Commit Graph

135 Commits

Author SHA1 Message Date
Daniel Pouzzner e4f0acdc1d linuxkm/linuxkm_wc_port.h: disable CONFIG_FORTIFY_SOURCE module-wide on kernels <5.18 (shim conflicts), and add WC_FORCE_LINUXKM_FORTIFY_SOURCE for future use. 2025-10-07 12:49:54 -05:00
Daniel Pouzzner 46fd3d60f9 linuxkm/Kbuild: activate linker script with backward-compatible construct (tests good on 4.4);
linuxkm/linuxkm_wc_port.h: completely inhibit CONFIG_FORTIFY_SOURCE across the module when HAVE_LINUXKM_PIE_SUPPORT, for fidget-free backward compat;

linuxkm/module_hooks.c:
* add startup-time sanity check on fenceposts,
* enhance DEBUG_LINUXKM_PIE_SUPPORT with coverage for WOLFSSL_TEXT_SEGMENT_CANONICALIZER on the entire text segment,
* compute and report a hash on the stabilized text segment,
* fix wc_linuxkm_normalize_relocations() to allow span end == __wc_text_end, and
* add numerous verbose pr_err()s when DEBUG_LINUXKM_PIE_SUPPORT.
2025-10-03 15:07:56 -05:00
Daniel Pouzzner 7ea66aeffe refactor WOLFSSL_LINUXKM gates as generic WOLFSSL_KERNEL_MODE gates where appropriate:
rename WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS to WOLFSSL_USE_SAVE_VECTOR_REGISTERS, and wherever appropriate, replace defined(WOLFSSL_LINUXKM) with defined(WOLFSSL_USE_SAVE_VECTOR_REGISTERS).

rename WC_WANT_FLAG_DONT_USE_AESNI to WC_WANT_FLAG_DONT_USE_VECTOR_OPS.

rename lkm_printf() to wc_km_printf().

replace WOLFSSL_LINUXKM gates on kernel-incompatible includes with header-specific gates NO_STRING_H, NO_STDINT_H, NO_LIMITS_H, NO_CTYPE_H, NO_STDLIB_H

remove low level threading setup section of wolfssl/internal.h, which duplicated existing logic in wc_port.h, except for off-topic WOLFSSL_APACHE_MYNEWT TLS-layer setup, which is preserved, and a defined(__NT__) clause, which is now merged into the existing section in wc_port.h.
2025-09-29 16:59:12 -05:00
Daniel Pouzzner 97c094f802 linuxkm/: accommodate API change from k[v]realloc_noprof() to k[v]realloc_node_align_noprof() expected in 6.18+ (current linux-next). 2025-09-28 11:46:17 -05:00
Daniel Pouzzner ae4b33c997 linuxkm/linuxkm_wc_port.h: when HAVE_LINUXKM_PIE_SUPPORT, map
WOLFSSL_TEXT_SEGMENT_CANONICALIZER() to wc_linuxkm_normalize_relocations(), and
  define WOLFSSL_TEXT_SEGMENT_CANONICALIZER_BUFSIZ to 8192.

linuxkm/module_hooks.c: in wc_linuxkm_normalize_relocations(), add checks for
  out-of-order offsets.
2025-09-08 16:43:34 -05:00
Daniel Pouzzner 7df8ee4081 linuxkm/linuxkm_wc_port.h: add default setup for LINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT, to make visibility in random.c;
linuxkm/lkcapi_sha_glue.c: revert f7c7ac275a (get_drbg() DISABLE_VECTOR_REGISTERS() for crypto_default_rng) -- compiler/inlining bug makes it break on at least one target, so caller needs to retain responsibility;

linuxkm/x86_vector_register_glue.c: in wc_save_vector_registers_x86(), always return WC_ACCEL_INHIBIT_E if already fpu_state & WC_FPU_INHIBITED_FLAG, for safe+correct dynamics on recursive calls.
2025-08-30 12:08:57 -05:00
Daniel Pouzzner f7c7ac275a linuxkm/linuxkm_wc_port.h and linuxkm/x86_vector_register_glue.c: refactor
wc_save_vector_registers_x86() and wc_restore_vector_registers_x86() to allow
  recursive WC_SVR_FLAG_INHIBIT while already in a vector save context;

