1
0

module_hooks.c 27 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814
  1. /* module_hooks.c -- module load/unload hooks for libwolfssl.ko
  2. *
  3. * Copyright (C) 2006-2023 wolfSSL Inc.
  4. *
  5. * This file is part of wolfSSL.
  6. *
  7. * wolfSSL is free software; you can redistribute it and/or modify
  8. * it under the terms of the GNU General Public License as published by
  9. * the Free Software Foundation; either version 2 of the License, or
  10. * (at your option) any later version.
  11. *
  12. * wolfSSL is distributed in the hope that it will be useful,
  13. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  15. * GNU General Public License for more details.
  16. *
  17. * You should have received a copy of the GNU General Public License
  18. * along with this program; if not, write to the Free Software
  19. * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  20. */
  21. #ifndef WOLFSSL_LICENSE
  22. #ifdef WOLFSSL_COMMERCIAL_LICENSE
  23. #define WOLFSSL_LICENSE "wolfSSL Commercial"
  24. #else
  25. #define WOLFSSL_LICENSE "GPL v2"
  26. #endif
  27. #endif
  28. #define FIPS_NO_WRAPPERS
  29. #define WOLFSSL_NEED_LINUX_CURRENT
  30. #ifdef HAVE_CONFIG_H
  31. #include <config.h>
  32. #endif
  33. #include <wolfssl/wolfcrypt/settings.h>
  34. #include <wolfssl/wolfcrypt/error-crypt.h>
  35. #ifdef WOLFCRYPT_ONLY
  36. #include <wolfssl/version.h>
  37. #else
  38. #include <wolfssl/ssl.h>
  39. #endif
  40. #ifdef HAVE_FIPS
  41. #include <wolfssl/wolfcrypt/fips_test.h>
  42. #endif
  43. #ifndef NO_CRYPT_TEST
  44. #include <wolfcrypt/test/test.h>
  45. #endif
  46. static int libwolfssl_cleanup(void) {
  47. int ret;
  48. #ifdef WOLFCRYPT_ONLY
  49. ret = wolfCrypt_Cleanup();
  50. if (ret != 0)
  51. pr_err("wolfCrypt_Cleanup() failed: %s\n", wc_GetErrorString(ret));
  52. else
  53. pr_info("wolfCrypt " LIBWOLFSSL_VERSION_STRING " cleanup complete.\n");
  54. #else
  55. ret = wolfSSL_Cleanup();
  56. if (ret != WOLFSSL_SUCCESS)
  57. pr_err("wolfSSL_Cleanup() failed: %s\n", wc_GetErrorString(ret));
  58. else
  59. pr_info("wolfSSL " LIBWOLFSSL_VERSION_STRING " cleanup complete.\n");
  60. #endif
  61. return ret;
  62. }
  63. #ifdef HAVE_LINUXKM_PIE_SUPPORT
  64. #ifdef DEBUG_LINUXKM_PIE_SUPPORT
  65. extern int wolfCrypt_PIE_first_function(void);
  66. extern int wolfCrypt_PIE_last_function(void);
  67. extern const unsigned int wolfCrypt_PIE_rodata_start[];
  68. extern const unsigned int wolfCrypt_PIE_rodata_end[];
  69. /* cheap portable ad-hoc hash function to confirm bitwise stability of the PIE
  70. * binary image.
  71. */
  72. static unsigned int hash_span(char *start, char *end) {
  73. unsigned int sum = 1;
  74. while (start < end) {
  75. unsigned int rotate_by;
  76. sum ^= *start++;
  77. rotate_by = (sum ^ (sum >> 5)) & 31;
  78. sum = (sum << rotate_by) | (sum >> (32 - rotate_by));
  79. }
  80. return sum;
  81. }
  82. #endif /* DEBUG_LINUXKM_PIE_SUPPORT */
  83. #ifdef USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE
  84. extern struct wolfssl_linuxkm_pie_redirect_table wolfssl_linuxkm_pie_redirect_table;
  85. static int set_up_wolfssl_linuxkm_pie_redirect_table(void);
  86. #endif /* USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE */
  87. #endif /* HAVE_LINUXKM_PIE_SUPPORT */
  88. #ifdef HAVE_FIPS
  89. static void lkmFipsCb(int ok, int err, const char* hash)
  90. {
  91. if ((! ok) || (err != 0))
  92. pr_err("libwolfssl FIPS error: %s\n", wc_GetErrorString(err));
  93. if (err == IN_CORE_FIPS_E) {
  94. pr_err("In-core integrity hash check failure.\n"
  95. "Update verifyCore[] in fips_test.c with new hash \"%s\" and rebuild.\n",
  96. hash ? hash : "<null>");
  97. }
  98. }
  99. #endif
  100. #ifdef WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE
  101. #ifndef CONFIG_MODULE_SIG
  102. #error WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE requires a CONFIG_MODULE_SIG kernel.
  103. #endif
  104. static int updateFipsHash(void);
  105. #endif
  106. #ifdef WOLFSSL_LINUXKM_BENCHMARKS
  107. extern int wolfcrypt_benchmark_main(int argc, char** argv);
  108. #endif /* WOLFSSL_LINUXKM_BENCHMARKS */
  109. #ifdef LINUXKM_LKCAPI_REGISTER
  110. #include "linuxkm/lkcapi_glue.c"
  111. #endif
  112. #if defined(WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS) && defined(CONFIG_X86)
  113. #include "linuxkm/x86_vector_register_glue.c"
  114. #endif
  115. #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 0, 0)
  116. static int __init wolfssl_init(void)
  117. #else
  118. static int wolfssl_init(void)
  119. #endif
  120. {
  121. int ret;
  122. #ifdef WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE
  123. if (THIS_MODULE->sig_ok == false) {
  124. pr_err("wolfSSL module load aborted -- bad or missing module signature with FIPS dynamic hash.\n");
  125. return -ECANCELED;
  126. }
  127. ret = updateFipsHash();
  128. if (ret < 0) {
  129. pr_err("wolfSSL module load aborted -- updateFipsHash: %s\n",wc_GetErrorString(ret));
  130. return -ECANCELED;
  131. }
  132. #endif
  133. #ifdef USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE
  134. ret = set_up_wolfssl_linuxkm_pie_redirect_table();
  135. if (ret < 0)
  136. return ret;
  137. #endif
  138. #if defined(HAVE_LINUXKM_PIE_SUPPORT) && defined(DEBUG_LINUXKM_PIE_SUPPORT)
  139. #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 4, 0)
  140. /* see linux commit ac3b432839 */
  141. #define THIS_MODULE_TEXT_BASE (THIS_MODULE->mem[MOD_TEXT].base)
  142. #define THIS_MODULE_TEXT_SIZE (THIS_MODULE->mem[MOD_TEXT].size)
  143. #define THIS_MODULE_RO_BASE (THIS_MODULE->mem[MOD_RODATA].base)
  144. #define THIS_MODULE_RO_SIZE (THIS_MODULE->mem[MOD_RODATA].size)
  145. #elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 5, 0)
  146. #define THIS_MODULE_TEXT_BASE (THIS_MODULE->core_layout.base)
  147. #define THIS_MODULE_TEXT_SIZE (THIS_MODULE->core_layout.text_size)
  148. #define THIS_MODULE_RO_BASE ((char *)THIS_MODULE->core_layout.base + THIS_MODULE->core_layout.text_size)
  149. #define THIS_MODULE_RO_SIZE (THIS_MODULE->core_layout.ro_size)
  150. #else
  151. #define THIS_MODULE_TEXT_BASE (THIS_MODULE->module_core)
  152. #define THIS_MODULE_TEXT_SIZE (THIS_MODULE->core_text_size)
  153. #define THIS_MODULE_RO_BASE ((char *)THIS_MODULE->module_core + THIS_MODULE->core_ro_size)
  154. #define THIS_MODULE_RO_SIZE (THIS_MODULE->core_ro_size)
  155. #endif
  156. {
  157. char *pie_text_start = (char *)wolfCrypt_PIE_first_function;
  158. char *pie_text_end = (char *)wolfCrypt_PIE_last_function;
  159. char *pie_rodata_start = (char *)wolfCrypt_PIE_rodata_start;
  160. char *pie_rodata_end = (char *)wolfCrypt_PIE_rodata_end;
  161. unsigned int text_hash, rodata_hash;
  162. if ((pie_text_start < pie_text_end) &&
  163. (pie_text_start >= (char *)THIS_MODULE_TEXT_BASE) &&
  164. (pie_text_end - (char *)THIS_MODULE_TEXT_BASE <= THIS_MODULE_TEXT_SIZE))
  165. {
  166. text_hash = hash_span(pie_text_start, pie_text_end);
  167. } else {
  168. pr_info("out-of-bounds PIE fenceposts! pie_text_start=%px pie_text_end=%px (span=%lu)"
  169. " core_layout.base=%px text_end=%px\n",
  170. pie_text_start,
  171. pie_text_end,
  172. pie_text_end-pie_text_start,
  173. THIS_MODULE_TEXT_BASE,
  174. (char *)THIS_MODULE_TEXT_BASE + THIS_MODULE_TEXT_SIZE);
  175. text_hash = 0;
  176. }
  177. if ((pie_rodata_start < pie_rodata_end) && // cppcheck-suppress comparePointers
  178. (pie_rodata_start >= (char *)THIS_MODULE_RO_BASE) &&
  179. (pie_rodata_end - (char *)THIS_MODULE_RO_BASE <= THIS_MODULE_RO_SIZE))
  180. {
  181. rodata_hash = hash_span(pie_rodata_start, pie_rodata_end);
  182. } else {
  183. pr_info("out-of-bounds PIE fenceposts! pie_rodata_start=%px pie_rodata_end=%px (span=%lu)"
  184. " core_layout.base+core_layout.text_size=%px rodata_end=%px\n",
  185. pie_rodata_start,
  186. pie_rodata_end,
  187. pie_rodata_end-pie_rodata_start,
  188. (char *)THIS_MODULE_RO_BASE,
  189. (char *)THIS_MODULE_RO_BASE + THIS_MODULE_RO_SIZE);
  190. rodata_hash = 0;
  191. }
  192. /* note, "%pK" conceals the actual layout information. "%px" exposes
  193. * the true module start address, which is potentially useful to an
  194. * attacker.
  195. */
  196. pr_info("wolfCrypt container hashes (spans): text 0x%x (%lu), rodata 0x%x (%lu)\n",
  197. text_hash, pie_text_end-pie_text_start,
  198. rodata_hash, pie_rodata_end-pie_rodata_start);
  199. }
  200. #endif /* HAVE_LINUXKM_PIE_SUPPORT && DEBUG_LINUXKM_PIE_SUPPORT */
  201. #ifdef HAVE_FIPS
  202. ret = wolfCrypt_SetCb_fips(lkmFipsCb);
  203. if (ret != 0) {
  204. pr_err("wolfCrypt_SetCb_fips() failed: %s\n", wc_GetErrorString(ret));
  205. return -ECANCELED;
  206. }
  207. fipsEntry();
  208. ret = wolfCrypt_GetStatus_fips();
  209. if (ret != 0) {
  210. pr_err("wolfCrypt_GetStatus_fips() failed with code %d: %s\n", ret, wc_GetErrorString(ret));
  211. if (ret == IN_CORE_FIPS_E) {
  212. const char *newhash = wolfCrypt_GetCoreHash_fips();
  213. pr_err("Update verifyCore[] in fips_test.c with new hash \"%s\" and rebuild.\n",
  214. newhash ? newhash : "<null>");
  215. }
  216. return -ECANCELED;
  217. }
  218. pr_info("FIPS 140-3 wolfCrypt-fips v%d.%d.%d%s%s startup "
  219. "self-test succeeded.\n",
  220. #ifdef HAVE_FIPS_VERSION_MAJOR
  221. HAVE_FIPS_VERSION_MAJOR,
  222. #else
  223. HAVE_FIPS_VERSION,
  224. #endif
  225. #ifdef HAVE_FIPS_VERSION_MINOR
  226. HAVE_FIPS_VERSION_MINOR,
  227. #else
  228. 0,
  229. #endif
  230. #ifdef HAVE_FIPS_VERSION_PATCH
  231. HAVE_FIPS_VERSION_PATCH,
  232. #else
  233. 0,
  234. #endif
  235. #ifdef HAVE_FIPS_VERSION_PORT
  236. "-",
  237. HAVE_FIPS_VERSION_PORT
  238. #else
  239. "",
  240. ""
  241. #endif
  242. );
  243. #endif /* HAVE_FIPS */
  244. #ifdef WC_RNG_SEED_CB
  245. ret = wc_SetSeed_Cb(wc_GenerateSeed);
  246. if (ret < 0) {
  247. pr_err("wc_SetSeed_Cb() failed with return code %d.\n", ret);
  248. (void)libwolfssl_cleanup();
  249. msleep(10);
  250. return -ECANCELED;
  251. }
  252. #endif
  253. #ifdef WOLFCRYPT_ONLY
  254. ret = wolfCrypt_Init();
  255. if (ret != 0) {
  256. pr_err("wolfCrypt_Init() failed: %s\n", wc_GetErrorString(ret));
  257. return -ECANCELED;
  258. }
  259. #else
  260. ret = wolfSSL_Init();
  261. if (ret != WOLFSSL_SUCCESS) {
  262. pr_err("wolfSSL_Init() failed: %s\n", wc_GetErrorString(ret));
  263. return -ECANCELED;
  264. }
  265. #endif
  266. #ifndef NO_CRYPT_TEST
  267. ret = wolfcrypt_test(NULL);
  268. if (ret < 0) {
  269. pr_err("wolfcrypt self-test failed with return code %d.\n", ret);
  270. (void)libwolfssl_cleanup();
  271. msleep(10);
  272. return -ECANCELED;
  273. }
  274. pr_info("wolfCrypt self-test passed.\n");
  275. #else
  276. pr_info("skipping full wolfcrypt_test() "
  277. "(configure with --enable-crypttests to enable).\n");
  278. #endif
  279. #ifdef LINUXKM_LKCAPI_REGISTER
  280. ret = linuxkm_lkcapi_register();
  281. if (ret) {
  282. pr_err("linuxkm_lkcapi_register() failed with return code %d.\n", ret);
  283. linuxkm_lkcapi_unregister();
  284. (void)libwolfssl_cleanup();
  285. msleep(10);
  286. return -ECANCELED;
  287. }
  288. #endif
  289. #ifdef WOLFSSL_LINUXKM_BENCHMARKS
  290. wolfcrypt_benchmark_main(0, (char**)NULL);
  291. #endif
  292. #ifdef WOLFCRYPT_ONLY
  293. pr_info("wolfCrypt " LIBWOLFSSL_VERSION_STRING " loaded%s"
  294. ".\nSee https://www.wolfssl.com/ for more information.\n"
  295. "wolfCrypt Copyright (C) 2006-present wolfSSL Inc. Licensed under " WOLFSSL_LICENSE ".\n",
  296. #ifdef CONFIG_MODULE_SIG
  297. THIS_MODULE->sig_ok ? " with valid module signature" : " without valid module signature"
  298. #else
  299. ""
  300. #endif
  301. );
  302. #else
  303. pr_info("wolfSSL " LIBWOLFSSL_VERSION_STRING " loaded%s"
  304. ".\nSee https://www.wolfssl.com/ for more information.\n"
  305. "wolfSSL Copyright (C) 2006-present wolfSSL Inc. Licensed under " WOLFSSL_LICENSE ".\n",
  306. #ifdef CONFIG_MODULE_SIG
  307. THIS_MODULE->sig_ok ? " with valid module signature" : " without valid module signature"
  308. #else
  309. ""
  310. #endif
  311. );
  312. #endif
  313. return 0;
  314. }
  315. module_init(wolfssl_init);
  316. #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 0, 0)
  317. static void __exit wolfssl_exit(void)
  318. #else
  319. static void wolfssl_exit(void)
  320. #endif
  321. {
  322. #ifdef LINUXKM_LKCAPI_REGISTER
  323. linuxkm_lkcapi_unregister();
  324. #endif
  325. (void)libwolfssl_cleanup();
  326. return;
  327. }
  328. module_exit(wolfssl_exit);
  329. MODULE_LICENSE(WOLFSSL_LICENSE);
  330. MODULE_AUTHOR("https://www.wolfssl.com/");
  331. MODULE_DESCRIPTION("libwolfssl cryptographic and protocol facilities");
  332. MODULE_VERSION(LIBWOLFSSL_VERSION_STRING);
  333. #ifdef USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE
  334. /* get_current() is an inline or macro, depending on the target -- sidestep the whole issue with a wrapper func. */
  335. static struct task_struct *my_get_current_thread(void) {
  336. return get_current();
  337. }
  338. #if defined(WOLFSSL_LINUXKM_SIMD_X86) && defined(WOLFSSL_COMMERCIAL_LICENSE)
  339. /* ditto for fpregs_lock/fpregs_unlock */
  340. #ifdef WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS
  341. static void my_fpregs_lock(void) {
  342. fpregs_lock();
  343. }
  344. static void my_fpregs_unlock(void) {
  345. fpregs_unlock();
  346. }
  347. #endif /* WOLFSSL_LINUXKM_SIMD_X86 && WOLFSSL_COMMERCIAL_LICENSE */
  348. #endif /* USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE */
  349. static int set_up_wolfssl_linuxkm_pie_redirect_table(void) {
  350. memset(
  351. &wolfssl_linuxkm_pie_redirect_table,
  352. 0,
  353. sizeof wolfssl_linuxkm_pie_redirect_table);
  354. #ifndef __ARCH_MEMCMP_NO_REDIRECT
  355. wolfssl_linuxkm_pie_redirect_table.memcmp = memcmp;
  356. #endif
  357. #ifndef CONFIG_FORTIFY_SOURCE
  358. #ifndef __ARCH_MEMCPY_NO_REDIRECT
  359. wolfssl_linuxkm_pie_redirect_table.memcpy = memcpy;
  360. #endif
  361. #ifndef __ARCH_MEMSET_NO_REDIRECT
  362. wolfssl_linuxkm_pie_redirect_table.memset = memset;
  363. #endif
  364. #ifndef __ARCH_MEMMOVE_NO_REDIRECT
  365. wolfssl_linuxkm_pie_redirect_table.memmove = memmove;
  366. #endif
  367. #endif /* !CONFIG_FORTIFY_SOURCE */
  368. #ifndef __ARCH_STRCMP_NO_REDIRECT
  369. wolfssl_linuxkm_pie_redirect_table.strcmp = strcmp;
  370. #endif
  371. #ifndef __ARCH_STRNCMP_NO_REDIRECT
  372. wolfssl_linuxkm_pie_redirect_table.strncmp = strncmp;
  373. #endif
  374. #ifndef __ARCH_STRCASECMP_NO_REDIRECT
  375. wolfssl_linuxkm_pie_redirect_table.strcasecmp = strcasecmp;
  376. #endif
  377. #ifndef __ARCH_STRNCASECMP_NO_REDIRECT
  378. wolfssl_linuxkm_pie_redirect_table.strncasecmp = strncasecmp;
  379. #endif
  380. #ifndef __ARCH_STRLEN_NO_REDIRECT
  381. wolfssl_linuxkm_pie_redirect_table.strlen = strlen;
  382. #endif
  383. #ifndef __ARCH_STRSTR_NO_REDIRECT
  384. wolfssl_linuxkm_pie_redirect_table.strstr = strstr;
  385. #endif
  386. #ifndef __ARCH_STRNCPY_NO_REDIRECT
  387. wolfssl_linuxkm_pie_redirect_table.strncpy = strncpy;
  388. #endif
  389. #ifndef __ARCH_STRNCAT_NO_REDIRECT
  390. wolfssl_linuxkm_pie_redirect_table.strncat = strncat;
  391. #endif
  392. wolfssl_linuxkm_pie_redirect_table.kstrtoll = kstrtoll;
  393. #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 15, 0)
  394. wolfssl_linuxkm_pie_redirect_table._printk = _printk;
  395. #else
  396. wolfssl_linuxkm_pie_redirect_table.printk = printk;
  397. #endif
  398. #ifdef CONFIG_FORTIFY_SOURCE
  399. wolfssl_linuxkm_pie_redirect_table.__warn_printk = __warn_printk;
  400. #endif
  401. wolfssl_linuxkm_pie_redirect_table.snprintf = snprintf;
  402. wolfssl_linuxkm_pie_redirect_table._ctype = _ctype;
  403. #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 10, 0)
  404. wolfssl_linuxkm_pie_redirect_table.kmalloc_noprof = kmalloc_noprof;
  405. wolfssl_linuxkm_pie_redirect_table.krealloc_noprof = krealloc_noprof;
  406. wolfssl_linuxkm_pie_redirect_table.kzalloc_noprof = kzalloc_noprof;
  407. wolfssl_linuxkm_pie_redirect_table.kvmalloc_node_noprof = kvmalloc_node_noprof;
  408. wolfssl_linuxkm_pie_redirect_table.kmalloc_trace_noprof = kmalloc_trace_noprof;
  409. #else
  410. wolfssl_linuxkm_pie_redirect_table.kmalloc = kmalloc;
  411. wolfssl_linuxkm_pie_redirect_table.krealloc = krealloc;
  412. #ifdef HAVE_KVMALLOC
  413. wolfssl_linuxkm_pie_redirect_table.kvmalloc_node = kvmalloc_node;
  414. #endif
  415. #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0)
  416. wolfssl_linuxkm_pie_redirect_table.kmalloc_trace =
  417. kmalloc_trace;
  418. #else
  419. wolfssl_linuxkm_pie_redirect_table.kmem_cache_alloc_trace =
  420. kmem_cache_alloc_trace;
  421. wolfssl_linuxkm_pie_redirect_table.kmalloc_order_trace =
  422. kmalloc_order_trace;
  423. #endif
  424. #endif
  425. wolfssl_linuxkm_pie_redirect_table.kfree = kfree;
  426. wolfssl_linuxkm_pie_redirect_table.ksize = ksize;
  427. #ifdef HAVE_KVMALLOC
  428. wolfssl_linuxkm_pie_redirect_table.kvfree = kvfree;
  429. #endif
  430. wolfssl_linuxkm_pie_redirect_table.is_vmalloc_addr = is_vmalloc_addr;
  431. wolfssl_linuxkm_pie_redirect_table.get_random_bytes = get_random_bytes;
  432. #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0)
  433. wolfssl_linuxkm_pie_redirect_table.getnstimeofday =
  434. getnstimeofday;
  435. #elif LINUX_VERSION_CODE < KERNEL_VERSION(5, 0, 0)
  436. wolfssl_linuxkm_pie_redirect_table.current_kernel_time64 =
  437. current_kernel_time64;
  438. #else
  439. wolfssl_linuxkm_pie_redirect_table.ktime_get_coarse_real_ts64 =
  440. ktime_get_coarse_real_ts64;
  441. #endif
  442. wolfssl_linuxkm_pie_redirect_table.get_current = my_get_current_thread;
  443. #if defined(WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS) && defined(CONFIG_X86)
  444. wolfssl_linuxkm_pie_redirect_table.allocate_wolfcrypt_linuxkm_fpu_states = allocate_wolfcrypt_linuxkm_fpu_states;
  445. wolfssl_linuxkm_pie_redirect_table.can_save_vector_registers_x86 = can_save_vector_registers_x86;
  446. wolfssl_linuxkm_pie_redirect_table.free_wolfcrypt_linuxkm_fpu_states = free_wolfcrypt_linuxkm_fpu_states;
  447. wolfssl_linuxkm_pie_redirect_table.restore_vector_registers_x86 = restore_vector_registers_x86;
  448. wolfssl_linuxkm_pie_redirect_table.save_vector_registers_x86 = save_vector_registers_x86;
  449. #elif defined(WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS)
  450. #error WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS is set for an unsupported architecture.
  451. #endif /* WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS */
  452. wolfssl_linuxkm_pie_redirect_table.__mutex_init = __mutex_init;
  453. #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0)
  454. wolfssl_linuxkm_pie_redirect_table.mutex_lock_nested = mutex_lock_nested;
  455. #else
  456. wolfssl_linuxkm_pie_redirect_table.mutex_lock = mutex_lock;
  457. #endif
  458. wolfssl_linuxkm_pie_redirect_table.mutex_unlock = mutex_unlock;
  459. #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0)
  460. wolfssl_linuxkm_pie_redirect_table.mutex_destroy = mutex_destroy;
  461. #endif
  462. #ifdef HAVE_FIPS
  463. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_first =
  464. wolfCrypt_FIPS_first;
  465. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_last =
  466. wolfCrypt_FIPS_last;
  467. #if FIPS_VERSION3_GE(6,0,0)
  468. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_AES_sanity =
  469. wolfCrypt_FIPS_AES_sanity;
  470. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_CMAC_sanity =
  471. wolfCrypt_FIPS_CMAC_sanity;
  472. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_DH_sanity =
  473. wolfCrypt_FIPS_DH_sanity;
  474. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ECC_sanity =
  475. wolfCrypt_FIPS_ECC_sanity;
  476. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ED25519_sanity =
  477. wolfCrypt_FIPS_ED25519_sanity;
  478. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ED448_sanity =
  479. wolfCrypt_FIPS_ED448_sanity;
  480. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_HMAC_sanity =
  481. wolfCrypt_FIPS_HMAC_sanity;
  482. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_KDF_sanity =
  483. wolfCrypt_FIPS_KDF_sanity;
  484. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_PBKDF_sanity =
  485. wolfCrypt_FIPS_PBKDF_sanity;
  486. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_DRBG_sanity =
  487. wolfCrypt_FIPS_DRBG_sanity;
  488. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_RSA_sanity =
  489. wolfCrypt_FIPS_RSA_sanity;
  490. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_SHA_sanity =
  491. wolfCrypt_FIPS_SHA_sanity;
  492. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_SHA256_sanity =
  493. wolfCrypt_FIPS_SHA256_sanity;
  494. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_SHA512_sanity =
  495. wolfCrypt_FIPS_SHA512_sanity;
  496. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_SHA3_sanity =
  497. wolfCrypt_FIPS_SHA3_sanity;
  498. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_FT_sanity =
  499. wolfCrypt_FIPS_FT_sanity;
  500. wolfssl_linuxkm_pie_redirect_table.wc_RunAllCast_fips =
  501. wc_RunAllCast_fips;
  502. #endif
  503. #endif
  504. #if !defined(WOLFCRYPT_ONLY) && !defined(NO_CERTS)
  505. wolfssl_linuxkm_pie_redirect_table.GetCA = GetCA;
  506. #ifndef NO_SKID
  507. wolfssl_linuxkm_pie_redirect_table.GetCAByName = GetCAByName;
  508. #endif
  509. #endif
  510. /* runtime assert that the table has no null slots after initialization. */
  511. {
  512. unsigned long *i;
  513. static_assert(sizeof(unsigned long) == sizeof(void *),
  514. "unexpected pointer size");
  515. for (i = (unsigned long *)&wolfssl_linuxkm_pie_redirect_table;
  516. i < (unsigned long *)&wolfssl_linuxkm_pie_redirect_table._last_slot;
  517. ++i)
  518. if (*i == 0) {
  519. pr_err("wolfCrypt container redirect table initialization was "
  520. "incomplete [%lu].\n",
  521. i-(unsigned long *)&wolfssl_linuxkm_pie_redirect_table);
  522. return -EFAULT;
  523. }
  524. }
  525. return 0;
  526. }
  527. #endif /* USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE */
  528. #ifdef WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE
  529. #include <wolfssl/wolfcrypt/coding.h>
  530. PRAGMA_GCC_DIAG_PUSH
  531. PRAGMA_GCC("GCC diagnostic ignored \"-Wnested-externs\"")
  532. PRAGMA_GCC("GCC diagnostic ignored \"-Wpointer-arith\"")
  533. #include <crypto/hash.h>
  534. PRAGMA_GCC_DIAG_POP
  535. extern char verifyCore[WC_SHA256_DIGEST_SIZE*2 + 1];
  536. extern const char coreKey[WC_SHA256_DIGEST_SIZE*2 + 1];
  537. extern const unsigned int wolfCrypt_FIPS_ro_start[];
  538. extern const unsigned int wolfCrypt_FIPS_ro_end[];
  539. #define FIPS_IN_CORE_KEY_SZ 32
  540. #define FIPS_IN_CORE_VERIFY_SZ FIPS_IN_CORE_KEY_SZ
  541. typedef int (*fips_address_function)(void);
  542. #define MAX_FIPS_DATA_SZ 100000
  543. #define MAX_FIPS_CODE_SZ 1000000
  544. extern int GenBase16_Hash(const byte* in, int length, char* out, int outSz);
  545. static int updateFipsHash(void)
  546. {
  547. struct crypto_shash *tfm = NULL;
  548. struct shash_desc *desc = NULL;
  549. word32 verifySz = FIPS_IN_CORE_VERIFY_SZ;
  550. word32 binCoreSz = FIPS_IN_CORE_KEY_SZ;
  551. int ret;
  552. byte *hash = NULL;
  553. char *base16_hash = NULL;
  554. byte *binCoreKey = NULL;
  555. byte *binVerify = NULL;
  556. fips_address_function first = wolfCrypt_FIPS_first;
  557. fips_address_function last = wolfCrypt_FIPS_last;
  558. char* start = (char*)wolfCrypt_FIPS_ro_start;
  559. char* end = (char*)wolfCrypt_FIPS_ro_end;
  560. unsigned long code_sz = (unsigned long)last - (unsigned long)first;
  561. unsigned long data_sz = (unsigned long)end - (unsigned long)start;
  562. if (data_sz == 0 || data_sz > MAX_FIPS_DATA_SZ)
  563. return BAD_FUNC_ARG; /* bad fips data size */
  564. if (code_sz == 0 || code_sz > MAX_FIPS_CODE_SZ)
  565. return BAD_FUNC_ARG; /* bad fips code size */
  566. hash = XMALLOC(WC_SHA256_DIGEST_SIZE, 0, DYNAMIC_TYPE_TMP_BUFFER);
  567. if (hash == NULL) {
  568. ret = MEMORY_E;
  569. goto out;
  570. }
  571. base16_hash = XMALLOC(WC_SHA256_DIGEST_SIZE*2 + 1, 0, DYNAMIC_TYPE_TMP_BUFFER);
  572. if (base16_hash == NULL) {
  573. ret = MEMORY_E;
  574. goto out;
  575. }
  576. binCoreKey = XMALLOC(binCoreSz, 0, DYNAMIC_TYPE_TMP_BUFFER);
  577. if (binCoreKey == NULL) {
  578. ret = MEMORY_E;
  579. goto out;
  580. }
  581. binVerify = XMALLOC(verifySz, 0, DYNAMIC_TYPE_TMP_BUFFER);
  582. if (binVerify == NULL) {
  583. ret = MEMORY_E;
  584. goto out;
  585. }
  586. {
  587. word32 base16_out_len = binCoreSz;
  588. ret = Base16_Decode((const byte *)coreKey, sizeof coreKey - 1, binCoreKey, &base16_out_len);
  589. if (ret != 0) {
  590. pr_err("Base16_Decode for coreKey: %s\n", wc_GetErrorString(ret));
  591. goto out;
  592. }
  593. if (base16_out_len != binCoreSz) {
  594. pr_err("unexpected output length %u for coreKey from Base16_Decode.\n",base16_out_len);
  595. ret = BAD_STATE_E;
  596. goto out;
  597. }
  598. }
  599. tfm = crypto_alloc_shash("hmac(sha256)", 0, 0);
  600. if (IS_ERR(tfm)) {
  601. if (PTR_ERR(tfm) == -ENOMEM) {
  602. pr_err("crypto_alloc_shash failed: out of memory\n");
  603. ret = MEMORY_E;
  604. } else if (PTR_ERR(tfm) == -ENOENT) {
  605. pr_err("crypto_alloc_shash failed: kernel is missing hmac(sha256) implementation\n");
  606. pr_err("check for CONFIG_CRYPTO_SHA256 and CONFIG_CRYPTO_HMAC.\n");
  607. ret = NOT_COMPILED_IN;
  608. } else {
  609. pr_err("crypto_alloc_shash failed with ret %ld\n",PTR_ERR(tfm));
  610. ret = HASH_TYPE_E;
  611. }
  612. tfm = NULL;
  613. goto out;
  614. }
  615. {
  616. size_t desc_size = crypto_shash_descsize(tfm) + sizeof *desc;
  617. desc = XMALLOC(desc_size, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  618. if (desc == NULL) {
  619. pr_err("failed allocating desc.");
  620. ret = MEMORY_E;
  621. goto out;
  622. }
  623. XMEMSET(desc, 0, desc_size);
  624. }
  625. ret = crypto_shash_setkey(tfm, binCoreKey, binCoreSz);
  626. if (ret) {
  627. pr_err("crypto_ahash_setkey failed: err %d\n", ret);
  628. ret = BAD_STATE_E;
  629. goto out;
  630. }
  631. desc->tfm = tfm;
  632. ret = crypto_shash_init(desc);
  633. if (ret) {
  634. pr_err("crypto_shash_init failed: err %d\n", ret);
  635. ret = BAD_STATE_E;
  636. goto out;
  637. }
  638. ret = crypto_shash_update(desc, (byte *)(wc_ptr_t)first, (word32)code_sz);
  639. if (ret) {
  640. pr_err("crypto_shash_update failed: err %d\n", ret);
  641. ret = BAD_STATE_E;
  642. goto out;
  643. }
  644. /* don't hash verifyCore or changing verifyCore will change hash */
  645. if (verifyCore >= start && verifyCore < end) {
  646. data_sz = (unsigned long)verifyCore - (unsigned long)start;
  647. ret = crypto_shash_update(desc, (byte*)start, (word32)data_sz);
  648. if (ret) {
  649. pr_err("crypto_shash_update failed: err %d\n", ret);
  650. ret = BAD_STATE_E;
  651. goto out;
  652. }
  653. start = (char*)verifyCore + sizeof(verifyCore);
  654. data_sz = (unsigned long)end - (unsigned long)start;
  655. }
  656. ret = crypto_shash_update(desc, (byte*)start, (word32)data_sz);
  657. if (ret) {
  658. pr_err("crypto_shash_update failed: err %d\n", ret);
  659. ret = BAD_STATE_E;
  660. goto out;
  661. }
  662. ret = crypto_shash_final(desc, hash);
  663. if (ret) {
  664. pr_err("crypto_shash_final failed: err %d\n", ret);
  665. ret = BAD_STATE_E;
  666. goto out;
  667. }
  668. ret = GenBase16_Hash(hash, WC_SHA256_DIGEST_SIZE, base16_hash, WC_SHA256_DIGEST_SIZE*2 + 1);
  669. if (ret != 0) {
  670. pr_err("GenBase16_Hash failed: %s\n", wc_GetErrorString(ret));
  671. goto out;
  672. }
  673. {
  674. word32 base16_out_len = verifySz;
  675. ret = Base16_Decode((const byte *)verifyCore, sizeof verifyCore - 1, binVerify, &base16_out_len);
  676. if (ret != 0) {
  677. pr_err("Base16_Decode for verifyCore: %s\n", wc_GetErrorString(ret));
  678. goto out;
  679. }
  680. if (base16_out_len != binCoreSz) {
  681. pr_err("unexpected output length %u for verifyCore from Base16_Decode.\n",base16_out_len);
  682. ret = BAD_STATE_E;
  683. goto out;
  684. }
  685. }
  686. if (XMEMCMP(hash, binVerify, WC_SHA256_DIGEST_SIZE) == 0) {
  687. #if defined(DEBUG_LINUXKM_PIE_SUPPORT) || defined(WOLFSSL_LINUXKM_VERBOSE_DEBUG)
  688. pr_info("updateFipsHash: verifyCore already matches [%s]\n", verifyCore);
  689. #else
  690. pr_info("updateFipsHash: verifyCore already matches.\n");
  691. #endif
  692. } else {
  693. XMEMCPY(verifyCore, base16_hash, WC_SHA256_DIGEST_SIZE*2 + 1);
  694. #if defined(DEBUG_LINUXKM_PIE_SUPPORT) || defined(WOLFSSL_LINUXKM_VERBOSE_DEBUG)
  695. pr_info("updateFipsHash: verifyCore updated [%s].\n", base16_hash);
  696. #else
  697. pr_info("updateFipsHash: verifyCore updated.\n");
  698. #endif
  699. }
  700. ret = 0;
  701. out:
  702. if (tfm != NULL)
  703. crypto_free_shash(tfm);
  704. if (desc != NULL)
  705. XFREE(desc, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  706. if (hash != NULL)
  707. XFREE(hash, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  708. if (base16_hash != NULL)
  709. XFREE(base16_hash, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  710. if (binCoreKey != NULL)
  711. XFREE(binCoreKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  712. if (binVerify != NULL)
  713. XFREE(binVerify, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  714. return ret;
  715. }
  716. #endif /* WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE */