module_hooks.c 23 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714
  1. /* module_hooks.c -- module load/unload hooks for libwolfssl.ko
  2. *
  3. * Copyright (C) 2006-2023 wolfSSL Inc.
  4. *
  5. * This file is part of wolfSSL.
  6. *
  7. * wolfSSL is free software; you can redistribute it and/or modify
  8. * it under the terms of the GNU General Public License as published by
  9. * the Free Software Foundation; either version 2 of the License, or
  10. * (at your option) any later version.
  11. *
  12. * wolfSSL is distributed in the hope that it will be useful,
  13. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  15. * GNU General Public License for more details.
  16. *
  17. * You should have received a copy of the GNU General Public License
  18. * along with this program; if not, write to the Free Software
  19. * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  20. */
  21. #ifndef WOLFSSL_LICENSE
  22. #define WOLFSSL_LICENSE "GPL v2"
  23. #endif
  24. #define FIPS_NO_WRAPPERS
  25. #define WOLFSSL_NEED_LINUX_CURRENT
  26. #ifdef HAVE_CONFIG_H
  27. #include <config.h>
  28. #endif
  29. #include <wolfssl/wolfcrypt/settings.h>
  30. #include <wolfssl/wolfcrypt/error-crypt.h>
  31. #ifdef WOLFCRYPT_ONLY
  32. #include <wolfssl/version.h>
  33. #else
  34. #include <wolfssl/ssl.h>
  35. #endif
  36. #ifdef HAVE_FIPS
  37. #include <wolfssl/wolfcrypt/fips_test.h>
  38. #endif
  39. #ifndef NO_CRYPT_TEST
  40. #include <wolfcrypt/test/test.h>
  41. #include <linux/delay.h>
  42. #endif
  43. static int libwolfssl_cleanup(void) {
  44. int ret;
  45. #ifdef WOLFCRYPT_ONLY
  46. ret = wolfCrypt_Cleanup();
  47. if (ret != 0)
  48. pr_err("wolfCrypt_Cleanup() failed: %s\n", wc_GetErrorString(ret));
  49. else
  50. pr_info("wolfCrypt " LIBWOLFSSL_VERSION_STRING " cleanup complete.\n");
  51. #else
  52. ret = wolfSSL_Cleanup();
  53. if (ret != WOLFSSL_SUCCESS)
  54. pr_err("wolfSSL_Cleanup() failed: %s\n", wc_GetErrorString(ret));
  55. else
  56. pr_info("wolfSSL " LIBWOLFSSL_VERSION_STRING " cleanup complete.\n");
  57. #endif
  58. return ret;
  59. }
  60. #ifdef HAVE_LINUXKM_PIE_SUPPORT
  61. extern int wolfCrypt_PIE_first_function(void);
  62. extern int wolfCrypt_PIE_last_function(void);
  63. extern const unsigned int wolfCrypt_PIE_rodata_start[];
  64. extern const unsigned int wolfCrypt_PIE_rodata_end[];
  65. /* cheap portable ad-hoc hash function to confirm bitwise stability of the PIE
  66. * binary image.
  67. */
  68. static unsigned int hash_span(char *start, char *end) {
  69. unsigned int sum = 1;
  70. while (start < end) {
  71. unsigned int rotate_by;
  72. sum ^= *start++;
  73. rotate_by = (sum ^ (sum >> 5)) & 31;
  74. sum = (sum << rotate_by) | (sum >> (32 - rotate_by));
  75. }
  76. return sum;
  77. }
  78. #ifdef USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE
  79. extern struct wolfssl_linuxkm_pie_redirect_table wolfssl_linuxkm_pie_redirect_table;
  80. static int set_up_wolfssl_linuxkm_pie_redirect_table(void);
  81. #endif /* USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE */
  82. #endif /* HAVE_LINUXKM_PIE_SUPPORT */
  83. #ifdef HAVE_FIPS
  84. static void lkmFipsCb(int ok, int err, const char* hash)
  85. {
  86. if ((! ok) || (err != 0))
  87. pr_err("libwolfssl FIPS error: %s\n", wc_GetErrorString(err));
  88. if (err == IN_CORE_FIPS_E) {
  89. pr_err("In-core integrity hash check failure.\n"
  90. "Update verifyCore[] in fips_test.c with new hash \"%s\" and rebuild.\n",
  91. hash ? hash : "<null>");
  92. }
  93. }
  94. #endif
  95. #ifdef WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE
  96. #ifndef CONFIG_MODULE_SIG
  97. #error WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE requires a CONFIG_MODULE_SIG kernel.