linuxkm/lkcapi_sha_glue.c: in get_drbg() and put_drbg(),
  DISABLE_VECTOR_REGISTERS()...REENABLE_VECTOR_REGISTERS() if tfm ==
  crypto_default_rng.
2025-08-28 11:02:45 -05:00
Daniel Pouzzner 79a75d1ef2 linuxkm/module_hooks.c: in wc_linuxkm_normalize_relocations(), allow non-text
relocations 1 byte outside the destination segment, and when
  DEBUG_LINUXKM_PIE_SUPPORT, tally the relocation counts by segment for final info
  report;

linuxkm/module_hooks.c and linuxkm/linuxkm_wc_port.h: tweak gating on
  wc_linuxkm_normalize_relocations() and related -- ifdef
  HAVE_LINUXKM_PIE_SUPPORT, not ifdef USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE --
  for consistency+clarity.
2025-08-26 11:07:40 -05:00
Daniel Pouzzner e0383b496a linuxkm/module_hooks.c: implement wc_linuxkm_GenerateSeed_IntelRD, gated on WC_LINUXKM_RDSEED_IN_GLUE_LAYER;
add WC_GENERATE_SEED_DEFAULT, which defaults to wc_GenerateSeed if not overridden, and replace wc_GenerateSeed with WC_GENERATE_SEED_DEFAULT in various calls to wc_SetSeed_Cb();

linuxkm/linuxkm_wc_port.h: if FIPS <v6 and RDSEED, define WC_LINUXKM_RDSEED_IN_GLUE_LAYER and define WC_GENERATE_SEED_DEFAULT wc_linuxkm_GenerateSeed_IntelRD;

wolfcrypt/test/test.c: update rng_seed_test() with gating and vectors for FIPS v5 with HAVE_AMD_RDSEED or HAVE_INTEL_RDSEED;

wolfssl/wolfcrypt/types.h: add WC_HAVE_VECTOR_SPEEDUPS helper macro, and enlarge fallthrough definition coverage for DISABLE_VECTOR_REGISTERS.
2025-08-22 21:58:00 -05:00
Daniel Pouzzner af4e2d127f linuxkm/: implement wc_linuxkm_pie_reloc_tab and wc_linuxkm_normalize_relocations(), and integrate with updateFipsHash(). 2025-08-22 00:38:06 -05:00
Daniel Pouzzner f4fefcbd5e configure.ac: for linuxkm, don't set ENABLED_ENTROPY_MEMUSE_DEFAULT to yes on FIPS v5-;
linuxkm/linuxkm_wc_port.h: add WC_SVR_FLAG_NONE;

wolfssl/wolfcrypt/settings.h: for WOLFSSL_LINUXKM setup for WC_RESEED_INTERVAL,
  use UINT_MAX if FIPS v5-;

wolfssl/wolfcrypt/types.h: add definitions for SAVE_NO_VECTOR_REGISTERS2, and
  map no-op SAVE_VECTOR_REGISTERS2() to it.
2025-08-11 16:14:32 -05:00
Daniel Pouzzner bbd606538a linuxkm/linuxkm_wc_port.h, linuxkm/x86_vector_register_glue.c, linuxkm/Kbuild:
* rename can_save_vector_registers_x86(), save_vector_registers_x86(), and restore_vector_registers_x86(), with wc_ prefix, and properly export them;
* move setup for WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS outside BUILDING_WOLFSSL gate;
* fix !BUILDING_WOLFSSL bindings for DISABLE_VECTOR_REGISTERS() to properly fall through to no-ops in !WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS configs, and properly #error if WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS but !CONFIG_X86;

.github/workflows/linuxkm.yml: --enable-linuxkm-benchmarks for additional coverage.
2025-07-31 10:37:39 -05:00
Daniel Pouzzner c353052e54 linuxkm/linuxkm_wc_port.h:
* move enum wc_svr_flags out of BUILDING_WOLFSSL guard;
* add DISABLE_VECTOR_REGISTERS() and REENABLE_VECTOR_REGISTERS() definitions for !BUILDING_WOLFSSL;
* add #include <linux/spinlock.h> to !WOLFSSL_LINUXKM_USE_MUTEXES implementation to fix compilation (and add usability) to caller code;

linuxkm/lkcapi_sha_glue.c: in wc_linuxkm_drbg_ctx_clear(), fix error-path deallocation of locked object;

wolfcrypt/benchmark/benchmark.c:

