testmgr.c 150 KB
Newer Older
1
// SPDX-License-Identifier: GPL-2.0-or-later
2 3 4 5 6 7 8
/*
 * Algorithm testing framework and tests.
 *
 * Copyright (c) 2002 James Morris <jmorris@intercode.com.au>
 * Copyright (c) 2002 Jean-Francois Dive <jef@linuxbe.org>
 * Copyright (c) 2007 Nokia Siemens Networks
 * Copyright (c) 2008 Herbert Xu <herbert@gondor.apana.org.au>
9
 * Copyright (c) 2019 Google LLC
10
 *
11 12 13 14 15 16
 * Updated RFC4106 AES-GCM testing.
 *    Authors: Aidan O'Mahony (aidan.o.mahony@intel.com)
 *             Adrian Hoban <adrian.hoban@intel.com>
 *             Gabriele Paoloni <gabriele.paoloni@intel.com>
 *             Tadeusz Struk (tadeusz.struk@intel.com)
 *    Copyright (c) 2010, Intel Corporation.
17 18
 */

19
#include <crypto/aead.h>
20
#include <crypto/hash.h>
21
#include <crypto/skcipher.h>
22
#include <linux/err.h>
23
#include <linux/fips.h>
24
#include <linux/module.h>
25
#include <linux/once.h>
26
#include <linux/random.h>
27 28 29
#include <linux/scatterlist.h>
#include <linux/slab.h>
#include <linux/string.h>
30
#include <linux/uio.h>
31
#include <crypto/rng.h>
32
#include <crypto/drbg.h>
33
#include <crypto/akcipher.h>
34
#include <crypto/kpp.h>
35
#include <crypto/acompress.h>
36
#include <crypto/internal/cipher.h>
37
#include <crypto/internal/simd.h>
38 39

#include "internal.h"
40

41 42
MODULE_IMPORT_NS(CRYPTO_INTERNAL);

43 44 45 46
static bool notests;
module_param(notests, bool, 0644);
MODULE_PARM_DESC(notests, "disable crypto self-tests");

47 48 49
static bool panic_on_fail;
module_param(panic_on_fail, bool, 0444);

50 51 52 53 54 55 56 57 58 59
#ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
static bool noextratests;
module_param(noextratests, bool, 0644);
MODULE_PARM_DESC(noextratests, "disable expensive crypto self-tests");

static unsigned int fuzz_iterations = 100;
module_param(fuzz_iterations, uint, 0644);
MODULE_PARM_DESC(fuzz_iterations, "number of fuzz test iterations");
#endif

60
#ifdef CONFIG_CRYPTO_MANAGER_DISABLE_TESTS
61 62 63 64 65 66 67 68 69

/* a perfect nop */
int alg_test(const char *driver, const char *alg, u32 type, u32 mask)
{
	return 0;
}

#else

70 71 72 73 74 75 76 77 78 79 80 81 82 83
#include "testmgr.h"

/*
 * Need slab memory for testing (size in number of pages).
 */
#define XBUFSIZE	8

/*
* Used by test_cipher()
*/
#define ENCRYPT 1
#define DECRYPT 0

struct aead_test_suite {
84 85
	const struct aead_testvec *vecs;
	unsigned int count;
86 87 88 89 90 91 92 93 94

	/*
	 * Set if trying to decrypt an inauthentic ciphertext with this
	 * algorithm might result in EINVAL rather than EBADMSG, due to other
	 * validation the algorithm does on the inputs such as length checks.
	 */
	unsigned int einval_allowed : 1;

	/*
95 96 97
	 * Set if this algorithm requires that the IV be located at the end of
	 * the AAD buffer, in addition to being given in the normal way.  The
	 * behavior when the two IV copies differ is implementation-defined.
98
	 */
99
	unsigned int aad_iv : 1;
100 101 102
};

struct cipher_test_suite {
103 104
	const struct cipher_testvec *vecs;
	unsigned int count;
105 106 107 108
};

struct comp_test_suite {
	struct {
109
		const struct comp_testvec *vecs;
110 111 112 113 114
		unsigned int count;
	} comp, decomp;
};

struct hash_test_suite {
115
	const struct hash_testvec *vecs;
116 117 118
	unsigned int count;
};

119
struct cprng_test_suite {
120
	const struct cprng_testvec *vecs;
121 122 123
	unsigned int count;
};

124
struct drbg_test_suite {
125
	const struct drbg_testvec *vecs;
126 127 128
	unsigned int count;
};

129
struct akcipher_test_suite {
130
	const struct akcipher_testvec *vecs;
131 132 133
	unsigned int count;
};

134
struct kpp_test_suite {
135
	const struct kpp_testvec *vecs;
136 137 138
	unsigned int count;
};

139 140
struct alg_test_desc {
	const char *alg;
141
	const char *generic_driver;
142 143
	int (*test)(const struct alg_test_desc *desc, const char *driver,
		    u32 type, u32 mask);
144
	int fips_allowed;	/* set if alg is allowed in fips mode */
145 146 147 148 149 150

	union {
		struct aead_test_suite aead;
		struct cipher_test_suite cipher;
		struct comp_test_suite comp;
		struct hash_test_suite hash;
151
		struct cprng_test_suite cprng;
152
		struct drbg_test_suite drbg;
153
		struct akcipher_test_suite akcipher;
154
		struct kpp_test_suite kpp;
155 156 157 158 159 160 161 162 163 164
	} suite;
};

static void hexdump(unsigned char *buf, unsigned int len)
{
	print_hex_dump(KERN_CONT, "", DUMP_PREFIX_OFFSET,
			16, 1,
			buf, len, false);
}

165
static int __testmgr_alloc_buf(char *buf[XBUFSIZE], int order)
166 167 168 169
{
	int i;

	for (i = 0; i < XBUFSIZE; i++) {
170
		buf[i] = (char *)__get_free_pages(GFP_KERNEL, order);
171 172 173 174 175 176 177 178
		if (!buf[i])
			goto err_free_buf;
	}

	return 0;

err_free_buf:
	while (i-- > 0)
179
		free_pages((unsigned long)buf[i], order);
180 181 182 183

	return -ENOMEM;
}

184 185 186 187 188 189
static int testmgr_alloc_buf(char *buf[XBUFSIZE])
{
	return __testmgr_alloc_buf(buf, 0);
}

static void __testmgr_free_buf(char *buf[XBUFSIZE], int order)
190 191 192 193
{
	int i;

	for (i = 0; i < XBUFSIZE; i++)
194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234
		free_pages((unsigned long)buf[i], order);
}

static void testmgr_free_buf(char *buf[XBUFSIZE])
{
	__testmgr_free_buf(buf, 0);
}

#define TESTMGR_POISON_BYTE	0xfe
#define TESTMGR_POISON_LEN	16

static inline void testmgr_poison(void *addr, size_t len)
{
	memset(addr, TESTMGR_POISON_BYTE, len);
}

/* Is the memory region still fully poisoned? */
static inline bool testmgr_is_poison(const void *addr, size_t len)
{
	return memchr_inv(addr, TESTMGR_POISON_BYTE, len) == NULL;
}

/* flush type for hash algorithms */
enum flush_type {
	/* merge with update of previous buffer(s) */
	FLUSH_TYPE_NONE = 0,

	/* update with previous buffer(s) before doing this one */
	FLUSH_TYPE_FLUSH,

	/* likewise, but also export and re-import the intermediate state */
	FLUSH_TYPE_REIMPORT,
};

/* finalization function for hash algorithms */
enum finalization_type {
	FINALIZATION_TYPE_FINAL,	/* use final() */
	FINALIZATION_TYPE_FINUP,	/* use finup() */
	FINALIZATION_TYPE_DIGEST,	/* use digest() */
};

235 236 237 238 239 240 241 242 243 244 245 246 247 248
/*
 * Whether the crypto operation will occur in-place, and if so whether the
 * source and destination scatterlist pointers will coincide (req->src ==
 * req->dst), or whether they'll merely point to two separate scatterlists
 * (req->src != req->dst) that reference the same underlying memory.
 *
 * This is only relevant for algorithm types that support in-place operation.
 */
enum inplace_mode {
	OUT_OF_PLACE,
	INPLACE_ONE_SGLIST,
	INPLACE_TWO_SGLISTS,
};

249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264
#define TEST_SG_TOTAL	10000

/**
 * struct test_sg_division - description of a scatterlist entry
 *
 * This struct describes one entry of a scatterlist being constructed to check a
 * crypto test vector.
 *
 * @proportion_of_total: length of this chunk relative to the total length,
 *			 given as a proportion out of TEST_SG_TOTAL so that it
 *			 scales to fit any test vector
 * @offset: byte offset into a 2-page buffer at which this chunk will start
 * @offset_relative_to_alignmask: if true, add the algorithm's alignmask to the
 *				  @offset
 * @flush_type: for hashes, whether an update() should be done now vs.
 *		continuing to accumulate data
265
 * @nosimd: if doing the pending update(), do it with SIMD disabled?
266 267 268 269 270 271
 */
struct test_sg_division {
	unsigned int proportion_of_total;
	unsigned int offset;
	bool offset_relative_to_alignmask;
	enum flush_type flush_type;
272
	bool nosimd;
273 274 275 276 277 278 279 280 281
};

/**
 * struct testvec_config - configuration for testing a crypto test vector
 *
 * This struct describes the data layout and other parameters with which each
 * crypto test vector can be tested.
 *
 * @name: name of this config, logged for debugging purposes if a test fails
282
 * @inplace_mode: whether and how to operate on the data in-place, if applicable
283 284 285 286 287 288 289 290
 * @req_flags: extra request_flags, e.g. CRYPTO_TFM_REQ_MAY_SLEEP
 * @src_divs: description of how to arrange the source scatterlist
 * @dst_divs: description of how to arrange the dst scatterlist, if applicable
 *	      for the algorithm type.  Defaults to @src_divs if unset.
 * @iv_offset: misalignment of the IV in the range [0..MAX_ALGAPI_ALIGNMASK+1],
 *	       where 0 is aligned to a 2*(MAX_ALGAPI_ALIGNMASK+1) byte boundary
 * @iv_offset_relative_to_alignmask: if true, add the algorithm's alignmask to
 *				     the @iv_offset
291 292 293
 * @key_offset: misalignment of the key, where 0 is default alignment
 * @key_offset_relative_to_alignmask: if true, add the algorithm's alignmask to
 *				      the @key_offset
294
 * @finalization_type: what finalization function to use for hashes
295
 * @nosimd: execute with SIMD disabled?  Requires !CRYPTO_TFM_REQ_MAY_SLEEP.
296 297 298
 */
struct testvec_config {
	const char *name;
299
	enum inplace_mode inplace_mode;
300 301 302 303
	u32 req_flags;
	struct test_sg_division src_divs[XBUFSIZE];
	struct test_sg_division dst_divs[XBUFSIZE];
	unsigned int iv_offset;
304
	unsigned int key_offset;
305
	bool iv_offset_relative_to_alignmask;
306
	bool key_offset_relative_to_alignmask;
307
	enum finalization_type finalization_type;
308
	bool nosimd;
309 310 311 312
};

#define TESTVEC_CONFIG_NAMELEN	192

313 314 315 316 317 318 319 320 321 322 323
/*
 * The following are the lists of testvec_configs to test for each algorithm
 * type when the basic crypto self-tests are enabled, i.e. when
 * CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is unset.  They aim to provide good test
 * coverage, while keeping the test time much shorter than the full fuzz tests
 * so that the basic tests can be enabled in a wider range of circumstances.
 */

/* Configs for skciphers and aeads */
static const struct testvec_config default_cipher_testvec_configs[] = {
	{
324 325 326 327 328 329
		.name = "in-place (one sglist)",
		.inplace_mode = INPLACE_ONE_SGLIST,
		.src_divs = { { .proportion_of_total = 10000 } },
	}, {
		.name = "in-place (two sglists)",
		.inplace_mode = INPLACE_TWO_SGLISTS,
330 331 332
		.src_divs = { { .proportion_of_total = 10000 } },
	}, {
		.name = "out-of-place",
333
		.inplace_mode = OUT_OF_PLACE,
334 335 336 337 338
		.src_divs = { { .proportion_of_total = 10000 } },
	}, {
		.name = "unaligned buffer, offset=1",
		.src_divs = { { .proportion_of_total = 10000, .offset = 1 } },
		.iv_offset = 1,
339
		.key_offset = 1,
340 341 342 343 344 345 346 347 348 349 350
	}, {
		.name = "buffer aligned only to alignmask",
		.src_divs = {
			{
				.proportion_of_total = 10000,
				.offset = 1,
				.offset_relative_to_alignmask = true,
			},
		},
		.iv_offset = 1,
		.iv_offset_relative_to_alignmask = true,
351 352
		.key_offset = 1,
		.key_offset_relative_to_alignmask = true,
353 354 355 356 357 358 359 360 361 362 363 364 365 366 367
	}, {
		.name = "two even aligned splits",
		.src_divs = {
			{ .proportion_of_total = 5000 },
			{ .proportion_of_total = 5000 },
		},
	}, {
		.name = "uneven misaligned splits, may sleep",
		.req_flags = CRYPTO_TFM_REQ_MAY_SLEEP,
		.src_divs = {
			{ .proportion_of_total = 1900, .offset = 33 },
			{ .proportion_of_total = 3300, .offset = 7  },
			{ .proportion_of_total = 4800, .offset = 18 },
		},
		.iv_offset = 3,
368
		.key_offset = 3,
369 370
	}, {
		.name = "misaligned splits crossing pages, inplace",
371
		.inplace_mode = INPLACE_ONE_SGLIST,
372 373 374 375 376 377 378 379 380 381 382 383
		.src_divs = {
			{
				.proportion_of_total = 7500,
				.offset = PAGE_SIZE - 32
			}, {
				.proportion_of_total = 2500,
				.offset = PAGE_SIZE - 7
			},
		},
	}
};

384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400
static const struct testvec_config default_hash_testvec_configs[] = {
	{
		.name = "init+update+final aligned buffer",
		.src_divs = { { .proportion_of_total = 10000 } },
		.finalization_type = FINALIZATION_TYPE_FINAL,
	}, {
		.name = "init+finup aligned buffer",
		.src_divs = { { .proportion_of_total = 10000 } },
		.finalization_type = FINALIZATION_TYPE_FINUP,
	}, {
		.name = "digest aligned buffer",
		.src_divs = { { .proportion_of_total = 10000 } },
		.finalization_type = FINALIZATION_TYPE_DIGEST,
	}, {
		.name = "init+update+final misaligned buffer",
		.src_divs = { { .proportion_of_total = 10000, .offset = 1 } },
		.finalization_type = FINALIZATION_TYPE_FINAL,
401
		.key_offset = 1,
402 403 404 405 406 407 408 409 410 411
	}, {
		.name = "digest buffer aligned only to alignmask",
		.src_divs = {
			{
				.proportion_of_total = 10000,
				.offset = 1,
				.offset_relative_to_alignmask = true,
			},
		},
		.finalization_type = FINALIZATION_TYPE_DIGEST,
412 413
		.key_offset = 1,
		.key_offset_relative_to_alignmask = true,
414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459
	}, {
		.name = "init+update+update+final two even splits",
		.src_divs = {
			{ .proportion_of_total = 5000 },
			{
				.proportion_of_total = 5000,
				.flush_type = FLUSH_TYPE_FLUSH,
			},
		},
		.finalization_type = FINALIZATION_TYPE_FINAL,
	}, {
		.name = "digest uneven misaligned splits, may sleep",
		.req_flags = CRYPTO_TFM_REQ_MAY_SLEEP,
		.src_divs = {
			{ .proportion_of_total = 1900, .offset = 33 },
			{ .proportion_of_total = 3300, .offset = 7  },
			{ .proportion_of_total = 4800, .offset = 18 },
		},
		.finalization_type = FINALIZATION_TYPE_DIGEST,
	}, {
		.name = "digest misaligned splits crossing pages",
		.src_divs = {
			{
				.proportion_of_total = 7500,
				.offset = PAGE_SIZE - 32,
			}, {
				.proportion_of_total = 2500,
				.offset = PAGE_SIZE - 7,
			},
		},
		.finalization_type = FINALIZATION_TYPE_DIGEST,
	}, {
		.name = "import/export",
		.src_divs = {
			{
				.proportion_of_total = 6500,
				.flush_type = FLUSH_TYPE_REIMPORT,
			}, {
				.proportion_of_total = 3500,
				.flush_type = FLUSH_TYPE_REIMPORT,
			},
		},
		.finalization_type = FINALIZATION_TYPE_FINAL,
	}
};

460 461 462 463 464 465 466 467 468 469 470 471
static unsigned int count_test_sg_divisions(const struct test_sg_division *divs)
{
	unsigned int remaining = TEST_SG_TOTAL;
	unsigned int ndivs = 0;

	do {
		remaining -= divs[ndivs++].proportion_of_total;
	} while (remaining);

	return ndivs;
}

472 473 474
#define SGDIVS_HAVE_FLUSHES	BIT(0)
#define SGDIVS_HAVE_NOSIMD	BIT(1)

475
static bool valid_sg_divisions(const struct test_sg_division *divs,
476
			       unsigned int count, int *flags_ret)
477 478 479 480 481 482 483 484 485 486
{
	unsigned int total = 0;
	unsigned int i;

	for (i = 0; i < count && total != TEST_SG_TOTAL; i++) {
		if (divs[i].proportion_of_total <= 0 ||
		    divs[i].proportion_of_total > TEST_SG_TOTAL - total)
			return false;
		total += divs[i].proportion_of_total;
		if (divs[i].flush_type != FLUSH_TYPE_NONE)
487 488 489
			*flags_ret |= SGDIVS_HAVE_FLUSHES;
		if (divs[i].nosimd)
			*flags_ret |= SGDIVS_HAVE_NOSIMD;
490 491 492 493 494 495 496 497 498 499 500 501
	}
	return total == TEST_SG_TOTAL &&
		memchr_inv(&divs[i], 0, (count - i) * sizeof(divs[0])) == NULL;
}

/*
 * Check whether the given testvec_config is valid.  This isn't strictly needed
 * since every testvec_config should be valid, but check anyway so that people
 * don't unknowingly add broken configs that don't do what they wanted.
 */
static bool valid_testvec_config(const struct testvec_config *cfg)
{
502
	int flags = 0;
503 504 505 506 507

	if (cfg->name == NULL)
		return false;

	if (!valid_sg_divisions(cfg->src_divs, ARRAY_SIZE(cfg->src_divs),
508
				&flags))
509 510 511 512
		return false;

	if (cfg->dst_divs[0].proportion_of_total) {
		if (!valid_sg_divisions(cfg->dst_divs,
513
					ARRAY_SIZE(cfg->dst_divs), &flags))
514 515 516 517 518 519 520 521 522 523 524 525
			return false;
	} else {
		if (memchr_inv(cfg->dst_divs, 0, sizeof(cfg->dst_divs)))
			return false;
		/* defaults to dst_divs=src_divs */
	}

	if (cfg->iv_offset +
	    (cfg->iv_offset_relative_to_alignmask ? MAX_ALGAPI_ALIGNMASK : 0) >
	    MAX_ALGAPI_ALIGNMASK + 1)
		return false;

526 527 528 529 530 531
	if ((flags & (SGDIVS_HAVE_FLUSHES | SGDIVS_HAVE_NOSIMD)) &&
	    cfg->finalization_type == FINALIZATION_TYPE_DIGEST)
		return false;

	if ((cfg->nosimd || (flags & SGDIVS_HAVE_NOSIMD)) &&
	    (cfg->req_flags & CRYPTO_TFM_REQ_MAY_SLEEP))
532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770
		return false;

	return true;
}

struct test_sglist {
	char *bufs[XBUFSIZE];
	struct scatterlist sgl[XBUFSIZE];
	struct scatterlist sgl_saved[XBUFSIZE];
	struct scatterlist *sgl_ptr;
	unsigned int nents;
};

static int init_test_sglist(struct test_sglist *tsgl)
{
	return __testmgr_alloc_buf(tsgl->bufs, 1 /* two pages per buffer */);
}

static void destroy_test_sglist(struct test_sglist *tsgl)
{
	return __testmgr_free_buf(tsgl->bufs, 1 /* two pages per buffer */);
}

/**
 * build_test_sglist() - build a scatterlist for a crypto test
 *
 * @tsgl: the scatterlist to build.  @tsgl->bufs[] contains an array of 2-page
 *	  buffers which the scatterlist @tsgl->sgl[] will be made to point into.
 * @divs: the layout specification on which the scatterlist will be based
 * @alignmask: the algorithm's alignmask
 * @total_len: the total length of the scatterlist to build in bytes
 * @data: if non-NULL, the buffers will be filled with this data until it ends.
 *	  Otherwise the buffers will be poisoned.  In both cases, some bytes
 *	  past the end of each buffer will be poisoned to help detect overruns.
 * @out_divs: if non-NULL, the test_sg_division to which each scatterlist entry
 *	      corresponds will be returned here.  This will match @divs except
 *	      that divisions resolving to a length of 0 are omitted as they are
 *	      not included in the scatterlist.
 *
 * Return: 0 or a -errno value
 */
static int build_test_sglist(struct test_sglist *tsgl,
			     const struct test_sg_division *divs,
			     const unsigned int alignmask,
			     const unsigned int total_len,
			     struct iov_iter *data,
			     const struct test_sg_division *out_divs[XBUFSIZE])
{
	struct {
		const struct test_sg_division *div;
		size_t length;
	} partitions[XBUFSIZE];
	const unsigned int ndivs = count_test_sg_divisions(divs);
	unsigned int len_remaining = total_len;
	unsigned int i;

	BUILD_BUG_ON(ARRAY_SIZE(partitions) != ARRAY_SIZE(tsgl->sgl));
	if (WARN_ON(ndivs > ARRAY_SIZE(partitions)))
		return -EINVAL;

	/* Calculate the (div, length) pairs */
	tsgl->nents = 0;
	for (i = 0; i < ndivs; i++) {
		unsigned int len_this_sg =
			min(len_remaining,
			    (total_len * divs[i].proportion_of_total +
			     TEST_SG_TOTAL / 2) / TEST_SG_TOTAL);

		if (len_this_sg != 0) {
			partitions[tsgl->nents].div = &divs[i];
			partitions[tsgl->nents].length = len_this_sg;
			tsgl->nents++;
			len_remaining -= len_this_sg;
		}
	}
	if (tsgl->nents == 0) {
		partitions[tsgl->nents].div = &divs[0];
		partitions[tsgl->nents].length = 0;
		tsgl->nents++;
	}
	partitions[tsgl->nents - 1].length += len_remaining;

	/* Set up the sgl entries and fill the data or poison */
	sg_init_table(tsgl->sgl, tsgl->nents);
	for (i = 0; i < tsgl->nents; i++) {
		unsigned int offset = partitions[i].div->offset;
		void *addr;

		if (partitions[i].div->offset_relative_to_alignmask)
			offset += alignmask;

		while (offset + partitions[i].length + TESTMGR_POISON_LEN >
		       2 * PAGE_SIZE) {
			if (WARN_ON(offset <= 0))
				return -EINVAL;
			offset /= 2;
		}

		addr = &tsgl->bufs[i][offset];
		sg_set_buf(&tsgl->sgl[i], addr, partitions[i].length);

		if (out_divs)
			out_divs[i] = partitions[i].div;

		if (data) {
			size_t copy_len, copied;

			copy_len = min(partitions[i].length, data->count);
			copied = copy_from_iter(addr, copy_len, data);
			if (WARN_ON(copied != copy_len))
				return -EINVAL;
			testmgr_poison(addr + copy_len, partitions[i].length +
				       TESTMGR_POISON_LEN - copy_len);
		} else {
			testmgr_poison(addr, partitions[i].length +
				       TESTMGR_POISON_LEN);
		}
	}

	sg_mark_end(&tsgl->sgl[tsgl->nents - 1]);
	tsgl->sgl_ptr = tsgl->sgl;
	memcpy(tsgl->sgl_saved, tsgl->sgl, tsgl->nents * sizeof(tsgl->sgl[0]));
	return 0;
}

/*
 * Verify that a scatterlist crypto operation produced the correct output.
 *
 * @tsgl: scatterlist containing the actual output
 * @expected_output: buffer containing the expected output
 * @len_to_check: length of @expected_output in bytes
 * @unchecked_prefix_len: number of ignored bytes in @tsgl prior to real result
 * @check_poison: verify that the poison bytes after each chunk are intact?
 *
 * Return: 0 if correct, -EINVAL if incorrect, -EOVERFLOW if buffer overrun.
 */
static int verify_correct_output(const struct test_sglist *tsgl,
				 const char *expected_output,
				 unsigned int len_to_check,
				 unsigned int unchecked_prefix_len,
				 bool check_poison)
{
	unsigned int i;

	for (i = 0; i < tsgl->nents; i++) {
		struct scatterlist *sg = &tsgl->sgl_ptr[i];
		unsigned int len = sg->length;
		unsigned int offset = sg->offset;
		const char *actual_output;

		if (unchecked_prefix_len) {
			if (unchecked_prefix_len >= len) {
				unchecked_prefix_len -= len;
				continue;
			}
			offset += unchecked_prefix_len;
			len -= unchecked_prefix_len;
			unchecked_prefix_len = 0;
		}
		len = min(len, len_to_check);
		actual_output = page_address(sg_page(sg)) + offset;
		if (memcmp(expected_output, actual_output, len) != 0)
			return -EINVAL;
		if (check_poison &&
		    !testmgr_is_poison(actual_output + len, TESTMGR_POISON_LEN))
			return -EOVERFLOW;
		len_to_check -= len;
		expected_output += len;
	}
	if (WARN_ON(len_to_check != 0))
		return -EINVAL;
	return 0;
}

static bool is_test_sglist_corrupted(const struct test_sglist *tsgl)
{
	unsigned int i;

	for (i = 0; i < tsgl->nents; i++) {
		if (tsgl->sgl[i].page_link != tsgl->sgl_saved[i].page_link)
			return true;
		if (tsgl->sgl[i].offset != tsgl->sgl_saved[i].offset)
			return true;
		if (tsgl->sgl[i].length != tsgl->sgl_saved[i].length)
			return true;
	}
	return false;
}

struct cipher_test_sglists {
	struct test_sglist src;
	struct test_sglist dst;
};

static struct cipher_test_sglists *alloc_cipher_test_sglists(void)
{
	struct cipher_test_sglists *tsgls;

	tsgls = kmalloc(sizeof(*tsgls), GFP_KERNEL);
	if (!tsgls)
		return NULL;

	if (init_test_sglist(&tsgls->src) != 0)
		goto fail_kfree;
	if (init_test_sglist(&tsgls->dst) != 0)
		goto fail_destroy_src;

	return tsgls;

fail_destroy_src:
	destroy_test_sglist(&tsgls->src);
fail_kfree:
	kfree(tsgls);
	return NULL;
}

static void free_cipher_test_sglists(struct cipher_test_sglists *tsgls)
{
	if (tsgls) {
		destroy_test_sglist(&tsgls->src);
		destroy_test_sglist(&tsgls->dst);
		kfree(tsgls);
	}
}

/* Build the src and dst scatterlists for an skcipher or AEAD test */
static int build_cipher_test_sglists(struct cipher_test_sglists *tsgls,
				     const struct testvec_config *cfg,
				     unsigned int alignmask,
				     unsigned int src_total_len,
				     unsigned int dst_total_len,
				     const struct kvec *inputs,
				     unsigned int nr_inputs)
{
	struct iov_iter input;
	int err;

	iov_iter_kvec(&input, WRITE, inputs, nr_inputs, src_total_len);
	err = build_test_sglist(&tsgls->src, cfg->src_divs, alignmask,
771
				cfg->inplace_mode != OUT_OF_PLACE ?
772 773 774 775 776 777
					max(dst_total_len, src_total_len) :
					src_total_len,
				&input, NULL);
	if (err)
		return err;

