From f733ade6a202b6b7119c70a07741e95d3cd2243e Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Sun, 6 Jul 2025 09:55:05 -0500 Subject: [PATCH 1/4] linuxkm/{linuxkm_wc_port.h,module_hooks.c}: add feature gates around wolfCrypt_FIPS_*_sanity() references matching those in fips_test.c. --- linuxkm/linuxkm_wc_port.h | 56 +++++++++++++++++++++++++++++++++++++++ linuxkm/module_hooks.c | 28 ++++++++++++++++++++ 2 files changed, 84 insertions(+) diff --git a/linuxkm/linuxkm_wc_port.h b/linuxkm/linuxkm_wc_port.h index fcd3453df..2acf456d7 100644 --- a/linuxkm/linuxkm_wc_port.h +++ b/linuxkm/linuxkm_wc_port.h @@ -475,21 +475,49 @@ extern int wolfCrypt_FIPS_first(void); extern int wolfCrypt_FIPS_last(void); #if FIPS_VERSION3_GE(6,0,0) +#ifndef NO_AES extern int wolfCrypt_FIPS_AES_sanity(void); +#if defined(WOLFSSL_CMAC) && defined(WOLFSSL_AES_DIRECT) extern int wolfCrypt_FIPS_CMAC_sanity(void); +#endif +#endif +#ifndef NO_DH extern int wolfCrypt_FIPS_DH_sanity(void); +#endif +#ifdef HAVE_ECC extern int wolfCrypt_FIPS_ECC_sanity(void); +#endif +#ifdef HAVE_ED25519 extern int wolfCrypt_FIPS_ED25519_sanity(void); +#endif +#ifdef HAVE_ED448 extern int wolfCrypt_FIPS_ED448_sanity(void); +#endif extern int wolfCrypt_FIPS_HMAC_sanity(void); +#ifndef NO_KDF extern int wolfCrypt_FIPS_KDF_sanity(void); +#endif +#ifdef HAVE_PBKDF2 extern int wolfCrypt_FIPS_PBKDF_sanity(void); +#endif +#ifdef HAVE_HASHDRBG extern int wolfCrypt_FIPS_DRBG_sanity(void); +#endif +#ifndef NO_RSA extern int wolfCrypt_FIPS_RSA_sanity(void); +#endif +#ifndef NO_SHA extern int wolfCrypt_FIPS_SHA_sanity(void); +#endif +#ifndef NO_SHA256 extern int wolfCrypt_FIPS_SHA256_sanity(void); +#endif +#ifdef WOLFSSL_SHA512 extern int wolfCrypt_FIPS_SHA512_sanity(void); +#endif +#ifdef WOLFSSL_SHA3 extern int wolfCrypt_FIPS_SHA3_sanity(void); +#endif extern int wolfCrypt_FIPS_FT_sanity(void); extern int wc_RunAllCast_fips(void); #endif @@ -660,21 +688,49 @@ typeof(wolfCrypt_FIPS_first) *wolfCrypt_FIPS_first; typeof(wolfCrypt_FIPS_last) *wolfCrypt_FIPS_last; #if FIPS_VERSION3_GE(6,0,0) +#ifndef NO_AES typeof(wolfCrypt_FIPS_AES_sanity) *wolfCrypt_FIPS_AES_sanity; +#if defined(WOLFSSL_CMAC) && defined(WOLFSSL_AES_DIRECT) typeof(wolfCrypt_FIPS_CMAC_sanity) *wolfCrypt_FIPS_CMAC_sanity; +#endif +#endif +#ifndef NO_DH typeof(wolfCrypt_FIPS_DH_sanity) *wolfCrypt_FIPS_DH_sanity; +#endif +#ifdef HAVE_ECC typeof(wolfCrypt_FIPS_ECC_sanity) *wolfCrypt_FIPS_ECC_sanity; +#endif +#ifdef HAVE_ED25519 typeof(wolfCrypt_FIPS_ED25519_sanity) *wolfCrypt_FIPS_ED25519_sanity; +#endif +#ifdef HAVE_ED448 typeof(wolfCrypt_FIPS_ED448_sanity) *wolfCrypt_FIPS_ED448_sanity; +#endif typeof(wolfCrypt_FIPS_HMAC_sanity) *wolfCrypt_FIPS_HMAC_sanity; +#ifndef NO_KDF typeof(wolfCrypt_FIPS_KDF_sanity) *wolfCrypt_FIPS_KDF_sanity; +#endif +#ifdef HAVE_PBKDF2 typeof(wolfCrypt_FIPS_PBKDF_sanity) *wolfCrypt_FIPS_PBKDF_sanity; +#endif +#ifdef HAVE_HASHDRBG typeof(wolfCrypt_FIPS_DRBG_sanity) *wolfCrypt_FIPS_DRBG_sanity; +#endif +#ifndef NO_RSA typeof(wolfCrypt_FIPS_RSA_sanity) *wolfCrypt_FIPS_RSA_sanity; +#endif +#ifndef NO_SHA typeof(wolfCrypt_FIPS_SHA_sanity) *wolfCrypt_FIPS_SHA_sanity; +#endif +#ifndef NO_SHA256 typeof(wolfCrypt_FIPS_SHA256_sanity) *wolfCrypt_FIPS_SHA256_sanity; +#endif +#ifdef WOLFSSL_SHA512 typeof(wolfCrypt_FIPS_SHA512_sanity) *wolfCrypt_FIPS_SHA512_sanity; +#endif +#ifdef WOLFSSL_SHA3 typeof(wolfCrypt_FIPS_SHA3_sanity) *wolfCrypt_FIPS_SHA3_sanity; +#endif typeof(wolfCrypt_FIPS_FT_sanity) *wolfCrypt_FIPS_FT_sanity; typeof(wc_RunAllCast_fips) *wc_RunAllCast_fips; #endif diff --git a/linuxkm/module_hooks.c b/linuxkm/module_hooks.c index bece5327d..91f3b795f 100644 --- a/linuxkm/module_hooks.c +++ b/linuxkm/module_hooks.c @@ -598,36 +598,64 @@ static int set_up_wolfssl_linuxkm_pie_redirect_table(void) { wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_last = wolfCrypt_FIPS_last; #if FIPS_VERSION3_GE(6,0,0) +#ifndef NO_AES wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_AES_sanity = wolfCrypt_FIPS_AES_sanity; +#if defined(WOLFSSL_CMAC) && defined(WOLFSSL_AES_DIRECT) wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_CMAC_sanity = wolfCrypt_FIPS_CMAC_sanity; +#endif +#endif +#ifndef NO_DH wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_DH_sanity = wolfCrypt_FIPS_DH_sanity; +#endif +#ifdef HAVE_ECC wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ECC_sanity = wolfCrypt_FIPS_ECC_sanity; +#endif +#ifdef HAVE_ED25519 wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ED25519_sanity = wolfCrypt_FIPS_ED25519_sanity; +#endif +#ifdef HAVE_ED448 wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ED448_sanity = wolfCrypt_FIPS_ED448_sanity; +#endif wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_HMAC_sanity = wolfCrypt_FIPS_HMAC_sanity; +#ifndef NO_KDF wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_KDF_sanity = wolfCrypt_FIPS_KDF_sanity; +#endif +#ifdef HAVE_PBKDF2 wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_PBKDF_sanity = wolfCrypt_FIPS_PBKDF_sanity; +#endif +#ifdef HAVE_HASHDRBG wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_DRBG_sanity = wolfCrypt_FIPS_DRBG_sanity; +#endif +#ifndef NO_RSA wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_RSA_sanity = wolfCrypt_FIPS_RSA_sanity; +#endif +#ifndef NO_SHA wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_SHA_sanity = wolfCrypt_FIPS_SHA_sanity; +#endif +#ifndef NO_SHA256 wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_SHA256_sanity = wolfCrypt_FIPS_SHA256_sanity; +#endif +#ifdef WOLFSSL_SHA512 wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_SHA512_sanity = wolfCrypt_FIPS_SHA512_sanity; +#endif +#ifdef WOLFSSL_SHA3 wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_SHA3_sanity = wolfCrypt_FIPS_SHA3_sanity; +#endif wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_FT_sanity = wolfCrypt_FIPS_FT_sanity; wolfssl_linuxkm_pie_redirect_table.wc_RunAllCast_fips = From 7c6afeb1060cd1a62ccbe8d8faed5de81ebafe00 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Wed, 9 Jul 2025 16:29:04 -0500 Subject: [PATCH 2/4] add linuxkm/wolfcrypt.lds module linker script, explicitly grouping wolfcrypt sections together; linuxkm/Kbuild: add linker script flag, containerize several more previously-missed ELF sections, and add a test verifying no sections were missed; linuxkm/linuxkm_memory.c: remove obsolete lkm_realloc() shim and unneeded my__show_free_areas() wrapper; linuxkm/linuxkm_wc_port.h: add new mapping from realloc() to native kvrealloc(), and gate out a slew of headers when __PIE__ to avoid polluting wolfCrypt objects with various unneeded header-implemented functions with associated awkward symbols references; linuxkm/lkcapi_glue.c: harmonize gate for REGISTER_ALG_OPTIONAL(); linuxkm/module_hooks.c: add "ERROR:" prefixes on pr_err()s; add wc_RunAllCast_fips() at shutdown to send confidence verification to the kernel log; remove section bounds checks now that layout is unreliable; wolfssl/wolfcrypt/settings.h: for WOLFSSL_LINUXKM && HAVE_LINUXKM_PIE_SUPPORT, #define WOLFSSL_ECC_CURVE_STATIC and WOLFSSL_NAMES_STATIC; wolfssl/wolfcrypt/types.h: refactor the typedef for wcchar from a pointer to a char[]; wolfcrypt/src/wc_xmss.c and wolfssl/wolfcrypt/wc_lms.h: add WOLFSSL_NAMES_STATIC code paths for struct wc_XmssString and struct wc_LmsParamsMap; wolfcrypt/src/asn.c: add WOLFSSL_NAMES_STATIC code paths for struct CertNameData, and add static attribute to a slew of wcchars not used or declared outside asn.c. --- linuxkm/Kbuild | 35 +++++++- linuxkm/linuxkm_memory.c | 66 --------------- linuxkm/linuxkm_wc_port.h | 102 ++++++++++++---------- linuxkm/lkcapi_glue.c | 2 +- linuxkm/module_hooks.c | 131 +++++++++++++---------------- linuxkm/wolfcrypt.lds | 19 +++++ wolfcrypt/src/asn.c | 159 +++++++++++++++++++---------------- wolfcrypt/src/wc_xmss.c | 4 + wolfssl/wolfcrypt/settings.h | 6 +- wolfssl/wolfcrypt/types.h | 8 +- wolfssl/wolfcrypt/wc_lms.h | 4 + 11 files changed, 267 insertions(+), 269 deletions(-) create mode 100644 linuxkm/wolfcrypt.lds diff --git a/linuxkm/Kbuild b/linuxkm/Kbuild index 2df401ce7..89d2199d1 100644 --- a/linuxkm/Kbuild +++ b/linuxkm/Kbuild @@ -151,6 +151,8 @@ endif ifeq "$(ENABLED_LINUXKM_PIE)" "yes" +LDFLAGS_libwolfssl.o += -T $(src)/wolfcrypt.lds + rename-pie-text-and-data-sections: $(WOLFSSL_OBJ_TARGETS) ifndef NM @@ -186,8 +188,39 @@ ifneq "$(quiet)" "silent_" endif cd "$(obj)" || exit $$? for file in $(WOLFCRYPT_PIE_FILES); do - $(OBJCOPY) --rename-section .text=.text.wolfcrypt --rename-section .data=.data.wolfcrypt --rename-section .rodata=.rodata.wolfcrypt "$$file" || exit $$? + $(OBJCOPY) --rename-section .text=.text.wolfcrypt \ + --rename-section .text.unlikely=.text.wolfcrypt \ + --rename-section .rodata=.rodata.wolfcrypt \ + --rename-section .rodata.str1.1=.rodata.wolfcrypt \ + --rename-section .rodata.str1.8=.rodata.wolfcrypt \ + --rename-section .data=.data.wolfcrypt \ + --rename-section .data.rel.local=.data.wolfcrypt \ + --rename-section .bss=.bss.wolfcrypt "$$file" || exit $$? done + { $(READELF) --syms $(WOLFCRYPT_PIE_FILES) | \ + $(AWK) -v obj="$(obj)" ' \ + /File:/ { \ + if (substr($$2, 1, length(obj)) == obj) { \ + curfile = substr($$2, length(obj) + 2); \ + } else { \ + curfile=$$2; \ + } \ + next; \ + } \ + { \ + if (($$4 == "SECTION") && ($$8 !~ "wolfcrypt")) {\ + if (! ((curfile ";" $$8) in warned_on)) { \ + print curfile ": " $$8 >"/dev/stderr"; \ + warned_on[curfile ": " $$8] = 1; \ + ++warnings; \ + }}} \ + END { \ + if (warnings) { \ + exit(1); \ + } else { \ + exit(0); \ + }}'; } || \ + { echo 'Error: section(s) missed by containerization.' >&2; exit 1; } ifneq "$(quiet)" "silent_" echo ' wolfCrypt .{text,data,rodata} sections containerized to .{text,data,rodata}.wolfcrypt' endif diff --git a/linuxkm/linuxkm_memory.c b/linuxkm/linuxkm_memory.c index e17a56ccc..b447e9843 100644 --- a/linuxkm/linuxkm_memory.c +++ b/linuxkm/linuxkm_memory.c @@ -21,72 +21,6 @@ /* included by wolfcrypt/src/memory.c */ -#ifdef HAVE_KVMALLOC -/* adapted from kvrealloc() draft by Changli Gao, 2010-05-13 */ -void *lkm_realloc(void *ptr, size_t newsize) { - void *nptr; - size_t oldsize; - - if (unlikely(newsize == 0)) { - kvfree(ptr); - return ZERO_SIZE_PTR; - } - - if (unlikely(ptr == NULL)) - return kvmalloc_node(newsize, GFP_KERNEL, NUMA_NO_NODE); - - if (is_vmalloc_addr(ptr)) { - /* no way to discern the size of the old allocation, - * because the kernel doesn't export find_vm_area(). if - * it did, we could then call get_vm_area_size() on the - * returned struct vm_struct. - */ - return NULL; - } else { -#ifndef __PIE__ - struct page *page; - - page = virt_to_head_page(ptr); - if (PageSlab(page) || PageCompound(page)) { - if (newsize < PAGE_SIZE) -#endif /* ! __PIE__ */ - return krealloc(ptr, newsize, GFP_KERNEL); -#ifndef __PIE__ - oldsize = ksize(ptr); - } else { - oldsize = page->private; - if (newsize <= oldsize) - return ptr; - } -#endif /* ! __PIE__ */ - } - - nptr = kvmalloc_node(newsize, GFP_KERNEL, NUMA_NO_NODE); - if (nptr != NULL) { - memcpy(nptr, ptr, oldsize); - kvfree(ptr); - } - - return nptr; -} -#endif /* HAVE_KVMALLOC */ - -#if defined(__PIE__) && (LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0)) -/* needed in 6.1+ because show_free_areas() static definition in mm.h calls - * __show_free_areas(), which isn't exported (neither was show_free_areas()). - */ -void my__show_free_areas( - unsigned int flags, - nodemask_t *nodemask, - int max_zone_idx) -{ - (void)flags; - (void)nodemask; - (void)max_zone_idx; - return; -} -#endif - #if defined(__PIE__) && defined(CONFIG_FORTIFY_SOURCE) /* needed because FORTIFY_SOURCE inline implementations call fortify_panic(). */ void __my_fortify_panic(const char *name) { diff --git a/linuxkm/linuxkm_wc_port.h b/linuxkm/linuxkm_wc_port.h index 2acf456d7..6be606426 100644 --- a/linuxkm/linuxkm_wc_port.h +++ b/linuxkm/linuxkm_wc_port.h @@ -77,8 +77,14 @@ #define ALIGN16 __attribute__ ( (aligned (32))) #endif - /* kvmalloc()/kvfree() and friends added in linux commit a7c3e901 */ - #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 12, 0) + /* kvmalloc()/kvfree() and friends added in linux commit a7c3e901, merged for 4.12. + * kvrealloc() added in de2860f463, merged for 5.15, backported to 5.10.137. + * moved to ultimate home (slab.h) in 8587ca6f34, merged for 5.16. + + */ + #if (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 15, 0)) || \ + ((LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 137)) && \ + (LINUX_VERSION_CODE < KERNEL_VERSION(5, 11, 90))) #define HAVE_KVMALLOC #endif @@ -258,36 +264,54 @@ #undef memmove #define memmove my_memmove - #endif /* CONFIG_FORTIFY_SOURCE */ + #else /* !CONFIG_FORTIFY_SOURCE */ + + #include + + #endif /* !CONFIG_FORTIFY_SOURCE */ + + #ifdef LINUXKM_LKCAPI_REGISTER + /* the LKCAPI assumes that expanded encrypt and decrypt keys will stay + * loaded simultaneously, and the Linux in-tree implementations have two + * AES key structs in each context, one for each direction. in + * linuxkm/lkcapi_aes_glue.c, we do the same + * thing with "struct km_AesCtx". however, wolfCrypt struct AesXts + * already has two AES expanded keys, the main and tweak, and the tweak + * is always used in the encrypt direction regardless of the main + * direction. to avoid allocating and computing a duplicate second + * tweak encrypt key, we set + * WC_AES_XTS_SUPPORT_SIMULTANEOUS_ENC_AND_DEC_KEYS, which adds a second + * Aes slot to wolfCrypt's struct AesXts, and activates support for + * AES_ENCRYPTION_AND_DECRYPTION on AES-XTS. + */ + #ifndef WC_AES_XTS_SUPPORT_SIMULTANEOUS_ENC_AND_DEC_KEYS + #define WC_AES_XTS_SUPPORT_SIMULTANEOUS_ENC_AND_DEC_KEYS + #endif + #endif /* LINUXKM_LKCAPI_REGISTER */ #include +#ifndef __PIE__ #include #include +#endif - #ifdef __PIE__ - /* without this, mm.h brings in static, but not inline, pmd_to_page(), - * with direct references to global vmem variables. - */ - #undef USE_SPLIT_PMD_PTLOCKS - #define USE_SPLIT_PMD_PTLOCKS 0 - - #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0) - /* without this, static show_free_areas() mm.h brings in direct - * reference to unexported __show_free_areas(). - */ - #define __show_free_areas my__show_free_areas - void my__show_free_areas( - unsigned int flags, - nodemask_t *nodemask, - int max_zone_idx); - #endif - #endif +#ifdef __PIE__ + /* linux/slab.h will recursively bring in linux/page-flags.h, polluting the + * wolfCrypt container objects with static functions const_folio_flags() and + * folio_flags(), unless we kludge it off thusly. + */ + #define PAGE_FLAGS_H +#else #include +#endif + + #include + +#ifndef __PIE__ #ifndef SINGLE_THREADED #include #endif #include - #include #ifdef LINUXKM_LKCAPI_REGISTER #include @@ -306,29 +330,13 @@ #include #endif - /* the LKCAPI assumes that expanded encrypt and decrypt keys will stay - * loaded simultaneously, and the Linux in-tree implementations have two - * AES key structs in each context, one for each direction. in - * linuxkm/lkcapi_aes_glue.c, we do the same - * thing with "struct km_AesCtx". however, wolfCrypt struct AesXts - * already has two AES expanded keys, the main and tweak, and the tweak - * is always used in the encrypt direction regardless of the main - * direction. to avoid allocating and computing a duplicate second - * tweak encrypt key, we set - * WC_AES_XTS_SUPPORT_SIMULTANEOUS_ENC_AND_DEC_KEYS, which adds a second - * Aes slot to wolfCrypt's struct AesXts, and activates support for - * AES_ENCRYPTION_AND_DECRYPTION on AES-XTS. - */ - #ifndef WC_AES_XTS_SUPPORT_SIMULTANEOUS_ENC_AND_DEC_KEYS - #define WC_AES_XTS_SUPPORT_SIMULTANEOUS_ENC_AND_DEC_KEYS - #endif - #if defined(_LINUX_REFCOUNT_H) || defined(_LINUX_REFCOUNT_TYPES_H) #define WC_LKM_REFCOUNT_TO_INT(refcount) (atomic_read(&(refcount.refs))) #else #define WC_LKM_REFCOUNT_TO_INT(refcount) (atomic_read(&(refcount))) #endif #endif +#endif /* !__PIE__ */ #if defined(WOLFSSL_AESNI) || defined(USE_INTEL_SPEEDUP) || \ defined(WOLFSSL_SP_X86_64_ASM) @@ -622,17 +630,20 @@ typeof(kzalloc_noprof) *kzalloc_noprof; typeof(__kvmalloc_node_noprof) *__kvmalloc_node_noprof; typeof(__kmalloc_cache_noprof) *__kmalloc_cache_noprof; + typeof(kvrealloc_noprof) *kvrealloc_noprof; #elif LINUX_VERSION_CODE >= KERNEL_VERSION(6, 10, 0) typeof(kmalloc_noprof) *kmalloc_noprof; typeof(krealloc_noprof) *krealloc_noprof; typeof(kzalloc_noprof) *kzalloc_noprof; typeof(kvmalloc_node_noprof) *kvmalloc_node_noprof; typeof(kmalloc_trace_noprof) *kmalloc_trace_noprof; + typeof(kvrealloc_noprof) *kvrealloc_noprof; #else /* <6.10.0 */ typeof(kmalloc) *kmalloc; typeof(krealloc) *krealloc; #ifdef HAVE_KVMALLOC - typeof(kvmalloc_node) *kvmalloc_node; + typeof(kvmalloc_node) *kvmalloc_node; + typeof(kvrealloc) *kvrealloc; #endif #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0) typeof(kmalloc_trace) *kmalloc_trace; @@ -646,7 +657,6 @@ #endif typeof(kfree) *kfree; typeof(ksize) *ksize; - typeof(is_vmalloc_addr) *is_vmalloc_addr; typeof(get_random_bytes) *get_random_bytes; #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0) @@ -854,6 +864,7 @@ #define kzalloc_noprof (wolfssl_linuxkm_get_pie_redirect_table()->kzalloc_noprof) #define __kvmalloc_node_noprof (wolfssl_linuxkm_get_pie_redirect_table()->__kvmalloc_node_noprof) #define __kmalloc_cache_noprof (wolfssl_linuxkm_get_pie_redirect_table()->__kmalloc_cache_noprof) + #define kvrealloc_noprof (wolfssl_linuxkm_get_pie_redirect_table()->kvrealloc_noprof) #elif LINUX_VERSION_CODE >= KERNEL_VERSION(6, 10, 0) /* see include/linux/alloc_tag.h and include/linux/slab.h */ #define kmalloc_noprof (wolfssl_linuxkm_get_pie_redirect_table()->kmalloc_noprof) @@ -861,12 +872,14 @@ #define kzalloc_noprof (wolfssl_linuxkm_get_pie_redirect_table()->kzalloc_noprof) #define kvmalloc_node_noprof (wolfssl_linuxkm_get_pie_redirect_table()->kvmalloc_node_noprof) #define kmalloc_trace_noprof (wolfssl_linuxkm_get_pie_redirect_table()->kmalloc_trace_noprof) + #define kvrealloc_noprof (wolfssl_linuxkm_get_pie_redirect_table()->kvrealloc_noprof) #else /* <6.10.0 */ #define kmalloc (wolfssl_linuxkm_get_pie_redirect_table()->kmalloc) #define krealloc (wolfssl_linuxkm_get_pie_redirect_table()->krealloc) #define kzalloc(size, flags) kmalloc(size, (flags) | __GFP_ZERO) #ifdef HAVE_KVMALLOC #define kvmalloc_node (wolfssl_linuxkm_get_pie_redirect_table()->kvmalloc_node) + #define kvrealloc (wolfssl_linuxkm_get_pie_redirect_table()->kvrealloc) #endif #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0) #define kmalloc_trace (wolfssl_linuxkm_get_pie_redirect_table()->kmalloc_trace) @@ -882,8 +895,6 @@ #endif #define ksize (wolfssl_linuxkm_get_pie_redirect_table()->ksize) - #define is_vmalloc_addr (wolfssl_linuxkm_get_pie_redirect_table()->is_vmalloc_addr) - #define get_random_bytes (wolfssl_linuxkm_get_pie_redirect_table()->get_random_bytes) #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0) #define getnstimeofday (wolfssl_linuxkm_get_pie_redirect_table()->getnstimeofday) @@ -1162,10 +1173,9 @@ _alloc_sz; \ }) #ifdef HAVE_KVMALLOC -#define malloc(size) kvmalloc_node(WC_LINUXKM_ROUND_UP_P_OF_2(size), (preempt_count() == 0 ? GFP_KERNEL : GFP_ATOMIC), NUMA_NO_NODE) + #define malloc(size) kvmalloc_node(WC_LINUXKM_ROUND_UP_P_OF_2(size), (preempt_count() == 0 ? GFP_KERNEL : GFP_ATOMIC), NUMA_NO_NODE) #define free(ptr) kvfree(ptr) - void *lkm_realloc(void *ptr, size_t newsize); - #define realloc(ptr, newsize) lkm_realloc(ptr, WC_LINUXKM_ROUND_UP_P_OF_2(newsize)) + #define realloc(ptr, newsize) kvrealloc(ptr, WC_LINUXKM_ROUND_UP_P_OF_2(newsize), (preempt_count() == 0 ? GFP_KERNEL : GFP_ATOMIC)) #else #define malloc(size) kmalloc(WC_LINUXKM_ROUND_UP_P_OF_2(size), (preempt_count() == 0 ? GFP_KERNEL : GFP_ATOMIC)) #define free(ptr) kfree(ptr) diff --git a/linuxkm/lkcapi_glue.c b/linuxkm/lkcapi_glue.c index 09118df1a..00609ed50 100644 --- a/linuxkm/lkcapi_glue.c +++ b/linuxkm/lkcapi_glue.c @@ -591,7 +591,7 @@ static int linuxkm_lkcapi_register(void) * on here is for ECDH loading to be optional when fips and fips tests are * enabled. Failures because of !fips_allowed are skipped over. */ - #if defined(CONFIG_CRYPTO_FIPS) && \ + #if defined(HAVE_FIPS) && defined(CONFIG_CRYPTO_FIPS) && \ defined(CONFIG_CRYPTO_MANAGER) && \ !defined(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS) #if defined(LINUXKM_ECC192) diff --git a/linuxkm/module_hooks.c b/linuxkm/module_hooks.c index 91f3b795f..5d0fe8079 100644 --- a/linuxkm/module_hooks.c +++ b/linuxkm/module_hooks.c @@ -19,14 +19,12 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ -#ifndef WOLFSSL_LICENSE -#define WOLFSSL_LICENSE "GPL v2" -#endif - #define WOLFSSL_LINUXKM_NEED_LINUX_CURRENT #include +#define WOLFSSL_LICENSE "GPL v2" + #ifdef WOLFCRYPT_ONLY #include #else @@ -65,13 +63,13 @@ static int libwolfssl_cleanup(void) { #ifdef WOLFCRYPT_ONLY ret = wolfCrypt_Cleanup(); if (ret != 0) - pr_err("wolfCrypt_Cleanup() failed: %s\n", wc_GetErrorString(ret)); + pr_err("ERROR: wolfCrypt_Cleanup() failed: %s\n", wc_GetErrorString(ret)); else pr_info("wolfCrypt " LIBWOLFSSL_VERSION_STRING " cleanup complete.\n"); #else ret = wolfSSL_Cleanup(); if (ret != WOLFSSL_SUCCESS) - pr_err("wolfSSL_Cleanup() failed: %s\n", wc_GetErrorString(ret)); + pr_err("ERROR: wolfSSL_Cleanup() failed: %s\n", wc_GetErrorString(ret)); else pr_info("wolfSSL " LIBWOLFSSL_VERSION_STRING " cleanup complete.\n"); #endif @@ -115,7 +113,7 @@ static int set_up_wolfssl_linuxkm_pie_redirect_table(void); static void lkmFipsCb(int ok, int err, const char* hash) { if ((! ok) || (err != 0)) - pr_err("libwolfssl FIPS error: %s\n", wc_GetErrorString(err)); + pr_err("ERROR: libwolfssl FIPS error: %s\n", wc_GetErrorString(err)); if (err == WC_NO_ERR_TRACE(IN_CORE_FIPS_E)) { pr_err("In-core integrity hash check failure.\n" "Update verifyCore[] in fips_test.c with new hash \"%s\" and rebuild.\n", @@ -137,7 +135,7 @@ WC_MAYBE_UNUSED static int linuxkm_lkcapi_sysfs_install_node(struct kobj_attribu if ((installed_flag == NULL) || (! *installed_flag)) { int ret = sysfs_create_file(&THIS_MODULE->mkobj.kobj, &node->attr); if (ret) { - pr_err("sysfs_create_file failed for %s: %d\n", node->attr.name, ret); + pr_err("ERROR: sysfs_create_file failed for %s: %d\n", node->attr.name, ret); return ret; } if (installed_flag) @@ -182,13 +180,13 @@ static int wolfssl_init(void) #ifdef WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE #ifdef CONFIG_MODULE_SIG if (THIS_MODULE->sig_ok == false) { - pr_err("wolfSSL module load aborted -- bad or missing module signature with FIPS dynamic hash.\n"); + pr_err("ERROR: wolfSSL module load aborted -- bad or missing module signature with FIPS dynamic hash.\n"); return -ECANCELED; } #endif ret = updateFipsHash(); if (ret < 0) { - pr_err("wolfSSL module load aborted -- updateFipsHash: %s\n",wc_GetErrorString(ret)); + pr_err("ERROR: wolfSSL module load aborted -- updateFipsHash: %s\n",wc_GetErrorString(ret)); return -ECANCELED; } #endif @@ -226,58 +224,32 @@ static int wolfssl_init(void) char *pie_rodata_end = (char *)wolfCrypt_PIE_rodata_end; unsigned int text_hash, rodata_hash; - if ((pie_text_start < pie_text_end) && - (pie_text_start >= (char *)THIS_MODULE_TEXT_BASE) && - (pie_text_end - (char *)THIS_MODULE_TEXT_BASE <= THIS_MODULE_TEXT_SIZE)) - { - text_hash = hash_span(pie_text_start, pie_text_end); - } else { - pr_info("out-of-bounds PIE fenceposts! pie_text_start=%px pie_text_end=%px (span=%lu)" - " core_layout.base=%px text_end=%px\n", - pie_text_start, - pie_text_end, - pie_text_end-pie_text_start, - THIS_MODULE_TEXT_BASE, - (char *)THIS_MODULE_TEXT_BASE + THIS_MODULE_TEXT_SIZE); - text_hash = 0; - } - - if ((pie_rodata_start < pie_rodata_end) && // cppcheck-suppress comparePointers - (pie_rodata_start >= (char *)THIS_MODULE_RO_BASE) && - (pie_rodata_end - (char *)THIS_MODULE_RO_BASE <= THIS_MODULE_RO_SIZE)) - { - rodata_hash = hash_span(pie_rodata_start, pie_rodata_end); - } else { - pr_info("out-of-bounds PIE fenceposts! pie_rodata_start=%px pie_rodata_end=%px (span=%lu)" - " core_layout.base+core_layout.text_size=%px rodata_end=%px\n", - pie_rodata_start, - pie_rodata_end, - pie_rodata_end-pie_rodata_start, - (char *)THIS_MODULE_RO_BASE, - (char *)THIS_MODULE_RO_BASE + THIS_MODULE_RO_SIZE); - rodata_hash = 0; - } + text_hash = hash_span(pie_text_start, pie_text_end); + rodata_hash = hash_span(pie_rodata_start, pie_rodata_end); /* note, "%pK" conceals the actual layout information. "%px" exposes * the true module start address, which is potentially useful to an * attacker. */ - pr_info("wolfCrypt container hashes (spans): text 0x%x (%lu), rodata 0x%x (%lu)\n", + pr_info("wolfCrypt section hashes (spans): text 0x%x (%lu), rodata 0x%x (%lu), offset %c0x%lx\n", text_hash, pie_text_end-pie_text_start, - rodata_hash, pie_rodata_end-pie_rodata_start); + rodata_hash, pie_rodata_end-pie_rodata_start, + pie_text_start < pie_rodata_start ? '+' : '-', + pie_text_start < pie_rodata_start ? pie_rodata_start - pie_text_start : pie_text_start - pie_rodata_start); } + #endif /* HAVE_LINUXKM_PIE_SUPPORT && DEBUG_LINUXKM_PIE_SUPPORT */ #ifdef HAVE_FIPS ret = wolfCrypt_SetCb_fips(lkmFipsCb); if (ret != 0) { - pr_err("wolfCrypt_SetCb_fips() failed: %s\n", wc_GetErrorString(ret)); + pr_err("ERROR: wolfCrypt_SetCb_fips() failed: %s\n", wc_GetErrorString(ret)); return -ECANCELED; } fipsEntry(); ret = wolfCrypt_GetStatus_fips(); if (ret != 0) { - pr_err("wolfCrypt_GetStatus_fips() failed with code %d: %s\n", ret, wc_GetErrorString(ret)); + pr_err("ERROR: wolfCrypt_GetStatus_fips() failed with code %d: %s\n", ret, wc_GetErrorString(ret)); if (ret == WC_NO_ERR_TRACE(IN_CORE_FIPS_E)) { const char *newhash = wolfCrypt_GetCoreHash_fips(); pr_err("Update verifyCore[] in fips_test.c with new hash \"%s\" and rebuild.\n", @@ -290,7 +262,7 @@ static int wolfssl_init(void) #ifdef WC_RNG_SEED_CB ret = wc_SetSeed_Cb(wc_GenerateSeed); if (ret < 0) { - pr_err("wc_SetSeed_Cb() failed with return code %d.\n", ret); + pr_err("ERROR: wc_SetSeed_Cb() failed with return code %d.\n", ret); (void)libwolfssl_cleanup(); msleep(10); return -ECANCELED; @@ -300,13 +272,13 @@ static int wolfssl_init(void) #ifdef WOLFCRYPT_ONLY ret = wolfCrypt_Init(); if (ret != 0) { - pr_err("wolfCrypt_Init() failed: %s\n", wc_GetErrorString(ret)); + pr_err("ERROR: wolfCrypt_Init() failed: %s\n", wc_GetErrorString(ret)); return -ECANCELED; } #else ret = wolfSSL_Init(); if (ret != WOLFSSL_SUCCESS) { - pr_err("wolfSSL_Init() failed: %s\n", wc_GetErrorString(ret)); + pr_err("ERROR: wolfSSL_Init() failed: %s\n", wc_GetErrorString(ret)); return -ECANCELED; } #endif @@ -314,7 +286,7 @@ static int wolfssl_init(void) #if defined(HAVE_FIPS) && FIPS_VERSION3_GT(5,2,0) ret = wc_RunAllCast_fips(); if (ret != 0) { - pr_err("wc_RunAllCast_fips() failed with return value %d\n", ret); + pr_err("ERROR: wc_RunAllCast_fips() failed with return value %d\n", ret); return -ECANCELED; } @@ -348,7 +320,7 @@ static int wolfssl_init(void) #ifndef NO_CRYPT_TEST ret = wolfcrypt_test(NULL); if (ret < 0) { - pr_err("wolfcrypt self-test failed with return code %d.\n", ret); + pr_err("ERROR: wolfcrypt self-test failed with return code %d.\n", ret); (void)libwolfssl_cleanup(); msleep(10); return -ECANCELED; @@ -366,7 +338,7 @@ static int wolfssl_init(void) ret = linuxkm_lkcapi_sysfs_install(); if (ret) { - pr_err("linuxkm_lkcapi_sysfs_install() failed with return code %d.\n", ret); + pr_err("ERROR: linuxkm_lkcapi_sysfs_install() failed with return code %d.\n", ret); (void)libwolfssl_cleanup(); msleep(10); return -ECANCELED; @@ -375,7 +347,7 @@ static int wolfssl_init(void) ret = linuxkm_lkcapi_register(); if (ret) { - pr_err("linuxkm_lkcapi_register() failed with return code %d.\n", ret); + pr_err("ERROR: linuxkm_lkcapi_register() failed with return code %d.\n", ret); linuxkm_lkcapi_unregister(); (void)libwolfssl_cleanup(); msleep(10); @@ -426,6 +398,8 @@ static void wolfssl_exit(void) #endif { #ifdef HAVE_FIPS + int ret; + (void)linuxkm_lkcapi_sysfs_deinstall_node(&FIPS_rerun_self_test_attr, &installed_sysfs_FIPS_files); #endif @@ -434,6 +408,15 @@ static void wolfssl_exit(void) (void)linuxkm_lkcapi_sysfs_deinstall(); #endif +#ifdef HAVE_FIPS + ret = wc_RunAllCast_fips(); + if (ret != 0) { + pr_err("ERROR: wc_RunAllCast_fips() failed at shutdown with return value %d\n", ret); + } + else + pr_info("wolfCrypt FIPS re-self-test succeeded at unload: all algorithms re-verified."); +#endif + (void)libwolfssl_cleanup(); return; @@ -527,17 +510,20 @@ static int set_up_wolfssl_linuxkm_pie_redirect_table(void) { wolfssl_linuxkm_pie_redirect_table.kzalloc_noprof = kzalloc_noprof; wolfssl_linuxkm_pie_redirect_table.__kvmalloc_node_noprof = __kvmalloc_node_noprof; wolfssl_linuxkm_pie_redirect_table.__kmalloc_cache_noprof = __kmalloc_cache_noprof; + wolfssl_linuxkm_pie_redirect_table.kvrealloc_noprof = kvrealloc_noprof; #elif LINUX_VERSION_CODE >= KERNEL_VERSION(6, 10, 0) wolfssl_linuxkm_pie_redirect_table.kmalloc_noprof = kmalloc_noprof; wolfssl_linuxkm_pie_redirect_table.krealloc_noprof = krealloc_noprof; wolfssl_linuxkm_pie_redirect_table.kzalloc_noprof = kzalloc_noprof; wolfssl_linuxkm_pie_redirect_table.kvmalloc_node_noprof = kvmalloc_node_noprof; wolfssl_linuxkm_pie_redirect_table.kmalloc_trace_noprof = kmalloc_trace_noprof; + wolfssl_linuxkm_pie_redirect_table.kvrealloc_noprof = kvrealloc_noprof; #else wolfssl_linuxkm_pie_redirect_table.kmalloc = kmalloc; wolfssl_linuxkm_pie_redirect_table.krealloc = krealloc; #ifdef HAVE_KVMALLOC wolfssl_linuxkm_pie_redirect_table.kvmalloc_node = kvmalloc_node; + wolfssl_linuxkm_pie_redirect_table.kvrealloc = kvrealloc; #endif #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0) wolfssl_linuxkm_pie_redirect_table.kmalloc_trace = @@ -555,7 +541,6 @@ static int set_up_wolfssl_linuxkm_pie_redirect_table(void) { #ifdef HAVE_KVMALLOC wolfssl_linuxkm_pie_redirect_table.kvfree = kvfree; #endif - wolfssl_linuxkm_pie_redirect_table.is_vmalloc_addr = is_vmalloc_addr; wolfssl_linuxkm_pie_redirect_table.get_random_bytes = get_random_bytes; #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0) @@ -711,7 +696,7 @@ static int set_up_wolfssl_linuxkm_pie_redirect_table(void) { i < (unsigned long *)&wolfssl_linuxkm_pie_redirect_table._last_slot; ++i) if (*i == 0) { - pr_err("wolfCrypt container redirect table initialization was " + pr_err("ERROR: wolfCrypt container redirect table initialization was " "incomplete [%lu].\n", i-(unsigned long *)&wolfssl_linuxkm_pie_redirect_table); return -EFAULT; @@ -798,11 +783,11 @@ static int updateFipsHash(void) word32 base16_out_len = binCoreSz; ret = Base16_Decode((const byte *)coreKey, sizeof coreKey - 1, binCoreKey, &base16_out_len); if (ret != 0) { - pr_err("Base16_Decode for coreKey: %s\n", wc_GetErrorString(ret)); + pr_err("ERROR: Base16_Decode for coreKey: %s\n", wc_GetErrorString(ret)); goto out; } if (base16_out_len != binCoreSz) { - pr_err("unexpected output length %u for coreKey from Base16_Decode.\n",base16_out_len); + pr_err("ERROR: unexpected output length %u for coreKey from Base16_Decode.\n",base16_out_len); ret = BAD_STATE_E; goto out; } @@ -811,14 +796,14 @@ static int updateFipsHash(void) tfm = crypto_alloc_shash("hmac(sha256)", 0, 0); if (IS_ERR(tfm)) { if (PTR_ERR(tfm) == -ENOMEM) { - pr_err("crypto_alloc_shash failed: out of memory\n"); + pr_err("ERROR: crypto_alloc_shash failed: out of memory\n"); ret = MEMORY_E; } else if (PTR_ERR(tfm) == -ENOENT) { - pr_err("crypto_alloc_shash failed: kernel is missing hmac(sha256) implementation\n"); - pr_err("check for CONFIG_CRYPTO_SHA256 and CONFIG_CRYPTO_HMAC.\n"); + pr_err("ERROR: crypto_alloc_shash failed: kernel is missing hmac(sha256) implementation\n"); + pr_err("ERROR: check for CONFIG_CRYPTO_SHA256 and CONFIG_CRYPTO_HMAC.\n"); ret = NOT_COMPILED_IN; } else { - pr_err("crypto_alloc_shash failed with ret %ld\n",PTR_ERR(tfm)); + pr_err("ERROR: crypto_alloc_shash failed with ret %ld\n",PTR_ERR(tfm)); ret = HASH_TYPE_E; } tfm = NULL; @@ -829,7 +814,7 @@ static int updateFipsHash(void) size_t desc_size = crypto_shash_descsize(tfm) + sizeof *desc; desc = XMALLOC(desc_size, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (desc == NULL) { - pr_err("failed allocating desc."); + pr_err("ERROR: failed allocating desc."); ret = MEMORY_E; goto out; } @@ -838,7 +823,7 @@ static int updateFipsHash(void) ret = crypto_shash_setkey(tfm, binCoreKey, binCoreSz); if (ret) { - pr_err("crypto_ahash_setkey failed: err %d\n", ret); + pr_err("ERROR: crypto_ahash_setkey failed: err %d\n", ret); ret = BAD_STATE_E; goto out; } @@ -846,7 +831,7 @@ static int updateFipsHash(void) desc->tfm = tfm; ret = crypto_shash_init(desc); if (ret) { - pr_err("crypto_shash_init failed: err %d\n", ret); + pr_err("ERROR: crypto_shash_init failed: err %d\n", ret); ret = BAD_STATE_E; goto out; } @@ -855,7 +840,7 @@ static int updateFipsHash(void) ret = crypto_shash_update(desc, (byte *)(wc_ptr_t)first, (word32)code_sz); if (ret) { - pr_err("crypto_shash_update failed: err %d\n", ret); + pr_err("ERROR: crypto_shash_update failed: err %d\n", ret); ret = BAD_STATE_E; goto out; } @@ -865,7 +850,7 @@ static int updateFipsHash(void) data_sz = (unsigned long)verifyCore - (unsigned long)start; ret = crypto_shash_update(desc, (byte*)start, (word32)data_sz); if (ret) { - pr_err("crypto_shash_update failed: err %d\n", ret); + pr_err("ERROR: crypto_shash_update failed: err %d\n", ret); ret = BAD_STATE_E; goto out; } @@ -874,7 +859,7 @@ static int updateFipsHash(void) } ret = crypto_shash_update(desc, (byte*)start, (word32)data_sz); if (ret) { - pr_err("crypto_shash_update failed: err %d\n", ret); + pr_err("ERROR: crypto_shash_update failed: err %d\n", ret); ret = BAD_STATE_E; goto out; } @@ -883,14 +868,14 @@ static int updateFipsHash(void) ret = crypto_shash_final(desc, hash); if (ret) { - pr_err("crypto_shash_final failed: err %d\n", ret); + pr_err("ERROR: crypto_shash_final failed: err %d\n", ret); ret = BAD_STATE_E; goto out; } ret = GenBase16_Hash(hash, WC_SHA256_DIGEST_SIZE, base16_hash, WC_SHA256_DIGEST_SIZE*2 + 1); if (ret != 0) { - pr_err("GenBase16_Hash failed: %s\n", wc_GetErrorString(ret)); + pr_err("ERROR: GenBase16_Hash failed: %s\n", wc_GetErrorString(ret)); goto out; } @@ -898,11 +883,11 @@ static int updateFipsHash(void) word32 base16_out_len = verifySz; ret = Base16_Decode((const byte *)verifyCore, sizeof verifyCore - 1, binVerify, &base16_out_len); if (ret != 0) { - pr_err("Base16_Decode for verifyCore: %s\n", wc_GetErrorString(ret)); + pr_err("ERROR: Base16_Decode for verifyCore: %s\n", wc_GetErrorString(ret)); goto out; } if (base16_out_len != binCoreSz) { - pr_err("unexpected output length %u for verifyCore from Base16_Decode.\n",base16_out_len); + pr_err("ERROR: unexpected output length %u for verifyCore from Base16_Decode.\n",base16_out_len); ret = BAD_STATE_E; goto out; } @@ -958,13 +943,13 @@ static ssize_t FIPS_rerun_self_test_handler(struct kobject *kobj, struct kobj_at ret = wolfCrypt_IntegrityTest_fips(); if (ret != 0) { - pr_err("wolfCrypt_IntegrityTest_fips: error %d", ret); + pr_err("ERROR: wolfCrypt_IntegrityTest_fips: error %d", ret); return -EINVAL; } ret = wolfCrypt_GetStatus_fips(); if (ret != 0) { - pr_err("wolfCrypt_GetStatus_fips() failed with code %d: %s\n", ret, wc_GetErrorString(ret)); + pr_err("ERROR: wolfCrypt_GetStatus_fips() failed with code %d: %s\n", ret, wc_GetErrorString(ret)); if (ret == WC_NO_ERR_TRACE(IN_CORE_FIPS_E)) return -ELIBBAD; else @@ -973,7 +958,7 @@ static ssize_t FIPS_rerun_self_test_handler(struct kobject *kobj, struct kobj_at ret = wc_RunAllCast_fips(); if (ret != 0) { - pr_err("wc_RunAllCast_fips() failed with return value %d\n", ret); + pr_err("ERROR: wc_RunAllCast_fips() failed with return value %d\n", ret); return -EINVAL; } diff --git a/linuxkm/wolfcrypt.lds b/linuxkm/wolfcrypt.lds new file mode 100644 index 000000000..4db5774b2 --- /dev/null +++ b/linuxkm/wolfcrypt.lds @@ -0,0 +1,19 @@ +SECTIONS { + . = ALIGN(4096); + .text.wolfcrypt : { + *(.text.wolfcrypt) + } + . = ALIGN(4096); + .rodata.wolfcrypt : { + *(.rodata.wolfcrypt) + } + . = ALIGN(4096); + .data.wolfcrypt : { + *(.data.wolfcrypt) + } + . = ALIGN(4096); + .bss.wolfcrypt : { + *(.bss.wolfcrypt) + } + . = ALIGN(4096); +} diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 1b463b616..776d00f67 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -14288,8 +14288,15 @@ static int GetHashId(const byte* id, int length, byte* hash, int hashAlg) *((byte*)(((byte *)(cert)) + certNameSubject[(id) - 3].enc)) = (val) /* Get the string of a name component from the subject name. */ -#define GetCertNameSubjectStr(id) \ - (certNameSubject[(id) - 3].str) +#ifdef WOLFSSL_NAMES_STATIC + #define GetCertNameSubjectStr(id) \ + ((certNameSubject[(id) - 3].strLen) ? \ + (certNameSubject[(id) - 3].str) : \ + NULL) +#else + #define GetCertNameSubjectStr(id) \ + (certNameSubject[(id) - 3].str) +#endif /* Get the string length of a name component from the subject name. */ #define GetCertNameSubjectStrLen(id) \ (certNameSubject[(id) - 3].strLen) @@ -14315,7 +14322,13 @@ static int GetHashId(const byte* id, int length, byte* hash, int hashAlg) /* Mapping of certificate name component to useful information. */ typedef struct CertNameData { /* Type string of name component. */ +#ifdef WOLFSSL_NAMES_STATIC + const char str[20]; + #define EMPTY_STR { 0 } +#else const char* str; + #define EMPTY_STR NULL +#endif /* Length of type string of name component. */ byte strLen; #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) @@ -14497,7 +14510,7 @@ static const CertNameData certNameSubject[] = { }, /* Title */ { - NULL, 0, + EMPTY_STR, 0, #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) 0, 0, @@ -14514,7 +14527,7 @@ static const CertNameData certNameSubject[] = { }, /* Undefined */ { - NULL, 0, + EMPTY_STR, 0, #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) 0, 0, @@ -14531,7 +14544,7 @@ static const CertNameData certNameSubject[] = { }, /* Undefined */ { - NULL, 0, + EMPTY_STR, 0, #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) 0, 0, @@ -14565,7 +14578,7 @@ static const CertNameData certNameSubject[] = { }, /* Undefined */ { - NULL, 0, + EMPTY_STR, 0, #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) 0, 0, @@ -26135,102 +26148,102 @@ void wc_FreeDer(DerBuffer** pDer) /* Note: If items added make sure MAX_X509_HEADER_SZ is updated to reflect maximum length and pem_struct_min_sz to reflect minimum size */ -wcchar BEGIN_CERT = "-----BEGIN CERTIFICATE-----"; -wcchar END_CERT = "-----END CERTIFICATE-----"; +static wcchar BEGIN_CERT = "-----BEGIN CERTIFICATE-----"; +static wcchar END_CERT = "-----END CERTIFICATE-----"; #ifdef WOLFSSL_CERT_REQ - wcchar BEGIN_CERT_REQ = "-----BEGIN CERTIFICATE REQUEST-----"; - wcchar END_CERT_REQ = "-----END CERTIFICATE REQUEST-----"; + static wcchar BEGIN_CERT_REQ = "-----BEGIN CERTIFICATE REQUEST-----"; + static wcchar END_CERT_REQ = "-----END CERTIFICATE REQUEST-----"; #endif #if defined(WOLFSSL_ACERT) - wcchar BEGIN_ACERT = "-----BEGIN ATTRIBUTE CERTIFICATE-----"; - wcchar END_ACERT = "-----END ATTRIBUTE CERTIFICATE-----"; + static wcchar BEGIN_ACERT = "-----BEGIN ATTRIBUTE CERTIFICATE-----"; + static wcchar END_ACERT = "-----END ATTRIBUTE CERTIFICATE-----"; #endif /* WOLFSSL_ACERT */ #ifndef NO_DH - wcchar BEGIN_DH_PARAM = "-----BEGIN DH PARAMETERS-----"; - wcchar END_DH_PARAM = "-----END DH PARAMETERS-----"; - wcchar BEGIN_X942_PARAM = "-----BEGIN X9.42 DH PARAMETERS-----"; - wcchar END_X942_PARAM = "-----END X9.42 DH PARAMETERS-----"; + static wcchar BEGIN_DH_PARAM = "-----BEGIN DH PARAMETERS-----"; + static wcchar END_DH_PARAM = "-----END DH PARAMETERS-----"; + static wcchar BEGIN_X942_PARAM = "-----BEGIN X9.42 DH PARAMETERS-----"; + static wcchar END_X942_PARAM = "-----END X9.42 DH PARAMETERS-----"; #endif #ifndef NO_DSA - wcchar BEGIN_DSA_PARAM = "-----BEGIN DSA PARAMETERS-----"; - wcchar END_DSA_PARAM = "-----END DSA PARAMETERS-----"; + static wcchar BEGIN_DSA_PARAM = "-----BEGIN DSA PARAMETERS-----"; + static wcchar END_DSA_PARAM = "-----END DSA PARAMETERS-----"; #endif -wcchar BEGIN_X509_CRL = "-----BEGIN X509 CRL-----"; -wcchar END_X509_CRL = "-----END X509 CRL-----"; -wcchar BEGIN_TRUSTED_CERT = "-----BEGIN TRUSTED CERTIFICATE-----"; -wcchar END_TRUSTED_CERT = "-----END TRUSTED CERTIFICATE-----"; -wcchar BEGIN_RSA_PRIV = "-----BEGIN RSA PRIVATE KEY-----"; -wcchar END_RSA_PRIV = "-----END RSA PRIVATE KEY-----"; -wcchar BEGIN_RSA_PUB = "-----BEGIN RSA PUBLIC KEY-----"; -wcchar END_RSA_PUB = "-----END RSA PUBLIC KEY-----"; -wcchar BEGIN_PRIV_KEY = "-----BEGIN PRIVATE KEY-----"; -wcchar END_PRIV_KEY = "-----END PRIVATE KEY-----"; -wcchar BEGIN_ENC_PRIV_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----"; -wcchar END_ENC_PRIV_KEY = "-----END ENCRYPTED PRIVATE KEY-----"; +static wcchar BEGIN_X509_CRL = "-----BEGIN X509 CRL-----"; +static wcchar END_X509_CRL = "-----END X509 CRL-----"; +static wcchar BEGIN_TRUSTED_CERT = "-----BEGIN TRUSTED CERTIFICATE-----"; +static wcchar END_TRUSTED_CERT = "-----END TRUSTED CERTIFICATE-----"; +static wcchar BEGIN_RSA_PRIV = "-----BEGIN RSA PRIVATE KEY-----"; +static wcchar END_RSA_PRIV = "-----END RSA PRIVATE KEY-----"; +static wcchar BEGIN_RSA_PUB = "-----BEGIN RSA PUBLIC KEY-----"; +static wcchar END_RSA_PUB = "-----END RSA PUBLIC KEY-----"; +static wcchar BEGIN_PRIV_KEY = "-----BEGIN PRIVATE KEY-----"; +static wcchar END_PRIV_KEY = "-----END PRIVATE KEY-----"; +static wcchar BEGIN_ENC_PRIV_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----"; +static wcchar END_ENC_PRIV_KEY = "-----END ENCRYPTED PRIVATE KEY-----"; #ifdef HAVE_ECC - wcchar BEGIN_EC_PRIV = "-----BEGIN EC PRIVATE KEY-----"; - wcchar END_EC_PRIV = "-----END EC PRIVATE KEY-----"; + static wcchar BEGIN_EC_PRIV = "-----BEGIN EC PRIVATE KEY-----"; + static wcchar END_EC_PRIV = "-----END EC PRIVATE KEY-----"; #ifdef OPENSSL_EXTRA - wcchar BEGIN_EC_PARAM = "-----BEGIN EC PARAMETERS-----"; - wcchar END_EC_PARAM = "-----END EC PARAMETERS-----"; + static wcchar BEGIN_EC_PARAM = "-----BEGIN EC PARAMETERS-----"; + static wcchar END_EC_PARAM = "-----END EC PARAMETERS-----"; #endif #endif #ifdef HAVE_PKCS7 -wcchar BEGIN_PKCS7 = "-----BEGIN PKCS7-----"; -wcchar END_PKCS7 = "-----END PKCS7-----"; +static wcchar BEGIN_PKCS7 = "-----BEGIN PKCS7-----"; +static wcchar END_PKCS7 = "-----END PKCS7-----"; #endif #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) || \ !defined(NO_DSA) - wcchar BEGIN_DSA_PRIV = "-----BEGIN DSA PRIVATE KEY-----"; - wcchar END_DSA_PRIV = "-----END DSA PRIVATE KEY-----"; + static wcchar BEGIN_DSA_PRIV = "-----BEGIN DSA PRIVATE KEY-----"; + static wcchar END_DSA_PRIV = "-----END DSA PRIVATE KEY-----"; #endif #ifdef OPENSSL_EXTRA - const char BEGIN_PRIV_KEY_PREFIX[] = "-----BEGIN"; - const char PRIV_KEY_SUFFIX[] = "PRIVATE KEY-----"; - const char END_PRIV_KEY_PREFIX[] = "-----END"; + wcchar BEGIN_PRIV_KEY_PREFIX = "-----BEGIN"; + wcchar PRIV_KEY_SUFFIX = "PRIVATE KEY-----"; + wcchar END_PRIV_KEY_PREFIX = "-----END"; #endif -wcchar BEGIN_PUB_KEY = "-----BEGIN PUBLIC KEY-----"; -wcchar END_PUB_KEY = "-----END PUBLIC KEY-----"; +static wcchar BEGIN_PUB_KEY = "-----BEGIN PUBLIC KEY-----"; +static wcchar END_PUB_KEY = "-----END PUBLIC KEY-----"; #if defined(HAVE_ED25519) || defined(HAVE_ED448) - wcchar BEGIN_EDDSA_PRIV = "-----BEGIN EDDSA PRIVATE KEY-----"; - wcchar END_EDDSA_PRIV = "-----END EDDSA PRIVATE KEY-----"; + static wcchar BEGIN_EDDSA_PRIV = "-----BEGIN EDDSA PRIVATE KEY-----"; + static wcchar END_EDDSA_PRIV = "-----END EDDSA PRIVATE KEY-----"; #endif #if defined(HAVE_FALCON) - wcchar BEGIN_FALCON_LEVEL1_PRIV = "-----BEGIN FALCON_LEVEL1 PRIVATE KEY-----"; - wcchar END_FALCON_LEVEL1_PRIV = "-----END FALCON_LEVEL1 PRIVATE KEY-----"; - wcchar BEGIN_FALCON_LEVEL5_PRIV = "-----BEGIN FALCON_LEVEL5 PRIVATE KEY-----"; - wcchar END_FALCON_LEVEL5_PRIV = "-----END FALCON_LEVEL5 PRIVATE KEY-----"; + static wcchar BEGIN_FALCON_LEVEL1_PRIV = "-----BEGIN FALCON_LEVEL1 PRIVATE KEY-----"; + static wcchar END_FALCON_LEVEL1_PRIV = "-----END FALCON_LEVEL1 PRIVATE KEY-----"; + static wcchar BEGIN_FALCON_LEVEL5_PRIV = "-----BEGIN FALCON_LEVEL5 PRIVATE KEY-----"; + static wcchar END_FALCON_LEVEL5_PRIV = "-----END FALCON_LEVEL5 PRIVATE KEY-----"; #endif /* HAVE_FALCON */ #if defined(HAVE_DILITHIUM) #ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT - wcchar BEGIN_DILITHIUM_LEVEL2_PRIV = "-----BEGIN DILITHIUM_LEVEL2 PRIVATE KEY-----"; - wcchar END_DILITHIUM_LEVEL2_PRIV = "-----END DILITHIUM_LEVEL2 PRIVATE KEY-----"; - wcchar BEGIN_DILITHIUM_LEVEL3_PRIV = "-----BEGIN DILITHIUM_LEVEL3 PRIVATE KEY-----"; - wcchar END_DILITHIUM_LEVEL3_PRIV = "-----END DILITHIUM_LEVEL3 PRIVATE KEY-----"; - wcchar BEGIN_DILITHIUM_LEVEL5_PRIV = "-----BEGIN DILITHIUM_LEVEL5 PRIVATE KEY-----"; - wcchar END_DILITHIUM_LEVEL5_PRIV = "-----END DILITHIUM_LEVEL5 PRIVATE KEY-----"; + static wcchar BEGIN_DILITHIUM_LEVEL2_PRIV = "-----BEGIN DILITHIUM_LEVEL2 PRIVATE KEY-----"; + static wcchar END_DILITHIUM_LEVEL2_PRIV = "-----END DILITHIUM_LEVEL2 PRIVATE KEY-----"; + static wcchar BEGIN_DILITHIUM_LEVEL3_PRIV = "-----BEGIN DILITHIUM_LEVEL3 PRIVATE KEY-----"; + static wcchar END_DILITHIUM_LEVEL3_PRIV = "-----END DILITHIUM_LEVEL3 PRIVATE KEY-----"; + static wcchar BEGIN_DILITHIUM_LEVEL5_PRIV = "-----BEGIN DILITHIUM_LEVEL5 PRIVATE KEY-----"; + static wcchar END_DILITHIUM_LEVEL5_PRIV = "-----END DILITHIUM_LEVEL5 PRIVATE KEY-----"; #endif - wcchar BEGIN_ML_DSA_LEVEL2_PRIV = "-----BEGIN ML_DSA_LEVEL2 PRIVATE KEY-----"; - wcchar END_ML_DSA_LEVEL2_PRIV = "-----END ML_DSA_LEVEL2 PRIVATE KEY-----"; - wcchar BEGIN_ML_DSA_LEVEL3_PRIV = "-----BEGIN ML_DSA_LEVEL3 PRIVATE KEY-----"; - wcchar END_ML_DSA_LEVEL3_PRIV = "-----END ML_DSA_LEVEL3 PRIVATE KEY-----"; - wcchar BEGIN_ML_DSA_LEVEL5_PRIV = "-----BEGIN ML_DSA_LEVEL5 PRIVATE KEY-----"; - wcchar END_ML_DSA_LEVEL5_PRIV = "-----END ML_DSA_LEVEL5 PRIVATE KEY-----"; + static wcchar BEGIN_ML_DSA_LEVEL2_PRIV = "-----BEGIN ML_DSA_LEVEL2 PRIVATE KEY-----"; + static wcchar END_ML_DSA_LEVEL2_PRIV = "-----END ML_DSA_LEVEL2 PRIVATE KEY-----"; + static wcchar BEGIN_ML_DSA_LEVEL3_PRIV = "-----BEGIN ML_DSA_LEVEL3 PRIVATE KEY-----"; + static wcchar END_ML_DSA_LEVEL3_PRIV = "-----END ML_DSA_LEVEL3 PRIVATE KEY-----"; + static wcchar BEGIN_ML_DSA_LEVEL5_PRIV = "-----BEGIN ML_DSA_LEVEL5 PRIVATE KEY-----"; + static wcchar END_ML_DSA_LEVEL5_PRIV = "-----END ML_DSA_LEVEL5 PRIVATE KEY-----"; #endif /* HAVE_DILITHIUM */ #if defined(HAVE_SPHINCS) - wcchar BEGIN_SPHINCS_FAST_LEVEL1_PRIV = "-----BEGIN SPHINCS_FAST_LEVEL1 PRIVATE KEY-----"; - wcchar END_SPHINCS_FAST_LEVEL1_PRIV = "-----END SPHINCS_FAST_LEVEL1 PRIVATE KEY-----"; - wcchar BEGIN_SPHINCS_FAST_LEVEL3_PRIV = "-----BEGIN SPHINCS_FAST_LEVEL3 PRIVATE KEY-----"; - wcchar END_SPHINCS_FAST_LEVEL3_PRIV = "-----END SPHINCS_FAST_LEVEL3 PRIVATE KEY-----"; - wcchar BEGIN_SPHINCS_FAST_LEVEL5_PRIV = "-----BEGIN SPHINCS_FAST_LEVEL5 PRIVATE KEY-----"; - wcchar END_SPHINCS_FAST_LEVEL5_PRIV = "-----END SPHINCS_FAST_LEVEL5 PRIVATE KEY-----"; + static wcchar BEGIN_SPHINCS_FAST_LEVEL1_PRIV = "-----BEGIN SPHINCS_FAST_LEVEL1 PRIVATE KEY-----"; + static wcchar END_SPHINCS_FAST_LEVEL1_PRIV = "-----END SPHINCS_FAST_LEVEL1 PRIVATE KEY-----"; + static wcchar BEGIN_SPHINCS_FAST_LEVEL3_PRIV = "-----BEGIN SPHINCS_FAST_LEVEL3 PRIVATE KEY-----"; + static wcchar END_SPHINCS_FAST_LEVEL3_PRIV = "-----END SPHINCS_FAST_LEVEL3 PRIVATE KEY-----"; + static wcchar BEGIN_SPHINCS_FAST_LEVEL5_PRIV = "-----BEGIN SPHINCS_FAST_LEVEL5 PRIVATE KEY-----"; + static wcchar END_SPHINCS_FAST_LEVEL5_PRIV = "-----END SPHINCS_FAST_LEVEL5 PRIVATE KEY-----"; - wcchar BEGIN_SPHINCS_SMALL_LEVEL1_PRIV = "-----BEGIN SPHINCS_SMALL_LEVEL1 PRIVATE KEY-----"; - wcchar END_SPHINCS_SMALL_LEVEL1_PRIV = "-----END SPHINCS_SMALL_LEVEL1 PRIVATE KEY-----"; - wcchar BEGIN_SPHINCS_SMALL_LEVEL3_PRIV = "-----BEGIN SPHINCS_SMALL_LEVEL3 PRIVATE KEY-----"; - wcchar END_SPHINCS_SMALL_LEVEL3_PRIV = "-----END SPHINCS_SMALL_LEVEL3 PRIVATE KEY-----"; - wcchar BEGIN_SPHINCS_SMALL_LEVEL5_PRIV = "-----BEGIN SPHINCS_SMALL_LEVEL5 PRIVATE KEY-----"; - wcchar END_SPHINCS_SMALL_LEVEL5_PRIV = "-----END SPHINCS_SMALL_LEVEL5 PRIVATE KEY-----"; + static wcchar BEGIN_SPHINCS_SMALL_LEVEL1_PRIV = "-----BEGIN SPHINCS_SMALL_LEVEL1 PRIVATE KEY-----"; + static wcchar END_SPHINCS_SMALL_LEVEL1_PRIV = "-----END SPHINCS_SMALL_LEVEL1 PRIVATE KEY-----"; + static wcchar BEGIN_SPHINCS_SMALL_LEVEL3_PRIV = "-----BEGIN SPHINCS_SMALL_LEVEL3 PRIVATE KEY-----"; + static wcchar END_SPHINCS_SMALL_LEVEL3_PRIV = "-----END SPHINCS_SMALL_LEVEL3 PRIVATE KEY-----"; + static wcchar BEGIN_SPHINCS_SMALL_LEVEL5_PRIV = "-----BEGIN SPHINCS_SMALL_LEVEL5 PRIVATE KEY-----"; + static wcchar END_SPHINCS_SMALL_LEVEL5_PRIV = "-----END SPHINCS_SMALL_LEVEL5 PRIVATE KEY-----"; #endif /* HAVE_SPHINCS */ const int pem_struct_min_sz = XSTR_SIZEOF("-----BEGIN X509 CRL-----" diff --git a/wolfcrypt/src/wc_xmss.c b/wolfcrypt/src/wc_xmss.c index 51b308bea..311636f6c 100644 --- a/wolfcrypt/src/wc_xmss.c +++ b/wolfcrypt/src/wc_xmss.c @@ -149,7 +149,11 @@ static WC_INLINE void wc_xmss_state_free(XmssState* state) */ typedef struct wc_XmssString { /* Name of algorithm as a string. */ +#ifdef WOLFSSL_NAMES_STATIC + const char str[32]; +#else const char* str; +#endif /* OID for algorithm. */ word32 oid; /* XMSS parameters. */ diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index fb09637c5..60091c6df 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -3694,8 +3694,11 @@ extern void uITRON4_free(void *p) ; #ifndef WOLFSSL_SP_DIV_WORD_HALF #define WOLFSSL_SP_DIV_WORD_HALF #endif - #ifdef __PIE__ + + #ifdef HAVE_LINUXKM_PIE_SUPPORT #define WC_NO_INTERNAL_FUNCTION_POINTERS + #define WOLFSSL_ECC_CURVE_STATIC + #define WOLFSSL_NAMES_STATIC #endif #ifndef NO_OLD_WC_NAMES @@ -4089,7 +4092,6 @@ extern void uITRON4_free(void *p) ; #if defined(__IAR_SYSTEMS_ICC__) && defined(__ROPI__) #define WOLFSSL_ECC_CURVE_STATIC #define WOLFSSL_NAMES_STATIC - #define WOLFSSL_NO_CONSTCHARCONST #endif /* FIPS v1 does not support TLS v1.3 (requires RSA PSS and HKDF) */ diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index 2c2254c65..c596d9693 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h @@ -111,13 +111,7 @@ library files. typedef byte word24[3]; #endif - -/* constant pointer to a constant char */ -#ifdef WOLFSSL_NO_CONSTCHARCONST - typedef const char* wcchar; -#else - typedef const char* const wcchar; -#endif +typedef const char wcchar[]; #ifndef WC_BITFIELD #ifdef WOLF_C89 diff --git a/wolfssl/wolfcrypt/wc_lms.h b/wolfssl/wolfcrypt/wc_lms.h index a4880a95d..73f121e56 100644 --- a/wolfssl/wolfcrypt/wc_lms.h +++ b/wolfssl/wolfcrypt/wc_lms.h @@ -384,7 +384,11 @@ typedef struct wc_LmsParamsMap { /* Identifier of parameters. */ enum wc_LmsParm id; /* String representation of identifier of parameters. */ +#ifdef WOLFSSL_NAMES_STATIC + const char str[32]; +#else const char* str; +#endif /* LMS parameter set. */ LmsParams params; } wc_LmsParamsMap; From 01e881576259a29fad3719997f43beaded8cb2e1 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Wed, 9 Jul 2025 18:22:01 -0500 Subject: [PATCH 3/4] wolfssl/wolfcrypt/settings.h: add #define WOLFSSL_NO_PUBLIC_FFDHE and #undef HAVE_PUBLIC_FFDHE to WOLFSSL_LINUXKM setup to avoid .data.rel.ro.local functions in dh.c; linuxkm/linuxkm_wc_port.h: only use kvrealloc() on kernel >=6.11 -- the version in 5.15-6.10 is incompatible (oldsize arg). also, restore use of kvmalloc on 4.12+, but with XREALLOC undefined, suitable for cryptonly modules; add #include even on __PIE__ objects to make cond_sched() available; wolfcrypt/src/asn.c: harmonize gate around definitions of BEGIN_DSA_PRIV and END_DSA_PRIV; wolfcrypt/src/asn.c: in EccSpecifiedECDomainDecode(), work around "const char[]" types in WOLFSSL_ECC_CURVE_STATIC struct ecc_set_type on FIPS <6; wolfcrypt/src/asn.c, wolfcrypt/src/wc_xmss.c, wolfssl/wolfcrypt/wc_lms.h: add comments to new WOLFSSL_NAMES_STATIC slots explaining where the size comes from. --- linuxkm/linuxkm_wc_port.h | 30 +++++++++++++++++++++++------- linuxkm/module_hooks.c | 2 ++ wolfcrypt/src/asn.c | 19 ++++++++++--------- wolfcrypt/src/wc_xmss.c | 4 +++- wolfssl/wolfcrypt/settings.h | 2 ++ wolfssl/wolfcrypt/wc_lms.h | 2 +- 6 files changed, 41 insertions(+), 18 deletions(-) diff --git a/linuxkm/linuxkm_wc_port.h b/linuxkm/linuxkm_wc_port.h index 6be606426..b1fbbe3bf 100644 --- a/linuxkm/linuxkm_wc_port.h +++ b/linuxkm/linuxkm_wc_port.h @@ -80,13 +80,16 @@ /* kvmalloc()/kvfree() and friends added in linux commit a7c3e901, merged for 4.12. * kvrealloc() added in de2860f463, merged for 5.15, backported to 5.10.137. * moved to ultimate home (slab.h) in 8587ca6f34, merged for 5.16. - + * + * however, until 6.11, it took an extra argument, oldsize, that makes it + * incompatible with traditional libc usage patterns, so we don't try to use it. */ - #if (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 15, 0)) || \ - ((LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 137)) && \ - (LINUX_VERSION_CODE < KERNEL_VERSION(5, 11, 90))) + #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 12, 0) #define HAVE_KVMALLOC #endif + #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 11, 0) + #define HAVE_KVREALLOC + #endif /* kernel printf doesn't implement fp. */ #ifndef WOLFSSL_NO_FLOAT_FMT @@ -306,6 +309,7 @@ #endif #include + #include #ifndef __PIE__ #ifndef SINGLE_THREADED @@ -637,12 +641,16 @@ typeof(kzalloc_noprof) *kzalloc_noprof; typeof(kvmalloc_node_noprof) *kvmalloc_node_noprof; typeof(kmalloc_trace_noprof) *kmalloc_trace_noprof; - typeof(kvrealloc_noprof) *kvrealloc_noprof; + #ifdef HAVE_KVREALLOC + typeof(kvrealloc_noprof) *kvrealloc_noprof; + #endif #else /* <6.10.0 */ typeof(kmalloc) *kmalloc; typeof(krealloc) *krealloc; #ifdef HAVE_KVMALLOC typeof(kvmalloc_node) *kvmalloc_node; + #endif + #ifdef HAVE_KVREALLOC typeof(kvrealloc) *kvrealloc; #endif #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0) @@ -879,6 +887,8 @@ #define kzalloc(size, flags) kmalloc(size, (flags) | __GFP_ZERO) #ifdef HAVE_KVMALLOC #define kvmalloc_node (wolfssl_linuxkm_get_pie_redirect_table()->kvmalloc_node) + #endif + #ifdef HAVE_KVREALLOC #define kvrealloc (wolfssl_linuxkm_get_pie_redirect_table()->kvrealloc) #endif #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0) @@ -1175,7 +1185,11 @@ #ifdef HAVE_KVMALLOC #define malloc(size) kvmalloc_node(WC_LINUXKM_ROUND_UP_P_OF_2(size), (preempt_count() == 0 ? GFP_KERNEL : GFP_ATOMIC), NUMA_NO_NODE) #define free(ptr) kvfree(ptr) - #define realloc(ptr, newsize) kvrealloc(ptr, WC_LINUXKM_ROUND_UP_P_OF_2(newsize), (preempt_count() == 0 ? GFP_KERNEL : GFP_ATOMIC)) + #ifdef HAVE_KVREALLOC + #define realloc(ptr, newsize) kvrealloc(ptr, WC_LINUXKM_ROUND_UP_P_OF_2(newsize), (preempt_count() == 0 ? GFP_KERNEL : GFP_ATOMIC)) + #else + #define realloc(ptr, newsize) ((void)(ptr), (void)(newsize), NULL) + #endif #else #define malloc(size) kmalloc(WC_LINUXKM_ROUND_UP_P_OF_2(size), (preempt_count() == 0 ? GFP_KERNEL : GFP_ATOMIC)) #define free(ptr) kfree(ptr) @@ -1204,7 +1218,9 @@ #else #define XFREE(p, h, t) ({void* _xp; (void)(h); (void)(t); _xp = (p); if(_xp) free(_xp);}) #endif - #define XREALLOC(p, n, h, t) ({(void)(h); (void)(t); realloc(p, n);}) + #if defined(HAVE_KVREALLOC) || !defined(HAVE_KVMALLOC) + #define XREALLOC(p, n, h, t) ({(void)(h); (void)(t); realloc(p, n);}) + #endif #endif #include diff --git a/linuxkm/module_hooks.c b/linuxkm/module_hooks.c index 5d0fe8079..5e30e1fec 100644 --- a/linuxkm/module_hooks.c +++ b/linuxkm/module_hooks.c @@ -523,6 +523,8 @@ static int set_up_wolfssl_linuxkm_pie_redirect_table(void) { wolfssl_linuxkm_pie_redirect_table.krealloc = krealloc; #ifdef HAVE_KVMALLOC wolfssl_linuxkm_pie_redirect_table.kvmalloc_node = kvmalloc_node; +#endif +#ifdef HAVE_KVREALLOC wolfssl_linuxkm_pie_redirect_table.kvrealloc = kvrealloc; #endif #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 776d00f67..eff679df5 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -14323,7 +14323,9 @@ static int GetHashId(const byte* id, int length, byte* hash, int hashAlg) typedef struct CertNameData { /* Type string of name component. */ #ifdef WOLFSSL_NAMES_STATIC - const char str[20]; + const char str[20]; /* large enough for largest string in certNameSubject[] + * below + */ #define EMPTY_STR { 0 } #else const char* str; @@ -26192,8 +26194,7 @@ static wcchar END_ENC_PRIV_KEY = "-----END ENCRYPTED PRIVATE KEY-----"; static wcchar BEGIN_PKCS7 = "-----BEGIN PKCS7-----"; static wcchar END_PKCS7 = "-----END PKCS7-----"; #endif -#if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) || \ - !defined(NO_DSA) +#if defined(HAVE_ECC) || !defined(NO_DSA) static wcchar BEGIN_DSA_PRIV = "-----BEGIN DSA PRIVATE KEY-----"; static wcchar END_DSA_PRIV = "-----END DSA PRIVATE KEY-----"; #endif @@ -35701,25 +35702,25 @@ static int EccSpecifiedECDomainDecode(const byte* input, word32 inSz, #else if (ret == 0) { /* Base X-ordinate */ - DataToHexString(base + 1, (word32)curve->size, curve->Gx); + DataToHexString(base + 1, (word32)curve->size, (char *)curve->Gx); /* Base Y-ordinate */ - DataToHexString(base + 1 + curve->size, (word32)curve->size, curve->Gy); + DataToHexString(base + 1 + curve->size, (word32)curve->size, (char *)curve->Gy); /* Prime */ DataToHexString(dataASN[ECCSPECIFIEDASN_IDX_PRIME_P].data.ref.data, dataASN[ECCSPECIFIEDASN_IDX_PRIME_P].data.ref.length, - curve->prime); + (char *)curve->prime); /* Parameter A */ DataToHexString(dataASN[ECCSPECIFIEDASN_IDX_PARAM_A].data.ref.data, dataASN[ECCSPECIFIEDASN_IDX_PARAM_A].data.ref.length, - curve->Af); + (char *)curve->Af); /* Parameter B */ DataToHexString(dataASN[ECCSPECIFIEDASN_IDX_PARAM_B].data.ref.data, dataASN[ECCSPECIFIEDASN_IDX_PARAM_B].data.ref.length, - curve->Bf); + (char *)curve->Bf); /* Order of curve */ DataToHexString(dataASN[ECCSPECIFIEDASN_IDX_ORDER].data.ref.data, dataASN[ECCSPECIFIEDASN_IDX_ORDER].data.ref.length, - curve->order); + (char *)curve->order); } #endif /* WOLFSSL_ECC_CURVE_STATIC */ diff --git a/wolfcrypt/src/wc_xmss.c b/wolfcrypt/src/wc_xmss.c index 311636f6c..8efed091a 100644 --- a/wolfcrypt/src/wc_xmss.c +++ b/wolfcrypt/src/wc_xmss.c @@ -150,7 +150,9 @@ static WC_INLINE void wc_xmss_state_free(XmssState* state) typedef struct wc_XmssString { /* Name of algorithm as a string. */ #ifdef WOLFSSL_NAMES_STATIC - const char str[32]; + const char str[32]; /* large enough for largest string in wc_xmss_alg[] or + * wc_xmssmt_alg[] + */ #else const char* str; #endif diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 60091c6df..9b3fb7bbf 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -3699,6 +3699,8 @@ extern void uITRON4_free(void *p) ; #define WC_NO_INTERNAL_FUNCTION_POINTERS #define WOLFSSL_ECC_CURVE_STATIC #define WOLFSSL_NAMES_STATIC + #define WOLFSSL_NO_PUBLIC_FFDHE + #undef HAVE_PUBLIC_FFDHE #endif #ifndef NO_OLD_WC_NAMES diff --git a/wolfssl/wolfcrypt/wc_lms.h b/wolfssl/wolfcrypt/wc_lms.h index 73f121e56..5ec4b5a45 100644 --- a/wolfssl/wolfcrypt/wc_lms.h +++ b/wolfssl/wolfcrypt/wc_lms.h @@ -385,7 +385,7 @@ typedef struct wc_LmsParamsMap { enum wc_LmsParm id; /* String representation of identifier of parameters. */ #ifdef WOLFSSL_NAMES_STATIC - const char str[32]; + const char str[32]; /* large enough for largest string in wc_lms_map[] */ #else const char* str; #endif From f49e5837212a869df3fadba5d2bba85915d3a0f9 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Thu, 10 Jul 2025 00:57:51 -0500 Subject: [PATCH 4/4] linuxkm/Kbuild: skip "section(s) missed by containerization" test unless KERNEL_ARCH_X86; linuxkm/linuxkm_wc_port.h: fixes for legacy kernels, particularly: when building TLS stack (!WOLFCRYPT_ONLY), use the best heap with a functioning realloc(), else use kvmalloc() and friends if available, even if kvrealloc() is unavailable. also, provide for XMALLOC_USER and XMALLOC_OVERRIDE; linuxkm/lkcapi_glue.c: recognize the new CONFIG_CRYPTO_SELFTESTS_FULL alongside the old CONFIG_CRYPTO_MANAGER_EXTRA_TESTS; linuxkm/linuxkm_memory.c: restore my__show_free_areas() in case it's still needed. --- .wolfssl_known_macro_extras | 2 +- linuxkm/Kbuild | 1 + linuxkm/linuxkm_memory.c | 16 ++++ linuxkm/linuxkm_wc_port.h | 166 +++++++++++++++++++++++------------- linuxkm/lkcapi_glue.c | 9 +- 5 files changed, 129 insertions(+), 65 deletions(-) diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras index 941708511..2eb737945 100644 --- a/.wolfssl_known_macro_extras +++ b/.wolfssl_known_macro_extras @@ -65,6 +65,7 @@ CONFIG_CRYPTO_GCM CONFIG_CRYPTO_HMAC CONFIG_CRYPTO_MANAGER CONFIG_CRYPTO_RSA +CONFIG_CRYPTO_SELFTESTS_FULL CONFIG_CRYPTO_SHA1 CONFIG_CRYPTO_SHA256 CONFIG_CRYPTO_SHA3 @@ -774,7 +775,6 @@ WOLFSSL_NO_KCAPI_SHA224 WOLFSSL_NO_OCSP_DATE_CHECK WOLFSSL_NO_OCSP_ISSUER_CHAIN_CHECK WOLFSSL_NO_OCSP_OPTIONAL_CERTS -WOLFSSL_NO_PUBLIC_FFDHE WOLFSSL_NO_RSA_KEY_CHECK WOLFSSL_NO_SERVER_GROUPS_EXT WOLFSSL_NO_SESSION_STATS diff --git a/linuxkm/Kbuild b/linuxkm/Kbuild index 89d2199d1..e26818082 100644 --- a/linuxkm/Kbuild +++ b/linuxkm/Kbuild @@ -197,6 +197,7 @@ endif --rename-section .data.rel.local=.data.wolfcrypt \ --rename-section .bss=.bss.wolfcrypt "$$file" || exit $$? done + [ "$(KERNEL_ARCH_X86)" != "yes" ] || \ { $(READELF) --syms $(WOLFCRYPT_PIE_FILES) | \ $(AWK) -v obj="$(obj)" ' \ /File:/ { \ diff --git a/linuxkm/linuxkm_memory.c b/linuxkm/linuxkm_memory.c index b447e9843..f760eb239 100644 --- a/linuxkm/linuxkm_memory.c +++ b/linuxkm/linuxkm_memory.c @@ -21,6 +21,22 @@ /* included by wolfcrypt/src/memory.c */ +#if defined(__PIE__) && (LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0)) +/* needed in 6.1+ because show_free_areas() static definition in mm.h calls + * __show_free_areas(), which isn't exported (neither was show_free_areas()). + */ +void my__show_free_areas( + unsigned int flags, + nodemask_t *nodemask, + int max_zone_idx) +{ + (void)flags; + (void)nodemask; + (void)max_zone_idx; + return; +} +#endif + #if defined(__PIE__) && defined(CONFIG_FORTIFY_SOURCE) /* needed because FORTIFY_SOURCE inline implementations call fortify_panic(). */ void __my_fortify_panic(const char *name) { diff --git a/linuxkm/linuxkm_wc_port.h b/linuxkm/linuxkm_wc_port.h index b1fbbe3bf..add45a080 100644 --- a/linuxkm/linuxkm_wc_port.h +++ b/linuxkm/linuxkm_wc_port.h @@ -91,6 +91,21 @@ #define HAVE_KVREALLOC #endif + #ifdef WOLFCRYPT_ONLY + #ifdef HAVE_KVMALLOC + #define USE_KVMALLOC + #endif + #ifdef HAVE_KVREALLOC + #define USE_KVREALLOC + #endif + #else + /* functioning realloc() is needed for the TLS stack. */ + #if defined(HAVE_KVMALLOC) && defined(HAVE_KVREALLOC) + #define USE_KVMALLOC + #define USE_KVREALLOC + #endif + #endif + /* kernel printf doesn't implement fp. */ #ifndef WOLFSSL_NO_FLOAT_FMT #define WOLFSSL_NO_FLOAT_FMT @@ -273,6 +288,52 @@ #endif /* !CONFIG_FORTIFY_SOURCE */ +#if defined(__PIE__) && (LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0)) && \ + defined(CONFIG_X86) + /* linux/slab.h will recursively bring in linux/page-flags.h, polluting the + * wolfCrypt container objects with static functions const_folio_flags() and + * folio_flags(), unless we kludge it off thusly. + */ + #define PAGE_FLAGS_H +#endif + + #include + #include + #include + + #ifdef __PIE__ + /* without this, mm.h brings in static, but not inline, pmd_to_page(), + * with direct references to global vmem variables. + */ + #undef USE_SPLIT_PMD_PTLOCKS + #define USE_SPLIT_PMD_PTLOCKS 0 + + #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0) + /* without this, static show_free_areas() mm.h brings in direct + * reference to unexported __show_free_areas(). + */ + #define __show_free_areas my__show_free_areas + void my__show_free_areas( + unsigned int flags, + nodemask_t *nodemask, + int max_zone_idx); + #endif + #endif + +#if !defined(__PIE__) || (LINUX_VERSION_CODE < KERNEL_VERSION(6, 1, 0)) + #include +#endif + + #ifndef SINGLE_THREADED + #include + #endif +#ifndef __PIE__ + #include +#endif + #include + #include + #include + #ifdef LINUXKM_LKCAPI_REGISTER /* the LKCAPI assumes that expanded encrypt and decrypt keys will stay * loaded simultaneously, and the Linux in-tree implementations have two @@ -290,58 +351,32 @@ #ifndef WC_AES_XTS_SUPPORT_SIMULTANEOUS_ENC_AND_DEC_KEYS #define WC_AES_XTS_SUPPORT_SIMULTANEOUS_ENC_AND_DEC_KEYS #endif + + #ifndef __PIE__ + #include + #include + #include + #include + #include + #include + #include + #include + #include + #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 13, 0) + #include + #endif /* linux ver >= 6.13 */ + #ifdef WOLFSSL_LINUXKM_USE_GET_RANDOM_KPROBES + #include + #endif + + #if defined(_LINUX_REFCOUNT_H) || defined(_LINUX_REFCOUNT_TYPES_H) + #define WC_LKM_REFCOUNT_TO_INT(refcount) (atomic_read(&(refcount.refs))) + #else + #define WC_LKM_REFCOUNT_TO_INT(refcount) (atomic_read(&(refcount))) + #endif + #endif /* !__PIE__ */ #endif /* LINUXKM_LKCAPI_REGISTER */ - #include -#ifndef __PIE__ - #include - #include -#endif - -#ifdef __PIE__ - /* linux/slab.h will recursively bring in linux/page-flags.h, polluting the - * wolfCrypt container objects with static functions const_folio_flags() and - * folio_flags(), unless we kludge it off thusly. - */ - #define PAGE_FLAGS_H -#else - #include -#endif - - #include - #include - -#ifndef __PIE__ - #ifndef SINGLE_THREADED - #include - #endif - #include - - #ifdef LINUXKM_LKCAPI_REGISTER - #include - #include - #include - #include - #include - #include - #include - #include - #include - #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 13, 0) - #include - #endif /* linux ver >= 6.13 */ - #ifdef WOLFSSL_LINUXKM_USE_GET_RANDOM_KPROBES - #include - #endif - - #if defined(_LINUX_REFCOUNT_H) || defined(_LINUX_REFCOUNT_TYPES_H) - #define WC_LKM_REFCOUNT_TO_INT(refcount) (atomic_read(&(refcount.refs))) - #else - #define WC_LKM_REFCOUNT_TO_INT(refcount) (atomic_read(&(refcount))) - #endif - #endif -#endif /* !__PIE__ */ - #if defined(WOLFSSL_AESNI) || defined(USE_INTEL_SPEEDUP) || \ defined(WOLFSSL_SP_X86_64_ASM) #ifndef CONFIG_X86 @@ -1171,6 +1206,13 @@ */ #define _MM_MALLOC_H_INCLUDED + #ifndef BUILDING_WOLFSSL + #include + #if defined(USE_KVMALLOC) && (LINUX_VERSION_CODE < KERNEL_VERSION(5, 16, 0)) + #include + #endif + #endif + /* fun fact: since linux commit 59bb47985c, kmalloc with power-of-2 size is * aligned to the size. */ @@ -1182,10 +1224,10 @@ ((sizeof(_alloc_sz) * 8UL) - __builtin_clzl(_alloc_sz - 1)); \ _alloc_sz; \ }) - #ifdef HAVE_KVMALLOC + #ifdef USE_KVMALLOC #define malloc(size) kvmalloc_node(WC_LINUXKM_ROUND_UP_P_OF_2(size), (preempt_count() == 0 ? GFP_KERNEL : GFP_ATOMIC), NUMA_NO_NODE) #define free(ptr) kvfree(ptr) - #ifdef HAVE_KVREALLOC + #ifdef USE_KVREALLOC #define realloc(ptr, newsize) kvrealloc(ptr, WC_LINUXKM_ROUND_UP_P_OF_2(newsize), (preempt_count() == 0 ? GFP_KERNEL : GFP_ATOMIC)) #else #define realloc(ptr, newsize) ((void)(ptr), (void)(newsize), NULL) @@ -1212,15 +1254,17 @@ #endif #define XREALLOC(p, n, h, t) ({(void)(h); (void)(t); wolfSSL_Realloc(p, n);}) #else - #define XMALLOC(s, h, t) ({(void)(h); (void)(t); malloc(s);}) - #ifdef WOLFSSL_XFREE_NO_NULLNESS_CHECK - #define XFREE(p, h, t) ({(void)(h); (void)(t); free(p);}) - #else - #define XFREE(p, h, t) ({void* _xp; (void)(h); (void)(t); _xp = (p); if(_xp) free(_xp);}) - #endif - #if defined(HAVE_KVREALLOC) || !defined(HAVE_KVMALLOC) - #define XREALLOC(p, n, h, t) ({(void)(h); (void)(t); realloc(p, n);}) - #endif + #if !defined(XMALLOC_USER) && !defined(XMALLOC_OVERRIDE) + #define XMALLOC(s, h, t) ({(void)(h); (void)(t); malloc(s);}) + #ifdef WOLFSSL_XFREE_NO_NULLNESS_CHECK + #define XFREE(p, h, t) ({(void)(h); (void)(t); free(p);}) + #else + #define XFREE(p, h, t) ({void* _xp; (void)(h); (void)(t); _xp = (p); if(_xp) free(_xp);}) + #endif + #if defined(USE_KVREALLOC) || !defined(USE_KVMALLOC) + #define XREALLOC(p, n, h, t) ({(void)(h); (void)(t); realloc(p, n);}) + #endif + #endif /* !XMALLOC_USER && !XMALLOC_OVERRIDE */ #endif #include diff --git a/linuxkm/lkcapi_glue.c b/linuxkm/lkcapi_glue.c index 00609ed50..ea1880933 100644 --- a/linuxkm/lkcapi_glue.c +++ b/linuxkm/lkcapi_glue.c @@ -64,7 +64,8 @@ #define WOLFSSL_LINUXKM_LKCAPI_PRIORITY 100000 #endif -#ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS +#if defined(CONFIG_CRYPTO_MANAGER_EXTRA_TESTS) || \ + defined(CONFIG_CRYPTO_SELFTESTS_FULL) static int disable_setkey_warnings = 0; #else #define disable_setkey_warnings 0 @@ -321,7 +322,8 @@ static int linuxkm_lkcapi_register(void) if (ret) return ret; -#ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS +#if defined(CONFIG_CRYPTO_MANAGER_EXTRA_TESTS) || \ + defined(CONFIG_CRYPTO_SELFTESTS_FULL) /* temporarily disable warnings around setkey failures, which are expected * from the crypto fuzzer in FIPS configs, and potentially in others. * unexpected setkey failures are fatal errors returned by the fuzzer. @@ -692,7 +694,8 @@ static int linuxkm_lkcapi_register(void) #undef REGISTER_ALG #undef REGISTER_ALG_OPTIONAL -#ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS +#if defined(CONFIG_CRYPTO_MANAGER_EXTRA_TESTS) || \ + defined(CONFIG_CRYPTO_SELFTESTS_FULL) disable_setkey_warnings = 0; #endif