module_hooks.c 28 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825
  1. /* module_hooks.c -- module load/unload hooks for libwolfssl.ko
  2. *
  3. * Copyright (C) 2006-2024 wolfSSL Inc.
  4. *
  5. * This file is part of wolfSSL.
  6. *
  7. * wolfSSL is free software; you can redistribute it and/or modify
  8. * it under the terms of the GNU General Public License as published by
  9. * the Free Software Foundation; either version 2 of the License, or
  10. * (at your option) any later version.
  11. *
  12. * wolfSSL is distributed in the hope that it will be useful,
  13. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  15. * GNU General Public License for more details.
  16. *
  17. * You should have received a copy of the GNU General Public License
  18. * along with this program; if not, write to the Free Software
  19. * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  20. */
  21. #ifndef WOLFSSL_LICENSE
  22. #ifdef WOLFSSL_COMMERCIAL_LICENSE
  23. #define WOLFSSL_LICENSE "wolfSSL Commercial"
  24. #else
  25. #define WOLFSSL_LICENSE "GPL v2"
  26. #endif
  27. #endif
  28. #define FIPS_NO_WRAPPERS
  29. #define WOLFSSL_NEED_LINUX_CURRENT
  30. #ifdef HAVE_CONFIG_H
  31. #include <config.h>
  32. #endif
  33. #include <wolfssl/wolfcrypt/settings.h>
  34. #include <wolfssl/wolfcrypt/error-crypt.h>
  35. #ifdef WOLFCRYPT_ONLY
  36. #include <wolfssl/version.h>
  37. #else
  38. #include <wolfssl/ssl.h>
  39. #endif
  40. #ifdef HAVE_FIPS
  41. #include <wolfssl/wolfcrypt/fips_test.h>
  42. #endif
  43. #ifndef NO_CRYPT_TEST
  44. #include <wolfcrypt/test/test.h>
  45. #endif
  46. static int libwolfssl_cleanup(void) {
  47. int ret;
  48. #ifdef WOLFCRYPT_ONLY
  49. ret = wolfCrypt_Cleanup();
  50. if (ret != 0)
  51. pr_err("wolfCrypt_Cleanup() failed: %s\n", wc_GetErrorString(ret));
  52. else
  53. pr_info("wolfCrypt " LIBWOLFSSL_VERSION_STRING " cleanup complete.\n");
  54. #else
  55. ret = wolfSSL_Cleanup();
  56. if (ret != WOLFSSL_SUCCESS)
  57. pr_err("wolfSSL_Cleanup() failed: %s\n", wc_GetErrorString(ret));
  58. else
  59. pr_info("wolfSSL " LIBWOLFSSL_VERSION_STRING " cleanup complete.\n");
  60. #endif
  61. return ret;
  62. }
  63. #ifdef HAVE_LINUXKM_PIE_SUPPORT
  64. #ifdef DEBUG_LINUXKM_PIE_SUPPORT
  65. extern int wolfCrypt_PIE_first_function(void);
  66. extern int wolfCrypt_PIE_last_function(void);
  67. extern const unsigned int wolfCrypt_PIE_rodata_start[];
  68. extern const unsigned int wolfCrypt_PIE_rodata_end[];
  69. /* cheap portable ad-hoc hash function to confirm bitwise stability of the PIE
  70. * binary image.
  71. */
  72. static unsigned int hash_span(char *start, char *end) {
  73. unsigned int sum = 1;
  74. while (start < end) {
  75. unsigned int rotate_by;
  76. sum ^= *start++;
  77. rotate_by = (sum ^ (sum >> 5)) & 31;
  78. sum = (sum << rotate_by) | (sum >> (32 - rotate_by));
  79. }
  80. return sum;
  81. }
  82. #endif /* DEBUG_LINUXKM_PIE_SUPPORT */
  83. #ifdef USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE
  84. extern struct wolfssl_linuxkm_pie_redirect_table wolfssl_linuxkm_pie_redirect_table;
  85. static int set_up_wolfssl_linuxkm_pie_redirect_table(void);
  86. #endif /* USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE */
  87. #endif /* HAVE_LINUXKM_PIE_SUPPORT */
  88. #ifdef HAVE_FIPS
  89. static void lkmFipsCb(int ok, int err, const char* hash)
  90. {
  91. if ((! ok) || (err != 0))
  92. pr_err("libwolfssl FIPS error: %s\n", wc_GetErrorString(err));
  93. if (err == WC_NO_ERR_TRACE(IN_CORE_FIPS_E)) {
  94. pr_err("In-core integrity hash check failure.\n"
  95. "Update verifyCore[] in fips_test.c with new hash \"%s\" and rebuild.\n",
  96. hash ? hash : "<null>");
  97. }
  98. }
  99. #endif
  100. #ifdef WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE
  101. #ifndef CONFIG_MODULE_SIG
  102. #error WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE requires a CONFIG_MODULE_SIG kernel.
  103. #endif
  104. static int updateFipsHash(void);
  105. #endif
  106. #ifdef WOLFSSL_LINUXKM_BENCHMARKS
  107. extern int wolfcrypt_benchmark_main(int argc, char** argv);
  108. #endif /* WOLFSSL_LINUXKM_BENCHMARKS */
  109. #ifdef LINUXKM_LKCAPI_REGISTER
  110. #include "linuxkm/lkcapi_glue.c"
  111. #endif
  112. #if defined(WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS) && defined(CONFIG_X86)
  113. #include "linuxkm/x86_vector_register_glue.c"
  114. #endif
  115. #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 0, 0)
  116. static int __init wolfssl_init(void)
  117. #else
  118. static int wolfssl_init(void)
  119. #endif
  120. {
  121. int ret;
  122. #ifdef WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE
  123. if (THIS_MODULE->sig_ok == false) {
  124. pr_err("wolfSSL module load aborted -- bad or missing module signature with FIPS dynamic hash.\n");
  125. return -ECANCELED;
  126. }
  127. ret = updateFipsHash();
  128. if (ret < 0) {
  129. pr_err("wolfSSL module load aborted -- updateFipsHash: %s\n",wc_GetErrorString(ret));
  130. return -ECANCELED;
  131. }
  132. #endif
  133. #ifdef USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE
  134. ret = set_up_wolfssl_linuxkm_pie_redirect_table();
  135. if (ret < 0)
  136. return ret;
  137. #endif
  138. #if defined(HAVE_LINUXKM_PIE_SUPPORT) && defined(DEBUG_LINUXKM_PIE_SUPPORT)
  139. #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 4, 0)
  140. /* see linux commit ac3b432839 */
  141. #define THIS_MODULE_TEXT_BASE (THIS_MODULE->mem[MOD_TEXT].base)
  142. #define THIS_MODULE_TEXT_SIZE (THIS_MODULE->mem[MOD_TEXT].size)
  143. #define THIS_MODULE_RO_BASE (THIS_MODULE->mem[MOD_RODATA].base)
  144. #define THIS_MODULE_RO_SIZE (THIS_MODULE->mem[MOD_RODATA].size)
  145. #elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 5, 0)
  146. #define THIS_MODULE_TEXT_BASE (THIS_MODULE->core_layout.base)
  147. #define THIS_MODULE_TEXT_SIZE (THIS_MODULE->core_layout.text_size)
  148. #define THIS_MODULE_RO_BASE ((char *)THIS_MODULE->core_layout.base + THIS_MODULE->core_layout.text_size)
  149. #define THIS_MODULE_RO_SIZE (THIS_MODULE->core_layout.ro_size)
  150. #else
  151. #define THIS_MODULE_TEXT_BASE (THIS_MODULE->module_core)
  152. #define THIS_MODULE_TEXT_SIZE (THIS_MODULE->core_text_size)
  153. #define THIS_MODULE_RO_BASE ((char *)THIS_MODULE->module_core + THIS_MODULE->core_ro_size)
  154. #define THIS_MODULE_RO_SIZE (THIS_MODULE->core_ro_size)
  155. #endif
  156. {
  157. char *pie_text_start = (char *)wolfCrypt_PIE_first_function;
  158. char *pie_text_end = (char *)wolfCrypt_PIE_last_function;
  159. char *pie_rodata_start = (char *)wolfCrypt_PIE_rodata_start;
  160. char *pie_rodata_end = (char *)wolfCrypt_PIE_rodata_end;
  161. unsigned int text_hash, rodata_hash;
  162. if ((pie_text_start < pie_text_end) &&
  163. (pie_text_start >= (char *)THIS_MODULE_TEXT_BASE) &&
  164. (pie_text_end - (char *)THIS_MODULE_TEXT_BASE <= THIS_MODULE_TEXT_SIZE))
  165. {
  166. text_hash = hash_span(pie_text_start, pie_text_end);
  167. } else {
  168. pr_info("out-of-bounds PIE fenceposts! pie_text_start=%px pie_text_end=%px (span=%lu)"
  169. " core_layout.base=%px text_end=%px\n",
  170. pie_text_start,
  171. pie_text_end,
  172. pie_text_end-pie_text_start,
  173. THIS_MODULE_TEXT_BASE,
  174. (char *)THIS_MODULE_TEXT_BASE + THIS_MODULE_TEXT_SIZE);
  175. text_hash = 0;
  176. }
  177. if ((pie_rodata_start < pie_rodata_end) && // cppcheck-suppress comparePointers
  178. (pie_rodata_start >= (char *)THIS_MODULE_RO_BASE) &&
  179. (pie_rodata_end - (char *)THIS_MODULE_RO_BASE <= THIS_MODULE_RO_SIZE))
  180. {
  181. rodata_hash = hash_span(pie_rodata_start, pie_rodata_end);
  182. } else {
  183. pr_info("out-of-bounds PIE fenceposts! pie_rodata_start=%px pie_rodata_end=%px (span=%lu)"
  184. " core_layout.base+core_layout.text_size=%px rodata_end=%px\n",
  185. pie_rodata_start,
  186. pie_rodata_end,
  187. pie_rodata_end-pie_rodata_start,
  188. (char *)THIS_MODULE_RO_BASE,
  189. (char *)THIS_MODULE_RO_BASE + THIS_MODULE_RO_SIZE);
  190. rodata_hash = 0;
  191. }
  192. /* note, "%pK" conceals the actual layout information. "%px" exposes
  193. * the true module start address, which is potentially useful to an
  194. * attacker.
  195. */
  196. pr_info("wolfCrypt container hashes (spans): text 0x%x (%lu), rodata 0x%x (%lu)\n",
  197. text_hash, pie_text_end-pie_text_start,
  198. rodata_hash, pie_rodata_end-pie_rodata_start);
  199. }
  200. #endif /* HAVE_LINUXKM_PIE_SUPPORT && DEBUG_LINUXKM_PIE_SUPPORT */
  201. #ifdef HAVE_FIPS
  202. ret = wolfCrypt_SetCb_fips(lkmFipsCb);
  203. if (ret != 0) {
  204. pr_err("wolfCrypt_SetCb_fips() failed: %s\n", wc_GetErrorString(ret));
  205. return -ECANCELED;
  206. }
  207. fipsEntry();
  208. ret = wolfCrypt_GetStatus_fips();
  209. if (ret != 0) {
  210. pr_err("wolfCrypt_GetStatus_fips() failed with code %d: %s\n", ret, wc_GetErrorString(ret));
  211. if (ret == WC_NO_ERR_TRACE(IN_CORE_FIPS_E)) {
  212. const char *newhash = wolfCrypt_GetCoreHash_fips();
  213. pr_err("Update verifyCore[] in fips_test.c with new hash \"%s\" and rebuild.\n",
  214. newhash ? newhash : "<null>");
  215. }
  216. return -ECANCELED;
  217. }
  218. pr_info("FIPS 140-3 wolfCrypt-fips v%d.%d.%d%s%s startup "
  219. "self-test succeeded.\n",
  220. #ifdef HAVE_FIPS_VERSION_MAJOR
  221. HAVE_FIPS_VERSION_MAJOR,
  222. #else
  223. HAVE_FIPS_VERSION,
  224. #endif
  225. #ifdef HAVE_FIPS_VERSION_MINOR
  226. HAVE_FIPS_VERSION_MINOR,
  227. #else
  228. 0,
  229. #endif
  230. #ifdef HAVE_FIPS_VERSION_PATCH
  231. HAVE_FIPS_VERSION_PATCH,
  232. #else
  233. 0,
  234. #endif
  235. #ifdef HAVE_FIPS_VERSION_PORT
  236. "-",
  237. HAVE_FIPS_VERSION_PORT
  238. #else
  239. "",
  240. ""
  241. #endif
  242. );
  243. #endif /* HAVE_FIPS */
  244. #ifdef WC_RNG_SEED_CB
  245. ret = wc_SetSeed_Cb(wc_GenerateSeed);
  246. if (ret < 0) {
  247. pr_err("wc_SetSeed_Cb() failed with return code %d.\n", ret);
  248. (void)libwolfssl_cleanup();
  249. msleep(10);
  250. return -ECANCELED;
  251. }
  252. #endif
  253. #ifdef WOLFCRYPT_ONLY
  254. ret = wolfCrypt_Init();
  255. if (ret != 0) {
  256. pr_err("wolfCrypt_Init() failed: %s\n", wc_GetErrorString(ret));
  257. return -ECANCELED;
  258. }
  259. #else
  260. ret = wolfSSL_Init();
  261. if (ret != WOLFSSL_SUCCESS) {
  262. pr_err("wolfSSL_Init() failed: %s\n", wc_GetErrorString(ret));
  263. return -ECANCELED;
  264. }
  265. #endif
  266. #ifndef NO_CRYPT_TEST
  267. ret = wolfcrypt_test(NULL);
  268. if (ret < 0) {
  269. pr_err("wolfcrypt self-test failed with return code %d.\n", ret);
  270. (void)libwolfssl_cleanup();
  271. msleep(10);
  272. return -ECANCELED;
  273. }
  274. pr_info("wolfCrypt self-test passed.\n");
  275. #else
  276. pr_info("skipping full wolfcrypt_test() "
  277. "(configure with --enable-crypttests to enable).\n");
  278. #endif
  279. #ifdef LINUXKM_LKCAPI_REGISTER
  280. ret = linuxkm_lkcapi_register();
  281. if (ret) {
  282. pr_err("linuxkm_lkcapi_register() failed with return code %d.\n", ret);
  283. linuxkm_lkcapi_unregister();
  284. (void)libwolfssl_cleanup();
  285. msleep(10);
  286. return -ECANCELED;
  287. }
  288. #endif
  289. #ifdef WOLFSSL_LINUXKM_BENCHMARKS
  290. wolfcrypt_benchmark_main(0, (char**)NULL);
  291. #endif
  292. #ifdef WOLFCRYPT_ONLY
  293. pr_info("wolfCrypt " LIBWOLFSSL_VERSION_STRING " loaded%s"
  294. ".\nSee https://www.wolfssl.com/ for more information.\n"
  295. "wolfCrypt Copyright (C) 2006-present wolfSSL Inc. Licensed under " WOLFSSL_LICENSE ".\n",
  296. #ifdef CONFIG_MODULE_SIG
  297. THIS_MODULE->sig_ok ? " with valid module signature" : " without valid module signature"
  298. #else
  299. ""
  300. #endif
  301. );
  302. #else
  303. pr_info("wolfSSL " LIBWOLFSSL_VERSION_STRING " loaded%s"
  304. ".\nSee https://www.wolfssl.com/ for more information.\n"
  305. "wolfSSL Copyright (C) 2006-present wolfSSL Inc. Licensed under " WOLFSSL_LICENSE ".\n",
  306. #ifdef CONFIG_MODULE_SIG
  307. THIS_MODULE->sig_ok ? " with valid module signature" : " without valid module signature"
  308. #else
  309. ""
  310. #endif
  311. );
  312. #endif
  313. return 0;
  314. }
  315. module_init(wolfssl_init);
  316. #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 0, 0)
  317. static void __exit wolfssl_exit(void)
  318. #else
  319. static void wolfssl_exit(void)
  320. #endif
  321. {
  322. #ifdef LINUXKM_LKCAPI_REGISTER
  323. linuxkm_lkcapi_unregister();
  324. #endif
  325. (void)libwolfssl_cleanup();
  326. return;
  327. }
  328. module_exit(wolfssl_exit);
  329. MODULE_LICENSE(WOLFSSL_LICENSE);
  330. MODULE_AUTHOR("https://www.wolfssl.com/");
  331. MODULE_DESCRIPTION("libwolfssl cryptographic and protocol facilities");
  332. MODULE_VERSION(LIBWOLFSSL_VERSION_STRING);
  333. #ifdef USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE
  334. /* get_current() is an inline or macro, depending on the target -- sidestep the whole issue with a wrapper func. */
  335. static struct task_struct *my_get_current_thread(void) {
  336. return get_current();
  337. }
  338. #if defined(WOLFSSL_LINUXKM_SIMD_X86) && defined(WOLFSSL_COMMERCIAL_LICENSE)
  339. /* ditto for fpregs_lock/fpregs_unlock */
  340. #ifdef WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS
  341. static void my_fpregs_lock(void) {
  342. fpregs_lock();
  343. }
  344. static void my_fpregs_unlock(void) {
  345. fpregs_unlock();
  346. }
  347. #endif /* WOLFSSL_LINUXKM_SIMD_X86 && WOLFSSL_COMMERCIAL_LICENSE */
  348. #endif /* USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE */
  349. static int set_up_wolfssl_linuxkm_pie_redirect_table(void) {
  350. memset(
  351. &wolfssl_linuxkm_pie_redirect_table,
  352. 0,
  353. sizeof wolfssl_linuxkm_pie_redirect_table);
  354. #ifndef __ARCH_MEMCMP_NO_REDIRECT
  355. wolfssl_linuxkm_pie_redirect_table.memcmp = memcmp;
  356. #endif
  357. #ifndef CONFIG_FORTIFY_SOURCE
  358. #ifndef __ARCH_MEMCPY_NO_REDIRECT
  359. wolfssl_linuxkm_pie_redirect_table.memcpy = memcpy;
  360. #endif
  361. #ifndef __ARCH_MEMSET_NO_REDIRECT
  362. wolfssl_linuxkm_pie_redirect_table.memset = memset;
  363. #endif
  364. #ifndef __ARCH_MEMMOVE_NO_REDIRECT
  365. wolfssl_linuxkm_pie_redirect_table.memmove = memmove;
  366. #endif
  367. #endif /* !CONFIG_FORTIFY_SOURCE */
  368. #ifndef __ARCH_STRCMP_NO_REDIRECT
  369. wolfssl_linuxkm_pie_redirect_table.strcmp = strcmp;
  370. #endif
  371. #ifndef __ARCH_STRNCMP_NO_REDIRECT
  372. wolfssl_linuxkm_pie_redirect_table.strncmp = strncmp;
  373. #endif
  374. #ifndef __ARCH_STRCASECMP_NO_REDIRECT
  375. wolfssl_linuxkm_pie_redirect_table.strcasecmp = strcasecmp;
  376. #endif
  377. #ifndef __ARCH_STRNCASECMP_NO_REDIRECT
  378. wolfssl_linuxkm_pie_redirect_table.strncasecmp = strncasecmp;
  379. #endif
  380. #ifndef __ARCH_STRLEN_NO_REDIRECT
  381. wolfssl_linuxkm_pie_redirect_table.strlen = strlen;
  382. #endif
  383. #ifndef __ARCH_STRSTR_NO_REDIRECT
  384. wolfssl_linuxkm_pie_redirect_table.strstr = strstr;
  385. #endif
  386. #ifndef __ARCH_STRNCPY_NO_REDIRECT
  387. wolfssl_linuxkm_pie_redirect_table.strncpy = strncpy;
  388. #endif
  389. #ifndef __ARCH_STRNCAT_NO_REDIRECT
  390. wolfssl_linuxkm_pie_redirect_table.strncat = strncat;
  391. #endif
  392. wolfssl_linuxkm_pie_redirect_table.kstrtoll = kstrtoll;
  393. #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 15, 0)
  394. wolfssl_linuxkm_pie_redirect_table._printk = _printk;
  395. #else
  396. wolfssl_linuxkm_pie_redirect_table.printk = printk;
  397. #endif
  398. #ifdef CONFIG_FORTIFY_SOURCE
  399. wolfssl_linuxkm_pie_redirect_table.__warn_printk = __warn_printk;
  400. #endif
  401. wolfssl_linuxkm_pie_redirect_table.snprintf = snprintf;
  402. wolfssl_linuxkm_pie_redirect_table._ctype = _ctype;
  403. #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 11, 0)
  404. wolfssl_linuxkm_pie_redirect_table.kmalloc_noprof = kmalloc_noprof;
  405. wolfssl_linuxkm_pie_redirect_table.krealloc_noprof = krealloc_noprof;
  406. wolfssl_linuxkm_pie_redirect_table.kzalloc_noprof = kzalloc_noprof;
  407. wolfssl_linuxkm_pie_redirect_table.__kvmalloc_node_noprof = __kvmalloc_node_noprof;
  408. wolfssl_linuxkm_pie_redirect_table.__kmalloc_cache_noprof = __kmalloc_cache_noprof;
  409. #elif LINUX_VERSION_CODE >= KERNEL_VERSION(6, 10, 0)
  410. wolfssl_linuxkm_pie_redirect_table.kmalloc_noprof = kmalloc_noprof;
  411. wolfssl_linuxkm_pie_redirect_table.krealloc_noprof = krealloc_noprof;
  412. wolfssl_linuxkm_pie_redirect_table.kzalloc_noprof = kzalloc_noprof;
  413. wolfssl_linuxkm_pie_redirect_table.kvmalloc_node_noprof = kvmalloc_node_noprof;
  414. wolfssl_linuxkm_pie_redirect_table.kmalloc_trace_noprof = kmalloc_trace_noprof;
  415. #else
  416. wolfssl_linuxkm_pie_redirect_table.kmalloc = kmalloc;
  417. wolfssl_linuxkm_pie_redirect_table.krealloc = krealloc;
  418. #ifdef HAVE_KVMALLOC
  419. wolfssl_linuxkm_pie_redirect_table.kvmalloc_node = kvmalloc_node;
  420. #endif
  421. #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0)
  422. wolfssl_linuxkm_pie_redirect_table.kmalloc_trace =
  423. kmalloc_trace;
  424. #else
  425. wolfssl_linuxkm_pie_redirect_table.kmem_cache_alloc_trace =
  426. kmem_cache_alloc_trace;
  427. wolfssl_linuxkm_pie_redirect_table.kmalloc_order_trace =
  428. kmalloc_order_trace;
  429. #endif
  430. #endif
  431. wolfssl_linuxkm_pie_redirect_table.kfree = kfree;
  432. wolfssl_linuxkm_pie_redirect_table.ksize = ksize;
  433. #ifdef HAVE_KVMALLOC
  434. wolfssl_linuxkm_pie_redirect_table.kvfree = kvfree;
  435. #endif
  436. wolfssl_linuxkm_pie_redirect_table.is_vmalloc_addr = is_vmalloc_addr;
  437. wolfssl_linuxkm_pie_redirect_table.get_random_bytes = get_random_bytes;
  438. #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0)
  439. wolfssl_linuxkm_pie_redirect_table.getnstimeofday =
  440. getnstimeofday;
  441. #elif LINUX_VERSION_CODE < KERNEL_VERSION(5, 0, 0)
  442. wolfssl_linuxkm_pie_redirect_table.current_kernel_time64 =
  443. current_kernel_time64;
  444. #else
  445. wolfssl_linuxkm_pie_redirect_table.ktime_get_coarse_real_ts64 =
  446. ktime_get_coarse_real_ts64;
  447. #endif
  448. wolfssl_linuxkm_pie_redirect_table.get_current = my_get_current_thread;
  449. #if defined(WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS) && defined(CONFIG_X86)
  450. wolfssl_linuxkm_pie_redirect_table.allocate_wolfcrypt_linuxkm_fpu_states = allocate_wolfcrypt_linuxkm_fpu_states;
  451. wolfssl_linuxkm_pie_redirect_table.can_save_vector_registers_x86 = can_save_vector_registers_x86;
  452. wolfssl_linuxkm_pie_redirect_table.free_wolfcrypt_linuxkm_fpu_states = free_wolfcrypt_linuxkm_fpu_states;
  453. wolfssl_linuxkm_pie_redirect_table.restore_vector_registers_x86 = restore_vector_registers_x86;
  454. wolfssl_linuxkm_pie_redirect_table.save_vector_registers_x86 = save_vector_registers_x86;
  455. #elif defined(WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS)
  456. #error WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS is set for an unsupported architecture.