778 779 780 781 782 783 784
	/*
	 * In-place crypto operations can use the same scatterlist for both the
	 * source and destination (req->src == req->dst), or can use separate
	 * scatterlists (req->src != req->dst) which point to the same
	 * underlying memory.  Make sure to test both cases.
	 */
	if (cfg->inplace_mode == INPLACE_ONE_SGLIST) {
785 786 787 788
		tsgls->dst.sgl_ptr = tsgls->src.sgl;
		tsgls->dst.nents = tsgls->src.nents;
		return 0;
	}
789 790 791 792 793 794 795 796 797 798 799 800 801 802 803
	if (cfg->inplace_mode == INPLACE_TWO_SGLISTS) {
		/*
		 * For now we keep it simple and only test the case where the
		 * two scatterlists have identical entries, rather than
		 * different entries that split up the same memory differently.
		 */
		memcpy(tsgls->dst.sgl, tsgls->src.sgl,
		       tsgls->src.nents * sizeof(tsgls->src.sgl[0]));
		memcpy(tsgls->dst.sgl_saved, tsgls->src.sgl,
		       tsgls->src.nents * sizeof(tsgls->src.sgl[0]));
		tsgls->dst.sgl_ptr = tsgls->dst.sgl;
		tsgls->dst.nents = tsgls->src.nents;
		return 0;
	}
	/* Out of place */
804 805 806 807
	return build_test_sglist(&tsgls->dst,
				 cfg->dst_divs[0].proportion_of_total ?
					cfg->dst_divs : cfg->src_divs,
				 alignmask, dst_total_len, NULL, NULL);
808 809
}

810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852
/*
 * Support for testing passing a misaligned key to setkey():
 *
 * If cfg->key_offset is set, copy the key into a new buffer at that offset,
 * optionally adding alignmask.  Else, just use the key directly.
 */
static int prepare_keybuf(const u8 *key, unsigned int ksize,
			  const struct testvec_config *cfg,
			  unsigned int alignmask,
			  const u8 **keybuf_ret, const u8 **keyptr_ret)
{
	unsigned int key_offset = cfg->key_offset;
	u8 *keybuf = NULL, *keyptr = (u8 *)key;

	if (key_offset != 0) {
		if (cfg->key_offset_relative_to_alignmask)
			key_offset += alignmask;
		keybuf = kmalloc(key_offset + ksize, GFP_KERNEL);
		if (!keybuf)
			return -ENOMEM;
		keyptr = keybuf + key_offset;
		memcpy(keyptr, key, ksize);
	}
	*keybuf_ret = keybuf;
	*keyptr_ret = keyptr;
	return 0;
}

/* Like setkey_f(tfm, key, ksize), but sometimes misalign the key */
#define do_setkey(setkey_f, tfm, key, ksize, cfg, alignmask)		\
({									\
	const u8 *keybuf, *keyptr;					\
	int err;							\
									\
	err = prepare_keybuf((key), (ksize), (cfg), (alignmask),	\
			     &keybuf, &keyptr);				\
	if (err == 0) {							\
		err = setkey_f((tfm), keyptr, (ksize));			\
		kfree(keybuf);						\
	}								\
	err;								\
})

853
#ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871

/* Generate a random length in range [0, max_len], but prefer smaller values */
static unsigned int generate_random_length(unsigned int max_len)
{
	unsigned int len = prandom_u32() % (max_len + 1);

	switch (prandom_u32() % 4) {
	case 0:
		return len % 64;
	case 1:
		return len % 256;
	case 2:
		return len % 1024;
	default:
		return len;
	}
}

872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888
/* Flip a random bit in the given nonempty data buffer */
static void flip_random_bit(u8 *buf, size_t size)
{
	size_t bitpos;

	bitpos = prandom_u32() % (size * 8);
	buf[bitpos / 8] ^= 1 << (bitpos % 8);
}

/* Flip a random byte in the given nonempty data buffer */
static void flip_random_byte(u8 *buf, size_t size)
{
	buf[prandom_u32() % size] ^= 0xff;
}

/* Sometimes make some random changes to the given nonempty data buffer */
static void mutate_buffer(u8 *buf, size_t size)
889 890 891 892 893 894
{
	size_t num_flips;
	size_t i;

	/* Sometimes flip some bits */
	if (prandom_u32() % 4 == 0) {
895 896 897
		num_flips = min_t(size_t, 1 << (prandom_u32() % 8), size * 8);
		for (i = 0; i < num_flips; i++)
			flip_random_bit(buf, size);
898 899 900 901
	}

	/* Sometimes flip some bytes */
	if (prandom_u32() % 4 == 0) {
902
		num_flips = min_t(size_t, 1 << (prandom_u32() % 8), size);
903
		for (i = 0; i < num_flips; i++)
904
			flip_random_byte(buf, size);
905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950
	}
}

/* Randomly generate 'count' bytes, but sometimes make them "interesting" */
static void generate_random_bytes(u8 *buf, size_t count)
{
	u8 b;
	u8 increment;
	size_t i;

	if (count == 0)
		return;

	switch (prandom_u32() % 8) { /* Choose a generation strategy */
	case 0:
	case 1:
		/* All the same byte, plus optional mutations */
		switch (prandom_u32() % 4) {
		case 0:
			b = 0x00;
			break;
		case 1:
			b = 0xff;
			break;
		default:
			b = (u8)prandom_u32();
			break;
		}
		memset(buf, b, count);
		mutate_buffer(buf, count);
		break;
	case 2:
		/* Ascending or descending bytes, plus optional mutations */
		increment = (u8)prandom_u32();
		b = (u8)prandom_u32();
		for (i = 0; i < count; i++, b += increment)
			buf[i] = b;
		mutate_buffer(buf, count);
		break;
	default:
		/* Fully random bytes */
		for (i = 0; i < count; i++)
			buf[i] = (u8)prandom_u32();
	}
}

951 952
static char *generate_random_sgl_divisions(struct test_sg_division *divs,
					   size_t max_divs, char *p, char *end,
953
					   bool gen_flushes, u32 req_flags)
954 955 956 957 958 959
{
	struct test_sg_division *div = divs;
	unsigned int remaining = TEST_SG_TOTAL;

	do {
		unsigned int this_len;
960
		const char *flushtype_str;
961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988

		if (div == &divs[max_divs - 1] || prandom_u32() % 2 == 0)
			this_len = remaining;
		else
			this_len = 1 + (prandom_u32() % remaining);
		div->proportion_of_total = this_len;

		if (prandom_u32() % 4 == 0)
			div->offset = (PAGE_SIZE - 128) + (prandom_u32() % 128);
		else if (prandom_u32() % 2 == 0)
			div->offset = prandom_u32() % 32;
		else
			div->offset = prandom_u32() % PAGE_SIZE;
		if (prandom_u32() % 8 == 0)
			div->offset_relative_to_alignmask = true;

		div->flush_type = FLUSH_TYPE_NONE;
		if (gen_flushes) {
			switch (prandom_u32() % 4) {
			case 0:
				div->flush_type = FLUSH_TYPE_REIMPORT;
				break;
			case 1:
				div->flush_type = FLUSH_TYPE_FLUSH;
				break;
			}
		}

989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011
		if (div->flush_type != FLUSH_TYPE_NONE &&
		    !(req_flags & CRYPTO_TFM_REQ_MAY_SLEEP) &&
		    prandom_u32() % 2 == 0)
			div->nosimd = true;

		switch (div->flush_type) {
		case FLUSH_TYPE_FLUSH:
			if (div->nosimd)
				flushtype_str = "<flush,nosimd>";
			else
				flushtype_str = "<flush>";
			break;
		case FLUSH_TYPE_REIMPORT:
			if (div->nosimd)
				flushtype_str = "<reimport,nosimd>";
			else
				flushtype_str = "<reimport>";
			break;
		default:
			flushtype_str = "";
			break;
		}

1012
		BUILD_BUG_ON(TEST_SG_TOTAL != 10000); /* for "%u.%u%%" */
1013
		p += scnprintf(p, end - p, "%s%u.%u%%@%s+%u%s", flushtype_str,
1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037
			       this_len / 100, this_len % 100,
			       div->offset_relative_to_alignmask ?
					"alignmask" : "",
			       div->offset, this_len == remaining ? "" : ", ");
		remaining -= this_len;
		div++;
	} while (remaining);

	return p;
}

/* Generate a random testvec_config for fuzz testing */
static void generate_random_testvec_config(struct testvec_config *cfg,
					   char *name, size_t max_namelen)
{
	char *p = name;
	char * const end = name + max_namelen;

	memset(cfg, 0, sizeof(*cfg));

	cfg->name = name;

	p += scnprintf(p, end - p, "random:");

1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050
	switch (prandom_u32() % 4) {
	case 0:
	case 1:
		cfg->inplace_mode = OUT_OF_PLACE;
		break;
	case 2:
		cfg->inplace_mode = INPLACE_ONE_SGLIST;
		p += scnprintf(p, end - p, " inplace_one_sglist");
		break;
	default:
		cfg->inplace_mode = INPLACE_TWO_SGLISTS;
		p += scnprintf(p, end - p, " inplace_two_sglists");
		break;
1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072
	}

	if (prandom_u32() % 2 == 0) {
		cfg->req_flags |= CRYPTO_TFM_REQ_MAY_SLEEP;
		p += scnprintf(p, end - p, " may_sleep");
	}

	switch (prandom_u32() % 4) {
	case 0:
		cfg->finalization_type = FINALIZATION_TYPE_FINAL;
		p += scnprintf(p, end - p, " use_final");
		break;
	case 1:
		cfg->finalization_type = FINALIZATION_TYPE_FINUP;
		p += scnprintf(p, end - p, " use_finup");
		break;
	default:
		cfg->finalization_type = FINALIZATION_TYPE_DIGEST;
		p += scnprintf(p, end - p, " use_digest");
		break;
	}

1073 1074 1075 1076 1077 1078
	if (!(cfg->req_flags & CRYPTO_TFM_REQ_MAY_SLEEP) &&
	    prandom_u32() % 2 == 0) {
		cfg->nosimd = true;
		p += scnprintf(p, end - p, " nosimd");
	}

1079 1080 1081 1082
	p += scnprintf(p, end - p, " src_divs=[");
	p = generate_random_sgl_divisions(cfg->src_divs,
					  ARRAY_SIZE(cfg->src_divs), p, end,
					  (cfg->finalization_type !=
1083 1084
					   FINALIZATION_TYPE_DIGEST),
					  cfg->req_flags);
1085 1086
	p += scnprintf(p, end - p, "]");

1087
	if (cfg->inplace_mode == OUT_OF_PLACE && prandom_u32() % 2 == 0) {
1088 1089 1090
		p += scnprintf(p, end - p, " dst_divs=[");
		p = generate_random_sgl_divisions(cfg->dst_divs,
						  ARRAY_SIZE(cfg->dst_divs),
1091 1092
						  p, end, false,
						  cfg->req_flags);
1093 1094 1095 1096 1097 1098 1099 1100
		p += scnprintf(p, end - p, "]");
	}

	if (prandom_u32() % 2 == 0) {
		cfg->iv_offset = 1 + (prandom_u32() % MAX_ALGAPI_ALIGNMASK);
		p += scnprintf(p, end - p, " iv_offset=%u", cfg->iv_offset);
	}

1101 1102 1103 1104 1105
	if (prandom_u32() % 2 == 0) {
		cfg->key_offset = 1 + (prandom_u32() % MAX_ALGAPI_ALIGNMASK);
		p += scnprintf(p, end - p, " key_offset=%u", cfg->key_offset);
	}

1106 1107
	WARN_ON_ONCE(!valid_testvec_config(cfg));
}
1108 1109 1110

static void crypto_disable_simd_for_test(void)
{
1111
	migrate_disable();
1112 1113 1114 1115 1116 1117
	__this_cpu_write(crypto_simd_disabled_for_test, true);
}

static void crypto_reenable_simd_for_test(void)
{
	__this_cpu_write(crypto_simd_disabled_for_test, false);
1118
	migrate_enable();
1119
}
1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161

/*
 * Given an algorithm name, build the name of the generic implementation of that
 * algorithm, assuming the usual naming convention.  Specifically, this appends
 * "-generic" to every part of the name that is not a template name.  Examples:
 *
 *	aes => aes-generic
 *	cbc(aes) => cbc(aes-generic)
 *	cts(cbc(aes)) => cts(cbc(aes-generic))
 *	rfc7539(chacha20,poly1305) => rfc7539(chacha20-generic,poly1305-generic)
 *
 * Return: 0 on success, or -ENAMETOOLONG if the generic name would be too long
 */
static int build_generic_driver_name(const char *algname,
				     char driver_name[CRYPTO_MAX_ALG_NAME])
{
	const char *in = algname;
	char *out = driver_name;
	size_t len = strlen(algname);

	if (len >= CRYPTO_MAX_ALG_NAME)
		goto too_long;
	do {
		const char *in_saved = in;

		while (*in && *in != '(' && *in != ')' && *in != ',')
			*out++ = *in++;
		if (*in != '(' && in > in_saved) {
			len += 8;
			if (len >= CRYPTO_MAX_ALG_NAME)
				goto too_long;
			memcpy(out, "-generic", 8);
			out += 8;
		}
	} while ((*out++ = *in++) != '\0');
	return 0;

too_long:
	pr_err("alg: generic driver name for \"%s\" would be too long\n",
	       algname);
	return -ENAMETOOLONG;
}
1162 1163 1164 1165 1166 1167 1168 1169 1170
#else /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
static void crypto_disable_simd_for_test(void)
{
}

static void crypto_reenable_simd_for_test(void)
{
}
#endif /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
1171

1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218
static int build_hash_sglist(struct test_sglist *tsgl,
			     const struct hash_testvec *vec,
			     const struct testvec_config *cfg,
			     unsigned int alignmask,
			     const struct test_sg_division *divs[XBUFSIZE])
{
	struct kvec kv;
	struct iov_iter input;

	kv.iov_base = (void *)vec->plaintext;
	kv.iov_len = vec->psize;
	iov_iter_kvec(&input, WRITE, &kv, 1, vec->psize);
	return build_test_sglist(tsgl, cfg->src_divs, alignmask, vec->psize,
				 &input, divs);
}

static int check_hash_result(const char *type,
			     const u8 *result, unsigned int digestsize,
			     const struct hash_testvec *vec,
			     const char *vec_name,
			     const char *driver,
			     const struct testvec_config *cfg)
{
	if (memcmp(result, vec->digest, digestsize) != 0) {
		pr_err("alg: %s: %s test failed (wrong result) on test vector %s, cfg=\"%s\"\n",
		       type, driver, vec_name, cfg->name);
		return -EINVAL;
	}
	if (!testmgr_is_poison(&result[digestsize], TESTMGR_POISON_LEN)) {
		pr_err("alg: %s: %s overran result buffer on test vector %s, cfg=\"%s\"\n",
		       type, driver, vec_name, cfg->name);
		return -EOVERFLOW;
	}
	return 0;
}

static inline int check_shash_op(const char *op, int err,
				 const char *driver, const char *vec_name,
				 const struct testvec_config *cfg)
{
	if (err)
		pr_err("alg: shash: %s %s() failed with err %d on test vector %s, cfg=\"%s\"\n",
		       driver, op, err, vec_name, cfg->name);
	return err;
}

/* Test one hash test vector in one configuration, using the shash API */
1219
static int test_shash_vec_cfg(const struct hash_testvec *vec,
1220 1221 1222 1223 1224 1225 1226 1227 1228 1229
			      const char *vec_name,
			      const struct testvec_config *cfg,
			      struct shash_desc *desc,
			      struct test_sglist *tsgl,
			      u8 *hashstate)
{
	struct crypto_shash *tfm = desc->tfm;
	const unsigned int alignmask = crypto_shash_alignmask(tfm);
	const unsigned int digestsize = crypto_shash_digestsize(tfm);
	const unsigned int statesize = crypto_shash_statesize(tfm);
1230
	const char *driver = crypto_shash_driver_name(tfm);
1231 1232 1233 1234 1235 1236 1237
	const struct test_sg_division *divs[XBUFSIZE];
	unsigned int i;
	u8 result[HASH_MAX_DIGESTSIZE + TESTMGR_POISON_LEN];
	int err;

	/* Set the key, if specified */
	if (vec->ksize) {
1238 1239
		err = do_setkey(crypto_shash_setkey, tfm, vec->key, vec->ksize,
				cfg, alignmask);
1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272 1273 1274
		if (err) {
			if (err == vec->setkey_error)
				return 0;
			pr_err("alg: shash: %s setkey failed on test vector %s; expected_error=%d, actual_error=%d, flags=%#x\n",
			       driver, vec_name, vec->setkey_error, err,
			       crypto_shash_get_flags(tfm));
			return err;
		}
		if (vec->setkey_error) {
			pr_err("alg: shash: %s setkey unexpectedly succeeded on test vector %s; expected_error=%d\n",
			       driver, vec_name, vec->setkey_error);
			return -EINVAL;
		}
	}

	/* Build the scatterlist for the source data */
	err = build_hash_sglist(tsgl, vec, cfg, alignmask, divs);
	if (err) {
		pr_err("alg: shash: %s: error preparing scatterlist for test vector %s, cfg=\"%s\"\n",
		       driver, vec_name, cfg->name);
		return err;
	}

	/* Do the actual hashing */

	testmgr_poison(desc->__ctx, crypto_shash_descsize(tfm));
	testmgr_poison(result, digestsize + TESTMGR_POISON_LEN);

	if (cfg->finalization_type == FINALIZATION_TYPE_DIGEST ||
	    vec->digest_error) {
		/* Just using digest() */
		if (tsgl->nents != 1)
			return 0;
		if (cfg->nosimd)
			crypto_disable_simd_for_test();
1275
		err = crypto_shash_digest(desc, sg_virt(&tsgl->sgl[0]),
1276 1277 1278 1279 1280 1281 1282 1283 1284 1285 1286 1287 1288 1289 1290 1291 1292 1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310
					  tsgl->sgl[0].length, result);
		if (cfg->nosimd)
			crypto_reenable_simd_for_test();
		if (err) {
			if (err == vec->digest_error)
				return 0;
			pr_err("alg: shash: %s digest() failed on test vector %s; expected_error=%d, actual_error=%d, cfg=\"%s\"\n",
			       driver, vec_name, vec->digest_error, err,
			       cfg->name);
			return err;
		}
		if (vec->digest_error) {
			pr_err("alg: shash: %s digest() unexpectedly succeeded on test vector %s; expected_error=%d, cfg=\"%s\"\n",
			       driver, vec_name, vec->digest_error, cfg->name);
			return -EINVAL;
		}
		goto result_ready;
	}

	/* Using init(), zero or more update(), then final() or finup() */

	if (cfg->nosimd)
		crypto_disable_simd_for_test();
	err = crypto_shash_init(desc);
	if (cfg->nosimd)
		crypto_reenable_simd_for_test();
	err = check_shash_op("init", err, driver, vec_name, cfg);
	if (err)
		return err;

	for (i = 0; i < tsgl->nents; i++) {
		if (i + 1 == tsgl->nents &&
		    cfg->finalization_type == FINALIZATION_TYPE_FINUP) {
			if (divs[i]->nosimd)
				crypto_disable_simd_for_test();
1311
			err = crypto_shash_finup(desc, sg_virt(&tsgl->sgl[i]),
1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322
						 tsgl->sgl[i].length, result);
			if (divs[i]->nosimd)
				crypto_reenable_simd_for_test();
			err = check_shash_op("finup", err, driver, vec_name,
					     cfg);
			if (err)
				return err;
			goto result_ready;
		}
		if (divs[i]->nosimd)
			crypto_disable_simd_for_test();
1323
		err = crypto_shash_update(desc, sg_virt(&tsgl->sgl[i]),
1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338 1339 1340 1341 1342 1343 1344 1345 1346 1347 1348 1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365 1366
					  tsgl->sgl[i].length);
		if (divs[i]->nosimd)
			crypto_reenable_simd_for_test();
		err = check_shash_op("update", err, driver, vec_name, cfg);
		if (err)
			return err;
		if (divs[i]->flush_type == FLUSH_TYPE_REIMPORT) {
			/* Test ->export() and ->import() */
			testmgr_poison(hashstate + statesize,
				       TESTMGR_POISON_LEN);
			err = crypto_shash_export(desc, hashstate);
			err = check_shash_op("export", err, driver, vec_name,
					     cfg);
			if (err)
				return err;
			if (!testmgr_is_poison(hashstate + statesize,
					       TESTMGR_POISON_LEN)) {
				pr_err("alg: shash: %s export() overran state buffer on test vector %s, cfg=\"%s\"\n",
				       driver, vec_name, cfg->name);
				return -EOVERFLOW;
			}
			testmgr_poison(desc->__ctx, crypto_shash_descsize(tfm));
			err = crypto_shash_import(desc, hashstate);
			err = check_shash_op("import", err, driver, vec_name,
					     cfg);
			if (err)
				return err;
		}
	}

	if (cfg->nosimd)
		crypto_disable_simd_for_test();
	err = crypto_shash_final(desc, result);
	if (cfg->nosimd)
		crypto_reenable_simd_for_test();
	err = check_shash_op("final", err, driver, vec_name, cfg);
	if (err)
		return err;
result_ready:
	return check_hash_result("shash", result, digestsize, vec, vec_name,
				 driver, cfg);
}

1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383
static int do_ahash_op(int (*op)(struct ahash_request *req),
		       struct ahash_request *req,
		       struct crypto_wait *wait, bool nosimd)
{
	int err;

	if (nosimd)
		crypto_disable_simd_for_test();

	err = op(req);

	if (nosimd)
		crypto_reenable_simd_for_test();

	return crypto_wait_req(err, wait);
}

1384 1385 1386 1387
static int check_nonfinal_ahash_op(const char *op, int err,
				   u8 *result, unsigned int digestsize,
				   const char *driver, const char *vec_name,
				   const struct testvec_config *cfg)
1388
{
1389
	if (err) {
1390
		pr_err("alg: ahash: %s %s() failed with err %d on test vector %s, cfg=\"%s\"\n",
1391
		       driver, op, err, vec_name, cfg->name);
1392
		return err;
1393
	}
1394
	if (!testmgr_is_poison(result, digestsize)) {
1395
		pr_err("alg: ahash: %s %s() used result buffer on test vector %s, cfg=\"%s\"\n",
1396
		       driver, op, vec_name, cfg->name);
1397
		return -EINVAL;
1398
	}
1399
	return 0;
1400 1401
}

1402
/* Test one hash test vector in one configuration, using the ahash API */
1403
static int test_ahash_vec_cfg(const struct hash_testvec *vec,
1404 1405 1406 1407 1408
			      const char *vec_name,
			      const struct testvec_config *cfg,
			      struct ahash_request *req,
			      struct test_sglist *tsgl,
			      u8 *hashstate)
1409
{
1410 1411 1412 1413
	struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
	const unsigned int alignmask = crypto_ahash_alignmask(tfm);
	const unsigned int digestsize = crypto_ahash_digestsize(tfm);
	const unsigned int statesize = crypto_ahash_statesize(tfm);
1414
	const char *driver = crypto_ahash_driver_name(tfm);
1415 1416 1417 1418 1419 1420 1421 1422
	const u32 req_flags = CRYPTO_TFM_REQ_MAY_BACKLOG | cfg->req_flags;
	const struct test_sg_division *divs[XBUFSIZE];
	DECLARE_CRYPTO_WAIT(wait);
	unsigned int i;
	struct scatterlist *pending_sgl;
	unsigned int pending_len;
	u8 result[HASH_MAX_DIGESTSIZE + TESTMGR_POISON_LEN];
	int err;
1423

1424 1425
	/* Set the key, if specified */
	if (vec->ksize) {
1426 1427
		err = do_setkey(crypto_ahash_setkey, tfm, vec->key, vec->ksize,
				cfg, alignmask);
1428
		if (err) {
1429 1430
			if (err == vec->setkey_error)
				return 0;
1431
			pr_err("alg: ahash: %s setkey failed on test vector %s; expected_error=%d, actual_error=%d, flags=%#x\n",
1432
			       driver, vec_name, vec->setkey_error, err,
1433 1434 1435
			       crypto_ahash_get_flags(tfm));
			return err;
		}
1436
		if (vec->setkey_error) {
1437
			pr_err("alg: ahash: %s setkey unexpectedly succeeded on test vector %s; expected_error=%d\n",
1438
			       driver, vec_name, vec->setkey_error);
1439 1440
			return -EINVAL;
		}
1441
	}
1442

1443
	/* Build the scatterlist for the source data */
1444
	err = build_hash_sglist(tsgl, vec, cfg, alignmask, divs);
1445
	if (err) {
1446
		pr_err("alg: ahash: %s: error preparing scatterlist for test vector %s, cfg=\"%s\"\n",
1447
		       driver, vec_name, cfg->name);
1448
		return err;
1449 1450
	}

1451
	/* Do the actual hashing */
1452

1453 1454
	testmgr_poison(req->__ctx, crypto_ahash_reqsize(tfm));
	testmgr_poison(result, digestsize + TESTMGR_POISON_LEN);
1455

1456 1457
	if (cfg->finalization_type == FINALIZATION_TYPE_DIGEST ||
	    vec->digest_error) {
1458 1459 1460 1461
		/* Just using digest() */
		ahash_request_set_callback(req, req_flags, crypto_req_done,
					   &wait);
		ahash_request_set_crypt(req, tsgl->sgl, result, vec->psize);
1462
		err = do_ahash_op(crypto_ahash_digest, req, &wait, cfg->nosimd);
1463
		if (err) {
1464 1465
			if (err == vec->digest_error)
				return 0;
1466
			pr_err("alg: ahash: %s digest() failed on test vector %s; expected_error=%d, actual_error=%d, cfg=\"%s\"\n",
1467
			       driver, vec_name, vec->digest_error, err,
1468
			       cfg->name);
1469 1470
			return err;
		}
1471
		if (vec->digest_error) {
1472
			pr_err("alg: ahash: %s digest() unexpectedly succeeded on test vector %s; expected_error=%d, cfg=\"%s\"\n",
1473
			       driver, vec_name, vec->digest_error, cfg->name);
1474 1475
			return -EINVAL;
		}
1476 1477
		goto result_ready;
	}
1478

1479
	/* Using init(), zero or more update(), then final() or finup() */
1480

1481 1482
	ahash_request_set_callback(req, req_flags, crypto_req_done, &wait);
	ahash_request_set_crypt(req, NULL, result, 0);
1483
	err = do_ahash_op(crypto_ahash_init, req, &wait, cfg->nosimd);
1484 1485
	err = check_nonfinal_ahash_op("init", err, result, digestsize,
				      driver, vec_name, cfg);
1486 1487
	if (err)
		return err;
1488

1489 1490 1491 1492 1493 1494 1495 1496 1497 1498
	pending_sgl = NULL;
	pending_len = 0;
	for (i = 0; i < tsgl->nents; i++) {
		if (divs[i]->flush_type != FLUSH_TYPE_NONE &&
		    pending_sgl != NULL) {
			/* update() with the pending data */
			ahash_request_set_callback(req, req_flags,
						   crypto_req_done, &wait);
			ahash_request_set_crypt(req, pending_sgl, result,
						pending_len);
1499 1500
			err = do_ahash_op(crypto_ahash_update, req, &wait,
					  divs[i]->nosimd);
1501 1502 1503
			err = check_nonfinal_ahash_op("update", err,
						      result, digestsize,
						      driver, vec_name, cfg);
1504 1505 1506 1507
			if (err)
				return err;
			pending_sgl = NULL;
			pending_len = 0;
1508
		}
1509 1510 1511 1512 1513
		if (divs[i]->flush_type == FLUSH_TYPE_REIMPORT) {
			/* Test ->export() and ->import() */
			testmgr_poison(hashstate + statesize,
				       TESTMGR_POISON_LEN);
			err = crypto_ahash_export(req, hashstate);
1514 1515 1516
			err = check_nonfinal_ahash_op("export", err,
						      result, digestsize,
						      driver, vec_name, cfg);
1517 1518 1519 1520
			if (err)
				return err;
			if (!testmgr_is_poison(hashstate + statesize,
					       TESTMGR_POISON_LEN)) {
1521
				pr_err("alg: ahash: %s export() overran state buffer on test vector %s, cfg=\"%s\"\n",
1522
				       driver, vec_name, cfg->name);
1523
				return -EOVERFLOW;
1524
			}
1525

1526 1527
			testmgr_poison(req->__ctx, crypto_ahash_reqsize(tfm));
			err = crypto_ahash_import(req, hashstate);
1528 1529 1530
			err = check_nonfinal_ahash_op("import", err,
						      result, digestsize,
						      driver, vec_name, cfg);
1531 1532
			if (err)
				return err;
1533
		}
1534 1535 1536 1537
		if (pending_sgl == NULL)
			pending_sgl = &tsgl->sgl[i];
		pending_len += tsgl->sgl[i].length;
	}
1538