* in FIPS v6+ builds, and FIPS linuxkm v5+, check retval from wc_AesEncryptDirect() and wc_AesDecryptDirect();
* add WC_RELAX_LONG_LOOP() in bench_stats_sym_finish() and bench_stats_asym_finish_ex();

wolfcrypt/test/test.c: fix rng_seed_test() with correct test vectors for the relevant combinations of features, and gate the test out if there are user override defines for ENTROPY_SCALE_FACTOR or SEED_BLOCK_SZ.
2025-07-30 22:15:05 -05:00
Daniel Pouzzner b0f6829614 20250725-wc_linuxkm_relax_long_loop: improvements from peer review: fix, clarify, and extend comments, improve indentation, and snip out a stray redundant preprocessor definition. 2025-07-26 08:27:43 -05:00
Daniel Pouzzner 77dccc0c32 linuxkm:
* add wc_linuxkm_check_for_intr_signals(), wc_linuxkm_relax_long_loop(),
  WC_CHECK_FOR_INTR_SIGNALS(), WC_RELAX_LONG_LOOP(), SAVE_NO_VECTOR_REGISTERS(),
  RESTORE_NO_VECTOR_REGISTERS(), and new error code INTERRUPTED_E ("Process
  interrupted");

* update the no-asm remaps in the PK implementations to use
  SAVE_NO_VECTOR_REGISTERS() and RESTORE_NO_VECTOR_REGISTERS(), so that inner
  loops in them are always covered by the new logic.
2025-07-25 15:56:48 -05:00
Daniel Pouzzner ca6a12769f linuxkm/linuxkm_wc_port.h: additional fixes for version gates;
.github/workflows/linuxkm.yml: add a second scenario with --enable-linuxkm-pie.
2025-07-23 16:57:24 -05:00
Daniel Pouzzner a447a991b0 linuxkm/Kbuild: add KERNEL_EXTRA_CFLAGS_REMOVE;
linuxkm/linuxkm_wc_port.h: fix version threshold for HAVE_KVREALLOC (6.12.0, not 6.11.0), and add manual overrides.
2025-07-23 14:31:52 -05:00
Daniel Pouzzner c26f6ded14 linuxkm/linuxkm_wc_port.h: use more flexible logic to define WC_LKM_INDIRECT_SYM(), allowing various overrides and orthogonalizing the definitions proper, and add explanatory comments. 2025-07-22 14:40:45 -05:00
Daniel Pouzzner 0495f2cc20 linuxkm/linuxkm_wc_port.h: add WC_LKM_INDIRECT_SYM() macro; on x86, use wolfssl_linuxkm_pie_redirect_table directly for indirect calls from PIE container, otherwise use wolfssl_linuxkm_get_pie_redirect_table() to avoid e.g. R_AARCH64_LD64_GOT_LO12_NC relocations;
linuxkm/Kbuild: remove -fno-stack-protector from default PIE_FLAGS.
2025-07-21 19:34:00 -05:00
Daniel Pouzzner 01313cc0c8 linuxkm/x86_vector_register_glue.c:
* refactor the save_vector_registers_x86() algorithm to depend directly on preempt_count(), and use local_bh_enable() and preempt_disable() directly, to mitigate glitchiness around irq_fpu_usable() and crypto_simd_usable();

* eliminate the WC_FPU_ALREADY_FLAG kludge.

* improve the error and warning messages, and add some additional checks and messages for unexpected states; add VRG_PR_ERR_X and VRG_PR_WARN_X for pr_*_once() semantics on regular builds, but unlimited messages when WOLFSSL_LINUXKM_VERBOSE_DEBUG.

linuxkm/linuxkm_wc_port.h and linuxkm/module_hooks.c:

* move the spinlock-based implementation of wc_LockMutex() from linuxkm_wc_port.h to module_hooks.c, due to numerous stuboorn direct external symbol references;

* extensively refactor the kernel header #include strategy, keeping many more superfluous headers out of __PIE__ objects, and fixing unavoidable static header functions with grafted __always_inline attributes;

* add version exceptions for RHEL 9.5.

linuxkm/Kbuild:

* on x86 with CONFIG_MITIGATION_{RETPOLINE,RETHUNK}, use inline rethunks rather than none;

* refactor check for "Error: section(s) missed by containerization." using `readelf --sections --syms`, for 100% coverage, more informative error output, and suppression of false positives on printk-related cruft;

configure.ac and linuxkm/lkcapi_sha_glue.c: use LINUXKM_LKCAPI_[DONT_]REGISTER_{SHA,HMAC}_ALL to represent --enable-linuxkm-lkcapi-register=[-]all-{sha,hmac}, which allows alg families (notably SHA1) to be masked out piecemeal;

linuxkm/lkcapi_rsa_glue.c: in linuxkm_test_pkcs1pad_driver(), mitigate unused args when LINUXKM_AKCIPHER_NO_SIGNVERIFY.
2025-07-16 13:09:03 -05:00
Daniel Pouzzner 2c341a5806 Merge pull request #8990 from JacobBarthelmeh/license
updating license from GPLv2 to GPLv3

(linuxkm tweak to `MODULE_LICENSE("GPL")` to follow.)
2025-07-14 16:14:39 -05:00
philljj 1f71e6d246 Merge pull request #8998 from douzzer/20250712-linuxkm-all-aes-sha-hmac
20250712-linuxkm-all-aes-sha-hmac
2025-07-14 14:19:09 -05:00
Daniel Pouzzner 80c9212dd9 linuxkm/linuxkm_wc_port.h, linuxkm/lkcapi_aes_glue.c, configure.ac: fix LKCAPI on kernel 5.4 (sunrise version for LKCAPI), and add all-aes, all-sha, all-hmac, and their negations, to --enable-linuxkm-lkcapi-register. 2025-07-14 12:39:41 -05:00
Daniel Pouzzner ee3b459e16 linuxkm/linuxkm_wc_port.h: refactor the fix for folio_flags()/const_folio_flags() text segment spam -- inhibiting inclusion of linux/page-flags.h breaks on some kernel configs. 2025-07-14 10:27:35 -05:00
JacobBarthelmeh 629c5b4cf6 updating license from GPLv2 to GPLv3 2025-07-10 16:11:36 -06:00
Daniel Pouzzner f49e583721 linuxkm/Kbuild: skip "section(s) missed by containerization" test unless KERNEL_ARCH_X86;
linuxkm/linuxkm_wc_port.h: fixes for legacy kernels, particularly: when building TLS stack (!WOLFCRYPT_ONLY), use the best heap with a functioning realloc(), else use kvmalloc() and friends if available, even if kvrealloc() is unavailable.  also, provide for XMALLOC_USER and XMALLOC_OVERRIDE;

linuxkm/lkcapi_glue.c: recognize the new CONFIG_CRYPTO_SELFTESTS_FULL alongside the old CONFIG_CRYPTO_MANAGER_EXTRA_TESTS;

linuxkm/linuxkm_memory.c: restore my__show_free_areas() in case it's still needed.
2025-07-10 00:57:51 -05:00
Daniel Pouzzner 01e8815762 wolfssl/wolfcrypt/settings.h: add #define WOLFSSL_NO_PUBLIC_FFDHE and #undef HAVE_PUBLIC_FFDHE to WOLFSSL_LINUXKM setup to avoid .data.rel.ro.local functions in dh.c;
linuxkm/linuxkm_wc_port.h: only use kvrealloc() on kernel >=6.11 -- the version in 5.15-6.10 is incompatible (oldsize arg).  also, restore use of kvmalloc on 4.12+, but with XREALLOC undefined, suitable for cryptonly modules; add #include <linux/sched.h> even on __PIE__ objects to make cond_sched() available;

wolfcrypt/src/asn.c: harmonize gate around definitions of BEGIN_DSA_PRIV and END_DSA_PRIV;

wolfcrypt/src/asn.c: in EccSpecifiedECDomainDecode(), work around "const char[]" types in WOLFSSL_ECC_CURVE_STATIC struct ecc_set_type on FIPS <6;

wolfcrypt/src/asn.c, wolfcrypt/src/wc_xmss.c, wolfssl/wolfcrypt/wc_lms.h: add comments to new WOLFSSL_NAMES_STATIC slots explaining where the size comes from.
2025-07-09 18:22:18 -05:00
Daniel Pouzzner 7c6afeb106 add linuxkm/wolfcrypt.lds module linker script, explicitly grouping wolfcrypt sections together;
linuxkm/Kbuild: add linker script flag, containerize several more previously-missed ELF sections, and add a test verifying no sections were missed;

linuxkm/linuxkm_memory.c: remove obsolete lkm_realloc() shim and unneeded my__show_free_areas() wrapper;

linuxkm/linuxkm_wc_port.h: add new mapping from realloc() to native kvrealloc(), and gate out a slew of headers when __PIE__ to avoid polluting wolfCrypt objects with various unneeded header-implemented functions with associated awkward symbols references;

linuxkm/lkcapi_glue.c: harmonize gate for REGISTER_ALG_OPTIONAL();

linuxkm/module_hooks.c: add "ERROR:" prefixes on pr_err()s; add wc_RunAllCast_fips() at shutdown to send confidence verification to the kernel log; remove section bounds checks now that layout is unreliable;

wolfssl/wolfcrypt/settings.h: for WOLFSSL_LINUXKM && HAVE_LINUXKM_PIE_SUPPORT, #define WOLFSSL_ECC_CURVE_STATIC and WOLFSSL_NAMES_STATIC;

wolfssl/wolfcrypt/types.h: refactor the typedef for wcchar from a pointer to a char[];

wolfcrypt/src/wc_xmss.c and wolfssl/wolfcrypt/wc_lms.h: add WOLFSSL_NAMES_STATIC code paths for struct wc_XmssString and struct wc_LmsParamsMap;

wolfcrypt/src/asn.c: add WOLFSSL_NAMES_STATIC code paths for struct CertNameData, and add static attribute to a slew of wcchars not used or declared outside asn.c.
2025-07-09 18:22:18 -05:00
Daniel Pouzzner f733ade6a2 linuxkm/{linuxkm_wc_port.h,module_hooks.c}: add feature gates around wolfCrypt_FIPS_*_sanity() references matching those in fips_test.c. 2025-07-09 18:22:18 -05:00
Daniel Pouzzner ef3a1a28d9 linuxkm/linuxkm_wc_port.h, linuxkm/module_hooks.c, and wolfcrypt/src/wc_port.c: fixes for spinlocks on CONFIG_ARM64;
wolfcrypt/src/wc_port.c: include random.h, for Entropy_Init().
2025-07-03 22:09:34 -05:00
Daniel Pouzzner dd69d56e33 linuxkm/linuxkm_wc_port.h: in malloc/realloc, use GFP_KERNEL if it's safe to sleep;
linuxkm/lkcapi_sha_glue.c:

* in wc_linuxkm_drbg_init_tfm(), sleep if it's safe, and observe a wc_linuxkm_drbg_init_tfm_disable_vector_registers flag;

* in wc_crng_reseed(), preemptively execute the reseed if it's safe to sleep;

* in wc_linuxkm_drbg_startup(), in LINUXKM_DRBG_GET_RANDOM_BYTES section, add reseed test sequence if defined(DEBUG_DRBG_RESEEDS).
2025-07-02 16:46:27 -05:00
Daniel Pouzzner b3944a73c2 linuxkm/lkcapi_sha_glue.c:
* implement interception of _get_random_bytes() and get_random_bytes_user() (implicitly intercepts /dev/random and /dev/urandom):

    * get_crypto_default_rng()
    * get_default_drbg_ctx()
    * wc__get_random_bytes()
    * wc_get_random_bytes_user()
    * wc_extract_crng_user()
    * wc_mix_pool_bytes()
    * wc_crng_reseed()
    * wc_get_random_bytes_by_kprobe()
    * wc_get_random_bytes_user_kretprobe_enter()
    * wc_get_random_bytes_user_kretprobe_exit()

    * add LINUXKM_DRBG_GET_RANDOM_BYTES sections to wc_linuxkm_drbg_startup() and wc_linuxkm_drbg_cleanup()

    * add linuxkm/patches/*/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-*.patch, initially for versions:
      * 5.10.17
      * 5.10.236
      * 5.15
      * 5.17
      * 6.1.73
      * 6.12
      * 6.15

    * remove "*.patch" from .gitignore.

    * add linuxkm/patches/regen-patches.sh.

  * in wc_linuxkm_drbg_ctx_clear(), check lock count before freeing.

  * in get_drbg() and put_drbg(), use migrate_disable(), not DISABLE_VECTOR_REGISTERS().

  * in wc_linuxkm_drbg_generate(), explicitly DISABLE_VECTOR_REGISTERS() for the crypto_default_rng.

  * in wc_linuxkm_drbg_generate(), add DRBG reinitialization code to handle RNG_FAILURE_E.  This handles the situation where a DRBG was instantiated in a vector-ops-allowed context, caching a vectorized SHA256 ethod, but later used in a no-vector-ops-allowed context.

  * in wc_linuxkm_drbg_seed(), add DISABLE_VECTOR_REGISTERS() wrapper around wc_RNG_DRBG_Reseed() for crypto_default_rng.

linuxkm/x86_vector_register_glue.c:

  * add crash recovery logic to wc_linuxkm_fpu_state_assoc_unlikely()

  * in wc_linuxkm_fpu_state_assoc(), when wc_linuxkm_fpu_states is null, don't call wc_linuxkm_fpu_state_assoc_unlikely() if !assume_fpu_began.

  * in can_save_vector_registers_x86(), save_vector_registers_x86(), and restore_vector_registers_x86(), check for hard interrupt context first, to return early failure if current->pid is unusable.

  * in save_vector_registers_x86(), tweak logic around WC_FPU_INHIBITED_FLAG, adding local_bh_disable()...local_bh_enable() to provide for safe recursion.

wolfcrypt/src/random.c: optimization: in Hash_df(), for WOLFSSL_LINUXKM, don't put digest[WC_SHA256_DIGEST_SIZE] in the heap, keep it on the stack.

wolfssl/wolfcrypt/types.h: add WOLFSSL_NO_ASM no-op definitions for DISABLE_VECTOR_REGISTERS() and REENABLE_VECTOR_REGISTERS().

configure.ac:

* move --enable-linuxkm and --enable-linuxkm-defaults initial detection early, so that HMAC_COPY_DEFAULT picks it up.

* add ENABLED_ENTROPY_MEMUSE_DEFAULT, and enable it by default when ENABLED_LINUXKM_DEFAULTS.

* update linuxkm-lkcapi-register help message.

linuxkm/linuxkm_wc_port.h:

* add my_kallsyms_lookup_name().

* add preempt_count, _raw_spin_lock_irqsave, _raw_spin_trylock, _raw_spin_unlock_irqrestore, and _cond_resched, to wolfssl_linuxkm_pie_redirect_table, and add spin_unlock_irqrestore() macro to mask native inline.

* move linuxkm mutex wrappers from wolfcrypt/src/wc_port.c to linuxkm_wc_port.h, make them inlines, and add new default spinlock-based implementation, with old method now gated on WOLFSSL_LINUXKM_USE_MUTEXES.

* change malloc() and realloc() wrappers from GFP_KERNEL to GFP_ATOMIC.

linuxkm/lkcapi_glue.c: make misc.h/misc.c inclusion unconditional, and trim now-redundant inclusions out of lkcapi_dh_glue.c and lkcapi_ecdh_glue.c.
2025-07-02 14:25:05 -05:00
Daniel Pouzzner b25d484a4e linuxkm/lkcapi_sha_glue.c: implement mutex-free sync mechanism for wc_linuxkm_drbg_ctx in new get_drbg(), get_drbg_n(), and put_drbg();
linuxkm/x86_vector_register_glue.c: implement support for WC_FPU_INHIBITED_FLAG, and an `int inhibit_p` argument to save_vector_registers_x86();

wolfcrypt/src/random.c: implement linuxkm support for RDSEED and HAVE_ENTROPY_MEMUSE;

wolfssl/wolfcrypt/error-crypt.h and wolfcrypt/src/error.c: add WC_ACCEL_INHIBIT_E "Crypto acceleration is currently inhibited";

linuxkm/module_hooks.c and linuxkm/x86_vector_register_glue.c: remove broken and bit-rotten WOLFSSL_COMMERCIAL_LICENSE and LINUXKM_FPU_STATES_FOLLOW_THREADS code paths.
2025-07-02 14:25:05 -05:00
jordan 8fef82cc59 linuxkm rsa: linux 6.13 support. 2025-05-21 16:07:46 -05:00
Daniel Pouzzner 273b7fc0da linuxkm: support DRBG in LKCAPI shim set:
* Implement --enable-linuxkm-lkcapi-register=stdrng and =stdrng-default,
  LINUXKM_LKCAPI_REGISTER_HASH_DRBG, and
  LINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT.  With "_DEFAULT", the DRBG is
  installed as the systemwide default stdrng, necessitating
  deregister-on-command, described below.  Note that get_random_bytes() and the
  associated /dev/random and /dev/urandom do not use the default stdrng, and
  their back end cannot currently be replaced by a module.

* Add control nodes /sys/module/libwolfssl/install_algs and
  /sys/module/libwolfssl/deinstall_algs.

* Add configure option --enable-linuxkm-lkcapi-register=sysfs-nodes-only, and
  macro LINUXKM_LKCAPI_REGISTER_ONLY_ON_COMMAND, to inhibit registration at
  module load time.

In configure.ac ENABLED_LINUXKM_LKCAPI_REGISTER setup, don't define
  WOLFSSL_DH_GEN_PUB in old FIPS, but do define it for =all.
2025-04-29 00:42:15 -05:00
Daniel Pouzzner 0430d25cfb linuxkm shims for all SHA and SHA-HMAC flavors. 2025-04-18 11:57:29 -05:00
jordan ff93e6d5d4 linuxkm: register rsa. 2025-04-16 09:50:06 -05:00
jordan 380c3613ed linuxkm: register ecdh. 2025-04-11 15:16:09 -04:00
Daniel Pouzzner f609d423d7 linuxkm/Kbuild: treat KERNEL_ARCH "x86_64" as "x86" and remove inapt -mpreferred-stack-boundary=4 from x86 WOLFSSL_CFLAGS;
linuxkm/linuxkm_wc_port.h: use >=6.9.0 as the gate for 5-arg fortify_panic();

in lkm_printf() definition, use _printk on >5.15.0;

linuxkm/module_hooks.c: raise MAX_FIPS_DATA_SZ and MAX_FIPS_CODE_SZ to
accommodate growth.
2025-04-10 17:23:17 +00:00
Daniel Pouzzner a22bcc3667 linuxkm/linuxkm_wc_port.h: on kernel >=6.8, for CONFIG_FORTIFY_SOURCE, use 5-arg fortify_panic() override macro. 2025-04-09 18:35:04 +00:00
Daniel Pouzzner 6761dbb2ed Merge pull request #8637 from philljj/register_ecdsa
linuxkm: register ecdsa.
2025-04-08 23:05:00 -05:00
Daniel Pouzzner 217440c885 Add wolfcrypt/src/wolfssl_sources.h and wolfcrypt/src/wolfssl_sources_asm.h,
which force on BUILDING_WOLFSSL and do boilerplate includes, and update library
  sources to include them at the top.

  wolfssl_sources.h includes types.h, error-crypt.h, and logging.h, and
  conditionally, config.h.  settings.h and wc_port.h are unconditionally
  included at the top of types.h.

  wolfssl_sources_asm.h includes settings.h, and conditionally, config.h.

Add wolfssl_sources*.h to wolfcrypt/src/include.am, and to several IDE/ project
  files.

Also added a TEST_WOLFSSL_SOURCES_INCLUSION_SEQUENCE clause in
  wolfssl/wolfcrypt/settings.h to allow coverage testing.

In wolfcrypt/src/misc.c, retain existing ad hoc boilerplate includes, and use
  them if WOLFSSL_VIS_FOR_TESTS, otherwise include the new wolfssl_sources.h.

Define WOLFSSL_VIS_FOR_TESTS at top of wolfcrypt/test/test.c.

Also renamed WOLFSSL_NEED_LINUX_CURRENT to WOLFSSL_LINUXKM_NEED_LINUX_CURRENT,
  for clarity.
2025-04-04 16:51:04 -05:00
jordan d62c65231b linuxkm: register ecdsa. 2025-04-04 11:54:03 -04:00
Lealem Amedie 2fdac57a69 Remove linuxkm-pie dependency for FIPS linuxkm 2025-03-21 15:36:31 -06:00
Daniel Pouzzner f7ddc49487 linuxkm/linuxkm_wc_port.h: add #error if the user tries to use the kernel crypto fuzzer with FIPS AES-XTS (kernel bug).
src/internal.c: fix shiftTooManyBitsSigned in DefTicketEncCb().

tests/api/test_sha256.c and wolfssl/wolfcrypt/sha256.h: gate raw transform APIs (wc_Sha256Transform(), wc_Sha256FinalRaw()) and tests on !defined(WOLFSSL_KCAPI_HASH) && !defined(WOLFSSL_AFALG_HASH).

move enum wc_HashFlags from wolfssl/wolfcrypt/hash.h to wolfssl/wolfcrypt/types.h to resolve circular dependency detected by cross-armv7m-armasm-thumb-fips-140-3-dev-sp-asm-all-crypto-only.

add FIPS_VERSION_GE(7,0) gates to new null-arg tests in test_wc_Shake{128,256}_*().

optimize ByteReverseWords() for cases where only one operand is unaligned, and add correct handling of unaligned data in ByteReverseWords64() to resolve unaligned access sanitizer report in cross-aarch64_be-all-sp-asm-unittest-sanitizer.
2025-02-26 20:55:56 -06:00
JacobBarthelmeh 2c24291ed5 update copyright date 2025-01-21 09:55:03 -07:00
Daniel Pouzzner 7dcec3e62f linuxkm: work around aarch64 dependency on alt_cb_patch_nops for enable-linuxkm-pie (FIPS support). 2024-11-26 00:12:29 -06:00
Daniel Pouzzner d85c108952 wolfssl/wolfcrypt/error-crypt.h, wolfcrypt/src/error.c: add WC_FAILURE ("wolfCrypt generic failure") with value -1, for traceable error return of -1 in wolfCrypt.
configure.ac: add OPENSSL_EXTRA to --enable-wolfsentry.

linuxkm/linuxkm_wc_port.h, linuxkm/module_hooks.c, wolfssl/ssl.h: accommodate backward dependencies for wolfSSL_X509_NAME_add_entry_by_NID, wolfSSL_X509_NAME_free, and wolfSSL_X509_NAME_new_ex.

linuxkm/lkcapi_glue.c: if CONFIG_CRYPTO_MANAGER, assert match of CONFIG_CRYPTO_FIPS and HAVE_FIPS.

src/ssl_crypto.c, wolfcrypt/src/wc_lms.c, wolfcrypt/src/wc_lms_impl.c, wolfcrypt/src/wc_xmss.c, wolfcrypt/test/test.c: add missing casts for XMALLOC()s.

src/ssl_crypto.c: in wolfSSL_AES_decrypt(), fix gate for wc_AesDecryptDirect() return type.

wolfcrypt/test/test.c: smallstack refactor in test_dilithium_decode_level().

tests/api.c: fix uninited vars and "embedding a directive within macro arguments is not portable" in test_wc_dilithium_der().
2024-11-21 21:59:26 -06:00
Daniel Pouzzner 9db74dc128 configure.ac: add AM_MAINTAINER_MODE([disable]);
add config-time assert for "dual-alg-certs is incompatible with --enable-cryptonly.";

remove obsolete config-time check for "--enable-opensslextra without --enable-cryptonly is incompatible with --enable-linuxkm.";

linuxkm/linuxkm_wc_port.h: add fallback definitions for INT32_MAX and UINT32_MAX;

linuxkm/module_exports.c.template: add wolfssl/openssl/fips_rand.h;

wolfssl/wolfcrypt/settings.h: add #undef HAVE_ATEXIT to WOLFSSL_LINUXKM settings;

wolfssl/wolfcrypt/types.h: fix trailing comma in the DYNAMIC_TYPE_* enum.
2024-11-01 11:57:36 -05:00
Daniel Pouzzner 84f0800b96 configure.ac:
* set DEFAULT_ENABLED_ALL_ASM=no if enable_afalg or ENABLED_32BIT;
* omit enable_srtp_kdf from enable-all-crypto if enable_afalg.

linuxkm: add GetCAByAKID to wolfssl_linuxkm_pie_redirect_table.

src/x509.c: in GenerateDNSEntryIPString(), use XMEMSET() to initialize tmpName, not = {0}, to avoid unmaskable compiler emission of memset() call.

wolfssl/openssl/ssl.h: add OPENSSL_EXTRA to an existing OPENSSL_ALL-gated section, consistent with gating of correspinding section in wolfssl/ssl.h.

wolfssl/wolfcrypt/settings.h: adopt setup for WOLFSSL_SP_NO_UMAAL from wolfssl/wolfcrypt/sp_int.h now that it's used by wolfcrypt/src/port/arm/thumb2-poly1305-asm.S.
2024-09-13 18:01:11 -05:00