diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras index 643c0af73..5e2dae25e 100644 --- a/.wolfssl_known_macro_extras +++ b/.wolfssl_known_macro_extras @@ -561,7 +561,6 @@ USE_STSAFE_VERBOSE USE_TLSV13 USE_WOLF_STRNSTR USS_API -WC_16BIT_CPU WC_AESXTS_STREAM_NO_REQUEST_ACCOUNTING WC_AES_BS_WORD_SIZE WC_AES_GCM_DEC_AUTH_EARLY diff --git a/configure.ac b/configure.ac index d82bbe96b..1925d806b 100644 --- a/configure.ac +++ b/configure.ac @@ -5656,7 +5656,8 @@ AC_ARG_ENABLE([pwdbased], # MemUse Entropy # wolfEntropy Software Jitter SP800-90B certifiable entropy source -if test "$ENABLED_LINUXKM_DEFAULTS" = "yes" +if test "$ENABLED_LINUXKM_DEFAULTS" = "yes" && \ + (test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -ge 6) then ENABLED_ENTROPY_MEMUSE_DEFAULT=yes else diff --git a/linuxkm/linuxkm_wc_port.h b/linuxkm/linuxkm_wc_port.h index dcc445883..506e42141 100644 --- a/linuxkm/linuxkm_wc_port.h +++ b/linuxkm/linuxkm_wc_port.h @@ -136,6 +136,7 @@ extern void wc_linuxkm_relax_long_loop(void); enum wc_svr_flags { + WC_SVR_FLAG_NONE = 0, WC_SVR_FLAG_INHIBIT = 1, }; @@ -478,7 +479,7 @@ #endif #ifndef SAVE_VECTOR_REGISTERS #define SAVE_VECTOR_REGISTERS(fail_clause) { \ - int _svr_ret = wc_save_vector_registers_x86(0); \ + int _svr_ret = wc_save_vector_registers_x86(WC_SVR_FLAG_NONE); \ if (_svr_ret != 0) { \ fail_clause \ } \ @@ -489,11 +490,11 @@ #define SAVE_VECTOR_REGISTERS2() ({ \ int _fuzzer_ret = SAVE_VECTOR_REGISTERS2_fuzzer(); \ (_fuzzer_ret == 0) ? \ - wc_save_vector_registers_x86(0) : \ + wc_save_vector_registers_x86(WC_SVR_FLAG_NONE) : \ _fuzzer_ret; \ }) #else - #define SAVE_VECTOR_REGISTERS2() wc_save_vector_registers_x86(0) + #define SAVE_VECTOR_REGISTERS2() wc_save_vector_registers_x86(WC_SVR_FLAG_NONE) #endif #endif #ifndef RESTORE_VECTOR_REGISTERS diff --git a/src/bio.c b/src/bio.c index 7fffc68ff..7dad889fa 100644 --- a/src/bio.c +++ b/src/bio.c @@ -3327,7 +3327,7 @@ int wolfSSL_BIO_vprintf(WOLFSSL_BIO* bio, const char* format, va_list args) /* In Visual Studio versions prior to Visual Studio 2013, the va_* symbols aren't defined. If using Visual Studio 2013 or later, define HAVE_VA_COPY. */ - #if !defined(_WIN32) || defined(HAVE_VA_COPY) + #if defined(XVSNPRINTF) && (!defined(_WIN32) || defined(HAVE_VA_COPY)) case WOLFSSL_BIO_SSL: { int count; @@ -3358,7 +3358,7 @@ int wolfSSL_BIO_vprintf(WOLFSSL_BIO* bio, const char* format, va_list args) va_end(copy); } break; - #endif /* !_WIN32 || HAVE_VA_COPY */ + #endif /* XVSNPRINTF && (!_WIN32 || HAVE_VA_COPY) */ default: WOLFSSL_MSG("Unsupported WOLFSSL_BIO type for wolfSSL_BIO_printf"); diff --git a/src/crl.c b/src/crl.c index a02d26878..96524ee4d 100644 --- a/src/crl.c +++ b/src/crl.c @@ -210,24 +210,23 @@ static CRL_Entry* CRL_Entry_new(void* heap) /* Free all CRL Entry resources */ static void CRL_Entry_free(CRL_Entry* crle, void* heap) { -#ifdef CRL_STATIC_REVOKED_LIST - if (crle != NULL) { - XMEMSET(crle->certs, 0, CRL_MAX_REVOKED_CERTS*sizeof(RevokedCert)); - } -#else - RevokedCert* tmp = crle->certs; - RevokedCert* next; - - WOLFSSL_ENTER("FreeCRL_Entry"); + WOLFSSL_ENTER("CRL_Entry_free"); if (crle == NULL) { WOLFSSL_MSG("CRL Entry is null"); return; } +#ifdef CRL_STATIC_REVOKED_LIST + XMEMSET(crle->certs, 0, CRL_MAX_REVOKED_CERTS*sizeof(RevokedCert)); +#else + { + RevokedCert* tmp; + RevokedCert* next; + + for (tmp = crle->certs; tmp != NULL; tmp = next) { + next = tmp->next; + XFREE(tmp, heap, DYNAMIC_TYPE_REVOKED); + } - while (tmp != NULL) { - next = tmp->next; - XFREE(tmp, heap, DYNAMIC_TYPE_REVOKED); - tmp = next; } #endif XFREE(crle->signature, heap, DYNAMIC_TYPE_CRL_ENTRY); diff --git a/src/pk.c b/src/pk.c index 7cb73d7a4..8bc1c75c0 100644 --- a/src/pk.c +++ b/src/pk.c @@ -8858,7 +8858,7 @@ static int _DH_compute_key(unsigned char* key, const WOLFSSL_BIGNUM* otherPub, if (ret == 0) { /* Validate the size of the private key. */ sz = wolfSSL_BN_num_bytes(dh->priv_key); - if (sz > (int)privSz) { + if (sz > privSz) { WOLFSSL_ERROR_MSG("Bad priv internal size"); ret = WOLFSSL_FATAL_ERROR; } @@ -8957,12 +8957,14 @@ static int _DH_compute_key(unsigned char* key, const WOLFSSL_BIGNUM* otherPub, } PRIVATE_KEY_LOCK(); + if (privSz > 0) { #ifdef WOLFSSL_SMALL_STACK - if (priv != NULL) + if (priv != NULL) #endif - { - /* Zeroize sensitive data. */ - ForceZero(priv, (word32)privSz); + { + /* Zeroize sensitive data. */ + ForceZero(priv, (word32)privSz); + } } #ifdef WOLFSSL_SMALL_STACK XFREE(pub, NULL, DYNAMIC_TYPE_PUBLIC_KEY); diff --git a/src/ssl_load.c b/src/ssl_load.c index a540e801f..7f7b8a180 100644 --- a/src/ssl_load.c +++ b/src/ssl_load.c @@ -2742,14 +2742,14 @@ int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, int type, if (wc_PemGetHeaderFooter(CA_TYPE, &header, &footer) == 0 && (XSTRNSTR((char*)content.buffer, header, (word32)sz) != NULL)) { type = CA_TYPE; - WOLFSSL_DEBUG_PRINTF("Detected cert type CA_TYPE = %d:", type); + WOLFSSL_MSG_CERT_LOG_EX("Detected cert type CA_TYPE = %d:", type); } #ifdef HAVE_CRL /* Look for CRL header and footer. */ else if (wc_PemGetHeaderFooter(CRL_TYPE, &header, &footer) == 0 && (XSTRNSTR((char*)content.buffer, header, (word32)sz) != NULL)) { type = CRL_TYPE; - WOLFSSL_DEBUG_PRINTF("Detected cert type CRL_TYPE = %d:", type); + WOLFSSL_MSG_CERT_LOG_EX("Detected cert type CRL_TYPE = %d:", type); } #endif /* Look for cert header and footer - same as CA_TYPE. */ @@ -2757,7 +2757,7 @@ int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, int type, (XSTRNSTR((char*)content.buffer, header, (word32)sz) != NULL)) { type = CERT_TYPE; - WOLFSSL_DEBUG_PRINTF("Detected cert type CERT_TYPE = %d:", type); + WOLFSSL_MSG_CERT_LOG_EX("Detected cert type CERT_TYPE = %d:", type); } else #endif /* !NO_CODING && !WOLFSSL_NO_PEM */ diff --git a/wolfcrypt/src/logging.c b/wolfcrypt/src/logging.c index 151c4e49d..a09d8d614 100644 --- a/wolfcrypt/src/logging.c +++ b/wolfcrypt/src/logging.c @@ -373,6 +373,7 @@ static void wolfssl_log(const int logLevel, const char* const file_name, return 0; } + #ifdef XVSNPRINTF #ifdef __clang__ /* tell clang argument 1 is format */ __attribute__((__format__ (__printf__, 1, 0))) @@ -404,9 +405,10 @@ static void wolfssl_log(const int logLevel, const char* const file_name, #endif return 0; } /* WOLFSSL_MSG_CERT_EX */ -#else + #endif /* XVSNPRINTF */ + +#else /* (!WOLFSSL_DEBUG_CERTS && !DEBUG_WOLFSSL) || NO_WOLFSSL_DEBUG_CERTS */ - /* !(DEBUG_WOLFSSL || WOLFSSL_DEBUG_CERTS) */ #ifdef WOLF_NO_VARIADIC_MACROS #ifdef __WATCOMC__ /* Do-nothing implementation in header for OW Open Watcom V2 */ @@ -425,7 +427,7 @@ static void wolfssl_log(const int logLevel, const char* const file_name, #else /* using a macro, see logging.h */ #endif -#endif /* DEBUG_WOLFSSL || WOLFSSL_DEBUG_CERTS */ +#endif /* (!WOLFSSL_DEBUG_CERTS && !DEBUG_WOLFSSL) || NO_WOLFSSL_DEBUG_CERTS */ #if defined(XVSNPRINTF) && !defined(NO_WOLFSSL_MSG_EX) #include /* for var args */ diff --git a/wolfcrypt/src/memory.c b/wolfcrypt/src/memory.c index 29a72d024..3bd5fc185 100644 --- a/wolfcrypt/src/memory.c +++ b/wolfcrypt/src/memory.c @@ -26,6 +26,13 @@ #include +#ifdef NO_INLINE + #include +#else + #define WOLFSSL_MISC_INCLUDED + #include +#endif + /* Possible memory options: * NO_WOLFSSL_MEMORY: Disables wolf memory callback support. When not defined settings.h defines USE_WOLFSSL_MEMORY. @@ -1661,36 +1668,10 @@ void __attribute__((no_instrument_function)) #endif #ifndef WOLFSSL_NO_FORCE_ZERO -/* Exported version of ForceZero() that takes a size_t. */ +/* Exported version of ForceZero(). */ void wc_ForceZero(void *mem, size_t len) { - byte *zb = (byte *)mem; - unsigned long *zl; - - XFENCE(); - - while ((wc_ptr_t)zb & (wc_ptr_t)(sizeof(unsigned long) - 1U)) { - if (len == 0) - return; - *zb++ = 0; - --len; - } - - zl = (unsigned long *)zb; - - while (len > sizeof(unsigned long)) { - *zl++ = 0; - len -= sizeof(unsigned long); - } - - zb = (byte *)zl; - - while (len) { - *zb++ = 0; - --len; - } - - XFENCE(); + ForceZero(mem, len); } #endif diff --git a/wolfcrypt/src/misc.c b/wolfcrypt/src/misc.c index 066134a22..bf8373c7d 100644 --- a/wolfcrypt/src/misc.c +++ b/wolfcrypt/src/misc.c @@ -587,32 +587,36 @@ WC_MISC_STATIC WC_INLINE void xorbuf(void* buf, const void* mask, word32 count) #ifndef WOLFSSL_NO_FORCE_ZERO /* This routine fills the first len bytes of the memory area pointed by mem - with zeros. It ensures compiler optimization doesn't skip it */ -WC_MISC_STATIC WC_INLINE void ForceZero(void* mem, word32 len) + with zeros. It ensures compiler optimization doesn't skip it. */ +WC_MISC_STATIC WC_INLINE void ForceZero(void* mem, size_t len) { - volatile byte* z = (volatile byte*)mem; + byte *zb = (byte *)mem; + unsigned long *zl; -#if (defined(WOLFSSL_X86_64_BUILD) || defined(WOLFSSL_AARCH64_BUILD)) \ - && defined(WORD64_AVAILABLE) - volatile word64* w; - #ifndef WOLFSSL_UNALIGNED_64BIT_ACCESS - word32 l = (sizeof(word64) - ((size_t)z & (sizeof(word64)-1))) & - (sizeof(word64)-1); + XFENCE(); - if (len < l) l = len; - len -= l; - while (l--) *z++ = 0; - #endif - for (w = (volatile word64*)z; - len >= sizeof(*w); - len -= (word32)sizeof(*w)) - { - *w++ = 0; - } - z = (volatile byte*)w; -#endif + while ((wc_ptr_t)zb & (wc_ptr_t)(sizeof(unsigned long) - 1U)) { + if (len == 0) + return; + *zb++ = 0; + --len; + } - while (len--) *z++ = 0; + zl = (unsigned long *)zb; + + while (len >= sizeof(unsigned long)) { + *zl++ = 0; + len -= sizeof(unsigned long); + } + + zb = (byte *)zl; + + while (len) { + *zb++ = 0; + --len; + } + + XFENCE(); } #endif diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c index a0670397d..7014e6ded 100644 --- a/wolfcrypt/src/rsa.c +++ b/wolfcrypt/src/rsa.c @@ -4763,12 +4763,11 @@ int wc_CheckProbablePrime_ex(const byte* pRaw, word32 pRawSz, if (ret == MP_OKAY) ret = mp_read_unsigned_bin(e, eRaw, eRawSz); - if (ret == MP_OKAY) { + if (ret == MP_OKAY) SAVE_VECTOR_REGISTERS(ret = _svr_ret;); - if (ret == MP_OKAY) - ret = _CheckProbablePrime(p, Q, e, nlen, isPrime, rng); - + if (ret == 0) { + ret = _CheckProbablePrime(p, Q, e, nlen, isPrime, rng); RESTORE_VECTOR_REGISTERS(); } @@ -5173,7 +5172,8 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng) } #endif - RESTORE_VECTOR_REGISTERS(); + if (err != WC_NO_ERR_TRACE(WC_ACCEL_INHIBIT_E)) + RESTORE_VECTOR_REGISTERS(); /* Last value p - 1. */ mp_forcezero(tmp1); diff --git a/wolfssl/wolfcrypt/logging.h b/wolfssl/wolfcrypt/logging.h index c15de663c..f7eec130d 100644 --- a/wolfssl/wolfcrypt/logging.h +++ b/wolfssl/wolfcrypt/logging.h @@ -40,21 +40,22 @@ * **************************************************************************** * * WOLFSSL_DEBUG_PRINTF() - * Utility macro: A buffer-less, non-truncating debug message renderer. - * Unavailable on some targets, and has no default no-op definition, - * so the WOLFSSL_DEBUG_CERTIFICATE_LOADS gate is needed. + * Utility macro: A buffer-less, non-truncating debug message renderer. On + * supported targets, it is always functional, i.e. it is not affected by + * DEBUG_WOLFSSL or wolfSSL_Debugging_{ON,OFF}(). Test for support using + * defined(WOLFSSL_DEBUG_PRINTF) -- if it is unsupported it is not defined. * - * WOLFSSL_DEBUG_PRINTF_FN(...) + * WOLFSSL_DEBUG_PRINTF_FN * Used to supply an override definition of the target platform's printf-like - * function, and it is not function-like: + * function. By default, it is defined to fprintf. If defined, this is used + * as the underlying function for all logging by the library. * - * #ifdef WOLFSSL_DEBUG_PRINTF_FN - * #define [user-supplied definition] - * #elif defined(ARDUINO) - * #warning ARDUINO only has print and sprintf, no printf on some targets. - * #elif defined(WOLFSSL_LOG_PRINTF) || defined(WOLFSSL_DEOS) - * #define WOLFSSL_DEBUG_PRINTF_FN printf - * [...] + * WOLFSSL_DEBUG_PRINTF_FIRST_ARGS + * Used to supply an override definition of the initial args to the target + * platform's printf-like function, with a trailing comma. This can be + * defined to nothing if there are no initial args to supply. By default, it + * is defined to stderr plus a trailing comma. If defined, the args are + * passed to WOLFSSL_DEBUG_PRINTF_FN wherever it is called. * * WOLFSSL_MSG_EX_BUF_SZ * Re-definable macro: maximum length of WOLFSSL_MSG_EX debugging messages. @@ -89,6 +90,10 @@ * WOLFSSL_MSG_CERT_EX * Variable number of parameters. Should be supported nearly everywhere. * + * WOLFSSL_MSG_CERT_LOG_EX + * Variable number of parameters. Should be supported nearly everywhere. + * Print during either DEBUG_WOLFSSL or WOLFSSL_DEBUG_CERTS + * * When any of the above are disabled: * With WOLF_NO_VARIADIC_MACROS a do nothing placeholder function is used. * Otherwise, a do-nothing macro. See WC_DO_NOTHING @@ -120,7 +125,7 @@ * See also: * int WOLFSSL_IS_DEBUG_ON(void) * - * Note: does not detect or control WOLFSSL_DEBUG_PRINTF_FN usage + * Note: does not affect WOLFSSL_DEBUG_PRINTF(), which renders unconditionally. * */ @@ -394,12 +399,15 @@ WOLFSSL_API void wolfSSL_SetLoggingPrefix(const char* prefix); * * WOLFSSL_MSG_CERT_LOG will also print during WOLFSSL_DEBUG_CERTS * even if standard DEBUG_WOLFSSL is not enabled. */ -#if defined(DEBUG_WOLFSSL) - #define WOLFSSL_MSG_CERT_LOG(msg) WOLFSSL_MSG(msg) -#elif defined(WOLFSSL_DEBUG_CERTS) +#if defined(WOLFSSL_DEBUG_CERTS) #define WOLFSSL_MSG_CERT_LOG(msg) WOLFSSL_MSG_CERT(msg) + #define WOLFSSL_MSG_CERT_LOG_EX WOLFSSL_MSG_CERT_EX +#elif defined(DEBUG_WOLFSSL) + #define WOLFSSL_MSG_CERT_LOG(msg) WOLFSSL_MSG(msg) + #define WOLFSSL_MSG_CERT_LOG_EX WOLFSSL_MSG_EX #else #define WOLFSSL_MSG_CERT_LOG(msg) WC_DO_NOTHING + #define WOLFSSL_MSG_CERT_LOG_EX WOLFSSL_MSG_EX #endif /* WOLFSSL_ERROR and WOLFSSL_HAVE_ERROR_QUEUE */ @@ -535,7 +543,7 @@ WOLFSSL_API void wolfSSL_SetLoggingPrefix(const char* prefix); #define WOLFSSL_DEBUG_PRINTF_FN M2M_LOG_INFO #elif defined(WOLFSSL_ANDROID_DEBUG) #define WOLFSSL_DEBUG_PRINTF_FN __android_log_print - #define WOLFSSL_DEBUG_PRINTF_FIRST_ARGS ANDROID_LOG_VERBOSE, "[wolfSSL]" + #define WOLFSSL_DEBUG_PRINTF_FIRST_ARGS ANDROID_LOG_VERBOSE, "[wolfSSL]", #elif defined(WOLFSSL_XILINX) #define WOLFSSL_DEBUG_PRINTF_FN xil_printf #elif defined(WOLFSSL_LINUXKM) @@ -557,7 +565,7 @@ WOLFSSL_API void wolfSSL_SetLoggingPrefix(const char* prefix); /* ESP-IDF supports variadic. Do not use WOLF_NO_VARIADIC_MACROS. * This is only for WOLF_NO_VARIADIC_MACROS testing: */ #define WOLFSSL_DEBUG_PRINTF(a) \ - WOLFSSL_DEBUG_PRINTF_FN(WOLFSSL_DEBUG_PRINTF_FIRST_ARGS, a) + WOLFSSL_DEBUG_PRINTF_FN(WOLFSSL_DEBUG_PRINTF_FIRST_ARGS a) #else /* no variadic not defined for this platform */ #endif diff --git a/wolfssl/wolfcrypt/misc.h b/wolfssl/wolfcrypt/misc.h index 096f3dda0..5da53819e 100644 --- a/wolfssl/wolfcrypt/misc.h +++ b/wolfssl/wolfcrypt/misc.h @@ -67,7 +67,7 @@ WOLFSSL_LOCAL void xorbuf(void* buf, const void* mask, word32 count); WOLFSSL_LOCAL -void ForceZero(void* mem, word32 len); +void ForceZero(void* mem, size_t len); WOLFSSL_LOCAL int ConstantCompare(const byte* a, const byte* b, int length); @@ -184,7 +184,7 @@ WOLFSSL_LOCAL w64wrapper w64Mul(word32 a, word32 b); /* Declarations for user defined functions */ #ifdef WOLFSSL_NO_FORCE_ZERO -void ForceZero(void* mem, word32 len); +void ForceZero(void* mem, size_t len); #endif #ifdef WOLFSSL_NO_CONST_CMP int ConstantCompare(const byte* a, const byte* b, int length); diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index aebd31b65..9bfa445a4 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -3756,7 +3756,11 @@ extern void uITRON4_free(void *p) ; * NIST SP 800-90A Rev. 1, to avoid unnecessary delays in DRBG * generation. */ - #define WC_RESEED_INTERVAL (((word64)1UL)<<48UL) + #if defined(HAVE_FIPS) && FIPS_VERSION_LT(6,0) + #define WC_RESEED_INTERVAL UINT_MAX + #else + #define WC_RESEED_INTERVAL (((word64)1UL)<<48UL) + #endif #endif #endif diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index 799b7d7c1..86c9cb62a 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h @@ -1946,6 +1946,9 @@ WOLFSSL_API word32 CheckRunTimeSettings(void); #ifndef SAVE_NO_VECTOR_REGISTERS #define SAVE_NO_VECTOR_REGISTERS(fail_clause) WC_RELAX_LONG_LOOP() #endif + #ifndef SAVE_NO_VECTOR_REGISTERS2 + #define SAVE_NO_VECTOR_REGISTERS2() 0 + #endif #else #ifndef SAVE_NO_VECTOR_REGISTERS #define SAVE_NO_VECTOR_REGISTERS(fail_clause) { \ @@ -1954,9 +1957,9 @@ WOLFSSL_API word32 CheckRunTimeSettings(void); WC_RELAX_LONG_LOOP(); \ } #endif -#endif -#ifndef SAVE_NO_VECTOR_REGISTERS2 - #define SAVE_NO_VECTOR_REGISTERS2() 0 + #ifndef SAVE_NO_VECTOR_REGISTERS2 + #define SAVE_NO_VECTOR_REGISTERS2() WC_CHECK_FOR_INTR_SIGNALS() + #endif #endif #ifndef RESTORE_NO_VECTOR_REGISTERS #define RESTORE_NO_VECTOR_REGISTERS() WC_RELAX_LONG_LOOP() @@ -1966,8 +1969,10 @@ WOLFSSL_API word32 CheckRunTimeSettings(void); #define SAVE_VECTOR_REGISTERS(fail_clause) SAVE_NO_VECTOR_REGISTERS(fail_clause) #endif #ifndef SAVE_VECTOR_REGISTERS2 - #define SAVE_VECTOR_REGISTERS2() 0 - #define SAVE_VECTOR_REGISTERS2_DOES_NOTHING + #define SAVE_VECTOR_REGISTERS2() SAVE_NO_VECTOR_REGISTERS2() + #define SAVE_VECTOR_REGISTERS2_DOES_NOTHING /* VECTOR_REGISTERS_{PUSH,POP} + * in aes.c depend on this. + */ #endif #ifndef CAN_SAVE_VECTOR_REGISTERS #define CAN_SAVE_VECTOR_REGISTERS() 1