Merge pull request #9089 from douzzer/20250811-linuxkm-and-other-fixes

20250811-linuxkm-and-other-fixes

.wolfssl_known_macro_extras

@@ -561,7 +561,6 @@ USE_STSAFE_VERBOSE
 USE_TLSV13
 USE_WOLF_STRNSTR
 USS_API
-WC_16BIT_CPU
 WC_AESXTS_STREAM_NO_REQUEST_ACCOUNTING
 WC_AES_BS_WORD_SIZE
 WC_AES_GCM_DEC_AUTH_EARLY

configure.ac

@@ -5656,7 +5656,8 @@ AC_ARG_ENABLE([pwdbased],
 # MemUse Entropy
 # wolfEntropy Software Jitter SP800-90B certifiable entropy source
 
-if test "$ENABLED_LINUXKM_DEFAULTS" = "yes"
+if test "$ENABLED_LINUXKM_DEFAULTS" = "yes" && \
+   (test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -ge 6)
 then
     ENABLED_ENTROPY_MEMUSE_DEFAULT=yes
 else

linuxkm/linuxkm_wc_port.h

@@ -136,6 +136,7 @@
     extern void wc_linuxkm_relax_long_loop(void);
 
     enum wc_svr_flags {
+        WC_SVR_FLAG_NONE = 0,
         WC_SVR_FLAG_INHIBIT = 1,
     };
 
@@ -478,7 +479,7 @@
         #endif
         #ifndef SAVE_VECTOR_REGISTERS
             #define SAVE_VECTOR_REGISTERS(fail_clause) {     \
-                int _svr_ret = wc_save_vector_registers_x86(0); \
+                int _svr_ret = wc_save_vector_registers_x86(WC_SVR_FLAG_NONE); \
                 if (_svr_ret != 0) {                         \
                     fail_clause                              \
                 }                                            \
@@ -489,11 +490,11 @@
                 #define SAVE_VECTOR_REGISTERS2() ({                    \
                     int _fuzzer_ret = SAVE_VECTOR_REGISTERS2_fuzzer(); \
                     (_fuzzer_ret == 0) ?                               \
-                     wc_save_vector_registers_x86(0) :                    \
+                     wc_save_vector_registers_x86(WC_SVR_FLAG_NONE) :  \
                      _fuzzer_ret;                                      \
                 })
             #else
-                #define SAVE_VECTOR_REGISTERS2() wc_save_vector_registers_x86(0)
+                #define SAVE_VECTOR_REGISTERS2() wc_save_vector_registers_x86(WC_SVR_FLAG_NONE)
             #endif
         #endif
         #ifndef RESTORE_VECTOR_REGISTERS

src/bio.c

@@ -3327,7 +3327,7 @@ int wolfSSL_BIO_vprintf(WOLFSSL_BIO* bio, const char* format, va_list args)
     /* In Visual Studio versions prior to Visual Studio 2013, the va_* symbols
        aren't defined. If using Visual Studio 2013 or later, define
        HAVE_VA_COPY. */
-    #if !defined(_WIN32) || defined(HAVE_VA_COPY)
+    #if defined(XVSNPRINTF) && (!defined(_WIN32) || defined(HAVE_VA_COPY))
         case WOLFSSL_BIO_SSL:
             {
                 int count;
@@ -3358,7 +3358,7 @@ int wolfSSL_BIO_vprintf(WOLFSSL_BIO* bio, const char* format, va_list args)
                 va_end(copy);
             }
             break;
-    #endif /* !_WIN32 || HAVE_VA_COPY */
+    #endif /* XVSNPRINTF && (!_WIN32 || HAVE_VA_COPY) */
 
         default:
             WOLFSSL_MSG("Unsupported WOLFSSL_BIO type for wolfSSL_BIO_printf");

src/crl.c

@@ -210,24 +210,23 @@ static CRL_Entry* CRL_Entry_new(void* heap)
 /* Free all CRL Entry resources */
 static void CRL_Entry_free(CRL_Entry* crle, void* heap)
 {
-#ifdef CRL_STATIC_REVOKED_LIST
-    if (crle != NULL) {
-        XMEMSET(crle->certs, 0, CRL_MAX_REVOKED_CERTS*sizeof(RevokedCert));
-    }
-#else
-    RevokedCert* tmp = crle->certs;
-    RevokedCert* next;
-
-    WOLFSSL_ENTER("FreeCRL_Entry");
+    WOLFSSL_ENTER("CRL_Entry_free");
     if (crle == NULL) {
         WOLFSSL_MSG("CRL Entry is null");
         return;
     }
+#ifdef CRL_STATIC_REVOKED_LIST
+    XMEMSET(crle->certs, 0, CRL_MAX_REVOKED_CERTS*sizeof(RevokedCert));
+#else
+    {
+        RevokedCert* tmp;
+        RevokedCert* next;
+
+        for (tmp = crle->certs; tmp != NULL; tmp = next) {
+            next = tmp->next;
+            XFREE(tmp, heap, DYNAMIC_TYPE_REVOKED);
+        }
 
-    while (tmp != NULL) {
-        next = tmp->next;
-        XFREE(tmp, heap, DYNAMIC_TYPE_REVOKED);
-        tmp = next;
     }
 #endif
     XFREE(crle->signature, heap, DYNAMIC_TYPE_CRL_ENTRY);

src/pk.c

@@ -8858,7 +8858,7 @@ static int _DH_compute_key(unsigned char* key, const WOLFSSL_BIGNUM* otherPub,
     if (ret == 0) {
         /* Validate the size of the private key. */
         sz = wolfSSL_BN_num_bytes(dh->priv_key);
-        if (sz > (int)privSz) {
+        if (sz > privSz) {
             WOLFSSL_ERROR_MSG("Bad priv internal size");
             ret = WOLFSSL_FATAL_ERROR;
         }
@@ -8957,12 +8957,14 @@ static int _DH_compute_key(unsigned char* key, const WOLFSSL_BIGNUM* otherPub,
     }
     PRIVATE_KEY_LOCK();
 
+    if (privSz > 0) {
 #ifdef WOLFSSL_SMALL_STACK
-    if (priv != NULL)
+        if (priv != NULL)
 #endif
-    {
-        /* Zeroize sensitive data. */
-        ForceZero(priv, (word32)privSz);
+        {
+            /* Zeroize sensitive data. */
+            ForceZero(priv, (word32)privSz);
+        }
     }
 #ifdef WOLFSSL_SMALL_STACK
     XFREE(pub,  NULL, DYNAMIC_TYPE_PUBLIC_KEY);

src/ssl_load.c

@@ -2742,14 +2742,14 @@ int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, int type,
         if (wc_PemGetHeaderFooter(CA_TYPE, &header, &footer) == 0 &&
                 (XSTRNSTR((char*)content.buffer, header, (word32)sz) != NULL)) {
             type = CA_TYPE;
-            WOLFSSL_DEBUG_PRINTF("Detected cert type CA_TYPE = %d:", type);
+            WOLFSSL_MSG_CERT_LOG_EX("Detected cert type CA_TYPE = %d:", type);
         }
 #ifdef HAVE_CRL
         /* Look for CRL header and footer. */
         else if (wc_PemGetHeaderFooter(CRL_TYPE, &header, &footer) == 0 &&
                 (XSTRNSTR((char*)content.buffer, header, (word32)sz) != NULL)) {
             type = CRL_TYPE;
-            WOLFSSL_DEBUG_PRINTF("Detected cert type CRL_TYPE = %d:", type);
+            WOLFSSL_MSG_CERT_LOG_EX("Detected cert type CRL_TYPE = %d:", type);
         }
 #endif
         /* Look for cert header and footer - same as CA_TYPE. */
@@ -2757,7 +2757,7 @@ int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, int type,
                 (XSTRNSTR((char*)content.buffer, header, (word32)sz) !=
                     NULL)) {
             type = CERT_TYPE;
-            WOLFSSL_DEBUG_PRINTF("Detected cert type CERT_TYPE = %d:", type);
+            WOLFSSL_MSG_CERT_LOG_EX("Detected cert type CERT_TYPE = %d:", type);
         }
         else
 #endif /* !NO_CODING && !WOLFSSL_NO_PEM */

wolfcrypt/src/logging.c

@@ -373,6 +373,7 @@ static void wolfssl_log(const int logLevel, const char* const file_name,
         return 0;
     }
 
+    #ifdef XVSNPRINTF
     #ifdef __clang__
     /* tell clang argument 1 is format */
     __attribute__((__format__ (__printf__, 1, 0)))
@@ -404,9 +405,10 @@ static void wolfssl_log(const int logLevel, const char* const file_name,
 #endif
         return 0;
     } /* WOLFSSL_MSG_CERT_EX */
-#else
+    #endif /* XVSNPRINTF */
+
+#else /* (!WOLFSSL_DEBUG_CERTS && !DEBUG_WOLFSSL) || NO_WOLFSSL_DEBUG_CERTS */
 
-    /* !(DEBUG_WOLFSSL || WOLFSSL_DEBUG_CERTS) */
     #ifdef WOLF_NO_VARIADIC_MACROS
         #ifdef  __WATCOMC__
             /* Do-nothing implementation in header for OW Open Watcom V2 */
@@ -425,7 +427,7 @@ static void wolfssl_log(const int logLevel, const char* const file_name,
     #else
         /* using a macro, see logging.h */
     #endif
-#endif /* DEBUG_WOLFSSL || WOLFSSL_DEBUG_CERTS */
+#endif /* (!WOLFSSL_DEBUG_CERTS && !DEBUG_WOLFSSL) || NO_WOLFSSL_DEBUG_CERTS */
 
 #if defined(XVSNPRINTF) && !defined(NO_WOLFSSL_MSG_EX)
 #include <stdarg.h> /* for var args */

wolfcrypt/src/memory.c

@@ -26,6 +26,13 @@
 
 #include <wolfssl/wolfcrypt/libwolfssl_sources.h>
 
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
 /*
 Possible memory options:
  * NO_WOLFSSL_MEMORY:               Disables wolf memory callback support. When not defined settings.h defines USE_WOLFSSL_MEMORY.
@@ -1661,36 +1668,10 @@ void __attribute__((no_instrument_function))
 #endif
 
 #ifndef WOLFSSL_NO_FORCE_ZERO
-/* Exported version of ForceZero() that takes a size_t. */
+/* Exported version of ForceZero(). */
 void wc_ForceZero(void *mem, size_t len)
 {
-    byte *zb = (byte *)mem;
-    unsigned long *zl;
-
-    XFENCE();
-
-    while ((wc_ptr_t)zb & (wc_ptr_t)(sizeof(unsigned long) - 1U)) {
-        if (len == 0)
-            return;
-        *zb++ = 0;
-        --len;
-    }
-
-    zl = (unsigned long *)zb;
-
-    while (len > sizeof(unsigned long)) {
-        *zl++ = 0;
-        len -= sizeof(unsigned long);
-    }
-
-    zb = (byte *)zl;
-
-    while (len) {
-        *zb++ = 0;
-        --len;
-    }
-
-    XFENCE();
+    ForceZero(mem, len);
 }
 #endif
 

wolfcrypt/src/misc.c

@@ -587,32 +587,36 @@ WC_MISC_STATIC WC_INLINE void xorbuf(void* buf, const void* mask, word32 count)
 
 #ifndef WOLFSSL_NO_FORCE_ZERO
 /* This routine fills the first len bytes of the memory area pointed by mem
-   with zeros. It ensures compiler optimization doesn't skip it  */
-WC_MISC_STATIC WC_INLINE void ForceZero(void* mem, word32 len)
+   with zeros. It ensures compiler optimization doesn't skip it. */
+WC_MISC_STATIC WC_INLINE void ForceZero(void* mem, size_t len)
 {
-    volatile byte* z = (volatile byte*)mem;
+    byte *zb = (byte *)mem;
+    unsigned long *zl;
 
-#if (defined(WOLFSSL_X86_64_BUILD) || defined(WOLFSSL_AARCH64_BUILD)) \
-            && defined(WORD64_AVAILABLE)
-    volatile word64* w;
-    #ifndef WOLFSSL_UNALIGNED_64BIT_ACCESS
-        word32 l = (sizeof(word64) - ((size_t)z & (sizeof(word64)-1))) &
-                                                             (sizeof(word64)-1);
+    XFENCE();
 
-        if (len < l) l = len;
-        len -= l;
-        while (l--) *z++ = 0;
-    #endif
-        for (w = (volatile word64*)z;
-             len >= sizeof(*w);
-             len -= (word32)sizeof(*w))
-        {
-            *w++ = 0;
-        }
-    z = (volatile byte*)w;
-#endif
+    while ((wc_ptr_t)zb & (wc_ptr_t)(sizeof(unsigned long) - 1U)) {
+        if (len == 0)
+            return;
+        *zb++ = 0;
+        --len;
+    }
 
-    while (len--) *z++ = 0;
+    zl = (unsigned long *)zb;
+
+    while (len >= sizeof(unsigned long)) {
+        *zl++ = 0;
+        len -= sizeof(unsigned long);
+    }
+
+    zb = (byte *)zl;
+
+    while (len) {
+        *zb++ = 0;
+        --len;
+    }
+
+    XFENCE();
 }
 #endif
 

wolfcrypt/src/rsa.c

@@ -4763,12 +4763,11 @@ int wc_CheckProbablePrime_ex(const byte* pRaw, word32 pRawSz,
     if (ret == MP_OKAY)
         ret = mp_read_unsigned_bin(e, eRaw, eRawSz);
 
-    if (ret == MP_OKAY) {
+    if (ret == MP_OKAY)
         SAVE_VECTOR_REGISTERS(ret = _svr_ret;);
 
-        if (ret == MP_OKAY)
-            ret = _CheckProbablePrime(p, Q, e, nlen, isPrime, rng);
-
+    if (ret == 0) {
+        ret = _CheckProbablePrime(p, Q, e, nlen, isPrime, rng);
         RESTORE_VECTOR_REGISTERS();
     }
 
@@ -5173,7 +5172,8 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
     }
 #endif
 
-    RESTORE_VECTOR_REGISTERS();
+    if (err != WC_NO_ERR_TRACE(WC_ACCEL_INHIBIT_E))
+        RESTORE_VECTOR_REGISTERS();
 
     /* Last value p - 1. */
     mp_forcezero(tmp1);

wolfssl/wolfcrypt/logging.h

@@ -40,21 +40,22 @@
  * ****************************************************************************
  *
  * WOLFSSL_DEBUG_PRINTF()
- *   Utility macro: A buffer-less, non-truncating debug message renderer.
- *   Unavailable on some targets, and has no default no-op definition,
- *   so the WOLFSSL_DEBUG_CERTIFICATE_LOADS gate is needed.
+ *   Utility macro: A buffer-less, non-truncating debug message renderer.  On
+ *   supported targets, it is always functional, i.e. it is not affected by
+ *   DEBUG_WOLFSSL or wolfSSL_Debugging_{ON,OFF}().  Test for support using
+ *   defined(WOLFSSL_DEBUG_PRINTF) -- if it is unsupported it is not defined.
  *
- * WOLFSSL_DEBUG_PRINTF_FN(...)
+ * WOLFSSL_DEBUG_PRINTF_FN
  *   Used to supply an override definition of the target platform's printf-like
- *   function, and it is not function-like:
+ *   function.  By default, it is defined to fprintf.  If defined, this is used
+ *   as the underlying function for all logging by the library.
  *
- *   #ifdef WOLFSSL_DEBUG_PRINTF_FN
- *       #define [user-supplied definition]
- *   #elif defined(ARDUINO)
- *       #warning ARDUINO only has print and sprintf, no printf on some targets.
- *   #elif defined(WOLFSSL_LOG_PRINTF) || defined(WOLFSSL_DEOS)
- *       #define WOLFSSL_DEBUG_PRINTF_FN printf
- *   [...]
+ * WOLFSSL_DEBUG_PRINTF_FIRST_ARGS
+ *   Used to supply an override definition of the initial args to the target
+ *   platform's printf-like function, with a trailing comma.  This can be
+ *   defined to nothing if there are no initial args to supply.  By default, it
+ *   is defined to stderr plus a trailing comma.  If defined, the args are
+ *   passed to WOLFSSL_DEBUG_PRINTF_FN wherever it is called.
  *
  * WOLFSSL_MSG_EX_BUF_SZ
  *   Re-definable macro: maximum length of WOLFSSL_MSG_EX debugging messages.
@@ -89,6 +90,10 @@
  * WOLFSSL_MSG_CERT_EX
  *   Variable number of parameters. Should be supported nearly everywhere.
  *
+ * WOLFSSL_MSG_CERT_LOG_EX
+ *   Variable number of parameters. Should be supported nearly everywhere.
+ *   Print during either DEBUG_WOLFSSL or WOLFSSL_DEBUG_CERTS
+ *
  * When any of the above are disabled:
  *   With WOLF_NO_VARIADIC_MACROS a do nothing placeholder function is used.
  *   Otherwise, a do-nothing macro. See WC_DO_NOTHING
@@ -120,7 +125,7 @@
  * See also:
  *  int WOLFSSL_IS_DEBUG_ON(void)
  *
- *  Note: does not detect or control WOLFSSL_DEBUG_PRINTF_FN usage
+ *  Note: does not affect WOLFSSL_DEBUG_PRINTF(), which renders unconditionally.
  *
  */
 
@@ -394,12 +399,15 @@ WOLFSSL_API void wolfSSL_SetLoggingPrefix(const char* prefix);
  *
  * WOLFSSL_MSG_CERT_LOG will also print during WOLFSSL_DEBUG_CERTS
  * even if standard DEBUG_WOLFSSL is not enabled. */
-#if defined(DEBUG_WOLFSSL)
-    #define WOLFSSL_MSG_CERT_LOG(msg) WOLFSSL_MSG(msg)
-#elif defined(WOLFSSL_DEBUG_CERTS)
+#if defined(WOLFSSL_DEBUG_CERTS)
     #define WOLFSSL_MSG_CERT_LOG(msg) WOLFSSL_MSG_CERT(msg)
+    #define WOLFSSL_MSG_CERT_LOG_EX WOLFSSL_MSG_CERT_EX
+#elif defined(DEBUG_WOLFSSL)
+    #define WOLFSSL_MSG_CERT_LOG(msg) WOLFSSL_MSG(msg)
+    #define WOLFSSL_MSG_CERT_LOG_EX WOLFSSL_MSG_EX
 #else
     #define WOLFSSL_MSG_CERT_LOG(msg) WC_DO_NOTHING
+    #define WOLFSSL_MSG_CERT_LOG_EX WOLFSSL_MSG_EX
 #endif
 
 /* WOLFSSL_ERROR and WOLFSSL_HAVE_ERROR_QUEUE */
@@ -535,7 +543,7 @@ WOLFSSL_API void wolfSSL_SetLoggingPrefix(const char* prefix);
     #define WOLFSSL_DEBUG_PRINTF_FN M2M_LOG_INFO
 #elif defined(WOLFSSL_ANDROID_DEBUG)
     #define WOLFSSL_DEBUG_PRINTF_FN __android_log_print
-    #define WOLFSSL_DEBUG_PRINTF_FIRST_ARGS ANDROID_LOG_VERBOSE, "[wolfSSL]"
+    #define WOLFSSL_DEBUG_PRINTF_FIRST_ARGS ANDROID_LOG_VERBOSE, "[wolfSSL]",
 #elif defined(WOLFSSL_XILINX)
     #define WOLFSSL_DEBUG_PRINTF_FN xil_printf
 #elif defined(WOLFSSL_LINUXKM)
@@ -557,7 +565,7 @@ WOLFSSL_API void wolfSSL_SetLoggingPrefix(const char* prefix);
             /* ESP-IDF supports variadic. Do not use WOLF_NO_VARIADIC_MACROS.
              * This is only for WOLF_NO_VARIADIC_MACROS testing: */
             #define WOLFSSL_DEBUG_PRINTF(a) \
-                WOLFSSL_DEBUG_PRINTF_FN(WOLFSSL_DEBUG_PRINTF_FIRST_ARGS, a)
+                WOLFSSL_DEBUG_PRINTF_FN(WOLFSSL_DEBUG_PRINTF_FIRST_ARGS a)
         #else
             /* no variadic not defined for this platform */
         #endif

wolfssl/wolfcrypt/misc.h

@@ -67,7 +67,7 @@ WOLFSSL_LOCAL
 void xorbuf(void* buf, const void* mask, word32 count);
 
 WOLFSSL_LOCAL
-void ForceZero(void* mem, word32 len);
+void ForceZero(void* mem, size_t len);
 
 WOLFSSL_LOCAL
 int ConstantCompare(const byte* a, const byte* b, int length);
@@ -184,7 +184,7 @@ WOLFSSL_LOCAL w64wrapper w64Mul(word32 a, word32 b);
 
 /* Declarations for user defined functions */
 #ifdef WOLFSSL_NO_FORCE_ZERO
-void ForceZero(void* mem, word32 len);
+void ForceZero(void* mem, size_t len);
 #endif
 #ifdef WOLFSSL_NO_CONST_CMP
 int ConstantCompare(const byte* a, const byte* b, int length);

wolfssl/wolfcrypt/settings.h

@@ -3756,7 +3756,11 @@ extern void uITRON4_free(void *p) ;
          * NIST SP 800-90A Rev. 1, to avoid unnecessary delays in DRBG
          * generation.
          */
-        #define WC_RESEED_INTERVAL (((word64)1UL)<<48UL)
+        #if defined(HAVE_FIPS) && FIPS_VERSION_LT(6,0)
+            #define WC_RESEED_INTERVAL UINT_MAX
+        #else
+            #define WC_RESEED_INTERVAL (((word64)1UL)<<48UL)
+        #endif
     #endif
 #endif
 

wolfssl/wolfcrypt/types.h

@@ -1946,6 +1946,9 @@ WOLFSSL_API word32 CheckRunTimeSettings(void);
     #ifndef SAVE_NO_VECTOR_REGISTERS
         #define SAVE_NO_VECTOR_REGISTERS(fail_clause) WC_RELAX_LONG_LOOP()
     #endif
+    #ifndef SAVE_NO_VECTOR_REGISTERS2
+        #define SAVE_NO_VECTOR_REGISTERS2() 0
+    #endif
 #else
     #ifndef SAVE_NO_VECTOR_REGISTERS
         #define SAVE_NO_VECTOR_REGISTERS(fail_clause) {     \
@@ -1954,9 +1957,9 @@ WOLFSSL_API word32 CheckRunTimeSettings(void);
                 WC_RELAX_LONG_LOOP();                       \
             }
     #endif
-#endif
-#ifndef SAVE_NO_VECTOR_REGISTERS2
-    #define SAVE_NO_VECTOR_REGISTERS2() 0
+    #ifndef SAVE_NO_VECTOR_REGISTERS2
+        #define SAVE_NO_VECTOR_REGISTERS2() WC_CHECK_FOR_INTR_SIGNALS()
+    #endif
 #endif
 #ifndef RESTORE_NO_VECTOR_REGISTERS
     #define RESTORE_NO_VECTOR_REGISTERS() WC_RELAX_LONG_LOOP()
@@ -1966,8 +1969,10 @@ WOLFSSL_API word32 CheckRunTimeSettings(void);
     #define SAVE_VECTOR_REGISTERS(fail_clause) SAVE_NO_VECTOR_REGISTERS(fail_clause)
 #endif
 #ifndef SAVE_VECTOR_REGISTERS2
-    #define SAVE_VECTOR_REGISTERS2() 0
-    #define SAVE_VECTOR_REGISTERS2_DOES_NOTHING
+    #define SAVE_VECTOR_REGISTERS2() SAVE_NO_VECTOR_REGISTERS2()
+    #define SAVE_VECTOR_REGISTERS2_DOES_NOTHING /* VECTOR_REGISTERS_{PUSH,POP}
+                                                 * in aes.c depend on this.
+                                                 */
 #endif
 #ifndef CAN_SAVE_VECTOR_REGISTERS
     #define CAN_SAVE_VECTOR_REGISTERS() 1