1539 1540 1541 1542
	ahash_request_set_callback(req, req_flags, crypto_req_done, &wait);
	ahash_request_set_crypt(req, pending_sgl, result, pending_len);
	if (cfg->finalization_type == FINALIZATION_TYPE_FINAL) {
		/* finish with update() and final() */
1543
		err = do_ahash_op(crypto_ahash_update, req, &wait, cfg->nosimd);
1544 1545
		err = check_nonfinal_ahash_op("update", err, result, digestsize,
					      driver, vec_name, cfg);
1546 1547
		if (err)
			return err;
1548
		err = do_ahash_op(crypto_ahash_final, req, &wait, cfg->nosimd);
1549
		if (err) {
1550
			pr_err("alg: ahash: %s final() failed with err %d on test vector %s, cfg=\"%s\"\n",
1551
			       driver, err, vec_name, cfg->name);
1552 1553 1554 1555
			return err;
		}
	} else {
		/* finish with finup() */
1556
		err = do_ahash_op(crypto_ahash_finup, req, &wait, cfg->nosimd);
1557
		if (err) {
1558
			pr_err("alg: ahash: %s finup() failed with err %d on test vector %s, cfg=\"%s\"\n",
1559
			       driver, err, vec_name, cfg->name);
1560
			return err;
1561 1562 1563
		}
	}

1564
result_ready:
1565 1566 1567 1568
	return check_hash_result("ahash", result, digestsize, vec, vec_name,
				 driver, cfg);
}

1569
static int test_hash_vec_cfg(const struct hash_testvec *vec,
1570 1571 1572 1573 1574 1575 1576 1577 1578 1579 1580 1581 1582 1583 1584 1585
			     const char *vec_name,
			     const struct testvec_config *cfg,
			     struct ahash_request *req,
			     struct shash_desc *desc,
			     struct test_sglist *tsgl,
			     u8 *hashstate)
{
	int err;

	/*
	 * For algorithms implemented as "shash", most bugs will be detected by
	 * both the shash and ahash tests.  Test the shash API first so that the
	 * failures involve less indirection, so are easier to debug.
	 */

	if (desc) {
1586
		err = test_shash_vec_cfg(vec, vec_name, cfg, desc, tsgl,
1587 1588 1589
					 hashstate);
		if (err)
			return err;
1590
	}
1591

1592
	return test_ahash_vec_cfg(vec, vec_name, cfg, req, tsgl, hashstate);
1593
}
1594

1595 1596 1597
static int test_hash_vec(const struct hash_testvec *vec, unsigned int vec_num,
			 struct ahash_request *req, struct shash_desc *desc,
			 struct test_sglist *tsgl, u8 *hashstate)
1598
{
1599
	char vec_name[16];
1600 1601
	unsigned int i;
	int err;
1602

1603 1604
	sprintf(vec_name, "%u", vec_num);

1605
	for (i = 0; i < ARRAY_SIZE(default_hash_testvec_configs); i++) {
1606
		err = test_hash_vec_cfg(vec, vec_name,
1607
					&default_hash_testvec_configs[i],
1608
					req, desc, tsgl, hashstate);
1609 1610 1611
		if (err)
			return err;
	}
1612

1613 1614 1615 1616
#ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
	if (!noextratests) {
		struct testvec_config cfg;
		char cfgname[TESTVEC_CONFIG_NAMELEN];
1617

1618 1619 1620
		for (i = 0; i < fuzz_iterations; i++) {
			generate_random_testvec_config(&cfg, cfgname,
						       sizeof(cfgname));
1621
			err = test_hash_vec_cfg(vec, vec_name, &cfg,
1622
						req, desc, tsgl, hashstate);
1623 1624
			if (err)
				return err;
1625
			cond_resched();
1626 1627
		}
	}
1628 1629 1630
#endif
	return 0;
}
1631

1632 1633 1634 1635 1636
#ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
/*
 * Generate a hash test vector from the given implementation.
 * Assumes the buffers in 'vec' were already allocated.
 */
1637
static void generate_random_hash_testvec(struct shash_desc *desc,
1638 1639 1640 1641 1642 1643 1644 1645 1646 1647 1648 1649 1650 1651 1652 1653 1654 1655 1656 1657 1658
					 struct hash_testvec *vec,
					 unsigned int maxkeysize,
					 unsigned int maxdatasize,
					 char *name, size_t max_namelen)
{
	/* Data */
	vec->psize = generate_random_length(maxdatasize);
	generate_random_bytes((u8 *)vec->plaintext, vec->psize);

	/*
	 * Key: length in range [1, maxkeysize], but usually choose maxkeysize.
	 * If algorithm is unkeyed, then maxkeysize == 0 and set ksize = 0.
	 */
	vec->setkey_error = 0;
	vec->ksize = 0;
	if (maxkeysize) {
		vec->ksize = maxkeysize;
		if (prandom_u32() % 4 == 0)
			vec->ksize = 1 + (prandom_u32() % maxkeysize);
		generate_random_bytes((u8 *)vec->key, vec->ksize);

1659
		vec->setkey_error = crypto_shash_setkey(desc->tfm, vec->key,
1660 1661 1662 1663 1664 1665 1666 1667 1668 1669 1670 1671 1672 1673 1674 1675 1676 1677
							vec->ksize);
		/* If the key couldn't be set, no need to continue to digest. */
		if (vec->setkey_error)
			goto done;
	}

	/* Digest */
	vec->digest_error = crypto_shash_digest(desc, vec->plaintext,
						vec->psize, (u8 *)vec->digest);
done:
	snprintf(name, max_namelen, "\"random: psize=%u ksize=%u\"",
		 vec->psize, vec->ksize);
}

/*
 * Test the hash algorithm represented by @req against the corresponding generic
 * implementation, if one is available.
 */
1678
static int test_hash_vs_generic_impl(const char *generic_driver,
1679 1680
				     unsigned int maxkeysize,
				     struct ahash_request *req,
1681
				     struct shash_desc *desc,
1682 1683 1684 1685 1686 1687 1688 1689
				     struct test_sglist *tsgl,
				     u8 *hashstate)
{
	struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
	const unsigned int digestsize = crypto_ahash_digestsize(tfm);
	const unsigned int blocksize = crypto_ahash_blocksize(tfm);
	const unsigned int maxdatasize = (2 * PAGE_SIZE) - TESTMGR_POISON_LEN;
	const char *algname = crypto_hash_alg_common(tfm)->base.cra_name;
1690
	const char *driver = crypto_ahash_driver_name(tfm);
1691 1692
	char _generic_driver[CRYPTO_MAX_ALG_NAME];
	struct crypto_shash *generic_tfm = NULL;
1693
	struct shash_desc *generic_desc = NULL;
1694 1695 1696
	unsigned int i;
	struct hash_testvec vec = { 0 };
	char vec_name[64];
1697
	struct testvec_config *cfg;
1698 1699 1700 1701 1702 1703 1704 1705 1706 1707 1708 1709 1710 1711 1712 1713 1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726
	char cfgname[TESTVEC_CONFIG_NAMELEN];
	int err;

	if (noextratests)
		return 0;

	if (!generic_driver) { /* Use default naming convention? */
		err = build_generic_driver_name(algname, _generic_driver);
		if (err)
			return err;
		generic_driver = _generic_driver;
	}

	if (strcmp(generic_driver, driver) == 0) /* Already the generic impl? */
		return 0;

	generic_tfm = crypto_alloc_shash(generic_driver, 0, 0);
	if (IS_ERR(generic_tfm)) {
		err = PTR_ERR(generic_tfm);
		if (err == -ENOENT) {
			pr_warn("alg: hash: skipping comparison tests for %s because %s is unavailable\n",
				driver, generic_driver);
			return 0;
		}
		pr_err("alg: hash: error allocating %s (generic impl of %s): %d\n",
		       generic_driver, algname, err);
		return err;
	}

1727 1728 1729 1730 1731 1732
	cfg = kzalloc(sizeof(*cfg), GFP_KERNEL);
	if (!cfg) {
		err = -ENOMEM;
		goto out;
	}

1733 1734 1735 1736 1737 1738 1739 1740
	generic_desc = kzalloc(sizeof(*desc) +
			       crypto_shash_descsize(generic_tfm), GFP_KERNEL);
	if (!generic_desc) {
		err = -ENOMEM;
		goto out;
	}
	generic_desc->tfm = generic_tfm;

1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751 1752 1753 1754 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764 1765 1766 1767 1768 1769 1770 1771
	/* Check the algorithm properties for consistency. */

	if (digestsize != crypto_shash_digestsize(generic_tfm)) {
		pr_err("alg: hash: digestsize for %s (%u) doesn't match generic impl (%u)\n",
		       driver, digestsize,
		       crypto_shash_digestsize(generic_tfm));
		err = -EINVAL;
		goto out;
	}

	if (blocksize != crypto_shash_blocksize(generic_tfm)) {
		pr_err("alg: hash: blocksize for %s (%u) doesn't match generic impl (%u)\n",
		       driver, blocksize, crypto_shash_blocksize(generic_tfm));
		err = -EINVAL;
		goto out;
	}

	/*
	 * Now generate test vectors using the generic implementation, and test
	 * the other implementation against them.
	 */

	vec.key = kmalloc(maxkeysize, GFP_KERNEL);
	vec.plaintext = kmalloc(maxdatasize, GFP_KERNEL);
	vec.digest = kmalloc(digestsize, GFP_KERNEL);
	if (!vec.key || !vec.plaintext || !vec.digest) {
		err = -ENOMEM;
		goto out;
	}

	for (i = 0; i < fuzz_iterations * 8; i++) {
1772
		generate_random_hash_testvec(generic_desc, &vec,
1773 1774
					     maxkeysize, maxdatasize,
					     vec_name, sizeof(vec_name));
1775
		generate_random_testvec_config(cfg, cfgname, sizeof(cfgname));
1776

1777
		err = test_hash_vec_cfg(&vec, vec_name, cfg,
1778
					req, desc, tsgl, hashstate);
1779 1780 1781 1782 1783 1784
		if (err)
			goto out;
		cond_resched();
	}
	err = 0;
out:
1785
	kfree(cfg);
1786 1787 1788 1789
	kfree(vec.key);
	kfree(vec.plaintext);
	kfree(vec.digest);
	crypto_free_shash(generic_tfm);
1790
	kfree_sensitive(generic_desc);
1791 1792 1793
	return err;
}
#else /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
1794
static int test_hash_vs_generic_impl(const char *generic_driver,
1795 1796
				     unsigned int maxkeysize,
				     struct ahash_request *req,
1797
				     struct shash_desc *desc,
1798 1799 1800 1801 1802 1803 1804
				     struct test_sglist *tsgl,
				     u8 *hashstate)
{
	return 0;
}
#endif /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */

1805 1806 1807 1808 1809 1810 1811 1812 1813 1814 1815 1816 1817 1818 1819 1820 1821 1822 1823 1824 1825 1826 1827 1828 1829 1830 1831 1832 1833 1834 1835 1836 1837
static int alloc_shash(const char *driver, u32 type, u32 mask,
		       struct crypto_shash **tfm_ret,
		       struct shash_desc **desc_ret)
{
	struct crypto_shash *tfm;
	struct shash_desc *desc;

	tfm = crypto_alloc_shash(driver, type, mask);
	if (IS_ERR(tfm)) {
		if (PTR_ERR(tfm) == -ENOENT) {
			/*
			 * This algorithm is only available through the ahash
			 * API, not the shash API, so skip the shash tests.
			 */
			return 0;
		}
		pr_err("alg: hash: failed to allocate shash transform for %s: %ld\n",
		       driver, PTR_ERR(tfm));
		return PTR_ERR(tfm);
	}

	desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(tfm), GFP_KERNEL);
	if (!desc) {
		crypto_free_shash(tfm);
		return -ENOMEM;
	}
	desc->tfm = tfm;

	*tfm_ret = tfm;
	*desc_ret = desc;
	return 0;
}

1838 1839
static int __alg_test_hash(const struct hash_testvec *vecs,
			   unsigned int num_vecs, const char *driver,
1840 1841
			   u32 type, u32 mask,
			   const char *generic_driver, unsigned int maxkeysize)
1842
{
1843
	struct crypto_ahash *atfm = NULL;
1844
	struct ahash_request *req = NULL;
1845 1846
	struct crypto_shash *stfm = NULL;
	struct shash_desc *desc = NULL;
1847 1848
	struct test_sglist *tsgl = NULL;
	u8 *hashstate = NULL;
1849
	unsigned int statesize;
1850 1851
	unsigned int i;
	int err;
1852

1853 1854 1855 1856 1857 1858 1859
	/*
	 * Always test the ahash API.  This works regardless of whether the
	 * algorithm is implemented as ahash or shash.
	 */

	atfm = crypto_alloc_ahash(driver, type, mask);
	if (IS_ERR(atfm)) {
1860
		pr_err("alg: hash: failed to allocate transform for %s: %ld\n",
1861 1862
		       driver, PTR_ERR(atfm));
		return PTR_ERR(atfm);
1863
	}
1864
	driver = crypto_ahash_driver_name(atfm);
1865

1866
	req = ahash_request_alloc(atfm, GFP_KERNEL);
1867 1868 1869 1870 1871 1872
	if (!req) {
		pr_err("alg: hash: failed to allocate request for %s\n",
		       driver);
		err = -ENOMEM;
		goto out;
	}
1873

1874 1875 1876 1877 1878 1879 1880 1881
	/*
	 * If available also test the shash API, to cover corner cases that may
	 * be missed by testing the ahash API only.
	 */
	err = alloc_shash(driver, type, mask, &stfm, &desc);
	if (err)
		goto out;

1882 1883 1884 1885 1886 1887 1888 1889 1890
	tsgl = kmalloc(sizeof(*tsgl), GFP_KERNEL);
	if (!tsgl || init_test_sglist(tsgl) != 0) {
		pr_err("alg: hash: failed to allocate test buffers for %s\n",
		       driver);
		kfree(tsgl);
		tsgl = NULL;
		err = -ENOMEM;
		goto out;
	}
1891

1892 1893 1894 1895
	statesize = crypto_ahash_statesize(atfm);
	if (stfm)
		statesize = max(statesize, crypto_shash_statesize(stfm));
	hashstate = kmalloc(statesize + TESTMGR_POISON_LEN, GFP_KERNEL);
1896 1897 1898 1899 1900 1901
	if (!hashstate) {
		pr_err("alg: hash: failed to allocate hash state buffer for %s\n",
		       driver);
		err = -ENOMEM;
		goto out;
	}
1902

1903
	for (i = 0; i < num_vecs; i++) {
1904 1905 1906
		if (fips_enabled && vecs[i].fips_skip)
			continue;

1907
		err = test_hash_vec(&vecs[i], i, req, desc, tsgl, hashstate);
1908
		if (err)
1909
			goto out;
1910
		cond_resched();
1911
	}
1912
	err = test_hash_vs_generic_impl(generic_driver, maxkeysize, req,
1913
					desc, tsgl, hashstate);
1914
out:
1915 1916 1917 1918 1919
	kfree(hashstate);
	if (tsgl) {
		destroy_test_sglist(tsgl);
		kfree(tsgl);
	}
1920 1921
	kfree(desc);
	crypto_free_shash(stfm);
1922
	ahash_request_free(req);
1923
	crypto_free_ahash(atfm);
1924
	return err;
1925 1926
}

1927 1928
static int alg_test_hash(const struct alg_test_desc *desc, const char *driver,
			 u32 type, u32 mask)
1929
{
1930 1931 1932
	const struct hash_testvec *template = desc->suite.hash.vecs;
	unsigned int tcount = desc->suite.hash.count;
	unsigned int nr_unkeyed, nr_keyed;
1933
	unsigned int maxkeysize = 0;
1934
	int err;
1935

1936 1937 1938 1939 1940
	/*
	 * For OPTIONAL_KEY algorithms, we have to do all the unkeyed tests
	 * first, before setting a key on the tfm.  To make this easier, we
	 * require that the unkeyed test vectors (if any) are listed first.
	 */
1941

1942 1943 1944 1945 1946 1947 1948 1949 1950 1951
	for (nr_unkeyed = 0; nr_unkeyed < tcount; nr_unkeyed++) {
		if (template[nr_unkeyed].ksize)
			break;
	}
	for (nr_keyed = 0; nr_unkeyed + nr_keyed < tcount; nr_keyed++) {
		if (!template[nr_unkeyed + nr_keyed].ksize) {
			pr_err("alg: hash: test vectors for %s out of order, "
			       "unkeyed ones must come first\n", desc->alg);
			return -EINVAL;
		}
1952 1953
		maxkeysize = max_t(unsigned int, maxkeysize,
				   template[nr_unkeyed + nr_keyed].ksize);
1954
	}
1955

1956 1957
	err = 0;
	if (nr_unkeyed) {
1958 1959
		err = __alg_test_hash(template, nr_unkeyed, driver, type, mask,
				      desc->generic_driver, maxkeysize);
1960
		template += nr_unkeyed;
1961 1962
	}

1963
	if (!err && nr_keyed)
1964 1965
		err = __alg_test_hash(template, nr_keyed, driver, type, mask,
				      desc->generic_driver, maxkeysize);
1966 1967

	return err;
1968 1969
}

1970
static int test_aead_vec_cfg(int enc, const struct aead_testvec *vec,
1971
			     const char *vec_name,
1972 1973 1974
			     const struct testvec_config *cfg,
			     struct aead_request *req,
			     struct cipher_test_sglists *tsgls)
1975
{
1976 1977 1978 1979
	struct crypto_aead *tfm = crypto_aead_reqtfm(req);
	const unsigned int alignmask = crypto_aead_alignmask(tfm);
	const unsigned int ivsize = crypto_aead_ivsize(tfm);
	const unsigned int authsize = vec->clen - vec->plen;
1980
	const char *driver = crypto_aead_driver_name(tfm);
1981 1982 1983 1984 1985 1986 1987 1988 1989
	const u32 req_flags = CRYPTO_TFM_REQ_MAY_BACKLOG | cfg->req_flags;
	const char *op = enc ? "encryption" : "decryption";
	DECLARE_CRYPTO_WAIT(wait);
	u8 _iv[3 * (MAX_ALGAPI_ALIGNMASK + 1) + MAX_IVLEN];
	u8 *iv = PTR_ALIGN(&_iv[0], 2 * (MAX_ALGAPI_ALIGNMASK + 1)) +
		 cfg->iv_offset +
		 (cfg->iv_offset_relative_to_alignmask ? alignmask : 0);
	struct kvec input[2];
	int err;
1990

1991 1992 1993
	/* Set the key */
	if (vec->wk)
		crypto_aead_set_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
1994
	else
1995
		crypto_aead_clear_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
1996 1997 1998

	err = do_setkey(crypto_aead_setkey, tfm, vec->key, vec->klen,
			cfg, alignmask);
1999
	if (err && err != vec->setkey_error) {
2000 2001
		pr_err("alg: aead: %s setkey failed on test vector %s; expected_error=%d, actual_error=%d, flags=%#x\n",
		       driver, vec_name, vec->setkey_error, err,
2002
		       crypto_aead_get_flags(tfm));
2003
		return err;
2004
	}
2005
	if (!err && vec->setkey_error) {
2006 2007
		pr_err("alg: aead: %s setkey unexpectedly succeeded on test vector %s; expected_error=%d\n",
		       driver, vec_name, vec->setkey_error);
2008
		return -EINVAL;
2009 2010
	}

2011 2012
	/* Set the authentication tag size */
	err = crypto_aead_setauthsize(tfm, authsize);
2013
	if (err && err != vec->setauthsize_error) {
2014 2015
		pr_err("alg: aead: %s setauthsize failed on test vector %s; expected_error=%d, actual_error=%d\n",
		       driver, vec_name, vec->setauthsize_error, err);
2016 2017
		return err;
	}
2018
	if (!err && vec->setauthsize_error) {
2019 2020
		pr_err("alg: aead: %s setauthsize unexpectedly succeeded on test vector %s; expected_error=%d\n",
		       driver, vec_name, vec->setauthsize_error);
2021 2022 2023 2024 2025
		return -EINVAL;
	}

	if (vec->setkey_error || vec->setauthsize_error)
		return 0;
2026

2027 2028 2029 2030 2031 2032 2033
	/* The IV must be copied to a buffer, as the algorithm may modify it */
	if (WARN_ON(ivsize > MAX_IVLEN))
		return -EINVAL;
	if (vec->iv)
		memcpy(iv, vec->iv, ivsize);
	else
		memset(iv, 0, ivsize);
2034

2035 2036 2037 2038 2039 2040 2041 2042 2043 2044 2045 2046
	/* Build the src/dst scatterlists */
	input[0].iov_base = (void *)vec->assoc;
	input[0].iov_len = vec->alen;
	input[1].iov_base = enc ? (void *)vec->ptext : (void *)vec->ctext;
	input[1].iov_len = enc ? vec->plen : vec->clen;
	err = build_cipher_test_sglists(tsgls, cfg, alignmask,
					vec->alen + (enc ? vec->plen :
						     vec->clen),
					vec->alen + (enc ? vec->clen :
						     vec->plen),
					input, 2);
	if (err) {
2047 2048
		pr_err("alg: aead: %s %s: error preparing scatterlists for test vector %s, cfg=\"%s\"\n",
		       driver, op, vec_name, cfg->name);
2049 2050
		return err;
	}
2051

2052 2053 2054 2055 2056 2057
	/* Do the actual encryption or decryption */
	testmgr_poison(req->__ctx, crypto_aead_reqsize(tfm));
	aead_request_set_callback(req, req_flags, crypto_req_done, &wait);
	aead_request_set_crypt(req, tsgls->src.sgl_ptr, tsgls->dst.sgl_ptr,
			       enc ? vec->plen : vec->clen, iv);
	aead_request_set_ad(req, vec->alen);
2058 2059 2060 2061 2062 2063
	if (cfg->nosimd)
		crypto_disable_simd_for_test();
	err = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req);
	if (cfg->nosimd)
		crypto_reenable_simd_for_test();
	err = crypto_wait_req(err, &wait);
2064 2065 2066 2067 2068 2069 2070 2071 2072 2073 2074

	/* Check that the algorithm didn't overwrite things it shouldn't have */
	if (req->cryptlen != (enc ? vec->plen : vec->clen) ||
	    req->assoclen != vec->alen ||
	    req->iv != iv ||
	    req->src != tsgls->src.sgl_ptr ||
	    req->dst != tsgls->dst.sgl_ptr ||
	    crypto_aead_reqtfm(req) != tfm ||
	    req->base.complete != crypto_req_done ||
	    req->base.flags != req_flags ||
	    req->base.data != &wait) {
2075 2076
		pr_err("alg: aead: %s %s corrupted request struct on test vector %s, cfg=\"%s\"\n",
		       driver, op, vec_name, cfg->name);
2077 2078 2079 2080 2081 2082 2083 2084 2085 2086 2087 2088 2089 2090 2091 2092 2093 2094 2095 2096 2097
		if (req->cryptlen != (enc ? vec->plen : vec->clen))
			pr_err("alg: aead: changed 'req->cryptlen'\n");
		if (req->assoclen != vec->alen)
			pr_err("alg: aead: changed 'req->assoclen'\n");
		if (req->iv != iv)
			pr_err("alg: aead: changed 'req->iv'\n");
		if (req->src != tsgls->src.sgl_ptr)
			pr_err("alg: aead: changed 'req->src'\n");
		if (req->dst != tsgls->dst.sgl_ptr)
			pr_err("alg: aead: changed 'req->dst'\n");
		if (crypto_aead_reqtfm(req) != tfm)
			pr_err("alg: aead: changed 'req->base.tfm'\n");
		if (req->base.complete != crypto_req_done)
			pr_err("alg: aead: changed 'req->base.complete'\n");
		if (req->base.flags != req_flags)
			pr_err("alg: aead: changed 'req->base.flags'\n");
		if (req->base.data != &wait)
			pr_err("alg: aead: changed 'req->base.data'\n");
		return -EINVAL;
	}
	if (is_test_sglist_corrupted(&tsgls->src)) {
2098 2099
		pr_err("alg: aead: %s %s corrupted src sgl on test vector %s, cfg=\"%s\"\n",
		       driver, op, vec_name, cfg->name);
2100 2101 2102 2103
		return -EINVAL;
	}
	if (tsgls->dst.sgl_ptr != tsgls->src.sgl &&
	    is_test_sglist_corrupted(&tsgls->dst)) {
2104 2105
		pr_err("alg: aead: %s %s corrupted dst sgl on test vector %s, cfg=\"%s\"\n",
		       driver, op, vec_name, cfg->name);
2106
		return -EINVAL;
2107
	}
2108

2109 2110 2111 2112 2113 2114 2115 2116 2117 2118 2119 2120 2121 2122 2123 2124 2125 2126 2127 2128
	/* Check for unexpected success or failure, or wrong error code */
	if ((err == 0 && vec->novrfy) ||
	    (err != vec->crypt_error && !(err == -EBADMSG && vec->novrfy))) {
		char expected_error[32];

		if (vec->novrfy &&
		    vec->crypt_error != 0 && vec->crypt_error != -EBADMSG)
			sprintf(expected_error, "-EBADMSG or %d",
				vec->crypt_error);
		else if (vec->novrfy)
			sprintf(expected_error, "-EBADMSG");
		else
			sprintf(expected_error, "%d", vec->crypt_error);
		if (err) {
			pr_err("alg: aead: %s %s failed on test vector %s; expected_error=%s, actual_error=%d, cfg=\"%s\"\n",
			       driver, op, vec_name, expected_error, err,
			       cfg->name);
			return err;
		}
		pr_err("alg: aead: %s %s unexpectedly succeeded on test vector %s; expected_error=%s, cfg=\"%s\"\n",
2129
		       driver, op, vec_name, expected_error, cfg->name);
2130 2131
		return -EINVAL;
	}
2132 2133
	if (err) /* Expectedly failed. */
		return 0;
2134

2135 2136 2137
	/* Check for the correct output (ciphertext or plaintext) */
	err = verify_correct_output(&tsgls->dst, enc ? vec->ctext : vec->ptext,
				    enc ? vec->clen : vec->plen,
2138 2139
				    vec->alen,
				    enc || cfg->inplace_mode == OUT_OF_PLACE);
2140
	if (err == -EOVERFLOW) {
2141 2142
		pr_err("alg: aead: %s %s overran dst buffer on test vector %s, cfg=\"%s\"\n",
		       driver, op, vec_name, cfg->name);
2143 2144 2145
		return err;
	}
	if (err) {
2146 2147
		pr_err("alg: aead: %s %s test failed (wrong result) on test vector %s, cfg=\"%s\"\n",
		       driver, op, vec_name, cfg->name);
2148 2149
		return err;
	}
2150

2151 2152
	return 0;
}
2153

2154 2155
static int test_aead_vec(int enc, const struct aead_testvec *vec,
			 unsigned int vec_num, struct aead_request *req,
2156 2157
			 struct cipher_test_sglists *tsgls)
{
2158
	char vec_name[16];
2159 2160
	unsigned int i;
	int err;
2161

2162 2163
	if (enc && vec->novrfy)
		return 0;
2164

2165 2166
	sprintf(vec_name, "%u", vec_num);

2167
	for (i = 0; i < ARRAY_SIZE(default_cipher_testvec_configs); i++) {
2168
		err = test_aead_vec_cfg(enc, vec, vec_name,
2169 2170 2171 2172 2173
					&default_cipher_testvec_configs[i],
					req, tsgls);
		if (err)
			return err;
	}
2174

2175 2176 2177 2178
#ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
	if (!noextratests) {
		struct testvec_config cfg;
		char cfgname[TESTVEC_CONFIG_NAMELEN];
2179

2180 2181 2182
		for (i = 0; i < fuzz_iterations; i++) {
			generate_random_testvec_config(&cfg, cfgname,
						       sizeof(cfgname));
2183
			err = test_aead_vec_cfg(enc, vec, vec_name,
2184 2185 2186
						&cfg, req, tsgls);
			if (err)
				return err;
2187
			cond_resched();
2188 2189
		}
	}
2190 2191 2192
#endif
	return 0;
}
2193

2194
#ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
2195 2196 2197 2198 2199 2200 2201 2202 2203 2204 2205 2206 2207 2208 2209

struct aead_extra_tests_ctx {
	struct aead_request *req;
	struct crypto_aead *tfm;
	const struct alg_test_desc *test_desc;
	struct cipher_test_sglists *tsgls;
	unsigned int maxdatasize;
	unsigned int maxkeysize;

	struct aead_testvec vec;
	char vec_name[64];
	char cfgname[TESTVEC_CONFIG_NAMELEN];
	struct testvec_config cfg;
};

2210
/*
2211 2212 2213 2214
 * Make at least one random change to a (ciphertext, AAD) pair.  "Ciphertext"
 * here means the full ciphertext including the authentication tag.  The
 * authentication tag (and hence also the ciphertext) is assumed to be nonempty.
 */
2215 2216
static void mutate_aead_message(struct aead_testvec *vec, bool aad_iv,
				unsigned int ivsize)
2217
{
2218
	const unsigned int aad_tail_size = aad_iv ? ivsize : 0;
2219 2220 2221 2222 2223 2224 2225 2226 2227 2228 2229 2230 2231 2232 2233 2234 2235 2236 2237 2238 2239 2240 2241 2242 2243 2244 2245 2246 2247 2248 2249 2250 2251 2252 2253 2254 2255
	const unsigned int authsize = vec->clen - vec->plen;

	if (prandom_u32() % 2 == 0 && vec->alen > aad_tail_size) {
		 /* Mutate the AAD */
		flip_random_bit((u8 *)vec->assoc, vec->alen - aad_tail_size);
		if (prandom_u32() % 2 == 0)
			return;
	}
	if (prandom_u32() % 2 == 0) {
		/* Mutate auth tag (assuming it's at the end of ciphertext) */
		flip_random_bit((u8 *)vec->ctext + vec->plen, authsize);
	} else {
		/* Mutate any part of the ciphertext */
		flip_random_bit((u8 *)vec->ctext, vec->clen);
	}
}

/*
 * Minimum authentication tag size in bytes at which we assume that we can
 * reliably generate inauthentic messages, i.e. not generate an authentic
 * message by chance.
 */
#define MIN_COLLISION_FREE_AUTHSIZE 8

static void generate_aead_message(struct aead_request *req,
				  const struct aead_test_suite *suite,
				  struct aead_testvec *vec,
				  bool prefer_inauthentic)
{
	struct crypto_aead *tfm = crypto_aead_reqtfm(req);
	const unsigned int ivsize = crypto_aead_ivsize(tfm);
	const unsigned int authsize = vec->clen - vec->plen;
	const bool inauthentic = (authsize >= MIN_COLLISION_FREE_AUTHSIZE) &&
				 (prefer_inauthentic || prandom_u32() % 4 == 0);

	/* Generate the AAD. */
	generate_random_bytes((u8 *)vec->assoc, vec->alen);
2256 2257 2258
	if (suite->aad_iv && vec->alen >= ivsize)
		/* Avoid implementation-defined behavior. */
		memcpy((u8 *)vec->assoc + vec->alen - ivsize, vec->iv, ivsize);
2259 2260 2261 2262 2263 2264 2265 2266 2267 2268 2269 2270 2271 2272 2273 2274 2275 2276 2277 2278 2279 2280 2281 2282 2283 2284 2285 2286 2287 2288 2289 2290 2291 2292 2293

	if (inauthentic && prandom_u32() % 2 == 0) {
		/* Generate a random ciphertext. */
		generate_random_bytes((u8 *)vec->ctext, vec->clen);
	} else {
		int i = 0;
		struct scatterlist src[2], dst;
		u8 iv[MAX_IVLEN];
		DECLARE_CRYPTO_WAIT(wait);

		/* Generate a random plaintext and encrypt it. */
		sg_init_table(src, 2);
		if (vec->alen)
			sg_set_buf(&src[i++], vec->assoc, vec->alen);
		if (vec->plen) {
			generate_random_bytes((u8 *)vec->ptext, vec->plen);
			sg_set_buf(&src[i++], vec->ptext, vec->plen);
		}
		sg_init_one(&dst, vec->ctext, vec->alen + vec->clen);
		memcpy(iv, vec->iv, ivsize);
		aead_request_set_callback(req, 0, crypto_req_done, &wait);
		aead_request_set_crypt(req, src, &dst, vec->plen, iv);
		aead_request_set_ad(req, vec->alen);
		vec->crypt_error = crypto_wait_req(crypto_aead_encrypt(req),
						   &wait);
		/* If encryption failed, we're done. */
		if (vec->crypt_error != 0)
			return;
		memmove((u8 *)vec->ctext, vec->ctext + vec->alen, vec->clen);
		if (!inauthentic)
			return;
		/*
		 * Mutate the authentic (ciphertext, AAD) pair to get an
		 * inauthentic one.
		 */
2294
		mutate_aead_message(vec, suite->aad_iv, ivsize);
2295 2296 2297 2298 2299 2300 2301 2302 2303 2304 2305 2306
	}
	vec->novrfy = 1;
	if (suite->einval_allowed)
		vec->crypt_error = -EINVAL;
}

/*
 * Generate an AEAD test vector 'vec' using the implementation specified by
 * 'req'.  The buffers in 'vec' must already be allocated.
 *
 * If 'prefer_inauthentic' is true, then this function will generate inauthentic
 * test vectors (i.e. vectors with 'vec->novrfy=1') more often.
2307 2308 2309
 */
static void generate_random_aead_testvec(struct aead_request *req,
					 struct aead_testvec *vec,
2310
					 const struct aead_test_suite *suite,
2311 2312
					 unsigned int maxkeysize,
					 unsigned int maxdatasize,
2313 2314
					 char *name, size_t max_namelen,
					 bool prefer_inauthentic)
2315 2316 2317
{
	struct crypto_aead *tfm = crypto_aead_reqtfm(req);
	const unsigned int ivsize = crypto_aead_ivsize(tfm);
2318
	const unsigned int maxauthsize = crypto_aead_maxauthsize(tfm);
2319 2320 2321 2322 2323 2324 2325 2326 2327 2328 2329 2330 2331 2332 2333 2334 2335
	unsigned int authsize;
	unsigned int total_len;

	/* Key: length in [0, maxkeysize], but usually choose maxkeysize */
	vec->klen = maxkeysize;
	if (prandom_u32() % 4 == 0)
		vec->klen = prandom_u32() % (maxkeysize + 1);
	generate_random_bytes((u8 *)vec->key, vec->klen);
	vec->setkey_error = crypto_aead_setkey(tfm, vec->key, vec->klen);

	/* IV */
	generate_random_bytes((u8 *)vec->iv, ivsize);

	/* Tag length: in [0, maxauthsize], but usually choose maxauthsize */
	authsize = maxauthsize;
	if (prandom_u32() % 4 == 0)
		authsize = prandom_u32() % (maxauthsize + 1);
2336 2337
	if (prefer_inauthentic && authsize < MIN_COLLISION_FREE_AUTHSIZE)
		authsize = MIN_COLLISION_FREE_AUTHSIZE;
2338 2339 2340 2341 2342
	if (WARN_ON(authsize > maxdatasize))
		authsize = maxdatasize;
	maxdatasize -= authsize;
	vec->setauthsize_error = crypto_aead_setauthsize(tfm, authsize);

2343
	/* AAD, plaintext, and ciphertext lengths */
2344 2345 2346 2347 2348 2349 2350 2351 2352
	total_len = generate_random_length(maxdatasize);
	if (prandom_u32() % 4 == 0)
		vec->alen = 0;
	else
		vec->alen = generate_random_length(total_len);
	vec->plen = total_len - vec->alen;
	vec->clen = vec->plen + authsize;

	/*
2353 2354
	 * Generate the AAD, plaintext, and ciphertext.  Not applicable if the
	 * key or the authentication tag size couldn't be set.
2355
	 */
2356
	vec->novrfy = 0;
2357
	vec->crypt_error = 0;
2358 2359
	if (vec->setkey_error == 0 && vec->setauthsize_error == 0)
		generate_aead_message(req, suite, vec, prefer_inauthentic);
2360
	snprintf(name, max_namelen,
2361 2362 2363 2364 2365 2366 2367 2368 2369 2370 2371 2372 2373 2374 2375 2376 2377 2378 2379 2380 2381 2382 2383 2384 2385 2386 2387 2388 2389 2390 2391 2392 2393 2394 2395 2396 2397 2398 2399 2400 2401 2402 2403
		 "\"random: alen=%u plen=%u authsize=%u klen=%u novrfy=%d\"",
		 vec->alen, vec->plen, authsize, vec->klen, vec->novrfy);
}

static void try_to_generate_inauthentic_testvec(
					struct aead_extra_tests_ctx *ctx)
{
	int i;

	for (i = 0; i < 10; i++) {
		generate_random_aead_testvec(ctx->req, &ctx->vec,
					     &ctx->test_desc->suite.aead,
					     ctx->maxkeysize, ctx->maxdatasize,
					     ctx->vec_name,
					     sizeof(ctx->vec_name), true);
		if (ctx->vec.novrfy)
			return;
	}
}

/*
 * Generate inauthentic test vectors (i.e. ciphertext, AAD pairs that aren't the
 * result of an encryption with the key) and verify that decryption fails.
 */
static int test_aead_inauthentic_inputs(struct aead_extra_tests_ctx *ctx)
{
	unsigned int i;
	int err;

	for (i = 0; i < fuzz_iterations * 8; i++) {
		/*
		 * Since this part of the tests isn't comparing the
		 * implementation to another, there's no point in testing any
		 * test vectors other than inauthentic ones (vec.novrfy=1) here.
		 *
		 * If we're having trouble generating such a test vector, e.g.
		 * if the algorithm keeps rejecting the generated keys, don't
		 * retry forever; just continue on.
		 */
		try_to_generate_inauthentic_testvec(ctx);
		if (ctx->vec.novrfy) {
			generate_random_testvec_config(&ctx->cfg, ctx->cfgname,
						       sizeof(ctx->cfgname));
2404
			err = test_aead_vec_cfg(DECRYPT, &ctx->vec,
2405 2406 2407 2408 2409 2410 2411 2412
						ctx->vec_name, &ctx->cfg,
						ctx->req, ctx->tsgls);
			if (err)
				return err;
		}
		cond_resched();
	}
	return 0;
2413 2414 2415
}

/*
2416 2417
 * Test the AEAD algorithm against the corresponding generic implementation, if
 * one is available.
2418
 */
2419
static int test_aead_vs_generic_impl(struct aead_extra_tests_ctx *ctx)
2420
{
2421
	struct crypto_aead *tfm = ctx->tfm;
2422
	const char *algname = crypto_aead_alg(tfm)->base.cra_name;
2423
	const char *driver = crypto_aead_driver_name(tfm);
2424
	const char *generic_driver = ctx->test_desc->generic_driver;
2425 2426 2427 2428 2429 2430 2431 2432 2433 2434 2435 2436 2437 2438 2439 2440 2441 2442 2443 2444 2445 2446 2447 2448 2449 2450 2451 2452 2453 2454 2455 2456 2457 2458 2459 2460 2461
	char _generic_driver[CRYPTO_MAX_ALG_NAME];
	struct crypto_aead *generic_tfm = NULL;
	struct aead_request *generic_req = NULL;
	unsigned int i;
	int err;

	if (!generic_driver) { /* Use default naming convention? */
		err = build_generic_driver_name(algname, _generic_driver);
		if (err)
			return err;
		generic_driver = _generic_driver;
	}

	if (strcmp(generic_driver, driver) == 0) /* Already the generic impl? */
		return 0;

	generic_tfm = crypto_alloc_aead(generic_driver, 0, 0);
	if (IS_ERR(generic_tfm)) {
		err = PTR_ERR(generic_tfm);
		if (err == -ENOENT) {
			pr_warn("alg: aead: skipping comparison tests for %s because %s is unavailable\n",
				driver, generic_driver);
			return 0;
		}
		pr_err("alg: aead: error allocating %s (generic impl of %s): %d\n",
		       generic_driver, algname, err);
		return err;
	}

	generic_req = aead_request_alloc(generic_tfm, GFP_KERNEL);
	if (!generic_req) {
		err = -ENOMEM;
		goto out;
	}

	/* Check the algorithm properties for consistency. */

2462 2463
	if (crypto_aead_maxauthsize(tfm) !=
	    crypto_aead_maxauthsize(generic_tfm)) {
2464
		pr_err("alg: aead: maxauthsize for %s (%u) doesn't match generic impl (%u)\n",
2465 2466
		       driver, crypto_aead_maxauthsize(tfm),
		       crypto_aead_maxauthsize(generic_tfm));
2467 2468 2469 2470
		err = -EINVAL;
		goto out;
	}

2471
	if (crypto_aead_ivsize(tfm) != crypto_aead_ivsize(generic_tfm)) {
2472
		pr_err("alg: aead: ivsize for %s (%u) doesn't match generic impl (%u)\n",
2473 2474
		       driver, crypto_aead_ivsize(tfm),
		       crypto_aead_ivsize(generic_tfm));
2475 2476 2477 2478
		err = -EINVAL;
		goto out;
	}

2479
	if (crypto_aead_blocksize(tfm) != crypto_aead_blocksize(generic_tfm)) {
2480
		pr_err("alg: aead: blocksize for %s (%u) doesn't match generic impl (%u)\n",
2481 2482
		       driver, crypto_aead_blocksize(tfm),
		       crypto_aead_blocksize(generic_tfm));
2483 2484 2485 2486 2487 2488 2489 2490 2491
		err = -EINVAL;
		goto out;
	}

	/*
	 * Now generate test vectors using the generic implementation, and test
	 * the other implementation against them.
	 */
	for (i = 0; i < fuzz_iterations * 8; i++) {
2492
		generate_random_aead_testvec(generic_req, &ctx->vec,
2493
					     &ctx->test_desc->suite.aead,
2494 2495
					     ctx->maxkeysize, ctx->maxdatasize,
					     ctx->vec_name,
2496
					     sizeof(ctx->vec_name), false);
2497 2498
		generate_random_testvec_config(&ctx->cfg, ctx->cfgname,
					       sizeof(ctx->cfgname));
2499
		if (!ctx->vec.novrfy) {
2500
			err = test_aead_vec_cfg(ENCRYPT, &ctx->vec,
2501 2502 2503 2504 2505 2506
						ctx->vec_name, &ctx->cfg,
						ctx->req, ctx->tsgls);
			if (err)
				goto out;
		}
		if (ctx->vec.crypt_error == 0 || ctx->vec.novrfy) {
2507
			err = test_aead_vec_cfg(DECRYPT, &ctx->vec,
2508 2509
						ctx->vec_name, &ctx->cfg,
						ctx->req, ctx->tsgls);
2510 2511 2512
			if (err)
				goto out;
		}
2513 2514 2515 2516 2517 2518 2519 2520
		cond_resched();
	}
	err = 0;
out:
	crypto_free_aead(generic_tfm);
	aead_request_free(generic_req);
	return err;
}
2521

2522
static int test_aead_extra(const struct alg_test_desc *test_desc,
2523 2524 2525 2526 2527 2528 2529 2530 2531 2532 2533 2534 2535 2536 2537 2538 2539 2540 2541 2542 2543 2544 2545 2546 2547 2548 2549 2550 2551 2552 2553 2554 2555 2556
			   struct aead_request *req,
			   struct cipher_test_sglists *tsgls)
{
	struct aead_extra_tests_ctx *ctx;
	unsigned int i;
	int err;

	if (noextratests)
		return 0;

	ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
	if (!ctx)
		return -ENOMEM;
	ctx->req = req;
	ctx->tfm = crypto_aead_reqtfm(req);
	ctx->test_desc = test_desc;
	ctx->tsgls = tsgls;
	ctx->maxdatasize = (2 * PAGE_SIZE) - TESTMGR_POISON_LEN;
	ctx->maxkeysize = 0;
	for (i = 0; i < test_desc->suite.aead.count; i++)
		ctx->maxkeysize = max_t(unsigned int, ctx->maxkeysize,
					test_desc->suite.aead.vecs[i].klen);

	ctx->vec.key = kmalloc(ctx->maxkeysize, GFP_KERNEL);
	ctx->vec.iv = kmalloc(crypto_aead_ivsize(ctx->tfm), GFP_KERNEL);
	ctx->vec.assoc = kmalloc(ctx->maxdatasize, GFP_KERNEL);
	ctx->vec.ptext = kmalloc(ctx->maxdatasize, GFP_KERNEL);
	ctx->vec.ctext = kmalloc(ctx->maxdatasize, GFP_KERNEL);
	if (!ctx->vec.key || !ctx->vec.iv || !ctx->vec.assoc ||
	    !ctx->vec.ptext || !ctx->vec.ctext) {
		err = -ENOMEM;
		goto out;
	}

2557
	err = test_aead_vs_generic_impl(ctx);
2558 2559 2560
	if (err)
		goto out;

2561
	err = test_aead_inauthentic_inputs(ctx);
2562 2563 2564 2565 2566 2567 2568 2569 2570
out:
	kfree(ctx->vec.key);
	kfree(ctx->vec.iv);
	kfree(ctx->vec.assoc);
	kfree(ctx->vec.ptext);
	kfree(ctx->vec.ctext);
	kfree(ctx);
	return err;
}
2571
#else /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
2572
static int test_aead_extra(const struct alg_test_desc *test_desc,
2573 2574
			   struct aead_request *req,
			   struct cipher_test_sglists *tsgls)
2575 2576 2577 2578 2579
{
	return 0;
}
#endif /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */

2580
static int test_aead(int enc, const struct aead_test_suite *suite,
2581 2582 2583 2584 2585
		     struct aead_request *req,
		     struct cipher_test_sglists *tsgls)
{
	unsigned int i;
	int err;
2586

2587
	for (i = 0; i < suite->count; i++) {
2588
		err = test_aead_vec(enc, &suite->vecs[i], i, req, tsgls);
2589 2590
		if (err)
			return err;
2591
		cond_resched();
2592 2593
	}
	return 0;
2594 2595
}

2596 2597
static int alg_test_aead(const struct alg_test_desc *desc, const char *driver,
			 u32 type, u32 mask)
2598
{
2599 2600 2601 2602 2603
	const struct aead_test_suite *suite = &desc->suite.aead;
	struct crypto_aead *tfm;
	struct aead_request *req = NULL;
	struct cipher_test_sglists *tsgls = NULL;
	int err;
2604

2605 2606 2607 2608
	if (suite->count <= 0) {
		pr_err("alg: aead: empty test suite for %s\n", driver);
		return -EINVAL;
	}
2609

2610 2611 2612 2613 2614 2615
	tfm = crypto_alloc_aead(driver, type, mask);
	if (IS_ERR(tfm)) {
		pr_err("alg: aead: failed to allocate transform for %s: %ld\n",
		       driver, PTR_ERR(tfm));
		return PTR_ERR(tfm);
	}
2616
	driver = crypto_aead_driver_name(tfm);
2617

2618 2619 2620 2621 2622 2623 2624
	req = aead_request_alloc(tfm, GFP_KERNEL);
	if (!req) {
		pr_err("alg: aead: failed to allocate request for %s\n",
		       driver);
		err = -ENOMEM;
		goto out;
	}
2625

2626 2627 2628 2629 2630 2631
	tsgls = alloc_cipher_test_sglists();
	if (!tsgls) {
		pr_err("alg: aead: failed to allocate test buffers for %s\n",
		       driver);
		err = -ENOMEM;
		goto out;
2632 2633
	}

2634
	err = test_aead(ENCRYPT, suite, req, tsgls);
2635 2636 2637
	if (err)
		goto out;

2638
	err = test_aead(DECRYPT, suite, req, tsgls);
2639 2640 2641
	if (err)
		goto out;

2642
	err = test_aead_extra(desc, req, tsgls);
2643 2644 2645 2646 2647
out:
	free_cipher_test_sglists(tsgls);
	aead_request_free(req);
	crypto_free_aead(tfm);
	return err;
2648 2649
}

2650
static int test_cipher(struct crypto_cipher *tfm, int enc,
2651 2652
		       const struct cipher_testvec *template,
		       unsigned int tcount)
2653 2654 2655 2656 2657
{
	const char *algo = crypto_tfm_alg_driver_name(crypto_cipher_tfm(tfm));
	unsigned int i, j, k;
	char *q;
	const char *e;
2658
	const char *input, *result;
2659
	void *data;
2660 2661 2662 2663 2664
	char *xbuf[XBUFSIZE];
	int ret = -ENOMEM;

	if (testmgr_alloc_buf(xbuf))
		goto out_nobuf;
2665 2666 2667 2668 2669 2670 2671 2672 2673

	if (enc == ENCRYPT)
	        e = "encryption";
	else
		e = "decryption";

	j = 0;
	for (i = 0; i < tcount; i++) {

2674 2675 2676
		if (fips_enabled && template[i].fips_skip)
			continue;

2677 2678
		input  = enc ? template[i].ptext : template[i].ctext;
		result = enc ? template[i].ctext : template[i].ptext;
2679 2680
		j++;

2681
		ret = -EINVAL;
2682
		if (WARN_ON(template[i].len > PAGE_SIZE))
2683 2684
			goto out;

2685
		data = xbuf[0];
2686
		memcpy(data, input, template[i].len);
2687 2688 2689

		crypto_cipher_clear_flags(tfm, ~0);
		if (template[i].wk)
2690
			crypto_cipher_set_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
2691 2692 2693

		ret = crypto_cipher_setkey(tfm, template[i].key,
					   template[i].klen);
2694 2695 2696 2697 2698 2699
		if (ret) {
			if (ret == template[i].setkey_error)
				continue;
			pr_err("alg: cipher: %s setkey failed on test vector %u; expected_error=%d, actual_error=%d, flags=%#x\n",
			       algo, j, template[i].setkey_error, ret,
			       crypto_cipher_get_flags(tfm));
2700
			goto out;
2701 2702 2703 2704 2705 2706 2707
		}
		if (template[i].setkey_error) {
			pr_err("alg: cipher: %s setkey unexpectedly succeeded on test vector %u; expected_error=%d\n",
			       algo, j, template[i].setkey_error);
			ret = -EINVAL;
			goto out;
		}
2708

2709
		for (k = 0; k < template[i].len;
2710 2711 2712 2713 2714 2715 2716 2717 2718 2719
		     k += crypto_cipher_blocksize(tfm)) {
			if (enc)
				crypto_cipher_encrypt_one(tfm, data + k,
							  data + k);
			else
				crypto_cipher_decrypt_one(tfm, data + k,
							  data + k);
		}

		q = data;
2720
		if (memcmp(q, result, template[i].len)) {
2721 2722
			printk(KERN_ERR "alg: cipher: Test %d failed "
			       "on %s for %s\n", j, e, algo);
2723
			hexdump(q, template[i].len);
2724 2725 2726 2727 2728 2729 2730 2731
			ret = -EINVAL;
			goto out;
		}
	}

	ret = 0;

out:
2732 2733
	testmgr_free_buf(xbuf);
out_nobuf:
2734 2735 2736
	return ret;
}

2737
static int test_skcipher_vec_cfg(int enc, const struct cipher_testvec *vec,
2738
				 const char *vec_name,
2739 2740 2741
				 const struct testvec_config *cfg,
				 struct skcipher_request *req,
				 struct cipher_test_sglists *tsgls)
2742
{
2743 2744 2745
	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
	const unsigned int alignmask = crypto_skcipher_alignmask(tfm);
	const unsigned int ivsize = crypto_skcipher_ivsize(tfm);
2746
	const char *driver = crypto_skcipher_driver_name(tfm);
2747 2748 2749 2750 2751 2752 2753 2754 2755
	const u32 req_flags = CRYPTO_TFM_REQ_MAY_BACKLOG | cfg->req_flags;
	const char *op = enc ? "encryption" : "decryption";
	DECLARE_CRYPTO_WAIT(wait);
	u8 _iv[3 * (MAX_ALGAPI_ALIGNMASK + 1) + MAX_IVLEN];
	u8 *iv = PTR_ALIGN(&_iv[0], 2 * (MAX_ALGAPI_ALIGNMASK + 1)) +
		 cfg->iv_offset +
		 (cfg->iv_offset_relative_to_alignmask ? alignmask : 0);
	struct kvec input;
	int err;
2756

2757 2758 2759
	/* Set the key */
	if (vec->wk)
		crypto_skcipher_set_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
2760
	else
2761 2762
		crypto_skcipher_clear_flags(tfm,
					    CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
2763 2764
	err = do_setkey(crypto_skcipher_setkey, tfm, vec->key, vec->klen,
			cfg, alignmask);
2765
	if (err) {
2766
		if (err == vec->setkey_error)
2767
			return 0;
2768 2769
		pr_err("alg: skcipher: %s setkey failed on test vector %s; expected_error=%d, actual_error=%d, flags=%#x\n",
		       driver, vec_name, vec->setkey_error, err,
2770
		       crypto_skcipher_get_flags(tfm));
2771 2772
		return err;
	}
2773
	if (vec->setkey_error) {
2774 2775
		pr_err("alg: skcipher: %s setkey unexpectedly succeeded on test vector %s; expected_error=%d\n",
		       driver, vec_name, vec->setkey_error);
2776
		return -EINVAL;
2777 2778
	}

2779 2780 2781 2782
	/* The IV must be copied to a buffer, as the algorithm may modify it */
	if (ivsize) {
		if (WARN_ON(ivsize > MAX_IVLEN))
			return -EINVAL;
2783 2784 2785
		if (vec->generates_iv && !enc)
			memcpy(iv, vec->iv_out, ivsize);
		else if (vec->iv)
2786
			memcpy(iv, vec->iv, ivsize);
2787
		else
2788 2789 2790
			memset(iv, 0, ivsize);
	} else {
		if (vec->generates_iv) {
2791 2792
			pr_err("alg: skcipher: %s has ivsize=0 but test vector %s generates IV!\n",
			       driver, vec_name);
2793
			return -EINVAL;
2794
		}
2795
		iv = NULL;
2796 2797
	}

2798 2799 2800 2801 2802 2803
	/* Build the src/dst scatterlists */
	input.iov_base = enc ? (void *)vec->ptext : (void *)vec->ctext;
	input.iov_len = vec->len;
	err = build_cipher_test_sglists(tsgls, cfg, alignmask,
					vec->len, vec->len, &input, 1);
	if (err) {
2804 2805
		pr_err("alg: skcipher: %s %s: error preparing scatterlists for test vector %s, cfg=\"%s\"\n",
		       driver, op, vec_name, cfg->name);
2806 2807
		return err;
	}
2808

2809 2810 2811 2812 2813
	/* Do the actual encryption or decryption */
	testmgr_poison(req->__ctx, crypto_skcipher_reqsize(tfm));
	skcipher_request_set_callback(req, req_flags, crypto_req_done, &wait);
	skcipher_request_set_crypt(req, tsgls->src.sgl_ptr, tsgls->dst.sgl_ptr,
				   vec->len, iv);
2814 2815 2816 2817 2818 2819
	if (cfg->nosimd)
		crypto_disable_simd_for_test();
	err = enc ? crypto_skcipher_encrypt(req) : crypto_skcipher_decrypt(req);
	if (cfg->nosimd)
		crypto_reenable_simd_for_test();
	err = crypto_wait_req(err, &wait);
2820

2821 2822 2823 2824 2825 2826 2827 2828 2829
	/* Check that the algorithm didn't overwrite things it shouldn't have */
	if (req->cryptlen != vec->len ||
	    req->iv != iv ||
	    req->src != tsgls->src.sgl_ptr ||
	    req->dst != tsgls->dst.sgl_ptr ||
	    crypto_skcipher_reqtfm(req) != tfm ||
	    req->base.complete != crypto_req_done ||
	    req->base.flags != req_flags ||
	    req->base.data != &wait) {
2830 2831
		pr_err("alg: skcipher: %s %s corrupted request struct on test vector %s, cfg=\"%s\"\n",
		       driver, op, vec_name, cfg->name);
2832 2833 2834 2835 2836 2837 2838 2839 2840 2841 2842 2843 2844 2845 2846 2847 2848 2849 2850
		if (req->cryptlen != vec->len)
			pr_err("alg: skcipher: changed 'req->cryptlen'\n");
		if (req->iv != iv)
			pr_err("alg: skcipher: changed 'req->iv'\n");
		if (req->src != tsgls->src.sgl_ptr)
			pr_err("alg: skcipher: changed 'req->src'\n");
		if (req->dst != tsgls->dst.sgl_ptr)
			pr_err("alg: skcipher: changed 'req->dst'\n");
		if (crypto_skcipher_reqtfm(req) != tfm)
			pr_err("alg: skcipher: changed 'req->base.tfm'\n");
		if (req->base.complete != crypto_req_done)
			pr_err("alg: skcipher: changed 'req->base.complete'\n");
		if (req->base.flags != req_flags)
			pr_err("alg: skcipher: changed 'req->base.flags'\n");
		if (req->base.data != &wait)
			pr_err("alg: skcipher: changed 'req->base.data'\n");
		return -EINVAL;
	}
	if (is_test_sglist_corrupted(&tsgls->src)) {
2851 2852
		pr_err("alg: skcipher: %s %s corrupted src sgl on test vector %s, cfg=\"%s\"\n",
		       driver, op, vec_name, cfg->name);
2853 2854 2855 2856
		return -EINVAL;
	}
	if (tsgls->dst.sgl_ptr != tsgls->src.sgl &&
	    is_test_sglist_corrupted(&tsgls->dst)) {
2857 2858
		pr_err("alg: skcipher: %s %s corrupted dst sgl on test vector %s, cfg=\"%s\"\n",
		       driver, op, vec_name, cfg->name);
2859 2860 2861
		return -EINVAL;
	}

2862 2863 2864 2865
	/* Check for success or failure */
	if (err) {
		if (err == vec->crypt_error)
			return 0;
2866 2867
		pr_err("alg: skcipher: %s %s failed on test vector %s; expected_error=%d, actual_error=%d, cfg=\"%s\"\n",
		       driver, op, vec_name, vec->crypt_error, err, cfg->name);
2868 2869 2870
		return err;
	}
	if (vec->crypt_error) {
2871 2872
		pr_err("alg: skcipher: %s %s unexpectedly succeeded on test vector %s; expected_error=%d, cfg=\"%s\"\n",
		       driver, op, vec_name, vec->crypt_error, cfg->name);
2873 2874 2875
		return -EINVAL;
	}

2876 2877 2878 2879
	/* Check for the correct output (ciphertext or plaintext) */
	err = verify_correct_output(&tsgls->dst, enc ? vec->ctext : vec->ptext,
				    vec->len, 0, true);
	if (err == -EOVERFLOW) {
2880 2881
		pr_err("alg: skcipher: %s %s overran dst buffer on test vector %s, cfg=\"%s\"\n",
		       driver, op, vec_name, cfg->name);
2882 2883 2884
		return err;
	}
	if (err) {
2885 2886
		pr_err("alg: skcipher: %s %s test failed (wrong result) on test vector %s, cfg=\"%s\"\n",
		       driver, op, vec_name, cfg->name);
2887 2888
		return err;
	}
2889

2890
	/* If applicable, check that the algorithm generated the correct IV */
2891
	if (vec->iv_out && memcmp(iv, vec->iv_out, ivsize) != 0) {
2892 2893
		pr_err("alg: skcipher: %s %s test failed (wrong output IV) on test vector %s, cfg=\"%s\"\n",
		       driver, op, vec_name, cfg->name);
2894 2895 2896
		hexdump(iv, ivsize);
		return -EINVAL;
	}
2897

2898 2899
	return 0;
}
2900

2901
static int test_skcipher_vec(int enc, const struct cipher_testvec *vec,
2902 2903 2904 2905
			     unsigned int vec_num,
			     struct skcipher_request *req,
			     struct cipher_test_sglists *tsgls)
{
2906
	char vec_name[16];
2907 2908
	unsigned int i;
	int err;
2909

2910 2911
	if (fips_enabled && vec->fips_skip)
		return 0;
2912

2913 2914
	sprintf(vec_name, "%u", vec_num);

2915
	for (i = 0; i < ARRAY_SIZE(default_cipher_testvec_configs); i++) {
2916
		err = test_skcipher_vec_cfg(enc, vec, vec_name,
2917 2918 2919 2920 2921
					    &default_cipher_testvec_configs[i],
					    req, tsgls);
		if (err)
			return err;
	}
2922

2923 2924 2925 2926 2927 2928 2929 2930
#ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
	if (!noextratests) {
		struct testvec_config cfg;
		char cfgname[TESTVEC_CONFIG_NAMELEN];

		for (i = 0; i < fuzz_iterations; i++) {
			generate_random_testvec_config(&cfg, cfgname,
						       sizeof(cfgname));
2931
			err = test_skcipher_vec_cfg(enc, vec, vec_name,
2932 2933 2934
						    &cfg, req, tsgls);
			if (err)
				return err;
2935
			cond_resched();
2936 2937
		}
	}
2938 2939 2940
#endif
	return 0;
}
2941

2942 2943 2944 2945 2946 2947 2948 2949 2950 2951 2952
#ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
/*
 * Generate a symmetric cipher test vector from the given implementation.
 * Assumes the buffers in 'vec' were already allocated.
 */
static void generate_random_cipher_testvec(struct skcipher_request *req,
					   struct cipher_testvec *vec,
					   unsigned int maxdatasize,
					   char *name, size_t max_namelen)
{
	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
2953
	const unsigned int maxkeysize = crypto_skcipher_max_keysize(tfm);
2954 2955 2956 2957 2958 2959 2960 2961 2962 2963 2964 2965 2966 2967 2968 2969 2970 2971 2972 2973 2974 2975 2976 2977 2978 2979 2980 2981 2982 2983
	const unsigned int ivsize = crypto_skcipher_ivsize(tfm);
	struct scatterlist src, dst;
	u8 iv[MAX_IVLEN];
	DECLARE_CRYPTO_WAIT(wait);

	/* Key: length in [0, maxkeysize], but usually choose maxkeysize */
	vec->klen = maxkeysize;
	if (prandom_u32() % 4 == 0)
		vec->klen = prandom_u32() % (maxkeysize + 1);
	generate_random_bytes((u8 *)vec->key, vec->klen);
	vec->setkey_error = crypto_skcipher_setkey(tfm, vec->key, vec->klen);

	/* IV */
	generate_random_bytes((u8 *)vec->iv, ivsize);

	/* Plaintext */
	vec->len = generate_random_length(maxdatasize);
	generate_random_bytes((u8 *)vec->ptext, vec->len);

	/* If the key couldn't be set, no need to continue to encrypt. */
	if (vec->setkey_error)
		goto done;

	/* Ciphertext */
	sg_init_one(&src, vec->ptext, vec->len);
	sg_init_one(&dst, vec->ctext, vec->len);
	memcpy(iv, vec->iv, ivsize);
	skcipher_request_set_callback(req, 0, crypto_req_done, &wait);
	skcipher_request_set_crypt(req, &src, &dst, vec->len, iv);
	vec->crypt_error = crypto_wait_req(crypto_skcipher_encrypt(req), &wait);
2984 2985 2986 2987 2988 2989 2990 2991 2992
	if (vec->crypt_error != 0) {
		/*
		 * The only acceptable error here is for an invalid length, so
		 * skcipher decryption should fail with the same error too.
		 * We'll test for this.  But to keep the API usage well-defined,
		 * explicitly initialize the ciphertext buffer too.
		 */
		memset((u8 *)vec->ctext, 0, vec->len);
	}
2993 2994 2995 2996 2997 2998 2999 3000 3001
done:
	snprintf(name, max_namelen, "\"random: len=%u klen=%u\"",
		 vec->len, vec->klen);
}

/*
 * Test the skcipher algorithm represented by @req against the corresponding
 * generic implementation, if one is available.
 */
3002
static int test_skcipher_vs_generic_impl(const char *generic_driver,
3003 3004 3005 3006
					 struct skcipher_request *req,
					 struct cipher_test_sglists *tsgls)
{
	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
3007
	const unsigned int maxkeysize = crypto_skcipher_max_keysize(tfm);
3008 3009 3010 3011
	const unsigned int ivsize = crypto_skcipher_ivsize(tfm);
	const unsigned int blocksize = crypto_skcipher_blocksize(tfm);
	const unsigned int maxdatasize = (2 * PAGE_SIZE) - TESTMGR_POISON_LEN;
	const char *algname = crypto_skcipher_alg(tfm)->base.cra_name;
3012
	const char *driver = crypto_skcipher_driver_name(tfm);
3013 3014 3015 3016 3017 3018
	char _generic_driver[CRYPTO_MAX_ALG_NAME];
	struct crypto_skcipher *generic_tfm = NULL;
	struct skcipher_request *generic_req = NULL;
	unsigned int i;
	struct cipher_testvec vec = { 0 };
	char vec_name[64];
3019
	struct testvec_config *cfg;
3020 3021 3022 3023 3024 3025 3026 3027 3028 3029 3030 3031 3032 3033 3034 3035 3036 3037 3038 3039 3040 3041 3042 3043 3044 3045 3046 3047 3048 3049 3050 3051 3052
	char cfgname[TESTVEC_CONFIG_NAMELEN];
	int err;

	if (noextratests)
		return 0;

	/* Keywrap isn't supported here yet as it handles its IV differently. */
	if (strncmp(algname, "kw(", 3) == 0)
		return 0;

	if (!generic_driver) { /* Use default naming convention? */
		err = build_generic_driver_name(algname, _generic_driver);
		if (err)
			return err;
		generic_driver = _generic_driver;
	}

	if (strcmp(generic_driver, driver) == 0) /* Already the generic impl? */
		return 0;

	generic_tfm = crypto_alloc_skcipher(generic_driver, 0, 0);
	if (IS_ERR(generic_tfm)) {
		err = PTR_ERR(generic_tfm);
		if (err == -ENOENT) {
			pr_warn("alg: skcipher: skipping comparison tests for %s because %s is unavailable\n",
				driver, generic_driver);
			return 0;
		}
		pr_err("alg: skcipher: error allocating %s (generic impl of %s): %d\n",
		       generic_driver, algname, err);
		return err;
	}

3053 3054 3055 3056 3057 3058
	cfg = kzalloc(sizeof(*cfg), GFP_KERNEL);
	if (!cfg) {
		err = -ENOMEM;
		goto out;
	}

3059 3060 3061 3062 3063 3064 3065 3066
	generic_req = skcipher_request_alloc(generic_tfm, GFP_KERNEL);
	if (!generic_req) {
		err = -ENOMEM;
		goto out;
	}

	/* Check the algorithm properties for consistency. */

3067 3068 3069 3070 3071 3072 3073 3074 3075
	if (crypto_skcipher_min_keysize(tfm) !=
	    crypto_skcipher_min_keysize(generic_tfm)) {
		pr_err("alg: skcipher: min keysize for %s (%u) doesn't match generic impl (%u)\n",
		       driver, crypto_skcipher_min_keysize(tfm),
		       crypto_skcipher_min_keysize(generic_tfm));
		err = -EINVAL;
		goto out;
	}

3076
	if (maxkeysize != crypto_skcipher_max_keysize(generic_tfm)) {
3077
		pr_err("alg: skcipher: max keysize for %s (%u) doesn't match generic impl (%u)\n",
3078 3079
		       driver, maxkeysize,
		       crypto_skcipher_max_keysize(generic_tfm));
3080 3081 3082 3083 3084 3085 3086 3087 3088 3089 3090 3091 3092 3093 3094 3095 3096 3097 3098 3099 3100 3101 3102 3103
		err = -EINVAL;
		goto out;
	}

	if (ivsize != crypto_skcipher_ivsize(generic_tfm)) {
		pr_err("alg: skcipher: ivsize for %s (%u) doesn't match generic impl (%u)\n",
		       driver, ivsize, crypto_skcipher_ivsize(generic_tfm));
		err = -EINVAL;
		goto out;
	}

	if (blocksize != crypto_skcipher_blocksize(generic_tfm)) {
		pr_err("alg: skcipher: blocksize for %s (%u) doesn't match generic impl (%u)\n",
		       driver, blocksize,
		       crypto_skcipher_blocksize(generic_tfm));
		err = -EINVAL;
		goto out;
	}

	/*
	 * Now generate test vectors using the generic implementation, and test
	 * the other implementation against them.
	 */

3104
	vec.key = kmalloc(maxkeysize, GFP_KERNEL);
3105 3106 3107 3108 3109 3110 3111 3112 3113 3114 3115
	vec.iv = kmalloc(ivsize, GFP_KERNEL);
	vec.ptext = kmalloc(maxdatasize, GFP_KERNEL);
	vec.ctext = kmalloc(maxdatasize, GFP_KERNEL);
	if (!vec.key || !vec.iv || !vec.ptext || !vec.ctext) {
		err = -ENOMEM;
		goto out;
	}

	for (i = 0; i < fuzz_iterations * 8; i++) {
		generate_random_cipher_testvec(generic_req, &vec, maxdatasize,
					       vec_name, sizeof(vec_name));
3116
		generate_random_testvec_config(cfg, cfgname, sizeof(cfgname));
3117

3118
		err = test_skcipher_vec_cfg(ENCRYPT, &vec, vec_name,
3119
					    cfg, req, tsgls);
3120 3121
		if (err)
			goto out;
3122
		err = test_skcipher_vec_cfg(DECRYPT, &vec, vec_name,
3123
					    cfg, req, tsgls);
3124 3125 3126 3127 3128 3129
		if (err)
			goto out;
		cond_resched();
	}
	err = 0;
out:
3130
	kfree(cfg);
3131 3132 3133 3134 3135 3136 3137 3138 3139
	kfree(vec.key);
	kfree(vec.iv);
	kfree(vec.ptext);
	kfree(vec.ctext);
	crypto_free_skcipher(generic_tfm);
	skcipher_request_free(generic_req);
	return err;
}
#else /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
3140
static int test_skcipher_vs_generic_impl(const char *generic_driver,
3141 3142 3143 3144 3145 3146 3147
					 struct skcipher_request *req,
					 struct cipher_test_sglists *tsgls)
{
	return 0;
}
#endif /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */

3148
static int test_skcipher(int enc, const struct cipher_test_suite *suite,
3149 3150 3151 3152 3153
			 struct skcipher_request *req,
			 struct cipher_test_sglists *tsgls)
{
	unsigned int i;
	int err;
3154

3155
	for (i = 0; i < suite->count; i++) {
3156
		err = test_skcipher_vec(enc, &suite->vecs[i], i, req, tsgls);
3157 3158
		if (err)
			return err;
3159
		cond_resched();
3160 3161
	}
	return 0;
3162 3163
}

3164 3165
static int alg_test_skcipher(const struct alg_test_desc *desc,
			     const char *driver, u32 type, u32 mask)
3166
{
3167 3168 3169 3170 3171
	const struct cipher_test_suite *suite = &desc->suite.cipher;
	struct crypto_skcipher *tfm;
	struct skcipher_request *req = NULL;
	struct cipher_test_sglists *tsgls = NULL;
	int err;
3172

3173 3174 3175 3176
	if (suite->count <= 0) {
		pr_err("alg: skcipher: empty test suite for %s\n", driver);
		return -EINVAL;
	}
3177

3178 3179 3180 3181 3182 3183
	tfm = crypto_alloc_skcipher(driver, type, mask);
	if (IS_ERR(tfm)) {
		pr_err("alg: skcipher: failed to allocate transform for %s: %ld\n",
		       driver, PTR_ERR(tfm));
		return PTR_ERR(tfm);
	}
3184
	driver = crypto_skcipher_driver_name(tfm);
3185

3186 3187 3188 3189 3190 3191 3192
	req = skcipher_request_alloc(tfm, GFP_KERNEL);
	if (!req) {
		pr_err("alg: skcipher: failed to allocate request for %s\n",
		       driver);
		err = -ENOMEM;
		goto out;
	}
3193

3194 3195 3196 3197 3198 3199
	tsgls = alloc_cipher_test_sglists();
	if (!tsgls) {
		pr_err("alg: skcipher: failed to allocate test buffers for %s\n",
		       driver);
		err = -ENOMEM;
		goto out;
3200 3201
	}

3202
	err = test_skcipher(ENCRYPT, suite, req, tsgls);
3203 3204 3205
	if (err)
		goto out;

3206
	err = test_skcipher(DECRYPT, suite, req, tsgls);
3207 3208 3209
	if (err)
		goto out;

3210
	err = test_skcipher_vs_generic_impl(desc->generic_driver, req, tsgls);
3211 3212 3213 3214 3215
out:
	free_cipher_test_sglists(tsgls);
	skcipher_request_free(req);
	crypto_free_skcipher(tfm);
	return err;
3216 3217
}

3218 3219 3220 3221
static int test_comp(struct crypto_comp *tfm,
		     const struct comp_testvec *ctemplate,
		     const struct comp_testvec *dtemplate,
		     int ctcount, int dtcount)
3222 3223
{
	const char *algo = crypto_tfm_alg_driver_name(crypto_comp_tfm(tfm));
3224
	char *output, *decomp_output;
3225 3226 3227
	unsigned int i;
	int ret;

3228 3229 3230 3231 3232 3233 3234 3235 3236 3237
	output = kmalloc(COMP_BUF_SIZE, GFP_KERNEL);
	if (!output)
		return -ENOMEM;

	decomp_output = kmalloc(COMP_BUF_SIZE, GFP_KERNEL);
	if (!decomp_output) {
		kfree(output);
		return -ENOMEM;
	}

3238
	for (i = 0; i < ctcount; i++) {
3239 3240
		int ilen;
		unsigned int dlen = COMP_BUF_SIZE;
3241

3242 3243
		memset(output, 0, COMP_BUF_SIZE);
		memset(decomp_output, 0, COMP_BUF_SIZE);
3244 3245 3246

		ilen = ctemplate[i].inlen;
		ret = crypto_comp_compress(tfm, ctemplate[i].input,
3247
					   ilen, output, &dlen);
3248 3249 3250 3251 3252 3253 3254
		if (ret) {
			printk(KERN_ERR "alg: comp: compression failed "
			       "on test %d for %s: ret=%d\n", i + 1, algo,
			       -ret);
			goto out;
		}

3255 3256 3257 3258 3259 3260 3261 3262 3263 3264 3265
		ilen = dlen;
		dlen = COMP_BUF_SIZE;
		ret = crypto_comp_decompress(tfm, output,
					     ilen, decomp_output, &dlen);
		if (ret) {
			pr_err("alg: comp: compression failed: decompress: on test %d for %s failed: ret=%d\n",
			       i + 1, algo, -ret);
			goto out;
		}

		if (dlen != ctemplate[i].inlen) {
3266 3267 3268 3269 3270 3271 3272
			printk(KERN_ERR "alg: comp: Compression test %d "
			       "failed for %s: output len = %d\n", i + 1, algo,
			       dlen);
			ret = -EINVAL;
			goto out;
		}

3273 3274 3275 3276 3277
		if (memcmp(decomp_output, ctemplate[i].input,
			   ctemplate[i].inlen)) {
			pr_err("alg: comp: compression failed: output differs: on test %d for %s\n",
			       i + 1, algo);
			hexdump(decomp_output, dlen);
3278 3279 3280 3281 3282 3283
			ret = -EINVAL;
			goto out;
		}
	}

	for (i = 0; i < dtcount; i++) {
3284 3285
		int ilen;
		unsigned int dlen = COMP_BUF_SIZE;
3286

3287
		memset(decomp_output, 0, COMP_BUF_SIZE);
3288 3289 3290

		ilen = dtemplate[i].inlen;
		ret = crypto_comp_decompress(tfm, dtemplate[i].input,
3291
					     ilen, decomp_output, &dlen);
3292 3293 3294 3295 3296 3297 3298
		if (ret) {
			printk(KERN_ERR "alg: comp: decompression failed "
			       "on test %d for %s: ret=%d\n", i + 1, algo,
			       -ret);
			goto out;
		}

3299 3300 3301 3302 3303 3304 3305 3306
		if (dlen != dtemplate[i].outlen) {
			printk(KERN_ERR "alg: comp: Decompression test %d "
			       "failed for %s: output len = %d\n", i + 1, algo,
			       dlen);
			ret = -EINVAL;
			goto out;
		}

3307
		if (memcmp(decomp_output, dtemplate[i].output, dlen)) {
3308 3309
			printk(KERN_ERR "alg: comp: Decompression test %d "
			       "failed for %s\n", i + 1, algo);
3310
			hexdump(decomp_output, dlen);
3311 3312 3313 3314 3315 3316 3317 3318
			ret = -EINVAL;
			goto out;
		}
	}

	ret = 0;

out:
3319 3320
	kfree(decomp_output);
	kfree(output);
3321 3322 3323
	return ret;
}

3324
static int test_acomp(struct crypto_acomp *tfm,
3325
			      const struct comp_testvec *ctemplate,
3326 3327
		      const struct comp_testvec *dtemplate,
		      int ctcount, int dtcount)
3328 3329 3330
{
	const char *algo = crypto_tfm_alg_driver_name(crypto_acomp_tfm(tfm));
	unsigned int i;
3331
	char *output, *decomp_out;
3332 3333 3334
	int ret;
	struct scatterlist src, dst;
	struct acomp_req *req;
3335
	struct crypto_wait wait;
3336

3337 3338 3339 3340
	output = kmalloc(COMP_BUF_SIZE, GFP_KERNEL);
	if (!output)
		return -ENOMEM;

3341 3342 3343 3344 3345 3346
	decomp_out = kmalloc(COMP_BUF_SIZE, GFP_KERNEL);
	if (!decomp_out) {
		kfree(output);
		return -ENOMEM;
	}

3347 3348 3349
	for (i = 0; i < ctcount; i++) {
		unsigned int dlen = COMP_BUF_SIZE;
		int ilen = ctemplate[i].inlen;
3350
		void *input_vec;
3351

3352
		input_vec = kmemdup(ctemplate[i].input, ilen, GFP_KERNEL);
3353 3354 3355 3356 3357
		if (!input_vec) {
			ret = -ENOMEM;
			goto out;
		}

3358
		memset(output, 0, dlen);
3359
		crypto_init_wait(&wait);
3360
		sg_init_one(&src, input_vec, ilen);
3361 3362 3363 3364 3365 3366
		sg_init_one(&dst, output, dlen);

		req = acomp_request_alloc(tfm);
		if (!req) {
			pr_err("alg: acomp: request alloc failed for %s\n",
			       algo);
3367
			kfree(input_vec);
3368 3369 3370 3371 3372 3373
			ret = -ENOMEM;
			goto out;
		}

		acomp_request_set_params(req, &src, &dst, ilen, dlen);
		acomp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
3374
					   crypto_req_done, &wait);
3375

3376
		ret = crypto_wait_req(crypto_acomp_compress(req), &wait);
3377 3378 3379
		if (ret) {
			pr_err("alg: acomp: compression failed on test %d for %s: ret=%d\n",
			       i + 1, algo, -ret);
3380
			kfree(input_vec);
3381 3382 3383 3384
			acomp_request_free(req);
			goto out;
		}

3385 3386 3387 3388
		ilen = req->dlen;
		dlen = COMP_BUF_SIZE;
		sg_init_one(&src, output, ilen);
		sg_init_one(&dst, decomp_out, dlen);
3389
		crypto_init_wait(&wait);
3390 3391
		acomp_request_set_params(req, &src, &dst, ilen, dlen);

3392
		ret = crypto_wait_req(crypto_acomp_decompress(req), &wait);
3393 3394 3395 3396 3397 3398 3399 3400 3401
		if (ret) {
			pr_err("alg: acomp: compression failed on test %d for %s: ret=%d\n",
			       i + 1, algo, -ret);
			kfree(input_vec);
			acomp_request_free(req);
			goto out;
		}

		if (req->dlen != ctemplate[i].inlen) {
3402 3403 3404
			pr_err("alg: acomp: Compression test %d failed for %s: output len = %d\n",
			       i + 1, algo, req->dlen);
			ret = -EINVAL;
3405
			kfree(input_vec);
3406 3407 3408 3409
			acomp_request_free(req);
			goto out;
		}

3410
		if (memcmp(input_vec, decomp_out, req->dlen)) {
3411 3412 3413 3414
			pr_err("alg: acomp: Compression test %d failed for %s\n",
			       i + 1, algo);
			hexdump(output, req->dlen);
			ret = -EINVAL;
3415
			kfree(input_vec);
3416 3417 3418 3419
			acomp_request_free(req);
			goto out;
		}

3420 3421 3422 3423 3424 3425 3426 3427 3428 3429 3430 3431 3432 3433 3434
#ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
		crypto_init_wait(&wait);
		sg_init_one(&src, input_vec, ilen);
		acomp_request_set_params(req, &src, NULL, ilen, 0);

		ret = crypto_wait_req(crypto_acomp_compress(req), &wait);
		if (ret) {
			pr_err("alg: acomp: compression failed on NULL dst buffer test %d for %s: ret=%d\n",
			       i + 1, algo, -ret);
			kfree(input_vec);
			acomp_request_free(req);
			goto out;
		}
#endif

3435
		kfree(input_vec);
3436 3437 3438 3439 3440 3441
		acomp_request_free(req);
	}

	for (i = 0; i < dtcount; i++) {
		unsigned int dlen = COMP_BUF_SIZE;
		int ilen = dtemplate[i].inlen;
3442 3443
		void *input_vec;

3444
		input_vec = kmemdup(dtemplate[i].input, ilen, GFP_KERNEL);
3445 3446 3447 3448
		if (!input_vec) {
			ret = -ENOMEM;
			goto out;
		}
3449

3450
		memset(output, 0, dlen);
3451
		crypto_init_wait(&wait);
3452
		sg_init_one(&src, input_vec, ilen);
3453 3454 3455 3456 3457 3458
		sg_init_one(&dst, output, dlen);

		req = acomp_request_alloc(tfm);
		if (!req) {
			pr_err("alg: acomp: request alloc failed for %s\n",
			       algo);
3459
			kfree(input_vec);
3460 3461 3462 3463 3464 3465
			ret = -ENOMEM;
			goto out;
		}

		acomp_request_set_params(req, &src, &dst, ilen, dlen);
		acomp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
3466
					   crypto_req_done, &wait);
3467

3468
		ret = crypto_wait_req(crypto_acomp_decompress(req), &wait);
3469 3470 3471
		if (ret) {
			pr_err("alg: acomp: decompression failed on test %d for %s: ret=%d\n",
			       i + 1, algo, -ret);
3472
			kfree(input_vec);
3473 3474 3475 3476 3477 3478 3479 3480
			acomp_request_free(req);
			goto out;
		}

		if (req->dlen != dtemplate[i].outlen) {
			pr_err("alg: acomp: Decompression test %d failed for %s: output len = %d\n",
			       i + 1, algo, req->dlen);
			ret = -EINVAL;
3481
			kfree(input_vec);
3482 3483 3484 3485 3486 3487 3488 3489 3490
			acomp_request_free(req);
			goto out;
		}

		if (memcmp(output, dtemplate[i].output, req->dlen)) {
			pr_err("alg: acomp: Decompression test %d failed for %s\n",
			       i + 1, algo);
			hexdump(output, req->dlen);
			ret = -EINVAL;
3491
			kfree(input_vec);
3492 3493 3494 3495
			acomp_request_free(req);
			goto out;
		}

3496 3497 3498 3499 3500 3501 3502 3503 3504 3505 3506 3507 3508 3509
#ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
		crypto_init_wait(&wait);
		acomp_request_set_params(req, &src, NULL, ilen, 0);

		ret = crypto_wait_req(crypto_acomp_decompress(req), &wait);
		if (ret) {
			pr_err("alg: acomp: decompression failed on NULL dst buffer test %d for %s: ret=%d\n",
			       i + 1, algo, -ret);
			kfree(input_vec);
			acomp_request_free(req);
			goto out;
		}
#endif

3510
		kfree(input_vec);
3511 3512 3513 3514 3515 3516
		acomp_request_free(req);
	}

	ret = 0;

out:
3517
	kfree(decomp_out);
3518
	kfree(output);
3519 3520 3521
	return ret;
}

3522 3523
static int test_cprng(struct crypto_rng *tfm,
		      const struct cprng_testvec *template,
3524 3525 3526
		      unsigned int tcount)
{
	const char *algo = crypto_tfm_alg_driver_name(crypto_rng_tfm(tfm));
3527
	int err = 0, i, j, seedsize;
3528 3529 3530 3531 3532 3533 3534 3535 3536 3537 3538 3539 3540 3541 3542 3543 3544 3545 3546 3547 3548 3549 3550 3551 3552 3553 3554 3555 3556 3557 3558
	u8 *seed;
	char result[32];

	seedsize = crypto_rng_seedsize(tfm);

	seed = kmalloc(seedsize, GFP_KERNEL);
	if (!seed) {
		printk(KERN_ERR "alg: cprng: Failed to allocate seed space "
		       "for %s\n", algo);
		return -ENOMEM;
	}

	for (i = 0; i < tcount; i++) {
		memset(result, 0, 32);

		memcpy(seed, template[i].v, template[i].vlen);
		memcpy(seed + template[i].vlen, template[i].key,
		       template[i].klen);
		memcpy(seed + template[i].vlen + template[i].klen,
		       template[i].dt, template[i].dtlen);

		err = crypto_rng_reset(tfm, seed, seedsize);
		if (err) {
			printk(KERN_ERR "alg: cprng: Failed to reset rng "
			       "for %s\n", algo);
			goto out;
		}

		for (j = 0; j < template[i].loops; j++) {
			err = crypto_rng_get_bytes(tfm, result,
						   template[i].rlen);
3559
			if (err < 0) {
3560 3561
				printk(KERN_ERR "alg: cprng: Failed to obtain "
				       "the correct amount of random data for "
3562 3563
				       "%s (requested %d)\n", algo,
				       template[i].rlen);
3564 3565 3566 3567 3568 3569 3570 3571 3572 3573 3574 3575 3576 3577 3578 3579 3580 3581 3582 3583
				goto out;
			}
		}

		err = memcmp(result, template[i].result,
			     template[i].rlen);
		if (err) {
			printk(KERN_ERR "alg: cprng: Test %d failed for %s\n",
			       i, algo);
			hexdump(result, template[i].rlen);
			err = -EINVAL;
			goto out;
		}
	}

out:
	kfree(seed);
	return err;
}

3584 3585 3586
static int alg_test_cipher(const struct alg_test_desc *desc,
			   const char *driver, u32 type, u32 mask)
{
3587
	const struct cipher_test_suite *suite = &desc->suite.cipher;
3588
	struct crypto_cipher *tfm;
3589
	int err;
3590

3591
	tfm = crypto_alloc_cipher(driver, type, mask);
3592 3593 3594 3595 3596 3597
	if (IS_ERR(tfm)) {
		printk(KERN_ERR "alg: cipher: Failed to load transform for "
		       "%s: %ld\n", driver, PTR_ERR(tfm));
		return PTR_ERR(tfm);
	}

3598 3599 3600
	err = test_cipher(tfm, ENCRYPT, suite->vecs, suite->count);
	if (!err)
		err = test_cipher(tfm, DECRYPT, suite->vecs, suite->count);
3601

3602 3603 3604 3605
	crypto_free_cipher(tfm);
	return err;
}

3606 3607 3608
static int alg_test_comp(const struct alg_test_desc *desc, const char *driver,
			 u32 type, u32 mask)
{
3609 3610
	struct crypto_comp *comp;
	struct crypto_acomp *acomp;
3611
	int err;
3612 3613 3614 3615 3616 3617 3618 3619 3620 3621 3622 3623 3624 3625 3626 3627 3628 3629 3630 3631 3632
	u32 algo_type = type & CRYPTO_ALG_TYPE_ACOMPRESS_MASK;

	if (algo_type == CRYPTO_ALG_TYPE_ACOMPRESS) {
		acomp = crypto_alloc_acomp(driver, type, mask);
		if (IS_ERR(acomp)) {
			pr_err("alg: acomp: Failed to load transform for %s: %ld\n",
			       driver, PTR_ERR(acomp));
			return PTR_ERR(acomp);
		}
		err = test_acomp(acomp, desc->suite.comp.comp.vecs,
				 desc->suite.comp.decomp.vecs,
				 desc->suite.comp.comp.count,
				 desc->suite.comp.decomp.count);
		crypto_free_acomp(acomp);
	} else {
		comp = crypto_alloc_comp(driver, type, mask);
		if (IS_ERR(comp)) {
			pr_err("alg: comp: Failed to load transform for %s: %ld\n",
			       driver, PTR_ERR(comp));
			return PTR_ERR(comp);
		}
3633

3634 3635 3636 3637
		err = test_comp(comp, desc->suite.comp.comp.vecs,
				desc->suite.comp.decomp.vecs,
				desc->suite.comp.comp.count,
				desc->suite.comp.decomp.count);
3638

3639 3640
		crypto_free_comp(comp);
	}
3641 3642 3643
	return err;
}

3644 3645 3646 3647
static int alg_test_crc32c(const struct alg_test_desc *desc,
			   const char *driver, u32 type, u32 mask)
{
	struct crypto_shash *tfm;
3648
	__le32 val;
3649 3650 3651 3652
	int err;

	err = alg_test_hash(desc, driver, type, mask);
	if (err)
3653
		return err;
3654

3655
	tfm = crypto_alloc_shash(driver, type, mask);
3656
	if (IS_ERR(tfm)) {
3657 3658 3659 3660 3661 3662 3663 3664
		if (PTR_ERR(tfm) == -ENOENT) {
			/*
			 * This crc32c implementation is only available through
			 * ahash API, not the shash API, so the remaining part
			 * of the test is not applicable to it.
			 */
			return 0;
		}
3665 3666
		printk(KERN_ERR "alg: crc32c: Failed to load transform for %s: "
		       "%ld\n", driver, PTR_ERR(tfm));
3667
		return PTR_ERR(tfm);
3668
	}
3669
	driver = crypto_shash_driver_name(tfm);
3670 3671

	do {
3672 3673
		SHASH_DESC_ON_STACK(shash, tfm);
		u32 *ctx = (u32 *)shash_desc_ctx(shash);
3674

3675
		shash->tfm = tfm;
3676

3677
		*ctx = 420553207;
3678
		err = crypto_shash_final(shash, (u8 *)&val);
3679 3680 3681 3682 3683 3684
		if (err) {
			printk(KERN_ERR "alg: crc32c: Operation failed for "
			       "%s: %d\n", driver, err);
			break;
		}

3685 3686 3687
		if (val != cpu_to_le32(~420553207)) {
			pr_err("alg: crc32c: Test failed for %s: %u\n",
			       driver, le32_to_cpu(val));
3688 3689 3690 3691 3692 3693 3694 3695 3696
			err = -EINVAL;
		}
	} while (0);

	crypto_free_shash(tfm);

	return err;
}

3697 3698 3699 3700 3701 3702
static int alg_test_cprng(const struct alg_test_desc *desc, const char *driver,
			  u32 type, u32 mask)
{
	struct crypto_rng *rng;
	int err;

3703
	rng = crypto_alloc_rng(driver, type, mask);
3704 3705 3706 3707 3708 3709 3710 3711 3712 3713 3714 3715 3716
	if (IS_ERR(rng)) {
		printk(KERN_ERR "alg: cprng: Failed to load transform for %s: "
		       "%ld\n", driver, PTR_ERR(rng));
		return PTR_ERR(rng);
	}

	err = test_cprng(rng, desc->suite.cprng.vecs, desc->suite.cprng.count);

	crypto_free_rng(rng);

	return err;
}

3717

3718
static int drbg_cavs_test(const struct drbg_testvec *test, int pr,
3719 3720 3721 3722 3723 3724 3725 3726 3727 3728 3729
			  const char *driver, u32 type, u32 mask)
{
	int ret = -EAGAIN;
	struct crypto_rng *drng;
	struct drbg_test_data test_data;
	struct drbg_string addtl, pers, testentropy;
	unsigned char *buf = kzalloc(test->expectedlen, GFP_KERNEL);

	if (!buf)
		return -ENOMEM;

3730
	drng = crypto_alloc_rng(driver, type, mask);
3731
	if (IS_ERR(drng)) {
3732
		printk(KERN_ERR "alg: drbg: could not allocate DRNG handle for "
3733
		       "%s\n", driver);
3734
		kfree_sensitive(buf);
3735 3736 3737 3738 3739 3740 3741 3742 3743 3744 3745 3746 3747 3748 3749 3750 3751 3752 3753 3754 3755
		return -ENOMEM;
	}

	test_data.testentropy = &testentropy;
	drbg_string_fill(&testentropy, test->entropy, test->entropylen);
	drbg_string_fill(&pers, test->pers, test->perslen);
	ret = crypto_drbg_reset_test(drng, &pers, &test_data);
	if (ret) {
		printk(KERN_ERR "alg: drbg: Failed to reset rng\n");
		goto outbuf;
	}

	drbg_string_fill(&addtl, test->addtla, test->addtllen);
	if (pr) {
		drbg_string_fill(&testentropy, test->entpra, test->entprlen);
		ret = crypto_drbg_get_bytes_addtl_test(drng,
			buf, test->expectedlen, &addtl,	&test_data);
	} else {
		ret = crypto_drbg_get_bytes_addtl(drng,
			buf, test->expectedlen, &addtl);
	}
3756
	if (ret < 0) {
3757
		printk(KERN_ERR "alg: drbg: could not obtain random data for "
3758 3759 3760 3761 3762 3763 3764 3765 3766 3767 3768 3769 3770
		       "driver %s\n", driver);
		goto outbuf;
	}

	drbg_string_fill(&addtl, test->addtlb, test->addtllen);
	if (pr) {
		drbg_string_fill(&testentropy, test->entprb, test->entprlen);
		ret = crypto_drbg_get_bytes_addtl_test(drng,
			buf, test->expectedlen, &addtl, &test_data);
	} else {
		ret = crypto_drbg_get_bytes_addtl(drng,
			buf, test->expectedlen, &addtl);
	}
3771
	if (ret < 0) {
3772
		printk(KERN_ERR "alg: drbg: could not obtain random data for "
3773 3774 3775 3776 3777 3778 3779 3780
		       "driver %s\n", driver);
		goto outbuf;
	}

	ret = memcmp(test->expected, buf, test->expectedlen);

outbuf:
	crypto_free_rng(drng);
3781
	kfree_sensitive(buf);
3782 3783 3784 3785 3786 3787 3788 3789 3790 3791
	return ret;
}


static int alg_test_drbg(const struct alg_test_desc *desc, const char *driver,
			 u32 type, u32 mask)
{
	int err = 0;
	int pr = 0;
	int i = 0;
3792
	const struct drbg_testvec *template = desc->suite.drbg.vecs;
3793 3794 3795 3796 3797 3798 3799 3800 3801 3802 3803 3804 3805 3806 3807 3808 3809 3810
	unsigned int tcount = desc->suite.drbg.count;

	if (0 == memcmp(driver, "drbg_pr_", 8))
		pr = 1;

	for (i = 0; i < tcount; i++) {
		err = drbg_cavs_test(&template[i], pr, driver, type, mask);
		if (err) {
			printk(KERN_ERR "alg: drbg: Test %d failed for %s\n",
			       i, driver);
			err = -EINVAL;
			break;
		}
	}
	return err;

}

3811
static int do_test_kpp(struct crypto_kpp *tfm, const struct kpp_testvec *vec,
3812 3813 3814 3815 3816
		       const char *alg)
{
	struct kpp_request *req;
	void *input_buf = NULL;
	void *output_buf = NULL;
3817 3818 3819
	void *a_public = NULL;
	void *a_ss = NULL;
	void *shared_secret = NULL;
3820
	struct crypto_wait wait;
3821 3822 3823 3824 3825 3826 3827 3828
	unsigned int out_len_max;
	int err = -ENOMEM;
	struct scatterlist src, dst;

	req = kpp_request_alloc(tfm, GFP_KERNEL);
	if (!req)
		return err;

3829
	crypto_init_wait(&wait);
3830 3831 3832 3833 3834 3835 3836 3837 3838 3839 3840 3841 3842 3843 3844 3845 3846

	err = crypto_kpp_set_secret(tfm, vec->secret, vec->secret_size);
	if (err < 0)
		goto free_req;

	out_len_max = crypto_kpp_maxsize(tfm);
	output_buf = kzalloc(out_len_max, GFP_KERNEL);
	if (!output_buf) {
		err = -ENOMEM;
		goto free_req;
	}

	/* Use appropriate parameter as base */
	kpp_request_set_input(req, NULL, 0);
	sg_init_one(&dst, output_buf, out_len_max);
	kpp_request_set_output(req, &dst, out_len_max);
	kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
3847
				 crypto_req_done, &wait);
3848

3849
	/* Compute party A's public key */
3850
	err = crypto_wait_req(crypto_kpp_generate_public_key(req), &wait);
3851
	if (err) {
3852
		pr_err("alg: %s: Party A: generate public key test failed. err %d\n",
3853 3854 3855
		       alg, err);
		goto free_output;
	}
3856 3857 3858

	if (vec->genkey) {
		/* Save party A's public key */
3859
		a_public = kmemdup(sg_virt(req->dst), out_len_max, GFP_KERNEL);
3860 3861 3862 3863 3864 3865 3866 3867 3868 3869 3870 3871 3872
		if (!a_public) {
			err = -ENOMEM;
			goto free_output;
		}
	} else {
		/* Verify calculated public key */
		if (memcmp(vec->expected_a_public, sg_virt(req->dst),
			   vec->expected_a_public_size)) {
			pr_err("alg: %s: Party A: generate public key test failed. Invalid output\n",
			       alg);
			err = -EINVAL;
			goto free_output;
		}
3873 3874 3875
	}

	/* Calculate shared secret key by using counter part (b) public key. */
3876
	input_buf = kmemdup(vec->b_public, vec->b_public_size, GFP_KERNEL);
3877 3878 3879 3880 3881 3882 3883 3884 3885 3886
	if (!input_buf) {
		err = -ENOMEM;
		goto free_output;
	}

	sg_init_one(&src, input_buf, vec->b_public_size);
	sg_init_one(&dst, output_buf, out_len_max);
	kpp_request_set_input(req, &src, vec->b_public_size);
	kpp_request_set_output(req, &dst, out_len_max);
	kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
3887 3888
				 crypto_req_done, &wait);
	err = crypto_wait_req(crypto_kpp_compute_shared_secret(req), &wait);
3889
	if (err) {
3890
		pr_err("alg: %s: Party A: compute shared secret test failed. err %d\n",
3891 3892 3893
		       alg, err);
		goto free_all;
	}
3894 3895 3896

	if (vec->genkey) {
		/* Save the shared secret obtained by party A */
3897
		a_ss = kmemdup(sg_virt(req->dst), vec->expected_ss_size, GFP_KERNEL);
3898 3899 3900 3901 3902 3903 3904 3905 3906 3907 3908 3909 3910 3911 3912 3913 3914 3915 3916
		if (!a_ss) {
			err = -ENOMEM;
			goto free_all;
		}

		/*
		 * Calculate party B's shared secret by using party A's
		 * public key.
		 */
		err = crypto_kpp_set_secret(tfm, vec->b_secret,
					    vec->b_secret_size);
		if (err < 0)
			goto free_all;

		sg_init_one(&src, a_public, vec->expected_a_public_size);
		sg_init_one(&dst, output_buf, out_len_max);
		kpp_request_set_input(req, &src, vec->expected_a_public_size);
		kpp_request_set_output(req, &dst, out_len_max);
		kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
3917 3918 3919
					 crypto_req_done, &wait);
		err = crypto_wait_req(crypto_kpp_compute_shared_secret(req),
				      &wait);
3920 3921 3922 3923 3924 3925 3926 3927 3928 3929 3930
		if (err) {
			pr_err("alg: %s: Party B: compute shared secret failed. err %d\n",
			       alg, err);
			goto free_all;
		}

		shared_secret = a_ss;
	} else {
		shared_secret = (void *)vec->expected_ss;
	}

3931 3932 3933 3934
	/*
	 * verify shared secret from which the user will derive
	 * secret key by executing whatever hash it has chosen
	 */
3935
	if (memcmp(shared_secret, sg_virt(req->dst),
3936 3937 3938 3939 3940 3941 3942
		   vec->expected_ss_size)) {
		pr_err("alg: %s: compute shared secret test failed. Invalid output\n",
		       alg);
		err = -EINVAL;
	}

free_all:
3943
	kfree(a_ss);
3944 3945
	kfree(input_buf);
free_output:
3946
	kfree(a_public);
3947 3948 3949 3950 3951 3952 3953
	kfree(output_buf);
free_req:
	kpp_request_free(req);
	return err;
}

static int test_kpp(struct crypto_kpp *tfm, const char *alg,
3954
		    const struct kpp_testvec *vecs, unsigned int tcount)
3955 3956 3957 3958 3959 3960 3961 3962 3963 3964 3965 3966 3967 3968 3969 3970 3971 3972 3973 3974
{
	int ret, i;

	for (i = 0; i < tcount; i++) {
		ret = do_test_kpp(tfm, vecs++, alg);
		if (ret) {
			pr_err("alg: %s: test failed on vector %d, err=%d\n",
			       alg, i + 1, ret);
			return ret;
		}
	}
	return 0;
}

static int alg_test_kpp(const struct alg_test_desc *desc, const char *driver,
			u32 type, u32 mask)
{
	struct crypto_kpp *tfm;
	int err = 0;

3975
	tfm = crypto_alloc_kpp(driver, type, mask);
3976 3977 3978 3979 3980 3981 3982 3983 3984 3985 3986 3987 3988
	if (IS_ERR(tfm)) {
		pr_err("alg: kpp: Failed to load tfm for %s: %ld\n",
		       driver, PTR_ERR(tfm));
		return PTR_ERR(tfm);
	}
	if (desc->suite.kpp.vecs)
		err = test_kpp(tfm, desc->alg, desc->suite.kpp.vecs,
			       desc->suite.kpp.count);

	crypto_free_kpp(tfm);
	return err;
}

3989 3990 3991 3992 3993 3994
static u8 *test_pack_u32(u8 *dst, u32 val)
{
	memcpy(dst, &val, sizeof(val));
	return dst + sizeof(val);
}

3995
static int test_akcipher_one(struct crypto_akcipher *tfm,
3996
			     const struct akcipher_testvec *vecs)
3997
{
3998
	char *xbuf[XBUFSIZE];
3999 4000 4001
	struct akcipher_request *req;
	void *outbuf_enc = NULL;
	void *outbuf_dec = NULL;
4002
	struct crypto_wait wait;
4003 4004
	unsigned int out_len_max, out_len = 0;
	int err = -ENOMEM;
4005
	struct scatterlist src, dst, src_tab[3];
4006 4007 4008
	const char *m, *c;
	unsigned int m_size, c_size;
	const char *op;
4009
	u8 *key, *ptr;
4010

4011 4012 4013
	if (testmgr_alloc_buf(xbuf))
		return err;

4014 4015
	req = akcipher_request_alloc(tfm, GFP_KERNEL);
	if (!req)
4016
		goto free_xbuf;
4017

4018
	crypto_init_wait(&wait);
4019

4020 4021 4022
	key = kmalloc(vecs->key_len + sizeof(u32) * 2 + vecs->param_len,
		      GFP_KERNEL);
	if (!key)
4023
		goto free_req;
4024 4025 4026 4027 4028 4029
	memcpy(key, vecs->key, vecs->key_len);
	ptr = key + vecs->key_len;
	ptr = test_pack_u32(ptr, vecs->algo);
	ptr = test_pack_u32(ptr, vecs->param_len);
	memcpy(ptr, vecs->params, vecs->param_len);

4030
	if (vecs->public_key_vec)
4031
		err = crypto_akcipher_set_pub_key(tfm, key, vecs->key_len);
4032
	else
4033
		err = crypto_akcipher_set_priv_key(tfm, key, vecs->key_len);
4034
	if (err)
4035
		goto free_key;
4036

4037 4038 4039 4040
	/*
	 * First run test which do not require a private key, such as
	 * encrypt or verify.
	 */
4041 4042
	err = -ENOMEM;
	out_len_max = crypto_akcipher_maxsize(tfm);
4043 4044
	outbuf_enc = kzalloc(out_len_max, GFP_KERNEL);
	if (!outbuf_enc)
4045
		goto free_key;
4046

4047 4048 4049 4050 4051 4052 4053 4054 4055 4056 4057 4058 4059 4060 4061 4062
	if (!vecs->siggen_sigver_test) {
		m = vecs->m;
		m_size = vecs->m_size;
		c = vecs->c;
		c_size = vecs->c_size;
		op = "encrypt";
	} else {
		/* Swap args so we could keep plaintext (digest)
		 * in vecs->m, and cooked signature in vecs->c.
		 */
		m = vecs->c; /* signature */
		m_size = vecs->c_size;
		c = vecs->m; /* digest */
		c_size = vecs->m_size;
		op = "verify";
	}
4063

4064
	err = -E2BIG;
4065 4066 4067
	if (WARN_ON(m_size > PAGE_SIZE))
		goto free_all;
	memcpy(xbuf[0], m, m_size);
4068

4069
	sg_init_table(src_tab, 3);
4070
	sg_set_buf(&src_tab[0], xbuf[0], 8);
4071
	sg_set_buf(&src_tab[1], xbuf[0] + 8, m_size - 8);
4072 4073 4074 4075 4076 4077 4078 4079 4080 4081 4082
	if (vecs->siggen_sigver_test) {
		if (WARN_ON(c_size > PAGE_SIZE))
			goto free_all;
		memcpy(xbuf[1], c, c_size);
		sg_set_buf(&src_tab[2], xbuf[1], c_size);
		akcipher_request_set_crypt(req, src_tab, NULL, m_size, c_size);
	} else {
		sg_init_one(&dst, outbuf_enc, out_len_max);
		akcipher_request_set_crypt(req, src_tab, &dst, m_size,
					   out_len_max);
	}
4083
	akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
4084
				      crypto_req_done, &wait);
4085

4086
	err = crypto_wait_req(vecs->siggen_sigver_test ?
4087 4088
			      /* Run asymmetric signature verification */
			      crypto_akcipher_verify(req) :
4089 4090
			      /* Run asymmetric encrypt */
			      crypto_akcipher_encrypt(req), &wait);
4091
	if (err) {
4092
		pr_err("alg: akcipher: %s test failed. err %d\n", op, err);
4093 4094
		goto free_all;
	}
4095
	if (!vecs->siggen_sigver_test && c) {
4096 4097 4098 4099 4100 4101 4102 4103 4104 4105 4106 4107 4108 4109
		if (req->dst_len != c_size) {
			pr_err("alg: akcipher: %s test failed. Invalid output len\n",
			       op);
			err = -EINVAL;
			goto free_all;
		}
		/* verify that encrypted message is equal to expected */
		if (memcmp(c, outbuf_enc, c_size) != 0) {
			pr_err("alg: akcipher: %s test failed. Invalid output\n",
			       op);
			hexdump(outbuf_enc, c_size);
			err = -EINVAL;
			goto free_all;
		}
4110
	}
4111 4112 4113 4114 4115

	/*
	 * Don't invoke (decrypt or sign) test which require a private key
	 * for vectors with only a public key.
	 */
4116 4117 4118 4119 4120 4121 4122 4123 4124
	if (vecs->public_key_vec) {
		err = 0;
		goto free_all;
	}
	outbuf_dec = kzalloc(out_len_max, GFP_KERNEL);
	if (!outbuf_dec) {
		err = -ENOMEM;
		goto free_all;
	}
4125

4126 4127 4128 4129 4130
	if (!vecs->siggen_sigver_test && !c) {
		c = outbuf_enc;
		c_size = req->dst_len;
	}

4131
	err = -E2BIG;
4132 4133
	op = vecs->siggen_sigver_test ? "sign" : "decrypt";
	if (WARN_ON(c_size > PAGE_SIZE))
4134
		goto free_all;
4135
	memcpy(xbuf[0], c, c_size);
4136

4137
	sg_init_one(&src, xbuf[0], c_size);
4138
	sg_init_one(&dst, outbuf_dec, out_len_max);
4139
	crypto_init_wait(&wait);
4140
	akcipher_request_set_crypt(req, &src, &dst, c_size, out_len_max);
4141

4142
	err = crypto_wait_req(vecs->siggen_sigver_test ?
4143 4144
			      /* Run asymmetric signature generation */
			      crypto_akcipher_sign(req) :
4145 4146
			      /* Run asymmetric decrypt */
			      crypto_akcipher_decrypt(req), &wait);
4147
	if (err) {
4148
		pr_err("alg: akcipher: %s test failed. err %d\n", op, err);
4149 4150 4151
		goto free_all;
	}
	out_len = req->dst_len;
4152 4153 4154
	if (out_len < m_size) {
		pr_err("alg: akcipher: %s test failed. Invalid output len %u\n",
		       op, out_len);
4155 4156 4157 4158
		err = -EINVAL;
		goto free_all;
	}
	/* verify that decrypted message is equal to the original msg */
4159 4160 4161
	if (memchr_inv(outbuf_dec, 0, out_len - m_size) ||
	    memcmp(m, outbuf_dec + out_len - m_size, m_size)) {
		pr_err("alg: akcipher: %s test failed. Invalid output\n", op);
4162
		hexdump(outbuf_dec, out_len);
4163 4164 4165 4166 4167
		err = -EINVAL;
	}
free_all:
	kfree(outbuf_dec);
	kfree(outbuf_enc);
4168 4169
free_key:
	kfree(key);
4170 4171
free_req:
	akcipher_request_free(req);
4172 4173
free_xbuf:
	testmgr_free_buf(xbuf);
4174 4175 4176
	return err;
}

4177
static int test_akcipher(struct crypto_akcipher *tfm, const char *alg,
4178 4179
			 const struct akcipher_testvec *vecs,
			 unsigned int tcount)
4180
{
4181 4182
	const char *algo =
		crypto_tfm_alg_driver_name(crypto_akcipher_tfm(tfm));
4183 4184 4185
	int ret, i;

	for (i = 0; i < tcount; i++) {
4186 4187 4188
		ret = test_akcipher_one(tfm, vecs++);
		if (!ret)
			continue;
4189

4190 4191
		pr_err("alg: akcipher: test %d failed for %s, err=%d\n",
		       i + 1, algo, ret);
4192 4193
		return ret;
	}
4194 4195 4196 4197 4198 4199 4200 4201 4202
	return 0;
}

static int alg_test_akcipher(const struct alg_test_desc *desc,
			     const char *driver, u32 type, u32 mask)
{
	struct crypto_akcipher *tfm;
	int err = 0;

4203
	tfm = crypto_alloc_akcipher(driver, type, mask);
4204 4205 4206 4207 4208 4209 4210 4211 4212 4213 4214 4215 4216
	if (IS_ERR(tfm)) {
		pr_err("alg: akcipher: Failed to load tfm for %s: %ld\n",
		       driver, PTR_ERR(tfm));
		return PTR_ERR(tfm);
	}
	if (desc->suite.akcipher.vecs)
		err = test_akcipher(tfm, desc->alg, desc->suite.akcipher.vecs,
				    desc->suite.akcipher.count);

	crypto_free_akcipher(tfm);
	return err;
}

4217 4218 4219 4220 4221 4222
static int alg_test_null(const struct alg_test_desc *desc,
			     const char *driver, u32 type, u32 mask)
{
	return 0;
}

4223 4224
#define ____VECS(tv)	.vecs = tv, .count = ARRAY_SIZE(tv)
#define __VECS(tv)	{ ____VECS(tv) }
4225

4226 4227 4228
/* Please keep this list sorted by algorithm name. */
static const struct alg_test_desc alg_test_descs[] = {
	{
4229
		.alg = "adiantum(xchacha12,aes)",
4230
		.generic_driver = "adiantum(xchacha12-generic,aes-generic,nhpoly1305-generic)",
4231 4232 4233 4234 4235 4236
		.test = alg_test_skcipher,
		.suite = {
			.cipher = __VECS(adiantum_xchacha12_aes_tv_template)
		},
	}, {
		.alg = "adiantum(xchacha20,aes)",
4237
		.generic_driver = "adiantum(xchacha20-generic,aes-generic,nhpoly1305-generic)",
4238 4239 4240 4241 4242
		.test = alg_test_skcipher,
		.suite = {
			.cipher = __VECS(adiantum_xchacha20_aes_tv_template)
		},
	}, {
4243 4244 4245
		.alg = "aegis128",
		.test = alg_test_aead,
		.suite = {
4246
			.aead = __VECS(aegis128_tv_template)
4247 4248
		}
	}, {
4249 4250 4251
		.alg = "ansi_cprng",
		.test = alg_test_cprng,
		.suite = {
4252
			.cprng = __VECS(ansi_cprng_aes_tv_template)
4253
		}
4254 4255 4256 4257
	}, {
		.alg = "authenc(hmac(md5),ecb(cipher_null))",
		.test = alg_test_aead,
		.suite = {
4258
			.aead = __VECS(hmac_md5_ecb_cipher_null_tv_template)
4259
		}
4260
	}, {
4261
		.alg = "authenc(hmac(sha1),cbc(aes))",
4262
		.test = alg_test_aead,
4263
		.fips_allowed = 1,
4264
		.suite = {
4265
			.aead = __VECS(hmac_sha1_aes_cbc_tv_temp)
4266 4267
		}
	}, {
4268
		.alg = "authenc(hmac(sha1),cbc(des))",
4269 4270
		.test = alg_test_aead,
		.suite = {
4271
			.aead = __VECS(hmac_sha1_des_cbc_tv_temp)
4272 4273
		}
	}, {
4274
		.alg = "authenc(hmac(sha1),cbc(des3_ede))",
4275 4276
		.test = alg_test_aead,
		.suite = {
4277
			.aead = __VECS(hmac_sha1_des3_ede_cbc_tv_temp)
4278
		}
4279 4280 4281 4282
	}, {
		.alg = "authenc(hmac(sha1),ctr(aes))",
		.test = alg_test_null,
		.fips_allowed = 1,
4283 4284 4285 4286
	}, {
		.alg = "authenc(hmac(sha1),ecb(cipher_null))",
		.test = alg_test_aead,
		.suite = {
4287
			.aead = __VECS(hmac_sha1_ecb_cipher_null_tv_temp)
4288
		}
4289 4290 4291 4292
	}, {
		.alg = "authenc(hmac(sha1),rfc3686(ctr(aes)))",
		.test = alg_test_null,
		.fips_allowed = 1,
4293
	}, {
4294
		.alg = "authenc(hmac(sha224),cbc(des))",
4295 4296
		.test = alg_test_aead,
		.suite = {
4297
			.aead = __VECS(hmac_sha224_des_cbc_tv_temp)
4298 4299
		}
	}, {
4300
		.alg = "authenc(hmac(sha224),cbc(des3_ede))",
4301 4302
		.test = alg_test_aead,
		.suite = {
4303
			.aead = __VECS(hmac_sha224_des3_ede_cbc_tv_temp)
4304
		}
4305
	}, {
4306
		.alg = "authenc(hmac(sha256),cbc(aes))",
4307
		.test = alg_test_aead,
4308
		.fips_allowed = 1,
4309
		.suite = {
4310
			.aead = __VECS(hmac_sha256_aes_cbc_tv_temp)
4311 4312
		}
	}, {
4313
		.alg = "authenc(hmac(sha256),cbc(des))",
4314 4315
		.test = alg_test_aead,
		.suite = {
4316
			.aead = __VECS(hmac_sha256_des_cbc_tv_temp)
4317 4318
		}
	}, {
4319
		.alg = "authenc(hmac(sha256),cbc(des3_ede))",
4320 4321
		.test = alg_test_aead,
		.suite = {
4322
			.aead = __VECS(hmac_sha256_des3_ede_cbc_tv_temp)
4323
		}
4324 4325 4326 4327
	}, {
		.alg = "authenc(hmac(sha256),ctr(aes))",
		.test = alg_test_null,
		.fips_allowed = 1,
4328 4329 4330 4331
	}, {
		.alg = "authenc(hmac(sha256),rfc3686(ctr(aes)))",
		.test = alg_test_null,
		.fips_allowed = 1,
4332
	}, {
4333
		.alg = "authenc(hmac(sha384),cbc(des))",
4334 4335
		.test = alg_test_aead,
		.suite = {
4336
			.aead = __VECS(hmac_sha384_des_cbc_tv_temp)
4337 4338
		}
	}, {
4339
		.alg = "authenc(hmac(sha384),cbc(des3_ede))",
4340 4341
		.test = alg_test_aead,
		.suite = {
4342
			.aead = __VECS(hmac_sha384_des3_ede_cbc_tv_temp)
4343
		}
4344 4345 4346 4347
	}, {
		.alg = "authenc(hmac(sha384),ctr(aes))",
		.test = alg_test_null,
		.fips_allowed = 1,
4348 4349 4350 4351
	}, {
		.alg = "authenc(hmac(sha384),rfc3686(ctr(aes)))",
		.test = alg_test_null,
		.fips_allowed = 1,
4352
	}, {
4353
		.alg = "authenc(hmac(sha512),cbc(aes))",
4354
		.fips_allowed = 1,
4355 4356
		.test = alg_test_aead,
		.suite = {
4357
			.aead = __VECS(hmac_sha512_aes_cbc_tv_temp)
4358 4359
		}
	}, {
4360
		.alg = "authenc(hmac(sha512),cbc(des))",
4361 4362
		.test = alg_test_aead,
		.suite = {
4363
			.aead = __VECS(hmac_sha512_des_cbc_tv_temp)
4364 4365
		}
	}, {
4366
		.alg = "authenc(hmac(sha512),cbc(des3_ede))",
4367 4368
		.test = alg_test_aead,
		.suite = {
4369
			.aead = __VECS(hmac_sha512_des3_ede_cbc_tv_temp)
4370
		}
4371 4372 4373 4374
	}, {
		.alg = "authenc(hmac(sha512),ctr(aes))",
		.test = alg_test_null,
		.fips_allowed = 1,
4375 4376 4377 4378
	}, {
		.alg = "authenc(hmac(sha512),rfc3686(ctr(aes)))",
		.test = alg_test_null,
		.fips_allowed = 1,
4379 4380 4381 4382 4383 4384 4385 4386 4387 4388 4389 4390 4391 4392 4393 4394 4395 4396 4397 4398 4399 4400 4401 4402 4403 4404 4405 4406
	}, {
		.alg = "blake2b-160",
		.test = alg_test_hash,
		.fips_allowed = 0,
		.suite = {
			.hash = __VECS(blake2b_160_tv_template)
		}
	}, {
		.alg = "blake2b-256",
		.test = alg_test_hash,
		.fips_allowed = 0,
		.suite = {
			.hash = __VECS(blake2b_256_tv_template)
		}
	}, {
		.alg = "blake2b-384",
		.test = alg_test_hash,
		.fips_allowed = 0,
		.suite = {
			.hash = __VECS(blake2b_384_tv_template)
		}
	}, {
		.alg = "blake2b-512",
		.test = alg_test_hash,
		.fips_allowed = 0,
		.suite = {
			.hash = __VECS(blake2b_512_tv_template)
		}
4407
	}, {
4408
		.alg = "cbc(aes)",
4409
		.test = alg_test_skcipher,
4410
		.fips_allowed = 1,
4411
		.suite = {
4412 4413
			.cipher = __VECS(aes_cbc_tv_template)
		},
4414 4415
	}, {
		.alg = "cbc(anubis)",
4416
		.test = alg_test_skcipher,
4417
		.suite = {
4418 4419
			.cipher = __VECS(anubis_cbc_tv_template)
		},
4420 4421 4422 4423 4424 4425
	}, {
		.alg = "cbc(aria)",
		.test = alg_test_skcipher,
		.suite = {
			.cipher = __VECS(aria_cbc_tv_template)
		},
4426 4427
	}, {
		.alg = "cbc(blowfish)",
4428
		.test = alg_test_skcipher,
4429
		.suite = {
4430 4431
			.cipher = __VECS(bf_cbc_tv_template)
		},
4432 4433
	}, {
		.alg = "cbc(camellia)",
4434
		.test = alg_test_skcipher,
4435
		.suite = {
4436 4437
			.cipher = __VECS(camellia_cbc_tv_template)
		},
4438 4439 4440 4441
	}, {
		.alg = "cbc(cast5)",
		.test = alg_test_skcipher,
		.suite = {
4442 4443
			.cipher = __VECS(cast5_cbc_tv_template)
		},
4444 4445 4446 4447
	}, {
		.alg = "cbc(cast6)",
		.test = alg_test_skcipher,
		.suite = {
4448 4449
			.cipher = __VECS(cast6_cbc_tv_template)
		},
4450 4451
	}, {
		.alg = "cbc(des)",
4452
		.test = alg_test_skcipher,
4453
		.suite = {
4454 4455
			.cipher = __VECS(des_cbc_tv_template)
		},
4456 4457
	}, {
		.alg = "cbc(des3_ede)",
4458
		.test = alg_test_skcipher,
4459
		.suite = {
4460 4461
			.cipher = __VECS(des3_ede_cbc_tv_template)
		},
4462 4463 4464 4465 4466 4467 4468
	}, {
		/* Same as cbc(aes) except the key is stored in
		 * hardware secure memory which we reference by index
		 */
		.alg = "cbc(paes)",
		.test = alg_test_null,
		.fips_allowed = 1,
4469 4470 4471 4472 4473 4474
	}, {
		/* Same as cbc(sm4) except the key is stored in
		 * hardware secure memory which we reference by index
		 */
		.alg = "cbc(psm4)",
		.test = alg_test_null,
4475 4476 4477 4478
	}, {
		.alg = "cbc(serpent)",
		.test = alg_test_skcipher,
		.suite = {
4479 4480
			.cipher = __VECS(serpent_cbc_tv_template)
		},
4481 4482 4483 4484 4485 4486
	}, {
		.alg = "cbc(sm4)",
		.test = alg_test_skcipher,
		.suite = {
			.cipher = __VECS(sm4_cbc_tv_template)
		}
4487 4488
	}, {
		.alg = "cbc(twofish)",
4489
		.test = alg_test_skcipher,
4490
		.suite = {
4491 4492
			.cipher = __VECS(tf_cbc_tv_template)
		},
4493
	}, {
4494 4495 4496 4497 4498 4499 4500 4501 4502
#if IS_ENABLED(CONFIG_CRYPTO_PAES_S390)
		.alg = "cbc-paes-s390",
		.fips_allowed = 1,
		.test = alg_test_skcipher,
		.suite = {
			.cipher = __VECS(aes_cbc_tv_template)
		}
	}, {
#endif
4503 4504 4505 4506 4507 4508
		.alg = "cbcmac(aes)",
		.fips_allowed = 1,
		.test = alg_test_hash,
		.suite = {
			.hash = __VECS(aes_cbcmac_tv_template)
		}
4509 4510 4511 4512 4513 4514
	}, {
		.alg = "cbcmac(sm4)",
		.test = alg_test_hash,
		.suite = {
			.hash = __VECS(sm4_cbcmac_tv_template)
		}
4515 4516
	}, {
		.alg = "ccm(aes)",
4517
		.generic_driver = "ccm_base(ctr(aes-generic),cbcmac(aes-generic))",
4518
		.test = alg_test_aead,
4519
		.fips_allowed = 1,
4520
		.suite = {
4521 4522 4523 4524
			.aead = {
				____VECS(aes_ccm_tv_template),
				.einval_allowed = 1,
			}
4525
		}
4526 4527 4528 4529 4530 4531 4532 4533 4534 4535
	}, {
		.alg = "ccm(sm4)",
		.generic_driver = "ccm_base(ctr(sm4-generic),cbcmac(sm4-generic))",
		.test = alg_test_aead,
		.suite = {
			.aead = {
				____VECS(sm4_ccm_tv_template),
				.einval_allowed = 1,
			}
		}
4536 4537 4538 4539 4540 4541 4542
	}, {
		.alg = "cfb(aes)",
		.test = alg_test_skcipher,
		.fips_allowed = 1,
		.suite = {
			.cipher = __VECS(aes_cfb_tv_template)
		},
4543 4544 4545 4546 4547 4548
	}, {
		.alg = "cfb(aria)",
		.test = alg_test_skcipher,
		.suite = {
			.cipher = __VECS(aria_cfb_tv_template)
		},
4549 4550 4551 4552 4553 4554
	}, {
		.alg = "cfb(sm4)",
		.test = alg_test_skcipher,
		.suite = {
			.cipher = __VECS(sm4_cfb_tv_template)
		}
4555 4556 4557 4558
	}, {
		.alg = "chacha20",
		.test = alg_test_skcipher,
		.suite = {
4559 4560
			.cipher = __VECS(chacha20_tv_template)
		},
4561 4562
	}, {
		.alg = "cmac(aes)",
4563
		.fips_allowed = 1,
4564 4565
		.test = alg_test_hash,
		.suite = {
4566
			.hash = __VECS(aes_cmac128_tv_template)
4567 4568 4569 4570 4571
		}
	}, {
		.alg = "cmac(des3_ede)",
		.test = alg_test_hash,
		.suite = {
4572
			.hash = __VECS(des3_ede_cmac64_tv_template)
4573
		}
4574 4575 4576 4577 4578 4579
	}, {
		.alg = "cmac(sm4)",
		.test = alg_test_hash,
		.suite = {
			.hash = __VECS(sm4_cmac128_tv_template)
		}
4580 4581 4582
	}, {
		.alg = "compress_null",
		.test = alg_test_null,
4583 4584 4585
	}, {
		.alg = "crc32",
		.test = alg_test_hash,
4586
		.fips_allowed = 1,
4587
		.suite = {
4588
			.hash = __VECS(crc32_tv_template)
4589
		}
4590 4591
	}, {
		.alg = "crc32c",
4592
		.test = alg_test_crc32c,
4593
		.fips_allowed = 1,
4594
		.suite = {
4595
			.hash = __VECS(crc32c_tv_template)
4596
		}
4597 4598 4599 4600 4601 4602 4603
	}, {
		.alg = "crc64-rocksoft",
		.test = alg_test_hash,
		.fips_allowed = 1,
		.suite = {
			.hash = __VECS(crc64_rocksoft_tv_template)
		}
4604 4605 4606 4607 4608
	}, {
		.alg = "crct10dif",
		.test = alg_test_hash,
		.fips_allowed = 1,
		.suite = {
4609
			.hash = __VECS(crct10dif_tv_template)
4610
		}
4611 4612 4613
	}, {
		.alg = "ctr(aes)",
		.test = alg_test_skcipher,
4614
		.fips_allowed = 1,
4615
		.suite = {
4616
			.cipher = __VECS(aes_ctr_tv_template)
4617
		}
4618 4619 4620 4621 4622 4623
	}, {
		.alg = "ctr(aria)",
		.test = alg_test_skcipher,
		.suite = {
			.cipher = __VECS(aria_ctr_tv_template)
		}
4624 4625 4626 4627
	}, {
		.alg = "ctr(blowfish)",
		.test = alg_test_skcipher,
		.suite = {
4628
			.cipher = __VECS(bf_ctr_tv_template)
4629
		}
4630 4631 4632 4633
	}, {
		.alg = "ctr(camellia)",
		.test = alg_test_skcipher,
		.suite = {
4634
			.cipher = __VECS(camellia_ctr_tv_template)
4635
		}
4636 4637 4638 4639
	}, {
		.alg = "ctr(cast5)",
		.test = alg_test_skcipher,
		.suite = {
4640
			.cipher = __VECS(cast5_ctr_tv_template)
4641
		}
4642 4643 4644 4645
	}, {
		.alg = "ctr(cast6)",
		.test = alg_test_skcipher,
		.suite = {
4646
			.cipher = __VECS(cast6_ctr_tv_template)
4647
		}
4648 4649 4650 4651
	}, {
		.alg = "ctr(des)",
		.test = alg_test_skcipher,
		.suite = {
4652
			.cipher = __VECS(des_ctr_tv_template)
4653
		}
4654 4655 4656 4657
	}, {
		.alg = "ctr(des3_ede)",
		.test = alg_test_skcipher,
		.suite = {
4658
			.cipher = __VECS(des3_ede_ctr_tv_template)
4659
		}
4660 4661 4662 4663 4664 4665 4666
	}, {
		/* Same as ctr(aes) except the key is stored in
		 * hardware secure memory which we reference by index
		 */
		.alg = "ctr(paes)",
		.test = alg_test_null,
		.fips_allowed = 1,
4667
	}, {
4668 4669 4670 4671 4672 4673 4674

		/* Same as ctr(sm4) except the key is stored in
		 * hardware secure memory which we reference by index
		 */
		.alg = "ctr(psm4)",
		.test = alg_test_null,
	}, {
4675 4676 4677
		.alg = "ctr(serpent)",
		.test = alg_test_skcipher,
		.suite = {
4678
			.cipher = __VECS(serpent_ctr_tv_template)
4679
		}
4680 4681 4682 4683 4684 4685
	}, {
		.alg = "ctr(sm4)",
		.test = alg_test_skcipher,
		.suite = {
			.cipher = __VECS(sm4_ctr_tv_template)
		}
4686 4687 4688 4689
	}, {
		.alg = "ctr(twofish)",
		.test = alg_test_skcipher,
		.suite = {
4690
			.cipher = __VECS(tf_ctr_tv_template)
4691
		}
4692
	}, {
4693 4694 4695 4696 4697 4698 4699 4700 4701
#if IS_ENABLED(CONFIG_CRYPTO_PAES_S390)
		.alg = "ctr-paes-s390",
		.fips_allowed = 1,
		.test = alg_test_skcipher,
		.suite = {
			.cipher = __VECS(aes_ctr_tv_template)
		}
	}, {
#endif
4702
		.alg = "cts(cbc(aes))",
4703
		.test = alg_test_skcipher,
4704
		.fips_allowed = 1,
4705
		.suite = {
4706
			.cipher = __VECS(cts_mode_tv_template)
4707
		}
4708 4709 4710 4711 4712 4713 4714
	}, {
		/* Same as cts(cbc((aes)) except the key is stored in
		 * hardware secure memory which we reference by index
		 */
		.alg = "cts(cbc(paes))",
		.test = alg_test_null,
		.fips_allowed = 1,
4715 4716 4717 4718 4719 4720
	}, {
		.alg = "curve25519",
		.test = alg_test_kpp,
		.suite = {
			.kpp = __VECS(curve25519_tv_template)
		}
4721 4722 4723
	}, {
		.alg = "deflate",
		.test = alg_test_comp,
4724
		.fips_allowed = 1,
4725 4726
		.suite = {
			.comp = {
4727 4728
				.comp = __VECS(deflate_comp_tv_template),
				.decomp = __VECS(deflate_decomp_tv_template)
4729 4730
			}
		}
4731 4732 4733 4734
	}, {
		.alg = "dh",
		.test = alg_test_kpp,
		.suite = {
4735
			.kpp = __VECS(dh_tv_template)
4736
		}
4737 4738 4739
	}, {
		.alg = "digest_null",
		.test = alg_test_null,
4740 4741 4742 4743 4744
	}, {
		.alg = "drbg_nopr_ctr_aes128",
		.test = alg_test_drbg,
		.fips_allowed = 1,
		.suite = {
4745
			.drbg = __VECS(drbg_nopr_ctr_aes128_tv_template)
4746 4747 4748 4749 4750 4751
		}
	}, {
		.alg = "drbg_nopr_ctr_aes192",
		.test = alg_test_drbg,
		.fips_allowed = 1,
		.suite = {
4752
			.drbg = __VECS(drbg_nopr_ctr_aes192_tv_template)
4753 4754 4755 4756 4757 4758
		}
	}, {
		.alg = "drbg_nopr_ctr_aes256",
		.test = alg_test_drbg,
		.fips_allowed = 1,
		.suite = {
4759
			.drbg = __VECS(drbg_nopr_ctr_aes256_tv_template)
4760 4761 4762 4763 4764 4765 4766 4767 4768 4769 4770 4771 4772 4773
		}
	}, {
		/*
		 * There is no need to specifically test the DRBG with every
		 * backend cipher -- covered by drbg_nopr_hmac_sha256 test
		 */
		.alg = "drbg_nopr_hmac_sha1",
		.fips_allowed = 1,
		.test = alg_test_null,
	}, {
		.alg = "drbg_nopr_hmac_sha256",
		.test = alg_test_drbg,
		.fips_allowed = 1,
		.suite = {
4774
			.drbg = __VECS(drbg_nopr_hmac_sha256_tv_template)
4775 4776 4777 4778 4779 4780 4781 4782
		}
	}, {
		/* covered by drbg_nopr_hmac_sha256 test */
		.alg = "drbg_nopr_hmac_sha384",
		.fips_allowed = 1,
		.test = alg_test_null,
	}, {
		.alg = "drbg_nopr_hmac_sha512",
4783
		.test = alg_test_drbg,
4784
		.fips_allowed = 1,
4785 4786 4787
		.suite = {
			.drbg = __VECS(drbg_nopr_hmac_sha512_tv_template)
		}
4788 4789 4790 4791 4792 4793 4794 4795 4796
	}, {
		.alg = "drbg_nopr_sha1",
		.fips_allowed = 1,
		.test = alg_test_null,
	}, {
		.alg = "drbg_nopr_sha256",
		.test = alg_test_drbg,
		.fips_allowed = 1,
		.suite = {
4797
			.drbg = __VECS(drbg_nopr_sha256_tv_template)
4798 4799 4800 4801 4802 4803 4804 4805 4806 4807 4808 4809 4810 4811 4812
		}
	}, {
		/* covered by drbg_nopr_sha256 test */
		.alg = "drbg_nopr_sha384",
		.fips_allowed = 1,
		.test = alg_test_null,
	}, {
		.alg = "drbg_nopr_sha512",
		.fips_allowed = 1,
		.test = alg_test_null,
	}, {
		.alg = "drbg_pr_ctr_aes128",
		.test = alg_test_drbg,
		.fips_allowed = 1,
		.suite = {
4813
			.drbg = __VECS(drbg_pr_ctr_aes128_tv_template)
4814 4815 4816 4817 4818 4819 4820 4821 4822 4823 4824 4825 4826 4827 4828 4829 4830 4831 4832
		}
	}, {
		/* covered by drbg_pr_ctr_aes128 test */
		.alg = "drbg_pr_ctr_aes192",
		.fips_allowed = 1,
		.test = alg_test_null,
	}, {
		.alg = "drbg_pr_ctr_aes256",
		.fips_allowed = 1,
		.test = alg_test_null,
	}, {
		.alg = "drbg_pr_hmac_sha1",
		.fips_allowed = 1,
		.test = alg_test_null,
	}, {
		.alg = "drbg_pr_hmac_sha256",
		.test = alg_test_drbg,
		.fips_allowed = 1,
		.suite = {
4833
			.drbg = __VECS(drbg_pr_hmac_sha256_tv_template)
4834 4835 4836 4837 4838 4839 4840 4841 4842 4843 4844 4845 4846 4847 4848 4849 4850 4851 4852
		}
	}, {
		/* covered by drbg_pr_hmac_sha256 test */
		.alg = "drbg_pr_hmac_sha384",
		.fips_allowed = 1,
		.test = alg_test_null,
	}, {
		.alg = "drbg_pr_hmac_sha512",
		.test = alg_test_null,
		.fips_allowed = 1,
	}, {
		.alg = "drbg_pr_sha1",
		.fips_allowed = 1,
		.test = alg_test_null,
	}, {
		.alg = "drbg_pr_sha256",
		.test = alg_test_drbg,
		.fips_allowed = 1,
		.suite = {
4853
			.drbg = __VECS(drbg_pr_sha256_tv_template)
4854 4855 4856 4857 4858 4859 4860 4861 4862 4863
		}
	}, {
		/* covered by drbg_pr_sha256 test */
		.alg = "drbg_pr_sha384",
		.fips_allowed = 1,
		.test = alg_test_null,
	}, {
		.alg = "drbg_pr_sha512",
		.fips_allowed = 1,
		.test = alg_test_null,
4864 4865
	}, {
		.alg = "ecb(aes)",
4866
		.test = alg_test_skcipher,
4867
		.fips_allowed = 1,
4868
		.suite = {
4869
			.cipher = __VECS(aes_tv_template)
4870 4871 4872
		}
	}, {
		.alg = "ecb(anubis)",
4873
		.test = alg_test_skcipher,
4874
		.suite = {
4875
			.cipher = __VECS(anubis_tv_template)
4876 4877 4878
		}
	}, {
		.alg = "ecb(arc4)",
4879
		.generic_driver = "ecb(arc4)-generic",
4880
		.test = alg_test_skcipher,
4881
		.suite = {
4882
			.cipher = __VECS(arc4_tv_template)
4883
		}
4884 4885 4886 4887 4888 4889
	}, {
		.alg = "ecb(aria)",
		.test = alg_test_skcipher,
		.suite = {
			.cipher = __VECS(aria_tv_template)
		}
4890 4891
	}, {
		.alg = "ecb(blowfish)",
4892
		.test = alg_test_skcipher,
4893
		.suite = {
4894
			.cipher = __VECS(bf_tv_template)
4895 4896 4897
		}
	}, {
		.alg = "ecb(camellia)",
4898
		.test = alg_test_skcipher,
4899
		.suite = {
4900
			.cipher = __VECS(camellia_tv_template)
4901 4902 4903
		}
	}, {
		.alg = "ecb(cast5)",
4904
		.test = alg_test_skcipher,
4905
		.suite = {
4906
			.cipher = __VECS(cast5_tv_template)
4907 4908 4909
		}
	}, {
		.alg = "ecb(cast6)",
4910
		.test = alg_test_skcipher,
4911
		.suite = {
4912
			.cipher = __VECS(cast6_tv_template)
4913
		}
4914 4915 4916
	}, {
		.alg = "ecb(cipher_null)",
		.test = alg_test_null,
4917
		.fips_allowed = 1,
4918 4919
	}, {
		.alg = "ecb(des)",
4920
		.test = alg_test_skcipher,
4921
		.suite = {
4922
			.cipher = __VECS(des_tv_template)
4923 4924 4925
		}
	}, {
		.alg = "ecb(des3_ede)",
4926
		.test = alg_test_skcipher,
4927
		.suite = {
4928
			.cipher = __VECS(des3_ede_tv_template)
4929
		}
4930 4931 4932 4933 4934
	}, {
		.alg = "ecb(fcrypt)",
		.test = alg_test_skcipher,
		.suite = {
			.cipher = {
4935 4936
				.vecs = fcrypt_pcbc_tv_template,
				.count = 1
4937 4938
			}
		}
4939 4940
	}, {
		.alg = "ecb(khazad)",
4941
		.test = alg_test_skcipher,
4942
		.suite = {
4943
			.cipher = __VECS(khazad_tv_template)
4944
		}
4945 4946 4947 4948 4949 4950 4951
	}, {
		/* Same as ecb(aes) except the key is stored in
		 * hardware secure memory which we reference by index
		 */
		.alg = "ecb(paes)",
		.test = alg_test_null,
		.fips_allowed = 1,
4952 4953
	}, {
		.alg = "ecb(seed)",
4954
		.test = alg_test_skcipher,
4955
		.suite = {
4956
			.cipher = __VECS(seed_tv_template)
4957 4958 4959
		}
	}, {
		.alg = "ecb(serpent)",
4960
		.test = alg_test_skcipher,
4961
		.suite = {
4962
			.cipher = __VECS(serpent_tv_template)
4963
		}
4964 4965 4966 4967
	}, {
		.alg = "ecb(sm4)",
		.test = alg_test_skcipher,
		.suite = {
4968
			.cipher = __VECS(sm4_tv_template)
4969
		}
4970 4971
	}, {
		.alg = "ecb(tea)",
4972
		.test = alg_test_skcipher,
4973
		.suite = {
4974
			.cipher = __VECS(tea_tv_template)
4975 4976 4977
		}
	}, {
		.alg = "ecb(twofish)",
4978
		.test = alg_test_skcipher,
4979
		.suite = {
4980
			.cipher = __VECS(tf_tv_template)
4981 4982 4983
		}
	}, {
		.alg = "ecb(xeta)",
4984
		.test = alg_test_skcipher,
4985
		.suite = {
4986
			.cipher = __VECS(xeta_tv_template)
4987 4988 4989
		}
	}, {
		.alg = "ecb(xtea)",
4990
		.test = alg_test_skcipher,
4991
		.suite = {
4992
			.cipher = __VECS(xtea_tv_template)
4993
		}
4994
	}, {
4995 4996 4997 4998 4999 5000 5001 5002 5003
#if IS_ENABLED(CONFIG_CRYPTO_PAES_S390)
		.alg = "ecb-paes-s390",
		.fips_allowed = 1,
		.test = alg_test_skcipher,
		.suite = {
			.cipher = __VECS(aes_tv_template)
		}
	}, {
#endif
5004
		.alg = "ecdh-nist-p192",
5005 5006
		.test = alg_test_kpp,
		.suite = {
5007 5008 5009 5010 5011 5012 5013 5014
			.kpp = __VECS(ecdh_p192_tv_template)
		}
	}, {
		.alg = "ecdh-nist-p256",
		.test = alg_test_kpp,
		.fips_allowed = 1,
		.suite = {
			.kpp = __VECS(ecdh_p256_tv_template)
5015
		}
5016 5017 5018 5019 5020 5021 5022
	}, {
		.alg = "ecdh-nist-p384",
		.test = alg_test_kpp,
		.fips_allowed = 1,
		.suite = {
			.kpp = __VECS(ecdh_p384_tv_template)
		}
5023 5024 5025 5026 5027 5028 5029 5030 5031 5032 5033 5034
	}, {
		.alg = "ecdsa-nist-p192",
		.test = alg_test_akcipher,
		.suite = {
			.akcipher = __VECS(ecdsa_nist_p192_tv_template)
		}
	}, {
		.alg = "ecdsa-nist-p256",
		.test = alg_test_akcipher,
		.suite = {
			.akcipher = __VECS(ecdsa_nist_p256_tv_template)
		}
5035 5036 5037 5038 5039 5040
	}, {
		.alg = "ecdsa-nist-p384",
		.test = alg_test_akcipher,
		.suite = {
			.akcipher = __VECS(ecdsa_nist_p384_tv_template)
		}
5041 5042 5043 5044 5045 5046
	}, {
		.alg = "ecrdsa",
		.test = alg_test_akcipher,
		.suite = {
			.akcipher = __VECS(ecrdsa_tv_template)
		}
5047 5048 5049 5050 5051 5052 5053 5054 5055 5056 5057 5058 5059 5060
	}, {
		.alg = "essiv(authenc(hmac(sha256),cbc(aes)),sha256)",
		.test = alg_test_aead,
		.fips_allowed = 1,
		.suite = {
			.aead = __VECS(essiv_hmac_sha256_aes_cbc_tv_temp)
		}
	}, {
		.alg = "essiv(cbc(aes),sha256)",
		.test = alg_test_skcipher,
		.fips_allowed = 1,
		.suite = {
			.cipher = __VECS(essiv_aes_cbc_tv_template)
		}
5061
	}, {
5062 5063 5064 5065 5066 5067 5068 5069 5070 5071 5072 5073 5074 5075 5076 5077 5078 5079 5080 5081 5082 5083 5084 5085 5086 5087 5088 5089 5090 5091 5092 5093 5094 5095 5096 5097 5098
#if IS_ENABLED(CONFIG_CRYPTO_DH_RFC7919_GROUPS)
		.alg = "ffdhe2048(dh)",
		.test = alg_test_kpp,
		.fips_allowed = 1,
		.suite = {
			.kpp = __VECS(ffdhe2048_dh_tv_template)
		}
	}, {
		.alg = "ffdhe3072(dh)",
		.test = alg_test_kpp,
		.fips_allowed = 1,
		.suite = {
			.kpp = __VECS(ffdhe3072_dh_tv_template)
		}
	}, {
		.alg = "ffdhe4096(dh)",
		.test = alg_test_kpp,
		.fips_allowed = 1,
		.suite = {
			.kpp = __VECS(ffdhe4096_dh_tv_template)
		}
	}, {
		.alg = "ffdhe6144(dh)",
		.test = alg_test_kpp,
		.fips_allowed = 1,
		.suite = {
			.kpp = __VECS(ffdhe6144_dh_tv_template)
		}
	}, {
		.alg = "ffdhe8192(dh)",
		.test = alg_test_kpp,
		.fips_allowed = 1,
		.suite = {
			.kpp = __VECS(ffdhe8192_dh_tv_template)
		}
	}, {
#endif /* CONFIG_CRYPTO_DH_RFC7919_GROUPS */
5099
		.alg = "gcm(aes)",
5100
		.generic_driver = "gcm_base(ctr(aes-generic),ghash-generic)",
5101
		.test = alg_test_aead,
5102
		.fips_allowed = 1,
5103
		.suite = {
5104
			.aead = __VECS(aes_gcm_tv_template)
5105
		}
5106 5107 5108 5109 5110 5111 5112
	}, {
		.alg = "gcm(aria)",
		.generic_driver = "gcm_base(ctr(aria-generic),ghash-generic)",
		.test = alg_test_aead,
		.suite = {
			.aead = __VECS(aria_gcm_tv_template)
		}
5113 5114 5115 5116 5117 5118
	}, {
		.alg = "gcm(sm4)",
		.generic_driver = "gcm_base(ctr(sm4-generic),ghash-generic)",
		.test = alg_test_aead,
		.suite = {
			.aead = __VECS(sm4_gcm_tv_template)
5119
		}
5120 5121 5122
	}, {
		.alg = "ghash",
		.test = alg_test_hash,
5123
		.fips_allowed = 1,
5124
		.suite = {
5125
			.hash = __VECS(ghash_tv_template)
5126
		}
5127 5128 5129 5130 5131 5132 5133 5134
	}, {
		.alg = "hctr2(aes)",
		.generic_driver =
		    "hctr2_base(xctr(aes-generic),polyval-generic)",
		.test = alg_test_skcipher,
		.suite = {
			.cipher = __VECS(aes_hctr2_tv_template)
		}
5135 5136 5137 5138
	}, {
		.alg = "hmac(md5)",
		.test = alg_test_hash,
		.suite = {
5139
			.hash = __VECS(hmac_md5_tv_template)
5140 5141 5142 5143 5144
		}
	}, {
		.alg = "hmac(rmd160)",
		.test = alg_test_hash,
		.suite = {
5145
			.hash = __VECS(hmac_rmd160_tv_template)
5146 5147 5148 5149
		}
	}, {
		.alg = "hmac(sha1)",
		.test = alg_test_hash,
5150
		.fips_allowed = 1,
5151
		.suite = {
5152
			.hash = __VECS(hmac_sha1_tv_template)
5153 5154 5155 5156
		}
	}, {
		.alg = "hmac(sha224)",
		.test = alg_test_hash,
5157
		.fips_allowed = 1,
5158
		.suite = {
5159
			.hash = __VECS(hmac_sha224_tv_template)
5160 5161 5162 5163
		}
	}, {
		.alg = "hmac(sha256)",
		.test = alg_test_hash,
5164
		.fips_allowed = 1,
5165
		.suite = {
5166
			.hash = __VECS(hmac_sha256_tv_template)
5167
		}
5168 5169 5170 5171 5172
	}, {
		.alg = "hmac(sha3-224)",
		.test = alg_test_hash,
		.fips_allowed = 1,
		.suite = {
5173
			.hash = __VECS(hmac_sha3_224_tv_template)
5174 5175 5176 5177 5178 5179
		}
	}, {
		.alg = "hmac(sha3-256)",
		.test = alg_test_hash,
		.fips_allowed = 1,
		.suite = {
5180
			.hash = __VECS(hmac_sha3_256_tv_template)
5181 5182 5183 5184 5185 5186
		}
	}, {
		.alg = "hmac(sha3-384)",
		.test = alg_test_hash,
		.fips_allowed = 1,
		.suite = {
5187
			.hash = __VECS(hmac_sha3_384_tv_template)
5188 5189 5190 5191 5192 5193
		}
	}, {
		.alg = "hmac(sha3-512)",
		.test = alg_test_hash,
		.fips_allowed = 1,
		.suite = {
5194
			.hash = __VECS(hmac_sha3_512_tv_template)
5195
		}
5196 5197 5198
	}, {
		.alg = "hmac(sha384)",
		.test = alg_test_hash,
5199
		.fips_allowed = 1,
5200
		.suite = {
5201
			.hash = __VECS(hmac_sha384_tv_template)
5202 5203 5204 5205
		}
	}, {
		.alg = "hmac(sha512)",
		.test = alg_test_hash,
5206
		.fips_allowed = 1,
5207
		.suite = {
5208
			.hash = __VECS(hmac_sha512_tv_template)
5209
		}
5210 5211 5212 5213 5214 5215
	}, {
		.alg = "hmac(sm3)",
		.test = alg_test_hash,
		.suite = {
			.hash = __VECS(hmac_sm3_tv_template)
		}
5216 5217 5218 5219 5220 5221 5222 5223 5224 5225 5226 5227
	}, {
		.alg = "hmac(streebog256)",
		.test = alg_test_hash,
		.suite = {
			.hash = __VECS(hmac_streebog256_tv_template)
		}
	}, {
		.alg = "hmac(streebog512)",
		.test = alg_test_hash,
		.suite = {
			.hash = __VECS(hmac_streebog512_tv_template)
		}
5228 5229 5230 5231
	}, {
		.alg = "jitterentropy_rng",
		.fips_allowed = 1,
		.test = alg_test_null,
5232 5233 5234 5235 5236
	}, {
		.alg = "kw(aes)",
		.test = alg_test_skcipher,
		.fips_allowed = 1,
		.suite = {
5237
			.cipher = __VECS(aes_kw_tv_template)
5238
		}
5239 5240
	}, {
		.alg = "lrw(aes)",
5241
		.generic_driver = "lrw(ecb(aes-generic))",
5242
		.test = alg_test_skcipher,
5243
		.suite = {
5244
			.cipher = __VECS(aes_lrw_tv_template)
5245
		}
5246 5247
	}, {
		.alg = "lrw(camellia)",
5248
		.generic_driver = "lrw(ecb(camellia-generic))",
5249 5250
		.test = alg_test_skcipher,
		.suite = {
5251
			.cipher = __VECS(camellia_lrw_tv_template)
5252
		}
5253 5254
	}, {
		.alg = "lrw(cast6)",
5255
		.generic_driver = "lrw(ecb(cast6-generic))",
5256 5257
		.test = alg_test_skcipher,
		.suite = {
5258
			.cipher = __VECS(cast6_lrw_tv_template)
5259
		}
5260 5261
	}, {
		.alg = "lrw(serpent)",
5262
		.generic_driver = "lrw(ecb(serpent-generic))",
5263 5264
		.test = alg_test_skcipher,
		.suite = {
5265
			.cipher = __VECS(serpent_lrw_tv_template)
5266
		}
5267 5268
	}, {
		.alg = "lrw(twofish)",
5269
		.generic_driver = "lrw(ecb(twofish-generic))",
5270 5271
		.test = alg_test_skcipher,
		.suite = {
5272
			.cipher = __VECS(tf_lrw_tv_template)
5273
		}
5274 5275 5276 5277 5278 5279
	}, {
		.alg = "lz4",
		.test = alg_test_comp,
		.fips_allowed = 1,
		.suite = {
			.comp = {
5280 5281
				.comp = __VECS(lz4_comp_tv_template),
				.decomp = __VECS(lz4_decomp_tv_template)
5282 5283 5284 5285 5286 5287 5288 5289
			}
		}
	}, {
		.alg = "lz4hc",
		.test = alg_test_comp,
		.fips_allowed = 1,
		.suite = {
			.comp = {
5290 5291
				.comp = __VECS(lz4hc_comp_tv_template),
				.decomp = __VECS(lz4hc_decomp_tv_template)
5292 5293
			}
		}
5294 5295 5296
	}, {
		.alg = "lzo",
		.test = alg_test_comp,
5297
		.fips_allowed = 1,
5298 5299
		.suite = {
			.comp = {
5300 5301
				.comp = __VECS(lzo_comp_tv_template),
				.decomp = __VECS(lzo_decomp_tv_template)
5302 5303
			}
		}
5304 5305 5306 5307 5308 5309 5310 5311 5312 5313
	}, {
		.alg = "lzo-rle",
		.test = alg_test_comp,
		.fips_allowed = 1,
		.suite = {
			.comp = {
				.comp = __VECS(lzorle_comp_tv_template),
				.decomp = __VECS(lzorle_decomp_tv_template)
			}
		}
5314 5315 5316 5317
	}, {
		.alg = "md4",
		.test = alg_test_hash,
		.suite = {
5318
			.hash = __VECS(md4_tv_template)
5319 5320 5321 5322 5323
		}
	}, {
		.alg = "md5",
		.test = alg_test_hash,
		.suite = {
5324
			.hash = __VECS(md5_tv_template)
5325 5326 5327 5328 5329
		}
	}, {
		.alg = "michael_mic",
		.test = alg_test_hash,
		.suite = {
5330
			.hash = __VECS(michael_mic_tv_template)
5331
		}
5332 5333 5334 5335 5336 5337
	}, {
		.alg = "nhpoly1305",
		.test = alg_test_hash,
		.suite = {
			.hash = __VECS(nhpoly1305_tv_template)
		}
5338 5339 5340 5341 5342
	}, {
		.alg = "ofb(aes)",
		.test = alg_test_skcipher,
		.fips_allowed = 1,
		.suite = {
5343
			.cipher = __VECS(aes_ofb_tv_template)
5344
		}
5345 5346 5347 5348 5349 5350 5351
	}, {
		/* Same as ofb(aes) except the key is stored in
		 * hardware secure memory which we reference by index
		 */
		.alg = "ofb(paes)",
		.test = alg_test_null,
		.fips_allowed = 1,
5352 5353 5354 5355 5356 5357
	}, {
		.alg = "ofb(sm4)",
		.test = alg_test_skcipher,
		.suite = {
			.cipher = __VECS(sm4_ofb_tv_template)
		}
5358 5359
	}, {
		.alg = "pcbc(fcrypt)",
5360
		.test = alg_test_skcipher,
5361
		.suite = {
5362
			.cipher = __VECS(fcrypt_pcbc_tv_template)
5363
		}
5364 5365 5366 5367 5368 5369 5370 5371 5372 5373 5374 5375 5376 5377 5378 5379 5380 5381 5382
	}, {
		.alg = "pkcs1pad(rsa,sha224)",
		.test = alg_test_null,
		.fips_allowed = 1,
	}, {
		.alg = "pkcs1pad(rsa,sha256)",
		.test = alg_test_akcipher,
		.fips_allowed = 1,
		.suite = {
			.akcipher = __VECS(pkcs1pad_rsa_tv_template)
		}
	}, {
		.alg = "pkcs1pad(rsa,sha384)",
		.test = alg_test_null,
		.fips_allowed = 1,
	}, {
		.alg = "pkcs1pad(rsa,sha512)",
		.test = alg_test_null,
		.fips_allowed = 1,
5383 5384 5385 5386
	}, {
		.alg = "poly1305",
		.test = alg_test_hash,
		.suite = {
5387
			.hash = __VECS(poly1305_tv_template)
5388
		}
5389 5390 5391 5392 5393 5394
	}, {
		.alg = "polyval",
		.test = alg_test_hash,
		.suite = {
			.hash = __VECS(polyval_tv_template)
		}
5395 5396
	}, {
		.alg = "rfc3686(ctr(aes))",
5397
		.test = alg_test_skcipher,
5398
		.fips_allowed = 1,
5399
		.suite = {
5400
			.cipher = __VECS(aes_ctr_rfc3686_tv_template)
5401
		}
5402 5403 5404 5405 5406 5407
	}, {
		.alg = "rfc3686(ctr(sm4))",
		.test = alg_test_skcipher,
		.suite = {
			.cipher = __VECS(sm4_ctr_rfc3686_tv_template)
		}
5408
	}, {
5409
		.alg = "rfc4106(gcm(aes))",
5410
		.generic_driver = "rfc4106(gcm_base(ctr(aes-generic),ghash-generic))",
5411
		.test = alg_test_aead,
5412
		.fips_allowed = 1,
5413
		.suite = {
5414 5415 5416
			.aead = {
				____VECS(aes_gcm_rfc4106_tv_template),
				.einval_allowed = 1,
5417
				.aad_iv = 1,
5418
			}
5419 5420
		}
	}, {
5421
		.alg = "rfc4309(ccm(aes))",
5422
		.generic_driver = "rfc4309(ccm_base(ctr(aes-generic),cbcmac(aes-generic)))",
5423
		.test = alg_test_aead,
5424
		.fips_allowed = 1,
5425
		.suite = {
5426 5427 5428
			.aead = {
				____VECS(aes_ccm_rfc4309_tv_template),
				.einval_allowed = 1,
5429
				.aad_iv = 1,
5430
			}
5431
		}
5432
	}, {
5433
		.alg = "rfc4543(gcm(aes))",
5434
		.generic_driver = "rfc4543(gcm_base(ctr(aes-generic),ghash-generic))",
5435 5436
		.test = alg_test_aead,
		.suite = {
5437 5438 5439
			.aead = {
				____VECS(aes_gcm_rfc4543_tv_template),
				.einval_allowed = 1,
5440
				.aad_iv = 1,
5441
			}
5442
		}
5443 5444 5445 5446
	}, {
		.alg = "rfc7539(chacha20,poly1305)",
		.test = alg_test_aead,
		.suite = {
5447
			.aead = __VECS(rfc7539_tv_template)
5448
		}
5449 5450 5451 5452
	}, {
		.alg = "rfc7539esp(chacha20,poly1305)",
		.test = alg_test_aead,
		.suite = {
5453 5454 5455
			.aead = {
				____VECS(rfc7539esp_tv_template),
				.einval_allowed = 1,
5456
				.aad_iv = 1,
5457
			}
5458
		}
5459 5460 5461 5462
	}, {
		.alg = "rmd160",
		.test = alg_test_hash,
		.suite = {
5463
			.hash = __VECS(rmd160_tv_template)
5464
		}
5465 5466 5467 5468 5469
	}, {
		.alg = "rsa",
		.test = alg_test_akcipher,
		.fips_allowed = 1,
		.suite = {
5470
			.akcipher = __VECS(rsa_tv_template)
5471
		}
5472 5473 5474
	}, {
		.alg = "sha1",
		.test = alg_test_hash,
5475
		.fips_allowed = 1,
5476
		.suite = {
5477
			.hash = __VECS(sha1_tv_template)
5478 5479 5480 5481
		}
	}, {
		.alg = "sha224",
		.test = alg_test_hash,
5482
		.fips_allowed = 1,
5483
		.suite = {
5484
			.hash = __VECS(sha224_tv_template)
5485 5486 5487 5488
		}
	}, {
		.alg = "sha256",
		.test = alg_test_hash,
5489
		.fips_allowed = 1,
5490
		.suite = {
5491
			.hash = __VECS(sha256_tv_template)
5492
		}
5493 5494 5495 5496 5497
	}, {
		.alg = "sha3-224",
		.test = alg_test_hash,
		.fips_allowed = 1,
		.suite = {
5498
			.hash = __VECS(sha3_224_tv_template)
5499 5500 5501 5502 5503 5504
		}
	}, {
		.alg = "sha3-256",
		.test = alg_test_hash,
		.fips_allowed = 1,
		.suite = {
5505
			.hash = __VECS(sha3_256_tv_template)
5506 5507 5508 5509 5510 5511
		}
	}, {
		.alg = "sha3-384",
		.test = alg_test_hash,
		.fips_allowed = 1,
		.suite = {
5512
			.hash = __VECS(sha3_384_tv_template)
5513 5514 5515 5516 5517 5518
		}
	}, {
		.alg = "sha3-512",
		.test = alg_test_hash,
		.fips_allowed = 1,
		.suite = {
5519
			.hash = __VECS(sha3_512_tv_template)
5520
		}
5521 5522 5523
	}, {
		.alg = "sha384",
		.test = alg_test_hash,
5524
		.fips_allowed = 1,
5525
		.suite = {
5526
			.hash = __VECS(sha384_tv_template)
5527 5528 5529 5530
		}
	}, {
		.alg = "sha512",
		.test = alg_test_hash,
5531
		.fips_allowed = 1,
5532
		.suite = {
5533
			.hash = __VECS(sha512_tv_template)
5534
		}
5535 5536 5537 5538 5539 5540
	}, {
		.alg = "sm2",
		.test = alg_test_akcipher,
		.suite = {
			.akcipher = __VECS(sm2_tv_template)
		}
5541 5542 5543 5544 5545 5546
	}, {
		.alg = "sm3",
		.test = alg_test_hash,
		.suite = {
			.hash = __VECS(sm3_tv_template)
		}
5547 5548 5549 5550 5551 5552 5553 5554 5555 5556 5557 5558
	}, {
		.alg = "streebog256",
		.test = alg_test_hash,
		.suite = {
			.hash = __VECS(streebog256_tv_template)
		}
	}, {
		.alg = "streebog512",
		.test = alg_test_hash,
		.suite = {
			.hash = __VECS(streebog512_tv_template)
		}
5559 5560 5561 5562 5563 5564
	}, {
		.alg = "vmac64(aes)",
		.test = alg_test_hash,
		.suite = {
			.hash = __VECS(vmac64_aes_tv_template)
		}
5565 5566 5567 5568
	}, {
		.alg = "wp256",
		.test = alg_test_hash,
		.suite = {
5569
			.hash = __VECS(wp256_tv_template)
5570 5571 5572 5573 5574
		}
	}, {
		.alg = "wp384",
		.test = alg_test_hash,
		.suite = {
5575
			.hash = __VECS(wp384_tv_template)
5576 5577 5578 5579 5580
		}
	}, {
		.alg = "wp512",
		.test = alg_test_hash,
		.suite = {
5581
			.hash = __VECS(wp512_tv_template)
5582 5583 5584 5585 5586
		}
	}, {
		.alg = "xcbc(aes)",
		.test = alg_test_hash,
		.suite = {
5587
			.hash = __VECS(aes_xcbc128_tv_template)
5588
		}
5589 5590 5591 5592 5593 5594
	}, {
		.alg = "xchacha12",
		.test = alg_test_skcipher,
		.suite = {
			.cipher = __VECS(xchacha12_tv_template)
		},
5595 5596 5597 5598 5599 5600
	}, {
		.alg = "xchacha20",
		.test = alg_test_skcipher,
		.suite = {
			.cipher = __VECS(xchacha20_tv_template)
		},
5601 5602 5603 5604 5605 5606
	}, {
		.alg = "xctr(aes)",
		.test = alg_test_skcipher,
		.suite = {
			.cipher = __VECS(aes_xctr_tv_template)
		}
5607 5608
	}, {
		.alg = "xts(aes)",
5609
		.generic_driver = "xts(ecb(aes-generic))",
5610
		.test = alg_test_skcipher,
5611
		.fips_allowed = 1,
5612
		.suite = {
5613
			.cipher = __VECS(aes_xts_tv_template)
5614
		}
5615 5616
	}, {
		.alg = "xts(camellia)",
5617
		.generic_driver = "xts(ecb(camellia-generic))",
5618 5619
		.test = alg_test_skcipher,
		.suite = {
5620
			.cipher = __VECS(camellia_xts_tv_template)
5621
		}
5622 5623
	}, {
		.alg = "xts(cast6)",
5624
		.generic_driver = "xts(ecb(cast6-generic))",
5625 5626
		.test = alg_test_skcipher,
		.suite = {
5627
			.cipher = __VECS(cast6_xts_tv_template)
5628
		}
5629 5630 5631 5632 5633 5634 5635
	}, {
		/* Same as xts(aes) except the key is stored in
		 * hardware secure memory which we reference by index
		 */
		.alg = "xts(paes)",
		.test = alg_test_null,
		.fips_allowed = 1,
5636 5637
	}, {
		.alg = "xts(serpent)",
5638
		.generic_driver = "xts(ecb(serpent-generic))",
5639 5640
		.test = alg_test_skcipher,
		.suite = {
5641
			.cipher = __VECS(serpent_xts_tv_template)
5642
		}
5643 5644
	}, {
		.alg = "xts(twofish)",
5645
		.generic_driver = "xts(ecb(twofish-generic))",
5646 5647
		.test = alg_test_skcipher,
		.suite = {
5648
			.cipher = __VECS(tf_xts_tv_template)
5649
		}
5650
	}, {
5651 5652 5653 5654 5655 5656 5657 5658 5659
#if IS_ENABLED(CONFIG_CRYPTO_PAES_S390)
		.alg = "xts-paes-s390",
		.fips_allowed = 1,
		.test = alg_test_skcipher,
		.suite = {
			.cipher = __VECS(aes_xts_tv_template)
		}
	}, {
#endif
5660 5661 5662 5663 5664 5665 5666
		.alg = "xts4096(paes)",
		.test = alg_test_null,
		.fips_allowed = 1,
	}, {
		.alg = "xts512(paes)",
		.test = alg_test_null,
		.fips_allowed = 1,
5667 5668 5669 5670 5671 5672 5673
	}, {
		.alg = "xxhash64",
		.test = alg_test_hash,
		.fips_allowed = 1,
		.suite = {
			.hash = __VECS(xxhash64_tv_template)
		}
5674 5675 5676 5677 5678 5679 5680 5681 5682 5683
	}, {
		.alg = "zlib-deflate",
		.test = alg_test_comp,
		.fips_allowed = 1,
		.suite = {
			.comp = {
				.comp = __VECS(zlib_deflate_comp_tv_template),
				.decomp = __VECS(zlib_deflate_decomp_tv_template)
			}
		}
5684 5685 5686 5687 5688 5689 5690 5691 5692 5693
	}, {
		.alg = "zstd",
		.test = alg_test_comp,
		.fips_allowed = 1,
		.suite = {
			.comp = {
				.comp = __VECS(zstd_comp_tv_template),
				.decomp = __VECS(zstd_decomp_tv_template)
			}
		}
5694 5695 5696
	}
};

5697
static void alg_check_test_descs_order(void)
5698 5699 5700 5701 5702 5703 5704 5705 5706 5707 5708 5709 5710 5711 5712 5713 5714 5715 5716 5717
{
	int i;

	for (i = 1; i < ARRAY_SIZE(alg_test_descs); i++) {
		int diff = strcmp(alg_test_descs[i - 1].alg,
				  alg_test_descs[i].alg);

		if (WARN_ON(diff > 0)) {
			pr_warn("testmgr: alg_test_descs entries in wrong order: '%s' before '%s'\n",
				alg_test_descs[i - 1].alg,
				alg_test_descs[i].alg);
		}

		if (WARN_ON(diff == 0)) {
			pr_warn("testmgr: duplicate alg_test_descs entry: '%s'\n",
				alg_test_descs[i].alg);
		}
	}
}

5718 5719
static void alg_check_testvec_configs(void)
{
5720 5721 5722 5723 5724
	int i;

	for (i = 0; i < ARRAY_SIZE(default_cipher_testvec_configs); i++)
		WARN_ON(!valid_testvec_config(
				&default_cipher_testvec_configs[i]));
5725 5726 5727 5728

	for (i = 0; i < ARRAY_SIZE(default_hash_testvec_configs); i++)
		WARN_ON(!valid_testvec_config(
				&default_hash_testvec_configs[i]));
5729 5730 5731 5732 5733 5734
}

static void testmgr_onetime_init(void)
{
	alg_check_test_descs_order();
	alg_check_testvec_configs();
5735 5736 5737 5738

#ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
	pr_warn("alg: extra crypto tests enabled.  This is intended for developer use only.\n");
#endif
5739 5740
}

5741
static int alg_find_test(const char *alg)
5742 5743 5744 5745 5746 5747 5748 5749 5750 5751 5752 5753 5754 5755 5756 5757 5758 5759
{
	int start = 0;
	int end = ARRAY_SIZE(alg_test_descs);

	while (start < end) {
		int i = (start + end) / 2;
		int diff = strcmp(alg_test_descs[i].alg, alg);

		if (diff > 0) {
			end = i;
			continue;
		}

		if (diff < 0) {
			start = i + 1;
			continue;
		}

5760 5761 5762 5763 5764 5765
		return i;
	}

	return -1;
}

5766 5767 5768 5769 5770 5771 5772
static int alg_fips_disabled(const char *driver, const char *alg)
{
	pr_info("alg: %s (%s) is disabled due to FIPS\n", alg, driver);

	return -ECANCELED;
}

5773 5774 5775
int alg_test(const char *driver, const char *alg, u32 type, u32 mask)
{
	int i;
5776
	int j;
5777
	int rc;
5778

5779 5780 5781 5782 5783
	if (!fips_enabled && notests) {
		printk_once(KERN_INFO "alg: self-tests disabled\n");
		return 0;
	}

5784
	DO_ONCE(testmgr_onetime_init);
5785

5786 5787 5788 5789 5790 5791 5792 5793 5794 5795 5796
	if ((type & CRYPTO_ALG_TYPE_MASK) == CRYPTO_ALG_TYPE_CIPHER) {
		char nalg[CRYPTO_MAX_ALG_NAME];

		if (snprintf(nalg, sizeof(nalg), "ecb(%s)", alg) >=
		    sizeof(nalg))
			return -ENAMETOOLONG;

		i = alg_find_test(nalg);
		if (i < 0)
			goto notest;

5797 5798 5799
		if (fips_enabled && !alg_test_descs[i].fips_allowed)
			goto non_fips_alg;

5800 5801
		rc = alg_test_cipher(alg_test_descs + i, driver, type, mask);
		goto test_done;
5802 5803
	}

5804
	i = alg_find_test(alg);
5805 5806
	j = alg_find_test(driver);
	if (i < 0 && j < 0)
5807 5808
		goto notest;

5809 5810 5811 5812 5813 5814 5815
	if (fips_enabled) {
		if (j >= 0 && !alg_test_descs[j].fips_allowed)
			return -EINVAL;

		if (i >= 0 && !alg_test_descs[i].fips_allowed)
			goto non_fips_alg;
	}
5816

5817 5818 5819 5820
	rc = 0;
	if (i >= 0)
		rc |= alg_test_descs[i].test(alg_test_descs + i, driver,
					     type, mask);
5821
	if (j >= 0 && j != i)
5822 5823 5824
		rc |= alg_test_descs[j].test(alg_test_descs + j, driver,
					     type, mask);

5825
test_done:
5826 5827 5828 5829 5830 5831 5832
	if (rc) {
		if (fips_enabled || panic_on_fail) {
			fips_fail_notify();
			panic("alg: self-tests for %s (%s) failed in %s mode!\n",
			      driver, alg,
			      fips_enabled ? "fips" : "panic_on_fail");
		}
5833 5834 5835 5836 5837
		pr_warn("alg: self-tests for %s using %s failed (rc=%d)",
			alg, driver, rc);
		WARN(rc != -ENOENT,
		     "alg: self-tests for %s using %s failed (rc=%d)",
		     alg, driver, rc);
5838 5839 5840 5841
	} else {
		if (fips_enabled)
			pr_info("alg: self-tests for %s (%s) passed\n",
				driver, alg);
5842
	}
5843 5844

	return rc;
5845 5846

notest:
5847
	printk(KERN_INFO "alg: No test for %s (%s)\n", alg, driver);
5848 5849 5850 5851

	if (type & CRYPTO_ALG_FIPS_INTERNAL)
		return alg_fips_disabled(driver, alg);

5852
	return 0;
5853
non_fips_alg:
5854
	return alg_fips_disabled(driver, alg);
5855
}
5856

5857
#endif /* CONFIG_CRYPTO_MANAGER_DISABLE_TESTS */
5858

5859
EXPORT_SYMBOL_GPL(alg_test);