diff --git a/linuxkm/lkcapi_aes_glue.c b/linuxkm/lkcapi_aes_glue.c index ee3647a53..9c4b9c622 100644 --- a/linuxkm/lkcapi_aes_glue.c +++ b/linuxkm/lkcapi_aes_glue.c @@ -2254,7 +2254,7 @@ static int linuxkm_test_aescbc(void) aes = (Aes *)malloc(sizeof(*aes)); if (aes == NULL) - return -ENOMEM; + return MEMORY_E; XMEMSET(enc, 0, sizeof(enc)); XMEMSET(dec, 0, sizeof(enc)); @@ -2458,12 +2458,12 @@ static int linuxkm_test_aescfb(void) aes = (Aes *)malloc(sizeof(*aes)); if (aes == NULL) - return -ENOMEM; + return MEMORY_E; ret = aesofb_test(); if (ret) { wc_test_render_error_message("aesgcm_test failed: ", ret); - ret = -EINVAL; + ret = WC_TEST_RET_DEC_EC(ret); goto test_cfb_end; } @@ -2629,7 +2629,7 @@ static int linuxkm_test_aesgcm(void) return check_aead_driver_masking(NULL /* tfm */, WOLFKM_AESGCM_NAME, WOLFKM_AESGCM_DRIVER); else { wc_test_render_error_message("aesgcm_test failed: ", ret); - return -EINVAL; + return WC_TEST_RET_DEC_EC(ret); } #else int ret = 0; @@ -2688,7 +2688,7 @@ static int linuxkm_test_aesgcm(void) aes = (Aes *)malloc(sizeof(*aes)); if (aes == NULL) - return -ENOMEM; + return MEMORY_E; ret = wc_AesInit(aes, NULL, INVALID_DEVID); if (ret) { @@ -2927,7 +2927,7 @@ static int linuxkm_test_aesgcm_rfc4106(void) return check_aead_driver_masking(NULL /* tfm */, WOLFKM_AESGCM_RFC4106_NAME, WOLFKM_AESGCM_RFC4106_DRIVER); else { wc_test_render_error_message("aesgcm_test failed: ", ret); - return -EINVAL; + return WC_TEST_RET_DEC_EC(ret); } } @@ -4055,7 +4055,7 @@ static int linuxkm_test_aesctr(void) { return check_skcipher_driver_masking(NULL /* tfm */, WOLFKM_AESCTR_NAME, WOLFKM_AESCTR_DRIVER); else { wc_test_render_error_message("aes_ctr_test failed: ", ret); - return -EINVAL; + return WC_TEST_RET_DEC_EC(ret); } } @@ -4069,7 +4069,7 @@ static int linuxkm_test_aesofb(void) { return check_skcipher_driver_masking(NULL /* tfm */, WOLFKM_AESOFB_NAME, WOLFKM_AESOFB_DRIVER); else { wc_test_render_error_message("aesofb_test failed: ", ret); - return -EINVAL; + return WC_TEST_RET_DEC_EC(ret); } } @@ -4083,7 +4083,7 @@ static int linuxkm_test_aesecb(void) { return check_skcipher_driver_masking(NULL /* tfm */, WOLFKM_AESECB_NAME, WOLFKM_AESECB_DRIVER); else { wc_test_render_error_message("aes_test failed: ", ret); - return -EINVAL; + return WC_TEST_RET_DEC_EC(ret); } } diff --git a/linuxkm/lkcapi_dh_glue.c b/linuxkm/lkcapi_dh_glue.c index c8c5ff239..b081a48bf 100644 --- a/linuxkm/lkcapi_dh_glue.c +++ b/linuxkm/lkcapi_dh_glue.c @@ -2804,7 +2804,7 @@ static int linuxkm_test_kpp_driver(const char * driver, const byte * shared_secret, word32 shared_s_len) { - int test_rc = -1; + int test_rc = WC_NO_ERR_TRACE(WC_FAILURE); struct crypto_kpp * tfm = NULL; struct kpp_request * req = NULL; struct scatterlist src, dst; @@ -2822,6 +2822,10 @@ static int linuxkm_test_kpp_driver(const char * driver, pr_err("error: allocating kpp algorithm %s failed: %ld\n", driver, PTR_ERR(tfm)); tfm = NULL; + if (PTR_ERR(tfm) == -ENOMEM) + test_rc = MEMORY_E; + else + test_rc = BAD_FUNC_ARG; goto test_kpp_end; } @@ -2830,12 +2834,17 @@ static int linuxkm_test_kpp_driver(const char * driver, pr_err("error: allocating kpp request %s failed\n", driver); req = NULL; + if (PTR_ERR(req) == -ENOMEM) + test_rc = MEMORY_E; + else + test_rc = BAD_FUNC_ARG; goto test_kpp_end; } err = crypto_kpp_set_secret(tfm, a_secret, secret_len); if (err) { pr_err("error: crypto_kpp_set_secret returned: %d\n", err); + test_rc = BAD_FUNC_ARG; goto test_kpp_end; } @@ -2843,12 +2852,14 @@ static int linuxkm_test_kpp_driver(const char * driver, dst_len = crypto_kpp_maxsize(tfm); if (dst_len <= 0) { pr_err("error: crypto_kpp_maxsize returned: %d\n", dst_len); + test_rc = BAD_FUNC_ARG; goto test_kpp_end; } dst_buf = malloc(dst_len); if (dst_buf == NULL) { pr_err("error: allocating out buf failed"); + test_rc = MEMORY_E; goto test_kpp_end; } @@ -2862,17 +2873,20 @@ static int linuxkm_test_kpp_driver(const char * driver, err = crypto_kpp_generate_public_key(req); if (err) { pr_err("error: crypto_kpp_generate_public_key returned: %d", err); + test_rc = BAD_FUNC_ARG; goto test_kpp_end; } if (memcmp(expected_a_pub, sg_virt(req->dst), pub_len)) { pr_err("error: crypto_kpp_generate_public_key: wrong output"); + test_rc = WC_KEY_MISMATCH_E; goto test_kpp_end; } src_buf = malloc(src_len); if (src_buf == NULL) { pr_err("error: allocating in buf failed"); + test_rc = MEMORY_E; goto test_kpp_end; } @@ -2887,11 +2901,13 @@ static int linuxkm_test_kpp_driver(const char * driver, err = crypto_kpp_compute_shared_secret(req); if (err) { pr_err("error: crypto_kpp_compute_shared_secret returned: %d", err); + test_rc = BAD_FUNC_ARG; goto test_kpp_end; } if (memcmp(shared_secret, sg_virt(req->dst), shared_s_len)) { pr_err("error: shared secret does not match"); + test_rc = BAD_FUNC_ARG; goto test_kpp_end; } diff --git a/linuxkm/lkcapi_ecdh_glue.c b/linuxkm/lkcapi_ecdh_glue.c index 26ea5b290..f463c3d04 100644 --- a/linuxkm/lkcapi_ecdh_glue.c +++ b/linuxkm/lkcapi_ecdh_glue.c @@ -787,7 +787,7 @@ static int linuxkm_test_ecdh_nist_driver(const char * driver, const byte * shared_secret, word32 shared_s_len) { - int test_rc = -1; + int test_rc = WC_NO_ERR_TRACE(WC_FAILURE); struct crypto_kpp * tfm = NULL; struct kpp_request * req = NULL; struct scatterlist src, dst; @@ -805,6 +805,10 @@ static int linuxkm_test_ecdh_nist_driver(const char * driver, pr_err("error: allocating kpp algorithm %s failed: %ld\n", driver, PTR_ERR(tfm)); tfm = NULL; + if (PTR_ERR(tfm) == -ENOMEM) + test_rc = MEMORY_E; + else + test_rc = BAD_FUNC_ARG; goto test_ecdh_nist_end; } @@ -813,12 +817,17 @@ static int linuxkm_test_ecdh_nist_driver(const char * driver, pr_err("error: allocating kpp request %s failed\n", driver); req = NULL; + if (PTR_ERR(req) == -ENOMEM) + test_rc = MEMORY_E; + else + test_rc = BAD_FUNC_ARG; goto test_ecdh_nist_end; } err = crypto_kpp_set_secret(tfm, secret, secret_len); if (err) { pr_err("error: crypto_kpp_set_secret returned: %d\n", err); + test_rc = BAD_FUNC_ARG; goto test_ecdh_nist_end; } @@ -826,12 +835,14 @@ static int linuxkm_test_ecdh_nist_driver(const char * driver, dst_len = crypto_kpp_maxsize(tfm); if (dst_len <= 0) { pr_err("error: crypto_kpp_maxsize returned: %d\n", dst_len); + test_rc = BAD_FUNC_ARG; goto test_ecdh_nist_end; } dst_buf = malloc(dst_len); if (dst_buf == NULL) { pr_err("error: allocating out buf failed"); + test_rc = BAD_FUNC_ARG; goto test_ecdh_nist_end; } @@ -845,17 +856,20 @@ static int linuxkm_test_ecdh_nist_driver(const char * driver, err = crypto_kpp_generate_public_key(req); if (err) { pr_err("error: crypto_kpp_generate_public_key returned: %d", err); + test_rc = BAD_FUNC_ARG; goto test_ecdh_nist_end; } if (memcmp(expected_a_pub, sg_virt(req->dst), pub_len)) { pr_err("error: crypto_kpp_generate_public_key: wrong output"); + test_rc = BAD_FUNC_ARG; goto test_ecdh_nist_end; } src_buf = malloc(src_len); if (src_buf == NULL) { pr_err("error: allocating in buf failed"); + test_rc = MEMORY_E; goto test_ecdh_nist_end; } @@ -870,11 +884,13 @@ static int linuxkm_test_ecdh_nist_driver(const char * driver, err = crypto_kpp_compute_shared_secret(req); if (err) { pr_err("error: crypto_kpp_compute_shared_secret returned: %d", err); + test_rc = BAD_FUNC_ARG; goto test_ecdh_nist_end; } if (memcmp(shared_secret, sg_virt(req->dst), shared_s_len)) { pr_err("error: shared secret does not match"); + test_rc = BAD_FUNC_ARG; goto test_ecdh_nist_end; } diff --git a/linuxkm/lkcapi_ecdsa_glue.c b/linuxkm/lkcapi_ecdsa_glue.c index eb0988051..3413387ba 100644 --- a/linuxkm/lkcapi_ecdsa_glue.c +++ b/linuxkm/lkcapi_ecdsa_glue.c @@ -650,7 +650,7 @@ static int linuxkm_test_ecdsa_nist_driver(const char * driver, const byte * sig, word32 sig_len, const byte * hash, word32 hash_len) { - int test_rc = -1; + int test_rc = WC_NO_ERR_TRACE(WC_FAILURE); int ret = 0; struct crypto_akcipher * tfm = NULL; struct akcipher_request * req = NULL; @@ -664,6 +664,7 @@ static int linuxkm_test_ecdsa_nist_driver(const char * driver, param_copy = (byte *)malloc(sig_len + hash_len); if (! param_copy) { pr_err("error: allocating param_copy buffer failed.\n"); + test_rc = MEMORY_E; goto test_ecdsa_nist_end; } memcpy(param_copy, sig, sig_len); @@ -680,6 +681,10 @@ static int linuxkm_test_ecdsa_nist_driver(const char * driver, pr_err("error: allocating akcipher algorithm %s failed: %ld\n", driver, PTR_ERR(tfm)); tfm = NULL; + if (PTR_ERR(tfm) == -ENOMEM) + test_rc = MEMORY_E; + else + test_rc = BAD_FUNC_ARG; goto test_ecdsa_nist_end; } @@ -688,6 +693,10 @@ static int linuxkm_test_ecdsa_nist_driver(const char * driver, pr_err("error: allocating akcipher request %s failed\n", driver); req = NULL; + if (PTR_ERR(req) == -ENOMEM) + test_rc = MEMORY_E; + else + test_rc = BAD_FUNC_ARG; goto test_ecdsa_nist_end; } @@ -695,6 +704,7 @@ static int linuxkm_test_ecdsa_nist_driver(const char * driver, ret = crypto_akcipher_set_pub_key(tfm, pub, pub_len); if (ret) { pr_err("error: crypto_akcipher_set_pub_key returned: %d\n", ret); + test_rc = BAD_FUNC_ARG; goto test_ecdsa_nist_end; } @@ -703,6 +713,7 @@ static int linuxkm_test_ecdsa_nist_driver(const char * driver, if ((int) maxsize <= 0) { pr_err("error: crypto_akcipher_maxsize " "returned %d\n", maxsize); + test_rc = BAD_FUNC_ARG; goto test_ecdsa_nist_end; } } @@ -725,6 +736,7 @@ static int linuxkm_test_ecdsa_nist_driver(const char * driver, ret = crypto_akcipher_verify(req); if (ret) { pr_err("error: crypto_akcipher_verify returned: %d\n", ret); + test_rc = BAD_FUNC_ARG; goto test_ecdsa_nist_end; } @@ -732,6 +744,7 @@ static int linuxkm_test_ecdsa_nist_driver(const char * driver, bad_sig = malloc(sig_len); if (bad_sig == NULL) { pr_err("error: alloc sig failed\n"); + test_rc = MEMORY_E; goto test_ecdsa_nist_end; } @@ -749,6 +762,7 @@ static int linuxkm_test_ecdsa_nist_driver(const char * driver, if (ret != -EBADMSG) { pr_err("error: crypto_akcipher_verify returned %d, expected %d\n", ret, -EBADMSG); + test_rc = BAD_FUNC_ARG; goto test_ecdsa_nist_end; } diff --git a/linuxkm/lkcapi_glue.c b/linuxkm/lkcapi_glue.c index 6f2b0a9e3..d21280e79 100644 --- a/linuxkm/lkcapi_glue.c +++ b/linuxkm/lkcapi_glue.c @@ -87,22 +87,6 @@ (alg).base.cra_name, \ (alg).base.cra_priority); \ -#ifdef WOLFSSL_DEBUG_TRACE_ERROR_CODES - enum linux_errcodes { - my_EINVAL = EINVAL, - my_ENOMEM = ENOMEM, - my_EBADMSG = EBADMSG - }; - - #undef EINVAL - #undef ENOMEM - #undef EBADMSG - - #define EINVAL WC_ERR_TRACE(my_EINVAL) - #define ENOMEM WC_ERR_TRACE(my_ENOMEM) - #define EBADMSG WC_ERR_TRACE(my_EBADMSG) -#endif - #if defined(WOLFSSL_AESNI) || defined(USE_INTEL_SPEEDUP) || \ defined(USE_INTEL_SPEEDUP_FOR_AES) #define LKCAPI_HAVE_ARCH_ACCEL @@ -382,41 +366,42 @@ static ssize_t deinstall_algs_handler(struct kobject *kobj, struct kobj_attribut return count; } -/* create control channels at /sys/module/libwolfssl/parameters/{install_algs,deinstall_algs} */ +/* create control channels at /sys/module/libwolfssl/{install_algs,deinstall_algs} */ static struct kobj_attribute install_algs_attr = __ATTR(install_algs, 0220, NULL, install_algs_handler); static struct kobj_attribute deinstall_algs_attr = __ATTR(deinstall_algs, 0220, NULL, deinstall_algs_handler); -static int installed_sysfs_files = 0; +static int installed_sysfs_LKCAPI_files = 0; static int linuxkm_lkcapi_sysfs_install(void) { int ret; - if (! installed_sysfs_files) { - installed_sysfs_files = 1; - ret = sysfs_create_file(&THIS_MODULE->mkobj.kobj, &install_algs_attr.attr); - if (ret) { - pr_err("sysfs_create_file failed: %d\n", ret); + if (! installed_sysfs_LKCAPI_files) { + ret = linuxkm_lkcapi_sysfs_install_node(&install_algs_attr, NULL); + if (ret) return ret; - } - ret = sysfs_create_file(&THIS_MODULE->mkobj.kobj, &deinstall_algs_attr.attr); - if (ret) { - pr_err("sysfs_create_file failed: %d\n", ret); + ret = linuxkm_lkcapi_sysfs_install_node(&deinstall_algs_attr, NULL); + if (ret) return ret; - } + installed_sysfs_LKCAPI_files = 1; } return 0; } static int linuxkm_lkcapi_sysfs_deinstall(void) { - if (installed_sysfs_files) { - installed_sysfs_files = 0; - sysfs_remove_file(&THIS_MODULE->mkobj.kobj, &install_algs_attr.attr); - sysfs_remove_file(&THIS_MODULE->mkobj.kobj, &deinstall_algs_attr.attr); + if (installed_sysfs_LKCAPI_files) { + int ret = linuxkm_lkcapi_sysfs_deinstall_node(&install_algs_attr, NULL); + if (ret) + return ret; + ret = linuxkm_lkcapi_sysfs_deinstall_node(&deinstall_algs_attr, NULL); + if (ret) + return ret; + installed_sysfs_LKCAPI_files = 0; } return 0; } static int linuxkm_lkcapi_registered = 0; +static int linuxkm_lkcapi_n_registered = 0; static int linuxkm_lkcapi_register(void) { @@ -452,20 +437,30 @@ static int linuxkm_lkcapi_register(void) if (! alg ## _loaded) { \ ret = (crypto_register_ ## alg_class)(&(alg)); \ if (ret) { \ - seen_err = 1; \ + seen_err = ret; \ pr_err("ERROR: crypto_register_" #alg_class " for %s failed "\ "with return code %d.\n", \ (alg).base.cra_driver_name, ret); \ } else { \ ret = (tester()); \ if (ret) { \ - seen_err = 1; \ - pr_err("ERROR: self-test for %s failed " \ + seen_err = -EINVAL; \ + pr_err("ERROR: wolfCrypt self-test for %s failed " \ "with return code %d.\n", \ (alg).base.cra_driver_name, ret); \ (crypto_unregister_ ## alg_class)(&(alg)); \ + if (! (alg.base.cra_flags & CRYPTO_ALG_DEAD)) { \ + pr_err("ERROR: alg %s not _DEAD " \ + "after crypto_unregister_%s -- " \ + "marking as loaded despite test failure.", \ + (alg).base.cra_driver_name, \ + #alg_class); \ + alg ## _loaded = 1; \ + ++linuxkm_lkcapi_n_registered; \ + } \ } else { \ alg ## _loaded = 1; \ + ++linuxkm_lkcapi_n_registered; \ WOLFKM_INSTALL_NOTICE(alg) \ } \ } \ @@ -557,8 +552,13 @@ static int linuxkm_lkcapi_register(void) /* special installation handler for wc_linuxkm_drbg, to conditionally * install it as the system-wide default rng. */ - if (! wc_linuxkm_drbg_loaded) + if (! wc_linuxkm_drbg_loaded) { ret = wc_linuxkm_drbg_startup(); + if (ret == 0) + ++linuxkm_lkcapi_n_registered; + else + seen_err = ret; + } #endif #ifdef LINUXKM_LKCAPI_REGISTER_ECDSA @@ -642,6 +642,9 @@ static int linuxkm_lkcapi_register(void) disable_setkey_warnings = 0; #endif + pr_info("wolfCrypt: %d algorithm%s registered.", linuxkm_lkcapi_n_registered, + linuxkm_lkcapi_n_registered == 1 ? "" : "s"); + if (ret == -1) { /* no installations occurred */ if (linuxkm_lkcapi_registered) @@ -656,114 +659,132 @@ static int linuxkm_lkcapi_register(void) * occurred. */ linuxkm_lkcapi_registered = 1; - if (seen_err) - return -EINVAL; - else - return 0; + return seen_err; } } static int linuxkm_lkcapi_unregister(void) { int seen_err = 0; + int n_deregistered = 0; - if (! linuxkm_lkcapi_registered) + if (linuxkm_lkcapi_n_registered == 0) return -ENOENT; -#define UNREGISTER_ALG(alg, uninstaller) do { \ +#define UNREGISTER_ALG(alg, alg_class) \ + do { \ if (alg ## _loaded) { \ - int cur_refcnt = WC_LKM_REFCOUNT_TO_INT(alg.base.cra_refcnt);\ - if (cur_refcnt == 1) { \ - (uninstaller)(&(alg)); \ + if (alg.base.cra_flags & CRYPTO_ALG_DEAD) { \ + pr_err("alg %s already CRYPTO_ALG_DEAD.", \ + alg.base.cra_driver_name); \ alg ## _loaded = 0; \ + ++n_deregistered; \ } \ else { \ - pr_err("alg %s cannot be uninstalled (refcnt = %d)", \ - alg.base.cra_driver_name, cur_refcnt); \ - if (cur_refcnt > 0) { seen_err = 1; } \ + int cur_refcnt = \ + WC_LKM_REFCOUNT_TO_INT(alg.base.cra_refcnt); \ + if (cur_refcnt == 1) { \ + (crypto_unregister_ ## alg_class)(&(alg)); \ + if (! (alg.base.cra_flags & CRYPTO_ALG_DEAD)) { \ + pr_err("ERROR: alg %s not _DEAD after " \ + "crypto_unregister_%s -- " \ + "leaving marked as loaded.", \ + (alg).base.cra_driver_name, \ + #alg_class); \ + seen_err = -EBUSY; \ + } else { \ + alg ## _loaded = 0; \ + ++n_deregistered; \ + } \ + } \ + else { \ + pr_err("alg %s cannot be uninstalled (refcnt = %d)", \ + alg.base.cra_driver_name, cur_refcnt); \ + if (cur_refcnt > 0) { seen_err = -EBUSY; } \ + } \ } \ } \ } while (0) #ifdef LINUXKM_LKCAPI_REGISTER_AESCBC - UNREGISTER_ALG(cbcAesAlg, crypto_unregister_skcipher); + UNREGISTER_ALG(cbcAesAlg, skcipher); #endif #ifdef LINUXKM_LKCAPI_REGISTER_AESCFB - UNREGISTER_ALG(cfbAesAlg, crypto_unregister_skcipher); + UNREGISTER_ALG(cfbAesAlg, skcipher); #endif #ifdef LINUXKM_LKCAPI_REGISTER_AESGCM - UNREGISTER_ALG(gcmAesAead, crypto_unregister_aead); + UNREGISTER_ALG(gcmAesAead, aead); #endif #ifdef LINUXKM_LKCAPI_REGISTER_AESGCM_RFC4106 - UNREGISTER_ALG(gcmAesAead_rfc4106, crypto_unregister_aead); + UNREGISTER_ALG(gcmAesAead_rfc4106, aead); #endif #ifdef LINUXKM_LKCAPI_REGISTER_AESXTS - UNREGISTER_ALG(xtsAesAlg, crypto_unregister_skcipher); + UNREGISTER_ALG(xtsAesAlg, skcipher); #endif #ifdef LINUXKM_LKCAPI_REGISTER_AESCTR - UNREGISTER_ALG(ctrAesAlg, crypto_unregister_skcipher); + UNREGISTER_ALG(ctrAesAlg, skcipher); #endif #ifdef LINUXKM_LKCAPI_REGISTER_AESOFB - UNREGISTER_ALG(ofbAesAlg, crypto_unregister_skcipher); + UNREGISTER_ALG(ofbAesAlg, skcipher); #endif #ifdef LINUXKM_LKCAPI_REGISTER_AESECB - UNREGISTER_ALG(ecbAesAlg, crypto_unregister_skcipher); + UNREGISTER_ALG(ecbAesAlg, skcipher); #endif #ifdef LINUXKM_LKCAPI_REGISTER_SHA1 - UNREGISTER_ALG(sha1_alg, crypto_unregister_shash); + UNREGISTER_ALG(sha1_alg, shash); #endif #ifdef LINUXKM_LKCAPI_REGISTER_SHA2_224 - UNREGISTER_ALG(sha2_224_alg, crypto_unregister_shash); + UNREGISTER_ALG(sha2_224_alg, shash); #endif #ifdef LINUXKM_LKCAPI_REGISTER_SHA2_256 - UNREGISTER_ALG(sha2_256_alg, crypto_unregister_shash); + UNREGISTER_ALG(sha2_256_alg, shash); #endif #ifdef LINUXKM_LKCAPI_REGISTER_SHA2_384 - UNREGISTER_ALG(sha2_384_alg, crypto_unregister_shash); + UNREGISTER_ALG(sha2_384_alg, shash); #endif #ifdef LINUXKM_LKCAPI_REGISTER_SHA2_512 - UNREGISTER_ALG(sha2_512_alg, crypto_unregister_shash); + UNREGISTER_ALG(sha2_512_alg, shash); #endif #ifdef LINUXKM_LKCAPI_REGISTER_SHA3_224 - UNREGISTER_ALG(sha3_224_alg, crypto_unregister_shash); + UNREGISTER_ALG(sha3_224_alg, shash); #endif #ifdef LINUXKM_LKCAPI_REGISTER_SHA3_256 - UNREGISTER_ALG(sha3_256_alg, crypto_unregister_shash); + UNREGISTER_ALG(sha3_256_alg, shash); #endif #ifdef LINUXKM_LKCAPI_REGISTER_SHA3_384 - UNREGISTER_ALG(sha3_384_alg, crypto_unregister_shash); + UNREGISTER_ALG(sha3_384_alg, shash); #endif #ifdef LINUXKM_LKCAPI_REGISTER_SHA3_512 - UNREGISTER_ALG(sha3_512_alg, crypto_unregister_shash); + UNREGISTER_ALG(sha3_512_alg, shash); #endif -#ifdef LINUXKM_LKCAPI_REGISTER_SHA1 - UNREGISTER_ALG(sha1_hmac_alg, crypto_unregister_shash); +#ifdef LINUXKM_LKCAPI_REGISTER_SHA1_HMAC + UNREGISTER_ALG(sha1_hmac_alg, shash); #endif #ifdef LINUXKM_LKCAPI_REGISTER_SHA2_224_HMAC - UNREGISTER_ALG(sha2_224_hmac_alg, crypto_unregister_shash); + UNREGISTER_ALG(sha2_224_hmac_alg, shash); #endif #ifdef LINUXKM_LKCAPI_REGISTER_SHA2_256_HMAC - UNREGISTER_ALG(sha2_256_hmac_alg, crypto_unregister_shash); + UNREGISTER_ALG(sha2_256_hmac_alg, shash); #endif #ifdef LINUXKM_LKCAPI_REGISTER_SHA2_384_HMAC - UNREGISTER_ALG(sha2_384_hmac_alg, crypto_unregister_shash); + UNREGISTER_ALG(sha2_384_hmac_alg, shash); #endif #ifdef LINUXKM_LKCAPI_REGISTER_SHA2_512_HMAC - UNREGISTER_ALG(sha2_512_hmac_alg, crypto_unregister_shash); + UNREGISTER_ALG(sha2_512_hmac_alg, shash); #endif #ifdef LINUXKM_LKCAPI_REGISTER_SHA3_224_HMAC - UNREGISTER_ALG(sha3_224_hmac_alg, crypto_unregister_shash); + UNREGISTER_ALG(sha3_224_hmac_alg, shash); #endif #ifdef LINUXKM_LKCAPI_REGISTER_SHA3_256_HMAC - UNREGISTER_ALG(sha3_256_hmac_alg, crypto_unregister_shash); + UNREGISTER_ALG(sha3_256_hmac_alg, shash); #endif #ifdef LINUXKM_LKCAPI_REGISTER_SHA3_384_HMAC - UNREGISTER_ALG(sha3_384_hmac_alg, crypto_unregister_shash); + UNREGISTER_ALG(sha3_384_hmac_alg, shash); #endif #ifdef LINUXKM_LKCAPI_REGISTER_SHA3_512_HMAC - UNREGISTER_ALG(sha3_512_hmac_alg, crypto_unregister_shash); + UNREGISTER_ALG(sha3_512_hmac_alg, shash); #endif #ifdef LINUXKM_LKCAPI_REGISTER_HASH_DRBG @@ -771,78 +792,82 @@ static int linuxkm_lkcapi_unregister(void) * the system-wide default rng. */ if (wc_linuxkm_drbg_loaded) { - if (wc_linuxkm_drbg_cleanup() != 0) - seen_err = 1; + int ret = wc_linuxkm_drbg_cleanup(); + if (ret == 0) + ++n_deregistered; + else + seen_err = ret; } #endif #ifdef LINUXKM_LKCAPI_REGISTER_ECDSA #if defined(LINUXKM_ECC192) - UNREGISTER_ALG(ecdsa_nist_p192, crypto_unregister_akcipher); + UNREGISTER_ALG(ecdsa_nist_p192, akcipher); #endif /* LINUXKM_ECC192 */ - UNREGISTER_ALG(ecdsa_nist_p256, crypto_unregister_akcipher); - UNREGISTER_ALG(ecdsa_nist_p384, crypto_unregister_akcipher); + UNREGISTER_ALG(ecdsa_nist_p256, akcipher); + UNREGISTER_ALG(ecdsa_nist_p384, akcipher); #if defined(HAVE_ECC521) - UNREGISTER_ALG(ecdsa_nist_p521, crypto_unregister_akcipher); + UNREGISTER_ALG(ecdsa_nist_p521, akcipher); #endif /* HAVE_ECC521 */ #endif /* LINUXKM_LKCAPI_REGISTER_ECDSA */ #ifdef LINUXKM_LKCAPI_REGISTER_ECDH #if defined(LINUXKM_ECC192) - UNREGISTER_ALG(ecdh_nist_p192, crypto_unregister_kpp); + UNREGISTER_ALG(ecdh_nist_p192, kpp); #endif /* LINUXKM_ECC192 */ - UNREGISTER_ALG(ecdh_nist_p256, crypto_unregister_kpp); - UNREGISTER_ALG(ecdh_nist_p384, crypto_unregister_kpp); + UNREGISTER_ALG(ecdh_nist_p256, kpp); + UNREGISTER_ALG(ecdh_nist_p384, kpp); /* no ecdh p521 in kernel. */ #endif /* LINUXKM_LKCAPI_REGISTER_ECDH */ #ifdef LINUXKM_LKCAPI_REGISTER_RSA #if defined(LINUXKM_DIRECT_RSA) - UNREGISTER_ALG(direct_rsa, crypto_unregister_akcipher); + UNREGISTER_ALG(direct_rsa, akcipher); #endif /* LINUXKM_DIRECT_RSA */ #ifndef NO_SHA256 - UNREGISTER_ALG(pkcs1_sha256, crypto_unregister_akcipher); + UNREGISTER_ALG(pkcs1_sha256, akcipher); #endif /* !NO_SHA256 */ #ifdef WOLFSSL_SHA512 - UNREGISTER_ALG(pkcs1_sha512, crypto_unregister_akcipher); + UNREGISTER_ALG(pkcs1_sha512, akcipher); #endif /* WOLFSSL_SHA512 */ #endif /* LINUXKM_LKCAPI_REGISTER_RSA */ #ifdef LINUXKM_LKCAPI_REGISTER_DH #ifdef LINUXKM_DH - UNREGISTER_ALG(dh, crypto_unregister_kpp); + UNREGISTER_ALG(dh, kpp); #endif /* LINUXKM_DH */ #ifdef HAVE_FFDHE_2048 - UNREGISTER_ALG(ffdhe2048, crypto_unregister_kpp); + UNREGISTER_ALG(ffdhe2048, kpp); #endif /* HAVE_FFDHE_2048 */ #ifdef HAVE_FFDHE_3072 - UNREGISTER_ALG(ffdhe3072, crypto_unregister_kpp); + UNREGISTER_ALG(ffdhe3072, kpp); #endif /* HAVE_FFDHE_3072 */ #ifdef HAVE_FFDHE_4096 - UNREGISTER_ALG(ffdhe4096, crypto_unregister_kpp); + UNREGISTER_ALG(ffdhe4096, kpp); #endif /* HAVE_FFDHE_4096 */ #ifdef HAVE_FFDHE_6144 - UNREGISTER_ALG(ffdhe6144, crypto_unregister_kpp); + UNREGISTER_ALG(ffdhe6144, kpp); #endif /* HAVE_FFDHE_6144 */ #ifdef HAVE_FFDHE_8192 - UNREGISTER_ALG(ffdhe8192, crypto_unregister_kpp); + UNREGISTER_ALG(ffdhe8192, kpp); #endif /* HAVE_FFDHE_8192 */ #endif /* LINUXKM_LKCAPI_REGISTER_DH */ #undef UNREGISTER_ALG - /* only clear linuxkm_lkcapi_registered if no errors occurred, to allow - * retries. - */ + linuxkm_lkcapi_n_registered -= n_deregistered; + pr_info("wolfCrypt: %d algorithm%s deregistered, %d remain%s registered.", + n_deregistered, n_deregistered == 1 ? "" : "s", + linuxkm_lkcapi_n_registered, linuxkm_lkcapi_n_registered == 1 ? "s" : ""); - if (seen_err == 0) { - linuxkm_lkcapi_registered = 0; - pr_info("wolfCrypt: All algorithms deregistered successfully."); - } + if (linuxkm_lkcapi_n_registered > 0) + return -EBUSY; - return seen_err ? -EINVAL : 0; + linuxkm_lkcapi_registered = 0; + + return seen_err; } diff --git a/linuxkm/lkcapi_rsa_glue.c b/linuxkm/lkcapi_rsa_glue.c index e48a51fc9..ff3c5e617 100644 --- a/linuxkm/lkcapi_rsa_glue.c +++ b/linuxkm/lkcapi_rsa_glue.c @@ -1411,7 +1411,7 @@ test_rsa_end: static int linuxkm_test_pkcs1_driver(const char * driver, int nbits, int hash_oid, word32 hash_len) { - int test_rc = -1; + int test_rc = WC_NO_ERR_TRACE(WC_FAILURE); int ret = 0; struct crypto_akcipher * tfm = NULL; struct akcipher_request * req = NULL; @@ -1450,6 +1450,7 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits, hash = malloc(WC_SHA512_DIGEST_SIZE); if (! hash) { pr_err("error: allocating hash buffer failed.\n"); + test_rc = MEMORY_E; goto test_pkcs1_end; } @@ -1458,12 +1459,14 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits, hash, hash_len); if (ret) { pr_err("error: wc_Hash returned: %d\n", ret); + test_rc = ret; goto test_pkcs1_end; } key = (RsaKey*)malloc(sizeof(RsaKey)); if (key == NULL) { pr_err("error: allocating key(%zu) failed\n", sizeof(RsaKey)); + test_rc = MEMORY_E; goto test_pkcs1_end; } @@ -1480,6 +1483,7 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits, ret = wc_InitRsaKey(key, NULL); if (ret) { pr_err("error: init rsa key returned: %d\n", ret); + test_rc = ret; goto test_pkcs1_end; } init_key = 1; @@ -1488,6 +1492,7 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits, ret = wc_RsaSetRNG(key, &rng); if (ret) { pr_err("error: rsa set rng returned: %d\n", ret); + test_rc = ret; goto test_pkcs1_end; } #endif /* WC_RSA_BLINDING */ @@ -1495,18 +1500,21 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits, ret = wc_MakeRsaKey(key, nbits, WC_RSA_EXPONENT, &rng); if (ret) { pr_err("error: make rsa key returned: %d\n", ret); + test_rc = ret; goto test_pkcs1_end; } key_len = wc_RsaEncryptSize(key); if (key_len <= 0) { pr_err("error: rsa encrypt size returned: %d\n", key_len); + test_rc = key_len; goto test_pkcs1_end; } sig = (byte*)malloc(key_len); if (sig == NULL) { pr_err("error: allocating sig(%d) failed\n", key_len); + test_rc = MEMORY_E; goto test_pkcs1_end; } memset(sig, 0, key_len); @@ -1514,6 +1522,7 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits, km_sig = (byte*)malloc(key_len); if (km_sig == NULL) { pr_err("error: allocating km_sig(%d) failed\n", key_len); + test_rc = MEMORY_E; goto test_pkcs1_end; } memset(km_sig, 0, key_len); @@ -1521,6 +1530,7 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits, enc = (byte*)malloc(key_len); if (enc == NULL) { pr_err("error: allocating enc(%d) failed\n", key_len); + test_rc = MEMORY_E; goto test_pkcs1_end; } memset(enc, 0, key_len); @@ -1528,6 +1538,7 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits, dec = (byte*)malloc(key_len + 1); if (dec == NULL) { pr_err("error: allocating dec(%d) failed\n", key_len); + test_rc = MEMORY_E; goto test_pkcs1_end; } memset(dec, 0, key_len + 1); @@ -1535,6 +1546,7 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits, enc2 = (byte*)malloc(key_len); if (enc2 == NULL) { pr_err("error: allocating enc2(%d) failed\n", key_len); + test_rc = MEMORY_E; goto test_pkcs1_end; } memset(enc2, 0, key_len); @@ -1542,6 +1554,7 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits, dec2 = (byte*)malloc(key_len + 1); if (dec2 == NULL) { pr_err("error: allocating dec2(%d) failed\n", key_len); + test_rc = MEMORY_E; goto test_pkcs1_end; } memset(dec2, 0, key_len + 1); @@ -1552,12 +1565,14 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits, priv_len = wc_RsaKeyToDer(key, NULL, 0); if (priv_len <= 0) { pr_err("error: rsa priv to der returned: %d\n", priv_len); + test_rc = priv_len; goto test_pkcs1_end; } priv = (byte*)malloc(priv_len); if (priv == NULL) { pr_err("error: allocating priv(%d) failed\n", priv_len); + test_rc = MEMORY_E; goto test_pkcs1_end; } @@ -1566,6 +1581,7 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits, priv_len = wc_RsaKeyToDer(key, priv, priv_len); if (priv_len <= 0) { pr_err("error: rsa priv to der returned: %d\n", priv_len); + test_rc = priv_len; goto test_pkcs1_end; } @@ -1573,12 +1589,14 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits, pub_len = wc_RsaKeyToPublicDer(key, NULL, 0); if (pub_len <= 0) { pr_err("error: rsa pub to der returned: %d\n", pub_len); + test_rc = pub_len; goto test_pkcs1_end; } pub = (byte*)malloc(pub_len); if (pub == NULL) { pr_err("error: allocating pub(%d) failed\n", pub_len); + test_rc = MEMORY_E; goto test_pkcs1_end; } @@ -1587,6 +1605,7 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits, pub_len = wc_RsaKeyToPublicDer(key, pub, pub_len); if (pub_len <= 0) { pr_err("error: rsa pub to der returned: %d\n", pub_len); + test_rc = pub_len; goto test_pkcs1_end; } @@ -1598,12 +1617,14 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits, enc_len = wc_EncodeSignature(enc, hash, hash_len, hash_oid); if (enc_len <= 0) { pr_err("error: wc_EncodeSignature returned: %d\n", enc_len); + test_rc = enc_len; goto test_pkcs1_end; } sig_len = wc_RsaSSL_Sign(enc, enc_len, sig, key_len, key, &rng); if (sig_len <= 0) { pr_err("error: wc_RsaSSL_Sign returned: %d\n", sig_len); + test_rc = sig_len; goto test_pkcs1_end; } @@ -1612,6 +1633,7 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits, if (ret <= 0 || ret != (int) enc_len) { pr_err("error: wc_RsaSSL_Verify returned %d, expected %d\n" , ret, enc_len); + test_rc = ret; goto test_pkcs1_end; } @@ -1619,6 +1641,7 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits, n_diff = memcmp(dec, enc, enc_len); if (n_diff) { pr_err("error: decrypt doesn't match plain: %d\n", n_diff); + test_rc = BAD_FUNC_ARG; goto test_pkcs1_end; } @@ -1631,6 +1654,10 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits, pr_err("error: allocating akcipher algorithm %s failed: %ld\n", driver, PTR_ERR(tfm)); tfm = NULL; + if (PTR_ERR(tfm) == -ENOMEM) + test_rc = MEMORY_E; + else + test_rc = BAD_FUNC_ARG; goto test_pkcs1_end; } @@ -1639,6 +1666,10 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits, pr_err("error: allocating akcipher request %s failed\n", driver); req = NULL; + if (PTR_ERR(req) == -ENOMEM) + test_rc = MEMORY_E; + else + test_rc = BAD_FUNC_ARG; goto test_pkcs1_end; } @@ -1649,6 +1680,7 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits, ret = crypto_akcipher_set_priv_key(tfm, priv, priv_len); if (ret) { pr_err("error: crypto_akcipher_set_priv_key returned: %d\n", ret); + test_rc = BAD_FUNC_ARG; goto test_pkcs1_end; } @@ -1657,6 +1689,7 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits, if (maxsize != key_len) { pr_err("error: crypto_akcipher_maxsize " "returned %d, expected %d\n", maxsize, key_len); + test_rc = BAD_FUNC_ARG; goto test_pkcs1_end; } } @@ -1670,6 +1703,7 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits, ret = crypto_akcipher_sign(req); if (ret) { pr_err("error: crypto_akcipher_sign returned: %d\n", ret); + test_rc = BAD_FUNC_ARG; goto test_pkcs1_end; } @@ -1677,6 +1711,7 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits, ret = crypto_akcipher_set_pub_key(tfm, pub + 24, pub_len - 24); if (ret) { pr_err("error: crypto_akcipher_set_pub_key returned: %d\n", ret); + test_rc = BAD_FUNC_ARG; goto test_pkcs1_end; } @@ -1685,17 +1720,19 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits, if (maxsize != key_len) { pr_err("error: crypto_akcipher_maxsize " "returned %d, expected %d\n", maxsize, key_len); + test_rc = BAD_FUNC_ARG; goto test_pkcs1_end; } } - /** + /* * Set sig as src, and null as dst. * src_tab is: * src_tab[0]: signature * src_tab[1]: message (digest) * - * src_len is sig size plus digest size. */ + * src_len is sig size plus digest size. + */ sg_init_table(src_tab, 2); sg_set_buf(&src_tab[0], km_sig, key_len); sg_set_buf(&src_tab[1], hash, hash_len); @@ -1706,6 +1743,7 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits, ret = crypto_akcipher_verify(req); if (ret) { pr_err("error: crypto_akcipher_verify returned: %d\n", ret); + test_rc = BAD_FUNC_ARG; goto test_pkcs1_end; } @@ -1713,12 +1751,14 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits, ret = wc_RsaSSL_Verify(km_sig, key_len, dec, key_len, key); if (ret <= 0) { pr_err("error: wc_RsaSSL_Verify returned: %d\n", ret); + test_rc = ret; goto test_pkcs1_end; } n_diff = memcmp(km_sig, sig, sig_len); if (n_diff) { pr_err("error: km-sig doesn't match sig: %d\n", n_diff); + test_rc = BAD_FUNC_ARG; goto test_pkcs1_end; } @@ -1726,13 +1766,14 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits, n_diff = memcmp(dec, enc, enc_len); if (n_diff) { pr_err("error: decrypt doesn't match plain: %d\n", n_diff); + test_rc = BAD_FUNC_ARG; goto test_pkcs1_end; } #endif /* !LINUXKM_AKCIPHER_NO_SIGNVERIFY */ - /** + /* * pkcs1 encrypt and ecrypt test - * */ + */ memset(enc, 0, key_len); memset(enc2, 0, key_len); memset(dec, 0, key_len); @@ -1750,12 +1791,14 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits, ret = crypto_akcipher_set_pub_key(tfm, pub + 24, pub_len - 24); if (ret) { pr_err("error: crypto_akcipher_set_pub_key returned: %d\n", ret); + test_rc = BAD_FUNC_ARG; goto test_pkcs1_end; } ret = crypto_akcipher_encrypt(req); if (ret) { pr_err("error: crypto_akcipher_encrypt returned: %d\n", ret); + test_rc = BAD_FUNC_ARG; goto test_pkcs1_end; } @@ -1764,6 +1807,7 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits, if (unlikely(ret != (int) key_len)) { pr_err("error: wc_RsaPublicEncrypt returned: %d\n", ret); + test_rc = ret; goto test_pkcs1_end; } @@ -1778,12 +1822,14 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits, ret = crypto_akcipher_set_priv_key(tfm, priv, priv_len); if (ret) { pr_err("error: crypto_akcipher_set_priv_key returned: %d\n", ret); + test_rc = BAD_FUNC_ARG; goto test_pkcs1_end; } ret = crypto_akcipher_decrypt(req); if (ret) { pr_err("error: crypto_akcipher_decrypt returned: %d\n", ret); + test_rc = BAD_FUNC_ARG; goto test_pkcs1_end; } @@ -1791,18 +1837,21 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits, sizeof(p_vector), key); if (ret != (int) sizeof(p_vector)) { pr_err("error: wc_RsaPrivateDecrypt returned: %d\n", ret); + test_rc = ret; goto test_pkcs1_end; } n_diff = memcmp(dec, dec2, sizeof(p_vector)); if (n_diff) { pr_err("error: decrypt don't match: %d\n", n_diff); + test_rc = BAD_FUNC_ARG; goto test_pkcs1_end; } n_diff = memcmp(dec, p_vector, sizeof(p_vector)); if (n_diff) { pr_err("error: decrypt doesn't match plaintext: %d\n", n_diff); + test_rc = BAD_FUNC_ARG; goto test_pkcs1_end; } diff --git a/linuxkm/lkcapi_sha_glue.c b/linuxkm/lkcapi_sha_glue.c index a785495e1..6c5da4f0a 100644 --- a/linuxkm/lkcapi_sha_glue.c +++ b/linuxkm/lkcapi_sha_glue.c @@ -435,7 +435,7 @@ static int linuxkm_test_ ## name(void) { \ else { \ wc_test_render_error_message("linuxkm_test_" #name " failed: ", \ ret); \ - return -EINVAL; \ + return WC_TEST_RET_DEC_EC(ret); \ } \ } \ \ @@ -537,7 +537,7 @@ static int linuxkm_test_ ## name(void) { \ else { \ wc_test_render_error_message("linuxkm_test_" #name " failed: ", \ ret); \ - return -EINVAL; \ + return WC_TEST_RET_DEC_EC(ret); \ } \ } \ \ @@ -620,9 +620,10 @@ WC_MAYBE_UNUSED static int linuxkm_hmac_setkey_common(struct crypto_shash *tfm, struct km_sha_hmac_pstate *p_ctx = (struct km_sha_hmac_pstate *)crypto_shash_ctx(tfm); int ret; -#ifdef HAVE_FIPS +#if defined(HAVE_FIPS) && (FIPS_VERSION3_LT(6, 0, 0) || defined(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS) || (LINUX_VERSION_CODE >= KERNEL_VERSION(6, 0, 0))) ret = wc_HmacSetKey(&p_ctx->wc_hmac, type, key, length); #else + /* kernel 5.10.x crypto manager expects FIPS-undersized keys to succeed. */ ret = wc_HmacSetKey_ex(&p_ctx->wc_hmac, type, key, length, 1 /* allowFlag */); #endif @@ -768,7 +769,7 @@ static int linuxkm_test_ ## name(void) { \ else { \ wc_test_render_error_message("linuxkm_test_" #name " failed: ", \ ret); \ - return -EINVAL; \ + return WC_TEST_RET_DEC_EC(ret); \ } \ } \ \ @@ -878,8 +879,6 @@ static int wc_linuxkm_drbg_generate(struct crypto_rng *tfm, struct wc_linuxkm_drbg_ctx *ctx = (struct wc_linuxkm_drbg_ctx *)crypto_rng_ctx(tfm); int ret; - (void)tfm; - wc_LockMutex(&ctx->lock); if (slen > 0) { @@ -907,8 +906,6 @@ static int wc_linuxkm_drbg_seed(struct crypto_rng *tfm, struct wc_linuxkm_drbg_ctx *ctx = (struct wc_linuxkm_drbg_ctx *)crypto_rng_ctx(tfm); int ret; - (void)tfm; - if (slen == 0) return 0; @@ -944,7 +941,8 @@ static struct rng_alg wc_linuxkm_drbg = { static int wc_linuxkm_drbg_loaded = 0; static int wc_linuxkm_drbg_default_instance_registered = 0; -WC_MAYBE_UNUSED static int wc_linuxkm_drbg_startup(void) { +WC_MAYBE_UNUSED static int wc_linuxkm_drbg_startup(void) +{ int ret; int cur_refcnt; @@ -967,6 +965,74 @@ WC_MAYBE_UNUSED static int wc_linuxkm_drbg_startup(void) { return ret; } + { + struct crypto_rng *tfm = crypto_alloc_rng(wc_linuxkm_drbg.base.cra_name, 0, 0); + if (IS_ERR(tfm)) { + pr_err("error: allocating rng algorithm %s failed: %ld\n", + wc_linuxkm_drbg.base.cra_name, PTR_ERR(tfm)); + ret = PTR_ERR(tfm); + tfm = NULL; + } + else + ret = 0; +#ifndef LINUXKM_LKCAPI_PRIORITY_ALLOW_MASKING + if (! ret) { + const char *actual_driver_name = crypto_tfm_alg_driver_name(crypto_rng_tfm(tfm)); + if (strcmp(actual_driver_name, wc_linuxkm_drbg.base.cra_driver_name)) { + pr_err("error: unexpected implementation for %s: %s (expected %s)\n", + wc_linuxkm_drbg.base.cra_name, + actual_driver_name, + wc_linuxkm_drbg.base.cra_driver_name); + ret = -ENOENT; + } + } +#endif + + if (! ret) { + u8 buf1[16], buf2[16]; + int i; + + memset(buf1, 0, sizeof buf1); + memset(buf2, 0, sizeof buf2); + + ret = crypto_rng_generate(tfm, NULL, 0, buf1, (unsigned int)sizeof buf1); + if (! ret) + ret = crypto_rng_generate(tfm, buf1, (unsigned int)sizeof buf1, buf2, (unsigned int)sizeof buf2); + if (! ret) { + if (memcmp(buf1, buf2, sizeof buf1) == 0) + ret = -EBADMSG; + } + + if (! ret) { + /* There's a 94% chance that 16 random bytes will all be nonzero, + * or a 6% chance that at least one of them will be zero. + * Iterate up to 20 times to push that 6% chance to 5E-25, + * an effective certainty on a functioning PRNG. + */ + for (i = 0; i < 20; ++i) { + if (! memchr(buf1, 0, sizeof buf1)) { + ret = 0; + break; + } + ret = crypto_rng_generate(tfm, buf1, (unsigned int)sizeof buf1, buf2, (unsigned int)sizeof buf2); + if (ret) + break; + ret = -EBADMSG; + + } + } + } + + if (tfm) + crypto_free_rng(tfm); + + if (ret) { + crypto_unregister_rng(&wc_linuxkm_drbg); + return ret; + } + + } + wc_linuxkm_drbg_loaded = 1; WOLFKM_INSTALL_NOTICE(wc_linuxkm_drbg); diff --git a/linuxkm/module_hooks.c b/linuxkm/module_hooks.c index 69d626926..ebb7340db 100644 --- a/linuxkm/module_hooks.c +++ b/linuxkm/module_hooks.c @@ -45,6 +45,22 @@ #include #include +#ifdef WOLFSSL_DEBUG_TRACE_ERROR_CODES + enum linux_errcodes { + my_EINVAL = EINVAL, + my_ENOMEM = ENOMEM, + my_EBADMSG = EBADMSG + }; + + #undef EINVAL + #undef ENOMEM + #undef EBADMSG + + #define EINVAL WC_ERR_TRACE(my_EINVAL) + #define ENOMEM WC_ERR_TRACE(my_ENOMEM) + #define EBADMSG WC_ERR_TRACE(my_EBADMSG) +#endif + static int libwolfssl_cleanup(void) { int ret; #ifdef WOLFCRYPT_ONLY @@ -117,6 +133,37 @@ static int updateFipsHash(void); extern int wolfcrypt_benchmark_main(int argc, char** argv); #endif /* WOLFSSL_LINUXKM_BENCHMARKS */ +WC_MAYBE_UNUSED static int linuxkm_lkcapi_sysfs_install_node(struct kobj_attribute *node, int *installed_flag) +{ + if ((installed_flag == NULL) || (! *installed_flag)) { + int ret = sysfs_create_file(&THIS_MODULE->mkobj.kobj, &node->attr); + if (ret) { + pr_err("sysfs_create_file failed for %s: %d\n", node->attr.name, ret); + return ret; + } + if (installed_flag) + *installed_flag = 1; + } + return 0; +} + +WC_MAYBE_UNUSED static int linuxkm_lkcapi_sysfs_deinstall_node(struct kobj_attribute *node, int *installed_flag) +{ + if ((installed_flag == NULL) || *installed_flag) { + sysfs_remove_file(&THIS_MODULE->mkobj.kobj, &node->attr); + if (installed_flag) + *installed_flag = 0; + } + return 0; +} + +#ifdef HAVE_FIPS + static ssize_t FIPS_rerun_self_test_handler(struct kobject *kobj, struct kobj_attribute *attr, + const char *buf, size_t count); + static struct kobj_attribute FIPS_rerun_self_test_attr = __ATTR(FIPS_rerun_self_test, 0220, NULL, FIPS_rerun_self_test_handler); + static int installed_sysfs_FIPS_files = 0; +#endif + #ifdef LINUXKM_LKCAPI_REGISTER #include "linuxkm/lkcapi_glue.c" #endif @@ -338,6 +385,10 @@ static int wolfssl_init(void) #endif /* !LINUXKM_LKCAPI_REGISTER_ONLY_ON_COMMAND */ #endif /* LINUXKM_LKCAPI_REGISTER */ +#ifdef HAVE_FIPS + (void)linuxkm_lkcapi_sysfs_install_node(&FIPS_rerun_self_test_attr, &installed_sysfs_FIPS_files); +#endif + #ifdef WOLFSSL_LINUXKM_BENCHMARKS wolfcrypt_benchmark_main(0, (char**)NULL); #endif @@ -375,6 +426,10 @@ static void __exit wolfssl_exit(void) static void wolfssl_exit(void) #endif { +#ifdef HAVE_FIPS + (void)linuxkm_lkcapi_sysfs_deinstall_node(&FIPS_rerun_self_test_attr, &installed_sysfs_FIPS_files); +#endif + #ifdef LINUXKM_LKCAPI_REGISTER (void)linuxkm_lkcapi_unregister(); (void)linuxkm_lkcapi_sysfs_deinstall(); @@ -852,3 +907,47 @@ static int updateFipsHash(void) } #endif /* WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE */ + +#ifdef HAVE_FIPS + +static ssize_t FIPS_rerun_self_test_handler(struct kobject *kobj, struct kobj_attribute *attr, + const char *buf, size_t count) +{ + int arg; + int ret; + + (void)kobj; + (void)attr; + + if (kstrtoint(buf, 10, &arg) || arg != 1) + return -EINVAL; + + pr_info("wolfCrypt: rerunning FIPS self-test on command."); + + ret = wolfCrypt_IntegrityTest_fips(); + if (ret != 0) { + pr_err("wolfCrypt_IntegrityTest_fips: error %d", ret); + return -EINVAL; + } + + ret = wolfCrypt_GetStatus_fips(); + if (ret != 0) { + pr_err("wolfCrypt_GetStatus_fips() failed with code %d: %s\n", ret, wc_GetErrorString(ret)); + if (ret == WC_NO_ERR_TRACE(IN_CORE_FIPS_E)) + return -ELIBBAD; + else + return -EINVAL; + } + + ret = wc_RunAllCast_fips(); + if (ret != 0) { + pr_err("wc_RunAllCast_fips() failed with return value %d\n", ret); + return -EINVAL; + } + + pr_info("wolfCrypt FIPS re-self-test succeeded: all algorithms verified and available."); + + return count; +} + +#endif /* HAVE_FIPS */ diff --git a/linuxkm/x86_vector_register_glue.c b/linuxkm/x86_vector_register_glue.c index 2f0618de5..f33587d45 100644 --- a/linuxkm/x86_vector_register_glue.c +++ b/linuxkm/x86_vector_register_glue.c @@ -420,15 +420,33 @@ WARN_UNUSED_RESULT int can_save_vector_registers_x86(void) } } - if (irq_fpu_usable()) +#if defined(TIF_NEED_FPU_LOAD) && \ + (LINUX_VERSION_CODE < KERNEL_VERSION(5, 17, 0)) && \ + ! ((LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 180)) && \ + (LINUX_VERSION_CODE < KERNEL_VERSION(5, 11, 0))) && \ + ! ((LINUX_VERSION_CODE >= KERNEL_VERSION(5, 15, 39)) && \ + (LINUX_VERSION_CODE < KERNEL_VERSION(5, 16, 0))) + /* Work around a kernel bug -- see linux commit 59f5ede3bc0f0. + * irq_fpu_usable() on these older kernels can incorrectly return true, + * leading to an impermissible recursive kernel_fpu_begin() that + * corrupts the register state. What we really want here is + * this_cpu_read(in_kernel_fpu), but in_kernel_fpu is an unexported + * static array. + */ + if (irq_fpu_usable() && !test_thread_flag(TIF_NEED_FPU_LOAD)) return 1; else if (in_nmi() || (hardirq_count() > 0) || (softirq_count() > 0)) return 0; -#ifdef TIF_NEED_FPU_LOAD else if (test_thread_flag(TIF_NEED_FPU_LOAD)) return 1; + else + return 0; +#else + if (irq_fpu_usable()) + return 1; + else + return 0; #endif - return 0; } WARN_UNUSED_RESULT int save_vector_registers_x86(void) @@ -463,15 +481,29 @@ WARN_UNUSED_RESULT int save_vector_registers_x86(void) } if (irq_fpu_usable() -#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 17, 0)) && defined(TIF_NEED_FPU_LOAD) - /* work around a kernel bug -- see linux commit 59f5ede3bc0f0. - * what we really want here is this_cpu_read(in_kernel_fpu), but - * in_kernel_fpu is an unexported static array. +#if defined(TIF_NEED_FPU_LOAD) && \ + (LINUX_VERSION_CODE < KERNEL_VERSION(5, 17, 0)) && \ + ! ((LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 180)) && \ + (LINUX_VERSION_CODE < KERNEL_VERSION(5, 11, 0))) && \ + ! ((LINUX_VERSION_CODE >= KERNEL_VERSION(5, 15, 39)) && \ + (LINUX_VERSION_CODE < KERNEL_VERSION(5, 16, 0))) + /* Work around a kernel bug -- see linux commit 59f5ede3bc0f0. + * irq_fpu_usable() on these older kernels can incorrectly return true, + * leading to an impermissible recursive kernel_fpu_begin() that + * corrupts the register state. What we really want here is + * this_cpu_read(in_kernel_fpu), but in_kernel_fpu is an unexported + * static array. */ && !test_thread_flag(TIF_NEED_FPU_LOAD) #endif ) { + /* note there is a bug in kernel <5.17.0 and <5.10.180 -- see linux + * commit 59f5ede3bc0f0 -- such that irq_fpu_usable() can incorrectly + * return true, leading to an impermissible recursive kernel_fpu_begin() + * that corrupts the register state. + */ + #ifdef WOLFSSL_COMMERCIAL_LICENSE struct fpstate *fpstate = wc_linuxkm_fpstate_buf_from_fpu_state(pstate); fpregs_lock(); @@ -511,18 +543,14 @@ WARN_UNUSED_RESULT int save_vector_registers_x86(void) wc_linuxkm_fpu_state_release(pstate); #endif return BAD_STATE_E; -#ifdef TIF_NEED_FPU_LOAD - } else if (!test_thread_flag(TIF_NEED_FPU_LOAD)) { - static int warned_fpu_forbidden = 0; - if (! warned_fpu_forbidden) - pr_err("save_vector_registers_x86 called with !irq_fpu_usable from" - " thread without previous FPU save.\n"); -#ifdef LINUXKM_FPU_STATES_FOLLOW_THREADS - wc_linuxkm_fpu_state_release(pstate); -#endif - return BAD_STATE_E; -#endif - } else { + } +#if defined(TIF_NEED_FPU_LOAD) && \ + (LINUX_VERSION_CODE < KERNEL_VERSION(5, 17, 0)) && \ + ! ((LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 180)) && \ + (LINUX_VERSION_CODE < KERNEL_VERSION(5, 11, 0))) && \ + ! ((LINUX_VERSION_CODE >= KERNEL_VERSION(5, 15, 39)) && \ + (LINUX_VERSION_CODE < KERNEL_VERSION(5, 16, 0))) + else if (test_thread_flag(TIF_NEED_FPU_LOAD)) { /* assume already safely in_kernel_fpu from caller, but recursively * preempt_disable() to be extra-safe. */ @@ -548,6 +576,19 @@ WARN_UNUSED_RESULT int save_vector_registers_x86(void) pstate->fpu_state = WC_FPU_SAVED_MASK + 1U; } +#endif /* TIF_NEED_FPU_LOAD && <5.17.0 && !5.10.180+ */ + else { + static int warned_fpu_forbidden = 0; + if (! warned_fpu_forbidden) { + pr_err("save_vector_registers_x86 called with !irq_fpu_usable from" + " thread without previous FPU save.\n"); + warned_fpu_forbidden = 1; + } +#ifdef LINUXKM_FPU_STATES_FOLLOW_THREADS + wc_linuxkm_fpu_state_release(pstate); +#endif + return BAD_STATE_E; + } return 0; }