diff --git a/linuxkm/Kbuild b/linuxkm/Kbuild index 2df401ce7..89d2199d1 100644 --- a/linuxkm/Kbuild +++ b/linuxkm/Kbuild @@ -151,6 +151,8 @@ endif ifeq "$(ENABLED_LINUXKM_PIE)" "yes" +LDFLAGS_libwolfssl.o += -T $(src)/wolfcrypt.lds + rename-pie-text-and-data-sections: $(WOLFSSL_OBJ_TARGETS) ifndef NM @@ -186,8 +188,39 @@ ifneq "$(quiet)" "silent_" endif cd "$(obj)" || exit $$? for file in $(WOLFCRYPT_PIE_FILES); do - $(OBJCOPY) --rename-section .text=.text.wolfcrypt --rename-section .data=.data.wolfcrypt --rename-section .rodata=.rodata.wolfcrypt "$$file" || exit $$? + $(OBJCOPY) --rename-section .text=.text.wolfcrypt \ + --rename-section .text.unlikely=.text.wolfcrypt \ + --rename-section .rodata=.rodata.wolfcrypt \ + --rename-section .rodata.str1.1=.rodata.wolfcrypt \ + --rename-section .rodata.str1.8=.rodata.wolfcrypt \ + --rename-section .data=.data.wolfcrypt \ + --rename-section .data.rel.local=.data.wolfcrypt \ + --rename-section .bss=.bss.wolfcrypt "$$file" || exit $$? done + { $(READELF) --syms $(WOLFCRYPT_PIE_FILES) | \ + $(AWK) -v obj="$(obj)" ' \ + /File:/ { \ + if (substr($$2, 1, length(obj)) == obj) { \ + curfile = substr($$2, length(obj) + 2); \ + } else { \ + curfile=$$2; \ + } \ + next; \ + } \ + { \ + if (($$4 == "SECTION") && ($$8 !~ "wolfcrypt")) {\ + if (! ((curfile ";" $$8) in warned_on)) { \ + print curfile ": " $$8 >"/dev/stderr"; \ + warned_on[curfile ": " $$8] = 1; \ + ++warnings; \ + }}} \ + END { \ + if (warnings) { \ + exit(1); \ + } else { \ + exit(0); \ + }}'; } || \ + { echo 'Error: section(s) missed by containerization.' >&2; exit 1; } ifneq "$(quiet)" "silent_" echo ' wolfCrypt .{text,data,rodata} sections containerized to .{text,data,rodata}.wolfcrypt' endif diff --git a/linuxkm/linuxkm_memory.c b/linuxkm/linuxkm_memory.c index e17a56ccc..b447e9843 100644 --- a/linuxkm/linuxkm_memory.c +++ b/linuxkm/linuxkm_memory.c 
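Review bot: The de-duplication in the new awk check never takes effect, because the membership test builds its key as `(curfile ";" $$8)` while the store uses `warned_on[curfile ": " $$8]`; every repeated SECTION symbol is therefore reported again. Use one key for both, e.g. `warned_on[curfile ";" $$8] = 1;`. The check also assumes `readelf --syms` prints the section name in column 8 for SECTION symbols; if a binutils version leaves that field blank, `$$8 !~ "wolfcrypt"` matches every section and the build fails with empty names, so a comment stating the minimum binutils this was verified with would help. The status line after the check still says `.{text,data,rodata}` although `.bss` is now containerized too.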
@@ -21,72 +21,6 @@ /* included by wolfcrypt/src/memory.c */ -#ifdef HAVE_KVMALLOC -/* adapted from kvrealloc() draft by Changli Gao, 2010-05-13 */ -void *lkm_realloc(void *ptr, size_t newsize) { - void *nptr; - size_t oldsize; - - if (unlikely(newsize == 0)) { - kvfree(ptr); - return ZERO_SIZE_PTR; - } - - if (unlikely(ptr == NULL)) - return kvmalloc_node(newsize, GFP_KERNEL, NUMA_NO_NODE); - - if (is_vmalloc_addr(ptr)) { - /* no way to discern the size of the old allocation, - * because the kernel doesn't export find_vm_area(). if - * it did, we could then call get_vm_area_size() on the - * returned struct vm_struct. - */ - return NULL; - } else { -#ifndef __PIE__ - struct page *page; - - page = virt_to_head_page(ptr); - if (PageSlab(page) || PageCompound(page)) { - if (newsize < PAGE_SIZE) -#endif /* ! __PIE__ */ - return krealloc(ptr, newsize, GFP_KERNEL); -#ifndef __PIE__ - oldsize = ksize(ptr); - } else { - oldsize = page->private; - if (newsize <= oldsize) - return ptr; - } -#endif /* ! __PIE__ */ - } - - nptr = kvmalloc_node(newsize, GFP_KERNEL, NUMA_NO_NODE); - if (nptr != NULL) { - memcpy(nptr, ptr, oldsize); - kvfree(ptr); - } - - return nptr; -} -#endif /* HAVE_KVMALLOC */ - -#if defined(__PIE__) && (LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0)) -/* needed in 6.1+ because show_free_areas() static definition in mm.h calls - * __show_free_areas(), which isn't exported (neither was show_free_areas()). - */ -void my__show_free_areas( - unsigned int flags, - nodemask_t *nodemask, - int max_zone_idx) -{ - (void)flags; - (void)nodemask; - (void)max_zone_idx; - return; -} -#endif - #if defined(__PIE__) && defined(CONFIG_FORTIFY_SOURCE) /* needed because FORTIFY_SOURCE inline implementations call fortify_panic(). */ void __my_fortify_panic(const char *name) { diff --git a/linuxkm/linuxkm_wc_port.h b/linuxkm/linuxkm_wc_port.h index 2acf456d7..6be606426 100644 --- a/linuxkm/linuxkm_wc_port.h +++ b/linuxkm/linuxkm_wc_port.h 
@@ -77,8 +77,14 @@ #define ALIGN16 __attribute__ ( (aligned (32))) #endif - /* kvmalloc()/kvfree() and friends added in linux commit a7c3e901 */ - #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 12, 0) + /* kvmalloc()/kvfree() and friends added in linux commit a7c3e901, merged for 4.12. + * kvrealloc() added in de2860f463, merged for 5.15, backported to 5.10.137. + * moved to ultimate home (slab.h) in 8587ca6f34, merged for 5.16. + + */ + #if (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 15, 0)) || \ + ((LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 137)) && \ + (LINUX_VERSION_CODE < KERNEL_VERSION(5, 11, 90))) #define HAVE_KVMALLOC #endif 
@@ -258,36 +264,54 @@ #undef memmove #define memmove my_memmove - #endif /* CONFIG_FORTIFY_SOURCE */ + #else /* !CONFIG_FORTIFY_SOURCE */ + + #include + + #endif /* !CONFIG_FORTIFY_SOURCE */ + + #ifdef LINUXKM_LKCAPI_REGISTER + /* the LKCAPI assumes that expanded encrypt and decrypt keys will stay + * loaded simultaneously, and the Linux in-tree implementations have two + * AES key structs in each context, one for each direction. in + * linuxkm/lkcapi_aes_glue.c, we do the same + * thing with "struct km_AesCtx". however, wolfCrypt struct AesXts + * already has two AES expanded keys, the main and tweak, and the tweak + * is always used in the encrypt direction regardless of the main + * direction. to avoid allocating and computing a duplicate second + * tweak encrypt key, we set + * WC_AES_XTS_SUPPORT_SIMULTANEOUS_ENC_AND_DEC_KEYS, which adds a second + * Aes slot to wolfCrypt's struct AesXts, and activates support for + * AES_ENCRYPTION_AND_DECRYPTION on AES-XTS. + */ + #ifndef WC_AES_XTS_SUPPORT_SIMULTANEOUS_ENC_AND_DEC_KEYS + #define WC_AES_XTS_SUPPORT_SIMULTANEOUS_ENC_AND_DEC_KEYS + #endif + #endif /* LINUXKM_LKCAPI_REGISTER */ #include +#ifndef __PIE__ #include #include +#endif - #ifdef __PIE__ - /* without this, mm.h brings in static, but not inline, pmd_to_page(), - * with direct references to global vmem variables. - */ - #undef USE_SPLIT_PMD_PTLOCKS - #define USE_SPLIT_PMD_PTLOCKS 0 - - #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0) - /* without this, static show_free_areas() mm.h brings in direct - * reference to unexported __show_free_areas(). - */ - #define __show_free_areas my__show_free_areas - void my__show_free_areas( - unsigned int flags, - nodemask_t *nodemask, - int max_zone_idx); - #endif - #endif +#ifdef __PIE__ + /* linux/slab.h will recursively bring in linux/page-flags.h, polluting the + * wolfCrypt container objects with static functions const_folio_flags() and + * folio_flags(), unless we kludge it off thusly. 
+ */ + #define PAGE_FLAGS_H +#else #include +#endif + + #include + +#ifndef __PIE__ #ifndef SINGLE_THREADED #include #endif #include - #include #ifdef LINUXKM_LKCAPI_REGISTER #include @@ -306,29 +330,13 @@ #include #endif - /* the LKCAPI assumes that expanded encrypt and decrypt keys will stay - * loaded simultaneously, and the Linux in-tree implementations have two - * AES key structs in each context, one for each direction. in - * linuxkm/lkcapi_aes_glue.c, we do the same - * thing with "struct km_AesCtx". however, wolfCrypt struct AesXts - * already has two AES expanded keys, the main and tweak, and the tweak - * is always used in the encrypt direction regardless of the main - * direction. to avoid allocating and computing a duplicate second - * tweak encrypt key, we set - * WC_AES_XTS_SUPPORT_SIMULTANEOUS_ENC_AND_DEC_KEYS, which adds a second - * Aes slot to wolfCrypt's struct AesXts, and activates support for - * AES_ENCRYPTION_AND_DECRYPTION on AES-XTS. - */ - #ifndef WC_AES_XTS_SUPPORT_SIMULTANEOUS_ENC_AND_DEC_KEYS - #define WC_AES_XTS_SUPPORT_SIMULTANEOUS_ENC_AND_DEC_KEYS - #endif - #if defined(_LINUX_REFCOUNT_H) || defined(_LINUX_REFCOUNT_TYPES_H) #define WC_LKM_REFCOUNT_TO_INT(refcount) (atomic_read(&(refcount.refs))) #else #define WC_LKM_REFCOUNT_TO_INT(refcount) (atomic_read(&(refcount))) #endif #endif +#endif /* !__PIE__ */ #if defined(WOLFSSL_AESNI) || defined(USE_INTEL_SPEEDUP) || \ defined(WOLFSSL_SP_X86_64_ASM) 
@@ -622,17 +630,20 @@ typeof(kzalloc_noprof) *kzalloc_noprof; typeof(__kvmalloc_node_noprof) *__kvmalloc_node_noprof; typeof(__kmalloc_cache_noprof) *__kmalloc_cache_noprof; + typeof(kvrealloc_noprof) *kvrealloc_noprof; #elif LINUX_VERSION_CODE >= KERNEL_VERSION(6, 10, 0) typeof(kmalloc_noprof) *kmalloc_noprof; typeof(krealloc_noprof) *krealloc_noprof; typeof(kzalloc_noprof) *kzalloc_noprof; typeof(kvmalloc_node_noprof) *kvmalloc_node_noprof; typeof(kmalloc_trace_noprof) *kmalloc_trace_noprof; + typeof(kvrealloc_noprof) *kvrealloc_noprof; #else /* <6.10.0 */ typeof(kmalloc) *kmalloc; typeof(krealloc) *krealloc; #ifdef HAVE_KVMALLOC - typeof(kvmalloc_node) *kvmalloc_node; + typeof(kvmalloc_node) *kvmalloc_node; + typeof(kvrealloc) *kvrealloc; #endif #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0) typeof(kmalloc_trace) *kmalloc_trace; @@ -646,7 +657,6 @@ #endif typeof(kfree) *kfree; typeof(ksize) *ksize; - typeof(is_vmalloc_addr) *is_vmalloc_addr; typeof(get_random_bytes) *get_random_bytes; #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0) @@ -854,6 +864,7 @@ #define kzalloc_noprof (wolfssl_linuxkm_get_pie_redirect_table()->kzalloc_noprof) #define __kvmalloc_node_noprof (wolfssl_linuxkm_get_pie_redirect_table()->__kvmalloc_node_noprof) #define __kmalloc_cache_noprof (wolfssl_linuxkm_get_pie_redirect_table()->__kmalloc_cache_noprof) + #define kvrealloc_noprof (wolfssl_linuxkm_get_pie_redirect_table()->kvrealloc_noprof) #elif LINUX_VERSION_CODE >= KERNEL_VERSION(6, 10, 0) /* see include/linux/alloc_tag.h and include/linux/slab.h */ #define kmalloc_noprof (wolfssl_linuxkm_get_pie_redirect_table()->kmalloc_noprof) 
@@ -861,12 +872,14 @@ #define kzalloc_noprof (wolfssl_linuxkm_get_pie_redirect_table()->kzalloc_noprof) #define kvmalloc_node_noprof (wolfssl_linuxkm_get_pie_redirect_table()->kvmalloc_node_noprof) #define kmalloc_trace_noprof (wolfssl_linuxkm_get_pie_redirect_table()->kmalloc_trace_noprof) + #define kvrealloc_noprof (wolfssl_linuxkm_get_pie_redirect_table()->kvrealloc_noprof) #else /* <6.10.0 */ #define kmalloc (wolfssl_linuxkm_get_pie_redirect_table()->kmalloc) #define krealloc (wolfssl_linuxkm_get_pie_redirect_table()->krealloc) #define kzalloc(size, flags) kmalloc(size, (flags) | __GFP_ZERO) #ifdef HAVE_KVMALLOC #define kvmalloc_node (wolfssl_linuxkm_get_pie_redirect_table()->kvmalloc_node) + #define kvrealloc (wolfssl_linuxkm_get_pie_redirect_table()->kvrealloc) #endif #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0) #define kmalloc_trace (wolfssl_linuxkm_get_pie_redirect_table()->kmalloc_trace) @@ -882,8 +895,6 @@ #endif #define ksize (wolfssl_linuxkm_get_pie_redirect_table()->ksize) - #define is_vmalloc_addr (wolfssl_linuxkm_get_pie_redirect_table()->is_vmalloc_addr) - #define get_random_bytes (wolfssl_linuxkm_get_pie_redirect_table()->get_random_bytes) #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0) #define getnstimeofday (wolfssl_linuxkm_get_pie_redirect_table()->getnstimeofday) 
@@ -1162,10 +1173,9 @@ _alloc_sz; \ }) #ifdef HAVE_KVMALLOC -#define malloc(size) kvmalloc_node(WC_LINUXKM_ROUND_UP_P_OF_2(size), (preempt_count() == 0 ? GFP_KERNEL : GFP_ATOMIC), NUMA_NO_NODE) + #define malloc(size) kvmalloc_node(WC_LINUXKM_ROUND_UP_P_OF_2(size), (preempt_count() == 0 ? GFP_KERNEL : GFP_ATOMIC), NUMA_NO_NODE) #define free(ptr) kvfree(ptr) - void *lkm_realloc(void *ptr, size_t newsize); - #define realloc(ptr, newsize) lkm_realloc(ptr, WC_LINUXKM_ROUND_UP_P_OF_2(newsize)) + #define realloc(ptr, newsize) kvrealloc(ptr, WC_LINUXKM_ROUND_UP_P_OF_2(newsize), (preempt_count() == 0 ? GFP_KERNEL : GFP_ATOMIC)) #else #define malloc(size) kmalloc(WC_LINUXKM_ROUND_UP_P_OF_2(size), (preempt_count() == 0 ? GFP_KERNEL : GFP_ATOMIC)) #define free(ptr) kfree(ptr) diff --git a/linuxkm/lkcapi_glue.c b/linuxkm/lkcapi_glue.c index 09118df1a..00609ed50 100644 --- a/linuxkm/lkcapi_glue.c +++ b/linuxkm/lkcapi_glue.c @@ -591,7 +591,7 @@ static int linuxkm_lkcapi_register(void) * on here is for ECDH loading to be optional when fips and fips tests are * enabled. Failures because of !fips_allowed are skipped over. */ - #if defined(CONFIG_CRYPTO_FIPS) && \ + #if defined(HAVE_FIPS) && defined(CONFIG_CRYPTO_FIPS) && \ defined(CONFIG_CRYPTO_MANAGER) && \ !defined(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS) #if defined(LINUXKM_ECC192) diff --git a/linuxkm/module_hooks.c b/linuxkm/module_hooks.c index 91f3b795f..5d0fe8079 100644 --- a/linuxkm/module_hooks.c +++ b/linuxkm/module_hooks.c @@ -19,14 +19,12 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ -#ifndef WOLFSSL_LICENSE -#define WOLFSSL_LICENSE "GPL v2" -#endif - #define WOLFSSL_LINUXKM_NEED_LINUX_CURRENT #include +#define WOLFSSL_LICENSE "GPL v2" + #ifdef WOLFCRYPT_ONLY #include #else 
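Review bot: The new `realloc()` macro calls `kvrealloc(ptr, size, gfp)` with three arguments, but the version gate added in the `@@ -77,8 +77,14 @@` hunk enables it from 5.15 (and 5.10.137), where, as far as I recall, `kvrealloc()` still took `(p, oldsize, newsize, flags)`; the three-argument form only arrived when it was aligned with `krealloc()` in a later release (6.12, to be confirmed against the target trees). If that is right, builds on the kernels in between fail at this macro and at the `typeof(kvrealloc)` redirect-table slot. Falling back to `krealloc()` is not an option while `malloc()` maps to `kvmalloc_node()`, since the pointer may be vmalloc-backed, so the simplest fix is to raise the `HAVE_KVMALLOC` threshold to the first kernel with the three-argument signature and say so in the comment there. The upper bound `KERNEL_VERSION(5, 11, 90)` on the 5.10.137 backport range also looks unintended; `KERNEL_VERSION(5, 11, 0)` would express "5.10.y stable only".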
@@ -65,13 +63,13 @@ static int libwolfssl_cleanup(void) { #ifdef WOLFCRYPT_ONLY ret = wolfCrypt_Cleanup(); if (ret != 0) - pr_err("wolfCrypt_Cleanup() failed: %s\n", wc_GetErrorString(ret)); + pr_err("ERROR: wolfCrypt_Cleanup() failed: %s\n", wc_GetErrorString(ret)); else pr_info("wolfCrypt " LIBWOLFSSL_VERSION_STRING " cleanup complete.\n"); #else ret = wolfSSL_Cleanup(); if (ret != WOLFSSL_SUCCESS) - pr_err("wolfSSL_Cleanup() failed: %s\n", wc_GetErrorString(ret)); + pr_err("ERROR: wolfSSL_Cleanup() failed: %s\n", wc_GetErrorString(ret)); else pr_info("wolfSSL " LIBWOLFSSL_VERSION_STRING " cleanup complete.\n"); #endif @@ -115,7 +113,7 @@ static int set_up_wolfssl_linuxkm_pie_redirect_table(void); static void lkmFipsCb(int ok, int err, const char* hash) { if ((! ok) || (err != 0)) - pr_err("libwolfssl FIPS error: %s\n", wc_GetErrorString(err)); + pr_err("ERROR: libwolfssl FIPS error: %s\n", wc_GetErrorString(err)); if (err == WC_NO_ERR_TRACE(IN_CORE_FIPS_E)) { pr_err("In-core integrity hash check failure.\n" "Update verifyCore[] in fips_test.c with new hash \"%s\" and rebuild.\n", @@ -137,7 +135,7 @@ WC_MAYBE_UNUSED static int linuxkm_lkcapi_sysfs_install_node(struct kobj_attribu if ((installed_flag == NULL) || (! *installed_flag)) { int ret = sysfs_create_file(&THIS_MODULE->mkobj.kobj, &node->attr); if (ret) { - pr_err("sysfs_create_file failed for %s: %d\n", node->attr.name, ret); + pr_err("ERROR: sysfs_create_file failed for %s: %d\n", node->attr.name, ret); return ret; } if (installed_flag) 
@@ -182,13 +180,13 @@ static int wolfssl_init(void) #ifdef WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE #ifdef CONFIG_MODULE_SIG if (THIS_MODULE->sig_ok == false) { - pr_err("wolfSSL module load aborted -- bad or missing module signature with FIPS dynamic hash.\n"); + pr_err("ERROR: wolfSSL module load aborted -- bad or missing module signature with FIPS dynamic hash.\n"); return -ECANCELED; } #endif ret = updateFipsHash(); if (ret < 0) { - pr_err("wolfSSL module load aborted -- updateFipsHash: %s\n",wc_GetErrorString(ret)); + pr_err("ERROR: wolfSSL module load aborted -- updateFipsHash: %s\n",wc_GetErrorString(ret)); return -ECANCELED; } #endif 
@@ -226,58 +224,32 @@ static int wolfssl_init(void) char *pie_rodata_end = (char *)wolfCrypt_PIE_rodata_end; unsigned int text_hash, rodata_hash; - if ((pie_text_start < pie_text_end) && - (pie_text_start >= (char *)THIS_MODULE_TEXT_BASE) && - (pie_text_end - (char *)THIS_MODULE_TEXT_BASE <= THIS_MODULE_TEXT_SIZE)) - { - text_hash = hash_span(pie_text_start, pie_text_end); - } else { - pr_info("out-of-bounds PIE fenceposts! pie_text_start=%px pie_text_end=%px (span=%lu)" - " core_layout.base=%px text_end=%px\n", - pie_text_start, - pie_text_end, - pie_text_end-pie_text_start, - THIS_MODULE_TEXT_BASE, - (char *)THIS_MODULE_TEXT_BASE + THIS_MODULE_TEXT_SIZE); - text_hash = 0; - } - - if ((pie_rodata_start < pie_rodata_end) && // cppcheck-suppress comparePointers - (pie_rodata_start >= (char *)THIS_MODULE_RO_BASE) && - (pie_rodata_end - (char *)THIS_MODULE_RO_BASE <= THIS_MODULE_RO_SIZE)) - { - rodata_hash = hash_span(pie_rodata_start, pie_rodata_end); - } else { - pr_info("out-of-bounds PIE fenceposts! pie_rodata_start=%px pie_rodata_end=%px (span=%lu)" - " core_layout.base+core_layout.text_size=%px rodata_end=%px\n", - pie_rodata_start, - pie_rodata_end, - pie_rodata_end-pie_rodata_start, - (char *)THIS_MODULE_RO_BASE, - (char *)THIS_MODULE_RO_BASE + THIS_MODULE_RO_SIZE); - rodata_hash = 0; - } + text_hash = hash_span(pie_text_start, pie_text_end); + rodata_hash = hash_span(pie_rodata_start, pie_rodata_end); /* note, "%pK" conceals the actual layout information. "%px" exposes * the true module start address, which is potentially useful to an * attacker. */ - pr_info("wolfCrypt container hashes (spans): text 0x%x (%lu), rodata 0x%x (%lu)\n", + pr_info("wolfCrypt section hashes (spans): text 0x%x (%lu), rodata 0x%x (%lu), offset %c0x%lx\n", text_hash, pie_text_end-pie_text_start, - rodata_hash, pie_rodata_end-pie_rodata_start); + rodata_hash, pie_rodata_end-pie_rodata_start, + pie_text_start < pie_rodata_start ? '+' : '-', + pie_text_start < pie_rodata_start ? 
pie_rodata_start - pie_text_start : pie_text_start - pie_rodata_start); } + #endif /* HAVE_LINUXKM_PIE_SUPPORT && DEBUG_LINUXKM_PIE_SUPPORT */ #ifdef HAVE_FIPS ret = wolfCrypt_SetCb_fips(lkmFipsCb); if (ret != 0) { - pr_err("wolfCrypt_SetCb_fips() failed: %s\n", wc_GetErrorString(ret)); + pr_err("ERROR: wolfCrypt_SetCb_fips() failed: %s\n", wc_GetErrorString(ret)); return -ECANCELED; } fipsEntry(); ret = wolfCrypt_GetStatus_fips(); if (ret != 0) { - pr_err("wolfCrypt_GetStatus_fips() failed with code %d: %s\n", ret, wc_GetErrorString(ret)); + pr_err("ERROR: wolfCrypt_GetStatus_fips() failed with code %d: %s\n", ret, wc_GetErrorString(ret)); if (ret == WC_NO_ERR_TRACE(IN_CORE_FIPS_E)) { const char *newhash = wolfCrypt_GetCoreHash_fips(); pr_err("Update verifyCore[] in fips_test.c with new hash \"%s\" and rebuild.\n", @@ -290,7 +262,7 @@ static int wolfssl_init(void) #ifdef WC_RNG_SEED_CB ret = wc_SetSeed_Cb(wc_GenerateSeed); if (ret < 0) { - pr_err("wc_SetSeed_Cb() failed with return code %d.\n", ret); + pr_err("ERROR: wc_SetSeed_Cb() failed with return code %d.\n", ret); (void)libwolfssl_cleanup(); msleep(10); return -ECANCELED; @@ -300,13 +272,13 @@ static int wolfssl_init(void) #ifdef WOLFCRYPT_ONLY ret = wolfCrypt_Init(); if (ret != 0) { - pr_err("wolfCrypt_Init() failed: %s\n", wc_GetErrorString(ret)); + pr_err("ERROR: wolfCrypt_Init() failed: %s\n", wc_GetErrorString(ret)); return -ECANCELED; } #else ret = wolfSSL_Init(); if (ret != WOLFSSL_SUCCESS) { - pr_err("wolfSSL_Init() failed: %s\n", wc_GetErrorString(ret)); + pr_err("ERROR: wolfSSL_Init() failed: %s\n", wc_GetErrorString(ret)); return -ECANCELED; } #endif @@ -314,7 +286,7 @@ static int wolfssl_init(void) #if defined(HAVE_FIPS) && FIPS_VERSION3_GT(5,2,0) ret = wc_RunAllCast_fips(); if (ret != 0) { - pr_err("wc_RunAllCast_fips() failed with return value %d\n", ret); + pr_err("ERROR: wc_RunAllCast_fips() failed with return value %d\n", ret); return -ECANCELED; } 
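Review bot: In the `@@ -226,58 +224,32 @@` hunk, `hash_span()` is now called on the linker-provided fenceposts with no ordering or range check, where the removed code verified `start < end` and that both ends lay inside the module's text/rodata before reading. This path is debug-only, and `hash_span()` is not visible here, but if the fenceposts are inverted or the linker script was not applied, the read can run outside the mapped section and the `%lu` spans print as huge values. A cheap guard keeps the diagnostic safe: `text_hash = (pie_text_start < pie_text_end) ? hash_span(pie_text_start, pie_text_end) : 0;` and the same for rodata. The retained comment about `%pK` versus `%px` should also state that the new `offset` field is a text-to-rodata distance and not an address, so a later reader does not take it for a layout leak. The body of `wolfssl_init()` continues outside this hunk.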
@@ -348,7 +320,7 @@ static int wolfssl_init(void) #ifndef NO_CRYPT_TEST ret = wolfcrypt_test(NULL); if (ret < 0) { - pr_err("wolfcrypt self-test failed with return code %d.\n", ret); + pr_err("ERROR: wolfcrypt self-test failed with return code %d.\n", ret); (void)libwolfssl_cleanup(); msleep(10); return -ECANCELED; @@ -366,7 +338,7 @@ static int wolfssl_init(void) ret = linuxkm_lkcapi_sysfs_install(); if (ret) { - pr_err("linuxkm_lkcapi_sysfs_install() failed with return code %d.\n", ret); + pr_err("ERROR: linuxkm_lkcapi_sysfs_install() failed with return code %d.\n", ret); (void)libwolfssl_cleanup(); msleep(10); return -ECANCELED; @@ -375,7 +347,7 @@ static int wolfssl_init(void) ret = linuxkm_lkcapi_register(); if (ret) { - pr_err("linuxkm_lkcapi_register() failed with return code %d.\n", ret); + pr_err("ERROR: linuxkm_lkcapi_register() failed with return code %d.\n", ret); linuxkm_lkcapi_unregister(); (void)libwolfssl_cleanup(); msleep(10); @@ -426,6 +398,8 @@ static void wolfssl_exit(void) #endif { #ifdef HAVE_FIPS + int ret; + (void)linuxkm_lkcapi_sysfs_deinstall_node(&FIPS_rerun_self_test_attr, &installed_sysfs_FIPS_files); #endif @@ -434,6 +408,15 @@ static void wolfssl_exit(void) (void)linuxkm_lkcapi_sysfs_deinstall(); #endif +#ifdef HAVE_FIPS + ret = wc_RunAllCast_fips(); + if (ret != 0) { + pr_err("ERROR: wc_RunAllCast_fips() failed at shutdown with return value %d\n", ret); + } + else + pr_info("wolfCrypt FIPS re-self-test succeeded at unload: all algorithms re-verified."); +#endif + (void)libwolfssl_cleanup(); return; 
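Review bot: The success message added in `wolfssl_exit()` has no trailing newline, so the kernel log may join it to the next record; it should end `...all algorithms re-verified.\n");`. The same applies to two strings this commit touches elsewhere: `pr_err("ERROR: failed allocating desc.")` in `updateFipsHash()` and `pr_err("ERROR: wolfCrypt_IntegrityTest_fips: error %d", ret)` in `FIPS_rerun_self_test_handler()`. The new `if` is braced and its `else` is not; brace both for consistency with the rest of the file. A one-line comment stating that a CAST failure at unload is logged only, and that cleanup proceeds regardless, would make that intent explicit.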
@@ -527,17 +510,20 @@ static int set_up_wolfssl_linuxkm_pie_redirect_table(void) { wolfssl_linuxkm_pie_redirect_table.kzalloc_noprof = kzalloc_noprof; wolfssl_linuxkm_pie_redirect_table.__kvmalloc_node_noprof = __kvmalloc_node_noprof; wolfssl_linuxkm_pie_redirect_table.__kmalloc_cache_noprof = __kmalloc_cache_noprof; + wolfssl_linuxkm_pie_redirect_table.kvrealloc_noprof = kvrealloc_noprof; #elif LINUX_VERSION_CODE >= KERNEL_VERSION(6, 10, 0) wolfssl_linuxkm_pie_redirect_table.kmalloc_noprof = kmalloc_noprof; wolfssl_linuxkm_pie_redirect_table.krealloc_noprof = krealloc_noprof; wolfssl_linuxkm_pie_redirect_table.kzalloc_noprof = kzalloc_noprof; wolfssl_linuxkm_pie_redirect_table.kvmalloc_node_noprof = kvmalloc_node_noprof; wolfssl_linuxkm_pie_redirect_table.kmalloc_trace_noprof = kmalloc_trace_noprof; + wolfssl_linuxkm_pie_redirect_table.kvrealloc_noprof = kvrealloc_noprof; #else wolfssl_linuxkm_pie_redirect_table.kmalloc = kmalloc; wolfssl_linuxkm_pie_redirect_table.krealloc = krealloc; #ifdef HAVE_KVMALLOC wolfssl_linuxkm_pie_redirect_table.kvmalloc_node = kvmalloc_node; + wolfssl_linuxkm_pie_redirect_table.kvrealloc = kvrealloc; #endif #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0) wolfssl_linuxkm_pie_redirect_table.kmalloc_trace = @@ -555,7 +541,6 @@ static int set_up_wolfssl_linuxkm_pie_redirect_table(void) { #ifdef HAVE_KVMALLOC wolfssl_linuxkm_pie_redirect_table.kvfree = kvfree; #endif - wolfssl_linuxkm_pie_redirect_table.is_vmalloc_addr = is_vmalloc_addr; wolfssl_linuxkm_pie_redirect_table.get_random_bytes = get_random_bytes; #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0) 
@@ -711,7 +696,7 @@ static int set_up_wolfssl_linuxkm_pie_redirect_table(void) { i < (unsigned long *)&wolfssl_linuxkm_pie_redirect_table._last_slot; ++i) if (*i == 0) { - pr_err("wolfCrypt container redirect table initialization was " + pr_err("ERROR: wolfCrypt container redirect table initialization was " "incomplete [%lu].\n", i-(unsigned long *)&wolfssl_linuxkm_pie_redirect_table); return -EFAULT; @@ -798,11 +783,11 @@ static int updateFipsHash(void) word32 base16_out_len = binCoreSz; ret = Base16_Decode((const byte *)coreKey, sizeof coreKey - 1, binCoreKey, &base16_out_len); if (ret != 0) { - pr_err("Base16_Decode for coreKey: %s\n", wc_GetErrorString(ret)); + pr_err("ERROR: Base16_Decode for coreKey: %s\n", wc_GetErrorString(ret)); goto out; } if (base16_out_len != binCoreSz) { - pr_err("unexpected output length %u for coreKey from Base16_Decode.\n",base16_out_len); + pr_err("ERROR: unexpected output length %u for coreKey from Base16_Decode.\n",base16_out_len); ret = BAD_STATE_E; goto out; } @@ -811,14 +796,14 @@ static int updateFipsHash(void) tfm = crypto_alloc_shash("hmac(sha256)", 0, 0); if (IS_ERR(tfm)) { if (PTR_ERR(tfm) == -ENOMEM) { - pr_err("crypto_alloc_shash failed: out of memory\n"); + pr_err("ERROR: crypto_alloc_shash failed: out of memory\n"); ret = MEMORY_E; } else if (PTR_ERR(tfm) == -ENOENT) { - pr_err("crypto_alloc_shash failed: kernel is missing hmac(sha256) implementation\n"); - pr_err("check for CONFIG_CRYPTO_SHA256 and CONFIG_CRYPTO_HMAC.\n"); + pr_err("ERROR: crypto_alloc_shash failed: kernel is missing hmac(sha256) implementation\n"); + pr_err("ERROR: check for CONFIG_CRYPTO_SHA256 and CONFIG_CRYPTO_HMAC.\n"); ret = NOT_COMPILED_IN; } else { - pr_err("crypto_alloc_shash failed with ret %ld\n",PTR_ERR(tfm)); + pr_err("ERROR: crypto_alloc_shash failed with ret %ld\n",PTR_ERR(tfm)); ret = HASH_TYPE_E; } tfm = NULL; 
@@ -829,7 +814,7 @@ static int updateFipsHash(void) size_t desc_size = crypto_shash_descsize(tfm) + sizeof *desc; desc = XMALLOC(desc_size, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (desc == NULL) { - pr_err("failed allocating desc."); + pr_err("ERROR: failed allocating desc."); ret = MEMORY_E; goto out; } @@ -838,7 +823,7 @@ static int updateFipsHash(void) ret = crypto_shash_setkey(tfm, binCoreKey, binCoreSz); if (ret) { - pr_err("crypto_ahash_setkey failed: err %d\n", ret); + pr_err("ERROR: crypto_ahash_setkey failed: err %d\n", ret); ret = BAD_STATE_E; goto out; } @@ -846,7 +831,7 @@ static int updateFipsHash(void) desc->tfm = tfm; ret = crypto_shash_init(desc); if (ret) { - pr_err("crypto_shash_init failed: err %d\n", ret); + pr_err("ERROR: crypto_shash_init failed: err %d\n", ret); ret = BAD_STATE_E; goto out; } @@ -855,7 +840,7 @@ static int updateFipsHash(void) ret = crypto_shash_update(desc, (byte *)(wc_ptr_t)first, (word32)code_sz); if (ret) { - pr_err("crypto_shash_update failed: err %d\n", ret); + pr_err("ERROR: crypto_shash_update failed: err %d\n", ret); ret = BAD_STATE_E; goto out; } @@ -865,7 +850,7 @@ static int updateFipsHash(void) data_sz = (unsigned long)verifyCore - (unsigned long)start; ret = crypto_shash_update(desc, (byte*)start, (word32)data_sz); if (ret) { - pr_err("crypto_shash_update failed: err %d\n", ret); + pr_err("ERROR: crypto_shash_update failed: err %d\n", ret); ret = BAD_STATE_E; goto out; } @@ -874,7 +859,7 @@ static int updateFipsHash(void) } ret = crypto_shash_update(desc, (byte*)start, (word32)data_sz); if (ret) { - pr_err("crypto_shash_update failed: err %d\n", ret); + pr_err("ERROR: crypto_shash_update failed: err %d\n", ret); ret = BAD_STATE_E; goto out; } 
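Review bot: The message changed in the `@@ -838,7 +823,7 @@` hunk still names `crypto_ahash_setkey` although the failing call on the line above is `crypto_shash_setkey()`, which sends anyone grepping the log to the wrong API. Since the line is being edited anyway, correct it: `pr_err("ERROR: crypto_shash_setkey failed: err %d\n", ret);`. `updateFipsHash()` starts and ends outside these hunks.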
@@ -883,14 +868,14 @@ static int updateFipsHash(void) ret = crypto_shash_final(desc, hash); if (ret) { - pr_err("crypto_shash_final failed: err %d\n", ret); + pr_err("ERROR: crypto_shash_final failed: err %d\n", ret); ret = BAD_STATE_E; goto out; } ret = GenBase16_Hash(hash, WC_SHA256_DIGEST_SIZE, base16_hash, WC_SHA256_DIGEST_SIZE*2 + 1); if (ret != 0) { - pr_err("GenBase16_Hash failed: %s\n", wc_GetErrorString(ret)); + pr_err("ERROR: GenBase16_Hash failed: %s\n", wc_GetErrorString(ret)); goto out; } @@ -898,11 +883,11 @@ static int updateFipsHash(void) word32 base16_out_len = verifySz; ret = Base16_Decode((const byte *)verifyCore, sizeof verifyCore - 1, binVerify, &base16_out_len); if (ret != 0) { - pr_err("Base16_Decode for verifyCore: %s\n", wc_GetErrorString(ret)); + pr_err("ERROR: Base16_Decode for verifyCore: %s\n", wc_GetErrorString(ret)); goto out; } if (base16_out_len != binCoreSz) { - pr_err("unexpected output length %u for verifyCore from Base16_Decode.\n",base16_out_len); + pr_err("ERROR: unexpected output length %u for verifyCore from Base16_Decode.\n",base16_out_len); ret = BAD_STATE_E; goto out; } @@ -958,13 +943,13 @@ static ssize_t FIPS_rerun_self_test_handler(struct kobject *kobj, struct kobj_at ret = wolfCrypt_IntegrityTest_fips(); if (ret != 0) { - pr_err("wolfCrypt_IntegrityTest_fips: error %d", ret); + pr_err("ERROR: wolfCrypt_IntegrityTest_fips: error %d", ret); return -EINVAL; } ret = wolfCrypt_GetStatus_fips(); if (ret != 0) { - pr_err("wolfCrypt_GetStatus_fips() failed with code %d: %s\n", ret, wc_GetErrorString(ret)); + pr_err("ERROR: wolfCrypt_GetStatus_fips() failed with code %d: %s\n", ret, wc_GetErrorString(ret)); if (ret == WC_NO_ERR_TRACE(IN_CORE_FIPS_E)) return -ELIBBAD; else 
@@ -973,7 +958,7 @@ static ssize_t FIPS_rerun_self_test_handler(struct kobject *kobj, struct kobj_at ret = wc_RunAllCast_fips(); if (ret != 0) { - pr_err("wc_RunAllCast_fips() failed with return value %d\n", ret); + pr_err("ERROR: wc_RunAllCast_fips() failed with return value %d\n", ret); return -EINVAL; } diff --git a/linuxkm/wolfcrypt.lds b/linuxkm/wolfcrypt.lds new file mode 100644 index 000000000..4db5774b2 --- /dev/null +++ b/linuxkm/wolfcrypt.lds @@ -0,0 +1,19 @@ +SECTIONS { + . = ALIGN(4096); + .text.wolfcrypt : { + *(.text.wolfcrypt) + } + . = ALIGN(4096); + .rodata.wolfcrypt : { + *(.rodata.wolfcrypt) + } + . = ALIGN(4096); + .data.wolfcrypt : { + *(.data.wolfcrypt) + } + . = ALIGN(4096); + .bss.wolfcrypt : { + *(.bss.wolfcrypt) + } + . = ALIGN(4096); +} diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 1b463b616..776d00f67 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -14288,8 +14288,15 @@ static int GetHashId(const byte* id, int length, byte* hash, int hashAlg) *((byte*)(((byte *)(cert)) + certNameSubject[(id) - 3].enc)) = (val) /* Get the string of a name component from the subject name. */ -#define GetCertNameSubjectStr(id) \ - (certNameSubject[(id) - 3].str) +#ifdef WOLFSSL_NAMES_STATIC + #define GetCertNameSubjectStr(id) \ + ((certNameSubject[(id) - 3].strLen) ? \ + (certNameSubject[(id) - 3].str) : \ + NULL) +#else + #define GetCertNameSubjectStr(id) \ + (certNameSubject[(id) - 3].str) +#endif /* Get the string length of a name component from the subject name. */ #define GetCertNameSubjectStrLen(id) \ (certNameSubject[(id) - 3].strLen) 
@@ -14315,7 +14322,13 @@ static int GetHashId(const byte* id, int length, byte* hash, int hashAlg) /* Mapping of certificate name component to useful information. */ typedef struct CertNameData { /* Type string of name component. */ +#ifdef WOLFSSL_NAMES_STATIC + const char str[20]; + #define EMPTY_STR { 0 } +#else const char* str; + #define EMPTY_STR NULL +#endif /* Length of type string of name component. */ byte strLen; #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) @@ -14497,7 +14510,7 @@ static const CertNameData certNameSubject[] = { }, /* Title */ { - NULL, 0, + EMPTY_STR, 0, #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) 0, 0, @@ -14514,7 +14527,7 @@ static const CertNameData certNameSubject[] = { }, /* Undefined */ { - NULL, 0, + EMPTY_STR, 0, #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) 0, 0, @@ -14531,7 +14544,7 @@ static const CertNameData certNameSubject[] = { }, /* Undefined */ { - NULL, 0, + EMPTY_STR, 0, #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) 0, 0, @@ -14565,7 +14578,7 @@ static const CertNameData certNameSubject[] = { }, /* Undefined */ { - NULL, 0, + EMPTY_STR, 0, #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) 0, 0, 
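Review bot: The `WOLFSSL_NAMES_STATIC` variant declares `const char str[20]` with a bare literal and nothing tying it to the table's contents. C accepts a string initializer of exactly 20 characters for such an array and silently drops the terminator. The `certNameSubject[]` name strings are outside these hunks, so I cannot confirm the longest one. Give the size a name and document the constraint, e.g. `#define CERT_NAME_STR_MAX 20 /* longest name string + NUL */` with `const char str[CERT_NAME_STR_MAX];`, and consider a `wc_static_assert` on the longest entry. `EMPTY_STR` is defined inside the struct body with a very generic name and is never undefined; a prefixed name or an `#undef` after the table would avoid collisions in the rest of asn.c.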
@@ -26135,102 +26148,102 @@ void wc_FreeDer(DerBuffer** pDer) /* Note: If items added make sure MAX_X509_HEADER_SZ is updated to reflect maximum length and pem_struct_min_sz to reflect minimum size */ -wcchar BEGIN_CERT = "-----BEGIN CERTIFICATE-----"; -wcchar END_CERT = "-----END CERTIFICATE-----"; +static wcchar BEGIN_CERT = "-----BEGIN CERTIFICATE-----"; +static wcchar END_CERT = "-----END CERTIFICATE-----"; #ifdef WOLFSSL_CERT_REQ - wcchar BEGIN_CERT_REQ = "-----BEGIN CERTIFICATE REQUEST-----"; - wcchar END_CERT_REQ = "-----END CERTIFICATE REQUEST-----"; + static wcchar BEGIN_CERT_REQ = "-----BEGIN CERTIFICATE REQUEST-----"; + static wcchar END_CERT_REQ = "-----END CERTIFICATE REQUEST-----"; #endif #if defined(WOLFSSL_ACERT) - wcchar BEGIN_ACERT = "-----BEGIN ATTRIBUTE CERTIFICATE-----"; - wcchar END_ACERT = "-----END ATTRIBUTE CERTIFICATE-----"; + static wcchar BEGIN_ACERT = "-----BEGIN ATTRIBUTE CERTIFICATE-----"; + static wcchar END_ACERT = "-----END ATTRIBUTE CERTIFICATE-----"; #endif /* WOLFSSL_ACERT */ #ifndef NO_DH - wcchar BEGIN_DH_PARAM = "-----BEGIN DH PARAMETERS-----"; - wcchar END_DH_PARAM = "-----END DH PARAMETERS-----"; - wcchar BEGIN_X942_PARAM = "-----BEGIN X9.42 DH PARAMETERS-----"; - wcchar END_X942_PARAM = "-----END X9.42 DH PARAMETERS-----"; + static wcchar BEGIN_DH_PARAM = "-----BEGIN DH PARAMETERS-----"; + static wcchar END_DH_PARAM = "-----END DH PARAMETERS-----"; + static wcchar BEGIN_X942_PARAM = "-----BEGIN X9.42 DH PARAMETERS-----"; + static wcchar END_X942_PARAM = "-----END X9.42 DH PARAMETERS-----"; #endif #ifndef NO_DSA - wcchar BEGIN_DSA_PARAM = "-----BEGIN DSA PARAMETERS-----"; - wcchar END_DSA_PARAM = "-----END DSA PARAMETERS-----"; + static wcchar BEGIN_DSA_PARAM = "-----BEGIN DSA PARAMETERS-----"; + static wcchar END_DSA_PARAM = "-----END DSA PARAMETERS-----"; #endif -wcchar BEGIN_X509_CRL = "-----BEGIN X509 CRL-----"; -wcchar END_X509_CRL = "-----END X509 CRL-----"; -wcchar BEGIN_TRUSTED_CERT = "-----BEGIN TRUSTED 
CERTIFICATE-----"; -wcchar END_TRUSTED_CERT = "-----END TRUSTED CERTIFICATE-----"; -wcchar BEGIN_RSA_PRIV = "-----BEGIN RSA PRIVATE KEY-----"; -wcchar END_RSA_PRIV = "-----END RSA PRIVATE KEY-----"; -wcchar BEGIN_RSA_PUB = "-----BEGIN RSA PUBLIC KEY-----"; -wcchar END_RSA_PUB = "-----END RSA PUBLIC KEY-----"; -wcchar BEGIN_PRIV_KEY = "-----BEGIN PRIVATE KEY-----"; -wcchar END_PRIV_KEY = "-----END PRIVATE KEY-----"; -wcchar BEGIN_ENC_PRIV_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----"; -wcchar END_ENC_PRIV_KEY = "-----END ENCRYPTED PRIVATE KEY-----"; +static wcchar BEGIN_X509_CRL = "-----BEGIN X509 CRL-----"; +static wcchar END_X509_CRL = "-----END X509 CRL-----"; +static wcchar BEGIN_TRUSTED_CERT = "-----BEGIN TRUSTED CERTIFICATE-----"; +static wcchar END_TRUSTED_CERT = "-----END TRUSTED CERTIFICATE-----"; +static wcchar BEGIN_RSA_PRIV = "-----BEGIN RSA PRIVATE KEY-----"; +static wcchar END_RSA_PRIV = "-----END RSA PRIVATE KEY-----"; +static wcchar BEGIN_RSA_PUB = "-----BEGIN RSA PUBLIC KEY-----"; +static wcchar END_RSA_PUB = "-----END RSA PUBLIC KEY-----"; +static wcchar BEGIN_PRIV_KEY = "-----BEGIN PRIVATE KEY-----"; +static wcchar END_PRIV_KEY = "-----END PRIVATE KEY-----"; +static wcchar BEGIN_ENC_PRIV_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----"; +static wcchar END_ENC_PRIV_KEY = "-----END ENCRYPTED PRIVATE KEY-----"; #ifdef HAVE_ECC - wcchar BEGIN_EC_PRIV = "-----BEGIN EC PRIVATE KEY-----"; - wcchar END_EC_PRIV = "-----END EC PRIVATE KEY-----"; + static wcchar BEGIN_EC_PRIV = "-----BEGIN EC PRIVATE KEY-----"; + static wcchar END_EC_PRIV = "-----END EC PRIVATE KEY-----"; #ifdef OPENSSL_EXTRA - wcchar BEGIN_EC_PARAM = "-----BEGIN EC PARAMETERS-----"; - wcchar END_EC_PARAM = "-----END EC PARAMETERS-----"; + static wcchar BEGIN_EC_PARAM = "-----BEGIN EC PARAMETERS-----"; + static wcchar END_EC_PARAM = "-----END EC PARAMETERS-----"; #endif #endif #ifdef HAVE_PKCS7 -wcchar BEGIN_PKCS7 = "-----BEGIN PKCS7-----"; -wcchar END_PKCS7 = "-----END PKCS7-----"; +static 
wcchar BEGIN_PKCS7 = "-----BEGIN PKCS7-----"; +static wcchar END_PKCS7 = "-----END PKCS7-----"; #endif #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) || \ !defined(NO_DSA) - wcchar BEGIN_DSA_PRIV = "-----BEGIN DSA PRIVATE KEY-----"; - wcchar END_DSA_PRIV = "-----END DSA PRIVATE KEY-----"; + static wcchar BEGIN_DSA_PRIV = "-----BEGIN DSA PRIVATE KEY-----"; + static wcchar END_DSA_PRIV = "-----END DSA PRIVATE KEY-----"; #endif #ifdef OPENSSL_EXTRA - const char BEGIN_PRIV_KEY_PREFIX[] = "-----BEGIN"; - const char PRIV_KEY_SUFFIX[] = "PRIVATE KEY-----"; - const char END_PRIV_KEY_PREFIX[] = "-----END"; + wcchar BEGIN_PRIV_KEY_PREFIX = "-----BEGIN"; + wcchar PRIV_KEY_SUFFIX = "PRIVATE KEY-----"; + wcchar END_PRIV_KEY_PREFIX = "-----END"; #endif -wcchar BEGIN_PUB_KEY = "-----BEGIN PUBLIC KEY-----"; -wcchar END_PUB_KEY = "-----END PUBLIC KEY-----"; +static wcchar BEGIN_PUB_KEY = "-----BEGIN PUBLIC KEY-----"; +static wcchar END_PUB_KEY = "-----END PUBLIC KEY-----"; #if defined(HAVE_ED25519) || defined(HAVE_ED448) - wcchar BEGIN_EDDSA_PRIV = "-----BEGIN EDDSA PRIVATE KEY-----"; - wcchar END_EDDSA_PRIV = "-----END EDDSA PRIVATE KEY-----"; + static wcchar BEGIN_EDDSA_PRIV = "-----BEGIN EDDSA PRIVATE KEY-----"; + static wcchar END_EDDSA_PRIV = "-----END EDDSA PRIVATE KEY-----"; #endif #if defined(HAVE_FALCON) - wcchar BEGIN_FALCON_LEVEL1_PRIV = "-----BEGIN FALCON_LEVEL1 PRIVATE KEY-----"; - wcchar END_FALCON_LEVEL1_PRIV = "-----END FALCON_LEVEL1 PRIVATE KEY-----"; - wcchar BEGIN_FALCON_LEVEL5_PRIV = "-----BEGIN FALCON_LEVEL5 PRIVATE KEY-----"; - wcchar END_FALCON_LEVEL5_PRIV = "-----END FALCON_LEVEL5 PRIVATE KEY-----"; + static wcchar BEGIN_FALCON_LEVEL1_PRIV = "-----BEGIN FALCON_LEVEL1 PRIVATE KEY-----"; + static wcchar END_FALCON_LEVEL1_PRIV = "-----END FALCON_LEVEL1 PRIVATE KEY-----"; + static wcchar BEGIN_FALCON_LEVEL5_PRIV = "-----BEGIN FALCON_LEVEL5 PRIVATE KEY-----"; + static wcchar END_FALCON_LEVEL5_PRIV = "-----END FALCON_LEVEL5 PRIVATE 
KEY-----"; #endif /* HAVE_FALCON */ #if defined(HAVE_DILITHIUM) #ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT - wcchar BEGIN_DILITHIUM_LEVEL2_PRIV = "-----BEGIN DILITHIUM_LEVEL2 PRIVATE KEY-----"; - wcchar END_DILITHIUM_LEVEL2_PRIV = "-----END DILITHIUM_LEVEL2 PRIVATE KEY-----"; - wcchar BEGIN_DILITHIUM_LEVEL3_PRIV = "-----BEGIN DILITHIUM_LEVEL3 PRIVATE KEY-----"; - wcchar END_DILITHIUM_LEVEL3_PRIV = "-----END DILITHIUM_LEVEL3 PRIVATE KEY-----"; - wcchar BEGIN_DILITHIUM_LEVEL5_PRIV = "-----BEGIN DILITHIUM_LEVEL5 PRIVATE KEY-----"; - wcchar END_DILITHIUM_LEVEL5_PRIV = "-----END DILITHIUM_LEVEL5 PRIVATE KEY-----"; + static wcchar BEGIN_DILITHIUM_LEVEL2_PRIV = "-----BEGIN DILITHIUM_LEVEL2 PRIVATE KEY-----"; + static wcchar END_DILITHIUM_LEVEL2_PRIV = "-----END DILITHIUM_LEVEL2 PRIVATE KEY-----"; + static wcchar BEGIN_DILITHIUM_LEVEL3_PRIV = "-----BEGIN DILITHIUM_LEVEL3 PRIVATE KEY-----"; + static wcchar END_DILITHIUM_LEVEL3_PRIV = "-----END DILITHIUM_LEVEL3 PRIVATE KEY-----"; + static wcchar BEGIN_DILITHIUM_LEVEL5_PRIV = "-----BEGIN DILITHIUM_LEVEL5 PRIVATE KEY-----"; + static wcchar END_DILITHIUM_LEVEL5_PRIV = "-----END DILITHIUM_LEVEL5 PRIVATE KEY-----"; #endif - wcchar BEGIN_ML_DSA_LEVEL2_PRIV = "-----BEGIN ML_DSA_LEVEL2 PRIVATE KEY-----"; - wcchar END_ML_DSA_LEVEL2_PRIV = "-----END ML_DSA_LEVEL2 PRIVATE KEY-----"; - wcchar BEGIN_ML_DSA_LEVEL3_PRIV = "-----BEGIN ML_DSA_LEVEL3 PRIVATE KEY-----"; - wcchar END_ML_DSA_LEVEL3_PRIV = "-----END ML_DSA_LEVEL3 PRIVATE KEY-----"; - wcchar BEGIN_ML_DSA_LEVEL5_PRIV = "-----BEGIN ML_DSA_LEVEL5 PRIVATE KEY-----"; - wcchar END_ML_DSA_LEVEL5_PRIV = "-----END ML_DSA_LEVEL5 PRIVATE KEY-----"; + static wcchar BEGIN_ML_DSA_LEVEL2_PRIV = "-----BEGIN ML_DSA_LEVEL2 PRIVATE KEY-----"; + static wcchar END_ML_DSA_LEVEL2_PRIV = "-----END ML_DSA_LEVEL2 PRIVATE KEY-----"; + static wcchar BEGIN_ML_DSA_LEVEL3_PRIV = "-----BEGIN ML_DSA_LEVEL3 PRIVATE KEY-----"; + static wcchar END_ML_DSA_LEVEL3_PRIV = "-----END ML_DSA_LEVEL3 PRIVATE KEY-----"; + static 
wcchar BEGIN_ML_DSA_LEVEL5_PRIV = "-----BEGIN ML_DSA_LEVEL5 PRIVATE KEY-----"; + static wcchar END_ML_DSA_LEVEL5_PRIV = "-----END ML_DSA_LEVEL5 PRIVATE KEY-----"; #endif /* HAVE_DILITHIUM */ #if defined(HAVE_SPHINCS) - wcchar BEGIN_SPHINCS_FAST_LEVEL1_PRIV = "-----BEGIN SPHINCS_FAST_LEVEL1 PRIVATE KEY-----"; - wcchar END_SPHINCS_FAST_LEVEL1_PRIV = "-----END SPHINCS_FAST_LEVEL1 PRIVATE KEY-----"; - wcchar BEGIN_SPHINCS_FAST_LEVEL3_PRIV = "-----BEGIN SPHINCS_FAST_LEVEL3 PRIVATE KEY-----"; - wcchar END_SPHINCS_FAST_LEVEL3_PRIV = "-----END SPHINCS_FAST_LEVEL3 PRIVATE KEY-----"; - wcchar BEGIN_SPHINCS_FAST_LEVEL5_PRIV = "-----BEGIN SPHINCS_FAST_LEVEL5 PRIVATE KEY-----"; - wcchar END_SPHINCS_FAST_LEVEL5_PRIV = "-----END SPHINCS_FAST_LEVEL5 PRIVATE KEY-----"; + static wcchar BEGIN_SPHINCS_FAST_LEVEL1_PRIV = "-----BEGIN SPHINCS_FAST_LEVEL1 PRIVATE KEY-----"; + static wcchar END_SPHINCS_FAST_LEVEL1_PRIV = "-----END SPHINCS_FAST_LEVEL1 PRIVATE KEY-----"; + static wcchar BEGIN_SPHINCS_FAST_LEVEL3_PRIV = "-----BEGIN SPHINCS_FAST_LEVEL3 PRIVATE KEY-----"; + static wcchar END_SPHINCS_FAST_LEVEL3_PRIV = "-----END SPHINCS_FAST_LEVEL3 PRIVATE KEY-----"; + static wcchar BEGIN_SPHINCS_FAST_LEVEL5_PRIV = "-----BEGIN SPHINCS_FAST_LEVEL5 PRIVATE KEY-----"; + static wcchar END_SPHINCS_FAST_LEVEL5_PRIV = "-----END SPHINCS_FAST_LEVEL5 PRIVATE KEY-----"; - wcchar BEGIN_SPHINCS_SMALL_LEVEL1_PRIV = "-----BEGIN SPHINCS_SMALL_LEVEL1 PRIVATE KEY-----"; - wcchar END_SPHINCS_SMALL_LEVEL1_PRIV = "-----END SPHINCS_SMALL_LEVEL1 PRIVATE KEY-----"; - wcchar BEGIN_SPHINCS_SMALL_LEVEL3_PRIV = "-----BEGIN SPHINCS_SMALL_LEVEL3 PRIVATE KEY-----"; - wcchar END_SPHINCS_SMALL_LEVEL3_PRIV = "-----END SPHINCS_SMALL_LEVEL3 PRIVATE KEY-----"; - wcchar BEGIN_SPHINCS_SMALL_LEVEL5_PRIV = "-----BEGIN SPHINCS_SMALL_LEVEL5 PRIVATE KEY-----"; - wcchar END_SPHINCS_SMALL_LEVEL5_PRIV = "-----END SPHINCS_SMALL_LEVEL5 PRIVATE KEY-----"; + static wcchar BEGIN_SPHINCS_SMALL_LEVEL1_PRIV = "-----BEGIN SPHINCS_SMALL_LEVEL1 PRIVATE 
KEY-----"; + static wcchar END_SPHINCS_SMALL_LEVEL1_PRIV = "-----END SPHINCS_SMALL_LEVEL1 PRIVATE KEY-----"; + static wcchar BEGIN_SPHINCS_SMALL_LEVEL3_PRIV = "-----BEGIN SPHINCS_SMALL_LEVEL3 PRIVATE KEY-----"; + static wcchar END_SPHINCS_SMALL_LEVEL3_PRIV = "-----END SPHINCS_SMALL_LEVEL3 PRIVATE KEY-----"; + static wcchar BEGIN_SPHINCS_SMALL_LEVEL5_PRIV = "-----BEGIN SPHINCS_SMALL_LEVEL5 PRIVATE KEY-----"; + static wcchar END_SPHINCS_SMALL_LEVEL5_PRIV = "-----END SPHINCS_SMALL_LEVEL5 PRIVATE KEY-----"; #endif /* HAVE_SPHINCS */ const int pem_struct_min_sz = XSTR_SIZEOF("-----BEGIN X509 CRL-----" diff --git a/wolfcrypt/src/wc_xmss.c b/wolfcrypt/src/wc_xmss.c index 51b308bea..311636f6c 100644 --- a/wolfcrypt/src/wc_xmss.c +++ b/wolfcrypt/src/wc_xmss.c @@ -149,7 +149,11 @@ static WC_INLINE void wc_xmss_state_free(XmssState* state) */ typedef struct wc_XmssString { /* Name of algorithm as a string. */ +#ifdef WOLFSSL_NAMES_STATIC + const char str[32]; +#else const char* str; +#endif /* OID for algorithm. */ word32 oid; /* XMSS parameters. */ diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index fb09637c5..60091c6df 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -3694,8 +3694,11 @@ extern void uITRON4_free(void *p) ; #ifndef WOLFSSL_SP_DIV_WORD_HALF #define WOLFSSL_SP_DIV_WORD_HALF #endif - #ifdef __PIE__ + + #ifdef HAVE_LINUXKM_PIE_SUPPORT #define WC_NO_INTERNAL_FUNCTION_POINTERS + #define WOLFSSL_ECC_CURVE_STATIC + #define WOLFSSL_NAMES_STATIC #endif #ifndef NO_OLD_WC_NAMES @@ -4089,7 +4092,6 @@ extern void uITRON4_free(void *p) ; #if defined(__IAR_SYSTEMS_ICC__) && defined(__ROPI__) #define WOLFSSL_ECC_CURVE_STATIC #define WOLFSSL_NAMES_STATIC - #define WOLFSSL_NO_CONSTCHARCONST #endif /* FIPS v1 does not support TLS v1.3 (requires RSA PSS and HKDF) */ diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index 2c2254c65..c596d9693 100644 --- a/wolfssl/wolfcrypt/types.h 
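Review bot: In the `OPENSSL_EXTRA` block, `BEGIN_PRIV_KEY_PREFIX`, `PRIV_KEY_SUFFIX` and `END_PRIV_KEY_PREFIX` are the only markers in this hunk left without `static`, and nothing says why. Presumably they are referenced from another translation unit; a one-line comment such as `/* external linkage: used outside asn.c */` would stop a later cleanup from making them `static` too. For the markers that did become `static`, it is worth confirming that each is still used under exactly the same `#if` conditions as its definition, since an unused `static const` object is reported by `-Wunused-const-variable` where an external one was not.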
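Review bot: The new `#define WOLFSSL_ECC_CURVE_STATIC` and `#define WOLFSSL_NAMES_STATIC` under `HAVE_LINUXKM_PIE_SUPPORT` are unguarded, while the context just above wraps `WOLFSSL_SP_DIV_WORD_HALF` in `#ifndef`. A build that already passes `-DWOLFSSL_NAMES_STATIC` defines the macro as `1`, so the bare `#define` is a conflicting redefinition and fails under `-Werror`. Guarding it as `#ifndef WOLFSSL_NAMES_STATIC` / `#define WOLFSSL_NAMES_STATIC` / `#endif`, and likewise for the curve macro, avoids that. Switching the condition from `__PIE__` to `HAVE_LINUXKM_PIE_SUPPORT` also makes `WC_NO_INTERNAL_FUNCTION_POINTERS` depend on that macro being defined before `settings.h` is processed, which is not visible in this hunk and should be confirmed.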
+++ b/wolfssl/wolfcrypt/types.h @@ -111,13 +111,7 @@ library files. typedef byte word24[3]; #endif - -/* constant pointer to a constant char */ -#ifdef WOLFSSL_NO_CONSTCHARCONST - typedef const char* wcchar; -#else - typedef const char* const wcchar; -#endif +typedef const char wcchar[]; #ifndef WC_BITFIELD #ifdef WOLF_C89 diff --git a/wolfssl/wolfcrypt/wc_lms.h b/wolfssl/wolfcrypt/wc_lms.h index a4880a95d..73f121e56 100644 --- a/wolfssl/wolfcrypt/wc_lms.h +++ b/wolfssl/wolfcrypt/wc_lms.h @@ -384,7 +384,11 @@ typedef struct wc_LmsParamsMap { /* Identifier of parameters. */ enum wc_LmsParm id; /* String representation of identifier of parameters. */ +#ifdef WOLFSSL_NAMES_STATIC + const char str[32]; +#else const char* str; +#endif /* LMS parameter set. */ LmsParams params; } wc_LmsParamsMap;
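Review bot: `typedef const char wcchar[];` replaces the pointer typedef in a public header and drops the only comment describing the type. As an incomplete array type, `wcchar` now needs an initializer (or `extern`) at every declaration and cannot be assigned to or used as an ordinary struct member. `sizeof` on a `wcchar` object also yields the string size instead of the pointer size, so code written against the old `const char* const` meaning may stop compiling or change behaviour. I would add a comment such as `/* const char array sized by its initializer -- not a pointer */` and note that `WOLFSSL_NO_CONSTCHARCONST` no longer has any effect.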