), WC_DECLARE_ARRAY_DYNAMIC_EXE(), and WC_FREE_ARRAY_DYNAMIC() to WC_DECLARE_HEAP_ARRAY(), WC_ALLOC_HEAP_ARRAY(), and WC_FREE_HEAP_ARRAY(), respectively, also for clarity, and refactor out the duplicate definitions.
* add WC_ALLOC_VAR(), and move the XMALLOC() in smallstack WC_DECLARE_VAR() into it. smallstack WC_DECLARE_VAR() now initializes the pointer to NULL, like smallstack WC_DECLARE_ARRAY(), assuring all pointers are valid upon shortcircuit to cleanup for a failed allocation (see WC_ALLOC_DO_ON_FAILURE below).
* add a new hook "WC_ALLOC_DO_ON_FAILURE" in WC_ALLOC_VAR(), WC_ALLOC_ARRAY(), and WC_DECLARE_ARRAY_DYNAMIC_EXE(), which is invoked when an allocation fails. by default the hook is defined to WC_DO_NOTHING.
* add basic safety to WC_*_HEAP_ARRAY() by recording/detecting allocation state via idx##VAR_NAME.
* add macros WC_ARRAY_OK() and WC_HEAP_ARRAY_OK() to test if allocation succeeded.
* add macros WC_CALLOC_ARRAY() and WC_CALLOC_HEAP_ARRAY() which zero the objects.
* add macro WC_CALLOC_VAR() which zeros the object.
ED448: smallstack refactor of ge448_scalarmult_base().
src/tls.c tests/api.c wolfcrypt/test/test.c: update WC_DECLARE_VAR()s with now-required matching WC_ALLOC_VAR()s.
wolfcrypt/benchmark/benchmark.c:
* no functional changes in default error-free behavior.
* add definition of WC_ALLOC_DO_ON_FAILURE() that prints error message, sets ret, and does goto exit.
* add BENCH_NTIMES and BENCH_AGREETIMES overrideeable macros, to allow fast sanitizer runs and slow high-precision runs.
* smallstack refactor of all declarations of stack arrays of the form foo[BENCH_MAX_PENDING], using WC_DECLARE_ARRAY() (35 in all).
* additional smallstack refactors, using WC_DECLARE_VAR(), for bench_aesxts(), bench_ed448KeyGen(), bench_eccsi*(), and bench_sakke*().
* fixes for various unhandled error conditions around malloc failures.
wolfcrypt/test/test.c: opportunistically constify several (42) static constants, moving them to the readonly data segment.
linuxkm/Makefile: if ENABLED_LINUXKM_BENCHMARKS, add wolfcrypt/benchmark/benchmark.o to WOLFSSL_OBJ_FILES.
linuxkm/Kbuild: enable FPU for benchmark.o, and remove enablement for module_hooks.o.
linuxkm/module_hooks.c: remove inline include of benchmark.c.
2024-02-16 02:32:18 -06:00
|
|
|
extern int wolfcrypt_benchmark_main(int argc, char** argv);
|
2023-05-17 01:44:36 -05:00
|
|
|
#endif /* WOLFSSL_LINUXKM_BENCHMARKS */
|
|
|
|
|
|
2025-05-01 00:08:32 -05:00
|
|
|
WC_MAYBE_UNUSED static int linuxkm_lkcapi_sysfs_install_node(struct kobj_attribute *node, int *installed_flag)
|
|
|
|
|
{
|
|
|
|
|
if ((installed_flag == NULL) || (! *installed_flag)) {
|
|
|
|
|
int ret = sysfs_create_file(&THIS_MODULE->mkobj.kobj, &node->attr);
|
|
|
|
|
if (ret) {
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: sysfs_create_file failed for %s: %d\n", node->attr.name, ret);
|
2025-05-01 00:08:32 -05:00
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
if (installed_flag)
|
|
|
|
|
*installed_flag = 1;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
WC_MAYBE_UNUSED static int linuxkm_lkcapi_sysfs_deinstall_node(struct kobj_attribute *node, int *installed_flag)
|
|
|
|
|
{
|
|
|
|
|
if ((installed_flag == NULL) || *installed_flag) {
|
|
|
|
|
sysfs_remove_file(&THIS_MODULE->mkobj.kobj, &node->attr);
|
|
|
|
|
if (installed_flag)
|
|
|
|
|
*installed_flag = 0;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#ifdef HAVE_FIPS
|
|
|
|
|
static ssize_t FIPS_rerun_self_test_handler(struct kobject *kobj, struct kobj_attribute *attr,
|
|
|
|
|
const char *buf, size_t count);
|
|
|
|
|
static struct kobj_attribute FIPS_rerun_self_test_attr = __ATTR(FIPS_rerun_self_test, 0220, NULL, FIPS_rerun_self_test_handler);
|
|
|
|
|
static int installed_sysfs_FIPS_files = 0;
|
|
|
|
|
#endif
|
|
|
|
|
|
linuxkm: completion and stabilization of LKCAPI integration for AES-CBC, AES-CFB, AES-GCM, and AES-XTS:
linuxkm/lkcapi_glue.c (added in earlier commit):
implement linuxkm_lkcapi_register() and linuxkm_lkcapi_unregister() with idempotency.
add AES-XTS algorithm glue and self-test implementations.
add per-algorithm gating: LINUXKM_LKCAPI_REGISTER_AESCBC, _AESCFB, _AESGCM, and _AESXTS.
carry forward philljj's implementations for AES-CBC, AES-CFB, and AES-GCM, with various cleanups.
linuxkm/module_hooks.c:
print the "wolfCrypt container hashes" message only if DEBUG_LINUXKM_PIE_SUPPORT is set.
render the FIPS version for the self-test success message using the HAVE_FIPS_VERSION* macros.
add a "skipping full wolfcrypt_test() ..." message for --disable-crypttests builds.
add CONFIG_FORTIFY_SOURCE gates.
configure.ac:
add support for --enable-linuxkm-lkcapi-register;
add AES-XTS to output config summary;
rename --enable-xts to --enable-aesxts (retaining old option for backward compatibility).
linuxkm/linuxkm_wc_port.h: add support for CONFIG_FORTIFY_SOURCE.
linuxkm/linuxkm_memory.c:
fix retvals in save_vector_registers_x86() (wc-style MEMORY_E, not sys-style ENOMEM).
add __my_fortify_panic() implementation.
linuxkm/Kbuild: for ENABLED_LINUXKM_PIE in rename-pie-text-and-data-sections recipe, create an .rodata.wolfcrypt section.
linuxkm/include.am: add linuxkm/lkcapi_glue.c to EXTRA_DIST.
wolfcrypt/test/test.c:
when defined(HAVE_FIPS_VERSION), inhibit a test clause in aes_xts_128_test() disallowed by FIPS ("FIPS AES-XTS main and tweak keys must differ").
fix out-of-order user message in ecc_test().
2024-01-26 20:01:19 -06:00
|
|
|
#ifdef LINUXKM_LKCAPI_REGISTER
|
|
|
|
|
#include "linuxkm/lkcapi_glue.c"
|
2024-01-26 14:04:02 -06:00
|
|
|
#endif
|
|
|
|
|
|
2024-05-08 16:18:33 -05:00
|
|
|
#if defined(WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS) && defined(CONFIG_X86)
|
|
|
|
|
#include "linuxkm/x86_vector_register_glue.c"
|
|
|
|
|
#endif
|
|
|
|
|
|
2020-08-19 13:39:54 -05:00
|
|
|
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 0, 0)
|
2020-08-18 14:17:44 -05:00
|
|
|
static int __init wolfssl_init(void)
|
2020-08-19 13:39:54 -05:00
|
|
|
#else
|
|
|
|
|
static int wolfssl_init(void)
|
|
|
|
|
#endif
|
2020-08-18 14:17:44 -05:00
|
|
|
{
|
2020-12-03 18:24:39 -06:00
|
|
|
int ret;
|
2021-08-19 11:15:52 -05:00
|
|
|
|
2021-11-09 22:02:17 -06:00
|
|
|
#ifdef WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE
|
2025-04-22 16:44:07 -05:00
|
|
|
#ifdef CONFIG_MODULE_SIG
|
2021-09-15 23:05:32 -05:00
|
|
|
if (THIS_MODULE->sig_ok == false) {
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: wolfSSL module load aborted -- bad or missing module signature with FIPS dynamic hash.\n");
|
2021-09-15 23:05:32 -05:00
|
|
|
return -ECANCELED;
|
|
|
|
|
}
|
2025-04-22 16:44:07 -05:00
|
|
|
#endif
|
2021-11-05 18:29:41 -05:00
|
|
|
ret = updateFipsHash();
|
|
|
|
|
if (ret < 0) {
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: wolfSSL module load aborted -- updateFipsHash: %s\n",wc_GetErrorString(ret));
|
2021-11-05 18:29:41 -05:00
|
|
|
return -ECANCELED;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
2021-09-15 23:05:32 -05:00
|
|
|
|
2021-08-19 11:15:52 -05:00
|
|
|
#ifdef USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE
|
|
|
|
|
ret = set_up_wolfssl_linuxkm_pie_redirect_table();
|
|
|
|
|
if (ret < 0)
|
|
|
|
|
return ret;
|
|
|
|
|
#endif
|
|
|
|
|
|
linuxkm: completion and stabilization of LKCAPI integration for AES-CBC, AES-CFB, AES-GCM, and AES-XTS:
linuxkm/lkcapi_glue.c (added in earlier commit):
implement linuxkm_lkcapi_register() and linuxkm_lkcapi_unregister() with idempotency.
add AES-XTS algorithm glue and self-test implementations.
add per-algorithm gating: LINUXKM_LKCAPI_REGISTER_AESCBC, _AESCFB, _AESGCM, and _AESXTS.
carry forward philljj's implementations for AES-CBC, AES-CFB, and AES-GCM, with various cleanups.
linuxkm/module_hooks.c:
print the "wolfCrypt container hashes" message only if DEBUG_LINUXKM_PIE_SUPPORT is set.
render the FIPS version for the self-test success message using the HAVE_FIPS_VERSION* macros.
add a "skipping full wolfcrypt_test() ..." message for --disable-crypttests builds.
add CONFIG_FORTIFY_SOURCE gates.
configure.ac:
add support for --enable-linuxkm-lkcapi-register;
add AES-XTS to output config summary;
rename --enable-xts to --enable-aesxts (retaining old option for backward compatibility).
linuxkm/linuxkm_wc_port.h: add support for CONFIG_FORTIFY_SOURCE.
linuxkm/linuxkm_memory.c:
fix retvals in save_vector_registers_x86() (wc-style MEMORY_E, not sys-style ENOMEM).
add __my_fortify_panic() implementation.
linuxkm/Kbuild: for ENABLED_LINUXKM_PIE in rename-pie-text-and-data-sections recipe, create an .rodata.wolfcrypt section.
linuxkm/include.am: add linuxkm/lkcapi_glue.c to EXTRA_DIST.
wolfcrypt/test/test.c:
when defined(HAVE_FIPS_VERSION), inhibit a test clause in aes_xts_128_test() disallowed by FIPS ("FIPS AES-XTS main and tweak keys must differ").
fix out-of-order user message in ecc_test().
2024-01-26 20:01:19 -06:00
|
|
|
#if defined(HAVE_LINUXKM_PIE_SUPPORT) && defined(DEBUG_LINUXKM_PIE_SUPPORT)
|
2021-09-20 13:46:51 -05:00
|
|
|
|
2023-05-09 23:53:49 -05:00
|
|
|
#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 4, 0)
|
|
|
|
|
/* see linux commit ac3b432839 */
|
|
|
|
|
#define THIS_MODULE_TEXT_BASE (THIS_MODULE->mem[MOD_TEXT].base)
|
|
|
|
|
#define THIS_MODULE_TEXT_SIZE (THIS_MODULE->mem[MOD_TEXT].size)
|
|
|
|
|
#define THIS_MODULE_RO_BASE (THIS_MODULE->mem[MOD_RODATA].base)
|
|
|
|
|
#define THIS_MODULE_RO_SIZE (THIS_MODULE->mem[MOD_RODATA].size)
|
|
|
|
|
#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 5, 0)
|
|
|
|
|
#define THIS_MODULE_TEXT_BASE (THIS_MODULE->core_layout.base)
|
2021-09-20 13:46:51 -05:00
|
|
|
#define THIS_MODULE_TEXT_SIZE (THIS_MODULE->core_layout.text_size)
|
2023-05-09 23:53:49 -05:00
|
|
|
#define THIS_MODULE_RO_BASE ((char *)THIS_MODULE->core_layout.base + THIS_MODULE->core_layout.text_size)
|
2021-09-20 13:46:51 -05:00
|
|
|
#define THIS_MODULE_RO_SIZE (THIS_MODULE->core_layout.ro_size)
|
|
|
|
|
#else
|
2023-05-09 23:53:49 -05:00
|
|
|
#define THIS_MODULE_TEXT_BASE (THIS_MODULE->module_core)
|
2021-09-20 13:46:51 -05:00
|
|
|
#define THIS_MODULE_TEXT_SIZE (THIS_MODULE->core_text_size)
|
2023-05-09 23:53:49 -05:00
|
|
|
#define THIS_MODULE_RO_BASE ((char *)THIS_MODULE->module_core + THIS_MODULE->core_ro_size)
|
2021-09-20 13:46:51 -05:00
|
|
|
#define THIS_MODULE_RO_SIZE (THIS_MODULE->core_ro_size)
|
|
|
|
|
#endif
|
|
|
|
|
|
2021-08-19 11:15:52 -05:00
|
|
|
{
|
|
|
|
|
char *pie_text_start = (char *)wolfCrypt_PIE_first_function;
|
|
|
|
|
char *pie_text_end = (char *)wolfCrypt_PIE_last_function;
|
|
|
|
|
char *pie_rodata_start = (char *)wolfCrypt_PIE_rodata_start;
|
|
|
|
|
char *pie_rodata_end = (char *)wolfCrypt_PIE_rodata_end;
|
|
|
|
|
unsigned int text_hash, rodata_hash;
|
|
|
|
|
|
2025-07-09 16:29:04 -05:00
|
|
|
text_hash = hash_span(pie_text_start, pie_text_end);
|
|
|
|
|
rodata_hash = hash_span(pie_rodata_start, pie_rodata_end);
|
2021-08-19 11:15:52 -05:00
|
|
|
|
|
|
|
|
/* note, "%pK" conceals the actual layout information. "%px" exposes
|
|
|
|
|
* the true module start address, which is potentially useful to an
|
|
|
|
|
* attacker.
|
|
|
|
|
*/
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_info("wolfCrypt section hashes (spans): text 0x%x (%lu), rodata 0x%x (%lu), offset %c0x%lx\n",
|
2021-08-19 11:15:52 -05:00
|
|
|
text_hash, pie_text_end-pie_text_start,
|
2025-07-09 16:29:04 -05:00
|
|
|
rodata_hash, pie_rodata_end-pie_rodata_start,
|
|
|
|
|
pie_text_start < pie_rodata_start ? '+' : '-',
|
|
|
|
|
pie_text_start < pie_rodata_start ? pie_rodata_start - pie_text_start : pie_text_start - pie_rodata_start);
|
2021-08-19 11:15:52 -05:00
|
|
|
}
|
2025-07-09 16:29:04 -05:00
|
|
|
|
linuxkm: completion and stabilization of LKCAPI integration for AES-CBC, AES-CFB, AES-GCM, and AES-XTS:
linuxkm/lkcapi_glue.c (added in earlier commit):
implement linuxkm_lkcapi_register() and linuxkm_lkcapi_unregister() with idempotency.
add AES-XTS algorithm glue and self-test implementations.
add per-algorithm gating: LINUXKM_LKCAPI_REGISTER_AESCBC, _AESCFB, _AESGCM, and _AESXTS.
carry forward philljj's implementations for AES-CBC, AES-CFB, and AES-GCM, with various cleanups.
linuxkm/module_hooks.c:
print the "wolfCrypt container hashes" message only if DEBUG_LINUXKM_PIE_SUPPORT is set.
render the FIPS version for the self-test success message using the HAVE_FIPS_VERSION* macros.
add a "skipping full wolfcrypt_test() ..." message for --disable-crypttests builds.
add CONFIG_FORTIFY_SOURCE gates.
configure.ac:
add support for --enable-linuxkm-lkcapi-register;
add AES-XTS to output config summary;
rename --enable-xts to --enable-aesxts (retaining old option for backward compatibility).
linuxkm/linuxkm_wc_port.h: add support for CONFIG_FORTIFY_SOURCE.
linuxkm/linuxkm_memory.c:
fix retvals in save_vector_registers_x86() (wc-style MEMORY_E, not sys-style ENOMEM).
add __my_fortify_panic() implementation.
linuxkm/Kbuild: for ENABLED_LINUXKM_PIE in rename-pie-text-and-data-sections recipe, create an .rodata.wolfcrypt section.
linuxkm/include.am: add linuxkm/lkcapi_glue.c to EXTRA_DIST.
wolfcrypt/test/test.c:
when defined(HAVE_FIPS_VERSION), inhibit a test clause in aes_xts_128_test() disallowed by FIPS ("FIPS AES-XTS main and tweak keys must differ").
fix out-of-order user message in ecc_test().
2024-01-26 20:01:19 -06:00
|
|
|
#endif /* HAVE_LINUXKM_PIE_SUPPORT && DEBUG_LINUXKM_PIE_SUPPORT */
|
2021-08-19 11:15:52 -05:00
|
|
|
|
|
|
|
|
#ifdef HAVE_FIPS
|
|
|
|
|
ret = wolfCrypt_SetCb_fips(lkmFipsCb);
|
|
|
|
|
if (ret != 0) {
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: wolfCrypt_SetCb_fips() failed: %s\n", wc_GetErrorString(ret));
|
2021-08-19 11:15:52 -05:00
|
|
|
return -ECANCELED;
|
|
|
|
|
}
|
|
|
|
|
fipsEntry();
|
|
|
|
|
ret = wolfCrypt_GetStatus_fips();
|
|
|
|
|
if (ret != 0) {
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: wolfCrypt_GetStatus_fips() failed with code %d: %s\n", ret, wc_GetErrorString(ret));
|
src/internal.c: in wolfSSL_ERR_reason_error_string(), add missing error string for SCR_DIFFERENT_CERT_E, and de-gate error strings previously gated on HAVE_HTTP_CLIENT.
tests/api.c: add error_test() adapted from wolfcrypt/test/test.c, checking all error strings for expected presence/absence and length, called from existing test_wolfSSL_ERR_strings().
wolfssl/ssl.h, wolfssl/error-ssl.h, and wolfssl/wolfcrypt/error-crypt.h:
* move several negative error return codes from ssl.h to error-ssl.h,
* renumber them to conform to existing sequence, and
* include error-ssl.h from ssl.h;
* add special-case WOLFSSL_DEBUG_TRACE_ERROR_CODES macros for WOLFSSL_FAILURE;
* add missing WOLFSSL_API attribute to wc_backtrace_render().
add numerous WC_NO_ERR_TRACE()s to operand error code uses, cleaning up error traces in general, and particularly when WOLFSSL_DEBUG_TRACE_ERROR_CODES_ALWAYS.
* crypto lib (36),
* crypto test&benchmark (20),
* TLS lib (179),
* examples (122),
* linuxkm (3),
* tests/api.c (2272).
2024-08-28 23:05:04 -05:00
|
|
|
if (ret == WC_NO_ERR_TRACE(IN_CORE_FIPS_E)) {
|
2021-08-19 11:15:52 -05:00
|
|
|
const char *newhash = wolfCrypt_GetCoreHash_fips();
|
|
|
|
|
pr_err("Update verifyCore[] in fips_test.c with new hash \"%s\" and rebuild.\n",
|
|
|
|
|
newhash ? newhash : "<null>");
|
|
|
|
|
}
|
|
|
|
|
return -ECANCELED;
|
|
|
|
|
}
|
2025-01-24 14:29:05 -06:00
|
|
|
#endif /* HAVE_FIPS */
|
|
|
|
|
|
|
|
|
|
#ifdef WC_RNG_SEED_CB
|
|
|
|
|
ret = wc_SetSeed_Cb(wc_GenerateSeed);
|
|
|
|
|
if (ret < 0) {
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: wc_SetSeed_Cb() failed with return code %d.\n", ret);
|
2025-01-24 14:29:05 -06:00
|
|
|
(void)libwolfssl_cleanup();
|
|
|
|
|
msleep(10);
|
|
|
|
|
return -ECANCELED;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#ifdef WOLFCRYPT_ONLY
|
|
|
|
|
ret = wolfCrypt_Init();
|
|
|
|
|
if (ret != 0) {
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: wolfCrypt_Init() failed: %s\n", wc_GetErrorString(ret));
|
2025-01-24 14:29:05 -06:00
|
|
|
return -ECANCELED;
|
|
|
|
|
}
|
|
|
|
|
#else
|
|
|
|
|
ret = wolfSSL_Init();
|
|
|
|
|
if (ret != WOLFSSL_SUCCESS) {
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: wolfSSL_Init() failed: %s\n", wc_GetErrorString(ret));
|
2025-01-24 14:29:05 -06:00
|
|
|
return -ECANCELED;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
2025-03-12 17:08:04 -05:00
|
|
|
#if defined(HAVE_FIPS) && FIPS_VERSION3_GT(5,2,0)
|
2025-01-24 14:29:05 -06:00
|
|
|
ret = wc_RunAllCast_fips();
|
|
|
|
|
if (ret != 0) {
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: wc_RunAllCast_fips() failed with return value %d\n", ret);
|
2025-01-24 14:29:05 -06:00
|
|
|
return -ECANCELED;
|
|
|
|
|
}
|
2021-08-19 11:15:52 -05:00
|
|
|
|
2024-01-29 17:48:31 -06:00
|
|
|
pr_info("FIPS 140-3 wolfCrypt-fips v%d.%d.%d%s%s startup "
|
|
|
|
|
"self-test succeeded.\n",
|
linuxkm: completion and stabilization of LKCAPI integration for AES-CBC, AES-CFB, AES-GCM, and AES-XTS:
linuxkm/lkcapi_glue.c (added in earlier commit):
implement linuxkm_lkcapi_register() and linuxkm_lkcapi_unregister() with idempotency.
add AES-XTS algorithm glue and self-test implementations.
add per-algorithm gating: LINUXKM_LKCAPI_REGISTER_AESCBC, _AESCFB, _AESGCM, and _AESXTS.
carry forward philljj's implementations for AES-CBC, AES-CFB, and AES-GCM, with various cleanups.
linuxkm/module_hooks.c:
print the "wolfCrypt container hashes" message only if DEBUG_LINUXKM_PIE_SUPPORT is set.
render the FIPS version for the self-test success message using the HAVE_FIPS_VERSION* macros.
add a "skipping full wolfcrypt_test() ..." message for --disable-crypttests builds.
add CONFIG_FORTIFY_SOURCE gates.
configure.ac:
add support for --enable-linuxkm-lkcapi-register;
add AES-XTS to output config summary;
rename --enable-xts to --enable-aesxts (retaining old option for backward compatibility).
linuxkm/linuxkm_wc_port.h: add support for CONFIG_FORTIFY_SOURCE.
linuxkm/linuxkm_memory.c:
fix retvals in save_vector_registers_x86() (wc-style MEMORY_E, not sys-style ENOMEM).
add __my_fortify_panic() implementation.
linuxkm/Kbuild: for ENABLED_LINUXKM_PIE in rename-pie-text-and-data-sections recipe, create an .rodata.wolfcrypt section.
linuxkm/include.am: add linuxkm/lkcapi_glue.c to EXTRA_DIST.
wolfcrypt/test/test.c:
when defined(HAVE_FIPS_VERSION), inhibit a test clause in aes_xts_128_test() disallowed by FIPS ("FIPS AES-XTS main and tweak keys must differ").
fix out-of-order user message in ecc_test().
2024-01-26 20:01:19 -06:00
|
|
|
#ifdef HAVE_FIPS_VERSION_MAJOR
|
|
|
|
|
HAVE_FIPS_VERSION_MAJOR,
|
|
|
|
|
#else
|
|
|
|
|
HAVE_FIPS_VERSION,
|
|
|
|
|
#endif
|
|
|
|
|
#ifdef HAVE_FIPS_VERSION_MINOR
|
|
|
|
|
HAVE_FIPS_VERSION_MINOR,
|
|
|
|
|
#else
|
|
|
|
|
0,
|
|
|
|
|
#endif
|
|
|
|
|
#ifdef HAVE_FIPS_VERSION_PATCH
|
|
|
|
|
HAVE_FIPS_VERSION_PATCH,
|
2021-08-19 11:15:52 -05:00
|
|
|
#else
|
linuxkm: completion and stabilization of LKCAPI integration for AES-CBC, AES-CFB, AES-GCM, and AES-XTS:
linuxkm/lkcapi_glue.c (added in earlier commit):
implement linuxkm_lkcapi_register() and linuxkm_lkcapi_unregister() with idempotency.
add AES-XTS algorithm glue and self-test implementations.
add per-algorithm gating: LINUXKM_LKCAPI_REGISTER_AESCBC, _AESCFB, _AESGCM, and _AESXTS.
carry forward philljj's implementations for AES-CBC, AES-CFB, and AES-GCM, with various cleanups.
linuxkm/module_hooks.c:
print the "wolfCrypt container hashes" message only if DEBUG_LINUXKM_PIE_SUPPORT is set.
render the FIPS version for the self-test success message using the HAVE_FIPS_VERSION* macros.
add a "skipping full wolfcrypt_test() ..." message for --disable-crypttests builds.
add CONFIG_FORTIFY_SOURCE gates.
configure.ac:
add support for --enable-linuxkm-lkcapi-register;
add AES-XTS to output config summary;
rename --enable-xts to --enable-aesxts (retaining old option for backward compatibility).
linuxkm/linuxkm_wc_port.h: add support for CONFIG_FORTIFY_SOURCE.
linuxkm/linuxkm_memory.c:
fix retvals in save_vector_registers_x86() (wc-style MEMORY_E, not sys-style ENOMEM).
add __my_fortify_panic() implementation.
linuxkm/Kbuild: for ENABLED_LINUXKM_PIE in rename-pie-text-and-data-sections recipe, create an .rodata.wolfcrypt section.
linuxkm/include.am: add linuxkm/lkcapi_glue.c to EXTRA_DIST.
wolfcrypt/test/test.c:
when defined(HAVE_FIPS_VERSION), inhibit a test clause in aes_xts_128_test() disallowed by FIPS ("FIPS AES-XTS main and tweak keys must differ").
fix out-of-order user message in ecc_test().
2024-01-26 20:01:19 -06:00
|
|
|
0,
|
2021-08-19 11:15:52 -05:00
|
|
|
#endif
|
linuxkm: completion and stabilization of LKCAPI integration for AES-CBC, AES-CFB, AES-GCM, and AES-XTS:
linuxkm/lkcapi_glue.c (added in earlier commit):
implement linuxkm_lkcapi_register() and linuxkm_lkcapi_unregister() with idempotency.
add AES-XTS algorithm glue and self-test implementations.
add per-algorithm gating: LINUXKM_LKCAPI_REGISTER_AESCBC, _AESCFB, _AESGCM, and _AESXTS.
carry forward philljj's implementations for AES-CBC, AES-CFB, and AES-GCM, with various cleanups.
linuxkm/module_hooks.c:
print the "wolfCrypt container hashes" message only if DEBUG_LINUXKM_PIE_SUPPORT is set.
render the FIPS version for the self-test success message using the HAVE_FIPS_VERSION* macros.
add a "skipping full wolfcrypt_test() ..." message for --disable-crypttests builds.
add CONFIG_FORTIFY_SOURCE gates.
configure.ac:
add support for --enable-linuxkm-lkcapi-register;
add AES-XTS to output config summary;
rename --enable-xts to --enable-aesxts (retaining old option for backward compatibility).
linuxkm/linuxkm_wc_port.h: add support for CONFIG_FORTIFY_SOURCE.
linuxkm/linuxkm_memory.c:
fix retvals in save_vector_registers_x86() (wc-style MEMORY_E, not sys-style ENOMEM).
add __my_fortify_panic() implementation.
linuxkm/Kbuild: for ENABLED_LINUXKM_PIE in rename-pie-text-and-data-sections recipe, create an .rodata.wolfcrypt section.
linuxkm/include.am: add linuxkm/lkcapi_glue.c to EXTRA_DIST.
wolfcrypt/test/test.c:
when defined(HAVE_FIPS_VERSION), inhibit a test clause in aes_xts_128_test() disallowed by FIPS ("FIPS AES-XTS main and tweak keys must differ").
fix out-of-order user message in ecc_test().
2024-01-26 20:01:19 -06:00
|
|
|
#ifdef HAVE_FIPS_VERSION_PORT
|
|
|
|
|
"-",
|
|
|
|
|
HAVE_FIPS_VERSION_PORT
|
|
|
|
|
#else
|
|
|
|
|
"",
|
|
|
|
|
""
|
|
|
|
|
#endif
|
|
|
|
|
);
|
2025-03-12 17:08:04 -05:00
|
|
|
#endif /* HAVE_FIPS && FIPS_VERSION3_GT(5,2,0) */
|
2021-08-19 11:15:52 -05:00
|
|
|
|
2020-08-21 00:10:45 -05:00
|
|
|
#ifndef NO_CRYPT_TEST
|
2023-03-03 22:00:24 -06:00
|
|
|
ret = wolfcrypt_test(NULL);
|
2020-08-21 01:28:03 -05:00
|
|
|
if (ret < 0) {
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: wolfcrypt self-test failed with return code %d.\n", ret);
|
2020-12-16 15:17:12 -06:00
|
|
|
(void)libwolfssl_cleanup();
|
2020-08-21 12:10:17 -05:00
|
|
|
msleep(10);
|
2021-08-19 11:15:52 -05:00
|
|
|
return -ECANCELED;
|
2020-08-21 00:10:45 -05:00
|
|
|
}
|
2020-12-03 18:24:39 -06:00
|
|
|
pr_info("wolfCrypt self-test passed.\n");
|
linuxkm: completion and stabilization of LKCAPI integration for AES-CBC, AES-CFB, AES-GCM, and AES-XTS:
linuxkm/lkcapi_glue.c (added in earlier commit):
implement linuxkm_lkcapi_register() and linuxkm_lkcapi_unregister() with idempotency.
add AES-XTS algorithm glue and self-test implementations.
add per-algorithm gating: LINUXKM_LKCAPI_REGISTER_AESCBC, _AESCFB, _AESGCM, and _AESXTS.
carry forward philljj's implementations for AES-CBC, AES-CFB, and AES-GCM, with various cleanups.
linuxkm/module_hooks.c:
print the "wolfCrypt container hashes" message only if DEBUG_LINUXKM_PIE_SUPPORT is set.
render the FIPS version for the self-test success message using the HAVE_FIPS_VERSION* macros.
add a "skipping full wolfcrypt_test() ..." message for --disable-crypttests builds.
add CONFIG_FORTIFY_SOURCE gates.
configure.ac:
add support for --enable-linuxkm-lkcapi-register;
add AES-XTS to output config summary;
rename --enable-xts to --enable-aesxts (retaining old option for backward compatibility).
linuxkm/linuxkm_wc_port.h: add support for CONFIG_FORTIFY_SOURCE.
linuxkm/linuxkm_memory.c:
fix retvals in save_vector_registers_x86() (wc-style MEMORY_E, not sys-style ENOMEM).
add __my_fortify_panic() implementation.
linuxkm/Kbuild: for ENABLED_LINUXKM_PIE in rename-pie-text-and-data-sections recipe, create an .rodata.wolfcrypt section.
linuxkm/include.am: add linuxkm/lkcapi_glue.c to EXTRA_DIST.
wolfcrypt/test/test.c:
when defined(HAVE_FIPS_VERSION), inhibit a test clause in aes_xts_128_test() disallowed by FIPS ("FIPS AES-XTS main and tweak keys must differ").
fix out-of-order user message in ecc_test().
2024-01-26 20:01:19 -06:00
|
|
|
#else
|
2025-03-12 17:08:04 -05:00
|
|
|
#if !defined(HAVE_FIPS) || FIPS_VERSION3_LE(5,2,0)
|
2024-01-29 17:48:31 -06:00
|
|
|
pr_info("skipping full wolfcrypt_test() "
|
|
|
|
|
"(configure with --enable-crypttests to enable).\n");
|
2020-12-03 18:24:39 -06:00
|
|
|
#endif
|
2025-03-12 17:08:04 -05:00
|
|
|
#endif
|
2020-12-03 18:24:39 -06:00
|
|
|
|
linuxkm: completion and stabilization of LKCAPI integration for AES-CBC, AES-CFB, AES-GCM, and AES-XTS:
linuxkm/lkcapi_glue.c (added in earlier commit):
implement linuxkm_lkcapi_register() and linuxkm_lkcapi_unregister() with idempotency.
add AES-XTS algorithm glue and self-test implementations.
add per-algorithm gating: LINUXKM_LKCAPI_REGISTER_AESCBC, _AESCFB, _AESGCM, and _AESXTS.
carry forward philljj's implementations for AES-CBC, AES-CFB, and AES-GCM, with various cleanups.
linuxkm/module_hooks.c:
print the "wolfCrypt container hashes" message only if DEBUG_LINUXKM_PIE_SUPPORT is set.
render the FIPS version for the self-test success message using the HAVE_FIPS_VERSION* macros.
add a "skipping full wolfcrypt_test() ..." message for --disable-crypttests builds.
add CONFIG_FORTIFY_SOURCE gates.
configure.ac:
add support for --enable-linuxkm-lkcapi-register;
add AES-XTS to output config summary;
rename --enable-xts to --enable-aesxts (retaining old option for backward compatibility).
linuxkm/linuxkm_wc_port.h: add support for CONFIG_FORTIFY_SOURCE.
linuxkm/linuxkm_memory.c:
fix retvals in save_vector_registers_x86() (wc-style MEMORY_E, not sys-style ENOMEM).
add __my_fortify_panic() implementation.
linuxkm/Kbuild: for ENABLED_LINUXKM_PIE in rename-pie-text-and-data-sections recipe, create an .rodata.wolfcrypt section.
linuxkm/include.am: add linuxkm/lkcapi_glue.c to EXTRA_DIST.
wolfcrypt/test/test.c:
when defined(HAVE_FIPS_VERSION), inhibit a test clause in aes_xts_128_test() disallowed by FIPS ("FIPS AES-XTS main and tweak keys must differ").
fix out-of-order user message in ecc_test().
2024-01-26 20:01:19 -06:00
|
|
|
#ifdef LINUXKM_LKCAPI_REGISTER
|
linuxkm: support DRBG in LKCAPI shim set:
* Implement --enable-linuxkm-lkcapi-register=stdrng and =stdrng-default,
LINUXKM_LKCAPI_REGISTER_HASH_DRBG, and
LINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT. With "_DEFAULT", the DRBG is
installed as the systemwide default stdrng, necessitating
deregister-on-command, described below. Note that get_random_bytes() and the
associated /dev/random and /dev/urandom do not use the default stdrng, and
their back end cannot currently be replaced by a module.
* Add control nodes /sys/module/libwolfssl/install_algs and
/sys/module/libwolfssl/deinstall_algs.
* Add configure option --enable-linuxkm-lkcapi-register=sysfs-nodes-only, and
macro LINUXKM_LKCAPI_REGISTER_ONLY_ON_COMMAND, to inhibit registration at
module load time.
In configure.ac ENABLED_LINUXKM_LKCAPI_REGISTER setup, don't define
WOLFSSL_DH_GEN_PUB in old FIPS, but do define it for =all.
2025-04-29 00:42:15 -05:00
|
|
|
#ifdef LINUXKM_LKCAPI_REGISTER_ONLY_ON_COMMAND
|
|
|
|
|
ret = linuxkm_lkcapi_sysfs_install();
|
|
|
|
|
|
|
|
|
|
if (ret) {
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: linuxkm_lkcapi_sysfs_install() failed with return code %d.\n", ret);
|
linuxkm: support DRBG in LKCAPI shim set:
* Implement --enable-linuxkm-lkcapi-register=stdrng and =stdrng-default,
LINUXKM_LKCAPI_REGISTER_HASH_DRBG, and
LINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT. With "_DEFAULT", the DRBG is
installed as the systemwide default stdrng, necessitating
deregister-on-command, described below. Note that get_random_bytes() and the
associated /dev/random and /dev/urandom do not use the default stdrng, and
their back end cannot currently be replaced by a module.
* Add control nodes /sys/module/libwolfssl/install_algs and
/sys/module/libwolfssl/deinstall_algs.
* Add configure option --enable-linuxkm-lkcapi-register=sysfs-nodes-only, and
macro LINUXKM_LKCAPI_REGISTER_ONLY_ON_COMMAND, to inhibit registration at
module load time.
In configure.ac ENABLED_LINUXKM_LKCAPI_REGISTER setup, don't define
WOLFSSL_DH_GEN_PUB in old FIPS, but do define it for =all.
2025-04-29 00:42:15 -05:00
|
|
|
(void)libwolfssl_cleanup();
|
|
|
|
|
msleep(10);
|
|
|
|
|
return -ECANCELED;
|
|
|
|
|
}
|
|
|
|
|
#else /* !LINUXKM_LKCAPI_REGISTER_ONLY_ON_COMMAND */
|
linuxkm: completion and stabilization of LKCAPI integration for AES-CBC, AES-CFB, AES-GCM, and AES-XTS:
linuxkm/lkcapi_glue.c (added in earlier commit):
implement linuxkm_lkcapi_register() and linuxkm_lkcapi_unregister() with idempotency.
add AES-XTS algorithm glue and self-test implementations.
add per-algorithm gating: LINUXKM_LKCAPI_REGISTER_AESCBC, _AESCFB, _AESGCM, and _AESXTS.
carry forward philljj's implementations for AES-CBC, AES-CFB, and AES-GCM, with various cleanups.
linuxkm/module_hooks.c:
print the "wolfCrypt container hashes" message only if DEBUG_LINUXKM_PIE_SUPPORT is set.
render the FIPS version for the self-test success message using the HAVE_FIPS_VERSION* macros.
add a "skipping full wolfcrypt_test() ..." message for --disable-crypttests builds.
add CONFIG_FORTIFY_SOURCE gates.
configure.ac:
add support for --enable-linuxkm-lkcapi-register;
add AES-XTS to output config summary;
rename --enable-xts to --enable-aesxts (retaining old option for backward compatibility).
linuxkm/linuxkm_wc_port.h: add support for CONFIG_FORTIFY_SOURCE.
linuxkm/linuxkm_memory.c:
fix retvals in save_vector_registers_x86() (wc-style MEMORY_E, not sys-style ENOMEM).
add __my_fortify_panic() implementation.
linuxkm/Kbuild: for ENABLED_LINUXKM_PIE in rename-pie-text-and-data-sections recipe, create an .rodata.wolfcrypt section.
linuxkm/include.am: add linuxkm/lkcapi_glue.c to EXTRA_DIST.
wolfcrypt/test/test.c:
when defined(HAVE_FIPS_VERSION), inhibit a test clause in aes_xts_128_test() disallowed by FIPS ("FIPS AES-XTS main and tweak keys must differ").
fix out-of-order user message in ecc_test().
2024-01-26 20:01:19 -06:00
|
|
|
ret = linuxkm_lkcapi_register();
|
2024-01-26 14:07:58 -06:00
|
|
|
|
|
|
|
|
if (ret) {
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: linuxkm_lkcapi_register() failed with return code %d.\n", ret);
|
linuxkm: completion and stabilization of LKCAPI integration for AES-CBC, AES-CFB, AES-GCM, and AES-XTS:
linuxkm/lkcapi_glue.c (added in earlier commit):
implement linuxkm_lkcapi_register() and linuxkm_lkcapi_unregister() with idempotency.
add AES-XTS algorithm glue and self-test implementations.
add per-algorithm gating: LINUXKM_LKCAPI_REGISTER_AESCBC, _AESCFB, _AESGCM, and _AESXTS.
carry forward philljj's implementations for AES-CBC, AES-CFB, and AES-GCM, with various cleanups.
linuxkm/module_hooks.c:
print the "wolfCrypt container hashes" message only if DEBUG_LINUXKM_PIE_SUPPORT is set.
render the FIPS version for the self-test success message using the HAVE_FIPS_VERSION* macros.
add a "skipping full wolfcrypt_test() ..." message for --disable-crypttests builds.
add CONFIG_FORTIFY_SOURCE gates.
configure.ac:
add support for --enable-linuxkm-lkcapi-register;
add AES-XTS to output config summary;
rename --enable-xts to --enable-aesxts (retaining old option for backward compatibility).
linuxkm/linuxkm_wc_port.h: add support for CONFIG_FORTIFY_SOURCE.
linuxkm/linuxkm_memory.c:
fix retvals in save_vector_registers_x86() (wc-style MEMORY_E, not sys-style ENOMEM).
add __my_fortify_panic() implementation.
linuxkm/Kbuild: for ENABLED_LINUXKM_PIE in rename-pie-text-and-data-sections recipe, create an .rodata.wolfcrypt section.
linuxkm/include.am: add linuxkm/lkcapi_glue.c to EXTRA_DIST.
wolfcrypt/test/test.c:
when defined(HAVE_FIPS_VERSION), inhibit a test clause in aes_xts_128_test() disallowed by FIPS ("FIPS AES-XTS main and tweak keys must differ").
fix out-of-order user message in ecc_test().
2024-01-26 20:01:19 -06:00
|
|
|
linuxkm_lkcapi_unregister();
|
2024-01-26 14:07:58 -06:00
|
|
|
(void)libwolfssl_cleanup();
|
|
|
|
|
msleep(10);
|
|
|
|
|
return -ECANCELED;
|
|
|
|
|
}
|
linuxkm: support DRBG in LKCAPI shim set:
* Implement --enable-linuxkm-lkcapi-register=stdrng and =stdrng-default,
LINUXKM_LKCAPI_REGISTER_HASH_DRBG, and
LINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT. With "_DEFAULT", the DRBG is
installed as the systemwide default stdrng, necessitating
deregister-on-command, described below. Note that get_random_bytes() and the
associated /dev/random and /dev/urandom do not use the default stdrng, and
their back end cannot currently be replaced by a module.
* Add control nodes /sys/module/libwolfssl/install_algs and
/sys/module/libwolfssl/deinstall_algs.
* Add configure option --enable-linuxkm-lkcapi-register=sysfs-nodes-only, and
macro LINUXKM_LKCAPI_REGISTER_ONLY_ON_COMMAND, to inhibit registration at
module load time.
In configure.ac ENABLED_LINUXKM_LKCAPI_REGISTER setup, don't define
WOLFSSL_DH_GEN_PUB in old FIPS, but do define it for =all.
2025-04-29 00:42:15 -05:00
|
|
|
#endif /* !LINUXKM_LKCAPI_REGISTER_ONLY_ON_COMMAND */
|
|
|
|
|
#endif /* LINUXKM_LKCAPI_REGISTER */
|
2024-01-26 14:07:58 -06:00
|
|
|
|
2025-05-01 00:08:32 -05:00
|
|
|
#ifdef HAVE_FIPS
|
|
|
|
|
(void)linuxkm_lkcapi_sysfs_install_node(&FIPS_rerun_self_test_attr, &installed_sysfs_FIPS_files);
|
|
|
|
|
#endif
|
|
|
|
|
|
2023-05-17 01:44:36 -05:00
|
|
|
#ifdef WOLFSSL_LINUXKM_BENCHMARKS
|
|
|
|
|
wolfcrypt_benchmark_main(0, (char**)NULL);
|
|
|
|
|
#endif
|
|
|
|
|
|
2020-12-03 18:24:39 -06:00
|
|
|
#ifdef WOLFCRYPT_ONLY
|
2021-10-22 16:57:21 -05:00
|
|
|
pr_info("wolfCrypt " LIBWOLFSSL_VERSION_STRING " loaded%s"
|
|
|
|
|
".\nSee https://www.wolfssl.com/ for more information.\n"
|
|
|
|
|
"wolfCrypt Copyright (C) 2006-present wolfSSL Inc. Licensed under " WOLFSSL_LICENSE ".\n",
|
2021-09-15 23:05:32 -05:00
|
|
|
#ifdef CONFIG_MODULE_SIG
|
2021-10-22 16:57:21 -05:00
|
|
|
THIS_MODULE->sig_ok ? " with valid module signature" : " without valid module signature"
|
|
|
|
|
#else
|
|
|
|
|
""
|
2021-09-15 23:05:32 -05:00
|
|
|
#endif
|
2021-11-05 18:29:41 -05:00
|
|
|
);
|
2020-08-21 01:28:03 -05:00
|
|
|
#else
|
2021-10-22 16:57:21 -05:00
|
|
|
pr_info("wolfSSL " LIBWOLFSSL_VERSION_STRING " loaded%s"
|
|
|
|
|
".\nSee https://www.wolfssl.com/ for more information.\n"
|
|
|
|
|
"wolfSSL Copyright (C) 2006-present wolfSSL Inc. Licensed under " WOLFSSL_LICENSE ".\n",
|
2021-09-15 23:05:32 -05:00
|
|
|
#ifdef CONFIG_MODULE_SIG
|
2021-10-22 16:57:21 -05:00
|
|
|
THIS_MODULE->sig_ok ? " with valid module signature" : " without valid module signature"
|
|
|
|
|
#else
|
|
|
|
|
""
|
2021-09-15 23:05:32 -05:00
|
|
|
#endif
|
2021-10-22 16:57:21 -05:00
|
|
|
);
|
2020-08-21 00:10:45 -05:00
|
|
|
#endif
|
2020-08-18 14:17:44 -05:00
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
module_init(wolfssl_init);
|
|
|
|
|
|
2020-08-19 13:39:54 -05:00
|
|
|
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 0, 0)
|
2020-08-18 14:17:44 -05:00
|
|
|
static void __exit wolfssl_exit(void)
|
2020-08-19 13:39:54 -05:00
|
|
|
#else
|
|
|
|
|
static void wolfssl_exit(void)
|
|
|
|
|
#endif
|
2020-08-18 14:17:44 -05:00
|
|
|
{
|
2025-05-01 00:08:32 -05:00
|
|
|
#ifdef HAVE_FIPS
|
2025-07-09 16:29:04 -05:00
|
|
|
int ret;
|
|
|
|
|
|
2025-05-01 00:08:32 -05:00
|
|
|
(void)linuxkm_lkcapi_sysfs_deinstall_node(&FIPS_rerun_self_test_attr, &installed_sysfs_FIPS_files);
|
|
|
|
|
#endif
|
|
|
|
|
|
linuxkm: completion and stabilization of LKCAPI integration for AES-CBC, AES-CFB, AES-GCM, and AES-XTS:
linuxkm/lkcapi_glue.c (added in earlier commit):
implement linuxkm_lkcapi_register() and linuxkm_lkcapi_unregister() with idempotency.
add AES-XTS algorithm glue and self-test implementations.
add per-algorithm gating: LINUXKM_LKCAPI_REGISTER_AESCBC, _AESCFB, _AESGCM, and _AESXTS.
carry forward philljj's implementations for AES-CBC, AES-CFB, and AES-GCM, with various cleanups.
linuxkm/module_hooks.c:
print the "wolfCrypt container hashes" message only if DEBUG_LINUXKM_PIE_SUPPORT is set.
render the FIPS version for the self-test success message using the HAVE_FIPS_VERSION* macros.
add a "skipping full wolfcrypt_test() ..." message for --disable-crypttests builds.
add CONFIG_FORTIFY_SOURCE gates.
configure.ac:
add support for --enable-linuxkm-lkcapi-register;
add AES-XTS to output config summary;
rename --enable-xts to --enable-aesxts (retaining old option for backward compatibility).
linuxkm/linuxkm_wc_port.h: add support for CONFIG_FORTIFY_SOURCE.
linuxkm/linuxkm_memory.c:
fix retvals in save_vector_registers_x86() (wc-style MEMORY_E, not sys-style ENOMEM).
add __my_fortify_panic() implementation.
linuxkm/Kbuild: for ENABLED_LINUXKM_PIE in rename-pie-text-and-data-sections recipe, create an .rodata.wolfcrypt section.
linuxkm/include.am: add linuxkm/lkcapi_glue.c to EXTRA_DIST.
wolfcrypt/test/test.c:
when defined(HAVE_FIPS_VERSION), inhibit a test clause in aes_xts_128_test() disallowed by FIPS ("FIPS AES-XTS main and tweak keys must differ").
fix out-of-order user message in ecc_test().
2024-01-26 20:01:19 -06:00
|
|
|
#ifdef LINUXKM_LKCAPI_REGISTER
|
linuxkm: support DRBG in LKCAPI shim set:
* Implement --enable-linuxkm-lkcapi-register=stdrng and =stdrng-default,
LINUXKM_LKCAPI_REGISTER_HASH_DRBG, and
LINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT. With "_DEFAULT", the DRBG is
installed as the systemwide default stdrng, necessitating
deregister-on-command, described below. Note that get_random_bytes() and the
associated /dev/random and /dev/urandom do not use the default stdrng, and
their back end cannot currently be replaced by a module.
* Add control nodes /sys/module/libwolfssl/install_algs and
/sys/module/libwolfssl/deinstall_algs.
* Add configure option --enable-linuxkm-lkcapi-register=sysfs-nodes-only, and
macro LINUXKM_LKCAPI_REGISTER_ONLY_ON_COMMAND, to inhibit registration at
module load time.
In configure.ac ENABLED_LINUXKM_LKCAPI_REGISTER setup, don't define
WOLFSSL_DH_GEN_PUB in old FIPS, but do define it for =all.
2025-04-29 00:42:15 -05:00
|
|
|
(void)linuxkm_lkcapi_unregister();
|
|
|
|
|
(void)linuxkm_lkcapi_sysfs_deinstall();
|
linuxkm: completion and stabilization of LKCAPI integration for AES-CBC, AES-CFB, AES-GCM, and AES-XTS:
linuxkm/lkcapi_glue.c (added in earlier commit):
implement linuxkm_lkcapi_register() and linuxkm_lkcapi_unregister() with idempotency.
add AES-XTS algorithm glue and self-test implementations.
add per-algorithm gating: LINUXKM_LKCAPI_REGISTER_AESCBC, _AESCFB, _AESGCM, and _AESXTS.
carry forward philljj's implementations for AES-CBC, AES-CFB, and AES-GCM, with various cleanups.
linuxkm/module_hooks.c:
print the "wolfCrypt container hashes" message only if DEBUG_LINUXKM_PIE_SUPPORT is set.
render the FIPS version for the self-test success message using the HAVE_FIPS_VERSION* macros.
add a "skipping full wolfcrypt_test() ..." message for --disable-crypttests builds.
add CONFIG_FORTIFY_SOURCE gates.
configure.ac:
add support for --enable-linuxkm-lkcapi-register;
add AES-XTS to output config summary;
rename --enable-xts to --enable-aesxts (retaining old option for backward compatibility).
linuxkm/linuxkm_wc_port.h: add support for CONFIG_FORTIFY_SOURCE.
linuxkm/linuxkm_memory.c:
fix retvals in save_vector_registers_x86() (wc-style MEMORY_E, not sys-style ENOMEM).
add __my_fortify_panic() implementation.
linuxkm/Kbuild: for ENABLED_LINUXKM_PIE in rename-pie-text-and-data-sections recipe, create an .rodata.wolfcrypt section.
linuxkm/include.am: add linuxkm/lkcapi_glue.c to EXTRA_DIST.
wolfcrypt/test/test.c:
when defined(HAVE_FIPS_VERSION), inhibit a test clause in aes_xts_128_test() disallowed by FIPS ("FIPS AES-XTS main and tweak keys must differ").
fix out-of-order user message in ecc_test().
2024-01-26 20:01:19 -06:00
|
|
|
#endif
|
|
|
|
|
|
2025-07-09 16:29:04 -05:00
|
|
|
#ifdef HAVE_FIPS
|
|
|
|
|
ret = wc_RunAllCast_fips();
|
|
|
|
|
if (ret != 0) {
|
|
|
|
|
pr_err("ERROR: wc_RunAllCast_fips() failed at shutdown with return value %d\n", ret);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
pr_info("wolfCrypt FIPS re-self-test succeeded at unload: all algorithms re-verified.");
|
|
|
|
|
#endif
|
|
|
|
|
|
2020-12-16 15:17:12 -06:00
|
|
|
(void)libwolfssl_cleanup();
|
2021-09-15 23:05:32 -05:00
|
|
|
|
2020-08-18 14:17:44 -05:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
module_exit(wolfssl_exit);
|
|
|
|
|
|
2021-09-15 23:05:32 -05:00
|
|
|
MODULE_LICENSE(WOLFSSL_LICENSE);
|
2020-08-18 14:17:44 -05:00
|
|
|
MODULE_AUTHOR("https://www.wolfssl.com/");
|
|
|
|
|
MODULE_DESCRIPTION("libwolfssl cryptographic and protocol facilities");
|
|
|
|
|
MODULE_VERSION(LIBWOLFSSL_VERSION_STRING);
|
2021-08-19 11:15:52 -05:00
|
|
|
|
|
|
|
|
#ifdef USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE
|
|
|
|
|
|
2021-09-15 23:05:32 -05:00
|
|
|
/* get_current() is an inline or macro, depending on the target -- sidestep the whole issue with a wrapper func. */
|
|
|
|
|
static struct task_struct *my_get_current_thread(void) {
|
|
|
|
|
return get_current();
|
|
|
|
|
}
|
|
|
|
|
|
linuxkm/lkcapi_sha_glue.c:
* implement interception of _get_random_bytes() and get_random_bytes_user() (implicitly intercepts /dev/random and /dev/urandom):
* get_crypto_default_rng()
* get_default_drbg_ctx()
* wc__get_random_bytes()
* wc_get_random_bytes_user()
* wc_extract_crng_user()
* wc_mix_pool_bytes()
* wc_crng_reseed()
* wc_get_random_bytes_by_kprobe()
* wc_get_random_bytes_user_kretprobe_enter()
* wc_get_random_bytes_user_kretprobe_exit()
* add LINUXKM_DRBG_GET_RANDOM_BYTES sections to wc_linuxkm_drbg_startup() and wc_linuxkm_drbg_cleanup()
* add linuxkm/patches/*/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-*.patch, initially for versions:
* 5.10.17
* 5.10.236
* 5.15
* 5.17
* 6.1.73
* 6.12
* 6.15
* remove "*.patch" from .gitignore.
* add linuxkm/patches/regen-patches.sh.
* in wc_linuxkm_drbg_ctx_clear(), check lock count before freeing.
* in get_drbg() and put_drbg(), use migrate_disable(), not DISABLE_VECTOR_REGISTERS().
* in wc_linuxkm_drbg_generate(), explicitly DISABLE_VECTOR_REGISTERS() for the crypto_default_rng.
* in wc_linuxkm_drbg_generate(), add DRBG reinitialization code to handle RNG_FAILURE_E. This handles the situation where a DRBG was instantiated in a vector-ops-allowed context, caching a vectorized SHA256 ethod, but later used in a no-vector-ops-allowed context.
* in wc_linuxkm_drbg_seed(), add DISABLE_VECTOR_REGISTERS() wrapper around wc_RNG_DRBG_Reseed() for crypto_default_rng.
linuxkm/x86_vector_register_glue.c:
* add crash recovery logic to wc_linuxkm_fpu_state_assoc_unlikely()
* in wc_linuxkm_fpu_state_assoc(), when wc_linuxkm_fpu_states is null, don't call wc_linuxkm_fpu_state_assoc_unlikely() if !assume_fpu_began.
* in can_save_vector_registers_x86(), save_vector_registers_x86(), and restore_vector_registers_x86(), check for hard interrupt context first, to return early failure if current->pid is unusable.
* in save_vector_registers_x86(), tweak logic around WC_FPU_INHIBITED_FLAG, adding local_bh_disable()...local_bh_enable() to provide for safe recursion.
wolfcrypt/src/random.c: optimization: in Hash_df(), for WOLFSSL_LINUXKM, don't put digest[WC_SHA256_DIGEST_SIZE] in the heap, keep it on the stack.
wolfssl/wolfcrypt/types.h: add WOLFSSL_NO_ASM no-op definitions for DISABLE_VECTOR_REGISTERS() and REENABLE_VECTOR_REGISTERS().
configure.ac:
* move --enable-linuxkm and --enable-linuxkm-defaults initial detection early, so that HMAC_COPY_DEFAULT picks it up.
* add ENABLED_ENTROPY_MEMUSE_DEFAULT, and enable it by default when ENABLED_LINUXKM_DEFAULTS.
* update linuxkm-lkcapi-register help message.
linuxkm/linuxkm_wc_port.h:
* add my_kallsyms_lookup_name().
* add preempt_count, _raw_spin_lock_irqsave, _raw_spin_trylock, _raw_spin_unlock_irqrestore, and _cond_resched, to wolfssl_linuxkm_pie_redirect_table, and add spin_unlock_irqrestore() macro to mask native inline.
* move linuxkm mutex wrappers from wolfcrypt/src/wc_port.c to linuxkm_wc_port.h, make them inlines, and add new default spinlock-based implementation, with old method now gated on WOLFSSL_LINUXKM_USE_MUTEXES.
* change malloc() and realloc() wrappers from GFP_KERNEL to GFP_ATOMIC.
linuxkm/lkcapi_glue.c: make misc.h/misc.c inclusion unconditional, and trim now-redundant inclusions out of lkcapi_dh_glue.c and lkcapi_ecdh_glue.c.
2025-06-30 15:23:04 -05:00
|
|
|
/* preempt_count() is an inline function in arch/x86/include/asm/preempt.h that
|
|
|
|
|
* accesses __preempt_count, which is an int array declared with
|
|
|
|
|
* DECLARE_PER_CPU_CACHE_HOT.
|
|
|
|
|
*/
|
|
|
|
|
static int my_preempt_count(void) {
|
|
|
|
|
return preempt_count();
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-19 11:15:52 -05:00
|
|
|
static int set_up_wolfssl_linuxkm_pie_redirect_table(void) {
|
|
|
|
|
memset(
|
|
|
|
|
&wolfssl_linuxkm_pie_redirect_table,
|
|
|
|
|
0,
|
|
|
|
|
sizeof wolfssl_linuxkm_pie_redirect_table);
|
|
|
|
|
|
|
|
|
|
#ifndef __ARCH_MEMCMP_NO_REDIRECT
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.memcmp = memcmp;
|
|
|
|
|
#endif
|
linuxkm: completion and stabilization of LKCAPI integration for AES-CBC, AES-CFB, AES-GCM, and AES-XTS:
linuxkm/lkcapi_glue.c (added in earlier commit):
implement linuxkm_lkcapi_register() and linuxkm_lkcapi_unregister() with idempotency.
add AES-XTS algorithm glue and self-test implementations.
add per-algorithm gating: LINUXKM_LKCAPI_REGISTER_AESCBC, _AESCFB, _AESGCM, and _AESXTS.
carry forward philljj's implementations for AES-CBC, AES-CFB, and AES-GCM, with various cleanups.
linuxkm/module_hooks.c:
print the "wolfCrypt container hashes" message only if DEBUG_LINUXKM_PIE_SUPPORT is set.
render the FIPS version for the self-test success message using the HAVE_FIPS_VERSION* macros.
add a "skipping full wolfcrypt_test() ..." message for --disable-crypttests builds.
add CONFIG_FORTIFY_SOURCE gates.
configure.ac:
add support for --enable-linuxkm-lkcapi-register;
add AES-XTS to output config summary;
rename --enable-xts to --enable-aesxts (retaining old option for backward compatibility).
linuxkm/linuxkm_wc_port.h: add support for CONFIG_FORTIFY_SOURCE.
linuxkm/linuxkm_memory.c:
fix retvals in save_vector_registers_x86() (wc-style MEMORY_E, not sys-style ENOMEM).
add __my_fortify_panic() implementation.
linuxkm/Kbuild: for ENABLED_LINUXKM_PIE in rename-pie-text-and-data-sections recipe, create an .rodata.wolfcrypt section.
linuxkm/include.am: add linuxkm/lkcapi_glue.c to EXTRA_DIST.
wolfcrypt/test/test.c:
when defined(HAVE_FIPS_VERSION), inhibit a test clause in aes_xts_128_test() disallowed by FIPS ("FIPS AES-XTS main and tweak keys must differ").
fix out-of-order user message in ecc_test().
2024-01-26 20:01:19 -06:00
|
|
|
#ifndef CONFIG_FORTIFY_SOURCE
|
2021-08-19 11:15:52 -05:00
|
|
|
#ifndef __ARCH_MEMCPY_NO_REDIRECT
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.memcpy = memcpy;
|
|
|
|
|
#endif
|
|
|
|
|
#ifndef __ARCH_MEMSET_NO_REDIRECT
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.memset = memset;
|
|
|
|
|
#endif
|
|
|
|
|
#ifndef __ARCH_MEMMOVE_NO_REDIRECT
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.memmove = memmove;
|
|
|
|
|
#endif
|
linuxkm: completion and stabilization of LKCAPI integration for AES-CBC, AES-CFB, AES-GCM, and AES-XTS:
linuxkm/lkcapi_glue.c (added in earlier commit):
implement linuxkm_lkcapi_register() and linuxkm_lkcapi_unregister() with idempotency.
add AES-XTS algorithm glue and self-test implementations.
add per-algorithm gating: LINUXKM_LKCAPI_REGISTER_AESCBC, _AESCFB, _AESGCM, and _AESXTS.
carry forward philljj's implementations for AES-CBC, AES-CFB, and AES-GCM, with various cleanups.
linuxkm/module_hooks.c:
print the "wolfCrypt container hashes" message only if DEBUG_LINUXKM_PIE_SUPPORT is set.
render the FIPS version for the self-test success message using the HAVE_FIPS_VERSION* macros.
add a "skipping full wolfcrypt_test() ..." message for --disable-crypttests builds.
add CONFIG_FORTIFY_SOURCE gates.
configure.ac:
add support for --enable-linuxkm-lkcapi-register;
add AES-XTS to output config summary;
rename --enable-xts to --enable-aesxts (retaining old option for backward compatibility).
linuxkm/linuxkm_wc_port.h: add support for CONFIG_FORTIFY_SOURCE.
linuxkm/linuxkm_memory.c:
fix retvals in save_vector_registers_x86() (wc-style MEMORY_E, not sys-style ENOMEM).
add __my_fortify_panic() implementation.
linuxkm/Kbuild: for ENABLED_LINUXKM_PIE in rename-pie-text-and-data-sections recipe, create an .rodata.wolfcrypt section.
linuxkm/include.am: add linuxkm/lkcapi_glue.c to EXTRA_DIST.
wolfcrypt/test/test.c:
when defined(HAVE_FIPS_VERSION), inhibit a test clause in aes_xts_128_test() disallowed by FIPS ("FIPS AES-XTS main and tweak keys must differ").
fix out-of-order user message in ecc_test().
2024-01-26 20:01:19 -06:00
|
|
|
#endif /* !CONFIG_FORTIFY_SOURCE */
|
2022-05-10 12:20:12 -05:00
|
|
|
#ifndef __ARCH_STRCMP_NO_REDIRECT
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.strcmp = strcmp;
|
|
|
|
|
#endif
|
2021-08-19 11:15:52 -05:00
|
|
|
#ifndef __ARCH_STRNCMP_NO_REDIRECT
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.strncmp = strncmp;
|
|
|
|
|
#endif
|
2022-05-10 12:20:12 -05:00
|
|
|
#ifndef __ARCH_STRCASECMP_NO_REDIRECT
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.strcasecmp = strcasecmp;
|
|
|
|
|
#endif
|
|
|
|
|
#ifndef __ARCH_STRNCASECMP_NO_REDIRECT
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.strncasecmp = strncasecmp;
|
|
|
|
|
#endif
|
2021-08-19 11:15:52 -05:00
|
|
|
#ifndef __ARCH_STRLEN_NO_REDIRECT
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.strlen = strlen;
|
|
|
|
|
#endif
|
|
|
|
|
#ifndef __ARCH_STRSTR_NO_REDIRECT
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.strstr = strstr;
|
|
|
|
|
#endif
|
|
|
|
|
#ifndef __ARCH_STRNCPY_NO_REDIRECT
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.strncpy = strncpy;
|
|
|
|
|
#endif
|
|
|
|
|
#ifndef __ARCH_STRNCAT_NO_REDIRECT
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.strncat = strncat;
|
|
|
|
|
#endif
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.kstrtoll = kstrtoll;
|
|
|
|
|
|
2021-11-01 12:03:41 -05:00
|
|
|
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 15, 0)
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table._printk = _printk;
|
|
|
|
|
#else
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.printk = printk;
|
|
|
|
|
#endif
|
linuxkm: completion and stabilization of LKCAPI integration for AES-CBC, AES-CFB, AES-GCM, and AES-XTS:
linuxkm/lkcapi_glue.c (added in earlier commit):
implement linuxkm_lkcapi_register() and linuxkm_lkcapi_unregister() with idempotency.
add AES-XTS algorithm glue and self-test implementations.
add per-algorithm gating: LINUXKM_LKCAPI_REGISTER_AESCBC, _AESCFB, _AESGCM, and _AESXTS.
carry forward philljj's implementations for AES-CBC, AES-CFB, and AES-GCM, with various cleanups.
linuxkm/module_hooks.c:
print the "wolfCrypt container hashes" message only if DEBUG_LINUXKM_PIE_SUPPORT is set.
render the FIPS version for the self-test success message using the HAVE_FIPS_VERSION* macros.
add a "skipping full wolfcrypt_test() ..." message for --disable-crypttests builds.
add CONFIG_FORTIFY_SOURCE gates.
configure.ac:
add support for --enable-linuxkm-lkcapi-register;
add AES-XTS to output config summary;
rename --enable-xts to --enable-aesxts (retaining old option for backward compatibility).
linuxkm/linuxkm_wc_port.h: add support for CONFIG_FORTIFY_SOURCE.
linuxkm/linuxkm_memory.c:
fix retvals in save_vector_registers_x86() (wc-style MEMORY_E, not sys-style ENOMEM).
add __my_fortify_panic() implementation.
linuxkm/Kbuild: for ENABLED_LINUXKM_PIE in rename-pie-text-and-data-sections recipe, create an .rodata.wolfcrypt section.
linuxkm/include.am: add linuxkm/lkcapi_glue.c to EXTRA_DIST.
wolfcrypt/test/test.c:
when defined(HAVE_FIPS_VERSION), inhibit a test clause in aes_xts_128_test() disallowed by FIPS ("FIPS AES-XTS main and tweak keys must differ").
fix out-of-order user message in ecc_test().
2024-01-26 20:01:19 -06:00
|
|
|
|
|
|
|
|
#ifdef CONFIG_FORTIFY_SOURCE
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.__warn_printk = __warn_printk;
|
|
|
|
|
#endif
|
|
|
|
|
|
2021-08-19 11:15:52 -05:00
|
|
|
wolfssl_linuxkm_pie_redirect_table.snprintf = snprintf;
|
|
|
|
|
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table._ctype = _ctype;
|
|
|
|
|
|
2024-08-02 10:16:19 -05:00
|
|
|
#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 11, 0)
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.kmalloc_noprof = kmalloc_noprof;
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.krealloc_noprof = krealloc_noprof;
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.kzalloc_noprof = kzalloc_noprof;
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.__kvmalloc_node_noprof = __kvmalloc_node_noprof;
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.__kmalloc_cache_noprof = __kmalloc_cache_noprof;
|
2025-07-09 16:29:04 -05:00
|
|
|
wolfssl_linuxkm_pie_redirect_table.kvrealloc_noprof = kvrealloc_noprof;
|
2024-08-02 10:16:19 -05:00
|
|
|
#elif LINUX_VERSION_CODE >= KERNEL_VERSION(6, 10, 0)
|
2024-05-30 11:21:42 -05:00
|
|
|
wolfssl_linuxkm_pie_redirect_table.kmalloc_noprof = kmalloc_noprof;
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.krealloc_noprof = krealloc_noprof;
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.kzalloc_noprof = kzalloc_noprof;
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.kvmalloc_node_noprof = kvmalloc_node_noprof;
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.kmalloc_trace_noprof = kmalloc_trace_noprof;
|
2025-07-09 16:29:04 -05:00
|
|
|
wolfssl_linuxkm_pie_redirect_table.kvrealloc_noprof = kvrealloc_noprof;
|
2024-05-30 11:21:42 -05:00
|
|
|
#else
|
2021-08-19 11:15:52 -05:00
|
|
|
wolfssl_linuxkm_pie_redirect_table.kmalloc = kmalloc;
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.krealloc = krealloc;
|
|
|
|
|
#ifdef HAVE_KVMALLOC
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.kvmalloc_node = kvmalloc_node;
|
2025-07-09 18:22:01 -05:00
|
|
|
#endif
|
|
|
|
|
#ifdef HAVE_KVREALLOC
|
2025-07-09 16:29:04 -05:00
|
|
|
wolfssl_linuxkm_pie_redirect_table.kvrealloc = kvrealloc;
|
2021-08-19 11:15:52 -05:00
|
|
|
#endif
|
2022-10-18 13:34:24 -05:00
|
|
|
#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0)
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.kmalloc_trace =
|
|
|
|
|
kmalloc_trace;
|
|
|
|
|
#else
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.kmem_cache_alloc_trace =
|
|
|
|
|
kmem_cache_alloc_trace;
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.kmalloc_order_trace =
|
|
|
|
|
kmalloc_order_trace;
|
|
|
|
|
#endif
|
2024-05-30 11:21:42 -05:00
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.kfree = kfree;
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.ksize = ksize;
|
|
|
|
|
#ifdef HAVE_KVMALLOC
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.kvfree = kvfree;
|
|
|
|
|
#endif
|
2021-08-19 11:15:52 -05:00
|
|
|
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.get_random_bytes = get_random_bytes;
|
2021-09-20 13:46:51 -05:00
|
|
|
#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0)
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.getnstimeofday =
|
|
|
|
|
getnstimeofday;
|
|
|
|
|
#elif LINUX_VERSION_CODE < KERNEL_VERSION(5, 0, 0)
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.current_kernel_time64 =
|
|
|
|
|
current_kernel_time64;
|
|
|
|
|
#else
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.ktime_get_coarse_real_ts64 =
|
|
|
|
|
ktime_get_coarse_real_ts64;
|
|
|
|
|
#endif
|
2021-09-15 23:05:32 -05:00
|
|
|
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.get_current = my_get_current_thread;
|
2023-05-17 01:44:36 -05:00
|
|
|
|
2024-05-08 16:18:33 -05:00
|
|
|
#if defined(WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS) && defined(CONFIG_X86)
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.allocate_wolfcrypt_linuxkm_fpu_states = allocate_wolfcrypt_linuxkm_fpu_states;
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.can_save_vector_registers_x86 = can_save_vector_registers_x86;
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.free_wolfcrypt_linuxkm_fpu_states = free_wolfcrypt_linuxkm_fpu_states;
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.restore_vector_registers_x86 = restore_vector_registers_x86;
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.save_vector_registers_x86 = save_vector_registers_x86;
|
|
|
|
|
#elif defined(WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS)
|
|
|
|
|
#error WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS is set for an unsupported architecture.
|
2023-05-17 01:44:36 -05:00
|
|
|
#endif /* WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS */
|
2021-08-19 11:15:52 -05:00
|
|
|
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.__mutex_init = __mutex_init;
|
2021-09-20 13:46:51 -05:00
|
|
|
#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0)
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.mutex_lock_nested = mutex_lock_nested;
|
|
|
|
|
#else
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.mutex_lock = mutex_lock;
|
|
|
|
|
#endif
|
2021-08-19 11:15:52 -05:00
|
|
|
wolfssl_linuxkm_pie_redirect_table.mutex_unlock = mutex_unlock;
|
2021-09-20 13:46:51 -05:00
|
|
|
#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0)
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.mutex_destroy = mutex_destroy;
|
|
|
|
|
#endif
|
2021-08-19 11:15:52 -05:00
|
|
|
|
|
|
|
|
#ifdef HAVE_FIPS
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_first =
|
|
|
|
|
wolfCrypt_FIPS_first;
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_last =
|
|
|
|
|
wolfCrypt_FIPS_last;
|
2024-04-13 21:12:22 -05:00
|
|
|
#if FIPS_VERSION3_GE(6,0,0)
|
2025-07-06 09:55:05 -05:00
|
|
|
#ifndef NO_AES
|
2024-04-13 21:12:22 -05:00
|
|
|
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_AES_sanity =
|
|
|
|
|
wolfCrypt_FIPS_AES_sanity;
|
2025-07-06 09:55:05 -05:00
|
|
|
#if defined(WOLFSSL_CMAC) && defined(WOLFSSL_AES_DIRECT)
|
2024-04-13 21:12:22 -05:00
|
|
|
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_CMAC_sanity =
|
|
|
|
|
wolfCrypt_FIPS_CMAC_sanity;
|
2025-07-06 09:55:05 -05:00
|
|
|
#endif
|
|
|
|
|
#endif
|
|
|
|
|
#ifndef NO_DH
|
2024-04-13 21:12:22 -05:00
|
|
|
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_DH_sanity =
|
|
|
|
|
wolfCrypt_FIPS_DH_sanity;
|
2025-07-06 09:55:05 -05:00
|
|
|
#endif
|
|
|
|
|
#ifdef HAVE_ECC
|
2024-04-13 21:12:22 -05:00
|
|
|
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ECC_sanity =
|
|
|
|
|
wolfCrypt_FIPS_ECC_sanity;
|
2025-07-06 09:55:05 -05:00
|
|
|
#endif
|
|
|
|
|
#ifdef HAVE_ED25519
|
2024-04-13 21:12:22 -05:00
|
|
|
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ED25519_sanity =
|
|
|
|
|
wolfCrypt_FIPS_ED25519_sanity;
|
2025-07-06 09:55:05 -05:00
|
|
|
#endif
|
|
|
|
|
#ifdef HAVE_ED448
|
2024-04-13 21:12:22 -05:00
|
|
|
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ED448_sanity =
|
|
|
|
|
wolfCrypt_FIPS_ED448_sanity;
|
2025-07-06 09:55:05 -05:00
|
|
|
#endif
|
2024-04-13 21:12:22 -05:00
|
|
|
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_HMAC_sanity =
|
|
|
|
|
wolfCrypt_FIPS_HMAC_sanity;
|
2025-07-06 09:55:05 -05:00
|
|
|
#ifndef NO_KDF
|
2024-04-13 21:12:22 -05:00
|
|
|
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_KDF_sanity =
|
|
|
|
|
wolfCrypt_FIPS_KDF_sanity;
|
2025-07-06 09:55:05 -05:00
|
|
|
#endif
|
|
|
|
|
#ifdef HAVE_PBKDF2
|
2024-04-13 21:12:22 -05:00
|
|
|
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_PBKDF_sanity =
|
|
|
|
|
wolfCrypt_FIPS_PBKDF_sanity;
|
2025-07-06 09:55:05 -05:00
|
|
|
#endif
|
|
|
|
|
#ifdef HAVE_HASHDRBG
|
2024-04-13 21:12:22 -05:00
|
|
|
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_DRBG_sanity =
|
|
|
|
|
wolfCrypt_FIPS_DRBG_sanity;
|
2025-07-06 09:55:05 -05:00
|
|
|
#endif
|
|
|
|
|
#ifndef NO_RSA
|
2024-04-13 21:12:22 -05:00
|
|
|
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_RSA_sanity =
|
|
|
|
|
wolfCrypt_FIPS_RSA_sanity;
|
2025-07-06 09:55:05 -05:00
|
|
|
#endif
|
|
|
|
|
#ifndef NO_SHA
|
2024-04-13 21:12:22 -05:00
|
|
|
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_SHA_sanity =
|
|
|
|
|
wolfCrypt_FIPS_SHA_sanity;
|
2025-07-06 09:55:05 -05:00
|
|
|
#endif
|
|
|
|
|
#ifndef NO_SHA256
|
2024-04-13 21:12:22 -05:00
|
|
|
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_SHA256_sanity =
|
|
|
|
|
wolfCrypt_FIPS_SHA256_sanity;
|
2025-07-06 09:55:05 -05:00
|
|
|
#endif
|
|
|
|
|
#ifdef WOLFSSL_SHA512
|
2024-04-13 21:12:22 -05:00
|
|
|
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_SHA512_sanity =
|
|
|
|
|
wolfCrypt_FIPS_SHA512_sanity;
|
2025-07-06 09:55:05 -05:00
|
|
|
#endif
|
|
|
|
|
#ifdef WOLFSSL_SHA3
|
2024-04-13 21:12:22 -05:00
|
|
|
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_SHA3_sanity =
|
|
|
|
|
wolfCrypt_FIPS_SHA3_sanity;
|
2025-07-06 09:55:05 -05:00
|
|
|
#endif
|
2024-04-13 21:12:22 -05:00
|
|
|
wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_FT_sanity =
|
|
|
|
|
wolfCrypt_FIPS_FT_sanity;
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.wc_RunAllCast_fips =
|
|
|
|
|
wc_RunAllCast_fips;
|
|
|
|
|
#endif
|
2021-08-19 11:15:52 -05:00
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#if !defined(WOLFCRYPT_ONLY) && !defined(NO_CERTS)
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.GetCA = GetCA;
|
|
|
|
|
#ifndef NO_SKID
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.GetCAByName = GetCAByName;
|
2024-09-06 14:15:19 -05:00
|
|
|
#ifdef HAVE_OCSP
|
2024-09-13 18:01:11 -05:00
|
|
|
wolfssl_linuxkm_pie_redirect_table.GetCAByKeyHash = GetCAByKeyHash;
|
2024-09-06 14:15:19 -05:00
|
|
|
#endif /* HAVE_OCSP */
|
|
|
|
|
#endif /* NO_SKID */
|
2024-09-13 18:01:11 -05:00
|
|
|
#ifdef WOLFSSL_AKID_NAME
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.GetCAByAKID = GetCAByAKID;
|
|
|
|
|
#endif /* WOLFSSL_AKID_NAME */
|
wolfssl/wolfcrypt/error-crypt.h, wolfcrypt/src/error.c: add WC_FAILURE ("wolfCrypt generic failure") with value -1, for traceable error return of -1 in wolfCrypt.
configure.ac: add OPENSSL_EXTRA to --enable-wolfsentry.
linuxkm/linuxkm_wc_port.h, linuxkm/module_hooks.c, wolfssl/ssl.h: accommodate backward dependencies for wolfSSL_X509_NAME_add_entry_by_NID, wolfSSL_X509_NAME_free, and wolfSSL_X509_NAME_new_ex.
linuxkm/lkcapi_glue.c: if CONFIG_CRYPTO_MANAGER, assert match of CONFIG_CRYPTO_FIPS and HAVE_FIPS.
src/ssl_crypto.c, wolfcrypt/src/wc_lms.c, wolfcrypt/src/wc_lms_impl.c, wolfcrypt/src/wc_xmss.c, wolfcrypt/test/test.c: add missing casts for XMALLOC()s.
src/ssl_crypto.c: in wolfSSL_AES_decrypt(), fix gate for wc_AesDecryptDirect() return type.
wolfcrypt/test/test.c: smallstack refactor in test_dilithium_decode_level().
tests/api.c: fix uninited vars and "embedding a directive within macro arguments is not portable" in test_wc_dilithium_der().
2024-11-21 21:59:26 -06:00
|
|
|
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.wolfSSL_X509_NAME_add_entry_by_NID = wolfSSL_X509_NAME_add_entry_by_NID;
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.wolfSSL_X509_NAME_free = wolfSSL_X509_NAME_free;
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.wolfSSL_X509_NAME_new_ex = wolfSSL_X509_NAME_new_ex;
|
|
|
|
|
#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
|
2024-09-06 14:15:19 -05:00
|
|
|
#endif /* !WOLFCRYPT_ONLY && !NO_CERTS */
|
2021-08-19 11:15:52 -05:00
|
|
|
|
2024-08-20 23:36:07 -05:00
|
|
|
#ifdef WOLFSSL_DEBUG_BACKTRACE_ERROR_CODES
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.dump_stack = dump_stack;
|
|
|
|
|
#endif
|
|
|
|
|
|
linuxkm/lkcapi_sha_glue.c:
* implement interception of _get_random_bytes() and get_random_bytes_user() (implicitly intercepts /dev/random and /dev/urandom):
* get_crypto_default_rng()
* get_default_drbg_ctx()
* wc__get_random_bytes()
* wc_get_random_bytes_user()
* wc_extract_crng_user()
* wc_mix_pool_bytes()
* wc_crng_reseed()
* wc_get_random_bytes_by_kprobe()
* wc_get_random_bytes_user_kretprobe_enter()
* wc_get_random_bytes_user_kretprobe_exit()
* add LINUXKM_DRBG_GET_RANDOM_BYTES sections to wc_linuxkm_drbg_startup() and wc_linuxkm_drbg_cleanup()
* add linuxkm/patches/*/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-*.patch, initially for versions:
* 5.10.17
* 5.10.236
* 5.15
* 5.17
* 6.1.73
* 6.12
* 6.15
* remove "*.patch" from .gitignore.
* add linuxkm/patches/regen-patches.sh.
* in wc_linuxkm_drbg_ctx_clear(), check lock count before freeing.
* in get_drbg() and put_drbg(), use migrate_disable(), not DISABLE_VECTOR_REGISTERS().
* in wc_linuxkm_drbg_generate(), explicitly DISABLE_VECTOR_REGISTERS() for the crypto_default_rng.
* in wc_linuxkm_drbg_generate(), add DRBG reinitialization code to handle RNG_FAILURE_E. This handles the situation where a DRBG was instantiated in a vector-ops-allowed context, caching a vectorized SHA256 ethod, but later used in a no-vector-ops-allowed context.
* in wc_linuxkm_drbg_seed(), add DISABLE_VECTOR_REGISTERS() wrapper around wc_RNG_DRBG_Reseed() for crypto_default_rng.
linuxkm/x86_vector_register_glue.c:
* add crash recovery logic to wc_linuxkm_fpu_state_assoc_unlikely()
* in wc_linuxkm_fpu_state_assoc(), when wc_linuxkm_fpu_states is null, don't call wc_linuxkm_fpu_state_assoc_unlikely() if !assume_fpu_began.
* in can_save_vector_registers_x86(), save_vector_registers_x86(), and restore_vector_registers_x86(), check for hard interrupt context first, to return early failure if current->pid is unusable.
* in save_vector_registers_x86(), tweak logic around WC_FPU_INHIBITED_FLAG, adding local_bh_disable()...local_bh_enable() to provide for safe recursion.
wolfcrypt/src/random.c: optimization: in Hash_df(), for WOLFSSL_LINUXKM, don't put digest[WC_SHA256_DIGEST_SIZE] in the heap, keep it on the stack.
wolfssl/wolfcrypt/types.h: add WOLFSSL_NO_ASM no-op definitions for DISABLE_VECTOR_REGISTERS() and REENABLE_VECTOR_REGISTERS().
configure.ac:
* move --enable-linuxkm and --enable-linuxkm-defaults initial detection early, so that HMAC_COPY_DEFAULT picks it up.
* add ENABLED_ENTROPY_MEMUSE_DEFAULT, and enable it by default when ENABLED_LINUXKM_DEFAULTS.
* update linuxkm-lkcapi-register help message.
linuxkm/linuxkm_wc_port.h:
* add my_kallsyms_lookup_name().
* add preempt_count, _raw_spin_lock_irqsave, _raw_spin_trylock, _raw_spin_unlock_irqrestore, and _cond_resched, to wolfssl_linuxkm_pie_redirect_table, and add spin_unlock_irqrestore() macro to mask native inline.
* move linuxkm mutex wrappers from wolfcrypt/src/wc_port.c to linuxkm_wc_port.h, make them inlines, and add new default spinlock-based implementation, with old method now gated on WOLFSSL_LINUXKM_USE_MUTEXES.
* change malloc() and realloc() wrappers from GFP_KERNEL to GFP_ATOMIC.
linuxkm/lkcapi_glue.c: make misc.h/misc.c inclusion unconditional, and trim now-redundant inclusions out of lkcapi_dh_glue.c and lkcapi_ecdh_glue.c.
2025-06-30 15:23:04 -05:00
|
|
|
wolfssl_linuxkm_pie_redirect_table.preempt_count = my_preempt_count;
|
2025-07-03 22:09:34 -05:00
|
|
|
#ifndef _raw_spin_lock_irqsave
|
linuxkm/lkcapi_sha_glue.c:
* implement interception of _get_random_bytes() and get_random_bytes_user() (implicitly intercepts /dev/random and /dev/urandom):
* get_crypto_default_rng()
* get_default_drbg_ctx()
* wc__get_random_bytes()
* wc_get_random_bytes_user()
* wc_extract_crng_user()
* wc_mix_pool_bytes()
* wc_crng_reseed()
* wc_get_random_bytes_by_kprobe()
* wc_get_random_bytes_user_kretprobe_enter()
* wc_get_random_bytes_user_kretprobe_exit()
* add LINUXKM_DRBG_GET_RANDOM_BYTES sections to wc_linuxkm_drbg_startup() and wc_linuxkm_drbg_cleanup()
* add linuxkm/patches/*/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-*.patch, initially for versions:
* 5.10.17
* 5.10.236
* 5.15
* 5.17
* 6.1.73
* 6.12
* 6.15
* remove "*.patch" from .gitignore.
* add linuxkm/patches/regen-patches.sh.
* in wc_linuxkm_drbg_ctx_clear(), check lock count before freeing.
* in get_drbg() and put_drbg(), use migrate_disable(), not DISABLE_VECTOR_REGISTERS().
* in wc_linuxkm_drbg_generate(), explicitly DISABLE_VECTOR_REGISTERS() for the crypto_default_rng.
* in wc_linuxkm_drbg_generate(), add DRBG reinitialization code to handle RNG_FAILURE_E. This handles the situation where a DRBG was instantiated in a vector-ops-allowed context, caching a vectorized SHA256 ethod, but later used in a no-vector-ops-allowed context.
* in wc_linuxkm_drbg_seed(), add DISABLE_VECTOR_REGISTERS() wrapper around wc_RNG_DRBG_Reseed() for crypto_default_rng.
linuxkm/x86_vector_register_glue.c:
* add crash recovery logic to wc_linuxkm_fpu_state_assoc_unlikely()
* in wc_linuxkm_fpu_state_assoc(), when wc_linuxkm_fpu_states is null, don't call wc_linuxkm_fpu_state_assoc_unlikely() if !assume_fpu_began.
* in can_save_vector_registers_x86(), save_vector_registers_x86(), and restore_vector_registers_x86(), check for hard interrupt context first, to return early failure if current->pid is unusable.
* in save_vector_registers_x86(), tweak logic around WC_FPU_INHIBITED_FLAG, adding local_bh_disable()...local_bh_enable() to provide for safe recursion.
wolfcrypt/src/random.c: optimization: in Hash_df(), for WOLFSSL_LINUXKM, don't put digest[WC_SHA256_DIGEST_SIZE] in the heap, keep it on the stack.
wolfssl/wolfcrypt/types.h: add WOLFSSL_NO_ASM no-op definitions for DISABLE_VECTOR_REGISTERS() and REENABLE_VECTOR_REGISTERS().
configure.ac:
* move --enable-linuxkm and --enable-linuxkm-defaults initial detection early, so that HMAC_COPY_DEFAULT picks it up.
* add ENABLED_ENTROPY_MEMUSE_DEFAULT, and enable it by default when ENABLED_LINUXKM_DEFAULTS.
* update linuxkm-lkcapi-register help message.
linuxkm/linuxkm_wc_port.h:
* add my_kallsyms_lookup_name().
* add preempt_count, _raw_spin_lock_irqsave, _raw_spin_trylock, _raw_spin_unlock_irqrestore, and _cond_resched, to wolfssl_linuxkm_pie_redirect_table, and add spin_unlock_irqrestore() macro to mask native inline.
* move linuxkm mutex wrappers from wolfcrypt/src/wc_port.c to linuxkm_wc_port.h, make them inlines, and add new default spinlock-based implementation, with old method now gated on WOLFSSL_LINUXKM_USE_MUTEXES.
* change malloc() and realloc() wrappers from GFP_KERNEL to GFP_ATOMIC.
linuxkm/lkcapi_glue.c: make misc.h/misc.c inclusion unconditional, and trim now-redundant inclusions out of lkcapi_dh_glue.c and lkcapi_ecdh_glue.c.
2025-06-30 15:23:04 -05:00
|
|
|
wolfssl_linuxkm_pie_redirect_table._raw_spin_lock_irqsave = _raw_spin_lock_irqsave;
|
2025-07-03 22:09:34 -05:00
|
|
|
#endif
|
|
|
|
|
#ifndef _raw_spin_trylock
|
linuxkm/lkcapi_sha_glue.c:
* implement interception of _get_random_bytes() and get_random_bytes_user() (implicitly intercepts /dev/random and /dev/urandom):
* get_crypto_default_rng()
* get_default_drbg_ctx()
* wc__get_random_bytes()
* wc_get_random_bytes_user()
* wc_extract_crng_user()
* wc_mix_pool_bytes()
* wc_crng_reseed()
* wc_get_random_bytes_by_kprobe()
* wc_get_random_bytes_user_kretprobe_enter()
* wc_get_random_bytes_user_kretprobe_exit()
* add LINUXKM_DRBG_GET_RANDOM_BYTES sections to wc_linuxkm_drbg_startup() and wc_linuxkm_drbg_cleanup()
* add linuxkm/patches/*/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-*.patch, initially for versions:
* 5.10.17
* 5.10.236
* 5.15
* 5.17
* 6.1.73
* 6.12
* 6.15
* remove "*.patch" from .gitignore.
* add linuxkm/patches/regen-patches.sh.
* in wc_linuxkm_drbg_ctx_clear(), check lock count before freeing.
* in get_drbg() and put_drbg(), use migrate_disable(), not DISABLE_VECTOR_REGISTERS().
* in wc_linuxkm_drbg_generate(), explicitly DISABLE_VECTOR_REGISTERS() for the crypto_default_rng.
* in wc_linuxkm_drbg_generate(), add DRBG reinitialization code to handle RNG_FAILURE_E. This handles the situation where a DRBG was instantiated in a vector-ops-allowed context, caching a vectorized SHA256 ethod, but later used in a no-vector-ops-allowed context.
* in wc_linuxkm_drbg_seed(), add DISABLE_VECTOR_REGISTERS() wrapper around wc_RNG_DRBG_Reseed() for crypto_default_rng.
linuxkm/x86_vector_register_glue.c:
* add crash recovery logic to wc_linuxkm_fpu_state_assoc_unlikely()
* in wc_linuxkm_fpu_state_assoc(), when wc_linuxkm_fpu_states is null, don't call wc_linuxkm_fpu_state_assoc_unlikely() if !assume_fpu_began.
* in can_save_vector_registers_x86(), save_vector_registers_x86(), and restore_vector_registers_x86(), check for hard interrupt context first, to return early failure if current->pid is unusable.
* in save_vector_registers_x86(), tweak logic around WC_FPU_INHIBITED_FLAG, adding local_bh_disable()...local_bh_enable() to provide for safe recursion.
wolfcrypt/src/random.c: optimization: in Hash_df(), for WOLFSSL_LINUXKM, don't put digest[WC_SHA256_DIGEST_SIZE] in the heap, keep it on the stack.
wolfssl/wolfcrypt/types.h: add WOLFSSL_NO_ASM no-op definitions for DISABLE_VECTOR_REGISTERS() and REENABLE_VECTOR_REGISTERS().
configure.ac:
* move --enable-linuxkm and --enable-linuxkm-defaults initial detection early, so that HMAC_COPY_DEFAULT picks it up.
* add ENABLED_ENTROPY_MEMUSE_DEFAULT, and enable it by default when ENABLED_LINUXKM_DEFAULTS.
* update linuxkm-lkcapi-register help message.
linuxkm/linuxkm_wc_port.h:
* add my_kallsyms_lookup_name().
* add preempt_count, _raw_spin_lock_irqsave, _raw_spin_trylock, _raw_spin_unlock_irqrestore, and _cond_resched, to wolfssl_linuxkm_pie_redirect_table, and add spin_unlock_irqrestore() macro to mask native inline.
* move linuxkm mutex wrappers from wolfcrypt/src/wc_port.c to linuxkm_wc_port.h, make them inlines, and add new default spinlock-based implementation, with old method now gated on WOLFSSL_LINUXKM_USE_MUTEXES.
* change malloc() and realloc() wrappers from GFP_KERNEL to GFP_ATOMIC.
linuxkm/lkcapi_glue.c: make misc.h/misc.c inclusion unconditional, and trim now-redundant inclusions out of lkcapi_dh_glue.c and lkcapi_ecdh_glue.c.
2025-06-30 15:23:04 -05:00
|
|
|
wolfssl_linuxkm_pie_redirect_table._raw_spin_trylock = _raw_spin_trylock;
|
2025-07-03 22:09:34 -05:00
|
|
|
#endif
|
|
|
|
|
#ifndef _raw_spin_unlock_irqrestore
|
linuxkm/lkcapi_sha_glue.c:
* implement interception of _get_random_bytes() and get_random_bytes_user() (implicitly intercepts /dev/random and /dev/urandom):
* get_crypto_default_rng()
* get_default_drbg_ctx()
* wc__get_random_bytes()
* wc_get_random_bytes_user()
* wc_extract_crng_user()
* wc_mix_pool_bytes()
* wc_crng_reseed()
* wc_get_random_bytes_by_kprobe()
* wc_get_random_bytes_user_kretprobe_enter()
* wc_get_random_bytes_user_kretprobe_exit()
* add LINUXKM_DRBG_GET_RANDOM_BYTES sections to wc_linuxkm_drbg_startup() and wc_linuxkm_drbg_cleanup()
* add linuxkm/patches/*/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-*.patch, initially for versions:
* 5.10.17
* 5.10.236
* 5.15
* 5.17
* 6.1.73
* 6.12
* 6.15
* remove "*.patch" from .gitignore.
* add linuxkm/patches/regen-patches.sh.
* in wc_linuxkm_drbg_ctx_clear(), check lock count before freeing.
* in get_drbg() and put_drbg(), use migrate_disable(), not DISABLE_VECTOR_REGISTERS().
* in wc_linuxkm_drbg_generate(), explicitly DISABLE_VECTOR_REGISTERS() for the crypto_default_rng.
* in wc_linuxkm_drbg_generate(), add DRBG reinitialization code to handle RNG_FAILURE_E. This handles the situation where a DRBG was instantiated in a vector-ops-allowed context, caching a vectorized SHA256 ethod, but later used in a no-vector-ops-allowed context.
* in wc_linuxkm_drbg_seed(), add DISABLE_VECTOR_REGISTERS() wrapper around wc_RNG_DRBG_Reseed() for crypto_default_rng.
linuxkm/x86_vector_register_glue.c:
* add crash recovery logic to wc_linuxkm_fpu_state_assoc_unlikely()
* in wc_linuxkm_fpu_state_assoc(), when wc_linuxkm_fpu_states is null, don't call wc_linuxkm_fpu_state_assoc_unlikely() if !assume_fpu_began.
* in can_save_vector_registers_x86(), save_vector_registers_x86(), and restore_vector_registers_x86(), check for hard interrupt context first, to return early failure if current->pid is unusable.
* in save_vector_registers_x86(), tweak logic around WC_FPU_INHIBITED_FLAG, adding local_bh_disable()...local_bh_enable() to provide for safe recursion.
wolfcrypt/src/random.c: optimization: in Hash_df(), for WOLFSSL_LINUXKM, don't put digest[WC_SHA256_DIGEST_SIZE] in the heap, keep it on the stack.
wolfssl/wolfcrypt/types.h: add WOLFSSL_NO_ASM no-op definitions for DISABLE_VECTOR_REGISTERS() and REENABLE_VECTOR_REGISTERS().
configure.ac:
* move --enable-linuxkm and --enable-linuxkm-defaults initial detection early, so that HMAC_COPY_DEFAULT picks it up.
* add ENABLED_ENTROPY_MEMUSE_DEFAULT, and enable it by default when ENABLED_LINUXKM_DEFAULTS.
* update linuxkm-lkcapi-register help message.
linuxkm/linuxkm_wc_port.h:
* add my_kallsyms_lookup_name().
* add preempt_count, _raw_spin_lock_irqsave, _raw_spin_trylock, _raw_spin_unlock_irqrestore, and _cond_resched, to wolfssl_linuxkm_pie_redirect_table, and add spin_unlock_irqrestore() macro to mask native inline.
* move linuxkm mutex wrappers from wolfcrypt/src/wc_port.c to linuxkm_wc_port.h, make them inlines, and add new default spinlock-based implementation, with old method now gated on WOLFSSL_LINUXKM_USE_MUTEXES.
* change malloc() and realloc() wrappers from GFP_KERNEL to GFP_ATOMIC.
linuxkm/lkcapi_glue.c: make misc.h/misc.c inclusion unconditional, and trim now-redundant inclusions out of lkcapi_dh_glue.c and lkcapi_ecdh_glue.c.
2025-06-30 15:23:04 -05:00
|
|
|
wolfssl_linuxkm_pie_redirect_table._raw_spin_unlock_irqrestore = _raw_spin_unlock_irqrestore;
|
2025-07-03 22:09:34 -05:00
|
|
|
#endif
|
linuxkm/lkcapi_sha_glue.c:
* implement interception of _get_random_bytes() and get_random_bytes_user() (implicitly intercepts /dev/random and /dev/urandom):
* get_crypto_default_rng()
* get_default_drbg_ctx()
* wc__get_random_bytes()
* wc_get_random_bytes_user()
* wc_extract_crng_user()
* wc_mix_pool_bytes()
* wc_crng_reseed()
* wc_get_random_bytes_by_kprobe()
* wc_get_random_bytes_user_kretprobe_enter()
* wc_get_random_bytes_user_kretprobe_exit()
* add LINUXKM_DRBG_GET_RANDOM_BYTES sections to wc_linuxkm_drbg_startup() and wc_linuxkm_drbg_cleanup()
* add linuxkm/patches/*/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-*.patch, initially for versions:
* 5.10.17
* 5.10.236
* 5.15
* 5.17
* 6.1.73
* 6.12
* 6.15
* remove "*.patch" from .gitignore.
* add linuxkm/patches/regen-patches.sh.
* in wc_linuxkm_drbg_ctx_clear(), check lock count before freeing.
* in get_drbg() and put_drbg(), use migrate_disable(), not DISABLE_VECTOR_REGISTERS().
* in wc_linuxkm_drbg_generate(), explicitly DISABLE_VECTOR_REGISTERS() for the crypto_default_rng.
* in wc_linuxkm_drbg_generate(), add DRBG reinitialization code to handle RNG_FAILURE_E. This handles the situation where a DRBG was instantiated in a vector-ops-allowed context, caching a vectorized SHA256 ethod, but later used in a no-vector-ops-allowed context.
* in wc_linuxkm_drbg_seed(), add DISABLE_VECTOR_REGISTERS() wrapper around wc_RNG_DRBG_Reseed() for crypto_default_rng.
linuxkm/x86_vector_register_glue.c:
* add crash recovery logic to wc_linuxkm_fpu_state_assoc_unlikely()
* in wc_linuxkm_fpu_state_assoc(), when wc_linuxkm_fpu_states is null, don't call wc_linuxkm_fpu_state_assoc_unlikely() if !assume_fpu_began.
* in can_save_vector_registers_x86(), save_vector_registers_x86(), and restore_vector_registers_x86(), check for hard interrupt context first, to return early failure if current->pid is unusable.
* in save_vector_registers_x86(), tweak logic around WC_FPU_INHIBITED_FLAG, adding local_bh_disable()...local_bh_enable() to provide for safe recursion.
wolfcrypt/src/random.c: optimization: in Hash_df(), for WOLFSSL_LINUXKM, don't put digest[WC_SHA256_DIGEST_SIZE] in the heap, keep it on the stack.
wolfssl/wolfcrypt/types.h: add WOLFSSL_NO_ASM no-op definitions for DISABLE_VECTOR_REGISTERS() and REENABLE_VECTOR_REGISTERS().
configure.ac:
* move --enable-linuxkm and --enable-linuxkm-defaults initial detection early, so that HMAC_COPY_DEFAULT picks it up.
* add ENABLED_ENTROPY_MEMUSE_DEFAULT, and enable it by default when ENABLED_LINUXKM_DEFAULTS.
* update linuxkm-lkcapi-register help message.
linuxkm/linuxkm_wc_port.h:
* add my_kallsyms_lookup_name().
* add preempt_count, _raw_spin_lock_irqsave, _raw_spin_trylock, _raw_spin_unlock_irqrestore, and _cond_resched, to wolfssl_linuxkm_pie_redirect_table, and add spin_unlock_irqrestore() macro to mask native inline.
* move linuxkm mutex wrappers from wolfcrypt/src/wc_port.c to linuxkm_wc_port.h, make them inlines, and add new default spinlock-based implementation, with old method now gated on WOLFSSL_LINUXKM_USE_MUTEXES.
* change malloc() and realloc() wrappers from GFP_KERNEL to GFP_ATOMIC.
linuxkm/lkcapi_glue.c: make misc.h/misc.c inclusion unconditional, and trim now-redundant inclusions out of lkcapi_dh_glue.c and lkcapi_ecdh_glue.c.
2025-06-30 15:23:04 -05:00
|
|
|
wolfssl_linuxkm_pie_redirect_table._cond_resched = _cond_resched;
|
|
|
|
|
|
2024-11-26 00:12:29 -06:00
|
|
|
#ifdef CONFIG_ARM64
|
|
|
|
|
wolfssl_linuxkm_pie_redirect_table.alt_cb_patch_nops = alt_cb_patch_nops;
|
2025-07-03 22:09:34 -05:00
|
|
|
wolfssl_linuxkm_pie_redirect_table.queued_spin_lock_slowpath = queued_spin_lock_slowpath;
|
2024-11-26 00:12:29 -06:00
|
|
|
#endif
|
|
|
|
|
|
2021-08-19 11:15:52 -05:00
|
|
|
/* runtime assert that the table has no null slots after initialization. */
|
|
|
|
|
{
|
|
|
|
|
unsigned long *i;
|
2024-01-29 17:48:31 -06:00
|
|
|
static_assert(sizeof(unsigned long) == sizeof(void *),
|
|
|
|
|
"unexpected pointer size");
|
2021-08-19 11:15:52 -05:00
|
|
|
for (i = (unsigned long *)&wolfssl_linuxkm_pie_redirect_table;
|
|
|
|
|
i < (unsigned long *)&wolfssl_linuxkm_pie_redirect_table._last_slot;
|
|
|
|
|
++i)
|
|
|
|
|
if (*i == 0) {
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: wolfCrypt container redirect table initialization was "
|
2024-01-29 17:48:31 -06:00
|
|
|
"incomplete [%lu].\n",
|
|
|
|
|
i-(unsigned long *)&wolfssl_linuxkm_pie_redirect_table);
|
2021-08-19 11:15:52 -05:00
|
|
|
return -EFAULT;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#endif /* USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE */
|
2021-11-09 22:02:17 -06:00
|
|
|
|
|
|
|
|
|
|
|
|
|
#ifdef WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE
|
|
|
|
|
|
|
|
|
|
#include <wolfssl/wolfcrypt/coding.h>
|
|
|
|
|
|
2023-07-14 09:50:01 -05:00
|
|
|
PRAGMA_GCC_DIAG_PUSH
|
|
|
|
|
PRAGMA_GCC("GCC diagnostic ignored \"-Wnested-externs\"")
|
|
|
|
|
PRAGMA_GCC("GCC diagnostic ignored \"-Wpointer-arith\"")
|
2021-11-09 22:02:17 -06:00
|
|
|
#include <crypto/hash.h>
|
2023-07-14 09:50:01 -05:00
|
|
|
PRAGMA_GCC_DIAG_POP
|
2021-11-09 22:02:17 -06:00
|
|
|
|
|
|
|
|
extern char verifyCore[WC_SHA256_DIGEST_SIZE*2 + 1];
|
|
|
|
|
extern const char coreKey[WC_SHA256_DIGEST_SIZE*2 + 1];
|
|
|
|
|
extern const unsigned int wolfCrypt_FIPS_ro_start[];
|
|
|
|
|
extern const unsigned int wolfCrypt_FIPS_ro_end[];
|
|
|
|
|
|
|
|
|
|
#define FIPS_IN_CORE_KEY_SZ 32
|
|
|
|
|
#define FIPS_IN_CORE_VERIFY_SZ FIPS_IN_CORE_KEY_SZ
|
|
|
|
|
typedef int (*fips_address_function)(void);
|
2025-04-10 17:23:17 +00:00
|
|
|
#define MAX_FIPS_DATA_SZ 10000000
|
|
|
|
|
#define MAX_FIPS_CODE_SZ 10000000
|
2021-11-09 22:02:17 -06:00
|
|
|
extern int GenBase16_Hash(const byte* in, int length, char* out, int outSz);
|
|
|
|
|
|
|
|
|
|
static int updateFipsHash(void)
|
|
|
|
|
{
|
|
|
|
|
struct crypto_shash *tfm = NULL;
|
|
|
|
|
struct shash_desc *desc = NULL;
|
|
|
|
|
word32 verifySz = FIPS_IN_CORE_VERIFY_SZ;
|
|
|
|
|
word32 binCoreSz = FIPS_IN_CORE_KEY_SZ;
|
|
|
|
|
int ret;
|
|
|
|
|
byte *hash = NULL;
|
|
|
|
|
char *base16_hash = NULL;
|
|
|
|
|
byte *binCoreKey = NULL;
|
|
|
|
|
byte *binVerify = NULL;
|
|
|
|
|
|
|
|
|
|
fips_address_function first = wolfCrypt_FIPS_first;
|
|
|
|
|
fips_address_function last = wolfCrypt_FIPS_last;
|
|
|
|
|
|
|
|
|
|
char* start = (char*)wolfCrypt_FIPS_ro_start;
|
|
|
|
|
char* end = (char*)wolfCrypt_FIPS_ro_end;
|
|
|
|
|
|
|
|
|
|
unsigned long code_sz = (unsigned long)last - (unsigned long)first;
|
|
|
|
|
unsigned long data_sz = (unsigned long)end - (unsigned long)start;
|
|
|
|
|
|
|
|
|
|
if (data_sz == 0 || data_sz > MAX_FIPS_DATA_SZ)
|
|
|
|
|
return BAD_FUNC_ARG; /* bad fips data size */
|
|
|
|
|
|
|
|
|
|
if (code_sz == 0 || code_sz > MAX_FIPS_CODE_SZ)
|
|
|
|
|
return BAD_FUNC_ARG; /* bad fips code size */
|
|
|
|
|
|
|
|
|
|
hash = XMALLOC(WC_SHA256_DIGEST_SIZE, 0, DYNAMIC_TYPE_TMP_BUFFER);
|
|
|
|
|
if (hash == NULL) {
|
|
|
|
|
ret = MEMORY_E;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
base16_hash = XMALLOC(WC_SHA256_DIGEST_SIZE*2 + 1, 0, DYNAMIC_TYPE_TMP_BUFFER);
|
|
|
|
|
if (base16_hash == NULL) {
|
|
|
|
|
ret = MEMORY_E;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
binCoreKey = XMALLOC(binCoreSz, 0, DYNAMIC_TYPE_TMP_BUFFER);
|
|
|
|
|
if (binCoreKey == NULL) {
|
|
|
|
|
ret = MEMORY_E;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
binVerify = XMALLOC(verifySz, 0, DYNAMIC_TYPE_TMP_BUFFER);
|
|
|
|
|
if (binVerify == NULL) {
|
|
|
|
|
ret = MEMORY_E;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
word32 base16_out_len = binCoreSz;
|
|
|
|
|
ret = Base16_Decode((const byte *)coreKey, sizeof coreKey - 1, binCoreKey, &base16_out_len);
|
|
|
|
|
if (ret != 0) {
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: Base16_Decode for coreKey: %s\n", wc_GetErrorString(ret));
|
2021-11-09 22:02:17 -06:00
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
if (base16_out_len != binCoreSz) {
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: unexpected output length %u for coreKey from Base16_Decode.\n",base16_out_len);
|
2021-11-09 22:02:17 -06:00
|
|
|
ret = BAD_STATE_E;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
tfm = crypto_alloc_shash("hmac(sha256)", 0, 0);
|
|
|
|
|
if (IS_ERR(tfm)) {
|
|
|
|
|
if (PTR_ERR(tfm) == -ENOMEM) {
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: crypto_alloc_shash failed: out of memory\n");
|
2021-11-09 22:02:17 -06:00
|
|
|
ret = MEMORY_E;
|
|
|
|
|
} else if (PTR_ERR(tfm) == -ENOENT) {
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: crypto_alloc_shash failed: kernel is missing hmac(sha256) implementation\n");
|
|
|
|
|
pr_err("ERROR: check for CONFIG_CRYPTO_SHA256 and CONFIG_CRYPTO_HMAC.\n");
|
2021-11-09 22:02:17 -06:00
|
|
|
ret = NOT_COMPILED_IN;
|
|
|
|
|
} else {
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: crypto_alloc_shash failed with ret %ld\n",PTR_ERR(tfm));
|
2021-11-09 22:02:17 -06:00
|
|
|
ret = HASH_TYPE_E;
|
|
|
|
|
}
|
|
|
|
|
tfm = NULL;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
size_t desc_size = crypto_shash_descsize(tfm) + sizeof *desc;
|
|
|
|
|
desc = XMALLOC(desc_size, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
|
|
|
|
if (desc == NULL) {
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: failed allocating desc.");
|
2021-11-09 22:02:17 -06:00
|
|
|
ret = MEMORY_E;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
XMEMSET(desc, 0, desc_size);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ret = crypto_shash_setkey(tfm, binCoreKey, binCoreSz);
|
|
|
|
|
if (ret) {
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: crypto_ahash_setkey failed: err %d\n", ret);
|
2021-11-09 22:02:17 -06:00
|
|
|
ret = BAD_STATE_E;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
desc->tfm = tfm;
|
|
|
|
|
ret = crypto_shash_init(desc);
|
|
|
|
|
if (ret) {
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: crypto_shash_init failed: err %d\n", ret);
|
2021-11-09 22:02:17 -06:00
|
|
|
ret = BAD_STATE_E;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
|
2025-04-16 15:51:47 -05:00
|
|
|
WC_SANITIZE_DISABLE();
|
|
|
|
|
|
2021-11-09 22:02:17 -06:00
|
|
|
ret = crypto_shash_update(desc, (byte *)(wc_ptr_t)first, (word32)code_sz);
|
|
|
|
|
if (ret) {
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: crypto_shash_update failed: err %d\n", ret);
|
2021-11-09 22:02:17 -06:00
|
|
|
ret = BAD_STATE_E;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* don't hash verifyCore or changing verifyCore will change hash */
|
|
|
|
|
if (verifyCore >= start && verifyCore < end) {
|
|
|
|
|
data_sz = (unsigned long)verifyCore - (unsigned long)start;
|
|
|
|
|
ret = crypto_shash_update(desc, (byte*)start, (word32)data_sz);
|
|
|
|
|
if (ret) {
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: crypto_shash_update failed: err %d\n", ret);
|
2021-11-09 22:02:17 -06:00
|
|
|
ret = BAD_STATE_E;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
start = (char*)verifyCore + sizeof(verifyCore);
|
|
|
|
|
data_sz = (unsigned long)end - (unsigned long)start;
|
|
|
|
|
}
|
|
|
|
|
ret = crypto_shash_update(desc, (byte*)start, (word32)data_sz);
|
|
|
|
|
if (ret) {
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: crypto_shash_update failed: err %d\n", ret);
|
2021-11-09 22:02:17 -06:00
|
|
|
ret = BAD_STATE_E;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
|
2025-04-16 15:51:47 -05:00
|
|
|
WC_SANITIZE_ENABLE();
|
|
|
|
|
|
2021-11-09 22:02:17 -06:00
|
|
|
ret = crypto_shash_final(desc, hash);
|
|
|
|
|
if (ret) {
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: crypto_shash_final failed: err %d\n", ret);
|
2021-11-09 22:02:17 -06:00
|
|
|
ret = BAD_STATE_E;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ret = GenBase16_Hash(hash, WC_SHA256_DIGEST_SIZE, base16_hash, WC_SHA256_DIGEST_SIZE*2 + 1);
|
|
|
|
|
if (ret != 0) {
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: GenBase16_Hash failed: %s\n", wc_GetErrorString(ret));
|
2021-11-09 22:02:17 -06:00
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
word32 base16_out_len = verifySz;
|
|
|
|
|
ret = Base16_Decode((const byte *)verifyCore, sizeof verifyCore - 1, binVerify, &base16_out_len);
|
|
|
|
|
if (ret != 0) {
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: Base16_Decode for verifyCore: %s\n", wc_GetErrorString(ret));
|
2021-11-09 22:02:17 -06:00
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
if (base16_out_len != binCoreSz) {
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: unexpected output length %u for verifyCore from Base16_Decode.\n",base16_out_len);
|
2021-11-09 22:02:17 -06:00
|
|
|
ret = BAD_STATE_E;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2024-02-01 19:04:02 -06:00
|
|
|
if (XMEMCMP(hash, binVerify, WC_SHA256_DIGEST_SIZE) == 0) {
|
|
|
|
|
#if defined(DEBUG_LINUXKM_PIE_SUPPORT) || defined(WOLFSSL_LINUXKM_VERBOSE_DEBUG)
|
|
|
|
|
pr_info("updateFipsHash: verifyCore already matches [%s]\n", verifyCore);
|
|
|
|
|
#else
|
2021-11-09 22:02:17 -06:00
|
|
|
pr_info("updateFipsHash: verifyCore already matches.\n");
|
2024-02-01 19:04:02 -06:00
|
|
|
#endif
|
|
|
|
|
} else {
|
2021-11-09 22:02:17 -06:00
|
|
|
XMEMCPY(verifyCore, base16_hash, WC_SHA256_DIGEST_SIZE*2 + 1);
|
2024-02-01 19:04:02 -06:00
|
|
|
#if defined(DEBUG_LINUXKM_PIE_SUPPORT) || defined(WOLFSSL_LINUXKM_VERBOSE_DEBUG)
|
|
|
|
|
pr_info("updateFipsHash: verifyCore updated [%s].\n", base16_hash);
|
|
|
|
|
#else
|
2021-11-09 22:02:17 -06:00
|
|
|
pr_info("updateFipsHash: verifyCore updated.\n");
|
2024-02-01 19:04:02 -06:00
|
|
|
#endif
|
2021-11-09 22:02:17 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ret = 0;
|
|
|
|
|
|
|
|
|
|
out:
|
|
|
|
|
|
|
|
|
|
if (tfm != NULL)
|
|
|
|
|
crypto_free_shash(tfm);
|
2024-08-06 10:20:45 -04:00
|
|
|
XFREE(desc, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
|
|
|
|
XFREE(hash, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
|
|
|
|
XFREE(base16_hash, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
|
|
|
|
XFREE(binCoreKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
|
|
|
|
XFREE(binVerify, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
2021-11-09 22:02:17 -06:00
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#endif /* WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE */
|
2025-05-01 00:08:32 -05:00
|
|
|
|
|
|
|
|
#ifdef HAVE_FIPS
|
|
|
|
|
|
|
|
|
|
static ssize_t FIPS_rerun_self_test_handler(struct kobject *kobj, struct kobj_attribute *attr,
|
|
|
|
|
const char *buf, size_t count)
|
|
|
|
|
{
|
|
|
|
|
int arg;
|
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
|
|
(void)kobj;
|
|
|
|
|
(void)attr;
|
|
|
|
|
|
|
|
|
|
if (kstrtoint(buf, 10, &arg) || arg != 1)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
pr_info("wolfCrypt: rerunning FIPS self-test on command.");
|
|
|
|
|
|
|
|
|
|
ret = wolfCrypt_IntegrityTest_fips();
|
|
|
|
|
if (ret != 0) {
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: wolfCrypt_IntegrityTest_fips: error %d", ret);
|
2025-05-01 00:08:32 -05:00
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ret = wolfCrypt_GetStatus_fips();
|
|
|
|
|
if (ret != 0) {
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: wolfCrypt_GetStatus_fips() failed with code %d: %s\n", ret, wc_GetErrorString(ret));
|
2025-05-01 00:08:32 -05:00
|
|
|
if (ret == WC_NO_ERR_TRACE(IN_CORE_FIPS_E))
|
|
|
|
|
return -ELIBBAD;
|
|
|
|
|
else
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ret = wc_RunAllCast_fips();
|
|
|
|
|
if (ret != 0) {
|
2025-07-09 16:29:04 -05:00
|
|
|
pr_err("ERROR: wc_RunAllCast_fips() failed with return value %d\n", ret);
|
2025-05-01 00:08:32 -05:00
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pr_info("wolfCrypt FIPS re-self-test succeeded: all algorithms verified and available.");
|
|
|
|
|
|
|
|
|
|
return count;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#endif /* HAVE_FIPS */
|
