xref: /linux/crypto/testmgr.c (revision 2c1ed907520c50326b8f604907a8478b27881a2e)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Algorithm testing framework and tests.
4  *
5  * Copyright (c) 2002 James Morris <jmorris@intercode.com.au>
6  * Copyright (c) 2002 Jean-Francois Dive <jef@linuxbe.org>
7  * Copyright (c) 2007 Nokia Siemens Networks
8  * Copyright (c) 2008 Herbert Xu <herbert@gondor.apana.org.au>
9  * Copyright (c) 2019 Google LLC
10  *
11  * Updated RFC4106 AES-GCM testing.
12  *    Authors: Aidan O'Mahony (aidan.o.mahony@intel.com)
13  *             Adrian Hoban <adrian.hoban@intel.com>
14  *             Gabriele Paoloni <gabriele.paoloni@intel.com>
15  *             Tadeusz Struk (tadeusz.struk@intel.com)
16  *    Copyright (c) 2010, Intel Corporation.
17  */
18 
19 #include <crypto/aead.h>
20 #include <crypto/hash.h>
21 #include <crypto/skcipher.h>
22 #include <linux/err.h>
23 #include <linux/fips.h>
24 #include <linux/module.h>
25 #include <linux/once.h>
26 #include <linux/prandom.h>
27 #include <linux/scatterlist.h>
28 #include <linux/slab.h>
29 #include <linux/string.h>
30 #include <linux/uio.h>
31 #include <crypto/rng.h>
32 #include <crypto/drbg.h>
33 #include <crypto/akcipher.h>
34 #include <crypto/kpp.h>
35 #include <crypto/acompress.h>
36 #include <crypto/sig.h>
37 #include <crypto/internal/cipher.h>
38 #include <crypto/internal/simd.h>
39 
40 #include "internal.h"
41 
42 MODULE_IMPORT_NS("CRYPTO_INTERNAL");
43 
44 static bool notests;
45 module_param(notests, bool, 0644);
46 MODULE_PARM_DESC(notests, "disable crypto self-tests");
47 
48 static bool panic_on_fail;
49 module_param(panic_on_fail, bool, 0444);
50 
51 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
52 static bool noextratests;
53 module_param(noextratests, bool, 0644);
54 MODULE_PARM_DESC(noextratests, "disable expensive crypto self-tests");
55 
56 static unsigned int fuzz_iterations = 100;
57 module_param(fuzz_iterations, uint, 0644);
58 MODULE_PARM_DESC(fuzz_iterations, "number of fuzz test iterations");
59 #endif
60 
61 #ifdef CONFIG_CRYPTO_MANAGER_DISABLE_TESTS
62 
63 /* a perfect nop */
alg_test(const char * driver,const char * alg,u32 type,u32 mask)64 int alg_test(const char *driver, const char *alg, u32 type, u32 mask)
65 {
66 	return 0;
67 }
68 
69 #else
70 
71 #include "testmgr.h"
72 
73 /*
74  * Need slab memory for testing (size in number of pages).
75  */
76 #define XBUFSIZE	8
77 
78 /*
79 * Used by test_cipher()
80 */
81 #define ENCRYPT 1
82 #define DECRYPT 0
83 
84 struct aead_test_suite {
85 	const struct aead_testvec *vecs;
86 	unsigned int count;
87 
88 	/*
89 	 * Set if trying to decrypt an inauthentic ciphertext with this
90 	 * algorithm might result in EINVAL rather than EBADMSG, due to other
91 	 * validation the algorithm does on the inputs such as length checks.
92 	 */
93 	unsigned int einval_allowed : 1;
94 
95 	/*
96 	 * Set if this algorithm requires that the IV be located at the end of
97 	 * the AAD buffer, in addition to being given in the normal way.  The
98 	 * behavior when the two IV copies differ is implementation-defined.
99 	 */
100 	unsigned int aad_iv : 1;
101 };
102 
103 struct cipher_test_suite {
104 	const struct cipher_testvec *vecs;
105 	unsigned int count;
106 };
107 
108 struct comp_test_suite {
109 	struct {
110 		const struct comp_testvec *vecs;
111 		unsigned int count;
112 	} comp, decomp;
113 };
114 
115 struct hash_test_suite {
116 	const struct hash_testvec *vecs;
117 	unsigned int count;
118 };
119 
120 struct cprng_test_suite {
121 	const struct cprng_testvec *vecs;
122 	unsigned int count;
123 };
124 
125 struct drbg_test_suite {
126 	const struct drbg_testvec *vecs;
127 	unsigned int count;
128 };
129 
130 struct akcipher_test_suite {
131 	const struct akcipher_testvec *vecs;
132 	unsigned int count;
133 };
134 
135 struct sig_test_suite {
136 	const struct sig_testvec *vecs;
137 	unsigned int count;
138 };
139 
140 struct kpp_test_suite {
141 	const struct kpp_testvec *vecs;
142 	unsigned int count;
143 };
144 
145 struct alg_test_desc {
146 	const char *alg;
147 	const char *generic_driver;
148 	int (*test)(const struct alg_test_desc *desc, const char *driver,
149 		    u32 type, u32 mask);
150 	int fips_allowed;	/* set if alg is allowed in fips mode */
151 
152 	union {
153 		struct aead_test_suite aead;
154 		struct cipher_test_suite cipher;
155 		struct comp_test_suite comp;
156 		struct hash_test_suite hash;
157 		struct cprng_test_suite cprng;
158 		struct drbg_test_suite drbg;
159 		struct akcipher_test_suite akcipher;
160 		struct sig_test_suite sig;
161 		struct kpp_test_suite kpp;
162 	} suite;
163 };
164 
hexdump(unsigned char * buf,unsigned int len)165 static void hexdump(unsigned char *buf, unsigned int len)
166 {
167 	print_hex_dump(KERN_CONT, "", DUMP_PREFIX_OFFSET,
168 			16, 1,
169 			buf, len, false);
170 }
171 
__testmgr_alloc_buf(char * buf[XBUFSIZE],int order)172 static int __testmgr_alloc_buf(char *buf[XBUFSIZE], int order)
173 {
174 	int i;
175 
176 	for (i = 0; i < XBUFSIZE; i++) {
177 		buf[i] = (char *)__get_free_pages(GFP_KERNEL, order);
178 		if (!buf[i])
179 			goto err_free_buf;
180 	}
181 
182 	return 0;
183 
184 err_free_buf:
185 	while (i-- > 0)
186 		free_pages((unsigned long)buf[i], order);
187 
188 	return -ENOMEM;
189 }
190 
testmgr_alloc_buf(char * buf[XBUFSIZE])191 static int testmgr_alloc_buf(char *buf[XBUFSIZE])
192 {
193 	return __testmgr_alloc_buf(buf, 0);
194 }
195 
__testmgr_free_buf(char * buf[XBUFSIZE],int order)196 static void __testmgr_free_buf(char *buf[XBUFSIZE], int order)
197 {
198 	int i;
199 
200 	for (i = 0; i < XBUFSIZE; i++)
201 		free_pages((unsigned long)buf[i], order);
202 }
203 
testmgr_free_buf(char * buf[XBUFSIZE])204 static void testmgr_free_buf(char *buf[XBUFSIZE])
205 {
206 	__testmgr_free_buf(buf, 0);
207 }
208 
209 #define TESTMGR_POISON_BYTE	0xfe
210 #define TESTMGR_POISON_LEN	16
211 
testmgr_poison(void * addr,size_t len)212 static inline void testmgr_poison(void *addr, size_t len)
213 {
214 	memset(addr, TESTMGR_POISON_BYTE, len);
215 }
216 
217 /* Is the memory region still fully poisoned? */
testmgr_is_poison(const void * addr,size_t len)218 static inline bool testmgr_is_poison(const void *addr, size_t len)
219 {
220 	return memchr_inv(addr, TESTMGR_POISON_BYTE, len) == NULL;
221 }
222 
223 /* flush type for hash algorithms */
224 enum flush_type {
225 	/* merge with update of previous buffer(s) */
226 	FLUSH_TYPE_NONE = 0,
227 
228 	/* update with previous buffer(s) before doing this one */
229 	FLUSH_TYPE_FLUSH,
230 
231 	/* likewise, but also export and re-import the intermediate state */
232 	FLUSH_TYPE_REIMPORT,
233 };
234 
235 /* finalization function for hash algorithms */
236 enum finalization_type {
237 	FINALIZATION_TYPE_FINAL,	/* use final() */
238 	FINALIZATION_TYPE_FINUP,	/* use finup() */
239 	FINALIZATION_TYPE_DIGEST,	/* use digest() */
240 };
241 
242 /*
243  * Whether the crypto operation will occur in-place, and if so whether the
244  * source and destination scatterlist pointers will coincide (req->src ==
245  * req->dst), or whether they'll merely point to two separate scatterlists
246  * (req->src != req->dst) that reference the same underlying memory.
247  *
248  * This is only relevant for algorithm types that support in-place operation.
249  */
250 enum inplace_mode {
251 	OUT_OF_PLACE,
252 	INPLACE_ONE_SGLIST,
253 	INPLACE_TWO_SGLISTS,
254 };
255 
256 #define TEST_SG_TOTAL	10000
257 
258 /**
259  * struct test_sg_division - description of a scatterlist entry
260  *
261  * This struct describes one entry of a scatterlist being constructed to check a
262  * crypto test vector.
263  *
264  * @proportion_of_total: length of this chunk relative to the total length,
265  *			 given as a proportion out of TEST_SG_TOTAL so that it
266  *			 scales to fit any test vector
267  * @offset: byte offset into a 2-page buffer at which this chunk will start
268  * @offset_relative_to_alignmask: if true, add the algorithm's alignmask to the
269  *				  @offset
270  * @flush_type: for hashes, whether an update() should be done now vs.
271  *		continuing to accumulate data
272  * @nosimd: if doing the pending update(), do it with SIMD disabled?
273  */
274 struct test_sg_division {
275 	unsigned int proportion_of_total;
276 	unsigned int offset;
277 	bool offset_relative_to_alignmask;
278 	enum flush_type flush_type;
279 	bool nosimd;
280 };
281 
282 /**
283  * struct testvec_config - configuration for testing a crypto test vector
284  *
285  * This struct describes the data layout and other parameters with which each
286  * crypto test vector can be tested.
287  *
288  * @name: name of this config, logged for debugging purposes if a test fails
289  * @inplace_mode: whether and how to operate on the data in-place, if applicable
290  * @req_flags: extra request_flags, e.g. CRYPTO_TFM_REQ_MAY_SLEEP
291  * @src_divs: description of how to arrange the source scatterlist
292  * @dst_divs: description of how to arrange the dst scatterlist, if applicable
293  *	      for the algorithm type.  Defaults to @src_divs if unset.
294  * @iv_offset: misalignment of the IV in the range [0..MAX_ALGAPI_ALIGNMASK+1],
295  *	       where 0 is aligned to a 2*(MAX_ALGAPI_ALIGNMASK+1) byte boundary
296  * @iv_offset_relative_to_alignmask: if true, add the algorithm's alignmask to
297  *				     the @iv_offset
298  * @key_offset: misalignment of the key, where 0 is default alignment
299  * @key_offset_relative_to_alignmask: if true, add the algorithm's alignmask to
300  *				      the @key_offset
301  * @finalization_type: what finalization function to use for hashes
302  * @nosimd: execute with SIMD disabled?  Requires !CRYPTO_TFM_REQ_MAY_SLEEP.
303  *	    This applies to the parts of the operation that aren't controlled
304  *	    individually by @nosimd_setkey or @src_divs[].nosimd.
305  * @nosimd_setkey: set the key (if applicable) with SIMD disabled?  Requires
306  *		   !CRYPTO_TFM_REQ_MAY_SLEEP.
307  */
308 struct testvec_config {
309 	const char *name;
310 	enum inplace_mode inplace_mode;
311 	u32 req_flags;
312 	struct test_sg_division src_divs[XBUFSIZE];
313 	struct test_sg_division dst_divs[XBUFSIZE];
314 	unsigned int iv_offset;
315 	unsigned int key_offset;
316 	bool iv_offset_relative_to_alignmask;
317 	bool key_offset_relative_to_alignmask;
318 	enum finalization_type finalization_type;
319 	bool nosimd;
320 	bool nosimd_setkey;
321 };
322 
323 #define TESTVEC_CONFIG_NAMELEN	192
324 
325 /*
326  * The following are the lists of testvec_configs to test for each algorithm
327  * type when the basic crypto self-tests are enabled, i.e. when
328  * CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is unset.  They aim to provide good test
329  * coverage, while keeping the test time much shorter than the full fuzz tests
330  * so that the basic tests can be enabled in a wider range of circumstances.
331  */
332 
333 /* Configs for skciphers and aeads */
334 static const struct testvec_config default_cipher_testvec_configs[] = {
335 	{
336 		.name = "in-place (one sglist)",
337 		.inplace_mode = INPLACE_ONE_SGLIST,
338 		.src_divs = { { .proportion_of_total = 10000 } },
339 	}, {
340 		.name = "in-place (two sglists)",
341 		.inplace_mode = INPLACE_TWO_SGLISTS,
342 		.src_divs = { { .proportion_of_total = 10000 } },
343 	}, {
344 		.name = "out-of-place",
345 		.inplace_mode = OUT_OF_PLACE,
346 		.src_divs = { { .proportion_of_total = 10000 } },
347 	}, {
348 		.name = "unaligned buffer, offset=1",
349 		.src_divs = { { .proportion_of_total = 10000, .offset = 1 } },
350 		.iv_offset = 1,
351 		.key_offset = 1,
352 	}, {
353 		.name = "buffer aligned only to alignmask",
354 		.src_divs = {
355 			{
356 				.proportion_of_total = 10000,
357 				.offset = 1,
358 				.offset_relative_to_alignmask = true,
359 			},
360 		},
361 		.iv_offset = 1,
362 		.iv_offset_relative_to_alignmask = true,
363 		.key_offset = 1,
364 		.key_offset_relative_to_alignmask = true,
365 	}, {
366 		.name = "two even aligned splits",
367 		.src_divs = {
368 			{ .proportion_of_total = 5000 },
369 			{ .proportion_of_total = 5000 },
370 		},
371 	}, {
372 		.name = "one src, two even splits dst",
373 		.inplace_mode = OUT_OF_PLACE,
374 		.src_divs = { { .proportion_of_total = 10000 } },
375 		.dst_divs = {
376 			{ .proportion_of_total = 5000 },
377 			{ .proportion_of_total = 5000 },
378 		 },
379 	}, {
380 		.name = "uneven misaligned splits, may sleep",
381 		.req_flags = CRYPTO_TFM_REQ_MAY_SLEEP,
382 		.src_divs = {
383 			{ .proportion_of_total = 1900, .offset = 33 },
384 			{ .proportion_of_total = 3300, .offset = 7  },
385 			{ .proportion_of_total = 4800, .offset = 18 },
386 		},
387 		.iv_offset = 3,
388 		.key_offset = 3,
389 	}, {
390 		.name = "misaligned splits crossing pages, inplace",
391 		.inplace_mode = INPLACE_ONE_SGLIST,
392 		.src_divs = {
393 			{
394 				.proportion_of_total = 7500,
395 				.offset = PAGE_SIZE - 32
396 			}, {
397 				.proportion_of_total = 2500,
398 				.offset = PAGE_SIZE - 7
399 			},
400 		},
401 	}
402 };
403 
404 static const struct testvec_config default_hash_testvec_configs[] = {
405 	{
406 		.name = "init+update+final aligned buffer",
407 		.src_divs = { { .proportion_of_total = 10000 } },
408 		.finalization_type = FINALIZATION_TYPE_FINAL,
409 	}, {
410 		.name = "init+finup aligned buffer",
411 		.src_divs = { { .proportion_of_total = 10000 } },
412 		.finalization_type = FINALIZATION_TYPE_FINUP,
413 	}, {
414 		.name = "digest aligned buffer",
415 		.src_divs = { { .proportion_of_total = 10000 } },
416 		.finalization_type = FINALIZATION_TYPE_DIGEST,
417 	}, {
418 		.name = "init+update+final misaligned buffer",
419 		.src_divs = { { .proportion_of_total = 10000, .offset = 1 } },
420 		.finalization_type = FINALIZATION_TYPE_FINAL,
421 		.key_offset = 1,
422 	}, {
423 		.name = "digest misaligned buffer",
424 		.src_divs = {
425 			{
426 				.proportion_of_total = 10000,
427 				.offset = 1,
428 			},
429 		},
430 		.finalization_type = FINALIZATION_TYPE_DIGEST,
431 		.key_offset = 1,
432 	}, {
433 		.name = "init+update+update+final two even splits",
434 		.src_divs = {
435 			{ .proportion_of_total = 5000 },
436 			{
437 				.proportion_of_total = 5000,
438 				.flush_type = FLUSH_TYPE_FLUSH,
439 			},
440 		},
441 		.finalization_type = FINALIZATION_TYPE_FINAL,
442 	}, {
443 		.name = "digest uneven misaligned splits, may sleep",
444 		.req_flags = CRYPTO_TFM_REQ_MAY_SLEEP,
445 		.src_divs = {
446 			{ .proportion_of_total = 1900, .offset = 33 },
447 			{ .proportion_of_total = 3300, .offset = 7  },
448 			{ .proportion_of_total = 4800, .offset = 18 },
449 		},
450 		.finalization_type = FINALIZATION_TYPE_DIGEST,
451 	}, {
452 		.name = "digest misaligned splits crossing pages",
453 		.src_divs = {
454 			{
455 				.proportion_of_total = 7500,
456 				.offset = PAGE_SIZE - 32,
457 			}, {
458 				.proportion_of_total = 2500,
459 				.offset = PAGE_SIZE - 7,
460 			},
461 		},
462 		.finalization_type = FINALIZATION_TYPE_DIGEST,
463 	}, {
464 		.name = "import/export",
465 		.src_divs = {
466 			{
467 				.proportion_of_total = 6500,
468 				.flush_type = FLUSH_TYPE_REIMPORT,
469 			}, {
470 				.proportion_of_total = 3500,
471 				.flush_type = FLUSH_TYPE_REIMPORT,
472 			},
473 		},
474 		.finalization_type = FINALIZATION_TYPE_FINAL,
475 	}
476 };
477 
count_test_sg_divisions(const struct test_sg_division * divs)478 static unsigned int count_test_sg_divisions(const struct test_sg_division *divs)
479 {
480 	unsigned int remaining = TEST_SG_TOTAL;
481 	unsigned int ndivs = 0;
482 
483 	do {
484 		remaining -= divs[ndivs++].proportion_of_total;
485 	} while (remaining);
486 
487 	return ndivs;
488 }
489 
490 #define SGDIVS_HAVE_FLUSHES	BIT(0)
491 #define SGDIVS_HAVE_NOSIMD	BIT(1)
492 
valid_sg_divisions(const struct test_sg_division * divs,unsigned int count,int * flags_ret)493 static bool valid_sg_divisions(const struct test_sg_division *divs,
494 			       unsigned int count, int *flags_ret)
495 {
496 	unsigned int total = 0;
497 	unsigned int i;
498 
499 	for (i = 0; i < count && total != TEST_SG_TOTAL; i++) {
500 		if (divs[i].proportion_of_total <= 0 ||
501 		    divs[i].proportion_of_total > TEST_SG_TOTAL - total)
502 			return false;
503 		total += divs[i].proportion_of_total;
504 		if (divs[i].flush_type != FLUSH_TYPE_NONE)
505 			*flags_ret |= SGDIVS_HAVE_FLUSHES;
506 		if (divs[i].nosimd)
507 			*flags_ret |= SGDIVS_HAVE_NOSIMD;
508 	}
509 	return total == TEST_SG_TOTAL &&
510 		memchr_inv(&divs[i], 0, (count - i) * sizeof(divs[0])) == NULL;
511 }
512 
513 /*
514  * Check whether the given testvec_config is valid.  This isn't strictly needed
515  * since every testvec_config should be valid, but check anyway so that people
516  * don't unknowingly add broken configs that don't do what they wanted.
517  */
valid_testvec_config(const struct testvec_config * cfg)518 static bool valid_testvec_config(const struct testvec_config *cfg)
519 {
520 	int flags = 0;
521 
522 	if (cfg->name == NULL)
523 		return false;
524 
525 	if (!valid_sg_divisions(cfg->src_divs, ARRAY_SIZE(cfg->src_divs),
526 				&flags))
527 		return false;
528 
529 	if (cfg->dst_divs[0].proportion_of_total) {
530 		if (!valid_sg_divisions(cfg->dst_divs,
531 					ARRAY_SIZE(cfg->dst_divs), &flags))
532 			return false;
533 	} else {
534 		if (memchr_inv(cfg->dst_divs, 0, sizeof(cfg->dst_divs)))
535 			return false;
536 		/* defaults to dst_divs=src_divs */
537 	}
538 
539 	if (cfg->iv_offset +
540 	    (cfg->iv_offset_relative_to_alignmask ? MAX_ALGAPI_ALIGNMASK : 0) >
541 	    MAX_ALGAPI_ALIGNMASK + 1)
542 		return false;
543 
544 	if ((flags & (SGDIVS_HAVE_FLUSHES | SGDIVS_HAVE_NOSIMD)) &&
545 	    cfg->finalization_type == FINALIZATION_TYPE_DIGEST)
546 		return false;
547 
548 	if ((cfg->nosimd || cfg->nosimd_setkey ||
549 	     (flags & SGDIVS_HAVE_NOSIMD)) &&
550 	    (cfg->req_flags & CRYPTO_TFM_REQ_MAY_SLEEP))
551 		return false;
552 
553 	return true;
554 }
555 
556 struct test_sglist {
557 	char *bufs[XBUFSIZE];
558 	struct scatterlist sgl[XBUFSIZE];
559 	struct scatterlist sgl_saved[XBUFSIZE];
560 	struct scatterlist *sgl_ptr;
561 	unsigned int nents;
562 };
563 
init_test_sglist(struct test_sglist * tsgl)564 static int init_test_sglist(struct test_sglist *tsgl)
565 {
566 	return __testmgr_alloc_buf(tsgl->bufs, 1 /* two pages per buffer */);
567 }
568 
destroy_test_sglist(struct test_sglist * tsgl)569 static void destroy_test_sglist(struct test_sglist *tsgl)
570 {
571 	return __testmgr_free_buf(tsgl->bufs, 1 /* two pages per buffer */);
572 }
573 
574 /**
575  * build_test_sglist() - build a scatterlist for a crypto test
576  *
577  * @tsgl: the scatterlist to build.  @tsgl->bufs[] contains an array of 2-page
578  *	  buffers which the scatterlist @tsgl->sgl[] will be made to point into.
579  * @divs: the layout specification on which the scatterlist will be based
580  * @alignmask: the algorithm's alignmask
581  * @total_len: the total length of the scatterlist to build in bytes
582  * @data: if non-NULL, the buffers will be filled with this data until it ends.
583  *	  Otherwise the buffers will be poisoned.  In both cases, some bytes
584  *	  past the end of each buffer will be poisoned to help detect overruns.
585  * @out_divs: if non-NULL, the test_sg_division to which each scatterlist entry
586  *	      corresponds will be returned here.  This will match @divs except
587  *	      that divisions resolving to a length of 0 are omitted as they are
588  *	      not included in the scatterlist.
589  *
590  * Return: 0 or a -errno value
591  */
build_test_sglist(struct test_sglist * tsgl,const struct test_sg_division * divs,const unsigned int alignmask,const unsigned int total_len,struct iov_iter * data,const struct test_sg_division * out_divs[XBUFSIZE])592 static int build_test_sglist(struct test_sglist *tsgl,
593 			     const struct test_sg_division *divs,
594 			     const unsigned int alignmask,
595 			     const unsigned int total_len,
596 			     struct iov_iter *data,
597 			     const struct test_sg_division *out_divs[XBUFSIZE])
598 {
599 	struct {
600 		const struct test_sg_division *div;
601 		size_t length;
602 	} partitions[XBUFSIZE];
603 	const unsigned int ndivs = count_test_sg_divisions(divs);
604 	unsigned int len_remaining = total_len;
605 	unsigned int i;
606 
607 	BUILD_BUG_ON(ARRAY_SIZE(partitions) != ARRAY_SIZE(tsgl->sgl));
608 	if (WARN_ON(ndivs > ARRAY_SIZE(partitions)))
609 		return -EINVAL;
610 
611 	/* Calculate the (div, length) pairs */
612 	tsgl->nents = 0;
613 	for (i = 0; i < ndivs; i++) {
614 		unsigned int len_this_sg =
615 			min(len_remaining,
616 			    (total_len * divs[i].proportion_of_total +
617 			     TEST_SG_TOTAL / 2) / TEST_SG_TOTAL);
618 
619 		if (len_this_sg != 0) {
620 			partitions[tsgl->nents].div = &divs[i];
621 			partitions[tsgl->nents].length = len_this_sg;
622 			tsgl->nents++;
623 			len_remaining -= len_this_sg;
624 		}
625 	}
626 	if (tsgl->nents == 0) {
627 		partitions[tsgl->nents].div = &divs[0];
628 		partitions[tsgl->nents].length = 0;
629 		tsgl->nents++;
630 	}
631 	partitions[tsgl->nents - 1].length += len_remaining;
632 
633 	/* Set up the sgl entries and fill the data or poison */
634 	sg_init_table(tsgl->sgl, tsgl->nents);
635 	for (i = 0; i < tsgl->nents; i++) {
636 		unsigned int offset = partitions[i].div->offset;
637 		void *addr;
638 
639 		if (partitions[i].div->offset_relative_to_alignmask)
640 			offset += alignmask;
641 
642 		while (offset + partitions[i].length + TESTMGR_POISON_LEN >
643 		       2 * PAGE_SIZE) {
644 			if (WARN_ON(offset <= 0))
645 				return -EINVAL;
646 			offset /= 2;
647 		}
648 
649 		addr = &tsgl->bufs[i][offset];
650 		sg_set_buf(&tsgl->sgl[i], addr, partitions[i].length);
651 
652 		if (out_divs)
653 			out_divs[i] = partitions[i].div;
654 
655 		if (data) {
656 			size_t copy_len, copied;
657 
658 			copy_len = min(partitions[i].length, data->count);
659 			copied = copy_from_iter(addr, copy_len, data);
660 			if (WARN_ON(copied != copy_len))
661 				return -EINVAL;
662 			testmgr_poison(addr + copy_len, partitions[i].length +
663 				       TESTMGR_POISON_LEN - copy_len);
664 		} else {
665 			testmgr_poison(addr, partitions[i].length +
666 				       TESTMGR_POISON_LEN);
667 		}
668 	}
669 
670 	sg_mark_end(&tsgl->sgl[tsgl->nents - 1]);
671 	tsgl->sgl_ptr = tsgl->sgl;
672 	memcpy(tsgl->sgl_saved, tsgl->sgl, tsgl->nents * sizeof(tsgl->sgl[0]));
673 	return 0;
674 }
675 
676 /*
677  * Verify that a scatterlist crypto operation produced the correct output.
678  *
679  * @tsgl: scatterlist containing the actual output
680  * @expected_output: buffer containing the expected output
681  * @len_to_check: length of @expected_output in bytes
682  * @unchecked_prefix_len: number of ignored bytes in @tsgl prior to real result
683  * @check_poison: verify that the poison bytes after each chunk are intact?
684  *
685  * Return: 0 if correct, -EINVAL if incorrect, -EOVERFLOW if buffer overrun.
686  */
verify_correct_output(const struct test_sglist * tsgl,const char * expected_output,unsigned int len_to_check,unsigned int unchecked_prefix_len,bool check_poison)687 static int verify_correct_output(const struct test_sglist *tsgl,
688 				 const char *expected_output,
689 				 unsigned int len_to_check,
690 				 unsigned int unchecked_prefix_len,
691 				 bool check_poison)
692 {
693 	unsigned int i;
694 
695 	for (i = 0; i < tsgl->nents; i++) {
696 		struct scatterlist *sg = &tsgl->sgl_ptr[i];
697 		unsigned int len = sg->length;
698 		unsigned int offset = sg->offset;
699 		const char *actual_output;
700 
701 		if (unchecked_prefix_len) {
702 			if (unchecked_prefix_len >= len) {
703 				unchecked_prefix_len -= len;
704 				continue;
705 			}
706 			offset += unchecked_prefix_len;
707 			len -= unchecked_prefix_len;
708 			unchecked_prefix_len = 0;
709 		}
710 		len = min(len, len_to_check);
711 		actual_output = page_address(sg_page(sg)) + offset;
712 		if (memcmp(expected_output, actual_output, len) != 0)
713 			return -EINVAL;
714 		if (check_poison &&
715 		    !testmgr_is_poison(actual_output + len, TESTMGR_POISON_LEN))
716 			return -EOVERFLOW;
717 		len_to_check -= len;
718 		expected_output += len;
719 	}
720 	if (WARN_ON(len_to_check != 0))
721 		return -EINVAL;
722 	return 0;
723 }
724 
is_test_sglist_corrupted(const struct test_sglist * tsgl)725 static bool is_test_sglist_corrupted(const struct test_sglist *tsgl)
726 {
727 	unsigned int i;
728 
729 	for (i = 0; i < tsgl->nents; i++) {
730 		if (tsgl->sgl[i].page_link != tsgl->sgl_saved[i].page_link)
731 			return true;
732 		if (tsgl->sgl[i].offset != tsgl->sgl_saved[i].offset)
733 			return true;
734 		if (tsgl->sgl[i].length != tsgl->sgl_saved[i].length)
735 			return true;
736 	}
737 	return false;
738 }
739 
740 struct cipher_test_sglists {
741 	struct test_sglist src;
742 	struct test_sglist dst;
743 };
744 
alloc_cipher_test_sglists(void)745 static struct cipher_test_sglists *alloc_cipher_test_sglists(void)
746 {
747 	struct cipher_test_sglists *tsgls;
748 
749 	tsgls = kmalloc(sizeof(*tsgls), GFP_KERNEL);
750 	if (!tsgls)
751 		return NULL;
752 
753 	if (init_test_sglist(&tsgls->src) != 0)
754 		goto fail_kfree;
755 	if (init_test_sglist(&tsgls->dst) != 0)
756 		goto fail_destroy_src;
757 
758 	return tsgls;
759 
760 fail_destroy_src:
761 	destroy_test_sglist(&tsgls->src);
762 fail_kfree:
763 	kfree(tsgls);
764 	return NULL;
765 }
766 
free_cipher_test_sglists(struct cipher_test_sglists * tsgls)767 static void free_cipher_test_sglists(struct cipher_test_sglists *tsgls)
768 {
769 	if (tsgls) {
770 		destroy_test_sglist(&tsgls->src);
771 		destroy_test_sglist(&tsgls->dst);
772 		kfree(tsgls);
773 	}
774 }
775 
776 /* Build the src and dst scatterlists for an skcipher or AEAD test */
build_cipher_test_sglists(struct cipher_test_sglists * tsgls,const struct testvec_config * cfg,unsigned int alignmask,unsigned int src_total_len,unsigned int dst_total_len,const struct kvec * inputs,unsigned int nr_inputs)777 static int build_cipher_test_sglists(struct cipher_test_sglists *tsgls,
778 				     const struct testvec_config *cfg,
779 				     unsigned int alignmask,
780 				     unsigned int src_total_len,
781 				     unsigned int dst_total_len,
782 				     const struct kvec *inputs,
783 				     unsigned int nr_inputs)
784 {
785 	struct iov_iter input;
786 	int err;
787 
788 	iov_iter_kvec(&input, ITER_SOURCE, inputs, nr_inputs, src_total_len);
789 	err = build_test_sglist(&tsgls->src, cfg->src_divs, alignmask,
790 				cfg->inplace_mode != OUT_OF_PLACE ?
791 					max(dst_total_len, src_total_len) :
792 					src_total_len,
793 				&input, NULL);
794 	if (err)
795 		return err;
796 
797 	/*
798 	 * In-place crypto operations can use the same scatterlist for both the
799 	 * source and destination (req->src == req->dst), or can use separate
800 	 * scatterlists (req->src != req->dst) which point to the same
801 	 * underlying memory.  Make sure to test both cases.
802 	 */
803 	if (cfg->inplace_mode == INPLACE_ONE_SGLIST) {
804 		tsgls->dst.sgl_ptr = tsgls->src.sgl;
805 		tsgls->dst.nents = tsgls->src.nents;
806 		return 0;
807 	}
808 	if (cfg->inplace_mode == INPLACE_TWO_SGLISTS) {
809 		/*
810 		 * For now we keep it simple and only test the case where the
811 		 * two scatterlists have identical entries, rather than
812 		 * different entries that split up the same memory differently.
813 		 */
814 		memcpy(tsgls->dst.sgl, tsgls->src.sgl,
815 		       tsgls->src.nents * sizeof(tsgls->src.sgl[0]));
816 		memcpy(tsgls->dst.sgl_saved, tsgls->src.sgl,
817 		       tsgls->src.nents * sizeof(tsgls->src.sgl[0]));
818 		tsgls->dst.sgl_ptr = tsgls->dst.sgl;
819 		tsgls->dst.nents = tsgls->src.nents;
820 		return 0;
821 	}
822 	/* Out of place */
823 	return build_test_sglist(&tsgls->dst,
824 				 cfg->dst_divs[0].proportion_of_total ?
825 					cfg->dst_divs : cfg->src_divs,
826 				 alignmask, dst_total_len, NULL, NULL);
827 }
828 
829 /*
830  * Support for testing passing a misaligned key to setkey():
831  *
832  * If cfg->key_offset is set, copy the key into a new buffer at that offset,
833  * optionally adding alignmask.  Else, just use the key directly.
834  */
prepare_keybuf(const u8 * key,unsigned int ksize,const struct testvec_config * cfg,unsigned int alignmask,const u8 ** keybuf_ret,const u8 ** keyptr_ret)835 static int prepare_keybuf(const u8 *key, unsigned int ksize,
836 			  const struct testvec_config *cfg,
837 			  unsigned int alignmask,
838 			  const u8 **keybuf_ret, const u8 **keyptr_ret)
839 {
840 	unsigned int key_offset = cfg->key_offset;
841 	u8 *keybuf = NULL, *keyptr = (u8 *)key;
842 
843 	if (key_offset != 0) {
844 		if (cfg->key_offset_relative_to_alignmask)
845 			key_offset += alignmask;
846 		keybuf = kmalloc(key_offset + ksize, GFP_KERNEL);
847 		if (!keybuf)
848 			return -ENOMEM;
849 		keyptr = keybuf + key_offset;
850 		memcpy(keyptr, key, ksize);
851 	}
852 	*keybuf_ret = keybuf;
853 	*keyptr_ret = keyptr;
854 	return 0;
855 }
856 
857 /*
858  * Like setkey_f(tfm, key, ksize), but sometimes misalign the key.
859  * In addition, run the setkey function in no-SIMD context if requested.
860  */
861 #define do_setkey(setkey_f, tfm, key, ksize, cfg, alignmask)		\
862 ({									\
863 	const u8 *keybuf, *keyptr;					\
864 	int err;							\
865 									\
866 	err = prepare_keybuf((key), (ksize), (cfg), (alignmask),	\
867 			     &keybuf, &keyptr);				\
868 	if (err == 0) {							\
869 		if ((cfg)->nosimd_setkey)				\
870 			crypto_disable_simd_for_test();			\
871 		err = setkey_f((tfm), keyptr, (ksize));			\
872 		if ((cfg)->nosimd_setkey)				\
873 			crypto_reenable_simd_for_test();		\
874 		kfree(keybuf);						\
875 	}								\
876 	err;								\
877 })
878 
879 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
880 
881 /*
882  * The fuzz tests use prandom instead of the normal Linux RNG since they don't
883  * need cryptographically secure random numbers.  This greatly improves the
884  * performance of these tests, especially if they are run before the Linux RNG
885  * has been initialized or if they are run on a lockdep-enabled kernel.
886  */
887 
init_rnd_state(struct rnd_state * rng)888 static inline void init_rnd_state(struct rnd_state *rng)
889 {
890 	prandom_seed_state(rng, get_random_u64());
891 }
892 
prandom_u8(struct rnd_state * rng)893 static inline u8 prandom_u8(struct rnd_state *rng)
894 {
895 	return prandom_u32_state(rng);
896 }
897 
prandom_u32_below(struct rnd_state * rng,u32 ceil)898 static inline u32 prandom_u32_below(struct rnd_state *rng, u32 ceil)
899 {
900 	/*
901 	 * This is slightly biased for non-power-of-2 values of 'ceil', but this
902 	 * isn't important here.
903 	 */
904 	return prandom_u32_state(rng) % ceil;
905 }
906 
prandom_bool(struct rnd_state * rng)907 static inline bool prandom_bool(struct rnd_state *rng)
908 {
909 	return prandom_u32_below(rng, 2);
910 }
911 
prandom_u32_inclusive(struct rnd_state * rng,u32 floor,u32 ceil)912 static inline u32 prandom_u32_inclusive(struct rnd_state *rng,
913 					u32 floor, u32 ceil)
914 {
915 	return floor + prandom_u32_below(rng, ceil - floor + 1);
916 }
917 
918 /* Generate a random length in range [0, max_len], but prefer smaller values */
generate_random_length(struct rnd_state * rng,unsigned int max_len)919 static unsigned int generate_random_length(struct rnd_state *rng,
920 					   unsigned int max_len)
921 {
922 	unsigned int len = prandom_u32_below(rng, max_len + 1);
923 
924 	switch (prandom_u32_below(rng, 4)) {
925 	case 0:
926 		len %= 64;
927 		break;
928 	case 1:
929 		len %= 256;
930 		break;
931 	case 2:
932 		len %= 1024;
933 		break;
934 	default:
935 		break;
936 	}
937 	if (len && prandom_u32_below(rng, 4) == 0)
938 		len = rounddown_pow_of_two(len);
939 	return len;
940 }
941 
942 /* Flip a random bit in the given nonempty data buffer */
flip_random_bit(struct rnd_state * rng,u8 * buf,size_t size)943 static void flip_random_bit(struct rnd_state *rng, u8 *buf, size_t size)
944 {
945 	size_t bitpos;
946 
947 	bitpos = prandom_u32_below(rng, size * 8);
948 	buf[bitpos / 8] ^= 1 << (bitpos % 8);
949 }
950 
951 /* Flip a random byte in the given nonempty data buffer */
flip_random_byte(struct rnd_state * rng,u8 * buf,size_t size)952 static void flip_random_byte(struct rnd_state *rng, u8 *buf, size_t size)
953 {
954 	buf[prandom_u32_below(rng, size)] ^= 0xff;
955 }
956 
957 /* Sometimes make some random changes to the given nonempty data buffer */
mutate_buffer(struct rnd_state * rng,u8 * buf,size_t size)958 static void mutate_buffer(struct rnd_state *rng, u8 *buf, size_t size)
959 {
960 	size_t num_flips;
961 	size_t i;
962 
963 	/* Sometimes flip some bits */
964 	if (prandom_u32_below(rng, 4) == 0) {
965 		num_flips = min_t(size_t, 1 << prandom_u32_below(rng, 8),
966 				  size * 8);
967 		for (i = 0; i < num_flips; i++)
968 			flip_random_bit(rng, buf, size);
969 	}
970 
971 	/* Sometimes flip some bytes */
972 	if (prandom_u32_below(rng, 4) == 0) {
973 		num_flips = min_t(size_t, 1 << prandom_u32_below(rng, 8), size);
974 		for (i = 0; i < num_flips; i++)
975 			flip_random_byte(rng, buf, size);
976 	}
977 }
978 
979 /* Randomly generate 'count' bytes, but sometimes make them "interesting" */
generate_random_bytes(struct rnd_state * rng,u8 * buf,size_t count)980 static void generate_random_bytes(struct rnd_state *rng, u8 *buf, size_t count)
981 {
982 	u8 b;
983 	u8 increment;
984 	size_t i;
985 
986 	if (count == 0)
987 		return;
988 
989 	switch (prandom_u32_below(rng, 8)) { /* Choose a generation strategy */
990 	case 0:
991 	case 1:
992 		/* All the same byte, plus optional mutations */
993 		switch (prandom_u32_below(rng, 4)) {
994 		case 0:
995 			b = 0x00;
996 			break;
997 		case 1:
998 			b = 0xff;
999 			break;
1000 		default:
1001 			b = prandom_u8(rng);
1002 			break;
1003 		}
1004 		memset(buf, b, count);
1005 		mutate_buffer(rng, buf, count);
1006 		break;
1007 	case 2:
1008 		/* Ascending or descending bytes, plus optional mutations */
1009 		increment = prandom_u8(rng);
1010 		b = prandom_u8(rng);
1011 		for (i = 0; i < count; i++, b += increment)
1012 			buf[i] = b;
1013 		mutate_buffer(rng, buf, count);
1014 		break;
1015 	default:
1016 		/* Fully random bytes */
1017 		prandom_bytes_state(rng, buf, count);
1018 	}
1019 }
1020 
generate_random_sgl_divisions(struct rnd_state * rng,struct test_sg_division * divs,size_t max_divs,char * p,char * end,bool gen_flushes,u32 req_flags)1021 static char *generate_random_sgl_divisions(struct rnd_state *rng,
1022 					   struct test_sg_division *divs,
1023 					   size_t max_divs, char *p, char *end,
1024 					   bool gen_flushes, u32 req_flags)
1025 {
1026 	struct test_sg_division *div = divs;
1027 	unsigned int remaining = TEST_SG_TOTAL;
1028 
1029 	do {
1030 		unsigned int this_len;
1031 		const char *flushtype_str;
1032 
1033 		if (div == &divs[max_divs - 1] || prandom_bool(rng))
1034 			this_len = remaining;
1035 		else if (prandom_u32_below(rng, 4) == 0)
1036 			this_len = (remaining + 1) / 2;
1037 		else
1038 			this_len = prandom_u32_inclusive(rng, 1, remaining);
1039 		div->proportion_of_total = this_len;
1040 
1041 		if (prandom_u32_below(rng, 4) == 0)
1042 			div->offset = prandom_u32_inclusive(rng,
1043 							    PAGE_SIZE - 128,
1044 							    PAGE_SIZE - 1);
1045 		else if (prandom_bool(rng))
1046 			div->offset = prandom_u32_below(rng, 32);
1047 		else
1048 			div->offset = prandom_u32_below(rng, PAGE_SIZE);
1049 		if (prandom_u32_below(rng, 8) == 0)
1050 			div->offset_relative_to_alignmask = true;
1051 
1052 		div->flush_type = FLUSH_TYPE_NONE;
1053 		if (gen_flushes) {
1054 			switch (prandom_u32_below(rng, 4)) {
1055 			case 0:
1056 				div->flush_type = FLUSH_TYPE_REIMPORT;
1057 				break;
1058 			case 1:
1059 				div->flush_type = FLUSH_TYPE_FLUSH;
1060 				break;
1061 			}
1062 		}
1063 
1064 		if (div->flush_type != FLUSH_TYPE_NONE &&
1065 		    !(req_flags & CRYPTO_TFM_REQ_MAY_SLEEP) &&
1066 		    prandom_bool(rng))
1067 			div->nosimd = true;
1068 
1069 		switch (div->flush_type) {
1070 		case FLUSH_TYPE_FLUSH:
1071 			if (div->nosimd)
1072 				flushtype_str = "<flush,nosimd>";
1073 			else
1074 				flushtype_str = "<flush>";
1075 			break;
1076 		case FLUSH_TYPE_REIMPORT:
1077 			if (div->nosimd)
1078 				flushtype_str = "<reimport,nosimd>";
1079 			else
1080 				flushtype_str = "<reimport>";
1081 			break;
1082 		default:
1083 			flushtype_str = "";
1084 			break;
1085 		}
1086 
1087 		BUILD_BUG_ON(TEST_SG_TOTAL != 10000); /* for "%u.%u%%" */
1088 		p += scnprintf(p, end - p, "%s%u.%u%%@%s+%u%s", flushtype_str,
1089 			       this_len / 100, this_len % 100,
1090 			       div->offset_relative_to_alignmask ?
1091 					"alignmask" : "",
1092 			       div->offset, this_len == remaining ? "" : ", ");
1093 		remaining -= this_len;
1094 		div++;
1095 	} while (remaining);
1096 
1097 	return p;
1098 }
1099 
1100 /* Generate a random testvec_config for fuzz testing */
generate_random_testvec_config(struct rnd_state * rng,struct testvec_config * cfg,char * name,size_t max_namelen)1101 static void generate_random_testvec_config(struct rnd_state *rng,
1102 					   struct testvec_config *cfg,
1103 					   char *name, size_t max_namelen)
1104 {
1105 	char *p = name;
1106 	char * const end = name + max_namelen;
1107 
1108 	memset(cfg, 0, sizeof(*cfg));
1109 
1110 	cfg->name = name;
1111 
1112 	p += scnprintf(p, end - p, "random:");
1113 
1114 	switch (prandom_u32_below(rng, 4)) {
1115 	case 0:
1116 	case 1:
1117 		cfg->inplace_mode = OUT_OF_PLACE;
1118 		break;
1119 	case 2:
1120 		cfg->inplace_mode = INPLACE_ONE_SGLIST;
1121 		p += scnprintf(p, end - p, " inplace_one_sglist");
1122 		break;
1123 	default:
1124 		cfg->inplace_mode = INPLACE_TWO_SGLISTS;
1125 		p += scnprintf(p, end - p, " inplace_two_sglists");
1126 		break;
1127 	}
1128 
1129 	if (prandom_bool(rng)) {
1130 		cfg->req_flags |= CRYPTO_TFM_REQ_MAY_SLEEP;
1131 		p += scnprintf(p, end - p, " may_sleep");
1132 	}
1133 
1134 	switch (prandom_u32_below(rng, 4)) {
1135 	case 0:
1136 		cfg->finalization_type = FINALIZATION_TYPE_FINAL;
1137 		p += scnprintf(p, end - p, " use_final");
1138 		break;
1139 	case 1:
1140 		cfg->finalization_type = FINALIZATION_TYPE_FINUP;
1141 		p += scnprintf(p, end - p, " use_finup");
1142 		break;
1143 	default:
1144 		cfg->finalization_type = FINALIZATION_TYPE_DIGEST;
1145 		p += scnprintf(p, end - p, " use_digest");
1146 		break;
1147 	}
1148 
1149 	if (!(cfg->req_flags & CRYPTO_TFM_REQ_MAY_SLEEP)) {
1150 		if (prandom_bool(rng)) {
1151 			cfg->nosimd = true;
1152 			p += scnprintf(p, end - p, " nosimd");
1153 		}
1154 		if (prandom_bool(rng)) {
1155 			cfg->nosimd_setkey = true;
1156 			p += scnprintf(p, end - p, " nosimd_setkey");
1157 		}
1158 	}
1159 
1160 	p += scnprintf(p, end - p, " src_divs=[");
1161 	p = generate_random_sgl_divisions(rng, cfg->src_divs,
1162 					  ARRAY_SIZE(cfg->src_divs), p, end,
1163 					  (cfg->finalization_type !=
1164 					   FINALIZATION_TYPE_DIGEST),
1165 					  cfg->req_flags);
1166 	p += scnprintf(p, end - p, "]");
1167 
1168 	if (cfg->inplace_mode == OUT_OF_PLACE && prandom_bool(rng)) {
1169 		p += scnprintf(p, end - p, " dst_divs=[");
1170 		p = generate_random_sgl_divisions(rng, cfg->dst_divs,
1171 						  ARRAY_SIZE(cfg->dst_divs),
1172 						  p, end, false,
1173 						  cfg->req_flags);
1174 		p += scnprintf(p, end - p, "]");
1175 	}
1176 
1177 	if (prandom_bool(rng)) {
1178 		cfg->iv_offset = prandom_u32_inclusive(rng, 1,
1179 						       MAX_ALGAPI_ALIGNMASK);
1180 		p += scnprintf(p, end - p, " iv_offset=%u", cfg->iv_offset);
1181 	}
1182 
1183 	if (prandom_bool(rng)) {
1184 		cfg->key_offset = prandom_u32_inclusive(rng, 1,
1185 							MAX_ALGAPI_ALIGNMASK);
1186 		p += scnprintf(p, end - p, " key_offset=%u", cfg->key_offset);
1187 	}
1188 
1189 	WARN_ON_ONCE(!valid_testvec_config(cfg));
1190 }
1191 
crypto_disable_simd_for_test(void)1192 static void crypto_disable_simd_for_test(void)
1193 {
1194 	migrate_disable();
1195 	__this_cpu_write(crypto_simd_disabled_for_test, true);
1196 }
1197 
crypto_reenable_simd_for_test(void)1198 static void crypto_reenable_simd_for_test(void)
1199 {
1200 	__this_cpu_write(crypto_simd_disabled_for_test, false);
1201 	migrate_enable();
1202 }
1203 
1204 /*
1205  * Given an algorithm name, build the name of the generic implementation of that
1206  * algorithm, assuming the usual naming convention.  Specifically, this appends
1207  * "-generic" to every part of the name that is not a template name.  Examples:
1208  *
1209  *	aes => aes-generic
1210  *	cbc(aes) => cbc(aes-generic)
1211  *	cts(cbc(aes)) => cts(cbc(aes-generic))
1212  *	rfc7539(chacha20,poly1305) => rfc7539(chacha20-generic,poly1305-generic)
1213  *
1214  * Return: 0 on success, or -ENAMETOOLONG if the generic name would be too long
1215  */
build_generic_driver_name(const char * algname,char driver_name[CRYPTO_MAX_ALG_NAME])1216 static int build_generic_driver_name(const char *algname,
1217 				     char driver_name[CRYPTO_MAX_ALG_NAME])
1218 {
1219 	const char *in = algname;
1220 	char *out = driver_name;
1221 	size_t len = strlen(algname);
1222 
1223 	if (len >= CRYPTO_MAX_ALG_NAME)
1224 		goto too_long;
1225 	do {
1226 		const char *in_saved = in;
1227 
1228 		while (*in && *in != '(' && *in != ')' && *in != ',')
1229 			*out++ = *in++;
1230 		if (*in != '(' && in > in_saved) {
1231 			len += 8;
1232 			if (len >= CRYPTO_MAX_ALG_NAME)
1233 				goto too_long;
1234 			memcpy(out, "-generic", 8);
1235 			out += 8;
1236 		}
1237 	} while ((*out++ = *in++) != '\0');
1238 	return 0;
1239 
1240 too_long:
1241 	pr_err("alg: generic driver name for \"%s\" would be too long\n",
1242 	       algname);
1243 	return -ENAMETOOLONG;
1244 }
1245 #else /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
crypto_disable_simd_for_test(void)1246 static void crypto_disable_simd_for_test(void)
1247 {
1248 }
1249 
crypto_reenable_simd_for_test(void)1250 static void crypto_reenable_simd_for_test(void)
1251 {
1252 }
1253 #endif /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
1254 
build_hash_sglist(struct test_sglist * tsgl,const struct hash_testvec * vec,const struct testvec_config * cfg,unsigned int alignmask,const struct test_sg_division * divs[XBUFSIZE])1255 static int build_hash_sglist(struct test_sglist *tsgl,
1256 			     const struct hash_testvec *vec,
1257 			     const struct testvec_config *cfg,
1258 			     unsigned int alignmask,
1259 			     const struct test_sg_division *divs[XBUFSIZE])
1260 {
1261 	struct kvec kv;
1262 	struct iov_iter input;
1263 
1264 	kv.iov_base = (void *)vec->plaintext;
1265 	kv.iov_len = vec->psize;
1266 	iov_iter_kvec(&input, ITER_SOURCE, &kv, 1, vec->psize);
1267 	return build_test_sglist(tsgl, cfg->src_divs, alignmask, vec->psize,
1268 				 &input, divs);
1269 }
1270 
check_hash_result(const char * type,const u8 * result,unsigned int digestsize,const struct hash_testvec * vec,const char * vec_name,const char * driver,const struct testvec_config * cfg)1271 static int check_hash_result(const char *type,
1272 			     const u8 *result, unsigned int digestsize,
1273 			     const struct hash_testvec *vec,
1274 			     const char *vec_name,
1275 			     const char *driver,
1276 			     const struct testvec_config *cfg)
1277 {
1278 	if (memcmp(result, vec->digest, digestsize) != 0) {
1279 		pr_err("alg: %s: %s test failed (wrong result) on test vector %s, cfg=\"%s\"\n",
1280 		       type, driver, vec_name, cfg->name);
1281 		return -EINVAL;
1282 	}
1283 	if (!testmgr_is_poison(&result[digestsize], TESTMGR_POISON_LEN)) {
1284 		pr_err("alg: %s: %s overran result buffer on test vector %s, cfg=\"%s\"\n",
1285 		       type, driver, vec_name, cfg->name);
1286 		return -EOVERFLOW;
1287 	}
1288 	return 0;
1289 }
1290 
check_shash_op(const char * op,int err,const char * driver,const char * vec_name,const struct testvec_config * cfg)1291 static inline int check_shash_op(const char *op, int err,
1292 				 const char *driver, const char *vec_name,
1293 				 const struct testvec_config *cfg)
1294 {
1295 	if (err)
1296 		pr_err("alg: shash: %s %s() failed with err %d on test vector %s, cfg=\"%s\"\n",
1297 		       driver, op, err, vec_name, cfg->name);
1298 	return err;
1299 }
1300 
1301 /* Test one hash test vector in one configuration, using the shash API */
test_shash_vec_cfg(const struct hash_testvec * vec,const char * vec_name,const struct testvec_config * cfg,struct shash_desc * desc,struct test_sglist * tsgl,u8 * hashstate)1302 static int test_shash_vec_cfg(const struct hash_testvec *vec,
1303 			      const char *vec_name,
1304 			      const struct testvec_config *cfg,
1305 			      struct shash_desc *desc,
1306 			      struct test_sglist *tsgl,
1307 			      u8 *hashstate)
1308 {
1309 	struct crypto_shash *tfm = desc->tfm;
1310 	const unsigned int digestsize = crypto_shash_digestsize(tfm);
1311 	const unsigned int statesize = crypto_shash_statesize(tfm);
1312 	const char *driver = crypto_shash_driver_name(tfm);
1313 	const struct test_sg_division *divs[XBUFSIZE];
1314 	unsigned int i;
1315 	u8 result[HASH_MAX_DIGESTSIZE + TESTMGR_POISON_LEN];
1316 	int err;
1317 
1318 	/* Set the key, if specified */
1319 	if (vec->ksize) {
1320 		err = do_setkey(crypto_shash_setkey, tfm, vec->key, vec->ksize,
1321 				cfg, 0);
1322 		if (err) {
1323 			if (err == vec->setkey_error)
1324 				return 0;
1325 			pr_err("alg: shash: %s setkey failed on test vector %s; expected_error=%d, actual_error=%d, flags=%#x\n",
1326 			       driver, vec_name, vec->setkey_error, err,
1327 			       crypto_shash_get_flags(tfm));
1328 			return err;
1329 		}
1330 		if (vec->setkey_error) {
1331 			pr_err("alg: shash: %s setkey unexpectedly succeeded on test vector %s; expected_error=%d\n",
1332 			       driver, vec_name, vec->setkey_error);
1333 			return -EINVAL;
1334 		}
1335 	}
1336 
1337 	/* Build the scatterlist for the source data */
1338 	err = build_hash_sglist(tsgl, vec, cfg, 0, divs);
1339 	if (err) {
1340 		pr_err("alg: shash: %s: error preparing scatterlist for test vector %s, cfg=\"%s\"\n",
1341 		       driver, vec_name, cfg->name);
1342 		return err;
1343 	}
1344 
1345 	/* Do the actual hashing */
1346 
1347 	testmgr_poison(desc->__ctx, crypto_shash_descsize(tfm));
1348 	testmgr_poison(result, digestsize + TESTMGR_POISON_LEN);
1349 
1350 	if (cfg->finalization_type == FINALIZATION_TYPE_DIGEST ||
1351 	    vec->digest_error) {
1352 		/* Just using digest() */
1353 		if (tsgl->nents != 1)
1354 			return 0;
1355 		if (cfg->nosimd)
1356 			crypto_disable_simd_for_test();
1357 		err = crypto_shash_digest(desc, sg_virt(&tsgl->sgl[0]),
1358 					  tsgl->sgl[0].length, result);
1359 		if (cfg->nosimd)
1360 			crypto_reenable_simd_for_test();
1361 		if (err) {
1362 			if (err == vec->digest_error)
1363 				return 0;
1364 			pr_err("alg: shash: %s digest() failed on test vector %s; expected_error=%d, actual_error=%d, cfg=\"%s\"\n",
1365 			       driver, vec_name, vec->digest_error, err,
1366 			       cfg->name);
1367 			return err;
1368 		}
1369 		if (vec->digest_error) {
1370 			pr_err("alg: shash: %s digest() unexpectedly succeeded on test vector %s; expected_error=%d, cfg=\"%s\"\n",
1371 			       driver, vec_name, vec->digest_error, cfg->name);
1372 			return -EINVAL;
1373 		}
1374 		goto result_ready;
1375 	}
1376 
1377 	/* Using init(), zero or more update(), then final() or finup() */
1378 
1379 	if (cfg->nosimd)
1380 		crypto_disable_simd_for_test();
1381 	err = crypto_shash_init(desc);
1382 	if (cfg->nosimd)
1383 		crypto_reenable_simd_for_test();
1384 	err = check_shash_op("init", err, driver, vec_name, cfg);
1385 	if (err)
1386 		return err;
1387 
1388 	for (i = 0; i < tsgl->nents; i++) {
1389 		if (i + 1 == tsgl->nents &&
1390 		    cfg->finalization_type == FINALIZATION_TYPE_FINUP) {
1391 			if (divs[i]->nosimd)
1392 				crypto_disable_simd_for_test();
1393 			err = crypto_shash_finup(desc, sg_virt(&tsgl->sgl[i]),
1394 						 tsgl->sgl[i].length, result);
1395 			if (divs[i]->nosimd)
1396 				crypto_reenable_simd_for_test();
1397 			err = check_shash_op("finup", err, driver, vec_name,
1398 					     cfg);
1399 			if (err)
1400 				return err;
1401 			goto result_ready;
1402 		}
1403 		if (divs[i]->nosimd)
1404 			crypto_disable_simd_for_test();
1405 		err = crypto_shash_update(desc, sg_virt(&tsgl->sgl[i]),
1406 					  tsgl->sgl[i].length);
1407 		if (divs[i]->nosimd)
1408 			crypto_reenable_simd_for_test();
1409 		err = check_shash_op("update", err, driver, vec_name, cfg);
1410 		if (err)
1411 			return err;
1412 		if (divs[i]->flush_type == FLUSH_TYPE_REIMPORT) {
1413 			/* Test ->export() and ->import() */
1414 			testmgr_poison(hashstate + statesize,
1415 				       TESTMGR_POISON_LEN);
1416 			err = crypto_shash_export(desc, hashstate);
1417 			err = check_shash_op("export", err, driver, vec_name,
1418 					     cfg);
1419 			if (err)
1420 				return err;
1421 			if (!testmgr_is_poison(hashstate + statesize,
1422 					       TESTMGR_POISON_LEN)) {
1423 				pr_err("alg: shash: %s export() overran state buffer on test vector %s, cfg=\"%s\"\n",
1424 				       driver, vec_name, cfg->name);
1425 				return -EOVERFLOW;
1426 			}
1427 			testmgr_poison(desc->__ctx, crypto_shash_descsize(tfm));
1428 			err = crypto_shash_import(desc, hashstate);
1429 			err = check_shash_op("import", err, driver, vec_name,
1430 					     cfg);
1431 			if (err)
1432 				return err;
1433 		}
1434 	}
1435 
1436 	if (cfg->nosimd)
1437 		crypto_disable_simd_for_test();
1438 	err = crypto_shash_final(desc, result);
1439 	if (cfg->nosimd)
1440 		crypto_reenable_simd_for_test();
1441 	err = check_shash_op("final", err, driver, vec_name, cfg);
1442 	if (err)
1443 		return err;
1444 result_ready:
1445 	return check_hash_result("shash", result, digestsize, vec, vec_name,
1446 				 driver, cfg);
1447 }
1448 
do_ahash_op(int (* op)(struct ahash_request * req),struct ahash_request * req,struct crypto_wait * wait,bool nosimd)1449 static int do_ahash_op(int (*op)(struct ahash_request *req),
1450 		       struct ahash_request *req,
1451 		       struct crypto_wait *wait, bool nosimd)
1452 {
1453 	int err;
1454 
1455 	if (nosimd)
1456 		crypto_disable_simd_for_test();
1457 
1458 	err = op(req);
1459 
1460 	if (nosimd)
1461 		crypto_reenable_simd_for_test();
1462 
1463 	return crypto_wait_req(err, wait);
1464 }
1465 
check_nonfinal_ahash_op(const char * op,int err,u8 * result,unsigned int digestsize,const char * driver,const char * vec_name,const struct testvec_config * cfg)1466 static int check_nonfinal_ahash_op(const char *op, int err,
1467 				   u8 *result, unsigned int digestsize,
1468 				   const char *driver, const char *vec_name,
1469 				   const struct testvec_config *cfg)
1470 {
1471 	if (err) {
1472 		pr_err("alg: ahash: %s %s() failed with err %d on test vector %s, cfg=\"%s\"\n",
1473 		       driver, op, err, vec_name, cfg->name);
1474 		return err;
1475 	}
1476 	if (!testmgr_is_poison(result, digestsize)) {
1477 		pr_err("alg: ahash: %s %s() used result buffer on test vector %s, cfg=\"%s\"\n",
1478 		       driver, op, vec_name, cfg->name);
1479 		return -EINVAL;
1480 	}
1481 	return 0;
1482 }
1483 
1484 /* Test one hash test vector in one configuration, using the ahash API */
test_ahash_vec_cfg(const struct hash_testvec * vec,const char * vec_name,const struct testvec_config * cfg,struct ahash_request * req,struct test_sglist * tsgl,u8 * hashstate)1485 static int test_ahash_vec_cfg(const struct hash_testvec *vec,
1486 			      const char *vec_name,
1487 			      const struct testvec_config *cfg,
1488 			      struct ahash_request *req,
1489 			      struct test_sglist *tsgl,
1490 			      u8 *hashstate)
1491 {
1492 	struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
1493 	const unsigned int digestsize = crypto_ahash_digestsize(tfm);
1494 	const unsigned int statesize = crypto_ahash_statesize(tfm);
1495 	const char *driver = crypto_ahash_driver_name(tfm);
1496 	const u32 req_flags = CRYPTO_TFM_REQ_MAY_BACKLOG | cfg->req_flags;
1497 	const struct test_sg_division *divs[XBUFSIZE];
1498 	DECLARE_CRYPTO_WAIT(wait);
1499 	unsigned int i;
1500 	struct scatterlist *pending_sgl;
1501 	unsigned int pending_len;
1502 	u8 result[HASH_MAX_DIGESTSIZE + TESTMGR_POISON_LEN];
1503 	int err;
1504 
1505 	/* Set the key, if specified */
1506 	if (vec->ksize) {
1507 		err = do_setkey(crypto_ahash_setkey, tfm, vec->key, vec->ksize,
1508 				cfg, 0);
1509 		if (err) {
1510 			if (err == vec->setkey_error)
1511 				return 0;
1512 			pr_err("alg: ahash: %s setkey failed on test vector %s; expected_error=%d, actual_error=%d, flags=%#x\n",
1513 			       driver, vec_name, vec->setkey_error, err,
1514 			       crypto_ahash_get_flags(tfm));
1515 			return err;
1516 		}
1517 		if (vec->setkey_error) {
1518 			pr_err("alg: ahash: %s setkey unexpectedly succeeded on test vector %s; expected_error=%d\n",
1519 			       driver, vec_name, vec->setkey_error);
1520 			return -EINVAL;
1521 		}
1522 	}
1523 
1524 	/* Build the scatterlist for the source data */
1525 	err = build_hash_sglist(tsgl, vec, cfg, 0, divs);
1526 	if (err) {
1527 		pr_err("alg: ahash: %s: error preparing scatterlist for test vector %s, cfg=\"%s\"\n",
1528 		       driver, vec_name, cfg->name);
1529 		return err;
1530 	}
1531 
1532 	/* Do the actual hashing */
1533 
1534 	testmgr_poison(req->__ctx, crypto_ahash_reqsize(tfm));
1535 	testmgr_poison(result, digestsize + TESTMGR_POISON_LEN);
1536 
1537 	if (cfg->finalization_type == FINALIZATION_TYPE_DIGEST ||
1538 	    vec->digest_error) {
1539 		/* Just using digest() */
1540 		ahash_request_set_callback(req, req_flags, crypto_req_done,
1541 					   &wait);
1542 		ahash_request_set_crypt(req, tsgl->sgl, result, vec->psize);
1543 		err = do_ahash_op(crypto_ahash_digest, req, &wait, cfg->nosimd);
1544 		if (err) {
1545 			if (err == vec->digest_error)
1546 				return 0;
1547 			pr_err("alg: ahash: %s digest() failed on test vector %s; expected_error=%d, actual_error=%d, cfg=\"%s\"\n",
1548 			       driver, vec_name, vec->digest_error, err,
1549 			       cfg->name);
1550 			return err;
1551 		}
1552 		if (vec->digest_error) {
1553 			pr_err("alg: ahash: %s digest() unexpectedly succeeded on test vector %s; expected_error=%d, cfg=\"%s\"\n",
1554 			       driver, vec_name, vec->digest_error, cfg->name);
1555 			return -EINVAL;
1556 		}
1557 		goto result_ready;
1558 	}
1559 
1560 	/* Using init(), zero or more update(), then final() or finup() */
1561 
1562 	ahash_request_set_callback(req, req_flags, crypto_req_done, &wait);
1563 	ahash_request_set_crypt(req, NULL, result, 0);
1564 	err = do_ahash_op(crypto_ahash_init, req, &wait, cfg->nosimd);
1565 	err = check_nonfinal_ahash_op("init", err, result, digestsize,
1566 				      driver, vec_name, cfg);
1567 	if (err)
1568 		return err;
1569 
1570 	pending_sgl = NULL;
1571 	pending_len = 0;
1572 	for (i = 0; i < tsgl->nents; i++) {
1573 		if (divs[i]->flush_type != FLUSH_TYPE_NONE &&
1574 		    pending_sgl != NULL) {
1575 			/* update() with the pending data */
1576 			ahash_request_set_callback(req, req_flags,
1577 						   crypto_req_done, &wait);
1578 			ahash_request_set_crypt(req, pending_sgl, result,
1579 						pending_len);
1580 			err = do_ahash_op(crypto_ahash_update, req, &wait,
1581 					  divs[i]->nosimd);
1582 			err = check_nonfinal_ahash_op("update", err,
1583 						      result, digestsize,
1584 						      driver, vec_name, cfg);
1585 			if (err)
1586 				return err;
1587 			pending_sgl = NULL;
1588 			pending_len = 0;
1589 		}
1590 		if (divs[i]->flush_type == FLUSH_TYPE_REIMPORT) {
1591 			/* Test ->export() and ->import() */
1592 			testmgr_poison(hashstate + statesize,
1593 				       TESTMGR_POISON_LEN);
1594 			err = crypto_ahash_export(req, hashstate);
1595 			err = check_nonfinal_ahash_op("export", err,
1596 						      result, digestsize,
1597 						      driver, vec_name, cfg);
1598 			if (err)
1599 				return err;
1600 			if (!testmgr_is_poison(hashstate + statesize,
1601 					       TESTMGR_POISON_LEN)) {
1602 				pr_err("alg: ahash: %s export() overran state buffer on test vector %s, cfg=\"%s\"\n",
1603 				       driver, vec_name, cfg->name);
1604 				return -EOVERFLOW;
1605 			}
1606 
1607 			testmgr_poison(req->__ctx, crypto_ahash_reqsize(tfm));
1608 			err = crypto_ahash_import(req, hashstate);
1609 			err = check_nonfinal_ahash_op("import", err,
1610 						      result, digestsize,
1611 						      driver, vec_name, cfg);
1612 			if (err)
1613 				return err;
1614 		}
1615 		if (pending_sgl == NULL)
1616 			pending_sgl = &tsgl->sgl[i];
1617 		pending_len += tsgl->sgl[i].length;
1618 	}
1619 
1620 	ahash_request_set_callback(req, req_flags, crypto_req_done, &wait);
1621 	ahash_request_set_crypt(req, pending_sgl, result, pending_len);
1622 	if (cfg->finalization_type == FINALIZATION_TYPE_FINAL) {
1623 		/* finish with update() and final() */
1624 		err = do_ahash_op(crypto_ahash_update, req, &wait, cfg->nosimd);
1625 		err = check_nonfinal_ahash_op("update", err, result, digestsize,
1626 					      driver, vec_name, cfg);
1627 		if (err)
1628 			return err;
1629 		err = do_ahash_op(crypto_ahash_final, req, &wait, cfg->nosimd);
1630 		if (err) {
1631 			pr_err("alg: ahash: %s final() failed with err %d on test vector %s, cfg=\"%s\"\n",
1632 			       driver, err, vec_name, cfg->name);
1633 			return err;
1634 		}
1635 	} else {
1636 		/* finish with finup() */
1637 		err = do_ahash_op(crypto_ahash_finup, req, &wait, cfg->nosimd);
1638 		if (err) {
1639 			pr_err("alg: ahash: %s finup() failed with err %d on test vector %s, cfg=\"%s\"\n",
1640 			       driver, err, vec_name, cfg->name);
1641 			return err;
1642 		}
1643 	}
1644 
1645 result_ready:
1646 	return check_hash_result("ahash", result, digestsize, vec, vec_name,
1647 				 driver, cfg);
1648 }
1649 
test_hash_vec_cfg(const struct hash_testvec * vec,const char * vec_name,const struct testvec_config * cfg,struct ahash_request * req,struct shash_desc * desc,struct test_sglist * tsgl,u8 * hashstate)1650 static int test_hash_vec_cfg(const struct hash_testvec *vec,
1651 			     const char *vec_name,
1652 			     const struct testvec_config *cfg,
1653 			     struct ahash_request *req,
1654 			     struct shash_desc *desc,
1655 			     struct test_sglist *tsgl,
1656 			     u8 *hashstate)
1657 {
1658 	int err;
1659 
1660 	/*
1661 	 * For algorithms implemented as "shash", most bugs will be detected by
1662 	 * both the shash and ahash tests.  Test the shash API first so that the
1663 	 * failures involve less indirection, so are easier to debug.
1664 	 */
1665 
1666 	if (desc) {
1667 		err = test_shash_vec_cfg(vec, vec_name, cfg, desc, tsgl,
1668 					 hashstate);
1669 		if (err)
1670 			return err;
1671 	}
1672 
1673 	return test_ahash_vec_cfg(vec, vec_name, cfg, req, tsgl, hashstate);
1674 }
1675 
test_hash_vec(const struct hash_testvec * vec,unsigned int vec_num,struct ahash_request * req,struct shash_desc * desc,struct test_sglist * tsgl,u8 * hashstate)1676 static int test_hash_vec(const struct hash_testvec *vec, unsigned int vec_num,
1677 			 struct ahash_request *req, struct shash_desc *desc,
1678 			 struct test_sglist *tsgl, u8 *hashstate)
1679 {
1680 	char vec_name[16];
1681 	unsigned int i;
1682 	int err;
1683 
1684 	sprintf(vec_name, "%u", vec_num);
1685 
1686 	for (i = 0; i < ARRAY_SIZE(default_hash_testvec_configs); i++) {
1687 		err = test_hash_vec_cfg(vec, vec_name,
1688 					&default_hash_testvec_configs[i],
1689 					req, desc, tsgl, hashstate);
1690 		if (err)
1691 			return err;
1692 	}
1693 
1694 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
1695 	if (!noextratests) {
1696 		struct rnd_state rng;
1697 		struct testvec_config cfg;
1698 		char cfgname[TESTVEC_CONFIG_NAMELEN];
1699 
1700 		init_rnd_state(&rng);
1701 
1702 		for (i = 0; i < fuzz_iterations; i++) {
1703 			generate_random_testvec_config(&rng, &cfg, cfgname,
1704 						       sizeof(cfgname));
1705 			err = test_hash_vec_cfg(vec, vec_name, &cfg,
1706 						req, desc, tsgl, hashstate);
1707 			if (err)
1708 				return err;
1709 			cond_resched();
1710 		}
1711 	}
1712 #endif
1713 	return 0;
1714 }
1715 
1716 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
1717 /*
1718  * Generate a hash test vector from the given implementation.
1719  * Assumes the buffers in 'vec' were already allocated.
1720  */
generate_random_hash_testvec(struct rnd_state * rng,struct shash_desc * desc,struct hash_testvec * vec,unsigned int maxkeysize,unsigned int maxdatasize,char * name,size_t max_namelen)1721 static void generate_random_hash_testvec(struct rnd_state *rng,
1722 					 struct shash_desc *desc,
1723 					 struct hash_testvec *vec,
1724 					 unsigned int maxkeysize,
1725 					 unsigned int maxdatasize,
1726 					 char *name, size_t max_namelen)
1727 {
1728 	/* Data */
1729 	vec->psize = generate_random_length(rng, maxdatasize);
1730 	generate_random_bytes(rng, (u8 *)vec->plaintext, vec->psize);
1731 
1732 	/*
1733 	 * Key: length in range [1, maxkeysize], but usually choose maxkeysize.
1734 	 * If algorithm is unkeyed, then maxkeysize == 0 and set ksize = 0.
1735 	 */
1736 	vec->setkey_error = 0;
1737 	vec->ksize = 0;
1738 	if (maxkeysize) {
1739 		vec->ksize = maxkeysize;
1740 		if (prandom_u32_below(rng, 4) == 0)
1741 			vec->ksize = prandom_u32_inclusive(rng, 1, maxkeysize);
1742 		generate_random_bytes(rng, (u8 *)vec->key, vec->ksize);
1743 
1744 		vec->setkey_error = crypto_shash_setkey(desc->tfm, vec->key,
1745 							vec->ksize);
1746 		/* If the key couldn't be set, no need to continue to digest. */
1747 		if (vec->setkey_error)
1748 			goto done;
1749 	}
1750 
1751 	/* Digest */
1752 	vec->digest_error = crypto_shash_digest(desc, vec->plaintext,
1753 						vec->psize, (u8 *)vec->digest);
1754 done:
1755 	snprintf(name, max_namelen, "\"random: psize=%u ksize=%u\"",
1756 		 vec->psize, vec->ksize);
1757 }
1758 
1759 /*
1760  * Test the hash algorithm represented by @req against the corresponding generic
1761  * implementation, if one is available.
1762  */
test_hash_vs_generic_impl(const char * generic_driver,unsigned int maxkeysize,struct ahash_request * req,struct shash_desc * desc,struct test_sglist * tsgl,u8 * hashstate)1763 static int test_hash_vs_generic_impl(const char *generic_driver,
1764 				     unsigned int maxkeysize,
1765 				     struct ahash_request *req,
1766 				     struct shash_desc *desc,
1767 				     struct test_sglist *tsgl,
1768 				     u8 *hashstate)
1769 {
1770 	struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
1771 	const unsigned int digestsize = crypto_ahash_digestsize(tfm);
1772 	const unsigned int blocksize = crypto_ahash_blocksize(tfm);
1773 	const unsigned int maxdatasize = (2 * PAGE_SIZE) - TESTMGR_POISON_LEN;
1774 	const char *algname = crypto_hash_alg_common(tfm)->base.cra_name;
1775 	const char *driver = crypto_ahash_driver_name(tfm);
1776 	struct rnd_state rng;
1777 	char _generic_driver[CRYPTO_MAX_ALG_NAME];
1778 	struct crypto_shash *generic_tfm = NULL;
1779 	struct shash_desc *generic_desc = NULL;
1780 	unsigned int i;
1781 	struct hash_testvec vec = { 0 };
1782 	char vec_name[64];
1783 	struct testvec_config *cfg;
1784 	char cfgname[TESTVEC_CONFIG_NAMELEN];
1785 	int err;
1786 
1787 	if (noextratests)
1788 		return 0;
1789 
1790 	init_rnd_state(&rng);
1791 
1792 	if (!generic_driver) { /* Use default naming convention? */
1793 		err = build_generic_driver_name(algname, _generic_driver);
1794 		if (err)
1795 			return err;
1796 		generic_driver = _generic_driver;
1797 	}
1798 
1799 	if (strcmp(generic_driver, driver) == 0) /* Already the generic impl? */
1800 		return 0;
1801 
1802 	generic_tfm = crypto_alloc_shash(generic_driver, 0, 0);
1803 	if (IS_ERR(generic_tfm)) {
1804 		err = PTR_ERR(generic_tfm);
1805 		if (err == -ENOENT) {
1806 			pr_warn("alg: hash: skipping comparison tests for %s because %s is unavailable\n",
1807 				driver, generic_driver);
1808 			return 0;
1809 		}
1810 		pr_err("alg: hash: error allocating %s (generic impl of %s): %d\n",
1811 		       generic_driver, algname, err);
1812 		return err;
1813 	}
1814 
1815 	cfg = kzalloc(sizeof(*cfg), GFP_KERNEL);
1816 	if (!cfg) {
1817 		err = -ENOMEM;
1818 		goto out;
1819 	}
1820 
1821 	generic_desc = kzalloc(sizeof(*desc) +
1822 			       crypto_shash_descsize(generic_tfm), GFP_KERNEL);
1823 	if (!generic_desc) {
1824 		err = -ENOMEM;
1825 		goto out;
1826 	}
1827 	generic_desc->tfm = generic_tfm;
1828 
1829 	/* Check the algorithm properties for consistency. */
1830 
1831 	if (digestsize != crypto_shash_digestsize(generic_tfm)) {
1832 		pr_err("alg: hash: digestsize for %s (%u) doesn't match generic impl (%u)\n",
1833 		       driver, digestsize,
1834 		       crypto_shash_digestsize(generic_tfm));
1835 		err = -EINVAL;
1836 		goto out;
1837 	}
1838 
1839 	if (blocksize != crypto_shash_blocksize(generic_tfm)) {
1840 		pr_err("alg: hash: blocksize for %s (%u) doesn't match generic impl (%u)\n",
1841 		       driver, blocksize, crypto_shash_blocksize(generic_tfm));
1842 		err = -EINVAL;
1843 		goto out;
1844 	}
1845 
1846 	/*
1847 	 * Now generate test vectors using the generic implementation, and test
1848 	 * the other implementation against them.
1849 	 */
1850 
1851 	vec.key = kmalloc(maxkeysize, GFP_KERNEL);
1852 	vec.plaintext = kmalloc(maxdatasize, GFP_KERNEL);
1853 	vec.digest = kmalloc(digestsize, GFP_KERNEL);
1854 	if (!vec.key || !vec.plaintext || !vec.digest) {
1855 		err = -ENOMEM;
1856 		goto out;
1857 	}
1858 
1859 	for (i = 0; i < fuzz_iterations * 8; i++) {
1860 		generate_random_hash_testvec(&rng, generic_desc, &vec,
1861 					     maxkeysize, maxdatasize,
1862 					     vec_name, sizeof(vec_name));
1863 		generate_random_testvec_config(&rng, cfg, cfgname,
1864 					       sizeof(cfgname));
1865 
1866 		err = test_hash_vec_cfg(&vec, vec_name, cfg,
1867 					req, desc, tsgl, hashstate);
1868 		if (err)
1869 			goto out;
1870 		cond_resched();
1871 	}
1872 	err = 0;
1873 out:
1874 	kfree(cfg);
1875 	kfree(vec.key);
1876 	kfree(vec.plaintext);
1877 	kfree(vec.digest);
1878 	crypto_free_shash(generic_tfm);
1879 	kfree_sensitive(generic_desc);
1880 	return err;
1881 }
1882 #else /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
test_hash_vs_generic_impl(const char * generic_driver,unsigned int maxkeysize,struct ahash_request * req,struct shash_desc * desc,struct test_sglist * tsgl,u8 * hashstate)1883 static int test_hash_vs_generic_impl(const char *generic_driver,
1884 				     unsigned int maxkeysize,
1885 				     struct ahash_request *req,
1886 				     struct shash_desc *desc,
1887 				     struct test_sglist *tsgl,
1888 				     u8 *hashstate)
1889 {
1890 	return 0;
1891 }
1892 #endif /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
1893 
alloc_shash(const char * driver,u32 type,u32 mask,struct crypto_shash ** tfm_ret,struct shash_desc ** desc_ret)1894 static int alloc_shash(const char *driver, u32 type, u32 mask,
1895 		       struct crypto_shash **tfm_ret,
1896 		       struct shash_desc **desc_ret)
1897 {
1898 	struct crypto_shash *tfm;
1899 	struct shash_desc *desc;
1900 
1901 	tfm = crypto_alloc_shash(driver, type, mask);
1902 	if (IS_ERR(tfm)) {
1903 		if (PTR_ERR(tfm) == -ENOENT) {
1904 			/*
1905 			 * This algorithm is only available through the ahash
1906 			 * API, not the shash API, so skip the shash tests.
1907 			 */
1908 			return 0;
1909 		}
1910 		pr_err("alg: hash: failed to allocate shash transform for %s: %ld\n",
1911 		       driver, PTR_ERR(tfm));
1912 		return PTR_ERR(tfm);
1913 	}
1914 
1915 	desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(tfm), GFP_KERNEL);
1916 	if (!desc) {
1917 		crypto_free_shash(tfm);
1918 		return -ENOMEM;
1919 	}
1920 	desc->tfm = tfm;
1921 
1922 	*tfm_ret = tfm;
1923 	*desc_ret = desc;
1924 	return 0;
1925 }
1926 
__alg_test_hash(const struct hash_testvec * vecs,unsigned int num_vecs,const char * driver,u32 type,u32 mask,const char * generic_driver,unsigned int maxkeysize)1927 static int __alg_test_hash(const struct hash_testvec *vecs,
1928 			   unsigned int num_vecs, const char *driver,
1929 			   u32 type, u32 mask,
1930 			   const char *generic_driver, unsigned int maxkeysize)
1931 {
1932 	struct crypto_ahash *atfm = NULL;
1933 	struct ahash_request *req = NULL;
1934 	struct crypto_shash *stfm = NULL;
1935 	struct shash_desc *desc = NULL;
1936 	struct test_sglist *tsgl = NULL;
1937 	u8 *hashstate = NULL;
1938 	unsigned int statesize;
1939 	unsigned int i;
1940 	int err;
1941 
1942 	/*
1943 	 * Always test the ahash API.  This works regardless of whether the
1944 	 * algorithm is implemented as ahash or shash.
1945 	 */
1946 
1947 	atfm = crypto_alloc_ahash(driver, type, mask);
1948 	if (IS_ERR(atfm)) {
1949 		if (PTR_ERR(atfm) == -ENOENT)
1950 			return 0;
1951 		pr_err("alg: hash: failed to allocate transform for %s: %ld\n",
1952 		       driver, PTR_ERR(atfm));
1953 		return PTR_ERR(atfm);
1954 	}
1955 	driver = crypto_ahash_driver_name(atfm);
1956 
1957 	req = ahash_request_alloc(atfm, GFP_KERNEL);
1958 	if (!req) {
1959 		pr_err("alg: hash: failed to allocate request for %s\n",
1960 		       driver);
1961 		err = -ENOMEM;
1962 		goto out;
1963 	}
1964 
1965 	/*
1966 	 * If available also test the shash API, to cover corner cases that may
1967 	 * be missed by testing the ahash API only.
1968 	 */
1969 	err = alloc_shash(driver, type, mask, &stfm, &desc);
1970 	if (err)
1971 		goto out;
1972 
1973 	tsgl = kmalloc(sizeof(*tsgl), GFP_KERNEL);
1974 	if (!tsgl || init_test_sglist(tsgl) != 0) {
1975 		pr_err("alg: hash: failed to allocate test buffers for %s\n",
1976 		       driver);
1977 		kfree(tsgl);
1978 		tsgl = NULL;
1979 		err = -ENOMEM;
1980 		goto out;
1981 	}
1982 
1983 	statesize = crypto_ahash_statesize(atfm);
1984 	if (stfm)
1985 		statesize = max(statesize, crypto_shash_statesize(stfm));
1986 	hashstate = kmalloc(statesize + TESTMGR_POISON_LEN, GFP_KERNEL);
1987 	if (!hashstate) {
1988 		pr_err("alg: hash: failed to allocate hash state buffer for %s\n",
1989 		       driver);
1990 		err = -ENOMEM;
1991 		goto out;
1992 	}
1993 
1994 	for (i = 0; i < num_vecs; i++) {
1995 		if (fips_enabled && vecs[i].fips_skip)
1996 			continue;
1997 
1998 		err = test_hash_vec(&vecs[i], i, req, desc, tsgl, hashstate);
1999 		if (err)
2000 			goto out;
2001 		cond_resched();
2002 	}
2003 	err = test_hash_vs_generic_impl(generic_driver, maxkeysize, req,
2004 					desc, tsgl, hashstate);
2005 out:
2006 	kfree(hashstate);
2007 	if (tsgl) {
2008 		destroy_test_sglist(tsgl);
2009 		kfree(tsgl);
2010 	}
2011 	kfree(desc);
2012 	crypto_free_shash(stfm);
2013 	ahash_request_free(req);
2014 	crypto_free_ahash(atfm);
2015 	return err;
2016 }
2017 
alg_test_hash(const struct alg_test_desc * desc,const char * driver,u32 type,u32 mask)2018 static int alg_test_hash(const struct alg_test_desc *desc, const char *driver,
2019 			 u32 type, u32 mask)
2020 {
2021 	const struct hash_testvec *template = desc->suite.hash.vecs;
2022 	unsigned int tcount = desc->suite.hash.count;
2023 	unsigned int nr_unkeyed, nr_keyed;
2024 	unsigned int maxkeysize = 0;
2025 	int err;
2026 
2027 	/*
2028 	 * For OPTIONAL_KEY algorithms, we have to do all the unkeyed tests
2029 	 * first, before setting a key on the tfm.  To make this easier, we
2030 	 * require that the unkeyed test vectors (if any) are listed first.
2031 	 */
2032 
2033 	for (nr_unkeyed = 0; nr_unkeyed < tcount; nr_unkeyed++) {
2034 		if (template[nr_unkeyed].ksize)
2035 			break;
2036 	}
2037 	for (nr_keyed = 0; nr_unkeyed + nr_keyed < tcount; nr_keyed++) {
2038 		if (!template[nr_unkeyed + nr_keyed].ksize) {
2039 			pr_err("alg: hash: test vectors for %s out of order, "
2040 			       "unkeyed ones must come first\n", desc->alg);
2041 			return -EINVAL;
2042 		}
2043 		maxkeysize = max_t(unsigned int, maxkeysize,
2044 				   template[nr_unkeyed + nr_keyed].ksize);
2045 	}
2046 
2047 	err = 0;
2048 	if (nr_unkeyed) {
2049 		err = __alg_test_hash(template, nr_unkeyed, driver, type, mask,
2050 				      desc->generic_driver, maxkeysize);
2051 		template += nr_unkeyed;
2052 	}
2053 
2054 	if (!err && nr_keyed)
2055 		err = __alg_test_hash(template, nr_keyed, driver, type, mask,
2056 				      desc->generic_driver, maxkeysize);
2057 
2058 	return err;
2059 }
2060 
test_aead_vec_cfg(int enc,const struct aead_testvec * vec,const char * vec_name,const struct testvec_config * cfg,struct aead_request * req,struct cipher_test_sglists * tsgls)2061 static int test_aead_vec_cfg(int enc, const struct aead_testvec *vec,
2062 			     const char *vec_name,
2063 			     const struct testvec_config *cfg,
2064 			     struct aead_request *req,
2065 			     struct cipher_test_sglists *tsgls)
2066 {
2067 	struct crypto_aead *tfm = crypto_aead_reqtfm(req);
2068 	const unsigned int alignmask = crypto_aead_alignmask(tfm);
2069 	const unsigned int ivsize = crypto_aead_ivsize(tfm);
2070 	const unsigned int authsize = vec->clen - vec->plen;
2071 	const char *driver = crypto_aead_driver_name(tfm);
2072 	const u32 req_flags = CRYPTO_TFM_REQ_MAY_BACKLOG | cfg->req_flags;
2073 	const char *op = enc ? "encryption" : "decryption";
2074 	DECLARE_CRYPTO_WAIT(wait);
2075 	u8 _iv[3 * (MAX_ALGAPI_ALIGNMASK + 1) + MAX_IVLEN];
2076 	u8 *iv = PTR_ALIGN(&_iv[0], 2 * (MAX_ALGAPI_ALIGNMASK + 1)) +
2077 		 cfg->iv_offset +
2078 		 (cfg->iv_offset_relative_to_alignmask ? alignmask : 0);
2079 	struct kvec input[2];
2080 	int err;
2081 
2082 	/* Set the key */
2083 	if (vec->wk)
2084 		crypto_aead_set_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
2085 	else
2086 		crypto_aead_clear_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
2087 
2088 	err = do_setkey(crypto_aead_setkey, tfm, vec->key, vec->klen,
2089 			cfg, alignmask);
2090 	if (err && err != vec->setkey_error) {
2091 		pr_err("alg: aead: %s setkey failed on test vector %s; expected_error=%d, actual_error=%d, flags=%#x\n",
2092 		       driver, vec_name, vec->setkey_error, err,
2093 		       crypto_aead_get_flags(tfm));
2094 		return err;
2095 	}
2096 	if (!err && vec->setkey_error) {
2097 		pr_err("alg: aead: %s setkey unexpectedly succeeded on test vector %s; expected_error=%d\n",
2098 		       driver, vec_name, vec->setkey_error);
2099 		return -EINVAL;
2100 	}
2101 
2102 	/* Set the authentication tag size */
2103 	err = crypto_aead_setauthsize(tfm, authsize);
2104 	if (err && err != vec->setauthsize_error) {
2105 		pr_err("alg: aead: %s setauthsize failed on test vector %s; expected_error=%d, actual_error=%d\n",
2106 		       driver, vec_name, vec->setauthsize_error, err);
2107 		return err;
2108 	}
2109 	if (!err && vec->setauthsize_error) {
2110 		pr_err("alg: aead: %s setauthsize unexpectedly succeeded on test vector %s; expected_error=%d\n",
2111 		       driver, vec_name, vec->setauthsize_error);
2112 		return -EINVAL;
2113 	}
2114 
2115 	if (vec->setkey_error || vec->setauthsize_error)
2116 		return 0;
2117 
2118 	/* The IV must be copied to a buffer, as the algorithm may modify it */
2119 	if (WARN_ON(ivsize > MAX_IVLEN))
2120 		return -EINVAL;
2121 	if (vec->iv)
2122 		memcpy(iv, vec->iv, ivsize);
2123 	else
2124 		memset(iv, 0, ivsize);
2125 
2126 	/* Build the src/dst scatterlists */
2127 	input[0].iov_base = (void *)vec->assoc;
2128 	input[0].iov_len = vec->alen;
2129 	input[1].iov_base = enc ? (void *)vec->ptext : (void *)vec->ctext;
2130 	input[1].iov_len = enc ? vec->plen : vec->clen;
2131 	err = build_cipher_test_sglists(tsgls, cfg, alignmask,
2132 					vec->alen + (enc ? vec->plen :
2133 						     vec->clen),
2134 					vec->alen + (enc ? vec->clen :
2135 						     vec->plen),
2136 					input, 2);
2137 	if (err) {
2138 		pr_err("alg: aead: %s %s: error preparing scatterlists for test vector %s, cfg=\"%s\"\n",
2139 		       driver, op, vec_name, cfg->name);
2140 		return err;
2141 	}
2142 
2143 	/* Do the actual encryption or decryption */
2144 	testmgr_poison(req->__ctx, crypto_aead_reqsize(tfm));
2145 	aead_request_set_callback(req, req_flags, crypto_req_done, &wait);
2146 	aead_request_set_crypt(req, tsgls->src.sgl_ptr, tsgls->dst.sgl_ptr,
2147 			       enc ? vec->plen : vec->clen, iv);
2148 	aead_request_set_ad(req, vec->alen);
2149 	if (cfg->nosimd)
2150 		crypto_disable_simd_for_test();
2151 	err = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req);
2152 	if (cfg->nosimd)
2153 		crypto_reenable_simd_for_test();
2154 	err = crypto_wait_req(err, &wait);
2155 
2156 	/* Check that the algorithm didn't overwrite things it shouldn't have */
2157 	if (req->cryptlen != (enc ? vec->plen : vec->clen) ||
2158 	    req->assoclen != vec->alen ||
2159 	    req->iv != iv ||
2160 	    req->src != tsgls->src.sgl_ptr ||
2161 	    req->dst != tsgls->dst.sgl_ptr ||
2162 	    crypto_aead_reqtfm(req) != tfm ||
2163 	    req->base.complete != crypto_req_done ||
2164 	    req->base.flags != req_flags ||
2165 	    req->base.data != &wait) {
2166 		pr_err("alg: aead: %s %s corrupted request struct on test vector %s, cfg=\"%s\"\n",
2167 		       driver, op, vec_name, cfg->name);
2168 		if (req->cryptlen != (enc ? vec->plen : vec->clen))
2169 			pr_err("alg: aead: changed 'req->cryptlen'\n");
2170 		if (req->assoclen != vec->alen)
2171 			pr_err("alg: aead: changed 'req->assoclen'\n");
2172 		if (req->iv != iv)
2173 			pr_err("alg: aead: changed 'req->iv'\n");
2174 		if (req->src != tsgls->src.sgl_ptr)
2175 			pr_err("alg: aead: changed 'req->src'\n");
2176 		if (req->dst != tsgls->dst.sgl_ptr)
2177 			pr_err("alg: aead: changed 'req->dst'\n");
2178 		if (crypto_aead_reqtfm(req) != tfm)
2179 			pr_err("alg: aead: changed 'req->base.tfm'\n");
2180 		if (req->base.complete != crypto_req_done)
2181 			pr_err("alg: aead: changed 'req->base.complete'\n");
2182 		if (req->base.flags != req_flags)
2183 			pr_err("alg: aead: changed 'req->base.flags'\n");
2184 		if (req->base.data != &wait)
2185 			pr_err("alg: aead: changed 'req->base.data'\n");
2186 		return -EINVAL;
2187 	}
2188 	if (is_test_sglist_corrupted(&tsgls->src)) {
2189 		pr_err("alg: aead: %s %s corrupted src sgl on test vector %s, cfg=\"%s\"\n",
2190 		       driver, op, vec_name, cfg->name);
2191 		return -EINVAL;
2192 	}
2193 	if (tsgls->dst.sgl_ptr != tsgls->src.sgl &&
2194 	    is_test_sglist_corrupted(&tsgls->dst)) {
2195 		pr_err("alg: aead: %s %s corrupted dst sgl on test vector %s, cfg=\"%s\"\n",
2196 		       driver, op, vec_name, cfg->name);
2197 		return -EINVAL;
2198 	}
2199 
2200 	/* Check for unexpected success or failure, or wrong error code */
2201 	if ((err == 0 && vec->novrfy) ||
2202 	    (err != vec->crypt_error && !(err == -EBADMSG && vec->novrfy))) {
2203 		char expected_error[32];
2204 
2205 		if (vec->novrfy &&
2206 		    vec->crypt_error != 0 && vec->crypt_error != -EBADMSG)
2207 			sprintf(expected_error, "-EBADMSG or %d",
2208 				vec->crypt_error);
2209 		else if (vec->novrfy)
2210 			sprintf(expected_error, "-EBADMSG");
2211 		else
2212 			sprintf(expected_error, "%d", vec->crypt_error);
2213 		if (err) {
2214 			pr_err("alg: aead: %s %s failed on test vector %s; expected_error=%s, actual_error=%d, cfg=\"%s\"\n",
2215 			       driver, op, vec_name, expected_error, err,
2216 			       cfg->name);
2217 			return err;
2218 		}
2219 		pr_err("alg: aead: %s %s unexpectedly succeeded on test vector %s; expected_error=%s, cfg=\"%s\"\n",
2220 		       driver, op, vec_name, expected_error, cfg->name);
2221 		return -EINVAL;
2222 	}
2223 	if (err) /* Expectedly failed. */
2224 		return 0;
2225 
2226 	/* Check for the correct output (ciphertext or plaintext) */
2227 	err = verify_correct_output(&tsgls->dst, enc ? vec->ctext : vec->ptext,
2228 				    enc ? vec->clen : vec->plen,
2229 				    vec->alen,
2230 				    enc || cfg->inplace_mode == OUT_OF_PLACE);
2231 	if (err == -EOVERFLOW) {
2232 		pr_err("alg: aead: %s %s overran dst buffer on test vector %s, cfg=\"%s\"\n",
2233 		       driver, op, vec_name, cfg->name);
2234 		return err;
2235 	}
2236 	if (err) {
2237 		pr_err("alg: aead: %s %s test failed (wrong result) on test vector %s, cfg=\"%s\"\n",
2238 		       driver, op, vec_name, cfg->name);
2239 		return err;
2240 	}
2241 
2242 	return 0;
2243 }
2244 
test_aead_vec(int enc,const struct aead_testvec * vec,unsigned int vec_num,struct aead_request * req,struct cipher_test_sglists * tsgls)2245 static int test_aead_vec(int enc, const struct aead_testvec *vec,
2246 			 unsigned int vec_num, struct aead_request *req,
2247 			 struct cipher_test_sglists *tsgls)
2248 {
2249 	char vec_name[16];
2250 	unsigned int i;
2251 	int err;
2252 
2253 	if (enc && vec->novrfy)
2254 		return 0;
2255 
2256 	sprintf(vec_name, "%u", vec_num);
2257 
2258 	for (i = 0; i < ARRAY_SIZE(default_cipher_testvec_configs); i++) {
2259 		err = test_aead_vec_cfg(enc, vec, vec_name,
2260 					&default_cipher_testvec_configs[i],
2261 					req, tsgls);
2262 		if (err)
2263 			return err;
2264 	}
2265 
2266 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
2267 	if (!noextratests) {
2268 		struct rnd_state rng;
2269 		struct testvec_config cfg;
2270 		char cfgname[TESTVEC_CONFIG_NAMELEN];
2271 
2272 		init_rnd_state(&rng);
2273 
2274 		for (i = 0; i < fuzz_iterations; i++) {
2275 			generate_random_testvec_config(&rng, &cfg, cfgname,
2276 						       sizeof(cfgname));
2277 			err = test_aead_vec_cfg(enc, vec, vec_name,
2278 						&cfg, req, tsgls);
2279 			if (err)
2280 				return err;
2281 			cond_resched();
2282 		}
2283 	}
2284 #endif
2285 	return 0;
2286 }
2287 
2288 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
2289 
2290 struct aead_extra_tests_ctx {
2291 	struct rnd_state rng;
2292 	struct aead_request *req;
2293 	struct crypto_aead *tfm;
2294 	const struct alg_test_desc *test_desc;
2295 	struct cipher_test_sglists *tsgls;
2296 	unsigned int maxdatasize;
2297 	unsigned int maxkeysize;
2298 
2299 	struct aead_testvec vec;
2300 	char vec_name[64];
2301 	char cfgname[TESTVEC_CONFIG_NAMELEN];
2302 	struct testvec_config cfg;
2303 };
2304 
2305 /*
2306  * Make at least one random change to a (ciphertext, AAD) pair.  "Ciphertext"
2307  * here means the full ciphertext including the authentication tag.  The
2308  * authentication tag (and hence also the ciphertext) is assumed to be nonempty.
2309  */
mutate_aead_message(struct rnd_state * rng,struct aead_testvec * vec,bool aad_iv,unsigned int ivsize)2310 static void mutate_aead_message(struct rnd_state *rng,
2311 				struct aead_testvec *vec, bool aad_iv,
2312 				unsigned int ivsize)
2313 {
2314 	const unsigned int aad_tail_size = aad_iv ? ivsize : 0;
2315 	const unsigned int authsize = vec->clen - vec->plen;
2316 
2317 	if (prandom_bool(rng) && vec->alen > aad_tail_size) {
2318 		 /* Mutate the AAD */
2319 		flip_random_bit(rng, (u8 *)vec->assoc,
2320 				vec->alen - aad_tail_size);
2321 		if (prandom_bool(rng))
2322 			return;
2323 	}
2324 	if (prandom_bool(rng)) {
2325 		/* Mutate auth tag (assuming it's at the end of ciphertext) */
2326 		flip_random_bit(rng, (u8 *)vec->ctext + vec->plen, authsize);
2327 	} else {
2328 		/* Mutate any part of the ciphertext */
2329 		flip_random_bit(rng, (u8 *)vec->ctext, vec->clen);
2330 	}
2331 }
2332 
2333 /*
2334  * Minimum authentication tag size in bytes at which we assume that we can
2335  * reliably generate inauthentic messages, i.e. not generate an authentic
2336  * message by chance.
2337  */
2338 #define MIN_COLLISION_FREE_AUTHSIZE 8
2339 
generate_aead_message(struct rnd_state * rng,struct aead_request * req,const struct aead_test_suite * suite,struct aead_testvec * vec,bool prefer_inauthentic)2340 static void generate_aead_message(struct rnd_state *rng,
2341 				  struct aead_request *req,
2342 				  const struct aead_test_suite *suite,
2343 				  struct aead_testvec *vec,
2344 				  bool prefer_inauthentic)
2345 {
2346 	struct crypto_aead *tfm = crypto_aead_reqtfm(req);
2347 	const unsigned int ivsize = crypto_aead_ivsize(tfm);
2348 	const unsigned int authsize = vec->clen - vec->plen;
2349 	const bool inauthentic = (authsize >= MIN_COLLISION_FREE_AUTHSIZE) &&
2350 				 (prefer_inauthentic ||
2351 				  prandom_u32_below(rng, 4) == 0);
2352 
2353 	/* Generate the AAD. */
2354 	generate_random_bytes(rng, (u8 *)vec->assoc, vec->alen);
2355 	if (suite->aad_iv && vec->alen >= ivsize)
2356 		/* Avoid implementation-defined behavior. */
2357 		memcpy((u8 *)vec->assoc + vec->alen - ivsize, vec->iv, ivsize);
2358 
2359 	if (inauthentic && prandom_bool(rng)) {
2360 		/* Generate a random ciphertext. */
2361 		generate_random_bytes(rng, (u8 *)vec->ctext, vec->clen);
2362 	} else {
2363 		int i = 0;
2364 		struct scatterlist src[2], dst;
2365 		u8 iv[MAX_IVLEN];
2366 		DECLARE_CRYPTO_WAIT(wait);
2367 
2368 		/* Generate a random plaintext and encrypt it. */
2369 		sg_init_table(src, 2);
2370 		if (vec->alen)
2371 			sg_set_buf(&src[i++], vec->assoc, vec->alen);
2372 		if (vec->plen) {
2373 			generate_random_bytes(rng, (u8 *)vec->ptext, vec->plen);
2374 			sg_set_buf(&src[i++], vec->ptext, vec->plen);
2375 		}
2376 		sg_init_one(&dst, vec->ctext, vec->alen + vec->clen);
2377 		memcpy(iv, vec->iv, ivsize);
2378 		aead_request_set_callback(req, 0, crypto_req_done, &wait);
2379 		aead_request_set_crypt(req, src, &dst, vec->plen, iv);
2380 		aead_request_set_ad(req, vec->alen);
2381 		vec->crypt_error = crypto_wait_req(crypto_aead_encrypt(req),
2382 						   &wait);
2383 		/* If encryption failed, we're done. */
2384 		if (vec->crypt_error != 0)
2385 			return;
2386 		memmove((u8 *)vec->ctext, vec->ctext + vec->alen, vec->clen);
2387 		if (!inauthentic)
2388 			return;
2389 		/*
2390 		 * Mutate the authentic (ciphertext, AAD) pair to get an
2391 		 * inauthentic one.
2392 		 */
2393 		mutate_aead_message(rng, vec, suite->aad_iv, ivsize);
2394 	}
2395 	vec->novrfy = 1;
2396 	if (suite->einval_allowed)
2397 		vec->crypt_error = -EINVAL;
2398 }
2399 
2400 /*
2401  * Generate an AEAD test vector 'vec' using the implementation specified by
2402  * 'req'.  The buffers in 'vec' must already be allocated.
2403  *
2404  * If 'prefer_inauthentic' is true, then this function will generate inauthentic
2405  * test vectors (i.e. vectors with 'vec->novrfy=1') more often.
2406  */
generate_random_aead_testvec(struct rnd_state * rng,struct aead_request * req,struct aead_testvec * vec,const struct aead_test_suite * suite,unsigned int maxkeysize,unsigned int maxdatasize,char * name,size_t max_namelen,bool prefer_inauthentic)2407 static void generate_random_aead_testvec(struct rnd_state *rng,
2408 					 struct aead_request *req,
2409 					 struct aead_testvec *vec,
2410 					 const struct aead_test_suite *suite,
2411 					 unsigned int maxkeysize,
2412 					 unsigned int maxdatasize,
2413 					 char *name, size_t max_namelen,
2414 					 bool prefer_inauthentic)
2415 {
2416 	struct crypto_aead *tfm = crypto_aead_reqtfm(req);
2417 	const unsigned int ivsize = crypto_aead_ivsize(tfm);
2418 	const unsigned int maxauthsize = crypto_aead_maxauthsize(tfm);
2419 	unsigned int authsize;
2420 	unsigned int total_len;
2421 
2422 	/* Key: length in [0, maxkeysize], but usually choose maxkeysize */
2423 	vec->klen = maxkeysize;
2424 	if (prandom_u32_below(rng, 4) == 0)
2425 		vec->klen = prandom_u32_below(rng, maxkeysize + 1);
2426 	generate_random_bytes(rng, (u8 *)vec->key, vec->klen);
2427 	vec->setkey_error = crypto_aead_setkey(tfm, vec->key, vec->klen);
2428 
2429 	/* IV */
2430 	generate_random_bytes(rng, (u8 *)vec->iv, ivsize);
2431 
2432 	/* Tag length: in [0, maxauthsize], but usually choose maxauthsize */
2433 	authsize = maxauthsize;
2434 	if (prandom_u32_below(rng, 4) == 0)
2435 		authsize = prandom_u32_below(rng, maxauthsize + 1);
2436 	if (prefer_inauthentic && authsize < MIN_COLLISION_FREE_AUTHSIZE)
2437 		authsize = MIN_COLLISION_FREE_AUTHSIZE;
2438 	if (WARN_ON(authsize > maxdatasize))
2439 		authsize = maxdatasize;
2440 	maxdatasize -= authsize;
2441 	vec->setauthsize_error = crypto_aead_setauthsize(tfm, authsize);
2442 
2443 	/* AAD, plaintext, and ciphertext lengths */
2444 	total_len = generate_random_length(rng, maxdatasize);
2445 	if (prandom_u32_below(rng, 4) == 0)
2446 		vec->alen = 0;
2447 	else
2448 		vec->alen = generate_random_length(rng, total_len);
2449 	vec->plen = total_len - vec->alen;
2450 	vec->clen = vec->plen + authsize;
2451 
2452 	/*
2453 	 * Generate the AAD, plaintext, and ciphertext.  Not applicable if the
2454 	 * key or the authentication tag size couldn't be set.
2455 	 */
2456 	vec->novrfy = 0;
2457 	vec->crypt_error = 0;
2458 	if (vec->setkey_error == 0 && vec->setauthsize_error == 0)
2459 		generate_aead_message(rng, req, suite, vec, prefer_inauthentic);
2460 	snprintf(name, max_namelen,
2461 		 "\"random: alen=%u plen=%u authsize=%u klen=%u novrfy=%d\"",
2462 		 vec->alen, vec->plen, authsize, vec->klen, vec->novrfy);
2463 }
2464 
try_to_generate_inauthentic_testvec(struct aead_extra_tests_ctx * ctx)2465 static void try_to_generate_inauthentic_testvec(
2466 					struct aead_extra_tests_ctx *ctx)
2467 {
2468 	int i;
2469 
2470 	for (i = 0; i < 10; i++) {
2471 		generate_random_aead_testvec(&ctx->rng, ctx->req, &ctx->vec,
2472 					     &ctx->test_desc->suite.aead,
2473 					     ctx->maxkeysize, ctx->maxdatasize,
2474 					     ctx->vec_name,
2475 					     sizeof(ctx->vec_name), true);
2476 		if (ctx->vec.novrfy)
2477 			return;
2478 	}
2479 }
2480 
2481 /*
2482  * Generate inauthentic test vectors (i.e. ciphertext, AAD pairs that aren't the
2483  * result of an encryption with the key) and verify that decryption fails.
2484  */
test_aead_inauthentic_inputs(struct aead_extra_tests_ctx * ctx)2485 static int test_aead_inauthentic_inputs(struct aead_extra_tests_ctx *ctx)
2486 {
2487 	unsigned int i;
2488 	int err;
2489 
2490 	for (i = 0; i < fuzz_iterations * 8; i++) {
2491 		/*
2492 		 * Since this part of the tests isn't comparing the
2493 		 * implementation to another, there's no point in testing any
2494 		 * test vectors other than inauthentic ones (vec.novrfy=1) here.
2495 		 *
2496 		 * If we're having trouble generating such a test vector, e.g.
2497 		 * if the algorithm keeps rejecting the generated keys, don't
2498 		 * retry forever; just continue on.
2499 		 */
2500 		try_to_generate_inauthentic_testvec(ctx);
2501 		if (ctx->vec.novrfy) {
2502 			generate_random_testvec_config(&ctx->rng, &ctx->cfg,
2503 						       ctx->cfgname,
2504 						       sizeof(ctx->cfgname));
2505 			err = test_aead_vec_cfg(DECRYPT, &ctx->vec,
2506 						ctx->vec_name, &ctx->cfg,
2507 						ctx->req, ctx->tsgls);
2508 			if (err)
2509 				return err;
2510 		}
2511 		cond_resched();
2512 	}
2513 	return 0;
2514 }
2515 
2516 /*
2517  * Test the AEAD algorithm against the corresponding generic implementation, if
2518  * one is available.
2519  */
test_aead_vs_generic_impl(struct aead_extra_tests_ctx * ctx)2520 static int test_aead_vs_generic_impl(struct aead_extra_tests_ctx *ctx)
2521 {
2522 	struct crypto_aead *tfm = ctx->tfm;
2523 	const char *algname = crypto_aead_alg(tfm)->base.cra_name;
2524 	const char *driver = crypto_aead_driver_name(tfm);
2525 	const char *generic_driver = ctx->test_desc->generic_driver;
2526 	char _generic_driver[CRYPTO_MAX_ALG_NAME];
2527 	struct crypto_aead *generic_tfm = NULL;
2528 	struct aead_request *generic_req = NULL;
2529 	unsigned int i;
2530 	int err;
2531 
2532 	if (!generic_driver) { /* Use default naming convention? */
2533 		err = build_generic_driver_name(algname, _generic_driver);
2534 		if (err)
2535 			return err;
2536 		generic_driver = _generic_driver;
2537 	}
2538 
2539 	if (strcmp(generic_driver, driver) == 0) /* Already the generic impl? */
2540 		return 0;
2541 
2542 	generic_tfm = crypto_alloc_aead(generic_driver, 0, 0);
2543 	if (IS_ERR(generic_tfm)) {
2544 		err = PTR_ERR(generic_tfm);
2545 		if (err == -ENOENT) {
2546 			pr_warn("alg: aead: skipping comparison tests for %s because %s is unavailable\n",
2547 				driver, generic_driver);
2548 			return 0;
2549 		}
2550 		pr_err("alg: aead: error allocating %s (generic impl of %s): %d\n",
2551 		       generic_driver, algname, err);
2552 		return err;
2553 	}
2554 
2555 	generic_req = aead_request_alloc(generic_tfm, GFP_KERNEL);
2556 	if (!generic_req) {
2557 		err = -ENOMEM;
2558 		goto out;
2559 	}
2560 
2561 	/* Check the algorithm properties for consistency. */
2562 
2563 	if (crypto_aead_maxauthsize(tfm) !=
2564 	    crypto_aead_maxauthsize(generic_tfm)) {
2565 		pr_err("alg: aead: maxauthsize for %s (%u) doesn't match generic impl (%u)\n",
2566 		       driver, crypto_aead_maxauthsize(tfm),
2567 		       crypto_aead_maxauthsize(generic_tfm));
2568 		err = -EINVAL;
2569 		goto out;
2570 	}
2571 
2572 	if (crypto_aead_ivsize(tfm) != crypto_aead_ivsize(generic_tfm)) {
2573 		pr_err("alg: aead: ivsize for %s (%u) doesn't match generic impl (%u)\n",
2574 		       driver, crypto_aead_ivsize(tfm),
2575 		       crypto_aead_ivsize(generic_tfm));
2576 		err = -EINVAL;
2577 		goto out;
2578 	}
2579 
2580 	if (crypto_aead_blocksize(tfm) != crypto_aead_blocksize(generic_tfm)) {
2581 		pr_err("alg: aead: blocksize for %s (%u) doesn't match generic impl (%u)\n",
2582 		       driver, crypto_aead_blocksize(tfm),
2583 		       crypto_aead_blocksize(generic_tfm));
2584 		err = -EINVAL;
2585 		goto out;
2586 	}
2587 
2588 	/*
2589 	 * Now generate test vectors using the generic implementation, and test
2590 	 * the other implementation against them.
2591 	 */
2592 	for (i = 0; i < fuzz_iterations * 8; i++) {
2593 		generate_random_aead_testvec(&ctx->rng, generic_req, &ctx->vec,
2594 					     &ctx->test_desc->suite.aead,
2595 					     ctx->maxkeysize, ctx->maxdatasize,
2596 					     ctx->vec_name,
2597 					     sizeof(ctx->vec_name), false);
2598 		generate_random_testvec_config(&ctx->rng, &ctx->cfg,
2599 					       ctx->cfgname,
2600 					       sizeof(ctx->cfgname));
2601 		if (!ctx->vec.novrfy) {
2602 			err = test_aead_vec_cfg(ENCRYPT, &ctx->vec,
2603 						ctx->vec_name, &ctx->cfg,
2604 						ctx->req, ctx->tsgls);
2605 			if (err)
2606 				goto out;
2607 		}
2608 		if (ctx->vec.crypt_error == 0 || ctx->vec.novrfy) {
2609 			err = test_aead_vec_cfg(DECRYPT, &ctx->vec,
2610 						ctx->vec_name, &ctx->cfg,
2611 						ctx->req, ctx->tsgls);
2612 			if (err)
2613 				goto out;
2614 		}
2615 		cond_resched();
2616 	}
2617 	err = 0;
2618 out:
2619 	crypto_free_aead(generic_tfm);
2620 	aead_request_free(generic_req);
2621 	return err;
2622 }
2623 
test_aead_extra(const struct alg_test_desc * test_desc,struct aead_request * req,struct cipher_test_sglists * tsgls)2624 static int test_aead_extra(const struct alg_test_desc *test_desc,
2625 			   struct aead_request *req,
2626 			   struct cipher_test_sglists *tsgls)
2627 {
2628 	struct aead_extra_tests_ctx *ctx;
2629 	unsigned int i;
2630 	int err;
2631 
2632 	if (noextratests)
2633 		return 0;
2634 
2635 	ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
2636 	if (!ctx)
2637 		return -ENOMEM;
2638 	init_rnd_state(&ctx->rng);
2639 	ctx->req = req;
2640 	ctx->tfm = crypto_aead_reqtfm(req);
2641 	ctx->test_desc = test_desc;
2642 	ctx->tsgls = tsgls;
2643 	ctx->maxdatasize = (2 * PAGE_SIZE) - TESTMGR_POISON_LEN;
2644 	ctx->maxkeysize = 0;
2645 	for (i = 0; i < test_desc->suite.aead.count; i++)
2646 		ctx->maxkeysize = max_t(unsigned int, ctx->maxkeysize,
2647 					test_desc->suite.aead.vecs[i].klen);
2648 
2649 	ctx->vec.key = kmalloc(ctx->maxkeysize, GFP_KERNEL);
2650 	ctx->vec.iv = kmalloc(crypto_aead_ivsize(ctx->tfm), GFP_KERNEL);
2651 	ctx->vec.assoc = kmalloc(ctx->maxdatasize, GFP_KERNEL);
2652 	ctx->vec.ptext = kmalloc(ctx->maxdatasize, GFP_KERNEL);
2653 	ctx->vec.ctext = kmalloc(ctx->maxdatasize, GFP_KERNEL);
2654 	if (!ctx->vec.key || !ctx->vec.iv || !ctx->vec.assoc ||
2655 	    !ctx->vec.ptext || !ctx->vec.ctext) {
2656 		err = -ENOMEM;
2657 		goto out;
2658 	}
2659 
2660 	err = test_aead_vs_generic_impl(ctx);
2661 	if (err)
2662 		goto out;
2663 
2664 	err = test_aead_inauthentic_inputs(ctx);
2665 out:
2666 	kfree(ctx->vec.key);
2667 	kfree(ctx->vec.iv);
2668 	kfree(ctx->vec.assoc);
2669 	kfree(ctx->vec.ptext);
2670 	kfree(ctx->vec.ctext);
2671 	kfree(ctx);
2672 	return err;
2673 }
2674 #else /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
test_aead_extra(const struct alg_test_desc * test_desc,struct aead_request * req,struct cipher_test_sglists * tsgls)2675 static int test_aead_extra(const struct alg_test_desc *test_desc,
2676 			   struct aead_request *req,
2677 			   struct cipher_test_sglists *tsgls)
2678 {
2679 	return 0;
2680 }
2681 #endif /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
2682 
test_aead(int enc,const struct aead_test_suite * suite,struct aead_request * req,struct cipher_test_sglists * tsgls)2683 static int test_aead(int enc, const struct aead_test_suite *suite,
2684 		     struct aead_request *req,
2685 		     struct cipher_test_sglists *tsgls)
2686 {
2687 	unsigned int i;
2688 	int err;
2689 
2690 	for (i = 0; i < suite->count; i++) {
2691 		err = test_aead_vec(enc, &suite->vecs[i], i, req, tsgls);
2692 		if (err)
2693 			return err;
2694 		cond_resched();
2695 	}
2696 	return 0;
2697 }
2698 
alg_test_aead(const struct alg_test_desc * desc,const char * driver,u32 type,u32 mask)2699 static int alg_test_aead(const struct alg_test_desc *desc, const char *driver,
2700 			 u32 type, u32 mask)
2701 {
2702 	const struct aead_test_suite *suite = &desc->suite.aead;
2703 	struct crypto_aead *tfm;
2704 	struct aead_request *req = NULL;
2705 	struct cipher_test_sglists *tsgls = NULL;
2706 	int err;
2707 
2708 	if (suite->count <= 0) {
2709 		pr_err("alg: aead: empty test suite for %s\n", driver);
2710 		return -EINVAL;
2711 	}
2712 
2713 	tfm = crypto_alloc_aead(driver, type, mask);
2714 	if (IS_ERR(tfm)) {
2715 		if (PTR_ERR(tfm) == -ENOENT)
2716 			return 0;
2717 		pr_err("alg: aead: failed to allocate transform for %s: %ld\n",
2718 		       driver, PTR_ERR(tfm));
2719 		return PTR_ERR(tfm);
2720 	}
2721 	driver = crypto_aead_driver_name(tfm);
2722 
2723 	req = aead_request_alloc(tfm, GFP_KERNEL);
2724 	if (!req) {
2725 		pr_err("alg: aead: failed to allocate request for %s\n",
2726 		       driver);
2727 		err = -ENOMEM;
2728 		goto out;
2729 	}
2730 
2731 	tsgls = alloc_cipher_test_sglists();
2732 	if (!tsgls) {
2733 		pr_err("alg: aead: failed to allocate test buffers for %s\n",
2734 		       driver);
2735 		err = -ENOMEM;
2736 		goto out;
2737 	}
2738 
2739 	err = test_aead(ENCRYPT, suite, req, tsgls);
2740 	if (err)
2741 		goto out;
2742 
2743 	err = test_aead(DECRYPT, suite, req, tsgls);
2744 	if (err)
2745 		goto out;
2746 
2747 	err = test_aead_extra(desc, req, tsgls);
2748 out:
2749 	free_cipher_test_sglists(tsgls);
2750 	aead_request_free(req);
2751 	crypto_free_aead(tfm);
2752 	return err;
2753 }
2754 
test_cipher(struct crypto_cipher * tfm,int enc,const struct cipher_testvec * template,unsigned int tcount)2755 static int test_cipher(struct crypto_cipher *tfm, int enc,
2756 		       const struct cipher_testvec *template,
2757 		       unsigned int tcount)
2758 {
2759 	const char *algo = crypto_tfm_alg_driver_name(crypto_cipher_tfm(tfm));
2760 	unsigned int i, j, k;
2761 	char *q;
2762 	const char *e;
2763 	const char *input, *result;
2764 	void *data;
2765 	char *xbuf[XBUFSIZE];
2766 	int ret = -ENOMEM;
2767 
2768 	if (testmgr_alloc_buf(xbuf))
2769 		goto out_nobuf;
2770 
2771 	if (enc == ENCRYPT)
2772 	        e = "encryption";
2773 	else
2774 		e = "decryption";
2775 
2776 	j = 0;
2777 	for (i = 0; i < tcount; i++) {
2778 
2779 		if (fips_enabled && template[i].fips_skip)
2780 			continue;
2781 
2782 		input  = enc ? template[i].ptext : template[i].ctext;
2783 		result = enc ? template[i].ctext : template[i].ptext;
2784 		j++;
2785 
2786 		ret = -EINVAL;
2787 		if (WARN_ON(template[i].len > PAGE_SIZE))
2788 			goto out;
2789 
2790 		data = xbuf[0];
2791 		memcpy(data, input, template[i].len);
2792 
2793 		crypto_cipher_clear_flags(tfm, ~0);
2794 		if (template[i].wk)
2795 			crypto_cipher_set_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
2796 
2797 		ret = crypto_cipher_setkey(tfm, template[i].key,
2798 					   template[i].klen);
2799 		if (ret) {
2800 			if (ret == template[i].setkey_error)
2801 				continue;
2802 			pr_err("alg: cipher: %s setkey failed on test vector %u; expected_error=%d, actual_error=%d, flags=%#x\n",
2803 			       algo, j, template[i].setkey_error, ret,
2804 			       crypto_cipher_get_flags(tfm));
2805 			goto out;
2806 		}
2807 		if (template[i].setkey_error) {
2808 			pr_err("alg: cipher: %s setkey unexpectedly succeeded on test vector %u; expected_error=%d\n",
2809 			       algo, j, template[i].setkey_error);
2810 			ret = -EINVAL;
2811 			goto out;
2812 		}
2813 
2814 		for (k = 0; k < template[i].len;
2815 		     k += crypto_cipher_blocksize(tfm)) {
2816 			if (enc)
2817 				crypto_cipher_encrypt_one(tfm, data + k,
2818 							  data + k);
2819 			else
2820 				crypto_cipher_decrypt_one(tfm, data + k,
2821 							  data + k);
2822 		}
2823 
2824 		q = data;
2825 		if (memcmp(q, result, template[i].len)) {
2826 			printk(KERN_ERR "alg: cipher: Test %d failed "
2827 			       "on %s for %s\n", j, e, algo);
2828 			hexdump(q, template[i].len);
2829 			ret = -EINVAL;
2830 			goto out;
2831 		}
2832 	}
2833 
2834 	ret = 0;
2835 
2836 out:
2837 	testmgr_free_buf(xbuf);
2838 out_nobuf:
2839 	return ret;
2840 }
2841 
test_skcipher_vec_cfg(int enc,const struct cipher_testvec * vec,const char * vec_name,const struct testvec_config * cfg,struct skcipher_request * req,struct cipher_test_sglists * tsgls)2842 static int test_skcipher_vec_cfg(int enc, const struct cipher_testvec *vec,
2843 				 const char *vec_name,
2844 				 const struct testvec_config *cfg,
2845 				 struct skcipher_request *req,
2846 				 struct cipher_test_sglists *tsgls)
2847 {
2848 	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
2849 	const unsigned int alignmask = crypto_skcipher_alignmask(tfm);
2850 	const unsigned int ivsize = crypto_skcipher_ivsize(tfm);
2851 	const char *driver = crypto_skcipher_driver_name(tfm);
2852 	const u32 req_flags = CRYPTO_TFM_REQ_MAY_BACKLOG | cfg->req_flags;
2853 	const char *op = enc ? "encryption" : "decryption";
2854 	DECLARE_CRYPTO_WAIT(wait);
2855 	u8 _iv[3 * (MAX_ALGAPI_ALIGNMASK + 1) + MAX_IVLEN];
2856 	u8 *iv = PTR_ALIGN(&_iv[0], 2 * (MAX_ALGAPI_ALIGNMASK + 1)) +
2857 		 cfg->iv_offset +
2858 		 (cfg->iv_offset_relative_to_alignmask ? alignmask : 0);
2859 	struct kvec input;
2860 	int err;
2861 
2862 	/* Set the key */
2863 	if (vec->wk)
2864 		crypto_skcipher_set_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
2865 	else
2866 		crypto_skcipher_clear_flags(tfm,
2867 					    CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
2868 	err = do_setkey(crypto_skcipher_setkey, tfm, vec->key, vec->klen,
2869 			cfg, alignmask);
2870 	if (err) {
2871 		if (err == vec->setkey_error)
2872 			return 0;
2873 		pr_err("alg: skcipher: %s setkey failed on test vector %s; expected_error=%d, actual_error=%d, flags=%#x\n",
2874 		       driver, vec_name, vec->setkey_error, err,
2875 		       crypto_skcipher_get_flags(tfm));
2876 		return err;
2877 	}
2878 	if (vec->setkey_error) {
2879 		pr_err("alg: skcipher: %s setkey unexpectedly succeeded on test vector %s; expected_error=%d\n",
2880 		       driver, vec_name, vec->setkey_error);
2881 		return -EINVAL;
2882 	}
2883 
2884 	/* The IV must be copied to a buffer, as the algorithm may modify it */
2885 	if (ivsize) {
2886 		if (WARN_ON(ivsize > MAX_IVLEN))
2887 			return -EINVAL;
2888 		if (vec->iv)
2889 			memcpy(iv, vec->iv, ivsize);
2890 		else
2891 			memset(iv, 0, ivsize);
2892 	} else {
2893 		iv = NULL;
2894 	}
2895 
2896 	/* Build the src/dst scatterlists */
2897 	input.iov_base = enc ? (void *)vec->ptext : (void *)vec->ctext;
2898 	input.iov_len = vec->len;
2899 	err = build_cipher_test_sglists(tsgls, cfg, alignmask,
2900 					vec->len, vec->len, &input, 1);
2901 	if (err) {
2902 		pr_err("alg: skcipher: %s %s: error preparing scatterlists for test vector %s, cfg=\"%s\"\n",
2903 		       driver, op, vec_name, cfg->name);
2904 		return err;
2905 	}
2906 
2907 	/* Do the actual encryption or decryption */
2908 	testmgr_poison(req->__ctx, crypto_skcipher_reqsize(tfm));
2909 	skcipher_request_set_callback(req, req_flags, crypto_req_done, &wait);
2910 	skcipher_request_set_crypt(req, tsgls->src.sgl_ptr, tsgls->dst.sgl_ptr,
2911 				   vec->len, iv);
2912 	if (cfg->nosimd)
2913 		crypto_disable_simd_for_test();
2914 	err = enc ? crypto_skcipher_encrypt(req) : crypto_skcipher_decrypt(req);
2915 	if (cfg->nosimd)
2916 		crypto_reenable_simd_for_test();
2917 	err = crypto_wait_req(err, &wait);
2918 
2919 	/* Check that the algorithm didn't overwrite things it shouldn't have */
2920 	if (req->cryptlen != vec->len ||
2921 	    req->iv != iv ||
2922 	    req->src != tsgls->src.sgl_ptr ||
2923 	    req->dst != tsgls->dst.sgl_ptr ||
2924 	    crypto_skcipher_reqtfm(req) != tfm ||
2925 	    req->base.complete != crypto_req_done ||
2926 	    req->base.flags != req_flags ||
2927 	    req->base.data != &wait) {
2928 		pr_err("alg: skcipher: %s %s corrupted request struct on test vector %s, cfg=\"%s\"\n",
2929 		       driver, op, vec_name, cfg->name);
2930 		if (req->cryptlen != vec->len)
2931 			pr_err("alg: skcipher: changed 'req->cryptlen'\n");
2932 		if (req->iv != iv)
2933 			pr_err("alg: skcipher: changed 'req->iv'\n");
2934 		if (req->src != tsgls->src.sgl_ptr)
2935 			pr_err("alg: skcipher: changed 'req->src'\n");
2936 		if (req->dst != tsgls->dst.sgl_ptr)
2937 			pr_err("alg: skcipher: changed 'req->dst'\n");
2938 		if (crypto_skcipher_reqtfm(req) != tfm)
2939 			pr_err("alg: skcipher: changed 'req->base.tfm'\n");
2940 		if (req->base.complete != crypto_req_done)
2941 			pr_err("alg: skcipher: changed 'req->base.complete'\n");
2942 		if (req->base.flags != req_flags)
2943 			pr_err("alg: skcipher: changed 'req->base.flags'\n");
2944 		if (req->base.data != &wait)
2945 			pr_err("alg: skcipher: changed 'req->base.data'\n");
2946 		return -EINVAL;
2947 	}
2948 	if (is_test_sglist_corrupted(&tsgls->src)) {
2949 		pr_err("alg: skcipher: %s %s corrupted src sgl on test vector %s, cfg=\"%s\"\n",
2950 		       driver, op, vec_name, cfg->name);
2951 		return -EINVAL;
2952 	}
2953 	if (tsgls->dst.sgl_ptr != tsgls->src.sgl &&
2954 	    is_test_sglist_corrupted(&tsgls->dst)) {
2955 		pr_err("alg: skcipher: %s %s corrupted dst sgl on test vector %s, cfg=\"%s\"\n",
2956 		       driver, op, vec_name, cfg->name);
2957 		return -EINVAL;
2958 	}
2959 
2960 	/* Check for success or failure */
2961 	if (err) {
2962 		if (err == vec->crypt_error)
2963 			return 0;
2964 		pr_err("alg: skcipher: %s %s failed on test vector %s; expected_error=%d, actual_error=%d, cfg=\"%s\"\n",
2965 		       driver, op, vec_name, vec->crypt_error, err, cfg->name);
2966 		return err;
2967 	}
2968 	if (vec->crypt_error) {
2969 		pr_err("alg: skcipher: %s %s unexpectedly succeeded on test vector %s; expected_error=%d, cfg=\"%s\"\n",
2970 		       driver, op, vec_name, vec->crypt_error, cfg->name);
2971 		return -EINVAL;
2972 	}
2973 
2974 	/* Check for the correct output (ciphertext or plaintext) */
2975 	err = verify_correct_output(&tsgls->dst, enc ? vec->ctext : vec->ptext,
2976 				    vec->len, 0, true);
2977 	if (err == -EOVERFLOW) {
2978 		pr_err("alg: skcipher: %s %s overran dst buffer on test vector %s, cfg=\"%s\"\n",
2979 		       driver, op, vec_name, cfg->name);
2980 		return err;
2981 	}
2982 	if (err) {
2983 		pr_err("alg: skcipher: %s %s test failed (wrong result) on test vector %s, cfg=\"%s\"\n",
2984 		       driver, op, vec_name, cfg->name);
2985 		return err;
2986 	}
2987 
2988 	/* If applicable, check that the algorithm generated the correct IV */
2989 	if (vec->iv_out && memcmp(iv, vec->iv_out, ivsize) != 0) {
2990 		pr_err("alg: skcipher: %s %s test failed (wrong output IV) on test vector %s, cfg=\"%s\"\n",
2991 		       driver, op, vec_name, cfg->name);
2992 		hexdump(iv, ivsize);
2993 		return -EINVAL;
2994 	}
2995 
2996 	return 0;
2997 }
2998 
test_skcipher_vec(int enc,const struct cipher_testvec * vec,unsigned int vec_num,struct skcipher_request * req,struct cipher_test_sglists * tsgls)2999 static int test_skcipher_vec(int enc, const struct cipher_testvec *vec,
3000 			     unsigned int vec_num,
3001 			     struct skcipher_request *req,
3002 			     struct cipher_test_sglists *tsgls)
3003 {
3004 	char vec_name[16];
3005 	unsigned int i;
3006 	int err;
3007 
3008 	if (fips_enabled && vec->fips_skip)
3009 		return 0;
3010 
3011 	sprintf(vec_name, "%u", vec_num);
3012 
3013 	for (i = 0; i < ARRAY_SIZE(default_cipher_testvec_configs); i++) {
3014 		err = test_skcipher_vec_cfg(enc, vec, vec_name,
3015 					    &default_cipher_testvec_configs[i],
3016 					    req, tsgls);
3017 		if (err)
3018 			return err;
3019 	}
3020 
3021 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
3022 	if (!noextratests) {
3023 		struct rnd_state rng;
3024 		struct testvec_config cfg;
3025 		char cfgname[TESTVEC_CONFIG_NAMELEN];
3026 
3027 		init_rnd_state(&rng);
3028 
3029 		for (i = 0; i < fuzz_iterations; i++) {
3030 			generate_random_testvec_config(&rng, &cfg, cfgname,
3031 						       sizeof(cfgname));
3032 			err = test_skcipher_vec_cfg(enc, vec, vec_name,
3033 						    &cfg, req, tsgls);
3034 			if (err)
3035 				return err;
3036 			cond_resched();
3037 		}
3038 	}
3039 #endif
3040 	return 0;
3041 }
3042 
3043 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
3044 /*
3045  * Generate a symmetric cipher test vector from the given implementation.
3046  * Assumes the buffers in 'vec' were already allocated.
3047  */
generate_random_cipher_testvec(struct rnd_state * rng,struct skcipher_request * req,struct cipher_testvec * vec,unsigned int maxdatasize,char * name,size_t max_namelen)3048 static void generate_random_cipher_testvec(struct rnd_state *rng,
3049 					   struct skcipher_request *req,
3050 					   struct cipher_testvec *vec,
3051 					   unsigned int maxdatasize,
3052 					   char *name, size_t max_namelen)
3053 {
3054 	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
3055 	const unsigned int maxkeysize = crypto_skcipher_max_keysize(tfm);
3056 	const unsigned int ivsize = crypto_skcipher_ivsize(tfm);
3057 	struct scatterlist src, dst;
3058 	u8 iv[MAX_IVLEN];
3059 	DECLARE_CRYPTO_WAIT(wait);
3060 
3061 	/* Key: length in [0, maxkeysize], but usually choose maxkeysize */
3062 	vec->klen = maxkeysize;
3063 	if (prandom_u32_below(rng, 4) == 0)
3064 		vec->klen = prandom_u32_below(rng, maxkeysize + 1);
3065 	generate_random_bytes(rng, (u8 *)vec->key, vec->klen);
3066 	vec->setkey_error = crypto_skcipher_setkey(tfm, vec->key, vec->klen);
3067 
3068 	/* IV */
3069 	generate_random_bytes(rng, (u8 *)vec->iv, ivsize);
3070 
3071 	/* Plaintext */
3072 	vec->len = generate_random_length(rng, maxdatasize);
3073 	generate_random_bytes(rng, (u8 *)vec->ptext, vec->len);
3074 
3075 	/* If the key couldn't be set, no need to continue to encrypt. */
3076 	if (vec->setkey_error)
3077 		goto done;
3078 
3079 	/* Ciphertext */
3080 	sg_init_one(&src, vec->ptext, vec->len);
3081 	sg_init_one(&dst, vec->ctext, vec->len);
3082 	memcpy(iv, vec->iv, ivsize);
3083 	skcipher_request_set_callback(req, 0, crypto_req_done, &wait);
3084 	skcipher_request_set_crypt(req, &src, &dst, vec->len, iv);
3085 	vec->crypt_error = crypto_wait_req(crypto_skcipher_encrypt(req), &wait);
3086 	if (vec->crypt_error != 0) {
3087 		/*
3088 		 * The only acceptable error here is for an invalid length, so
3089 		 * skcipher decryption should fail with the same error too.
3090 		 * We'll test for this.  But to keep the API usage well-defined,
3091 		 * explicitly initialize the ciphertext buffer too.
3092 		 */
3093 		memset((u8 *)vec->ctext, 0, vec->len);
3094 	}
3095 done:
3096 	snprintf(name, max_namelen, "\"random: len=%u klen=%u\"",
3097 		 vec->len, vec->klen);
3098 }
3099 
3100 /*
3101  * Test the skcipher algorithm represented by @req against the corresponding
3102  * generic implementation, if one is available.
3103  */
test_skcipher_vs_generic_impl(const char * generic_driver,struct skcipher_request * req,struct cipher_test_sglists * tsgls)3104 static int test_skcipher_vs_generic_impl(const char *generic_driver,
3105 					 struct skcipher_request *req,
3106 					 struct cipher_test_sglists *tsgls)
3107 {
3108 	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
3109 	const unsigned int maxkeysize = crypto_skcipher_max_keysize(tfm);
3110 	const unsigned int ivsize = crypto_skcipher_ivsize(tfm);
3111 	const unsigned int blocksize = crypto_skcipher_blocksize(tfm);
3112 	const unsigned int maxdatasize = (2 * PAGE_SIZE) - TESTMGR_POISON_LEN;
3113 	const char *algname = crypto_skcipher_alg(tfm)->base.cra_name;
3114 	const char *driver = crypto_skcipher_driver_name(tfm);
3115 	struct rnd_state rng;
3116 	char _generic_driver[CRYPTO_MAX_ALG_NAME];
3117 	struct crypto_skcipher *generic_tfm = NULL;
3118 	struct skcipher_request *generic_req = NULL;
3119 	unsigned int i;
3120 	struct cipher_testvec vec = { 0 };
3121 	char vec_name[64];
3122 	struct testvec_config *cfg;
3123 	char cfgname[TESTVEC_CONFIG_NAMELEN];
3124 	int err;
3125 
3126 	if (noextratests)
3127 		return 0;
3128 
3129 	init_rnd_state(&rng);
3130 
3131 	if (!generic_driver) { /* Use default naming convention? */
3132 		err = build_generic_driver_name(algname, _generic_driver);
3133 		if (err)
3134 			return err;
3135 		generic_driver = _generic_driver;
3136 	}
3137 
3138 	if (strcmp(generic_driver, driver) == 0) /* Already the generic impl? */
3139 		return 0;
3140 
3141 	generic_tfm = crypto_alloc_skcipher(generic_driver, 0, 0);
3142 	if (IS_ERR(generic_tfm)) {
3143 		err = PTR_ERR(generic_tfm);
3144 		if (err == -ENOENT) {
3145 			pr_warn("alg: skcipher: skipping comparison tests for %s because %s is unavailable\n",
3146 				driver, generic_driver);
3147 			return 0;
3148 		}
3149 		pr_err("alg: skcipher: error allocating %s (generic impl of %s): %d\n",
3150 		       generic_driver, algname, err);
3151 		return err;
3152 	}
3153 
3154 	cfg = kzalloc(sizeof(*cfg), GFP_KERNEL);
3155 	if (!cfg) {
3156 		err = -ENOMEM;
3157 		goto out;
3158 	}
3159 
3160 	generic_req = skcipher_request_alloc(generic_tfm, GFP_KERNEL);
3161 	if (!generic_req) {
3162 		err = -ENOMEM;
3163 		goto out;
3164 	}
3165 
3166 	/* Check the algorithm properties for consistency. */
3167 
3168 	if (crypto_skcipher_min_keysize(tfm) !=
3169 	    crypto_skcipher_min_keysize(generic_tfm)) {
3170 		pr_err("alg: skcipher: min keysize for %s (%u) doesn't match generic impl (%u)\n",
3171 		       driver, crypto_skcipher_min_keysize(tfm),
3172 		       crypto_skcipher_min_keysize(generic_tfm));
3173 		err = -EINVAL;
3174 		goto out;
3175 	}
3176 
3177 	if (maxkeysize != crypto_skcipher_max_keysize(generic_tfm)) {
3178 		pr_err("alg: skcipher: max keysize for %s (%u) doesn't match generic impl (%u)\n",
3179 		       driver, maxkeysize,
3180 		       crypto_skcipher_max_keysize(generic_tfm));
3181 		err = -EINVAL;
3182 		goto out;
3183 	}
3184 
3185 	if (ivsize != crypto_skcipher_ivsize(generic_tfm)) {
3186 		pr_err("alg: skcipher: ivsize for %s (%u) doesn't match generic impl (%u)\n",
3187 		       driver, ivsize, crypto_skcipher_ivsize(generic_tfm));
3188 		err = -EINVAL;
3189 		goto out;
3190 	}
3191 
3192 	if (blocksize != crypto_skcipher_blocksize(generic_tfm)) {
3193 		pr_err("alg: skcipher: blocksize for %s (%u) doesn't match generic impl (%u)\n",
3194 		       driver, blocksize,
3195 		       crypto_skcipher_blocksize(generic_tfm));
3196 		err = -EINVAL;
3197 		goto out;
3198 	}
3199 
3200 	/*
3201 	 * Now generate test vectors using the generic implementation, and test
3202 	 * the other implementation against them.
3203 	 */
3204 
3205 	vec.key = kmalloc(maxkeysize, GFP_KERNEL);
3206 	vec.iv = kmalloc(ivsize, GFP_KERNEL);
3207 	vec.ptext = kmalloc(maxdatasize, GFP_KERNEL);
3208 	vec.ctext = kmalloc(maxdatasize, GFP_KERNEL);
3209 	if (!vec.key || !vec.iv || !vec.ptext || !vec.ctext) {
3210 		err = -ENOMEM;
3211 		goto out;
3212 	}
3213 
3214 	for (i = 0; i < fuzz_iterations * 8; i++) {
3215 		generate_random_cipher_testvec(&rng, generic_req, &vec,
3216 					       maxdatasize,
3217 					       vec_name, sizeof(vec_name));
3218 		generate_random_testvec_config(&rng, cfg, cfgname,
3219 					       sizeof(cfgname));
3220 
3221 		err = test_skcipher_vec_cfg(ENCRYPT, &vec, vec_name,
3222 					    cfg, req, tsgls);
3223 		if (err)
3224 			goto out;
3225 		err = test_skcipher_vec_cfg(DECRYPT, &vec, vec_name,
3226 					    cfg, req, tsgls);
3227 		if (err)
3228 			goto out;
3229 		cond_resched();
3230 	}
3231 	err = 0;
3232 out:
3233 	kfree(cfg);
3234 	kfree(vec.key);
3235 	kfree(vec.iv);
3236 	kfree(vec.ptext);
3237 	kfree(vec.ctext);
3238 	crypto_free_skcipher(generic_tfm);
3239 	skcipher_request_free(generic_req);
3240 	return err;
3241 }
3242 #else /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
test_skcipher_vs_generic_impl(const char * generic_driver,struct skcipher_request * req,struct cipher_test_sglists * tsgls)3243 static int test_skcipher_vs_generic_impl(const char *generic_driver,
3244 					 struct skcipher_request *req,
3245 					 struct cipher_test_sglists *tsgls)
3246 {
3247 	return 0;
3248 }
3249 #endif /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
3250 
test_skcipher(int enc,const struct cipher_test_suite * suite,struct skcipher_request * req,struct cipher_test_sglists * tsgls)3251 static int test_skcipher(int enc, const struct cipher_test_suite *suite,
3252 			 struct skcipher_request *req,
3253 			 struct cipher_test_sglists *tsgls)
3254 {
3255 	unsigned int i;
3256 	int err;
3257 
3258 	for (i = 0; i < suite->count; i++) {
3259 		err = test_skcipher_vec(enc, &suite->vecs[i], i, req, tsgls);
3260 		if (err)
3261 			return err;
3262 		cond_resched();
3263 	}
3264 	return 0;
3265 }
3266 
alg_test_skcipher(const struct alg_test_desc * desc,const char * driver,u32 type,u32 mask)3267 static int alg_test_skcipher(const struct alg_test_desc *desc,
3268 			     const char *driver, u32 type, u32 mask)
3269 {
3270 	const struct cipher_test_suite *suite = &desc->suite.cipher;
3271 	struct crypto_skcipher *tfm;
3272 	struct skcipher_request *req = NULL;
3273 	struct cipher_test_sglists *tsgls = NULL;
3274 	int err;
3275 
3276 	if (suite->count <= 0) {
3277 		pr_err("alg: skcipher: empty test suite for %s\n", driver);
3278 		return -EINVAL;
3279 	}
3280 
3281 	tfm = crypto_alloc_skcipher(driver, type, mask);
3282 	if (IS_ERR(tfm)) {
3283 		if (PTR_ERR(tfm) == -ENOENT)
3284 			return 0;
3285 		pr_err("alg: skcipher: failed to allocate transform for %s: %ld\n",
3286 		       driver, PTR_ERR(tfm));
3287 		return PTR_ERR(tfm);
3288 	}
3289 	driver = crypto_skcipher_driver_name(tfm);
3290 
3291 	req = skcipher_request_alloc(tfm, GFP_KERNEL);
3292 	if (!req) {
3293 		pr_err("alg: skcipher: failed to allocate request for %s\n",
3294 		       driver);
3295 		err = -ENOMEM;
3296 		goto out;
3297 	}
3298 
3299 	tsgls = alloc_cipher_test_sglists();
3300 	if (!tsgls) {
3301 		pr_err("alg: skcipher: failed to allocate test buffers for %s\n",
3302 		       driver);
3303 		err = -ENOMEM;
3304 		goto out;
3305 	}
3306 
3307 	err = test_skcipher(ENCRYPT, suite, req, tsgls);
3308 	if (err)
3309 		goto out;
3310 
3311 	err = test_skcipher(DECRYPT, suite, req, tsgls);
3312 	if (err)
3313 		goto out;
3314 
3315 	err = test_skcipher_vs_generic_impl(desc->generic_driver, req, tsgls);
3316 out:
3317 	free_cipher_test_sglists(tsgls);
3318 	skcipher_request_free(req);
3319 	crypto_free_skcipher(tfm);
3320 	return err;
3321 }
3322 
test_comp(struct crypto_comp * tfm,const struct comp_testvec * ctemplate,const struct comp_testvec * dtemplate,int ctcount,int dtcount)3323 static int test_comp(struct crypto_comp *tfm,
3324 		     const struct comp_testvec *ctemplate,
3325 		     const struct comp_testvec *dtemplate,
3326 		     int ctcount, int dtcount)
3327 {
3328 	const char *algo = crypto_tfm_alg_driver_name(crypto_comp_tfm(tfm));
3329 	char *output, *decomp_output;
3330 	unsigned int i;
3331 	int ret;
3332 
3333 	output = kmalloc(COMP_BUF_SIZE, GFP_KERNEL);
3334 	if (!output)
3335 		return -ENOMEM;
3336 
3337 	decomp_output = kmalloc(COMP_BUF_SIZE, GFP_KERNEL);
3338 	if (!decomp_output) {
3339 		kfree(output);
3340 		return -ENOMEM;
3341 	}
3342 
3343 	for (i = 0; i < ctcount; i++) {
3344 		int ilen;
3345 		unsigned int dlen = COMP_BUF_SIZE;
3346 
3347 		memset(output, 0, COMP_BUF_SIZE);
3348 		memset(decomp_output, 0, COMP_BUF_SIZE);
3349 
3350 		ilen = ctemplate[i].inlen;
3351 		ret = crypto_comp_compress(tfm, ctemplate[i].input,
3352 					   ilen, output, &dlen);
3353 		if (ret) {
3354 			printk(KERN_ERR "alg: comp: compression failed "
3355 			       "on test %d for %s: ret=%d\n", i + 1, algo,
3356 			       -ret);
3357 			goto out;
3358 		}
3359 
3360 		ilen = dlen;
3361 		dlen = COMP_BUF_SIZE;
3362 		ret = crypto_comp_decompress(tfm, output,
3363 					     ilen, decomp_output, &dlen);
3364 		if (ret) {
3365 			pr_err("alg: comp: compression failed: decompress: on test %d for %s failed: ret=%d\n",
3366 			       i + 1, algo, -ret);
3367 			goto out;
3368 		}
3369 
3370 		if (dlen != ctemplate[i].inlen) {
3371 			printk(KERN_ERR "alg: comp: Compression test %d "
3372 			       "failed for %s: output len = %d\n", i + 1, algo,
3373 			       dlen);
3374 			ret = -EINVAL;
3375 			goto out;
3376 		}
3377 
3378 		if (memcmp(decomp_output, ctemplate[i].input,
3379 			   ctemplate[i].inlen)) {
3380 			pr_err("alg: comp: compression failed: output differs: on test %d for %s\n",
3381 			       i + 1, algo);
3382 			hexdump(decomp_output, dlen);
3383 			ret = -EINVAL;
3384 			goto out;
3385 		}
3386 	}
3387 
3388 	for (i = 0; i < dtcount; i++) {
3389 		int ilen;
3390 		unsigned int dlen = COMP_BUF_SIZE;
3391 
3392 		memset(decomp_output, 0, COMP_BUF_SIZE);
3393 
3394 		ilen = dtemplate[i].inlen;
3395 		ret = crypto_comp_decompress(tfm, dtemplate[i].input,
3396 					     ilen, decomp_output, &dlen);
3397 		if (ret) {
3398 			printk(KERN_ERR "alg: comp: decompression failed "
3399 			       "on test %d for %s: ret=%d\n", i + 1, algo,
3400 			       -ret);
3401 			goto out;
3402 		}
3403 
3404 		if (dlen != dtemplate[i].outlen) {
3405 			printk(KERN_ERR "alg: comp: Decompression test %d "
3406 			       "failed for %s: output len = %d\n", i + 1, algo,
3407 			       dlen);
3408 			ret = -EINVAL;
3409 			goto out;
3410 		}
3411 
3412 		if (memcmp(decomp_output, dtemplate[i].output, dlen)) {
3413 			printk(KERN_ERR "alg: comp: Decompression test %d "
3414 			       "failed for %s\n", i + 1, algo);
3415 			hexdump(decomp_output, dlen);
3416 			ret = -EINVAL;
3417 			goto out;
3418 		}
3419 	}
3420 
3421 	ret = 0;
3422 
3423 out:
3424 	kfree(decomp_output);
3425 	kfree(output);
3426 	return ret;
3427 }
3428 
test_acomp(struct crypto_acomp * tfm,const struct comp_testvec * ctemplate,const struct comp_testvec * dtemplate,int ctcount,int dtcount)3429 static int test_acomp(struct crypto_acomp *tfm,
3430 		      const struct comp_testvec *ctemplate,
3431 		      const struct comp_testvec *dtemplate,
3432 		      int ctcount, int dtcount)
3433 {
3434 	const char *algo = crypto_tfm_alg_driver_name(crypto_acomp_tfm(tfm));
3435 	unsigned int i;
3436 	char *output, *decomp_out;
3437 	int ret;
3438 	struct scatterlist src, dst;
3439 	struct acomp_req *req;
3440 	struct crypto_wait wait;
3441 
3442 	output = kmalloc(COMP_BUF_SIZE, GFP_KERNEL);
3443 	if (!output)
3444 		return -ENOMEM;
3445 
3446 	decomp_out = kmalloc(COMP_BUF_SIZE, GFP_KERNEL);
3447 	if (!decomp_out) {
3448 		kfree(output);
3449 		return -ENOMEM;
3450 	}
3451 
3452 	for (i = 0; i < ctcount; i++) {
3453 		unsigned int dlen = COMP_BUF_SIZE;
3454 		int ilen = ctemplate[i].inlen;
3455 		void *input_vec;
3456 
3457 		input_vec = kmemdup(ctemplate[i].input, ilen, GFP_KERNEL);
3458 		if (!input_vec) {
3459 			ret = -ENOMEM;
3460 			goto out;
3461 		}
3462 
3463 		memset(output, 0, dlen);
3464 		crypto_init_wait(&wait);
3465 		sg_init_one(&src, input_vec, ilen);
3466 		sg_init_one(&dst, output, dlen);
3467 
3468 		req = acomp_request_alloc(tfm);
3469 		if (!req) {
3470 			pr_err("alg: acomp: request alloc failed for %s\n",
3471 			       algo);
3472 			kfree(input_vec);
3473 			ret = -ENOMEM;
3474 			goto out;
3475 		}
3476 
3477 		acomp_request_set_params(req, &src, &dst, ilen, dlen);
3478 		acomp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
3479 					   crypto_req_done, &wait);
3480 
3481 		ret = crypto_wait_req(crypto_acomp_compress(req), &wait);
3482 		if (ret) {
3483 			pr_err("alg: acomp: compression failed on test %d for %s: ret=%d\n",
3484 			       i + 1, algo, -ret);
3485 			kfree(input_vec);
3486 			acomp_request_free(req);
3487 			goto out;
3488 		}
3489 
3490 		ilen = req->dlen;
3491 		dlen = COMP_BUF_SIZE;
3492 		sg_init_one(&src, output, ilen);
3493 		sg_init_one(&dst, decomp_out, dlen);
3494 		crypto_init_wait(&wait);
3495 		acomp_request_set_params(req, &src, &dst, ilen, dlen);
3496 
3497 		ret = crypto_wait_req(crypto_acomp_decompress(req), &wait);
3498 		if (ret) {
3499 			pr_err("alg: acomp: compression failed on test %d for %s: ret=%d\n",
3500 			       i + 1, algo, -ret);
3501 			kfree(input_vec);
3502 			acomp_request_free(req);
3503 			goto out;
3504 		}
3505 
3506 		if (req->dlen != ctemplate[i].inlen) {
3507 			pr_err("alg: acomp: Compression test %d failed for %s: output len = %d\n",
3508 			       i + 1, algo, req->dlen);
3509 			ret = -EINVAL;
3510 			kfree(input_vec);
3511 			acomp_request_free(req);
3512 			goto out;
3513 		}
3514 
3515 		if (memcmp(input_vec, decomp_out, req->dlen)) {
3516 			pr_err("alg: acomp: Compression test %d failed for %s\n",
3517 			       i + 1, algo);
3518 			hexdump(output, req->dlen);
3519 			ret = -EINVAL;
3520 			kfree(input_vec);
3521 			acomp_request_free(req);
3522 			goto out;
3523 		}
3524 
3525 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
3526 		crypto_init_wait(&wait);
3527 		sg_init_one(&src, input_vec, ilen);
3528 		acomp_request_set_params(req, &src, NULL, ilen, 0);
3529 
3530 		ret = crypto_wait_req(crypto_acomp_compress(req), &wait);
3531 		if (ret) {
3532 			pr_err("alg: acomp: compression failed on NULL dst buffer test %d for %s: ret=%d\n",
3533 			       i + 1, algo, -ret);
3534 			kfree(input_vec);
3535 			acomp_request_free(req);
3536 			goto out;
3537 		}
3538 #endif
3539 
3540 		kfree(input_vec);
3541 		acomp_request_free(req);
3542 	}
3543 
3544 	for (i = 0; i < dtcount; i++) {
3545 		unsigned int dlen = COMP_BUF_SIZE;
3546 		int ilen = dtemplate[i].inlen;
3547 		void *input_vec;
3548 
3549 		input_vec = kmemdup(dtemplate[i].input, ilen, GFP_KERNEL);
3550 		if (!input_vec) {
3551 			ret = -ENOMEM;
3552 			goto out;
3553 		}
3554 
3555 		memset(output, 0, dlen);
3556 		crypto_init_wait(&wait);
3557 		sg_init_one(&src, input_vec, ilen);
3558 		sg_init_one(&dst, output, dlen);
3559 
3560 		req = acomp_request_alloc(tfm);
3561 		if (!req) {
3562 			pr_err("alg: acomp: request alloc failed for %s\n",
3563 			       algo);
3564 			kfree(input_vec);
3565 			ret = -ENOMEM;
3566 			goto out;
3567 		}
3568 
3569 		acomp_request_set_params(req, &src, &dst, ilen, dlen);
3570 		acomp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
3571 					   crypto_req_done, &wait);
3572 
3573 		ret = crypto_wait_req(crypto_acomp_decompress(req), &wait);
3574 		if (ret) {
3575 			pr_err("alg: acomp: decompression failed on test %d for %s: ret=%d\n",
3576 			       i + 1, algo, -ret);
3577 			kfree(input_vec);
3578 			acomp_request_free(req);
3579 			goto out;
3580 		}
3581 
3582 		if (req->dlen != dtemplate[i].outlen) {
3583 			pr_err("alg: acomp: Decompression test %d failed for %s: output len = %d\n",
3584 			       i + 1, algo, req->dlen);
3585 			ret = -EINVAL;
3586 			kfree(input_vec);
3587 			acomp_request_free(req);
3588 			goto out;
3589 		}
3590 
3591 		if (memcmp(output, dtemplate[i].output, req->dlen)) {
3592 			pr_err("alg: acomp: Decompression test %d failed for %s\n",
3593 			       i + 1, algo);
3594 			hexdump(output, req->dlen);
3595 			ret = -EINVAL;
3596 			kfree(input_vec);
3597 			acomp_request_free(req);
3598 			goto out;
3599 		}
3600 
3601 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
3602 		crypto_init_wait(&wait);
3603 		acomp_request_set_params(req, &src, NULL, ilen, 0);
3604 
3605 		ret = crypto_wait_req(crypto_acomp_decompress(req), &wait);
3606 		if (ret) {
3607 			pr_err("alg: acomp: decompression failed on NULL dst buffer test %d for %s: ret=%d\n",
3608 			       i + 1, algo, -ret);
3609 			kfree(input_vec);
3610 			acomp_request_free(req);
3611 			goto out;
3612 		}
3613 #endif
3614 
3615 		kfree(input_vec);
3616 		acomp_request_free(req);
3617 	}
3618 
3619 	ret = 0;
3620 
3621 out:
3622 	kfree(decomp_out);
3623 	kfree(output);
3624 	return ret;
3625 }
3626 
test_cprng(struct crypto_rng * tfm,const struct cprng_testvec * template,unsigned int tcount)3627 static int test_cprng(struct crypto_rng *tfm,
3628 		      const struct cprng_testvec *template,
3629 		      unsigned int tcount)
3630 {
3631 	const char *algo = crypto_tfm_alg_driver_name(crypto_rng_tfm(tfm));
3632 	int err = 0, i, j, seedsize;
3633 	u8 *seed;
3634 	char result[32];
3635 
3636 	seedsize = crypto_rng_seedsize(tfm);
3637 
3638 	seed = kmalloc(seedsize, GFP_KERNEL);
3639 	if (!seed) {
3640 		printk(KERN_ERR "alg: cprng: Failed to allocate seed space "
3641 		       "for %s\n", algo);
3642 		return -ENOMEM;
3643 	}
3644 
3645 	for (i = 0; i < tcount; i++) {
3646 		memset(result, 0, 32);
3647 
3648 		memcpy(seed, template[i].v, template[i].vlen);
3649 		memcpy(seed + template[i].vlen, template[i].key,
3650 		       template[i].klen);
3651 		memcpy(seed + template[i].vlen + template[i].klen,
3652 		       template[i].dt, template[i].dtlen);
3653 
3654 		err = crypto_rng_reset(tfm, seed, seedsize);
3655 		if (err) {
3656 			printk(KERN_ERR "alg: cprng: Failed to reset rng "
3657 			       "for %s\n", algo);
3658 			goto out;
3659 		}
3660 
3661 		for (j = 0; j < template[i].loops; j++) {
3662 			err = crypto_rng_get_bytes(tfm, result,
3663 						   template[i].rlen);
3664 			if (err < 0) {
3665 				printk(KERN_ERR "alg: cprng: Failed to obtain "
3666 				       "the correct amount of random data for "
3667 				       "%s (requested %d)\n", algo,
3668 				       template[i].rlen);
3669 				goto out;
3670 			}
3671 		}
3672 
3673 		err = memcmp(result, template[i].result,
3674 			     template[i].rlen);
3675 		if (err) {
3676 			printk(KERN_ERR "alg: cprng: Test %d failed for %s\n",
3677 			       i, algo);
3678 			hexdump(result, template[i].rlen);
3679 			err = -EINVAL;
3680 			goto out;
3681 		}
3682 	}
3683 
3684 out:
3685 	kfree(seed);
3686 	return err;
3687 }
3688 
alg_test_cipher(const struct alg_test_desc * desc,const char * driver,u32 type,u32 mask)3689 static int alg_test_cipher(const struct alg_test_desc *desc,
3690 			   const char *driver, u32 type, u32 mask)
3691 {
3692 	const struct cipher_test_suite *suite = &desc->suite.cipher;
3693 	struct crypto_cipher *tfm;
3694 	int err;
3695 
3696 	tfm = crypto_alloc_cipher(driver, type, mask);
3697 	if (IS_ERR(tfm)) {
3698 		if (PTR_ERR(tfm) == -ENOENT)
3699 			return 0;
3700 		printk(KERN_ERR "alg: cipher: Failed to load transform for "
3701 		       "%s: %ld\n", driver, PTR_ERR(tfm));
3702 		return PTR_ERR(tfm);
3703 	}
3704 
3705 	err = test_cipher(tfm, ENCRYPT, suite->vecs, suite->count);
3706 	if (!err)
3707 		err = test_cipher(tfm, DECRYPT, suite->vecs, suite->count);
3708 
3709 	crypto_free_cipher(tfm);
3710 	return err;
3711 }
3712 
alg_test_comp(const struct alg_test_desc * desc,const char * driver,u32 type,u32 mask)3713 static int alg_test_comp(const struct alg_test_desc *desc, const char *driver,
3714 			 u32 type, u32 mask)
3715 {
3716 	struct crypto_comp *comp;
3717 	struct crypto_acomp *acomp;
3718 	int err;
3719 	u32 algo_type = type & CRYPTO_ALG_TYPE_ACOMPRESS_MASK;
3720 
3721 	if (algo_type == CRYPTO_ALG_TYPE_ACOMPRESS) {
3722 		acomp = crypto_alloc_acomp(driver, type, mask);
3723 		if (IS_ERR(acomp)) {
3724 			if (PTR_ERR(acomp) == -ENOENT)
3725 				return 0;
3726 			pr_err("alg: acomp: Failed to load transform for %s: %ld\n",
3727 			       driver, PTR_ERR(acomp));
3728 			return PTR_ERR(acomp);
3729 		}
3730 		err = test_acomp(acomp, desc->suite.comp.comp.vecs,
3731 				 desc->suite.comp.decomp.vecs,
3732 				 desc->suite.comp.comp.count,
3733 				 desc->suite.comp.decomp.count);
3734 		crypto_free_acomp(acomp);
3735 	} else {
3736 		comp = crypto_alloc_comp(driver, type, mask);
3737 		if (IS_ERR(comp)) {
3738 			if (PTR_ERR(comp) == -ENOENT)
3739 				return 0;
3740 			pr_err("alg: comp: Failed to load transform for %s: %ld\n",
3741 			       driver, PTR_ERR(comp));
3742 			return PTR_ERR(comp);
3743 		}
3744 
3745 		err = test_comp(comp, desc->suite.comp.comp.vecs,
3746 				desc->suite.comp.decomp.vecs,
3747 				desc->suite.comp.comp.count,
3748 				desc->suite.comp.decomp.count);
3749 
3750 		crypto_free_comp(comp);
3751 	}
3752 	return err;
3753 }
3754 
alg_test_crc32c(const struct alg_test_desc * desc,const char * driver,u32 type,u32 mask)3755 static int alg_test_crc32c(const struct alg_test_desc *desc,
3756 			   const char *driver, u32 type, u32 mask)
3757 {
3758 	struct crypto_shash *tfm;
3759 	__le32 val;
3760 	int err;
3761 
3762 	err = alg_test_hash(desc, driver, type, mask);
3763 	if (err)
3764 		return err;
3765 
3766 	tfm = crypto_alloc_shash(driver, type, mask);
3767 	if (IS_ERR(tfm)) {
3768 		if (PTR_ERR(tfm) == -ENOENT) {
3769 			/*
3770 			 * This crc32c implementation is only available through
3771 			 * ahash API, not the shash API, so the remaining part
3772 			 * of the test is not applicable to it.
3773 			 */
3774 			return 0;
3775 		}
3776 		printk(KERN_ERR "alg: crc32c: Failed to load transform for %s: "
3777 		       "%ld\n", driver, PTR_ERR(tfm));
3778 		return PTR_ERR(tfm);
3779 	}
3780 	driver = crypto_shash_driver_name(tfm);
3781 
3782 	do {
3783 		SHASH_DESC_ON_STACK(shash, tfm);
3784 		u32 *ctx = (u32 *)shash_desc_ctx(shash);
3785 
3786 		shash->tfm = tfm;
3787 
3788 		*ctx = 420553207;
3789 		err = crypto_shash_final(shash, (u8 *)&val);
3790 		if (err) {
3791 			printk(KERN_ERR "alg: crc32c: Operation failed for "
3792 			       "%s: %d\n", driver, err);
3793 			break;
3794 		}
3795 
3796 		if (val != cpu_to_le32(~420553207)) {
3797 			pr_err("alg: crc32c: Test failed for %s: %u\n",
3798 			       driver, le32_to_cpu(val));
3799 			err = -EINVAL;
3800 		}
3801 	} while (0);
3802 
3803 	crypto_free_shash(tfm);
3804 
3805 	return err;
3806 }
3807 
alg_test_cprng(const struct alg_test_desc * desc,const char * driver,u32 type,u32 mask)3808 static int alg_test_cprng(const struct alg_test_desc *desc, const char *driver,
3809 			  u32 type, u32 mask)
3810 {
3811 	struct crypto_rng *rng;
3812 	int err;
3813 
3814 	rng = crypto_alloc_rng(driver, type, mask);
3815 	if (IS_ERR(rng)) {
3816 		if (PTR_ERR(rng) == -ENOENT)
3817 			return 0;
3818 		printk(KERN_ERR "alg: cprng: Failed to load transform for %s: "
3819 		       "%ld\n", driver, PTR_ERR(rng));
3820 		return PTR_ERR(rng);
3821 	}
3822 
3823 	err = test_cprng(rng, desc->suite.cprng.vecs, desc->suite.cprng.count);
3824 
3825 	crypto_free_rng(rng);
3826 
3827 	return err;
3828 }
3829 
3830 
drbg_cavs_test(const struct drbg_testvec * test,int pr,const char * driver,u32 type,u32 mask)3831 static int drbg_cavs_test(const struct drbg_testvec *test, int pr,
3832 			  const char *driver, u32 type, u32 mask)
3833 {
3834 	int ret = -EAGAIN;
3835 	struct crypto_rng *drng;
3836 	struct drbg_test_data test_data;
3837 	struct drbg_string addtl, pers, testentropy;
3838 	unsigned char *buf = kzalloc(test->expectedlen, GFP_KERNEL);
3839 
3840 	if (!buf)
3841 		return -ENOMEM;
3842 
3843 	drng = crypto_alloc_rng(driver, type, mask);
3844 	if (IS_ERR(drng)) {
3845 		kfree_sensitive(buf);
3846 		if (PTR_ERR(drng) == -ENOENT)
3847 			return 0;
3848 		printk(KERN_ERR "alg: drbg: could not allocate DRNG handle for "
3849 		       "%s\n", driver);
3850 		return PTR_ERR(drng);
3851 	}
3852 
3853 	test_data.testentropy = &testentropy;
3854 	drbg_string_fill(&testentropy, test->entropy, test->entropylen);
3855 	drbg_string_fill(&pers, test->pers, test->perslen);
3856 	ret = crypto_drbg_reset_test(drng, &pers, &test_data);
3857 	if (ret) {
3858 		printk(KERN_ERR "alg: drbg: Failed to reset rng\n");
3859 		goto outbuf;
3860 	}
3861 
3862 	drbg_string_fill(&addtl, test->addtla, test->addtllen);
3863 	if (pr) {
3864 		drbg_string_fill(&testentropy, test->entpra, test->entprlen);
3865 		ret = crypto_drbg_get_bytes_addtl_test(drng,
3866 			buf, test->expectedlen, &addtl,	&test_data);
3867 	} else {
3868 		ret = crypto_drbg_get_bytes_addtl(drng,
3869 			buf, test->expectedlen, &addtl);
3870 	}
3871 	if (ret < 0) {
3872 		printk(KERN_ERR "alg: drbg: could not obtain random data for "
3873 		       "driver %s\n", driver);
3874 		goto outbuf;
3875 	}
3876 
3877 	drbg_string_fill(&addtl, test->addtlb, test->addtllen);
3878 	if (pr) {
3879 		drbg_string_fill(&testentropy, test->entprb, test->entprlen);
3880 		ret = crypto_drbg_get_bytes_addtl_test(drng,
3881 			buf, test->expectedlen, &addtl, &test_data);
3882 	} else {
3883 		ret = crypto_drbg_get_bytes_addtl(drng,
3884 			buf, test->expectedlen, &addtl);
3885 	}
3886 	if (ret < 0) {
3887 		printk(KERN_ERR "alg: drbg: could not obtain random data for "
3888 		       "driver %s\n", driver);
3889 		goto outbuf;
3890 	}
3891 
3892 	ret = memcmp(test->expected, buf, test->expectedlen);
3893 
3894 outbuf:
3895 	crypto_free_rng(drng);
3896 	kfree_sensitive(buf);
3897 	return ret;
3898 }
3899 
3900 
alg_test_drbg(const struct alg_test_desc * desc,const char * driver,u32 type,u32 mask)3901 static int alg_test_drbg(const struct alg_test_desc *desc, const char *driver,
3902 			 u32 type, u32 mask)
3903 {
3904 	int err = 0;
3905 	int pr = 0;
3906 	int i = 0;
3907 	const struct drbg_testvec *template = desc->suite.drbg.vecs;
3908 	unsigned int tcount = desc->suite.drbg.count;
3909 
3910 	if (0 == memcmp(driver, "drbg_pr_", 8))
3911 		pr = 1;
3912 
3913 	for (i = 0; i < tcount; i++) {
3914 		err = drbg_cavs_test(&template[i], pr, driver, type, mask);
3915 		if (err) {
3916 			printk(KERN_ERR "alg: drbg: Test %d failed for %s\n",
3917 			       i, driver);
3918 			err = -EINVAL;
3919 			break;
3920 		}
3921 	}
3922 	return err;
3923 
3924 }
3925 
do_test_kpp(struct crypto_kpp * tfm,const struct kpp_testvec * vec,const char * alg)3926 static int do_test_kpp(struct crypto_kpp *tfm, const struct kpp_testvec *vec,
3927 		       const char *alg)
3928 {
3929 	struct kpp_request *req;
3930 	void *input_buf = NULL;
3931 	void *output_buf = NULL;
3932 	void *a_public = NULL;
3933 	void *a_ss = NULL;
3934 	void *shared_secret = NULL;
3935 	struct crypto_wait wait;
3936 	unsigned int out_len_max;
3937 	int err = -ENOMEM;
3938 	struct scatterlist src, dst;
3939 
3940 	req = kpp_request_alloc(tfm, GFP_KERNEL);
3941 	if (!req)
3942 		return err;
3943 
3944 	crypto_init_wait(&wait);
3945 
3946 	err = crypto_kpp_set_secret(tfm, vec->secret, vec->secret_size);
3947 	if (err < 0)
3948 		goto free_req;
3949 
3950 	out_len_max = crypto_kpp_maxsize(tfm);
3951 	output_buf = kzalloc(out_len_max, GFP_KERNEL);
3952 	if (!output_buf) {
3953 		err = -ENOMEM;
3954 		goto free_req;
3955 	}
3956 
3957 	/* Use appropriate parameter as base */
3958 	kpp_request_set_input(req, NULL, 0);
3959 	sg_init_one(&dst, output_buf, out_len_max);
3960 	kpp_request_set_output(req, &dst, out_len_max);
3961 	kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
3962 				 crypto_req_done, &wait);
3963 
3964 	/* Compute party A's public key */
3965 	err = crypto_wait_req(crypto_kpp_generate_public_key(req), &wait);
3966 	if (err) {
3967 		pr_err("alg: %s: Party A: generate public key test failed. err %d\n",
3968 		       alg, err);
3969 		goto free_output;
3970 	}
3971 
3972 	if (vec->genkey) {
3973 		/* Save party A's public key */
3974 		a_public = kmemdup(sg_virt(req->dst), out_len_max, GFP_KERNEL);
3975 		if (!a_public) {
3976 			err = -ENOMEM;
3977 			goto free_output;
3978 		}
3979 	} else {
3980 		/* Verify calculated public key */
3981 		if (memcmp(vec->expected_a_public, sg_virt(req->dst),
3982 			   vec->expected_a_public_size)) {
3983 			pr_err("alg: %s: Party A: generate public key test failed. Invalid output\n",
3984 			       alg);
3985 			err = -EINVAL;
3986 			goto free_output;
3987 		}
3988 	}
3989 
3990 	/* Calculate shared secret key by using counter part (b) public key. */
3991 	input_buf = kmemdup(vec->b_public, vec->b_public_size, GFP_KERNEL);
3992 	if (!input_buf) {
3993 		err = -ENOMEM;
3994 		goto free_output;
3995 	}
3996 
3997 	sg_init_one(&src, input_buf, vec->b_public_size);
3998 	sg_init_one(&dst, output_buf, out_len_max);
3999 	kpp_request_set_input(req, &src, vec->b_public_size);
4000 	kpp_request_set_output(req, &dst, out_len_max);
4001 	kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
4002 				 crypto_req_done, &wait);
4003 	err = crypto_wait_req(crypto_kpp_compute_shared_secret(req), &wait);
4004 	if (err) {
4005 		pr_err("alg: %s: Party A: compute shared secret test failed. err %d\n",
4006 		       alg, err);
4007 		goto free_all;
4008 	}
4009 
4010 	if (vec->genkey) {
4011 		/* Save the shared secret obtained by party A */
4012 		a_ss = kmemdup(sg_virt(req->dst), vec->expected_ss_size, GFP_KERNEL);
4013 		if (!a_ss) {
4014 			err = -ENOMEM;
4015 			goto free_all;
4016 		}
4017 
4018 		/*
4019 		 * Calculate party B's shared secret by using party A's
4020 		 * public key.
4021 		 */
4022 		err = crypto_kpp_set_secret(tfm, vec->b_secret,
4023 					    vec->b_secret_size);
4024 		if (err < 0)
4025 			goto free_all;
4026 
4027 		sg_init_one(&src, a_public, vec->expected_a_public_size);
4028 		sg_init_one(&dst, output_buf, out_len_max);
4029 		kpp_request_set_input(req, &src, vec->expected_a_public_size);
4030 		kpp_request_set_output(req, &dst, out_len_max);
4031 		kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
4032 					 crypto_req_done, &wait);
4033 		err = crypto_wait_req(crypto_kpp_compute_shared_secret(req),
4034 				      &wait);
4035 		if (err) {
4036 			pr_err("alg: %s: Party B: compute shared secret failed. err %d\n",
4037 			       alg, err);
4038 			goto free_all;
4039 		}
4040 
4041 		shared_secret = a_ss;
4042 	} else {
4043 		shared_secret = (void *)vec->expected_ss;
4044 	}
4045 
4046 	/*
4047 	 * verify shared secret from which the user will derive
4048 	 * secret key by executing whatever hash it has chosen
4049 	 */
4050 	if (memcmp(shared_secret, sg_virt(req->dst),
4051 		   vec->expected_ss_size)) {
4052 		pr_err("alg: %s: compute shared secret test failed. Invalid output\n",
4053 		       alg);
4054 		err = -EINVAL;
4055 	}
4056 
4057 free_all:
4058 	kfree(a_ss);
4059 	kfree(input_buf);
4060 free_output:
4061 	kfree(a_public);
4062 	kfree(output_buf);
4063 free_req:
4064 	kpp_request_free(req);
4065 	return err;
4066 }
4067 
test_kpp(struct crypto_kpp * tfm,const char * alg,const struct kpp_testvec * vecs,unsigned int tcount)4068 static int test_kpp(struct crypto_kpp *tfm, const char *alg,
4069 		    const struct kpp_testvec *vecs, unsigned int tcount)
4070 {
4071 	int ret, i;
4072 
4073 	for (i = 0; i < tcount; i++) {
4074 		ret = do_test_kpp(tfm, vecs++, alg);
4075 		if (ret) {
4076 			pr_err("alg: %s: test failed on vector %d, err=%d\n",
4077 			       alg, i + 1, ret);
4078 			return ret;
4079 		}
4080 	}
4081 	return 0;
4082 }
4083 
alg_test_kpp(const struct alg_test_desc * desc,const char * driver,u32 type,u32 mask)4084 static int alg_test_kpp(const struct alg_test_desc *desc, const char *driver,
4085 			u32 type, u32 mask)
4086 {
4087 	struct crypto_kpp *tfm;
4088 	int err = 0;
4089 
4090 	tfm = crypto_alloc_kpp(driver, type, mask);
4091 	if (IS_ERR(tfm)) {
4092 		if (PTR_ERR(tfm) == -ENOENT)
4093 			return 0;
4094 		pr_err("alg: kpp: Failed to load tfm for %s: %ld\n",
4095 		       driver, PTR_ERR(tfm));
4096 		return PTR_ERR(tfm);
4097 	}
4098 	if (desc->suite.kpp.vecs)
4099 		err = test_kpp(tfm, desc->alg, desc->suite.kpp.vecs,
4100 			       desc->suite.kpp.count);
4101 
4102 	crypto_free_kpp(tfm);
4103 	return err;
4104 }
4105 
test_pack_u32(u8 * dst,u32 val)4106 static u8 *test_pack_u32(u8 *dst, u32 val)
4107 {
4108 	memcpy(dst, &val, sizeof(val));
4109 	return dst + sizeof(val);
4110 }
4111 
test_akcipher_one(struct crypto_akcipher * tfm,const struct akcipher_testvec * vecs)4112 static int test_akcipher_one(struct crypto_akcipher *tfm,
4113 			     const struct akcipher_testvec *vecs)
4114 {
4115 	char *xbuf[XBUFSIZE];
4116 	struct akcipher_request *req;
4117 	void *outbuf_enc = NULL;
4118 	void *outbuf_dec = NULL;
4119 	struct crypto_wait wait;
4120 	unsigned int out_len_max, out_len = 0;
4121 	int err = -ENOMEM;
4122 	struct scatterlist src, dst, src_tab[2];
4123 	const char *c;
4124 	unsigned int c_size;
4125 
4126 	if (testmgr_alloc_buf(xbuf))
4127 		return err;
4128 
4129 	req = akcipher_request_alloc(tfm, GFP_KERNEL);
4130 	if (!req)
4131 		goto free_xbuf;
4132 
4133 	crypto_init_wait(&wait);
4134 
4135 	if (vecs->public_key_vec)
4136 		err = crypto_akcipher_set_pub_key(tfm, vecs->key,
4137 						  vecs->key_len);
4138 	else
4139 		err = crypto_akcipher_set_priv_key(tfm, vecs->key,
4140 						   vecs->key_len);
4141 	if (err)
4142 		goto free_req;
4143 
4144 	/* First run encrypt test which does not require a private key */
4145 	err = -ENOMEM;
4146 	out_len_max = crypto_akcipher_maxsize(tfm);
4147 	outbuf_enc = kzalloc(out_len_max, GFP_KERNEL);
4148 	if (!outbuf_enc)
4149 		goto free_req;
4150 
4151 	c = vecs->c;
4152 	c_size = vecs->c_size;
4153 
4154 	err = -E2BIG;
4155 	if (WARN_ON(vecs->m_size > PAGE_SIZE))
4156 		goto free_all;
4157 	memcpy(xbuf[0], vecs->m, vecs->m_size);
4158 
4159 	sg_init_table(src_tab, 2);
4160 	sg_set_buf(&src_tab[0], xbuf[0], 8);
4161 	sg_set_buf(&src_tab[1], xbuf[0] + 8, vecs->m_size - 8);
4162 	sg_init_one(&dst, outbuf_enc, out_len_max);
4163 	akcipher_request_set_crypt(req, src_tab, &dst, vecs->m_size,
4164 				   out_len_max);
4165 	akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
4166 				      crypto_req_done, &wait);
4167 
4168 	err = crypto_wait_req(crypto_akcipher_encrypt(req), &wait);
4169 	if (err) {
4170 		pr_err("alg: akcipher: encrypt test failed. err %d\n", err);
4171 		goto free_all;
4172 	}
4173 	if (c) {
4174 		if (req->dst_len != c_size) {
4175 			pr_err("alg: akcipher: encrypt test failed. Invalid output len\n");
4176 			err = -EINVAL;
4177 			goto free_all;
4178 		}
4179 		/* verify that encrypted message is equal to expected */
4180 		if (memcmp(c, outbuf_enc, c_size) != 0) {
4181 			pr_err("alg: akcipher: encrypt test failed. Invalid output\n");
4182 			hexdump(outbuf_enc, c_size);
4183 			err = -EINVAL;
4184 			goto free_all;
4185 		}
4186 	}
4187 
4188 	/*
4189 	 * Don't invoke decrypt test which requires a private key
4190 	 * for vectors with only a public key.
4191 	 */
4192 	if (vecs->public_key_vec) {
4193 		err = 0;
4194 		goto free_all;
4195 	}
4196 	outbuf_dec = kzalloc(out_len_max, GFP_KERNEL);
4197 	if (!outbuf_dec) {
4198 		err = -ENOMEM;
4199 		goto free_all;
4200 	}
4201 
4202 	if (!c) {
4203 		c = outbuf_enc;
4204 		c_size = req->dst_len;
4205 	}
4206 
4207 	err = -E2BIG;
4208 	if (WARN_ON(c_size > PAGE_SIZE))
4209 		goto free_all;
4210 	memcpy(xbuf[0], c, c_size);
4211 
4212 	sg_init_one(&src, xbuf[0], c_size);
4213 	sg_init_one(&dst, outbuf_dec, out_len_max);
4214 	crypto_init_wait(&wait);
4215 	akcipher_request_set_crypt(req, &src, &dst, c_size, out_len_max);
4216 
4217 	err = crypto_wait_req(crypto_akcipher_decrypt(req), &wait);
4218 	if (err) {
4219 		pr_err("alg: akcipher: decrypt test failed. err %d\n", err);
4220 		goto free_all;
4221 	}
4222 	out_len = req->dst_len;
4223 	if (out_len < vecs->m_size) {
4224 		pr_err("alg: akcipher: decrypt test failed. Invalid output len %u\n",
4225 		       out_len);
4226 		err = -EINVAL;
4227 		goto free_all;
4228 	}
4229 	/* verify that decrypted message is equal to the original msg */
4230 	if (memchr_inv(outbuf_dec, 0, out_len - vecs->m_size) ||
4231 	    memcmp(vecs->m, outbuf_dec + out_len - vecs->m_size,
4232 		   vecs->m_size)) {
4233 		pr_err("alg: akcipher: decrypt test failed. Invalid output\n");
4234 		hexdump(outbuf_dec, out_len);
4235 		err = -EINVAL;
4236 	}
4237 free_all:
4238 	kfree(outbuf_dec);
4239 	kfree(outbuf_enc);
4240 free_req:
4241 	akcipher_request_free(req);
4242 free_xbuf:
4243 	testmgr_free_buf(xbuf);
4244 	return err;
4245 }
4246 
test_akcipher(struct crypto_akcipher * tfm,const char * alg,const struct akcipher_testvec * vecs,unsigned int tcount)4247 static int test_akcipher(struct crypto_akcipher *tfm, const char *alg,
4248 			 const struct akcipher_testvec *vecs,
4249 			 unsigned int tcount)
4250 {
4251 	const char *algo =
4252 		crypto_tfm_alg_driver_name(crypto_akcipher_tfm(tfm));
4253 	int ret, i;
4254 
4255 	for (i = 0; i < tcount; i++) {
4256 		ret = test_akcipher_one(tfm, vecs++);
4257 		if (!ret)
4258 			continue;
4259 
4260 		pr_err("alg: akcipher: test %d failed for %s, err=%d\n",
4261 		       i + 1, algo, ret);
4262 		return ret;
4263 	}
4264 	return 0;
4265 }
4266 
alg_test_akcipher(const struct alg_test_desc * desc,const char * driver,u32 type,u32 mask)4267 static int alg_test_akcipher(const struct alg_test_desc *desc,
4268 			     const char *driver, u32 type, u32 mask)
4269 {
4270 	struct crypto_akcipher *tfm;
4271 	int err = 0;
4272 
4273 	tfm = crypto_alloc_akcipher(driver, type, mask);
4274 	if (IS_ERR(tfm)) {
4275 		if (PTR_ERR(tfm) == -ENOENT)
4276 			return 0;
4277 		pr_err("alg: akcipher: Failed to load tfm for %s: %ld\n",
4278 		       driver, PTR_ERR(tfm));
4279 		return PTR_ERR(tfm);
4280 	}
4281 	if (desc->suite.akcipher.vecs)
4282 		err = test_akcipher(tfm, desc->alg, desc->suite.akcipher.vecs,
4283 				    desc->suite.akcipher.count);
4284 
4285 	crypto_free_akcipher(tfm);
4286 	return err;
4287 }
4288 
test_sig_one(struct crypto_sig * tfm,const struct sig_testvec * vecs)4289 static int test_sig_one(struct crypto_sig *tfm, const struct sig_testvec *vecs)
4290 {
4291 	u8 *ptr, *key __free(kfree);
4292 	int err, sig_size;
4293 
4294 	key = kmalloc(vecs->key_len + 2 * sizeof(u32) + vecs->param_len,
4295 		      GFP_KERNEL);
4296 	if (!key)
4297 		return -ENOMEM;
4298 
4299 	/* ecrdsa expects additional parameters appended to the key */
4300 	memcpy(key, vecs->key, vecs->key_len);
4301 	ptr = key + vecs->key_len;
4302 	ptr = test_pack_u32(ptr, vecs->algo);
4303 	ptr = test_pack_u32(ptr, vecs->param_len);
4304 	memcpy(ptr, vecs->params, vecs->param_len);
4305 
4306 	if (vecs->public_key_vec)
4307 		err = crypto_sig_set_pubkey(tfm, key, vecs->key_len);
4308 	else
4309 		err = crypto_sig_set_privkey(tfm, key, vecs->key_len);
4310 	if (err)
4311 		return err;
4312 
4313 	/*
4314 	 * Run asymmetric signature verification first
4315 	 * (which does not require a private key)
4316 	 */
4317 	err = crypto_sig_verify(tfm, vecs->c, vecs->c_size,
4318 				vecs->m, vecs->m_size);
4319 	if (err) {
4320 		pr_err("alg: sig: verify test failed: err %d\n", err);
4321 		return err;
4322 	}
4323 
4324 	/*
4325 	 * Don't invoke sign test (which requires a private key)
4326 	 * for vectors with only a public key.
4327 	 */
4328 	if (vecs->public_key_vec)
4329 		return 0;
4330 
4331 	sig_size = crypto_sig_keysize(tfm);
4332 	if (sig_size < vecs->c_size) {
4333 		pr_err("alg: sig: invalid maxsize %u\n", sig_size);
4334 		return -EINVAL;
4335 	}
4336 
4337 	u8 *sig __free(kfree) = kzalloc(sig_size, GFP_KERNEL);
4338 	if (!sig)
4339 		return -ENOMEM;
4340 
4341 	/* Run asymmetric signature generation */
4342 	err = crypto_sig_sign(tfm, vecs->m, vecs->m_size, sig, sig_size);
4343 	if (err) {
4344 		pr_err("alg: sig: sign test failed: err %d\n", err);
4345 		return err;
4346 	}
4347 
4348 	/* Verify that generated signature equals cooked signature */
4349 	if (memcmp(sig, vecs->c, vecs->c_size) ||
4350 	    memchr_inv(sig + vecs->c_size, 0, sig_size - vecs->c_size)) {
4351 		pr_err("alg: sig: sign test failed: invalid output\n");
4352 		hexdump(sig, sig_size);
4353 		return -EINVAL;
4354 	}
4355 
4356 	return 0;
4357 }
4358 
test_sig(struct crypto_sig * tfm,const char * alg,const struct sig_testvec * vecs,unsigned int tcount)4359 static int test_sig(struct crypto_sig *tfm, const char *alg,
4360 		    const struct sig_testvec *vecs, unsigned int tcount)
4361 {
4362 	const char *algo = crypto_tfm_alg_driver_name(crypto_sig_tfm(tfm));
4363 	int ret, i;
4364 
4365 	for (i = 0; i < tcount; i++) {
4366 		ret = test_sig_one(tfm, vecs++);
4367 		if (ret) {
4368 			pr_err("alg: sig: test %d failed for %s: err %d\n",
4369 			       i + 1, algo, ret);
4370 			return ret;
4371 		}
4372 	}
4373 	return 0;
4374 }
4375 
alg_test_sig(const struct alg_test_desc * desc,const char * driver,u32 type,u32 mask)4376 static int alg_test_sig(const struct alg_test_desc *desc, const char *driver,
4377 			u32 type, u32 mask)
4378 {
4379 	struct crypto_sig *tfm;
4380 	int err = 0;
4381 
4382 	tfm = crypto_alloc_sig(driver, type, mask);
4383 	if (IS_ERR(tfm)) {
4384 		pr_err("alg: sig: Failed to load tfm for %s: %ld\n",
4385 		       driver, PTR_ERR(tfm));
4386 		return PTR_ERR(tfm);
4387 	}
4388 	if (desc->suite.sig.vecs)
4389 		err = test_sig(tfm, desc->alg, desc->suite.sig.vecs,
4390 			       desc->suite.sig.count);
4391 
4392 	crypto_free_sig(tfm);
4393 	return err;
4394 }
4395 
alg_test_null(const struct alg_test_desc * desc,const char * driver,u32 type,u32 mask)4396 static int alg_test_null(const struct alg_test_desc *desc,
4397 			     const char *driver, u32 type, u32 mask)
4398 {
4399 	return 0;
4400 }
4401 
4402 #define ____VECS(tv)	.vecs = tv, .count = ARRAY_SIZE(tv)
4403 #define __VECS(tv)	{ ____VECS(tv) }
4404 
4405 /* Please keep this list sorted by algorithm name. */
4406 static const struct alg_test_desc alg_test_descs[] = {
4407 	{
4408 		.alg = "adiantum(xchacha12,aes)",
4409 		.generic_driver = "adiantum(xchacha12-generic,aes-generic,nhpoly1305-generic)",
4410 		.test = alg_test_skcipher,
4411 		.suite = {
4412 			.cipher = __VECS(adiantum_xchacha12_aes_tv_template)
4413 		},
4414 	}, {
4415 		.alg = "adiantum(xchacha20,aes)",
4416 		.generic_driver = "adiantum(xchacha20-generic,aes-generic,nhpoly1305-generic)",
4417 		.test = alg_test_skcipher,
4418 		.suite = {
4419 			.cipher = __VECS(adiantum_xchacha20_aes_tv_template)
4420 		},
4421 	}, {
4422 		.alg = "aegis128",
4423 		.test = alg_test_aead,
4424 		.suite = {
4425 			.aead = __VECS(aegis128_tv_template)
4426 		}
4427 	}, {
4428 		.alg = "ansi_cprng",
4429 		.test = alg_test_cprng,
4430 		.suite = {
4431 			.cprng = __VECS(ansi_cprng_aes_tv_template)
4432 		}
4433 	}, {
4434 		.alg = "authenc(hmac(md5),ecb(cipher_null))",
4435 		.test = alg_test_aead,
4436 		.suite = {
4437 			.aead = __VECS(hmac_md5_ecb_cipher_null_tv_template)
4438 		}
4439 	}, {
4440 		.alg = "authenc(hmac(sha1),cbc(aes))",
4441 		.test = alg_test_aead,
4442 		.fips_allowed = 1,
4443 		.suite = {
4444 			.aead = __VECS(hmac_sha1_aes_cbc_tv_temp)
4445 		}
4446 	}, {
4447 		.alg = "authenc(hmac(sha1),cbc(des))",
4448 		.test = alg_test_aead,
4449 		.suite = {
4450 			.aead = __VECS(hmac_sha1_des_cbc_tv_temp)
4451 		}
4452 	}, {
4453 		.alg = "authenc(hmac(sha1),cbc(des3_ede))",
4454 		.test = alg_test_aead,
4455 		.suite = {
4456 			.aead = __VECS(hmac_sha1_des3_ede_cbc_tv_temp)
4457 		}
4458 	}, {
4459 		.alg = "authenc(hmac(sha1),ctr(aes))",
4460 		.test = alg_test_null,
4461 		.fips_allowed = 1,
4462 	}, {
4463 		.alg = "authenc(hmac(sha1),ecb(cipher_null))",
4464 		.test = alg_test_aead,
4465 		.suite = {
4466 			.aead = __VECS(hmac_sha1_ecb_cipher_null_tv_temp)
4467 		}
4468 	}, {
4469 		.alg = "authenc(hmac(sha1),rfc3686(ctr(aes)))",
4470 		.test = alg_test_null,
4471 		.fips_allowed = 1,
4472 	}, {
4473 		.alg = "authenc(hmac(sha224),cbc(des))",
4474 		.test = alg_test_aead,
4475 		.suite = {
4476 			.aead = __VECS(hmac_sha224_des_cbc_tv_temp)
4477 		}
4478 	}, {
4479 		.alg = "authenc(hmac(sha224),cbc(des3_ede))",
4480 		.test = alg_test_aead,
4481 		.suite = {
4482 			.aead = __VECS(hmac_sha224_des3_ede_cbc_tv_temp)
4483 		}
4484 	}, {
4485 		.alg = "authenc(hmac(sha256),cbc(aes))",
4486 		.test = alg_test_aead,
4487 		.fips_allowed = 1,
4488 		.suite = {
4489 			.aead = __VECS(hmac_sha256_aes_cbc_tv_temp)
4490 		}
4491 	}, {
4492 		.alg = "authenc(hmac(sha256),cbc(des))",
4493 		.test = alg_test_aead,
4494 		.suite = {
4495 			.aead = __VECS(hmac_sha256_des_cbc_tv_temp)
4496 		}
4497 	}, {
4498 		.alg = "authenc(hmac(sha256),cbc(des3_ede))",
4499 		.test = alg_test_aead,
4500 		.suite = {
4501 			.aead = __VECS(hmac_sha256_des3_ede_cbc_tv_temp)
4502 		}
4503 	}, {
4504 		.alg = "authenc(hmac(sha256),ctr(aes))",
4505 		.test = alg_test_null,
4506 		.fips_allowed = 1,
4507 	}, {
4508 		.alg = "authenc(hmac(sha256),rfc3686(ctr(aes)))",
4509 		.test = alg_test_null,
4510 		.fips_allowed = 1,
4511 	}, {
4512 		.alg = "authenc(hmac(sha384),cbc(des))",
4513 		.test = alg_test_aead,
4514 		.suite = {
4515 			.aead = __VECS(hmac_sha384_des_cbc_tv_temp)
4516 		}
4517 	}, {
4518 		.alg = "authenc(hmac(sha384),cbc(des3_ede))",
4519 		.test = alg_test_aead,
4520 		.suite = {
4521 			.aead = __VECS(hmac_sha384_des3_ede_cbc_tv_temp)
4522 		}
4523 	}, {
4524 		.alg = "authenc(hmac(sha384),ctr(aes))",
4525 		.test = alg_test_null,
4526 		.fips_allowed = 1,
4527 	}, {
4528 		.alg = "authenc(hmac(sha384),rfc3686(ctr(aes)))",
4529 		.test = alg_test_null,
4530 		.fips_allowed = 1,
4531 	}, {
4532 		.alg = "authenc(hmac(sha512),cbc(aes))",
4533 		.fips_allowed = 1,
4534 		.test = alg_test_aead,
4535 		.suite = {
4536 			.aead = __VECS(hmac_sha512_aes_cbc_tv_temp)
4537 		}
4538 	}, {
4539 		.alg = "authenc(hmac(sha512),cbc(des))",
4540 		.test = alg_test_aead,
4541 		.suite = {
4542 			.aead = __VECS(hmac_sha512_des_cbc_tv_temp)
4543 		}
4544 	}, {
4545 		.alg = "authenc(hmac(sha512),cbc(des3_ede))",
4546 		.test = alg_test_aead,
4547 		.suite = {
4548 			.aead = __VECS(hmac_sha512_des3_ede_cbc_tv_temp)
4549 		}
4550 	}, {
4551 		.alg = "authenc(hmac(sha512),ctr(aes))",
4552 		.test = alg_test_null,
4553 		.fips_allowed = 1,
4554 	}, {
4555 		.alg = "authenc(hmac(sha512),rfc3686(ctr(aes)))",
4556 		.test = alg_test_null,
4557 		.fips_allowed = 1,
4558 	}, {
4559 		.alg = "blake2b-160",
4560 		.test = alg_test_hash,
4561 		.fips_allowed = 0,
4562 		.suite = {
4563 			.hash = __VECS(blake2b_160_tv_template)
4564 		}
4565 	}, {
4566 		.alg = "blake2b-256",
4567 		.test = alg_test_hash,
4568 		.fips_allowed = 0,
4569 		.suite = {
4570 			.hash = __VECS(blake2b_256_tv_template)
4571 		}
4572 	}, {
4573 		.alg = "blake2b-384",
4574 		.test = alg_test_hash,
4575 		.fips_allowed = 0,
4576 		.suite = {
4577 			.hash = __VECS(blake2b_384_tv_template)
4578 		}
4579 	}, {
4580 		.alg = "blake2b-512",
4581 		.test = alg_test_hash,
4582 		.fips_allowed = 0,
4583 		.suite = {
4584 			.hash = __VECS(blake2b_512_tv_template)
4585 		}
4586 	}, {
4587 		.alg = "cbc(aes)",
4588 		.test = alg_test_skcipher,
4589 		.fips_allowed = 1,
4590 		.suite = {
4591 			.cipher = __VECS(aes_cbc_tv_template)
4592 		},
4593 	}, {
4594 		.alg = "cbc(anubis)",
4595 		.test = alg_test_skcipher,
4596 		.suite = {
4597 			.cipher = __VECS(anubis_cbc_tv_template)
4598 		},
4599 	}, {
4600 		.alg = "cbc(aria)",
4601 		.test = alg_test_skcipher,
4602 		.suite = {
4603 			.cipher = __VECS(aria_cbc_tv_template)
4604 		},
4605 	}, {
4606 		.alg = "cbc(blowfish)",
4607 		.test = alg_test_skcipher,
4608 		.suite = {
4609 			.cipher = __VECS(bf_cbc_tv_template)
4610 		},
4611 	}, {
4612 		.alg = "cbc(camellia)",
4613 		.test = alg_test_skcipher,
4614 		.suite = {
4615 			.cipher = __VECS(camellia_cbc_tv_template)
4616 		},
4617 	}, {
4618 		.alg = "cbc(cast5)",
4619 		.test = alg_test_skcipher,
4620 		.suite = {
4621 			.cipher = __VECS(cast5_cbc_tv_template)
4622 		},
4623 	}, {
4624 		.alg = "cbc(cast6)",
4625 		.test = alg_test_skcipher,
4626 		.suite = {
4627 			.cipher = __VECS(cast6_cbc_tv_template)
4628 		},
4629 	}, {
4630 		.alg = "cbc(des)",
4631 		.test = alg_test_skcipher,
4632 		.suite = {
4633 			.cipher = __VECS(des_cbc_tv_template)
4634 		},
4635 	}, {
4636 		.alg = "cbc(des3_ede)",
4637 		.test = alg_test_skcipher,
4638 		.suite = {
4639 			.cipher = __VECS(des3_ede_cbc_tv_template)
4640 		},
4641 	}, {
4642 		/* Same as cbc(aes) except the key is stored in
4643 		 * hardware secure memory which we reference by index
4644 		 */
4645 		.alg = "cbc(paes)",
4646 		.test = alg_test_null,
4647 		.fips_allowed = 1,
4648 	}, {
4649 		/* Same as cbc(sm4) except the key is stored in
4650 		 * hardware secure memory which we reference by index
4651 		 */
4652 		.alg = "cbc(psm4)",
4653 		.test = alg_test_null,
4654 	}, {
4655 		.alg = "cbc(serpent)",
4656 		.test = alg_test_skcipher,
4657 		.suite = {
4658 			.cipher = __VECS(serpent_cbc_tv_template)
4659 		},
4660 	}, {
4661 		.alg = "cbc(sm4)",
4662 		.test = alg_test_skcipher,
4663 		.suite = {
4664 			.cipher = __VECS(sm4_cbc_tv_template)
4665 		}
4666 	}, {
4667 		.alg = "cbc(twofish)",
4668 		.test = alg_test_skcipher,
4669 		.suite = {
4670 			.cipher = __VECS(tf_cbc_tv_template)
4671 		},
4672 	}, {
4673 #if IS_ENABLED(CONFIG_CRYPTO_PAES_S390)
4674 		.alg = "cbc-paes-s390",
4675 		.fips_allowed = 1,
4676 		.test = alg_test_skcipher,
4677 		.suite = {
4678 			.cipher = __VECS(aes_cbc_tv_template)
4679 		}
4680 	}, {
4681 #endif
4682 		.alg = "cbcmac(aes)",
4683 		.test = alg_test_hash,
4684 		.suite = {
4685 			.hash = __VECS(aes_cbcmac_tv_template)
4686 		}
4687 	}, {
4688 		.alg = "cbcmac(sm4)",
4689 		.test = alg_test_hash,
4690 		.suite = {
4691 			.hash = __VECS(sm4_cbcmac_tv_template)
4692 		}
4693 	}, {
4694 		.alg = "ccm(aes)",
4695 		.generic_driver = "ccm_base(ctr(aes-generic),cbcmac(aes-generic))",
4696 		.test = alg_test_aead,
4697 		.fips_allowed = 1,
4698 		.suite = {
4699 			.aead = {
4700 				____VECS(aes_ccm_tv_template),
4701 				.einval_allowed = 1,
4702 			}
4703 		}
4704 	}, {
4705 		.alg = "ccm(sm4)",
4706 		.generic_driver = "ccm_base(ctr(sm4-generic),cbcmac(sm4-generic))",
4707 		.test = alg_test_aead,
4708 		.suite = {
4709 			.aead = {
4710 				____VECS(sm4_ccm_tv_template),
4711 				.einval_allowed = 1,
4712 			}
4713 		}
4714 	}, {
4715 		.alg = "chacha20",
4716 		.test = alg_test_skcipher,
4717 		.suite = {
4718 			.cipher = __VECS(chacha20_tv_template)
4719 		},
4720 	}, {
4721 		.alg = "cmac(aes)",
4722 		.fips_allowed = 1,
4723 		.test = alg_test_hash,
4724 		.suite = {
4725 			.hash = __VECS(aes_cmac128_tv_template)
4726 		}
4727 	}, {
4728 		.alg = "cmac(camellia)",
4729 		.test = alg_test_hash,
4730 		.suite = {
4731 			.hash = __VECS(camellia_cmac128_tv_template)
4732 		}
4733 	}, {
4734 		.alg = "cmac(des3_ede)",
4735 		.test = alg_test_hash,
4736 		.suite = {
4737 			.hash = __VECS(des3_ede_cmac64_tv_template)
4738 		}
4739 	}, {
4740 		.alg = "cmac(sm4)",
4741 		.test = alg_test_hash,
4742 		.suite = {
4743 			.hash = __VECS(sm4_cmac128_tv_template)
4744 		}
4745 	}, {
4746 		.alg = "compress_null",
4747 		.test = alg_test_null,
4748 	}, {
4749 		.alg = "crc32",
4750 		.test = alg_test_hash,
4751 		.fips_allowed = 1,
4752 		.suite = {
4753 			.hash = __VECS(crc32_tv_template)
4754 		}
4755 	}, {
4756 		.alg = "crc32c",
4757 		.test = alg_test_crc32c,
4758 		.fips_allowed = 1,
4759 		.suite = {
4760 			.hash = __VECS(crc32c_tv_template)
4761 		}
4762 	}, {
4763 		.alg = "crc64-rocksoft",
4764 		.test = alg_test_hash,
4765 		.fips_allowed = 1,
4766 		.suite = {
4767 			.hash = __VECS(crc64_rocksoft_tv_template)
4768 		}
4769 	}, {
4770 		.alg = "crct10dif",
4771 		.test = alg_test_hash,
4772 		.fips_allowed = 1,
4773 		.suite = {
4774 			.hash = __VECS(crct10dif_tv_template)
4775 		}
4776 	}, {
4777 		.alg = "ctr(aes)",
4778 		.test = alg_test_skcipher,
4779 		.fips_allowed = 1,
4780 		.suite = {
4781 			.cipher = __VECS(aes_ctr_tv_template)
4782 		}
4783 	}, {
4784 		.alg = "ctr(aria)",
4785 		.test = alg_test_skcipher,
4786 		.suite = {
4787 			.cipher = __VECS(aria_ctr_tv_template)
4788 		}
4789 	}, {
4790 		.alg = "ctr(blowfish)",
4791 		.test = alg_test_skcipher,
4792 		.suite = {
4793 			.cipher = __VECS(bf_ctr_tv_template)
4794 		}
4795 	}, {
4796 		.alg = "ctr(camellia)",
4797 		.test = alg_test_skcipher,
4798 		.suite = {
4799 			.cipher = __VECS(camellia_ctr_tv_template)
4800 		}
4801 	}, {
4802 		.alg = "ctr(cast5)",
4803 		.test = alg_test_skcipher,
4804 		.suite = {
4805 			.cipher = __VECS(cast5_ctr_tv_template)
4806 		}
4807 	}, {
4808 		.alg = "ctr(cast6)",
4809 		.test = alg_test_skcipher,
4810 		.suite = {
4811 			.cipher = __VECS(cast6_ctr_tv_template)
4812 		}
4813 	}, {
4814 		.alg = "ctr(des)",
4815 		.test = alg_test_skcipher,
4816 		.suite = {
4817 			.cipher = __VECS(des_ctr_tv_template)
4818 		}
4819 	}, {
4820 		.alg = "ctr(des3_ede)",
4821 		.test = alg_test_skcipher,
4822 		.suite = {
4823 			.cipher = __VECS(des3_ede_ctr_tv_template)
4824 		}
4825 	}, {
4826 		/* Same as ctr(aes) except the key is stored in
4827 		 * hardware secure memory which we reference by index
4828 		 */
4829 		.alg = "ctr(paes)",
4830 		.test = alg_test_null,
4831 		.fips_allowed = 1,
4832 	}, {
4833 
4834 		/* Same as ctr(sm4) except the key is stored in
4835 		 * hardware secure memory which we reference by index
4836 		 */
4837 		.alg = "ctr(psm4)",
4838 		.test = alg_test_null,
4839 	}, {
4840 		.alg = "ctr(serpent)",
4841 		.test = alg_test_skcipher,
4842 		.suite = {
4843 			.cipher = __VECS(serpent_ctr_tv_template)
4844 		}
4845 	}, {
4846 		.alg = "ctr(sm4)",
4847 		.test = alg_test_skcipher,
4848 		.suite = {
4849 			.cipher = __VECS(sm4_ctr_tv_template)
4850 		}
4851 	}, {
4852 		.alg = "ctr(twofish)",
4853 		.test = alg_test_skcipher,
4854 		.suite = {
4855 			.cipher = __VECS(tf_ctr_tv_template)
4856 		}
4857 	}, {
4858 #if IS_ENABLED(CONFIG_CRYPTO_PAES_S390)
4859 		.alg = "ctr-paes-s390",
4860 		.fips_allowed = 1,
4861 		.test = alg_test_skcipher,
4862 		.suite = {
4863 			.cipher = __VECS(aes_ctr_tv_template)
4864 		}
4865 	}, {
4866 #endif
4867 		.alg = "cts(cbc(aes))",
4868 		.test = alg_test_skcipher,
4869 		.fips_allowed = 1,
4870 		.suite = {
4871 			.cipher = __VECS(cts_mode_tv_template)
4872 		}
4873 	}, {
4874 		/* Same as cts(cbc((aes)) except the key is stored in
4875 		 * hardware secure memory which we reference by index
4876 		 */
4877 		.alg = "cts(cbc(paes))",
4878 		.test = alg_test_null,
4879 		.fips_allowed = 1,
4880 	}, {
4881 		.alg = "cts(cbc(sm4))",
4882 		.test = alg_test_skcipher,
4883 		.suite = {
4884 			.cipher = __VECS(sm4_cts_tv_template)
4885 		}
4886 	}, {
4887 		.alg = "curve25519",
4888 		.test = alg_test_kpp,
4889 		.suite = {
4890 			.kpp = __VECS(curve25519_tv_template)
4891 		}
4892 	}, {
4893 		.alg = "deflate",
4894 		.test = alg_test_comp,
4895 		.fips_allowed = 1,
4896 		.suite = {
4897 			.comp = {
4898 				.comp = __VECS(deflate_comp_tv_template),
4899 				.decomp = __VECS(deflate_decomp_tv_template)
4900 			}
4901 		}
4902 	}, {
4903 		.alg = "deflate-iaa",
4904 		.test = alg_test_comp,
4905 		.fips_allowed = 1,
4906 		.suite = {
4907 			.comp = {
4908 				.comp = __VECS(deflate_comp_tv_template),
4909 				.decomp = __VECS(deflate_decomp_tv_template)
4910 			}
4911 		}
4912 	}, {
4913 		.alg = "dh",
4914 		.test = alg_test_kpp,
4915 		.suite = {
4916 			.kpp = __VECS(dh_tv_template)
4917 		}
4918 	}, {
4919 		.alg = "digest_null",
4920 		.test = alg_test_null,
4921 	}, {
4922 		.alg = "drbg_nopr_ctr_aes128",
4923 		.test = alg_test_drbg,
4924 		.fips_allowed = 1,
4925 		.suite = {
4926 			.drbg = __VECS(drbg_nopr_ctr_aes128_tv_template)
4927 		}
4928 	}, {
4929 		.alg = "drbg_nopr_ctr_aes192",
4930 		.test = alg_test_drbg,
4931 		.fips_allowed = 1,
4932 		.suite = {
4933 			.drbg = __VECS(drbg_nopr_ctr_aes192_tv_template)
4934 		}
4935 	}, {
4936 		.alg = "drbg_nopr_ctr_aes256",
4937 		.test = alg_test_drbg,
4938 		.fips_allowed = 1,
4939 		.suite = {
4940 			.drbg = __VECS(drbg_nopr_ctr_aes256_tv_template)
4941 		}
4942 	}, {
4943 		.alg = "drbg_nopr_hmac_sha256",
4944 		.test = alg_test_drbg,
4945 		.fips_allowed = 1,
4946 		.suite = {
4947 			.drbg = __VECS(drbg_nopr_hmac_sha256_tv_template)
4948 		}
4949 	}, {
4950 		/*
4951 		 * There is no need to specifically test the DRBG with every
4952 		 * backend cipher -- covered by drbg_nopr_hmac_sha512 test
4953 		 */
4954 		.alg = "drbg_nopr_hmac_sha384",
4955 		.test = alg_test_null,
4956 	}, {
4957 		.alg = "drbg_nopr_hmac_sha512",
4958 		.test = alg_test_drbg,
4959 		.fips_allowed = 1,
4960 		.suite = {
4961 			.drbg = __VECS(drbg_nopr_hmac_sha512_tv_template)
4962 		}
4963 	}, {
4964 		.alg = "drbg_nopr_sha256",
4965 		.test = alg_test_drbg,
4966 		.fips_allowed = 1,
4967 		.suite = {
4968 			.drbg = __VECS(drbg_nopr_sha256_tv_template)
4969 		}
4970 	}, {
4971 		/* covered by drbg_nopr_sha256 test */
4972 		.alg = "drbg_nopr_sha384",
4973 		.test = alg_test_null,
4974 	}, {
4975 		.alg = "drbg_nopr_sha512",
4976 		.fips_allowed = 1,
4977 		.test = alg_test_null,
4978 	}, {
4979 		.alg = "drbg_pr_ctr_aes128",
4980 		.test = alg_test_drbg,
4981 		.fips_allowed = 1,
4982 		.suite = {
4983 			.drbg = __VECS(drbg_pr_ctr_aes128_tv_template)
4984 		}
4985 	}, {
4986 		/* covered by drbg_pr_ctr_aes128 test */
4987 		.alg = "drbg_pr_ctr_aes192",
4988 		.fips_allowed = 1,
4989 		.test = alg_test_null,
4990 	}, {
4991 		.alg = "drbg_pr_ctr_aes256",
4992 		.fips_allowed = 1,
4993 		.test = alg_test_null,
4994 	}, {
4995 		.alg = "drbg_pr_hmac_sha256",
4996 		.test = alg_test_drbg,
4997 		.fips_allowed = 1,
4998 		.suite = {
4999 			.drbg = __VECS(drbg_pr_hmac_sha256_tv_template)
5000 		}
5001 	}, {
5002 		/* covered by drbg_pr_hmac_sha256 test */
5003 		.alg = "drbg_pr_hmac_sha384",
5004 		.test = alg_test_null,
5005 	}, {
5006 		.alg = "drbg_pr_hmac_sha512",
5007 		.test = alg_test_null,
5008 		.fips_allowed = 1,
5009 	}, {
5010 		.alg = "drbg_pr_sha256",
5011 		.test = alg_test_drbg,
5012 		.fips_allowed = 1,
5013 		.suite = {
5014 			.drbg = __VECS(drbg_pr_sha256_tv_template)
5015 		}
5016 	}, {
5017 		/* covered by drbg_pr_sha256 test */
5018 		.alg = "drbg_pr_sha384",
5019 		.test = alg_test_null,
5020 	}, {
5021 		.alg = "drbg_pr_sha512",
5022 		.fips_allowed = 1,
5023 		.test = alg_test_null,
5024 	}, {
5025 		.alg = "ecb(aes)",
5026 		.test = alg_test_skcipher,
5027 		.fips_allowed = 1,
5028 		.suite = {
5029 			.cipher = __VECS(aes_tv_template)
5030 		}
5031 	}, {
5032 		.alg = "ecb(anubis)",
5033 		.test = alg_test_skcipher,
5034 		.suite = {
5035 			.cipher = __VECS(anubis_tv_template)
5036 		}
5037 	}, {
5038 		.alg = "ecb(arc4)",
5039 		.generic_driver = "arc4-generic",
5040 		.test = alg_test_skcipher,
5041 		.suite = {
5042 			.cipher = __VECS(arc4_tv_template)
5043 		}
5044 	}, {
5045 		.alg = "ecb(aria)",
5046 		.test = alg_test_skcipher,
5047 		.suite = {
5048 			.cipher = __VECS(aria_tv_template)
5049 		}
5050 	}, {
5051 		.alg = "ecb(blowfish)",
5052 		.test = alg_test_skcipher,
5053 		.suite = {
5054 			.cipher = __VECS(bf_tv_template)
5055 		}
5056 	}, {
5057 		.alg = "ecb(camellia)",
5058 		.test = alg_test_skcipher,
5059 		.suite = {
5060 			.cipher = __VECS(camellia_tv_template)
5061 		}
5062 	}, {
5063 		.alg = "ecb(cast5)",
5064 		.test = alg_test_skcipher,
5065 		.suite = {
5066 			.cipher = __VECS(cast5_tv_template)
5067 		}
5068 	}, {
5069 		.alg = "ecb(cast6)",
5070 		.test = alg_test_skcipher,
5071 		.suite = {
5072 			.cipher = __VECS(cast6_tv_template)
5073 		}
5074 	}, {
5075 		.alg = "ecb(cipher_null)",
5076 		.test = alg_test_null,
5077 		.fips_allowed = 1,
5078 	}, {
5079 		.alg = "ecb(des)",
5080 		.test = alg_test_skcipher,
5081 		.suite = {
5082 			.cipher = __VECS(des_tv_template)
5083 		}
5084 	}, {
5085 		.alg = "ecb(des3_ede)",
5086 		.test = alg_test_skcipher,
5087 		.suite = {
5088 			.cipher = __VECS(des3_ede_tv_template)
5089 		}
5090 	}, {
5091 		.alg = "ecb(fcrypt)",
5092 		.test = alg_test_skcipher,
5093 		.suite = {
5094 			.cipher = {
5095 				.vecs = fcrypt_pcbc_tv_template,
5096 				.count = 1
5097 			}
5098 		}
5099 	}, {
5100 		.alg = "ecb(khazad)",
5101 		.test = alg_test_skcipher,
5102 		.suite = {
5103 			.cipher = __VECS(khazad_tv_template)
5104 		}
5105 	}, {
5106 		/* Same as ecb(aes) except the key is stored in
5107 		 * hardware secure memory which we reference by index
5108 		 */
5109 		.alg = "ecb(paes)",
5110 		.test = alg_test_null,
5111 		.fips_allowed = 1,
5112 	}, {
5113 		.alg = "ecb(seed)",
5114 		.test = alg_test_skcipher,
5115 		.suite = {
5116 			.cipher = __VECS(seed_tv_template)
5117 		}
5118 	}, {
5119 		.alg = "ecb(serpent)",
5120 		.test = alg_test_skcipher,
5121 		.suite = {
5122 			.cipher = __VECS(serpent_tv_template)
5123 		}
5124 	}, {
5125 		.alg = "ecb(sm4)",
5126 		.test = alg_test_skcipher,
5127 		.suite = {
5128 			.cipher = __VECS(sm4_tv_template)
5129 		}
5130 	}, {
5131 		.alg = "ecb(tea)",
5132 		.test = alg_test_skcipher,
5133 		.suite = {
5134 			.cipher = __VECS(tea_tv_template)
5135 		}
5136 	}, {
5137 		.alg = "ecb(twofish)",
5138 		.test = alg_test_skcipher,
5139 		.suite = {
5140 			.cipher = __VECS(tf_tv_template)
5141 		}
5142 	}, {
5143 		.alg = "ecb(xeta)",
5144 		.test = alg_test_skcipher,
5145 		.suite = {
5146 			.cipher = __VECS(xeta_tv_template)
5147 		}
5148 	}, {
5149 		.alg = "ecb(xtea)",
5150 		.test = alg_test_skcipher,
5151 		.suite = {
5152 			.cipher = __VECS(xtea_tv_template)
5153 		}
5154 	}, {
5155 #if IS_ENABLED(CONFIG_CRYPTO_PAES_S390)
5156 		.alg = "ecb-paes-s390",
5157 		.fips_allowed = 1,
5158 		.test = alg_test_skcipher,
5159 		.suite = {
5160 			.cipher = __VECS(aes_tv_template)
5161 		}
5162 	}, {
5163 #endif
5164 		.alg = "ecdh-nist-p192",
5165 		.test = alg_test_kpp,
5166 		.suite = {
5167 			.kpp = __VECS(ecdh_p192_tv_template)
5168 		}
5169 	}, {
5170 		.alg = "ecdh-nist-p256",
5171 		.test = alg_test_kpp,
5172 		.fips_allowed = 1,
5173 		.suite = {
5174 			.kpp = __VECS(ecdh_p256_tv_template)
5175 		}
5176 	}, {
5177 		.alg = "ecdh-nist-p384",
5178 		.test = alg_test_kpp,
5179 		.fips_allowed = 1,
5180 		.suite = {
5181 			.kpp = __VECS(ecdh_p384_tv_template)
5182 		}
5183 	}, {
5184 		.alg = "ecdsa-nist-p192",
5185 		.test = alg_test_sig,
5186 		.suite = {
5187 			.sig = __VECS(ecdsa_nist_p192_tv_template)
5188 		}
5189 	}, {
5190 		.alg = "ecdsa-nist-p256",
5191 		.test = alg_test_sig,
5192 		.fips_allowed = 1,
5193 		.suite = {
5194 			.sig = __VECS(ecdsa_nist_p256_tv_template)
5195 		}
5196 	}, {
5197 		.alg = "ecdsa-nist-p384",
5198 		.test = alg_test_sig,
5199 		.fips_allowed = 1,
5200 		.suite = {
5201 			.sig = __VECS(ecdsa_nist_p384_tv_template)
5202 		}
5203 	}, {
5204 		.alg = "ecdsa-nist-p521",
5205 		.test = alg_test_sig,
5206 		.fips_allowed = 1,
5207 		.suite = {
5208 			.sig = __VECS(ecdsa_nist_p521_tv_template)
5209 		}
5210 	}, {
5211 		.alg = "ecrdsa",
5212 		.test = alg_test_sig,
5213 		.suite = {
5214 			.sig = __VECS(ecrdsa_tv_template)
5215 		}
5216 	}, {
5217 		.alg = "essiv(authenc(hmac(sha256),cbc(aes)),sha256)",
5218 		.test = alg_test_aead,
5219 		.fips_allowed = 1,
5220 		.suite = {
5221 			.aead = __VECS(essiv_hmac_sha256_aes_cbc_tv_temp)
5222 		}
5223 	}, {
5224 		.alg = "essiv(cbc(aes),sha256)",
5225 		.test = alg_test_skcipher,
5226 		.fips_allowed = 1,
5227 		.suite = {
5228 			.cipher = __VECS(essiv_aes_cbc_tv_template)
5229 		}
5230 	}, {
5231 #if IS_ENABLED(CONFIG_CRYPTO_DH_RFC7919_GROUPS)
5232 		.alg = "ffdhe2048(dh)",
5233 		.test = alg_test_kpp,
5234 		.fips_allowed = 1,
5235 		.suite = {
5236 			.kpp = __VECS(ffdhe2048_dh_tv_template)
5237 		}
5238 	}, {
5239 		.alg = "ffdhe3072(dh)",
5240 		.test = alg_test_kpp,
5241 		.fips_allowed = 1,
5242 		.suite = {
5243 			.kpp = __VECS(ffdhe3072_dh_tv_template)
5244 		}
5245 	}, {
5246 		.alg = "ffdhe4096(dh)",
5247 		.test = alg_test_kpp,
5248 		.fips_allowed = 1,
5249 		.suite = {
5250 			.kpp = __VECS(ffdhe4096_dh_tv_template)
5251 		}
5252 	}, {
5253 		.alg = "ffdhe6144(dh)",
5254 		.test = alg_test_kpp,
5255 		.fips_allowed = 1,
5256 		.suite = {
5257 			.kpp = __VECS(ffdhe6144_dh_tv_template)
5258 		}
5259 	}, {
5260 		.alg = "ffdhe8192(dh)",
5261 		.test = alg_test_kpp,
5262 		.fips_allowed = 1,
5263 		.suite = {
5264 			.kpp = __VECS(ffdhe8192_dh_tv_template)
5265 		}
5266 	}, {
5267 #endif /* CONFIG_CRYPTO_DH_RFC7919_GROUPS */
5268 		.alg = "gcm(aes)",
5269 		.generic_driver = "gcm_base(ctr(aes-generic),ghash-generic)",
5270 		.test = alg_test_aead,
5271 		.fips_allowed = 1,
5272 		.suite = {
5273 			.aead = __VECS(aes_gcm_tv_template)
5274 		}
5275 	}, {
5276 		.alg = "gcm(aria)",
5277 		.generic_driver = "gcm_base(ctr(aria-generic),ghash-generic)",
5278 		.test = alg_test_aead,
5279 		.suite = {
5280 			.aead = __VECS(aria_gcm_tv_template)
5281 		}
5282 	}, {
5283 		.alg = "gcm(sm4)",
5284 		.generic_driver = "gcm_base(ctr(sm4-generic),ghash-generic)",
5285 		.test = alg_test_aead,
5286 		.suite = {
5287 			.aead = __VECS(sm4_gcm_tv_template)
5288 		}
5289 	}, {
5290 		.alg = "ghash",
5291 		.test = alg_test_hash,
5292 		.suite = {
5293 			.hash = __VECS(ghash_tv_template)
5294 		}
5295 	}, {
5296 		.alg = "hctr2(aes)",
5297 		.generic_driver =
5298 		    "hctr2_base(xctr(aes-generic),polyval-generic)",
5299 		.test = alg_test_skcipher,
5300 		.suite = {
5301 			.cipher = __VECS(aes_hctr2_tv_template)
5302 		}
5303 	}, {
5304 		.alg = "hmac(md5)",
5305 		.test = alg_test_hash,
5306 		.suite = {
5307 			.hash = __VECS(hmac_md5_tv_template)
5308 		}
5309 	}, {
5310 		.alg = "hmac(rmd160)",
5311 		.test = alg_test_hash,
5312 		.suite = {
5313 			.hash = __VECS(hmac_rmd160_tv_template)
5314 		}
5315 	}, {
5316 		.alg = "hmac(sha1)",
5317 		.test = alg_test_hash,
5318 		.fips_allowed = 1,
5319 		.suite = {
5320 			.hash = __VECS(hmac_sha1_tv_template)
5321 		}
5322 	}, {
5323 		.alg = "hmac(sha224)",
5324 		.test = alg_test_hash,
5325 		.fips_allowed = 1,
5326 		.suite = {
5327 			.hash = __VECS(hmac_sha224_tv_template)
5328 		}
5329 	}, {
5330 		.alg = "hmac(sha256)",
5331 		.test = alg_test_hash,
5332 		.fips_allowed = 1,
5333 		.suite = {
5334 			.hash = __VECS(hmac_sha256_tv_template)
5335 		}
5336 	}, {
5337 		.alg = "hmac(sha3-224)",
5338 		.test = alg_test_hash,
5339 		.fips_allowed = 1,
5340 		.suite = {
5341 			.hash = __VECS(hmac_sha3_224_tv_template)
5342 		}
5343 	}, {
5344 		.alg = "hmac(sha3-256)",
5345 		.test = alg_test_hash,
5346 		.fips_allowed = 1,
5347 		.suite = {
5348 			.hash = __VECS(hmac_sha3_256_tv_template)
5349 		}
5350 	}, {
5351 		.alg = "hmac(sha3-384)",
5352 		.test = alg_test_hash,
5353 		.fips_allowed = 1,
5354 		.suite = {
5355 			.hash = __VECS(hmac_sha3_384_tv_template)
5356 		}
5357 	}, {
5358 		.alg = "hmac(sha3-512)",
5359 		.test = alg_test_hash,
5360 		.fips_allowed = 1,
5361 		.suite = {
5362 			.hash = __VECS(hmac_sha3_512_tv_template)
5363 		}
5364 	}, {
5365 		.alg = "hmac(sha384)",
5366 		.test = alg_test_hash,
5367 		.fips_allowed = 1,
5368 		.suite = {
5369 			.hash = __VECS(hmac_sha384_tv_template)
5370 		}
5371 	}, {
5372 		.alg = "hmac(sha512)",
5373 		.test = alg_test_hash,
5374 		.fips_allowed = 1,
5375 		.suite = {
5376 			.hash = __VECS(hmac_sha512_tv_template)
5377 		}
5378 	}, {
5379 		.alg = "hmac(sm3)",
5380 		.test = alg_test_hash,
5381 		.suite = {
5382 			.hash = __VECS(hmac_sm3_tv_template)
5383 		}
5384 	}, {
5385 		.alg = "hmac(streebog256)",
5386 		.test = alg_test_hash,
5387 		.suite = {
5388 			.hash = __VECS(hmac_streebog256_tv_template)
5389 		}
5390 	}, {
5391 		.alg = "hmac(streebog512)",
5392 		.test = alg_test_hash,
5393 		.suite = {
5394 			.hash = __VECS(hmac_streebog512_tv_template)
5395 		}
5396 	}, {
5397 		.alg = "jitterentropy_rng",
5398 		.fips_allowed = 1,
5399 		.test = alg_test_null,
5400 	}, {
5401 		.alg = "lrw(aes)",
5402 		.generic_driver = "lrw(ecb(aes-generic))",
5403 		.test = alg_test_skcipher,
5404 		.suite = {
5405 			.cipher = __VECS(aes_lrw_tv_template)
5406 		}
5407 	}, {
5408 		.alg = "lrw(camellia)",
5409 		.generic_driver = "lrw(ecb(camellia-generic))",
5410 		.test = alg_test_skcipher,
5411 		.suite = {
5412 			.cipher = __VECS(camellia_lrw_tv_template)
5413 		}
5414 	}, {
5415 		.alg = "lrw(cast6)",
5416 		.generic_driver = "lrw(ecb(cast6-generic))",
5417 		.test = alg_test_skcipher,
5418 		.suite = {
5419 			.cipher = __VECS(cast6_lrw_tv_template)
5420 		}
5421 	}, {
5422 		.alg = "lrw(serpent)",
5423 		.generic_driver = "lrw(ecb(serpent-generic))",
5424 		.test = alg_test_skcipher,
5425 		.suite = {
5426 			.cipher = __VECS(serpent_lrw_tv_template)
5427 		}
5428 	}, {
5429 		.alg = "lrw(twofish)",
5430 		.generic_driver = "lrw(ecb(twofish-generic))",
5431 		.test = alg_test_skcipher,
5432 		.suite = {
5433 			.cipher = __VECS(tf_lrw_tv_template)
5434 		}
5435 	}, {
5436 		.alg = "lz4",
5437 		.test = alg_test_comp,
5438 		.fips_allowed = 1,
5439 		.suite = {
5440 			.comp = {
5441 				.comp = __VECS(lz4_comp_tv_template),
5442 				.decomp = __VECS(lz4_decomp_tv_template)
5443 			}
5444 		}
5445 	}, {
5446 		.alg = "lz4hc",
5447 		.test = alg_test_comp,
5448 		.fips_allowed = 1,
5449 		.suite = {
5450 			.comp = {
5451 				.comp = __VECS(lz4hc_comp_tv_template),
5452 				.decomp = __VECS(lz4hc_decomp_tv_template)
5453 			}
5454 		}
5455 	}, {
5456 		.alg = "lzo",
5457 		.test = alg_test_comp,
5458 		.fips_allowed = 1,
5459 		.suite = {
5460 			.comp = {
5461 				.comp = __VECS(lzo_comp_tv_template),
5462 				.decomp = __VECS(lzo_decomp_tv_template)
5463 			}
5464 		}
5465 	}, {
5466 		.alg = "lzo-rle",
5467 		.test = alg_test_comp,
5468 		.fips_allowed = 1,
5469 		.suite = {
5470 			.comp = {
5471 				.comp = __VECS(lzorle_comp_tv_template),
5472 				.decomp = __VECS(lzorle_decomp_tv_template)
5473 			}
5474 		}
5475 	}, {
5476 		.alg = "md4",
5477 		.test = alg_test_hash,
5478 		.suite = {
5479 			.hash = __VECS(md4_tv_template)
5480 		}
5481 	}, {
5482 		.alg = "md5",
5483 		.test = alg_test_hash,
5484 		.suite = {
5485 			.hash = __VECS(md5_tv_template)
5486 		}
5487 	}, {
5488 		.alg = "michael_mic",
5489 		.test = alg_test_hash,
5490 		.suite = {
5491 			.hash = __VECS(michael_mic_tv_template)
5492 		}
5493 	}, {
5494 		.alg = "nhpoly1305",
5495 		.test = alg_test_hash,
5496 		.suite = {
5497 			.hash = __VECS(nhpoly1305_tv_template)
5498 		}
5499 	}, {
5500 		.alg = "p1363(ecdsa-nist-p192)",
5501 		.test = alg_test_null,
5502 	}, {
5503 		.alg = "p1363(ecdsa-nist-p256)",
5504 		.test = alg_test_sig,
5505 		.fips_allowed = 1,
5506 		.suite = {
5507 			.sig = __VECS(p1363_ecdsa_nist_p256_tv_template)
5508 		}
5509 	}, {
5510 		.alg = "p1363(ecdsa-nist-p384)",
5511 		.test = alg_test_null,
5512 		.fips_allowed = 1,
5513 	}, {
5514 		.alg = "p1363(ecdsa-nist-p521)",
5515 		.test = alg_test_null,
5516 		.fips_allowed = 1,
5517 	}, {
5518 		.alg = "pcbc(fcrypt)",
5519 		.test = alg_test_skcipher,
5520 		.suite = {
5521 			.cipher = __VECS(fcrypt_pcbc_tv_template)
5522 		}
5523 	}, {
5524 		.alg = "pkcs1(rsa,none)",
5525 		.test = alg_test_sig,
5526 		.suite = {
5527 			.sig = __VECS(pkcs1_rsa_none_tv_template)
5528 		}
5529 	}, {
5530 		.alg = "pkcs1(rsa,sha224)",
5531 		.test = alg_test_null,
5532 		.fips_allowed = 1,
5533 	}, {
5534 		.alg = "pkcs1(rsa,sha256)",
5535 		.test = alg_test_sig,
5536 		.fips_allowed = 1,
5537 		.suite = {
5538 			.sig = __VECS(pkcs1_rsa_tv_template)
5539 		}
5540 	}, {
5541 		.alg = "pkcs1(rsa,sha3-256)",
5542 		.test = alg_test_null,
5543 		.fips_allowed = 1,
5544 	}, {
5545 		.alg = "pkcs1(rsa,sha3-384)",
5546 		.test = alg_test_null,
5547 		.fips_allowed = 1,
5548 	}, {
5549 		.alg = "pkcs1(rsa,sha3-512)",
5550 		.test = alg_test_null,
5551 		.fips_allowed = 1,
5552 	}, {
5553 		.alg = "pkcs1(rsa,sha384)",
5554 		.test = alg_test_null,
5555 		.fips_allowed = 1,
5556 	}, {
5557 		.alg = "pkcs1(rsa,sha512)",
5558 		.test = alg_test_null,
5559 		.fips_allowed = 1,
5560 	}, {
5561 		.alg = "pkcs1pad(rsa)",
5562 		.test = alg_test_null,
5563 		.fips_allowed = 1,
5564 	}, {
5565 		.alg = "poly1305",
5566 		.test = alg_test_hash,
5567 		.suite = {
5568 			.hash = __VECS(poly1305_tv_template)
5569 		}
5570 	}, {
5571 		.alg = "polyval",
5572 		.test = alg_test_hash,
5573 		.suite = {
5574 			.hash = __VECS(polyval_tv_template)
5575 		}
5576 	}, {
5577 		.alg = "rfc3686(ctr(aes))",
5578 		.test = alg_test_skcipher,
5579 		.fips_allowed = 1,
5580 		.suite = {
5581 			.cipher = __VECS(aes_ctr_rfc3686_tv_template)
5582 		}
5583 	}, {
5584 		.alg = "rfc3686(ctr(sm4))",
5585 		.test = alg_test_skcipher,
5586 		.suite = {
5587 			.cipher = __VECS(sm4_ctr_rfc3686_tv_template)
5588 		}
5589 	}, {
5590 		.alg = "rfc4106(gcm(aes))",
5591 		.generic_driver = "rfc4106(gcm_base(ctr(aes-generic),ghash-generic))",
5592 		.test = alg_test_aead,
5593 		.fips_allowed = 1,
5594 		.suite = {
5595 			.aead = {
5596 				____VECS(aes_gcm_rfc4106_tv_template),
5597 				.einval_allowed = 1,
5598 				.aad_iv = 1,
5599 			}
5600 		}
5601 	}, {
5602 		.alg = "rfc4309(ccm(aes))",
5603 		.generic_driver = "rfc4309(ccm_base(ctr(aes-generic),cbcmac(aes-generic)))",
5604 		.test = alg_test_aead,
5605 		.fips_allowed = 1,
5606 		.suite = {
5607 			.aead = {
5608 				____VECS(aes_ccm_rfc4309_tv_template),
5609 				.einval_allowed = 1,
5610 				.aad_iv = 1,
5611 			}
5612 		}
5613 	}, {
5614 		.alg = "rfc4543(gcm(aes))",
5615 		.generic_driver = "rfc4543(gcm_base(ctr(aes-generic),ghash-generic))",
5616 		.test = alg_test_aead,
5617 		.suite = {
5618 			.aead = {
5619 				____VECS(aes_gcm_rfc4543_tv_template),
5620 				.einval_allowed = 1,
5621 				.aad_iv = 1,
5622 			}
5623 		}
5624 	}, {
5625 		.alg = "rfc7539(chacha20,poly1305)",
5626 		.test = alg_test_aead,
5627 		.suite = {
5628 			.aead = __VECS(rfc7539_tv_template)
5629 		}
5630 	}, {
5631 		.alg = "rfc7539esp(chacha20,poly1305)",
5632 		.test = alg_test_aead,
5633 		.suite = {
5634 			.aead = {
5635 				____VECS(rfc7539esp_tv_template),
5636 				.einval_allowed = 1,
5637 				.aad_iv = 1,
5638 			}
5639 		}
5640 	}, {
5641 		.alg = "rmd160",
5642 		.test = alg_test_hash,
5643 		.suite = {
5644 			.hash = __VECS(rmd160_tv_template)
5645 		}
5646 	}, {
5647 		.alg = "rsa",
5648 		.test = alg_test_akcipher,
5649 		.fips_allowed = 1,
5650 		.suite = {
5651 			.akcipher = __VECS(rsa_tv_template)
5652 		}
5653 	}, {
5654 		.alg = "sha1",
5655 		.test = alg_test_hash,
5656 		.fips_allowed = 1,
5657 		.suite = {
5658 			.hash = __VECS(sha1_tv_template)
5659 		}
5660 	}, {
5661 		.alg = "sha224",
5662 		.test = alg_test_hash,
5663 		.fips_allowed = 1,
5664 		.suite = {
5665 			.hash = __VECS(sha224_tv_template)
5666 		}
5667 	}, {
5668 		.alg = "sha256",
5669 		.test = alg_test_hash,
5670 		.fips_allowed = 1,
5671 		.suite = {
5672 			.hash = __VECS(sha256_tv_template)
5673 		}
5674 	}, {
5675 		.alg = "sha3-224",
5676 		.test = alg_test_hash,
5677 		.fips_allowed = 1,
5678 		.suite = {
5679 			.hash = __VECS(sha3_224_tv_template)
5680 		}
5681 	}, {
5682 		.alg = "sha3-256",
5683 		.test = alg_test_hash,
5684 		.fips_allowed = 1,
5685 		.suite = {
5686 			.hash = __VECS(sha3_256_tv_template)
5687 		}
5688 	}, {
5689 		.alg = "sha3-384",
5690 		.test = alg_test_hash,
5691 		.fips_allowed = 1,
5692 		.suite = {
5693 			.hash = __VECS(sha3_384_tv_template)
5694 		}
5695 	}, {
5696 		.alg = "sha3-512",
5697 		.test = alg_test_hash,
5698 		.fips_allowed = 1,
5699 		.suite = {
5700 			.hash = __VECS(sha3_512_tv_template)
5701 		}
5702 	}, {
5703 		.alg = "sha384",
5704 		.test = alg_test_hash,
5705 		.fips_allowed = 1,
5706 		.suite = {
5707 			.hash = __VECS(sha384_tv_template)
5708 		}
5709 	}, {
5710 		.alg = "sha512",
5711 		.test = alg_test_hash,
5712 		.fips_allowed = 1,
5713 		.suite = {
5714 			.hash = __VECS(sha512_tv_template)
5715 		}
5716 	}, {
5717 		.alg = "sm3",
5718 		.test = alg_test_hash,
5719 		.suite = {
5720 			.hash = __VECS(sm3_tv_template)
5721 		}
5722 	}, {
5723 		.alg = "streebog256",
5724 		.test = alg_test_hash,
5725 		.suite = {
5726 			.hash = __VECS(streebog256_tv_template)
5727 		}
5728 	}, {
5729 		.alg = "streebog512",
5730 		.test = alg_test_hash,
5731 		.suite = {
5732 			.hash = __VECS(streebog512_tv_template)
5733 		}
5734 	}, {
5735 		.alg = "wp256",
5736 		.test = alg_test_hash,
5737 		.suite = {
5738 			.hash = __VECS(wp256_tv_template)
5739 		}
5740 	}, {
5741 		.alg = "wp384",
5742 		.test = alg_test_hash,
5743 		.suite = {
5744 			.hash = __VECS(wp384_tv_template)
5745 		}
5746 	}, {
5747 		.alg = "wp512",
5748 		.test = alg_test_hash,
5749 		.suite = {
5750 			.hash = __VECS(wp512_tv_template)
5751 		}
5752 	}, {
5753 		.alg = "x962(ecdsa-nist-p192)",
5754 		.test = alg_test_sig,
5755 		.suite = {
5756 			.sig = __VECS(x962_ecdsa_nist_p192_tv_template)
5757 		}
5758 	}, {
5759 		.alg = "x962(ecdsa-nist-p256)",
5760 		.test = alg_test_sig,
5761 		.fips_allowed = 1,
5762 		.suite = {
5763 			.sig = __VECS(x962_ecdsa_nist_p256_tv_template)
5764 		}
5765 	}, {
5766 		.alg = "x962(ecdsa-nist-p384)",
5767 		.test = alg_test_sig,
5768 		.fips_allowed = 1,
5769 		.suite = {
5770 			.sig = __VECS(x962_ecdsa_nist_p384_tv_template)
5771 		}
5772 	}, {
5773 		.alg = "x962(ecdsa-nist-p521)",
5774 		.test = alg_test_sig,
5775 		.fips_allowed = 1,
5776 		.suite = {
5777 			.sig = __VECS(x962_ecdsa_nist_p521_tv_template)
5778 		}
5779 	}, {
5780 		.alg = "xcbc(aes)",
5781 		.test = alg_test_hash,
5782 		.suite = {
5783 			.hash = __VECS(aes_xcbc128_tv_template)
5784 		}
5785 	}, {
5786 		.alg = "xcbc(sm4)",
5787 		.test = alg_test_hash,
5788 		.suite = {
5789 			.hash = __VECS(sm4_xcbc128_tv_template)
5790 		}
5791 	}, {
5792 		.alg = "xchacha12",
5793 		.test = alg_test_skcipher,
5794 		.suite = {
5795 			.cipher = __VECS(xchacha12_tv_template)
5796 		},
5797 	}, {
5798 		.alg = "xchacha20",
5799 		.test = alg_test_skcipher,
5800 		.suite = {
5801 			.cipher = __VECS(xchacha20_tv_template)
5802 		},
5803 	}, {
5804 		.alg = "xctr(aes)",
5805 		.test = alg_test_skcipher,
5806 		.suite = {
5807 			.cipher = __VECS(aes_xctr_tv_template)
5808 		}
5809 	}, {
5810 		.alg = "xts(aes)",
5811 		.generic_driver = "xts(ecb(aes-generic))",
5812 		.test = alg_test_skcipher,
5813 		.fips_allowed = 1,
5814 		.suite = {
5815 			.cipher = __VECS(aes_xts_tv_template)
5816 		}
5817 	}, {
5818 		.alg = "xts(camellia)",
5819 		.generic_driver = "xts(ecb(camellia-generic))",
5820 		.test = alg_test_skcipher,
5821 		.suite = {
5822 			.cipher = __VECS(camellia_xts_tv_template)
5823 		}
5824 	}, {
5825 		.alg = "xts(cast6)",
5826 		.generic_driver = "xts(ecb(cast6-generic))",
5827 		.test = alg_test_skcipher,
5828 		.suite = {
5829 			.cipher = __VECS(cast6_xts_tv_template)
5830 		}
5831 	}, {
5832 		/* Same as xts(aes) except the key is stored in
5833 		 * hardware secure memory which we reference by index
5834 		 */
5835 		.alg = "xts(paes)",
5836 		.test = alg_test_null,
5837 		.fips_allowed = 1,
5838 	}, {
5839 		.alg = "xts(serpent)",
5840 		.generic_driver = "xts(ecb(serpent-generic))",
5841 		.test = alg_test_skcipher,
5842 		.suite = {
5843 			.cipher = __VECS(serpent_xts_tv_template)
5844 		}
5845 	}, {
5846 		.alg = "xts(sm4)",
5847 		.generic_driver = "xts(ecb(sm4-generic))",
5848 		.test = alg_test_skcipher,
5849 		.suite = {
5850 			.cipher = __VECS(sm4_xts_tv_template)
5851 		}
5852 	}, {
5853 		.alg = "xts(twofish)",
5854 		.generic_driver = "xts(ecb(twofish-generic))",
5855 		.test = alg_test_skcipher,
5856 		.suite = {
5857 			.cipher = __VECS(tf_xts_tv_template)
5858 		}
5859 	}, {
5860 #if IS_ENABLED(CONFIG_CRYPTO_PAES_S390)
5861 		.alg = "xts-paes-s390",
5862 		.fips_allowed = 1,
5863 		.test = alg_test_skcipher,
5864 		.suite = {
5865 			.cipher = __VECS(aes_xts_tv_template)
5866 		}
5867 	}, {
5868 #endif
5869 		.alg = "xxhash64",
5870 		.test = alg_test_hash,
5871 		.fips_allowed = 1,
5872 		.suite = {
5873 			.hash = __VECS(xxhash64_tv_template)
5874 		}
5875 	}, {
5876 		.alg = "zstd",
5877 		.test = alg_test_comp,
5878 		.fips_allowed = 1,
5879 		.suite = {
5880 			.comp = {
5881 				.comp = __VECS(zstd_comp_tv_template),
5882 				.decomp = __VECS(zstd_decomp_tv_template)
5883 			}
5884 		}
5885 	}
5886 };
5887 
alg_check_test_descs_order(void)5888 static void alg_check_test_descs_order(void)
5889 {
5890 	int i;
5891 
5892 	for (i = 1; i < ARRAY_SIZE(alg_test_descs); i++) {
5893 		int diff = strcmp(alg_test_descs[i - 1].alg,
5894 				  alg_test_descs[i].alg);
5895 
5896 		if (WARN_ON(diff > 0)) {
5897 			pr_warn("testmgr: alg_test_descs entries in wrong order: '%s' before '%s'\n",
5898 				alg_test_descs[i - 1].alg,
5899 				alg_test_descs[i].alg);
5900 		}
5901 
5902 		if (WARN_ON(diff == 0)) {
5903 			pr_warn("testmgr: duplicate alg_test_descs entry: '%s'\n",
5904 				alg_test_descs[i].alg);
5905 		}
5906 	}
5907 }
5908 
alg_check_testvec_configs(void)5909 static void alg_check_testvec_configs(void)
5910 {
5911 	int i;
5912 
5913 	for (i = 0; i < ARRAY_SIZE(default_cipher_testvec_configs); i++)
5914 		WARN_ON(!valid_testvec_config(
5915 				&default_cipher_testvec_configs[i]));
5916 
5917 	for (i = 0; i < ARRAY_SIZE(default_hash_testvec_configs); i++)
5918 		WARN_ON(!valid_testvec_config(
5919 				&default_hash_testvec_configs[i]));
5920 }
5921 
testmgr_onetime_init(void)5922 static void testmgr_onetime_init(void)
5923 {
5924 	alg_check_test_descs_order();
5925 	alg_check_testvec_configs();
5926 
5927 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
5928 	pr_warn("alg: extra crypto tests enabled.  This is intended for developer use only.\n");
5929 #endif
5930 }
5931 
alg_find_test(const char * alg)5932 static int alg_find_test(const char *alg)
5933 {
5934 	int start = 0;
5935 	int end = ARRAY_SIZE(alg_test_descs);
5936 
5937 	while (start < end) {
5938 		int i = (start + end) / 2;
5939 		int diff = strcmp(alg_test_descs[i].alg, alg);
5940 
5941 		if (diff > 0) {
5942 			end = i;
5943 			continue;
5944 		}
5945 
5946 		if (diff < 0) {
5947 			start = i + 1;
5948 			continue;
5949 		}
5950 
5951 		return i;
5952 	}
5953 
5954 	return -1;
5955 }
5956 
alg_fips_disabled(const char * driver,const char * alg)5957 static int alg_fips_disabled(const char *driver, const char *alg)
5958 {
5959 	pr_info("alg: %s (%s) is disabled due to FIPS\n", alg, driver);
5960 
5961 	return -ECANCELED;
5962 }
5963 
alg_test(const char * driver,const char * alg,u32 type,u32 mask)5964 int alg_test(const char *driver, const char *alg, u32 type, u32 mask)
5965 {
5966 	int i;
5967 	int j;
5968 	int rc;
5969 
5970 	if (!fips_enabled && notests) {
5971 		printk_once(KERN_INFO "alg: self-tests disabled\n");
5972 		return 0;
5973 	}
5974 
5975 	DO_ONCE(testmgr_onetime_init);
5976 
5977 	if ((type & CRYPTO_ALG_TYPE_MASK) == CRYPTO_ALG_TYPE_CIPHER) {
5978 		char nalg[CRYPTO_MAX_ALG_NAME];
5979 
5980 		if (snprintf(nalg, sizeof(nalg), "ecb(%s)", alg) >=
5981 		    sizeof(nalg))
5982 			return -ENAMETOOLONG;
5983 
5984 		i = alg_find_test(nalg);
5985 		if (i < 0)
5986 			goto notest;
5987 
5988 		if (fips_enabled && !alg_test_descs[i].fips_allowed)
5989 			goto non_fips_alg;
5990 
5991 		rc = alg_test_cipher(alg_test_descs + i, driver, type, mask);
5992 		goto test_done;
5993 	}
5994 
5995 	i = alg_find_test(alg);
5996 	j = alg_find_test(driver);
5997 	if (i < 0 && j < 0)
5998 		goto notest;
5999 
6000 	if (fips_enabled) {
6001 		if (j >= 0 && !alg_test_descs[j].fips_allowed)
6002 			return -EINVAL;
6003 
6004 		if (i >= 0 && !alg_test_descs[i].fips_allowed)
6005 			goto non_fips_alg;
6006 	}
6007 
6008 	rc = 0;
6009 	if (i >= 0)
6010 		rc |= alg_test_descs[i].test(alg_test_descs + i, driver,
6011 					     type, mask);
6012 	if (j >= 0 && j != i)
6013 		rc |= alg_test_descs[j].test(alg_test_descs + j, driver,
6014 					     type, mask);
6015 
6016 test_done:
6017 	if (rc) {
6018 		if (fips_enabled || panic_on_fail) {
6019 			fips_fail_notify();
6020 			panic("alg: self-tests for %s (%s) failed in %s mode!\n",
6021 			      driver, alg,
6022 			      fips_enabled ? "fips" : "panic_on_fail");
6023 		}
6024 		pr_warn("alg: self-tests for %s using %s failed (rc=%d)",
6025 			alg, driver, rc);
6026 		WARN(rc != -ENOENT,
6027 		     "alg: self-tests for %s using %s failed (rc=%d)",
6028 		     alg, driver, rc);
6029 	} else {
6030 		if (fips_enabled)
6031 			pr_info("alg: self-tests for %s (%s) passed\n",
6032 				driver, alg);
6033 	}
6034 
6035 	return rc;
6036 
6037 notest:
6038 	if ((type & CRYPTO_ALG_TYPE_MASK) == CRYPTO_ALG_TYPE_LSKCIPHER) {
6039 		char nalg[CRYPTO_MAX_ALG_NAME];
6040 
6041 		if (snprintf(nalg, sizeof(nalg), "ecb(%s)", alg) >=
6042 		    sizeof(nalg))
6043 			goto notest2;
6044 
6045 		i = alg_find_test(nalg);
6046 		if (i < 0)
6047 			goto notest2;
6048 
6049 		if (fips_enabled && !alg_test_descs[i].fips_allowed)
6050 			goto non_fips_alg;
6051 
6052 		rc = alg_test_skcipher(alg_test_descs + i, driver, type, mask);
6053 		goto test_done;
6054 	}
6055 
6056 notest2:
6057 	printk(KERN_INFO "alg: No test for %s (%s)\n", alg, driver);
6058 
6059 	if (type & CRYPTO_ALG_FIPS_INTERNAL)
6060 		return alg_fips_disabled(driver, alg);
6061 
6062 	return 0;
6063 non_fips_alg:
6064 	return alg_fips_disabled(driver, alg);
6065 }
6066 
6067 #endif /* CONFIG_CRYPTO_MANAGER_DISABLE_TESTS */
6068 
6069 EXPORT_SYMBOL_GPL(alg_test);
6070