  457. #endif /* WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS */
  458. wolfssl_linuxkm_pie_redirect_table.__mutex_init = __mutex_init;
  459. #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0)
  460. wolfssl_linuxkm_pie_redirect_table.mutex_lock_nested = mutex_lock_nested;
  461. #else
  462. wolfssl_linuxkm_pie_redirect_table.mutex_lock = mutex_lock;
  463. #endif
  464. wolfssl_linuxkm_pie_redirect_table.mutex_unlock = mutex_unlock;
  465. #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0)
  466. wolfssl_linuxkm_pie_redirect_table.mutex_destroy = mutex_destroy;
  467. #endif
  468. #ifdef HAVE_FIPS
  469. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_first =
  470. wolfCrypt_FIPS_first;
  471. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_last =
  472. wolfCrypt_FIPS_last;
  473. #if FIPS_VERSION3_GE(6,0,0)
  474. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_AES_sanity =
  475. wolfCrypt_FIPS_AES_sanity;
  476. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_CMAC_sanity =
  477. wolfCrypt_FIPS_CMAC_sanity;
  478. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_DH_sanity =
  479. wolfCrypt_FIPS_DH_sanity;
  480. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ECC_sanity =
  481. wolfCrypt_FIPS_ECC_sanity;
  482. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ED25519_sanity =
  483. wolfCrypt_FIPS_ED25519_sanity;
  484. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_ED448_sanity =
  485. wolfCrypt_FIPS_ED448_sanity;
  486. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_HMAC_sanity =
  487. wolfCrypt_FIPS_HMAC_sanity;
  488. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_KDF_sanity =
  489. wolfCrypt_FIPS_KDF_sanity;
  490. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_PBKDF_sanity =
  491. wolfCrypt_FIPS_PBKDF_sanity;
  492. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_DRBG_sanity =
  493. wolfCrypt_FIPS_DRBG_sanity;
  494. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_RSA_sanity =
  495. wolfCrypt_FIPS_RSA_sanity;
  496. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_SHA_sanity =
  497. wolfCrypt_FIPS_SHA_sanity;
  498. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_SHA256_sanity =
  499. wolfCrypt_FIPS_SHA256_sanity;
  500. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_SHA512_sanity =
  501. wolfCrypt_FIPS_SHA512_sanity;
  502. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_SHA3_sanity =
  503. wolfCrypt_FIPS_SHA3_sanity;
  504. wolfssl_linuxkm_pie_redirect_table.wolfCrypt_FIPS_FT_sanity =
  505. wolfCrypt_FIPS_FT_sanity;
  506. wolfssl_linuxkm_pie_redirect_table.wc_RunAllCast_fips =
  507. wc_RunAllCast_fips;
  508. #endif
  509. #endif
  510. #if !defined(WOLFCRYPT_ONLY) && !defined(NO_CERTS)
  511. wolfssl_linuxkm_pie_redirect_table.GetCA = GetCA;
  512. #ifndef NO_SKID
  513. wolfssl_linuxkm_pie_redirect_table.GetCAByName = GetCAByName;
  514. #ifdef HAVE_OCSP
  515. wolfssl_linuxkm_pie_redirect_table.GetCAByKeyHash = GetCAByKeyHash;
  516. #endif /* HAVE_OCSP */
  517. #endif /* NO_SKID */
  518. #ifdef WOLFSSL_AKID_NAME
  519. wolfssl_linuxkm_pie_redirect_table.GetCAByAKID = GetCAByAKID;
  520. #endif /* WOLFSSL_AKID_NAME */
  521. #endif /* !WOLFCRYPT_ONLY && !NO_CERTS */
  522. #ifdef WOLFSSL_DEBUG_BACKTRACE_ERROR_CODES
  523. wolfssl_linuxkm_pie_redirect_table.dump_stack = dump_stack;
  524. #endif
  525. /* runtime assert that the table has no null slots after initialization. */
  526. {
  527. unsigned long *i;
  528. static_assert(sizeof(unsigned long) == sizeof(void *),
  529. "unexpected pointer size");
  530. for (i = (unsigned long *)&wolfssl_linuxkm_pie_redirect_table;
  531. i < (unsigned long *)&wolfssl_linuxkm_pie_redirect_table._last_slot;
  532. ++i)
  533. if (*i == 0) {
  534. pr_err("wolfCrypt container redirect table initialization was "
  535. "incomplete [%lu].\n",
  536. i-(unsigned long *)&wolfssl_linuxkm_pie_redirect_table);
  537. return -EFAULT;
  538. }
  539. }
  540. return 0;
  541. }
  542. #endif /* USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE */
  543. #ifdef WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE
  544. #include <wolfssl/wolfcrypt/coding.h>
  545. PRAGMA_GCC_DIAG_PUSH
  546. PRAGMA_GCC("GCC diagnostic ignored \"-Wnested-externs\"")
  547. PRAGMA_GCC("GCC diagnostic ignored \"-Wpointer-arith\"")
  548. #include <crypto/hash.h>
  549. PRAGMA_GCC_DIAG_POP
  550. extern char verifyCore[WC_SHA256_DIGEST_SIZE*2 + 1];
  551. extern const char coreKey[WC_SHA256_DIGEST_SIZE*2 + 1];
  552. extern const unsigned int wolfCrypt_FIPS_ro_start[];
  553. extern const unsigned int wolfCrypt_FIPS_ro_end[];
  554. #define FIPS_IN_CORE_KEY_SZ 32
  555. #define FIPS_IN_CORE_VERIFY_SZ FIPS_IN_CORE_KEY_SZ
  556. typedef int (*fips_address_function)(void);
  557. #define MAX_FIPS_DATA_SZ 100000
  558. #define MAX_FIPS_CODE_SZ 1000000
  559. extern int GenBase16_Hash(const byte* in, int length, char* out, int outSz);
  560. static int updateFipsHash(void)
  561. {
  562. struct crypto_shash *tfm = NULL;
  563. struct shash_desc *desc = NULL;
  564. word32 verifySz = FIPS_IN_CORE_VERIFY_SZ;
  565. word32 binCoreSz = FIPS_IN_CORE_KEY_SZ;
  566. int ret;
  567. byte *hash = NULL;
  568. char *base16_hash = NULL;
  569. byte *binCoreKey = NULL;
  570. byte *binVerify = NULL;
  571. fips_address_function first = wolfCrypt_FIPS_first;
  572. fips_address_function last = wolfCrypt_FIPS_last;
  573. char* start = (char*)wolfCrypt_FIPS_ro_start;
  574. char* end = (char*)wolfCrypt_FIPS_ro_end;
  575. unsigned long code_sz = (unsigned long)last - (unsigned long)first;
  576. unsigned long data_sz = (unsigned long)end - (unsigned long)start;
  577. if (data_sz == 0 || data_sz > MAX_FIPS_DATA_SZ)
  578. return BAD_FUNC_ARG; /* bad fips data size */
  579. if (code_sz == 0 || code_sz > MAX_FIPS_CODE_SZ)
  580. return BAD_FUNC_ARG; /* bad fips code size */
  581. hash = XMALLOC(WC_SHA256_DIGEST_SIZE, 0, DYNAMIC_TYPE_TMP_BUFFER);
  582. if (hash == NULL) {
  583. ret = MEMORY_E;
  584. goto out;
  585. }
  586. base16_hash = XMALLOC(WC_SHA256_DIGEST_SIZE*2 + 1, 0, DYNAMIC_TYPE_TMP_BUFFER);
  587. if (base16_hash == NULL) {
  588. ret = MEMORY_E;
  589. goto out;
  590. }
  591. binCoreKey = XMALLOC(binCoreSz, 0, DYNAMIC_TYPE_TMP_BUFFER);
  592. if (binCoreKey == NULL) {
  593. ret = MEMORY_E;
  594. goto out;
  595. }
  596. binVerify = XMALLOC(verifySz, 0, DYNAMIC_TYPE_TMP_BUFFER);
  597. if (binVerify == NULL) {
  598. ret = MEMORY_E;
  599. goto out;
  600. }
  601. {
  602. word32 base16_out_len = binCoreSz;
  603. ret = Base16_Decode((const byte *)coreKey, sizeof coreKey - 1, binCoreKey, &base16_out_len);
  604. if (ret != 0) {
  605. pr_err("Base16_Decode for coreKey: %s\n", wc_GetErrorString(ret));
  606. goto out;
  607. }
  608. if (base16_out_len != binCoreSz) {
  609. pr_err("unexpected output length %u for coreKey from Base16_Decode.\n",base16_out_len);
  610. ret = BAD_STATE_E;
  611. goto out;
  612. }
  613. }
  614. tfm = crypto_alloc_shash("hmac(sha256)", 0, 0);
  615. if (IS_ERR(tfm)) {
  616. if (PTR_ERR(tfm) == -ENOMEM) {
  617. pr_err("crypto_alloc_shash failed: out of memory\n");
  618. ret = MEMORY_E;
  619. } else if (PTR_ERR(tfm) == -ENOENT) {
  620. pr_err("crypto_alloc_shash failed: kernel is missing hmac(sha256) implementation\n");
  621. pr_err("check for CONFIG_CRYPTO_SHA256 and CONFIG_CRYPTO_HMAC.\n");
  622. ret = NOT_COMPILED_IN;
  623. } else {
  624. pr_err("crypto_alloc_shash failed with ret %ld\n",PTR_ERR(tfm));
  625. ret = HASH_TYPE_E;
  626. }
  627. tfm = NULL;
  628. goto out;
  629. }
  630. {
  631. size_t desc_size = crypto_shash_descsize(tfm) + sizeof *desc;
  632. desc = XMALLOC(desc_size, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  633. if (desc == NULL) {
  634. pr_err("failed allocating desc.");
  635. ret = MEMORY_E;
  636. goto out;
  637. }
  638. XMEMSET(desc, 0, desc_size);
  639. }
  640. ret = crypto_shash_setkey(tfm, binCoreKey, binCoreSz);
  641. if (ret) {
  642. pr_err("crypto_ahash_setkey failed: err %d\n", ret);
  643. ret = BAD_STATE_E;
  644. goto out;
  645. }
  646. desc->tfm = tfm;
  647. ret = crypto_shash_init(desc);
  648. if (ret) {
  649. pr_err("crypto_shash_init failed: err %d\n", ret);
  650. ret = BAD_STATE_E;
  651. goto out;
  652. }
  653. ret = crypto_shash_update(desc, (byte *)(wc_ptr_t)first, (word32)code_sz);
  654. if (ret) {
  655. pr_err("crypto_shash_update failed: err %d\n", ret);
  656. ret = BAD_STATE_E;
  657. goto out;
  658. }
  659. /* don't hash verifyCore or changing verifyCore will change hash */
  660. if (verifyCore >= start && verifyCore < end) {
  661. data_sz = (unsigned long)verifyCore - (unsigned long)start;
  662. ret = crypto_shash_update(desc, (byte*)start, (word32)data_sz);
  663. if (ret) {
  664. pr_err("crypto_shash_update failed: err %d\n", ret);
  665. ret = BAD_STATE_E;
  666. goto out;
  667. }
  668. start = (char*)verifyCore + sizeof(verifyCore);
  669. data_sz = (unsigned long)end - (unsigned long)start;
  670. }
  671. ret = crypto_shash_update(desc, (byte*)start, (word32)data_sz);
  672. if (ret) {
  673. pr_err("crypto_shash_update failed: err %d\n", ret);
  674. ret = BAD_STATE_E;
  675. goto out;
  676. }
  677. ret = crypto_shash_final(desc, hash);
  678. if (ret) {
  679. pr_err("crypto_shash_final failed: err %d\n", ret);
  680. ret = BAD_STATE_E;
  681. goto out;
  682. }
  683. ret = GenBase16_Hash(hash, WC_SHA256_DIGEST_SIZE, base16_hash, WC_SHA256_DIGEST_SIZE*2 + 1);
  684. if (ret != 0) {
  685. pr_err("GenBase16_Hash failed: %s\n", wc_GetErrorString(ret));
  686. goto out;
  687. }
  688. {
  689. word32 base16_out_len = verifySz;
  690. ret = Base16_Decode((const byte *)verifyCore, sizeof verifyCore - 1, binVerify, &base16_out_len);
  691. if (ret != 0) {
  692. pr_err("Base16_Decode for verifyCore: %s\n", wc_GetErrorString(ret));
  693. goto out;
  694. }
  695. if (base16_out_len != binCoreSz) {
  696. pr_err("unexpected output length %u for verifyCore from Base16_Decode.\n",base16_out_len);
  697. ret = BAD_STATE_E;
  698. goto out;
  699. }
  700. }
  701. if (XMEMCMP(hash, binVerify, WC_SHA256_DIGEST_SIZE) == 0) {
  702. #if defined(DEBUG_LINUXKM_PIE_SUPPORT) || defined(WOLFSSL_LINUXKM_VERBOSE_DEBUG)
  703. pr_info("updateFipsHash: verifyCore already matches [%s]\n", verifyCore);
  704. #else
  705. pr_info("updateFipsHash: verifyCore already matches.\n");
  706. #endif
  707. } else {
  708. XMEMCPY(verifyCore, base16_hash, WC_SHA256_DIGEST_SIZE*2 + 1);
  709. #if defined(DEBUG_LINUXKM_PIE_SUPPORT) || defined(WOLFSSL_LINUXKM_VERBOSE_DEBUG)
  710. pr_info("updateFipsHash: verifyCore updated [%s].\n", base16_hash);
  711. #else
  712. pr_info("updateFipsHash: verifyCore updated.\n");
  713. #endif
  714. }
  715. ret = 0;
  716. out:
  717. if (tfm != NULL)
  718. crypto_free_shash(tfm);
  719. XFREE(desc, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  720. XFREE(hash, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  721. XFREE(base16_hash, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  722. XFREE(binCoreKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  723. XFREE(binVerify, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  724. return ret;
  725. }
  726. #endif /* WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE */