From 017ac97de0518920586ab63d22443a74e5d76294 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Wed, 4 Feb 2026 14:12:51 -0600
Subject: [PATCH 1/4] configure.ac: remove prohibition on ARM32 --enable-armasm with --enable-aesgcm-stream (current code in aes.c falls back to C gracefully in that case).
---
 configure.ac | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/configure.ac b/configure.ac
index e248005e0b..e2e333d57b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1383,13 +1383,13 @@ then
 esac
 fi
-# 32 bit armasm and RISC-V asm don't yet support WOLFSSL_AESGCM_STREAM. Disable
+# RISC-V asm doesn't yet support WOLFSSL_AESGCM_STREAM. Disable
 # implicit activation, and error on explicit activation.
-if test "$enable_riscv_asm" = "yes" || (test "$enable_armasm" = "yes" && test "$host_cpu" != "aarch64" && test "$host_cpu" != "aarch64_be")
+if test "$enable_riscv_asm" = "yes"
 then
 if test "$enable_aesgcm_stream" = "yes"
 then
- AC_MSG_ERROR([32 bit armasm and RISC-V asm don't yet support WOLFSSL_AESGCM_STREAM.])
+ AC_MSG_ERROR([RISC-V asm doesn't yet support WOLFSSL_AESGCM_STREAM.])
 fi
 enable_aesgcm_stream=no
 fi
@@ -10689,11 +10689,9 @@ then
 if test "$ENABLED_AESGCM" = "no"
 then
 AC_MSG_ERROR([AES-GCM streaming is enabled but AES-GCM is disabled.])
- elif test "$ENABLED_RISCV_ASM" = "yes" || \
- (test "$ENABLED_ARMASM" = "yes" && \
- test "$host_cpu" != "aarch64" && test "$host_cpu" != "aarch64_be")
+ elif test "$ENABLED_RISCV_ASM" = "yes"
 then
- AC_MSG_ERROR([32 bit armasm and RISC-V asm don't yet support WOLFSSL_AESGCM_STREAM.])
+ AC_MSG_ERROR([RISC-V asm doesn't yet support WOLFSSL_AESGCM_STREAM.])
 else
 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AESGCM_STREAM"
 AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_AESGCM_STREAM"
From 10d4b1dd927c995118faae2fab01807ac1f5db26 Mon Sep 17 00:00:00 2001
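Review bot: Dropping the ARM32 armasm guard at both hunks makes the combination configure, but the fallback to the C AES-GCM streaming path that the commit message relies on is invisible to a user who explicitly asked for assembly; a configure-time notice in the first hunk's block would keep it explicit, e.g. `AC_MSG_NOTICE([32 bit armasm: AES-GCM streaming uses the C implementation.])` guarded by the same `$enable_armasm` / non-aarch64 test that was removed. Nothing in this series touches aes.c, so the claim that the existing code degrades gracefully rests on code not under review; a CI configuration that builds ARM32 --enable-armasm --enable-aesgcm-stream and runs the AES-GCM tests would pin it so a later assembly change cannot silently break the fallback. The second hunk (the `$ENABLED_*` check) has the same shape and needs no separate treatment.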
From: Daniel Pouzzner
Date: Wed, 4 Feb 2026 14:14:57 -0600
Subject: [PATCH 2/4] wolfcrypt/src/aes.c: fix -Wunused-variable in wc_AesSetKey().
---
 wolfcrypt/src/aes.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
index 3807566bdd..7217c7f871 100644
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@@ -4341,7 +4341,6 @@ static WARN_UNUSED_RESULT int wc_AesDecrypt(
 int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen,
 const byte* iv, int dir)
 {
- int ret;
 if ((aes == NULL) || (userKey == NULL)) {
 return BAD_FUNC_ARG;
 }
@@ -4367,7 +4366,7 @@ static WARN_UNUSED_RESULT int wc_AesDecrypt(
 #ifdef WOLF_CRYPTO_CB
 if (aes->devId != INVALID_DEVID) {
 #ifdef WOLF_CRYPTO_CB_AES_SETKEY
- ret = wc_CryptoCb_AesSetKey(aes, userKey, keylen);
+ int ret = wc_CryptoCb_AesSetKey(aes, userKey, keylen);
 if (ret == 0) {
 /* Callback succeeded - SE owns the key */
 aes->keylen = (int)keylen;
From 0364a348b5f53f31b5c942fa86fe3e510a1f75a9 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Wed, 4 Feb 2026 14:30:08 -0600
Subject: [PATCH 3/4] linuxkm/lkcapi_sha_glue.c and linuxkm/linuxkm_wc_port.h: when LINUXKM_DRBG_GET_RANDOM_BYTES, add "-with-global-replace" to the DRBG driver name, to advertise that /dev/[u]random and getrandom() are FIPS PRNGs; when NO_LINUXKM_DRBG_GET_RANDOM_BYTES, don't implicitly define LINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT.
---
 linuxkm/linuxkm_wc_port.h | 7 ++++---
 linuxkm/lkcapi_sha_glue.c | 41 ++++++++++++++++++++++++---------------
 2 files changed, 29 insertions(+), 19 deletions(-)
diff --git a/linuxkm/linuxkm_wc_port.h b/linuxkm/linuxkm_wc_port.h
index 00e7e45d3e..ebe0d64bc5 100644
--- a/linuxkm/linuxkm_wc_port.h
+++ b/linuxkm/linuxkm_wc_port.h
@@ -545,9 +545,10 @@
 * to assure that calls to get_random_bytes() in random.c are gated out
 * (they would recurse, potentially infinitely). */
- #if (defined(LINUXKM_LKCAPI_REGISTER_ALL) && \
- !defined(LINUXKM_LKCAPI_DONT_REGISTER_HASH_DRBG) && \
- !defined(LINUXKM_LKCAPI_DONT_REGISTER_HASH_DRBG_DEFAULT)) && \
+ #if defined(LINUXKM_LKCAPI_REGISTER_ALL) && \
+ !defined(LINUXKM_LKCAPI_DONT_REGISTER_HASH_DRBG) && \
+ !defined(LINUXKM_LKCAPI_DONT_REGISTER_HASH_DRBG_DEFAULT) && \
+ !defined(NO_LINUXKM_DRBG_GET_RANDOM_BYTES) && \
 !defined(LINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT)
 #define LINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT
 #endif
diff --git a/linuxkm/lkcapi_sha_glue.c b/linuxkm/lkcapi_sha_glue.c
index 1bdc56a8ac..bf2a16c929 100644
--- a/linuxkm/lkcapi_sha_glue.c
+++ b/linuxkm/lkcapi_sha_glue.c
@@ -30,6 +30,22 @@
 #error SHA* WC_LINUXKM_C_FALLBACK_IN_SHIMS is not currently supported.
 #endif
+#ifdef NO_LINUXKM_DRBG_GET_RANDOM_BYTES
+ #undef LINUXKM_DRBG_GET_RANDOM_BYTES
+/* setup for LINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT is in linuxkm_wc_port.h */
+#elif defined(LINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT) && \
+ (defined(WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS) || \
+ defined(WOLFSSL_LINUXKM_USE_GET_RANDOM_KPROBES))
+ #ifndef LINUXKM_DRBG_GET_RANDOM_BYTES
+ #define LINUXKM_DRBG_GET_RANDOM_BYTES
+ #endif
+#else
+ #ifdef LINUXKM_DRBG_GET_RANDOM_BYTES
+ #error LINUXKM_DRBG_GET_RANDOM_BYTES configured with no callback model configured.
+ #undef LINUXKM_DRBG_GET_RANDOM_BYTES
+ #endif
+#endif
+
 #include
 #include
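Review bot: The comment above the `#if` still describes only the get_random_bytes() recursion hazard and says nothing about the new `!defined(NO_LINUXKM_DRBG_GET_RANDOM_BYTES)` term, so the opt-out reads as unexplained to the next reader; a line next to it such as `/* NO_LINUXKM_DRBG_GET_RANDOM_BYTES opts out of the implicit default-DRBG registration; lkcapi_sha_glue.c derives LINUXKM_DRBG_GET_RANDOM_BYTES from the result. */` would close that gap. The enclosing comment starts before the hunk, so its opening lines are not visible here. Removing the inner parentheses does not change the condition (it was a conjunction either way), which the rest of the hunk confirms.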
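Review bot: In the `#ifdef NO_LINUXKM_DRBG_GET_RANDOM_BYTES` branch a LINUXKM_DRBG_GET_RANDOM_BYTES that was explicitly defined alongside the NO_ macro is silently `#undef`'d, while the `#else` branch treats the analogous contradiction as an `#error`. If both macros are user-settable, the first branch should be equally strict, e.g. `#ifdef LINUXKM_DRBG_GET_RANDOM_BYTES` / `#error LINUXKM_DRBG_GET_RANDOM_BYTES and NO_LINUXKM_DRBG_GET_RANDOM_BYTES both defined.` / `#endif` ahead of the `#undef`, so a contradictory build configuration fails loudly instead of quietly losing the FIPS-PRNG replacement. The added `/* setup for ... is in linuxkm_wc_port.h */` comment sits inside that first branch, between the `#undef` and the `#elif`, where it reads as a remark on the NO_ case only; it belongs above the `#ifdef`. That comment could also record why the block now lives at the top of the file, which appears to be so that WOLFKM_STDRNG_DRIVER, defined further down, sees the final value of LINUXKM_DRBG_GET_RANDOM_BYTES.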
@@ -94,7 +110,14 @@
 * exhaustion. A caller that really needs PR can pass in seed data in its call
 * to our rng_alg.generate() implementation. */
-#define WOLFKM_STDRNG_DRIVER ("sha2-256-drbg-nopr" WOLFKM_SHA_DRIVER_SUFFIX)
+#ifdef LINUXKM_DRBG_GET_RANDOM_BYTES
+ #define WOLFKM_STDRNG_DRIVER ("sha2-256-drbg-nopr" \
+ WOLFKM_DRIVER_SUFFIX_BASE \
+ "-with-global-replace")
+#else
+ #define WOLFKM_STDRNG_DRIVER ("sha2-256-drbg-nopr" \
+ WOLFKM_DRIVER_SUFFIX_BASE)
+#endif
 #ifdef LINUXKM_LKCAPI_REGISTER_SHA_ALL
 #define LINUXKM_LKCAPI_REGISTER_SHA1
@@ -388,7 +411,7 @@
 #else
 #if defined(LINUXKM_LKCAPI_REGISTER_ALL_KCONFIG) && defined(CONFIG_CRYPTO_DRBG) && \
 !defined(LINUXKM_LKCAPI_DONT_REGISTER_HASH_DRBG)
- #error Config conflict: target kernel has CONFIG_CRYPTO_SHA3, but module is missing WOLFSSL_SHA3
+ #error Config conflict: target kernel has CONFIG_CRYPTO_DRBG, but module is missing HAVE_HASHDRBG
 #endif
 #undef LINUXKM_LKCAPI_REGISTER_HASH_DRBG
 #endif
@@ -1257,20 +1280,6 @@ static struct rng_alg wc_linuxkm_drbg = {
 };
 static int wc_linuxkm_drbg_loaded = 0;
-#ifdef NO_LINUXKM_DRBG_GET_RANDOM_BYTES
- #undef LINUXKM_DRBG_GET_RANDOM_BYTES
-#elif defined(LINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT) && \
- (defined(WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS) || defined(WOLFSSL_LINUXKM_USE_GET_RANDOM_KPROBES))
- #ifndef LINUXKM_DRBG_GET_RANDOM_BYTES
- #define LINUXKM_DRBG_GET_RANDOM_BYTES
- #endif
-#else
- #ifdef LINUXKM_DRBG_GET_RANDOM_BYTES
- #error LINUXKM_DRBG_GET_RANDOM_BYTES configured with no callback model configured.
- #undef LINUXKM_DRBG_GET_RANDOM_BYTES
- #endif
-#endif
-
 #ifdef LINUXKM_DRBG_GET_RANDOM_BYTES
 #ifndef WOLFSSL_SMALL_STACK_CACHE
From 5fca3786c621b9d1270ced7c85d1c32a6989186b Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Wed, 4 Feb 2026 14:30:31 -0600
Subject: [PATCH 4/4] .wolfssl_known_macro_extras: remove WC_SHA3_HARDEN (unneeded because --enable-faultharden defines it).
---
 .wolfssl_known_macro_extras | 1 -
 1 file changed, 1 deletion(-)
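Review bot: At the first hunk both branches replace `WOLFKM_SHA_DRIVER_SUFFIX` with `WOLFKM_DRIVER_SUFFIX_BASE`, a change the commit message does not mention; if the two macros do not expand identically, the registered DRBG driver name changes in every configuration, not only the global-replace one, and anything that selects the driver by its full name (crypto_alloc_rng callers, FIPS documentation, test scripts) would stop matching. Either confirm they are identical or state the rename in the message. The `"-with-global-replace"` suffix advertises that /dev/[u]random and getrandom() are backed by this DRBG, which is only true while the get_random_bytes replacement is actually in effect; if that replacement can fail or be skipped at module load, the name promises a property the running kernel may not have, so a comment on the macro stating what guarantees the replacement is worth adding. The third hunk's corrected `#error` text and the fourth hunk's removal of the block now hosted at the top of the file look right.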
diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras
index af5a97f080..246ded2a45 100644
--- a/.wolfssl_known_macro_extras
+++ b/.wolfssl_known_macro_extras
@@ -637,7 +637,6 @@ WC_RSA_NONBLOCK
 WC_RSA_NONBLOCK_TIME
 WC_RSA_NO_FERMAT_CHECK
 WC_RWLOCK_OPS_INLINE
-WC_SHA3_HARDEN
 WC_SHA384
 WC_SHA384_DIGEST_SIZE
 WC_SHA512