  98. #endif
  99. static int updateFipsHash(void);
  100. #endif
  101. #ifdef WOLFSSL_LINUXKM_BENCHMARKS
  102. #undef HAVE_PTHREAD
  103. #define STRING_USER
  104. #define NO_MAIN_FUNCTION
  105. #define current_time benchmark_current_time
  106. #define WOLFSSL_NO_FLOAT_FMT
  107. #include "wolfcrypt/benchmark/benchmark.c"
  108. #endif /* WOLFSSL_LINUXKM_BENCHMARKS */
  109. #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 0, 0)
  110. static int __init wolfssl_init(void)
  111. #else
  112. static int wolfssl_init(void)
  113. #endif
  114. {
  115. int ret;
  116. #ifdef WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE
  117. if (THIS_MODULE->sig_ok == false) {
  118. pr_err("wolfSSL module load aborted -- bad or missing module signature with FIPS dynamic hash.\n");
  119. return -ECANCELED;
  120. }
  121. ret = updateFipsHash();
  122. if (ret < 0) {
  123. pr_err("wolfSSL module load aborted -- updateFipsHash: %s\n",wc_GetErrorString(ret));
  124. return -ECANCELED;
  125. }
  126. #endif
  127. #ifdef USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE
  128. ret = set_up_wolfssl_linuxkm_pie_redirect_table();
  129. if (ret < 0)
  130. return ret;
  131. #endif
  132. #ifdef HAVE_LINUXKM_PIE_SUPPORT
  133. #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 4, 0)
  134. /* see linux commit ac3b432839 */
  135. #define THIS_MODULE_TEXT_BASE (THIS_MODULE->mem[MOD_TEXT].base)
  136. #define THIS_MODULE_TEXT_SIZE (THIS_MODULE->mem[MOD_TEXT].size)
  137. #define THIS_MODULE_RO_BASE (THIS_MODULE->mem[MOD_RODATA].base)
  138. #define THIS_MODULE_RO_SIZE (THIS_MODULE->mem[MOD_RODATA].size)
  139. #elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 5, 0)
  140. #define THIS_MODULE_TEXT_BASE (THIS_MODULE->core_layout.base)
  141. #define THIS_MODULE_TEXT_SIZE (THIS_MODULE->core_layout.text_size)
  142. #define THIS_MODULE_RO_BASE ((char *)THIS_MODULE->core_layout.base + THIS_MODULE->core_layout.text_size)
  143. #define THIS_MODULE_RO_SIZE (THIS_MODULE->core_layout.ro_size)
  144. #else
  145. #define THIS_MODULE_TEXT_BASE (THIS_MODULE->module_core)
  146. #define THIS_MODULE_TEXT_SIZE (THIS_MODULE->core_text_size)
  147. #define THIS_MODULE_RO_BASE ((char *)THIS_MODULE->module_core + THIS_MODULE->core_ro_size)
  148. #define THIS_MODULE_RO_SIZE (THIS_MODULE->core_ro_size)
  149. #endif
  150. {
  151. char *pie_text_start = (char *)wolfCrypt_PIE_first_function;
  152. char *pie_text_end = (char *)wolfCrypt_PIE_last_function;
  153. char *pie_rodata_start = (char *)wolfCrypt_PIE_rodata_start;
  154. char *pie_rodata_end = (char *)wolfCrypt_PIE_rodata_end;
  155. unsigned int text_hash, rodata_hash;
  156. if ((pie_text_start < pie_text_end) &&
  157. (pie_text_start >= (char *)THIS_MODULE_TEXT_BASE) &&
  158. (pie_text_end - (char *)THIS_MODULE_TEXT_BASE <= THIS_MODULE_TEXT_SIZE))
  159. {
  160. text_hash = hash_span(pie_text_start, pie_text_end);
  161. } else {
  162. pr_info("out-of-bounds PIE fenceposts! pie_text_start=%px pie_text_end=%px (span=%lu)"
  163. " core_layout.base=%px text_end=%px\n",
  164. pie_text_start,
  165. pie_text_end,
  166. pie_text_end-pie_text_start,
  167. THIS_MODULE_TEXT_BASE,
  168. (char *)THIS_MODULE_TEXT_BASE + THIS_MODULE_TEXT_SIZE);
  169. text_hash = 0;
  170. }
  171. if ((pie_rodata_start < pie_rodata_end) && // cppcheck-suppress comparePointers
  172. (pie_rodata_start >= (char *)THIS_MODULE_RO_BASE) &&
  173. (pie_rodata_end - (char *)THIS_MODULE_RO_BASE <= THIS_MODULE_RO_SIZE))
  174. {
  175. rodata_hash = hash_span(pie_rodata_start, pie_rodata_end);
  176. } else {
  177. pr_info("out-of-bounds PIE fenceposts! pie_rodata_start=%px pie_rodata_end=%px (span=%lu)"
  178. " core_layout.base+core_layout.text_size=%px rodata_end=%px\n",
  179. pie_rodata_start,
  180. pie_rodata_end,
  181. pie_rodata_end-pie_rodata_start,
  182. (char *)THIS_MODULE_RO_BASE,
  183. (char *)THIS_MODULE_RO_BASE + THIS_MODULE_RO_SIZE);
  184. rodata_hash = 0;
  185. }
  186. /* note, "%pK" conceals the actual layout information. "%px" exposes
  187. * the true module start address, which is potentially useful to an
  188. * attacker.
  189. */
  190. pr_info("wolfCrypt container hashes (spans): text 0x%x (%lu), rodata 0x%x (%lu)\n",
  191. text_hash, pie_text_end-pie_text_start,
  192. rodata_hash, pie_rodata_end-pie_rodata_start);
  193. }
  194. #endif /* HAVE_LINUXKM_PIE_SUPPORT */
  195. #ifdef HAVE_FIPS
  196. ret = wolfCrypt_SetCb_fips(lkmFipsCb);
  197. if (ret != 0) {
  198. pr_err("wolfCrypt_SetCb_fips() failed: %s\n", wc_GetErrorString(ret));
  199. return -ECANCELED;
  200. }
  201. fipsEntry();
  202. ret = wolfCrypt_GetStatus_fips();
  203. if (ret != 0) {
  204. pr_err("wolfCrypt_GetStatus_fips() failed: %s\n", wc_GetErrorString(ret));
  205. if (ret == IN_CORE_FIPS_E) {
  206. const char *newhash = wolfCrypt_GetCoreHash_fips();
  207. pr_err("Update verifyCore[] in fips_test.c with new hash \"%s\" and rebuild.\n",
  208. newhash ? newhash : "<null>");
  209. }
  210. return -ECANCELED;
  211. }
  212. pr_info("wolfCrypt FIPS ["
  213. #if defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION == 3)
  214. "ready"
  215. #elif defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION == 2) \
  216. && defined(WOLFCRYPT_FIPS_RAND)
  217. "140-2 rand"
  218. #elif defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION == 2)
  219. "140-2"
  220. #else
  221. "140"
  222. #endif
  223. "] POST succeeded.\n");
  224. #endif /* HAVE_FIPS */
  225. #ifdef WC_RNG_SEED_CB
  226. ret = wc_SetSeed_Cb(wc_GenerateSeed);
  227. if (ret < 0) {
  228. pr_err("wc_SetSeed_Cb() failed with return code %d.\n", ret);
  229. (void)libwolfssl_cleanup();
  230. msleep(10);
  231. return -ECANCELED;
  232. }
  233. #endif
  234. #ifdef WOLFCRYPT_ONLY
  235. ret = wolfCrypt_Init();
  236. if (ret != 0) {
  237. pr_err("wolfCrypt_Init() failed: %s\n", wc_GetErrorString(ret));
  238. return -ECANCELED;
  239. }
  240. #else
  241. ret = wolfSSL_Init();
  242. if (ret != WOLFSSL_SUCCESS) {
  243. pr_err("wolfSSL_Init() failed: %s\n", wc_GetErrorString(ret));
  244. return -ECANCELED;
  245. }
  246. #endif
  247. #ifndef NO_CRYPT_TEST
  248. ret = wolfcrypt_test(NULL);
  249. if (ret < 0) {
  250. pr_err("wolfcrypt self-test failed with return code %d.\n", ret);
  251. (void)libwolfssl_cleanup();
  252. msleep(10);
  253. return -ECANCELED;
  254. }
  255. pr_info("wolfCrypt self-test passed.\n");
  256. #endif
  257. #ifdef WOLFSSL_LINUXKM_BENCHMARKS
  258. wolfcrypt_benchmark_main(0, (char**)NULL);
  259. #endif
  260. #ifdef WOLFCRYPT_ONLY
  261. pr_info("wolfCrypt " LIBWOLFSSL_VERSION_STRING " loaded%s"
  262. ".\nSee https://www.wolfssl.com/ for more information.\n"
  263. "wolfCrypt Copyright (C) 2006-present wolfSSL Inc. Licensed under " WOLFSSL_LICENSE ".\n",
  264. #ifdef CONFIG_MODULE_SIG
  265. THIS_MODULE->sig_ok ? " with valid module signature" : " without valid module signature"
  266. #else
  267. ""
  268. #endif
  269. );
  270. #else
  271. pr_info("wolfSSL " LIBWOLFSSL_VERSION_STRING " loaded%s"
  272. ".\nSee https://www.wolfssl.com/ for more information.\n"
  273. "wolfSSL Copyright (C) 2006-present wolfSSL Inc. Licensed under " WOLFSSL_LICENSE ".\n",
  274. #ifdef CONFIG_MODULE_SIG
  275. THIS_MODULE->sig_ok ? " with valid module signature" : " without valid module signature"
  276. #else
  277. ""
  278. #endif
  279. );
  280. #endif
  281. return 0;
  282. }
  283. module_init(wolfssl_init);
  284. #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 0, 0)
  285. static void __exit wolfssl_exit(void)
  286. #else
  287. static void wolfssl_exit(void)
  288. #endif
  289. {
  290. (void)libwolfssl_cleanup();
  291. return;
  292. }
  293. module_exit(wolfssl_exit);
  294. MODULE_LICENSE(WOLFSSL_LICENSE);
  295. MODULE_AUTHOR("https://www.wolfssl.com/");
  296. MODULE_DESCRIPTION("libwolfssl cryptographic and protocol facilities");
  297. MODULE_VERSION(LIBWOLFSSL_VERSION_STRING);
  298. #ifdef USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE
  299. /* get_current() is an inline or macro, depending on the target -- sidestep the whole issue with a wrapper func. */
  300. static struct task_struct *my_get_current_thread(void) {
  301. return get_current();
  302. }
  303. /* ditto for preempt_count(). */
  304. static int my_preempt_count(void) {
  305. return preempt_count();
  306. }
  307. static int set_up_wolfssl_linuxkm_pie_redirect_table(void) {
  308. memset(
  309. &wolfssl_linuxkm_pie_redirect_table,
  310. 0,
  311. sizeof wolfssl_linuxkm_pie_redirect_table);
  312. #ifndef __ARCH_MEMCMP_NO_REDIRECT
  313. wolfssl_linuxkm_pie_redirect_table.memcmp = memcmp;
  314. #endif
  315. #ifndef __ARCH_MEMCPY_NO_REDIRECT
  316. wolfssl_linuxkm_pie_redirect_table.memcpy = memcpy;
  317. #endif
  318. #ifndef __ARCH_MEMSET_NO_REDIRECT
  319. wolfssl_linuxkm_pie_redirect_table.memset = memset;
  320. #endif
  321. #ifndef __ARCH_MEMMOVE_NO_REDIRECT
  322. wolfssl_linuxkm_pie_redirect_table.memmove = memmove;
  323. #endif
  324. #ifndef __ARCH_STRCMP_NO_REDIRECT
  325. wolfssl_linuxkm_pie_redirect_table.strcmp = strcmp;
  326. #endif
  327. #ifndef __ARCH_STRNCMP_NO_REDIRECT
  328. wolfssl_linuxkm_pie_redirect_table.strncmp = strncmp;
  329. #endif
  330. #ifndef __ARCH_STRCASECMP_NO_REDIRECT
  331. wolfssl_linuxkm_pie_redirect_table.strcasecmp = strcasecmp;
  332. #endif
  333. #ifndef __ARCH_STRNCASECMP_NO_REDIRECT
  334. wolfssl_linuxkm_pie_redirect_table.strncasecmp = strncasecmp;
  335. #endif
  336. #ifndef __ARCH_STRLEN_NO_REDIRECT
  337. wolfssl_linuxkm_pie_redirect_table.strlen = strlen;
  338. #endif
  339. #ifndef __ARCH_STRSTR_NO_REDIRECT
  340. wolfssl_linuxkm_pie_redirect_table.strstr = strstr;
  341. #endif
  342. #ifndef __ARCH_STRNCPY_NO_REDIRECT
  343. wolfssl_linuxkm_pie_redirect_table.strncpy = strncpy;
  344. #endif
  345. #ifndef __ARCH_STRNCAT_NO_REDIRECT
  346. wolfssl_linuxkm_pie_redirect_table.strncat = strncat;
  347. #endif
  348. wolfssl_linuxkm_pie_redirect_table.kstrtoll = kstrtoll;
  349. #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 15, 0)
  350. wolfssl_linuxkm_pie_redirect_table._printk = _printk;
  351. #else
  352. wolfssl_linuxkm_pie_redirect_table.printk = printk;
  353. #endif
  354. wolfssl_linuxkm_pie_redirect_table.snprintf = snprintf;
  355. wolfssl_linuxkm_pie_redirect_table._ctype = _ctype;
  356. wolfssl_linuxkm_pie_redirect_table.kmalloc = kmalloc;
  357. wolfssl_linuxkm_pie_redirect_table.kfree = kfree;
  358. wolfssl_linuxkm_pie_redirect_table.ksize = ksize;
  359. wolfssl_linuxkm_pie_redirect_table.krealloc = krealloc;
  360. #ifdef HAVE_KVMALLOC
  361. wolfssl_linuxkm_pie_redirect_table.kvmalloc_node = kvmalloc_node;
  362. wolfssl_linuxkm_pie_redirect_table.kvfree = kvfree;
  363. #endif
  364. wolfssl_linuxkm_pie_redirect_table.is_vmalloc_addr = is_vmalloc_addr;
  365. #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0)
  366. wolfssl_linuxkm_pie_redirect_table.kmalloc_trace =
  367. kmalloc_trace;
  368. #else
  369. wolfssl_linuxkm_pie_redirect_table.kmem_cache_alloc_trace =
  370. kmem_cache_alloc_trace;
  371. wolfssl_linuxkm_pie_redirect_table.kmalloc_order_trace =
  372. kmalloc_order_trace;
  373. #endif
  374. wolfssl_linuxkm_pie_redirect_table.get_random_bytes = get_random_bytes;
  375. #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0)
  376. wolfssl_linuxkm_pie_redirect_table.getnstimeofday =
  377. getnstimeofday;
  378. #elif LINUX_VERSION_CODE < KERNEL_VERSION(5, 0, 0)
  379. wolfssl_linuxkm_pie_redirect_table.current_kernel_time64 =
  380. current_kernel_time64;
  381. #else
  382. wolfssl_linuxkm_pie_redirect_table.ktime_get_coarse_real_ts64 =
  383. ktime_get_coarse_real_ts64;
  384. #endif
  385. wolfssl_linuxkm_pie_redirect_table.get_current = my_get_current_thread;
  386. wolfssl_linuxkm_pie_redirect_table.preempt_count = my_preempt_count;
  387. #ifdef WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS
  388. #if LINUX_VERSION_CODE < KERNEL_VERSION(6, 2, 0)
  389. wolfssl_linuxkm_pie_redirect_table.cpu_number = &cpu_number;
  390. #else
  391. wolfssl_linuxkm_pie_redirect_table.pcpu_hot = &pcpu_hot;
  392. #endif
  393. wolfssl_linuxkm_pie_redirect_table.nr_cpu_ids = &nr_cpu_ids;
  394. #if defined(CONFIG_SMP) && (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 7, 0))
  395. wolfssl_linuxkm_pie_redirect_table.migrate_disable = &migrate_disable;
  396. wolfssl_linuxkm_pie_redirect_table.migrate_enable = &migrate_enable;
  397. #endif
  398. #ifdef WOLFSSL_LINUXKM_SIMD_X86
  399. wolfssl_linuxkm_pie_redirect_table.irq_fpu_usable = irq_fpu_usable;
  400. #ifdef kernel_fpu_begin
  401. wolfssl_linuxkm_pie_redirect_table.kernel_fpu_begin_mask =
  402. kernel_fpu_begin_mask;
  403. #else
  404. wolfssl_linuxkm_pie_redirect_table.kernel_fpu_begin =
  405. kernel_fpu_begin;
  406. #endif
  407. wolfssl_linuxkm_pie_redirect_table.kernel_fpu_end = kernel_fpu_end;
  408. #endif /* WOLFSSL_LINUXKM_SIMD_X86 */
  409. #endif /* WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS */
  410. wolfssl_linuxkm_pie_redirect_table.__mutex_init = __mutex_init;
  411. #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0)
  412. wolfssl_linuxkm_pie_redirect_table.mutex_lock_nested = mutex_lock_nested;
  413. #else
  414. wolfssl_linuxkm_pie_redirect_table.mutex_lock = mutex_lock;
  415. #endif
  416. wolfssl_linuxkm_pie_redirect_table.mutex_unlock = mutex_unlock;
  417. #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0)
  418. wolfssl_linuxkm_pie_redirect_table.mutex_destroy = mutex_destroy;
  419. #endif
  420. #ifdef HAVE_FIPS
  421. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_first =
  422. wolfCrypt_FIPS_first;
  423. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_last =
  424. wolfCrypt_FIPS_last;
  425. #endif
  426. #if !defined(WOLFCRYPT_ONLY) && !defined(NO_CERTS)
  427. wolfssl_linuxkm_pie_redirect_table.GetCA = GetCA;
  428. #ifndef NO_SKID
  429. wolfssl_linuxkm_pie_redirect_table.GetCAByName = GetCAByName;
  430. #endif
  431. #endif
  432. /* runtime assert that the table has no null slots after initialization. */
  433. {
  434. unsigned long *i;
  435. for (i = (unsigned long *)&wolfssl_linuxkm_pie_redirect_table;
  436. i < (unsigned long *)&wolfssl_linuxkm_pie_redirect_table._last_slot;
  437. ++i)
  438. if (*i == 0) {
  439. pr_err("wolfCrypt container redirect table initialization was incomplete.\n");
  440. return -EFAULT;
  441. }
  442. }
  443. return 0;
  444. }
  445. #endif /* USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE */
  446. #ifdef WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE
  447. #include <wolfssl/wolfcrypt/coding.h>
  448. PRAGMA_GCC_DIAG_PUSH
  449. PRAGMA_GCC("GCC diagnostic ignored \"-Wnested-externs\"")
  450. PRAGMA_GCC("GCC diagnostic ignored \"-Wpointer-arith\"")
  451. #include <crypto/hash.h>
  452. PRAGMA_GCC_DIAG_POP
  453. extern char verifyCore[WC_SHA256_DIGEST_SIZE*2 + 1];
  454. extern const char coreKey[WC_SHA256_DIGEST_SIZE*2 + 1];
  455. extern const unsigned int wolfCrypt_FIPS_ro_start[];
  456. extern const unsigned int wolfCrypt_FIPS_ro_end[];
  457. #define FIPS_IN_CORE_KEY_SZ 32
  458. #define FIPS_IN_CORE_VERIFY_SZ FIPS_IN_CORE_KEY_SZ
  459. typedef int (*fips_address_function)(void);
  460. #define MAX_FIPS_DATA_SZ 100000
  461. #define MAX_FIPS_CODE_SZ 1000000
  462. extern int GenBase16_Hash(const byte* in, int length, char* out, int outSz);
  463. static int updateFipsHash(void)
  464. {
  465. struct crypto_shash *tfm = NULL;
  466. struct shash_desc *desc = NULL;
  467. word32 verifySz = FIPS_IN_CORE_VERIFY_SZ;
  468. word32 binCoreSz = FIPS_IN_CORE_KEY_SZ;
  469. int ret;
  470. byte *hash = NULL;
  471. char *base16_hash = NULL;
  472. byte *binCoreKey = NULL;
  473. byte *binVerify = NULL;
  474. fips_address_function first = wolfCrypt_FIPS_first;
  475. fips_address_function last = wolfCrypt_FIPS_last;
  476. char* start = (char*)wolfCrypt_FIPS_ro_start;
  477. char* end = (char*)wolfCrypt_FIPS_ro_end;
  478. unsigned long code_sz = (unsigned long)last - (unsigned long)first;
  479. unsigned long data_sz = (unsigned long)end - (unsigned long)start;
  480. if (data_sz == 0 || data_sz > MAX_FIPS_DATA_SZ)
  481. return BAD_FUNC_ARG; /* bad fips data size */
  482. if (code_sz == 0 || code_sz > MAX_FIPS_CODE_SZ)
  483. return BAD_FUNC_ARG; /* bad fips code size */
  484. hash = XMALLOC(WC_SHA256_DIGEST_SIZE, 0, DYNAMIC_TYPE_TMP_BUFFER);
  485. if (hash == NULL) {
  486. ret = MEMORY_E;
  487. goto out;
  488. }
  489. base16_hash = XMALLOC(WC_SHA256_DIGEST_SIZE*2 + 1, 0, DYNAMIC_TYPE_TMP_BUFFER);
  490. if (base16_hash == NULL) {
  491. ret = MEMORY_E;
  492. goto out;
  493. }
  494. binCoreKey = XMALLOC(binCoreSz, 0, DYNAMIC_TYPE_TMP_BUFFER);
  495. if (binCoreKey == NULL) {
  496. ret = MEMORY_E;
  497. goto out;
  498. }
  499. binVerify = XMALLOC(verifySz, 0, DYNAMIC_TYPE_TMP_BUFFER);
  500. if (binVerify == NULL) {
  501. ret = MEMORY_E;
  502. goto out;
  503. }
  504. {
  505. word32 base16_out_len = binCoreSz;
  506. ret = Base16_Decode((const byte *)coreKey, sizeof coreKey - 1, binCoreKey, &base16_out_len);
  507. if (ret != 0) {
  508. pr_err("Base16_Decode for coreKey: %s\n", wc_GetErrorString(ret));
  509. goto out;
  510. }
  511. if (base16_out_len != binCoreSz) {
  512. pr_err("unexpected output length %u for coreKey from Base16_Decode.\n",base16_out_len);
  513. ret = BAD_STATE_E;
  514. goto out;
  515. }
  516. }
  517. tfm = crypto_alloc_shash("hmac(sha256)", 0, 0);
  518. if (IS_ERR(tfm)) {
  519. if (PTR_ERR(tfm) == -ENOMEM) {
  520. pr_err("crypto_alloc_shash failed: out of memory\n");
  521. ret = MEMORY_E;
  522. } else if (PTR_ERR(tfm) == -ENOENT) {
  523. pr_err("crypto_alloc_shash failed: kernel is missing hmac(sha256) implementation\n");
  524. pr_err("check for CONFIG_CRYPTO_SHA256 and CONFIG_CRYPTO_HMAC.\n");
  525. ret = NOT_COMPILED_IN;
  526. } else {
  527. pr_err("crypto_alloc_shash failed with ret %ld\n",PTR_ERR(tfm));
  528. ret = HASH_TYPE_E;
  529. }
  530. tfm = NULL;
  531. goto out;
  532. }
  533. {
  534. size_t desc_size = crypto_shash_descsize(tfm) + sizeof *desc;
  535. desc = XMALLOC(desc_size, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  536. if (desc == NULL) {
  537. pr_err("failed allocating desc.");
  538. ret = MEMORY_E;
  539. goto out;
  540. }
  541. XMEMSET(desc, 0, desc_size);
  542. }
  543. ret = crypto_shash_setkey(tfm, binCoreKey, binCoreSz);
  544. if (ret) {
  545. pr_err("crypto_ahash_setkey failed: err %d\n", ret);
  546. ret = BAD_STATE_E;
  547. goto out;
  548. }
  549. desc->tfm = tfm;
  550. ret = crypto_shash_init(desc);
  551. if (ret) {
  552. pr_err("crypto_shash_init failed: err %d\n", ret);
  553. ret = BAD_STATE_E;
  554. goto out;
  555. }
  556. ret = crypto_shash_update(desc, (byte *)(wc_ptr_t)first, (word32)code_sz);
  557. if (ret) {
  558. pr_err("crypto_shash_update failed: err %d\n", ret);
  559. ret = BAD_STATE_E;
  560. goto out;
  561. }
  562. /* don't hash verifyCore or changing verifyCore will change hash */
  563. if (verifyCore >= start && verifyCore < end) {
  564. data_sz = (unsigned long)verifyCore - (unsigned long)start;
  565. ret = crypto_shash_update(desc, (byte*)start, (word32)data_sz);
  566. if (ret) {
  567. pr_err("crypto_shash_update failed: err %d\n", ret);
  568. ret = BAD_STATE_E;
  569. goto out;
  570. }
  571. start = (char*)verifyCore + sizeof(verifyCore);
  572. data_sz = (unsigned long)end - (unsigned long)start;
  573. }
  574. ret = crypto_shash_update(desc, (byte*)start, (word32)data_sz);
  575. if (ret) {
  576. pr_err("crypto_shash_update failed: err %d\n", ret);
  577. ret = BAD_STATE_E;
  578. goto out;
  579. }
  580. ret = crypto_shash_final(desc, hash);
  581. if (ret) {
  582. pr_err("crypto_shash_final failed: err %d\n", ret);
  583. ret = BAD_STATE_E;
  584. goto out;
  585. }
  586. ret = GenBase16_Hash(hash, WC_SHA256_DIGEST_SIZE, base16_hash, WC_SHA256_DIGEST_SIZE*2 + 1);
  587. if (ret != 0) {
  588. pr_err("GenBase16_Hash failed: %s\n", wc_GetErrorString(ret));
  589. goto out;
  590. }
  591. {
  592. word32 base16_out_len = verifySz;
  593. ret = Base16_Decode((const byte *)verifyCore, sizeof verifyCore - 1, binVerify, &base16_out_len);
  594. if (ret != 0) {
  595. pr_err("Base16_Decode for verifyCore: %s\n", wc_GetErrorString(ret));
  596. goto out;
  597. }
  598. if (base16_out_len != binCoreSz) {
  599. pr_err("unexpected output length %u for verifyCore from Base16_Decode.\n",base16_out_len);
  600. ret = BAD_STATE_E;
  601. goto out;
  602. }
  603. }
  604. if (XMEMCMP(hash, binVerify, WC_SHA256_DIGEST_SIZE) == 0)
  605. pr_info("updateFipsHash: verifyCore already matches.\n");
  606. else {
  607. XMEMCPY(verifyCore, base16_hash, WC_SHA256_DIGEST_SIZE*2 + 1);
  608. pr_info("updateFipsHash: verifyCore updated.\n");
  609. }
  610. ret = 0;
  611. out:
  612. if (tfm != NULL)
  613. crypto_free_shash(tfm);
  614. if (desc != NULL)
  615. XFREE(desc, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  616. if (hash != NULL)
  617. XFREE(hash, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  618. if (base16_hash != NULL)
  619. XFREE(base16_hash, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  620. if (binCoreKey != NULL)
  621. XFREE(binCoreKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  622. if (binVerify != NULL)
  623. XFREE(binVerify, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  624. return ret;
  625. }
  626. #endif /* WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE */